diff --git a/.Jenkinsfile b/.Jenkinsfile
new file mode 100644
index 00000000..3f488638
--- /dev/null
+++ b/.Jenkinsfile
@@ -0,0 +1,50 @@
+pipeline {
+ agent { label 'docker' }
+
+ environment {
+ ROLES_VERSION = "${env.GIT_COMMIT}"
+ }
+
+ stages {
+ stage('Build tagged docker image') {
+ when {
+ buildingTag()
+ }
+ steps {
+ script {
+ def im = docker.build("evolix/ansible-roles:build${env.BUILD_ID}")
+ im.inside {
+ sh 'echo Test needed'
+ }
+ def version = TAG_NAME
+ def versions = version.split('\\.')
+ def major = versions[0]
+ def minor = versions[0] + '.' + versions[1]
+ def patch = version.trim()
+ /* No crendentials yet
+ im.push(major)
+ im.push(minor)
+ im.push(patch)
+ */
+ }
+ }
+ }
+
+ stage('Build latest docker image') {
+ when {
+ branch 'unstable'
+ }
+ steps {
+ script {
+ def im = docker.build("evolix/ansible-roles:build${env.BUILD_ID}")
+ im.inside {
+ sh 'echo Test needed'
+ }
+ /* No crendentials yet
+ im.push('latest')
+ */
+ }
+ }
+ }
+ }
+}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2429f2fe..2a162ae9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,22 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Security
+## [22.07.1] 2022-07-28
+
+### Changed
+
+* evocheck: upstream release 22.07
+* evomaintenance: upstream release 22.07
+* mongodb: replace version_compare() with version()
+* nagios-nrpe: check_disk1 returns only alerts
+* nagios-nrpe: use regexp to exclude paths/devices in check_disk1
+
+## [22.07] 2022-07-08
+
+### Added
+
+* fail2ban: Ensure apply dbpurgeage from stretch and buster
+
 ## [22.07] 2022-07-06
 ### Added
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 9391f119..1bc54d79 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -4,7 +4,7 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
-VERSION="22.06.2"
+VERSION="22.07"
 readonly VERSION
 # base functions
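Review bot: `def minor = versions[0] + '.' + versions[1]` in the tagged-image stage assumes the tag contains at least one dot; a tag such as `v1` would make `versions[1]` throw an index error and fail the build, so either guard on `versions.size() > 1` or document the expected tag format (`MAJOR.MINOR[.PATCH]`) next to the split. The comment `/* No crendentials yet` appears in both stages with a typo; `/* No credentials yet` reads correctly. While the push calls stay commented out, `major`, `minor` and `patch` are computed but unused, so a one-line comment saying the tag parsing is kept for the future push step would make the intent clear to the next reader.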
@@ -610,6 +610,14 @@ check_evobackup() {
 evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
 test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron"
 }
+# Vérification de la mise en place de la purge pour fail2ban
+check_purge_fail2ban() {
+ if is_debian_stretch || is_debian_buster; then
+ if is_installed fail2ban; then
+ test -f /etc/cron.daily/fail2ban_dbpurge || failed "IS_FAIL2BAN_PURGE" "missing script fail2ban_dbpurge cron"
+ fi
+ fi
+}
 # Vérification de l'exclusion des montages (NFS) dans les sauvegardes
 check_evobackup_exclude_mount() {
 excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX")
@@ -742,7 +750,7 @@ check_backupuptodate() {
 backup_dir="/home/backup"
 if [ -d "${backup_dir}" ]; then
 if [ -n "$(ls -A ${backup_dir})" ]; then
- find "${backup_dir}" -type f -maxdepth 1 | while read -r file; do
+ find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do
 limit=$(date +"%s" -d "now - 2 day")
 updated_at=$(stat -c "%Y" "$file")
@@ -970,7 +978,7 @@ check_mongo_backup() {
 # You could change the default path in /etc/evocheck.cf
 MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
 if [ -d "$MONGO_BACKUP_PATH" ]; then
- for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}.*; do
+ for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}*; do
 # Skip indexes file.
 if ! [[ "$file" =~ indexes ]]; then
 limit=$(date +"%s" -d "now - 2 day")
@@ -1227,8 +1235,8 @@ check_sshpermitrootno() {
 # -T doesn't require the additional -C.
 sshd_args=
 fi
- # XXX: We want parameter expension here
- if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then
+ # shellcheck disable=SC2086
+ if ! (sshd -T ${sshd_args} | grep -q 'permitrootlogin no'); then
 failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
 fi
 }
@@ -1810,6 +1818,7 @@ while :; do
 IS_UPTIME=0
 IS_MELTDOWN_SPECTRE=0
 IS_CHECK_VERSIONS=0
+ IS_NETWORKING_SERVICE=0
 ;;
 -v|--verbose)
 VERBOSE=1
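Review bot: check_purge_fail2ban only verifies that `/etc/cron.daily/fail2ban_dbpurge` exists; since run-parts skips non-executable files, a script copied without its execute bit would pass this check while never purging, so `test -x /etc/cron.daily/fail2ban_dbpurge || failed "IS_FAIL2BAN_PURGE" "missing script fail2ban_dbpurge cron"` is the stricter test. The new `IS_FAIL2BAN_PURGE` key has no counterpart in the option-reset list changed in the `@@ -1810` hunk of this file, which gains only `IS_NETWORKING_SERVICE=0`; if that list is meant to disable every check, `IS_FAIL2BAN_PURGE=0` looks missing there. The default value of `IS_FAIL2BAN_PURGE` and the call site of the new function are outside the hunks, so I cannot confirm they were added.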
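Review bot: In check_sshpermitrootno, `grep -q 'permitrootlogin no'` is a substring match over the `sshd -T` dump; matching the whole line with `grep -qx 'permitrootlogin no'` makes the intent explicit and rules out accidental matches from other keywords or values that merely contain that text. Replacing the old `# XXX` comment with the bare `# shellcheck disable=SC2086` directive drops the explanation of why the variable is left unquoted; `# shellcheck disable=SC2086  # word splitting of ${sshd_args} is intended` keeps both the directive and the reason. The start of the function, where `sshd_args` is populated, is outside the hunk.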
diff --git a/evomaintenance/files/evomaintenance.sh b/evomaintenance/files/evomaintenance.sh index 3903f2ef..bce0e562 100644 --- a/evomaintenance/files/evomaintenance.sh +++ b/evomaintenance/files/evomaintenance.sh @@ -7,7 +7,7 @@ # Copyright 2007-2022 Evolix , Gregory Colpart , # Jérémy Lecour and others. -VERSION="22.01" +VERSION="22.07" show_version() { cat < datetime(timeofban, 'unixepoch'); VACUUM;" diff --git a/fail2ban/tests/test.yml b/fail2ban/tests/test.yml index 67c6e10c..59e70a73 100644 --- a/fail2ban/tests/test.yml +++ b/fail2ban/tests/test.yml @@ -1,4 +1,6 @@ --- -- hosts: test-kitchen +- hosts: all + become: yes +# gather_facts: no roles: - role: fail2ban diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index 86bfc0eb..17ff759a 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 @@ -488,8 +488,8 @@ EOT fi # Dovecot -if is_pkg_installed dovecot-common; then - dovecot_version=$(get_pkg_version dovecot-common) +if is_pkg_installed dovecot-core; then + dovecot_version=$(get_pkg_version dovecot-core) fi if [ -n "${dovecot_version}" ]; then cat <> "${ldif_file}" diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index e31ffed3..78459863 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -4,7 +4,7 @@ msg: Not compatible with Debian 11 (Bullseye) when: - ansible_distribution_release == "bullseye" - - mongodb_version is version_compare('5.0', '<=') + - mongodb_version is version('5.0', '<=') - name: MongoDB embedded GPG key is absent diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index d3d102f0..b007b3a8 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 
@@ -9,7 +9,7 @@ allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
 # System checks
 command[check_load]=/usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7
 command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
-command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home
+command[check_disk1]=/usr/lib/nagios/plugins/check_disk -e -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home -x /lib/init/rw -x /dev -x /dev/shm -x /run -I '^/run/' -I '^/sys/'
 command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
 command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600
 command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
diff --git a/packweb-apache/files/userlogrotate b/packweb-apache/files/userlogrotate
index 897c077b..7ed42668 100644
--- a/packweb-apache/files/userlogrotate
+++ b/packweb-apache/files/userlogrotate
@@ -5,7 +5,6 @@ HOMEPREFIX="/home"
 rotate () {
 mv $1 $1.$DATE
- gzip $1.$DATE
 touch $1
 chown $2 $1
 chmod g+r $1
@@ -36,5 +35,21 @@ fi;
 test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1
+# Zipping is done after web server reload, so that the file descriptor is released.
+# Else, an error is raised (gzip file size changed while zipping)
+# and logs written during the zipping process might be lost.
+
+for log in access.log access-*.log error.log; do
+ for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do
+ gzip $i
+ done
+done
+
+for log in production.log delayed_job.log development.log test.log; do
+ for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do
+ gzip $i
+ done
+done
+
 # we want exit 0
 true
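Review bot: The two new gzip loops in userlogrotate parse `ls` output and use `$i` unquoted, so any path under `$HOMEPREFIX` containing whitespace is split into several words before reaching `gzip`, and the unquoted `\.bak\.` reaches grep as the regex `.bak.` once the shell strips the backslashes, where each `.` matches any character rather than a literal dot. Iterating the glob directly and filtering with `case` removes the `ls` parsing and the quoting problems; the second loop additionally relies on brace expansion (`{,current/}`), which requires bash rather than POSIX sh, and the shebang is outside the hunk, so please confirm the interpreter. The rewritten first loop is below; the second loop gets the same treatment with its own path pattern.
```shell
for log in access.log access-*.log error.log; do
  for i in "$HOMEPREFIX"/*/log/$log; do
    case "$i" in *.bak.*) continue ;; esac
    [ -f "$i" ] && gzip "$i"
  done
done
# … unchanged: same rewrite applied to the www/{,current/}log loop …
```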
diff --git a/packweb-apache/tasks/update_userlogrotate.yml b/packweb-apache/tasks/update_userlogrotate.yml
new file mode 100644
index 00000000..a94080b0
--- /dev/null
+++ b/packweb-apache/tasks/update_userlogrotate.yml
@@ -0,0 +1,16 @@
+---
+
+- name: "Cherche l'emplacement de userlogrotate"
+ ansible.builtin.find:
+ path: /etc
+ patterns: userlogrotate
+ register: find_logrotate
+
+- name: "Met-à-jour userlogrotate"
+ ansible.builtin.copy:
+ src: userlogrotate
+ dest: "{{ item }}"
+ mode: "0755"
+ loop: "{{ find_logrotate.files }}"
+ when: find_logrotate.files | length>0
+
diff --git a/php/files/sury.preferences b/php/files/sury.preferences
index cc4901c2..15aa9c16 100644
--- a/php/files/sury.preferences
+++ b/php/files/sury.preferences
@@ -1,4 +1,4 @@
-Package: php* libapache2-mod-php* libpcre2* libzip4*
+Package: php* libapache2-mod-php* libpcre2* libzip4* libgd*
 Pin: origin packages.sury.org
 Pin-Priority: 999
diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml
index c421fe04..13dcc4ec 100644
--- a/php/tasks/sury_pre.yml
+++ b/php/tasks/sury_pre.yml
@@ -40,3 +40,4 @@
 - php-ssh2
 - composer
 - libphp-phpmailer
+ when: ansible_distribution_release != "bullseye"
diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2
index d9d90836..82b94afa 100644
--- a/postfix/templates/packmail_main.cf.j2
+++ b/postfix/templates/packmail_main.cf.j2
@@ -412,8 +412,8 @@ smtpd_sasl_path = private/auth-client
 # Amavis and OpenDKIM
 content_filter = smtp-amavis:[127.0.0.1]:10024
-smtpd_milters = inet:[127.0.0.1]:54321
-non_smtpd_milters = inet:[127.0.0.1]:54321
+smtpd_milters = inet:[127.0.0.1]:8891
+non_smtpd_milters = inet:[127.0.0.1]:8891
 {% if postfix_slow_transport_include == True %}
 # Slow transports configuration
diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml
index 7f94281b..88f2dbb6 100644
--- a/webapps/evoadmin-mail/tasks/main.yml
+++ b/webapps/evoadmin-mail/tasks/main.yml
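Review bot: `dest: "{{ item }}"` in the copy task of update_userlogrotate.yml receives a whole result entry from `ansible.builtin.find` (a dict with `path`, `mode` and other fields), not a path string, so the copy either fails or targets a nonsense destination; it should be `dest: "{{ item.path }}"`. The `when: find_logrotate.files | length>0` guard is redundant with `loop:`, since an empty list simply iterates zero times; if kept for readability, write it `length > 0`. `mode: "0755"` replaces whatever permissions the discovered script had; if the existing mode should be preserved, `mode: "{{ item.mode }}"` is available from the same find result.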
@@ -1,4 +1,9 @@
 ---
+
+- name: Remount /usr RW
+ include_role:
+ name: evolix/remount-usr
+
 - name: Install evoadmin-mail package
 apt:
 deb: /tmp/evoadmin-mail.deb
diff --git a/webapps/roundcube/templates/apache2.conf.j2 b/webapps/roundcube/templates/apache2.conf.j2
index 01c25f3a..87bdf79e 100644
--- a/webapps/roundcube/templates/apache2.conf.j2
+++ b/webapps/roundcube/templates/apache2.conf.j2
@@ -9,7 +9,7 @@ ServerName {{ roundcube_host }}
 # Repertoire principal
- DocumentRoot /var/lib/roundcube/
+ DocumentRoot /var/lib/roundcube/public_html
 # Return 503 if imapproxy doesn't run
diff --git a/webapps/roundcube/templates/nginx.conf.j2 b/webapps/roundcube/templates/nginx.conf.j2
index 1719c407..66dcb8a5 100644
--- a/webapps/roundcube/templates/nginx.conf.j2
+++ b/webapps/roundcube/templates/nginx.conf.j2
@@ -10,7 +10,7 @@ server {
 access_log /var/log/nginx/.{{ roundcube_host }}.access.log;
 error_log /var/log/nginx/.{{ roundcube_host }}.error.log;
- root /var/lib/roundcube/;
+ root /var/lib/roundcube/public_html;
 index index.php;
 location / {