From 42189ba6136f53b25b279b02d1a236395f311347 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Tue, 17 Aug 2021 16:38:02 +0200
Subject: [PATCH 001/125] Configure php7.4 for evoadmin-web on bullseye

---
 webapps/evoadmin-web/tasks/web.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml
index 7f95c96c..9778da4e 100644
--- a/webapps/evoadmin-web/tasks/web.yml
+++ b/webapps/evoadmin-web/tasks/web.yml
@@ -27,6 +27,15 @@
   notify: reload apache2
   when: ansible_distribution_major_version is version('10', '=')
 
+- name: "Set custom values for PHP config (Debian 11)"
+  ini_file:
+    dest: /etc/php/7.4/apache2/conf.d/zzz-evolinux-custom.ini
+    section: PHP
+    option: "disable_functions"
+    value: "shell-exec,system,passthru,putenv,popen"
+  notify: reload apache2
+  when: ansible_distribution_major_version is version('11', '=')
+
 - name: Install evoadmin VHost
   template:
     src: "{{ item }}"

From bd92ff95c8c6381fddd78aa0965fd9389a34b452 Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Fri, 20 Aug 2021 11:32:16 +0200
Subject: [PATCH 002/125] use absolute path in evacme cron

---
 evoacme/files/evoacme.cron | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/evoacme/files/evoacme.cron b/evoacme/files/evoacme.cron
index 4d849673..ea78f2c2 100755
--- a/evoacme/files/evoacme.cron
+++ b/evoacme/files/evoacme.cron
@@ -15,12 +15,12 @@ find "${CRT_DIR}" \
     -maxdepth 1 \
     -mindepth 1 \
     -type d \
-    ! -path "*accounts" \
-    ! -path "*archive" \
-    ! -path "*csr" \
-    ! -path "*hooks" \
-    ! -path "*keys" \
-    ! -path "*live" \
-    ! -path "*renewal" \
+    ! -path "${CRT_DIR}/accounts" \
+    ! -path "${CRT_DIR}/archive" \
+    ! -path "${CRT_DIR}/csr" \
+    ! -path "${CRT_DIR}/hooks" \
+    ! -path "${CRT_DIR}/keys" \
+    ! -path "${CRT_DIR}/live" \
+    ! -path "${CRT_DIR}/renewal" \
     -printf "%f\n" \
         | xargs --max-args=1 --no-run-if-empty evoacme

From 5a83a30a4c0149e4e0a8cb08381b4a7c3d6f8b8b Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 24 Aug 2021 18:16:11 +0200
Subject: [PATCH 003/125] whitespace

---
 evolinux-base/tasks/hardware.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml
index 9f0c6da3..7fa04a70 100644
--- a/evolinux-base/tasks/hardware.yml
+++ b/evolinux-base/tasks/hardware.yml
@@ -35,8 +35,8 @@
 # HP gen <10: Hewlett-Packard Company Smart Array
 # HP gen >=10: Adaptec Smart Storage PQI
 - name: Detect if RAID is installed
-  shell: 
-    cmd: "set -o pipefail && lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'"
+  shell:
+    cmd: "lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'"
     executable: /bin/bash
   check_mode: no
   register: raidmodel

From 916138575a24c7b7e83badf8f3311705da8fc485 Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Wed, 25 Aug 2021 11:48:10 +0200
Subject: [PATCH 004/125] Add generate dhparam and update variables for dovecot
 2.3

---
 dovecot/tasks/main.yml                        | 4 ++++
 dovecot/templates/z-evolinux-defaults.conf.j2 | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml
index aa817086..7558afd5 100644
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
@@ -10,6 +10,10 @@
   tags:
   - dovecot
 
+- name: Generate Diffie-Hellman parameters with the default size (4096 bits)
+    openssl_dhparam:
+      path: /etc/ssl/dhparams.pem
+
 - name: disable pam auth
   replace:
     dest: /etc/dovecot/conf.d/10-auth.conf
diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2
index 2c067b99..ab74ec0d 100644
--- a/dovecot/templates/z-evolinux-defaults.conf.j2
+++ b/dovecot/templates/z-evolinux-defaults.conf.j2
@@ -38,9 +38,9 @@ mail_max_userip_connections = 42
 # SSL/TLS
 ssl = yes
 ssl_prefer_server_ciphers = yes
-ssl_dh_parameters_length = 2048
+ssl_dh=</etc/ssl/dhparam.pem
 ssl_options = no_compression no_ticket
-ssl_protocols = !TLSv1 !TLSv1.1
+ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
 ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key

From 999efb39838c6753e56c0110d8d2553f2ce76574 Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Wed, 25 Aug 2021 11:52:10 +0200
Subject: [PATCH 005/125] Add "may take several minutes" for task generate
 dhparam

---
 dovecot/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml
index 7558afd5..efe0644e 100644
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
@@ -10,7 +10,7 @@
   tags:
   - dovecot
 
-- name: Generate Diffie-Hellman parameters with the default size (4096 bits)
+- name: Generate Diffie-Hellman parameters with the default size 4096 bits (may take several minutes)
     openssl_dhparam:
       path: /etc/ssl/dhparams.pem
 

From 2c7380240cc5ef2a6e900db12bf1848f12407e2f Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Wed, 25 Aug 2021 10:43:02 +0200
Subject: [PATCH 006/125] nagios-nrpe + evolinux-users: new checks for bkctld

---
 CHANGELOG.md                                | 1 +
 evolinux-users/templates/sudoers_jessie.j2  | 2 ++
 evolinux-users/templates/sudoers_stretch.j2 | 2 ++
 nagios-nrpe/templates/evolix.cfg.j2         | 3 +++
 4 files changed, 8 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 930d2696..853cfbfd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release.
 * listupgrade: crontab is configurable
 * mongodb: create munin plugins directory if missing
 * mysql: script "mysql_connections" to display a compact list of connections
+* nagios-nrpe + evolinux-users: new checks for bkctld
 * redis: instance service for Debian 11
 
 ### Changed
diff --git a/evolinux-users/templates/sudoers_jessie.j2 b/evolinux-users/templates/sudoers_jessie.j2
index b82c67ac..c0703c49 100644
--- a/evolinux-users/templates/sudoers_jessie.j2
+++ b/evolinux-users/templates/sudoers_jessie.j2
@@ -7,6 +7,8 @@ nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
 nagios          ALL = NOPASSWD: /usr/sbin/bkctld check
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-jails
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-setup
 nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
 
 ADMINS          ALL = (ALL:ALL) ALL
diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2
index 539f871e..7874a19a 100644
--- a/evolinux-users/templates/sudoers_stretch.j2
+++ b/evolinux-users/templates/sudoers_stretch.j2
@@ -6,6 +6,8 @@ nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
 nagios          ALL = NOPASSWD: /usr/sbin/bkctld check
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-jails
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-setup
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2
index 7306b9cb..148314ab 100644
--- a/nagios-nrpe/templates/evolix.cfg.j2
+++ b/nagios-nrpe/templates/evolix.cfg.j2
@@ -51,6 +51,9 @@ command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S
 command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
 command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211
 command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 54321
+command[check_bkctld_setup]=sudo /usr/sbin/bkctld check-setup
+command[check_bkctld_jails]=sudo /usr/sbin/bkctld check-jails
+# "check_bkctld" is here as backward compatibility, but is replaced by "check_bkctld_jails"
 command[check_bkctld]=sudo /usr/sbin/bkctld check
 command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023
 

From ecba57ad75a8fbe71913296595ee0a3218d78883 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Wed, 25 Aug 2021 17:57:38 +0200
Subject: [PATCH 007/125] evolinux-base: install molly-guard by default

---
 CHANGELOG.md                     | 1 +
 evolinux-base/tasks/packages.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 853cfbfd..f14be146 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release.
 * Preliminary support for Debian 11 « Bullseye »
 * apache: new variable for mpm mode (+ updated default config accordingly)
 * certbot: add script for manual deploy hooks execution
+* evolinux-base: install molly-guard by default
 * listupgrade: crontab is configurable
 * mongodb: create munin plugins directory if missing
 * mysql: script "mysql_connections" to display a compact list of connections
diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml
index 8df64abd..9d9a6d6a 100644
--- a/evolinux-base/tasks/packages.yml
+++ b/evolinux-base/tasks/packages.yml
@@ -34,6 +34,7 @@
       - telnet
       - traceroute
       - man
+      - molly-guard
   when: evolinux_packages_diagnostic | bool
 
 - name: Install/Update hardware tools

From 6c21c3b505b5719d2c1b2df1a4bbd71acbe13944 Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Thu, 26 Aug 2021 09:51:09 +0200
Subject: [PATCH 008/125] Add configuration for listener stats write and read
 with correct right

---
 dovecot/templates/z-evolinux-defaults.conf.j2 | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2
index ab74ec0d..74081a57 100644
--- a/dovecot/templates/z-evolinux-defaults.conf.j2
+++ b/dovecot/templates/z-evolinux-defaults.conf.j2
@@ -35,6 +35,21 @@ service login {
 }
 mail_max_userip_connections = 42
 
+# Configuration pour stats dovecot
+service stats {
+    unix_listener stats-reader {
+        user = vmail
+        group = vmail
+        mode = 0660
+    }
+
+    unix_listener stats-writer {
+        user = vmail
+        group = vmail
+        mode = 0660
+    }
+}
+
 # SSL/TLS
 ssl = yes
 ssl_prefer_server_ciphers = yes

From 5e794cd2b6e26f6b18c38af7e2868a31ab20e850 Mon Sep 17 00:00:00 2001
From: Gregory Colpart <gcolpart+git@evolix.fr>
Date: Thu, 26 Aug 2021 11:42:02 +0200
Subject: [PATCH 009/125] commit whitespace

---
 evolinux-base/files/logs/logrotate.disabled/ldap | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/evolinux-base/files/logs/logrotate.disabled/ldap b/evolinux-base/files/logs/logrotate.disabled/ldap
index 59372a33..4be35fa8 100644
--- a/evolinux-base/files/logs/logrotate.disabled/ldap
+++ b/evolinux-base/files/logs/logrotate.disabled/ldap
@@ -2,8 +2,8 @@
         weekly
         missingok
         rotate 3
-	compress
-	notifempty
+        compress
+        notifempty
         create 640 root adm
 }
 

From d2ef3fe27f6718b220768e22c85869315bb57d7e Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Fri, 27 Aug 2021 10:50:11 +0200
Subject: [PATCH 010/125] Fix syntax on task "plugins are installed for"

---
 rbenv/tasks/main.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml
index 08f8242e..de366e78 100644
--- a/rbenv/tasks/main.yml
+++ b/rbenv/tasks/main.yml
@@ -68,8 +68,7 @@
     version: '{{ item.version }}'
     accept_hostkey: yes
     force: yes
-  loop:
-  - "{{ rbenv_plugins }}"
+  loop: "{{ rbenv_plugins }}"
   become_user: "{{ username }}"
   become: yes
   tags:

From 74ab96d67fba699b334b6e90ffb1197dcc797c3f Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Fri, 27 Aug 2021 11:01:26 +0200
Subject: [PATCH 011/125] loop syntax and whitespaces

---
 clamav/tasks/main.yml                | 106 +++++++++++++--------------
 evolinux-base/tasks/kernel.yml       |   8 +-
 evolinux-base/tasks/system.yml       |   8 +-
 java/tasks/oracle.yml                |   6 +-
 kvm-host/tasks/ssh.yml               |   6 +-
 lxc-solr/tasks/main.yml              |   6 +-
 opendkim/tasks/main.yml              |   4 +-
 postfix/tasks/packmail.yml           |  44 +++++------
 postgresql/tasks/munin.yml           |  10 +--
 postgresql/tasks/packages_jessie.yml |   6 +-
 redmine/tasks/config.yml             |   6 +-
 vrrpd/tasks/main.yml                 |  12 +--
 webapps/evoadmin-web/tasks/user.yml  |   6 +-
 13 files changed, 111 insertions(+), 117 deletions(-)

diff --git a/clamav/tasks/main.yml b/clamav/tasks/main.yml
index be9e5b00..6d1da3eb 100644
--- a/clamav/tasks/main.yml
+++ b/clamav/tasks/main.yml
@@ -6,48 +6,48 @@
     value: "{{ item.value }}"
     vtype: "{{ item.type }}"
   loop:
-  - { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
-  - { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
-  - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
-  - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
-  - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
-  - { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
-  - { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
-  - { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
-  - { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
-  - { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
-  - { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
-  - { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
-  - { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
-  - { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
-  - { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
-  - { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
-  - { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
-  - { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
-  - { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
-  - { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
-  - { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
-  - { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
-  - { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
-  - { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
-  - { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
-  - { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
+    - { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
+    - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
+    - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
+    - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
+    - { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
+    - { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
+    - { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
+    - { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
+    - { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
+    - { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
+    - { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
+    - { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
+    - { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
+    - { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
+    - { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
+    - { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
+    - { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
+    - { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
+    - { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
+    - { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
+    - { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
+    - { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
+    - { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
+    - { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
+    - { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
   tags:
   - clamav
 
@@ -58,17 +58,17 @@
     value: "{{ item.value }}"
     vtype: "{{ item.type }}"
   loop:
-  - { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
-  - { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
-  - { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
-  - { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
-  - { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
-  - { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
-  - { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
-  - { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
-  - { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
-  - { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
-  - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
+    - { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
+    - { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
+    - { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
+    - { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
+    - { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
+    - { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
+    - { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
+    - { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
+    - { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
+    - { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
+    - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
   tags:
   - clamav
 
diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml
index b49968f1..6ddeb57f 100644
--- a/evolinux-base/tasks/kernel.yml
+++ b/evolinux-base/tasks/kernel.yml
@@ -8,8 +8,8 @@
     state: present
     reload: yes
   loop:
-  - { name: kernel.panic_on_oops, value: 1 }
-  - { name: kernel.panic, value: 60 }
+    - { name: kernel.panic_on_oops, value: 1 }
+    - { name: kernel.panic, value: 60 }
   when: evolinux_kernel_reboot_after_panic | bool
 
 - name: Don't reboot after panic
@@ -19,8 +19,8 @@
     state: absent
     reload: yes
   loop:
-  - kernel.panic_on_oops
-  - kernel.panic
+    - kernel.panic_on_oops
+    - kernel.panic
   when: not evolinux_kernel_reboot_after_panic | bool
 
 - name: Disable net.ipv4.tcp_timestamps
diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml
index 554bb02a..486dc2e8 100644
--- a/evolinux-base/tasks/system.yml
+++ b/evolinux-base/tasks/system.yml
@@ -119,10 +119,10 @@
     regexp:  "{{ item.regexp }}"
     replace: "{{ item.replace }}"
   loop:
-  - { regexp: '^17((\s*\*){4})',         replace: '{{ 59|random(start=1) }}\1' }
-  - { regexp: '^25\s*6((\s*\*){3})',     replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
-  - { regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
-  - { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
+    - { regexp: '^17((\s*\*){4})',         replace: '{{ 59|random(start=1) }}\1' }
+    - { regexp: '^25\s*6((\s*\*){3})',     replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
+    - { regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
+    - { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
   when:
     - is_cron_installed.rc == 0
     - evolinux_system_cron_random | bool
diff --git a/java/tasks/oracle.yml b/java/tasks/oracle.yml
index c2ab5ebf..0b057695 100644
--- a/java/tasks/oracle.yml
+++ b/java/tasks/oracle.yml
@@ -14,9 +14,9 @@
     state: directory
     mode: "0777"
   loop:
-  - /srv/java-package
-  - /srv/java-package/src
-  - /srv/java-package/tmp
+    - /srv/java-package
+    - /srv/java-package/src
+    - /srv/java-package/tmp
   tags:
   - java
 
diff --git a/kvm-host/tasks/ssh.yml b/kvm-host/tasks/ssh.yml
index fe71c287..c48722a3 100644
--- a/kvm-host/tasks/ssh.yml
+++ b/kvm-host/tasks/ssh.yml
@@ -34,8 +34,7 @@
     special_time: "hourly"
     user: root
     job: "rsync -a --delete /etc/libvirt/qemu/ {{ hostvars[item]['ansible_hostname'] }}:/root/libvirt-{{ inventory_hostname }}/"
-  loop:
-    - "{{ groups['hypervisors'] }}"
+  loop: "{{ groups['hypervisors'] }}"
   when: item != inventory_hostname
 
 - name: Crontab for sync list of running vm
@@ -45,6 +44,5 @@
     special_time: "daily"
     user: root
     job: "virsh list --all | ssh {{ hostvars[item]['ansible_hostname'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'"
-  loop:
-    - "{{ groups['hypervisors'] }}"
+  loop: "{{ groups['hypervisors'] }}"
   when: item != inventory_hostname
diff --git a/lxc-solr/tasks/main.yml b/lxc-solr/tasks/main.yml
index 3fad863f..d629bbf6 100644
--- a/lxc-solr/tasks/main.yml
+++ b/lxc-solr/tasks/main.yml
@@ -8,9 +8,7 @@
     path: "/var/lib/lxc/{{ item.name }}/rootfs"
     state: directory
     mode: '0755'
-  loop:
-    - "{{ lxc_containers }}"
+  loop: "{{ lxc_containers }}"
 
 - include: "solr.yml name={{item.name}} solr_version={{item.solr_version}} solr_port={{item.solr_port}}"
-  loop:
-    - "{{ lxc_containers }}"
+  loop: "{{ lxc_containers }}"
diff --git a/opendkim/tasks/main.yml b/opendkim/tasks/main.yml
index 1db961e2..94aa3dfd 100644
--- a/opendkim/tasks/main.yml
+++ b/opendkim/tasks/main.yml
@@ -39,8 +39,8 @@
     group: opendkim
     mode: "0640"
   loop:
-  - 'KeyTable'
-  - 'SigningTable'
+    - 'KeyTable'
+    - 'SigningTable'
   changed_when: False
   tags:
   - opendkim
diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml
index 80f90232..90d424b2 100644
--- a/postfix/tasks/packmail.yml
+++ b/postfix/tasks/packmail.yml
@@ -38,17 +38,17 @@
     dest: "/etc/postfix/{{ item }}"
     force: no
   loop:
-  - virtual
-  - client.access
-  - client.access_local
-  - header_kill
-  - header_kill_local
-  - recipient.access
-  - recipient.access_local
-  - sa-blacklist.access
-  - sender.access
-  - sender.access_local
-  - spamd.cidr
+    - virtual
+    - client.access
+    - client.access_local
+    - header_kill
+    - header_kill_local
+    - recipient.access
+    - recipient.access_local
+    - sa-blacklist.access
+    - sender.access
+    - sender.access_local
+    - spamd.cidr
   register: postfix_copy_filter
   tags:
   - postfix
@@ -56,17 +56,17 @@
 - name: postmap filter files
   command: "postmap /etc/postfix/{{ item }}"
   loop:
-  - virtual
-  - client.access
-  - client.access_local
-  - header_kill
-  - header_kill_local
-  - recipient.access
-  - recipient.access_local
-  - sa-blacklist.access
-  - sender.access
-  - sender.access_local
-  - spamd.cidr
+    - virtual
+    - client.access
+    - client.access_local
+    - header_kill
+    - header_kill_local
+    - recipient.access
+    - recipient.access_local
+    - sa-blacklist.access
+    - sender.access
+    - sender.access_local
+    - spamd.cidr
   when: postfix_copy_filter is changed
   tags:
   - postfix
diff --git a/postgresql/tasks/munin.yml b/postgresql/tasks/munin.yml
index 4e62ddf6..ed2cc883 100644
--- a/postgresql/tasks/munin.yml
+++ b/postgresql/tasks/munin.yml
@@ -15,11 +15,11 @@
     src: '/usr/share/munin/plugins/{{item}}'
     dest: '/etc/munin/plugins/{{item}}'
   loop:
-  - postgres_bgwriter
-  - postgres_checkpoints
-  - postgres_connections_db
-  - postgres_users
-  - postgres_xlog
+    - postgres_bgwriter
+    - postgres_checkpoints
+    - postgres_connections_db
+    - postgres_users
+    - postgres_xlog
   notify: restart munin-node
   when: etc_munin_plugins.stat.exists and usr_share_munin_plugins.stat.exists
 
diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml
index cf8f0879..b9f9b31b 100644
--- a/postgresql/tasks/packages_jessie.yml
+++ b/postgresql/tasks/packages_jessie.yml
@@ -12,6 +12,6 @@
   apt:
     name: '{{item}}'
   loop:
-  - "postgresql-{{postgresql_version}}"
-  - ptop
-  - libdbd-pg-perl
+    - "postgresql-{{postgresql_version}}"
+    - ptop
+    - libdbd-pg-perl
diff --git a/redmine/tasks/config.yml b/redmine/tasks/config.yml
index d65f8172..e45bcea5 100644
--- a/redmine/tasks/config.yml
+++ b/redmine/tasks/config.yml
@@ -7,9 +7,9 @@
     owner: "{{ redmine_user }}"
     group: "{{ redmine_user }}"
   loop:
-  - ".config"
-  - ".config/systemd"
-  - ".config/systemd/user"
+    - ".config"
+    - ".config/systemd"
+    - ".config/systemd/user"
   tags:
     - redmine
 
diff --git a/vrrpd/tasks/main.yml b/vrrpd/tasks/main.yml
index 84d4f4ee..74dfa5c2 100644
--- a/vrrpd/tasks/main.yml
+++ b/vrrpd/tasks/main.yml
@@ -19,11 +19,11 @@
     sysctl_set: yes
     state: present
   loop:
-  - { name: 'net.ipv4.conf.default.rp_filter', value: 0 }
-  - { name: 'net.ipv4.conf.eth0.rp_filter', value: 0 }
-  - { name: 'net.ipv4.conf.all.rp_filter', value: 0 }
-  - { name: 'net.ipv4.conf.all.arp_ignore', value: 1 }
-  - { name: 'net.ipv4.conf.all.arp_announce', value: 2 }
-  - { name: 'net.ipv4.ip_nonlocal_bind', value: 1 }
+    - { name: 'net.ipv4.conf.default.rp_filter', value: 0 }
+    - { name: 'net.ipv4.conf.eth0.rp_filter', value: 0 }
+    - { name: 'net.ipv4.conf.all.rp_filter', value: 0 }
+    - { name: 'net.ipv4.conf.all.arp_ignore', value: 1 }
+    - { name: 'net.ipv4.conf.all.arp_announce', value: 2 }
+    - { name: 'net.ipv4.ip_nonlocal_bind', value: 1 }
   tags:
   - vrrpd
diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml
index 68ac91de..bbad1b8f 100644
--- a/webapps/evoadmin-web/tasks/user.yml
+++ b/webapps/evoadmin-web/tasks/user.yml
@@ -38,10 +38,8 @@
     regexp: "{{ item.regexp }}"
     state: present
   loop:
-    - line: 'evoadmin: root'
-      regexp: '^evoadmin:'
-    - line: 'www-evoadmin: root'
-      regexp: '^www-evoadmin:'
+    - { line: 'evoadmin: root', regexp: '^evoadmin:' }
+    - { line: 'www-evoadmin: root', regexp: '^www-evoadmin:' }
   notify: "newaliases"
   when: etc_aliases.stat.exists
 

From 65750d2aa6199d06fe78a089aa9d5ce96c4289f7 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Mon, 30 Aug 2021 09:24:57 +0200
Subject: [PATCH 012/125] evomaintenance: extract a config.yyml tasks file

---
 CHANGELOG.md                                   |  1 +
 evomaintenance/tasks/config.yml                | 18 ++++++++++++++++++
 evomaintenance/tasks/install_vendor_debian.yml | 13 +------------
 evomaintenance/tasks/main.yml                  | 11 ++---------
 evomaintenance/tasks/minifirewall.yml          |  3 +++
 5 files changed, 25 insertions(+), 21 deletions(-)
 create mode 100644 evomaintenance/tasks/config.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f14be146..31ef9b18 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ The **patch** part changes incrementally at each release.
 * certbot: silence letsencrypt deprecation warnings
 * elasticsearch: 7.x by default
 * evoadmin-web: simpler PHP packages lists
+* evomaintenance: extract a config.yyml tasks file
 * evocheck: upstream release 21.07
 * evolinux-base: alert5 comes after the network
 * evolinux-base: force Debian version to buster for Evolix repository (temporary)
diff --git a/evomaintenance/tasks/config.yml b/evomaintenance/tasks/config.yml
new file mode 100644
index 00000000..097e9770
--- /dev/null
+++ b/evomaintenance/tasks/config.yml
@@ -0,0 +1,18 @@
+---
+
+- assert:
+    that:
+      - evomaintenance_api_endpoint is not none
+      - evomaintenance_api_key is not none
+    msg: evomaintenance api variables must be set
+
+- name: Configuration is installed
+  template:
+    src: evomaintenance.j2
+    dest: /etc/evomaintenance.cf
+    owner: root
+    group: root
+    mode: "0600"
+    force: "{{ evomaintenance_force_config | bool }}"
+  tags:
+    - evomaintenance
diff --git a/evomaintenance/tasks/install_vendor_debian.yml b/evomaintenance/tasks/install_vendor_debian.yml
index 2faaac79..99448e3c 100644
--- a/evomaintenance/tasks/install_vendor_debian.yml
+++ b/evomaintenance/tasks/install_vendor_debian.yml
@@ -46,15 +46,4 @@
     - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
     - { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
   tags:
-    - evomaintenance
-
-- name: Configuration is installed
-  template:
-    src: evomaintenance.j2
-    dest: /etc/evomaintenance.cf
-    owner: root
-    group: root
-    mode: "0600"
-    force: "{{ evomaintenance_force_config | bool }}"
-  tags:
-    - evomaintenance
+    - evomaintenance
\ No newline at end of file
diff --git a/evomaintenance/tasks/main.yml b/evomaintenance/tasks/main.yml
index 9826089b..0a4e5010 100644
--- a/evomaintenance/tasks/main.yml
+++ b/evomaintenance/tasks/main.yml
@@ -1,14 +1,5 @@
 ---
 
-- set_fact:
-    minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
-
-- assert:
-    that:
-      - evomaintenance_api_endpoint is not none
-      - evomaintenance_api_key is not none
-    msg: evomaintenance api variables must be set
-
 - include: install_package_debian.yml
   when:
     - not (evomaintenance_install_vendor | bool)
@@ -19,6 +10,8 @@
     - evomaintenance_install_vendor | bool
     - ansible_distribution == "Debian"
 
+- include: config.yml
+
 - include: minifirewall.yml
   when:
     - evomaintenance_hook_db | bool
diff --git a/evomaintenance/tasks/minifirewall.yml b/evomaintenance/tasks/minifirewall.yml
index ad48e856..98dad15b 100644
--- a/evomaintenance/tasks/minifirewall.yml
+++ b/evomaintenance/tasks/minifirewall.yml
@@ -1,5 +1,8 @@
 ---
 
+- set_fact:
+    minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
+
 - name: Is minifirewall installed?
   stat:
     path: /etc/default/minifirewall

From 73f55a42fa58a54b3e4f098a45f426a983c0d873 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Mon, 30 Aug 2021 09:26:04 +0200
Subject: [PATCH 013/125] forgotten file

---
 evomaintenance/tasks/install_package_debian.yml | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/evomaintenance/tasks/install_package_debian.yml b/evomaintenance/tasks/install_package_debian.yml
index a5da77ea..ce9d90e7 100644
--- a/evomaintenance/tasks/install_package_debian.yml
+++ b/evomaintenance/tasks/install_package_debian.yml
@@ -12,15 +12,4 @@
     name: evomaintenance
     allow_unauthenticated: yes
   tags:
-    - evomaintenance
-
-- name: Configuration is installed
-  template:
-    src: evomaintenance.j2
-    dest: /etc/evomaintenance.cf
-    owner: root
-    group: root
-    mode: "0600"
-    force: "{{ evomaintenance_force_config | bool }}"
-  tags:
-    - evomaintenance
+    - evomaintenance
\ No newline at end of file

From e45ee59801f8c9f6a5e1057b05d28c7646d48d67 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Mon, 30 Aug 2021 14:05:15 +0200
Subject: [PATCH 014/125] mysql: script "mysql-queries-killer.sh" to kill MySQL
 queries

---
 CHANGELOG.md                        |   1 +
 mysql/files/mysql-queries-killer.sh | 168 ++++++++++++++++++++++++++++
 mysql/tasks/utils.yml               |   9 ++
 3 files changed, 178 insertions(+)
 create mode 100644 mysql/files/mysql-queries-killer.sh

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 31ef9b18..890631f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ The **patch** part changes incrementally at each release.
 * listupgrade: crontab is configurable
 * mongodb: create munin plugins directory if missing
 * mysql: script "mysql_connections" to display a compact list of connections
+* mysql: script "mysql-queries-killer.sh" to kill MySQL queries
 * nagios-nrpe + evolinux-users: new checks for bkctld
 * redis: instance service for Debian 11
 
diff --git a/mysql/files/mysql-queries-killer.sh b/mysql/files/mysql-queries-killer.sh
new file mode 100644
index 00000000..203d992e
--- /dev/null
+++ b/mysql/files/mysql-queries-killer.sh
@@ -0,0 +1,168 @@
+#!/bin/sh
+
+VERSION="21.07.1"
+
+show_version() {
+    cat <<END
+mysql-queries-killer version ${VERSION}
+
+Copyright 2021-2021 Evolix <info@evolix.fr>,
+               Jérémy Lecour <jlecour@evolix.fr>
+               and others.
+
+mysql-queries-killer comes with ABSOLUTELY NO WARRANTY.  This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public Licence for details.
+END
+}
+
+show_help() {
+    cat <<END
+mysql-queries-killer can list/kill SQL queries
+
+END
+    show_usage
+}
+
+show_usage() {
+    cat <<END
+Usage: mysql-queries-killer [--port <port>] --list [--time <time>]
+  or   mysql-queries-killer [--port <port>] --kill [--time <time>]
+
+Options
+  --port        MySQL port (default: 3306)
+  --time        query busy time, in seconds (default: 600)
+  --list        list matching queries (default action)
+  --kill        kill connexions related to matching queries
+  --help        Print this message and exit
+  --version     Print version and exit
+END
+}
+
+kill_connexions() {
+    cmd="${PTKILL_BIN} --host 127.0.0.1 --port ${port} --busy-time ${time} --kill --print"
+
+    ${cmd}
+}
+
+list_queries() {
+    cmd="${PTKILL_BIN} --host 127.0.0.1 --port ${port} --busy-time ${time} --print"
+
+    ${cmd}
+}
+
+main() {
+    case ${action} in
+    kill)
+        kill_connexions
+        ;;
+    list)
+        list_queries
+        ;;
+    *)
+        list_queries
+        ;;
+    esac
+}
+
+if command -v pt-kill >/dev/null; then
+    PTKILL_BIN=$(command -v pt-kill)
+else
+    error "The command \`pt-kill' couldn't be found. It is available in the \`percona-toolkit' package." 1
+fi
+
+# Parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+    case $1 in
+        -h|-\?|--help)
+            show_help
+            exit 0
+            ;;
+        -V|--version)
+            show_version
+            exit 0
+            ;;
+        --kill)
+            action="kill"
+            ;;
+        --list)
+            action="list"
+            ;;
+        --port)
+            # with value separated by space
+            if [ -n "$2" ]; then
+                port=$2
+                shift
+            else
+                printf 'ERROR: "--port" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --port=?*)
+            # with value speparated by =
+            port=${1#*=}
+            ;;
+        --port=)
+            # without value
+            printf 'ERROR: "--port" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+        --time)
+            # with value separated by space
+            if [ -n "$2" ]; then
+                time=$2
+                shift
+            else
+                printf 'ERROR: "--time" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --time=?*)
+            # with value speparated by =
+            time=${1#*=}
+            ;;
+        --time=)
+            # without value
+            printf 'ERROR: "--time" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+        --)
+            # End of all options.
+            shift
+            break
+            ;;
+        -?*|[[:alnum:]]*)
+            # ignore unknown options
+            printf 'ERROR: Unknown option : %s\n' "$1" >&2
+            echo "" >&2
+            show_usage >&2
+            exit 1
+            ;;
+        *)
+            # Default case: If no more options then break out of the loop.
+            break
+            ;;
+    esac
+
+    shift
+done
+
+# Initial values
+action=${action:-}
+time=${time:-"600"}
+port=${port:-"3306"}
+
+set -u
+set -e
+
+if [ -z "${port}" ]; then
+    echo "You must provide an port name" >&2
+    echo "" >&2
+    show_usage >&2
+    exit 1
+fi
+
+main
+
+exit 0
\ No newline at end of file
diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml
index 4ad22aa1..228b69b4 100644
--- a/mysql/tasks/utils.yml
+++ b/mysql/tasks/utils.yml
@@ -208,3 +208,12 @@
     force: no
   tags:
     - mysql
+
+- name: "Install mysql-queries-killer.sh"
+  copy:
+    src: mysql-queries-killer.sh
+    dest: "{{ _mysql_scripts_dir }}/mysql-queries-killer.sh"
+    mode: "0755"
+    force: no
+  tags:
+    - mysql
\ No newline at end of file

From 887c1552cb04b19e425a121ddaebedfa4fc49df8 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Mon, 30 Aug 2021 14:06:32 +0200
Subject: [PATCH 015/125] certbot: sync_remote.sh uses quotes for variable
 export

---
 certbot/files/hooks/deploy/sync_remote.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/certbot/files/hooks/deploy/sync_remote.sh b/certbot/files/hooks/deploy/sync_remote.sh
index d1721fdb..dd4b8f6d 100644
--- a/certbot/files/hooks/deploy/sync_remote.sh
+++ b/certbot/files/hooks/deploy/sync_remote.sh
@@ -44,7 +44,7 @@ main() {
                 || error "Couldn't sync hooks on ${server}"
 
             # shellcheck disable=SC2029
-            ssh "${remote_host}" "export RENEWED_LINEAGE=\"${remote_lineage}/\" RENEWED_DOMAINS=${RENEWED_DOMAINS}; find ${remote_dir}/hooks/ -mindepth 1 -maxdepth 1 -type f -executable -exec {} \;" \
+            ssh "${remote_host}" "export RENEWED_LINEAGE=\"${remote_lineage}/\" RENEWED_DOMAINS=\"${RENEWED_DOMAINS}\"; find ${remote_dir}/hooks/ -mindepth 1 -maxdepth 1 -type f -executable -exec {} \;" \
                 || error "Something went wrong on ${server} for deploy hooks"
         done
     else

From 51e414df31bfcd8f9ee59d189446d47de9219a6d Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Mon, 30 Aug 2021 14:07:11 +0200
Subject: [PATCH 016/125] certbot: syntax for "no-self-upgrade" variable

---
 certbot/tasks/install-legacy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/certbot/tasks/install-legacy.yml b/certbot/tasks/install-legacy.yml
index d9dfb382..446e557a 100644
--- a/certbot/tasks/install-legacy.yml
+++ b/certbot/tasks/install-legacy.yml
@@ -56,5 +56,5 @@
     dest: "/etc/letsencrypt/cli.ini"
     section: null
     option: "no-self-upgrade"
-    value: 0
+    value: "no"
     state: present

From b908fc6ceebc1fa4535c52d1db79b35e9c21d846 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Mon, 30 Aug 2021 14:07:46 +0200
Subject: [PATCH 017/125] certbot: don't install legacy Certbot on Debian 9

---
 certbot/tasks/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/certbot/tasks/main.yml b/certbot/tasks/main.yml
index 9259e027..cede35a6 100644
--- a/certbot/tasks/main.yml
+++ b/certbot/tasks/main.yml
@@ -7,17 +7,17 @@
       - ansible_distribution_major_version is version('8', '>=')
     msg: only compatible with Debian 9+
 
-- name: Install legacy script on Debian 8 and 9
+- name: Install legacy script on Debian 8
   include: install-legacy.yml
   when:
     - ansible_distribution == "Debian"
-    - ansible_distribution_major_version is version('10', '<')
+    - ansible_distribution_major_version is version('9', '<')
 
-- name: Install package on Debian 10+
+- name: Install package on Debian 9+
   include: install-package.yml
   when:
     - ansible_distribution == "Debian"
-    - ansible_distribution_major_version is version('10', '>=')
+    - ansible_distribution_major_version is version('9', '>=')
 
 - include: acme-challenge.yml
 

From e76f2fe448b1d2d4b18adf1ee6a5790bb59ff103 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 31 Aug 2021 11:58:52 +0200
Subject: [PATCH 018/125] mysql-queries-killer: use a config file

---
 mysql/files/mysql-queries-killer.sh | 75 ++++++++++++++++++++---------
 1 file changed, 52 insertions(+), 23 deletions(-)

diff --git a/mysql/files/mysql-queries-killer.sh b/mysql/files/mysql-queries-killer.sh
index 203d992e..29a5222b 100644
--- a/mysql/files/mysql-queries-killer.sh
+++ b/mysql/files/mysql-queries-killer.sh
@@ -1,12 +1,12 @@
 #!/bin/sh
 
-VERSION="21.07.1"
+VERSION="21.08"
 
 show_version() {
     cat <<END
 mysql-queries-killer version ${VERSION}
 
-Copyright 2021-2021 Evolix <info@evolix.fr>,
+Copyright 2018-2021 Evolix <info@evolix.fr>,
                Jérémy Lecour <jlecour@evolix.fr>
                and others.
 
@@ -23,34 +23,68 @@ mysql-queries-killer can list/kill SQL queries
 END
     show_usage
 }
-
 show_usage() {
     cat <<END
-Usage: mysql-queries-killer [--port <port>] --list [--time <time>]
-  or   mysql-queries-killer [--port <port>] --kill [--time <time>]
+Usage: mysql-queries-killer [--instance <instance>] --list [--time <time>]
+  or   mysql-queries-killer [--instance <instance>] --kill [--time <time>]
 
 Options
-  --port        MySQL port (default: 3306)
+  --instance    MySQL instance name (see below)
   --time        query busy time, in seconds (default: 600)
   --list        list matching queries (default action)
   --kill        kill connexions related to matching queries
   --help        Print this message and exit
   --version     Print version and exit
+
+If an instance parameter is provided, pt-kill will look for a configuration
+file at ~/.pt-kill.<instance>.cnf
+If no instance parameter is provided, pt-kill will use the conventional
+configuration files.
 END
 }
 
+error() {
+    >&2 echo "mysql-queries-killer: $1"
+    exit 
+}
+
 kill_connexions() {
-    cmd="${PTKILL_BIN} --host 127.0.0.1 --port ${port} --busy-time ${time} --kill --print"
+    cmd="${PTKILL_BIN}"
+
+    if [ -n "${config_file}" ]; then
+        cmd="${cmd} --config ${config_file}"
+    fi
+
+    cmd="${cmd} --busy-time ${time} --run-time 1 --interval 1 --print --kill"
 
     ${cmd}
 }
 
 list_queries() {
-    cmd="${PTKILL_BIN} --host 127.0.0.1 --port ${port} --busy-time ${time} --print"
+    cmd="${PTKILL_BIN}"
+
+    if [ -n "${config_file}" ]; then
+        cmd="${cmd} --config ${config_file}"
+    fi
+
+    cmd="${cmd} --busy-time ${time} --run-time 1 --interval 1 --print"
 
     ${cmd}
 }
 
+set_config_file() {
+    config_file=""
+
+    if [ -n "${instance}" ]; then
+        file="${HOME}/.pt-kill.${instance}.cnf"
+        if [ ! -f "${file}" ]; then
+            error "The config file \`${file}' doesn't exist." 2
+        else
+            config_file="${file}"
+        fi
+    fi
+}
+
 main() {
     case ${action} in
     kill)
@@ -89,23 +123,23 @@ while :; do
         --list)
             action="list"
             ;;
-        --port)
+        --instance)
             # with value separated by space
             if [ -n "$2" ]; then
-                port=$2
+                instance=$2
                 shift
             else
-                printf 'ERROR: "--port" requires a non-empty option argument.\n' >&2
+                printf 'ERROR: "--instance" requires a non-empty option argument.\n' >&2
                 exit 1
             fi
             ;;
-        --port=?*)
+        --instance=?*)
             # with value speparated by =
-            port=${1#*=}
+            instance=${1#*=}
             ;;
-        --port=)
+        --instance=)
             # without value
-            printf 'ERROR: "--port" requires a non-empty option argument.\n' >&2
+            printf 'ERROR: "--instance" requires a non-empty option argument.\n' >&2
             exit 1
             ;;
         --time)
@@ -151,18 +185,13 @@ done
 # Initial values
 action=${action:-}
 time=${time:-"600"}
-port=${port:-"3306"}
+instance=${instance:-""}
+
+set_config_file
 
 set -u
 set -e
 
-if [ -z "${port}" ]; then
-    echo "You must provide an port name" >&2
-    echo "" >&2
-    show_usage >&2
-    exit 1
-fi
-
 main
 
 exit 0
\ No newline at end of file

From 0cab0624310d35a0803dee864d2bc5db6980890b Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Wed, 1 Sep 2021 17:41:27 +0200
Subject: [PATCH 019/125] kill/list all queries at once

---
 mysql/files/mysql-queries-killer.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mysql/files/mysql-queries-killer.sh b/mysql/files/mysql-queries-killer.sh
index 29a5222b..3ea6e00b 100644
--- a/mysql/files/mysql-queries-killer.sh
+++ b/mysql/files/mysql-queries-killer.sh
@@ -55,7 +55,7 @@ kill_connexions() {
         cmd="${cmd} --config ${config_file}"
     fi
 
-    cmd="${cmd} --busy-time ${time} --run-time 1 --interval 1 --print --kill"
+    cmd="${cmd} --busy-time ${time} --run-time 1 --interval 1 --victims all --print --kill"
 
     ${cmd}
 }
@@ -67,7 +67,7 @@ list_queries() {
         cmd="${cmd} --config ${config_file}"
     fi
 
-    cmd="${cmd} --busy-time ${time} --run-time 1 --interval 1 --print"
+    cmd="${cmd} --busy-time ${time} --run-time 1 --interval 1 --victims all --print"
 
     ${cmd}
 }

From e429f7aecb700775c0aafbf11426166a844df6d7 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 7 Sep 2021 14:01:52 +0200
Subject: [PATCH 020/125] squid: add *.o.lencr.org to default whitelist

---
 CHANGELOG.md                                 | 1 +
 squid/files/evolinux-whitelist-defaults.conf | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 890631f6..ef53b579 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ The **patch** part changes incrementally at each release.
 * mysql: script "mysql-queries-killer.sh" to kill MySQL queries
 * nagios-nrpe + evolinux-users: new checks for bkctld
 * redis: instance service for Debian 11
+* squid: add *.o.lencr.org to default whitelist
 
 ### Changed
 
diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf
index fea90344..fe3ff500 100644
--- a/squid/files/evolinux-whitelist-defaults.conf
+++ b/squid/files/evolinux-whitelist-defaults.conf
@@ -14,6 +14,7 @@
 
 # Let's Encrypt
 .+\.letsencrypt.org$
+.+\.o\.lencr.org$
 
 # Other OCSP endpoint
 ^ocsp\.usertrust\.com$

From 2b549af7d9c09af93419149dc32048cd3702039f Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 9 Sep 2021 10:23:53 +0200
Subject: [PATCH 021/125] evolinux-base: split dpkg logrotate configuration

---
 CHANGELOG.md                                      |  1 +
 evolinux-base/files/logs/logrotate.d/alternatives |  9 +++++++++
 evolinux-base/files/logs/logrotate.d/dpkg         | 12 +-----------
 3 files changed, 11 insertions(+), 11 deletions(-)
 create mode 100644 evolinux-base/files/logs/logrotate.d/alternatives

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ef53b579..39b33e78 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@ The **patch** part changes incrementally at each release.
 * evocheck: upstream release 21.07
 * evolinux-base: alert5 comes after the network
 * evolinux-base: force Debian version to buster for Evolix repository (temporary)
+* evolinux-base: split dpkg logrotate configuration
 * kibana: 7.x by default
 * listupgrade: upstream release 21.06.3
 * mysql: mariadb-client-10.5 on Debian 11
diff --git a/evolinux-base/files/logs/logrotate.d/alternatives b/evolinux-base/files/logs/logrotate.d/alternatives
new file mode 100644
index 00000000..5fa5b7a1
--- /dev/null
+++ b/evolinux-base/files/logs/logrotate.d/alternatives
@@ -0,0 +1,9 @@
+/var/log/alternatives.log {
+    monthly
+    rotate 120
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 644 root root
+}
diff --git a/evolinux-base/files/logs/logrotate.d/dpkg b/evolinux-base/files/logs/logrotate.d/dpkg
index 16ac22fe..81f71969 100644
--- a/evolinux-base/files/logs/logrotate.d/dpkg
+++ b/evolinux-base/files/logs/logrotate.d/dpkg
@@ -6,14 +6,4 @@
     missingok
     notifempty
     create 644 root root
-}
-/var/log/alternatives.log {
-    monthly
-    rotate 120
-    compress
-    delaycompress
-    missingok
-    notifempty
-    create 644 root root
-}
-
+}
\ No newline at end of file

From 45b7ce348634fe56a3e1a06692f09bcf6f9f621c Mon Sep 17 00:00:00 2001
From: Brice Waegeneire <bwaegeneire+git@evolix.fr>
Date: Tue, 14 Sep 2021 08:34:48 +0200
Subject: [PATCH 022/125] lxc-php: Use Debian bullseye package for php74

---
 lxc-php/tasks/php74.yml | 37 -------------------------------------
 1 file changed, 37 deletions(-)

diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml
index 9438dcc7..a3a7eb44 100644
--- a/lxc-php/tasks/php74.yml
+++ b/lxc-php/tasks/php74.yml
@@ -1,42 +1,5 @@
 ---
 
-- name: "{{ lxc_php_version }} - Install dependency packages"
-  lxc_container:
-    name: "{{ lxc_php_version }}"
-    container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget apt-transport-https gnupg"
-
-- name: "{{ lxc_php_version }} - Add sury repo"
-  lineinfile:
-    dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list.d/sury.list"
-    line: "{{ item }}"
-    state: present
-    create: yes
-    mode: "0644"
-  loop:
-    - "deb https://packages.sury.org/php/ bullseye main"
-    - "deb http://pub.evolix.net/ bullseye-php74/"
-
-- name: copy pub.evolix.net GPG key
-  copy:
-    src: reg.asc
-    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc
-    mode: "0644"
-    owner: root
-    group: root
-
-- name: copy packages.sury.org GPG Key
-  copy:
-    src: sury.gpg
-    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg
-    mode: "0644"
-    owner: root
-    group: root
-
-- name: "{{ lxc_php_version }} - Update APT cache"
-  lxc_container:
-    name: "{{ lxc_php_version }}"
-    container_command: "DEBIAN_FRONTEND=noninteractive apt update"
-
 - name: "{{ lxc_php_version }} - Install PHP packages"
   lxc_container:
     name: "{{ lxc_php_version }}"

From fa0c668cec98dc079ec7db3cb7d1d438fd739d21 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Thu, 16 Sep 2021 15:58:10 +0200
Subject: [PATCH 023/125] evolinux-base: install freeipmi by default on
 dedicated hw

---
 CHANGELOG.md                     |  1 +
 evolinux-base/tasks/hardware.yml | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 39b33e78..80148f85 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -38,6 +38,7 @@ The **patch** part changes incrementally at each release.
 * evolinux-base: alert5 comes after the network
 * evolinux-base: force Debian version to buster for Evolix repository (temporary)
 * evolinux-base: split dpkg logrotate configuration
+* evolinux-base: install freeipmi by default on dedicated hw
 * kibana: 7.x by default
 * listupgrade: upstream release 21.06.3
 * mysql: mariadb-client-10.5 on Debian 11
diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml
index 7fa04a70..7ec39d01 100644
--- a/evolinux-base/tasks/hardware.yml
+++ b/evolinux-base/tasks/hardware.yml
@@ -30,6 +30,18 @@
     - packages
   when: broadcom_netextreme_search.rc == 0
 
+
+## Dedicated hardware 
+- name: Install freepmi when it's dedicated hardware
+  apt:
+    name: 
+      - libipc-run-perl 
+      - freeipmi
+    state: present
+  tags:
+    - packages
+  when: ansible_virtualization_role == "host"
+
 ## RAID
 # Dell and others: MegaRAID SAS
 # HP gen <10: Hewlett-Packard Company Smart Array

From 51fd2337f0b9d80015835cb7200c39ba6b84690d Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Thu, 16 Sep 2021 16:40:57 +0200
Subject: [PATCH 024/125] nagios-nrpe + evolinux-users: new check raid (soft +
 hard)

---
 CHANGELOG.md                                | 1 +
 evolinux-users/templates/sudoers_stretch.j2 | 4 ++++
 nagios-nrpe/templates/evolix.cfg.j2         | 1 +
 3 files changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 80148f85..42d62468 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@ The **patch** part changes incrementally at each release.
 * mysql: script "mysql_connections" to display a compact list of connections
 * mysql: script "mysql-queries-killer.sh" to kill MySQL queries
 * nagios-nrpe + evolinux-users: new checks for bkctld
+* nagios-nrpe + evolinux-users: new check raid (soft + hard)
 * redis: instance service for Debian 11
 * squid: add *.o.lencr.org to default whitelist
 
diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2
index 7874a19a..87e339a3 100644
--- a/evolinux-users/templates/sudoers_stretch.j2
+++ b/evolinux-users/templates/sudoers_stretch.j2
@@ -12,6 +12,10 @@ nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
+nagios          ALL = NOPASSWD: /sbin/dmsetup status --noflush
+nagios          ALL = NOPASSWD: /sbin/megacli -PDList -aALL -NoLog
+nagios          ALL = NOPASSWD: /sbin/megacli -LdInfo -Lall -aALL -NoLog
+nagios          ALL = NOPASSWD: /sbin/megacli -AdpBbuCmd -GetBbuStatus -aALL -NoLog
 nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
 
 %{{ evolinux_sudo_group }}  ALL=(ALL:ALL) ALL
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2
index 148314ab..76a31793 100644
--- a/nagios-nrpe/templates/evolix.cfg.j2
+++ b/nagios-nrpe/templates/evolix.cfg.j2
@@ -78,6 +78,7 @@ command[check_php-fpm56]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi
 command[check_php-fpm70]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
 command[check_php-fpm73]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
 command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
+command[check_raid_status]=/usr/lib/nagios/plugins/check_raid
 
 # Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
 # Beware! All checks must not take more than 10s!

From 6a2cd59e6d1bfdbf18be1654bc5e419a093dd733 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Thu, 16 Sep 2021 16:48:03 +0200
Subject: [PATCH 025/125] nagios-nrpe + evolinux-users: new check ipmi

---
 CHANGELOG.md                                | 1 +
 evolinux-users/templates/sudoers_stretch.j2 | 1 +
 nagios-nrpe/templates/evolix.cfg.j2         | 1 +
 3 files changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 42d62468..74f83d18 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ The **patch** part changes incrementally at each release.
 * mysql: script "mysql-queries-killer.sh" to kill MySQL queries
 * nagios-nrpe + evolinux-users: new checks for bkctld
 * nagios-nrpe + evolinux-users: new check raid (soft + hard)
+* nagios-nrpe + evolinux-users: new check ipmi
 * redis: instance service for Debian 11
 * squid: add *.o.lencr.org to default whitelist
 
diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2
index 87e339a3..777eb8f7 100644
--- a/evolinux-users/templates/sudoers_stretch.j2
+++ b/evolinux-users/templates/sudoers_stretch.j2
@@ -12,6 +12,7 @@ nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
+nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor
 nagios          ALL = NOPASSWD: /sbin/dmsetup status --noflush
 nagios          ALL = NOPASSWD: /sbin/megacli -PDList -aALL -NoLog
 nagios          ALL = NOPASSWD: /sbin/megacli -LdInfo -Lall -aALL -NoLog
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2
index 76a31793..e830e697 100644
--- a/nagios-nrpe/templates/evolix.cfg.j2
+++ b/nagios-nrpe/templates/evolix.cfg.j2
@@ -78,6 +78,7 @@ command[check_php-fpm56]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi
 command[check_php-fpm70]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
 command[check_php-fpm73]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
 command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
+command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor
 command[check_raid_status]=/usr/lib/nagios/plugins/check_raid
 
 # Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).

From de4d814d7418ad9d6eb3a3fd37e18a67f668b6c5 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Thu, 16 Sep 2021 17:17:32 +0200
Subject: [PATCH 026/125] generate-ldif: detect hardware raid card

---
 CHANGELOG.md                               |  1 +
 generate-ldif/templates/generateldif.sh.j2 | 13 +++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 74f83d18..c952a12d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ The **patch** part changes incrementally at each release.
 * apache: new variable for mpm mode (+ updated default config accordingly)
 * certbot: add script for manual deploy hooks execution
 * evolinux-base: install molly-guard by default
+* generate-ldid: detect hardware raid card
 * listupgrade: crontab is configurable
 * mongodb: create munin plugins directory if missing
 * mysql: script "mysql_connections" to display a compact list of connections
diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2
index d5c19411..a90a2b03 100755
--- a/generate-ldif/templates/generateldif.sh.j2
+++ b/generate-ldif/templates/generateldif.sh.j2
@@ -174,6 +174,19 @@ NagiosEnabled: TRUE
 EOT
 fi
 
+# raid hardware
+if [ -n "${raidModel}" ]; then
+    cat <<EOT >> "${ldif_file}"
+
+dn: HardwareName=raid_card,${computer_dn}
+objectClass: EvoHardware
+HardwareName: raid_card
+HardwareType: disk
+HardwareModel: ${raidModel}
+NagiosEnabled: TRUE
+EOT
+fi
+
 # Swap
 swap=$(free -h | grep Swap: | tr -s ' ' | cut -d ' ' -f2)
 if [ -n "${swap}" ]; then

From f75354bb843a0744266037f0c0a6cb7dd99bb37b Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Thu, 16 Sep 2021 17:26:58 +0200
Subject: [PATCH 027/125] generate-ldif: detect mdadm

---
 CHANGELOG.md                               |  3 ++-
 generate-ldif/templates/generateldif.sh.j2 | 19 ++++++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c952a12d..ff905a42 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,7 +16,8 @@ The **patch** part changes incrementally at each release.
 * apache: new variable for mpm mode (+ updated default config accordingly)
 * certbot: add script for manual deploy hooks execution
 * evolinux-base: install molly-guard by default
-* generate-ldid: detect hardware raid card
+* generate-ldif: detect hardware raid card
+* generate-ldif: detect mdadm
 * listupgrade: crontab is configurable
 * mongodb: create munin plugins directory if missing
 * mysql: script "mysql_connections" to display a compact list of connections
diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2
index a90a2b03..e0463078 100755
--- a/generate-ldif/templates/generateldif.sh.j2
+++ b/generate-ldif/templates/generateldif.sh.j2
@@ -583,10 +583,27 @@ objectClass: EvoService
 ServiceName: postgresql
 ipServicePort: 5432
 ServiceType: database
-ServiceVersion: PostgreSQL ${elasticsearch_version}
+ServiceVersion: PostgreSQL ${postgresql_version}
 EOT
 fi
 
+# mdadm
+if is_pkg_installed mdadm; then
+    mdadm_version=$(get_pkg_version mdadm)
+fi
+if [ -n "${mdadm_version}" ]; then
+    cat <<EOT >> "${ldif_file}"
+
+dn: ServiceName=mdadm,${computer_dn}
+NagiosEnabled: TRUE
+objectClass: EvoService
+ServiceName: mdadm
+ServiceType: raid
+ServiceVersion: mdadm ${mdadm_version}
+EOT
+fi
+
+
 # test if we have a stdout
 if [ -t 1 ]; then
   echo "Output is in ${ldif_file}"

From ef1472cbbadbdb7534094ddd26dadc18f458e88f Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 21 Sep 2021 14:39:51 +0200
Subject: [PATCH 028/125] logstash: elastic_stack_version = 7.x

---
 CHANGELOG.md               | 1 +
 logstash/defaults/main.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ff905a42..ac78e059 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -45,6 +45,7 @@ The **patch** part changes incrementally at each release.
 * evolinux-base: install freeipmi by default on dedicated hw
 * kibana: 7.x by default
 * listupgrade: upstream release 21.06.3
+* logstash: elastic_stack_version = 7.x
 * mysql: mariadb-client-10.5 on Debian 11
 * mysql: use python3 with Debian 11 and later
 * squid: improve default whitelist (more specific patterns)
diff --git a/logstash/defaults/main.yml b/logstash/defaults/main.yml
index 456769cd..06bf376d 100644
--- a/logstash/defaults/main.yml
+++ b/logstash/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-elastic_stack_version: "6.x"
+elastic_stack_version: "7.x"
 
 logstash_jvm_xms: 256m
 logstash_jvm_xmx: 512g

From 8233264d2af682c6fbe5876497fe0ffcef6f6bab Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 21 Sep 2021 14:41:07 +0200
Subject: [PATCH 029/125] logstash: logging to syslog is configurable (default:
 True)

---
 CHANGELOG.md               |  1 +
 logstash/defaults/main.yml |  2 ++
 logstash/handlers/main.yml | 10 ++++++++++
 logstash/tasks/logs.yml    | 23 +++++++++++++++++++++++
 logstash/tasks/main.yml    |  2 +-
 5 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 logstash/handlers/main.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac78e059..652f5250 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ The **patch** part changes incrementally at each release.
 * generate-ldif: detect hardware raid card
 * generate-ldif: detect mdadm
 * listupgrade: crontab is configurable
+* logstash: logging to syslog is configurable (default: True)
 * mongodb: create munin plugins directory if missing
 * mysql: script "mysql_connections" to display a compact list of connections
 * mysql: script "mysql-queries-killer.sh" to kill MySQL queries
diff --git a/logstash/defaults/main.yml b/logstash/defaults/main.yml
index 06bf376d..7cc40e49 100644
--- a/logstash/defaults/main.yml
+++ b/logstash/defaults/main.yml
@@ -6,3 +6,5 @@ logstash_jvm_xmx: 512g
 logstash_log_rotate_days: 365
 logstash_custom_tmpdir: Null
 logstash_default_tmpdir: /var/lib/logstash/tmp
+logstash_log_syslog_enabled: True
+logstash_config_force: True
\ No newline at end of file
diff --git a/logstash/handlers/main.yml b/logstash/handlers/main.yml
new file mode 100644
index 00000000..d21d4de3
--- /dev/null
+++ b/logstash/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: restart logstash
+  systemd:
+    name: logstash
+    state: restarted
+    daemon_reload: yes
+
+- name: reload systemd
+  command: systemctl daemon-reload
\ No newline at end of file
diff --git a/logstash/tasks/logs.yml b/logstash/tasks/logs.yml
index 975cd8bc..b09ebaf2 100644
--- a/logstash/tasks/logs.yml
+++ b/logstash/tasks/logs.yml
@@ -16,3 +16,26 @@
     group: root
     mode: "0750"
   when: is_cron_installed.rc == 0
+
+- name: "Create a system config directory for systemd overrides"
+  file:
+    path: /etc/systemd/system/logstash.service.d
+    state: directory
+
+- name: "disable syslog"
+  ini_file:
+    path: /etc/systemd/system/logstash.service.d/override.conf
+    section: Service
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    owner: root
+    group: root
+    mode: "0644"
+    create: yes
+    no_extra_spaces: yes
+    state: "{{ logstash_log_syslog_enabled | bool | ternary('absent','present') }}"
+  loop:
+    - { option: "StandardOutput", value: "null" }
+    - { option: "StandardError",  value: "null" }
+  notify:
+    - restart logstash
\ No newline at end of file
diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml
index 73bdab1d..856ceba1 100644
--- a/logstash/tasks/main.yml
+++ b/logstash/tasks/main.yml
@@ -88,7 +88,7 @@
     owner: logstash
     group: logstash
     mode: "0640"
-    force: yes
+    force: "{{ logstash_config_force | bool }}"
   loop: "{{ query('first_found', templates) }}"
   vars:
     templates:

From 1d5596552713f7dd6175b0aa9c41e844a0dfaa95 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 21 Sep 2021 14:41:48 +0200
Subject: [PATCH 030/125] logstash: no more dependency on Java

---
 CHANGELOG.md           | 1 +
 logstash/meta/main.yml | 3 +--
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 652f5250..0e37730f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -60,6 +60,7 @@ The **patch** part changes incrementally at each release.
 ### Removed
 
 * php: remove php-gettext for 7.4
+* logstash: no more dependency on Java
 
 ### Security
 
diff --git a/logstash/meta/main.yml b/logstash/meta/main.yml
index b2ef1210..bad2b6a5 100644
--- a/logstash/meta/main.yml
+++ b/logstash/meta/main.yml
@@ -24,5 +24,4 @@ galaxy_info:
     # NOTE: A tag is limited to a single word comprised of
     # alphanumeric characters. Maximum 20 tags per role.
 
-dependencies:
-  - { role: evolix/java, java_alternative: 'openjdk', java_version: 8 }
+dependencies: []

From ae2be6a009a9a33cd61244491fb55a3a4374d63f Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Tue, 21 Sep 2021 14:46:41 +0200
Subject: [PATCH 031/125] Fix indent for generate dh_param

---
 dovecot/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml
index efe0644e..7db272da 100644
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
@@ -11,8 +11,8 @@
   - dovecot
 
 - name: Generate Diffie-Hellman parameters with the default size 4096 bits (may take several minutes)
-    openssl_dhparam:
-      path: /etc/ssl/dhparams.pem
+  openssl_dhparam:
+    path: /etc/ssl/dhparams.pem
 
 - name: disable pam auth
   replace:

From 3fcb79a3a342ee17b6ba214c32a9086e7b41cbb5 Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Tue, 21 Sep 2021 15:55:25 +0200
Subject: [PATCH 032/125] Fix path to dhparam certificate

---
 dovecot/templates/z-evolinux-defaults.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2
index 74081a57..f913ff38 100644
--- a/dovecot/templates/z-evolinux-defaults.conf.j2
+++ b/dovecot/templates/z-evolinux-defaults.conf.j2
@@ -53,7 +53,7 @@ service stats {
 # SSL/TLS
 ssl = yes
 ssl_prefer_server_ciphers = yes
-ssl_dh=</etc/ssl/dhparam.pem
+ssl_dh=</etc/ssl/dhparams.pem
 ssl_options = no_compression no_ticket
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

From 73efee9caaed48cf2f1a70ed914c23a124768399 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 23 Sep 2021 14:45:19 +0200
Subject: [PATCH 033/125] etc-git: purge old .git/index.lock (default: True)

---
 CHANGELOG.md                 |  1 +
 etc-git/defaults/main.yml    |  2 ++
 etc-git/tasks/do_commit.yml  | 14 ++++++++++++++
 etc-git/tasks/repository.yml |  2 +-
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0e37730f..383f3138 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release.
 * Preliminary support for Debian 11 « Bullseye »
 * apache: new variable for mpm mode (+ updated default config accordingly)
 * certbot: add script for manual deploy hooks execution
+* etc-git: purge old .git/index.lock (default: True)
 * evolinux-base: install molly-guard by default
 * generate-ldif: detect hardware raid card
 * generate-ldif: detect mdadm
diff --git a/etc-git/defaults/main.yml b/etc-git/defaults/main.yml
index 8a822abd..dbecc6a3 100644
--- a/etc-git/defaults/main.yml
+++ b/etc-git/defaults/main.yml
@@ -2,3 +2,5 @@
 commit_message: Ansible run
 
 etc_git_monitor_status: True
+etc_git_purge_index_lock_enabled: True
+etc_git_purge_index_lock_age: 86400
diff --git a/etc-git/tasks/do_commit.yml b/etc-git/tasks/do_commit.yml
index 6b09eaaf..bae36936 100644
--- a/etc-git/tasks/do_commit.yml
+++ b/etc-git/tasks/do_commit.yml
@@ -5,6 +5,20 @@
     name: remount-usr
   when: git_folder is match('/usr/.*')
 
+- name: "stat {{ git_folder }}/.git/index.lock"
+  stat:
+    path: "{{ git_folder }}/.git/index.lock"
+  register: _index_lock
+
+- name: index file is removed if old enough
+  file:
+    path: "{{ git_folder }}/.git/index.lock"
+    state: absent
+  when:
+    - _index_lock.stat.exists
+    - _index_lock.stat.mtime | int <= ((ansible_date_time.epoch | int) - etc_git_purge_index_lock_age | default(86400))
+    - etc_git_purge_index_lock_enabled
+
 - name: "is {{ git_folder }} clean?"
   command: git status --porcelain
   args:
diff --git a/etc-git/tasks/repository.yml b/etc-git/tasks/repository.yml
index e8599c1e..80987da2 100644
--- a/etc-git/tasks/repository.yml
+++ b/etc-git/tasks/repository.yml
@@ -70,4 +70,4 @@
   register: git_commit
   when: git_log.rc != 0 or (git_init is defined and git_init is changed)
   tags:
-    - etc-git
+    - etc-git
\ No newline at end of file

From e1307280348a1fe2c108c6f55219de529416bde8 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Fri, 24 Sep 2021 14:33:24 +0200
Subject: [PATCH 034/125] evolix-users: Add missing sudo auth for check_raid
 for HP hardware

---
 evolinux-users/templates/sudoers_stretch.j2 | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2
index 777eb8f7..a5b75f31 100644
--- a/evolinux-users/templates/sudoers_stretch.j2
+++ b/evolinux-users/templates/sudoers_stretch.j2
@@ -17,6 +17,9 @@ nagios          ALL = NOPASSWD: /sbin/dmsetup status --noflush
 nagios          ALL = NOPASSWD: /sbin/megacli -PDList -aALL -NoLog
 nagios          ALL = NOPASSWD: /sbin/megacli -LdInfo -Lall -aALL -NoLog
 nagios          ALL = NOPASSWD: /sbin/megacli -AdpBbuCmd -GetBbuStatus -aALL -NoLog
+nagios          ALL = NOPASSWD: /sbin/ssacli controller all show status
+nagios          ALL = NOPASSWD: /sbin/ssacli controller slot=0 logicaldrive all show
+      
 nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
 
 %{{ evolinux_sudo_group }}  ALL=(ALL:ALL) ALL

From febc76b26c9ad46e5399f28794d41105d7639e67 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Wed, 29 Sep 2021 16:40:25 +0200
Subject: [PATCH 035/125] php: fix tasks names

---
 php/tasks/main_bullseye.yml | 18 +++++++++---------
 php/tasks/main_buster.yml   | 18 +++++++++---------
 php/tasks/main_jessie.yml   | 16 ++++++++--------
 php/tasks/main_stretch.yml  | 18 +++++++++---------
 4 files changed, 35 insertions(+), 35 deletions(-)

diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml
index bdeffe56..a1f7d5f5 100644
--- a/php/tasks/main_bullseye.yml
+++ b/php/tasks/main_bullseye.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: "Set variables (Debian 10 or later)"
+- name: "Set variables (Debian 11)"
   set_fact:
     php_cli_defaults_ini_file: /etc/php/7.4/cli/conf.d/z-evolinux-defaults.ini
     php_cli_custom_ini_file: /etc/php/7.4/cli/conf.d/zzz-evolinux-custom.ini
@@ -16,7 +16,7 @@
 
 # Packages
 
-- name: "Set package list (Debian 9 or later)"
+- name: "Set package list (Debian 11)"
   set_fact:
     php_stretch_packages:
       - php-cli
@@ -37,12 +37,12 @@
 - include: sury_pre.yml
   when: php_sury_enable
 
-- name: "Install PHP packages (Debian 9 or later)"
+- name: "Install PHP packages (Debian 11)"
   apt:
     name: '{{ php_stretch_packages }}'
     state: present
 
-- name: "Install mod_php packages (Debian 9 or later)"
+- name: "Install mod_php packages (Debian 11)"
   apt:
     name:
       - libapache2-mod-php
@@ -50,7 +50,7 @@
     state: present
   when: php_apache_enable
 
-- name: "Install PHP FPM packages (Debian 9 or later)"
+- name: "Install PHP FPM packages (Debian 11)"
   apt:
     name:
       - php-fpm
@@ -60,7 +60,7 @@
 
 # Configuration
 
-- name: Enforce permissions on PHP directory
+- name: "Enforce permissions on PHP directory (Debian 11)"
   file:
     dest: "{{ item }}"
     mode: "0755"
@@ -69,7 +69,7 @@
     - /etc/php/7.4
 
 - include: config_cli.yml
-- name: Enforce permissions on PHP cli directory
+- name: "Enforce permissions on PHP cli directory (Debian 11)"
   file:
     dest: /etc/php/7.4/cli
     mode: "0755"
@@ -77,7 +77,7 @@
 - include: config_fpm.yml
   when: php_fpm_enable
 
-- name: Enforce permissions on PHP fpm directory
+- name: "Enforce permissions on PHP fpm directory (Debian 11)"
   file:
     dest: /etc/php/7.4/fpm
     mode: "0755"
@@ -86,7 +86,7 @@
 - include: config_apache.yml
   when: php_apache_enable
 
-- name: Enforce permissions on PHP apache2 directory
+- name: "Enforce permissions on PHP apache2 directory (Debian 11)"
   file:
     dest: /etc/php/7.4/apache2
     mode: "0755"
diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml
index fba952ab..2fc4293e 100644
--- a/php/tasks/main_buster.yml
+++ b/php/tasks/main_buster.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: "Set variables (Debian 10 or later)"
+- name: "Set variables (Debian 10)"
   set_fact:
     php_cli_defaults_ini_file: /etc/php/7.3/cli/conf.d/z-evolinux-defaults.ini
     php_cli_custom_ini_file: /etc/php/7.3/cli/conf.d/zzz-evolinux-custom.ini
@@ -16,7 +16,7 @@
 
 # Packages
 
-- name: "Set package list (Debian 9 or later)"
+- name: "Set package list (Debian 10)"
   set_fact:
     php_stretch_packages:
       - php-cli
@@ -38,12 +38,12 @@
 - include: sury_pre.yml
   when: php_sury_enable | bool
 
-- name: "Install PHP packages (Debian 9 or later)"
+- name: "Install PHP packages (Debian 10)"
   apt:
     name: '{{ php_stretch_packages }}'
     state: present
 
-- name: "Install mod_php packages (Debian 9 or later)"
+- name: "Install mod_php packages (Debian 10)"
   apt:
     name:
       - libapache2-mod-php
@@ -51,7 +51,7 @@
     state: present
   when: php_apache_enable | bool
 
-- name: "Install PHP FPM packages (Debian 9 or later)"
+- name: "Install PHP FPM packages (Debian 10)"
   apt:
     name:
       - php-fpm
@@ -61,7 +61,7 @@
 
 # Configuration
 
-- name: Enforce permissions on PHP directory
+- name: "Enforce permissions on PHP directory (Debian 10)"
   file:
     dest: "{{ item }}"
     mode: "0755"
@@ -70,7 +70,7 @@
     - /etc/php/7.3
 
 - include: config_cli.yml
-- name: Enforce permissions on PHP cli directory
+- name: "Enforce permissions on PHP cli directory (Debian 10)"
   file:
     dest: /etc/php/7.3/cli
     mode: "0755"
@@ -78,7 +78,7 @@
 - include: config_fpm.yml
   when: php_fpm_enable | bool
 
-- name: Enforce permissions on PHP fpm directory
+- name: "Enforce permissions on PHP fpm directory (Debian 10)"
   file:
     dest: /etc/php/7.3/fpm
     mode: "0755"
@@ -87,7 +87,7 @@
 - include: config_apache.yml
   when: php_apache_enable | bool
 
-- name: Enforce permissions on PHP apache2 directory
+- name: "Enforce permissions on PHP apache2 directory (Debian 10)"
   file:
     dest: /etc/php/7.3/apache2
     mode: "0755"
diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml
index 5ec3123d..75105166 100644
--- a/php/tasks/main_jessie.yml
+++ b/php/tasks/main_jessie.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: "Set variables (jessie)"
+- name: "Set variables (Debian 8)"
   set_fact:
     php_cli_defaults_ini_file: /etc/php5/cli/conf.d/z-evolinux-defaults.ini
     php_cli_custom_ini_file: /etc/php5/cli/conf.d/zzz-evolinux-custom.ini
@@ -16,7 +16,7 @@
 
 # Packages
 
-- name: "Install PHP packages (jessie)"
+- name: "Install PHP packages (Debian 8)"
   apt:
     name:
       - php5-cli
@@ -34,7 +34,7 @@
       - libphp-phpmailer
     state: present
 
-- name: "Install mod_php packages (jessie)"
+- name: "Install mod_php packages (Debian 8)"
   apt:
     name:
       - libapache2-mod-php5
@@ -42,7 +42,7 @@
     state: present
   when: php_apache_enable | bool
 
-- name: "Install PHP FPM packages (jessie)"
+- name: "Install PHP FPM packages (Debian 8)"
   apt:
     name:
       - php5-fpm
@@ -52,14 +52,14 @@
 
 # Configuration
 
-- name: Enforce permissions on PHP directory
+- name: Enforce permissions on PHP directory (Debian 8)
   file:
     dest: /etc/php5
     mode: "0755"
 
 - include: config_cli.yml
 
-- name: Enforce permissions on PHP cli directory
+- name: Enforce permissions on PHP cli directory (Debian 8)
   file:
     dest: /etc/php5/cli
     mode: "0755"
@@ -67,7 +67,7 @@
 - include: config_fpm.yml
   when: php_fpm_enable | bool
 
-- name: Enforce permissions on PHP fpm directory
+- name: Enforce permissions on PHP fpm directory (Debian 8)
   file:
     dest: /etc/php5/fpm
     mode: "0755"
@@ -76,7 +76,7 @@
 - include: config_apache.yml
   when: php_apache_enable | bool
 
-- name: Enforce permissions on PHP apache2 directory
+- name: Enforce permissions on PHP apache2 directory (Debian 8)
   file:
     dest: /etc/php5/apache2
     mode: "0755"
diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml
index dc16c6e4..698621ac 100644
--- a/php/tasks/main_stretch.yml
+++ b/php/tasks/main_stretch.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: "Set variables (Debian 9 or later)"
+- name: "Set variables (Debian 9)"
   set_fact:
     php_cli_defaults_ini_file: /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini
     php_cli_custom_ini_file: /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini
@@ -16,7 +16,7 @@
 
 # Packages
 
-- name: "Set package list (Debian 9 or later)"
+- name: "Set package list (Debian 9)"
   set_fact:
     php_stretch_packages:
       - php-cli
@@ -38,12 +38,12 @@
 - include: sury_pre.yml
   when: php_sury_enable | bool
 
-- name: "Install PHP packages (Debian 9 or later)"
+- name: "Install PHP packages (Debian 9)"
   apt:
     name: '{{ php_stretch_packages }}'
     state: present
 
-- name: "Install mod_php packages (Debian 9 or later)"
+- name: "Install mod_php packages (Debian 9)"
   apt:
     name:
       - libapache2-mod-php
@@ -51,7 +51,7 @@
     state: present
   when: php_apache_enable | bool
 
-- name: "Install PHP FPM packages (Debian 9 or later)"
+- name: "Install PHP FPM packages (Debian 9)"
   apt:
     name:
       - php-fpm
@@ -61,7 +61,7 @@
 
 # Configuration
 
-- name: Enforce permissions on PHP directory
+- name: "Enforce permissions on PHP directory (Debian 9)"
   file:
     dest: "{{ item }}"
     mode: "0755"
@@ -71,7 +71,7 @@
 
 - include: config_cli.yml
 
-- name: Enforce permissions on PHP cli directory
+- name: "Enforce permissions on PHP cli directory (Debian 9)"
   file:
     dest: /etc/php/7.0/cli
     mode: "0755"
@@ -79,7 +79,7 @@
 - include: config_fpm.yml
   when: php_fpm_enable | bool
 
-- name: Enforce permissions on PHP fpm directory
+- name: "Enforce permissions on PHP fpm directory (Debian 9)"
   file:
     dest: /etc/php/7.0/fpm
     mode: "0755"
@@ -88,7 +88,7 @@
 - include: config_apache.yml
   when: php_apache_enable | bool
 
-- name: Enforce permissions on PHP apache2 directory
+- name: "Enforce permissions on PHP apache2 directory (Debian 9)"
   file:
     dest: /etc/php/7.0/apache2
     mode: "0755"

From 0eb7332a34ae8c5b6647d4fe12088dd175b8a674 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Wed, 29 Sep 2021 16:43:05 +0200
Subject: [PATCH 036/125] php: enforce Debian version with assert instead of
 fail

---
 CHANGELOG.md       | 22 +++++++++++++++++-----
 php/tasks/main.yml |  9 ++++++---
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 383f3138..e2f6d2e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,14 +4,26 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 This project does not follow semantic versioning.
-The **major** part of the version is aligned with the stable version of Debian.
-The **minor** part changes with big changes (probably incompatible).
-The **patch** part changes incrementally at each release.
+The **major** part of the version is the year
+The **minor** part changes is the month
+The **patch** part changes is incremented if multiple releases happen the same month
 
 ## [Unreleased]
 
 ### Added
 
+### Changed
+
+### Fixed
+
+### Removed
+
+### Security
+
+## [21.09] 2021-09-29
+
+### Added
+
 * Preliminary support for Debian 11 « Bullseye »
 * apache: new variable for mpm mode (+ updated default config accordingly)
 * certbot: add script for manual deploy hooks execution
@@ -32,6 +44,7 @@ The **patch** part changes incrementally at each release.
 
 ### Changed
 
+* Change version pattern
 * Use python3 modules for Debian 11 and later
 * Remove embedded GPG keys only if legacy keyring is present
 * apt: remove workaround for Evolix public repositories with Debian 11
@@ -50,6 +63,7 @@ The **patch** part changes incrementally at each release.
 * logstash: elastic_stack_version = 7.x
 * mysql: mariadb-client-10.5 on Debian 11
 * mysql: use python3 with Debian 11 and later
+* php: enforce Debian version with assert instead of fail
 * squid: improve default whitelist (more specific patterns)
 * squid: must be started in foreground mode for systemd
 * squid: remove obsolete variable on Squid 4
@@ -63,8 +77,6 @@ The **patch** part changes incrementally at each release.
 * php: remove php-gettext for 7.4
 * logstash: no more dependency on Java
 
-### Security
-
 ## [10.6.0] 2021-06-28
 
 ### Added
diff --git a/php/tasks/main.yml b/php/tasks/main.yml
index 5cf46bec..c0f736c4 100644
--- a/php/tasks/main.yml
+++ b/php/tasks/main.yml
@@ -1,8 +1,11 @@
 ---
 
-- fail:
-    msg: only compatible with Debian >= 8
-  when: ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<')
+- assert:
+    that:
+      - ansible_distribution != "Debian"
+      - ansible_distribution_major_version is version('8', '>=')
+      - ansible_distribution_major_version is version('11', '<=')
+    msg: This is only compatible with Debian 8 → 11
 
 - include: main_jessie.yml
   when: ansible_distribution_release == "jessie"

From 437d2986ae9a3d26d3c7dc01726d400c4f076402 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Wed, 29 Sep 2021 18:39:29 +0200
Subject: [PATCH 037/125] better python3 modules management

---
 mysql-oracle/tasks/users.yml     | 14 +++++++++-----
 mysql/tasks/users_stretch.yml    | 14 +++++++++-----
 postgresql/tasks/nrpe.yml        |  2 +-
 rabbitmq/tasks/nrpe.yml          |  2 +-
 redmine/tasks/packages.yml       | 14 +++++++++-----
 webapps/nextcloud/tasks/main.yml | 14 +++++++++-----
 6 files changed, 38 insertions(+), 22 deletions(-)

diff --git a/mysql-oracle/tasks/users.yml b/mysql-oracle/tasks/users.yml
index e5a7e3da..a34cea7b 100644
--- a/mysql-oracle/tasks/users.yml
+++ b/mysql-oracle/tasks/users.yml
@@ -1,20 +1,24 @@
 ---
 
 # dependency for mysql_user and mysql_db
-- name: python-mysqldb is installed (Ansible dependency)
+- name: python modules is installed (Ansible dependency)
   apt:
-    name: python-mysqldb
+    name:
+      - python-mysqldb
+      - python-pymysql
     state: present
   when: ansible_distribution_major_version is version('10', '<=')
   tags:
     - mysql
 
 # dependency for mysql_user and mysql_db
-- name: python3-mysqldb is installed (Ansible dependency)
+- name: python3 modules is installed (Ansible dependency)
   apt:
-    name: python3-mysqldb
+    name:
+      - python3-mysqldb
+      - python3-pymysql
     state: present
-  when: ansible_distribution_major_version is version('10', '>')
+  when: ansible_distribution_major_version is version('10', '>=')
   tags:
     - mysql
 
diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml
index 2b9bec6b..00b7a5e6 100644
--- a/mysql/tasks/users_stretch.yml
+++ b/mysql/tasks/users_stretch.yml
@@ -1,20 +1,24 @@
 ---
 
 # dependency for mysql_user and mysql_db
-- name: python-mysqldb is installed (Ansible dependency)
+- name: python modules is installed (Ansible dependency)
   apt:
-    name: python-mysqldb
+    name:
+      - python-mysqldb
+      - python-pymysql
     state: present
   when: ansible_distribution_major_version is version('10', '<=')
   tags:
     - mysql
 
 # dependency for mysql_user and mysql_db
-- name: python3-mysqldb is installed (Ansible dependency)
+- name: python3 modules is installed (Ansible dependency)
   apt:
-    name: python3-mysqldb
+    name:
+      - python3-mysqldb
+      - python3-pymysql
     state: present
-  when: ansible_distribution_major_version is version('10', '>')
+  when: ansible_distribution_major_version is version('10', '>=')
   tags:
     - mysql
 
diff --git a/postgresql/tasks/nrpe.yml b/postgresql/tasks/nrpe.yml
index 9c22e293..825390d6 100644
--- a/postgresql/tasks/nrpe.yml
+++ b/postgresql/tasks/nrpe.yml
@@ -19,7 +19,7 @@
   apt:
     name: python3-psycopg2
     state: present
-  when: ansible_distribution_major_version is version('10', '>')
+  when: ansible_distribution_major_version is version('10', '>=')
 
 - name: Is nrpe present ?
   stat:
diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml
index 75b37043..9af64f19 100644
--- a/rabbitmq/tasks/nrpe.yml
+++ b/rabbitmq/tasks/nrpe.yml
@@ -10,7 +10,7 @@
   apt:
     name: python3-requests
     state: present
-  when: ansible_distribution_major_version is version('10', '>')
+  when: ansible_distribution_major_version is version('10', '>=')
 
 - include_role:
     name: evolix/remount-usr
diff --git a/redmine/tasks/packages.yml b/redmine/tasks/packages.yml
index 0c65df44..17f0d4a5 100644
--- a/redmine/tasks/packages.yml
+++ b/redmine/tasks/packages.yml
@@ -19,19 +19,23 @@
     - redmine
 
 # dependency for mysql_user and mysql_db
-- name: python-mysqldb is installed (Ansible dependency)
+- name: python modules is installed (Ansible dependency)
   apt:
-    name: python-mysqldb
+    name:
+      - python-mysqldb
+      - python-pymysql
     state: present
   when: ansible_distribution_major_version is version('10', '<=')
   tags:
     - redmine
 
 # dependency for mysql_user and mysql_db
-- name: python3-mysqldb is installed (Ansible dependency)
+- name: python3 modules is installed (Ansible dependency)
   apt:
-    name: python3-mysqldb
+    name:
+      - python3-mysqldb
+      - python3-pymysql
     state: present
-  when: ansible_distribution_major_version is version('10', '>')
+  when: ansible_distribution_major_version is version('10', '>=')
   tags:
     - redmine
\ No newline at end of file
diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml
index c63291f1..942b385e 100644
--- a/webapps/nextcloud/tasks/main.yml
+++ b/webapps/nextcloud/tasks/main.yml
@@ -20,20 +20,24 @@
     - nextcloud
 
 # dependency for mysql_user and mysql_db
-- name: python-mysqldb is installed (Ansible dependency)
+- name: python modules is installed (Ansible dependency)
   apt:
-    name: python-mysqldb
+    name:
+      - python-mysqldb
+      - python-pymysql
     state: present
   when: ansible_distribution_major_version is version('10', '<=')
   tags:
     - nextcloud
 
 # dependency for mysql_user and mysql_db
-- name: python3-mysqldb is installed (Ansible dependency)
+- name: python3 modules is installed (Ansible dependency)
   apt:
-    name: python3-mysqldb
+    name:
+      - python3-mysqldb
+      - python3-pymysql
     state: present
-  when: ansible_distribution_major_version is version('10', '>')
+  when: ansible_distribution_major_version is version('10', '>=')
   tags:
     - nextcloud
 

From 4c52719561250592dbba044852c666ae08241652 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Wed, 29 Sep 2021 18:39:42 +0200
Subject: [PATCH 038/125] php: fix assert condition

---
 php/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/php/tasks/main.yml b/php/tasks/main.yml
index c0f736c4..86bde74f 100644
--- a/php/tasks/main.yml
+++ b/php/tasks/main.yml
@@ -2,7 +2,7 @@
 
 - assert:
     that:
-      - ansible_distribution != "Debian"
+      - ansible_distribution == "Debian"
       - ansible_distribution_major_version is version('8', '>=')
       - ansible_distribution_major_version is version('11', '<=')
     msg: This is only compatible with Debian 8 → 11

From 3de5de53043d5405819173a959f476d91f64d338 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 30 Sep 2021 10:13:11 +0200
Subject: [PATCH 039/125] mysql: improve Bullseye compatibility

---
 CHANGELOG.md                      |  1 +
 mysql/tasks/main.yml              |  9 ++-
 mysql/tasks/munin.yml             | 10 +++-
 mysql/tasks/users_buster.yml      | 96 +++++++++++++++++++++++++++++++
 mysql/tasks/users_jessie.yml      | 23 ++------
 mysql/tasks/users_stretch.yml     | 28 +++------
 mysql/tasks/utils.yml             | 18 +++++-
 mysql/templates/mytop.bullseye.j2 |  3 +
 8 files changed, 147 insertions(+), 41 deletions(-)
 create mode 100644 mysql/tasks/users_buster.yml
 create mode 100644 mysql/templates/mytop.bullseye.j2

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e2f6d2e2..4867c047 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,6 +34,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * listupgrade: crontab is configurable
 * logstash: logging to syslog is configurable (default: True)
 * mongodb: create munin plugins directory if missing
+* mysql: improve Bullseye compatibility
 * mysql: script "mysql_connections" to display a compact list of connections
 * mysql: script "mysql-queries-killer.sh" to kill MySQL queries
 * nagios-nrpe + evolinux-users: new checks for bkctld
diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml
index ace6299e..b99a9aa1 100644
--- a/mysql/tasks/main.yml
+++ b/mysql/tasks/main.yml
@@ -10,8 +10,15 @@
 - include: packages_jessie.yml
   when: ansible_distribution_release == "jessie"
 
+## There is nothing to do with users on Debian 11
+# - include: users_bullseye.yml
+#   when: ansible_distribution_release == "bullseye"
+
+- include: users_buster.yml
+  when: ansible_distribution_release == "buster"
+
 - include: users_stretch.yml
-  when: ansible_distribution_major_version is version('9', '>=')
+  when: ansible_distribution_release == "stretch"
 
 - include: users_jessie.yml
   when: ansible_distribution_release == "jessie"
diff --git a/mysql/tasks/munin.yml b/mysql/tasks/munin.yml
index f2a333e7..33da8492 100644
--- a/mysql/tasks/munin.yml
+++ b/mysql/tasks/munin.yml
@@ -10,12 +10,20 @@
     - munin
 
 - block:
-  - name: Install perl libraries for Munin
+  - name: "Install perl libraries for Munin (Debian < 11)"
     apt:
       name:
         - libdbd-mysql-perl
         - libcache-cache-perl
       state: present
+    when: ansible_distribution_major_version is version('11', '<')
+
+  - name: "Install perl libraries for Munin (Debian >= 11)"
+    apt:
+      name:
+        - libcache-cache-perl
+        - libdbd-mariadb-perl
+    when: ansible_distribution_major_version is version('11', '>=')
 
   - name: Enable core Munin plugins
     file:
diff --git a/mysql/tasks/users_buster.yml b/mysql/tasks/users_buster.yml
new file mode 100644
index 00000000..90f9e801
--- /dev/null
+++ b/mysql/tasks/users_buster.yml
@@ -0,0 +1,96 @@
+---
+
+- name: Python dependencies for Ansible are installed
+  apt:
+    name:
+      - python-mysqldb
+      - python-pymysql
+      - python3-mysqldb
+      - python3-pymysql
+    state: present
+  tags:
+    - mysql
+
+- name: create a password for mysqladmin
+  command: "apg -n 1 -m 16 -M lcN"
+  register: mysql_admin_password
+  changed_when: False
+  check_mode: False
+  tags:
+    - mysql
+
+- name: there is a mysqladmin user
+  mysql_user:
+    name: mysqladmin
+    password: '{{ mysql_admin_password.stdout }}'
+    priv: "*.*:ALL,GRANT"
+    update_password: on_create
+    state: present
+    config_file: "/etc/mysql/debian.cnf"
+    login_user: root
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+  register: create_mysqladmin_user
+  tags:
+    - mysql
+
+- name: mysqladmin is the default user
+  ini_file:
+    dest: /root/.my.cnf
+    mode: "0600"
+    section: client
+    option: '{{ item.option }}'
+    value: '{{ item.value }}'
+    create: yes
+  loop:
+    - { option: 'user',     value: 'mysqladmin' }
+    - { option: 'password', value: '{{ mysql_admin_password.stdout }}' }
+  when: create_mysqladmin_user is changed
+  tags:
+    - mysql
+
+- name: create a password for debian-sys-maint
+  command: "apg -n 1 -m 16 -M lcN"
+  register: mysql_debian_password
+  changed_when: False
+  check_mode: False
+  tags:
+    - mysql
+
+- name: there is a debian-sys-maint user
+  mysql_user:
+    name: debian-sys-maint
+    password: '{{ mysql_debian_password.stdout }}'
+    priv: "*.*:ALL,GRANT"
+    update_password: on_create
+    state: present
+    config_file: "/root/.my.cnf"
+  register: create_debian_user
+  tags:
+    - mysql
+
+- name: store debian-sys-maint user credentials
+  ini_file:
+    dest: /etc/mysql/debian.cnf
+    mode: "0600"
+    section: "{{ item[0] }}"
+    option: '{{ item[1].option }}'
+    value: '{{ item[1].value }}'
+    create: yes
+  loop: "{{ _sections | product(_credentials) | list }}"
+  vars:
+    _sections: [ 'client', 'mysql_upgrade' ]
+    _credentials:
+      - { option: 'user',     value: 'debian-sys-maint' }
+      - { option: 'password', value: '{{ mysql_debian_password.stdout }}' }
+  when: create_debian_user is changed
+  tags:
+    - mysql
+
+- name: root user is absent
+  mysql_user:
+    name: root
+    host_all: yes
+    config_file: "/root/.my.cnf"
+    state: absent
+  tags:
+    - mysql
diff --git a/mysql/tasks/users_jessie.yml b/mysql/tasks/users_jessie.yml
index 3a56a63d..d9cab42f 100644
--- a/mysql/tasks/users_jessie.yml
+++ b/mysql/tasks/users_jessie.yml
@@ -5,21 +5,10 @@
     msg: "We can't create other users with 'debian-sys-maint' on Debian 8 with MariaDB.\nWe must give it the GRANT privilege before continuing."
   when: mysql_variant == "mariadb"
 
-# dependency for mysql_user and mysql_db
-- name: python-mysqldb is installed (Ansible dependency)
+- name: Python dependencies for Ansible are installed
   apt:
     name: python-mysqldb
     state: present
-  when: ansible_distribution_major_version is version('10', '<=')
-  tags:
-    - mysql
-
-# dependency for mysql_user and mysql_db
-- name: python3-mysqldb is installed (Ansible dependency)
-  apt:
-    name: python3-mysqldb
-    state: present
-  when: ansible_distribution_major_version is version('10', '>')
   tags:
     - mysql
 
@@ -29,7 +18,7 @@
   changed_when: False
   check_mode: no
   tags:
-  - mysql
+    - mysql
 
 - name: there is a mysqladmin user
   mysql_user:
@@ -41,7 +30,7 @@
     config_file: "/etc/mysql/debian.cnf"
   register: create_mysqladmin_user
   tags:
-  - mysql
+    - mysql
 
 - name: mysqladmin is the default user
   ini_file:
@@ -56,13 +45,13 @@
     - { option: 'password', value: '{{ mysql_admin_password.stdout }}' }
   when: create_mysqladmin_user is changed
   tags:
-  - mysql
+   - mysql
 
-- name: remove root user
+- name: root user is absent
   mysql_user:
     name: root
     host_all: yes
     config_file: "/root/.my.cnf"
     state: absent
   tags:
-  - mysql
+    - mysql
diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml
index 00b7a5e6..7a886f83 100644
--- a/mysql/tasks/users_stretch.yml
+++ b/mysql/tasks/users_stretch.yml
@@ -1,24 +1,11 @@
 ---
 
-# dependency for mysql_user and mysql_db
-- name: python modules is installed (Ansible dependency)
+- name: Python dependencies for Ansible are installed
   apt:
     name:
       - python-mysqldb
       - python-pymysql
     state: present
-  when: ansible_distribution_major_version is version('10', '<=')
-  tags:
-    - mysql
-
-# dependency for mysql_user and mysql_db
-- name: python3 modules is installed (Ansible dependency)
-  apt:
-    name:
-      - python3-mysqldb
-      - python3-pymysql
-    state: present
-  when: ansible_distribution_major_version is version('10', '>=')
   tags:
     - mysql
 
@@ -28,7 +15,7 @@
   changed_when: False
   check_mode: False
   tags:
-  - mysql
+    - mysql
 
 - name: there is a mysqladmin user
   mysql_user:
@@ -38,9 +25,11 @@
     update_password: on_create
     state: present
     config_file: "/etc/mysql/debian.cnf"
+    login_user: root
+    login_unix_socket: /var/run/mysqld/mysqld.sock
   register: create_mysqladmin_user
   tags:
-  - mysql
+    - mysql
 
 - name: mysqladmin is the default user
   ini_file:
@@ -55,8 +44,7 @@
     - { option: 'password', value: '{{ mysql_admin_password.stdout }}' }
   when: create_mysqladmin_user is changed
   tags:
-  - mysql
-
+    - mysql
 
 - name: create a password for debian-sys-maint
   command: "apg -n 1 -m 16 -M lcN"
@@ -64,7 +52,7 @@
   changed_when: False
   check_mode: False
   tags:
-  - mysql
+    - mysql
 
 - name: there is a debian-sys-maint user
   mysql_user:
@@ -96,7 +84,7 @@
   tags:
     - mysql
 
-- name: remove root user
+- name: root user is absent
   mysql_user:
     name: root
     host_all: yes
diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml
index 228b69b4..b210ca3a 100644
--- a/mysql/tasks/utils.yml
+++ b/mysql/tasks/utils.yml
@@ -49,17 +49,19 @@
       - mariadb-client-10.5
       - libconfig-inifiles-perl
       - libterm-readkey-perl
+      - libdbd-mariadb-perl
   when: ansible_distribution_major_version is version('11', '>=')
 
-- name: Read debian-sys-maint password
+- name: Read debian-sys-maint password (Debian < 11)
   shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3'
   register: mysql_debian_password
   changed_when: False
   check_mode: no
   tags:
     - mysql
+  when: ansible_distribution_major_version is version('11', '<')
 
-- name: Configure mytop
+- name: Configure mytop (Debian < 11)
   template:
     src: mytop.j2
     dest: /root/.mytop
@@ -68,6 +70,18 @@
   tags:
     - mytop
     - mysql
+  when: ansible_distribution_major_version is version('11', '<')
+
+- name: Configure mytop (Debian >= 11)
+  template:
+    src: mytop.bullseye.j2
+    dest: /root/.mytop
+    mode: "0600"
+    force: yes
+  tags:
+    - mytop
+    - mysql
+  when: ansible_distribution_major_version is version('11', '>=')
 
 # mysqltuner
 
diff --git a/mysql/templates/mytop.bullseye.j2 b/mysql/templates/mytop.bullseye.j2
new file mode 100644
index 00000000..d31a6243
--- /dev/null
+++ b/mysql/templates/mytop.bullseye.j2
@@ -0,0 +1,3 @@
+user = root
+socket = /var/run/mysqld/mysqld.sock
+db = mysql

From 4a035d248deef3828e754e2fc2dabcf3a7470000 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 30 Sep 2021 10:45:07 +0200
Subject: [PATCH 040/125] evocheck: upstream release 21.09

---
 CHANGELOG.md               |  4 ++--
 evocheck/files/evocheck.sh | 41 +++++++++++++++++++++++++++++---------
 2 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4867c047..e61b8add 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,7 +24,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Added
 
-* Preliminary support for Debian 11 « Bullseye »
+* Support for Debian 11 « Bullseye » (with possible remaining blind spots)
 * apache: new variable for mpm mode (+ updated default config accordingly)
 * certbot: add script for manual deploy hooks execution
 * etc-git: purge old .git/index.lock (default: True)
@@ -54,7 +54,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * elasticsearch: 7.x by default
 * evoadmin-web: simpler PHP packages lists
 * evomaintenance: extract a config.yyml tasks file
-* evocheck: upstream release 21.07
+* evocheck: upstream release 21.09
 * evolinux-base: alert5 comes after the network
 * evolinux-base: force Debian version to buster for Evolix repository (temporary)
 * evolinux-base: split dpkg logrotate configuration
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 02fa4a6b..89127600 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -4,7 +4,7 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
 
-VERSION="21.07"
+VERSION="21.09"
 readonly VERSION
 
 # base functions
@@ -233,8 +233,19 @@ check_syslogconf() {
         || failed "IS_SYSLOGCONF" "syslog evolix config file missing"
 }
 check_debiansecurity() {
-    grep -q "^deb.*security" /etc/apt/sources.list \
-        || failed "IS_DEBIANSECURITY" "missing debian security repository"
+    if is_debian_bullseye; then
+        # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
+        pattern="^deb https://deb\.debian\.org/debian-security bullseye-security main"
+    elif is_debian_buster; then
+        pattern="^deb http://security\.debian\.org/debian-security buster/updates main"
+    elif is_debian_stretch; then
+        pattern="^deb http://security\.debian\.org/debian-security stretch/updates main"
+    else
+        pattern="^deb.*security"
+    fi
+
+    source_file="/etc/apt/sources.list"
+    grep -q "${pattern}" "${source_file}" || failed "IS_DEBIANSECURITY" "missing debian security repository"
 }
 check_aptitudeonly() {
     if is_debian_squeeze || is_debian_wheezy; then
@@ -345,6 +356,13 @@ check_minifw() {
     /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
         || failed "IS_MINIFW" "minifirewall seems not starded"
 }
+check_minifw_includes() {
+    if is_debian_bullseye; then
+        if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "${MINIFW_FILE}"; then
+            failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in ${MINIFW_FILE} that should go in /etc/minifirewall.d/"
+        fi
+    fi
+}
 check_nrpeperms() {
     if [ -d /etc/nagios ]; then
         nagiosDir="/etc/nagios"
@@ -405,17 +423,20 @@ check_apachemunin() {
 check_mysqlutils() {
     MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin}
     if is_installed mysql-server; then
-        # You can configure MYSQL_ADMIN in evocheck.cf
-        if ! grep -qs "$MYSQL_ADMIN" /root/.my.cnf; then
-            failed "IS_MYSQLUTILS" "mysqladmin missing in /root/.my.cnf"
+        # With Debian 11 and later, root can connect to MariaDB with the socket
+        if is_debian_wheezy || is_debian_jessie ||  is_debian_stretch || is_debian_buster; then
+            # You can configure MYSQL_ADMIN in evocheck.cf
+            if ! grep -qs "^user *= *${MYSQL_ADMIN}" /root/.my.cnf; then
+                failed "IS_MYSQLUTILS" "${MYSQL_ADMIN} missing in /root/.my.cnf"
+            fi
         fi
         if ! test -x /usr/bin/mytop; then
             if ! test -x /usr/local/bin/mytop; then
                 failed "IS_MYSQLUTILS" "mytop binary missing"
             fi
         fi
-        if ! grep -qs debian-sys-maint /root/.mytop; then
-            failed "IS_MYSQLUTILS" "debian-sys-maint missing in /root/.mytop"
+        if ! grep -qs '^user *=' /root/.mytop; then
+            failed "IS_MYSQLUTILS" "credentials missing in /root/.mytop"
         fi
     fi
 }
@@ -457,7 +478,8 @@ check_squid() {
             && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \
             && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \
             && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE";
-        } || failed "IS_SQUID" "missing squid rules in minifirewall"
+        } || grep -qE "^PROXY='?on'?" "$MINIFW_FILE" \
+          || failed "IS_SQUID" "missing squid rules in minifirewall"
     fi
 }
 check_evomaintenance_fw() {
@@ -1386,6 +1408,7 @@ main() {
         test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw
         test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms
         test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms
+        test "${IS_MINIFWINCLUDES:=1}" = 1 && check_minifw_includes
         test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks
         test "${IS_NRPEPID:=1}" = 1 && check_nrpepid
         test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs

From 9b479f9c050957fbdcb8465540f71180d1ea5d33 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 30 Sep 2021 12:07:02 +0200
Subject: [PATCH 041/125] evolinux-base: logs are rotated with dateext by
 default

---
 CHANGELOG.md                                  |  1 +
 evolinux-base/defaults/main.yml               |  2 ++
 .../files/logs/logrotate.disabled/procmail    |  4 ---
 evolinux-base/tasks/logs.yml                  | 25 ++++++++++++++++++-
 evolinux-base/templates/logs/zsyslog.j2       |  5 ++++
 5 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e61b8add..189019f2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -59,6 +59,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * evolinux-base: force Debian version to buster for Evolix repository (temporary)
 * evolinux-base: split dpkg logrotate configuration
 * evolinux-base: install freeipmi by default on dedicated hw
+* evolinux-base: logs are rotated with dateext by default
 * kibana: 7.x by default
 * listupgrade: upstream release 21.06.3
 * logstash: elastic_stack_version = 7.x
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index 26f6e4c8..05830845 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@@ -164,8 +164,10 @@ evolinux_logs_include: True
 
 evolinux_logs_logrotate_confs: True
 evolinux_logs_default_rotate: True
+evolinux_logs_default_dateext : True
 evolinux_logs_disable_logrotate_rsyslog: True
 evolinux_logs_rsyslog_conf: True
+evolinux_logrotate_dateformat: "-%Y%m%d%H"
 
 # default www
 
diff --git a/evolinux-base/files/logs/logrotate.disabled/procmail b/evolinux-base/files/logs/logrotate.disabled/procmail
index d42323f1..29dd2d7a 100644
--- a/evolinux-base/files/logs/logrotate.disabled/procmail
+++ b/evolinux-base/files/logs/logrotate.disabled/procmail
@@ -1,11 +1,7 @@
 /var/log/procmail.log {
     daily
     rotate 365
-    dateext
-    dateyesterday
-    dateformat .%Y%m%d
     missingok
-    rotate 365
     create 640 root adm
 }
 
diff --git a/evolinux-base/tasks/logs.yml b/evolinux-base/tasks/logs.yml
index 2bf28b98..8298486e 100644
--- a/evolinux-base/tasks/logs.yml
+++ b/evolinux-base/tasks/logs.yml
@@ -30,11 +30,34 @@
     dest: /etc/logrotate.d/zsyslog
   when: evolinux_logs_logrotate_confs | bool
 
-- name: Configure logrotate.conf
+- name: Configure logrotate.conf default rotate value
   replace:
     dest: /etc/logrotate.conf
     regexp: "rotate [0-9]+"
     replace: "rotate 12"
   when: evolinux_logs_default_rotate | bool
 
+- name: Enable logrotate.conf dateext option
+  lineinfile:
+    dest: /etc/logrotate.conf
+    line: "dateext"
+    regexp: "^#?\\s*dateext"
+  when: evolinux_logs_default_dateext | bool
+
+- name: Enable logrotate.conf dateformat option
+  lineinfile:
+    dest: /etc/logrotate.conf
+    line: "dateformat {{ evolinux_logrotate_dateformat | mandatory }}"
+    regexp: "^#?\\s*dateformat.*"
+    insertafter: 'dateext'
+  when: evolinux_logs_default_dateext | bool
+
+- name: Disable logrotate.conf dateyesterday option
+  lineinfile:
+    dest: /etc/logrotate.conf
+    line: "# dateyesterday"
+    regexp: "^\\s*dateyesterday"
+    insertafter: 'dateext'
+  when: evolinux_logs_default_dateext | bool
+
 - meta: flush_handlers
diff --git a/evolinux-base/templates/logs/zsyslog.j2 b/evolinux-base/templates/logs/zsyslog.j2
index 2fc2bd1a..cb6d931e 100644
--- a/evolinux-base/templates/logs/zsyslog.j2
+++ b/evolinux-base/templates/logs/zsyslog.j2
@@ -1,8 +1,13 @@
 # Custom EvoLinux
 create 640 root adm
+{% if not evolinux_logs_default_dateext %}
+# BEGIN legacy setting
+# … when global dateext and dateformat are not enabled
 dateext
 dateyesterday
 dateformat .%Y%m%d
+# END legacy setting
+{% endif %}
 missingok
 notifempty
 delaycompress

From b2f8095d145e9a2e9f7b05397ef9508417988117 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 30 Sep 2021 12:07:39 +0200
Subject: [PATCH 042/125] mysql: fix task settings temporary mistake

---
 mysql/tasks/users_buster.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/mysql/tasks/users_buster.yml b/mysql/tasks/users_buster.yml
index 90f9e801..7f73167a 100644
--- a/mysql/tasks/users_buster.yml
+++ b/mysql/tasks/users_buster.yml
@@ -27,8 +27,6 @@
     update_password: on_create
     state: present
     config_file: "/etc/mysql/debian.cnf"
-    login_user: root
-    login_unix_socket: /var/run/mysqld/mysqld.sock
   register: create_mysqladmin_user
   tags:
     - mysql

From 5cbfda8f5290a004668745bc9e30490d12f1e549 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 30 Sep 2021 12:09:11 +0200
Subject: [PATCH 043/125] docker-host: install additional dependencies

---
 CHANGELOG.md               | 1 +
 docker-host/tasks/main.yml | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 189019f2..84670ff2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * Support for Debian 11 « Bullseye » (with possible remaining blind spots)
 * apache: new variable for mpm mode (+ updated default config accordingly)
 * certbot: add script for manual deploy hooks execution
+* docker-host: install additional dependencies
 * etc-git: purge old .git/index.lock (default: True)
 * evolinux-base: install molly-guard by default
 * generate-ldif: detect hardware raid card
diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml
index 796c800d..d0d5c54e 100644
--- a/docker-host/tasks/main.yml
+++ b/docker-host/tasks/main.yml
@@ -40,6 +40,8 @@
   apt:
     name:
       - docker-ce
+      - docker-ce-cli
+      - containerd.io
     update_cache: yes
 
 - name: python-docker is installed
@@ -52,7 +54,7 @@
   apt:
     name: python3-docker
     state: present
-  when: ansible_distribution_major_version is version('10', '>')
+  when: ansible_distribution_major_version is version('10', '>=')
 
 - name: Copy Docker daemon configuration file
   template:

From dc1a01ce370af0f66fe0f17a44315c2184e0243d Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 30 Sep 2021 12:10:55 +0200
Subject: [PATCH 044/125] lxc: fix dependencies

---
 lxc/tasks/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml
index 74ba69ae..bc5b01eb 100644
--- a/lxc/tasks/main.yml
+++ b/lxc/tasks/main.yml
@@ -6,19 +6,19 @@
       - debootstrap
       - xz-utils
 
-- name: python-lxc is installed
+- name: python-lxc is installed (Debian <= 10)
   apt:
     name: python-lxc
     state: present
   when: ansible_distribution_major_version is version('10', '<=')
 
-- name: python3-lxc is installed
+- name: python3-lxc is installed (Debian >= 10)
   apt:
     name: python3-lxc
     state: present
-  when: ansible_distribution_major_version is version('10', '>')
+  when: ansible_distribution_major_version is version('10', '>=')
 
-- name: Install additional packages on Buster
+- name: Install additional packages (Debian >= 10)
   apt:
     name:
       - apparmor

From b293cf2cf9245d8836dd08a489af82604213733b Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 30 Sep 2021 17:05:10 +0200
Subject: [PATCH 045/125] Install python 2 or 3 libraries according to running
 python version

---
 CHANGELOG.md                     |  2 +-
 docker-host/tasks/main.yml       |  6 +++---
 lxc/tasks/main.yml               |  4 ++--
 mysql-oracle/tasks/users.yml     | 10 ++++------
 mysql/tasks/users_buster.yml     | 11 ++++++++++-
 mysql/tasks/users_stretch.yml    | 13 ++++++++++++-
 postgresql/tasks/nrpe.yml        |  4 ++--
 rabbitmq/tasks/nrpe.yml          |  4 ++--
 redmine/tasks/packages.yml       |  6 +++---
 webapps/nextcloud/tasks/main.yml |  4 ++--
 10 files changed, 41 insertions(+), 23 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 84670ff2..0a147a25 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -47,7 +47,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Changed
 
 * Change version pattern
-* Use python3 modules for Debian 11 and later
+* Install python 2 or 3 libraries according to running python version
 * Remove embedded GPG keys only if legacy keyring is present
 * apt: remove workaround for Evolix public repositories with Debian 11
 * apt: use the new security repository for Bullseye
diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml
index d0d5c54e..026181f6 100644
--- a/docker-host/tasks/main.yml
+++ b/docker-host/tasks/main.yml
@@ -36,7 +36,7 @@
     owner: root
     group: root
 
-- name: Install docker and python-docker
+- name: Install Docker
   apt:
     name:
       - docker-ce
@@ -48,13 +48,13 @@
   apt:
     name: python-docker
     state: present
-  when: ansible_distribution_major_version is version('10', '<=')
+  when: ansible_python_version is version('3', '<')
 
 - name: python3-docker is installed
   apt:
     name: python3-docker
     state: present
-  when: ansible_distribution_major_version is version('10', '>=')
+  when: ansible_python_version is version('3', '>=')
 
 - name: Copy Docker daemon configuration file
   template:
diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml
index bc5b01eb..23e40971 100644
--- a/lxc/tasks/main.yml
+++ b/lxc/tasks/main.yml
@@ -10,13 +10,13 @@
   apt:
     name: python-lxc
     state: present
-  when: ansible_distribution_major_version is version('10', '<=')
+  when: ansible_python_version is version('3', '<')
 
 - name: python3-lxc is installed (Debian >= 10)
   apt:
     name: python3-lxc
     state: present
-  when: ansible_distribution_major_version is version('10', '>=')
+  when: ansible_python_version is version('3', '>=')
 
 - name: Install additional packages (Debian >= 10)
   apt:
diff --git a/mysql-oracle/tasks/users.yml b/mysql-oracle/tasks/users.yml
index a34cea7b..d0c444e5 100644
--- a/mysql-oracle/tasks/users.yml
+++ b/mysql-oracle/tasks/users.yml
@@ -1,26 +1,24 @@
 ---
 
-# dependency for mysql_user and mysql_db
-- name: python modules is installed (Ansible dependency)
+- name: Python2 dependencies for Ansible are installed
   apt:
     name:
       - python-mysqldb
       - python-pymysql
     state: present
-  when: ansible_distribution_major_version is version('10', '<=')
   tags:
     - mysql
+  when: ansible_python_version is version('3', '<')
 
-# dependency for mysql_user and mysql_db
-- name: python3 modules is installed (Ansible dependency)
+- name: Python3 dependencies for Ansible are installed
   apt:
     name:
       - python3-mysqldb
       - python3-pymysql
     state: present
-  when: ansible_distribution_major_version is version('10', '>=')
   tags:
     - mysql
+  when: ansible_python_version is version('3', '>=')
 
 - name: create a password for mysqladmin
   command: "apg -n 1 -m 16 -M lcN"
diff --git a/mysql/tasks/users_buster.yml b/mysql/tasks/users_buster.yml
index 7f73167a..18b5d98d 100644
--- a/mysql/tasks/users_buster.yml
+++ b/mysql/tasks/users_buster.yml
@@ -1,15 +1,24 @@
 ---
 
-- name: Python dependencies for Ansible are installed
+- name: Python2 dependencies for Ansible are installed
   apt:
     name:
       - python-mysqldb
       - python-pymysql
+    state: present
+  tags:
+    - mysql
+  when: ansible_python_version is version('3', '<')
+
+- name: Python3 dependencies for Ansible are installed
+  apt:
+    name:
       - python3-mysqldb
       - python3-pymysql
     state: present
   tags:
     - mysql
+  when: ansible_python_version is version('3', '>=')
 
 - name: create a password for mysqladmin
   command: "apg -n 1 -m 16 -M lcN"
diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml
index 7a886f83..ca567889 100644
--- a/mysql/tasks/users_stretch.yml
+++ b/mysql/tasks/users_stretch.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: Python dependencies for Ansible are installed
+- name: Python2 dependencies for Ansible are installed
   apt:
     name:
       - python-mysqldb
@@ -8,6 +8,17 @@
     state: present
   tags:
     - mysql
+  when: ansible_python_version is version('3', '<')
+
+- name: Python3 dependencies for Ansible are installed
+  apt:
+    name:
+      - python3-mysqldb
+      - python3-pymysql
+    state: present
+  tags:
+    - mysql
+  when: ansible_python_version is version('3', '>=')
 
 - name: create a password for mysqladmin
   command: "apg -n 1 -m 16 -M lcN"
diff --git a/postgresql/tasks/nrpe.yml b/postgresql/tasks/nrpe.yml
index 825390d6..4aea2d81 100644
--- a/postgresql/tasks/nrpe.yml
+++ b/postgresql/tasks/nrpe.yml
@@ -13,13 +13,13 @@
   apt:
     name: python-psycopg2
     state: present
-  when: ansible_distribution_major_version is version('10', '<=')
+  when: ansible_python_version is version('3', '<')
 
 - name: python3-psycopg2 is installed (Ansible dependency)
   apt:
     name: python3-psycopg2
     state: present
-  when: ansible_distribution_major_version is version('10', '>=')
+  when: ansible_python_version is version('3', '>=')
 
 - name: Is nrpe present ?
   stat:
diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml
index 9af64f19..4272f57b 100644
--- a/rabbitmq/tasks/nrpe.yml
+++ b/rabbitmq/tasks/nrpe.yml
@@ -4,13 +4,13 @@
   apt:
     name: python-requests
     state: present
-  when: ansible_distribution_major_version is version('10', '<=')
+  when: ansible_python_version is version('3', '<')
 
 - name: python3-requests is installed (check_rabbitmq dependency)
   apt:
     name: python3-requests
     state: present
-  when: ansible_distribution_major_version is version('10', '>=')
+  when: ansible_python_version is version('3', '>=')
 
 - include_role:
     name: evolix/remount-usr
diff --git a/redmine/tasks/packages.yml b/redmine/tasks/packages.yml
index 17f0d4a5..294ef693 100644
--- a/redmine/tasks/packages.yml
+++ b/redmine/tasks/packages.yml
@@ -25,9 +25,9 @@
       - python-mysqldb
       - python-pymysql
     state: present
-  when: ansible_distribution_major_version is version('10', '<=')
   tags:
     - redmine
+  when: ansible_python_version is version('3', '<')
 
 # dependency for mysql_user and mysql_db
 - name: python3 modules is installed (Ansible dependency)
@@ -36,6 +36,6 @@
       - python3-mysqldb
       - python3-pymysql
     state: present
-  when: ansible_distribution_major_version is version('10', '>=')
   tags:
-    - redmine
\ No newline at end of file
+    - redmine
+  when: ansible_python_version is version('3', '>=')
\ No newline at end of file
diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml
index 942b385e..8e165559 100644
--- a/webapps/nextcloud/tasks/main.yml
+++ b/webapps/nextcloud/tasks/main.yml
@@ -26,9 +26,9 @@
       - python-mysqldb
       - python-pymysql
     state: present
-  when: ansible_distribution_major_version is version('10', '<=')
   tags:
     - nextcloud
+  when: ansible_python_version is version('3', '<)
 
 # dependency for mysql_user and mysql_db
 - name: python3 modules is installed (Ansible dependency)
@@ -37,9 +37,9 @@
       - python3-mysqldb
       - python3-pymysql
     state: present
-  when: ansible_distribution_major_version is version('10', '>=')
   tags:
     - nextcloud
+  when: ansible_python_version is version('3', '>=')
 
 - include: user.yml
 

From 6cb2c669247e3ffccfe0cb416df3a5e80e239f82 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 30 Sep 2021 17:52:49 +0200
Subject: [PATCH 046/125] mysql: fix task settings temporary mistake

---
 mysql/tasks/users_stretch.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml
index ca567889..18b5d98d 100644
--- a/mysql/tasks/users_stretch.yml
+++ b/mysql/tasks/users_stretch.yml
@@ -36,8 +36,6 @@
     update_password: on_create
     state: present
     config_file: "/etc/mysql/debian.cnf"
-    login_user: root
-    login_unix_socket: /var/run/mysqld/mysqld.sock
   register: create_mysqladmin_user
   tags:
     - mysql

From de843cb91f0a866328a1be47ebca61cf8772a19d Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 30 Sep 2021 17:52:49 +0200
Subject: [PATCH 047/125] mysql: fix task settings temporary mistake

---
 evocheck/files/evocheck.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 89127600..8ad42b68 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -4,7 +4,7 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
 
-VERSION="21.09"
+VERSION="21.10"
 readonly VERSION
 
 # base functions
@@ -235,17 +235,17 @@ check_syslogconf() {
 check_debiansecurity() {
     if is_debian_bullseye; then
         # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
-        pattern="^deb https://deb\.debian\.org/debian-security bullseye-security main"
+        pattern="^deb https://deb\.debian\.org/debian-security/? bullseye-security main"
     elif is_debian_buster; then
-        pattern="^deb http://security\.debian\.org/debian-security buster/updates main"
+        pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main"
     elif is_debian_stretch; then
-        pattern="^deb http://security\.debian\.org/debian-security stretch/updates main"
+        pattern="^deb http://security\.debian\.org/debian-security/? stretch/updates main"
     else
         pattern="^deb.*security"
     fi
 
     source_file="/etc/apt/sources.list"
-    grep -q "${pattern}" "${source_file}" || failed "IS_DEBIANSECURITY" "missing debian security repository"
+    grep -qE "${pattern}" "${source_file}" || failed "IS_DEBIANSECURITY" "missing debian security repository"
 }
 check_aptitudeonly() {
     if is_debian_squeeze || is_debian_wheezy; then

From e089ddf091916adfd4220cec8ced7edd9366c6a5 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Fri, 1 Oct 2021 18:27:44 +0200
Subject: [PATCH 048/125] evocheck: upstream release 21.10

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0a147a25..db0c4b7a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -55,7 +55,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * elasticsearch: 7.x by default
 * evoadmin-web: simpler PHP packages lists
 * evomaintenance: extract a config.yyml tasks file
-* evocheck: upstream release 21.09
+* evocheck: upstream release 21.10
 * evolinux-base: alert5 comes after the network
 * evolinux-base: force Debian version to buster for Evolix repository (temporary)
 * evolinux-base: split dpkg logrotate configuration

From 37cb18f67651d89ba1e18c5f2c0f8718935f3456 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Sat, 2 Oct 2021 09:35:17 +0200
Subject: [PATCH 049/125] nginx: improve tasks naiming

---
 nginx/tasks/logrotate.yml          |  2 +-
 nginx/tasks/munin_graphs.yml       |  4 ++--
 nginx/tasks/munin_vhost.yml        | 10 +++++-----
 nginx/tasks/packages.yml           |  4 ++--
 nginx/tasks/packages_backports.yml |  5 +++--
 5 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/nginx/tasks/logrotate.yml b/nginx/tasks/logrotate.yml
index 6cdd556c..c987c2f7 100644
--- a/nginx/tasks/logrotate.yml
+++ b/nginx/tasks/logrotate.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: logrotate configuration
+- name: Logrotate is configured for Nginx
   copy:
     src: logrotate_nginx
     dest: /etc/logrotate.d/nginx
diff --git a/nginx/tasks/munin_graphs.yml b/nginx/tasks/munin_graphs.yml
index ae0bb9ac..5958c856 100644
--- a/nginx/tasks/munin_graphs.yml
+++ b/nginx/tasks/munin_graphs.yml
@@ -1,13 +1,13 @@
 ---
 
-- name: Copy Munin config for Nginx
+- name: Munin config for Nginx is present
   template:
     src: munin/evolinux.nginx
     dest: /etc/munin/plugin-conf.d/
     mode: "0644"
   notify: restart munin
 
-- name: Enable Munin plugins for Nginx
+- name: Munin plugins for Nginx are installed
   file:
     src: '/usr/share/munin/plugins/{{ item }}'
     dest: '/etc/munin/plugins/{{ item }}'
diff --git a/nginx/tasks/munin_vhost.yml b/nginx/tasks/munin_vhost.yml
index 83754ba4..ff9f8423 100644
--- a/nginx/tasks/munin_vhost.yml
+++ b/nginx/tasks/munin_vhost.yml
@@ -6,7 +6,7 @@
     line: '127.0.0.1        munin'
     insertafter: EOF
 
-- name: Ensure packages for Munin CGI are installed
+- name: Packages for Munin CGI are installed
   apt:
     name:
       - liblwp-useragent-determined-perl
@@ -14,26 +14,26 @@
       - spawn-fcgi
     state: present
 
-- name: Adjust owner for munin-cgi
+- name: Owner for munin-cgi is set to www-data:munin
   shell: "chown --verbose www-data:munin /var/log/munin/munin-cgi-*"
   register: command_result
   changed_when: "'changed' in command_result.stdout"
   args:
     warn: no
 
-- name: Adjust rights for munin-cgi
+- name: Mode for munin-cgi is set to 660
   shell: "chmod --verbose 660 /var/log/munin/munin-cgi-*"
   register: command_result
   changed_when: "'changed' in command_result.stdout"
   args:
     warn: no
 
-- name: Systemd unit for Munin-fcgi
+- name: Systemd unit for Munin-fcgi is installed
   copy:
     src: systemd/spawn-fcgi-munin-graph.service
     dest: /etc/systemd/system/spawn-fcgi-munin-graph.service
 
-- name: Enable and start Munin-fcgi
+- name: Systemd unit for Munin-fcgi is started
   systemd:
     name: spawn-fcgi-munin-graph
     daemon_reload: yes
diff --git a/nginx/tasks/packages.yml b/nginx/tasks/packages.yml
index 7d9eead5..ebd5eaaf 100644
--- a/nginx/tasks/packages.yml
+++ b/nginx/tasks/packages.yml
@@ -9,7 +9,7 @@
 
 # TODO: install "nginx" + only necessary modules, instead of "nginx-full"
 
-- name: Ensure Nginx is installed
+- name: Nginx is installed
   apt:
     name: "{{ nginx_package_name | default(nginx_default_package_name) }}"
     state: present
@@ -17,7 +17,7 @@
     - nginx
     - packages
 
-- name: Ensure nginx service is running as configured.
+- name: Service is running as configured.
   service:
     name: nginx
     state: "{{ nginx_service_state }}"
diff --git a/nginx/tasks/packages_backports.yml b/nginx/tasks/packages_backports.yml
index 3ac5088f..820d8713 100644
--- a/nginx/tasks/packages_backports.yml
+++ b/nginx/tasks/packages_backports.yml
@@ -1,6 +1,7 @@
 ---
 
-- include_role:
+- name: Backports repository is configured
+  include_role:
     name: evolix/apt
     tasks_from: backports.yml
   tags:
@@ -18,7 +19,7 @@
     - nginx
     - packages
 
-- name: update apt
+- name: APT cache is updated
   apt:
     update_cache: yes
   when: nginx_apt_preferences is changed

From 7b142965031205021ee298f67296b19b18bf28bb Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Sat, 2 Oct 2021 12:50:01 +0200
Subject: [PATCH 050/125] etc-git: optimize maintenance tasks

* manage commits with an optimized shell script instead of many slow Ansible tasks
* centralize cron jobs in dedicated crontab
---
 CHANGELOG.md                        |   3 +-
 etc-git/files/etc-git-optimize      |  11 ++
 etc-git/files/etc-git-status        |  11 ++
 etc-git/files/evocommit             | 227 ++++++++++++++++++++++++++++
 etc-git/files/optimize-etc-git      |   3 -
 etc-git/tasks/commit.yml            |  34 ++++-
 etc-git/tasks/do_commit.yml         |  77 ----------
 etc-git/tasks/main.yml              |  90 ++++++++---
 etc-git/templates/etc-git-status.j2 |   4 -
 9 files changed, 345 insertions(+), 115 deletions(-)
 create mode 100644 etc-git/files/etc-git-optimize
 create mode 100644 etc-git/files/etc-git-status
 create mode 100644 etc-git/files/evocommit
 delete mode 100644 etc-git/files/optimize-etc-git
 delete mode 100644 etc-git/tasks/do_commit.yml
 delete mode 100644 etc-git/templates/etc-git-status.j2

diff --git a/CHANGELOG.md b/CHANGELOG.md
index db0c4b7a..78027f49 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,7 +28,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * apache: new variable for mpm mode (+ updated default config accordingly)
 * certbot: add script for manual deploy hooks execution
 * docker-host: install additional dependencies
-* etc-git: purge old .git/index.lock (default: True)
+* etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
+* etc-git: centralize cron jobs in dedicated crontab
 * evolinux-base: install molly-guard by default
 * generate-ldif: detect hardware raid card
 * generate-ldif: detect mdadm
diff --git a/etc-git/files/etc-git-optimize b/etc-git/files/etc-git-optimize
new file mode 100644
index 00000000..3d4932ee
--- /dev/null
+++ b/etc-git/files/etc-git-optimize
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -u
+
+repositories="/etc /etc/bind/ /usr/share/scripts"
+
+for repository in ${repositories}; do
+    if [ -d "${repository}/.git" ]; then
+        git --git-dir="${repository}/.git" gc --quiet
+    fi
+done
diff --git a/etc-git/files/etc-git-status b/etc-git/files/etc-git-status
new file mode 100644
index 00000000..90603366
--- /dev/null
+++ b/etc-git/files/etc-git-status
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -u
+
+repositories="/etc /etc/bind/ /usr/share/scripts"
+
+for repository in ${repositories}; do
+    if [ -d "${repository}/.git" ]; then
+        git --git-dir="${repository}/.git" --work-tree="${repository}" status --short
+    fi
+done
\ No newline at end of file
diff --git a/etc-git/files/evocommit b/etc-git/files/evocommit
new file mode 100644
index 00000000..0fd21076
--- /dev/null
+++ b/etc-git/files/evocommit
@@ -0,0 +1,227 @@
+#!/bin/sh
+
+set -u
+
+VERSION="21.10"
+
+show_version() {
+    cat <<END
+evocommit version ${VERSION}
+
+Copyright 2021 Evolix <info@evolix.fr>,
+               Jérémy Lecour <jlecour@evolix.fr>
+               and others.
+
+evocommit comes with ABSOLUTELY NO WARRANTY.  This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public Licence for details.
+END
+}
+
+show_help() {
+    cat <<END
+evocommit helps properly committing changes in a repository
+
+END
+    show_usage
+}
+show_usage() {
+    cat <<END
+Usage: evocommit --repository /path/to/repository --message "add new host"
+
+Options
+     --repository PATH   set the path for the repository
+     --message MESSAGE   set the commit message
+ -V, --version           print version number
+ -v, --verbose           increase verbosity
+ -n, --dry-run           actions are not executed
+     --help              print this message and exit
+     --version           print version and exit
+END
+}
+
+syslog() {
+    if [ -x "${LOGGER_BIN}" ]; then
+        ${LOGGER_BIN} -t "evocommit" "$1"
+    fi
+}
+get_system() {
+    uname -s
+}
+is_repository_readonly() {
+    if [ "$(get_system)" = "OpenBSD" ]; then
+        partition=$(stat -f '%Sd' $1)
+        mount | grep "${partition}" | grep -q "read-only"
+    elif command -v findmnt >/dev/null; then
+        mountpoint=$(stat -c '%m' $1)
+        findmnt "${mountpoint}" --noheadings --output OPTIONS -O ro
+    else
+        grep /usr /proc/mounts | grep -E '\bro\b'
+    fi
+}
+remount_repository_readwrite() {
+    if [ "$(get_system)" = "OpenBSD" ]; then
+        partition=$(stat -f '%Sd' $1)
+        mount -u -w /dev/${partition} 2>/dev/null
+    else
+        mountpoint=$(stat -c '%m' $1)
+        mount -o remount,rw ${mountpoint}
+        syslog "Re-mount ${mountpoint} as read-write to commit in repository $1"
+    fi
+}
+remount_repository_readonly() {
+    if [ "$(get_system)" = "OpenBSD" ]; then
+        partition=$(stat -f '%Sd' $1)
+        mount -u -r /dev/${partition} 2>/dev/null
+    else
+        mountpoint=$(stat -c '%m' $1)
+        mount -o remount,ro ${mountpoint} 2>/dev/null
+        syslog "Re-mount ${mountpoint} as read-only after commit to repository $1"
+    fi
+}
+is_dry_run() {
+    test "${DRY_RUN}" = "1"
+}
+main() {
+
+    lock="${GIT_DIR}/index.lock"
+    if [ -f "${lock}" ]; then
+        limit=$(date +"%s" -d "now - 1 hour")
+        updated_at=$(stat -c "%Y" "${lock}")
+        if [ "$updated_at" -lt "$limit" ]; then
+            rm -f "${lock}"
+        fi
+    fi
+
+    git_status=$(${GIT_BIN} status --porcelain)
+
+    if [ -n "${git_status}" ]; then
+        if is_dry_run; then
+            ${GIT_BIN} status
+        else
+            readonly_orig=0
+            # remount mount point read-write if currently readonly
+            if is_repository_readonly "${REPOSITORY}"; then
+                readonly_orig=1;
+                remount_repository_readwrite "${REPOSITORY}";
+            fi
+            author=$(logname)
+            email=$(git config --get user.email)
+            email=${email:-"${author}@evolix.net"}
+            # commit changes
+            ${GIT_BIN} add --all
+            ${GIT_BIN} commit --message "${MESSAGE}" --author "${author} <${email}>" --quiet
+            # remount mount point read-only if it was before
+            if [ ${readonly_orig} -eq 1 ]; then
+                remount_repository_readonly "${REPOSITORY}"
+            fi
+        fi
+    fi
+
+    unset GIT_DIR
+    unset GIT_WORK_TREE
+}
+# Parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+    case ${1:-''} in
+        -h|-\?|--help)
+            show_help
+            exit 0
+            ;;
+        -V|--version)
+            show_version
+            exit 0
+            ;;
+        --message)
+            # message options, with value speparated by space
+            if [ -n "$2" ]; then
+                MESSAGE=$2
+                shift
+            else
+                printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --message=?*)
+            # message options, with value speparated by =
+            MESSAGE=${1#*=}
+            ;;
+        --message=)
+            # message options, without value
+            printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+        --repository)
+            # repository options, with value speparated by space
+            if [ -n "$2" ]; then
+                REPOSITORY=$2
+                shift
+            else
+                printf 'ERROR: "--repository" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --repository=?*)
+            # repository options, with value speparated by =
+            REPOSITORY=${1#*=}
+            ;;
+        --repository=)
+            # repository options, without value
+            printf 'ERROR: "--repository" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+        -n|--dry-run)
+            # disable actual commands
+            DRY_RUN=1
+            ;;
+        -v|--verbose)
+            # print verbose information
+            VERBOSE=1
+            ;;
+        --)
+            # End of all options.
+            shift
+            break
+            ;;
+        -?*|[[:alnum:]]*)
+            # ignore unknown options
+            printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
+            ;;
+        *)
+            # Default case: If no more options then break out of the loop.
+            break
+            ;;
+    esac
+
+    shift
+done
+
+if [ -z "${MESSAGE}" ]; then
+    echo "Error: missing message parameter" >&2
+    show_usage
+    exit 1
+fi
+if [ -z "${REPOSITORY}" ]; then
+    echo "Error: missing repository parameter" >&2
+    show_usage
+    exit 1
+fi
+DRY_RUN=${DRY_RUN:-0}
+VERBOSE=${VERBOSE:-0}
+
+GIT_BIN=$(command -v git)
+readonly GIT_BIN
+
+LOGGER_BIN=$(command -v logger)
+readonly LOGGER_BIN
+
+export GIT_DIR="${REPOSITORY}/.git"
+export GIT_WORK_TREE="${REPOSITORY}"
+
+if [ -d "${GIT_DIR}" ]; then
+    main
+else
+    echo "There is no Git repository in '${REPOSITORY}'" >&2
+    exit 1
+fi
\ No newline at end of file
diff --git a/etc-git/files/optimize-etc-git b/etc-git/files/optimize-etc-git
deleted file mode 100644
index a7b7510f..00000000
--- a/etc-git/files/optimize-etc-git
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-git --git-dir /etc/.git gc --quiet
diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml
index 4bcf8e5c..f32c6ede 100644
--- a/etc-git/tasks/commit.yml
+++ b/etc-git/tasks/commit.yml
@@ -1,25 +1,47 @@
 ---
 
+- name: "evocommit script is installed"
+  copy:
+    src: evocommit
+    dest: /usr/local/bin/evocommit
+    mode: "0755"
+    force: yes
+
+# /etc
 - name: Is /etc a git repository
   stat:
     path: /etc/.git
   register: _etc_git
 
-- include: do_commit.yml
-  vars:
-    git_folder: "/etc"
+- name: "evocommit /etc"
+  command: "/usr/local/bin/evocommit --repository /etc --message \"{{ commit_message | mandatory }}\""
+  ignore_errors: yes
   when:
     - _etc_git.stat.exists
     - _etc_git.stat.isdir
 
+# /etc/bind
+- name: Is /etc/bind a git repository
+  stat:
+    path: /etc/bind/.git
+  register: _etc_bind_git
+
+- name: "evocommit /etc/bind"
+  command: "/usr/local/bin/evocommit --repository /etc/bind --message \"{{ commit_message | mandatory }}\""
+  ignore_errors: yes
+  when:
+    - _etc_bind_git.stat.exists
+    - _etc_bind_git.stat.isdir
+
+# /usr/share/scripts
 - name: Is /usr/share/scripts a git repository
   stat:
     path: /usr/share/scripts/.git
   register: _usr_share_scripts_git
 
-- include: do_commit.yml
-  vars:
-    git_folder: "/usr/share/scripts"
+- name: "evocommit /usr/share/scripts"
+  command: "/usr/local/bin/evocommit --repository /usr/share/scripts --message \"{{ commit_message | mandatory }}\""
+  ignore_errors: yes
   when:
     - _usr_share_scripts_git.stat.exists
     - _usr_share_scripts_git.stat.isdir
diff --git a/etc-git/tasks/do_commit.yml b/etc-git/tasks/do_commit.yml
deleted file mode 100644
index bae36936..00000000
--- a/etc-git/tasks/do_commit.yml
+++ /dev/null
@@ -1,77 +0,0 @@
----
-
-- name: "Remount /usr if needed"
-  include_role:
-    name: remount-usr
-  when: git_folder is match('/usr/.*')
-
-- name: "stat {{ git_folder }}/.git/index.lock"
-  stat:
-    path: "{{ git_folder }}/.git/index.lock"
-  register: _index_lock
-
-- name: index file is removed if old enough
-  file:
-    path: "{{ git_folder }}/.git/index.lock"
-    state: absent
-  when:
-    - _index_lock.stat.exists
-    - _index_lock.stat.mtime | int <= ((ansible_date_time.epoch | int) - etc_git_purge_index_lock_age | default(86400))
-    - etc_git_purge_index_lock_enabled
-
-- name: "is {{ git_folder }} clean?"
-  command: git status --porcelain
-  args:
-    chdir: "{{ git_folder }}"
-  changed_when: False
-  register: git_status
-  when: not ansible_check_mode
-  ignore_errors: yes
-  tags:
-    - etc-git
-    - commit
-
-- debug:
-    var: git_status
-    verbosity: 3
-  tags:
-    - etc-git
-    - commit
-
-- name: fetch current Git user.email
-  git_config:
-    name: user.email
-    repo: "{{ git_folder }}"
-  register: git_config_user_email
-  ignore_errors: yes
-  tags:
-    - etc-git
-    - commit
-
-- name: "set commit author"
-  set_fact:
-    commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
-    commit_email:  '{% if git_config_user_email.config_value is not defined or not git_config_user_email.config_value %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' # noqa 204
-  tags:
-    - etc-git
-    - commit
-
-- name: "{{ git_folder }} modifications are committed"
-  shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
-  args:
-    chdir: "{{ git_folder }}"
-  register: commit_end_run
-  when:
-    - not ansible_check_mode
-    - git_status.stdout | length > 0
-  ignore_errors: yes
-  tags:
-    - etc-git
-    - commit
-
-- debug:
-    var: commit_end_run
-    verbosity: 4
-  tags:
-    - etc-git
-    - commit
diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml
index 37d1c692..90df9f60 100644
--- a/etc-git/tasks/main.yml
+++ b/etc-git/tasks/main.yml
@@ -32,6 +32,33 @@
     - _usr_share_scripts.stat.isdir
     - ansible_distribution_major_version is version('10', '>=')
 
+- name: "evocommit script is installed"
+  copy:
+    src: evocommit
+    dest: /usr/local/bin/evocommit
+    mode: "0755"
+    force: yes
+  tags:
+    - etc-git
+
+- name: "etc-git-optimize script is installed"
+  copy:
+    src: etc-git-optimize
+    dest: /usr/share/scripts/etc-git-optimize
+    mode: "0755"
+    force: yes
+  tags:
+    - etc-git
+
+- name: "etc-git-status script is installed"
+  copy:
+    src: etc-git-status
+    dest: /usr/share/scripts/etc-git-status
+    mode: "0755"
+    force: yes
+  tags:
+    - etc-git
+
 - name: Check if cron is installed
   shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
   args:
@@ -41,29 +68,44 @@
   check_mode: no
   register: is_cron_installed
 
-- name: Optimize script is installed in monthly crontab
-  copy:
-    src: optimize-etc-git
-    dest: /etc/cron.monthly/optimize-etc-git
-    mode: "0750"
-    force: no
+- block:
+  - name: Legacy cron jobs for /etc/.git status are absent 
+    file:
+      dest: "{{ item }}"
+      state: absent
+    loop:
+      - /etc/cron.monthly/optimize-etc-git
+      - /etc/cron.d/etc-git-status
+
+  - name: Cron job for monthly git optimization
+    cron:
+      name: "Monthly optimization"
+      cron_file: etc-git
+      special_time: "monthly"
+      user: root
+      job: "/usr/share/scripts/etc-git-optimize"
+
+  - name: Cron job for hourly git status
+    cron:
+      name: "Hourly warning for unclean Git repository if nobody is connected"
+      cron_file: etc-git
+      special_time: "hourly"
+      user: root
+      job: "who > /dev/null || /usr/share/scripts/etc-git-status"
+      state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
+
+  - name: Cron job for daily git status
+    cron:
+      name: "Daily warning for unclean Git repository"
+      cron_file: etc-git
+      user: root
+      job: "/usr/share/scripts/etc-git-status"
+      minute: "21"
+      hour: "21"
+      weekday: "*"
+      day: "*"
+      month: "*"
+      state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
   when: is_cron_installed.rc == 0
   tags:
-    - etc-git
-
-- name: Cron job for /etc/.git status is installed
-  template:
-    src: etc-git-status.j2
-    dest: /etc/cron.d/etc-git-status
-    mode: "0644"
-  when: is_cron_installed.rc == 0 and etc_git_monitor_status
-  tags:
-    - etc-git
-
-- name: Cron job for /etc/.git status is removed
-  file:
-    dest: /etc/cron.d/etc-git-status
-    state: absent
-  when: is_cron_installed.rc == 0 and not etc_git_monitor_status
-  tags:
-    - etc-git
+    - etc-git
\ No newline at end of file
diff --git a/etc-git/templates/etc-git-status.j2 b/etc-git/templates/etc-git-status.j2
deleted file mode 100644
index e1696c54..00000000
--- a/etc-git/templates/etc-git-status.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-# {{ ansible_managed }}
-
-@hourly root who > /dev/null || git --git-dir=/etc/.git --work-tree=/etc status --short
-21 21 * * * root git --git-dir=/etc/.git --work-tree=/etc status --short

From 86e5df9c167155c79fdc393b64a9520c970e4455 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 5 Oct 2021 07:48:37 +0200
Subject: [PATCH 051/125] etc-git: simplify commit tasks

---
 etc-git/defaults/main.yml |  2 +-
 etc-git/tasks/commit.yml  | 30 +++---------------------------
 2 files changed, 4 insertions(+), 28 deletions(-)

diff --git a/etc-git/defaults/main.yml b/etc-git/defaults/main.yml
index dbecc6a3..d0da5e7d 100644
--- a/etc-git/defaults/main.yml
+++ b/etc-git/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-commit_message: Ansible run
+etc_git_default_commit_message: Ansible run
 
 etc_git_monitor_status: True
 etc_git_purge_index_lock_enabled: True
diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml
index f32c6ede..2217e45d 100644
--- a/etc-git/tasks/commit.yml
+++ b/etc-git/tasks/commit.yml
@@ -8,40 +8,16 @@
     force: yes
 
 # /etc
-- name: Is /etc a git repository
-  stat:
-    path: /etc/.git
-  register: _etc_git
-
 - name: "evocommit /etc"
-  command: "/usr/local/bin/evocommit --repository /etc --message \"{{ commit_message | mandatory }}\""
+  shell: "test -d /etc/.git && /usr/local/bin/evocommit --repository /etc --message \"{{ commit_message | default(etc_git_default_commit_message) }}\""
   ignore_errors: yes
-  when:
-    - _etc_git.stat.exists
-    - _etc_git.stat.isdir
 
 # /etc/bind
-- name: Is /etc/bind a git repository
-  stat:
-    path: /etc/bind/.git
-  register: _etc_bind_git
-
 - name: "evocommit /etc/bind"
-  command: "/usr/local/bin/evocommit --repository /etc/bind --message \"{{ commit_message | mandatory }}\""
+  shell: "test -d /etc/bind/.git && /usr/local/bin/evocommit --repository /etc/bind --message \"{{ commit_message | default(etc_git_default_commit_message) }}\""
   ignore_errors: yes
-  when:
-    - _etc_bind_git.stat.exists
-    - _etc_bind_git.stat.isdir
 
 # /usr/share/scripts
-- name: Is /usr/share/scripts a git repository
-  stat:
-    path: /usr/share/scripts/.git
-  register: _usr_share_scripts_git
-
 - name: "evocommit /usr/share/scripts"
-  command: "/usr/local/bin/evocommit --repository /usr/share/scripts --message \"{{ commit_message | mandatory }}\""
+  shell: "test -d /usr/share/scripts/.git && /usr/local/bin/evocommit --repository /usr/share/scripts --message \"{{ commit_message | default(etc_git_default_commit_message) }}\""
   ignore_errors: yes
-  when:
-    - _usr_share_scripts_git.stat.exists
-    - _usr_share_scripts_git.stat.isdir

From 7d63f20336f4ddf538702cb1058a4ea829b45f99 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 5 Oct 2021 08:28:47 +0200
Subject: [PATCH 052/125] evoacme: exclude renewal-hooks directory from cron

---
 CHANGELOG.md               | 1 +
 evoacme/files/evoacme.cron | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 78027f49..a6ae9958 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -54,6 +54,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * apt: use the new security repository for Bullseye
 * certbot: silence letsencrypt deprecation warnings
 * elasticsearch: 7.x by default
+* evoacme: exclude renewal-hooks directory from cron
 * evoadmin-web: simpler PHP packages lists
 * evomaintenance: extract a config.yyml tasks file
 * evocheck: upstream release 21.10
diff --git a/evoacme/files/evoacme.cron b/evoacme/files/evoacme.cron
index ea78f2c2..7d4b598c 100755
--- a/evoacme/files/evoacme.cron
+++ b/evoacme/files/evoacme.cron
@@ -22,5 +22,6 @@ find "${CRT_DIR}" \
     ! -path "${CRT_DIR}/keys" \
     ! -path "${CRT_DIR}/live" \
     ! -path "${CRT_DIR}/renewal" \
+    ! -path "${CRT_DIR}/renewal-hooks" \
     -printf "%f\n" \
         | xargs --max-args=1 --no-run-if-empty evoacme

From a6fe0397a680c4a6a9d42ad17c5da2012f32d6d9 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 5 Oct 2021 14:31:53 +0200
Subject: [PATCH 053/125] etc-git: back to 2 tasks for each commit

"test X && git commit" generates a failure and a lot of noise.
---
 etc-git/tasks/commit.yml | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml
index 2217e45d..f32c6ede 100644
--- a/etc-git/tasks/commit.yml
+++ b/etc-git/tasks/commit.yml
@@ -8,16 +8,40 @@
     force: yes
 
 # /etc
+- name: Is /etc a git repository
+  stat:
+    path: /etc/.git
+  register: _etc_git
+
 - name: "evocommit /etc"
-  shell: "test -d /etc/.git && /usr/local/bin/evocommit --repository /etc --message \"{{ commit_message | default(etc_git_default_commit_message) }}\""
+  command: "/usr/local/bin/evocommit --repository /etc --message \"{{ commit_message | mandatory }}\""
   ignore_errors: yes
+  when:
+    - _etc_git.stat.exists
+    - _etc_git.stat.isdir
 
 # /etc/bind
+- name: Is /etc/bind a git repository
+  stat:
+    path: /etc/bind/.git
+  register: _etc_bind_git
+
 - name: "evocommit /etc/bind"
-  shell: "test -d /etc/bind/.git && /usr/local/bin/evocommit --repository /etc/bind --message \"{{ commit_message | default(etc_git_default_commit_message) }}\""
+  command: "/usr/local/bin/evocommit --repository /etc/bind --message \"{{ commit_message | mandatory }}\""
   ignore_errors: yes
+  when:
+    - _etc_bind_git.stat.exists
+    - _etc_bind_git.stat.isdir
 
 # /usr/share/scripts
+- name: Is /usr/share/scripts a git repository
+  stat:
+    path: /usr/share/scripts/.git
+  register: _usr_share_scripts_git
+
 - name: "evocommit /usr/share/scripts"
-  shell: "test -d /usr/share/scripts/.git && /usr/local/bin/evocommit --repository /usr/share/scripts --message \"{{ commit_message | default(etc_git_default_commit_message) }}\""
+  command: "/usr/local/bin/evocommit --repository /usr/share/scripts --message \"{{ commit_message | mandatory }}\""
   ignore_errors: yes
+  when:
+    - _usr_share_scripts_git.stat.exists
+    - _usr_share_scripts_git.stat.isdir

From 616ead41d530f841885b5bd2233eef4631e3d814 Mon Sep 17 00:00:00 2001
From: Brice Waegeneire <bwaegeneire+git@evolix.fr>
Date: Tue, 5 Oct 2021 14:36:10 +0200
Subject: [PATCH 054/125] lxc-php: Add php 8.0 support

---
 lxc-php/defaults/main.yml |  1 +
 lxc-php/handlers/main.yml |  5 ++++
 lxc-php/tasks/main.yml    |  3 +++
 lxc-php/tasks/php80.yml   | 57 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 66 insertions(+)
 create mode 100644 lxc-php/tasks/php80.yml

diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml
index ce8a935d..9eb226f1 100644
--- a/lxc-php/defaults/main.yml
+++ b/lxc-php/defaults/main.yml
@@ -19,3 +19,4 @@ lxc_php_container_releases:
   php70: "stretch"
   php73: "buster"
   php74: "bullseye"
+  php80: "bullseye"
diff --git a/lxc-php/handlers/main.yml b/lxc-php/handlers/main.yml
index 95882838..27ba8157 100644
--- a/lxc-php/handlers/main.yml
+++ b/lxc-php/handlers/main.yml
@@ -1,4 +1,9 @@
 ---
+- name: Reload php80-fpm
+  lxc_container:
+    name: "{{ lxc_php_version }}"
+    container_command: "systemctl reload php8.0-fpm"
+
 - name: Reload php74-fpm
   lxc_container:
     name: "{{ lxc_php_version }}"
diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml
index 25c0a978..0de38336 100644
--- a/lxc-php/tasks/main.yml
+++ b/lxc-php/tasks/main.yml
@@ -21,4 +21,7 @@
 - include: "php74.yml"
   when: lxc_php_version == "php74"
 
+- include: "php80.yml"
+  when: lxc_php_version == "php80"
+
 - include: "misc.yml"
diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml
new file mode 100644
index 00000000..390f7edf
--- /dev/null
+++ b/lxc-php/tasks/php80.yml
@@ -0,0 +1,57 @@
+---
+
+- name: "{{ lxc_php_version }} - Install dependency packages"
+  lxc_container:
+    name: "{{ lxc_php_version }}"
+    container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget apt-transport-https gnupg"
+
+- name: "{{ lxc_php_version }} - Add sury repo"
+  lineinfile:
+    dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list.d/sury.list"
+    line: "{{ item }}"
+    state: present
+    create: yes
+    mode: "0644"
+  loop:
+    - "deb https://packages.sury.org/php/ bullseye main"
+    - "deb http://pub.evolix.net/ bullseye-php74/"
+
+- name: copy pub.evolix.net GPG key
+  copy:
+    src: reg.asc
+    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: copy packages.sury.org GPG Key
+  copy:
+    src: sury.gpg
+    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: "{{ lxc_php_version }} - Update APT cache"
+  lxc_container:
+    name: "{{ lxc_php_version }}"
+    container_command: "DEBIAN_FRONTEND=noninteractive apt update"
+
+- name: "{{ lxc_php_version }} - Install PHP packages"
+  lxc_container:
+    name: "{{ lxc_php_version }}"
+    container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-zip composer libphp-phpmailer"
+
+- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+  template:
+    src: z-evolinux-defaults.ini.j2
+    dest: "{{ line_item }}"
+    mode: "0644"
+  notify: "Reload {{ lxc_php_version }}-fpm"
+  loop:
+    - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/8.0/fpm/conf.d/z-evolinux-defaults.ini"
+    - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/8.0/cli/conf.d/z-evolinux-defaults.ini"
+  loop_control:
+    loop_var: line_item
+
+- include: "mail_opensmtpd.yml"

From 73d6979e725635d43354dc2dc06ca3fef60c7a11 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Tue, 5 Oct 2021 15:48:57 +0200
Subject: [PATCH 055/125] Various changes on mongodb (support 5.0) + fixes &
 compatibility
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
* mongodb: Support version 5.0 (for buster)
* mongodb: Allow to specify a mongodb version for buster & bullseye
* mongodb: Add missing remount-usr for munin plugins
---
 CHANGELOG.md                    |  4 +++
 mongodb/defaults/main.yml       |  2 ++
 mongodb/files/server-5.0.asc    | 29 ++++++++++++++++++++++
 mongodb/tasks/main.yml          |  5 ----
 mongodb/tasks/main_bullseye.yml | 43 +++++++++++++++++++++------------
 mongodb/tasks/main_buster.yml   | 11 ++++++---
 6 files changed, 69 insertions(+), 25 deletions(-)
 create mode 100644 mongodb/files/server-5.0.asc

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a6ae9958..718ac464 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,10 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Changed
 
+* mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
+* mongodb: Support version 5.0 (for buster)
+* mongodb: Allow to specify a mongodb version for buster & bullseye
+
 ### Fixed
 
 ### Removed
diff --git a/mongodb/defaults/main.yml b/mongodb/defaults/main.yml
index ec255349..c118f588 100644
--- a/mongodb/defaults/main.yml
+++ b/mongodb/defaults/main.yml
@@ -6,3 +6,5 @@ mongodb_bind: 127.0.0.1
 # Warning: config must not be overwritten by default
 # otherwise it can disable important settings, like authorization :/
 mongodb_force_config: False
+
+mongodb_version: 4.4
\ No newline at end of file
diff --git a/mongodb/files/server-5.0.asc b/mongodb/files/server-5.0.asc
new file mode 100644
index 00000000..44ea4919
--- /dev/null
+++ b/mongodb/files/server-5.0.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGAsKNUBEAClMqPCvvqm6gFmbiorEN9qp00GI8oaECkwbxtGGbqX9sqMSrKe
+AB3sGI7kqG2Fl0K+xmmiq1QDjhNgFDA1jjXq+Bd66RNPtvu747IRxVs+9fX7bk67
+8Bruha7U3M5l4193x5oYLlbcZL9aC7RSJE2mggTyS6LarmF6vKQN9LMXDicnageV
+KCPpF2i3jkZaGnLPzAisW/pOjPQpWCbatTVqKOKvtOyP3Fz1spYd4obu6ELu1PXa
+gmhSfvWJYt1irpchOl29LWZfcmXuJszmb00bqm4gLcK12VrnK191iXv46A8h2hSO
+f3eQqrkc+pF/kw4RyG54EV7QtHXyTe9TVCbJUfgtliWIQt/bCoJYfPLHJaWIMs83
+bzA6ZvOjCKIfMS0CY5ZJyVaBfiI3wURSjgZIYFZAXVwbreQIfOKKuik7UVVn3xUO
+nWpmQ2zyI0W7cJMquxwLNjkI+RckPhIqxWFo5iNSV4v6pzrlHD1WmIfFGBKEn7m+
+edwVyHG53fNIFZjxyShO6Pf1vgb9Js/XmXB4lxYnNyx1tB+hQhXTjLlY6N5gPpw5
+Z/PWQc7vfYekUZGQMXhTyRxU0QTwmdEeKcb+fb9r23OH59bbAfzE10xTMzhqCd2L
+lgSozMBvMmkHb1xs1x6FFuv/U/X7LjHTrHIf4M//DNwdP4l4I1jhPlTAxwARAQAB
+tDdNb25nb0RCIDUuMCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxwYWNrYWdpbmdAbW9u
+Z29kYi5jb20+iQI+BBMBAgAoBQJgLCjVAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsE
+FgIDAQIeAQIXgAAKCRCwCgvR4sY8EawdD/0ewkyx3yE99K9n3y7gdvh5+2U8BsqU
+7SWEfup7kPpf+4pF5xWqMaciEV/wRAGt7TiKlfVyAv3Q9iNsaLFN+s3kMaIcKhwD
+8+q/iGfziIuOSTeo20dAxn9vF6YqrKGc7TbHdXf9AtYuJCfIU5j02uVZiupx+P9+
+rG39dEnjOXm3uY0Fv3pRGCpuGubDlWB1DYh0R5O481kDVGoMqBxmc3iTALu14L/u
+g+AKxFYfT4DmgdzPVMDhppgywfyd/IOWxoOCl4laEhVjUt5CygBa7w07qdKwWx2w
+gTd9U0KGHxnnSmvQYxrRrS5RX3ILPJShivTSZG+rMqnUe6RgCwBrKHCRU1L728Yv
+1B3ZFJLxB1TlVT2Hjr+oigp0RY9W1FCIdO2uhb9GImpaJ1Y0ZZqUkt/d9D8U2wcw
+SW6/6WYeO7wAi/zlJ25hrBwhxS2+88gM6wJ1yL9yrM9v8JUb7Kq0rCGsEO5kqscV
+AmX90wsF2cZ6gHR53eGIDbAJK0MO5RHR73aQ4bpTivPnoTx4HTj5fyhW9z8yCSOe
+BlQABoFFqFvOS7KBxoyIS3pxlDetWOSc6yQrvA1CwxnkB81OHNmJfWAbNbEtZkLm
+xs2c8CIh2R81yi6HUzAaxyDH7mrThbwX3hUe/wsaD1koV91G6bDD4Xx3zpa9DG/O
+HyB98+e983gslg==
+=IQQF
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml
index 1d238b00..3054ccfe 100644
--- a/mongodb/tasks/main.yml
+++ b/mongodb/tasks/main.yml
@@ -1,10 +1,5 @@
 ---
 
-# - fail:
-#     msg: only compatible with Debian 8
-#   when:
-#   - ansible_distribution != "Debian" or ansible_distribution_release != "jessie"
-
 - include: main_jessie.yml
   when: ansible_distribution_release == "jessie"
 
diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml
index d9e6e0eb..e31ffed3 100644
--- a/mongodb/tasks/main_bullseye.yml
+++ b/mongodb/tasks/main_bullseye.yml
@@ -1,9 +1,11 @@
 ---
 
-- name: Look for legacy apt keyring
-  stat:
-    path: /etc/apt/trusted.gpg
-  register: _trusted_gpg_keyring
+- fail:
+    msg: Not compatible with Debian 11 (Bullseye)
+  when:
+  - ansible_distribution_release == "bullseye" 
+  - mongodb_version is version_compare('5.0', '<=')
+
 
 - name: MongoDB embedded GPG key is absent
   apt_key:
@@ -14,8 +16,8 @@
 
 - name: Add MongoDB GPG key
   copy:
-    src: server-4.4.asc
-    dest: /etc/apt/trusted.gpg.d/mongodb-server-4.4.asc
+    src: "server-{{mongodb_version}}.asc"
+    dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc"
     force: yes
     mode: "0644"
     owner: root
@@ -23,9 +25,9 @@
 
 - name: enable APT sources list
   apt_repository:
-    repo: deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main
+    repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{mongodb_version}} main"
     state: present
-    filename: mongodb-org-4.4
+    filename: "mongodb-org-{{mongodb_version}}"
     update_cache: yes
 
 - name: Install packages
@@ -40,30 +42,39 @@
     name: mongod
     enabled: yes
     state: started
-  when: _mongodb_install_package.changed
+  when: _mongodb_install_package is changed
 
 - name: install dependency for monitoring
   apt:
-    name: python3-pymongo
+    name: python-pymongo
     state: present
 
 - name: Custom configuration
   template:
-    src: mongodb_bullseye.conf.j2
+    src: mongodb_buster.conf.j2
     dest: "/etc/mongod.conf"
     force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}"
   notify: restart mongod
 
 - name: Configure logrotate
   template:
-    src: logrotate_bullseye.j2
+    src: logrotate_buster.j2
     dest: /etc/logrotate.d/mongodb
     force: yes
     backup: no
 
-- name: Munin plugins local directory exists
+- include_role:
+    name: evolix/remount-usr
+
+- name: Create plugin directory
   file:
-    dest: /usr/local/share/munin/plugins/
+    name: /usr/local/share/munin/
+    state: directory
+    mode: "0755"
+
+- name: Create plugin directory
+  file:
+    name: /usr/local/share/munin/plugins/
     state: directory
     mode: "0755"
 
@@ -72,7 +83,7 @@
     src: "munin/{{ item }}"
     dest: '/usr/local/share/munin/plugins/{{ item }}'
     force: yes
-  with_items:
+  loop:
     - mongo_btree
     - mongo_collections
     - mongo_conn
@@ -88,7 +99,7 @@
     src: '/usr/local/share/munin/plugins/{{ item }}'
     dest: /etc/munin/plugins/{{ item }}
     state: link
-  with_items:
+  loop:
     - mongo_btree
     - mongo_collections
     - mongo_conn
diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml
index fc7ac7ed..cf5ce2ae 100644
--- a/mongodb/tasks/main_buster.yml
+++ b/mongodb/tasks/main_buster.yml
@@ -14,8 +14,8 @@
 
 - name: Add MongoDB GPG key
   copy:
-    src: server-4.2.asc
-    dest: /etc/apt/trusted.gpg.d/mongodb-server-4.2.asc
+    src: "server-{{mongodb_version}}.asc"
+    dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc"
     force: yes
     mode: "0644"
     owner: root
@@ -23,9 +23,9 @@
 
 - name: enable APT sources list
   apt_repository:
-    repo: deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 main
+    repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{mongodb_version}} main"
     state: present
-    filename: mongodb-org-4.2
+    filename: "mongodb-org-{{mongodb_version}}"
     update_cache: yes
 
 - name: Install packages
@@ -61,6 +61,9 @@
     force: yes
     backup: no
 
+- include_role:
+    name: evolix/remount-usr
+
 - name: Create plugin directory
   file:
     name: /usr/local/share/munin/

From 679875d00b359a937c46cfb4eea655897cde5e53 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Wed, 6 Oct 2021 14:43:41 +0200
Subject: [PATCH 056/125] mysql: install python dependencies earlier

---
 mysql/tasks/packages_jessie.yml  |  8 ++++++++
 mysql/tasks/packages_stretch.yml | 22 ++++++++++++++++++++++
 mysql/tasks/users_buster.yml     | 20 --------------------
 mysql/tasks/users_jessie.yml     |  7 -------
 4 files changed, 30 insertions(+), 27 deletions(-)

diff --git a/mysql/tasks/packages_jessie.yml b/mysql/tasks/packages_jessie.yml
index 48408433..652eace7 100644
--- a/mysql/tasks/packages_jessie.yml
+++ b/mysql/tasks/packages_jessie.yml
@@ -50,3 +50,11 @@
   tags:
   - mysql
   - packages
+
+- name: Python dependencies for Ansible are installed
+  apt:
+    name: python-mysqldb
+    state: present
+  tags:
+    - mysql
+    - packages
diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml
index 98a8f69d..880f5050 100644
--- a/mysql/tasks/packages_stretch.yml
+++ b/mysql/tasks/packages_stretch.yml
@@ -36,3 +36,25 @@
   tags:
   - mysql
   - packages
+
+- name: Python2 dependencies for Ansible are installed
+  apt:
+    name:
+      - python-mysqldb
+      - python-pymysql
+    state: present
+  tags:
+    - mysql
+    - packages
+  when: ansible_python_version is version('3', '<')
+
+- name: Python3 dependencies for Ansible are installed
+  apt:
+    name:
+      - python3-mysqldb
+      - python3-pymysql
+    state: present
+  tags:
+    - mysql
+    - packages
+  when: ansible_python_version is version('3', '>=')
\ No newline at end of file
diff --git a/mysql/tasks/users_buster.yml b/mysql/tasks/users_buster.yml
index 18b5d98d..dc7cec85 100644
--- a/mysql/tasks/users_buster.yml
+++ b/mysql/tasks/users_buster.yml
@@ -1,25 +1,5 @@
 ---
 
-- name: Python2 dependencies for Ansible are installed
-  apt:
-    name:
-      - python-mysqldb
-      - python-pymysql
-    state: present
-  tags:
-    - mysql
-  when: ansible_python_version is version('3', '<')
-
-- name: Python3 dependencies for Ansible are installed
-  apt:
-    name:
-      - python3-mysqldb
-      - python3-pymysql
-    state: present
-  tags:
-    - mysql
-  when: ansible_python_version is version('3', '>=')
-
 - name: create a password for mysqladmin
   command: "apg -n 1 -m 16 -M lcN"
   register: mysql_admin_password
diff --git a/mysql/tasks/users_jessie.yml b/mysql/tasks/users_jessie.yml
index d9cab42f..e2b066b1 100644
--- a/mysql/tasks/users_jessie.yml
+++ b/mysql/tasks/users_jessie.yml
@@ -5,13 +5,6 @@
     msg: "We can't create other users with 'debian-sys-maint' on Debian 8 with MariaDB.\nWe must give it the GRANT privilege before continuing."
   when: mysql_variant == "mariadb"
 
-- name: Python dependencies for Ansible are installed
-  apt:
-    name: python-mysqldb
-    state: present
-  tags:
-    - mysql
-
 - name: create a password for mysqladmin
   command: "apg -n 1 -m 16 -M lcN"
   register: mysql_admin_password

From dfd6aa0315bacb68ac84cd98264bf361e7d2cb1e Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Wed, 6 Oct 2021 16:54:11 +0200
Subject: [PATCH 057/125] evocheck: minifirewall is not ready yet

---
 evocheck/files/evocheck.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 8ad42b68..fd3de94b 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -1408,7 +1408,8 @@ main() {
         test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw
         test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms
         test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms
-        test "${IS_MINIFWINCLUDES:=1}" = 1 && check_minifw_includes
+        # Enable when minifirewall is released
+        test "${IS_MINIFWINCLUDES:=0}" = 1 && check_minifw_includes
         test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks
         test "${IS_NRPEPID:=1}" = 1 && check_nrpepid
         test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs

From 2d11580a6e90b4677ed9d69d0143b996a0e4d7db Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Wed, 6 Oct 2021 16:54:52 +0200
Subject: [PATCH 058/125] forgotten file

---
 mysql/tasks/users_stretch.yml | 20 --------------------
 1 file changed, 20 deletions(-)

diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml
index 18b5d98d..dc7cec85 100644
--- a/mysql/tasks/users_stretch.yml
+++ b/mysql/tasks/users_stretch.yml
@@ -1,25 +1,5 @@
 ---
 
-- name: Python2 dependencies for Ansible are installed
-  apt:
-    name:
-      - python-mysqldb
-      - python-pymysql
-    state: present
-  tags:
-    - mysql
-  when: ansible_python_version is version('3', '<')
-
-- name: Python3 dependencies for Ansible are installed
-  apt:
-    name:
-      - python3-mysqldb
-      - python3-pymysql
-    state: present
-  tags:
-    - mysql
-  when: ansible_python_version is version('3', '>=')
-
 - name: create a password for mysqladmin
   command: "apg -n 1 -m 16 -M lcN"
   register: mysql_admin_password

From 3e80c98a0594ea2dee913aaadcc1986628d480dd Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Fri, 8 Oct 2021 15:46:45 +0200
Subject: [PATCH 059/125] etc-git: evocommit should be present

---
 etc-git/tasks/commit.yml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml
index f32c6ede..f84c9b67 100644
--- a/etc-git/tasks/commit.yml
+++ b/etc-git/tasks/commit.yml
@@ -1,12 +1,5 @@
 ---
 
-- name: "evocommit script is installed"
-  copy:
-    src: evocommit
-    dest: /usr/local/bin/evocommit
-    mode: "0755"
-    force: yes
-
 # /etc
 - name: Is /etc a git repository
   stat:

From 2dfd0c0706b3de34b5683b0da7a1a0af8b80ea86 Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Mon, 11 Oct 2021 11:03:28 +0200
Subject: [PATCH 060/125] Add squid logrotate

---
 lxc-php/templates/mailname.j2 |  1 +
 squid/files/logrotate_squid   | 11 +++++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 lxc-php/templates/mailname.j2
 create mode 100644 squid/files/logrotate_squid

diff --git a/lxc-php/templates/mailname.j2 b/lxc-php/templates/mailname.j2
new file mode 100644
index 00000000..e374dd45
--- /dev/null
+++ b/lxc-php/templates/mailname.j2
@@ -0,0 +1 @@
+{{ansible_fqdn}}
diff --git a/squid/files/logrotate_squid b/squid/files/logrotate_squid
new file mode 100644
index 00000000..95946eb9
--- /dev/null
+++ b/squid/files/logrotate_squid
@@ -0,0 +1,11 @@
+/var/log/squid3/*.log {
+    monthly
+    compress
+    rotate 12
+    missingok
+    create 640 proxy adm
+    sharedscripts
+    postrotate
+        test ! -e /var/run/squid3.pid || /usr/sbin/squid3 -k rotate
+    endscript
+}
\ No newline at end of file

From 9aff38c0a78a3d705dac969662d327d5b9f291f1 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 12 Oct 2021 11:13:52 +0200
Subject: [PATCH 061/125] squid: add ZeroSSL to default whitelist

---
 squid/files/evolinux-whitelist-defaults.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf
index fe3ff500..fe9c0fb4 100644
--- a/squid/files/evolinux-whitelist-defaults.conf
+++ b/squid/files/evolinux-whitelist-defaults.conf
@@ -15,6 +15,8 @@
 # Let's Encrypt
 .+\.letsencrypt.org$
 .+\.o\.lencr.org$
+# ZeroSSL.com
+^api\.zerossl\.com$
 
 # Other OCSP endpoint
 ^ocsp\.usertrust\.com$

From 520cba9c5b9fecca514e4d82fb9cc1eaff76790c Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 12 Oct 2021 11:15:29 +0200
Subject: [PATCH 062/125] etc-git: evocommit has an Ansible mode to report
 changes

---
 etc-git/files/evocommit  | 44 +++++++++++++++++++++++++++++++++++++---
 etc-git/tasks/commit.yml | 12 ++++++++---
 2 files changed, 50 insertions(+), 6 deletions(-)

diff --git a/etc-git/files/evocommit b/etc-git/files/evocommit
index 0fd21076..36050d02 100644
--- a/etc-git/files/evocommit
+++ b/etc-git/files/evocommit
@@ -82,8 +82,14 @@ remount_repository_readonly() {
 is_dry_run() {
     test "${DRY_RUN}" = "1"
 }
+is_verbose() {
+    test "${VERBOSE}" = "1"
+}
+is_ansible() {
+    test "${ANSIBLE}" = "1"
+}
 main() {
-
+    rc=0
     lock="${GIT_DIR}/index.lock"
     if [ -f "${lock}" ]; then
         limit=$(date +"%s" -d "now - 1 hour")
@@ -108,18 +114,45 @@ main() {
             author=$(logname)
             email=$(git config --get user.email)
             email=${email:-"${author}@evolix.net"}
+
             # commit changes
-            ${GIT_BIN} add --all
-            ${GIT_BIN} commit --message "${MESSAGE}" --author "${author} <${email}>" --quiet
+            git_add_result=$(${GIT_BIN} add --all)
+            git_add_rc=$?
+
+            if is_ansible; then
+                if [ ${git_add_rc} -ne 0 ]; then
+                    printf "FAILED: %s\n%s" "can't add changes in ${REPOSITORY}" "${git_add_result}"
+                    rc=1
+                fi
+            fi
+
+            git_commit_result=$(${GIT_BIN} commit --message "${MESSAGE}" --author "${author} <${email}>")
+            git_commit_rc=$?
+
+            if is_ansible; then
+                if [ ${git_commit_rc} -eq 0 ]; then
+                    printf "CHANGED: %s\n" "commit done in ${REPOSITORY} with \`${MESSAGE}'"
+                else
+                    printf "FAILED: %s\n%s" "can't commit in ${REPOSITORY} \`${MESSAGE}'" "${git_commit_result}"
+                    rc=1
+                fi
+            fi
+
             # remount mount point read-only if it was before
             if [ ${readonly_orig} -eq 1 ]; then
                 remount_repository_readonly "${REPOSITORY}"
             fi
         fi
+    else
+        if is_ansible; then
+            printf "INFO: %s\n" "no commit in ${REPOSITORY}'"
+        fi
     fi
 
     unset GIT_DIR
     unset GIT_WORK_TREE
+
+    exit ${rc}
 }
 # Parse options
 # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
@@ -179,6 +212,10 @@ while :; do
             # print verbose information
             VERBOSE=1
             ;;
+        --ansible)
+            # print information for Ansible
+            ANSIBLE=1
+            ;;
         --)
             # End of all options.
             shift
@@ -209,6 +246,7 @@ if [ -z "${REPOSITORY}" ]; then
 fi
 DRY_RUN=${DRY_RUN:-0}
 VERBOSE=${VERBOSE:-0}
+ANSIBLE=${ANSIBLE:-0}
 
 GIT_BIN=$(command -v git)
 readonly GIT_BIN
diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml
index f84c9b67..01530b71 100644
--- a/etc-git/tasks/commit.yml
+++ b/etc-git/tasks/commit.yml
@@ -7,8 +7,10 @@
   register: _etc_git
 
 - name: "evocommit /etc"
-  command: "/usr/local/bin/evocommit --repository /etc --message \"{{ commit_message | mandatory }}\""
+  command: "/usr/local/bin/evocommit --ansible --repository /etc --message \"{{ commit_message | mandatory }}\""
+  changed_when: "'CHANGED:' in _etc_git_commit.stdout"
   ignore_errors: yes
+  register: _etc_git_commit
   when:
     - _etc_git.stat.exists
     - _etc_git.stat.isdir
@@ -20,8 +22,10 @@
   register: _etc_bind_git
 
 - name: "evocommit /etc/bind"
-  command: "/usr/local/bin/evocommit --repository /etc/bind --message \"{{ commit_message | mandatory }}\""
+  command: "/usr/local/bin/evocommit --ansible --repository /etc/bind --message \"{{ commit_message | mandatory }}\""
+  changed_when: "'CHANGED:' in _etc_bind_git_commit.stdout"
   ignore_errors: yes
+  register: _etc_bind_git_commit
   when:
     - _etc_bind_git.stat.exists
     - _etc_bind_git.stat.isdir
@@ -33,8 +37,10 @@
   register: _usr_share_scripts_git
 
 - name: "evocommit /usr/share/scripts"
-  command: "/usr/local/bin/evocommit --repository /usr/share/scripts --message \"{{ commit_message | mandatory }}\""
+  command: "/usr/local/bin/evocommit --ansible --repository /usr/share/scripts --message \"{{ commit_message | mandatory }}\""
+  changed_when: "'CHANGED:' in _usr_share_scripts_git_commit.stdout"
   ignore_errors: yes
+  register: _usr_share_scripts_git_commit
   when:
     - _usr_share_scripts_git.stat.exists
     - _usr_share_scripts_git.stat.isdir

From 6a4b250b5d510ca1f059db26ea8e0fba4d6846bf Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 12 Oct 2021 18:23:50 +0200
Subject: [PATCH 063/125] etc-git: better output detection

---
 etc-git/tasks/commit.yml | 12 +++++++++---
 etc-git/tasks/main.yml   | 21 ++++++++++++---------
 2 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml
index 01530b71..3f993771 100644
--- a/etc-git/tasks/commit.yml
+++ b/etc-git/tasks/commit.yml
@@ -8,7 +8,9 @@
 
 - name: "evocommit /etc"
   command: "/usr/local/bin/evocommit --ansible --repository /etc --message \"{{ commit_message | mandatory }}\""
-  changed_when: "'CHANGED:' in _etc_git_commit.stdout"
+  changed_when:
+    - _etc_git_commit.stdout
+    - "'CHANGED:' in _etc_git_commit.stdout"
   ignore_errors: yes
   register: _etc_git_commit
   when:
@@ -23,7 +25,9 @@
 
 - name: "evocommit /etc/bind"
   command: "/usr/local/bin/evocommit --ansible --repository /etc/bind --message \"{{ commit_message | mandatory }}\""
-  changed_when: "'CHANGED:' in _etc_bind_git_commit.stdout"
+  changed_when:
+    - _etc_bind_git_commit.stdout
+    - "'CHANGED:' in _etc_bind_git_commit.stdout"
   ignore_errors: yes
   register: _etc_bind_git_commit
   when:
@@ -38,7 +42,9 @@
 
 - name: "evocommit /usr/share/scripts"
   command: "/usr/local/bin/evocommit --ansible --repository /usr/share/scripts --message \"{{ commit_message | mandatory }}\""
-  changed_when: "'CHANGED:' in _usr_share_scripts_git_commit.stdout"
+  changed_when:
+    - _usr_share_scripts_git_commit.stdout
+    - "'CHANGED:' in _usr_share_scripts_git_commit.stdout"
   ignore_errors: yes
   register: _usr_share_scripts_git_commit
   when:
diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml
index 90df9f60..11be1899 100644
--- a/etc-git/tasks/main.yml
+++ b/etc-git/tasks/main.yml
@@ -7,6 +7,18 @@
   tags:
     - etc-git
 
+- include_role:
+    name: evolix/remount-usr
+
+- name: "evocommit script is installed"
+  copy:
+    src: evocommit
+    dest: /usr/local/bin/evocommit
+    mode: "0755"
+    force: yes
+  tags:
+    - etc-git
+
 - include: repository.yml
   vars:
     repository_path: "/etc"
@@ -32,15 +44,6 @@
     - _usr_share_scripts.stat.isdir
     - ansible_distribution_major_version is version('10', '>=')
 
-- name: "evocommit script is installed"
-  copy:
-    src: evocommit
-    dest: /usr/local/bin/evocommit
-    mode: "0755"
-    force: yes
-  tags:
-    - etc-git
-
 - name: "etc-git-optimize script is installed"
   copy:
     src: etc-git-optimize

From 33cb1dd8ef174b8c9bc3b5cb6d1ae193d3cfb069 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 14 Oct 2021 17:38:42 +0200
Subject: [PATCH 064/125] certbot: detect domains for SAN certificates

---
 certbot/files/hooks/deploy/sync_remote.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/certbot/files/hooks/deploy/sync_remote.sh b/certbot/files/hooks/deploy/sync_remote.sh
index dd4b8f6d..7fc3ecf4 100644
--- a/certbot/files/hooks/deploy/sync_remote.sh
+++ b/certbot/files/hooks/deploy/sync_remote.sh
@@ -14,8 +14,15 @@ debug() {
 found_renewed_lineage() {
     test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
 }
+cert_content() {
+    openssl x509 -text -in "${RENEWED_LINEAGE}/fullchain.pem"
+}
 domain_from_cert() {
-    openssl x509 -noout -subject -in "${RENEWED_LINEAGE}/fullchain.pem" | sed 's/^.*CN\ *=\ *//'
+    if cert_content | grep -q "X509v3 Subject Alternative Name:" && cert_content | grep -q "DNS:"; then
+        cert_content | grep "DNS:" | sed -e 's/\s\+//g' -e 's/DNS://g'
+    else
+        cert_content | sed 's/^.*CN\ *=\ *//'
+    fi
 }
 main() {
     if [ -z "${RENEWED_LINEAGE}" ]; then

From bbd16dc5b42a02fcbf7f866a25438847af7eeee1 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Fri, 15 Oct 2021 10:50:42 +0200
Subject: [PATCH 065/125] evolinux-base: add script backup-server-state

---
 CHANGELOG.md                               |   2 +
 evolinux-base/files/backup-server-state.sh | 413 +++++++++++++++++++++
 evolinux-base/tasks/main.yml               |   2 +
 evolinux-base/tasks/utils.yml              |  10 +
 4 files changed, 427 insertions(+)
 create mode 100644 evolinux-base/files/backup-server-state.sh
 create mode 100644 evolinux-base/tasks/utils.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 718ac464..0205e2b6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Added
 
+* evolinux-base: add script backup-server-state
+
 ### Changed
 
 * mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
diff --git a/evolinux-base/files/backup-server-state.sh b/evolinux-base/files/backup-server-state.sh
new file mode 100644
index 00000000..8b79e77f
--- /dev/null
+++ b/evolinux-base/files/backup-server-state.sh
@@ -0,0 +1,413 @@
+#!/bin/sh
+
+PROGNAME="backup-server-state"
+
+VERSION="21.10"
+readonly VERSION
+
+backup_dir=
+rc=0
+
+# base functions
+
+show_version() {
+    cat <<END
+${PROGNAME} version ${VERSION}
+
+Copyright 2018-2021 Evolix <info@evolix.fr>,
+                    Jérémy Lecour <jlecour@evolix.fr>
+                    and others.
+
+${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public License v3.0 for details.
+END
+}
+show_help() {
+    cat <<END
+${PROGNAME} is making backup copies of information related to the state of the server.
+
+Usage: ${PROGNAME} --backup-dir=/path/to/backup/directory [OPTIONS]
+
+Options
+ -d, --backup-dir   path to the directory where the backup will be stored
+     --etc          backup copy of /etc
+     --no-etc       no backup copy of /etc (default)
+     --dpkg         backup copy of /var/lib/dpkg
+     --no-dpkg      no backup copy of /var/lib/dpkg (default)
+ -v, --verbose      print details about backup steps
+ -V, --version      print version and exit
+ -h, --help         print this message and exit
+END
+}
+debug() {
+    if [ "${VERBOSE}" = "1" ]; then
+        echo "$1"
+    fi
+}
+
+create_backup_dir() {
+    debug "Create ${backup_dir}"
+
+    last_result=$(mkdir -p "${backup_dir}" && chmod -R 755 "${backup_dir}")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* mkdir/chmod OK"
+    else
+        debug "* mkdir/chmod ERROR :"
+        debug "${last_result}"
+        rc=10
+    fi
+}
+
+backup_etc() {
+    debug "Backup /etc"
+
+    last_result=$(rsync -ah --itemize-changes --exclude=.git /etc "${backup_dir}/")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* rsync OK"
+    else
+        debug "* rsync ERROR :"
+        debug "${last_result}"
+        rc=10
+    fi
+}
+
+backup_apt() {
+    if [ -f /var/lib/apt/extended_states ]; then
+        debug "Backup APT states"
+
+        last_result=$(mkdir -p "${backup_dir}/var/lib/apt" && chmod -R 755 "${backup_dir}/var/lib/apt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* mkdir/chmod OK"
+        else
+            debug "* mkdir/chmod ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+
+        last_result=$(rsync -ah /var/lib/apt/extended_states "${backup_dir}/var/lib/apt/")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* rsync OK"
+        else
+            debug "* rsync ERROR :"
+            debug "${last_result}"
+            rc=10
+        fi
+    fi
+}
+
+backup_dpkg() {
+    debug "Backup DPkg"
+
+    last_result=$(mkdir -p "${backup_dir}/var/lib" && chmod -R 755 "${backup_dir}/var/lib")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* mkdir/chmod OK"
+    else
+        debug "* mkdir/chmod ERROR"
+        debug "${last_result}"
+        rc=10
+    fi
+
+    last_result=$(rsync -ah --itemize-changes /var/lib/dpkg "${backup_dir}/var/lib/")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* rsync OK"
+    else
+        debug "* rsync ERROR"
+        debug "${last_result}"
+        rc=10
+    fi
+}
+
+backup_packages() {
+    debug "Backup list of installed package"
+
+    last_result=$(dpkg --get-selections "*" > "${backup_dir}/current_packages.txt")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* dpkg OK"
+    else
+        debug "* dpkg ERROR :"
+        debug "${last_result}"
+        rc=10
+    fi
+}
+
+backup_uptime() {
+    debug "Backup uptime"
+
+    last_result=$(uptime > "${backup_dir}/uptime.out")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* uptime OK"
+    else
+        debug "* uptime ERROR"
+        debug "${last_result}"
+        rc=10
+    fi
+}
+
+backup_processes() {
+    debug "Backup process list"
+
+    last_result=$(ps fauxw > "${backup_dir}/ps.out")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* ps OK"
+    else
+        debug "* ps ERROR"
+        debug "${last_result}"
+        rc=10
+    fi
+
+    pstree_bin=$(command -v pstree)
+
+    if [ -z "${pstree_bin}" ]; then
+        last_result=$(pstree -pan > "${backup_dir}/pstree.out")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* pstree OK"
+        else
+            debug "* pstree ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    fi
+}
+
+backup_netstat() {
+    debug "Backup network status"
+
+    ss_bin=$(command -v ss)
+    if [ -z "${ss_bin}" ]; then
+        last_result=$(${ss_bin} -tanpul > "${backup_dir}/listen.out")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* ss OK"
+        else
+            debug "* ss ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    fi
+
+    netstat_bin=$(command -v netstat)
+    if [ -z "${netstat_bin}" ]; then
+        last_result=$(netstat -laputen > "${backup_dir}/netstat.out")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* netstat OK"
+        else
+            debug "* netstat ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    fi
+}
+
+backup_netcfg() {
+    debug "Backup network configuration"
+
+    last_result=$(ip address show > "${backup_dir}/ip-address.txt")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* ip address OK"
+    else
+        debug "* ip address ERROR"
+        debug "${last_result}"
+        rc=10
+    fi
+
+    last_result=$(ip route show > "${backup_dir}/ip-route.txt")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* ip route OK"
+    else
+        debug "* ip route ERROR"
+        debug "${last_result}"
+        rc=10
+    fi
+}
+
+backup_iptables() {
+    debug "Backup iptables"
+
+    last_result=$({ /sbin/iptables -L -n -v; /sbin/iptables -t filter -L -n -v; } > "${backup_dir}/iptables.txt")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* iptables OK"
+    else
+        debug "* iptables ERROR"
+        debug "${last_result}"
+        rc=10
+    fi
+}
+
+backup_sysctl() {
+    debug "Backup sysctl values"
+
+    last_result=$(sysctl -a | sort -h > "${backup_dir}/sysctl.txt")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* sysctl OK"
+    else
+        debug "* sysctl ERROR"
+        debug "${last_result}"
+        rc=10
+    fi
+}
+
+main() {
+    if [ -z "${backup_dir}" ]; then
+        echo "ERROR: You must provide the --backup-dir argument" >&2
+        exit 1
+    fi
+
+    if [ -d "${backup_dir}" ]; then
+        echo "ERROR: The backup directory ${backup_dir} already exists. Delete it first." >&2
+        exit 2
+    else
+        create_backup_dir
+    fi
+
+    if [ "${DO_ETC}" -eq 1 ]; then
+        backup_etc
+    fi
+    if [ "${DO_DPKG}" -eq 1 ]; then
+        backup_dpkg
+    fi
+    if [ "${DO_APT}" -eq 1 ]; then
+        backup_apt
+    fi
+    if [ "${DO_PACKAGES}" -eq 1 ]; then
+        backup_packages
+    fi
+    if [ "${DO_PROCESSES}" -eq 1 ]; then
+        backup_processes
+    fi
+    if [ "${DO_UPTIME}" -eq 1 ]; then
+        backup_uptime
+    fi
+    if [ "${DO_NETSTAT}" -eq 1 ]; then
+        backup_netstat
+    fi
+    if [ "${DO_NETCFG}" -eq 1 ]; then
+        backup_netcfg
+    fi
+    if [ "${DO_IPTABLES}" -eq 1 ]; then
+        backup_iptables
+    fi
+    if [ "${DO_SYSCTL}" -eq 1 ]; then
+        backup_sysctl
+    fi
+
+    debug "=> Your backup is available at ${backup_dir}"
+    exit ${rc}
+}
+
+# parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+    case $1 in
+        -h|-\?|--help)
+            show_help
+            exit 0
+            ;;
+        -V|--version)
+            show_version
+            exit 0
+            ;;
+        -v|--verbose)
+            VERBOSE=1
+            ;;
+
+        -d|--backup-dir)
+            # with value separated by space
+            if [ -n "$2" ]; then
+                backup_dir=$2
+                shift
+            else
+                printf 'ERROR: "-d|--backup-dir" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --backup-dir=?*)
+            # with value speparated by =
+            backup_dir=${1#*=}
+            ;;
+        --backup-dir=)
+            # without value
+            printf 'ERROR: "--backup-dir" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+
+        --etc)
+            DO_ETC=1
+            ;;
+        --no-etc)
+            DO_ETC=0
+            ;;
+
+        --dpkg)
+            DO_DPKG=1
+            ;;
+        --no-dpkg)
+            DO_DPKG=0
+            ;;
+
+        --)
+            # End of all options.
+            shift
+            break
+            ;;
+        -?*)
+            # ignore unknown options
+            printf 'WARN: Unknown option : %s\n' "$1" >&2
+            exit 1
+            ;;
+        *)
+            # Default case: If no more options then break out of the loop.
+            break
+            ;;
+    esac
+
+    shift
+done
+
+# Default values
+: "${VERBOSE:=0}"
+: "${DO_ETC:=0}"
+: "${DO_DPKG:=0}"
+: "${DO_APT:=1}"
+: "${DO_PACKAGES:=1}"
+: "${DO_PROCESSES:=1}"
+: "${DO_UPTIME:=1}"
+: "${DO_NETSTAT:=1}"
+: "${DO_NETCFG:=1}"
+: "${DO_IPTABLES:=1}"
+: "${DO_SYSCTL:=1}"
+
+set -u
+
+main
diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml
index 2da87162..590de7d7 100644
--- a/evolinux-base/tasks/main.yml
+++ b/evolinux-base/tasks/main.yml
@@ -98,6 +98,8 @@
 
 - include: motd.yml
 
+- include: utils.yml
+
 - name: Munin
   include_role:
     name: evolix/munin
diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml
new file mode 100644
index 00000000..80527ce5
--- /dev/null
+++ b/evolinux-base/tasks/utils.yml
@@ -0,0 +1,10 @@
+---
+
+- name: backup-server-state script is present
+  file:
+    src: "backup-server-state.sh"
+    dest: /usr/local/sbin/backup-server-state
+    force: True
+    owner: root
+    group: root
+    mode: "0750"

From 7586881f4d296ad7194bd08ef6695c4c0cbafe81 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Fri, 15 Oct 2021 10:54:39 +0200
Subject: [PATCH 066/125] fix module name

---
 evolinux-base/tasks/utils.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml
index 80527ce5..dd7ade4b 100644
--- a/evolinux-base/tasks/utils.yml
+++ b/evolinux-base/tasks/utils.yml
@@ -1,7 +1,7 @@
 ---
 
 - name: backup-server-state script is present
-  file:
+  copy:
     src: "backup-server-state.sh"
     dest: /usr/local/sbin/backup-server-state
     force: True

From d38119eb0f519f29850f52cd57fd6f93cae1395a Mon Sep 17 00:00:00 2001
From: Jeremy Dubois <jdubois@evolix.fr>
Date: Mon, 18 Oct 2021 14:54:09 +0200
Subject: [PATCH 067/125] nginx : fix variable name and debug

nginx_minimal defined the nginx_package_name_default variable which was not
used instead of the nginx_default_package_name variable

also fixed debug which was reversed, and add another one to be sure which mode
is used
---
 CHANGELOG.md             | 2 ++
 nginx/tasks/main.yml     | 4 ++++
 nginx/tasks/packages.yml | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0205e2b6..6762c9f2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Fixed
 
+* nginx : fix variable name and debug to actually use nginx-light
+
 ### Removed
 
 ### Security
diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml
index 8a8fc264..6bb09f03 100644
--- a/nginx/tasks/main.yml
+++ b/nginx/tasks/main.yml
@@ -2,6 +2,10 @@
 
 - debug:
     msg: "Nginx minimal mode has been removed, falling back to normal mode."
+  when: not nginx_minimal | bool
+
+- debug:
+    msg: "Nginx minimal mode has been set, using minimal mode."
   when: nginx_minimal | bool
 
 - include: packages.yml
diff --git a/nginx/tasks/packages.yml b/nginx/tasks/packages.yml
index ebd5eaaf..f9a500c0 100644
--- a/nginx/tasks/packages.yml
+++ b/nginx/tasks/packages.yml
@@ -1,7 +1,7 @@
 
 
 - set_fact:
-    nginx_package_name_default: nginx-light
+    nginx_default_package_name: nginx-light
   when: nginx_minimal | bool
 
 - include: packages_backports.yml

From a9d0d0958d796204adad8317a0409c81abe63faa Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Mon, 18 Oct 2021 18:30:47 +0200
Subject: [PATCH 068/125] packweb-apache : Support php 8.0

---
 CHANGELOG.md                 | 1 +
 packweb-apache/meta/main.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6762c9f2..a4345b7f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Fixed
 
 * nginx : fix variable name and debug to actually use nginx-light
+* packweb-apache : Support php 8.0 
 
 ### Removed
 
diff --git a/packweb-apache/meta/main.yml b/packweb-apache/meta/main.yml
index 7033e7e9..ad211bbb 100644
--- a/packweb-apache/meta/main.yml
+++ b/packweb-apache/meta/main.yml
@@ -37,5 +37,6 @@ dependencies:
   - { role: evolix/lxc-php, lxc_php_version: php70, lxc_php_create_mysql_link: True, when: "'php70' in packweb_multiphp_versions" }
   - { role: evolix/lxc-php, lxc_php_version: php73, lxc_php_create_mysql_link: True, when: "'php73' in packweb_multiphp_versions" }
   - { role: evolix/lxc-php, lxc_php_version: php74, lxc_php_create_mysql_link: True, when: "'php74' in packweb_multiphp_versions" }
+  - { role: evolix/lxc-php, lxc_php_version: php80, lxc_php_create_mysql_link: True, when: "'php80' in packweb_multiphp_versions" }
   - { role: evolix/webapps/evoadmin-web, evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}", evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}" }
   - { role: evolix/evoacme }

From be5bb736753e2336bd90dca88d78219e8b2c92f2 Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Wed, 20 Oct 2021 15:57:58 +0200
Subject: [PATCH 069/125] Include role remount-usr to backup-state-server

---
 evolinux-base/tasks/utils.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml
index dd7ade4b..33c14c5e 100644
--- a/evolinux-base/tasks/utils.yml
+++ b/evolinux-base/tasks/utils.yml
@@ -8,3 +8,5 @@
     owner: root
     group: root
     mode: "0750"
+- include_role:
+    name: evolix/remount-usr

From b120a922039d3d1232d6e2fba44b0d8b59b6b3df Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Tue, 19 Oct 2021 16:12:51 +0200
Subject: [PATCH 070/125] evolinux-users + nagios-nrpe: Add support for
 php-fpm80 in lxc

---
 CHANGELOG.md                                | 1 +
 evolinux-users/templates/sudoers_stretch.j2 | 1 +
 nagios-nrpe/templates/evolix.cfg.j2         | 1 +
 3 files changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a4345b7f..e3a6467e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Changed
 
+* evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
 * mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
 * mongodb: Support version 5.0 (for buster)
 * mongodb: Allow to specify a mongodb version for buster & bullseye
diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2
index a5b75f31..e99d9141 100644
--- a/evolinux-users/templates/sudoers_stretch.j2
+++ b/evolinux-users/templates/sudoers_stretch.j2
@@ -12,6 +12,7 @@ nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/8.0/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor
 nagios          ALL = NOPASSWD: /sbin/dmsetup status --noflush
 nagios          ALL = NOPASSWD: /sbin/megacli -PDList -aALL -NoLog
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2
index e830e697..6c0dd873 100644
--- a/nagios-nrpe/templates/evolix.cfg.j2
+++ b/nagios-nrpe/templates/evolix.cfg.j2
@@ -78,6 +78,7 @@ command[check_php-fpm56]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi
 command[check_php-fpm70]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
 command[check_php-fpm73]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
 command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
+command[check_php-fpm80]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/
 command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor
 command[check_raid_status]=/usr/lib/nagios/plugins/check_raid
 

From 9b3bb39bd035c384b82c6ffe20f94790e27fc1c4 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Wed, 20 Oct 2021 16:31:05 +0200
Subject: [PATCH 071/125] mysql : Create a default ~root/.my.cnf for
 compatibility reasons

---
 CHANGELOG.md                   |  1 +
 mysql/tasks/main.yml           |  6 +++---
 mysql/tasks/users_bullseye.yml | 15 +++++++++++++++
 3 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 mysql/tasks/users_bullseye.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e3a6467e..0ab1c6d1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Fixed
 
+* mysql : Create a default ~root/.my.cnf for compatibility reasons
 * nginx : fix variable name and debug to actually use nginx-light
 * packweb-apache : Support php 8.0 
 
diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml
index b99a9aa1..a7c38808 100644
--- a/mysql/tasks/main.yml
+++ b/mysql/tasks/main.yml
@@ -10,9 +10,9 @@
 - include: packages_jessie.yml
   when: ansible_distribution_release == "jessie"
 
-## There is nothing to do with users on Debian 11
-# - include: users_bullseye.yml
-#   when: ansible_distribution_release == "bullseye"
+## There is nothing to do with users on Debian 11 - yet we need a /root/.my.cnf for compatibility
+- include: users_bullseye.yml
+  when: ansible_distribution_release == "bullseye"
 
 - include: users_buster.yml
   when: ansible_distribution_release == "buster"
diff --git a/mysql/tasks/users_bullseye.yml b/mysql/tasks/users_bullseye.yml
new file mode 100644
index 00000000..1bdc9084
--- /dev/null
+++ b/mysql/tasks/users_bullseye.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Populate the .my.cnf of root with default user
+  ini_file:
+    dest: /root/.my.cnf
+    mode: "0600"
+    section: client
+    option: '{{ item.option }}'
+    value: '{{ item.value }}'
+    create: yes
+  loop:
+    - { option: 'user',     value: 'root' }
+    - { option: 'socket',   value: '/run/mysqld/mysqld.sock' }
+  tags:
+    - mysql

From dcdde5f7f6d33bd08d0fa8b92ceba0a4df30d108 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 21 Oct 2021 17:08:42 +0200
Subject: [PATCH 072/125] evocheck: upstream release 21.10.1

---
 CHANGELOG.md               |   1 +
 evocheck/files/evocheck.sh | 129 +++++++++++++++++++++++++++++++++++--
 2 files changed, 125 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ab1c6d1..24c83e77 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Changed
 
+* evocheck: upstream release 21.10.1
 * evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
 * mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
 * mongodb: Support version 5.0 (for buster)
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index fd3de94b..ab952fd0 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -4,7 +4,7 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
 
-VERSION="21.10"
+VERSION="21.10.1"
 readonly VERSION
 
 # base functions
@@ -74,7 +74,7 @@ detect_os() {
 }
 
 is_debian() {
-  test -n "${DEBIAN_RELEASE}"
+    test -n "${DEBIAN_RELEASE}"
 }
 is_debian_lenny() {
     test "${DEBIAN_RELEASE}" = "lenny"
@@ -220,7 +220,6 @@ check_vartmpfs() {
     else
         df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
     fi
-    
 }
 check_serveurbase() {
     is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
@@ -316,7 +315,7 @@ check_customcrontab() {
     test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
 }
 check_sshallowusers() {
-    grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
+    grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
         || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
 }
 check_diskperf() {
@@ -604,6 +603,7 @@ check_evobackup_exclude_mount() {
             failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
         done
     done
+    rm -rf "${excludes_file}"
 }
 # Verification de la presence du userlogrotate
 check_userlogrotate() {
@@ -1040,7 +1040,7 @@ check_phpevolinuxconf() {
 check_squidlogrotate() {
     if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         if is_installed squid; then
-            grep -q monthly /etc/logrotate.d/squid \
+            grep -q -e monthly -e daily /etc/logrotate.d/squid \
                 || failed "IS_SQUIDLOGROTATE" "missing squid logrotate file"
         fi
     fi
@@ -1353,6 +1353,124 @@ check_lxc_container_resolv_conf() {
         done 
     fi
 }
+download_versions() {
+    local file
+    file=${1:-}
+
+    ## The file is supposed to list programs : each on a line, then its latest version number
+    ## Examples:
+    # evoacme 21.06
+    # evomaintenance 0.6.4
+
+    if is_debian; then
+        versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}"
+    elif is_openbsd; then
+        versions_url="https://upgrades.evolix.org/versions-${OPENBSD_RELEASE}"
+    else
+        failed "IS_VERSIONS_CHECK" "error determining os release"
+    fi
+
+    # fetch timeout, in seconds
+    timeout=10
+
+    if command -v curl > /dev/null; then
+        curl --max-time ${timeout} --fail --silent --output "${versions_file}" "${versions_url}"
+    elif command -v wget > /dev/null; then
+        wget --timeout=${timeout} --quiet "${versions_url}" -O "${versions_file}"
+    elif command -v GET; then
+        GET -t ${timeout}s "${versions_url}" > "${versions_file}"
+    else
+        failed "IS_VERSIONS_CHECK" "failed to find curl, wget or GET"
+    fi
+    test "$?" -eq 0 || failed "IS_VERSIONS_CHECK" "failed to download ${versions_url} to ${versions_file}"
+}
+get_command() {
+    local program
+    program=${1:-}
+
+    case "${program}" in
+        ## Special cases where the program name is different than the command name
+        evocheck) echo "${0}" ;;
+        evomaintenance) command -v "evomaintenance.sh" ;;
+        listupgrade) command -v "evolistupgrade.sh" ;;
+        old-kernel-autoremoval) command -v "old-kernel-autoremoval.sh" ;;
+        mysql-queries-killer) command -v "mysql-queries-killer.sh" ;;
+
+        ## General case, where the program name is the same as the command name
+        *) command -v "${program}" ;;
+    esac
+}
+get_version() {
+    local program
+    local command
+    program=${1:-}
+    command=${2:-}
+
+    case "${program}" in
+        ## Special case if `command --version => 'command` is not the standard way to get the version
+        # my_command)
+        #    /path/to/my_command --get-version 
+        #    ;;
+
+        ## When there is just an internal variable name
+        kvmstats | add-vm)
+            grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
+            ;;
+
+        ## General case to get the version
+        *) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;;
+    esac
+}
+check_version() {
+    local program
+    local expected_version
+    program=${1:-}
+    expected_version=${2:-}
+
+    command=$(get_command "${program}")
+    if [ -n "${command}" ]; then
+        # shellcheck disable=SC2086
+        actual_version=$(get_version "${program}" "${command}")
+        # printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}"
+        if [ -z "${actual_version}" ]; then
+            failed "IS_VERSIONS_CHECK" "failed to lookup actual version of ${program}"
+        elif dpkg --compare-versions "${actual_version}" lt "${expected_version}"; then
+            failed "IS_VERSIONS_CHECK" "${program} version ${expected_version} expected, but ${actual_version} found"
+        else
+            : # Version check OK
+        fi
+    fi
+}
+add_to_path() {
+    local new_path
+    new_path=${1:-}
+
+    echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
+}
+check_versions() {
+    versions_file=$(mktemp --tmpdir=/tmp "evocheck-versions.XXXXX")
+    # shellcheck disable=SC2064
+    trap "rm -f ${versions_file}" 0
+    download_versions "${versions_file}"
+    add_to_path "/usr/share/scripts"
+
+    grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do
+        local program
+        local version
+        program=$(echo "${line}" | cut -d ' ' -f 1)
+        version=$(echo "${line}" | cut -d ' ' -f 2)
+
+        if [ -n "${program}" ]; then
+            if [ -n "${version}" ]; then
+                check_version "${program}" "${version}"
+            else
+                failed "IS_VERSIONS_CHECK" "failed to lookup expected version for ${program}"
+            fi
+        fi
+    done
+
+    rm -f "${versions_file}"
+}
 
 main() {
     # Default return code : 0 = no error
@@ -1483,6 +1601,7 @@ main() {
         test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
         test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
         test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
+        test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
     fi
 
     #-----------------------------------------------------------

From 7cb6dffd6fa331dfe6e2e2a4ab15554a1315163d Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 21 Oct 2021 17:30:53 +0200
Subject: [PATCH 073/125] add internal VERSION variable to kvmstats and add-vm

---
 kvm-host/files/add-vm.sh   | 2 ++
 kvm-host/files/kvmstats.sh | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/kvm-host/files/add-vm.sh b/kvm-host/files/add-vm.sh
index ec50763d..51b5c737 100755
--- a/kvm-host/files/add-vm.sh
+++ b/kvm-host/files/add-vm.sh
@@ -10,6 +10,8 @@
 # Bash strict mode
 set -euo pipefail
 
+VERSION="21.10"
+
 isDryRun() {
     test "${doDryRun}" = "true"
 }
diff --git a/kvm-host/files/kvmstats.sh b/kvm-host/files/kvmstats.sh
index 5fa20ccb..02a10224 100755
--- a/kvm-host/files/kvmstats.sh
+++ b/kvm-host/files/kvmstats.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+VERSION="21.10"
+
 error () {
     echo "$0": "$@" >&2
     exit 1

From 03f846b94be1848ee651c8846533d1f7a8316620 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Fri, 22 Oct 2021 11:56:43 +0200
Subject: [PATCH 074/125] remount before the task

---
 evolinux-base/tasks/utils.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml
index 33c14c5e..ede5f4e8 100644
--- a/evolinux-base/tasks/utils.yml
+++ b/evolinux-base/tasks/utils.yml
@@ -1,5 +1,8 @@
 ---
 
+- include_role:
+    name: evolix/remount-usr
+
 - name: backup-server-state script is present
   copy:
     src: "backup-server-state.sh"
@@ -8,5 +11,3 @@
     owner: root
     group: root
     mode: "0750"
-- include_role:
-    name: evolix/remount-usr

From 72e8200d5b7358fc19d79cbdef0b836937785c77 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Fri, 22 Oct 2021 13:30:32 +0200
Subject: [PATCH 075/125] kvm-host: reorganize code for kvmstats

* add -V|--version flag
* add -h|--help flag
* normalize options parsing
---
 kvm-host/files/kvmstats.sh | 249 ++++++++++++++++++++++++++-----------
 1 file changed, 177 insertions(+), 72 deletions(-)

diff --git a/kvm-host/files/kvmstats.sh b/kvm-host/files/kvmstats.sh
index 02a10224..0b3f4f2d 100755
--- a/kvm-host/files/kvmstats.sh
+++ b/kvm-host/files/kvmstats.sh
@@ -2,97 +2,202 @@
 
 VERSION="21.10"
 
+PROGNAME=$(basename "$0")
+
+show_version() {
+    cat <<END
+${PROGNAME} version ${VERSION}
+
+Copyright 2018-2021 Evolix <info@evolix.fr>,
+               Alexis Ben Miloud--Josselin <abenmiloud@evolix.fr>,
+               Jérémy Lecour <jlecour@evolix.fr>
+               and others.
+
+${PROGNAME} comes with ABSOLUTELY NO WARRANTY.  This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public Licence for details.
+END
+}
+
+show_help() {
+    cat <<END
+${PROGNAME} print stats about configured virtal servers
+
+END
+    show_usage
+}
+show_usage() {
+    cat <<END
+Usage: ${PROGNAME} --all
+  or   ${PROGNAME} --output <human|html|csv>
+  or   ${PROGNAME} --units <k|m|g>
+END
+}
+
 error () {
     echo "$0": "$@" >&2
     exit 1
 }
 
-usage () {
-    echo 'usage:' "$0" '[-a] [-u k|m|g] [-o human|html|csv]' >&2
-    exit 1
+main() {
+    for VM in $(virsh list --name --all)
+    do
+        echo "$VM"
+
+        # cpu
+        virsh vcpucount --current "$VM"
+
+        # mem
+        # libvirt stores memory in KiB, POW must be lowered by 1
+        virsh dommemstat "$VM" 2>/dev/null | awk 'BEGIN{ret=1}$1~/^actual$/{print $2 / '$((POW / 1024))';ret=0}END{exit ret}' ||
+            virsh dumpxml "$VM" | awk -F'[<>]' '$2~/^memory unit/{print $3/'$((POW / 1024))'}'
+
+        # disk
+        for BLK in $(virsh domblklist "$VM" | sed '1,2d;/-$/d;/^$/d' | awk '{print $1}')
+        do
+            virsh domblkinfo "$VM" "$BLK" 2>/dev/null
+        done | awk '/Physical:/ { size += $2 } END { print int(size / '${POW}') }'
+
+        # state
+        virsh domstate "$VM" | grep -q '^running$' && echo yes || echo no
+    done | xargs -n5 | {
+        echo vm vcpu ram disk running
+        awk '{ print } /yes$/ { vcpu += $2; ram += $3; disk += $4; running++ } END { print "TOTAL(running)", vcpu, ram, disk, running }'
+        test "$SHOW_AVAIL" && {
+            nproc
+            awk '/^MemTotal:/ { print int($2 / '$((POW / 1024))' ) }' /proc/meminfo
+        } | xargs -r printf 'AVAILABLE %s %s %s %s\n'
+    } | case "$FMT" in
+    'human')
+        column -t
+        ;;
+    'html')
+        awk 'BEGIN{print "<html><body>\n<table>"}{printf "<tr>";for(i=1;i<=NF;i++)printf "<td>%s</td>", $i;print "</tr>"}END{print "</table>\n</body></html>"}'
+        ;;
+    'csv')
+        tr ' ' ','
+        ;;
+    esac
 }
 
+parse_units() {
+    case "$1" in
+    'k')
+        POW="$(echo '1024 ^ 1' | bc)"
+        ;;
+    'm')
+        POW="$(echo '1024 ^ 2' | bc)"
+        ;;
+    'g')
+        POW="$(echo '1024 ^ 3' | bc)"
+        ;;
+    *)
+        printf 'ERROR: Unknown unit value: %s. Possible values: %s\n' "$1" "k, m, g" >&2
+        echo "" >&2
+        show_usage >&2
+        exit 1
+        ;;
+    esac 
+}
+parse_output() {
+    case "$1" in
+    'csv'|'html'|'human')
+        FMT="$1"
+        ;;
+    *)
+        printf 'ERROR: Unknown output value : %s. Possible values: %s\n' "$1" "csv, html, human" >&2
+        echo "" >&2
+        show_usage >&2
+        exit 1
+        ;;
+    esac
+}
+
+# Check dependencies
 for DEP in bc virsh
 do
     command -v "$DEP" > /dev/null || error "$DEP" 'command not found'
 done
 
+# default values
 POW="$(echo '1024 ^ 3' | bc)"
 FMT='human'
-while [ "$#" -ne 0 ]
-do
-    case "$1" in
-    '-a')
-        SHOW_AVAIL='y'
-        ;;
-    '-o')
-        case "$2" in
-        'csv'|'html'|'human')
-            FMT="$2"
+
+# Parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+    case $1 in
+        -h|-\?|--help)
+            show_help
+            exit 0
+            ;;
+        -V|--version)
+            show_version
+            exit 0
+            ;;
+        -a|--all)
+            SHOW_AVAIL='y'
+            ;;
+        -u|--units)
+            # with value separated by space
+            if [ -n "$2" ]; then
+                parse_units "$2"
+                shift
+            else
+                printf 'ERROR: "-u|--units" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --units=?*)
+            # with value speparated by =
+            parse_units ${1#*=}
+            ;;
+        --units=)
+            # without value
+            printf 'ERROR: "--units" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+
+        -o|--output)
+            # with value separated by space
+            if [ -n "$2" ]; then
+                parse_output "$2"
+                shift
+            else
+                printf 'ERROR: "-o|--output" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --output=?*)
+            # with value speparated by =
+            parse_output ${1#*=}
+            ;;
+        --output=)
+            # without value
+            printf 'ERROR: "--output" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+
+        --)
+            # End of all options.
+            shift
+            break
+            ;;
+        -?*|[[:alnum:]]*)
+            # ignore unknown options
+            printf 'ERROR: Unknown option : %s\n' "$1" >&2
+            echo "" >&2
+            show_usage >&2
+            exit 1
             ;;
         *)
-            usage
+            # Default case: If no more options then break out of the loop.
+            break
             ;;
-        esac
-        shift
-        ;;
-    '-u')
-        case "$2" in
-        'k')
-            POW="$(echo '1024 ^ 1' | bc)"
-            ;;
-        'm')
-            POW="$(echo '1024 ^ 2' | bc)"
-            ;;
-        'g')
-            POW="$(echo '1024 ^ 3' | bc)"
-            ;;
-        *)
-            usage
-        esac
-        shift
-        ;;
-    *)
-        usage
     esac
+
     shift
 done
 
-for VM in $(virsh list --name --all)
-do
-    echo "$VM"
+main
 
-    # cpu
-    virsh vcpucount --current "$VM"
-
-    # mem
-    # libvirt stores memory in KiB, POW must be lowered by 1
-    virsh dommemstat "$VM" 2>/dev/null | awk 'BEGIN{ret=1}$1~/^actual$/{print $2 / '$((POW / 1024))';ret=0}END{exit ret}' ||
-        virsh dumpxml "$VM" | awk -F'[<>]' '$2~/^memory unit/{print $3/'$((POW / 1024))'}'
-
-    # disk
-    for BLK in $(virsh domblklist "$VM" | sed '1,2d;/-$/d;/^$/d' | awk '{print $1}')
-    do
-        virsh domblkinfo "$VM" "$BLK" 2>/dev/null
-    done | awk '/Physical:/ { size += $2 } END { print int(size / '${POW}') }'
-
-    # state
-    virsh domstate "$VM" | grep -q '^running$' && echo yes || echo no
-done | xargs -n5 | {
-    echo vm vcpu ram disk running
-    awk '{ print } /yes$/ { vcpu += $2; ram += $3; disk += $4; running++ } END { print "TOTAL(running)", vcpu, ram, disk, running }'
-    test "$SHOW_AVAIL" && {
-        nproc
-        awk '/^MemTotal:/ { print int($2 / '$((POW / 1024))' ) }' /proc/meminfo
-    } | xargs -r printf 'AVAILABLE %s %s %s %s\n'
-} | case "$FMT" in
-'human')
-    column -t
-    ;;
-'html')
-    awk 'BEGIN{print "<html><body>\n<table>"}{printf "<tr>";for(i=1;i<=NF;i++)printf "<td>%s</td>", $i;print "</tr>"}END{print "</table>\n</body></html>"}'
-    ;;
-'csv')
-    tr ' ' ','
-    ;;
-esac

From 1706361e8d8ff02d96ed3148feb6ef3e17370f8c Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Fri, 22 Oct 2021 13:43:43 +0200
Subject: [PATCH 076/125] evocheck: upstream release 21.10.2

---
 CHANGELOG.md                  |   2 +-
 evocheck/files/evocheck.sh    |  10 +-
 nagios-nrpe/files/check_async | 209 ++++++++++++++++++++++++++++++++++
 3 files changed, 217 insertions(+), 4 deletions(-)
 create mode 100644 nagios-nrpe/files/check_async

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 24c83e77..16bba5df 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,7 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Changed
 
-* evocheck: upstream release 21.10.1
+* evocheck: upstream release 21.10.2
 * evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
 * mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
 * mongodb: Support version 5.0 (for buster)
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index ab952fd0..8a5719a8 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -4,7 +4,7 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
 
-VERSION="21.10.1"
+VERSION="21.10.2"
 readonly VERSION
 
 # base functions
@@ -1412,9 +1412,13 @@ get_version() {
         #    /path/to/my_command --get-version 
         #    ;;
 
-        ## When there is just an internal variable name
+        ## Let's try the --version flag before falling back to grep for the constant
         kvmstats | add-vm)
-            grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
+            if ${command} --version > /dev/null 2> /dev/null; then
+                 ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3
+            else
+                grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
+            fi
             ;;
 
         ## General case to get the version
diff --git a/nagios-nrpe/files/check_async b/nagios-nrpe/files/check_async
new file mode 100644
index 00000000..15a6bf71
--- /dev/null
+++ b/nagios-nrpe/files/check_async
@@ -0,0 +1,209 @@
+#!/bin/bash
+
+VERSION="21.04"
+readonly VERSION
+
+# base functions
+
+show_version() {
+    cat <<END
+check_async version ${VERSION}
+
+Copyright 2018-2021 Evolix <info@evolix.fr>,
+                    Jérémy Lecour <jlecour@evolix.fr>
+                    and others.
+
+check_async comes with ABSOLUTELY NO WARRANTY.This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public License v3.0 for details.
+END
+}
+show_help() {
+    cat <<END
+check_async is supposed to wrap an NRPE command and overrides the return code.
+
+Usage: check_async --max-age=1d --name=check_name
+  or   check_async --name=check_name
+
+Options
+ -m, --max-age      max age of the "check file" ;
+                    can be "1d" for 1 day, "5m" for 5 minutes…
+                    or more complex expressions like "1w2d10m42s"
+ -n, --name         check name
+ -h, --help         print this message and exit
+ -V, --version      print version and exit
+END
+}
+
+time_in_seconds() {
+    if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
+        echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
+    elif echo "${1}" | grep -E -q '^([0-9]+$)'; then
+        echo "${1} * 3600" | xargs expr
+    else
+        return 1
+    fi
+}
+
+delay_from_check_file() {
+    last_change=$(stat -c %Z "${check_file}")
+    limit_seconds=$(time_in_seconds "${wrapper_limit}" || time_in_seconds "${wrapper_limit_default}") 
+    limit_date=$(date --date "${limit_seconds} seconds ago" +"%s")
+
+    echo $(( last_change - limit_date ))
+}
+
+enable_check() {
+    if [ "$(id -u)" -eq "0" ] ; then
+        /usr/share/scripts/alerts_switch enable "${check_name}"
+    else
+        sudo /usr/share/scripts/alerts_switch enable "${check_name}"
+    fi
+}
+
+main() {
+    ${check_command} > "${check_stdout}"
+    check_rc=$?
+    readonly check_rc
+
+    delay=0
+
+    if [ -e "${check_file}" ]; then
+        delay=$(delay_from_check_file)
+
+        if [ "${delay}" -le "0" ]; then
+            enable_check
+        fi
+    fi
+
+    if [ -e "${check_file}" ]; then
+        formatted_last_change=$(date --date "@$(stat -c %Z "${check_file}")" +'%c')
+        readonly formatted_last_change
+
+        echo "ALERTS DISABLED for ${check_name} (since ${formatted_last_change}, delay: ${delay} sec) - $(cat "${check_stdout}")"
+        if [ ${check_rc} = 0 ]; then
+            # Nagios OK
+            exit 0
+        else
+            # Nagios WARNING
+            exit 1
+        fi
+    else
+        cat "${check_stdout}"
+        exit ${check_rc}
+    fi
+}
+
+# Default: 1 day before re-enabling the check
+wrapper_limit_default="1d"
+readonly wrapper_limit_default
+
+if [[ "${1}" =~ -.* ]]; then
+    # parse options
+    # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+    while :; do
+        case $1 in
+            -h|-\?|--help)
+                show_help
+                exit 0
+                ;;
+            -V|--version)
+                show_version
+                exit 0
+                ;;
+
+            --limit)
+                # with value separated by space
+                if [ -n "$2" ]; then
+                    wrapper_limit=$2
+                    shift
+                else
+                    printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
+                    exit 1
+                fi
+                ;;
+            --limit=?*)
+                # with value speparated by =
+                wrapper_limit=${1#*=}
+                ;;
+            --limit=)
+                # without value
+                printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
+                exit 1
+                ;;
+
+            --name)
+                # with value separated by space
+                if [ -n "$2" ]; then
+                    check_name=$2
+                    shift
+                else
+                    printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
+                    exit 1
+                fi
+                ;;
+            --name=?*)
+                # with value speparated by =
+                check_name=${1#*=}
+                ;;
+            --name=)
+                # without value
+                printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
+                exit 1
+                ;;
+
+            --)
+                # End of all options.
+                shift
+                break
+                ;;
+            -?*)
+                # ignore unknown options
+                printf 'WARN: Unknown option : %s\n' "$1" >&2
+                exit 1
+                ;;
+            *)
+                # Default case: If no more options then break out of the loop.
+                break
+                ;;
+        esac
+
+        shift
+    done
+    # The rest is the command
+    check_command="$*"
+else
+    # no option is passed (backward compatibility with previous version)
+    # treat the first argument as check_name and the rest as the command
+    check_name="${1}"
+    shift
+    check_command="$*"
+fi
+
+# Default values or errors
+if [ -z "${wrapper_limit}" ]; then
+    wrapper_limit="${wrapper_limit_default}"
+fi
+if [ -z "${check_name}" ]; then
+    printf 'ERROR: You must specify a check name, with --name.\n' >&2
+    exit 1
+fi
+if [ -z "${check_command}" ]; then
+    printf 'ERROR: You must specify a command to execute.\n' >&2
+    exit 1
+fi
+
+readonly check_name
+readonly check_command
+readonly wrapper_limit
+
+check_file="/var/lib/misc/${check_name}_alerts_disabled"
+readonly check_file
+
+check_stdout=$(mktemp --tmpdir=/tmp "${check_name}_stdout.XXXX")
+readonly check_stdout
+
+# shellcheck disable=SC2064
+trap "rm ${check_stdout}" EXIT
+
+main

From ca28df1b75f9838ee12b81318bfbcd8855682b91 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Fri, 22 Oct 2021 13:57:56 +0200
Subject: [PATCH 077/125] evocheck: upstream release 21.10.3

---
 CHANGELOG.md               |  2 +-
 evocheck/files/evocheck.sh | 11 ++++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 16bba5df..bf55d9af 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,7 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Changed
 
-* evocheck: upstream release 21.10.2
+* evocheck: upstream release 21.10.3
 * evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
 * mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
 * mongodb: Support version 5.0 (for buster)
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 8a5719a8..b2aa4138 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -4,7 +4,7 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
 
-VERSION="21.10.2"
+VERSION="21.10.3"
 readonly VERSION
 
 # base functions
@@ -1412,8 +1412,11 @@ get_version() {
         #    /path/to/my_command --get-version 
         #    ;;
 
+        add-vm)
+            grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
+            ;;
         ## Let's try the --version flag before falling back to grep for the constant
-        kvmstats | add-vm)
+        kvmstats)
             if ${command} --version > /dev/null 2> /dev/null; then
                  ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3
             else
@@ -1439,7 +1442,9 @@ check_version() {
         if [ -z "${actual_version}" ]; then
             failed "IS_VERSIONS_CHECK" "failed to lookup actual version of ${program}"
         elif dpkg --compare-versions "${actual_version}" lt "${expected_version}"; then
-            failed "IS_VERSIONS_CHECK" "${program} version ${expected_version} expected, but ${actual_version} found"
+            failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is older than expected version ${expected_version}"
+        elif dpkg --compare-versions "${actual_version}" gt "${expected_version}"; then
+            failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update tour index."
         else
             : # Version check OK
         fi

From 90acb99c2a3d29c7736f65461ce992721d420384 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois <jdubois@evolix.fr>
Date: Fri, 22 Oct 2021 14:51:36 +0200
Subject: [PATCH 078/125] nagios-nrpe: new check influxdb

---
 CHANGELOG.md                        | 1 +
 nagios-nrpe/templates/evolix.cfg.j2 | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bf55d9af..e66fb5c1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
 
 * evolinux-base: add script backup-server-state
+* nagios-nrpe: new check influxdb
 
 ### Changed
 
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2
index 6c0dd873..7b63b017 100644
--- a/nagios-nrpe/templates/evolix.cfg.j2
+++ b/nagios-nrpe/templates/evolix.cfg.j2
@@ -56,6 +56,7 @@ command[check_bkctld_jails]=sudo /usr/sbin/bkctld check-jails
 # "check_bkctld" is here as backward compatibility, but is replaced by "check_bkctld_jails"
 command[check_bkctld]=sudo /usr/sbin/bkctld check
 command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023
+command[check_influxdb]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /health -p 8086 -r '"status":"pass"'
 
 # Local checks (not packaged)
 command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10

From 0e2b43a1e92bfe95f4c0d2b880d0ed5be405e9f1 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Fri, 22 Oct 2021 15:33:57 +0200
Subject: [PATCH 079/125] backup-server-state: add virsh and lxc lists

---
 evolinux-base/files/backup-server-state.sh | 52 ++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/evolinux-base/files/backup-server-state.sh b/evolinux-base/files/backup-server-state.sh
index 8b79e77f..856cd759 100644
--- a/evolinux-base/files/backup-server-state.sh
+++ b/evolinux-base/files/backup-server-state.sh
@@ -278,6 +278,48 @@ backup_sysctl() {
     fi
 }
 
+backup_virsh() {
+    debug "Backup virsh list"
+
+    virsh_bin=$(command -v virsh)
+
+    if [ -n "${virsh_bin}" ]; then
+        last_result=$(${virsh_bin} list --all > "${backup_dir}/virsh-list.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* virsh list OK"
+        else
+            debug "* virsh list ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* virsh not installed"
+    fi
+}
+
+backup_lxc() {
+    debug "Backup lxc list"
+
+    lxc_ls_bin=$(command -v lxc-ls)
+
+    if [ -n "${lxc_ls_bin}" ]; then
+        last_result=$(${lxc_ls_bin} --fancy > "${backup_dir}/lxc-list.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* lxc list OK"
+        else
+            debug "* lxc list ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* lxc-ls not installed"
+    fi
+}
+
 main() {
     if [ -z "${backup_dir}" ]; then
         echo "ERROR: You must provide the --backup-dir argument" >&2
@@ -321,6 +363,12 @@ main() {
     if [ "${DO_SYSCTL}" -eq 1 ]; then
         backup_sysctl
     fi
+    if [ "${DO_VIRSH}" -eq 1 ]; then
+        backup_virsh
+    fi
+    if [ "${DO_LXC}" -eq 1 ]; then
+        backup_lxc
+    fi
 
     debug "=> Your backup is available at ${backup_dir}"
     exit ${rc}
@@ -407,6 +455,10 @@ done
 : "${DO_NETCFG:=1}"
 : "${DO_IPTABLES:=1}"
 : "${DO_SYSCTL:=1}"
+: "${DO_VIRSH:=1}"
+: "${DO_LXC:=1}"
+
+export LC_ALL=C
 
 set -u
 

From dd53c01027900b9480374e5f4216a5b95b613421 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Mon, 25 Oct 2021 10:02:12 +0200
Subject: [PATCH 080/125] evocheck: upstream release 21.10.4

---
 CHANGELOG.md               | 2 +-
 evocheck/files/evocheck.sh | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e66fb5c1..5080b525 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,7 +17,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Changed
 
-* evocheck: upstream release 21.10.3
+* evocheck: upstream release 21.10.4
 * evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
 * mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
 * mongodb: Support version 5.0 (for buster)
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index b2aa4138..fb8a6eeb 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -4,7 +4,7 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
 
-VERSION="21.10.3"
+VERSION="21.10.4"
 readonly VERSION
 
 # base functions
@@ -1750,6 +1750,7 @@ while :; do
             IS_KERNELUPTODATE=0
             IS_UPTIME=0
             IS_MELTDOWN_SPECTRE=0
+            IS_CHECK_VERSIONS=0
             ;;
         -v|--verbose)
             VERBOSE=1

From 646a7b18136b5b474317497d6906307bd751b7d4 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Mon, 25 Oct 2021 10:08:40 +0200
Subject: [PATCH 081/125] evocheck: package install is not supported anymore

---
 CHANGELOG.md                                      | 2 ++
 evocheck/README.md                                | 2 --
 evocheck/defaults/main.yml                        | 2 +-
 evocheck/tasks/{install_local.yml => install.yml} | 0
 evocheck/tasks/install_package.yml                | 5 -----
 evocheck/tasks/main.yml                           | 9 +++++----
 evolinux-base/defaults/main.yml                   | 1 -
 evolinux-base/tasks/main.yml                      | 2 --
 8 files changed, 8 insertions(+), 15 deletions(-)
 rename evocheck/tasks/{install_local.yml => install.yml} (100%)
 delete mode 100644 evocheck/tasks/install_package.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5080b525..31ce19c8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Removed
 
+* evocheck: package install is not supported anymore
+
 ### Security
 
 ## [21.09] 2021-09-29
diff --git a/evocheck/README.md b/evocheck/README.md
index ce9999c0..6739bef8 100644
--- a/evocheck/README.md
+++ b/evocheck/README.md
@@ -16,6 +16,4 @@ A separate `exec.yml` file can be imported manually in playbooks or roles to exe
 ## Variables
 
 We can force install via :
-* `evocheck_force_install: local` : will copy the script provided by the role
-* `evocheck_force_install: package` : will install the package via repositories
 * `evocheck_update_crontab` : will update the crontab (default: `True`)
diff --git a/evocheck/defaults/main.yml b/evocheck/defaults/main.yml
index e2d80c2a..6dc43677 100644
--- a/evocheck/defaults/main.yml
+++ b/evocheck/defaults/main.yml
@@ -1,4 +1,4 @@
 ---
-evocheck_force_install: False
+
 evocheck_update_crontab: True
 evocheck_bin_dir: /usr/share/scripts
diff --git a/evocheck/tasks/install_local.yml b/evocheck/tasks/install.yml
similarity index 100%
rename from evocheck/tasks/install_local.yml
rename to evocheck/tasks/install.yml
diff --git a/evocheck/tasks/install_package.yml b/evocheck/tasks/install_package.yml
deleted file mode 100644
index 34e672e5..00000000
--- a/evocheck/tasks/install_package.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: install evocheck from package
-  apt:
-    name: evocheck
-    state: present
diff --git a/evocheck/tasks/main.yml b/evocheck/tasks/main.yml
index 87e2d636..9f6732ac 100644
--- a/evocheck/tasks/main.yml
+++ b/evocheck/tasks/main.yml
@@ -1,10 +1,11 @@
 ---
 
-- include: install_local.yml
-  when: evocheck_force_install == "local"
-
-- include: install_package.yml
+- name: Package install is not supported anymore
+  fail:
+    msg: Package install is not supported anymore
   when: evocheck_force_install == "package"
 
+- include: install.yml
+
 - include: cron.yml
   when: evocheck_update_crontab | bool
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index 05830845..28aa3786 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@@ -208,7 +208,6 @@ evolinux_fail2ban_include: False
 # Evocheck
 
 evolinux_evocheck_include: True
-evolinux_evocheck_force_install: "local"
 
 # Listupgrade
 
diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml
index 590de7d7..49e816ee 100644
--- a/evolinux-base/tasks/main.yml
+++ b/evolinux-base/tasks/main.yml
@@ -118,8 +118,6 @@
 - name: Evocheck
   include_role:
     name: evolix/evocheck
-  vars:
-    evocheck_force_install: "{{ evolinux_evocheck_force_install }}"
   when: evolinux_evocheck_include | bool
 
 - name: Listupgrade

From dcfea674a4980174c613130f3544767249d63978 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Mon, 25 Oct 2021 14:23:52 +0200
Subject: [PATCH 082/125] listupgrade: old-kernel-removal version 21.10

---
 CHANGELOG.md                                |   1 +
 listupgrade/files/old-kernel-autoremoval.sh | 165 ++++++++++++++------
 2 files changed, 118 insertions(+), 48 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 31ce19c8..e57275a1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 * evocheck: upstream release 21.10.4
 * evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
+* listupgrade: old-kernel-removal version 21.10
 * mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
 * mongodb: Support version 5.0 (for buster)
 * mongodb: Allow to specify a mongodb version for buster & bullseye
diff --git a/listupgrade/files/old-kernel-autoremoval.sh b/listupgrade/files/old-kernel-autoremoval.sh
index ceed0b99..ce1c6002 100644
--- a/listupgrade/files/old-kernel-autoremoval.sh
+++ b/listupgrade/files/old-kernel-autoremoval.sh
@@ -4,13 +4,36 @@
 
 # fork by reg from /etc/kernel/postinst.d/apt-auto-removal script
 
-VERSION="21.06.3"
+VERSION="21.10"
+readonly VERSION
 
-set -e
+PROGNAME=$(basename "$0")
 
-# shellcheck disable=SC2046
-eval $(apt-config shell DPKG Dir::bin::dpkg/f)
-DPKG="${DPKG:-/usr/bin/dpkg}"
+show_version() {
+    cat <<END
+${PROGNAME} version ${VERSION}
+
+Copyright 2018-2021 Evolix <info@evolix.fr>,
+               Gregory Colpart <reg@evolix.fr>,
+               Romain Dessort <rdessort@evolix.fr>,
+               Ludovic Poujol <lpoujol@evolix.fr>,
+               Jérémy Lecour <jlecour@evolix.fr>
+               and others.
+
+${PROGNAME} comes with ABSOLUTELY NO WARRANTY.  This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public Licence for details.
+END
+}
+show_help() {
+    cat <<END
+${PROGNAME} removes old kernels.
+
+Options
+ -h, --help                  print this message and exit
+     --version               print version and exit
+END
+}
 
 # Detect which one of apt/aptitude we should use.
 # shellcheck disable=SC2120
@@ -27,57 +50,103 @@ get_apt_binary() {
     fi
 }
 
-listupgrade_state_dir="${listupgrade_state_dir:-/var/lib/listupgrade}"
+main() {
+    specifc_kernel="$1"
 
-APT=$(get_apt_binary)
+    # shellcheck disable=SC2046
+    eval $(apt-config shell DPKG Dir::bin::dpkg/f)
+    DPKG="${DPKG:-/usr/bin/dpkg}"
 
-list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+(linux|kfreebsd|gnumach)-image-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2,$3; }' \
-   | sed -e 's#^\(linux\|kfreebsd\|gnumach\)-image-##' -e 's#:[^:]\+ # #')"
-debverlist="$(echo "${list}" | cut -d' ' -f 2 | sort --unique --reverse --version-sort)"
+    listupgrade_state_dir="${listupgrade_state_dir:-/var/lib/listupgrade}"
 
-if [ -n "$1" ]; then
-    installed_version="$(echo "$list" | awk "\$1 == \"$1\" { print \$2;exit; }")"
-fi
-unamer="$(uname -r | tr '[:upper:]' '[:lower:]')"
-if [ -n "${unamer}" ]; then
-    running_version="$(echo "${list}" | awk "\$1 == \"${unamer}\" { print \$2;exit; }")"
-fi
-# ignore the currently running version if attempting a reproducible build
-if [ -n "${SOURCE_DATE_EPOCH}" ]; then
-    unamer=""
-    running_version=""
-fi
-latest_version="$(echo "${debverlist}" | sed -n 1p)"
-previous_version="$(echo "${debverlist}" | sed -n 2p)"
+    APT=$(get_apt_binary)
 
-debkernels="$(echo "${latest_version}
-${installed_version}
-${running_version}" | sort -u | sed -e '/^$/ d')"
-kernels="$( (echo "$1
-${unamer}"; for deb in ${debkernels}; do echo "${list}" | awk "\$2 == \"${deb}\" { print \$1; }"; done; ) \
-   | sed -e 's#\([\.\+]\)#\\\1#g' -e '/^$/ d' | sort -u|tr '\n' '|' | sed -e 's/|$//')"
+    list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+(linux|kfreebsd|gnumach)-image-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2,$3; }' \
+    | sed -e 's#^\(linux\|kfreebsd\|gnumach\)-image-##' -e 's#:[^:]\+ # #')"
+    debverlist="$(echo "${list}" | cut -d' ' -f 2 | sort --unique --reverse --version-sort)"
+
+    if [ -n "${specifc_kernel}" ]; then
+        installed_version="$(echo "$list" | awk "\$1 == \"${specifc_kernel}\" { print \$2;exit; }")"
+    fi
+    unamer="$(uname -r | tr '[:upper:]' '[:lower:]')"
+    if [ -n "${unamer}" ]; then
+        running_version="$(echo "${list}" | awk "\$1 == \"${unamer}\" { print \$2;exit; }")"
+    fi
+    # ignore the currently running version if attempting a reproducible build
+    if [ -n "${SOURCE_DATE_EPOCH}" ]; then
+        unamer=""
+        running_version=""
+    fi
+    latest_version="$(echo "${debverlist}" | sed -n 1p)"
+    previous_version="$(echo "${debverlist}" | sed -n 2p)"
+
+    debkernels="$(echo "${latest_version}
+    ${installed_version}
+    ${running_version}" | sort -u | sed -e '/^$/ d')"
+    kernels="$( (echo "${specifc_kernel}
+    ${unamer}"; for deb in ${debkernels}; do echo "${list}" | awk "\$2 == \"${deb}\" { print \$1; }"; done; ) \
+    | sed -e 's#\([\.\+]\)#\\\1#g' -e '/^$/ d' | sort -u|tr '\n' '|' | sed -e 's/|$//')"
 
 
-echo "
-List of installed kernel packages:
-$list
+    echo "
+    List of installed kernel packages:
+    $list
 
-# Running kernel: ${running_version:-ignored} (${unamer:-ignored})
-# Last kernel: ${latest_version}
-# Previous kernel: ${previous_version}
-# Kernel versions list to keep:
-${debkernels}
+    # Running kernel: ${running_version:-ignored} (${unamer:-ignored})
+    # Last kernel: ${latest_version}
+    # Previous kernel: ${previous_version}
+    # Kernel versions list to keep:
+    ${debkernels}
 
-# Kernel packages (version part) to protect:
-${kernels}
-"
+    # Kernel packages (version part) to protect:
+    ${kernels}
+    "
 
-echo "BEFORE"
-dpkg -l | grep linux-image
+    echo "BEFORE"
+    dpkg -l | grep linux-image
 
-dpkg --get-selections | tr '\t' ' ' | cut -d" " -f1 | grep '^linux-image-[234]' | grep -v -E "(${kernels})" | xargs --no-run-if-empty ${APT} -o Dir::State::Lists="${listupgrade_state_dir}" -y purge
+    dpkg --get-selections | tr '\t' ' ' | cut -d" " -f1 | grep '^linux-image-[234]' | grep -v -E "(${kernels})" | xargs --no-run-if-empty ${APT} -o Dir::State::Lists="${listupgrade_state_dir}" -y purge
 
-echo "
-AFTER"
-dpkg -l | grep linux-image
-echo ""
+    echo "
+    AFTER"
+    dpkg -l | grep linux-image
+    echo ""
+
+}
+
+# Parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+    case $1 in
+        -h|-\?|--help)
+            show_help
+            exit 0
+            ;;
+        -V|--version)
+            show_version
+            exit 0
+            ;;
+        --)
+            # End of all options.
+            shift
+            break
+            ;;
+        -?*|[[:alnum:]]*)
+            # ignore unknown options
+            if [ "${QUIET}" != 1 ]; then
+                printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
+            fi
+            ;;
+        *)
+            # Default case: If no more options then break out of the loop.
+            break
+            ;;
+    esac
+
+    shift
+done
+
+set -e
+
+
+main "${@}"

From b9c1e9eafe50c3856c24da641906df8599af11f8 Mon Sep 17 00:00:00 2001
From: "William Hirigoyen (Evolix)" <whirigoyen@evolix.fr>
Date: Tue, 26 Oct 2021 15:34:13 +0200
Subject: [PATCH 083/125] Fix missing quote, option createhome -> create_home
 in Ansible 3.10, no mode option in user module (fix error introduced in
 e75eeb8c3fa6ed1dcb3f584f3408eb3f8e24b5e0)

---
 webapps/nextcloud/tasks/main.yml | 2 +-
 webapps/nextcloud/tasks/user.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml
index 8e165559..a6d39b4b 100644
--- a/webapps/nextcloud/tasks/main.yml
+++ b/webapps/nextcloud/tasks/main.yml
@@ -28,7 +28,7 @@
     state: present
   tags:
     - nextcloud
-  when: ansible_python_version is version('3', '<)
+  when: ansible_python_version is version('3', '<')
 
 # dependency for mysql_user and mysql_db
 - name: python3 modules is installed (Ansible dependency)
diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml
index dd778f87..e89fe41a 100644
--- a/webapps/nextcloud/tasks/user.yml
+++ b/webapps/nextcloud/tasks/user.yml
@@ -12,9 +12,9 @@
     group: "{{ nextcloud_user }}"
     home: "{{ nextcloud_home | mandatory }}"
     shell: '/bin/bash'
-    createhome: True
+    create_home: True
     state: present
-    mode: "0755"
+#    mode: "0755"
   tags:
   - nextcloud
 

From 2ea8d279d58cba8d1ee3c81b68d015de6f8d34ea Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Wed, 27 Oct 2021 10:43:17 +0200
Subject: [PATCH 084/125] Add replication graph for mysql

---
 mysql/tasks/munin.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mysql/tasks/munin.yml b/mysql/tasks/munin.yml
index 33da8492..9ee8f95f 100644
--- a/mysql/tasks/munin.yml
+++ b/mysql/tasks/munin.yml
@@ -63,6 +63,7 @@
       - sorts
       - table_locks
       - tmp_tables
+      - replication
     notify: restart munin-node
 
   - name: verify Munin configuration for mysql

From 02472164295cfdde907fef783f3fde7f1c4626c3 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin <abenmiloud+git@evolix.fr>
Date: Thu, 28 Oct 2021 10:27:44 +0200
Subject: [PATCH 085/125] [kvmstats] Sort domain list

---
 kvm-host/files/kvmstats.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/kvm-host/files/kvmstats.sh b/kvm-host/files/kvmstats.sh
index 0b3f4f2d..0dcfb4e8 100755
--- a/kvm-host/files/kvmstats.sh
+++ b/kvm-host/files/kvmstats.sh
@@ -40,7 +40,7 @@ error () {
 }
 
 main() {
-    for VM in $(virsh list --name --all)
+    for VM in $(virsh list --name --all | sed '/^$/d' | sort)
     do
         echo "$VM"
 
@@ -200,4 +200,3 @@ while :; do
 done
 
 main
-

From 6cf8195744f2198e7b149c828b01826cfbf01fc7 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Fri, 29 Oct 2021 07:52:22 +0200
Subject: [PATCH 086/125] evolinux-base: fix alert5.service dependency syntax

---
 CHANGELOG.md                       | 1 +
 evolinux-base/files/alert5.service | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e57275a1..f7455b82 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Fixed
 
+* evolinux-base: fix alert5.service dependency syntax
 * mysql : Create a default ~root/.my.cnf for compatibility reasons
 * nginx : fix variable name and debug to actually use nginx-light
 * packweb-apache : Support php 8.0 
diff --git a/evolinux-base/files/alert5.service b/evolinux-base/files/alert5.service
index eb5c72a9..ea966b37 100644
--- a/evolinux-base/files/alert5.service
+++ b/evolinux-base/files/alert5.service
@@ -1,10 +1,10 @@
 [Unit]
 Description=Evolix alert5 script
+After=network.target
 
 [Service]
 Type=oneshot
 ExecStart=/usr/share/scripts/alert5.sh
 
 [Install]
-WantedBy=multi-user.target
-After=network.target
\ No newline at end of file
+WantedBy=multi-user.target
\ No newline at end of file

From 51aaac0cbc5ef013148b2fcabe4f16e9f29d64a9 Mon Sep 17 00:00:00 2001
From: "William Hirigoyen (Evolix)" <whirigoyen@evolix.fr>
Date: Fri, 29 Oct 2021 14:54:44 +0200
Subject: [PATCH 087/125] =?UTF-8?q?Fix=20evocheck=5Fforce=5Finstall=20VARI?=
 =?UTF-8?q?ABLE=20IS=20NOT=20DEFINED=20(valid=C3=A9=20par=20jlecour)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 evocheck/tasks/main.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/evocheck/tasks/main.yml b/evocheck/tasks/main.yml
index 9f6732ac..2032740b 100644
--- a/evocheck/tasks/main.yml
+++ b/evocheck/tasks/main.yml
@@ -3,7 +3,9 @@
 - name: Package install is not supported anymore
   fail:
     msg: Package install is not supported anymore
-  when: evocheck_force_install == "package"
+  when: 
+    - evocheck_force_install is defined
+    - evocheck_force_install == "package"
 
 - include: install.yml
 

From 039c740ef3b64665e96453be8cb43531ae670140 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Mon, 1 Nov 2021 10:16:52 +0100
Subject: [PATCH 088/125] mysql: add evomariabackup 21.11

---
 CHANGELOG.md                  |   1 +
 mysql/files/evomariabackup.sh | 554 ++++++++++++++++++++++++++++++++++
 mysql/tasks/utils.yml         |   9 +
 3 files changed, 564 insertions(+)
 create mode 100644 mysql/files/evomariabackup.sh

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f7455b82..4549cdca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
 
 * evolinux-base: add script backup-server-state
+* mysql: add evomariabackup 21.11
 * nagios-nrpe: new check influxdb
 
 ### Changed
diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh
new file mode 100644
index 00000000..0e3de84b
--- /dev/null
+++ b/mysql/files/evomariabackup.sh
@@ -0,0 +1,554 @@
+#!/bin/sh
+
+VERSION="21.11"
+
+show_version() {
+    cat <<END
+evomariabackup version ${VERSION}
+
+Copyright 2004-2021 Evolix <info@evolix.fr>,
+                    Éric Morino <emorino@evolix.fr>,
+                    Jérémy Lecour <jlecour@evolix.fr>
+                    and others.
+
+evomariabackup comes with ABSOLUTELY NO WARRANTY.  This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU Affero General Public License v3.0 for details.
+END
+}
+show_help() {
+    cat <<EOF
+Usage: evomariabackup --backup-dir /path/to/mariabackup-target --compress-file /path/to/compressed.tgz
+Options
+    --backup-dir     mariabackup target directory
+    --compress-file  File name for the compressed version
+    --backup         Force backup phase
+    --no-backup      Skip backup phase
+    --compress       Force compress phase
+    --no-compress    Skip compress phase
+    --log-file       Log file to send messages
+    --verbose        Output much more information (to stdout/stderr or the log file)
+    --quiet          Ouput only the most critical information
+    --lock-file      Specify which lock file to use (default: /run/lock/mariabackup.lock)
+    --max-age        Lock file is ignored if older than this (default: 1d)
+    -h|--help|-?     Display help
+    -V|--version     Display version, authors and license
+
+Example usage for a backup then compress :
+    # /usr/local/bin/evomariabackup --verbose \
+        --backup-dir /backup/mariabackup/current \
+        --compress-file /backup/mariabackup/compressed/$(date +%H).tgz \
+        --log-file /var/log/evomariabackup.log
+
+max-age possible values:
+    Xd = X days
+    X or Xh = X hours
+    Xm = X minutes
+    Xs = X seconds
+EOF
+}
+
+log_date() {
+    date +"%Y-%m-%d %H:%M:%S"
+}
+is_log_file() {
+    test -n "${log_file}"
+}
+is_verbose() {
+    test "${verbose}" = "1"
+}
+is_quiet() {
+    test "${quiet}" = "1"
+}
+log_line() {
+    level=$1
+    msg=$2
+    printf "[%s] %s: %s\n" "$(log_date)" "${level}" "${msg}"
+}
+log_debug() {
+    level="DEBUG"
+    msg=$1
+    if ! is_quiet && is_verbose; then
+        if is_log_file; then
+            log_line "${level}" "${msg}" >> "${log_file}"
+        else
+            log_line "${level}" "${msg}" >&2
+        fi
+    fi
+}
+log_info() {
+    level="INFO"
+    msg=$1
+    if ! is_quiet; then
+        if is_log_file; then
+            log_line "${level}" "${msg}" >> "${log_file}"
+        else
+            log_line "${level}" "${msg}" >&2
+        fi
+    fi
+}
+log_warning() {
+    level="WARNING"
+    msg=$1
+    if ! is_quiet; then
+        if is_log_file; then
+            log_line "${level}" "${msg}" >> "${log_file}"
+        else
+            log_line "${level}" "${msg}" >&2
+        fi
+    fi
+}
+log_error() {
+    level="ERROR"
+    msg=$1
+    if ! is_quiet; then
+        if is_log_file; then
+            log_line "${level}" "${msg}" >> "${log_file}"
+            if tty -s; then
+                printf "%s\n" "${msg}" >&2
+            fi
+        else
+            log_line "${level}" "${msg}" >&2
+        fi
+    fi
+}
+log_fatal() {
+    level="FATAL"
+    msg=$1
+    if is_log_file; then
+        log_line "${level}" "${msg}" >> "${log_file}"
+        if tty -s; then
+            printf "%s\n" "${msg}" >&2
+        fi
+    else
+        log_line "${level}" "${msg}" >&2
+    fi
+}
+duration_in_seconds() {
+    if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
+        duration=$(echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr)
+    elif echo "${1}" | grep -E -q '^[0-9]+$'; then
+        duration=$(echo "${1} * 3600" | xargs expr)
+    else
+        return 1
+    fi
+    log_debug "Duration \`${1}' translated to ${duration} seconds"
+
+    echo "${duration}"
+}
+lock_file_created_at() {
+    created_at=$(stat -c %Z "${lock_file}")
+    log_debug "Lock file ${lock_file} created at ${created_at}"
+
+    echo "${created_at}"
+}
+lock_file_age() {
+    last_change=$(lock_file_created_at)
+    now=$(date +"%s")
+
+    age=$(( now - last_change ))
+    log_debug "Lock file ${lock_file} is ${age} seconds old"
+
+    echo "${created_at}"
+}
+is_lock_file_too_old() {
+    test "$(lock_file_age)" -ge "${max_age}"
+}
+kill_or_clean_lockfile() {
+    lock_file=${1:-}
+
+    if [ -f "${lock_file}" ]; then
+        # Get Process ID from the lock file
+        pid=$(cat "${lock_file}")
+        if [ -n "${pid}" ]; then
+            log_debug "Found pid ${pid} in ${lock_file}"
+
+            if kill -0 "${pid}" 2> /dev/null; then
+                log_debug "Found process with pid ${pid}"
+
+                lock_file_created_at_human=$(date --date "@$(lock_file_created_at)" +"%Y-%m-%d %H:%M:%S")
+                if is_lock_file_too_old ; then
+                    # Kill the children
+                    pkill -9 --parent "${pid}"
+                    # Kill the parent
+                    kill -9 "${pid}"
+                    # Only one process can run in parallel
+                    log_warning "Process \`${pid}' (started at ${lock_file_created_at_human}) has been killed by \`$$'"
+                else
+                    log_info "Process \`${pid}' (started at ${lock_file_created_at_human}) has precedence. Let's leave it work."
+                    # make sure that this exit doesn't remove the existing lockfile !!
+                    exit 0
+                fi
+            else
+                log_warning "Process not found at PID \`${pid}'. Ignoring lock file \`${lock_file}'."
+            fi
+        else
+            log_warning "Empty lockfile \`${lock_file}'. It should contain a PID."
+        fi
+        # Remove the lock file
+        rm -f "${lock_file}"
+        log_debug "Lock file ${lock_file} has been removed"
+    fi
+}
+new_lock_file() {
+    lock_file=${1:-}
+    lock_dir=$(dirname "${lock_file}")
+
+    if mkdir --parents "${lock_dir}"; then
+        echo $$ > "${lock_file}"
+        log_debug "Lock file '${lock_file}' has been created"
+    else
+        log_fatal "Failed to acquire lock file '${lock_file}'. Abort."
+        exit 1
+    fi
+}
+is_mariabackup_directory() {
+    directory=${1:-}
+    find "${directory}" -name 'ibdata*' -o -name 'ib_logfile*' -o -name 'xtrabackup_*' > /dev/null
+}
+check_backup_dir() {
+    if [ -d "${backup_dir:?}" ]; then
+        if [ "$(ls -A "${backup_dir:?}")" ]; then
+            if is_mariabackup_directory "${backup_dir:?}"; then
+                log_debug "The backup directory ${backup_dir:?} is not empty but looks like a mariabackup target. Let's clear it."
+                rm -rf "${backup_dir:?}"
+            else
+                log_fatal "The backup directory ${backup_dir:?} is not empty and doesn't look like a mariabackup target. Please verify and clear the directory if you are sure."
+                exit 1
+            fi
+        else
+            log_debug "The backup directory ${backup_dir:?} exists but is empty. Let's proceed."
+        fi
+    else
+        log_debug "The backup directory ${backup_dir:?} doesn't exist. Let's proceed."
+    fi
+    mkdir -p "${backup_dir:?}"
+}
+check_compress_dir() {
+    if [ -d "${compress_dir:?}" ]; then
+        log_debug "The compress_dir directory ${compress_dir:?} exists. Let's proceed."
+    else
+        log_debug "The compress_dir directory ${compress_dir:?} doesn't exist. Let's proceed."
+    fi
+    mkdir -p "${compress_dir:?}"
+}
+
+backup() {
+    if [ -z "${backup_dir}" ]; then
+        log_fatal "backup-dir option is empty"
+    else
+        check_backup_dir
+    fi
+
+    mariabackup_bin=$(command -v mariabackup)
+    if [ -z "${mariabackup_bin}" ]; then
+        log_fatal "Couldn't find mariabackup.\nUse 'apt install mariadb-backup'."
+        exit 1
+    fi
+
+    backup_command="${mariabackup_bin} --backup --slave-info --target-dir=${backup_dir:?}"
+
+
+    if ! is_quiet; then
+        log_debug "${backup_command}"
+        log_info "BEGIN mariabackup backup phase"
+    fi
+
+    if is_quiet || ! is_verbose ; then
+        ${backup_command} >/dev/null 2>&1
+        backup_rc=$?
+    elif ! is_quiet; then
+        if is_log_file; then
+            ${backup_command} >>"${log_file}" 2>&1
+            backup_rc=$?
+        else
+            ${backup_command}
+            backup_rc=$?
+        fi
+    fi
+
+    if [ ${backup_rc} -ne 0 ]; then
+        log_fatal "Error executing mariabackup --backup"
+        exit 1
+    elif ! is_quiet; then
+        log_info "END mariabackup backup phase"
+    fi
+
+    prepare_command="${mariabackup_bin} --prepare --target-dir=${backup_dir:?}"
+
+    if ! is_quiet; then
+        log_debug "${prepare_command}"
+        log_info "BEGIN mariabackup prepare phase"
+    fi
+
+    if is_quiet || ! is_verbose ; then
+        ${prepare_command} >/dev/null 2>&1
+        prepare_rc=$?
+    elif ! is_quiet; then
+        if is_log_file; then
+            ${prepare_command} >>"${log_file}" 2>&1
+            prepare_rc=$?
+        else
+            ${prepare_command}
+            prepare_rc=$?
+        fi
+    fi
+
+    if [ ${prepare_rc} -ne 0 ]; then
+        log_fatal "Error executing mariabackup --prepare"
+        exit 1
+    elif ! is_quiet; then
+        log_info "END mariabackup prepare phase"
+    fi
+}
+compress() {
+    compress_dir=$(dirname "${compress_file}")
+
+    if [ -z "${backup_dir}" ]; then
+        log_fatal "backup-dir option is empty"
+        exit 1
+    elif [ -e "${backup_dir}" ] && [ ! -d "${backup_dir}" ]; then
+        log_fatal "backup directory '${backup_dir}' exists but is not a directory"
+        exit 1
+    fi
+    if [ -z "${compress_file}" ]; then
+        log_fatal "compress-file option is empty"
+        exit 1
+    fi
+    if [ -n "${compress_dir}" ]; then
+        check_compress_dir
+    fi
+
+    pigz_bin=$(command -v pigz)
+    gzip_bin=$(command -v gzip)
+
+    if [ -n "${pigz_bin}" ]; then
+        compress_program="${pigz_bin} --keep -6"
+    elif [ -n "${gzip_bin}" ]; then
+        compress_program="${gzip_bin} -6"
+    else
+        log_fatal "Couldn't find pigz nor gzip.\nUse 'apt install pigz' or 'apt install gzip'."
+        exit 1
+    fi
+
+    if ! is_quiet; then
+        log_debug "Compression of ${backup_dir} to ${compress_file} using \`${compress_program}'"
+        log_info "BEGIN compression phase"
+    fi
+    if is_quiet || ! is_verbose ; then
+        tar --use-compress-program="${compress_program}" -cf "${compress_file}" "${backup_dir}" >/dev/null 2>&1
+        tar_rc=$?
+    elif ! is_quiet; then
+        if is_log_file; then
+            tar --use-compress-program="${compress_program}" -cf "${compress_file}" "${backup_dir}" >>"${log_file}" 2>&1
+            tar_rc=$?
+        else
+            tar --use-compress-program="${compress_program}" -cf "${compress_file}" "${backup_dir}"
+            tar_rc=$?
+        fi
+    fi
+
+    if [ ${tar_rc} -ne 0 ]; then
+        log_fatal "An error occured while compressing ${backup_dir} to ${compress_file}"
+        exit 1
+    elif ! is_quiet; then
+        log_info "END compression phase"
+    fi
+}
+main() {
+    kill_or_clean_lockfile "${lock_file}"
+    # shellcheck disable=SC2064
+    trap "rm -f ${lock_file};" 0
+    new_lock_file "${lock_file}"
+
+    if [ "${do_backup}" = "1" ] && [ -n "${backup_dir}" ]; then
+        backup "${backup_dir}"
+    fi
+
+    if [ "${do_compress}" = "1" ] && [ -n "${compress_file}" ]; then
+        compress "${backup_dir}" "${compress_file}"
+    fi
+}
+
+# Declare variables
+
+lock_file=""
+log_file=""
+verbose=""
+quiet=""
+max_age=""
+max_age=""
+do_backup=""
+backup_dir=""
+do_compress=""
+compress_file=""
+
+# Parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+    case $1 in
+        -h|-\?|--help)
+            show_help
+            exit 0
+            ;;
+        -V|--version)
+            show_version
+            exit 0
+            ;;
+
+        -m|--max-age)
+            # with value separated by space
+            if [ -n "$2" ]; then
+                max_age=$(duration_in_seconds "$2")
+                shift
+            else
+                log_fatal 'ERROR: "-m|--max-age" requires a non-empty option argument.'
+            fi
+            ;;
+        --max-age=?*)
+            # with value speparated by =
+            max_age=$(duration_in_seconds "${1#*=}")
+            ;;
+        --max-age=)
+            # without value
+            log_fatal 'ERROR: "--max-age" requires a non-empty option argument.'
+            ;;
+
+        --backup)
+            do_backup=1
+            ;;
+
+        --no-backup)
+            do_backup=0
+            ;;
+
+        --backup-dir)
+            # with value separated by space
+            if [ -n "$2" ]; then
+                backup_dir="$2"
+                shift
+            else
+                log_fatal 'ERROR: "--backup-dir" requires a non-empty option argument.'
+            fi
+            ;;
+        --backup-dir=?*)
+            # with value speparated by =
+            backup_dir=${1#*=}
+            ;;
+        --backup-dir=)
+            # without value
+            log_fatal '"--backup-dir" requires a non-empty option argument.'
+            ;;
+
+        --compress)
+            do_compress=1
+            ;;
+
+        --no-compress)
+            do_compress=0
+            ;;
+
+        --compress-file)
+            # with value separated by space
+            if [ -n "$2" ]; then
+                compress_file="$2"
+                if [ -z "${do_compress}" ]; then
+                    do_compress=1
+                fi
+                shift
+            else
+                log_fatal '"--compress-file" requires a non-empty option argument.'
+            fi
+            ;;
+        --compress-file=?*)
+            # with value speparated by =
+            compress_file=${1#*=}
+            if [ -z "${do_compress}" ]; then
+                do_compress=1
+            fi
+            ;;
+        --compress-file=)
+            # without value
+            log_fatal '"--compress-file" requires a non-empty option argument.'
+            ;;
+
+        --lock-file)
+            # with value separated by space
+            if [ -n "$2" ]; then
+                lock_file="$2"
+                shift
+            else
+                log_fatal '"--lock-file" requires a non-empty option argument.'
+            fi
+            ;;
+        --lock-file=?*)
+            # with value speparated by =
+            lock_file=${1#*=}
+            ;;
+        --lock-file=)
+            # without value
+            log_fatal '"--lock-file" requires a non-empty option argument.'
+            ;;
+
+        --log-file)
+            # with value separated by space
+            if [ -n "$2" ]; then
+                log_file="$2"
+                shift
+            else
+                log_fatal '"--log-file" requires a non-empty option argument.'
+            fi
+            ;;
+        --log-file=?*)
+            # with value speparated by =
+            log_file=${1#*=}
+            ;;
+        --log-file=)
+            # without value
+            log_fatal '"--log-file" requires a non-empty option argument.'
+            ;;
+
+        -v|--verbose)
+            verbose=1
+            ;;
+
+        --quiet)
+            quiet=1
+            verbose=0
+            ;;
+
+        --)
+            # End of all options.
+            shift
+            break
+            ;;
+        -?*|[[:alnum:]]*)
+            # ignore unknown options
+            if tty -s; then
+               printf 'Unknown option : %s\n' "$1" >&2
+                echo "" >&2
+                show_usage >&2
+                exit 1
+            else
+                log_fatal 'Unknown option : %s\n' "$1" >&2
+            fi
+            ;;
+        *)
+            # Default case: If no more options then break out of the loop.
+            break
+            ;;
+    esac
+
+    shift
+done
+
+# Default values
+
+lock_file="${lock_file:-/run/lock/evomariabackup.lock}"
+verbose=${verbose:-0}
+quiet=${quiet:-0}
+max_age="${max_age:-86400}"
+do_backup="${do_backup:-1}"
+do_compress="${do_compress:-0}"
+
+main
\ No newline at end of file
diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml
index b210ca3a..e55b6361 100644
--- a/mysql/tasks/utils.yml
+++ b/mysql/tasks/utils.yml
@@ -229,5 +229,14 @@
     dest: "{{ _mysql_scripts_dir }}/mysql-queries-killer.sh"
     mode: "0755"
     force: no
+  tags:
+    - mysql
+
+- name: "Install evomariabackup"
+  copy:
+    src: evomariabackup.sh
+    dest: "{{ _mysql_scripts_dir }}/evomariabackup"
+    mode: "0755"
+    force: no
   tags:
     - mysql
\ No newline at end of file

From e4bb0c6f55e95ea61049db57f14c40e55bda7bf7 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Fri, 12 Nov 2021 10:07:43 +0100
Subject: [PATCH 089/125] filebeat/metricbeat: version 7.x y default

---
 CHANGELOG.md                 | 1 +
 filebeat/defaults/main.yml   | 2 +-
 metricbeat/defaults/main.yml | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4549cdca..60938983 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 * evocheck: upstream release 21.10.4
 * evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
+* filebeat/metricbeat: version 7.x y default
 * listupgrade: old-kernel-removal version 21.10
 * mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
 * mongodb: Support version 5.0 (for buster)
diff --git a/filebeat/defaults/main.yml b/filebeat/defaults/main.yml
index 598a08ed..deed1508 100644
--- a/filebeat/defaults/main.yml
+++ b/filebeat/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-elastic_stack_version: "6.x"
+elastic_stack_version: "7.x"
 
 filebeat_logstash_plugin: False
 
diff --git a/metricbeat/defaults/main.yml b/metricbeat/defaults/main.yml
index 9529bef3..780a4ffd 100644
--- a/metricbeat/defaults/main.yml
+++ b/metricbeat/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-elastic_stack_version: "6.x"
+elastic_stack_version: "7.x"
 
 metricbeat_elasticsearch_hosts:
   - "localhost:9200"

From 4fb885a33b30f1f93d2be85171b70a9ff8e41f38 Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Mon, 15 Nov 2021 11:33:34 +0100
Subject: [PATCH 090/125] Fix right for redis log dir and log file

---
 redis/tasks/instance-server.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/redis/tasks/instance-server.yml b/redis/tasks/instance-server.yml
index 08430eb8..462ee8f4 100644
--- a/redis/tasks/instance-server.yml
+++ b/redis/tasks/instance-server.yml
@@ -87,7 +87,7 @@
 - name: "Instance '{{ redis_instance_name }}' data/log directories are present"
   file:
     dest: "{{ item }}"
-    mode: "0750"
+    mode: "0751"
     owner: "redis-{{ redis_instance_name }}"
     group: "redis-{{ redis_instance_name }}"
     follow: yes
@@ -98,6 +98,17 @@
   tags:
     - redis
 
+- name: "Instance '{{ redis_instance_name }}' log file are present"
+  file:
+    path: "{{ redis_log_dir }}/redis-server.log"
+    mode: "660"
+    owner: "redis-{{ redis_instance_name }}"
+    group: "adm"
+    state: touch
+  tags:
+    - redis
+
+
 - name: "Instance '{{ redis_instance_name }}' configuration file is present"
   template:
     src: redis.conf.j2

From 21bd4021d3313ac17f5c4e92b87fe8077b2bf873 Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Mon, 22 Nov 2021 10:42:46 +0100
Subject: [PATCH 091/125] add virsh list --all on kvm host and this neighbor

---
 kvm-host/tasks/ssh.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kvm-host/tasks/ssh.yml b/kvm-host/tasks/ssh.yml
index c48722a3..7ac01487 100644
--- a/kvm-host/tasks/ssh.yml
+++ b/kvm-host/tasks/ssh.yml
@@ -43,6 +43,6 @@
     state: present
     special_time: "daily"
     user: root
-    job: "virsh list --all | ssh {{ hostvars[item]['ansible_hostname'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'"
+    job: "virsh list --all | tee /root/virsh-list.txt | ssh {{ hostvars[item]['ansible_hostname'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'"
   loop: "{{ groups['hypervisors'] }}"
   when: item != inventory_hostname

From c9af7db8278d7ddcae7a5759e798b6361d20e225 Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Mon, 22 Nov 2021 11:38:10 +0100
Subject: [PATCH 092/125] re-activation task ssh.yml + modify crontab for sync
 list of running vm + add tags

---
 kvm-host/tasks/main.yml |  2 +-
 kvm-host/tasks/ssh.yml  | 28 +++++++++++++++-------------
 2 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/kvm-host/tasks/main.yml b/kvm-host/tasks/main.yml
index 95cb7090..a2f6953c 100644
--- a/kvm-host/tasks/main.yml
+++ b/kvm-host/tasks/main.yml
@@ -5,7 +5,7 @@
   when: kvm_install_drbd
 
 ## TODO: check why it's disabled
-#- include: ssh.yml
+- include: ssh.yml
 
 - include: packages.yml
 
diff --git a/kvm-host/tasks/ssh.yml b/kvm-host/tasks/ssh.yml
index 7ac01487..4ead9dcf 100644
--- a/kvm-host/tasks/ssh.yml
+++ b/kvm-host/tasks/ssh.yml
@@ -15,17 +15,17 @@
   debug:
     msg: "{{ ssh_keys.stdout }}"
 
-- name: Autorize other kvm ssh key
-  authorized_key:
-    user: root
-    state: present
-    key: "{{ item[0] }}"
-  delegate_to: "{{ item[1] }}"
-  loop: "{{ _keys | product(_servers) | list }}"
-  vars:
-    _keys: ssh_keys.stdout
-    _servers: groups['hypervisors']
-  when: item[1] != inventory_hostname
+#- name: Autorize other kvm ssh key
+#  authorized_key:
+#    user: root
+#    state: present
+#    key: "{{ item[0] }}"
+#  delegate_to: "{{ item[1] }}"
+#  loop: "{{ _keys | product(_servers) | list }}"
+#  vars:
+#    _keys: ssh_keys.stdout
+#    _servers: groups['hypervisors']
+#  when: item[1] != inventory_hostname
 
 - name: Crontab for sync libvirt xml file
   cron:
@@ -33,9 +33,10 @@
     state: present
     special_time: "hourly"
     user: root
-    job: "rsync -a --delete /etc/libvirt/qemu/ {{ hostvars[item]['ansible_hostname'] }}:/root/libvirt-{{ inventory_hostname }}/"
+    job: "rsync -a --delete /etc/libvirt/qemu/ {{ hostvars[item]['ansible_pair'] }}:/root/libvirt-{{ inventory_hostname }}/"
   loop: "{{ groups['hypervisors'] }}"
   when: item != inventory_hostname
+  tags: crontab
 
 - name: Crontab for sync list of running vm
   cron:
@@ -43,6 +44,7 @@
     state: present
     special_time: "daily"
     user: root
-    job: "virsh list --all | tee /root/virsh-list.txt | ssh {{ hostvars[item]['ansible_hostname'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'"
+    job: "virsh list --all | tee /root/virsh-list.txt | ssh {{ hostvars[item]['ansible_pair'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'"
   loop: "{{ groups['hypervisors'] }}"
   when: item != inventory_hostname
+  tags: crontab

From 8dca949564aaa7c695dbf1914e0a09c4cd8dffef Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Mon, 22 Nov 2021 11:44:07 +0100
Subject: [PATCH 093/125] Add *xml to crontab for sync libvirt xml file

---
 kvm-host/tasks/ssh.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kvm-host/tasks/ssh.yml b/kvm-host/tasks/ssh.yml
index 4ead9dcf..1d79707c 100644
--- a/kvm-host/tasks/ssh.yml
+++ b/kvm-host/tasks/ssh.yml
@@ -33,7 +33,7 @@
     state: present
     special_time: "hourly"
     user: root
-    job: "rsync -a --delete /etc/libvirt/qemu/ {{ hostvars[item]['ansible_pair'] }}:/root/libvirt-{{ inventory_hostname }}/"
+    job: "rsync -a --delete /etc/libvirt/qemu/*xml {{ hostvars[item]['ansible_pair'] }}:/root/libvirt-{{ inventory_hostname }}/"
   loop: "{{ groups['hypervisors'] }}"
   when: item != inventory_hostname
   tags: crontab

From a35139fceec289ba01176486341f99f16d6fd326 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Mon, 22 Nov 2021 16:28:30 +0100
Subject: [PATCH 094/125] Add missing sudoers line (for old debian 9)

---
 evolinux-users/templates/sudoers_stretch.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2
index e99d9141..4a522e1b 100644
--- a/evolinux-users/templates/sudoers_stretch.j2
+++ b/evolinux-users/templates/sudoers_stretch.j2
@@ -13,6 +13,7 @@ nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/8.0/fpm/pool.d/
+nagios          ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios
 nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor
 nagios          ALL = NOPASSWD: /sbin/dmsetup status --noflush
 nagios          ALL = NOPASSWD: /sbin/megacli -PDList -aALL -NoLog

From 82694ef5e996eb4bb884c5d31077c7a22252b1f1 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Mon, 22 Nov 2021 17:40:49 +0100
Subject: [PATCH 095/125] generate-ldif: Don't miss detect deb11 as VM

---
 generate-ldif/templates/generateldif.sh.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2
index e0463078..9adb31b0 100755
--- a/generate-ldif/templates/generateldif.sh.j2
+++ b/generate-ldif/templates/generateldif.sh.j2
@@ -31,7 +31,7 @@ computerKernel=$(uname -r)
 HardwareSerial=$(dmidecode -s system-serial-number | grep -v '^#')
 
 type="baremetal"
-lscpu | grep -q KVM && type="kvm"
+lscpu | grep "Hypervisor vendor:" | grep -q KVM && type="kvm"
 lscpu | grep -q Oracle && type="virtualbox"
 
 if [ "$type" = "kvm" ]; then

From d3eef71127baf00a51456b9e3bc746fe73726045 Mon Sep 17 00:00:00 2001
From: Mathieu Trossevin <mtrossevin+git@evolix.fr>
Date: Tue, 16 Nov 2021 14:50:12 +0100
Subject: [PATCH 096/125] nagios-nrpe: Fix check_nfsserver for buster and
 bullseye

From buster onward the nfs server doesn't run NFSv4 over UDP (it is out
of spec, see RFC 7530). As such the check broke as it attempt to check
the availability of NFSv4 over UDP.

Right now the check doesn't check for NFSv2 over UDP as it would need to
check if it exist first, as on bullseye it isn't supported by default
anymore.
---
 CHANGELOG.md                              | 3 ++-
 nagios-nrpe/files/plugins/check_nfsserver | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 60938983..5f21ad6a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,7 +31,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * evolinux-base: fix alert5.service dependency syntax
 * mysql : Create a default ~root/.my.cnf for compatibility reasons
 * nginx : fix variable name and debug to actually use nginx-light
-* packweb-apache : Support php 8.0 
+* packweb-apache : Support php 8.0
+* nagios-nrpe: Fix check\_nfsserver for buster and bullseye
 
 ### Removed
 
diff --git a/nagios-nrpe/files/plugins/check_nfsserver b/nagios-nrpe/files/plugins/check_nfsserver
index 80752bfd..3debccc4 100755
--- a/nagios-nrpe/files/plugins/check_nfsserver
+++ b/nagios-nrpe/files/plugins/check_nfsserver
@@ -1,12 +1,12 @@
 #!/bin/sh
 # Check if nfs server is running using rpcinfo
 
-rpcinfo -u localhost nfs
+rpcinfo -T udp localhost nfs 3
 if [ $? -ne 0 ]; then
     exit 2
 fi
 
-rpcinfo -t localhost nfs
+rpcinfo -T tcp localhost nfs
 if [ $? -ne 0 ]; then
     exit 2
 fi

From 2ec026c2b3c55cea31bb24dfa7d7e09b543de500 Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Fri, 26 Nov 2021 11:08:02 +0100
Subject: [PATCH 097/125] Change variable item by kvm_pair and disable loop on
 all 'hypervisor' group

---
 kvm-host/tasks/ssh.yml | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/kvm-host/tasks/ssh.yml b/kvm-host/tasks/ssh.yml
index 1d79707c..a36f7549 100644
--- a/kvm-host/tasks/ssh.yml
+++ b/kvm-host/tasks/ssh.yml
@@ -29,22 +29,20 @@
 
 - name: Crontab for sync libvirt xml file
   cron:
-    name: "sync libvirt xml on {{ item }}"
+    name: "sync libvirt xml on {{ kvm_pair }}"
     state: present
     special_time: "hourly"
     user: root
-    job: "rsync -a --delete /etc/libvirt/qemu/*xml {{ hostvars[item]['ansible_pair'] }}:/root/libvirt-{{ inventory_hostname }}/"
-  loop: "{{ groups['hypervisors'] }}"
-  when: item != inventory_hostname
+    job: "rsync -a --delete /etc/libvirt/qemu/*xml {{ hostvars[kvm_pair]['lan.ip'] }}:/root/libvirt-{{ inventory_hostname }}/"
+  when: kvm_pair != inventory_hostname
   tags: crontab
 
 - name: Crontab for sync list of running vm
   cron:
-    name: "sync list of libvirt running vm on {{ item }}"
+    name: "sync list of libvirt running vm on {{ kvm_pair }}"
     state: present
     special_time: "daily"
     user: root
-    job: "virsh list --all | tee /root/virsh-list.txt | ssh {{ hostvars[item]['ansible_pair'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'"
-  loop: "{{ groups['hypervisors'] }}"
-  when: item != inventory_hostname
+    job: "virsh list --all | tee /root/virsh-list.txt | ssh {{ hostvars[kvm_pair]['lan.ip'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'"
+  when: kvm_pair != inventory_hostname
   tags: crontab

From 7e36d038040819fa06e59fdb1d32caeb72b9c788 Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Fri, 26 Nov 2021 15:42:39 +0100
Subject: [PATCH 098/125] Add new location by default for /.well-know, fix some
 warning in Nextcloud check setup

---
 webapps/nextcloud/templates/nginx.conf.j2 | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/webapps/nextcloud/templates/nginx.conf.j2 b/webapps/nextcloud/templates/nginx.conf.j2
index ffb72f01..78532377 100644
--- a/webapps/nextcloud/templates/nginx.conf.j2
+++ b/webapps/nextcloud/templates/nginx.conf.j2
@@ -35,20 +35,19 @@ server {
         access_log off;
     }
 
-    # The following 2 rules are only needed for the user_webfinger app.
-    # Uncomment it if you're planning to use this app.
-    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+    # Make a regex exception for `/.well-known` so that clients can still
+    # access it despite the existence of the regex rule
+    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+    # for `/.well-known`.
+    location ^~ /.well-known {
+        # The following 6 rules are borrowed from `.htaccess`
 
-    # The following rule is only needed for the Social app.
-    # Uncomment it if you're planning to use this app.
-    rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
+        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
+        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
+        # Anything else is dynamically handled by Nextcloud
+        location ^~ /.well-known            { return 301 /index.php$uri; }
 
-    location = /.well-known/carddav {
-      return 301 $scheme://$host:$server_port/remote.php/dav;
-    }
-    location = /.well-known/caldav {
-      return 301 $scheme://$host:$server_port/remote.php/dav;
+        try_files $uri $uri/ =404;
     }
 
     # set max upload size

From cd7c488713ae6a92aee370b95a86b81596c0b175 Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Fri, 26 Nov 2021 16:37:00 +0100
Subject: [PATCH 099/125] Add rule .well-know to allow letsencrypt challenge

---
 webapps/nextcloud/templates/nginx.conf.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/webapps/nextcloud/templates/nginx.conf.j2 b/webapps/nextcloud/templates/nginx.conf.j2
index 78532377..c2b7b7e3 100644
--- a/webapps/nextcloud/templates/nginx.conf.j2
+++ b/webapps/nextcloud/templates/nginx.conf.j2
@@ -46,6 +46,7 @@ server {
         location = /.well-known/caldav      { return 301 /remote.php/dav/; }
         # Anything else is dynamically handled by Nextcloud
         location ^~ /.well-known            { return 301 /index.php$uri; }
+        location ~ ^/.well-known/acme-challenge/* { allow all; }
 
         try_files $uri $uri/ =404;
     }

From bd429275d149013ed5da12d967b6c84e8b045ca3 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Wed, 8 Dec 2021 18:07:53 +0100
Subject: [PATCH 100/125] generate-ldif: properly flag virtual machines on
 vmware as virtual machines

---
 generate-ldif/templates/generateldif.sh.j2 | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2
index 9adb31b0..8eb729cf 100755
--- a/generate-ldif/templates/generateldif.sh.j2
+++ b/generate-ldif/templates/generateldif.sh.j2
@@ -32,16 +32,29 @@ HardwareSerial=$(dmidecode -s system-serial-number | grep -v '^#')
 
 type="baremetal"
 lscpu | grep "Hypervisor vendor:" | grep -q KVM && type="kvm"
+lscpu | grep "Hypervisor vendor:" | grep -q VMware && type="vmware"
 lscpu | grep -q Oracle && type="virtualbox"
 
 if [ "$type" = "kvm" ]; then
+    ComputerType="VM"
     HardwareMark="KVM"
     HardwareModel="Virtual Machine"
 
     cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3)
     cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
     cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
+
+elif [ "$type" = "vmware" ]; then
+    ComputerType="VM"
+    HardwareMark="VMWare"
+    HardwareModel="Virtual Machine"
+
+    cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3)
+    cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
+    cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
+
 elif [ "$type" = "virtualbox" ]; then
+    ComputerType="VM"
     HardwareMark="VirtualBox"
     HardwareModel="Virtual Machine"
 
@@ -49,6 +62,7 @@ elif [ "$type" = "virtualbox" ]; then
     cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
     cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
 else
+    ComputerType="Baremetal"
     HardwareModel=$(dmidecode -s system-product-name | grep -v '^#')
 
     cpuMark=$(dmidecode -s processor-manufacturer | grep -v '^#' | head -1)
@@ -115,6 +129,7 @@ NagiosEnabled: ${NagiosEnabled}
 NagiosComments: ${monitoringType},${monitoringMode},${monitoringTimeout}
 HardwareSerial: ${HardwareSerial}
 clientNumber: ${clientNumber}
+ComputerType: ${computerType}
 EOT
 
 # CPU

From d27d6b69cd38513b961583c04b6d6dab8d152a2c Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Wed, 8 Dec 2021 18:35:55 +0100
Subject: [PATCH 101/125] evolinux-base: Add missing dependency dmidecode

---
 evolinux-base/tasks/packages.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml
index 9d9a6d6a..33cf1b99 100644
--- a/evolinux-base/tasks/packages.yml
+++ b/evolinux-base/tasks/packages.yml
@@ -16,6 +16,7 @@
       - ssl-cert
       - ca-certificates
       - rename
+      - dmidecode
   when: evolinux_packages_system | bool
 
 - name: Install/Update diagnostic tools

From 8b701e615fab45da847ba7312bed704cc48d0f1c Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Fri, 10 Dec 2021 11:37:33 +0100
Subject: [PATCH 102/125] evolinux-base: Donner le choix de changer (ou non) le
 motd

---
 evolinux-base/defaults/main.yml | 3 +++
 evolinux-base/tasks/main.yml    | 1 +
 2 files changed, 4 insertions(+)

diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index 28aa3786..61e4277c 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@@ -219,3 +219,6 @@ evolinux_generateldif_include: True
 
 # Cron check_hpraid
 evolinux_cron_checkhpraid_frequency: daily
+
+# Motd
+evolinux_motd_include: True
\ No newline at end of file
diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml
index 49e816ee..dbd50950 100644
--- a/evolinux-base/tasks/main.yml
+++ b/evolinux-base/tasks/main.yml
@@ -97,6 +97,7 @@
   when: evolinux_log2mail_include | bool
 
 - include: motd.yml
+  when: evolinux_motd_include | bool
 
 - include: utils.yml
 

From 64b632c0002b6356342a7847a65013073269b84b Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Fri, 10 Dec 2021 11:37:56 +0100
Subject: [PATCH 103/125] evolinux-base: Donner le choix (ou non) de virer
 apt-listchanges

---
 evolinux-base/defaults/main.yml  | 1 +
 evolinux-base/tasks/packages.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index 61e4277c..591bc62b 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@@ -89,6 +89,7 @@ evolinux_packages_invalid_mta: True
 evolinux_packages_delete_nfs: True
 evolinux_packages_listchanges: True
 evolinux_packages_logcheck_recipient: False
+evolinux_packages_delete_aptlistchanges: True
 
 # system
 
diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml
index 33cf1b99..f4eafc6c 100644
--- a/evolinux-base/tasks/packages.yml
+++ b/evolinux-base/tasks/packages.yml
@@ -145,5 +145,6 @@
   when:
     - ansible_distribution == "Debian"
     - ansible_distribution_major_version is version('9', '>=')
+    - evolinux_packages_delete_aptlistchanges
 
 - meta: flush_handlers

From 7c7ccf07ebfa17300f3cff4f65c3ab2675e9adf9 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Mon, 13 Dec 2021 17:01:59 +0100
Subject: [PATCH 104/125] generate-ldif: fix typo in var name (cap)

---
 generate-ldif/templates/generateldif.sh.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2
index 8eb729cf..aa3ec7dd 100755
--- a/generate-ldif/templates/generateldif.sh.j2
+++ b/generate-ldif/templates/generateldif.sh.j2
@@ -129,7 +129,7 @@ NagiosEnabled: ${NagiosEnabled}
 NagiosComments: ${monitoringType},${monitoringMode},${monitoringTimeout}
 HardwareSerial: ${HardwareSerial}
 clientNumber: ${clientNumber}
-ComputerType: ${computerType}
+ComputerType: ${ComputerType}
 EOT
 
 # CPU

From 7bb7b22d1ff99b936073043a55c6801c482d724f Mon Sep 17 00:00:00 2001
From: Eric Morino <emorino@evolix.fr>
Date: Mon, 20 Dec 2021 09:59:25 +0100
Subject: [PATCH 105/125] Add redirectMath 404 on http request /.git by default

---
 apache/files/evolinux-defaults.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf
index 06e28d9e..5e3e4700 100644
--- a/apache/files/evolinux-defaults.conf
+++ b/apache/files/evolinux-defaults.conf
@@ -57,3 +57,6 @@ MaxKeepAliveRequests 10
 <LocationMatch "^/evolinux_fpm_status-.*">
     Require all denied
 </LocationMatch>
+
+# Block http request on /.git
+RedirectMatch 404 /\.git

From 1c754f7eb02d72d0efc939840e91f7650e9c85ef Mon Sep 17 00:00:00 2001
From: "William Hirigoyen (Evolix)" <whirigoyen@evolix.fr>
Date: Tue, 21 Dec 2021 15:27:27 +0100
Subject: [PATCH 106/125] Fix Filebeat role for --check mode.

---
 filebeat/handlers/main.yml | 1 +
 filebeat/tasks/main.yml    | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/filebeat/handlers/main.yml b/filebeat/handlers/main.yml
index 0a6d83f9..3ad08a63 100644
--- a/filebeat/handlers/main.yml
+++ b/filebeat/handlers/main.yml
@@ -4,3 +4,4 @@
   systemd:
     name: filebeat
     state: restarted
+  when: not ansible_check_mode
diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml
index c84c4db8..dd326cc8 100644
--- a/filebeat/tasks/main.yml
+++ b/filebeat/tasks/main.yml
@@ -62,6 +62,7 @@
     name: filebeat
     enabled: yes
   notify: restart filebeat
+  when: not ansible_check_mode
 
 - name: is logstash-plugin available?
   stat:
@@ -140,7 +141,9 @@
     when:
       - filebeat_elasticsearch_auth_username | length > 0
       - filebeat_elasticsearch_auth_password | length > 0
-  when: not (filebeat_use_config_template | bool)
+  when:
+    - not (filebeat_use_config_template | bool)
+    - not ansible_check_mode
 
 - name: Filebeat api_key for Elasticsearch are configured
   lineinfile:

From ec346a42a51b64efa5c6daa1d8fcdda2f0a1f1a7 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 23 Dec 2021 16:56:23 +0100
Subject: [PATCH 107/125] munin: systemd override to unprotect home directory

---
 CHANGELOG.md            |  1 +
 munin/handlers/main.yml |  5 +++++
 munin/tasks/main.yml    | 17 +++++++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5f21ad6a..b8961b58 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
 
 * evolinux-base: add script backup-server-state
+* munin: systemd override to unprotect home directory
 * mysql: add evomariabackup 21.11
 * nagios-nrpe: new check influxdb
 
diff --git a/munin/handlers/main.yml b/munin/handlers/main.yml
index a0d465a2..8654181d 100644
--- a/munin/handlers/main.yml
+++ b/munin/handlers/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: restart munin-node
   service:
     name: munin-node
@@ -8,3 +9,7 @@
   service:
     name: munin_node
     state: restarted
+
+- name: systemd daemon-reload
+  systemd:
+    daemon_reload: yes
\ No newline at end of file
diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml
index aab79f62..addc5107 100644
--- a/munin/tasks/main.yml
+++ b/munin/tasks/main.yml
@@ -88,3 +88,20 @@
       [swap]
       user root
   when: ansible_kernel is search("-grs-")
+
+- name: Create override directory for munin-node unit
+  file:
+    name: /etc/systemd/system/munin-node.service.d/
+    state: directory
+    mode: "0755"
+
+- name: Override is present for protected home
+  ini_file:
+    dest: "/etc/systemd/system/munin-node.service.d/override.conf"
+    section: "Service"
+    option: "ProtectHome"
+    value: "false"
+    state: present
+    notify:
+      - systemd daemon-reload
+      - restart munin-node
\ No newline at end of file

From 1893b6dea5ca19ca78389e32dc6053d818b91c84 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 23 Dec 2021 16:56:43 +0100
Subject: [PATCH 108/125] don't enable alert5 service in check mode

---
 evolinux-base/tasks/system.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml
index 486dc2e8..4b6c95b4 100644
--- a/evolinux-base/tasks/system.yml
+++ b/evolinux-base/tasks/system.yml
@@ -182,6 +182,7 @@
     - evolinux_system_alert5_init | bool
     - evolinux_system_alert5_enable | bool
     - ansible_distribution_major_version is version('10', '>=')
+    - not ansible_check_mode
 
 ## network interfaces
 

From 4c6d30a52c4e30027eb818db1b3d8934fc656f94 Mon Sep 17 00:00:00 2001
From: Brice Waegeneire <bwaegeneire+git@evolix.fr>
Date: Tue, 28 Dec 2021 16:11:20 +0100
Subject: [PATCH 109/125] apache: block access to .git* and .env* files

---
 apache/files/evolinux-defaults.conf | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf
index 5e3e4700..65c8c921 100644
--- a/apache/files/evolinux-defaults.conf
+++ b/apache/files/evolinux-defaults.conf
@@ -48,15 +48,23 @@ MaxKeepAliveRequests 10
     Deny from env=GoAway
 </Directory>
 
+<DirectoryMatch "/\.git">
+    # We don't want to let the client know a file exist on the server,
+    # so we return 404 "Not found" instead of 403 "Forbidden".
+    Redirect 404
+</DirectoryMatch>
 
-<Files ~ "\.(inc|bak)$">
-    Require all denied
-</Files>
+# File names starting with
+<FilesMatch "^\.(git|env)">
+    Redirect 404
+</FilesMatch>
 
+# File names ending with
+<FilesMatch "\.(inc|bak)$">
+    Redirect 404
+</FilesMatch>
 
 <LocationMatch "^/evolinux_fpm_status-.*">
     Require all denied
 </LocationMatch>
 
-# Block http request on /.git
-RedirectMatch 404 /\.git

From 14883aa95e63a694c12672edea5c87566b21de2e Mon Sep 17 00:00:00 2001
From: "William Hirigoyen (Evolix)" <whirigoyen@evolix.fr>
Date: Tue, 11 Jan 2022 11:02:03 +0100
Subject: [PATCH 110/125] Ensure that /var is mounted with dev and exec options
 prior to LXC container creation.

---
 evolinux-base/tasks/fstab.yml |  1 +
 lxc/tasks/main.yml            | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/evolinux-base/tasks/fstab.yml b/evolinux-base/tasks/fstab.yml
index e10f483e..a3933844 100644
--- a/evolinux-base/tasks/fstab.yml
+++ b/evolinux-base/tasks/fstab.yml
@@ -1,5 +1,6 @@
 ---
 # TODO: trouver comment faire une copie initiale de /etc/fstab
+#   - piste : paramètre "backup" du module mount https://docs.ansible.com/ansible/latest/collections/ansible/posix/mount_module.html
 # TODO: try to use the custom mount_uuid module for a different approach
 
 - name: Fetch fstab content
diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml
index 23e40971..4d7f0128 100644
--- a/lxc/tasks/main.yml
+++ b/lxc/tasks/main.yml
@@ -43,6 +43,16 @@
     - lxc_unprivilegied_containers | bool
     - root_subuids.rc != 0
 
+- name: /var has mount options dev and exec enabled
+  mount:
+    path: /var
+    opts: dev,exec
+    state: remounted
+  with_items: "{{ ansible_mounts }}"
+  when: "item.mount == '/var' and
+        ('nodev' in item.options.split(',') or
+        'noexec' in item.options.split(','))"
+
 - name: Create containers
   include: create-container.yml
   vars:

From bd39adaf689f549a126cf439008d2357094d5870 Mon Sep 17 00:00:00 2001
From: "William Hirigoyen (Evolix)" <whirigoyen@evolix.fr>
Date: Tue, 11 Jan 2022 11:48:57 +0100
Subject: [PATCH 111/125] Fail if /var has nodev or noexec option enabled.

---
 lxc/tasks/main.yml | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml
index 4d7f0128..daf2885a 100644
--- a/lxc/tasks/main.yml
+++ b/lxc/tasks/main.yml
@@ -43,15 +43,11 @@
     - lxc_unprivilegied_containers | bool
     - root_subuids.rc != 0
 
-- name: /var has mount options dev and exec enabled
-  mount:
-    path: /var
-    opts: dev,exec
-    state: remounted
-  with_items: "{{ ansible_mounts }}"
-  when: "item.mount == '/var' and
-        ('nodev' in item.options.split(',') or
-        'noexec' in item.options.split(','))"
+- name: Check if /var has not mount options nodev or noexec
+  shell: findmnt | grep -E "/var[^/]" | grep -e nodev -e noexec
+  register: check_var
+  changed_when: false
+  failed_when: "check_var.rc == 0"
 
 - name: Create containers
   include: create-container.yml

From ca1f465aaa6a0f2bf66abc454235a9dd67f8abd3 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Fri, 31 Dec 2021 08:58:39 +0100
Subject: [PATCH 112/125] nodejs: default to version 16 LTS

---
 CHANGELOG.md             | 1 +
 nodejs/defaults/main.yml | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b8961b58..de6fc8b7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
 * mongodb: Support version 5.0 (for buster)
 * mongodb: Allow to specify a mongodb version for buster & bullseye
+* nodejs: default to version 16 LTS
 
 ### Fixed
 
diff --git a/nodejs/defaults/main.yml b/nodejs/defaults/main.yml
index 70c5d483..8f36de49 100644
--- a/nodejs/defaults/main.yml
+++ b/nodejs/defaults/main.yml
@@ -1,3 +1,6 @@
 ---
-nodejs_apt_version: 'node_12.x'
+
+# https://nodejs.org/en/about/releases/
+nodejs_apt_version: 'node_16.x'
+
 nodejs_install_yarn: False

From ea382a1686d39e56c17e5451fe1d084bb84f31b6 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Wed, 12 Jan 2022 13:04:11 +0100
Subject: [PATCH 113/125] varnish: add additional options

---
 varnish/defaults/main.yml                | 1 +
 varnish/templates/varnish.conf.buster.j2 | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/varnish/defaults/main.yml b/varnish/defaults/main.yml
index fd22bfe2..2de75a15 100644
--- a/varnish/defaults/main.yml
+++ b/varnish/defaults/main.yml
@@ -14,6 +14,7 @@ varnish_thread_pool_add_delay: 0
 varnish_thread_pool_min: 500
 varnish_thread_pool_max: 5000
 varnish_jail: "unix,user=vcache"
+varnish_additional_options: ""
 
 varnish_config_file: /etc/varnish/default.vcl
 varnish_secret_file: /etc/varnish/secret
diff --git a/varnish/templates/varnish.conf.buster.j2 b/varnish/templates/varnish.conf.buster.j2
index 63439b61..77e7d408 100644
--- a/varnish/templates/varnish.conf.buster.j2
+++ b/varnish/templates/varnish.conf.buster.j2
@@ -2,4 +2,4 @@
 
 [Service]
 ExecStart=
-ExecStart=/usr/sbin/varnishd -F -j {{ varnish_jail }} {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
+ExecStart=/usr/sbin/varnishd -F -j {{ varnish_jail }} {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} {{ varnish_additional_options }}

From c8a862c5e76d3d29531a5b704543e8a869026e0a Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Fri, 14 Jan 2022 17:06:48 +0100
Subject: [PATCH 114/125] =?UTF-8?q?nagios-nrpe:=20Am=C3=A9lioration=20du?=
 =?UTF-8?q?=20check=20phpfpm=5Fstatus=20et=20phpfpm=5Fmulti?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pour phpfpm_status > Ajout de la possibilité d'avoir un seuil de max procs actifs
Pour phpfpm_multi > Utilisation des seuils max (calculé sur le pm.max_children) + timeout
---
 nagios-nrpe/files/plugins/check_phpfpm_multi  |  9 +++--
 .../files/plugins/check_phpfpm_status.pl      | 36 +++++++++++++------
 2 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/nagios-nrpe/files/plugins/check_phpfpm_multi b/nagios-nrpe/files/plugins/check_phpfpm_multi
index b2788d86..865c31d3 100644
--- a/nagios-nrpe/files/plugins/check_phpfpm_multi
+++ b/nagios-nrpe/files/plugins/check_phpfpm_multi
@@ -33,7 +33,11 @@ for pool_file in $POOL_FILES; do
   pool_name=$(grep "^\[" "$pool_file" | sed -E 's/^\[(.*)\].*$/\1/g')
   pool_status_path=$(grep -E "^pm.status_path\s?=" "$pool_file" |  sed -E "s/.*=\s?'?([^']*)'?\s?$/\1/g")
   pool_listen=$(grep -E "^listen\s?=" "$pool_file" |  sed -E 's/.*=\s?(.*)\s?$/\1/g')
-  
+  pool_max_children=$(grep -E "^pm.max_children" "$pool_file" | sed -E 's/.*=\s?(.*)\s?$/\1/g' )
+
+  pool_crit_procs=$(expr $pool_max_children \* 85 / 100)
+  pool_warn_procs=$(expr $pool_max_children \* 55 / 100)
+
   if [[ "$pool_status_path" == '' ]]; then
       nb_unchk=$((nb_unchk + 1))
       output="${output}UNCHK - ${pool_name} (missing pm.status_path definition)\n" 
@@ -47,7 +51,7 @@ for pool_file in $POOL_FILES; do
     target=(-H "$(echo "$pool_listen" | cut -d':' -f1)" -p "$(echo "$pool_listen" | cut -d':' -f2 )")
   fi
   
-  result=$(perl /usr/local/lib/nagios/plugins/check_phpfpm_status.pl "${target[@]}" -u "$pool_status_path")
+  result=$(perl /usr/local/lib/nagios/plugins/check_phpfpm_status.pl -t 5 "${target[@]}" -u "$pool_status_path" -c "$pool_crit_procs" -w "$pool_warn_procs" )
   ret="${?}"
   
   if [ "${ret}" -ge 2 ]; then
@@ -80,3 +84,4 @@ printf "%b" "${output}" | grep -E "OK"
 printf "%b" "${output}" | grep -E "^UNCHK"
 
 exit "${return}"
+
diff --git a/nagios-nrpe/files/plugins/check_phpfpm_status.pl b/nagios-nrpe/files/plugins/check_phpfpm_status.pl
index fb8ba65c..4b4875c5 100755
--- a/nagios-nrpe/files/plugins/check_phpfpm_status.pl
+++ b/nagios-nrpe/files/plugins/check_phpfpm_status.pl
@@ -38,6 +38,8 @@ my $o_user=           undef;     # user for auth
 my $o_pass=           '';        # password for auth
 my $o_realm=          '';        # password for auth
 my $o_version=        undef;     # print version
+my $o_warn_a_level=   -1;        # Max number of active workers that will cause a warning
+my $o_crit_a_level=   -1;        # Max number of active workers that will cause an error
 my $o_warn_p_level=   -1;        # Min number of idle workers that will cause a warning
 my $o_crit_p_level=   -1;        # Min number of idle workersthat will cause an error
 my $o_warn_q_level=   -1;        # Number of Max Queue Reached that will cause a warning
@@ -130,17 +132,19 @@ sub help {
 -X, --cacert
    Full path to the cacert.pem certificate authority used to verify ssl certificates (use with --verifyssl).
    if not given the cacert from Mozilla::CA cpan plugin will be used.
--w, --warn=MIN_AVAILABLE_PROCESSES,PROC_MAX_REACHED,QUEUE_MAX_REACHED
+-w, --warn=MAX_ACTIVE_PROCESSES,MIN_AVAILABLE_PROCESSES,PROC_MAX_REACHED,QUEUE_MAX_REACHED
    number of available workers, or max states reached that will cause a warning
    -1 for no warning
--c, --critical=MIN_AVAILABLE_PROCESSES,PROC_MAX_REACHED,QUEUE_MAX_REACHED
+-c, --critical=MAX_ACTIVE_PROCESSES,MIN_AVAILABLE_PROCESSES,PROC_MAX_REACHED,QUEUE_MAX_REACHED
    number of available workers, or max states reached that will cause an error
    -1 for no CRITICAL
 -V, --version
    prints version number
 
 Note :
-  3 items can be managed on this check, this is why -w and -c parameters are using 3 values thresholds
+  4 items can be managed on this check, this is why -w and -c parameters are using 3 values thresholds
+  - MAX_ACTIVE_PROCESSES:  Working with the number of available (Idle) and working processes (Busy).
+    Generating WARNING and CRITICAL if you do have too many Active processes.
   - MIN_AVAILABLE_PROCESSES: Working with the number of available (Idle) and working processes (Busy).
     Generating WARNING and CRITICAL if you do not have enough Idle processes.
   - PROC_MAX_REACHED: the fpm-status report will show us how many times the max processes were reached since start,
@@ -231,12 +235,12 @@ sub check_options {
     };
 
     if (defined($o_warn_threshold)) {
-        ($o_warn_p_level,$o_warn_m_level,$o_warn_q_level) = split(',', $o_warn_threshold);
+        ($o_warn_a_level,$o_warn_p_level,$o_warn_m_level,$o_warn_q_level) = split(',', $o_warn_threshold);
     } else {
         $o_warn_threshold = 'undefined'
     }
     if (defined($o_crit_threshold)) {
-        ($o_crit_p_level,$o_crit_m_level,$o_crit_q_level) = split(',', $o_crit_threshold);
+        ($o_crit_a_level,$o_crit_p_level,$o_crit_m_level,$o_crit_q_level) = split(',', $o_crit_threshold);
     } else {
         $o_crit_threshold = 'undefined'
     }
@@ -247,20 +251,24 @@ sub check_options {
         $o_fastcgi = 1;
     }
     if (defined($o_debug)) {
-        print("\nDEBUG thresholds: \nWarning: ($o_warn_threshold) => Min Idle: $o_warn_p_level Max Reached :$o_warn_m_level MaxQueue: $o_warn_q_level");
-        print("\nCritical ($o_crit_threshold) => : Min Idle: $o_crit_p_level Max Reached: $o_crit_m_level MaxQueue : $o_crit_q_level\n");
+        print("\nDEBUG thresholds: \nWarning: ($o_warn_threshold) => Max Active: $o_warn_a_level Min Idle: $o_warn_p_level Max Reached :$o_warn_m_level MaxQueue: $o_warn_q_level");
+        print("\nCritical ($o_crit_threshold) => Max Active: $o_crit_a_level Min Idle: $o_crit_p_level Max Reached: $o_crit_m_level MaxQueue : $o_crit_q_level\n");
+    }
+    if ((defined($o_warn_a_level) && defined($o_crit_a_level)) &&
+         (($o_warn_a_level != -1) && ($o_crit_a_level != -1) && ($o_warn_a_level <= $o_crit_p_level)) ) {
+        nagios_exit($phpfpm,"UNKNOWN","Check warning and critical values for ActiveProcess (1st part of threshold), warning level must be > crit level!");
     }
     if ((defined($o_warn_p_level) && defined($o_crit_p_level)) &&
          (($o_warn_p_level != -1) && ($o_crit_p_level != -1) && ($o_warn_p_level <= $o_crit_p_level)) ) {
-        nagios_exit($phpfpm,"UNKNOWN","Check warning and critical values for IdleProcesses (1st part of threshold), warning level must be > crit level!");
+        nagios_exit($phpfpm,"UNKNOWN","Check warning and critical values for IdleProcesses (2nd part of threshold), warning level must be > crit level!");
     }
     if ((defined($o_warn_m_level) && defined($o_crit_m_level)) &&
          (($o_warn_m_level != -1) && ($o_crit_m_level != -1) && ($o_warn_m_level >= $o_crit_m_level)) ) {
-        nagios_exit($phpfpm,"UNKNOWN","Check warning and critical values for MaxProcesses (2nd part of threshold), warning level must be < crit level!");
+        nagios_exit($phpfpm,"UNKNOWN","Check warning and critical values for MaxProcesses (3rd part of threshold), warning level must be < crit level!");
     }
     if ((defined($o_warn_q_level) && defined($o_crit_q_level)) &&
          (($o_warn_q_level != -1) && ($o_crit_q_level != -1) && ($o_warn_q_level >= $o_crit_q_level)) ) {
-        nagios_exit($phpfpm,"UNKNOWN","Check warning and critical values for MaxQueue (3rd part of threshold), warning level must be < crit level!");
+        nagios_exit($phpfpm,"UNKNOWN","Check warning and critical values for MaxQueue (4th part of threshold), warning level must be < crit level!");
     }
     # Check compulsory attributes
     if (!defined($o_host)) {
@@ -654,6 +662,9 @@ if ($response->is_success) {
     if (defined($o_crit_p_level) && (-1!=$o_crit_p_level) && ($IdleProcesses <= $o_crit_p_level)) {
         nagios_exit($phpfpm,"CRITICAL", "Idle workers are critically low " . $InfoData,$PerfData);
     }
+    if (defined($o_crit_a_level) && (-1!=$o_crit_a_level) && ($ActiveProcesses >= $o_crit_a_level)) {
+        nagios_exit($phpfpm,"CRITICAL", "Active workers are critically high " . $InfoData,$PerfData);
+    }
     # Then WARNING exits by priority
     if (defined($o_warn_q_level) && (-1!=$o_warn_q_level) && ($MaxListenQueueNew >= $o_warn_q_level)) {
         nagios_exit($phpfpm,"WARNING", "Max queue reached is high " . $InfoData,$PerfData);
@@ -664,6 +675,9 @@ if ($response->is_success) {
     if (defined($o_warn_p_level) && (-1!=$o_warn_p_level) && ($IdleProcesses <= $o_warn_p_level)) {
         nagios_exit($phpfpm,"WARNING", "Idle workers are low " . $InfoData,$PerfData);
     }
+    if (defined($o_warn_a_level) && (-1!=$o_warn_a_level) && ($ActiveProcesses >= $o_warn_a_level)) {
+        nagios_exit($phpfpm,"WARNING", "Active workers are high " . $InfoData,$PerfData);
+    }
 
     nagios_exit($phpfpm,"OK",$InfoData,$PerfData);
 
@@ -733,3 +747,5 @@ sub header() {
     }
     return 0;
 }
+
+

From c4fab71d7a0984dc822dff6a0023c795b408f773 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Sat, 15 Jan 2022 18:50:57 +0100
Subject: [PATCH 115/125] evolinux-base: add new states to backup-server-states

---
 evolinux-base/files/backup-server-state.sh | 182 ++++++++++++++++++++-
 1 file changed, 176 insertions(+), 6 deletions(-)

diff --git a/evolinux-base/files/backup-server-state.sh b/evolinux-base/files/backup-server-state.sh
index 856cd759..0c503c37 100644
--- a/evolinux-base/files/backup-server-state.sh
+++ b/evolinux-base/files/backup-server-state.sh
@@ -2,7 +2,7 @@
 
 PROGNAME="backup-server-state"
 
-VERSION="21.10"
+VERSION="22.01"
 readonly VERSION
 
 backup_dir=
@@ -35,6 +35,30 @@ Options
      --no-etc       no backup copy of /etc (default)
      --dpkg         backup copy of /var/lib/dpkg
      --no-dpkg      no backup copy of /var/lib/dpkg (default)
+     --apt          backup copy of apt extended states (default)
+     --no-apt       no backup copy of apt extended states
+     --packages     backup copy of dpkg selections (default)
+     --no-packages  no backup copy of dpkg selections
+     --processes    backup copy of process list (default)
+     --no-processes no backup copy of process list
+     --uptime       backup of uptime value (default)
+     --no-uptime    no backup of uptime value
+     --netstat      backup copy of netstat (default)
+     --no-netstat   no backup copy of netstat
+     --netcfg       backup copy of network configuration (default)
+     --no-netcfg    no backup copy of network configuration
+     --iptables     backup copy of iptables (default)
+     --no-iptables  no backup copy of iptables
+     --sysctl       backup copy of sysctl values (default)
+     --no-sysctl    no backup copy of sysctl values
+     --virsh        backup copy of virsh list (default)
+     --no-virsh     no backup copy of virsh list
+     --lxc          backup copy of lxc list (default)
+     --no-lxc       no backup copy of lxc list
+     --mount        backup copy of mount points (default)
+     --no-mount     no backup copy of mount points
+     --df           backup copy of disk usage (default)
+     --no-df        no backup copy of disk usage
  -v, --verbose      print details about backup steps
  -V, --version      print version and exit
  -h, --help         print this message and exit
@@ -148,7 +172,7 @@ backup_packages() {
 backup_uptime() {
     debug "Backup uptime"
 
-    last_result=$(uptime > "${backup_dir}/uptime.out")
+    last_result=$(uptime > "${backup_dir}/uptime.txt")
     last_rc=$?
 
     if [ ${last_rc} -eq 0 ]; then
@@ -163,7 +187,7 @@ backup_uptime() {
 backup_processes() {
     debug "Backup process list"
 
-    last_result=$(ps fauxw > "${backup_dir}/ps.out")
+    last_result=$(ps fauxw > "${backup_dir}/ps.txt")
     last_rc=$?
 
     if [ ${last_rc} -eq 0 ]; then
@@ -177,7 +201,7 @@ backup_processes() {
     pstree_bin=$(command -v pstree)
 
     if [ -z "${pstree_bin}" ]; then
-        last_result=$(pstree -pan > "${backup_dir}/pstree.out")
+        last_result=$(pstree -pan > "${backup_dir}/pstree.txt")
         last_rc=$?
 
         if [ ${last_rc} -eq 0 ]; then
@@ -195,7 +219,7 @@ backup_netstat() {
 
     ss_bin=$(command -v ss)
     if [ -z "${ss_bin}" ]; then
-        last_result=$(${ss_bin} -tanpul > "${backup_dir}/listen.out")
+        last_result=$(${ss_bin} -tanpul > "${backup_dir}/netstat-ss.txt")
         last_rc=$?
 
         if [ ${last_rc} -eq 0 ]; then
@@ -209,7 +233,7 @@ backup_netstat() {
 
     netstat_bin=$(command -v netstat)
     if [ -z "${netstat_bin}" ]; then
-        last_result=$(netstat -laputen > "${backup_dir}/netstat.out")
+        last_result=$(netstat -laputen > "${backup_dir}/netstat-legacy.txt")
         last_rc=$?
 
         if [ ${last_rc} -eq 0 ]; then
@@ -320,6 +344,60 @@ backup_lxc() {
     fi
 }
 
+backup_mount() {
+    debug "Backup mount points"
+
+    findmnt_bin=$(command -v findmnt)
+    mount_bin=$(command -v mount)
+
+    if [ -n "${findmnt_bin}" ]; then
+        last_result=$(${findmnt_bin} > "${backup_dir}/mount.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* mount points OK"
+        else
+            debug "* mount points ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    elif [ -n "${mount_bin}" ]; then
+        last_result=$(${mount_bin} > "${backup_dir}/mount.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* mount points OK"
+        else
+            debug "* mount points ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* findmnt and mount not installed"
+    fi
+}
+
+backup_df() {
+    debug "Backup df"
+
+    df_bin=$(command -v df)
+
+    if [ -n "${df_bin}" ]; then
+        last_result=$(${df_bin} --portability > "${backup_dir}/df.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* df OK"
+        else
+            debug "* df ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* df not installed"
+    fi
+}
+
 main() {
     if [ -z "${backup_dir}" ]; then
         echo "ERROR: You must provide the --backup-dir argument" >&2
@@ -369,6 +447,12 @@ main() {
     if [ "${DO_LXC}" -eq 1 ]; then
         backup_lxc
     fi
+    if [ "${DO_MOUNT}" -eq 1 ]; then
+        backup_mount
+    fi
+    if [ "${DO_DF}" -eq 1 ]; then
+        backup_df
+    fi
 
     debug "=> Your backup is available at ${backup_dir}"
     exit ${rc}
@@ -424,6 +508,90 @@ while :; do
             DO_DPKG=0
             ;;
 
+        --apt)
+            DO_APT=1
+            ;;
+        --no-apt)
+            DO_APT=0
+            ;;
+
+        --packages)
+            DO_PACKAGES=1
+            ;;
+        --no-packages)
+            DO_PACKAGES=0
+            ;;
+
+        --processes)
+            DO_PROCESSES=1
+            ;;
+        --no-processes)
+            DO_PROCESSES=0
+            ;;
+
+        --uptime)
+            DO_UPTIME=1
+            ;;
+        --no-uptime)
+            DO_UPTIME=0
+            ;;
+
+        --netstat)
+            DO_NETSTAT=1
+            ;;
+        --no-netstat)
+            DO_NETSTAT=0
+            ;;
+
+        --netcfg)
+            DO_NETCFG=1
+            ;;
+        --no-netcfg)
+            DO_NETCFG=0
+            ;;
+
+        --iptables)
+            DO_IPTABLES=1
+            ;;
+        --no-iptables)
+            DO_IPTABLES=0
+            ;;
+
+        --sysctl)
+            DO_SYSCTL=1
+            ;;
+        --no-sysctl)
+            DO_SYSCTL=0
+            ;;
+
+        --virsh)
+            DO_VIRSH=1
+            ;;
+        --no-virsh)
+            DO_VIRSH=0
+            ;;
+
+        --lxc)
+            DO_LXC=1
+            ;;
+        --no-lxc)
+            DO_LXC=0
+            ;;
+
+        --mount)
+            DO_MOUNT=1
+            ;;
+        --no-mount)
+            DO_MOUNT=0
+            ;;
+
+        --df)
+            DO_DF=1
+            ;;
+        --no-df)
+            DO_DF=0
+            ;;
+
         --)
             # End of all options.
             shift
@@ -457,6 +625,8 @@ done
 : "${DO_SYSCTL:=1}"
 : "${DO_VIRSH:=1}"
 : "${DO_LXC:=1}"
+: "${DO_MOUNT:=1}"
+: "${DO_DF:=1}"
 
 export LC_ALL=C
 

From 168b0fa9b791d74a9f8625ea8983292624c4eec2 Mon Sep 17 00:00:00 2001
From: Brice Waegeneire <bwaegeneire+git@evolix.fr>
Date: Thu, 20 Jan 2022 10:43:24 +0100
Subject: [PATCH 116/125] nginx: Add snippet for custom server block config.

---
 nginx/files/nginx/snippets/evolinux_server_custom | 7 +++++++
 nginx/templates/evolinux-default.conf.j2          | 2 ++
 2 files changed, 9 insertions(+)
 create mode 100644 nginx/files/nginx/snippets/evolinux_server_custom

diff --git a/nginx/files/nginx/snippets/evolinux_server_custom b/nginx/files/nginx/snippets/evolinux_server_custom
new file mode 100644
index 00000000..f7f34ef9
--- /dev/null
+++ b/nginx/files/nginx/snippets/evolinux_server_custom
@@ -0,0 +1,7 @@
+# Evolinux custom configuration, to be used in all server blocks
+
+location ~ /\.(inc|git|bak|env) {
+  # We don't want to let the client know a file exist on the server,
+  # so we return 404 "Not found" instead of 403 "Forbidden".
+  return 404;
+}
diff --git a/nginx/templates/evolinux-default.conf.j2 b/nginx/templates/evolinux-default.conf.j2
index 1a385e17..a0ed95c3 100644
--- a/nginx/templates/evolinux-default.conf.j2
+++ b/nginx/templates/evolinux-default.conf.j2
@@ -49,6 +49,8 @@ server {
         stub_status on;
         access_log off;
     }
+
+    include /etc/nginx/snippets/evolinux_server_custom;
 }
 
 server {

From 4effe91b9f0552355ff0bc09d7ff3dc4604da1c1 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois <jdubois@evolix.fr>
Date: Mon, 24 Jan 2022 19:12:48 +0100
Subject: [PATCH 117/125] Write an openvpn role

---
 openvpn/README.md                           |  19 ++
 openvpn/defaults/main.yml                   |   7 +
 openvpn/files/check_openvpn.pl              | 215 +++++++++++++++
 openvpn/files/check_openvpn_certificates.sh | 140 ++++++++++
 openvpn/handlers/main.yml                   |   6 +
 openvpn/tasks/main.yml                      | 285 ++++++++++++++++++++
 openvpn/templates/ovpn.conf.j2              |  12 +
 openvpn/templates/server.conf.j2            |  31 +++
 8 files changed, 715 insertions(+)
 create mode 100644 openvpn/README.md
 create mode 100644 openvpn/defaults/main.yml
 create mode 100644 openvpn/files/check_openvpn.pl
 create mode 100644 openvpn/files/check_openvpn_certificates.sh
 create mode 100644 openvpn/handlers/main.yml
 create mode 100644 openvpn/tasks/main.yml
 create mode 100644 openvpn/templates/ovpn.conf.j2
 create mode 100644 openvpn/templates/server.conf.j2

diff --git a/openvpn/README.md b/openvpn/README.md
new file mode 100644
index 00000000..f68b9d66
--- /dev/null
+++ b/openvpn/README.md
@@ -0,0 +1,19 @@
+# OpenVPN
+
+Install and configure OpenVPN, based on [our HowtoOpenVPN wiki](https://wiki.evolix.org/HowtoOpenVPN)
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+Some manual actions are requested at the end of the playbook, to do before finishing the playbook.
+
+## Variables
+
+* `openvpn_lan`: network to use for OpenVPN
+* `openvpn_netmask`: netmask of the network to use for OpenVPN
+* `openvpn_netmask_cidr`: automatically generated prefix length of the netmask, in CIDR notation
+
+## TODO
+
+* Make it compatible with OpenBSD
+* See TODO tasks in tasks/main.yml
diff --git a/openvpn/defaults/main.yml b/openvpn/defaults/main.yml
new file mode 100644
index 00000000..6fcc7197
--- /dev/null
+++ b/openvpn/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+
+# openvpn_lan default to 10."last 2 digit of main IP of server".0/24. For example, if the server IP is 192.0.2.42, then openvpn_lan will be 10.2.42.0/24
+openvpn_lan: "10.{{ ansible_default_ipv4.address | regex_search('([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})', '\\3', '\\4') | join('.') }}.0"
+openvpn_netmask: "255.255.255.0"
+openvpn_netmask_cidr: "{{ (openvpn_lan + '/' + openvpn_netmask) | ipaddr('prefix') }}"
+
diff --git a/openvpn/files/check_openvpn.pl b/openvpn/files/check_openvpn.pl
new file mode 100644
index 00000000..270fd1e9
--- /dev/null
+++ b/openvpn/files/check_openvpn.pl
@@ -0,0 +1,215 @@
+#!/usr/bin/perl -w
+
+#######################################################################
+#
+# Copyright (c) 2007 Jaime Gascon Romero <jgascon@gmail.com>
+#
+# License Information:
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# $Id: check_openvpn.pl,v 1.1 2014/09/29 08:39:24 rdessort Exp $
+# $Revision: 1.1 $
+# Home Site: http://emergeworld.blogspot.com/
+# #####################################################################
+
+use diagnostics;
+use strict;
+use Net::Telnet ();
+use Getopt::Long qw(:config no_ignore_case);
+use vars qw($PROGNAME $VERSION);
+use lib "/usr/lib/nagios/plugins/";
+use utils qw(%ERRORS);
+
+$PROGNAME = "check_openvpn";
+$VERSION = '$Revision: 1.1 $';
+
+$ENV{'PATH'}='';
+$ENV{'BASH_ENV'}=''; 
+$ENV{'ENV'}='';
+
+my ($opt_h, $opt_H, $opt_p, $opt_P, $opt_t, $opt_i, $opt_n, $opt_c, $opt_w, $opt_C, $opt_r);
+
+sub print_help ();
+sub print_usage ();
+
+GetOptions
+  ("h"  =>  \$opt_h, "help" => \$opt_h,
+   "H=s" => \$opt_H, "host=s"  => \$opt_H,
+   "p=i" => \$opt_p, "port=i" => \$opt_p,
+   "P=s" => \$opt_P, "password=s" => \$opt_P,
+   "t=i" => \$opt_t, "timeout=i" => \$opt_t,
+   "i"  =>  \$opt_i, "ip" => \$opt_i,
+   "n" => \$opt_n, "numeric" => \$opt_n,
+   "c" => \$opt_c, "critical" => \$opt_c,
+   "w" => \$opt_w, "warning" => \$opt_w,
+   "C=s" => \$opt_C, "common_name=s" => \$opt_C,
+   "r=s" => \$opt_r, "remote_ip=s" => \$opt_r,
+  ) or exit $ERRORS{'UNKNOWN'};
+
+# default values
+unless ( defined $opt_t ) {
+   $opt_t = 10;
+}
+
+if ($opt_h) {print_help(); exit $ERRORS{'OK'};}
+
+if ( ! defined($opt_H) || ! defined($opt_p) ) {
+  print_usage();
+  exit $ERRORS{'UNKNOWN'}
+}
+
+my @lines;
+my @clients;
+my @clients_ip;
+my $t;
+
+eval { 
+$t = new Net::Telnet (Timeout => $opt_t,
+                      Port => $opt_p,
+                      Prompt => '/END$/'
+                    );
+$t->open($opt_H);
+if ( defined $opt_P ) {
+  $t->waitfor('/ENTER PASSWORD:$/');
+  $t->print($opt_P);
+}
+$t->waitfor('/^$/');
+@lines = $t->cmd("status 2");
+$t->close;
+};
+
+if ($@) {
+ print "OpenVPN Critical: Can't connect to server\n";
+ exit $ERRORS{'CRITICAL'};
+}
+
+
+if (defined $opt_i || defined $opt_r) {
+  foreach (@lines) {
+    if ($_ =~ /CLIENT_LIST,.*,(\d+\.\d+\.\d+\.\d+):\d+,/) {
+      push @clients_ip, $1;
+    }
+}
+  if (defined $opt_i) {
+    print "OpenVPN OK: "."@clients_ip ";
+    exit $ERRORS{'OK'};
+  } elsif (defined $opt_r) {
+    if ( ! grep /\b$opt_r\b/, @clients_ip) {
+      if (defined $opt_c) {
+        print "OpenVPN CRITICAL: $opt_r don't found";
+        exit $ERRORS{'CRITICAL'};
+      } else {
+        print "OpenVPN WARNING: $opt_r don't found";
+        exit $ERRORS{'WARNING'};
+      }
+    }
+    print "OpenVPN OK: "."@clients_ip ";
+    exit $ERRORS{'OK'};
+  }
+}
+
+foreach (@lines) {
+  if ($_ =~ /CLIENT_LIST,(.*),\d+\.\d+\.\d+\.\d+:\d+,/) {
+    push @clients, $1;
+  }
+}
+
+if (defined $opt_C) {
+  if ( ! grep /\b$opt_C\b/, @clients) {
+    if (defined $opt_c) {
+      print "OpenVPN CRITICAL: $opt_C don't found";
+      exit $ERRORS{'CRITICAL'};
+    } else {
+      print "OpenVPN WARNING: $opt_C don't found";
+      exit $ERRORS{'WARNING'};
+    }
+  }
+}
+
+
+if (defined $opt_n) {
+print "OpenVPN OK: ".@clients." connected clients.";
+exit $ERRORS{'OK'};
+}
+
+print "OpenVPN OK: "."@clients ";
+exit $ERRORS{'OK'};
+
+#######################################################################
+###### Subroutines ####################################################
+
+sub print_usage() {
+  print "Usage: $PROGNAME -H | --host <IP or hostname> -p | --port <port number> [-P | --password] <password> [-t | --timeout] <timeout in seconds> 
+                    [-i | --ip] [-n | --numeric] [-C | --common_name] <common_name> [-r | --remote_ip] <remote_ip> [-c | --critical] [-w | --warning]\n\n";
+  print "       $PROGNAME [-h | --help]\n";
+}
+
+sub print_help() {
+  print "$PROGNAME $VERSION\n\n";
+  print "Copyright (c) 2007 Jaime Gascon Romero
+
+Nagios plugin to check the clients connected to a openvpn server.
+
+";
+ print_usage();
+  print "
+-H | --host
+  IP address or hostname of the openvpn server.
+
+-p | --port
+  Management port interface of the openvpn server.
+
+-P | --password
+  Password for the management interface of the openvpn server.
+
+-t | --timeout
+  Timeout for the connection attempt. Optional, default 10 seconds.
+
+
+        Optional parameters
+        ===================
+
+-i | --ip
+  Prints the IP address of the remote client instead of the common name.
+
+-n | --numeric
+  Prints the number of clients connected to the openvpn server.
+
+
+        Matching Parameters
+        ===================
+
+-C | --common_name
+  The common name, as it is specified in the client certificate, who is wanted to check.
+
+-r | --remote_ip
+  The client remote ip address who is wanted to check.
+
+-c | --critical
+  Exits with CRITICAL status if the client specified by the common name or the remote ip address is not connected.
+
+-w | --warning
+  Exits with WARNING status if the client specified by the common name or the remote ip address is not connected.
+
+
+       Other Parameters
+       ================
+
+-h | --help
+  Show this help.
+";
+
+}
+
+# vim:sts=2:sw=2:ts=2:et
diff --git a/openvpn/files/check_openvpn_certificates.sh b/openvpn/files/check_openvpn_certificates.sh
new file mode 100644
index 00000000..47dca4b6
--- /dev/null
+++ b/openvpn/files/check_openvpn_certificates.sh
@@ -0,0 +1,140 @@
+#!/bin/sh
+
+set -eu
+
+trap error 0
+
+STATE_OK=0
+STATE_WARNING=1
+STATE_CRITICAL=2
+STATE_UNKNOWN=3
+STATE=$STATE_OK
+CERT_STATE=$STATE
+CA_STATE=$STATE
+CERT_ECHO=""
+CA_ECHO=""
+
+error() {
+    if [ $? -eq 2 ] && [ "X$CERT_ECHO" = "X" ] && [ "X$CA_ECHO" = "X" ] ; then
+        echo "CRITICAL - The check exited with an error. Is the conf_file var containing the real conf file location ? On Debian, is the check executed with sudo ?"
+    fi
+}
+
+SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
+date_cmd=$(command -v date)
+
+# Dates in seconds
+_15_days="1296000"
+_30_days="2592000"
+current_date=$($date_cmd +"%s")
+
+# Trying to define the OpenVPN conf file location - default to /etc/openvpn/server.conf
+conf_file=$(ps auwwwx | grep openvpn | grep -- --config | grep -v sed | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/" | head -1)
+[ "$SYSTEM" = "openbsd" ] && conf_file=${conf_file:-$(grep openvpn_flags /etc/rc.conf.local | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/")}
+conf_file=${conf_file:-"/etc/openvpn/server.conf"}
+
+# Get the cert and ca file location, based on the OpenVPN conf file location
+# Done in 2 times because sh does not support pipefail - needed in the case where $conf_file does not exist
+cert_file=$(grep -s "^cert " $conf_file)
+cert_file=$(echo $cert_file | sed -e "s/^cert *\//\//")
+ca_file=$(grep -s "^ca " $conf_file)
+ca_file=$(echo $ca_file | sed -e "s/^ca *\//\//")
+
+# Get expiration date of cert and ca certificates
+cert_expiration_date=$(grep "Not After" $cert_file | sed -e "s/.*Not After : //")
+ca_expiration_date=$(openssl x509 -enddate -noout -in $ca_file | cut -d '=' -f 2)
+
+test_cert_expiration() {
+    # Already expired - Cert file
+    if [ $current_date -ge $1 ]; then
+        CERT_ECHO="CRITICAL - The server certificate has expired on $formatted_cert_expiration_date"
+        CERT_STATE=$STATE_CRITICAL
+    # Expiration in 15 days or less - Cert file
+    elif [ $((current_date+_15_days)) -ge $1 ]; then
+        CERT_ECHO="CRITICAL - The server certificate expires in 15 days or less : $formatted_cert_expiration_date"
+        CERT_STATE=$STATE_CRITICAL
+    # Expiration in 30 days or less - Cert file
+    elif [ $((current_date+_30_days)) -ge $1 ]; then
+        CERT_ECHO="WARNING - The server certificate expires in 30 days or less : $formatted_cert_expiration_date"
+        CERT_STATE=$STATE_WARNING
+    # Expiration in more than 30 days - Cert file
+    else
+        CERT_ECHO="OK - The server certificate expires on $formatted_cert_expiration_date"
+        CERT_STATE=$STATE_OK
+    fi
+}
+
+test_ca_expiration() {
+    # Already expired - CA file
+    if [ $current_date -ge $1 ]; then
+        CA_ECHO="CRITICAL - The server CA has expired on $formatted_ca_expiration_date"
+        CA_STATE=$STATE_CRITICAL
+    # Expiration in 15 days or less - CA file
+    elif [ $((current_date+_15_days)) -ge $1 ]; then
+        CA_ECHO="CRITICAL - The server CA expires in 15 days or less : $formatted_ca_expiration_date"
+        CA_STATE=$STATE_CRITICAL
+    # Expiration in 30 days or less - CA file
+    elif [ $((current_date+_30_days)) -ge $1 ]; then
+        CA_ECHO="WARNING - The server CA expires in 30 days or less : $formatted_ca_expiration_date"
+        CA_STATE=$STATE_WARNING
+    # Expiration in more than 30 days - CA file
+    else
+        CA_ECHO="OK - The server CA expires on $formatted_ca_expiration_date"
+        CA_STATE=$STATE_OK
+    fi
+}
+
+# Linux and BSD systems do not implement 'date' the same way
+if [ "$SYSTEM" = "linux" ]; then
+
+    # Cert expiration date human formated then in seconds
+    formatted_cert_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$cert_expiration_date" +"%F %T %Z")
+    seconds_cert_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$cert_expiration_date" +"%s")
+
+    # CA expiration date human formated then in seconds
+    formatted_ca_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$ca_expiration_date" +"%F %T %Z")
+    seconds_ca_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$ca_expiration_date" +"%s")
+
+    test_cert_expiration $seconds_cert_expiration_date
+    test_ca_expiration $seconds_ca_expiration_date
+
+elif [ "$SYSTEM" = "openbsd" ]; then
+
+    # Cert expiration date for POSIX date, human formated then in seconds
+    posix_cert_expiration_date=$(echo "$cert_expiration_date" | awk '{ printf $4" "(index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3" "$2" ",split($3,time,":"); print time[1],time[2],time[3]}' | awk '{printf "%04d%02d%02d%02d%02d.%02d\n", $1, $2, $3, $4, $5, $6}')
+    cert_zone=$(echo "$cert_expiration_date" | awk '{print $5}')
+    formatted_cert_expiration_date=$(TZ=$cert_zone $date_cmd -j -z "Europe/Paris" "$posix_cert_expiration_date" +"%F %T %Z")
+    seconds_cert_expiration_date=$(TZ=$cert_zone $date_cmd -j -z "Europe/Paris" "$posix_cert_expiration_date" +"%s")
+
+    # CA expiration date for POSIX date, human formated then in seconds
+    posix_ca_expiration_date=$(echo "$ca_expiration_date" | awk '{ printf $4" "(index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3" "$2" ",split($3,time,":"); print time[1],time[2],time[3]}' | awk '{printf "%04d%02d%02d%02d%02d.%02d\n", $1, $2, $3, $4, $5, $6}')
+    ca_zone=$(echo "$ca_expiration_date" | awk '{print $5}')
+    formatted_ca_expiration_date=$(TZ=$ca_zone $date_cmd -j -z "Europe/Paris" "$posix_ca_expiration_date" +"%F %T %Z")
+    seconds_ca_expiration_date=$(TZ=$ca_zone $date_cmd -j -z "Europe/Paris" "$posix_ca_expiration_date" +"%s")
+
+    test_cert_expiration $seconds_cert_expiration_date
+    test_ca_expiration $seconds_ca_expiration_date
+
+# If neither Linux nor BSD
+else
+
+    echo "CRITICAL - OS not supported"
+    STATE=$STATE_CRITICAL
+    exit $STATE
+
+fi
+
+# Display the first one that expires first
+if [ $CA_STATE -gt $CERT_STATE  ]; then
+    echo $CA_ECHO
+    echo $CERT_ECHO
+    exit $CA_STATE
+elif [ $CERT_STATE -gt $CA_STATE ]; then
+    echo $CERT_ECHO
+    echo $CA_ECHO
+    exit $CERT_STATE
+else
+    echo $CERT_ECHO
+    echo $CA_ECHO
+    exit $CERT_STATE
+fi
diff --git a/openvpn/handlers/main.yml b/openvpn/handlers/main.yml
new file mode 100644
index 00000000..5ba1926c
--- /dev/null
+++ b/openvpn/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart nagios-nrpe-server
+  service:
+    name: nagios-nrpe-server
+    state: restarted
diff --git a/openvpn/tasks/main.yml b/openvpn/tasks/main.yml
new file mode 100644
index 00000000..105b3c0b
--- /dev/null
+++ b/openvpn/tasks/main.yml
@@ -0,0 +1,285 @@
+---
+
+- name: This role is only compatible with Debian
+  assert:
+    that: "ansible_distribution == 'Debian'"
+    msg: "Only compatible with Debian"
+
+- name: Install OpenVPN
+  apt:
+    name: openvpn
+
+- name: Delete unwanted OpenVPN folders
+  file:
+    state: absent
+    path: "/etc/openvpn/{{ item }}"
+  with_items:
+    - client
+    - server
+
+- name: Clone shellpki repo
+  git:
+    repo: "https://gitea.evolix.org/evolix/shellpki.git"
+    dest: /root/shellpki
+
+- name: Create the shellpki user
+  user:
+    name: shellpki
+    system: yes
+    create_home: no
+    home: "/etc/shellpki"
+    shell: "/usr/sbin/nologin"
+
+- name: Create /etc/shellpki
+  file:
+    path: "/etc/shellpki"
+    state: directory
+
+- include_role:
+    name: evolix/remount-usr
+
+- name: Copy shellpki files
+  copy:
+    src: "{{ item.source }}"
+    dest: "{{ item.destination }}"
+    remote_src: yes
+  with_items:
+     - { source: "/root/shellpki/openssl.cnf", destination: "/etc/shellpki/openssl.cnf" }
+     - { source: "/root/shellpki/shellpki", destination: "/usr/local/sbin/shellpki" }
+
+- include_role:
+    name: evolix/remount-usr
+
+- name: Change files permissions
+  file:
+    path: "{{ item.path }}"
+    mode: "{{ item.mode }}"
+  with_items:
+     - { path: "/etc/shellpki/openssl.cnf", mode: "0640" }
+     - { path: "/usr/local/sbin/shellpki", mode: "0755" }
+
+- name: Delete local shellpki repo
+  file:
+    state: absent
+    path: "/root/shellpki"
+
+- name: Change directory owner
+  file:
+    path: "/etc/shellpki"
+    owner: shellpki
+    recurse: yes
+    state: directory
+
+- name: Add sudo rights
+  lineinfile:
+    dest: "/etc/sudoers.d/shellpki"
+    regexp: '/usr/local/sbin/shellpki'
+    line: "%shellpki ALL = (root) /usr/local/sbin/shellpki"
+    create: yes
+    validate: 'visudo -cf %s'
+
+- name: Deploy OpenVPN client config template
+  template:
+    src: "ovpn.conf.j2"
+    dest: "/etc/shellpki/ovpn.conf"
+
+- name: Generate dhparam
+  command: "openssl dhparam -out /etc/shellpki/dh2048.pem 2048"
+
+- include_role:
+    name: evolix/remount-usr
+
+- name: Fix CRL rights in shellpki command
+  lineinfile:
+    path: "/usr/local/sbin/shellpki"
+    regexp: '{{ item.regexp }}'
+    insertafter: "{{ item.insertafter }}"
+    line: "{{ item.line }}"
+  with_items:
+     - { regexp: '^    chmod 644 /etc/shellpki/crl.pem$', line: "    chmod 644 /etc/shellpki/crl.pem", insertafter: '^    chmod 640 "\${CACERT}"$' }
+     - { regexp: '^    chmod 755 /etc/shellpki/$', line: "    chmod 755 /etc/shellpki/", insertafter: '^    chmod 644 /etc/shellpki/crl.pem$' }
+
+- name: Deploy OpenVPN server config
+  template:
+    src: "server.conf.j2"
+    dest: "/etc/openvpn/server.conf"
+
+- name: Is minifirewall installed ?
+  stat:
+    path: "/etc/default/minifirewall"
+  check_mode: no
+  register: minifirewall_config
+
+- name: Retrieve the default interface
+  shell: "grep '^INT=' /etc/default/minifirewall | cut -d\\' -f 2"
+  check_mode: no
+  changed_when: false
+  register: minifirewall_int
+
+- name: Add minifirewall rule in config file
+  lineinfile:
+    path: "/etc/default/minifirewall"
+    line: "{{ item }}"
+  with_items:
+     - "# OpenVPN"
+     - "/sbin/iptables -t nat -A POSTROUTING -s {{ openvpn_lan }}/{{ openvpn_netmask_cidr }} -o $INT -j MASQUERADE"
+  when: minifirewall_config.stat.exists
+
+- name: Activate minifirewall rule
+  iptables:
+    table: nat
+    chain: POSTROUTING
+    source: "{{ openvpn_lan }}/{{ openvpn_netmask_cidr }}"
+    out_interface: "{{ minifirewall_int.stdout }}"
+    jump: MASQUERADE
+  when: minifirewall_config.stat.exists
+
+- name: Add 1194/udp OpenVPN port to public services in minifirewall
+  replace:
+    path: "/etc/default/minifirewall"
+    regexp: "^SERVICESUDP1='(.*)?'$"
+    replace: "SERVICESUDP1='\\1 1194'"
+    backup: yes
+  when: minifirewall_config.stat.exists
+
+- name: Activate minifirewall rule for IPv4
+  iptables:
+    chain: INPUT
+    protocol: udp
+    destination_port: "1194"
+    jump: ACCEPT
+    ip_version: ipv4
+  when: minifirewall_config.stat.exists
+
+- name: Activate minifirewall rule for IPv6
+  iptables:
+    chain: INPUT
+    protocol: udp
+    destination_port: "1194"
+    jump: ACCEPT
+    ip_version: ipv6
+  when: minifirewall_config.stat.exists
+
+- name: Enable forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"
+    sysctl_file: "/etc/sysctl.d/openvpn.conf"
+
+- name: Generate a password for the management interface
+  set_fact:
+    management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}"
+
+- name: Set the management password
+  copy:
+    dest: "/etc/openvpn/management-pwd"
+    content: "{{ management_pwd }}"
+
+- name: Enable openvpn service
+  systemd:
+    name: "openvpn@server.service"
+    enabled: yes
+
+- name: Is NRPE installed ?
+  stat:
+    path: "/etc/nagios/nrpe.d/evolix.cfg"
+  check_mode: no
+  register: nrpe_evolix_config
+
+- name: Install NRPE check dependencies
+  apt:
+    name: libnet-telnet-perl
+  when: nrpe_evolix_config.stat.exists
+
+- include_role:
+    name: evolix/remount-usr
+
+- name: Install OpenVPN NRPE check
+  copy:
+    src: "files/check_openvpn.pl"
+    dest: "/usr/local/lib/nagios/plugins/check_openvpn"
+    mode: "0755"
+    owner: root
+    group: nagios
+  when: nrpe_evolix_config.stat.exists
+
+- name: Add NRPE check
+  lineinfile:
+    dest: "/etc/nagios/nrpe.d/evolix.cfg"
+    regexp: '^command\[check_openvpn\]='
+    line: "command[check_openvpn]=/usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
+  notify: restart nagios-nrpe-server
+  when: nrpe_evolix_config.stat.exists
+
+- include_role:
+    name: evolix/remount-usr
+
+- name: Install OpenVPN certificates NRPE check
+  copy:
+    src: "files/check_openvpn_certificates.sh"
+    dest: "/usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
+    mode: "0755"
+    owner: root
+    group: nagios
+  when: nrpe_evolix_config.stat.exists
+
+- name: Add sudo rights for NRPE check
+  lineinfile:
+    dest: "/etc/sudoers.d/openvpn"
+    regexp: 'check_openvpn_certificates.sh'
+    line: "nagios  ALL=NOPASSWD: /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
+    create: yes
+    validate: 'visudo -cf %s'
+  when: nrpe_evolix_config.stat.exists
+
+- name: Add NRPE check
+  lineinfile:
+    dest: "/etc/nagios/nrpe.d/evolix.cfg"
+    regexp: '^command\[check_openvpn_certificates\]='
+    line: "command[check_openvpn_certificates]=sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
+  notify: restart nagios-nrpe-server
+  when: nrpe_evolix_config.stat.exists
+
+# BEGIN TODO : Get this script from master branch when cloning it at the beginning when dev branch is merged with master (this script is currently not available on master branch)
+- name: Clone dev branch of shellpki repo
+  git:
+    repo: "https://gitea.evolix.org/evolix/shellpki.git"
+    dest: /root/shellpki-dev
+    version: dev
+
+- include_role:
+    name: evolix/remount-usr
+
+- name: Copy shellpki script
+  copy:
+    src: "/root/shellpki-dev/cert-expirations.sh"
+    dest: "/usr/share/scripts/cert-expirations.sh"
+    mode: "0700"
+#    owner: root
+#    group: root
+    remote_src: yes
+
+- name: Delete local shellpki-dev repo
+  file:
+    state: absent
+    path: "/root/shellpki-dev"
+# END TODO
+
+- name: Install cron to warn about certificates expiration
+  cron:
+    name: "OpenVPN certificates expiration"
+    special_time: monthly
+    job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'
+
+- name: Warn the user about command to execute manually
+  pause:
+    prompt: |
+      /!\ WARNING /!\
+      You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times.
+      You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked
+      You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}"
+      You have to adjuste the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed).
+      Finally, you can (re)start the OpenVPN service with "systemctl restart openvpn@server.service"
+      
+      Press enter to exit when it's done.
+
diff --git a/openvpn/templates/ovpn.conf.j2 b/openvpn/templates/ovpn.conf.j2
new file mode 100644
index 00000000..d82b0b42
--- /dev/null
+++ b/openvpn/templates/ovpn.conf.j2
@@ -0,0 +1,12 @@
+client
+dev tun
+tls-client
+proto udp
+
+remote {{ ansible_fqdn }} 1194
+
+persist-key
+persist-tun
+
+cipher AES-256-CBC
+
diff --git a/openvpn/templates/server.conf.j2 b/openvpn/templates/server.conf.j2
new file mode 100644
index 00000000..0508ff9d
--- /dev/null
+++ b/openvpn/templates/server.conf.j2
@@ -0,0 +1,31 @@
+user  nobody
+group nogroup
+
+local {{ ansible_default_ipv4.address }}
+port 1194
+proto udp
+dev tun
+mode server
+keepalive 10 120
+
+cipher AES-256-GCM # AES
+
+persist-key
+persist-tun
+
+status /var/log/openvpn-status.log
+log-append  /var/log/openvpn.log
+
+ca   /etc/shellpki/cacert.pem
+cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
+key  /etc/shellpki/private/TO_COMPLETE
+dh   /etc/shellpki/dh2048.pem
+
+crl-verify /etc/shellpki/crl.pem
+
+server {{ openvpn_lan }} {{ openvpn_netmask }}
+
+#push "route 192.0.3.0 255.255.255.0"
+
+# Management interface (used by check_openvpn for Nagios)
+management 127.0.0.1 1195 /etc/openvpn/management-pwd

From 3822696db6b7fd98edea8a0c582c39e8da10e575 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois <jdubois@evolix.fr>
Date: Mon, 24 Jan 2022 19:23:26 +0100
Subject: [PATCH 118/125] Update CHANGELOG for new openvpn role

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index de6fc8b7..7284a7a1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * munin: systemd override to unprotect home directory
 * mysql: add evomariabackup 21.11
 * nagios-nrpe: new check influxdb
+* openvpn: new openvpn role
 
 ### Changed
 

From fec9e49c18f68b0a37ad4364403ecea9acb3ba73 Mon Sep 17 00:00:00 2001
From: Mathieu Trossevin <mtrossevin+git@evolix.fr>
Date: Tue, 25 Jan 2022 11:00:45 +0100
Subject: [PATCH 119/125] Repair munin role

---
 munin/tasks/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml
index addc5107..81769488 100644
--- a/munin/tasks/main.yml
+++ b/munin/tasks/main.yml
@@ -102,6 +102,6 @@
     option: "ProtectHome"
     value: "false"
     state: present
-    notify:
-      - systemd daemon-reload
-      - restart munin-node
\ No newline at end of file
+  notify:
+    - systemd daemon-reload
+    - restart munin-node

From 1902c40c3cf8d8de82dd47131bffd193b79b60c8 Mon Sep 17 00:00:00 2001
From: Mathieu Trossevin <mtrossevin+git@evolix.fr>
Date: Fri, 5 Nov 2021 11:34:21 +0100
Subject: [PATCH 120/125] lxc-php: Fix config for opensmtpd on bullseye

---
 CHANGELOG.md                             |  3 ++-
 lxc-php/tasks/mail_opensmtpd.yml         | 10 ++++++++++
 lxc-php/templates/smtpd.conf.bullseye.j2 | 17 +++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 lxc-php/templates/smtpd.conf.bullseye.j2

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7284a7a1..2ab40fd7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,8 +34,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * evolinux-base: fix alert5.service dependency syntax
 * mysql : Create a default ~root/.my.cnf for compatibility reasons
 * nginx : fix variable name and debug to actually use nginx-light
-* packweb-apache : Support php 8.0
+* packweb-apache : Support php 8.0 
 * nagios-nrpe: Fix check\_nfsserver for buster and bullseye
+* lxc-php: fix config for opensmtpd on bullseye containers
 
 ### Removed
 
diff --git a/lxc-php/tasks/mail_opensmtpd.yml b/lxc-php/tasks/mail_opensmtpd.yml
index 1b4dbea0..25dec9ea 100644
--- a/lxc-php/tasks/mail_opensmtpd.yml
+++ b/lxc-php/tasks/mail_opensmtpd.yml
@@ -11,3 +11,13 @@
     dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/smtpd.conf"
     mode: "0644"
   notify: "Restart opensmtpd"
+  when: lxc_php_container_releases[lxc_php_version] in ["jessie", "stretch", "buster"]
+
+
+- name: "{{ lxc_php_version }} - Configure opensmtpd (in the container)"
+  template:
+    src: smtpd.conf.bullseye.j2
+    dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/smtpd.conf"
+    mode: "0644"
+  notify: "Restart opensmtpd"
+  when: not lxc_php_container_releases[lxc_php_version] in ["jessie", "stretch", "buster"]
diff --git a/lxc-php/templates/smtpd.conf.bullseye.j2 b/lxc-php/templates/smtpd.conf.bullseye.j2
new file mode 100644
index 00000000..0a6d658f
--- /dev/null
+++ b/lxc-php/templates/smtpd.conf.bullseye.j2
@@ -0,0 +1,17 @@
+# This is the smtpd server system-wide configuration file.
+# See smtpd.conf(5) for more information.
+
+# To accept external mail, replace with: listen on all
+#listen on localhost
+
+# If you edit the file, you have to run "smtpctl update table aliases"
+table aliases file:/etc/aliases
+
+action "mbox" mbox alias <aliases>
+action "relay" relay host "smtp://127.0.0.1"
+
+# Uncomment the following to accept external mail for domain "example.org"
+#match from any for domain "example.org" action "mbox"
+
+match for local action "mbox"
+match for any action "relay"

From 51bc48623b959fecb5ae439a2e6c70544347d3a1 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 25 Jan 2022 10:10:11 +0100
Subject: [PATCH 121/125] dovecot: switch to TLS 1.2+ and external DH params

---
 dovecot/tasks/main.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml
index 7db272da..1bebbafc 100644
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
@@ -10,9 +10,10 @@
   tags:
   - dovecot
 
-- name: Generate Diffie-Hellman parameters with the default size 4096 bits (may take several minutes)
+- name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes)
   openssl_dhparam:
     path: /etc/ssl/dhparams.pem
+    size: 4096
 
 - name: disable pam auth
   replace:

From 266289c72e9ecbd4222a49e640a388425e720308 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 25 Jan 2022 10:14:02 +0100
Subject: [PATCH 122/125] whitespaces

---
 evolinux-base/tasks/hardware.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml
index 7ec39d01..e072f95c 100644
--- a/evolinux-base/tasks/hardware.yml
+++ b/evolinux-base/tasks/hardware.yml
@@ -31,11 +31,11 @@
   when: broadcom_netextreme_search.rc == 0
 
 
-## Dedicated hardware 
+## Dedicated hardware
 - name: Install freepmi when it's dedicated hardware
   apt:
-    name: 
-      - libipc-run-perl 
+    name:
+      - libipc-run-perl
       - freeipmi
     state: present
   tags:

From 544b213529c6c5fa0052756087c85d6fdaf7aa5b Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 25 Jan 2022 11:00:27 +0100
Subject: [PATCH 123/125] evomaintenance: Upstream release 22.01

---
 evomaintenance/files/evomaintenance.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/evomaintenance/files/evomaintenance.sh b/evomaintenance/files/evomaintenance.sh
index 1961ebf2..3903f2ef 100644
--- a/evomaintenance/files/evomaintenance.sh
+++ b/evomaintenance/files/evomaintenance.sh
@@ -4,16 +4,16 @@
 # Dependencies (all OS): git postgresql-client
 # Dependencies (Debian): sudo
 
-# Copyright 2007-2021 Evolix <info@evolix.fr>, Gregory Colpart <reg@evolix.fr>,
+# Copyright 2007-2022 Evolix <info@evolix.fr>, Gregory Colpart <reg@evolix.fr>,
 #                     Jérémy Lecour <jlecour@evolix.fr> and others.
 
-VERSION="0.6.4"
+VERSION="22.01"
 
 show_version() {
     cat <<END
 evomaintenance version ${VERSION}
 
-Copyright 2007-2021 Evolix <info@evolix.fr>,
+Copyright 2007-2022 Evolix <info@evolix.fr>,
                     Gregory Colpart <reg@evolix.fr>,
                     Jérémy Lecour <jlecour@evolix.fr>
                     and others.
@@ -303,6 +303,9 @@ From: ${FULLFROM}
 Content-Type: text/plain; charset=UTF-8
 MIME-Version: 1.0
 Content-Transfer-Encoding: 8bit
+X-Evomaintenance-Version: ${VERSION}
+X-Evomaintenance-Host: ${HOSTNAME_TEXT}
+X-Evomaintenance-User: ${USER}
 To: ${EVOMAINTMAIL}
 Subject: [evomaintenance] Intervention sur ${HOSTNAME_TEXT} (${USER})
 

From 0fce412cf51cb7e63f7fd77d194571d9a2b2a580 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 25 Jan 2022 11:15:10 +0100
Subject: [PATCH 124/125] add WIP warning to check_async

---
 nagios-nrpe/files/check_async | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nagios-nrpe/files/check_async b/nagios-nrpe/files/check_async
index 15a6bf71..5ff8ad24 100644
--- a/nagios-nrpe/files/check_async
+++ b/nagios-nrpe/files/check_async
@@ -1,5 +1,9 @@
 #!/bin/bash
 
+### WARNING #######################################
+# THIS IS A WORK IN PROGRESS AND IT IS NOT USABLE #
+###################################################
+
 VERSION="21.04"
 readonly VERSION
 

From 1f4ee2de79416b8a4af288e1e60175cc5df3a758 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 25 Jan 2022 14:53:19 +0100
Subject: [PATCH 125/125] Prepare CHANGELOG for 22.01 release

---
 CHANGELOG.md | 73 +++++++++++++++++++++++++---------------------------
 1 file changed, 35 insertions(+), 38 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2ab40fd7..871c7b29 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,60 +12,43 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Added
 
-* evolinux-base: add script backup-server-state
-* munin: systemd override to unprotect home directory
-* mysql: add evomariabackup 21.11
-* nagios-nrpe: new check influxdb
-* openvpn: new openvpn role
-
 ### Changed
 
-* evocheck: upstream release 21.10.4
-* evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
-* filebeat/metricbeat: version 7.x y default
-* listupgrade: old-kernel-removal version 21.10
-* mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
-* mongodb: Support version 5.0 (for buster)
-* mongodb: Allow to specify a mongodb version for buster & bullseye
-* nodejs: default to version 16 LTS
-
 ### Fixed
 
-* evolinux-base: fix alert5.service dependency syntax
-* mysql : Create a default ~root/.my.cnf for compatibility reasons
-* nginx : fix variable name and debug to actually use nginx-light
-* packweb-apache : Support php 8.0 
-* nagios-nrpe: Fix check\_nfsserver for buster and bullseye
-* lxc-php: fix config for opensmtpd on bullseye containers
-
 ### Removed
 
-* evocheck: package install is not supported anymore
-
 ### Security
 
-## [21.09] 2021-09-29
+## [22.01] 2022-01-25
 
 ### Added
 
 * Support for Debian 11 « Bullseye » (with possible remaining blind spots)
-* apache: new variable for mpm mode (+ updated default config accordingly)
+* apache: new variable for MPM mode (+ updated default config accordingly)
+* apache: prevent accessing Git or "env" related files
 * certbot: add script for manual deploy hooks execution
 * docker-host: install additional dependencies
-* etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
+* dovecot: switch to TLS 1.2+ and external DH params
 * etc-git: centralize cron jobs in dedicated crontab
+* etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
+* evolinux-base: add script backup-server-state
 * evolinux-base: install molly-guard by default
-* generate-ldif: detect hardware raid card
+* generate-ldif: detect RAID controller
 * generate-ldif: detect mdadm
 * listupgrade: crontab is configurable
 * logstash: logging to syslog is configurable (default: True)
 * mongodb: create munin plugins directory if missing
+* munin: systemd override to unprotect home directory
+* mysql: add evomariabackup 21.11
 * mysql: improve Bullseye compatibility
 * mysql: script "mysql_connections" to display a compact list of connections
 * mysql: script "mysql-queries-killer.sh" to kill MySQL queries
+* nagios-nrpe + evolinux-users: new check for ipmi
+* nagios-nrpe + evolinux-users: new check for RAID (soft + hard)
 * nagios-nrpe + evolinux-users: new checks for bkctld
-* nagios-nrpe + evolinux-users: new check raid (soft + hard)
-* nagios-nrpe + evolinux-users: new check ipmi
+* nagios-nrpe: new check influxdb
+* openvpn: new role (beta)
 * redis: instance service for Debian 11
 * squid: add *.o.lencr.org to default whitelist
 
@@ -77,21 +60,28 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * apt: remove workaround for Evolix public repositories with Debian 11
 * apt: use the new security repository for Bullseye
 * certbot: silence letsencrypt deprecation warnings
-* elasticsearch: 7.x by default
+* elasticsearch: elastic_stack_version = 7.x
 * evoacme: exclude renewal-hooks directory from cron
 * evoadmin-web: simpler PHP packages lists
-* evomaintenance: extract a config.yyml tasks file
-* evocheck: upstream release 21.10
+* evocheck: upstream release 21.10.4
 * evolinux-base: alert5 comes after the network
 * evolinux-base: force Debian version to buster for Evolix repository (temporary)
-* evolinux-base: split dpkg logrotate configuration
 * evolinux-base: install freeipmi by default on dedicated hw
 * evolinux-base: logs are rotated with dateext by default
-* kibana: 7.x by default
+* evolinux-base: split dpkg logrotate configuration
+* evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
+* evomaintenance: extract a config.yml tasks file
+* evomaintenance: upstream release 22.01
+* filebeat/metricbeat: elastic_stack_version = 7.x
+* kibana: elastic_stack_version = 7.x
+* listupgrade: old-kernel-removal version 21.10
 * listupgrade: upstream release 21.06.3
 * logstash: elastic_stack_version = 7.x
-* mysql: mariadb-client-10.5 on Debian 11
-* mysql: use python3 with Debian 11 and later
+* mongodb: Allow to specify a mongodb version for buster & bullseye
+* mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
+* mongodb: Support version 5.0 (for buster)
+* mysql: use python3 and mariadb-client-10.5 with Debian 11 and later
+* nodejs: default to version 16 LTS
 * php: enforce Debian version with assert instead of fail
 * squid: improve default whitelist (more specific patterns)
 * squid: must be started in foreground mode for systemd
@@ -99,12 +89,19 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Fixed
 
+* evolinux-base: fix alert5.service dependency syntax
 * certbot: sync_remote excludes itself
+* lxc-php: fix config for opensmtpd on bullseye containers
+* mysql : Create a default ~root/.my.cnf for compatibility reasons
+* nginx : fix variable name and debug to actually use nginx-light
+* packweb-apache : Support php 8.0
+* nagios-nrpe: Fix check_nfsserver for buster and bullseye
 
 ### Removed
 
-* php: remove php-gettext for 7.4
+* evocheck: package install is not supported anymore
 * logstash: no more dependency on Java
+* php: remove php-gettext for 7.4
 
 ## [10.6.0] 2021-06-28