diff --git a/CHANGELOG.md b/CHANGELOG.md
index 15539488..5f5ad694 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,16 @@ The **patch** part changes incrementally at each release.
 
 ### Security
 
+## [9.4.1] - 2018-09-28
+
+### Added
+* redis: set masterauth when redis_password is defined
+* evomaintenance: variable to install a vendored version
+* evomaintenance: tasks/variables to handle minifirewall restarts
+
+### Changed
+* mysql-oracle: better handle packages and users
+
 ## [9.4.0] - 2018-09-20
 
 ### Added
diff --git a/evomaintenance/README.md b/evomaintenance/README.md
index 5ca66acf..bb3323bb 100644
--- a/evomaintenance/README.md
+++ b/evomaintenance/README.md
@@ -2,9 +2,6 @@
 
 Install a script to notify when operations are performed on a server
 
-The Debian package is available at `pub.evolix.net`.
-Make you have `deb http://pub.evolix.net/ jessie/` in your sources list.
-
 ## Tasks
 
 Installation and configuration are performed via `tasks/main.yml`.
diff --git a/evomaintenance/defaults/main.yml b/evomaintenance/defaults/main.yml
index 1806f691..6ad55a9b 100644
--- a/evomaintenance/defaults/main.yml
+++ b/evomaintenance/defaults/main.yml
@@ -2,21 +2,37 @@
 general_alert_email: "root@localhost"
 evomaintenance_alert_email: Null
 
-evomaintenance_hostname: "{{ ansible_fqdn }}"
+### copied from evolinux-base ###
+evolinux_hostname: "{{ ansible_hostname }}"
+evolinux_domain:   "{{ ansible_domain }}"
+evolinux_fqdn:     "{{ evolinux_hostname }}.{{ evolinux_domain }}"
+
+evolinux_internal_hostname: "{{ evolinux_hostname }}"
+evolinux_internal_domain:   "{{ evolinux_domain }}"
+evolinux_internal_fqdn:     "{{ evolinux_internal_hostname }}.{{ evolinux_internal_domain }}"
+#################################
+
+evomaintenance_install_vendor: False
+evomaintenance_force_config: True
+
+evomaintenance_hostname: "{{ evolinux_internal_fqdn }}"
 
 evomaintenance_pg_host: Null
 evomaintenance_pg_passwd: Null
 evomaintenance_pg_db: Null
 evomaintenance_pg_table: Null
 
-evomaintenance_from: "evomaintenance@{{ ansible_fqdn }}"
+evomaintenance_from: "evomaintenance@{{ evolinux_internal_fqdn }}"
 evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
 
 evomaintenance_urgency_from: mama.doe@example.com
 evomaintenance_urgency_tel: "06.00.00.00.00"
 
-evomaintenance_realm: "{{ ansible_domain }}"
+evomaintenance_realm: "{{ evolinux_internal_domain }}"
 
 evomaintenance_default_hosts: []
 evomaintenance_additional_hosts: []
 evomaintenance_hosts: "{{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }}"
+
+minifirewall_restart_if_needed: True
+minifirewall_restart_force: False
diff --git a/evomaintenance/files/evomaintenance.sh b/evomaintenance/files/evomaintenance.sh
new file mode 100644
index 00000000..2e01c022
--- /dev/null
+++ b/evomaintenance/files/evomaintenance.sh
@@ -0,0 +1,198 @@
+#!/bin/sh
+
+# EvoMaintenance script
+# Dependencies (all OS): git postgresql-client
+# Dependencies (Debian): sudo
+
+# version 0.4.1
+# Copyright 2007-2018 Gregory Colpart <reg@evolix.fr>, Jérémy Lecour <jlecour@evolix.fr>, Evolix <info@evolix.fr>
+
+get_system() {
+  uname -s
+}
+
+get_fqdn() {
+  if [ "$(get_system)" = "Linux" ]; then
+    hostname --fqdn
+  elif [ "$(get_system)" = "OpenBSD" ]; then
+    hostname
+  else
+    echo "OS not detected!"
+    exit 1
+  fi
+}
+
+get_tty() {
+  if [ "$(get_system)" = "Linux" ]; then
+    ps -o tty= | tail -1
+  elif [ "$(get_system)" = "OpenBSD" ]; then
+    env | grep SSH_TTY | cut -d"/" -f3
+  else
+    echo "OS not detected!"
+    exit 1
+  fi
+}
+
+get_who() {
+  who=$(LC_ALL=C who -m)
+
+  if [ -n "${who}" ]; then
+    echo "${who}"
+  else
+    LC_ALL=C who | grep $(get_tty) | tr -s ' '
+  fi
+}
+
+get_begin_date() {
+  echo "$(date "+%Y") $(echo $(get_who) | cut -d" " -f3,4,5)"
+}
+
+get_ip() {
+  ip=$(echo $(get_who) | cut -d" " -f6 | sed -e "s/^(// ; s/)$//")
+  [ -z "${ip}" ] && ip="unknown (no tty)"
+  [ "${ip}" = ":0" ] && ip="localhost"
+
+  echo "${ip}"
+}
+
+get_end_date() {
+  date +"%Y %b %d %H:%M"
+}
+
+get_now() {
+  date +"%Y-%m-%dT%H:%M:%S%z"
+}
+
+test -f /etc/evomaintenance.cf && . /etc/evomaintenance.cf
+
+[ -n "${HOSTNAME}" ]     || HOSTNAME=$(get_fqdn)
+[ -n "${EVOMAINTMAIL}" ] || EVOMAINTMAIL=evomaintenance-$(echo "${HOSTNAME}" | cut -d- -f1)@${REALM}
+[ -n "${LOGFILE}" ]      || LOGFILE=/var/log/evomaintenance.log
+
+# Treat unset variables as an error when substituting.
+# Only after this line, because some config variables might be missing.
+set -u
+
+REAL_HOSTNAME=$(get_fqdn)
+if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then
+    HOSTNAME_TEXT="${HOSTNAME}"
+else
+    HOSTNAME_TEXT="${HOSTNAME} (${REAL_HOSTNAME})"
+fi
+
+# TTY=$(get_tty)
+# WHO=$(get_who)
+IP=$(get_ip)
+BEGIN_DATE=$(get_begin_date)
+END_DATE=$(get_end_date)
+USER=$(logname)
+
+PATH=${PATH}:/usr/sbin
+
+SENDMAIL_BIN=$(command -v sendmail)
+GIT_BIN=$(command -v git)
+
+GIT_REPOSITORIES="/etc /etc/bind"
+
+# git statuses
+GIT_STATUSES=""
+
+if test -x "${GIT_BIN}"; then
+    # loop on possible directories managed by GIT
+    for dir in ${GIT_REPOSITORIES}; do
+        # tell Git where to find the repository and the work tree (no need to `cd …` there)
+        export GIT_DIR="${dir}/.git" GIT_WORK_TREE="${dir}"
+        # If the repository and the work tree exist, try to commit changes
+        if test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
+            CHANGED_LINES=$(${GIT_BIN} status --porcelain | wc -l | tr -d ' ')
+            if [ "${CHANGED_LINES}" != "0" ]; then
+              STATUS=$(${GIT_BIN} status --short | tail -n 10)
+              # append diff data, without empty lines
+              GIT_STATUSES=$(printf "%s\n%s\n%s\n" "${GIT_STATUSES}" "${GIT_DIR} (last 10 lines)" "${STATUS}" | sed -e '/^$/d')
+            fi
+        fi
+        # unset environment variables to prevent accidental influence on other git commands
+        unset GIT_DIR GIT_WORK_TREE
+    done
+    if [ -n "${GIT_STATUSES}" ]; then
+      echo "/!\ There are some uncommited changes. If you proceed, everything will be commited."
+      echo "${GIT_STATUSES}"
+      echo ""
+    fi
+fi
+
+# get input from stdin
+echo "> Please, enter details about your maintenance"
+read TEXTE
+
+if [ "${TEXTE}" = "" ]; then
+    echo "no value..."
+    exit 1
+fi
+
+# recapitulatif
+BLOB=$(cat <<END
+Host      : $HOSTNAME_TEXT
+User      : $USER
+IP        : $IP
+Begin     : $BEGIN_DATE
+End       : $END_DATE
+Message   : $TEXTE
+END
+)
+
+echo ""
+echo "${BLOB}"
+echo ""
+echo "> Press <Enter> to submit, or <Ctrl+c> to cancel."
+read enter
+
+# write log
+echo "----------- $(get_now) ---------------" >> "${LOGFILE}"
+echo "${BLOB}" >> "${LOGFILE}"
+
+# git commit
+GIT_COMMITS=""
+
+if test -x "${GIT_BIN}"; then
+    # loop on possible directories managed by GIT
+    for dir in ${GIT_REPOSITORIES}; do
+        # tell Git where to find the repository and the work tree (no need to `cd …` there)
+        export GIT_DIR="${dir}/.git" GIT_WORK_TREE="${dir}"
+        # If the repository and the work tree exist, try to commit changes
+        if test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
+            CHANGED_LINES=$(${GIT_BIN} status --porcelain | wc -l | tr -d ' ')
+            if [ "${CHANGED_LINES}" != "0" ]; then
+              ${GIT_BIN} add --all
+              ${GIT_BIN} commit --message "${TEXTE}" --author="${USER} <${USER}@evolix.net>" --quiet
+              # Add the SHA to the log file if something has been committed
+              SHA=$(${GIT_BIN} rev-parse --short HEAD)
+              STATS=$(${GIT_BIN} show --stat | tail -1)
+              # append commit data, without empty lines
+              GIT_COMMITS=$(printf "%s\n%s : %s –%s" "${GIT_COMMITS}" "${GIT_DIR}" "${SHA}" "${STATS}" | sed -e '/^$/d')
+            fi
+        fi
+        # unset environment variables to prevent accidental influence on other git commands
+        unset GIT_DIR GIT_WORK_TREE
+    done
+    if [ -n "${GIT_COMMITS}" ]; then
+      echo "${GIT_COMMITS}" >> "${LOGFILE}"
+    fi
+fi
+
+# insert into PG
+# SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/\\\\\\'/g ; s@/@\\\\\/@g ; s@\\&@et@g"`
+SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/''/g"`
+
+PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${HOSTNAME}','${USER}','${IP}','${BEGIN_DATE}',now(),'${SQL_TEXTE}')"
+echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST} --quiet
+
+# send mail
+MAIL_TEXTE=$(echo "${TEXTE}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@")
+MAIL_GIT_COMMITS=$(echo "${GIT_COMMITS}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@")
+
+cat /usr/share/scripts/evomaintenance.tpl | \
+    sed -e "s/__TO__/${EVOMAINTMAIL}/ ; s/__HOSTNAME__/${HOSTNAME_TEXT}/ ; s/__USER__/${USER}/ ; s/__BEGIN_DATE__/${BEGIN_DATE}/ ; s/__END_DATE__/${END_DATE}/ ; s/__GIT_COMMITS__/${MAIL_GIT_COMMITS}/ ; s/__TEXTE__/${MAIL_TEXTE}/ ; s/__IP__/${IP}/ ; s/__FULLFROM__/${FULLFROM}/ ; s/__FROM__/${FROM}/ ; s/__URGENCYFROM__/${URGENCYFROM}/ ; s/__URGENCYTEL__/${URGENCYTEL}/" | \
+    ${SENDMAIL_BIN} -oi -t -f ${FROM}
+
+exit 0
diff --git a/evomaintenance/files/evomaintenance.tpl b/evomaintenance/files/evomaintenance.tpl
new file mode 100644
index 00000000..ddddd7b6
--- /dev/null
+++ b/evomaintenance/files/evomaintenance.tpl
@@ -0,0 +1,33 @@
+From: __FULLFROM__
+Content-Type: text/plain; charset=UTF-8
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+To: __TO__
+Subject: [evomaintenance] Intervention sur __HOSTNAME__ (__USER__)
+
+Bonjour,
+
+Une intervention vient de se terminer sur votre serveur.
+Voici les renseignements sur l'intervention :
+
+Nom du serveur : __HOSTNAME__
+Personne ayant réalisée l'intervention : __USER__
+Intervention réalisée depuis : __IP__
+Début de l'intervention : __BEGIN_DATE__
+Fin de l'intervention : __END_DATE__
+
+###
+Renseignements sur l'intervention :
+__TEXTE__
+###
+
+__GIT_COMMITS__
+
+Pour réagir à cette intervention, vous pouvez répondre à ce message
+(sur l'adresse mail __FROM__). En cas d'urgence, utilisez
+l'adresse __URGENCYFROM__ ou notre téléphone portable d'astreinte
+(__URGENCYTEL__)
+
+Cordialement,
+--
+__FULLFROM__
diff --git a/evomaintenance/handlers/main.yml b/evomaintenance/handlers/main.yml
new file mode 100644
index 00000000..85884f73
--- /dev/null
+++ b/evomaintenance/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: restart minifirewall
+  command: /etc/init.d/minifirewall restart
+  register: minifirewall_init_restart
+  failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
+  changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
+
+- name: restart minifirewall (noop)
+  meta: noop
+  register: minifirewall_init_restart
+  failed_when: False
+  changed_when: False
diff --git a/evomaintenance/tasks/install_package.yml b/evomaintenance/tasks/install_package.yml
new file mode 100644
index 00000000..62b9f04d
--- /dev/null
+++ b/evomaintenance/tasks/install_package.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Install Evolix public repositry
+  include_role:
+    name: apt
+    tasks_from: evolix_public.yml
+  tags:
+    - evomaintenance
+
+- name: evomaintenance is installed
+  apt:
+    name: evomaintenance
+    allow_unauthenticated: yes
+  tags:
+    - evomaintenance
diff --git a/evomaintenance/tasks/install_vendor.yml b/evomaintenance/tasks/install_vendor.yml
new file mode 100644
index 00000000..d75b2f2f
--- /dev/null
+++ b/evomaintenance/tasks/install_vendor.yml
@@ -0,0 +1,40 @@
+---
+
+- include_role:
+    name: remount-usr
+  tags:
+    - evomaintenance
+
+- name: /usr/share/scripts exists
+  file:
+    dest: /usr/share/scripts
+    mode: "0700"
+    owner: root
+    group: root
+    state: directory
+  tags:
+    - evomaintenance
+
+- name: Script is installed
+  copy:
+    src: evomaintenance.sh
+    dest: /usr/share/scripts/evomaintenance.sh
+    mode: "0700"
+    owner: root
+    group: root
+    force: yes
+    backup: yes
+  tags:
+    - evomaintenance
+
+- name: Template is installed
+  copy:
+    src: evomaintenance.tpl
+    dest: /usr/share/scripts/evomaintenance.tpl
+    mode: "0600"
+    owner: root
+    group: root
+    force: yes
+    backup: yes
+  tags:
+    - evomaintenance
diff --git a/evomaintenance/tasks/main.yml b/evomaintenance/tasks/main.yml
index c8e24e54..d2e1f064 100644
--- a/evomaintenance/tasks/main.yml
+++ b/evomaintenance/tasks/main.yml
@@ -1,17 +1,13 @@
 ---
-- name: Install Evolix public repositry
-  include_role:
-    name: apt
-    tasks_from: evolix_public.yml
-  tags:
-    - evomaintenance
 
-- name: evomaintenance is installed
-  apt:
-    name: evomaintenance
-    allow_unauthenticated: yes
-  tags:
-    - evomaintenance
+- set_fact:
+    minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
+
+- include: install_package.yml
+  when: not evomaintenance_install_vendor
+
+- include: install_vendor.yml
+  when: evomaintenance_install_vendor
 
 - name: configuration is applied
   template:
@@ -20,22 +16,10 @@
     owner: root
     group: root
     mode: "0600"
+    force: "{{ evomaintenance_force_config | bool }}"
   tags:
     - evomaintenance
 
-# - name: list users with a shell
-#   shell: "cat /etc/passwd | grep -vE \"^root:\"  | grep -E \":/[^:]+sh$\" | cut -d: -f6"
-#   changed_when: False
-#   check_mode: no
-#   register: home_of_shell_users
-#   tags:
-#     - evomaintenance
-#
-# - include: trap.yml home={{ item }}
-#   with_items: "{{ home_of_shell_users.stdout_lines }}"
-#   tags:
-#     - evomaintenance
-
 - name: Is minifirewall installed?
   stat:
     path: /etc/default/minifirewall
@@ -49,6 +33,7 @@
     line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
     insertafter: "^# EvoMaintenance"
   with_items: "{{ evomaintenance_hosts }}"
+  notify: "{{ minifirewall_restart_handler_name }}"
   when: minifirewall_default_file.stat.exists
   tags:
     - evomaintenance
@@ -58,6 +43,14 @@
     dest: /etc/default/minifirewall
     regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
     state: absent
+  notify: "{{ minifirewall_restart_handler_name }}"
   when: minifirewall_default_file.stat.exists
   tags:
     - evomaintenance
+
+-  name: Force restart minifirewall
+   command: /bin/true
+   notify: restart minifirewall
+   when: minifirewall_restart_force
+   tags:
+     - evomaintenance
diff --git a/evomaintenance/templates/evomaintenance.j2 b/evomaintenance/templates/evomaintenance.j2
index acb6fd46..79bc0cbf 100644
--- a/evomaintenance/templates/evomaintenance.j2
+++ b/evomaintenance/templates/evomaintenance.j2
@@ -1,11 +1,11 @@
 HOSTNAME={{ evomaintenance_hostname }}
 EVOMAINTMAIL={{ evomaintenance_alert_email or general_alert_email | mandatory }}
 
-export PGPASSWORD={{ evomaintenance_pg_passwd }}
+export PGPASSWORD={{ evomaintenance_pg_passwd | mandatory }}
 
-PGDB={{ evomaintenance_pg_db }}
-PGTABLE={{ evomaintenance_pg_table }}
-PGHOST={{ evomaintenance_pg_host }}
+PGDB={{ evomaintenance_pg_db | mandatory }}
+PGTABLE={{ evomaintenance_pg_table | mandatory }}
+PGHOST={{ evomaintenance_pg_host | mandatory }}
 FROM={{ evomaintenance_from }}
 FULLFROM="{{ evomaintenance_full_from }}"
 URGENCYFROM={{ evomaintenance_urgency_from }}
diff --git a/mysql-oracle/tasks/packages.yml b/mysql-oracle/tasks/packages.yml
index 1d6ebf64..e77288c5 100644
--- a/mysql-oracle/tasks/packages.yml
+++ b/mysql-oracle/tasks/packages.yml
@@ -1,16 +1,26 @@
 ---
 
+- set_fact:
+    mysql_apt_config_package: mysql-apt-config_0.8.9-1_all.deb
+
+- name: Set default MySQL version to 5.7
+  debconf:
+    name: mysql-apt-config
+    question: mysql-apt-config/enable-repo
+    value: mysql-5.7
+    vtype: select
+
 - name: MySQL APT config package is available
   copy:
-    src: mysql-apt-config_0.8.9-1_all.deb
-    dest: /root/mysql-apt-config_0.8.9-1_all.deb
+    src: "{{ mysql_apt_config_package }}"
+    dest: "/root/{{ mysql_apt_config_package }}"
 
 - include_role:
     name: remount-usr
 
 - name: MySQL APT config package is installed
   apt:
-    deb: /root/mysql-apt-config_0.8.9-1_all.deb
+    deb: "/root/{{ mysql_apt_config_package }}"
     state: present
   register: mysql_apt_config_deb
 
@@ -23,6 +33,36 @@
 
 - meta: flush_handlers
 
+- include_role:
+    name: remount-usr
+
+- name: /usr/share/mysql exists
+  file:
+    dest: /usr/share/mysql/
+    mode: "0755"
+    owner: root
+    group: root
+    state: directory
+
+- name: mysql-systemd-start scripts is installed
+  copy:
+    src: debian/mysql-systemd-start
+    dest: /usr/share/mysql/mysql-systemd-start
+    mode: "0755"
+    owner: root
+    group: root
+    force: yes
+
+- name: systemd unit is installed
+  copy:
+    src: debian/mysql-server-5.7.mysql.service
+    dest: /etc/systemd/system/mysql.service
+    mode: "0644"
+    owner: root
+    group: root
+    force: yes
+  register: mysql_systemd_unit
+
 - name: APT cache is up-to-date
   apt:
     update_cache: yes
@@ -52,28 +92,6 @@
     - packages
   when: mysql_install_libclient
 
-- include_role:
-    name: remount-usr
-
-- name: mysql-systemd-start scripts is installed
-  copy:
-    src: debian/mysql-systemd-start
-    dest: /usr/share/mysql/mysql-systemd-start
-    mode: "0755"
-    owner: root
-    group: root
-    force: yes
-
-- name: systemd unit is installed
-  copy:
-    src: debian/mysql-server-5.7.mysql.service
-    dest: /etc/systemd/system/mysql.service
-    mode: "0755"
-    owner: root
-    group: root
-    force: yes
-  register: mysql_systemd_unit
-
 - name: MySQL is started
   systemd:
     name: mysql
diff --git a/mysql-oracle/tasks/users.yml b/mysql-oracle/tasks/users.yml
index 696743f3..7a7ee8ba 100644
--- a/mysql-oracle/tasks/users.yml
+++ b/mysql-oracle/tasks/users.yml
@@ -23,6 +23,7 @@
     update_password: on_create
     state: present
     config_file: "/etc/mysql/debian.cnf"
+    check_implicit_admin: True
   register: create_mysqladmin_user
   tags:
     - mysql
diff --git a/redis/templates/redis.conf.j2 b/redis/templates/redis.conf.j2
index d2e558cc..21873942 100644
--- a/redis/templates/redis.conf.j2
+++ b/redis/templates/redis.conf.j2
@@ -9,6 +9,7 @@ unixsocket {{ redis_unixsocket }}
 
 {% if redis_password %}
 requirepass {{ redis_password }}
+masterauth {{ redis_password }}
 {% endif %}
 
 timeout {{ redis_timeout }}