Merge branch 'gestionSecrets'

2025-09-03 21:49:21 +02:00
parent 0d00b418a0 d10fb08f71
commit bca0693a14
110 changed files with 1021 additions and 1520 deletions
--- a/config/dockers.tmpl.env
+++ b/config/dockers.tmpl.env
@@ -159,3 +159,8 @@ apikazServName=apikazServ
 # services activés par container.sh
 # variables d'environneements utilisées
 # pour le tmpl du mandataire (proxy)
+
+
+##################
+#qui on envoi le mail d'inscription ?
+EMAIL_CONTACT="toto@kaz.bzh"
--- a/config/orgaTmpl/app/Dockerfile
+++ b/config/orgaTmpl/app/Dockerfile
@@ -1,58 +0,0 @@
-FROM alpine:3.17
-
-# Some ENV variables
-ENV PATH="/mattermost/bin:${PATH}"
-#ENV MM_VERSION=5.32.0
-ENV MM_VERSION=6.1.0
-ENV MM_INSTALL_TYPE=docker
-
-# Build argument to set Mattermost edition
-ARG edition=enterprise
-ARG PUID=2000
-ARG PGID=2000
-ARG MM_BINARY=
-
-
-# Install some needed packages
-RUN apk add --no-cache \
-	ca-certificates \
-	curl \
-	jq \
-	libc6-compat \
-	libffi-dev \
-	libcap \
-	linux-headers \
-	mailcap \
-	netcat-openbsd \
-	xmlsec-dev \
-	tzdata \
-	&& rm -rf /tmp/*
-
-# Get Mattermost
-RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
-	&& if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
-		elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
-		else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
-	&& cp /mattermost/config/config.json /config.json.save \
-	&& rm -rf /mattermost/config/config.json \
-	&& addgroup -g ${PGID} mattermost \
-	&& adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
-	&& chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
-	&& setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
-
-USER mattermost
-
-#Healthcheck to make sure container is ready
-HEALTHCHECK CMD curl --fail http://localhost:8000 || exit 1
-
-# Configure entrypoint and command
-COPY entrypoint.sh /
-ENTRYPOINT ["/entrypoint.sh"]
-WORKDIR /mattermost
-CMD ["mattermost"]
-
-# Expose port 8000 of the container
-EXPOSE 8000
-
-# Declare volumes for mount point directories
-VOLUME ["/mattermost/data", "/mattermost/logs", "/mattermost/config", "/mattermost/plugins", "/mattermost/client/plugins"]
--- a/config/orgaTmpl/app/entrypoint.sh
+++ b/config/orgaTmpl/app/entrypoint.sh
@@ -1,82 +0,0 @@
-#!/bin/sh
-
-# Function to generate a random salt
-generate_salt() {
-	tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1
-}
-
-# Read environment variables or set default values
-DB_HOST=${DB_HOST:-db}
-DB_PORT_NUMBER=${DB_PORT_NUMBER:-5432}
-# see https://www.postgresql.org/docs/current/libpq-ssl.html
-# for usage when database connection requires encryption
-# filenames should be escaped if they contain spaces
-#  i.e. $(printf %s ${MY_ENV_VAR:-''}  | jq -s -R -r @uri)
-# the location of the CA file can be set using environment var PGSSLROOTCERT
-# the location of the CRL file can be set using PGSSLCRL
-# The URL syntax for connection string does not support the parameters
-# sslrootcert and sslcrl reliably, so use these PostgreSQL-specified variables
-# to set names if using a location other than default
-DB_USE_SSL=${DB_USE_SSL:-disable}
-MM_DBNAME=${MM_DBNAME:-mattermost}
-MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json}
-
-_1=$(echo "$1" | awk  '{ s=substr($0, 0, 1); print s; }' )
-if [ "$_1" = '-' ]; then
-	set -- mattermost "$@"
-fi
-
-if [ "$1" = 'mattermost' ]; then
-	# Check CLI args for a -config option
-	for ARG in "$@"; do
-		case "$ARG" in
-			-config=*) MM_CONFIG=${ARG#*=};;
-		esac
-	done
-
-	if [ ! -f "$MM_CONFIG" ]; then
-		# If there is no configuration file, create it with some default values
-		echo "No configuration file $MM_CONFIG"
-		echo "Creating a new one"
-		# Copy default configuration file
-		cp /config.json.save "$MM_CONFIG"
-		# Substitute some parameters with jq
-		jq '.ServiceSettings.ListenAddress = ":8000"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.LogSettings.EnableConsole = true' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.LogSettings.ConsoleLevel = "ERROR"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.FileSettings.Directory = "/mattermost/data/"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.FileSettings.EnablePublicLink = true' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq ".FileSettings.PublicLinkSalt = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.EmailSettings.SendEmailNotifications = false' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.EmailSettings.FeedbackEmail = ""' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.EmailSettings.SMTPServer = ""' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.EmailSettings.SMTPPort = ""' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq ".EmailSettings.InviteSalt = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq ".EmailSettings.PasswordResetSalt = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.RateLimitSettings.Enable = true' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.SqlSettings.DriverName = "postgres"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq ".SqlSettings.AtRestEncryptKey = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-		jq '.PluginSettings.Directory = "/mattermost/plugins/"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
-	else
-		echo "Using existing config file $MM_CONFIG"
-	fi
-
-	# Configure database access
-	if [ -z "$MM_SQLSETTINGS_DATASOURCE" ] && [ -n "$MM_USERNAME" ] && [ -n "$MM_PASSWORD" ]; then
-		echo "Configure database connection..."
-		# URLEncode the password, allowing for special characters
-		ENCODED_PASSWORD=$(printf %s "$MM_PASSWORD" | jq -s -R -r @uri)
-		export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=$DB_USE_SSL&connect_timeout=10"
-		echo "OK"
-	else
-		echo "Using existing database connection"
-	fi
-
-	# Wait another second for the database to be properly started.
-	# Necessary to avoid "panic: Failed to open sql connection pq: the database system is starting up"
-	sleep 1
-
-	echo "Starting mattermost"
-fi
-
-exec "$@"
--- a/config/orgaTmpl/docker-compose.yml
+++ b/config/orgaTmpl/docker-compose.yml
@@ -4,21 +4,21 @@ services:
 #{{db
  db:
    image: mariadb:11.4
-    container_name: ${orga}DB
+    container_name: ${orga}-DB
    #disk_quota: 10G
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: ${restartPolicy}
    volumes:
-      - ./initdb.d:/docker-entrypoint-initdb.d:ro
+#      - ./initdb.d:/docker-entrypoint-initdb.d:ro
      - orgaDB:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
    environment:
      - MARIADB_AUTO_UPGRADE=1      
    env_file:
-      - ../../secret/env-${nextcloudDBName}
-#      - ../../secret/env-${mattermostDBName}
-      - ../../secret/env-${wordpressDBName}
+      - ../../secret/orgas/${orga}/env-${nextcloudDBName}
+#      - ../../secret/orgas/${orga}/env-${mattermostDBName}
+      - ../../secret/orgas/${orga}/env-${wordpressDBName}
    networks:
      - orgaNet
    healthcheck: # utilisé par init-db.sh pour la créa d'orga
@@ -34,7 +34,7 @@ services:
 #{{cloud
  cloud:
    image: nextcloud
-    container_name: ${orga}${nextcloudServName}
+    container_name: ${orga}-${nextcloudServName}
    #disk_quota: 10G
    restart: ${restartPolicy}
    networks:
@@ -50,8 +50,8 @@ services:
      - ${smtpServName}:${smtpHost}
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.${orga}${nextcloudServName}.rule=Host(`${orga}${cloudHost}.${domain}`){{FOREIGN_NC}}"
-      - "traefik.http.routers.${orga}${nextcloudServName}.middlewares=nextcloud-redirectregex1@file,nextcloud-redirectregex2@file"
+      - "traefik.http.routers.${orga}-${nextcloudServName}.rule=Host(`${orga}-${cloudHost}.${domain}`){{FOREIGN_NC}}"
+      - "traefik.http.routers.${orga}-${nextcloudServName}.middlewares=nextcloud-redirectregex1@file,nextcloud-redirectregex2@file"
    volumes:
      - cloudMain:/var/www/html
      - cloudData:/var/www/html/data
@@ -63,10 +63,10 @@ services:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
    env_file:
-      - ../../secret/env-${nextcloudServName}
-      - ../../secret/env-${nextcloudDBName}
+      - ../../secret/orgas/${orga}/env-${nextcloudServName}
+      - ../../secret/orgas/${orga}/env-${nextcloudDBName}
    environment:
-      - NEXTCLOUD_TRUSTED_DOMAINS=${orga}${cloudHost}.${domain}
+      - NEXTCLOUD_TRUSTED_DOMAINS=${orga}-${cloudHost}.${domain}
      - SMTP_HOST=${smtpHost}
      - SMTP_PORT=25
      - MAIL_DOMAIN=${domain}
@@ -80,7 +80,7 @@ services:
        - edition=team
        - PUID=1000
        - PGID=1000
-    container_name: ${orga}${mattermostServName}
+    container_name: ${orga}-${mattermostServName}
    #disk_quota: 10G
    restart: ${restartPolicy}
    # memory: 1G
@@ -109,20 +109,20 @@ services:
      - /etc/timezone:/etc/timezone:ro
      - /etc/environment:/etc/environment:ro
    env_file:
-      - ../../secret/env-${mattermostServName}
+      - ../../secret/orgas/${orga}/env-${mattermostServName}
    environment:
-      - VIRTUAL_HOST=${orga}${matterHost}.${domain}
+      - VIRTUAL_HOST=${orga}-${matterHost}.${domain}
      # in case your config is not in default location
      #- MM_CONFIG=/mattermost/config/config.json

    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.${orga}${mattermostServName}.rule=Host(`${orga}${matterHost}.${domain}`)"
+      - "traefik.http.routers.${orga}-${mattermostServName}.rule=Host(`${orga}-${matterHost}.${domain}`)"
 #}}
 #{{wp
  wordpress:
    image: wordpress
-    container_name: ${orga}${wordpressServName}
+    container_name: ${orga}-${wordpressServName}
    restart: ${restartPolicy}
    networks:
      - orgaNet
@@ -136,17 +136,17 @@ services:
    external_links:
      - ${smtpServName}:${smtpHost}.${domain}
    env_file:
-      - ../../secret/env-${wordpressServName}
+      - ../../secret/orgas/${orga}/env-${wordpressServName}
    environment:
      - WORDPRESS_SMTP_HOST=${smtpHost}.${domain}
      - WORDPRESS_SMTP_PORT=25
      # - WORDPRESS_SMTP_USERNAME
      # - WORDPRESS_SMTP_PASSWORD
-      # - WORDPRESS_SMTP_FROM=${orga}
-      - WORDPRESS_SMTP_FROM_NAME=${orga}
+      # - WORDPRESS_SMTP_FROM=${orga}-
+      - WORDPRESS_SMTP_FROM_NAME=${orga}-
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.${orga}${wordpressServName}.rule=Host(`${orga}${wordpressHost}.${domain}`){{FOREIGN_WP}}"
+      - "traefik.http.routers.${orga}-${wordpressServName}.rule=Host(`${orga}-${wordpressHost}.${domain}`){{FOREIGN_WP}}"
    volumes:
      - wordpress:/var/www/html
 #      - ../../config/orgaTmpl/wp:/usr/local/bin/wp:ro
@@ -154,12 +154,12 @@ services:
 #{{wiki
  dokuwiki:
    image: mprasil/dokuwiki
-    container_name: ${orga}${dokuwikiServName}
+    container_name: ${orga}-${dokuwikiServName}
    #disk_quota: 10G
    restart: ${restartPolicy}
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.${orga}${dokuwikiServName}.rule=Host(`${orga}${dokuwikiHost}.${domain}`){{FOREIGN_DW}}"
+      - "traefik.http.routers.${orga}-${dokuwikiServName}.rule=Host(`${orga}-${dokuwikiHost}.${domain}`){{FOREIGN_DW}}"
    volumes:
      - wikiData:/dokuwiki/data
      - wikiConf:/dokuwiki/conf
@@ -175,7 +175,7 @@ services:
 #{{castopod
  castopod:
    image: castopod/castopod:latest
-    container_name: ${orga}${castopodServName}
+    container_name: ${orga}-${castopodServName}
    #disk_quota: 10G
    restart: ${restartPolicy}
    # memory: 1G
@@ -193,27 +193,27 @@ services:
    volumes:
      - castopodMedia:/var/www/castopod/public/media
    environment:
-      CP_BASEURL: "https://${orga}${castopodHost}.${domain}"
+      CP_BASEURL: "https://${orga}-${castopodHost}.${domain}"
      CP_ANALYTICS_SALT: qldsgfliuzrbhgmkjbdbmkvb
      VIRTUAL_PORT: 8000
      CP_CACHE_HANDLER: redis
      CP_REDIS_HOST: redis
      CP_DATABASE_HOSTNAME: db
    env_file:
-      - ../../secret/env-${castopodServName}
-      - ../../secret/env-${castopodDBName}
+      - ../../secret/orgas/${orga}/env-${castopodServName}
+      - ../../secret/orgas/${orga}/env-${castopodDBName}
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.${orga}${castopodServName}.rule=Host(`${orga}${castopodHost}.${domain}`){{FOREIGN_POD}}"
+      - "traefik.http.routers.${orga}-${castopodServName}.rule=Host(`${orga}-${castopodHost}.${domain}`){{FOREIGN_POD}}"
  redis:
    image: redis:7.0-alpine
-    container_name: ${orga}castopodCache
+    container_name: ${orga}-castopodCache
    volumes:
      - castopodCache:/data
    networks:
      - orgaNet
    env_file:
-      - ../../secret/env-${castopodServName}
+      - ../../secret/orgas/${orga}/env-${castopodServName}
    command: --requirepass ${castopodRedisPassword} 
 #}}
 #{{spip
@@ -225,16 +225,16 @@ services:
    links:
      - db
    env_file:
-      - ../../secret/env-${spipServName}
+      - ../../secret/orgas/${orga}/env-${spipServName}
    environment:
      - SPIP_AUTO_INSTALL=1
      - SPIP_DB_HOST=db
-      - SPIP_SITE_ADDRESS=https://${orga}${spipHost}.${domain}
+      - SPIP_SITE_ADDRESS=https://${orga}-${spipHost}.${domain}
    expose:
      - 80
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.${orga}${spipServName}.rule=Host(`${orga}${spipHost}.${domain}`){{FOREIGN_SPIP}}"
+      - "traefik.http.routers.${orga}-${spipServName}.rule=Host(`${orga}-${spipHost}.${domain}`){{FOREIGN_SPIP}}"
    networks:
      - orgaNet
    volumes:
@@ -250,84 +250,84 @@ volumes:
 #{{db
  orgaDB:
    external: true
-    name: orga_${orga}orgaDB
+    name: orga_${orga}-orgaDB
 #}}
 #{{agora
  matterConfig:
    external: true
-    name: orga_${orga}matterConfig
+    name: orga_${orga}-matterConfig
  matterData:
    external: true
-    name: orga_${orga}matterData
+    name: orga_${orga}-matterData
  matterLogs:
    external: true
-    name: orga_${orga}matterLogs
+    name: orga_${orga}-matterLogs
  matterPlugins:
    external: true
-    name: orga_${orga}matterPlugins
+    name: orga_${orga}-matterPlugins
  matterClientPlugins:
    external: true
-    name: orga_${orga}matterClientPlugins
+    name: orga_${orga}-matterClientPlugins
  matterIcons:
    external: true
    name: matterIcons
 #{{cloud
  cloudMain:
    external: true
-    name: orga_${orga}cloudMain
+    name: orga_${orga}-cloudMain
  cloudData:
    external: true
-    name: orga_${orga}cloudData
+    name: orga_${orga}-cloudData
  cloudConfig:
    external: true
-    name: orga_${orga}cloudConfig
+    name: orga_${orga}-cloudConfig
  cloudApps:
    external: true
-    name: orga_${orga}cloudApps
+    name: orga_${orga}-cloudApps
  cloudCustomApps:
    external: true
-    name: orga_${orga}cloudCustomApps
+    name: orga_${orga}-cloudCustomApps
  cloudThemes:
    external: true
-    name: orga_${orga}cloudThemes
+    name: orga_${orga}-cloudThemes
  cloudPhp:
    external: true
-    name: orga_${orga}cloudPhp
+    name: orga_${orga}-cloudPhp
 #}}
 #{{wiki
  wikiData:
    external: true
-    name: orga_${orga}wikiData
+    name: orga_${orga}-wikiData
  wikiConf:
    external: true
-    name: orga_${orga}wikiConf
+    name: orga_${orga}-wikiConf
  wikiPlugins:
    external: true
-    name: orga_${orga}wikiPlugins
+    name: orga_${orga}-wikiPlugins
  wikiLibtpl:
    external: true
-    name: orga_${orga}wikiLibtpl
+    name: orga_${orga}-wikiLibtpl
  wikiLogs:
    external: true
-    name: orga_${orga}wikiLogs
+    name: orga_${orga}-wikiLogs
 #}}
 #{{wp
  wordpress:
    external: true
-    name: orga_${orga}wordpress
+    name: orga_${orga}-wordpress
 #}}
 #{{castopod
  castopodMedia:
    external: true
-    name: orga_${orga}castopodMedia
+    name: orga_${orga}-castopodMedia
  castopodCache:
    external: true
-    name: orga_${orga}castopodCache
+    name: orga_${orga}-castopodCache
 #}}
 #{{spip
  spip:
    external: true
-    name: orga_${orga}spip
+    name: orga_${orga}-spip
 #}}


@@ -335,7 +335,7 @@ volumes:
 networks:
  orgaNet:
    external: true
-    name: ${orga}orgaNet
+    name: ${orga}-orgaNet
  # postfixNet:
  #   external:
  #     name: postfixNet
--- a/config/orgaTmpl/init-db.sh
+++ b/config/orgaTmpl/init-db.sh
@@ -4,7 +4,6 @@ KAZ_ROOT=$(cd $(dirname $0)/../..; pwd)
 . "${KAZ_ROOT}/bin/.commonFunctions.sh"
 setKazVars
 . "${DOCKERS_ENV}"
-. "${KAZ_KEY_DIR}/SetAllPass.sh"

 cd $(dirname $0)
 ORGA_DIR="$(basename "$(pwd)")"
@@ -25,57 +24,66 @@ SQL=""
 for ARG in "$@"; do
    case "${ARG}" in
 	'cloud' )
+		. $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudDB
 	    SQL="$SQL
-CREATE DATABASE IF NOT EXISTS ${nextcloud_MYSQL_DATABASE};
+CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};

-DROP USER IF EXISTS '${nextcloud_MYSQL_USER}';
-CREATE USER '${nextcloud_MYSQL_USER}'@'%';
+DROP USER IF EXISTS '${MYSQL_USER}';
+CREATE USER '${MYSQL_USER}'@'%';

-GRANT ALL ON ${nextcloud_MYSQL_DATABASE}.* TO '${nextcloud_MYSQL_USER}'@'%' IDENTIFIED BY '${nextcloud_MYSQL_PASSWORD}';
+GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';

 FLUSH PRIVILEGES;"
        ;;
 	'agora' )
+	
+		. $KAZ_KEY_DIR/orgas/$ORGA/env-mattermostDB
 	    SQL="$SQL
-CREATE DATABASE IF NOT EXISTS ${mattermost_MYSQL_DATABASE};
+CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};

-DROP USER IF EXISTS '${mattermost_MYSQL_USER}';
-CREATE USER '${mattermost_MYSQL_USER}'@'%';
+DROP USER IF EXISTS '${MYSQL_USER}';
+CREATE USER '${MYSQL_USER}'@'%';

-GRANT ALL ON ${mattermost_MYSQL_DATABASE}.* TO '${mattermost_MYSQL_USER}'@'%' IDENTIFIED BY '${mattermost_MYSQL_PASSWORD}';
+GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';

 FLUSH PRIVILEGES;"
 	    ;;
 	'wp' )
+	
+		. $KAZ_KEY_DIR/orgas/$ORGA/env-wpDB
 	    SQL="$SQL
-CREATE DATABASE IF NOT EXISTS ${wp_MYSQL_DATABASE};
+CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};

-DROP USER IF EXISTS '${wp_MYSQL_USER}';
-CREATE USER '${wp_MYSQL_USER}'@'%';
+DROP USER IF EXISTS '${MYSQL_USER}';
+CREATE USER '${MYSQL_USER}'@'%';

-GRANT ALL ON ${wp_MYSQL_DATABASE}.* TO '${wp_MYSQL_USER}'@'%' IDENTIFIED BY '${wp_MYSQL_PASSWORD}';
+GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';

 FLUSH PRIVILEGES;"
 	    ;;
 	'castopod' )
+	
+		. $KAZ_KEY_DIR/orgas/$ORGA/env-castopodDB
 	    SQL="$SQL
-CREATE DATABASE IF NOT EXISTS ${castopod_MYSQL_DATABASE};
+CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};

-DROP USER IF EXISTS '${castopod_MYSQL_USER}';
-CREATE USER '${castopod_MYSQL_USER}'@'%';
+DROP USER IF EXISTS '${MYSQL_USER}';
+CREATE USER '${MYSQL_USER}'@'%';

-GRANT ALL ON ${castopod_MYSQL_DATABASE}.* TO '${castopod_MYSQL_USER}'@'%' IDENTIFIED BY '${castopod_MYSQL_PASSWORD}';
+GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';

 FLUSH PRIVILEGES;"
 	    ;;
 	'spip' )
+	
+		. $KAZ_KEY_DIR/orgas/$ORGA/env-spipDB
           SQL="$SQL
-CREATE DATABASE IF NOT EXISTS ${spip_MYSQL_DATABASE};
+CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};

-DROP USER IF EXISTS '${spip_MYSQL_USER}';
-CREATE USER '${spip_MYSQL_USER}'@'%';
+DROP USER IF EXISTS '${MYSQL_USER}';
+CREATE USER '${MYSQL_USER}'@'%';

-GRANT ALL ON ${spip_MYSQL_DATABASE}.* TO '${spip_MYSQL_USER}'@'%' IDENTIFIED BY '${spip_MYSQL_PASSWORD}';
+GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';

 FLUSH PRIVILEGES;"
 	    ;;
@@ -84,4 +92,4 @@ FLUSH PRIVILEGES;"
    esac
 done

-echo $SQL | docker exec -i ${ORGA}-DB bash -c "mariadb --user=root --password=${wp_MYSQL_ROOT_PASSWORD}"
+echo $SQL | docker exec -i ${ORGA}-DB bash -c "mariadb --user=root --password=${MYSQL_ROOT_PASSWORD}"
--- a/config/orgaTmpl/init-volume.sh
+++ b/config/orgaTmpl/init-volume.sh
@@ -3,41 +3,41 @@
 #docker network create postfix_mailNet

 #{{db
-docker volume create --name=orga_${orga}orgaDB
+docker volume create --name=orga_${orga}-orgaDB
 #}}
 #{{agora
-docker volume create --name=orga_${orga}matterConfig
-docker volume create --name=orga_${orga}matterData
-docker volume create --name=orga_${orga}matterLogs
-docker volume create --name=orga_${orga}matterPlugins
-docker volume create --name=orga_${orga}matterClientPlugins
+docker volume create --name=orga_${orga}-matterConfig
+docker volume create --name=orga_${orga}-matterData
+docker volume create --name=orga_${orga}-matterLogs
+docker volume create --name=orga_${orga}-matterPlugins
+docker volume create --name=orga_${orga}-matterClientPlugins
 docker volume create --name=matterIcons
 #}}
 #{{cloud
-docker volume create --name=orga_${orga}cloudMain
-docker volume create --name=orga_${orga}cloudData
-docker volume create --name=orga_${orga}cloudConfig
-docker volume create --name=orga_${orga}cloudApps
-docker volume create --name=orga_${orga}cloudCustomApps
-docker volume create --name=orga_${orga}cloudThemes
-docker volume create --name=orga_${orga}cloudPhp
-chown 33:33 /var/lib/docker/volumes/orga_${orga}cloud*/_data
+docker volume create --name=orga_${orga}-cloudMain
+docker volume create --name=orga_${orga}-cloudData
+docker volume create --name=orga_${orga}-cloudConfig
+docker volume create --name=orga_${orga}-cloudApps
+docker volume create --name=orga_${orga}-cloudCustomApps
+docker volume create --name=orga_${orga}-cloudThemes
+docker volume create --name=orga_${orga}-cloudPhp
+chown 33:33 /var/lib/docker/volumes/orga_${orga}-cloud*/_data
 #}}
 #{{wiki
-docker volume create --name=orga_${orga}wikiData
-docker volume create --name=orga_${orga}wikiConf
-docker volume create --name=orga_${orga}wikiPlugins
-docker volume create --name=orga_${orga}wikiLibtpl
-docker volume create --name=orga_${orga}wikiLogs
+docker volume create --name=orga_${orga}-wikiData
+docker volume create --name=orga_${orga}-wikiConf
+docker volume create --name=orga_${orga}-wikiPlugins
+docker volume create --name=orga_${orga}-wikiLibtpl
+docker volume create --name=orga_${orga}-wikiLogs
 #}}
 #{{wp
-docker volume create --name=orga_${orga}wordpress
+docker volume create --name=orga_${orga}-wordpress
 #}}
 #{{castopod
-docker volume create --name=orga_${orga}castopodCache
-docker volume create --name=orga_${orga}castopodMedia
+docker volume create --name=orga_${orga}-castopodCache
+docker volume create --name=orga_${orga}-castopodMedia
 #}}
 #{{spip
-docker volume create --name=orga_${orga}spip
+docker volume create --name=orga_${orga}-spip
 #}}

--- a/config/orgaTmpl/initdb.d/orga.sql
+++ b/config/orgaTmpl/initdb.d/orga.sql
@@ -1,3 +0,0 @@
-CREATE DATABASE IF NOT EXISTS nextcloud;
-CREATE DATABASE IF NOT EXISTS mattermost;
-CREATE DATABASE IF NOT EXISTS wpdb;
--- a/config/orgaTmpl/orga-gen.sh
+++ b/config/orgaTmpl/orga-gen.sh
@@ -389,7 +389,7 @@ update() {
 					       -e "s/{{FOREIGN_DW}}/${FOREIGN_DW}/"\
 					       -e "s/{{FOREIGN_POD}}/${FOREIGN_POD}/"\
 						   -e "s/{{FOREIGN_SPIP}}/${FOREIGN_SPIP}/"\
-					       -e "s|\${orga}|${ORGA}-|g"
+					       -e "s|\${orga}|${ORGA}|g"
    ) > "$2"
    sed "s/storage_opt:.*/storage_opt: ${quota}/g" -i "$2"
 }
@@ -412,13 +412,18 @@ if [[ -n "${STAGE_DEFAULT}${STAGE_CREATE}" ]]; then
    ln -sf ../../config/orgaTmpl/orga-gen.sh
    ln -sf ../../config/orgaTmpl/orga-rm.sh
    ln -sf ../../config/orgaTmpl/init-paheko.sh    
-    ln -sf ../../config/orgaTmpl/initdb.d/
+    #ln -sf ../../config/orgaTmpl/initdb.d/
    ln -sf ../../config/orgaTmpl/app/
    ln -sf ../../config/orgaTmpl/wiki-conf/
    ln -sf ../../config/orgaTmpl/reload.sh
    ln -sf ../../config/orgaTmpl/init-db.sh
 fi

+if [ ! -d "${KAZ_KEY_DIR}/orgas/$ORGA/" ]; then
+    rsync -a "${KAZ_CONF_DIR}/orgaTmpl/secret.tmpl/" "${KAZ_KEY_DIR}/orgas/$ORGA/"
+	${KAZ_BIN_DIR}/secretGen.sh -d $ORGA
+fi
+
 if [[ -n "${STAGE_DEFAULT}${STAGE_CREATE}" ]]; then
    # ########## update ${DOCKERS_ENV}
    if ! grep -q "proxy_orga=" .env 2> /dev/null
@@ -438,6 +443,12 @@ if [[ -n "${STAGE_DEFAULT}${STAGE_CREATE}" ]]; then
 fi

 if [[ -n "${STAGE_DEFAULT}${STAGE_CREATE}" ]]; then
+
+
+    # ########## create network 
+	## GAEL bizarre, je pense que c'est déjà fait qque part, mais chez moi ça veut pas ... 
+    docker network create "${ORGA}-orgaNet"
+
    # ########## create volume
    ./init-volume.sh
 fi
--- a/config/orgaTmpl/orga-rm.sh
+++ b/config/orgaTmpl/orga-rm.sh
@@ -40,6 +40,8 @@ remove () {
 	    sed -i -e "/proxy_${ORGA_FLAG}=/d" "${DOCKERS_ENV}"
 	    sed -i -e "/^${ORGA}-orga$/d" "${ORGA_LIST}"
 	    rm -fr "${KAZ_COMP_DIR}/${ORGA}-orga"
+		
+	    rm -fr "${KAZ_KEY_DIR}/orgas/${ORGA}"
 	    exit;;
 	    [Nn]* )

--- a/config/orgaTmpl/secret.tmpl/env-castopodAdmin
+++ b/config/orgaTmpl/secret.tmpl/env-castopodAdmin
@@ -0,0 +1,3 @@
+ADMIN_USER=@@pass@@castopod2@@p@@
+ADMIN_MAIL=admin@@@globalvar@@domain@@gv@@
+ADMIN_PASSWORD=@@pass@@castopod3@@p@@
--- a/config/orgaTmpl/secret.tmpl/env-castopodDB
+++ b/config/orgaTmpl/secret.tmpl/env-castopodDB
@@ -0,0 +1,4 @@
+MYSQL_ROOT_PASSWORD=@@pass@@rootdb@@p@@
+MYSQL_USER=@@user@@castopod1@@u@@
+MYSQL_PASSWORD=@@pass@@castopod1@@p@@
+MYSQL_DATABASE=@@db@@castopod1@@d@@
--- a/config/orgaTmpl/secret.tmpl/env-castopodServ
+++ b/config/orgaTmpl/secret.tmpl/env-castopodServ
@@ -0,0 +1,7 @@
+CP_EMAIL_SMTP_HOST= 
+CP_EMAIL_FROM=	
+CP_EMAIL_SMTP_USERNAME=
+CP_EMAIL_SMTP_PASSWORD=
+CP_EMAIL_SMTP_PORT=
+CP_EMAIL_SMTP_CRYPTO=
+CP_REDIS_PASSWORD=
--- a/config/orgaTmpl/secret.tmpl/env-mattermostDB
+++ b/config/orgaTmpl/secret.tmpl/env-mattermostDB
@@ -0,0 +1,9 @@
+
+MYSQL_ROOT_PASSWORD=@@pass@@rootdb@@p@@
+MYSQL_DATABASE=@@db@@mattermost@@d@@
+MYSQL_USER=@@user@@mattermost@@u@@
+MYSQL_PASSWORD=@@pass@@mattermost@@p@@
+
+POSTGRES_USER=@@user@@mattermost@@u@@
+POSTGRES_PASSWORD=@@pass@@mattermost@@p@@
+POSTGRES_DB=@@db@@mattermost@@d@@
--- a/config/orgaTmpl/secret.tmpl/env-mattermostServ
+++ b/config/orgaTmpl/secret.tmpl/env-mattermostServ
@@ -0,0 +1,5 @@
+MM_ADMIN_EMAIL=@@globalvar@@matterHost@@gv@@@@@globalvar@@domain@@gv@@
+MM_ADMIN_USER=@@user@@mattermost2@@u@@
+MM_ADMIN_PASSWORD=@@pass@@mattermost2@@p@@
+MM_SQLSETTINGS_DATASOURCE=postgres://@@user@@mattermost@@u@@:@@pass@@mattermost@@p@@@postgres:5432/@@db@@mattermost@@d@@?sslmode=disable&connect_timeout=10
+
--- a/config/orgaTmpl/secret.tmpl/env-nextcloudDB
+++ b/config/orgaTmpl/secret.tmpl/env-nextcloudDB
@@ -0,0 +1,8 @@
+
+MYSQL_ROOT_PASSWORD=@@pass@@rootdb@@p@@
+MYSQL_DATABASE=@@db@@nextcloud@@d@@
+MYSQL_USER=@@user@@nextcloud@@u@@
+MYSQL_PASSWORD=@@pass@@nextcloud@@p@@
+
+#NC_MYSQL_USER=
+#NC_MYSQL_PASSWORD=
--- a/config/orgaTmpl/secret.tmpl/env-nextcloudServ
+++ b/config/orgaTmpl/secret.tmpl/env-nextcloudServ
@@ -0,0 +1,5 @@
+
+NEXTCLOUD_ADMIN_USER=@@user@@nextcloudadmin@@u@@
+NEXTCLOUD_ADMIN_PASSWORD=@@pass@@nextcloudadmin@@p@@
+MYSQL_HOST=db
+RAIN_LOOP=@@pass@@rainloop@@p@@
--- a/config/orgaTmpl/secret.tmpl/env-spipDB
+++ b/config/orgaTmpl/secret.tmpl/env-spipDB
@@ -0,0 +1,4 @@
+MYSQL_ROOT_PASSWORD=@@pass@@rootdb@@p@@
+MYSQL_DATABASE=@@db@@spip@@d@@
+MYSQL_USER=@@user@@spip@@u@@
+MYSQL_PASSWORD=@@pass@@spip@@p@@
--- a/config/orgaTmpl/secret.tmpl/env-spipServ
+++ b/config/orgaTmpl/secret.tmpl/env-spipServ
@@ -0,0 +1,10 @@
+SPIP_AUTO_INSTALL=1
+SPIP_DB_SERVER=mysql
+SPIP_DB_NAME=@@db@@spip@@d@@
+SPIP_DB_LOGIN=@@user@@spip@@u@@
+SPIP_DB_PASS=@@pass@@spip@@p@@
+SPIP_ADMIN_NAME=admin
+SPIP_ADMIN_LOGIN=@@user@@spipadmin@@u@@
+SPIP_ADMIN_EMAIL=admin@@@globalvar@@domain@@gv@@
+SPIP_ADMIN_PASS=@@pass@@spipadmin@@p@@
+PHP_TIMEZONE=Europe/Paris
--- a/config/orgaTmpl/secret.tmpl/env-wpDB
+++ b/config/orgaTmpl/secret.tmpl/env-wpDB
@@ -0,0 +1,4 @@
+MYSQL_ROOT_PASSWORD=@@pass@@rootdb@@p@@
+MYSQL_DATABASE=@@db@@wp@@d@@
+MYSQL_USER=@@user@@wp@@u@@
+MYSQL_PASSWORD=@@pass@@wp@@p@@
--- a/config/orgaTmpl/secret.tmpl/env-wpServ
+++ b/config/orgaTmpl/secret.tmpl/env-wpServ
@@ -0,0 +1,8 @@
+# share with wpDB
+
+WORDPRESS_DB_HOST=db:3306
+WORDPRESS_ADMIN_USER=@@user@@adminwp@@u@@
+WORDPRESS_ADMIN_PASSWORD=@@pass@@adminwp@@p@@
+WORDPRESS_DB_NAME=@@db@@wp@@d@@
+WORDPRESS_DB_USER=@@user@@wp@@u@@
+WORDPRESS_DB_PASSWORD=@@pass@@wp@@p@@
--- a/config/orgaTmpl/wiki-conf/acl.auth.php
+++ b/config/orgaTmpl/wiki-conf/acl.auth.php
@@ -1,10 +0,0 @@
-# acl.auth.php
-# <?php exit()?>
-# Don't modify the lines above
-#
-# Access Control Lists
-#
-# Auto-generated by install script
-# Date: Sat, 13 Feb 2021 17:42:28 +0000
-*	@ALL	1
-*	@user	8
--- a/config/orgaTmpl/wiki-conf/local.php
+++ b/config/orgaTmpl/wiki-conf/local.php
@@ -1,26 +0,0 @@
-<?php
-/*
- * Dokuwiki's Main Configuration File - Local Settings
- * Auto-generated by config plugin
- * Run for user: felix
- * Date: Sun, 28 Feb 2021 15:56:13 +0000
- */
-
-$conf['title'] = 'Kaz';
-$conf['template'] = 'docnavwiki';
-$conf['license'] = 'cc-by-sa';
-$conf['useacl'] = 1;
-$conf['superuser'] = '@admin';
-$conf['manager'] = '@manager';
-$conf['disableactions'] = 'register';
-$conf['remoteuser'] = '';
-$conf['mailfrom'] = 'dokuwiki@kaz.bzh';
-$conf['updatecheck'] = 0;
-$conf['userewrite'] = '1';
-$conf['useslash'] = 1;
-$conf['plugin']['ckgedit']['scayt_auto'] = 'on';
-$conf['plugin']['ckgedit']['scayt_lang'] = 'French/fr_FR';
-$conf['plugin']['ckgedit']['other_lang'] = 'fr';
-$conf['plugin']['smtp']['smtp_host'] = 'smtp.kaz.bzh';
-$conf['plugin']['todo']['CheckboxText'] = 0;
-$conf['plugin']['wrap']['restrictionType'] = '1';
--- a/config/orgaTmpl/wiki-conf/users.auth.php
+++ b/config/orgaTmpl/wiki-conf/users.auth.php
@@ -1,13 +0,0 @@
-# users.auth.php
-# <?php exit()?>
-# Don't modify the lines above
-#
-# Userfile
-#
-# Auto-generated by install script
-# Date: Sat, 13 Feb 2021 17:42:28 +0000
-#
-# Format:
-# login:passwordhash:Real Name:email:groups,comma,separated
-
-admin:$2y$10$GYvFgViXeEUmDViplHEs7eoYV8tmbfsS8wA1vfHQ.tWgW14o9aTjy:admin:contact@kaz.bzh:admin,user
--- a/config/proxy/proxy_params
+++ b/config/proxy/proxy_params
@@ -1,21 +0,0 @@
-
-#proxy_buffering off;
-#proxy_set_header X-Forwarded-Host $host:$server_port;
-#proxy_set_header X-Forwarded-Server $host;
-#XXX pb proxy_set_header Connection $proxy_connection;
-
-proxy_buffers 256 16k;
-proxy_buffer_size 16k;
-
-# mattermost
-http2_push_preload on; # Enable HTTP/2 Server Push
-add_header Strict-Transport-Security max-age=15768000;
-proxy_set_header Host $http_host;
-proxy_set_header X-Real-IP $remote_addr;
-#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
-
-#proxy_hide_header 'x-frame-options';
-#proxy_set_header x-frame-options allowall;
-proxy_set_header X-Frame-Options SAMEORIGIN;
-