Merge pull request 'Release 22.01' (#142) from unstable into stable
Some checks reported errors
continuous-integration/drone/tag Build was killed
continuous-integration/drone/push Build was killed

Reviewed-on: #142
Jérémy Lecour 2022-01-25 18:30:07 +01:00
commit 2c6a3601de
201 changed files with 5250 additions and 871 deletions

@ -4,9 +4,9 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
This project does not follow semantic versioning. This project does not follow semantic versioning.
The **major** part of the version is aligned with the stable version of Debian. The **major** part of the version is the year
The **minor** part changes with big changes (probably incompatible). The **minor** part changes is the month
The **patch** part changes incrementally at each release. The **patch** part changes is incremented if multiple releases happen the same month
## [Unreleased] ## [Unreleased]
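Review bot: the three rewritten version-pattern sentences at the end of the hunk are ungrammatical ("The **minor** part changes is the month", "The **patch** part changes is incremented if multiple releases happen the same month") and the first one lost its final period; suggest "The **major** part of the version is the year.", "The **minor** part is the month." and "The **patch** part is incremented if multiple releases happen in the same month." so the three lines read as one rule.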
@ -20,6 +20,91 @@ The **patch** part changes incrementally at each release.
### Security ### Security
## [22.01] 2022-01-25
### Added
* Support for Debian 11 « Bullseye » (with possible remaining blind spots)
* apache: new variable for MPM mode (+ updated default config accordingly)
* apache: prevent accessing Git or "env" related files
* certbot: add script for manual deploy hooks execution
* docker-host: install additional dependencies
* dovecot: switch to TLS 1.2+ and external DH params
* etc-git: centralize cron jobs in dedicated crontab
* etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
* evolinux-base: add script backup-server-state
* evolinux-base: configure top and htop to display the swap column
* evolinux-base: install molly-guard by default
* generate-ldif: detect RAID controller
* generate-ldif: detect mdadm
* listupgrade: crontab is configurable
* logstash: logging to syslog is configurable (default: True)
* mongodb: create munin plugins directory if missing
* munin: systemd override to unprotect home directory
* mysql: add evomariabackup 21.11
* mysql: improve Bullseye compatibility
* mysql: script "mysql_connections" to display a compact list of connections
* mysql: script "mysql-queries-killer.sh" to kill MySQL queries
* nagios-nrpe + evolinux-users: new check for ipmi
* nagios-nrpe + evolinux-users: new check for RAID (soft + hard)
* nagios-nrpe + evolinux-users: new checks for bkctld
* nagios-nrpe: new check influxdb
* openvpn: new role (beta)
* redis: instance service for Debian 11
* squid: add *.o.lencr.org to default whitelist
### Changed
* Change version pattern
* Install python 2 or 3 libraries according to running python version
* Remove embedded GPG keys only if legacy keyring is present
* apt: remove workaround for Evolix public repositories with Debian 11
* apt: upgrade packages after all the configuration is done
* apt: use the new security repository for Bullseye
* certbot: silence letsencrypt deprecation warnings
* elasticsearch: elastic_stack_version = 7.x
* evoacme: exclude renewal-hooks directory from cron
* evoadmin-web: simpler PHP packages lists
* evocheck: upstream release 21.10.4
* evolinux-base: alert5 comes after the network
* evolinux-base: force Debian version to buster for Evolix repository (temporary)
* evolinux-base: install freeipmi by default on dedicated hw
* evolinux-base: logs are rotated with dateext by default
* evolinux-base: split dpkg logrotate configuration
* evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
* evomaintenance: extract a config.yml tasks file
* evomaintenance: upstream release 22.01
* filebeat/metricbeat: elastic_stack_version = 7.x
* kibana: elastic_stack_version = 7.x
* listupgrade: old-kernel-removal version 21.10
* listupgrade: upstream release 21.06.3
* logstash: elastic_stack_version = 7.x
* mongodb: Allow to specify a mongodb version for buster & bullseye
* mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
* mongodb: Support version 5.0 (for buster)
* mysql: use python3 and mariadb-client-10.5 with Debian 11 and later
* nodejs: default to version 16 LTS
* php: enforce Debian version with assert instead of fail
* squid: improve default whitelist (more specific patterns)
* squid: must be started in foreground mode for systemd
* squid: remove obsolete variable on Squid 4
### Fixed
* evolinux-base: fix alert5.service dependency syntax
* certbot: sync_remote excludes itself
* lxc-php: fix config for opensmtpd on bullseye containers
* mysql : Create a default ~root/.my.cnf for compatibility reasons
* nginx : fix variable name and debug to actually use nginx-light
* packweb-apache : Support php 8.0
* nagios-nrpe: Fix check_nfsserver for buster and bullseye
### Removed
* evocheck: package install is not supported anymore
* logstash: no more dependency on Java
* php: remove php-gettext for 7.4
## [10.6.0] 2021-06-28 ## [10.6.0] 2021-06-28
### Added ### Added
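Review bot: the `### Fixed` entries for mysql, nginx and packweb-apache use `component : message` with a space before the colon while every other entry in the section uses `component: message`; normalise them. The `apache: prevent accessing Git or "env" related files` entry also understates the apache change, which additionally switches `.inc`/`.bak` files from a 403 to a 404 response (see the apache hunk below); a separate `### Changed` line would make that behaviour change visible to operators.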

@ -48,12 +48,23 @@ MaxKeepAliveRequests 10
Deny from env=GoAway Deny from env=GoAway
</Directory> </Directory>
<DirectoryMatch "/\.git">
# We don't want to let the client know a file exist on the server,
# so we return 404 "Not found" instead of 403 "Forbidden".
Redirect 404
</DirectoryMatch>
<Files ~ "\.(inc|bak)$"> # File names starting with
Require all denied <FilesMatch "^\.(git|env)">
</Files> Redirect 404
</FilesMatch>
# File names ending with
<FilesMatch "\.(inc|bak)$">
Redirect 404
</FilesMatch>
<LocationMatch "^/evolinux_fpm_status-.*"> <LocationMatch "^/evolinux_fpm_status-.*">
Require all denied Require all denied
</LocationMatch> </LocationMatch>
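Review bot: the `.inc`/`.bak` block changes behaviour, not only form: the old `<Files ~ "\.(inc|bak)$">` answered `Require all denied` (403) and the new `<FilesMatch "\.(inc|bak)$">` answers `Redirect 404`; that is consistent with the comment above it (do not disclose that the file exists) but it deserves its own changelog line. Two smaller points: `exist` in the comment should be `exists`, and `<FilesMatch "^\.(git|env)">` is anchored only at the start, so it also matches `.gitignore`, `.gitattributes`, `.env.local` and the like; if that breadth is intended, state it in the comment, otherwise anchor the pattern with `$`.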

@ -33,6 +33,7 @@
- debug: - debug:
var: apache_serverstatus_suffix var: apache_serverstatus_suffix
verbosity: 1
- name: replace server-status suffix in default site index - name: replace server-status suffix in default site index
replace: replace:

@ -0,0 +1,3 @@
Package: *
Pin: release a=bullseye-backports
Pin-Priority: 50
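Review bot: `Pin-Priority: 50` is below 100, so a package that was deliberately installed from bullseye-backports will never be upgraded from backports afterwards (APT only installs a version with priority below 100 when no version of the package is installed at all). Debian's backports archive already ships at priority 100 through its `NotAutomatic`/`ButAutomaticUpgrades` flags, which does not pull packages in unasked but does keep already-installed backports up to date, including their fixes. If the intent is "never from backports unless requested with `-t`, but keep what was requested current", 100 is the right value; if 50 is deliberate, add a comment saying backports packages have to be upgraded by hand.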

@ -19,6 +19,7 @@
- /etc/apt/sources.list.d/debian-jessie.list - /etc/apt/sources.list.d/debian-jessie.list
- /etc/apt/sources.list.d/debian-stretch.list - /etc/apt/sources.list.d/debian-stretch.list
- /etc/apt/sources.list.d/debian-buster.list - /etc/apt/sources.list.d/debian-buster.list
- /etc/apt/sources.list.d/debian-bullseye.list
- /etc/apt/sources.list.d/debian-update.list - /etc/apt/sources.list.d/debian-update.list
when: apt_clean_gandi_sourceslist | bool when: apt_clean_gandi_sourceslist | bool
tags: tags:

@ -39,17 +39,3 @@
when: apt_remove_aptitude | bool when: apt_remove_aptitude | bool
tags: tags:
- apt - apt
- name: Updating APT cache
apt:
update_cache: yes
changed_when: False
tags:
- apt
- name: Upgrading system
apt:
upgrade: dist
when: apt_upgrade | bool
tags:
- apt

@ -1,10 +1,18 @@
--- ---
- name: Look for legacy apt keyring
stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Evolix embedded GPG key is absent - name: Evolix embedded GPG key is absent
apt_key: apt_key:
id: "B8612B5D" id: "B8612B5D"
keyring: /etc/apt/trusted.gpg keyring: /etc/apt/trusted.gpg
state: absent state: absent
when: _trusted_gpg_keyring.stat.exists
tags: tags:
- apt - apt

@ -37,3 +37,17 @@
when: apt_install_hold_packages | bool when: apt_install_hold_packages | bool
tags: tags:
- apt - apt
- name: Updating APT cache
apt:
update_cache: yes
changed_when: False
tags:
- apt
- name: Upgrading system
apt:
upgrade: dist
when: apt_upgrade | bool
tags:
- apt

@ -0,0 +1,3 @@
# {{ ansible_managed }}
deb http://mirror.evolix.org/debian bullseye-backports {{ apt_backports_components | mandatory }}

@ -0,0 +1,5 @@
# {{ ansible_managed }}
deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }}
deb https://deb.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}
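Review bot: `bullseye` and `bullseye-updates` are fetched from `http://mirror.evolix.org` while `bullseye-security` uses `https://deb.debian.org`; APT's signature verification protects integrity on both, so this is not a correctness issue, but mixing schemes in one sources file invites questions, so either use https for the mirror too or add a comment explaining the split. Minor: the `bullseye` line uses `.../debian` and the `bullseye-updates` line `.../debian/` (trailing slash); pick one spelling.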

@ -0,0 +1,8 @@
---
# Force facts until Debian 11 is released because Ansible is dumb
- set_fact:
ansible_distribution_major_version: 11
ansible_distribution: "Debian"
ansible_distribution_release: "bullseye"
when: "ansible_lsb.codename == 'bullseye' or ansible_lsb.release == 'testing/unstable'"
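Review bot: the `when:` clause dereferences `ansible_lsb.codename` and `ansible_lsb.release` without a default; on hosts where `lsb-release` is not installed `ansible_lsb` is an empty dict, and the task then fails with an undefined-attribute error instead of being skipped. Suggest `ansible_lsb.codename | default('') == 'bullseye' or ansible_lsb.release | default('') == 'testing/unstable'`. The comment "Force facts until Debian 11 is released" is also stale in a release dated 2022-01-25 (Bullseye shipped in August 2021); say which Ansible versions still misreport the distribution facts, so the file can be dropped once none of them are in use.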

@ -14,8 +14,15 @@ debug() {
found_renewed_lineage() { found_renewed_lineage() {
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem" test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
} }
cert_content() {
openssl x509 -text -in "${RENEWED_LINEAGE}/fullchain.pem"
}
domain_from_cert() { domain_from_cert() {
openssl x509 -noout -subject -in "${RENEWED_LINEAGE}/fullchain.pem" | sed 's/^.*CN\ *=\ *//' if cert_content | grep -q "X509v3 Subject Alternative Name:" && cert_content | grep -q "DNS:"; then
cert_content | grep "DNS:" | sed -e 's/\s\+//g' -e 's/DNS://g'
else
cert_content | sed 's/^.*CN\ *=\ *//'
fi
} }
main() { main() {
if [ -z "${RENEWED_LINEAGE}" ]; then if [ -z "${RENEWED_LINEAGE}" ]; then
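Review bot: `domain_from_cert` changes its output shape: the new SAN branch prints every `DNS:` entry as one comma-separated line (`name1,name2,...`, whitespace stripped), whereas the CN fallback still prints a single name, so any caller that expected exactly one domain now receives a list; confirm the callers handle both forms. Two smaller notes: `\s\+` in `sed` is a GNU extension (fine on Debian, but worth a comment in a shell script), and `openssl x509 -text` on `fullchain.pem` decodes only the first certificate in the bundle, which is the leaf and therefore what is wanted here.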
@ -40,11 +47,11 @@ main() {
rsync --archive --copy-links --delete "${RENEWED_LINEAGE}/" "${remote_host}:${remote_lineage}/" \ rsync --archive --copy-links --delete "${RENEWED_LINEAGE}/" "${remote_host}:${remote_lineage}/" \
|| error "Couldn't sync certificate on ${server}" || error "Couldn't sync certificate on ${server}"
rsync --archive --copy-links --delete --exclude $0 --delete-excluded "${hooks_dir}/" "${remote_host}:${remote_dir}/hooks/" \ rsync --archive --copy-links --delete --exclude "$(basename "$0")" --delete-excluded "${hooks_dir}/" "${remote_host}:${remote_dir}/hooks/" \
|| error "Couldn't sync hooks on ${server}" || error "Couldn't sync hooks on ${server}"
# shellcheck disable=SC2029 # shellcheck disable=SC2029
ssh "${remote_host}" "export RENEWED_LINEAGE=\"${remote_lineage}/\" RENEWED_DOMAINS=${RENEWED_DOMAINS}; find ${remote_dir}/hooks/ -mindepth 1 -maxdepth 1 -type f -executable -exec {} \;" \ ssh "${remote_host}" "export RENEWED_LINEAGE=\"${remote_lineage}/\" RENEWED_DOMAINS=\"${RENEWED_DOMAINS}\"; find ${remote_dir}/hooks/ -mindepth 1 -maxdepth 1 -type f -executable -exec {} \;" \
|| error "Something went wrong on ${server} for deploy hooks" || error "Something went wrong on ${server} for deploy hooks"
done done
else else
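Review bot: the `--exclude "$(basename "$0")"` fix is correct: an rsync exclude pattern that starts with `/` is anchored to the top of the transfer, so the old absolute `$0` never matched and the script synced a copy of itself into the remote hooks directory, where the `find ... -type f -executable -exec {} \;` loop in the following `ssh` command would have executed it. In that `ssh` command `RENEWED_DOMAINS` is now quoted, but `${remote_dir}/hooks/` passed to `find` is still bare; quote it the same way, since the whole string is re-parsed by the remote shell.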

@ -0,0 +1,40 @@
#!/bin/sh
set -u
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
found_renewed_lineage() {
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
}
main() {
if [ -z "${RENEWED_LINEAGE:-}" ]; then
error "Missing RENEWED_LINEAGE environment variable (usually provided by certbot)."
fi
if [ "${VERBOSE}" = "1" ]; then
xargs_verbose="--verbose"
else
xargs_verbose=""
fi
if found_renewed_lineage; then
find "${hooks_dir}" -mindepth 1 -maxdepth 1 -type f -executable -print0 | sort --zero-terminated --dictionary-order | xargs ${xargs_verbose} --no-run-if-empty --null --max-args=1 sh -c
else
error "Couldn't find required files in \`${RENEWED_LINEAGE}'"
fi
}
PROGNAME=$(basename "$0")
VERBOSE=${VERBOSE:-"0"}
QUIET=${QUIET:-"0"}
hooks_dir="/etc/letsencrypt/renewal-hooks/deploy"
main
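Review bot: the `xargs ... --max-args=1 sh -c` pipeline passes each hook path as the command string of `sh -c`, so the path is re-parsed by the shell and a hook whose name contains a space or a shell metacharacter is split or interpreted; use `sh -c 'exec "$0"'` (the path then arrives as `$0` and is executed verbatim) or `xargs --null -I{} {}`, or reuse the `find ... -exec {} \;` form the sync_remote hook already uses. Smaller points: `debug()` is defined but never called; `hooks_dir`, `VERBOSE` and `QUIET` are assigned after the function bodies, which works only because `main` is invoked last, and a one-line comment saying so would save the next reader a check; and since `set -u` is on, the `${RENEWED_LINEAGE:-}` default in `main` is what keeps the missing-variable case reaching `error` instead of aborting with the shell's own message.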

@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then
fi fi
VENV_BIN="$VENV_PATH/bin" VENV_BIN="$VENV_PATH/bin"
BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt" BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
LE_AUTO_VERSION="1.9.0" LE_AUTO_VERSION="1.14.0"
BASENAME=$(basename $0) BASENAME=$(basename $0)
USAGE="Usage: $BASENAME [OPTIONS] USAGE="Usage: $BASENAME [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates A self-updating wrapper script for the Certbot ACME client. When run, updates
@ -497,7 +497,7 @@ Python36SclIsAvailable() {
# Try to enable rh-python36 from SCL if it is necessary and possible. # Try to enable rh-python36 from SCL if it is necessary and possible.
EnablePython36SCL() { EnablePython36SCL() {
if "$EXISTS" python3.6 > /dev/null 2>/dev/null; then if "$EXISTS" python3.6 > /dev/null 2> /dev/null; then
return 0 return 0
fi fi
if [ ! -f /opt/rh/rh-python36/enable ]; then if [ ! -f /opt/rh/rh-python36/enable ]; then
@ -799,15 +799,15 @@ BootstrapMageiaCommon() {
# that function. If Bootstrap is set to a function that doesn't install any # that function. If Bootstrap is set to a function that doesn't install any
# packages BOOTSTRAP_VERSION is not set. # packages BOOTSTRAP_VERSION is not set.
if [ -f /etc/debian_version ]; then if [ -f /etc/debian_version ]; then
Bootstrap() { DEPRECATED_OS=1
BootstrapMessage "Debian-based OSes" NO_SELF_UPGRADE=1
BootstrapDebCommon
}
BOOTSTRAP_VERSION="BootstrapDebCommon $BOOTSTRAP_DEB_COMMON_VERSION"
elif [ -f /etc/mageia-release ]; then elif [ -f /etc/mageia-release ]; then
# Mageia has both /etc/mageia-release and /etc/redhat-release # Mageia has both /etc/mageia-release and /etc/redhat-release
DEPRECATED_OS=1 DEPRECATED_OS=1
NO_SELF_UPGRADE=1
elif [ -f /etc/redhat-release ]; then elif [ -f /etc/redhat-release ]; then
DEPRECATED_OS=1
NO_SELF_UPGRADE=1
# Run DeterminePythonVersion to decide on the basis of available Python versions # Run DeterminePythonVersion to decide on the basis of available Python versions
# whether to use 2.x or 3.x on RedHat-like systems. # whether to use 2.x or 3.x on RedHat-like systems.
# Then, revert LE_PYTHON to its previous state. # Then, revert LE_PYTHON to its previous state.
@ -815,7 +815,7 @@ elif [ -f /etc/redhat-release ]; then
unset LE_PYTHON unset LE_PYTHON
DeterminePythonVersion "NOCRASH" DeterminePythonVersion "NOCRASH"
RPM_DIST_NAME=`(. /etc/os-release 2>/dev/null && echo $ID) || echo "unknown"` RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
if [ "$PYVER" -eq 26 -a $(uname -m) != 'x86_64' ]; then if [ "$PYVER" -eq 26 -a $(uname -m) != 'x86_64' ]; then
# 32 bits CentOS 6 and affiliates are not supported anymore by certbot-auto. # 32 bits CentOS 6 and affiliates are not supported anymore by certbot-auto.
@ -825,7 +825,7 @@ elif [ -f /etc/redhat-release ]; then
# Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on # Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on
# '.' characters (e.g. "8.0" becomes "8"). If the command exits with an # '.' characters (e.g. "8.0" becomes "8"). If the command exits with an
# error, RPM_DIST_VERSION is set to "unknown". # error, RPM_DIST_VERSION is set to "unknown".
RPM_DIST_VERSION=$( (. /etc/os-release 2>/dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown") RPM_DIST_VERSION=$( (. /etc/os-release 2> /dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown")
# If RPM_DIST_VERSION is an empty string or it contains any nonnumeric # If RPM_DIST_VERSION is an empty string or it contains any nonnumeric
# characters, the value is unexpected so we set RPM_DIST_VERSION to 0. # characters, the value is unexpected so we set RPM_DIST_VERSION to 0.
@ -840,12 +840,7 @@ elif [ -f /etc/redhat-release ]; then
INTERACTIVE_BOOTSTRAP=1 INTERACTIVE_BOOTSTRAP=1
fi fi
Bootstrap() {
BootstrapMessage "Legacy RedHat-based OSes that will use Python3"
BootstrapRpmPython3Legacy
}
USE_PYTHON_3=1 USE_PYTHON_3=1
BOOTSTRAP_VERSION="BootstrapRpmPython3Legacy $BOOTSTRAP_RPM_PYTHON3_LEGACY_VERSION"
# Try now to enable SCL rh-python36 for systems already bootstrapped # Try now to enable SCL rh-python36 for systems already bootstrapped
# NB: EnablePython36SCL has been defined along with BootstrapRpmPython3Legacy in certbot-auto # NB: EnablePython36SCL has been defined along with BootstrapRpmPython3Legacy in certbot-auto
@ -864,43 +859,38 @@ elif [ -f /etc/redhat-release ]; then
fi fi
if [ "$RPM_USE_PYTHON_3" = 1 ]; then if [ "$RPM_USE_PYTHON_3" = 1 ]; then
Bootstrap() {
BootstrapMessage "RedHat-based OSes that will use Python3"
BootstrapRpmPython3
}
USE_PYTHON_3=1 USE_PYTHON_3=1
BOOTSTRAP_VERSION="BootstrapRpmPython3 $BOOTSTRAP_RPM_PYTHON3_VERSION"
else
Bootstrap() {
BootstrapMessage "RedHat-based OSes"
BootstrapRpmCommon
}
BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
fi fi
fi fi
LE_PYTHON="$prev_le_python" LE_PYTHON="$prev_le_python"
elif [ -f /etc/os-release ] && `grep -q openSUSE /etc/os-release` ; then elif [ -f /etc/os-release ] && `grep -q openSUSE /etc/os-release` ; then
DEPRECATED_OS=1 DEPRECATED_OS=1
NO_SELF_UPGRADE=1
elif [ -f /etc/arch-release ]; then elif [ -f /etc/arch-release ]; then
DEPRECATED_OS=1 DEPRECATED_OS=1
NO_SELF_UPGRADE=1
elif [ -f /etc/manjaro-release ]; then elif [ -f /etc/manjaro-release ]; then
DEPRECATED_OS=1 DEPRECATED_OS=1
NO_SELF_UPGRADE=1
elif [ -f /etc/gentoo-release ]; then elif [ -f /etc/gentoo-release ]; then
DEPRECATED_OS=1 DEPRECATED_OS=1
NO_SELF_UPGRADE=1
elif uname | grep -iq FreeBSD ; then elif uname | grep -iq FreeBSD ; then
DEPRECATED_OS=1 DEPRECATED_OS=1
NO_SELF_UPGRADE=1
elif uname | grep -iq Darwin ; then elif uname | grep -iq Darwin ; then
DEPRECATED_OS=1 DEPRECATED_OS=1
NO_SELF_UPGRADE=1
elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then
Bootstrap() { DEPRECATED_OS=1
ExperimentalBootstrap "Amazon Linux" BootstrapRpmCommon NO_SELF_UPGRADE=1
}
BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then
DEPRECATED_OS=1 DEPRECATED_OS=1
NO_SELF_UPGRADE=1
else else
DEPRECATED_OS=1 DEPRECATED_OS=1
NO_SELF_UPGRADE=1
fi fi
# We handle this case after determining the normal bootstrap version to allow # We handle this case after determining the normal bootstrap version to allow
@ -1122,15 +1112,17 @@ if [ "$1" = "--le-auto-phase2" ]; then
if [ "$DEPRECATED_OS" = 1 ]; then if [ "$DEPRECATED_OS" = 1 ]; then
# Phase 2 damage control mode for deprecated OSes. # Phase 2 damage control mode for deprecated OSes.
# In this situation, we bypass any bootstrap or certbot venv setup. # In this situation, we bypass any bootstrap or certbot venv setup.
error "Your system is not supported by certbot-auto anymore." # error "Your system is not supported by certbot-auto anymore."
if [ ! -d "$VENV_PATH" ] && OldVenvExists; then if [ ! -d "$VENV_PATH" ] && OldVenvExists; then
VENV_BIN="$OLD_VENV_PATH/bin" VENV_BIN="$OLD_VENV_PATH/bin"
fi fi
if [ -f "$VENV_BIN/letsencrypt" -a "$INSTALL_ONLY" != 1 ]; then if [ -f "$VENV_BIN/letsencrypt" -a "$INSTALL_ONLY" != 1 ]; then
error "Certbot will no longer receive updates." # error "certbot-auto and its Certbot installation will no longer receive updates."
error "Please visit https://certbot.eff.org/ to check for other alternatives." # error "You will not receive any bug fixes including those fixing server compatibility"
# error "or security problems."
# error "Please visit https://certbot.eff.org/ to check for other alternatives."
"$VENV_BIN/letsencrypt" "$@" "$VENV_BIN/letsencrypt" "$@"
exit 0 exit 0
else else
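Review bot: commenting out the four `error` calls in the deprecated-OS branch removes the only signal that this Certbot installation will not receive updates ("You will not receive any bug fixes including those fixing server compatibility or security problems"); the script now runs `$VENV_BIN/letsencrypt` silently on an unsupported stack. If the role has to keep the old venv working on the Debian 8 hosts it still targets, replace the exiting `error` with a non-fatal one-line message to stderr so the condition stays visible in cron mail and logs, and record in the script's header that these lines differ from upstream.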
@ -1497,18 +1489,18 @@ letsencrypt==0.7.0 \
--hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \ --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
--hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9 --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9
certbot==1.9.0 \ certbot==1.14.0 \
--hash=sha256:d5a804d32e471050921f7b39ed9859e2e9de02824176ed78f57266222036b53a \ --hash=sha256:67b4d26ceaea6c7f8325d0d45169e7a165a2cabc7122c84bc971ba068ca19cca \
--hash=sha256:2ff9bf7d9af381c7efee22dec2dd6938d9d8fddcc9e11682b86e734164a30b57 --hash=sha256:959ea90c6bb8dca38eab9772722cb940972ef6afcd5f15deef08b3c3636841eb
acme==1.9.0 \ acme==1.14.0 \
--hash=sha256:d8061b396a22b21782c9b23ff9a945b23e50fca2573909a42f845e11d5658ac5 \ --hash=sha256:4f48c41261202f1a389ec2986b2580b58f53e0d5a1ae2463b34318d78b87fc66 \
--hash=sha256:38a1630c98e144136c62eec4d2c545a1bdb1a3cd4eca82214be6b83a1f5a161f --hash=sha256:61daccfb0343628cbbca551a7fc4c82482113952c21db3fe0c585b7c98fa1c35
certbot-apache==1.9.0 \ certbot-apache==1.14.0 \
--hash=sha256:09528a820d57e54984d490100644cd8a6603db97bf5776f86e95795ecfacf23d \ --hash=sha256:b757038db23db707c44630fecb46e99172bd791f0db5a8e623c0842613c4d3d9 \
--hash=sha256:f47fb3f4a9bd927f4812121a0beefe56b163475a28f4db34c64dc838688d9e9e --hash=sha256:887fe4a21af2de1e5c2c9428bacba6eb7c1219257bc70f1a1d8447c8a321adb0
certbot-nginx==1.9.0 \ certbot-nginx==1.14.0 \
--hash=sha256:bb2e3f7fe17f071f350a3efa48571b8ef40a8e4b6db9c6da72539206a20b70be \ --hash=sha256:8916a815437988d6c192df9f035bb7a176eab20eee0956677b335d0698d243fb \
--hash=sha256:ab26a4f49d53b0e8bf0f903e58e2a840cda233fe1cbbc54c36ff17f973e57d65 --hash=sha256:cc2a8a0de56d9bb6b2efbda6c80c647dad8db2bb90675cac03ade94bd5fc8597
UNLIKELY_EOF UNLIKELY_EOF
# ------------------------------------------------------------------------- # -------------------------------------------------------------------------

@ -8,6 +8,7 @@
- include_role: - include_role:
name: evolix/remount-usr name: evolix/remount-usr
# copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto
- name: Let's Encrypt script is present - name: Let's Encrypt script is present
copy: copy:
src: letsencrypt-auto src: letsencrypt-auto
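Review bot: the new comment "copied and customized from .../v1.14.0/letsencrypt-auto" should list the customizations (at least the commented-out deprecation `error` calls), otherwise the next version bump will re-copy upstream verbatim and silently restore the exit; a short `# local changes:` list here, or a patch file kept next to the script, keeps the divergence reviewable.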
@ -55,5 +56,5 @@
dest: "/etc/letsencrypt/cli.ini" dest: "/etc/letsencrypt/cli.ini"
section: null section: null
option: "no-self-upgrade" option: "no-self-upgrade"
value: 0 value: "no"
state: present state: present
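Review bot: `no-self-upgrade` moves from `0` to `"no"`; both spell a false value, so unless the script only greps for the key name, cli.ini still does not disable self-upgrade and the change affects only how the value is written. If the intent is to rely on the vendored 1.14.0 script forcing `NO_SELF_UPGRADE=1` on every OS, say so in a task comment; if the intent is to turn the option on, the value has to be `"yes"`/`"true"`. Either way a comment helps, because `ini_file` writes `no-self-upgrade = no` and a reader will wonder whether the double negative is deliberate.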

@ -7,17 +7,17 @@
- ansible_distribution_major_version is version('8', '>=') - ansible_distribution_major_version is version('8', '>=')
msg: only compatible with Debian 9+ msg: only compatible with Debian 9+
- name: Install legacy script on Debian 8 and 9 - name: Install legacy script on Debian 8
include: install-legacy.yml include: install-legacy.yml
when: when:
- ansible_distribution == "Debian" - ansible_distribution == "Debian"
- ansible_distribution_major_version is version('10', '<') - ansible_distribution_major_version is version('9', '<')
- name: Install package on Debian 10+ - name: Install package on Debian 9+
include: install-package.yml include: install-package.yml
when: when:
- ansible_distribution == "Debian" - ansible_distribution == "Debian"
- ansible_distribution_major_version is version('10', '>=') - ansible_distribution_major_version is version('9', '>=')
- include: acme-challenge.yml - include: acme-challenge.yml
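Review bot: the `assert` message still reads `only compatible with Debian 9+` while the condition is unchanged at `version('8', '>=')` and the next task now installs the legacy script precisely on Debian 8; make the message match (`Debian 8+`), or raise the assertion to 9 and drop the legacy path entirely.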
@ -29,6 +29,14 @@
owner: root owner: root
group: root group: root
- name: Manual deploy hook is present
copy:
src: hooks/manual-deploy.sh
dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh
mode: "0700"
owner: root
group: root
- name: "sync_remote is configured with servers" - name: "sync_remote is configured with servers"
lineinfile: lineinfile:
dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf
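Review bot: `manual-deploy.sh` is installed in `/etc/letsencrypt/renewal-hooks/`, not in `renewal-hooks/deploy/`, so certbot never runs it by itself and an operator has to invoke it with `RENEWED_LINEAGE` exported (the script errors out otherwise); put that in the task name or a comment so nobody expects it to fire on renewal. `mode: "0700"` with root ownership is appropriate, since the script executes every executable file found in the deploy directory.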

@ -6,48 +6,48 @@
value: "{{ item.value }}" value: "{{ item.value }}"
vtype: "{{ item.type }}" vtype: "{{ item.type }}"
loop: loop:
- { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' } - { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' } - { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
- { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' } - { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' } - { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' } - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
- { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' } - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
- { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' } - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' } - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
- { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' } - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' } - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' } - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' } - { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
- { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' } - { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' } - { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
- { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' } - { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' } - { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
- { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' } - { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
- { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' } - { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
- { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' } - { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/User', type: 'string', value: 'clamav' } - { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
- { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' } - { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
- { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' } - { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' } - { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
- { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' } - { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
- { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' } - { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
- { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' } - { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
- { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' } - { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' } - { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
- { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' } - { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' } - { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
- { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' } - { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
- { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' } - { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' } - { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
- { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' } - { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
- { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' } - { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
- { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' } - { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
- { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' } - { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
- { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' } - { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
- { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' } - { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/AddGroups', type: 'string', value: '' } - { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
- { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' } - { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' } - { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
tags: tags:
- clamav - clamav
@ -58,17 +58,17 @@
value: "{{ item.value }}" value: "{{ item.value }}"
vtype: "{{ item.type }}" vtype: "{{ item.type }}"
loop: loop:
- { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' } - { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
- { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' } - { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
- { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' } - { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
- { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' } - { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
- { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' } - { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
- { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' } - { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
- { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' } - { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
- { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' } - { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
- { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' } - { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
- { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' } - { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
- { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' } - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
tags: tags:
- clamav - clamav

@ -36,13 +36,26 @@
owner: root owner: root
group: root group: root
- name: Install docker and python-docker - name: Install Docker
apt: apt:
name: name:
- docker-ce - docker-ce
- python-docker - docker-ce-cli
- containerd.io
update_cache: yes update_cache: yes
- name: python-docker is installed
apt:
name: python-docker
state: present
when: ansible_python_version is version('3', '<')
- name: python3-docker is installed
apt:
name: python3-docker
state: present
when: ansible_python_version is version('3', '>=')
- name: Copy Docker daemon configuration file - name: Copy Docker daemon configuration file
template: template:
src: daemon.json.j2 src: daemon.json.j2
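Review bot: the `when: ansible_python_version is version('3', '<')` / `version('3', '>=')` guards on the new `python-docker` and `python3-docker` tasks key on the interpreter Ansible happens to use on the target, not on the distribution release, so a Debian 10 host driven with a python3 interpreter never gets `python-docker` even if local tooling still runs under Python 2, while a Bullseye host (which has no `python-docker` package) fails the apt task if it is discovered under Python 2. Keying on `ansible_distribution_major_version` states the intent directly. Also note that only the first `Install Docker` task refreshes the cache (`update_cache: yes`); the two conditional tasks depend on staying right after it.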

View file

@ -10,6 +10,11 @@
tags: tags:
- dovecot - dovecot
- name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes)
openssl_dhparam:
path: /etc/ssl/dhparams.pem
size: 4096
- name: disable pam auth - name: disable pam auth
replace: replace:
dest: /etc/dovecot/conf.d/10-auth.conf dest: /etc/dovecot/conf.d/10-auth.conf
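Review bot: the new `Generate 4096 bits Diffie-Hellman parameters` task carries no `tags:` while the neighbouring tasks are tagged `dovecot`, so a run limited with `--tags dovecot` deploys the config that references `/etc/ssl/dhparams.pem` without ever creating the file, and Dovecot then refuses to start. Give it the same tag. It is also worth an explicit `owner`/`mode` on the output (the parameters are public, but the file should not be writable by anyone but root), and a comment that the first run on a small VM can take well over the "several minutes" the task name promises.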

View file

@ -35,12 +35,27 @@ service login {
} }
mail_max_userip_connections = 42 mail_max_userip_connections = 42
# Configuration pour stats dovecot
service stats {
unix_listener stats-reader {
user = vmail
group = vmail
mode = 0660
}
unix_listener stats-writer {
user = vmail
group = vmail
mode = 0660
}
}
# SSL/TLS # SSL/TLS
ssl = yes ssl = yes
ssl_prefer_server_ciphers = yes ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048 ssl_dh=</etc/ssl/dhparams.pem
ssl_options = no_compression no_ticket ssl_options = no_compression no_ticket
ssl_protocols = !TLSv1 !TLSv1.1 ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
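Review bot: `ssl_min_protocol = TLSv1.2` and `ssl_dh=<...` (replacing `ssl_protocols` and `ssl_dh_parameters_length`) are Dovecot 2.3 directives, so this template no longer parses on Dovecot 2.2 (Debian 9); either render these lines conditionally on the distribution version or document that the role now requires Debian 10 or later. The cipher list, unchanged here, still ends with `ECDHE-ECDSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA` and the static-RSA `AES128-SHA`/`AES256-SHA` family, which sits oddly next to the TLS 1.2 minimum and external DH parameters; dropping the 3DES and non-ephemeral suites would make the hardening consistent. Minor: `ssl_dh=<` lacks the spaces around `=` used on every surrounding line.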

View file

@ -1,5 +1,5 @@
--- ---
elastic_stack_version: "6.x" elastic_stack_version: "7.x"
elasticsearch_cluster_name: Null elasticsearch_cluster_name: Null
elasticsearch_cluster_members: Null elasticsearch_cluster_members: Null
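Review bot: flipping the default `elastic_stack_version` from `6.x` to `7.x` points every existing host at the 7.x apt repository on its next run, and the resulting package upgrade is a major Elasticsearch upgrade that needs a pre-flight (deprecation log, index compatibility, cluster-wide ordering) rather than a silent default change. Call it out as breaking in the changelog and pin `elastic_stack_version: "6.x"` in inventories that must stay on 6.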

Binary file not shown.

View file

@ -8,11 +8,20 @@
- elasticsearch - elasticsearch
- packages - packages
- name: Look for legacy apt keyring
stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- elasticsearch
- packages
- name: Elastic embedded GPG key is absent - name: Elastic embedded GPG key is absent
apt_key: apt_key:
id: "D88E42B4" id: "D88E42B4"
keyring: /etc/apt/trusted.gpg keyring: /etc/apt/trusted.gpg
state: absent state: absent
when: _trusted_gpg_keyring.stat.exists
tags: tags:
- elasticsearch - elasticsearch
- packages - packages
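Review bot: the `stat` on `/etc/apt/trusted.gpg` plus `when: _trusted_gpg_keyring.stat.exists` is the right fix for Bullseye, where the legacy keyring is often absent and `apt_key ... state: absent` would otherwise fail; keep in mind that with `keyring:` set the module only edits that one file, so a copy of key `D88E42B4` that an earlier role version may have placed under `/etc/apt/trusted.gpg.d/` is left untouched. If that layout existed on older hosts, a second removal task on the drop-in file completes the cleanup.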
@ -52,4 +61,4 @@
name: elasticsearch name: elasticsearch
enabled: yes enabled: yes
tags: tags:
- elasticsearch - elasticsearch

View file

@ -1,4 +1,6 @@
--- ---
commit_message: Ansible run etc_git_default_commit_message: Ansible run
etc_git_monitor_status: True etc_git_monitor_status: True
etc_git_purge_index_lock_enabled: True
etc_git_purge_index_lock_age: 86400
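Review bot: renaming `commit_message` to `etc_git_default_commit_message` removes the default that `tasks/commit.yml` still relies on, where each `evocommit` task renders `{{ commit_message | mandatory }}`, so any play that includes the role without explicitly setting `commit_message` now fails at that filter. Either keep the old name or fall back in the tasks with `commit_message | default(etc_git_default_commit_message)`. The two new `etc_git_purge_index_lock_*` variables are also defined but nothing in this diff reads them; wire them through to whatever purges the lock (for example as `evocommit` options) or drop them until they are used.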

View file

@ -0,0 +1,11 @@
#!/bin/sh
set -u
repositories="/etc /etc/bind/ /usr/share/scripts"
for repository in ${repositories}; do
if [ -d "${repository}/.git" ]; then
git --git-dir="${repository}/.git" gc --quiet
fi
done
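Review bot: `repositories="/etc /etc/bind/ /usr/share/scripts"` mixes a trailing slash on `/etc/bind/` with none on the others, which yields `/etc/bind//.git` as the `--git-dir` and in any log line; harmless to git but worth normalising. Since the same list is duplicated verbatim in `etc-git-status`, consider rendering it once from a role variable into both scripts so that a repository added to one is not forgotten in the other.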

View file

@ -0,0 +1,11 @@
#!/bin/sh
set -u
repositories="/etc /etc/bind/ /usr/share/scripts"
for repository in ${repositories}; do
if [ -d "${repository}/.git" ]; then
git --git-dir="${repository}/.git" --work-tree="${repository}" status --short
fi
done
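Review bot: the `git ... status --short` output here is what reaches the cron mail, but nothing says which repository each line belongs to, so with three repositories a mail containing ` M foo.conf` cannot be attributed without opening each one; print `${repository}` as a header when the status is non-empty (and stay silent otherwise, so the hourly job only mails when there is something to report).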

etc-git/files/evocommit Normal file
View file

@ -0,0 +1,265 @@
#!/bin/sh
set -u
VERSION="21.10"
show_version() {
cat <<END
evocommit version ${VERSION}
Copyright 2021 Evolix <info@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>
and others.
evocommit comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public Licence for details.
END
}
show_help() {
cat <<END
evocommit helps properly committing changes in a repository
END
show_usage
}
show_usage() {
cat <<END
Usage: evocommit --repository /path/to/repository --message "add new host"
Options
--repository PATH set the path for the repository
--message MESSAGE set the commit message
-V, --version print version number
-v, --verbose increase verbosity
-n, --dry-run actions are not executed
--help print this message and exit
--version print version and exit
END
}
syslog() {
if [ -x "${LOGGER_BIN}" ]; then
${LOGGER_BIN} -t "evocommit" "$1"
fi
}
get_system() {
uname -s
}
is_repository_readonly() {
if [ "$(get_system)" = "OpenBSD" ]; then
partition=$(stat -f '%Sd' $1)
mount | grep "${partition}" | grep -q "read-only"
elif command -v findmnt >/dev/null; then
mountpoint=$(stat -c '%m' $1)
findmnt "${mountpoint}" --noheadings --output OPTIONS -O ro
else
grep /usr /proc/mounts | grep -E '\bro\b'
fi
}
remount_repository_readwrite() {
if [ "$(get_system)" = "OpenBSD" ]; then
partition=$(stat -f '%Sd' $1)
mount -u -w /dev/${partition} 2>/dev/null
else
mountpoint=$(stat -c '%m' $1)
mount -o remount,rw ${mountpoint}
syslog "Re-mount ${mountpoint} as read-write to commit in repository $1"
fi
}
remount_repository_readonly() {
if [ "$(get_system)" = "OpenBSD" ]; then
partition=$(stat -f '%Sd' $1)
mount -u -r /dev/${partition} 2>/dev/null
else
mountpoint=$(stat -c '%m' $1)
mount -o remount,ro ${mountpoint} 2>/dev/null
syslog "Re-mount ${mountpoint} as read-only after commit to repository $1"
fi
}
is_dry_run() {
test "${DRY_RUN}" = "1"
}
is_verbose() {
test "${VERBOSE}" = "1"
}
is_ansible() {
test "${ANSIBLE}" = "1"
}
main() {
rc=0
lock="${GIT_DIR}/index.lock"
if [ -f "${lock}" ]; then
limit=$(date +"%s" -d "now - 1 hour")
updated_at=$(stat -c "%Y" "${lock}")
if [ "$updated_at" -lt "$limit" ]; then
rm -f "${lock}"
fi
fi
git_status=$(${GIT_BIN} status --porcelain)
if [ -n "${git_status}" ]; then
if is_dry_run; then
${GIT_BIN} status
else
readonly_orig=0
# remount mount point read-write if currently readonly
if is_repository_readonly "${REPOSITORY}"; then
readonly_orig=1;
remount_repository_readwrite "${REPOSITORY}";
fi
author=$(logname)
email=$(git config --get user.email)
email=${email:-"${author}@evolix.net"}
# commit changes
git_add_result=$(${GIT_BIN} add --all)
git_add_rc=$?
if is_ansible; then
if [ ${git_add_rc} -ne 0 ]; then
printf "FAILED: %s\n%s" "can't add changes in ${REPOSITORY}" "${git_add_result}"
rc=1
fi
fi
git_commit_result=$(${GIT_BIN} commit --message "${MESSAGE}" --author "${author} <${email}>")
git_commit_rc=$?
if is_ansible; then
if [ ${git_commit_rc} -eq 0 ]; then
printf "CHANGED: %s\n" "commit done in ${REPOSITORY} with \`${MESSAGE}'"
else
printf "FAILED: %s\n%s" "can't commit in ${REPOSITORY} \`${MESSAGE}'" "${git_commit_result}"
rc=1
fi
fi
# remount mount point read-only if it was before
if [ ${readonly_orig} -eq 1 ]; then
remount_repository_readonly "${REPOSITORY}"
fi
fi
else
if is_ansible; then
printf "INFO: %s\n" "no commit in ${REPOSITORY}'"
fi
fi
unset GIT_DIR
unset GIT_WORK_TREE
exit ${rc}
}
# Parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
while :; do
case ${1:-''} in
-h|-\?|--help)
show_help
exit 0
;;
-V|--version)
show_version
exit 0
;;
--message)
# message options, with value speparated by space
if [ -n "$2" ]; then
MESSAGE=$2
shift
else
printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--message=?*)
# message options, with value speparated by =
MESSAGE=${1#*=}
;;
--message=)
# message options, without value
printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2
exit 1
;;
--repository)
# repository options, with value speparated by space
if [ -n "$2" ]; then
REPOSITORY=$2
shift
else
printf 'ERROR: "--repository" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--repository=?*)
# repository options, with value speparated by =
REPOSITORY=${1#*=}
;;
--repository=)
# repository options, without value
printf 'ERROR: "--repository" requires a non-empty option argument.\n' >&2
exit 1
;;
-n|--dry-run)
# disable actual commands
DRY_RUN=1
;;
-v|--verbose)
# print verbose information
VERBOSE=1
;;
--ansible)
# print information for Ansible
ANSIBLE=1
;;
--)
# End of all options.
shift
break
;;
-?*|[[:alnum:]]*)
# ignore unknown options
printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
;;
*)
# Default case: If no more options then break out of the loop.
break
;;
esac
shift
done
if [ -z "${MESSAGE}" ]; then
echo "Error: missing message parameter" >&2
show_usage
exit 1
fi
if [ -z "${REPOSITORY}" ]; then
echo "Error: missing repository parameter" >&2
show_usage
exit 1
fi
DRY_RUN=${DRY_RUN:-0}
VERBOSE=${VERBOSE:-0}
ANSIBLE=${ANSIBLE:-0}
GIT_BIN=$(command -v git)
readonly GIT_BIN
LOGGER_BIN=$(command -v logger)
readonly LOGGER_BIN
export GIT_DIR="${REPOSITORY}/.git"
export GIT_WORK_TREE="${REPOSITORY}"
if [ -d "${GIT_DIR}" ]; then
main
else
echo "There is no Git repository in '${REPOSITORY}'" >&2
exit 1
fi
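Review bot: with `set -u` at the top, the option parser trips over its own error handling: `case ${1:-''}` is guarded, but the `--message` and `--repository` branches test `$2` unguarded, so `evocommit --message` as the last argument aborts with a "parameter not set" error instead of the intended `ERROR: "--message" requires ...` message, and when an option is omitted altogether the `[ -z "${MESSAGE}" ]` and `[ -z "${REPOSITORY}" ]` checks after the loop abort the same way because the variables were never assigned. Initialise `MESSAGE=""` and `REPOSITORY=""` before the loop and use `${2:-}`. Further points: `author=$(logname)` fails when there is no controlling terminal (cron, Ansible over ssh without a tty), giving an empty author and a failing `git commit --author " <@evolix.net>"`, whereas the removed `do_commit.yml` fell back to `SUDO_USER` and then `root`; `$(${GIT_BIN} add --all)` and the commit capture stdout only, so the `FAILED:` lines print an empty reason unless `2>&1` is added; a failed `git add` still proceeds to `git commit`; the stale-lock purge hardcodes `now - 1 hour` rather than honouring the role's `etc_git_purge_index_lock_age`; `stat ... $1` in `is_repository_readonly` and both remount helpers is unquoted; the non-`findmnt` fallback greps `/usr` in `/proc/mounts` whatever repository was passed; `show_usage` lists `--version` twice and `VERBOSE` is parsed but never used; typo `speparated` in the parser comments and a stray `'` in `"no commit in ${REPOSITORY}'"`.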

View file

@ -1,3 +0,0 @@
#!/bin/sh
git --git-dir /etc/.git gc --quiet

View file

@ -1,25 +1,52 @@
--- ---
# /etc
- name: Is /etc a git repository - name: Is /etc a git repository
stat: stat:
path: /etc/.git path: /etc/.git
register: _etc_git register: _etc_git
- include: do_commit.yml - name: "evocommit /etc"
vars: command: "/usr/local/bin/evocommit --ansible --repository /etc --message \"{{ commit_message | mandatory }}\""
git_folder: "/etc" changed_when:
- _etc_git_commit.stdout
- "'CHANGED:' in _etc_git_commit.stdout"
ignore_errors: yes
register: _etc_git_commit
when: when:
- _etc_git.stat.exists - _etc_git.stat.exists
- _etc_git.stat.isdir - _etc_git.stat.isdir
# /etc/bind
- name: Is /etc/bind a git repository
stat:
path: /etc/bind/.git
register: _etc_bind_git
- name: "evocommit /etc/bind"
command: "/usr/local/bin/evocommit --ansible --repository /etc/bind --message \"{{ commit_message | mandatory }}\""
changed_when:
- _etc_bind_git_commit.stdout
- "'CHANGED:' in _etc_bind_git_commit.stdout"
ignore_errors: yes
register: _etc_bind_git_commit
when:
- _etc_bind_git.stat.exists
- _etc_bind_git.stat.isdir
# /usr/share/scripts
- name: Is /usr/share/scripts a git repository - name: Is /usr/share/scripts a git repository
stat: stat:
path: /usr/share/scripts/.git path: /usr/share/scripts/.git
register: _usr_share_scripts_git register: _usr_share_scripts_git
- include: do_commit.yml - name: "evocommit /usr/share/scripts"
vars: command: "/usr/local/bin/evocommit --ansible --repository /usr/share/scripts --message \"{{ commit_message | mandatory }}\""
git_folder: "/usr/share/scripts" changed_when:
- _usr_share_scripts_git_commit.stdout
- "'CHANGED:' in _usr_share_scripts_git_commit.stdout"
ignore_errors: yes
register: _usr_share_scripts_git_commit
when: when:
- _usr_share_scripts_git.stat.exists - _usr_share_scripts_git.stat.exists
- _usr_share_scripts_git.stat.isdir - _usr_share_scripts_git.stat.isdir
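Review bot: the three `command: "/usr/local/bin/evocommit --ansible --repository ... --message \"{{ commit_message | mandatory }}\""` tasks embed the message in a string that the `command` module re-splits with shell-like quoting, so a `commit_message` containing a double quote or backslash breaks (or silently alters) the argument list; the `argv:` form of `command` passes the message as a single argument with no re-parsing. Also, `ignore_errors: yes` without a matching `failed_when` means a `FAILED:` result from evocommit only shows as a red line and never fails the play, and the three near-identical tasks would collapse into one `loop:` over the repository list, with the `stat` results registered per item.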

View file

@ -1,63 +0,0 @@
---
- name: "Remount /usr if needed"
include_role:
name: remount-usr
when: git_folder is match('/usr/.*')
- name: "is {{ git_folder }} clean?"
command: git status --porcelain
args:
chdir: "{{ git_folder }}"
changed_when: False
register: git_status
when: not ansible_check_mode
ignore_errors: yes
tags:
- etc-git
- commit
- debug:
var: git_status
verbosity: 3
tags:
- etc-git
- commit
- name: fetch current Git user.email
git_config:
name: user.email
repo: "{{ git_folder }}"
register: git_config_user_email
ignore_errors: yes
tags:
- etc-git
- commit
- name: "set commit author"
set_fact:
commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
commit_email: '{% if git_config_user_email.config_value is not defined or not git_config_user_email.config_value %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' # noqa 204
tags:
- etc-git
- commit
- name: "{{ git_folder }} modifications are committed"
shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
args:
chdir: "{{ git_folder }}"
register: commit_end_run
when:
- not ansible_check_mode
- git_status.stdout | length > 0
ignore_errors: yes
tags:
- etc-git
- commit
- debug:
var: commit_end_run
verbosity: 4
tags:
- etc-git
- commit

View file

@ -7,6 +7,18 @@
tags: tags:
- etc-git - etc-git
- include_role:
name: evolix/remount-usr
- name: "evocommit script is installed"
copy:
src: evocommit
dest: /usr/local/bin/evocommit
mode: "0755"
force: yes
tags:
- etc-git
- include: repository.yml - include: repository.yml
vars: vars:
repository_path: "/etc" repository_path: "/etc"
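Review bot: `include_role: name: evolix/remount-usr` is unconditional and untagged, while the `copy` right after it writes to `/usr/local/bin/evocommit` and every sibling task carries `tags: - etc-git`; a run restricted with `--tags etc-git` skips the remount and the copy then fails on a read-only `/usr`. Tag the include the same way (using `apply:` if the included tasks must inherit it). Since evocommit now remounts `/usr` read-write only for the duration of a commit, this role-level remount exists purely for the file copies, which deserves a comment so the next reader does not remove it as redundant.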
@ -32,6 +44,24 @@
- _usr_share_scripts.stat.isdir - _usr_share_scripts.stat.isdir
- ansible_distribution_major_version is version('10', '>=') - ansible_distribution_major_version is version('10', '>=')
- name: "etc-git-optimize script is installed"
copy:
src: etc-git-optimize
dest: /usr/share/scripts/etc-git-optimize
mode: "0755"
force: yes
tags:
- etc-git
- name: "etc-git-status script is installed"
copy:
src: etc-git-status
dest: /usr/share/scripts/etc-git-status
mode: "0755"
force: yes
tags:
- etc-git
- name: Check if cron is installed - name: Check if cron is installed
shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
args: args:
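Review bot: `etc-git-optimize` and `etc-git-status` are copied into `/usr/share/scripts`, which is itself one of the repositories those scripts watch, so on a host where `/usr/share/scripts` is tracked the first hourly `etc-git-status` mail reports the two new files as untracked until a `commit.yml` run lands them. Either run the commit right after this install or place the scripts in `/usr/local/bin` next to `evocommit`, which is not under version control.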
@ -41,29 +71,44 @@
check_mode: no check_mode: no
register: is_cron_installed register: is_cron_installed
- name: Optimize script is installed in monthly crontab - block:
copy: - name: Legacy cron jobs for /etc/.git status are absent
src: optimize-etc-git file:
dest: /etc/cron.monthly/optimize-etc-git dest: "{{ item }}"
mode: "0750" state: absent
force: no loop:
- /etc/cron.monthly/optimize-etc-git
- /etc/cron.d/etc-git-status
- name: Cron job for monthly git optimization
cron:
name: "Monthly optimization"
cron_file: etc-git
special_time: "monthly"
user: root
job: "/usr/share/scripts/etc-git-optimize"
- name: Cron job for hourly git status
cron:
name: "Hourly warning for unclean Git repository if nobody is connected"
cron_file: etc-git
special_time: "hourly"
user: root
job: "who > /dev/null || /usr/share/scripts/etc-git-status"
state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
- name: Cron job for daily git status
cron:
name: "Daily warning for unclean Git repository"
cron_file: etc-git
user: root
job: "/usr/share/scripts/etc-git-status"
minute: "21"
hour: "21"
weekday: "*"
day: "*"
month: "*"
state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
when: is_cron_installed.rc == 0 when: is_cron_installed.rc == 0
tags: tags:
- etc-git - etc-git
- name: Cron job for /etc/.git status is installed
template:
src: etc-git-status.j2
dest: /etc/cron.d/etc-git-status
mode: "0644"
when: is_cron_installed.rc == 0 and etc_git_monitor_status
tags:
- etc-git
- name: Cron job for /etc/.git status is removed
file:
dest: /etc/cron.d/etc-git-status
state: absent
when: is_cron_installed.rc == 0 and not etc_git_monitor_status
tags:
- etc-git
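Review bot: style only, on the `Cron job for daily git status` entry: `weekday`, `day` and `month` set to `"*"` are the `cron` module defaults and can be dropped, leaving `minute: "21"` and `hour: "21"` as the only schedule fields. Also worth noting in the task name or a comment that all three jobs share `cron_file: etc-git`, so the whole schedule now lives in `/etc/cron.d/etc-git` and the legacy files removed above are the only other places to look.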

View file

@ -70,4 +70,4 @@
register: git_commit register: git_commit
when: git_log.rc != 0 or (git_init is defined and git_init is changed) when: git_log.rc != 0 or (git_init is defined and git_init is changed)
tags: tags:
- etc-git - etc-git

View file

@ -1,4 +0,0 @@
# {{ ansible_managed }}
@hourly root who > /dev/null || git --git-dir=/etc/.git --work-tree=/etc status --short
21 21 * * * root git --git-dir=/etc/.git --work-tree=/etc status --short

View file

@ -15,12 +15,13 @@ find "${CRT_DIR}" \
-maxdepth 1 \ -maxdepth 1 \
-mindepth 1 \ -mindepth 1 \
-type d \ -type d \
! -path "*accounts" \ ! -path "${CRT_DIR}/accounts" \
! -path "*archive" \ ! -path "${CRT_DIR}/archive" \
! -path "*csr" \ ! -path "${CRT_DIR}/csr" \
! -path "*hooks" \ ! -path "${CRT_DIR}/hooks" \
! -path "*keys" \ ! -path "${CRT_DIR}/keys" \
! -path "*live" \ ! -path "${CRT_DIR}/live" \
! -path "*renewal" \ ! -path "${CRT_DIR}/renewal" \
! -path "${CRT_DIR}/renewal-hooks" \
-printf "%f\n" \ -printf "%f\n" \
| xargs --max-args=1 --no-run-if-empty evoacme | xargs --max-args=1 --no-run-if-empty evoacme
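Review bot: anchoring the exclusions to `"${CRT_DIR}/accounts"` and friends instead of `"*accounts"` is the right fix (the old globs also skipped any certificate directory whose name merely ended in `accounts`, `live`, `keys` or `csr`), but the new patterns assume `CRT_DIR` has no trailing slash: `find` prints `${CRT_DIR}/foo` with a single separator, so a `CRT_DIR="/etc/letsencrypt/"` yields patterns containing `//` that will not match and the special directories get handed to `evoacme`. Strip it once at the top (`CRT_DIR=${CRT_DIR%/}`), or use `-name` with the existing `-maxdepth 1`, which sidesteps the question entirely.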

View file

@ -16,6 +16,4 @@ A separate `exec.yml` file can be imported manually in playbooks or roles to exe
## Variables ## Variables
We can force install via : We can force install via :
* `evocheck_force_install: local` : will copy the script provided by the role
* `evocheck_force_install: package` : will install the package via repositories
* `evocheck_update_crontab` : will update the crontab (default: `True`) * `evocheck_update_crontab` : will update the crontab (default: `True`)

View file

@ -1,4 +1,4 @@
--- ---
evocheck_force_install: False
evocheck_update_crontab: True evocheck_update_crontab: True
evocheck_bin_dir: /usr/share/scripts evocheck_bin_dir: /usr/share/scripts

View file

@ -4,7 +4,8 @@
# Script to verify compliance of a Debian/OpenBSD server # Script to verify compliance of a Debian/OpenBSD server
# powered by Evolix # powered by Evolix
readonly VERSION="20.12" VERSION="21.10.4"
readonly VERSION
# base functions # base functions
@ -12,7 +13,7 @@ show_version() {
cat <<END cat <<END
evocheck version ${VERSION} evocheck version ${VERSION}
Copyright 2009-2019 Evolix <info@evolix.fr>, Copyright 2009-2021 Evolix <info@evolix.fr>,
Romain Dessort <rdessort@evolix.fr>, Romain Dessort <rdessort@evolix.fr>,
Benoit Série <bserie@evolix.fr>, Benoit Série <bserie@evolix.fr>,
Gregory Colpart <reg@evolix.fr>, Gregory Colpart <reg@evolix.fr>,
@ -62,6 +63,8 @@ detect_os() {
8) DEBIAN_RELEASE="jessie";; 8) DEBIAN_RELEASE="jessie";;
9) DEBIAN_RELEASE="stretch";; 9) DEBIAN_RELEASE="stretch";;
10) DEBIAN_RELEASE="buster";; 10) DEBIAN_RELEASE="buster";;
11) DEBIAN_RELEASE="bullseye";;
12) DEBIAN_RELEASE="bookworm";;
esac esac
fi fi
elif [ "$(uname -s)" = "OpenBSD" ]; then elif [ "$(uname -s)" = "OpenBSD" ]; then
@ -71,7 +74,7 @@ detect_os() {
} }
is_debian() { is_debian() {
test -n "${DEBIAN_RELEASE}" test -n "${DEBIAN_RELEASE}"
} }
is_debian_lenny() { is_debian_lenny() {
test "${DEBIAN_RELEASE}" = "lenny" test "${DEBIAN_RELEASE}" = "lenny"
@ -91,6 +94,12 @@ is_debian_stretch() {
is_debian_buster() { is_debian_buster() {
test "${DEBIAN_RELEASE}" = "buster" test "${DEBIAN_RELEASE}" = "buster"
} }
is_debian_bullseye() {
test "${DEBIAN_RELEASE}" = "bullseye"
}
is_debian_bookworm() {
test "${DEBIAN_RELEASE}" = "bookworm"
}
debian_release() { debian_release() {
printf "%s" "${DEBIAN_RELEASE}" printf "%s" "${DEBIAN_RELEASE}"
} }
@ -109,7 +118,7 @@ is_pack_samba(){
} }
is_installed(){ is_installed(){
for pkg in "$@"; do for pkg in "$@"; do
dpkg -l "$pkg" 2>/dev/null | grep -q -E '^(i|h)i' || return 1 dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1
done done
} }
minifirewall_file() { minifirewall_file() {
@ -147,7 +156,7 @@ check_lsbrelease(){
## only the major version matters ## only the major version matters
lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1)
rhs=$(cut -d "." -f 1 < /etc/debian_version) rhs=$(cut -d "." -f 1 < /etc/debian_version)
test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version" test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release (${lhs}) and /etc/debian_version (${rhs})"
else else
failed "IS_LSBRELEASE" "lsb_release is missing or not executable" failed "IS_LSBRELEASE" "lsb_release is missing or not executable"
fi fi
@ -165,7 +174,7 @@ check_dpkgwarning() {
test -e /etc/apt/apt.conf \ test -e /etc/apt/apt.conf \
&& failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing" && failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing"
fi fi
elif is_debian_stretch || is_debian_buster; then elif is_debian_stretch || is_debian_buster || is_debian_bullseye; then
test -e /etc/apt/apt.conf.d/z-evolinux.conf \ test -e /etc/apt/apt.conf.d/z-evolinux.conf \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing" || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
fi fi
@ -211,7 +220,6 @@ check_vartmpfs() {
else else
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
fi fi
} }
check_serveurbase() { check_serveurbase() {
is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed" is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
@ -224,8 +232,19 @@ check_syslogconf() {
|| failed "IS_SYSLOGCONF" "syslog evolix config file missing" || failed "IS_SYSLOGCONF" "syslog evolix config file missing"
} }
check_debiansecurity() { check_debiansecurity() {
grep -q "^deb.*security" /etc/apt/sources.list \ if is_debian_bullseye; then
|| failed "IS_DEBIANSECURITY" "missing debian security repository" # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
pattern="^deb https://deb\.debian\.org/debian-security/? bullseye-security main"
elif is_debian_buster; then
pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main"
elif is_debian_stretch; then
pattern="^deb http://security\.debian\.org/debian-security/? stretch/updates main"
else
pattern="^deb.*security"
fi
source_file="/etc/apt/sources.list"
grep -qE "${pattern}" "${source_file}" || failed "IS_DEBIANSECURITY" "missing debian security repository"
} }
check_aptitudeonly() { check_aptitudeonly() {
if is_debian_squeeze || is_debian_wheezy; then if is_debian_squeeze || is_debian_wheezy; then
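Review bot: the Bullseye pattern `^deb https://deb\.debian\.org/debian-security/? bullseye-security main` is stricter than the linked release notes require: `deb http://security.debian.org/debian-security bullseye-security main` (still valid and commonly written by the installer), a local mirror, or a line with options such as `deb [arch=amd64] ...` all raise IS_DEBIANSECURITY even though the security archive is configured. Accept either host, an optional `[...]` group and `main` anywhere in the component list, and apply the same relaxation to the buster and stretch patterns. Entries in `/etc/apt/sources.list.d/` are also never consulted because `source_file` is fixed to `/etc/apt/sources.list`.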
@ -234,13 +253,13 @@ check_aptitudeonly() {
fi fi
} }
check_aptitude() { check_aptitude() {
if is_debian_jessie || is_debian_stretch || is_debian_buster; then if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then
test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8" test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8"
fi fi
} }
check_aptgetbak() { check_aptgetbak() {
if is_debian_jessie || is_debian_stretch || is_debian_buster; then if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then
test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "missing dpkg-divert apt-get.bak" test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "prohibit the installation of apt-get.bak with dpkg-divert(1)"
fi fi
} }
check_apticron() { check_apticron() {
@ -276,7 +295,7 @@ check_mountfstab() {
fi fi
} }
check_listchangesconf() { check_listchangesconf() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if is_installed apt-listchanges; then if is_installed apt-listchanges; then
failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Debian >=9" failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Debian >=9"
fi fi
@ -296,7 +315,7 @@ check_customcrontab() {
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab" test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
} }
check_sshallowusers() { check_sshallowusers() {
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \ grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config" || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
} }
check_diskperf() { check_diskperf() {
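Review bot: `grep -E -qir ... /etc/ssh/sshd_config /etc/ssh/sshd_config.d` prints `grep: /etc/ssh/sshd_config.d: No such file or directory` on stderr on releases without the drop-in directory (Debian 10 and older), because `-s` was not added alongside `-r`; with `-q` the exit status is still correct when a match exists, but a host that genuinely lacks the directive now emits noise on top of the failure. Pre-existing but worth fixing in the same change: the case-insensitive, unanchored match also accepts a commented-out `#AllowUsers` line, so `^[[:space:]]*(AllowUsers|AllowGroups)` would limit it to live directives.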
@ -307,7 +326,7 @@ check_tmoutprofile() {
grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set" grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set"
} }
check_alert5boot() { check_alert5boot() {
if is_debian_buster; then if is_debian_buster || is_debian_bullseye; then
grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
test -f /etc/systemd/system/alert5.service || failed "IS_ALERT5BOOT" "alert5 unit file is missing" test -f /etc/systemd/system/alert5.service || failed "IS_ALERT5BOOT" "alert5 unit file is missing"
systemctl is-enabled alert5 -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled" systemctl is-enabled alert5 -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled"
@ -320,7 +339,7 @@ check_alert5boot() {
fi fi
} }
check_alert5minifw() { check_alert5minifw() {
if is_debian_buster; then if is_debian_buster || is_debian_bullseye; then
grep -qs "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh \ grep -qs "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh \
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 script or script is missing" || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 script or script is missing"
else else
@ -336,6 +355,13 @@ check_minifw() {
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \ /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|| failed "IS_MINIFW" "minifirewall seems not starded" || failed "IS_MINIFW" "minifirewall seems not starded"
} }
check_minifw_includes() {
if is_debian_bullseye; then
if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "${MINIFW_FILE}"; then
failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in ${MINIFW_FILE} that should go in /etc/minifirewall.d/"
fi
fi
}
check_nrpeperms() { check_nrpeperms() {
if [ -d /etc/nagios ]; then if [ -d /etc/nagios ]; then
nagiosDir="/etc/nagios" nagiosDir="/etc/nagios"
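Review bot: `check_minifw_includes` is added as a function, but this diff does not show it being added to the list of checks that the script runs, and `IS_MINIFWINCLUDES` appears nowhere else in the visible hunks; please confirm it is wired in and can be disabled from evocheck.cf like the other checks. Also, `grep -q -e '/sbin/iptables' -e '/sbin/ip6tables'` matches commented-out lines as well as the `iptables -t nat ... --dport 80` squid rules that `check_squid` still looks for in `$MINIFW_FILE`, so on a Bullseye pack mail host the two checks contradict each other unless the squid rules have moved to `/etc/minifirewall.d/` or `PROXY='on'` is used.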
@ -357,7 +383,11 @@ check_nrpedisks() {
test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg" test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg"
} }
check_nrpepid() { check_nrpepid() {
if ! is_debian_squeeze; then if is_debian_bullseye; then
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
elif ! is_debian_squeeze; then
{ test -e /etc/nagios/nrpe.cfg \ { test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
@ -372,7 +402,7 @@ check_grsecprocs() {
} }
check_apachemunin() { check_apachemunin() {
if test -e /etc/apache2/apache2.conf; then if test -e /etc/apache2/apache2.conf; then
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
{ test -h /etc/apache2/mods-enabled/status.load \ { test -h /etc/apache2/mods-enabled/status.load \
&& test -h /etc/munin/plugins/apache_accesses \ && test -h /etc/munin/plugins/apache_accesses \
&& test -h /etc/munin/plugins/apache_processes \ && test -h /etc/munin/plugins/apache_processes \
@ -392,17 +422,20 @@ check_apachemunin() {
check_mysqlutils() { check_mysqlutils() {
MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin} MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin}
if is_installed mysql-server; then if is_installed mysql-server; then
# You can configure MYSQL_ADMIN in evocheck.cf # With Debian 11 and later, root can connect to MariaDB with the socket
if ! grep -qs "$MYSQL_ADMIN" /root/.my.cnf; then if is_debian_wheezy || is_debian_jessie || is_debian_stretch || is_debian_buster; then
failed "IS_MYSQLUTILS" "mysqladmin missing in /root/.my.cnf" # You can configure MYSQL_ADMIN in evocheck.cf
if ! grep -qs "^user *= *${MYSQL_ADMIN}" /root/.my.cnf; then
failed "IS_MYSQLUTILS" "${MYSQL_ADMIN} missing in /root/.my.cnf"
fi
fi fi
if ! test -x /usr/bin/mytop; then if ! test -x /usr/bin/mytop; then
if ! test -x /usr/local/bin/mytop; then if ! test -x /usr/local/bin/mytop; then
failed "IS_MYSQLUTILS" "mytop binary missing" failed "IS_MYSQLUTILS" "mytop binary missing"
fi fi
fi fi
if ! grep -qs debian-sys-maint /root/.mytop; then if ! grep -qs '^user *=' /root/.mytop; then
failed "IS_MYSQLUTILS" "debian-sys-maint missing in /root/.mytop" failed "IS_MYSQLUTILS" "credentials missing in /root/.mytop"
fi fi
fi fi
} }
@ -431,7 +464,7 @@ check_muninlogrotate() {
} }
# Verification de l'activation de Squid dans le cas d'un pack mail # Verification de l'activation de Squid dans le cas d'un pack mail
check_squid() { check_squid() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
squidconffile="/etc/squid/evolinux-custom.conf" squidconffile="/etc/squid/evolinux-custom.conf"
else else
squidconffile="/etc/squid*/squid.conf" squidconffile="/etc/squid*/squid.conf"
@ -444,7 +477,8 @@ check_squid() {
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE"; && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE";
} || failed "IS_SQUID" "missing squid rules in minifirewall" } || grep -qE "^PROXY='?on'?" "$MINIFW_FILE" \
|| failed "IS_SQUID" "missing squid rules in minifirewall"
fi fi
} }
check_evomaintenance_fw() { check_evomaintenance_fw() {
@ -473,7 +507,7 @@ check_log2mailrunning() {
fi fi
} }
check_log2mailapache() { check_log2mailapache() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
conf=/etc/log2mail/config/apache conf=/etc/log2mail/config/apache
else else
conf=/etc/log2mail/config/default conf=/etc/log2mail/config/default
@ -532,10 +566,10 @@ check_network_interfaces() {
} }
# Verify if all if are in auto # Verify if all if are in auto
check_autoif() { check_autoif() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
else else
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 1 |tr "\n" " ") interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
fi fi
for interface in $interfaces; do for interface in $interfaces; do
if ! grep -q "^auto $interface" /etc/network/interfaces; then if ! grep -q "^auto $interface" /etc/network/interfaces; then
@ -569,6 +603,7 @@ check_evobackup_exclude_mount() {
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
done done
done done
rm -rf "${excludes_file}"
} }
# Verification de la presence du userlogrotate # Verification de la presence du userlogrotate
check_userlogrotate() { check_userlogrotate() {
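Review bot: `rm -rf "${excludes_file}"` at the end of check_evobackup_exclude_mount should be `rm -f`: the variable names a single temporary file, and `-r` only widens the damage if the variable is ever mis-set to a directory (an empty value makes `rm -rf ""` a no-op, a value like `/tmp` does not). Prefer creating the file with mktemp and registering its removal in a trap, so that it is also cleaned up when the function is left early.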
@ -681,6 +716,7 @@ check_backupuptodate() {
backup_dir="/home/backup" backup_dir="/home/backup"
if [ -d "${backup_dir}" ]; then if [ -d "${backup_dir}" ]; then
if [ -n "$(ls -A ${backup_dir})" ]; then if [ -n "$(ls -A ${backup_dir})" ]; then
# shellcheck disable=SC2231
for file in ${backup_dir}/*; do for file in ${backup_dir}/*; do
limit=$(date +"%s" -d "now - 2 day") limit=$(date +"%s" -d "now - 2 day")
updated_at=$(stat -c "%Y" "$file") updated_at=$(stat -c "%Y" "$file")
@ -771,7 +807,7 @@ check_tune2fs_m5() {
done done
} }
check_evolinuxsudogroup() { check_evolinuxsudogroup() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if grep -q "^evolinux-sudo:" /etc/group; then if grep -q "^evolinux-sudo:" /etc/group; then
grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \ grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \
|| failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file" || failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file"
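Review bot: this is the first of a dozen hunks that turn `if is_debian_stretch || is_debian_buster; then` into `if is_debian_stretch || is_debian_buster || is_debian_bullseye; then`; every future Debian release will need the same edit in every function, and one of them is easy to miss (check_mariadbsystemdunit already diverges with a TODO further down). A single predicate such as `is_debian_stretch_or_later`, or a numeric comparison on the release, used here and in the other checks would make the next release a one-line change.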
@ -779,7 +815,7 @@ check_evolinuxsudogroup() {
fi fi
} }
check_userinadmgroup() { check_userinadmgroup() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ') users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ')
for user in $users; do for user in $users; do
if ! groups "$user" | grep -q adm; then if ! groups "$user" | grep -q adm; then
@ -790,7 +826,7 @@ check_userinadmgroup() {
fi fi
} }
check_apache2evolinuxconf() { check_apache2evolinuxconf() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if test -d /etc/apache2; then if test -d /etc/apache2; then
{ test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ { test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
&& test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
@ -800,7 +836,7 @@ check_apache2evolinuxconf() {
fi fi
} }
check_backportsconf() { check_backportsconf() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
grep -qsE "^[^#].*backports" /etc/apt/sources.list \ grep -qsE "^[^#].*backports" /etc/apt/sources.list \
&& failed "IS_BACKPORTSCONF" "backports can't be in main sources list" && failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
@ -810,7 +846,7 @@ check_backportsconf() {
fi fi
} }
check_bind9munin() { check_bind9munin() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if is_installed bind9; then if is_installed bind9; then
{ test -L /etc/munin/plugins/bind9 \ { test -L /etc/munin/plugins/bind9 \
&& test -e /etc/munin/plugin-conf.d/bind9; && test -e /etc/munin/plugin-conf.d/bind9;
@ -819,7 +855,7 @@ check_bind9munin() {
fi fi
} }
check_bind9logrotate() { check_bind9logrotate() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if is_installed bind9; then if is_installed bind9; then
test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file" test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file"
fi fi
@ -840,7 +876,7 @@ check_broadcomfirmware() {
check_hardwareraidtool() { check_hardwareraidtool() {
LSPCI_BIN=$(command -v lspci) LSPCI_BIN=$(command -v lspci)
if [ -x "${LSPCI_BIN}" ]; then if [ -x "${LSPCI_BIN}" ]; then
if ${LSPCI_BIN} | grep -q 'MegaRAID SAS'; then if ${LSPCI_BIN} | grep -q 'MegaRAID'; then
# shellcheck disable=SC2015 # shellcheck disable=SC2015
is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \ is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \
|| failed "IS_HARDWARERAIDTOOL" "Mega tools not found" || failed "IS_HARDWARERAIDTOOL" "Mega tools not found"
@ -853,7 +889,7 @@ check_hardwareraidtool() {
fi fi
} }
check_log2mailsystemdunit() { check_log2mailsystemdunit() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
systemctl -q is-active log2mail.service \ systemctl -q is-active log2mail.service \
|| failed "IS_LOG2MAILSYSTEMDUNIT" "log2mail unit not running" || failed "IS_LOG2MAILSYSTEMDUNIT" "log2mail unit not running"
test -f /etc/systemd/system/log2mail.service \ test -f /etc/systemd/system/log2mail.service \
@ -869,7 +905,7 @@ check_listupgrade() {
|| failed "IS_LISTUPGRADE" "missing listupgrade script or not executable" || failed "IS_LISTUPGRADE" "missing listupgrade script or not executable"
} }
check_mariadbevolinuxconf() { check_mariadbevolinuxconf() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if is_installed mariadb-server; then if is_installed mariadb-server; then
{ test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ { test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \
&& test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf; && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf;
@ -945,6 +981,7 @@ check_elastic_backup() {
fi fi
} }
check_mariadbsystemdunit() { check_mariadbsystemdunit() {
# TODO: check if it is still needed for bullseye
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster; then
if is_installed mariadb-server; then if is_installed mariadb-server; then
if systemctl -q is-active mariadb.service; then if systemctl -q is-active mariadb.service; then
@ -955,7 +992,7 @@ check_mariadbsystemdunit() {
fi fi
} }
check_mysqlmunin() { check_mysqlmunin() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if is_installed mariadb-server; then if is_installed mariadb-server; then
for file in mysql_bytes mysql_queries mysql_slowqueries \ for file in mysql_bytes mysql_queries mysql_slowqueries \
mysql_threads mysql_connections mysql_files_tables \ mysql_threads mysql_connections mysql_files_tables \
@ -973,7 +1010,7 @@ check_mysqlmunin() {
fi fi
} }
check_mysqlnrpe() { check_mysqlnrpe() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if is_installed mariadb-server; then if is_installed mariadb-server; then
nagios_file=~nagios/.my.cnf nagios_file=~nagios/.my.cnf
if ! test -f ${nagios_file}; then if ! test -f ${nagios_file}; then
@ -989,9 +1026,10 @@ check_mysqlnrpe() {
fi fi
} }
check_phpevolinuxconf() { check_phpevolinuxconf() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
is_debian_stretch && phpVersion="7.0" is_debian_stretch && phpVersion="7.0"
is_debian_buster && phpVersion="7.3" is_debian_buster && phpVersion="7.3"
is_debian_bullseye && phpVersion="7.4"
if is_installed php; then if is_installed php; then
{ test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \ { test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \
&& test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini && test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini
@ -1000,15 +1038,15 @@ check_phpevolinuxconf() {
fi fi
} }
check_squidlogrotate() { check_squidlogrotate() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if is_installed squid; then if is_installed squid; then
grep -q monthly /etc/logrotate.d/squid \ grep -q -e monthly -e daily /etc/logrotate.d/squid \
|| failed "IS_SQUIDLOGROTATE" "missing squid logrotate file" || failed "IS_SQUIDLOGROTATE" "missing squid logrotate file"
fi fi
fi fi
} }
check_squidevolinuxconf() { check_squidevolinuxconf() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if is_installed squid; then if is_installed squid; then
{ grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ { grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \
&& test -f /etc/squid/evolinux-defaults.conf \ && test -f /etc/squid/evolinux-defaults.conf \
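Review bot: in check_squidlogrotate, `grep -q -e monthly -e daily /etc/logrotate.d/squid` matches the words anywhere in the file, comments included, and prints an error to stderr when the file does not exist; the failure text "missing squid logrotate file" is also misleading for the case the check actually tests (file present, no rotation frequency). Suggest `grep -qsE '^\s*(daily|monthly)' /etc/logrotate.d/squid` and a message such as "squid logrotate frequency not set", with `-s` silencing the missing-file case.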
@ -1044,7 +1082,7 @@ check_duplicate_fs_label() {
fi fi
} }
check_evolix_user() { check_evolix_user() {
grep -q "evolix:" /etc/passwd \ grep -q -E "^evolix:" /etc/passwd \
&& failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install" && failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install"
} }
check_evoacme_cron() { check_evoacme_cron() {
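Review bot: `grep -q -E "^evolix:" /etc/passwd` fixes the substring match of the previous version, but it still only sees local accounts; `getent passwd evolix` asks every NSS source (LDAP, sssd) with the same exact-name semantics and is the usual way to test whether an account exists.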
@ -1083,7 +1121,7 @@ check_apache_confenabled() {
# Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/ # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
# must be replaced by conf-available/ and config files symlinked # must be replaced by conf-available/ and config files symlinked
# to conf-enabled/ # to conf-enabled/
if is_debian_jessie || is_debian_stretch || is_debian_buster; then if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if [ -f /etc/apache2/apache2.conf ]; then if [ -f /etc/apache2/apache2.conf ]; then
test -d /etc/apache2/conf.d/ \ test -d /etc/apache2/conf.d/ \
&& failed "IS_APACHE_CONFENABLED" "apache's conf.d directory must not exists" && failed "IS_APACHE_CONFENABLED" "apache's conf.d directory must not exists"
@ -1095,7 +1133,7 @@ check_apache_confenabled() {
check_meltdown_spectre() { check_meltdown_spectre() {
# For Stretch, detection is easy as the kernel use # For Stretch, detection is easy as the kernel use
# /sys/devices/system/cpu/vulnerabilities/ # /sys/devices/system/cpu/vulnerabilities/
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
for vuln in meltdown spectre_v1 spectre_v2; do for vuln in meltdown spectre_v1 spectre_v2; do
test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \ test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \
|| failed "IS_MELTDOWN_SPECTRE" "vulnerable to $vuln" || failed "IS_MELTDOWN_SPECTRE" "vulnerable to $vuln"
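Review bot: the comment "For Stretch, detection is easy as the kernel use /sys/devices/system/cpu/vulnerabilities/" in check_meltdown_spectre is stale now that the branch also covers buster and bullseye; reword it as "stretch and later". As far as the visible lines go, the loop only tests that `/sys/devices/system/cpu/vulnerabilities/$vuln` exists, and the file is present on every recent kernel whether mitigations are active or not, so if the rest of the function does not read its contents a `grep -q '^Vulnerable'` on the file is needed before reporting "vulnerable to $vuln".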
@ -1148,7 +1186,7 @@ check_usrsharescripts() {
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected" test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
} }
check_sshpermitrootno() { check_sshpermitrootno() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if grep -q "^PermitRoot" /etc/ssh/sshd_config; then if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \ grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
|| failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no" || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
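Review bot: on bullseye, Debian's default sshd_config carries `Include /etc/ssh/sshd_config.d/*.conf`, so check_sshpermitrootno, which greps /etc/ssh/sshd_config only, will not see a `PermitRootLogin yes` placed in a drop-in file, and `PermitRoot.*no` also accepts `PermitRootLogin yes # no`. Query the effective configuration instead: `sshd -T 2>/dev/null | grep -qi '^permitrootlogin no'` (also accepting `prohibit-password` if that is the intended policy).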
@ -1159,7 +1197,7 @@ check_sshpermitrootno() {
fi fi
} }
check_evomaintenanceusers() { check_evomaintenanceusers() {
if is_debian_stretch || is_debian_buster; then if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ') users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ')
else else
if [ -f /etc/sudoers.d/evolinux ]; then if [ -f /etc/sudoers.d/evolinux ]; then
@ -1295,6 +1333,154 @@ check_nginx_letsencrypt_uptodate() {
fi fi
} }
check_lxc_container_resolv_conf() {
if is_installed lxc; then
container_list=$(lxc-ls)
current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' )
for container in $container_list; do
if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then
while read -r resolver; do
if ! grep -qE "^nameserver\s+${resolver}" "/var/lib/lxc/${container}/rootfs/etc/resolv.conf"; then
failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf miss-match beween host and container : missing nameserver ${resolver} in container ${container} resolv.conf"
fi
done <<< "${current_resolvers}"
else
failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}"
fi
done
fi
}
download_versions() {
local file
file=${1:-}
## The file is supposed to list programs : each on a line, then its latest version number
## Examples:
# evoacme 21.06
# evomaintenance 0.6.4
if is_debian; then
versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}"
elif is_openbsd; then
versions_url="https://upgrades.evolix.org/versions-${OPENBSD_RELEASE}"
else
failed "IS_VERSIONS_CHECK" "error determining os release"
fi
# fetch timeout, in seconds
timeout=10
if command -v curl > /dev/null; then
curl --max-time ${timeout} --fail --silent --output "${versions_file}" "${versions_url}"
elif command -v wget > /dev/null; then
wget --timeout=${timeout} --quiet "${versions_url}" -O "${versions_file}"
elif command -v GET; then
GET -t ${timeout}s "${versions_url}" > "${versions_file}"
else
failed "IS_VERSIONS_CHECK" "failed to find curl, wget or GET"
fi
test "$?" -eq 0 || failed "IS_VERSIONS_CHECK" "failed to download ${versions_url} to ${versions_file}"
}
get_command() {
local program
program=${1:-}
case "${program}" in
## Special cases where the program name is different than the command name
evocheck) echo "${0}" ;;
evomaintenance) command -v "evomaintenance.sh" ;;
listupgrade) command -v "evolistupgrade.sh" ;;
old-kernel-autoremoval) command -v "old-kernel-autoremoval.sh" ;;
mysql-queries-killer) command -v "mysql-queries-killer.sh" ;;
## General case, where the program name is the same as the command name
*) command -v "${program}" ;;
esac
}
get_version() {
local program
local command
program=${1:-}
command=${2:-}
case "${program}" in
## Special case if `command --version => 'command` is not the standard way to get the version
# my_command)
# /path/to/my_command --get-version
# ;;
add-vm)
grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
;;
## Let's try the --version flag before falling back to grep for the constant
kvmstats)
if ${command} --version > /dev/null 2> /dev/null; then
${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3
else
grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
fi
;;
## General case to get the version
*) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;;
esac
}
check_version() {
local program
local expected_version
program=${1:-}
expected_version=${2:-}
command=$(get_command "${program}")
if [ -n "${command}" ]; then
# shellcheck disable=SC2086
actual_version=$(get_version "${program}" "${command}")
# printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}"
if [ -z "${actual_version}" ]; then
failed "IS_VERSIONS_CHECK" "failed to lookup actual version of ${program}"
elif dpkg --compare-versions "${actual_version}" lt "${expected_version}"; then
failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is older than expected version ${expected_version}"
elif dpkg --compare-versions "${actual_version}" gt "${expected_version}"; then
failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update tour index."
else
: # Version check OK
fi
fi
}
add_to_path() {
local new_path
new_path=${1:-}
echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
}
check_versions() {
versions_file=$(mktemp --tmpdir=/tmp "evocheck-versions.XXXXX")
# shellcheck disable=SC2064
trap "rm -f ${versions_file}" 0
download_versions "${versions_file}"
add_to_path "/usr/share/scripts"
grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do
local program
local version
program=$(echo "${line}" | cut -d ' ' -f 1)
version=$(echo "${line}" | cut -d ' ' -f 2)
if [ -n "${program}" ]; then
if [ -n "${version}" ]; then
check_version "${program}" "${version}"
else
failed "IS_VERSIONS_CHECK" "failed to lookup expected version for ${program}"
fi
fi
done
rm -f "${versions_file}"
}
main() { main() {
# Default return code : 0 = no error # Default return code : 0 = no error
RC=0 RC=0
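Review bot: in check_versions, `grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do ... done` runs the loop in a subshell, so whatever `failed` records for the final return code (RC is initialised to 0 in main) is lost when the pipeline ends, and IS_VERSIONS_CHECK findings can be printed but never change the exit status; read the file directly (`while ...; do ...; done < "${versions_file}"`, skipping comment lines inside the loop) or use process substitution. Smaller points in the same hunk: download_versions declares and assigns `file=${1:-}` but never uses it and writes to the global `${versions_file}`; `elif command -v GET; then` lacks the `> /dev/null` the curl and wget branches have, so the path of GET is echoed on hosts that fall through to it; check_version relies on `dpkg --compare-versions`, which is absent on the OpenBSD hosts download_versions explicitly supports; the messages carry typos ("miss-match beween", "update tour index"). It is also worth a comment that every program name listed in the downloaded file is executed with `--version` from a PATH that now includes /usr/share/scripts, so the check trusts the TLS connection to upgrades.evolix.org for the choice of binaries it runs.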
@ -1349,6 +1535,8 @@ main() {
test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw
test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms
test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms
# Enable when minifirewall is released
test "${IS_MINIFWINCLUDES:=0}" = 1 && check_minifw_includes
test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks
test "${IS_NRPEPID:=1}" = 1 && check_nrpepid test "${IS_NRPEPID:=1}" = 1 && check_nrpepid
test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs
@ -1421,6 +1609,8 @@ main() {
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
fi fi
#----------------------------------------------------------- #-----------------------------------------------------------
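Review bot: `IS_CHECK_VERSIONS` defaults to 1, so every interactive evocheck run now performs an outbound HTTPS request to upgrades.evolix.org; on hosts where minifirewall restricts outbound HTTP(S) to the local squid (the PROXY=on case handled earlier in this diff) the request fails and surfaces as an IS_VERSIONS_CHECK failure unrelated to the versions themselves. Document the network dependency and honour http_proxy/https_proxy, or default the check to 0 as was done for IS_MINIFWINCLUDES until it has been exercised on such hosts.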
@ -1528,10 +1718,13 @@ main() {
exit ${RC} exit ${RC}
} }
PROGNAME=$(basename "$0")
# shellcheck disable=SC2034 # shellcheck disable=SC2034
readonly PROGNAME=$(basename "$0") readonly PROGNAME
# shellcheck disable=2124
readonly ARGS=$@ # shellcheck disable=SC2124
ARGS=$@
readonly ARGS
# Disable LANG* # Disable LANG*
export LANG=C export LANG=C
@ -1557,6 +1750,7 @@ while :; do
IS_KERNELUPTODATE=0 IS_KERNELUPTODATE=0
IS_UPTIME=0 IS_UPTIME=0
IS_MELTDOWN_SPECTRE=0 IS_MELTDOWN_SPECTRE=0
IS_CHECK_VERSIONS=0
;; ;;
-v|--verbose) -v|--verbose)
VERBOSE=1 VERBOSE=1

View file

@ -1,5 +0,0 @@
---
- name: install evocheck from package
apt:
name: evocheck
state: present

View file

@ -1,10 +1,13 @@
--- ---
- include: install_local.yml - name: Package install is not supported anymore
when: evocheck_force_install == "local" fail:
msg: Package install is not supported anymore
when:
- evocheck_force_install is defined
- evocheck_force_install == "package"
- include: install_package.yml - include: install.yml
when: evocheck_force_install == "package"
- include: cron.yml - include: cron.yml
when: evocheck_update_crontab | bool when: evocheck_update_crontab | bool
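Review bot: `- include: install.yml` and `- include: cron.yml` use the bare `include` action, deprecated since Ansible 2.4 in favour of `import_tasks` (static) or `include_tasks` (dynamic); since this file is being rewritten anyway, switch to `import_tasks`. The new fail task is only reached when `evocheck_force_install` is defined and equals "package"; any other leftover value (for example "local", which the evolinux defaults used to set) is silently accepted, which is fine but deserves a one-line comment so nobody wonders why the variable still exists.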

View file

@ -89,6 +89,7 @@ evolinux_packages_invalid_mta: True
evolinux_packages_delete_nfs: True evolinux_packages_delete_nfs: True
evolinux_packages_listchanges: True evolinux_packages_listchanges: True
evolinux_packages_logcheck_recipient: False evolinux_packages_logcheck_recipient: False
evolinux_packages_delete_aptlistchanges: True
# system # system
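Review bot: `evolinux_packages_delete_aptlistchanges: True` is added right under `evolinux_packages_listchanges: True`; if both refer to apt-listchanges, the defaults read as installing and removing the same package, so a comment stating what each flag controls and which one wins when both are true would help whoever tunes them.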
@ -164,8 +165,10 @@ evolinux_logs_include: True
evolinux_logs_logrotate_confs: True evolinux_logs_logrotate_confs: True
evolinux_logs_default_rotate: True evolinux_logs_default_rotate: True
evolinux_logs_default_dateext : True
evolinux_logs_disable_logrotate_rsyslog: True evolinux_logs_disable_logrotate_rsyslog: True
evolinux_logs_rsyslog_conf: True evolinux_logs_rsyslog_conf: True
evolinux_logrotate_dateformat: "-%Y%m%d%H"
# default www # default www
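Review bot: `evolinux_logs_default_dateext : True` has a space before the colon, unlike every other key in the file; YAML accepts it but it trips linters and simple greps, so drop the space. The companion `evolinux_logrotate_dateformat: "-%Y%m%d%H"` also skips the `logs_` infix used by its neighbours (`evolinux_logs_*`); `evolinux_logs_logrotate_dateformat` would keep the prefix consistent.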
@ -206,7 +209,6 @@ evolinux_fail2ban_include: False
# Evocheck # Evocheck
evolinux_evocheck_include: True evolinux_evocheck_include: True
evolinux_evocheck_force_install: "local"
# Listupgrade # Listupgrade
@ -218,3 +220,6 @@ evolinux_generateldif_include: True
# Cron check_hpraid # Cron check_hpraid
evolinux_cron_checkhpraid_frequency: daily evolinux_cron_checkhpraid_frequency: daily
# Motd
evolinux_motd_include: True

View file

@ -1,9 +1,10 @@
[Unit] [Unit]
Description=Evolix alert5 script Description=Evolix alert5 script
After=network.target
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=/usr/share/scripts/alert5.sh ExecStart=/usr/share/scripts/alert5.sh
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
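Review bot: `After=network.target` only orders the unit after the network stack has been configured, not after any interface has an address or a default route; if alert5.sh sends mail or otherwise needs connectivity at boot, use `Wants=network-online.target` together with `After=network-online.target`.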

View file

@ -0,0 +1,635 @@
#!/bin/sh
PROGNAME="backup-server-state"
VERSION="22.01"
readonly VERSION
backup_dir=
rc=0
# base functions
show_version() {
cat <<END
${PROGNAME} version ${VERSION}
Copyright 2018-2021 Evolix <info@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>
and others.
${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public License v3.0 for details.
END
}
show_help() {
cat <<END
${PROGNAME} is making backup copies of information related to the state of the server.
Usage: ${PROGNAME} --backup-dir=/path/to/backup/directory [OPTIONS]
Options
-d, --backup-dir path to the directory where the backup will be stored
--etc backup copy of /etc
--no-etc no backup copy of /etc (default)
--dpkg backup copy of /var/lib/dpkg
--no-dpkg no backup copy of /var/lib/dpkg (default)
--apt backup copy of apt extended states (default)
--no-apt no backup copy of apt extended states
--packages backup copy of dpkg selections (default)
--no-packages no backup copy of dpkg selections
--processes backup copy of process list (default)
--no-processes no backup copy of process list
--uptime backup of uptime value (default)
--no-uptime no backup of uptime value
--netstat backup copy of netstat (default)
--no-netstat no backup copy of netstat
--netcfg backup copy of network configuration (default)
--no-netcfg no backup copy of network configuration
--iptables backup copy of iptables (default)
--no-iptables no backup copy of iptables
--sysctl backup copy of sysctl values (default)
--no-sysctl no backup copy of sysctl values
--virsh backup copy of virsh list (default)
--no-virsh no backup copy of virsh list
--lxc backup copy of lxc list (default)
--no-lxc no backup copy of lxc list
--mount backup copy of mount points (default)
--no-mount no backup copy of mount points
--df backup copy of disk usage (default)
--no-df no backup copy of disk usage
-v, --verbose print details about backup steps
-V, --version print version and exit
-h, --help print this message and exit
END
}
debug() {
if [ "${VERBOSE}" = "1" ]; then
echo "$1"
fi
}
create_backup_dir() {
debug "Create ${backup_dir}"
last_result=$(mkdir -p "${backup_dir}" && chmod -R 755 "${backup_dir}")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* mkdir/chmod OK"
else
debug "* mkdir/chmod ERROR :"
debug "${last_result}"
rc=10
fi
}
backup_etc() {
debug "Backup /etc"
last_result=$(rsync -ah --itemize-changes --exclude=.git /etc "${backup_dir}/")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* rsync OK"
else
debug "* rsync ERROR :"
debug "${last_result}"
rc=10
fi
}
backup_apt() {
if [ -f /var/lib/apt/extended_states ]; then
debug "Backup APT states"
last_result=$(mkdir -p "${backup_dir}/var/lib/apt" && chmod -R 755 "${backup_dir}/var/lib/apt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* mkdir/chmod OK"
else
debug "* mkdir/chmod ERROR"
debug "${last_result}"
rc=10
fi
last_result=$(rsync -ah /var/lib/apt/extended_states "${backup_dir}/var/lib/apt/")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* rsync OK"
else
debug "* rsync ERROR :"
debug "${last_result}"
rc=10
fi
fi
}
backup_dpkg() {
debug "Backup DPkg"
last_result=$(mkdir -p "${backup_dir}/var/lib" && chmod -R 755 "${backup_dir}/var/lib")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* mkdir/chmod OK"
else
debug "* mkdir/chmod ERROR"
debug "${last_result}"
rc=10
fi
last_result=$(rsync -ah --itemize-changes /var/lib/dpkg "${backup_dir}/var/lib/")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* rsync OK"
else
debug "* rsync ERROR"
debug "${last_result}"
rc=10
fi
}
backup_packages() {
debug "Backup list of installed package"
last_result=$(dpkg --get-selections "*" > "${backup_dir}/current_packages.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* dpkg OK"
else
debug "* dpkg ERROR :"
debug "${last_result}"
rc=10
fi
}
backup_uptime() {
debug "Backup uptime"
last_result=$(uptime > "${backup_dir}/uptime.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* uptime OK"
else
debug "* uptime ERROR"
debug "${last_result}"
rc=10
fi
}
backup_processes() {
debug "Backup process list"
last_result=$(ps fauxw > "${backup_dir}/ps.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* ps OK"
else
debug "* ps ERROR"
debug "${last_result}"
rc=10
fi
pstree_bin=$(command -v pstree)
if [ -z "${pstree_bin}" ]; then
last_result=$(pstree -pan > "${backup_dir}/pstree.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* pstree OK"
else
debug "* pstree ERROR"
debug "${last_result}"
rc=10
fi
fi
}
backup_netstat() {
debug "Backup network status"
ss_bin=$(command -v ss)
if [ -z "${ss_bin}" ]; then
last_result=$(${ss_bin} -tanpul > "${backup_dir}/netstat-ss.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* ss OK"
else
debug "* ss ERROR"
debug "${last_result}"
rc=10
fi
fi
netstat_bin=$(command -v netstat)
if [ -z "${netstat_bin}" ]; then
last_result=$(netstat -laputen > "${backup_dir}/netstat-legacy.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* netstat OK"
else
debug "* netstat ERROR"
debug "${last_result}"
rc=10
fi
fi
}
backup_netcfg() {
debug "Backup network configuration"
last_result=$(ip address show > "${backup_dir}/ip-address.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* ip address OK"
else
debug "* ip address ERROR"
debug "${last_result}"
rc=10
fi
last_result=$(ip route show > "${backup_dir}/ip-route.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* ip route OK"
else
debug "* ip route ERROR"
debug "${last_result}"
rc=10
fi
}
backup_iptables() {
debug "Backup iptables"
last_result=$({ /sbin/iptables -L -n -v; /sbin/iptables -t filter -L -n -v; } > "${backup_dir}/iptables.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* iptables OK"
else
debug "* iptables ERROR"
debug "${last_result}"
rc=10
fi
}
backup_sysctl() {
debug "Backup sysctl values"
last_result=$(sysctl -a | sort -h > "${backup_dir}/sysctl.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* sysctl OK"
else
debug "* sysctl ERROR"
debug "${last_result}"
rc=10
fi
}
backup_virsh() {
debug "Backup virsh list"
virsh_bin=$(command -v virsh)
if [ -n "${virsh_bin}" ]; then
last_result=$(${virsh_bin} list --all > "${backup_dir}/virsh-list.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* virsh list OK"
else
debug "* virsh list ERROR"
debug "${last_result}"
rc=10
fi
else
debug "* virsh not installed"
fi
}
backup_lxc() {
debug "Backup lxc list"
lxc_ls_bin=$(command -v lxc-ls)
if [ -n "${lxc_ls_bin}" ]; then
last_result=$(${lxc_ls_bin} --fancy > "${backup_dir}/lxc-list.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* lxc list OK"
else
debug "* lxc list ERROR"
debug "${last_result}"
rc=10
fi
else
debug "* lxc-ls not installed"
fi
}
backup_mount() {
debug "Backup mount points"
findmnt_bin=$(command -v findmnt)
mount_bin=$(command -v mount)
if [ -n "${findmnt_bin}" ]; then
last_result=$(${findmnt_bin} > "${backup_dir}/mount.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* mount points OK"
else
debug "* mount points ERROR"
debug "${last_result}"
rc=10
fi
elif [ -n "${mount_bin}" ]; then
last_result=$(${mount_bin} > "${backup_dir}/mount.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* mount points OK"
else
debug "* mount points ERROR"
debug "${last_result}"
rc=10
fi
else
debug "* findmnt and mount not installed"
fi
}
backup_df() {
debug "Backup df"
df_bin=$(command -v df)
if [ -n "${df_bin}" ]; then
last_result=$(${df_bin} --portability > "${backup_dir}/df.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* df OK"
else
debug "* df ERROR"
debug "${last_result}"
rc=10
fi
else
debug "* df not installed"
fi
}
main() {
if [ -z "${backup_dir}" ]; then
echo "ERROR: You must provide the --backup-dir argument" >&2
exit 1
fi
if [ -d "${backup_dir}" ]; then
echo "ERROR: The backup directory ${backup_dir} already exists. Delete it first." >&2
exit 2
else
create_backup_dir
fi
if [ "${DO_ETC}" -eq 1 ]; then
backup_etc
fi
if [ "${DO_DPKG}" -eq 1 ]; then
backup_dpkg
fi
if [ "${DO_APT}" -eq 1 ]; then
backup_apt
fi
if [ "${DO_PACKAGES}" -eq 1 ]; then
backup_packages
fi
if [ "${DO_PROCESSES}" -eq 1 ]; then
backup_processes
fi
if [ "${DO_UPTIME}" -eq 1 ]; then
backup_uptime
fi
if [ "${DO_NETSTAT}" -eq 1 ]; then
backup_netstat
fi
if [ "${DO_NETCFG}" -eq 1 ]; then
backup_netcfg
fi
if [ "${DO_IPTABLES}" -eq 1 ]; then
backup_iptables
fi
if [ "${DO_SYSCTL}" -eq 1 ]; then
backup_sysctl
fi
if [ "${DO_VIRSH}" -eq 1 ]; then
backup_virsh
fi
if [ "${DO_LXC}" -eq 1 ]; then
backup_lxc
fi
if [ "${DO_MOUNT}" -eq 1 ]; then
backup_mount
fi
if [ "${DO_DF}" -eq 1 ]; then
backup_df
fi
debug "=> Your backup is available at ${backup_dir}"
exit ${rc}
}
# parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
while :; do
case $1 in
-h|-\?|--help)
show_help
exit 0
;;
-V|--version)
show_version
exit 0
;;
-v|--verbose)
VERBOSE=1
;;
-d|--backup-dir)
# with value separated by space
if [ -n "$2" ]; then
backup_dir=$2
shift
else
printf 'ERROR: "-d|--backup-dir" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--backup-dir=?*)
# with value speparated by =
backup_dir=${1#*=}
;;
--backup-dir=)
# without value
printf 'ERROR: "--backup-dir" requires a non-empty option argument.\n' >&2
exit 1
;;
--etc)
DO_ETC=1
;;
--no-etc)
DO_ETC=0
;;
--dpkg)
DO_DPKG=1
;;
--no-dpkg)
DO_DPKG=0
;;
--apt)
DO_APT=1
;;
--no-apt)
DO_APT=0
;;
--packages)
DO_PACKAGES=1
;;
--no-packages)
DO_PACKAGES=0
;;
--processes)
DO_PROCESSES=1
;;
--no-processes)
DO_PROCESSES=0
;;
--uptime)
DO_UPTIME=1
;;
--no-uptime)
DO_UPTIME=0
;;
--netstat)
DO_NETSTAT=1
;;
--no-netstat)
DO_NETSTAT=0
;;
--netcfg)
DO_NETCFG=1
;;
--no-netcfg)
DO_NETCFG=0
;;
--iptables)
DO_IPTABLES=1
;;
--no-iptables)
DO_IPTABLES=0
;;
--sysctl)
DO_SYSCTL=1
;;
--no-sysctl)
DO_SYSCTL=0
;;
--virsh)
DO_VIRSH=1
;;
--no-virsh)
DO_VIRSH=0
;;
--lxc)
DO_LXC=1
;;
--no-lxc)
DO_LXC=0
;;
--mount)
DO_MOUNT=1
;;
--no-mount)
DO_MOUNT=0
;;
--df)
DO_DF=1
;;
--no-df)
DO_DF=0
;;
--)
# End of all options.
shift
break
;;
-?*)
# ignore unknown options
printf 'WARN: Unknown option : %s\n' "$1" >&2
exit 1
;;
*)
# Default case: If no more options then break out of the loop.
break
;;
esac
shift
done
# Default values
: "${VERBOSE:=0}"
: "${DO_ETC:=0}"
: "${DO_DPKG:=0}"
: "${DO_APT:=1}"
: "${DO_PACKAGES:=1}"
: "${DO_PROCESSES:=1}"
: "${DO_UPTIME:=1}"
: "${DO_NETSTAT:=1}"
: "${DO_NETCFG:=1}"
: "${DO_IPTABLES:=1}"
: "${DO_SYSCTL:=1}"
: "${DO_VIRSH:=1}"
: "${DO_LXC:=1}"
: "${DO_MOUNT:=1}"
: "${DO_DF:=1}"
export LC_ALL=C
set -u
main
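Review bot: three of the conditionals in this new script test the wrong way round, so the affected backups never run where the tool is installed: `if [ -z "${pstree_bin}" ]; then` (backup_processes), `if [ -z "${ss_bin}" ]; then` and `if [ -z "${netstat_bin}" ]; then` (backup_netstat) must be `-n`, as backup_virsh, backup_lxc and backup_mount already do; as written they try to run the command exactly when it is missing and set rc=10. Further points in the same file: backup_iptables runs `iptables -L -n -v` twice (the second call names the filter table, which is the default) and captures neither nat/mangle/raw nor IPv6, whereas `iptables-save` and `ip6tables-save` give a complete, restorable dump of all tables; `last_result=$(cmd > file)` captures nothing because stdout is redirected and stderr is not, so every "ERROR :" branch prints an empty string (add `2>&1` inside the substitution), and `sysctl -a | sort -h` reports sort's status rather than sysctl's; finally, create_backup_dir applies `chmod -R 755` to a tree that will hold a copy of /etc, the process list, sysctl and firewall state, so 0700 is the safer default for a directory meant to be read by root during an incident.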

View file

@ -0,0 +1,2 @@
# Force the SWAP column to the right of the CPU one
fields=0 48 17 18 38 39 40 119 2 46 47 49 1

View file

@ -0,0 +1,9 @@
/var/log/alternatives.log {
monthly
rotate 120
compress
delaycompress
missingok
notifempty
create 644 root root
}


@ -6,14 +6,4 @@
missingok missingok
notifempty notifempty
create 644 root root create 644 root root
} }
/var/log/alternatives.log {
monthly
rotate 120
compress
delaycompress
missingok
notifempty
create 644 root root
}


@ -2,8 +2,8 @@
weekly weekly
missingok missingok
rotate 3 rotate 3
compress compress
notifempty notifempty
create 640 root adm create 640 root adm
} }


@ -1,11 +1,7 @@
/var/log/procmail.log { /var/log/procmail.log {
daily daily
rotate 365 rotate 365
dateext
dateyesterday
dateformat .%Y%m%d
missingok missingok
rotate 365
create 640 root adm create 640 root adm
} }
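Review bot: this stanza now drops `dateext`/`dateyesterday`/`dateformat` unconditionally and relies on the global options that logs.yml only enables when `evolinux_logs_default_dateext` is true; zsyslog.j2 in this same PR keeps the legacy settings behind `{% if not evolinux_logs_default_dateext %}`, so procmail.log should get the same treatment (or become a template) to avoid losing dated rotations on hosts where the global option is off. Removing the duplicated `rotate 365` is right.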


@ -0,0 +1,15 @@
top's Config File (Linux processes with windows)
Id:j, Mode_altscr=0, Mode_irixps=1, Delay_time=3.0, Curwin=0
Def fieldscur=ķ&')*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
winflags=193844, sortindx=18, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
summclr=1, msgsclr=1, headclr=3, taskclr=1
Job fieldscur=(Ļ@<)*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
winflags=193844, sortindx=0, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
summclr=6, msgsclr=6, headclr=7, taskclr=6
Mem fieldscur=<MBND34&'()*+,-./0125689FGHIJKLOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
winflags=193844, sortindx=21, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
summclr=5, msgsclr=5, headclr=4, taskclr=5
Usr fieldscur=)+,-./1234568;<=>?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
winflags=193844, sortindx=3, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
summclr=3, msgsclr=3, headclr=2, taskclr=3
Fixed_widest=0, Summ_mscale=1, Task_mscale=0, Zero_suppress=0


@ -14,6 +14,7 @@ galaxy_info:
- jessie - jessie
- stretch - stretch
- buster - buster
- bullseye
galaxy_tags: [] galaxy_tags: []
# List tags for your role here, one per line. A tag is # List tags for your role here, one per line. A tag is


@ -1,5 +1,6 @@
--- ---
# TODO: trouver comment faire une copie initiale de /etc/fstab # TODO: trouver comment faire une copie initiale de /etc/fstab
# - piste : paramètre "backup" du module mount https://docs.ansible.com/ansible/latest/collections/ansible/posix/mount_module.html
# TODO: try to use the custom mount_uuid module for a different approach # TODO: try to use the custom mount_uuid module for a different approach
- name: Fetch fstab content - name: Fetch fstab content


@ -3,6 +3,8 @@
apt: apt:
name: pciutils name: pciutils
state: present state: present
tags:
- packages
## Broadcom NetXtreme II ## Broadcom NetXtreme II
@ -12,6 +14,8 @@
register: broadcom_netextreme_search register: broadcom_netextreme_search
failed_when: False failed_when: False
changed_when: False changed_when: False
tags:
- packages
# TODO: add the "non-free" part to the existing sources # TODO: add the "non-free" part to the existing sources
# instead of adding a new source # instead of adding a new source
@ -22,18 +26,43 @@
tasks_from: basics.yml tasks_from: basics.yml
vars: vars:
apt_basics_components: "main contrib non-free" apt_basics_components: "main contrib non-free"
tags:
- packages
when: broadcom_netextreme_search.rc == 0 when: broadcom_netextreme_search.rc == 0
## Dedicated hardware
- name: Install freepmi when it's dedicated hardware
apt:
name:
- libipc-run-perl
- freeipmi
state: present
tags:
- packages
when: ansible_virtualization_role == "host"
## RAID ## RAID
# Dell and others: MegaRAID SAS # Dell and others: MegaRAID SAS
# HP gen <10: Hewlett-Packard Company Smart Array # HP gen <10: Hewlett-Packard Company Smart Array
# HP gen >=10: Adaptec Smart Storage PQI # HP gen >=10: Adaptec Smart Storage PQI
- name: Detect if RAID is installed - name: Detect if RAID is installed
shell: "set -o pipefail && lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'" shell:
cmd: "lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'"
executable: /bin/bash
check_mode: no check_mode: no
register: raidmodel register: raidmodel
changed_when: "'FAILED' in raidmodel.stdout" changed_when: "'FAILED' in raidmodel.stdout"
failed_when: "'FAILED' in raidmodel.stdout" failed_when: "'FAILED' in raidmodel.stdout"
tags:
- packages
- name: Look for legacy apt keyring
stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- packages
- name: HPE Smart Storage Administrator (ssacli) is present - name: HPE Smart Storage Administrator (ssacli) is present
block: block:
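Review bot: `set -o pipefail &&` was removed from the RAID detection command at the same time `executable: /bin/bash` was added, which is the reverse of what the bash executable is there for; without pipefail a failing `lspci` is masked by grep's exit status, and since `failed_when`/`changed_when` only look for the string `FAILED` in stdout, a broken lspci is reported as 'no RAID controller' and every later `raidmodel.stdout` check is skipped. Keep `set -o pipefail &&` in `cmd`. Minor: the task name 'Install freepmi' should read 'freeipmi'.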
@ -42,6 +71,9 @@
id: "26C2B797" id: "26C2B797"
keyring: /etc/apt/trusted.gpg keyring: /etc/apt/trusted.gpg
state: absent state: absent
when: _trusted_gpg_keyring.stat.exists
tags:
- packages
- name: HPE GPG key is installed - name: HPE GPG key is installed
copy: copy:
@ -51,14 +83,21 @@
mode: "0644" mode: "0644"
owner: root owner: root
group: root group: root
tags:
- packages
- name: Add HPE repository - name: Add HPE repository
apt_repository: apt_repository:
repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free'
state: present state: present
tags:
- packages
- name: Install HPE Smart Storage Administrator (ssacli) - name: Install HPE Smart Storage Administrator (ssacli)
apt: apt:
name: ssacli name: ssacli
tags:
- packages
when: when:
- "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
- "'Adaptec Smart Storage PQI' in raidmodel.stdout" - "'Adaptec Smart Storage PQI' in raidmodel.stdout"
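Review bot: the `when:` list closing the ssacli block ANDs its two conditions (a list under `when` is a conjunction), so the block only runs on a host whose lspci output contains both 'Hewlett-Packard Company Smart Array' and 'Adaptec Smart Storage PQI'; a machine has one or the other, so `ssacli` is never installed. Use a single `or` expression instead.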
@ -72,6 +111,8 @@
src: check_hpraid.cron.sh src: check_hpraid.cron.sh
dest: /etc/cron.{{ evolinux_cron_checkhpraid_frequency | mandatory }}/check_hpraid dest: /etc/cron.{{ evolinux_cron_checkhpraid_frequency | mandatory }}/check_hpraid
mode: "0755" mode: "0755"
tags:
- config
when: "'Adaptec Smart Storage PQI' in raidmodel.stdout" when: "'Adaptec Smart Storage PQI' in raidmodel.stdout"
- name: Install and configure cciss-vol-status (HP gen <10) - name: Install and configure cciss-vol-status (HP gen <10)
@ -80,12 +121,16 @@
apt: apt:
name: cciss-vol-status name: cciss-vol-status
state: present state: present
tags:
- packages
- name: cciss-vol-statusd init script is present (HP gen <10) - name: cciss-vol-statusd init script is present (HP gen <10)
template: template:
src: hardware/cciss-vol-statusd.j2 src: hardware/cciss-vol-statusd.j2
dest: /etc/init.d/cciss-vol-statusd dest: /etc/init.d/cciss-vol-statusd
mode: "0755" mode: "0755"
tags:
- packages
- name: Configure cciss-vol-statusd (HP gen <10) - name: Configure cciss-vol-statusd (HP gen <10)
lineinfile: lineinfile:
@ -93,12 +138,17 @@
line: 'MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}"' line: 'MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}"'
regexp: 'MAILTO=' regexp: 'MAILTO='
create: yes create: yes
tags:
- config
- name: Enable cciss-vol-status in systemd (HP gen <10) - name: Enable cciss-vol-status in systemd (HP gen <10)
service: service:
name: cciss-vol-statusd name: cciss-vol-statusd
enabled: true enabled: true
state: restarted state: restarted
tags:
- packages
- config
when: "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" when: "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
- name: MegaRAID SAS package is present - name: MegaRAID SAS package is present
@ -108,7 +158,9 @@
id: "23B3D3B4" id: "23B3D3B4"
keyring: /etc/apt/trusted.gpg keyring: /etc/apt/trusted.gpg
state: absent state: absent
when: ansible_distribution_major_version is version('9', '>=') tags:
- packages
when: _trusted_gpg_keyring.stat.exists
- name: HWRaid GPG key is installed - name: HWRaid GPG key is installed
copy: copy:
@ -118,12 +170,16 @@
mode: "0644" mode: "0644"
owner: root owner: root
group: root group: root
tags:
- packages
when: ansible_distribution_major_version is version('9', '>=') when: ansible_distribution_major_version is version('9', '>=')
- name: Add HW tool repository - name: Add HW tool repository
apt_repository: apt_repository:
repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main'
state: present state: present
tags:
- packages
- name: Install packages for DELL/LSI hardware - name: Install packages for DELL/LSI hardware
apt: apt:
@ -131,18 +187,25 @@
- megacli - megacli
- megaclisas-status - megaclisas-status
allow_unauthenticated: yes allow_unauthenticated: yes
tags:
- packages
- name: Configure packages for DELL/LSI hardware - name: Configure packages for DELL/LSI hardware
template: template:
src: hardware/megaclisas-statusd.j2 src: hardware/megaclisas-statusd.j2
dest: /etc/default/megaclisas-statusd dest: /etc/default/megaclisas-statusd
mode: "0755" mode: "0755"
tags:
- config
- name: Enable DELL/LSI hardware in systemd - name: Enable DELL/LSI hardware in systemd
service: service:
name: megaclisas-statusd name: megaclisas-statusd
enabled: true enabled: true
state: started state: restarted
when: "'MegaRAID SAS' in raidmodel.stdout" tags:
- packages
- config
when: "'MegaRAID' in raidmodel.stdout"
- meta: flush_handlers - meta: flush_handlers
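Review bot: changing `state: started` to `state: restarted` makes megaclisas-statusd restart on every playbook run and the task always reports changed; if the goal is to apply the template from 'Configure packages for DELL/LSI hardware', use `notify` with a handler instead. Also visible in this hunk: `allow_unauthenticated: yes` disables apt signature checks for megacli/megaclisas-status although the HWRaid GPG key is installed a few tasks above and the repository is plain `http://`; with the key in place the flag should be unnecessary, and removing it restores signature verification for packages fetched over http. Broadening the match to `'MegaRAID'` looks intentional and fine.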


@ -0,0 +1,6 @@
---
- name: Deploy htop configuration
copy:
src: htoprc
dest: /etc/htoprc
mode: "0644"


@ -8,8 +8,8 @@
state: present state: present
reload: yes reload: yes
loop: loop:
- { name: kernel.panic_on_oops, value: 1 } - { name: kernel.panic_on_oops, value: 1 }
- { name: kernel.panic, value: 60 } - { name: kernel.panic, value: 60 }
when: evolinux_kernel_reboot_after_panic | bool when: evolinux_kernel_reboot_after_panic | bool
- name: Don't reboot after panic - name: Don't reboot after panic
@ -19,14 +19,14 @@
state: absent state: absent
reload: yes reload: yes
loop: loop:
- kernel.panic_on_oops - kernel.panic_on_oops
- kernel.panic - kernel.panic
when: not evolinux_kernel_reboot_after_panic | bool when: not evolinux_kernel_reboot_after_panic | bool
- name: Disable net.ipv4.tcp_timestamps - name: Disable net.ipv4.tcp_timestamps
sysctl: sysctl:
name: net.ipv4.tcp_timestamps name: net.ipv4.tcp_timestamps
value: 0 value: '0'
sysctl_file: "{{ evolinux_kernel_sysctl_path }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: present state: present
reload: yes reload: yes


@ -30,11 +30,34 @@
dest: /etc/logrotate.d/zsyslog dest: /etc/logrotate.d/zsyslog
when: evolinux_logs_logrotate_confs | bool when: evolinux_logs_logrotate_confs | bool
- name: Configure logrotate.conf - name: Configure logrotate.conf default rotate value
replace: replace:
dest: /etc/logrotate.conf dest: /etc/logrotate.conf
regexp: "rotate [0-9]+" regexp: "rotate [0-9]+"
replace: "rotate 12" replace: "rotate 12"
when: evolinux_logs_default_rotate | bool when: evolinux_logs_default_rotate | bool
- name: Enable logrotate.conf dateext option
lineinfile:
dest: /etc/logrotate.conf
line: "dateext"
regexp: "^#?\\s*dateext"
when: evolinux_logs_default_dateext | bool
- name: Enable logrotate.conf dateformat option
lineinfile:
dest: /etc/logrotate.conf
line: "dateformat {{ evolinux_logrotate_dateformat | mandatory }}"
regexp: "^#?\\s*dateformat.*"
insertafter: 'dateext'
when: evolinux_logs_default_dateext | bool
- name: Disable logrotate.conf dateyesterday option
lineinfile:
dest: /etc/logrotate.conf
line: "# dateyesterday"
regexp: "^\\s*dateyesterday"
insertafter: 'dateext'
when: evolinux_logs_default_dateext | bool
- meta: flush_handlers - meta: flush_handlers
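Review bot: `replace` with `regexp: "rotate [0-9]+"` on /etc/logrotate.conf rewrites every `rotate N` in the file, including the wtmp/btmp stanzas Debian ships there, not only the global default the task name now advertises; anchor it to the unindented line (`^rotate [0-9]+`) if only the default is meant. The three new lineinfile tasks are consistent with each other; note that 'Disable dateyesterday' is also gated on `evolinux_logs_default_dateext`, so a host with the option off keeps whatever `dateyesterday` setting it had.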


@ -13,6 +13,7 @@
vars: vars:
apt_install_basics: "{{ evolinux_apt_replace_default_sources }}" apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
apt_install_evolix_public: "{{ evolinux_apt_public_sources }}" apt_install_evolix_public: "{{ evolinux_apt_public_sources }}"
apt_upgrade: "{{ evolinux_apt_upgrade }}"
when: evolinux_apt_include | bool when: evolinux_apt_include | bool
- name: /etc versioning with Git - name: /etc versioning with Git
@ -97,6 +98,9 @@
when: evolinux_log2mail_include | bool when: evolinux_log2mail_include | bool
- include: motd.yml - include: motd.yml
when: evolinux_motd_include | bool
- include: utils.yml
- name: Munin - name: Munin
include_role: include_role:
@ -116,8 +120,6 @@
- name: Evocheck - name: Evocheck
include_role: include_role:
name: evolix/evocheck name: evolix/evocheck
vars:
evocheck_force_install: "{{ evolinux_evocheck_force_install }}"
when: evolinux_evocheck_include | bool when: evolinux_evocheck_include | bool
- name: Listupgrade - name: Listupgrade
@ -129,3 +131,7 @@
include_role: include_role:
name: evolix/generate-ldif name: evolix/generate-ldif
when: evolinux_generateldif_include | bool when: evolinux_generateldif_include | bool
- include: top.yml
- include: htop.yml
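Review bot: `top.yml` and `htop.yml` here, and `utils.yml` in the hunk above, are included unconditionally while every other include in this file is gated by an `evolinux_*_include` flag (the same hunk even adds `when: evolinux_motd_include | bool` to motd.yml); give them the same treatment so users can opt out of the top/htop files being written to /etc. Style: `- include:` is deprecated in current Ansible in favour of `import_tasks`/`include_tasks`.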


@ -16,6 +16,7 @@
- ssl-cert - ssl-cert
- ca-certificates - ca-certificates
- rename - rename
- dmidecode
when: evolinux_packages_system | bool when: evolinux_packages_system | bool
- name: Install/Update diagnostic tools - name: Install/Update diagnostic tools
@ -34,6 +35,7 @@
- telnet - telnet
- traceroute - traceroute
- man - man
- molly-guard
when: evolinux_packages_diagnostic | bool when: evolinux_packages_diagnostic | bool
- name: Install/Update hardware tools - name: Install/Update hardware tools
@ -143,5 +145,6 @@
when: when:
- ansible_distribution == "Debian" - ansible_distribution == "Debian"
- ansible_distribution_major_version is version('9', '>=') - ansible_distribution_major_version is version('9', '>=')
- evolinux_packages_delete_aptlistchanges
- meta: flush_handlers - meta: flush_handlers
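Review bot: the new `- evolinux_packages_delete_aptlistchanges` condition lacks the `| bool` filter the neighbouring conditions use; a value passed as the string 'False' (for instance via `-e` on the command line) is truthy without it and the deletion task would run. Write `- evolinux_packages_delete_aptlistchanges | bool`.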


@ -119,10 +119,10 @@
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}" replace: "{{ item.replace }}"
loop: loop:
- { regexp: '^17((\s*\*){4})', replace: '{{ 59|random(start=1) }}\1' } - { regexp: '^17((\s*\*){4})', replace: '{{ 59|random(start=1) }}\1' }
- { regexp: '^25\s*6((\s*\*){3})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } - { regexp: '^25\s*6((\s*\*){3})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
- { regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } - { regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
- { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } - { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
when: when:
- is_cron_installed.rc == 0 - is_cron_installed.rc == 0
- evolinux_system_cron_random | bool - evolinux_system_cron_random | bool
@ -153,7 +153,7 @@
- name: Install alert5 init script (buster) - name: Install alert5 init script (buster and later)
template: template:
src: system/alert5.sh.j2 src: system/alert5.sh.j2
dest: /usr/share/scripts/alert5.sh dest: /usr/share/scripts/alert5.sh
@ -163,7 +163,7 @@
- evolinux_system_alert5_init | bool - evolinux_system_alert5_init | bool
- ansible_distribution_major_version is version('10', '>=') - ansible_distribution_major_version is version('10', '>=')
- name: Install alert5 service (buster) - name: Install alert5 service (buster and later)
copy: copy:
src: alert5.service src: alert5.service
dest: /etc/systemd/system/alert5.service dest: /etc/systemd/system/alert5.service
@ -173,7 +173,7 @@
- evolinux_system_alert5_init | bool - evolinux_system_alert5_init | bool
- ansible_distribution_major_version is version('10', '>=') - ansible_distribution_major_version is version('10', '>=')
- name: Enable alert5 init script (buster) - name: Enable alert5 init script (buster and later)
systemd: systemd:
name: alert5 name: alert5
daemon_reload: yes daemon_reload: yes
@ -182,6 +182,7 @@
- evolinux_system_alert5_init | bool - evolinux_system_alert5_init | bool
- evolinux_system_alert5_enable | bool - evolinux_system_alert5_enable | bool
- ansible_distribution_major_version is version('10', '>=') - ansible_distribution_major_version is version('10', '>=')
- not ansible_check_mode
## network interfaces ## network interfaces
@ -203,13 +204,4 @@
## /sbin/deny ## /sbin/deny
- name: "/sbin/deny script is present"
copy:
src: deny.sh
dest: /sbin/deny
mode: "0700"
owner: root
group: root
force: no
- meta: flush_handlers - meta: flush_handlers
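Review bot: the `## /sbin/deny` section header is left behind while the task itself moves to utils.yml, leaving a heading with nothing under it just before `flush_handlers`; remove the comment too, or point it at utils.yml.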


@ -0,0 +1,7 @@
---
- name: Deploy top configuration file
copy:
# The config format is unredable; ATM it only add the SWAP column
src: htoprc
dest: /etc/topdefaultrc
mode: "0644"
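Review bot: `src: htoprc` looks like a copy-paste slip: this task deploys the top configuration to /etc/topdefaultrc, and the new `topdefaultrc` file added in this PR is the one that should be copied; with `htoprc` as source, top receives an htop-format file and the SWAP column never appears. Also in the comment: 'unredable' → 'unreadable', 'only add' → 'only adds'.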


@ -0,0 +1,22 @@
---
- include_role:
name: evolix/remount-usr
- name: backup-server-state script is present
copy:
src: "backup-server-state.sh"
dest: /usr/local/sbin/backup-server-state
force: True
owner: root
group: root
mode: "0750"
- name: "/sbin/deny script is present"
copy:
src: deny.sh
dest: /sbin/deny
mode: "0700"
owner: root
group: root
force: no


@ -1,8 +1,13 @@
# Custom EvoLinux # Custom EvoLinux
create 640 root adm create 640 root adm
{% if not evolinux_logs_default_dateext %}
# BEGIN legacy setting
# … when global dateext and dateformat are not enabled
dateext dateext
dateyesterday dateyesterday
dateformat .%Y%m%d dateformat .%Y%m%d
# END legacy setting
{% endif %}
missingok missingok
notifempty notifempty
delaycompress delaycompress


@ -7,6 +7,8 @@ nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
nagios ALL = NOPASSWD: /usr/sbin/bkctld check nagios ALL = NOPASSWD: /usr/sbin/bkctld check
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-jails
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-setup
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
ADMINS ALL = (ALL:ALL) ALL ADMINS ALL = (ALL:ALL) ALL


@ -6,10 +6,22 @@ nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
nagios ALL = NOPASSWD: /usr/sbin/bkctld check nagios ALL = NOPASSWD: /usr/sbin/bkctld check
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-jails
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-setup
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/8.0/fpm/pool.d/
nagios ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor
nagios ALL = NOPASSWD: /sbin/dmsetup status --noflush
nagios ALL = NOPASSWD: /sbin/megacli -PDList -aALL -NoLog
nagios ALL = NOPASSWD: /sbin/megacli -LdInfo -Lall -aALL -NoLog
nagios ALL = NOPASSWD: /sbin/megacli -AdpBbuCmd -GetBbuStatus -aALL -NoLog
nagios ALL = NOPASSWD: /sbin/ssacli controller all show status
nagios ALL = NOPASSWD: /sbin/ssacli controller slot=0 logicaldrive all show
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL %{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL
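Review bot: the new line for `/var/lib/lxc/php74/rootfs/etc/php/8.0/fpm/pool.d/` mixes the php74 container with the PHP 8.0 pool directory; following the pattern of the lines above it should read `/var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/`, otherwise the check for the 8.0 container has no matching sudo rule. The megacli/ssacli/dmsetup entries pin their arguments, which is the right least-privilege shape; `check_ipmi_sensor` is granted with no argument list, so if the plugin is always called the same way, pin those arguments as well.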


@ -4,16 +4,16 @@
# Dependencies (all OS): git postgresql-client # Dependencies (all OS): git postgresql-client
# Dependencies (Debian): sudo # Dependencies (Debian): sudo
# Copyright 2007-2021 Evolix <info@evolix.fr>, Gregory Colpart <reg@evolix.fr>, # Copyright 2007-2022 Evolix <info@evolix.fr>, Gregory Colpart <reg@evolix.fr>,
# Jérémy Lecour <jlecour@evolix.fr> and others. # Jérémy Lecour <jlecour@evolix.fr> and others.
VERSION="0.6.4" VERSION="22.01"
show_version() { show_version() {
cat <<END cat <<END
evomaintenance version ${VERSION} evomaintenance version ${VERSION}
Copyright 2007-2021 Evolix <info@evolix.fr>, Copyright 2007-2022 Evolix <info@evolix.fr>,
Gregory Colpart <reg@evolix.fr>, Gregory Colpart <reg@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr> Jérémy Lecour <jlecour@evolix.fr>
and others. and others.
@ -303,6 +303,9 @@ From: ${FULLFROM}
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
MIME-Version: 1.0 MIME-Version: 1.0
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
X-Evomaintenance-Version: ${VERSION}
X-Evomaintenance-Host: ${HOSTNAME_TEXT}
X-Evomaintenance-User: ${USER}
To: ${EVOMAINTMAIL} To: ${EVOMAINTMAIL}
Subject: [evomaintenance] Intervention sur ${HOSTNAME_TEXT} (${USER}) Subject: [evomaintenance] Intervention sur ${HOSTNAME_TEXT} (${USER})


@ -0,0 +1,18 @@
---
- assert:
that:
- evomaintenance_api_endpoint is not none
- evomaintenance_api_key is not none
msg: evomaintenance api variables must be set
- name: Configuration is installed
template:
src: evomaintenance.j2
dest: /etc/evomaintenance.cf
owner: root
group: root
mode: "0600"
force: "{{ evomaintenance_force_config | bool }}"
tags:
- evomaintenance


@ -12,15 +12,4 @@
name: evomaintenance name: evomaintenance
allow_unauthenticated: yes allow_unauthenticated: yes
tags: tags:
- evomaintenance - evomaintenance
- name: Configuration is installed
template:
src: evomaintenance.j2
dest: /etc/evomaintenance.cf
owner: root
group: root
mode: "0600"
force: "{{ evomaintenance_force_config | bool }}"
tags:
- evomaintenance


@ -46,15 +46,4 @@
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' } - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
- { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' } - { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
tags: tags:
- evomaintenance - evomaintenance
- name: Configuration is installed
template:
src: evomaintenance.j2
dest: /etc/evomaintenance.cf
owner: root
group: root
mode: "0600"
force: "{{ evomaintenance_force_config | bool }}"
tags:
- evomaintenance


@ -1,14 +1,5 @@
--- ---
- set_fact:
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
- assert:
that:
- evomaintenance_api_endpoint is not none
- evomaintenance_api_key is not none
msg: evomaintenance api variables must be set
- include: install_package_debian.yml - include: install_package_debian.yml
when: when:
- not (evomaintenance_install_vendor | bool) - not (evomaintenance_install_vendor | bool)
@ -19,6 +10,8 @@
- evomaintenance_install_vendor | bool - evomaintenance_install_vendor | bool
- ansible_distribution == "Debian" - ansible_distribution == "Debian"
- include: config.yml
- include: minifirewall.yml - include: minifirewall.yml
when: when:
- evomaintenance_hook_db | bool - evomaintenance_hook_db | bool


@ -1,5 +1,8 @@
--- ---
- set_fact:
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
- name: Is minifirewall installed? - name: Is minifirewall installed?
stat: stat:
path: /etc/default/minifirewall path: /etc/default/minifirewall


@ -1,5 +1,5 @@
--- ---
elastic_stack_version: "6.x" elastic_stack_version: "7.x"
filebeat_logstash_plugin: False filebeat_logstash_plugin: False
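Review bot: bumping the default `elastic_stack_version` from 6.x to 7.x switches the apt repository for every host that does not pin the variable, i.e. a major upgrade of filebeat on the next run; this deserves a line in the CHANGELOG 'Changed' section and a note that hosts meant to stay on 6.x must set the variable explicitly.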


@ -4,3 +4,4 @@
systemd: systemd:
name: filebeat name: filebeat
state: restarted state: restarted
when: not ansible_check_mode


@ -8,11 +8,20 @@
- filebeat - filebeat
- packages - packages
- name: Look for legacy apt keyring
stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- filebeat
- packages
- name: Elastic embedded GPG key is absent - name: Elastic embedded GPG key is absent
apt_key: apt_key:
id: "D88E42B4" id: "D88E42B4"
keyring: /etc/apt/trusted.gpg keyring: /etc/apt/trusted.gpg
state: absent state: absent
when: _trusted_gpg_keyring.stat.exists
tags: tags:
- filebeat - filebeat
- packages - packages
@ -53,6 +62,7 @@
name: filebeat name: filebeat
enabled: yes enabled: yes
notify: restart filebeat notify: restart filebeat
when: not ansible_check_mode
- name: is logstash-plugin available? - name: is logstash-plugin available?
stat: stat:
@ -131,7 +141,9 @@
when: when:
- filebeat_elasticsearch_auth_username | length > 0 - filebeat_elasticsearch_auth_username | length > 0
- filebeat_elasticsearch_auth_password | length > 0 - filebeat_elasticsearch_auth_password | length > 0
when: not (filebeat_use_config_template | bool) when:
- not (filebeat_use_config_template | bool)
- not ansible_check_mode
- name: Filebeat api_key for Elasticsearch are configured - name: Filebeat api_key for Elasticsearch are configured
lineinfile: lineinfile:


@ -1,10 +1,19 @@
--- ---
- name: Look for legacy apt keyring
stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- packages
- fluentd
- name: Fluentd embedded GPG key is absent - name: Fluentd embedded GPG key is absent
apt_key: apt_key:
id: "AB97ACBE" id: "AB97ACBE"
keyring: /etc/apt/trusted.gpg keyring: /etc/apt/trusted.gpg
state: absent state: absent
when: _trusted_gpg_keyring.stat.exists
tags: tags:
- packages - packages
- fluentd - fluentd


@ -31,17 +31,30 @@ computerKernel=$(uname -r)
HardwareSerial=$(dmidecode -s system-serial-number | grep -v '^#') HardwareSerial=$(dmidecode -s system-serial-number | grep -v '^#')
type="baremetal" type="baremetal"
lscpu | grep -q KVM && type="kvm" lscpu | grep "Hypervisor vendor:" | grep -q KVM && type="kvm"
lscpu | grep "Hypervisor vendor:" | grep -q VMware && type="vmware"
lscpu | grep -q Oracle && type="virtualbox" lscpu | grep -q Oracle && type="virtualbox"
if [ "$type" = "kvm" ]; then if [ "$type" = "kvm" ]; then
ComputerType="VM"
HardwareMark="KVM" HardwareMark="KVM"
HardwareModel="Virtual Machine" HardwareModel="Virtual Machine"
cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3) cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3)
cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz" cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
elif [ "$type" = "vmware" ]; then
ComputerType="VM"
HardwareMark="VMWare"
HardwareModel="Virtual Machine"
cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3)
cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
elif [ "$type" = "virtualbox" ]; then elif [ "$type" = "virtualbox" ]; then
ComputerType="VM"
HardwareMark="VirtualBox" HardwareMark="VirtualBox"
HardwareModel="Virtual Machine" HardwareModel="Virtual Machine"
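Review bot: the KVM and VMware checks now filter on the `Hypervisor vendor:` line, but the VirtualBox check still greps the whole `lscpu` output for `Oracle`, so the false-positive risk this change removes for KVM remains there; use `lscpu | grep "Hypervisor vendor:" | grep -q Oracle` for consistency. Also `HardwareMark="VMWare"` differs from the `VMware` spelling used in the detection line above; pick one (the vendor writes VMware).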
@ -49,6 +62,7 @@ elif [ "$type" = "virtualbox" ]; then
cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz" cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
else else
ComputerType="Baremetal"
HardwareModel=$(dmidecode -s system-product-name | grep -v '^#') HardwareModel=$(dmidecode -s system-product-name | grep -v '^#')
cpuMark=$(dmidecode -s processor-manufacturer | grep -v '^#' | head -1) cpuMark=$(dmidecode -s processor-manufacturer | grep -v '^#' | head -1)
@ -115,6 +129,7 @@ NagiosEnabled: ${NagiosEnabled}
NagiosComments: ${monitoringType},${monitoringMode},${monitoringTimeout} NagiosComments: ${monitoringType},${monitoringMode},${monitoringTimeout}
HardwareSerial: ${HardwareSerial} HardwareSerial: ${HardwareSerial}
clientNumber: ${clientNumber} clientNumber: ${clientNumber}
ComputerType: ${ComputerType}
EOT EOT
# CPU # CPU
@ -174,6 +189,19 @@ NagiosEnabled: TRUE
EOT EOT
fi fi
# raid hardware
if [ -n "${raidModel}" ]; then
cat <<EOT >> "${ldif_file}"
dn: HardwareName=raid_card,${computer_dn}
objectClass: EvoHardware
HardwareName: raid_card
HardwareType: disk
HardwareModel: ${raidModel}
NagiosEnabled: TRUE
EOT
fi
# Swap # Swap
swap=$(free -h | grep Swap: | tr -s ' ' | cut -d ' ' -f2) swap=$(free -h | grep Swap: | tr -s ' ' | cut -d ' ' -f2)
if [ -n "${swap}" ]; then if [ -n "${swap}" ]; then
@ -570,10 +598,27 @@ objectClass: EvoService
ServiceName: postgresql ServiceName: postgresql
ipServicePort: 5432 ipServicePort: 5432
ServiceType: database ServiceType: database
ServiceVersion: PostgreSQL ${elasticsearch_version} ServiceVersion: PostgreSQL ${postgresql_version}
EOT EOT
fi fi
# mdadm
if is_pkg_installed mdadm; then
mdadm_version=$(get_pkg_version mdadm)
fi
if [ -n "${mdadm_version}" ]; then
cat <<EOT >> "${ldif_file}"
dn: ServiceName=mdadm,${computer_dn}
NagiosEnabled: TRUE
objectClass: EvoService
ServiceName: mdadm
ServiceType: raid
ServiceVersion: mdadm ${mdadm_version}
EOT
fi
# test if we have a stdout # test if we have a stdout
if [ -t 1 ]; then if [ -t 1 ]; then
echo "Output is in ${ldif_file}" echo "Output is in ${ldif_file}"


@ -34,3 +34,4 @@ haproxy_deny_ips: []
haproxy_backports_packages_stretch: haproxy libssl1.0.0 haproxy_backports_packages_stretch: haproxy libssl1.0.0
haproxy_backports_packages_buster: haproxy haproxy_backports_packages_buster: haproxy
haproxy_backports_packages_bullseye: haproxy


@ -15,6 +15,10 @@
haproxy_backports_packages: "{{ haproxy_backports_packages_buster }}" haproxy_backports_packages: "{{ haproxy_backports_packages_buster }}"
when: ansible_distribution_release == 'buster' when: ansible_distribution_release == 'buster'
- set_fact:
haproxy_backports_packages: "{{ haproxy_backports_packages_bullseye }}"
when: ansible_distribution_release == 'bullseye'
- name: Prefer HAProxy package from backports - name: Prefer HAProxy package from backports
template: template:
src: haproxy_apt_preferences.j2 src: haproxy_apt_preferences.j2


@ -14,9 +14,9 @@
state: directory state: directory
mode: "0777" mode: "0777"
loop: loop:
- /srv/java-package - /srv/java-package
- /srv/java-package/src - /srv/java-package/src
- /srv/java-package/tmp - /srv/java-package/tmp
tags: tags:
- java - java
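Review bot: the context lines show /srv/java-package and its src/tmp subdirectories created with `mode: "0777"`; since this hunk only reindents the loop, it is a good moment to tighten that to 0755 with an explicit `owner`/`group`, because a world-writable build directory lets any local account alter sources or artefacts before they are packaged.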


@ -5,11 +5,17 @@
# http://mirrors.jenkins.io/.* # http://mirrors.jenkins.io/.*
# http://jenkins.mirror.isppower.de/.* # http://jenkins.mirror.isppower.de/.*
- name: Look for legacy apt keyring
stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
- name: Jenkins embedded GPG key is absent - name: Jenkins embedded GPG key is absent
apt_key: apt_key:
id: "D50582E6" id: "D50582E6"
keyring: /etc/apt/trusted.gpg keyring: /etc/apt/trusted.gpg
state: absent state: absent
when: _trusted_gpg_keyring.stat.exists
- name: Add Jenkins GPG key - name: Add Jenkins GPG key
copy: copy:
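Review bot: the `apt_key ... state: absent` task still identifies the key by the 8-hex short ID `"D50582E6"`, which is ambiguous (short IDs are cheap to collide); `apt_key` accepts the full fingerprint in `id`, so use that. The new `stat` on `/etc/apt/trusted.gpg` with `when: _trusted_gpg_keyring.stat.exists` is the right fix for hosts that never had the legacy keyring, and since the following `Add Jenkins GPG key` task installs the key with `copy`, the `apt_key` removal can be dropped altogether once every host has been through it.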

View file

@ -1,5 +1,5 @@
--- ---
elastic_stack_version: "5.x" elastic_stack_version: "7.x"
kibana_server_host: "127.0.0.1" kibana_server_host: "127.0.0.1"
kibana_server_basepath: "" kibana_server_basepath: ""
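Review bot: bumping the default `elastic_stack_version` from `"5.x"` to `"7.x"` switches the apt repository on every host that does not pin the variable, and a jump that skips a whole major version is not something Elasticsearch/Kibana upgrade through in place; flag it as a breaking change in the CHANGELOG and tell users to pin `elastic_stack_version` in inventories that must stay on 5.x or 6.x.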

BIN
kibana/files/elastic.gpg Normal file

Binary file not shown.

View file

@ -1,31 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)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=92oX
-----END PGP PUBLIC KEY BLOCK-----

View file

@ -8,11 +8,20 @@
- kibana - kibana
- packages - packages
- name: Look for legacy apt keyring
stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- kibana
- packages
- name: Elastic embedded GPG key is absent - name: Elastic embedded GPG key is absent
apt_key: apt_key:
id: "D88E42B4" id: "D88E42B4"
keyring: /etc/apt/trusted.gpg keyring: /etc/apt/trusted.gpg
state: absent state: absent
when: _trusted_gpg_keyring.stat.exists
tags: tags:
- kibana - kibana
- packages - packages
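Review bot: the `when: _trusted_gpg_keyring.stat.exists` guard fixes the failure of `apt_key ... state: absent` on hosts without `/etc/apt/trusted.gpg`, but this exact `stat` + `apt_key` pair is now copied into the jenkins, kibana and logstash roles with only the tags differing; a shared task file would keep the three in step. As in the other roles, `id: "D88E42B4"` is a short key ID; the full fingerprint is the safer identifier.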
@ -129,3 +138,5 @@
- include: proxy_nginx.yml - include: proxy_nginx.yml
when: kibana_proxy_nginx | bool when: kibana_proxy_nginx | bool
tags:
- kibana
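Review bot: adding `tags: [kibana]` to `- include: proxy_nginx.yml` is needed for `--tags kibana` to reach the nginx tasks, but `include` is the deprecated form; when this is migrated, `import_tasks` keeps the static, tag-inheriting behaviour this relies on, whereas `include_tasks` would apply the tag to the include itself only and skip the nested tasks unless `apply` is used.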

View file

@ -10,6 +10,8 @@
# Bash strict mode # Bash strict mode
set -euo pipefail set -euo pipefail
VERSION="21.10"
isDryRun() { isDryRun() {
test "${doDryRun}" = "true" test "${doDryRun}" = "true"
} }
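Review bot: `VERSION="21.10"` is assigned but nothing in the hunk reads it, and unlike the old-kernel-autoremoval script in this same PR it is not marked `readonly`; add `readonly VERSION` and wire it into a `--version` output, otherwise the constant is dead code.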

View file

@ -1,96 +1,202 @@
#!/bin/sh #!/bin/sh
VERSION="21.10"
PROGNAME=$(basename "$0")
show_version() {
cat <<END
${PROGNAME} version ${VERSION}
Copyright 2018-2021 Evolix <info@evolix.fr>,
Alexis Ben Miloud--Josselin <abenmiloud@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>
and others.
${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public Licence for details.
END
}
show_help() {
cat <<END
${PROGNAME} print stats about configured virtal servers
END
show_usage
}
show_usage() {
cat <<END
Usage: ${PROGNAME} --all
or ${PROGNAME} --output <human|html|csv>
or ${PROGNAME} --units <k|m|g>
END
}
error () { error () {
echo "$0": "$@" >&2 echo "$0": "$@" >&2
exit 1 exit 1
} }
usage () { main() {
echo 'usage:' "$0" '[-a] [-u k|m|g] [-o human|html|csv]' >&2 for VM in $(virsh list --name --all | sed '/^$/d' | sort)
exit 1 do
echo "$VM"
# cpu
virsh vcpucount --current "$VM"
# mem
# libvirt stores memory in KiB, POW must be lowered by 1
virsh dommemstat "$VM" 2>/dev/null | awk 'BEGIN{ret=1}$1~/^actual$/{print $2 / '$((POW / 1024))';ret=0}END{exit ret}' ||
virsh dumpxml "$VM" | awk -F'[<>]' '$2~/^memory unit/{print $3/'$((POW / 1024))'}'
# disk
for BLK in $(virsh domblklist "$VM" | sed '1,2d;/-$/d;/^$/d' | awk '{print $1}')
do
virsh domblkinfo "$VM" "$BLK" 2>/dev/null
done | awk '/Physical:/ { size += $2 } END { print int(size / '${POW}') }'
# state
virsh domstate "$VM" | grep -q '^running$' && echo yes || echo no
done | xargs -n5 | {
echo vm vcpu ram disk running
awk '{ print } /yes$/ { vcpu += $2; ram += $3; disk += $4; running++ } END { print "TOTAL(running)", vcpu, ram, disk, running }'
test "$SHOW_AVAIL" && {
nproc
awk '/^MemTotal:/ { print int($2 / '$((POW / 1024))' ) }' /proc/meminfo
} | xargs -r printf 'AVAILABLE %s %s %s %s\n'
} | case "$FMT" in
'human')
column -t
;;
'html')
awk 'BEGIN{print "<html><body>\n<table>"}{printf "<tr>";for(i=1;i<=NF;i++)printf "<td>%s</td>", $i;print "</tr>"}END{print "</table>\n</body></html>"}'
;;
'csv')
tr ' ' ','
;;
esac
} }
parse_units() {
case "$1" in
'k')
POW="$(echo '1024 ^ 1' | bc)"
;;
'm')
POW="$(echo '1024 ^ 2' | bc)"
;;
'g')
POW="$(echo '1024 ^ 3' | bc)"
;;
*)
printf 'ERROR: Unknown unit value: %s. Possible values: %s\n' "$1" "k, m, g" >&2
echo "" >&2
show_usage >&2
exit 1
;;
esac
}
parse_output() {
case "$1" in
'csv'|'html'|'human')
FMT="$1"
;;
*)
printf 'ERROR: Unknown output value : %s. Possible values: %s\n' "$1" "csv, html, human" >&2
echo "" >&2
show_usage >&2
exit 1
;;
esac
}
# Check dependencies
for DEP in bc virsh for DEP in bc virsh
do do
command -v "$DEP" > /dev/null || error "$DEP" 'command not found' command -v "$DEP" > /dev/null || error "$DEP" 'command not found'
done done
# default values
POW="$(echo '1024 ^ 3' | bc)" POW="$(echo '1024 ^ 3' | bc)"
FMT='human' FMT='human'
while [ "$#" -ne 0 ]
do # Parse options
case "$1" in # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
'-a') while :; do
SHOW_AVAIL='y' case $1 in
;; -h|-\?|--help)
'-o') show_help
case "$2" in exit 0
'csv'|'html'|'human') ;;
FMT="$2" -V|--version)
show_version
exit 0
;;
-a|--all)
SHOW_AVAIL='y'
;;
-u|--units)
# with value separated by space
if [ -n "$2" ]; then
parse_units "$2"
shift
else
printf 'ERROR: "-u|--units" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--units=?*)
# with value speparated by =
parse_units ${1#*=}
;;
--units=)
# without value
printf 'ERROR: "--units" requires a non-empty option argument.\n' >&2
exit 1
;;
-o|--output)
# with value separated by space
if [ -n "$2" ]; then
parse_output "$2"
shift
else
printf 'ERROR: "-o|--output" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--output=?*)
# with value speparated by =
parse_output ${1#*=}
;;
--output=)
# without value
printf 'ERROR: "--output" requires a non-empty option argument.\n' >&2
exit 1
;;
--)
# End of all options.
shift
break
;;
-?*|[[:alnum:]]*)
# ignore unknown options
printf 'ERROR: Unknown option : %s\n' "$1" >&2
echo "" >&2
show_usage >&2
exit 1
;; ;;
*) *)
usage # Default case: If no more options then break out of the loop.
break
;; ;;
esac
shift
;;
'-u')
case "$2" in
'k')
POW="$(echo '1024 ^ 1' | bc)"
;;
'm')
POW="$(echo '1024 ^ 2' | bc)"
;;
'g')
POW="$(echo '1024 ^ 3' | bc)"
;;
*)
usage
esac
shift
;;
*)
usage
esac esac
shift shift
done done
for VM in $(virsh list --name --all) main
do
echo "$VM"
# cpu
virsh vcpucount --current "$VM"
# mem
# libvirt stores memory in KiB, POW must be lowered by 1
virsh dommemstat "$VM" 2>/dev/null | awk 'BEGIN{ret=1}$1~/^actual$/{print $2 / '$((POW / 1024))';ret=0}END{exit ret}' ||
virsh dumpxml "$VM" | awk -F'[<>]' '$2~/^memory unit/{print $3/'$((POW / 1024))'}'
# disk
for BLK in $(virsh domblklist "$VM" | sed '1,2d;/-$/d;/^$/d' | awk '{print $1}')
do
virsh domblkinfo "$VM" "$BLK" 2>/dev/null
done | awk '/Physical:/ { size += $2 } END { print int(size / '${POW}') }'
# state
virsh domstate "$VM" | grep -q '^running$' && echo yes || echo no
done | xargs -n5 | {
echo vm vcpu ram disk running
awk '{ print } /yes$/ { vcpu += $2; ram += $3; disk += $4; running++ } END { print "TOTAL(running)", vcpu, ram, disk, running }'
test "$SHOW_AVAIL" && {
nproc
awk '/^MemTotal:/ { print int($2 / '$((POW / 1024))' ) }' /proc/meminfo
} | xargs -r printf 'AVAILABLE %s %s %s %s\n'
} | case "$FMT" in
'human')
column -t
;;
'html')
awk 'BEGIN{print "<html><body>\n<table>"}{printf "<tr>";for(i=1;i<=NF;i++)printf "<td>%s</td>", $i;print "</tr>"}END{print "</table>\n</body></html>"}'
;;
'csv')
tr ' ' ','
;;
esac
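Review bot: `parse_units ${1#*=}` and `parse_output ${1#*=}` in the `--units=?*` / `--output=?*` branches pass the value unquoted, so a value containing spaces or glob characters is word-split or expanded before the `case` sees it; write `parse_units "${1#*=}"` and `parse_output "${1#*=}"`. Smaller points in the same hunk: the `-?*|[[:alnum:]]*)` branch is commented `# ignore unknown options` but prints an error and exits 1, so the comment should say that; `show_help` reads `virtal` for `virtual` and two comments read `speparated`; and `show_usage` presents `--all`, `--output` and `--units` as alternatives (`or`) although the parser accepts them together.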

View file

@ -5,7 +5,7 @@
when: kvm_install_drbd when: kvm_install_drbd
## TODO: check why it's disabled ## TODO: check why it's disabled
#- include: ssh.yml - include: ssh.yml
- include: packages.yml - include: packages.yml
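Review bot: `- include: ssh.yml` is re-enabled, but the `## TODO: check why it's disabled` comment directly above it is kept and is now stale; drop it or replace it with the reason it is safe to enable again, since the next reader will otherwise assume the include is still suspect.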

View file

@ -15,36 +15,34 @@
debug: debug:
msg: "{{ ssh_keys.stdout }}" msg: "{{ ssh_keys.stdout }}"
- name: Autorize other kvm ssh key #- name: Autorize other kvm ssh key
authorized_key: # authorized_key:
user: root # user: root
state: present # state: present
key: "{{ item[0] }}" # key: "{{ item[0] }}"
delegate_to: "{{ item[1] }}" # delegate_to: "{{ item[1] }}"
loop: "{{ _keys | product(_servers) | list }}" # loop: "{{ _keys | product(_servers) | list }}"
vars: # vars:
_keys: ssh_keys.stdout # _keys: ssh_keys.stdout
_servers: groups['hypervisors'] # _servers: groups['hypervisors']
when: item[1] != inventory_hostname # when: item[1] != inventory_hostname
- name: Crontab for sync libvirt xml file - name: Crontab for sync libvirt xml file
cron: cron:
name: "sync libvirt xml on {{ item }}" name: "sync libvirt xml on {{ kvm_pair }}"
state: present state: present
special_time: "hourly" special_time: "hourly"
user: root user: root
job: "rsync -a --delete /etc/libvirt/qemu/ {{ hostvars[item]['ansible_hostname'] }}:/root/libvirt-{{ inventory_hostname }}/" job: "rsync -a --delete /etc/libvirt/qemu/*xml {{ hostvars[kvm_pair]['lan.ip'] }}:/root/libvirt-{{ inventory_hostname }}/"
loop: when: kvm_pair != inventory_hostname
- "{{ groups['hypervisors'] }}" tags: crontab
when: item != inventory_hostname
- name: Crontab for sync list of running vm - name: Crontab for sync list of running vm
cron: cron:
name: "sync list of libvirt running vm on {{ item }}" name: "sync list of libvirt running vm on {{ kvm_pair }}"
state: present state: present
special_time: "daily" special_time: "daily"
user: root user: root
job: "virsh list --all | ssh {{ hostvars[item]['ansible_hostname'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'" job: "virsh list --all | tee /root/virsh-list.txt | ssh {{ hostvars[kvm_pair]['lan.ip'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'"
loop: when: kvm_pair != inventory_hostname
- "{{ groups['hypervisors'] }}" tags: crontab
when: item != inventory_hostname
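Review bot: the rewritten job `rsync -a --delete /etc/libvirt/qemu/*xml <host>:/root/libvirt-.../` passes individual files instead of a directory, and `--delete` only removes extraneous files inside directories that are being synchronized, so the XML of a VM removed on the source is no longer removed on the pair; if the intent is to stop copying the subdirectories of `/etc/libvirt/qemu/`, use `rsync -a --delete --include='*.xml' --exclude='*' /etc/libvirt/qemu/ <dest>/` (note also that `*xml` matches any name merely ending in `xml`, `*.xml` is what is meant). Second, `hostvars[kvm_pair]['lan.ip']` looks up a hostvar literally named `lan.ip`; if the inventory defines `lan: { ip: ... }` this has to be `hostvars[kvm_pair]['lan']['ip']`, so please confirm the variable name. Finally, the `Autorize other kvm ssh key` task is commented out rather than deleted; dead YAML tends to linger, so remove it (git keeps the history) or add a one-line comment saying why it is kept.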

View file

@ -1,10 +1,10 @@
--- ---
ldap_listen: "ldap://127.0.0.1:389/" ldap_listen: "ldap://127.0.0.1:389/ ldapi:///"
ldap_hostname: "{{ ansible_hostname }}" ldap_hostname: "{{ ansible_hostname }}"
ldap_domain: "{{ ansible_domain }}" ldap_domain: "{{ ansible_domain }}"
ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}" ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"
ldap_admin_password: "" ldap_admin_password: ""
ldap_nagios_password: "" ldap_nagios_password: ""
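Review bot: adding `ldapi:///` to `ldap_listen` opens a Unix-domain socket next to the TCP listener; binds over it are usually mapped through SASL EXTERNAL by peer uid, so check that the role's `olcAccess` rules and authz-regexp mapping do not hand admin rights to every local user by accident, and document the new listener in the role README.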

View file

@ -2,4 +2,10 @@
general_alert_email: "root@localhost" general_alert_email: "root@localhost"
listupgrade_alert_email: Null listupgrade_alert_email: Null
listupgrade_cron_enabled: true listupgrade_cron_enabled: true
listupgrade_cron_minute: "42"
listupgrade_cron_hour: "9"
listupgrade_cron_day: "*"
listupgrade_cron_month: "*"
listupgrade_cron_weekday: "2"
listupgrade_cron_force: false

View file

@ -1,5 +1,7 @@
#!/bin/bash #!/bin/bash
# Repository: https://gitea.evolix.org/evolix/maj.sh/
# Exit codes : # Exit codes :
# - 30 : $skip_releases or $skip_packages is set to "all" # - 30 : $skip_releases or $skip_packages is set to "all"
# - 40 : current release is in $skip_releases list # - 40 : current release is in $skip_releases list
@ -7,7 +9,7 @@
# - 60 : current release is not in the $r_releases list # - 60 : current release is not in the $r_releases list
# - 70 : at least an upgradable package is not in the $r_packages list # - 70 : at least an upgradable package is not in the $r_packages list
VERSION="21.06.2" VERSION="21.06.3"
show_version() { show_version() {
cat <<END cat <<END
@ -121,7 +123,7 @@ EOT
# are executed if they are executable # are executed if they are executable
# and if their name doesn't contain a dot # and if their name doesn't contain a dot
exec_hooks_in_dir() { exec_hooks_in_dir() {
hooks=$(find "${1}" -type f -executable -not -name '*.*') hooks=$(find "${1}" -type f -executable -not -name '*.* -print0 | sort --zero-terminated --dictionary-order | xargs --no-run-if-empty --null --max-args=1')
for hook in ${hooks}; do for hook in ${hooks}; do
if ! cron_mode; then if ! cron_mode; then
printf "Running '%s\`\n" "${hook}" printf "Running '%s\`\n" "${hook}"
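Review bot: the new `hooks=$(find "${1}" -type f -executable -not -name '*.* -print0 | sort ... --max-args=1')` line has its closing quote in the wrong place: the single quote opened before `*.*` is only closed after `--max-args=1`, so the whole `-print0 | sort --zero-terminated --dictionary-order | xargs --no-run-if-empty --null --max-args=1` fragment becomes part of the `-name` pattern, no pipeline runs, `find` prints unsorted newline-separated paths, and hooks whose name contains a dot are no longer excluded because that pattern matches nothing ordinary. It should read `-not -name '*.*' -print0 | sort --zero-terminated --dictionary-order | xargs --no-run-if-empty --null --max-args=1`. Even then, `xargs` without a command runs `echo`, so the NUL-safe list is turned back into whitespace-separated text that `for hook in ${hooks}` splits again; a `while IFS= read -r hook; do ...; done` over `find ... | sort --dictionary-order` output would preserve names with spaces.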
@ -178,13 +180,14 @@ main() {
echo 'Aucun' >"${packagesHold}" echo 'Aucun' >"${packagesHold}"
fi fi
local_release=$(cut -f 1 -d . </etc/debian_version)
if force_mode; then if force_mode; then
if ! cron_mode; then if ! cron_mode; then
echo "Force mode is enabled, as if every release/package is available for upgrade." echo "Force mode is enabled, as if every release/package is available for upgrade."
fi fi
else else
fetch_upgrade_info fetch_upgrade_info
local_release=$(cut -f 1 -d . </etc/debian_version)
# Exit if skip_releases or skip_packages in upgrade info file are set to all. # Exit if skip_releases or skip_packages in upgrade info file are set to all.
if [ "${r_skip_releases}" = "all" ] || [ "${r_skip_packages}" = "all" ]; then if [ "${r_skip_releases}" = "all" ] || [ "${r_skip_packages}" = "all" ]; then

View file

@ -1,74 +1,152 @@
#!/bin/sh #!/bin/sh
# Repository: https://gitea.evolix.org/evolix/maj.sh/
# fork by reg from /etc/kernel/postinst.d/apt-auto-removal script # fork by reg from /etc/kernel/postinst.d/apt-auto-removal script
set -e VERSION="21.10"
readonly VERSION
eval $(apt-config shell DPKG Dir::bin::dpkg/f) PROGNAME=$(basename "$0")
test -n "$DPKG" || DPKG="/usr/bin/dpkg"
show_version() {
cat <<END
${PROGNAME} version ${VERSION}
Copyright 2018-2021 Evolix <info@evolix.fr>,
Gregory Colpart <reg@evolix.fr>,
Romain Dessort <rdessort@evolix.fr>,
Ludovic Poujol <lpoujol@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>
and others.
${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public Licence for details.
END
}
show_help() {
cat <<END
${PROGNAME} removes old kernels.
Options
-h, --help print this message and exit
--version print version and exit
END
}
# Detect which one of apt/aptitude we should use. # Detect which one of apt/aptitude we should use.
# shellcheck disable=SC2120
get_apt_binary() { get_apt_binary() {
root="$1" root="${1:-}"
# apt could be a Java binary... # apt could be a Java binary...
if [ -x $root/usr/bin/apt ] && ! $root/usr/bin/apt --version 2>&1 |grep -q "javac"; then if [ -x "${root}/usr/bin/apt" ] && ! ${root}/usr/bin/apt --version 2>&1 | grep -q "javac"; then
echo "apt" echo "apt"
elif [ -x $root/usr/bin/aptitude ]; then elif [ -x "${root}/usr/bin/aptitude" ]; then
echo "aptitude" echo "aptitude"
# Usually in containers # Usually in containers
else else
echo "apt-get" echo "apt-get"
fi fi
} }
APT=$(get_apt_binary)
list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+(linux|kfreebsd|gnumach)-image-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2,$3; }' \ main() {
| sed -e 's#^\(linux\|kfreebsd\|gnumach\)-image-##' -e 's#:[^:]\+ # #')" specifc_kernel="$1"
debverlist="$(echo "$list" | cut -d' ' -f 2 | sort --unique --reverse --version-sort)"
if [ -n "$1" ]; then # shellcheck disable=SC2046
installed_version="$(echo "$list" | awk "\$1 == \"$1\" { print \$2;exit; }")" eval $(apt-config shell DPKG Dir::bin::dpkg/f)
fi DPKG="${DPKG:-/usr/bin/dpkg}"
unamer="$(uname -r | tr '[A-Z]' '[a-z]')"
if [ -n "$unamer" ]; then
running_version="$(echo "$list" | awk "\$1 == \"$unamer\" { print \$2;exit; }")"
fi
# ignore the currently running version if attempting a reproducible build
if [ -n "${SOURCE_DATE_EPOCH}" ]; then
unamer=""
running_version=""
fi
latest_version="$(echo "$debverlist" | sed -n 1p)"
previous_version="$(echo "$debverlist" | sed -n 2p)"
debkernels="$(echo "$latest_version listupgrade_state_dir="${listupgrade_state_dir:-/var/lib/listupgrade}"
$installed_version
$running_version" | sort -u | sed -e '/^$/ d')" APT=$(get_apt_binary)
kernels="$( (echo "$1
$unamer"; for deb in $debkernels; do echo "$list" | awk "\$2 == \"$deb\" { print \$1; }"; done; ) \ list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+(linux|kfreebsd|gnumach)-image-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2,$3; }' \
| sed -e 's#\([\.\+]\)#\\\1#g' -e '/^$/ d' | sort -u|tr '\n' '|' | sed -e 's/|$//')" | sed -e 's#^\(linux\|kfreebsd\|gnumach\)-image-##' -e 's#:[^:]\+ # #')"
debverlist="$(echo "${list}" | cut -d' ' -f 2 | sort --unique --reverse --version-sort)"
if [ -n "${specifc_kernel}" ]; then
installed_version="$(echo "$list" | awk "\$1 == \"${specifc_kernel}\" { print \$2;exit; }")"
fi
unamer="$(uname -r | tr '[:upper:]' '[:lower:]')"
if [ -n "${unamer}" ]; then
running_version="$(echo "${list}" | awk "\$1 == \"${unamer}\" { print \$2;exit; }")"
fi
# ignore the currently running version if attempting a reproducible build
if [ -n "${SOURCE_DATE_EPOCH}" ]; then
unamer=""
running_version=""
fi
latest_version="$(echo "${debverlist}" | sed -n 1p)"
previous_version="$(echo "${debverlist}" | sed -n 2p)"
debkernels="$(echo "${latest_version}
${installed_version}
${running_version}" | sort -u | sed -e '/^$/ d')"
kernels="$( (echo "${specifc_kernel}
${unamer}"; for deb in ${debkernels}; do echo "${list}" | awk "\$2 == \"${deb}\" { print \$1; }"; done; ) \
| sed -e 's#\([\.\+]\)#\\\1#g' -e '/^$/ d' | sort -u|tr '\n' '|' | sed -e 's/|$//')"
echo " echo "
List of installed kernel packages: List of installed kernel packages:
$list $list
# Running kernel: ${running_version:-ignored} (${unamer:-ignored}) # Running kernel: ${running_version:-ignored} (${unamer:-ignored})
# Last kernel: $latest_version # Last kernel: ${latest_version}
# Previous kernel: $previous_version # Previous kernel: ${previous_version}
# Kernel versions list to keep: # Kernel versions list to keep:
$debkernels ${debkernels}
# Kernel packages (version part) to protect: # Kernel packages (version part) to protect:
$kernels ${kernels}
" "
echo "BEFORE" echo "BEFORE"
dpkg -l | grep linux-image dpkg -l | grep linux-image
dpkg --get-selections | tr '\t' ' ' | cut -d" " -f1 | grep ^linux-image-[234] | egrep -v "($kernels)" | xargs --no-run-if-empty $APT -y purge dpkg --get-selections | tr '\t' ' ' | cut -d" " -f1 | grep '^linux-image-[234]' | grep -v -E "(${kernels})" | xargs --no-run-if-empty ${APT} -o Dir::State::Lists="${listupgrade_state_dir}" -y purge
echo " echo "
AFTER" AFTER"
dpkg -l | grep linux-image dpkg -l | grep linux-image
echo "" echo ""
}
# Parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
while :; do
case $1 in
-h|-\?|--help)
show_help
exit 0
;;
-V|--version)
show_version
exit 0
;;
--)
# End of all options.
shift
break
;;
-?*|[[:alnum:]]*)
# ignore unknown options
if [ "${QUIET}" != 1 ]; then
printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
fi
;;
*)
# Default case: If no more options then break out of the loop.
break
;;
esac
shift
done
set -e
main "${@}"
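Review bot: the new option loop breaks the script's positional argument: a kernel version such as `5.10.0-9-amd64` starts with an alphanumeric, so it matches the `-?*|[[:alnum:]]*)` branch, is reported as an unknown option (`QUIET` is never set anywhere in this script, so the warning always prints) and then shifted away, and `main "${@}"` always receives an empty `specifc_kernel`; either drop `[[:alnum:]]*` from that pattern or make the branch `break` so the value reaches `main`. Also visible in the hunk: `grep '^linux-image-[234]'` keeps only 2.x/3.x/4.x package names, so on Bullseye (5.10 kernels), which this release adds support for, the purge selects nothing; `grep -E '^linux-image-[0-9]'` would match the `[0-9]+\.` test the `awk` filter above already uses. Minor: `specifc_kernel` is misspelled throughout, and `set -e` is now only enabled after option parsing.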

View file

@ -46,14 +46,17 @@
group: root group: root
- name: Enable listupgrade cron - name: Enable listupgrade cron
copy: cron:
src: listupgrade_cron name: "lisupgrade.sh"
dest: /etc/cron.d/listupgrade cron_file: "listupgrade"
mode: "0600" user: root
owner: root job: "/usr/share/scripts/listupgrade.sh --cron {{ listupgrade_cron_force | bool | ternary('--force','') }}"
group: root minute: "{{ listupgrade_cron_minute }}"
force: no hour: "{{ listupgrade_cron_hour }}"
when: listupgrade_cron_enabled | bool weekday: "{{ listupgrade_cron_weekday }}"
day: "{{ listupgrade_cron_day }}"
month: "{{ listupgrade_cron_month }}"
state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}"
- name: old-kernel-autoremoval script is present - name: old-kernel-autoremoval script is present
copy: copy:
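Review bot: `name: "lisupgrade.sh"` is misspelled (missing `t`); because `name` is the identifier the `cron` module uses to find and update the entry in `/etc/cron.d/listupgrade`, fixing it later will leave a duplicate job behind, so correct it now. The job string `... --cron {{ listupgrade_cron_force | bool | ternary('--force','') }}` ends with a trailing space in the non-force case, which is harmless. One more check: the replaced task copied a hand-written `/etc/cron.d/listupgrade` with `force: no`, and `cron_file: "listupgrade"` writes the same path, so existing hosts get that file overwritten; presumably intended, but worth a CHANGELOG line.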

View file

@ -1,8 +1,10 @@
--- ---
elastic_stack_version: "6.x" elastic_stack_version: "7.x"
logstash_jvm_xms: 256m logstash_jvm_xms: 256m
logstash_jvm_xmx: 512g logstash_jvm_xmx: 512g
logstash_log_rotate_days: 365 logstash_log_rotate_days: 365
logstash_custom_tmpdir: Null logstash_custom_tmpdir: Null
logstash_default_tmpdir: /var/lib/logstash/tmp logstash_default_tmpdir: /var/lib/logstash/tmp
logstash_log_syslog_enabled: True
logstash_config_force: True
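Review bot: `logstash_jvm_xmx: 512g` next to `logstash_jvm_xms: 256m` looks like a typo for `512m`: a 512 GiB heap ceiling lets the JVM grow far past physical memory before the collector is forced to work. The line is unchanged, but this hunk touches the file and also bumps `elastic_stack_version` to `"7.x"` (a breaking default change for hosts that do not pin it, same remark as for the kibana role), so it is the right moment to fix it. `logstash_config_force: True` keeping the current overwrite behaviour as the default is fine.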

View file

@ -0,0 +1,10 @@
---
- name: restart logstash
systemd:
name: logstash
state: restarted
daemon_reload: yes
- name: reload systemd
command: systemctl daemon-reload
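Review bot: the `restart logstash` handler already sets `daemon_reload: yes`, so the separate `reload systemd` handler running `command: systemctl daemon-reload` is redundant unless something notifies it alone; if it stays, use the `systemd` module with `daemon_reload: yes` instead of `command` so the handler is idempotent and reports changes correctly.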

View file

@ -24,5 +24,4 @@ galaxy_info:
# NOTE: A tag is limited to a single word comprised of # NOTE: A tag is limited to a single word comprised of
# alphanumeric characters. Maximum 20 tags per role. # alphanumeric characters. Maximum 20 tags per role.
dependencies: dependencies: []
- { role: evolix/java, java_alternative: 'openjdk', java_version: 8 }
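Review bot: dropping the `evolix/java` dependency (`openjdk`, `java_version: 8`) means playbooks that relied on this role to put a JRE on the host will fail at Logstash start unless the Logstash package now ships its own runtime; state in the CHANGELOG that the logstash role no longer installs Java and which Logstash versions bundle a JDK, so operators know whether to add the java role themselves.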

View file

@ -16,3 +16,26 @@
group: root group: root
mode: "0750" mode: "0750"
when: is_cron_installed.rc == 0 when: is_cron_installed.rc == 0
- name: "Create a system config directory for systemd overrides"
file:
path: /etc/systemd/system/logstash.service.d
state: directory
- name: "disable syslog"
ini_file:
path: /etc/systemd/system/logstash.service.d/override.conf
section: Service
option: "{{ item.option }}"
value: "{{ item.value }}"
owner: root
group: root
mode: "0644"
create: yes
no_extra_spaces: yes
state: "{{ logstash_log_syslog_enabled | bool | ternary('absent','present') }}"
loop:
- { option: "StandardOutput", value: "null" }
- { option: "StandardError", value: "null" }
notify:
- restart logstash
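Review bot: the task named `"disable syslog"` actually toggles both ways (`state: "{{ logstash_log_syslog_enabled | bool | ternary('absent','present') }}"`), and in the `absent` case `ini_file` with `create: yes` can leave an `override.conf` holding just a `[Service]` header; name the task after the variable and remove the file when no override is wanted. Two smaller points: the `file` task creating `/etc/systemd/system/logstash.service.d` sets no `owner`/`group`/`mode` (root-owned `0755` is what systemd expects, so be explicit), and sending `StandardOutput`/`StandardError` to `null` discards anything Logstash prints before its own log file is open, so startup failures vanish from the journal; mention that trade-off where `logstash_log_syslog_enabled` is documented.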

View file

@ -8,11 +8,20 @@
- logstash - logstash
- packages - packages
- name: Look for legacy apt keyring
stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- logstash
- packages
- name: Elastic embedded GPG key is absent - name: Elastic embedded GPG key is absent
apt_key: apt_key:
id: "D88E42B4" id: "D88E42B4"
keyring: /etc/apt/trusted.gpg keyring: /etc/apt/trusted.gpg
state: absent state: absent
when: _trusted_gpg_keyring.stat.exists
tags: tags:
- logstash - logstash
- packages - packages
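Review bot: `_trusted_gpg_keyring` is the same registered variable name used by the kibana and jenkins roles in this PR; registered variables are play-scoped, so a play that runs several of these roles on one host overwrites it. That is harmless today because each role runs its `stat` immediately before the `apt_key` task that reads it, but a role-prefixed name such as `_logstash_trusted_gpg_keyring` avoids surprises if the tasks are ever reordered or tagged apart.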
@ -79,7 +88,7 @@
owner: logstash owner: logstash
group: logstash group: logstash
mode: "0640" mode: "0640"
force: yes force: "{{ logstash_config_force | bool }}"
loop: "{{ query('first_found', templates) }}" loop: "{{ query('first_found', templates) }}"
vars: vars:
templates: templates:

View file

@ -18,4 +18,5 @@ lxc_php_container_releases:
php56: "jessie" php56: "jessie"
php70: "stretch" php70: "stretch"
php73: "buster" php73: "buster"
php74: "buster" php74: "bullseye"
php80: "bullseye"
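Review bot: changing `php74` from `"buster"` to `"bullseye"` alters the base release recorded for an existing container name; hosts that already have a `php74` container built on buster will not get it recreated, yet every task keyed on `lxc_php_container_releases[lxc_php_version]` (for example the opensmtpd template selection later in this PR) will now assume bullseye inside a buster rootfs. Either keep `php74: "buster"` and apply the new mapping only to freshly created containers, or document that existing php74 containers must be destroyed and rebuilt.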

View file

@ -1,4 +1,9 @@
--- ---
- name: Reload php80-fpm
lxc_container:
name: "{{ lxc_php_version }}"
container_command: "systemctl reload php8.0-fpm"
- name: Reload php74-fpm - name: Reload php74-fpm
lxc_container: lxc_container:
name: "{{ lxc_php_version }}" name: "{{ lxc_php_version }}"

View file

@ -11,3 +11,13 @@
dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/smtpd.conf" dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/smtpd.conf"
mode: "0644" mode: "0644"
notify: "Restart opensmtpd" notify: "Restart opensmtpd"
when: lxc_php_container_releases[lxc_php_version] in ["jessie", "stretch", "buster"]
- name: "{{ lxc_php_version }} - Configure opensmtpd (in the container)"
template:
src: smtpd.conf.bullseye.j2
dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/smtpd.conf"
mode: "0644"
notify: "Restart opensmtpd"
when: not lxc_php_container_releases[lxc_php_version] in ["jessie", "stretch", "buster"]
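Review bot: the two `Configure opensmtpd` tasks hard-code the legacy release list `["jessie", "stretch", "buster"]` twice, once under `in` and once under `not ... in`; a typo in one copy silently disables the task for some containers. Put the list in a role variable, or key the template name on the release (`smtpd.conf.{{ lxc_php_container_releases[lxc_php_version] }}.j2`) with the legacy file as fallback, and write the second condition as `... not in [...]`: Jinja parses `not X in Y` as `not (X in Y)`, but it reads as a negation of `X`.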

View file

@ -21,4 +21,7 @@
- include: "php74.yml" - include: "php74.yml"
when: lxc_php_version == "php74" when: lxc_php_version == "php74"
- include: "php80.yml"
when: lxc_php_version == "php80"
- include: "misc.yml" - include: "misc.yml"

Some files were not shown because too many files have changed in this diff