From b8ac36e6739296c01a753251e7f39d8bad5a2cf2 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 16:53:02 +0200 Subject: [PATCH 01/29] =?UTF-8?q?Fake=20=C2=AB=20testing=20=C2=BB=20as=20D?= =?UTF-8?q?eban=2011=20=C2=AB=20Bullseye=20=C2=BB?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- evolinux-base/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 2da87162..f8b4cd6d 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -1,5 +1,11 @@ --- +# Force facts until Debian 11 is released because Ansible is dumb +- set_fact: + ansible_distribution_major_version: 11 + ansible_distribution_release: "bullseye" + when: ansible_distribution_major_version == 'testing' + - name: "System compatibility checks" assert: that: From 6bfef357296fceec044af8304049ba8044529e09 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 16:53:40 +0200 Subject: [PATCH 02/29] Add bullseye APT repositories --- apt/templates/bullseye_backports.list.j2 | 3 +++ apt/templates/bullseye_basics.list.j2 | 5 +++++ 2 files changed, 8 insertions(+) create mode 100644 apt/templates/bullseye_backports.list.j2 create mode 100644 apt/templates/bullseye_basics.list.j2 diff --git a/apt/templates/bullseye_backports.list.j2 b/apt/templates/bullseye_backports.list.j2 new file mode 100644 index 00000000..ab989dec --- /dev/null +++ b/apt/templates/bullseye_backports.list.j2 @@ -0,0 +1,3 @@ +# {{ ansible_managed }} + +deb http://mirror.evolix.org/debian bullseye-backports {{ apt_backports_components | mandatory }} diff --git a/apt/templates/bullseye_basics.list.j2 b/apt/templates/bullseye_basics.list.j2 new file mode 100644 index 00000000..5e0a0a53 --- /dev/null +++ b/apt/templates/bullseye_basics.list.j2 
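Review bot: The new `deb` line in `bullseye_backports.list.j2` uses plain `http://`, so the only protection for package downloads is APT's signature check on the Release file. Anyone on the network path can still see which packages a host pulls and can serve stale metadata until it expires. The three lines in `bullseye_basics.list.j2`, including the `security.debian.org` entry, are written the same way. If the mirrors serve TLS, I would switch the scheme, e.g. `deb https://mirror.evolix.org/debian bullseye-backports {{ apt_backports_components | mandatory }}`. In the basics template the first line uses `.../debian` and the second `.../debian/`; one form would be more consistent.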
@@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }} +deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }} +deb http://security.debian.org/ bullseye-security {{ apt_basics_components | mandatory }} From 2f68ae53390df40ef972704b2e17b41ddf7010e7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 17:51:50 +0200 Subject: [PATCH 03/29] Preliminary support for Bullseye --- CHANGELOG.md | 1 + apt/files/bullseye_backports_preferences | 3 + apt/tasks/basics.yml | 1 + evolinux-base/tasks/system.yml | 6 +- haproxy/defaults/main.yml | 1 + haproxy/tasks/packages_backports.yml | 4 + lxc-php/defaults/main.yml | 2 +- lxc-php/tasks/php74.yml | 4 +- mongodb/files/server-4.4.asc | 30 +++++++ mongodb/files/server-4.4.gpg | Bin 0 -> 1162 bytes mongodb/tasks/main.yml | 5 +- mongodb/tasks/main_bullseye.yml | 80 +++++++++++++++++ mongodb/templates/logrotate_bullseye.j2 | 15 ++++ mongodb/templates/mongodb_bullseye.conf.j2 | 39 +++++++++ php/handlers/main.yml | 5 ++ php/tasks/main.yml | 3 + php/tasks/main_bullseye.yml | 97 +++++++++++++++++++++ postgresql/tasks/main.yml | 4 +- tomcat/tasks/packages.yml | 7 ++ varnish/tasks/main.yml | 1 + 20 files changed, 299 insertions(+), 9 deletions(-) create mode 100644 apt/files/bullseye_backports_preferences create mode 100644 mongodb/files/server-4.4.asc create mode 100644 mongodb/files/server-4.4.gpg create mode 100644 mongodb/tasks/main_bullseye.yml create mode 100644 mongodb/templates/logrotate_bullseye.j2 create mode 100644 mongodb/templates/mongodb_bullseye.conf.j2 create mode 100644 php/tasks/main_bullseye.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 38d99455..5d9abcaf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release. ### Added +* Preliminary support for Debian 11 « Bullseye » * certbot: add script for manual deploy hooks execution * listupgrade: crontab is configurable diff --git a/apt/files/bullseye_backports_preferences b/apt/files/bullseye_backports_preferences new file mode 100644 index 00000000..3a667c93 --- /dev/null +++ b/apt/files/bullseye_backports_preferences @@ -0,0 +1,3 @@ +Package: * +Pin: release a=bullseye-backports +Pin-Priority: 50 diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml index fee1430a..33c79129 100644 --- a/apt/tasks/basics.yml +++ b/apt/tasks/basics.yml @@ -19,6 +19,7 @@ - /etc/apt/sources.list.d/debian-jessie.list - /etc/apt/sources.list.d/debian-stretch.list - /etc/apt/sources.list.d/debian-buster.list + - /etc/apt/sources.list.d/debian-bullseye.list - /etc/apt/sources.list.d/debian-update.list when: apt_clean_gandi_sourceslist | bool tags: diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 53fa243c..554bb02a 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -153,7 +153,7 @@ -- name: Install alert5 init script (buster) +- name: Install alert5 init script (buster and later) template: src: system/alert5.sh.j2 dest: /usr/share/scripts/alert5.sh @@ -163,7 +163,7 @@ - evolinux_system_alert5_init | bool - ansible_distribution_major_version is version('10', '>=') -- name: Install alert5 service (buster) +- name: Install alert5 service (buster and later) copy: src: alert5.service dest: /etc/systemd/system/alert5.service @@ -173,7 +173,7 @@ - evolinux_system_alert5_init | bool - ansible_distribution_major_version is version('10', '>=') -- name: Enable alert5 init script (buster) +- name: Enable alert5 init script (buster and later) systemd: name: alert5 daemon_reload: yes diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml index b94d2872..0745f1a9 100644 --- a/haproxy/defaults/main.yml 
+++ b/haproxy/defaults/main.yml @@ -34,3 +34,4 @@ haproxy_deny_ips: [] haproxy_backports_packages_stretch: haproxy libssl1.0.0 haproxy_backports_packages_buster: haproxy +haproxy_backports_packages_bullseye: haproxy diff --git a/haproxy/tasks/packages_backports.yml b/haproxy/tasks/packages_backports.yml index 9a682120..eab4fbca 100644 --- a/haproxy/tasks/packages_backports.yml +++ b/haproxy/tasks/packages_backports.yml @@ -15,6 +15,10 @@ haproxy_backports_packages: "{{ haproxy_backports_packages_buster }}" when: ansible_distribution_release == 'buster' +- set_fact: + haproxy_backports_packages: "{{ haproxy_backports_packages_bullseye }}" + when: ansible_distribution_release == 'bullseye' + - name: Prefer HAProxy package from backports template: src: haproxy_apt_preferences.j2 diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 1cceab35..ce8a935d 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -18,4 +18,4 @@ lxc_php_container_releases: php56: "jessie" php70: "stretch" php73: "buster" - php74: "buster" + php74: "bullseye" diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 2c4538e8..464e0766 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml @@ -13,8 +13,8 @@ create: yes mode: "0644" loop: - - "deb https://packages.sury.org/php/ buster main" - - "deb http://pub.evolix.net/ buster-php74/" + - "deb https://packages.sury.org/php/ bullseye main" + - "deb http://pub.evolix.net/ bullseye-php74/" - name: copy pub.evolix.net GPG key copy: diff --git a/mongodb/files/server-4.4.asc b/mongodb/files/server-4.4.asc new file mode 100644 index 00000000..9f4d9161 --- /dev/null +++ b/mongodb/files/server-4.4.asc 
@@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQINBFzteqwBEADSirbLWsjgkQmdWr06jXPN8049MCqXQIZ2ovy9uJPyLkHgOCta +8dmX+8Fkk5yNOLScjB1HUGJxAWJG+AhldW1xQGeo6loDfTW1mlfetq/zpW7CKbUp +qve9eYYulneAy/81M/UoUZSzHqj6XY39wzJCH20H+Qx3WwcqXgSU7fSFXyJ4EBYs +kWybbrAra5v29LUTBd7OvvS+Swovdh4T31YijUOUUL/gJkBI9UneVyV7/8DdUoVJ +a8ym2pZ6ALy+GZrWBHcCKD/rQjEkXJnDglu+FSUI50SzaC9YX31TTzEMJijiPi6I +MIZJMXLH7GpCIDcvyrLWIRYVJAQRoYJB4rmp42HTyed4eg4RnSiFrxVV5xQaDnSl +/8zSOdVMBVewp8ipv34VeRXgNTgRkhA2JmL+KlALMkPo7MbRkJF01DiOOsIdz3Iu +43oYg3QYmqxZI6kZNtXpUMnJeuRmMQJJN8yc9ZdOA9Ll2TTcIql8XEsjGcM7IWM9 +CP6zGwCcbrv72Ka+h/bGaLpwLbpkr5I8PjjSECn9fBcgnVX6HfKH7u3y11+Va1nh +a8ZEE1TuOqRxnVDQ+K4iwaZFgFYsBMKo2ghoU2ZbZxu14vs6Eksn6UFsm8DpPwfy +jtLtdje8jrbYAqAy5zIMLoW+I6Rb5sU3Olh9nI7NW4T5qQeemBcuRAwB4QARAQAB +tDdNb25nb0RCIDQuNCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxwYWNrYWdpbmdAbW9u +Z29kYi5jb20+iQI+BBMBAgAoBQJc7XqsAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsE +FgIDAQIeAQIXgAAKCRBlZAjjkM+x9SKmD/9BzdjFAgBPPkUnD5pJQgsBQKUEkDsu +cht6Q0Y4M635K7okpqJvXtZV5Mo+ajWZjUeHn4wPdVgzF2ItwVLRjjak3tIZfe3+ +ME5Y27Aej3LeqQC3Q5g6SnpeZwVEhWzU35CnyhQecP4AhDG3FO0gKUn3GkEgmsd6 +rnXAQLEw3VUYO8boxqBF3zjmFLIIaODYNmO1bLddJgvZlefUC62lWBBUs6Z7PBnl +q7qBQFhz9qV9zXZwCT2/vgGLg5JcwVdcJXwAsQSr1WCVd7Y79+JcA7BZiSg9FAQd +4t2dCkkctoUKgXsAH5fPwErGNj5L6iUnhFODPvdDJ7l35UcIZ2h74lqfEh+jh8eo +UgxkcI2y2FY/lPapcPPKe0FHzCxG2U/NRdM+sqrIfp9+s88Bj+Eub7OhW4dF3AlL +bh/BGHL9R8xAJRDLv8v7nsKkZWUnJaskeDFCKX3rjcTyTRWTG7EuMCmCn0Ou1hKc +R3ECvIq0pVfVh+qk0hu+A5Dvj6k3QDcTfse+KfSAJkYvRKiuRuq5KgYcX3YSzL6K +aZitMyu18XsQxKavpIGzaDhWyrVAig3XXF//zxowYVwuOikr5czgqizu87cqjpyn +S0vVG4Q3+LswH4xVTn3UWadY/9FkM167ecouu4g3op29VDi7hCKsMeFvFP6OOIls +G4vQ/QbzucK77Q== +=eD3N +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file 
diff --git a/mongodb/files/server-4.4.gpg b/mongodb/files/server-4.4.gpg new file mode 100644 index 0000000000000000000000000000000000000000..f1b1730e67131b5c9f15b1ec84d5fc10f79887ee GIT binary patch literal 1162 zcmV;51a}rbItQkJuoVlK!$dr{Jpr7@-9K( zI4fH5*_ZplWRskYIJBIM9Y;`NaRFjR_y}cnZE-+nsOnk+eKob3SKhX-^QCUWDYYr8 z_q} z8JgAvcLFFs>q0RkT$#gyTfP+~2MmgZEtR8Z)9RFV{dIfi2^^&+MZ|3S^z#R33NK1C-Fnn^+n0YIe$ zkUK7N8+t=VI5VyJE4n16qHkW-RpiP(YBiaSM~9z`4|P~G7h)~JQqhh!q~6jQeeM1* zPFUNp9*=U~sQ|Y_m^w;&US|bFg>2N{kf+KN9&r8ugfX`i?I0;h_ZmSUn#X#sb-+Ne zFx^!cJI3h7phe#}<`l9BXyDj3W3_CzT_y|JmFLt8t)*BHRI{dgJQ?Myx`9AgbM~cu z&314JJ-@yIi-VF}!B<=*d;qZotJPqYceXqC;#>o;S&1k;6a*dO-JJ?a9JYlDfqMWS zm(RdT#x_1n>Ln+HQ-ePDLnpa+}7Q$bO%Gv(EvK;Vy5pp<9PV+zCr=AHf)M{YT6|B@oNM%ln?fq-A9% zC95QOF+wSQ>y5aO?~kcBKsOV9 z$G$1_fF?#SM5wMt>bWWg9A9=4%)W|gn5{D_wefop#HO#LfwO2hR?4+NiVfFXU;ob< zFkxISIw>pV%;2gl?(?@Qj-01UOVt~MH~70SAB=r cR5-hYBCIjtZxsHHIEic=') + when: ansible_distribution_release == "buster" + +- include: main_bullseye.yml + when: ansible_distribution_major_version is version('11', '>=') diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml new file mode 100644 index 00000000..03094278 --- /dev/null +++ b/mongodb/tasks/main_bullseye.yml 
@@ -0,0 +1,80 @@ +--- + +# https://wiki.debian.org/DebianRepository/UseThirdParty +- name: Add MongoDB GPG key for version 4.4 + copy: + src: server-4.4.gpg + dest: /usr/share/keyrings/mongodb-server-4.4.gpg + force: yes + +- name: enable APT sources list + apt_repository: + repo: deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main + state: present + filename: mongodb-org-4.4 + update_cache: yes + +- name: Install packages + apt: + name: mongodb-org + update_cache: yes + state: present + register: _mongodb_install_package + +- name: MongoDB service in enabled and started + systemd: + name: mongod + enabled: yes + state: started + when: _mongodb_install_package.changed + +- name: install dependency for monitoring + apt: + name: python-pymongo + state: present + +- name: Custom configuration + template: + src: mongodb_bullseye.conf.j2 + dest: "/etc/mongod.conf" + force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" + notify: restart mongod + +- name: Configure logrotate + template: + src: logrotate_bullseye.j2 + dest: /etc/logrotate.d/mongodb + force: yes + backup: no + +- name: Munin plugins are present + copy: + src: "munin/{{ item }}" + dest: '/usr/local/share/munin/plugins/{{ item }}' + force: yes + with_items: + - mongo_btree + - mongo_collections + - mongo_conn + - mongo_docs + - mongo_lock + - mongo_mem + - mongo_ops + - mongo_page_faults + notify: restart munin-node + +- name: Enable core Munin plugins + file: + src: '/usr/local/share/munin/plugins/{{ item }}' + dest: /etc/munin/plugins/{{ item }} + state: link + with_items: + - mongo_btree + - mongo_collections + - mongo_conn + - mongo_docs + - mongo_lock + - mongo_mem + - mongo_ops + - mongo_page_faults + notify: restart munin-node diff --git a/mongodb/templates/logrotate_bullseye.j2 b/mongodb/templates/logrotate_bullseye.j2 new file mode 100644 index 00000000..8239e880 --- /dev/null 
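Review bot: The `install dependency for monitoring` task installs `python-pymongo`, the Python 2 build, which Debian 11 is not expected to ship, so this file would stop at that task on the release it targets. `name: python3-pymongo` looks like the right package, matching how this series handles `python-mysqldb` in a later patch. Separately, `MongoDB service in enabled and started` only runs `when: _mongodb_install_package.changed`, so a later run will not re-enable or start a stopped `mongod`; dropping that `when` enforces the state on every run. The repository line pins `signed-by` to the copied keyring, which is good, but it points at the `buster` suite over `http://`, and a comment saying that is deliberate would help the next reader.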
+++ b/mongodb/templates/logrotate_bullseye.j2 @@ -0,0 +1,15 @@ +# {{ ansible_managed }} + +/var/log/mongodb/mongod.log { + daily + missingok + rotate 365 + dateext + compress + delaycompress + notifempty + sharedscripts + postrotate + pidof mongod | xargs kill -USR1 + endscript +} diff --git a/mongodb/templates/mongodb_bullseye.conf.j2 b/mongodb/templates/mongodb_bullseye.conf.j2 new file mode 100644 index 00000000..b61479bd --- /dev/null +++ b/mongodb/templates/mongodb_bullseye.conf.j2 @@ -0,0 +1,39 @@ +# mongodb.conf - {{ ansible_managed }} + +# for documentation of all options, see: +# http://docs.mongodb.org/manual/reference/configuration-options/ + +# Where and how to store data. +storage: + dbPath: /var/lib/mongodb + journal: + enabled: true +# engine: +# mmapv1: +# wiredTiger: + +# where to write logging data. +systemLog: + destination: file + logRotate: reopen + logAppend: true + path: /var/log/mongodb/mongodb.log + +# network interfaces +net: + port: {{ mongodb_port }} + bindIp: {{ mongodb_bind }} + +#security: + +#operationProfiling: + +#replication: + +#sharding: + +## Enterprise-Only Options: + +#auditLog: + +#snmp: diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 1aade6c1..973c0069 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -14,3 +14,8 @@ service: name: php7.3-fpm state: restarted + +- name: restart php7.4-fpm + service: + name: php7.4-fpm + state: restarted diff --git a/php/tasks/main.yml b/php/tasks/main.yml index e9687e67..5cf46bec 100644 --- a/php/tasks/main.yml +++ b/php/tasks/main.yml @@ -12,3 +12,6 @@ - include: main_buster.yml when: ansible_distribution_release == "buster" + +- include: main_bullseye.yml + when: ansible_distribution_release == "bullseye" diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml new file mode 100644 index 00000000..7584305d --- /dev/null +++ b/php/tasks/main_bullseye.yml 
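Review bot: This logrotate stanza rotates `/var/log/mongodb/mongod.log`, but `mongodb_bullseye.conf.j2` in the same commit sets `systemLog.path` to `/var/log/mongodb/mongodb.log`. With `missingok` the mismatch is silent: nothing is rotated and the real log grows without the 365-rotation retention this file intends. One of the two paths should change, e.g. `path: /var/log/mongodb/mongod.log` in the config template. In `postrotate`, `pidof mongod | xargs kill -USR1` runs `kill` with no PID when mongod is stopped; `xargs -r` avoids that.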
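Review bot: The `security:` section in `mongodb_bullseye.conf.j2` is left commented out, so this template never turns on `authorization`, while `bindIp` comes straight from `{{ mongodb_bind }}`. Whether `mongodb_bind` defaults to loopback is not visible in this hunk; if a host sets it to a routable address, the instance accepts unauthenticated clients. I would either enable it here with `security:` and `authorization: enabled` behind a role variable, or add a comment stating where access control is handled. Quoting the templated address (`bindIp: "{{ mongodb_bind }}"`) also keeps an empty or odd value from changing the YAML type.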
@@ -0,0 +1,97 @@ +--- + +- name: "Set variables (Debian 10 or later)" + set_fact: + php_cli_defaults_ini_file: /etc/php/7.4/cli/conf.d/z-evolinux-defaults.ini + php_cli_custom_ini_file: /etc/php/7.4/cli/conf.d/zzz-evolinux-custom.ini + php_apache_defaults_ini_file: /etc/php/7.4/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_ini_file: /etc/php/7.4/apache2/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_ini_file: /etc/php/7.4/fpm/conf.d/z-evolinux-defaults.ini + php_fpm_custom_ini_file: /etc/php/7.4/fpm/conf.d/zzz-evolinux-custom.ini + php_fpm_debian_default_pool_file: /etc/php/7.4/fpm/pool.d/www.conf + php_fpm_default_pool_file: /etc/php/7.4/fpm/pool.d/www-evolinux-defaults.conf + php_fpm_default_pool_custom_file: /etc/php/7.4/fpm/pool.d/www-evolinux-zcustom.conf + php_fpm_default_pool_socket: /var/run/php/php7.4-fpm.sock + php_fpm_service_name: php7.4-fpm + +# Packages + +- name: "Set package list (Debian 9 or later)" + set_fact: + php_stretch_packages: + - php-cli + - php-gd + - php-intl + - php-imap + - php-ldap + - php-mysql + # php-mcrypt is no longer packaged for PHP 7.2 + - php-pgsql + - php-sqlite3 + - php-gettext + - php-curl + - php-ssh2 + - php-zip + - composer + - libphp-phpmailer + +- include: sury_pre.yml + when: php_sury_enable + +- name: "Install PHP packages (Debian 9 or later)" + apt: + name: '{{ php_stretch_packages }}' + state: present + +- name: "Install mod_php packages (Debian 9 or later)" + apt: + name: + - libapache2-mod-php + - php + state: present + when: php_apache_enable + +- name: "Install PHP FPM packages (Debian 9 or later)" + apt: + name: + - php-fpm + - php + state: present + when: php_fpm_enable + +# Configuration + +- name: Enforce permissions on PHP directory + file: + dest: "{{ item }}" + mode: "0755" + with_items: + - /etc/php + - /etc/php/7.4 + +- include: config_cli.yml +- name: Enforce permissions on PHP cli directory + file: + dest: /etc/php/7.4/cli + mode: "0755" + +- include: config_fpm.yml + when: 
php_fpm_enable + +- name: Enforce permissions on PHP fpm directory + file: + dest: /etc/php/7.4/fpm + mode: "0755" + when: php_fpm_enable + +- include: config_apache.yml + when: php_apache_enable + +- name: Enforce permissions on PHP apache2 directory + file: + dest: /etc/php/7.4/apache2 + mode: "0755" + when: php_apache_enable + +- include: sury_post.yml + when: php_sury_enable diff --git a/postgresql/tasks/main.yml b/postgresql/tasks/main.yml index fbe22989..1783a763 100644 --- a/postgresql/tasks/main.yml +++ b/postgresql/tasks/main.yml @@ -5,10 +5,10 @@ when: ansible_distribution_release == "jessie" - include: packages_stretch.yml - when: ansible_distribution_major_version is version('9', '=') + when: ansible_distribution_release == "stretch" - include: packages_buster.yml - when: ansible_distribution_major_version is version('10', '=') + when: ansible_distribution_release == "buster" - include: packages_bullseye.yml when: ansible_distribution_major_version is version('11', '>=') diff --git a/tomcat/tasks/packages.yml b/tomcat/tasks/packages.yml index 900dffd0..9b7995cc 100644 --- a/tomcat/tasks/packages.yml +++ b/tomcat/tasks/packages.yml @@ -21,6 +21,13 @@ - ansible_distribution_release == "buster" - tomcat_version is not defined +- name: Set Tomcat version to 10 on Debian 11 if missing + set_fact: + tomcat_version: 10 + when: + - ansible_distribution_release == "bullseye" + - tomcat_version is not defined + - name: Install packages apt: name: diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 95a720c8..75268841 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -52,6 +52,7 @@ - config - update-config +# TODO: verify if it's still necessary for Debian 11 - name: Override Varnish systemd unit (Buster and later) template: src: varnish.conf.buster.j2 From 4a158ac819b2d6cd6cbfb1d92a2761e9810c7334 Mon Sep 17 00:00:00 2001 
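Review bot: The task names in `php/tasks/main_bullseye.yml` still carry the labels of the files they were copied from, such as `Set variables (Debian 10 or later)` and `Install PHP packages (Debian 9 or later)`, although `php/tasks/main.yml` includes this file only for `bullseye`. Playbook output will therefore name the wrong release when one of these tasks fails. I would rename them to `(Debian 11)` and drop the `# php-mcrypt is no longer packaged for PHP 7.2` comment, which explains nothing for 7.4. The variable `php_stretch_packages` may be read by the included files, which are outside this hunk, so I would leave its name alone.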
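Review bot: `tomcat_version: 10` for bullseye in `tomcat/tasks/packages.yml` looks like an extrapolation from the earlier releases. As far as I know Debian 11 packages Tomcat 9, not Tomcat 10, so the `Install packages` task that follows would ask APT for a package that does not exist. `tomcat_version: 9` would be the safe default here. The install task's package list is outside this hunk, so how the version is interpolated is inferred.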
From: Jeremy Lecour Date: Sat, 1 May 2021 22:11:08 +0200 Subject: [PATCH 04/29] Reduce verbosity --- apache/tasks/server_status.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index 2ca77951..efd2b00e 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -33,6 +33,7 @@ - debug: var: apache_serverstatus_suffix + verbosity: 1 - name: replace server-status suffix in default site index replace: From 52d06a39878e4a4bd073db318577bd3afc77ef90 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:11:50 +0200 Subject: [PATCH 05/29] temporary bulseye-detect role Overrides some facts to add compatibility with unreleased Debian version --- bullseye-detect/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 bullseye-detect/tasks/main.yml diff --git a/bullseye-detect/tasks/main.yml b/bullseye-detect/tasks/main.yml new file mode 100644 index 00000000..07b898e3 --- /dev/null +++ b/bullseye-detect/tasks/main.yml @@ -0,0 +1,8 @@ +--- + +# Force facts until Debian 11 is released because Ansible is dumb +- set_fact: + ansible_distribution_major_version: 11 + ansible_distribution: "Debian" + ansible_distribution_release: "bullseye" + when: "ansible_lsb.codename == 'bullseye'" \ No newline at end of file From 008cb6a3c97fb5889d6fb3559776004d1856ba43 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:12:27 +0200 Subject: [PATCH 06/29] quote numeric values --- evolinux-base/tasks/kernel.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index 76965f47..b49968f1 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml @@ -26,7 +26,7 @@ - name: Disable net.ipv4.tcp_timestamps sysctl: name: net.ipv4.tcp_timestamps - value: 0 + value: '0' sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes 
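Review bot: The `when:` in `bullseye-detect/tasks/main.yml` reads `ansible_lsb.codename`, which is only populated when LSB information is available on the target. On a minimal install the attribute is undefined and the task fails instead of being skipped. A guard such as `when: ansible_lsb.codename | default('') == 'bullseye'` keeps the role harmless there. The override also stores `ansible_distribution_major_version: 11` as an integer, whereas the gathered fact is a string; `"11"` keeps string comparisons in other roles working. Since this role rewrites facts that every other role branches on, the comment above the task should say when the role must be removed.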
From 380c50b999071c14166173ebaa0326cd2503a51f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:12:58 +0200 Subject: [PATCH 07/29] evolinux-base: increase minimum Ansible version to 2.9 --- evolinux-base/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/evolinux-base/meta/main.yml b/evolinux-base/meta/main.yml index 84c001c1..83ed8538 100644 --- a/evolinux-base/meta/main.yml +++ b/evolinux-base/meta/main.yml @@ -14,6 +14,7 @@ galaxy_info: - jessie - stretch - buster + - bullseye galaxy_tags: [] # List tags for your role here, one per line. A tag is From 5e09906c8f1fc35c3cbbebccc643f7c1b9da492f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:13:37 +0200 Subject: [PATCH 08/29] fixup! temporary bulseye-detect role --- evolinux-base/tasks/main.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index f8b4cd6d..2da87162 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -1,11 +1,5 @@ --- -# Force facts until Debian 11 is released because Ansible is dumb -- set_fact: - ansible_distribution_major_version: 11 - ansible_distribution_release: "bullseye" - when: ansible_distribution_major_version == 'testing' - - name: "System compatibility checks" assert: that: From 51d4ec1bb29a0f41fb40aa908be38926f460c12b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:14:33 +0200 Subject: [PATCH 09/29] php: remove php-gettext for 7.4 --- CHANGELOG.md | 2 ++ lxc-php/tasks/php74.yml | 2 +- php/tasks/main_bullseye.yml | 1 - 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d9abcaf..8b96ed2e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,6 +26,8 @@ The **patch** part changes incrementally at each release. ### Removed +* php: remove php-gettext for 7.4 + ### Security ## [10.6.0] 2021-06-28 
diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 464e0766..9438dcc7 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml @@ -40,7 +40,7 @@ - name: "{{ lxc_php_version }} - Install PHP packages" lxc_container: name: "{{ lxc_php_version }}" - container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-zip php-mbstring php-zip composer libphp-phpmailer" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" template: diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index 7584305d..bdeffe56 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -28,7 +28,6 @@ # php-mcrypt is no longer packaged for PHP 7.2 - php-pgsql - php-sqlite3 - - php-gettext - php-curl - php-ssh2 - php-zip From c5bb8f06ae12930cf51a9497744a7f66b49050f9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:17:17 +0200 Subject: [PATCH 10/29] mysql: use python3 with Debian 11 and later --- CHANGELOG.md | 1 + mysql-oracle/tasks/users.yml | 10 ++++++++++ mysql/tasks/users_jessie.yml | 13 +++++++++++-- mysql/tasks/users_stretch.yml | 13 +++++++++++-- redmine/tasks/packages.yml | 21 +++++++++++++++++++-- webapps/nextcloud/tasks/main.yml | 19 ++++++++++++++++++- 6 files changed, 70 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b96ed2e..c04a50c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes incrementally at each release. ### Changed * listupgrade: upstream release 21.06.3 +* mysql: use python3 with Debian 11 and later ### Fixed 
diff --git a/mysql-oracle/tasks/users.yml b/mysql-oracle/tasks/users.yml index da1ca05f..e5a7e3da 100644 --- a/mysql-oracle/tasks/users.yml +++ b/mysql-oracle/tasks/users.yml @@ -5,6 +5,16 @@ apt: name: python-mysqldb state: present + when: ansible_distribution_major_version is version('10', '<=') + tags: + - mysql + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') tags: - mysql diff --git a/mysql/tasks/users_jessie.yml b/mysql/tasks/users_jessie.yml index 99dd2d04..3a56a63d 100644 --- a/mysql/tasks/users_jessie.yml +++ b/mysql/tasks/users_jessie.yml @@ -6,13 +6,22 @@ when: mysql_variant == "mariadb" # dependency for mysql_user and mysql_db - - name: python-mysqldb is installed (Ansible dependency) apt: name: python-mysqldb state: present + when: ansible_distribution_major_version is version('10', '<=') tags: - - mysql + - mysql + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') + tags: + - mysql - name: create a password for mysqladmin command: "apg -n 1 -m 16 -M lcN" diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml index 574399af..2b9bec6b 100644 --- a/mysql/tasks/users_stretch.yml +++ b/mysql/tasks/users_stretch.yml 
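Review bot: The new `python3-mysqldb` task in `mysql-oracle/tasks/users.yml` is guarded with `version('10', '>')`, while the rest of the series spells the same boundary as `version('11', '>=')` (MongoDB, PostgreSQL, the mytop dependencies). Using one form makes the release split easier to grep. The same pair of tasks is pasted into `mysql/tasks/users_jessie.yml`, `mysql/tasks/users_stretch.yml`, `redmine/tasks/packages.yml` and `webapps/nextcloud/tasks/main.yml`. A single task with `name: "{{ (ansible_distribution_major_version is version('11', '>=')) | ternary('python3-mysqldb', 'python-mysqldb') }}"` would replace both copies in each file.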
@@ -1,13 +1,22 @@ --- # dependency for mysql_user and mysql_db - - name: python-mysqldb is installed (Ansible dependency) apt: name: python-mysqldb state: present + when: ansible_distribution_major_version is version('10', '<=') tags: - - mysql + - mysql + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') + tags: + - mysql - name: create a password for mysqladmin command: "apg -n 1 -m 16 -M lcN" diff --git a/redmine/tasks/packages.yml b/redmine/tasks/packages.yml index b2be8faa..0c65df44 100644 --- a/redmine/tasks/packages.yml +++ b/redmine/tasks/packages.yml @@ -1,5 +1,5 @@ --- -- name: Install dependancy +- name: Install dependency apt: name: - libpam-systemd @@ -14,7 +14,24 @@ - libmagickwand-dev - libmagickcore-dev - libmariadbclient-dev - - python-mysqldb state: present tags: - redmine + +# dependency for mysql_user and mysql_db +- name: python-mysqldb is installed (Ansible dependency) + apt: + name: python-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '<=') + tags: + - redmine + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') + tags: + - redmine \ No newline at end of file diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml index 2c525114..c63291f1 100644 --- a/webapps/nextcloud/tasks/main.yml +++ b/webapps/nextcloud/tasks/main.yml 
@@ -16,7 +16,24 @@ - php-apcu - php-redis - php-bcmath - - python-mysqldb + tags: + - nextcloud + +# dependency for mysql_user and mysql_db +- name: python-mysqldb is installed (Ansible dependency) + apt: + name: python-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '<=') + tags: + - nextcloud + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') tags: - nextcloud From 2c441f176ae7d101403c39b6772310676260997c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:19:31 +0200 Subject: [PATCH 11/29] mysql: mariadb-client-10.5 on Debian 11 --- CHANGELOG.md | 1 + mysql-oracle/tasks/utils.yml | 16 ++++++++++++---- mysql/tasks/utils.yml | 16 ++++++++++++---- 3 files changed, 25 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c04a50c2..a0ff32ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes incrementally at each release. ### Changed * listupgrade: upstream release 21.06.3 +* mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later ### Fixed diff --git a/mysql-oracle/tasks/utils.yml b/mysql-oracle/tasks/utils.yml index e7573afe..e0520cee 100644 --- a/mysql-oracle/tasks/utils.yml +++ b/mysql-oracle/tasks/utils.yml @@ -17,7 +17,7 @@ # mytop -- name: "mytop is installed (jessie)" +- name: "mytop is installed (Debian 9)" apt: name: mytop state: present @@ -32,7 +32,7 @@ # name: mysql-utilities # when: ansible_distribution_major_version is version('9', '>=') -- name: "mytop dependencies are installed (stretch)" +- name: "mytop dependencies are installed (Buster)" apt: name: - libconfig-inifiles-perl 
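Review bot: The renamed tasks in `mysql-oracle/tasks/utils.yml` no longer match their conditions: `mytop is installed (jessie)` becomes `(Debian 9)` and `mytop dependencies are installed (stretch)` becomes `(Buster)`, yet the `when:` visible in the next hunk still tests `ansible_distribution_release == "stretch"` for the latter. Jessie is Debian 8, stretch is Debian 9 and buster is Debian 10, so both labels are off by one release. `mysql/tasks/utils.yml` has the same slip: `Install mytop (Debian 9)` keeps `when: ansible_distribution_release == "jessie"`. I would use `(Debian 8)` and `(Debian 9)` respectively.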
@@ -46,13 +46,21 @@ - mysql when: ansible_distribution_release == "stretch" -- name: "Install dependencies for mytop (Debian 10 or later)" +- name: "Install dependencies for mytop (Debian 10)" apt: name: - mariadb-client-10.3 - libconfig-inifiles-perl - libterm-readkey-perl - when: ansible_distribution_major_version is version('10', '>=') + when: ansible_distribution_release == "buster" + +- name: "Install dependencies for mytop (Debian 11 or later)" + apt: + name: + - mariadb-client-10.5 + - libconfig-inifiles-perl + - libterm-readkey-perl + when: ansible_distribution_major_version is version('11', '>=') - include_role: name: evolix/remount-usr diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index b4abf059..f1a9cb24 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -17,7 +17,7 @@ # mytop -- name: "Install mytop (jessie)" +- name: "Install mytop (Debian 9)" apt: name: mytop state: present @@ -27,7 +27,7 @@ - mysql when: ansible_distribution_release == "jessie" -- name: "Install dependencies for mytop (stretch)" +- name: "Install dependencies for mytop (Debian 9)" apt: name: - mariadb-client-10.1 @@ -35,13 +35,21 @@ - libterm-readkey-perl when: ansible_distribution_release == "stretch" -- name: "Install dependencies for mytop (Debian 10 or later)" +- name: "Install dependencies for mytop (Debian 10)" apt: name: - mariadb-client-10.3 - libconfig-inifiles-perl - libterm-readkey-perl - when: ansible_distribution_major_version is version('10', '>=') + when: ansible_distribution_release == "buster" + +- name: "Install dependencies for mytop (Debian 11 or later)" + apt: + name: + - mariadb-client-10.5 + - libconfig-inifiles-perl + - libterm-readkey-perl + when: ansible_distribution_major_version is version('11', '>=') - name: Read debian-sys-maint password shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' From f673ea85d1c4dbb9deef7a737e5161596d3da7f5 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Sat, 1 May 2021 22:22:54 +0200 Subject: [PATCH 12/29] Force Debian version to buster for Evolix repository --- CHANGELOG.md | 1 + apt/templates/evolix_public.list.j2 | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a0ff32ad..9364cc4b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release. ### Changed +* evolinux-base: force Debian version to buster for Evolix repository (temporary) * listupgrade: upstream release 21.06.3 * mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index 06de99c0..25156cd0 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 @@ -1,3 +1,8 @@ # {{ ansible_managed }} +{% if ansible_distribution_release == 'bullseye' %} +# Force previous Debian version (temporary) +deb http://pub.evolix.net/ buster/ +{% else %} deb http://pub.evolix.net/ {{ ansible_distribution_release }}/ +{% endif %} From c5ab0c0ff9191878a0dcf27e97c0d661fea57b9f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:24:40 +0200 Subject: [PATCH 13/29] squid: remove obsolete variable on Squid 4 --- CHANGELOG.md | 2 ++ squid/tasks/main.yml | 7 +++++++ squid/templates/evolinux-custom.conf.j2 | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9364cc4b..be32015f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,8 @@ The **patch** part changes incrementally at each release. * listupgrade: upstream release 21.06.3 * mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later +* ntpd: Add leapfile configuration setting to ntpd on debian 10+ +* squid: remove obsolete variable on Squid 4 ### Fixed diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 9e00dcb0..4a3cab4d 100644 
--- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -22,6 +22,13 @@ - squidclient state: present +- name: Fetch packages + package_facts: + manager: auto + +- debug: + var: ansible_facts.packages[squid_daemon_name] + - name: "Set alternative config file (Debian 9 or later)" copy: src: default_squid diff --git a/squid/templates/evolinux-custom.conf.j2 b/squid/templates/evolinux-custom.conf.j2 index cc465dc7..27c97cc2 100644 --- a/squid/templates/evolinux-custom.conf.j2 +++ b/squid/templates/evolinux-custom.conf.j2 @@ -1,4 +1,4 @@ http_port 8888 transparent cache deny all -ignore_expect_100 on +{% if ansible_facts.packages[squid_daemon_name][0]['version'] is version (4, '<') %}ignore_expect_100 on{% endif %} tcp_outgoing_address {{ squid_address }} From e8a8e8581923aae6c5d680409100517c6438754a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:25:38 +0200 Subject: [PATCH 14/29] redis: instance service for Debian 11 --- CHANGELOG.md | 5 +++ .../redis-server@bullseye.service.j2 | 45 +++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 redis/templates/redis-server@bullseye.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index be32015f..b5ca4ab5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,8 +13,13 @@ The **patch** part changes incrementally at each release. ### Added * Preliminary support for Debian 11 « Bullseye » +* apache: new variable for mpm mode (+ updated default config accordingly) * certbot: add script for manual deploy hooks execution +* evolinux-base: add default motd template +* kvm-host: add migrate-vm script * listupgrade: crontab is configurable +* mysql: variable to disable myadd script overwrite (default: True) +* redis: instance service for Debian 11 ### Changed diff --git a/redis/templates/redis-server@bullseye.service.j2 b/redis/templates/redis-server@bullseye.service.j2 new file mode 100644 index 00000000..623eb919 --- /dev/null +++ b/redis/templates/redis-server@bullseye.service.j2 
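Review bot: The unnamed `debug` task printing `ansible_facts.packages[squid_daemon_name]` in `squid/tasks/main.yml` looks like a development leftover; it prints on every run and fails outright when the key is missing. Either drop it or give it `verbosity: 1`, as the earlier "Reduce verbosity" patch in this series does for Apache. The template change in `evolinux-custom.conf.j2` indexes the same key with `[0]['version']`, which assumes `squid_daemon_name` is also the package name and that the package is already in the gathered facts. Setting a dedicated version variable in the tasks, with a fallback when the package is absent, would keep the template from failing to render in check mode or on a first run.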
@@ -0,0 +1,45 @@ +[Unit] +Description=Advanced key-value store +After=network.target +Documentation=http://redis.io/documentation, man:redis-server(1) + +[Service] +Type=notify +ExecStart=/usr/bin/redis-server {{ redis_conf_dir_prefix }}-%i/redis.conf --supervised systemd --daemonize no +PIDFile=/run/redis-%i/redis-server.pid +TimeoutStopSec=0 +Restart=always +User=redis-%i +Group=redis-%i +RuntimeDirectory=redis-%i +RuntimeDirectoryMode=2755 + +UMask=007 +PrivateTmp=yes +LimitNOFILE=65535 +PrivateDevices=yes +ProtectHome={{ redis_data_dir_prefix is match('/home') | ternary('no', 'yes') }} +ReadOnlyDirectories=/ +ReadWritePaths=-{{ redis_data_dir_prefix }}-%i +ReadWritePaths=-{{ redis_log_dir_prefix }}-%i +ReadWritePaths=-{{ redis_pid_dir_prefix }}-%i +ReadWritePaths=-{{ redis_socket_dir_prefix }}-%i + +NoNewPrivileges=true +CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE +MemoryDenyWriteExecute=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectControlGroups=true +RestrictRealtime=true +RestrictNamespaces=true +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX + +# redis-server can write to its own config file when in cluster mode so we +# permit writing there by default. If you are not using this feature, it is +# recommended that you replace the following lines with "ProtectSystem=full". +ProtectSystem=true +ReadWriteDirectories=-{{ redis_conf_dir_prefix }}-%i + +[Install] +WantedBy=multi-user.target \ No newline at end of file From c80c354d65cd21374508db211046ea7c1ad196d4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 00:33:26 +0200 Subject: [PATCH 15/29] fix keyrings permissions --- mongodb/tasks/main_bullseye.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index 03094278..a2ef6038 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml 
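Review bot: `PIDFile=/run/redis-%i/redis-server.pid` and `RuntimeDirectory=redis-%i` hard-code the runtime path, while the write allow-list uses `ReadWritePaths=-{{ redis_pid_dir_prefix }}-%i`, so the two disagree as soon as that variable is overridden. I would derive `PIDFile=` from the same variable, e.g. `PIDFile={{ redis_pid_dir_prefix }}-%i/redis-server.pid`. The leading `-` on every `ReadWritePaths=` entry makes systemd ignore a missing path, so a wrong prefix yields a service that starts but cannot write; a comment saying so would help. The unit also mixes the legacy names `ReadOnlyDirectories=`/`ReadWriteDirectories=` with `ReadWritePaths=`. It also lacks the `# {{ ansible_managed }}` header that the other templates in this series carry.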
@@ -6,6 +6,7 @@ src: server-4.4.gpg dest: /usr/share/keyrings/mongodb-server-4.4.gpg force: yes + mode: "0644" - name: enable APT sources list apt_repository: From a60189eb3eaf8b7683be4edbb860ea83a5d0751d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 00:33:46 +0200 Subject: [PATCH 16/29] better bullseye compatibility workaround --- bullseye-detect/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bullseye-detect/tasks/main.yml b/bullseye-detect/tasks/main.yml index 07b898e3..6f97db0a 100644 --- a/bullseye-detect/tasks/main.yml +++ b/bullseye-detect/tasks/main.yml @@ -5,4 +5,4 @@ ansible_distribution_major_version: 11 ansible_distribution: "Debian" ansible_distribution_release: "bullseye" - when: "ansible_lsb.codename == 'bullseye'" \ No newline at end of file + when: "ansible_lsb.codename == 'bullseye' or ansible_lsb.release == 'testing/unstable'" \ No newline at end of file From 613a11d11986c56b4d580ed9c6ca2003a31a947f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 01:11:39 +0200 Subject: [PATCH 17/29] elasticsearch: 7.x by default --- elasticsearch/defaults/main.yml | 2 +- elasticsearch/files/elastic.gpg | Bin 0 -> 1220 bytes elasticsearch/tasks/packages.yml | 4 ++-- 3 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 elasticsearch/files/elastic.gpg diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index eb254807..2b891953 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -1,5 +1,5 @@ --- -elastic_stack_version: "6.x" +elastic_stack_version: "7.x" elasticsearch_cluster_name: Null elasticsearch_cluster_members: Null 
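Review bot: The keyring copy in `mongodb/tasks/main_bullseye.yml` now sets `mode: "0644"` but still leaves ownership to whatever the connection user or an earlier run produced. For a file APT uses as a trust anchor I would pin ownership as well, with `owner: root` and `group: root`. The task starts above the hunk, so its name and module are not visible here.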
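Review bot: The added `or ansible_lsb.release == 'testing/unstable'` in `bullseye-detect/tasks/main.yml` relabels every testing or unstable host as Debian 11 bullseye, not only bullseye pre-releases. A host tracking a later testing cycle or sid would presumably match too and receive bullseye APT sources and version-gated tasks. The condition also depends on `ansible_lsb`, which is only populated when lsb-release is present on the target. At minimum I would add a comment such as `# remove the testing/unstable clause once Debian 11 is released`. The `set_fact` task begins above the hunk.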
diff --git a/elasticsearch/files/elastic.gpg b/elasticsearch/files/elastic.gpg new file mode 100644 index 0000000000000000000000000000000000000000..2508ddc9bcb7cd2aa56d7aafe3de18669a0c8ba4 GIT binary patch literal 1220 zcmV;#1Uvhg0SyFFHy+9X2msd(*3Bk-TRxz5yfbYI%AtFYZxxFfH_{Gf##e%#+8#K1 z2#`Yq=EfB4GKIH$YTfyb2-X7)PTj}Yu%IRvFMzLd#|X(4-iBBB zNn%0m_TsC~ZB39y)A$x$Gg-&m{Vx<_HJ4a{ZYHBI6Vn<+ja$J$Z_bLEys?>&bcNL; z&iOETLb2qn0l~6m{w3DBcZMam&+X_d%)$f>mbr5v?^aLd4eK<%vZ3A8g1>2wYKDT% zhMz|Kd|`1VLXf(=Nh@R3mUT`0stZf0#Y{~ z$^sh$1`7!Y2Ll2I6$k1I9H1eiT7XwUM)$J*jKM;X&4Bpd635J@=#!Hzn^VO=5Quvp{Lfq6q zKg&p0;T}I;59QwR-t5EW@5CLNH;5-rRCA2IXH6P(hi}L@X)0mz2KKe4NV8?e5O%lc zG)BnX7|uU=8Bbd&MQu|Y=9z<}i))c&r_2}RnR55M?U&ta@R=cELAe191X4F1$^i%f z=^zo-#-+gyRdXc zz2n7GMpEdJar9zpjUZbc6l7{|xO!!`xo8!AoNmFz0-sj0HUw=dA#e6HD}!XnSWEL` zA8pG7!o|;p6vcp*u(ONlxL7}sQDvVE4K(#n)-y>g(5x^M1f=~y?oNzGoTWB(01*KI z0f_-01Q-DV00{*GQa2vT0vikf3JDO>eP(RfjzY9^a|i%|J%j{y(rSrVw=BfFYevql zG+kA$kbdHS`Q-&WqYyQTP)_K9ZsMpc7hQ=>tLG<^3ur{;f(6+7Fy4RLGEDX8LCa~) z#*I`to_7j0N+R^$<0x)ZuUeB4{f#5)xw|3?%vnI!4EyLjXv~*twTU;f9zz)uB?<8& ztY~<6jbCu5(xwZ*zVs{%xg-_ro>xOx{G=XH<4nM0#RsGZOZKNlp^$qBqms55p)+lM iS#cuoS7K;^5fneD@Z}j9PJvY2_Z1%;Su+QnobN%rVK31D literal 0 HcmV?d00001 diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index da154593..b1d5cb9a 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -31,7 +31,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes @@ -52,4 +52,4 @@ name: elasticsearch enabled: yes tags: - - elasticsearch + - elasticsearch From d40fad662f15b993286480feccf17c4e6a503084 Mon Sep 17 00:00:00 2001 
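Review bot: The new `signed-by=/usr/share/keyrings/elastic.gpg` option in `elasticsearch/tasks/packages.yml` points at a keyring that nothing in this file's hunks installs. The commit adds `elasticsearch/files/elastic.gpg`, but the two hunks only change the `repo:` line and the tag indentation. Unless a task above line 31 already copies the file, `update_cache: yes` will fail signature verification on a fresh host. I would add a copy task ahead of the sources-list task, as sketched below.

```yaml
- name: Elastic GPG keyring is present
  copy:
    src: elastic.gpg
    dest: /usr/share/keyrings/elastic.gpg
    mode: "0644"
    owner: root
    group: root

- name: Elastic sources list is available
  # … unchanged: apt_repository task with the signed-by repo line …
```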
From: Jeremy Lecour Date: Sun, 2 May 2021 01:12:37 +0200 Subject: [PATCH 18/29] kibana: 7.x by default --- kibana/defaults/main.yml | 2 +- kibana/files/elastic.gpg | Bin 0 -> 1220 bytes kibana/files/elasticsearch.key | 31 ------------------------------- kibana/tasks/main.yml | 2 ++ 4 files changed, 3 insertions(+), 32 deletions(-) create mode 100644 kibana/files/elastic.gpg delete mode 100644 kibana/files/elasticsearch.key diff --git a/kibana/defaults/main.yml b/kibana/defaults/main.yml index e167c21f..7107398c 100644 --- a/kibana/defaults/main.yml +++ b/kibana/defaults/main.yml @@ -1,5 +1,5 @@ --- -elastic_stack_version: "5.x" +elastic_stack_version: "7.x" kibana_server_host: "127.0.0.1" kibana_server_basepath: "" diff --git a/kibana/files/elastic.gpg b/kibana/files/elastic.gpg new file mode 100644 index 0000000000000000000000000000000000000000..2508ddc9bcb7cd2aa56d7aafe3de18669a0c8ba4 GIT binary patch literal 1220 zcmV;#1Uvhg0SyFFHy+9X2msd(*3Bk-TRxz5yfbYI%AtFYZxxFfH_{Gf##e%#+8#K1 z2#`Yq=EfB4GKIH$YTfyb2-X7)PTj}Yu%IRvFMzLd#|X(4-iBBB zNn%0m_TsC~ZB39y)A$x$Gg-&m{Vx<_HJ4a{ZYHBI6Vn<+ja$J$Z_bLEys?>&bcNL; z&iOETLb2qn0l~6m{w3DBcZMam&+X_d%)$f>mbr5v?^aLd4eK<%vZ3A8g1>2wYKDT% zhMz|Kd|`1VLXf(=Nh@R3mUT`0stZf0#Y{~ z$^sh$1`7!Y2Ll2I6$k1I9H1eiT7XwUM)$J*jKM;X&4Bpd635J@=#!Hzn^VO=5Quvp{Lfq6q zKg&p0;T}I;59QwR-t5EW@5CLNH;5-rRCA2IXH6P(hi}L@X)0mz2KKe4NV8?e5O%lc zG)BnX7|uU=8Bbd&MQu|Y=9z<}i))c&r_2}RnR55M?U&ta@R=cELAe191X4F1$^i%f z=^zo-#-+gyRdXc zz2n7GMpEdJar9zpjUZbc6l7{|xO!!`xo8!AoNmFz0-sj0HUw=dA#e6HD}!XnSWEL` zA8pG7!o|;p6vcp*u(ONlxL7}sQDvVE4K(#n)-y>g(5x^M1f=~y?oNzGoTWB(01*KI z0f_-01Q-DV00{*GQa2vT0vikf3JDO>eP(RfjzY9^a|i%|J%j{y(rSrVw=BfFYevql zG+kA$kbdHS`Q-&WqYyQTP)_K9ZsMpc7hQ=>tLG<^3ur{;f(6+7Fy4RLGEDX8LCa~) z#*I`to_7j0N+R^$<0x)ZuUeB4{f#5)xw|3?%vnI!4EyLjXv~*twTU;f9zz)uB?<8& ztY~<6jbCu5(xwZ*zVs{%xg-_ro>xOx{G=XH<4nM0#RsGZOZKNlp^$qBqms55p)+lM iS#cuoS7K;^5fneD@Z}j9PJvY2_Z1%;Su+QnobN%rVK31D literal 0 HcmV?d00001 
diff --git a/kibana/files/elasticsearch.key b/kibana/files/elasticsearch.key deleted file mode 100644 index 1b50dcca..00000000 --- a/kibana/files/elasticsearch.key +++ /dev/null @@ -1,31 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.14 (GNU/Linux) - -mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD -A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 -CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ -j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd -1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD -2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg -KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy -Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC -F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 -nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ -7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm -TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe -8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ -eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl -zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT -RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ -1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ -Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt -KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww -EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 -c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J -TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j -6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 -vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM -cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ -qPDlGRlOgVTd9xUfHFkzB52c70E= -=92oX ------END PGP PUBLIC KEY BLOCK----- 
diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 1ed342e0..8ebbe752 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -129,3 +129,5 @@ - include: proxy_nginx.yml when: kibana_proxy_nginx | bool + tags: + - kibana From 6b87ead5b40171d2e3e2891b2ea906892ec12d26 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 01:13:12 +0200 Subject: [PATCH 19/29] update changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b5ca4ab5..87242546 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,7 +23,10 @@ The **patch** part changes incrementally at each release. ### Changed +* elasticsearch: 7.x by default +* evolinux-base: copy GPG key instead of using apt-key * evolinux-base: force Debian version to buster for Evolix repository (temporary) +* kibana: 7.x by default * listupgrade: upstream release 21.06.3 * mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later From 9c8dd743c8c94e79dc6a275f4efe4ab896005f1f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 01:14:06 +0200 Subject: [PATCH 20/29] Use python3 packages on Debian 11 and later --- CHANGELOG.md | 1 + docker-host/tasks/main.yml | 13 ++++++++++++- lxc/tasks/main.yml | 13 ++++++++++++- mongodb/tasks/main_bullseye.yml | 2 +- postgresql/tasks/nrpe.yml | 9 ++++++++- rabbitmq/tasks/nrpe.yml | 9 ++++++++- 6 files changed, 42 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 87242546..e1de215f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes incrementally at each release. ### Changed +* Use python3 modules for Debian 11 and later * elasticsearch: 7.x by default * evolinux-base: copy GPG key instead of using apt-key * evolinux-base: force Debian version to buster for Evolix repository (temporary) diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index d3a41a28..796c800d 100644 
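Review bot: This hunk is the only change to `kibana/tasks/main.yml`, yet the same commit deletes `kibana/files/elasticsearch.key` and adds `kibana/files/elastic.gpg`. If a task earlier in the file still references `elasticsearch.key` (not visible here), it will fail on a missing source file, and nothing installs the new keyring. I would update that key task in this commit to use `elastic.gpg`. The added `tags: - kibana` on the `include` itself looks fine.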
--- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -40,9 +40,20 @@ apt: name: - docker-ce - - python-docker update_cache: yes +- name: python-docker is installed + apt: + name: python-docker + state: present + when: ansible_distribution_major_version is version('10', '<=') + +- name: python3-docker is installed + apt: + name: python3-docker + state: present + when: ansible_distribution_major_version is version('10', '>') + - name: Copy Docker daemon configuration file template: src: daemon.json.j2 diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index a3a31cf5..74ba69ae 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -5,7 +5,18 @@ - lxc - debootstrap - xz-utils - - python-lxc + +- name: python-lxc is installed + apt: + name: python-lxc + state: present + when: ansible_distribution_major_version is version('10', '<=') + +- name: python3-lxc is installed + apt: + name: python3-lxc + state: present + when: ansible_distribution_major_version is version('10', '>') - name: Install additional packages on Buster apt: diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index a2ef6038..e8415b03 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -31,7 +31,7 @@ - name: install dependency for monitoring apt: - name: python-pymongo + name: python3-pymongo state: present - name: Custom configuration diff --git a/postgresql/tasks/nrpe.yml b/postgresql/tasks/nrpe.yml index 740c7b08..9c22e293 100644 --- a/postgresql/tasks/nrpe.yml +++ b/postgresql/tasks/nrpe.yml 
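Review bot: The python2/python3 split in `docker-host/tasks/main.yml` is written as two near-identical `apt` tasks with opposite `when:` clauses. The same pair is repeated in the `lxc/tasks/main.yml`, `postgresql/tasks/nrpe.yml` and `rabbitmq/tasks/nrpe.yml` hunks of this commit. One task per role with a computed name would halve the code and remove the risk of the two conditions drifting apart, e.g. `name: "{{ (ansible_distribution_major_version is version('11', '>=')) | ternary('python3-docker', 'python-docker') }}"`. Writing the threshold as `'11', '>='` would also match the form used in the squid systemd template of this series, rather than `'10', '>'`.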
@@ -9,10 +9,17 @@ register: postgresql_nrpe_password changed_when: False -- name: Install python dependencies for postgresql_user +- name: python-psycopg2 is installed (Ansible dependency) apt: name: python-psycopg2 state: present + when: ansible_distribution_major_version is version('10', '<=') + +- name: python3-psycopg2 is installed (Ansible dependency) + apt: + name: python3-psycopg2 + state: present + when: ansible_distribution_major_version is version('10', '>') - name: Is nrpe present ? stat: diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml index c4c700df..75b37043 100644 --- a/rabbitmq/tasks/nrpe.yml +++ b/rabbitmq/tasks/nrpe.yml @@ -1,9 +1,16 @@ --- -- name: check_rabbitmq dependencies +- name: python-requests is installed (check_rabbitmq dependency) apt: name: python-requests state: present + when: ansible_distribution_major_version is version('10', '<=') + +- name: python3-requests is installed (check_rabbitmq dependency) + apt: + name: python3-requests + state: present + when: ansible_distribution_major_version is version('10', '>') - include_role: name: evolix/remount-usr From 8a784c39abc72230a545bd05c8516e7505f3680c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 01:15:38 +0200 Subject: [PATCH 21/29] mongodb: create munin plugins directory if missing --- CHANGELOG.md | 1 + mongodb/tasks/main_bullseye.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1de215f..a06493ae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release. * evolinux-base: add default motd template * kvm-host: add migrate-vm script * listupgrade: crontab is configurable +* mongodb: create munin plugins directory if missing * mysql: variable to disable myadd script overwrite (default: True) * redis: instance service for Debian 11 diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index e8415b03..eed10eb4 100644 
--- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -48,6 +48,12 @@ force: yes backup: no +- name: Munin plugins local directory exists + file: + dest: /usr/local/share/munin/plugins/ + state: directory + mode: "0755" + - name: Munin plugins are present copy: src: "munin/{{ item }}" From 5c1ae6ed0c2185706f7cbc4d825900b566fdfd82 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 01:22:57 +0200 Subject: [PATCH 22/29] spamassassin: change dependency on evomaintenance Fail with an error if evomaintenance config is missing instead of trying to install a package that doesn't exist anymore. --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a06493ae..c484d724 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,7 @@ The **patch** part changes incrementally at each release. * mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later * ntpd: Add leapfile configuration setting to ntpd on debian 10+ +* spamassassin: change dependency on evomaintenance * squid: remove obsolete variable on Squid 4 ### Fixed From a5658b7f2621e9364cb27534c468bd6e64846598 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 4 May 2021 12:36:00 +0200 Subject: [PATCH 23/29] packweb-apache: install phpMyAdmin from buster-backports --- CHANGELOG.md | 3 +++ packweb-apache/templates/phpmyadmin_apt_preferences.j2 | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c484d724..09213e22 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,8 @@ The **patch** part changes incrementally at each release. ### Changed * Use python3 modules for Debian 11 and later +* apt: store keys in /etc/apt/trusted.gpg.d in ascii format +* certbot: sync_remote.sh is configurable * elasticsearch: 7.x by default * evolinux-base: copy GPG key instead of using apt-key * evolinux-base: force Debian version to buster for Evolix repository (temporary) 
@@ -33,6 +35,7 @@ The **patch** part changes incrementally at each release. * mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later * ntpd: Add leapfile configuration setting to ntpd on debian 10+ +* packweb-apache: install phpMyAdmin from buster-backports * spamassassin: change dependency on evomaintenance * squid: remove obsolete variable on Squid 4 diff --git a/packweb-apache/templates/phpmyadmin_apt_preferences.j2 b/packweb-apache/templates/phpmyadmin_apt_preferences.j2 index 02578c0d..3a2d2833 100644 --- a/packweb-apache/templates/phpmyadmin_apt_preferences.j2 +++ b/packweb-apache/templates/phpmyadmin_apt_preferences.j2 @@ -1,3 +1,3 @@ Package: phpmyadmin php-twig Pin: release a=buster-backports -Pin-Priority: 999 \ No newline at end of file +Pin-Priority: 999 From 58cd1fedfad116f7b5ec297cdfe03822b81e09a4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 4 May 2021 12:39:47 +0200 Subject: [PATCH 24/29] fix path for first_found lookup --- metricbeat/tasks/main.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 640a8902..17d4a7d7 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml 
@@ -121,13 +121,13 @@ src: "{{ item }}" dest: /etc/metricbeat/metricbeat.yml force: "{{ metricbeat_force_config }}" - loop: "{{ query('first_found', templates) }}" - vars: - templates: - - "templates/metricbeat/metricbeat.{{ inventory_hostname }}.yml.j2" - - "templates/metricbeat/metricbeat.{{ host_group | default('all') }}.yml.j2" - - "templates/metricbeat/metricbeat.default.yml.j2" - - "templates/metricbeat.default.yml.j2" - notify: restart metricbeat - when: metricbeat_update_config | bool + loop: "{{ query('first_found', templates) }}" + vars: + templates: + - "templates/metricbeat/metricbeat.{{ inventory_hostname }}.yml.j2" + - "templates/metricbeat/metricbeat.{{ host_group | default('all') }}.yml.j2" + - "templates/metricbeat/metricbeat.default.yml.j2" + - "templates/metricbeat.default.yml.j2" + notify: restart metricbeat + when: metricbeat_update_config | bool when: metricbeat_use_config_template | bool From b5bcd666c68b1b2877740d4a9884dad16092302b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 2 Jul 2021 21:23:14 +0200 Subject: [PATCH 25/29] fix apt gpg keys after rebase from unstable --- elasticsearch/tasks/packages.yml | 2 +- mongodb/tasks/main_bullseye.yml | 16 ++++++++++++---- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index b1d5cb9a..b1291d4a 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -31,7 +31,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index eed10eb4..63b2193b 100644 --- a/mongodb/tasks/main_bullseye.yml 
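Review bot: Dropping `[signed-by=/usr/share/keyrings/elastic.gpg]` from the `repo:` line in `elasticsearch/tasks/packages.yml` widens trust. The Elastic repository is then accepted when signed by any key in APT's global keyring, and the Elastic key becomes valid for every other configured repository. The `mongodb/tasks/main_bullseye.yml` hunk of this commit makes the same move by installing its key under `/etc/apt/trusted.gpg.d/` and removing `signed-by` from its source line. If the rebase only broke the keyring path, I would fix the path and keep the option, i.e. `repo: "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"`.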
+++ b/mongodb/tasks/main_bullseye.yml @@ -1,16 +1,24 @@ --- # https://wiki.debian.org/DebianRepository/UseThirdParty -- name: Add MongoDB GPG key for version 4.4 +- name: MongoDB embedded GPG key is absent + apt_key: + id: "B8612B5D" + keyring: /etc/apt/trusted.gpg + state: absent + +- name: Add MongoDB GPG key copy: - src: server-4.4.gpg - dest: /usr/share/keyrings/mongodb-server-4.4.gpg + src: server-4.4.asc + dest: /etc/apt/trusted.gpg.d/mongodb-server-4.4.asc force: yes mode: "0644" + owner: root + group: root - name: enable APT sources list apt_repository: - repo: deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main + repo: deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main state: present filename: mongodb-org-4.4 update_cache: yes From 5905751a824657ac74c3932cfcba30a9c2801683 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 2 Jul 2021 23:45:42 +0200 Subject: [PATCH 26/29] squid: must be started in foreground mode for systemd --- CHANGELOG.md | 1 + squid/files/systemd-override.conf | 4 ---- squid/tasks/systemd.yml | 4 ++-- squid/templates/systemd-override.conf.j2 | 8 ++++++++ 4 files changed, 11 insertions(+), 6 deletions(-) delete mode 100644 squid/files/systemd-override.conf create mode 100644 squid/templates/systemd-override.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 09213e22..b75809f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -37,6 +37,7 @@ The **patch** part changes incrementally at each release. * ntpd: Add leapfile configuration setting to ntpd on debian 10+ * packweb-apache: install phpMyAdmin from buster-backports * spamassassin: change dependency on evomaintenance +* squid: must be started in foreground mode for systemd * squid: remove obsolete variable on Squid 4 ### Fixed diff --git a/squid/files/systemd-override.conf b/squid/files/systemd-override.conf deleted file mode 100644 index eab76a17..00000000 
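Review bot: The new `apt_key` removal task identifies the key by the 8-hex-digit short ID `"B8612B5D"`. Short IDs are not unique, so the task could match a different key than the one intended. I would use the full fingerprint instead, `id: "FULL_FINGERPRINT_PLACEHOLDER"`, with the value taken from `server-4.4.asc`. The source line in the same hunk stays on `http://repo.mongodb.org`, so package integrity rests entirely on the signature check.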
--- a/squid/files/systemd-override.conf +++ /dev/null @@ -1,4 +0,0 @@ -# systemd override for Squid -[Service] -ExecStart= -ExecStart=/usr/sbin/squid -sYC -f /etc/squid/evolinux-defaults.conf diff --git a/squid/tasks/systemd.yml b/squid/tasks/systemd.yml index 82b8760c..ac9eb7e9 100644 --- a/squid/tasks/systemd.yml +++ b/squid/tasks/systemd.yml @@ -16,8 +16,8 @@ mode: "0755" - name: "Squid systemd unit service is present" - copy: - src: systemd-override.conf + template: + src: systemd-override.conf.j2 dest: /etc/systemd/system/squid.service.d/override.conf force: yes register: _squid_systemd_override diff --git a/squid/templates/systemd-override.conf.j2 b/squid/templates/systemd-override.conf.j2 new file mode 100644 index 00000000..ee3ff666 --- /dev/null +++ b/squid/templates/systemd-override.conf.j2 @@ -0,0 +1,8 @@ +# systemd override for Squid +[Service] +ExecStart= +{% if ansible_distribution_major_version is version('11', '>=') %} +ExecStart=/usr/sbin/squid --foreground -sYC -f /etc/squid/evolinux-defaults.conf +{% else %} +ExecStart=/usr/sbin/squid -sYC -f /etc/squid/evolinux-defaults.conf +{% endif %} From 3721c2ab38f9e79c5efd138032802a9eaacfbac1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 3 Jul 2021 08:52:50 +0200 Subject: [PATCH 27/29] squid: improve default whitelist --- CHANGELOG.md | 2 +- squid/files/evolinux-whitelist-defaults.conf | 58 ++++++++++---------- 2 files changed, 30 insertions(+), 30 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b75809f9..56086961 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -37,9 +37,9 @@ The **patch** part changes incrementally at each release. * ntpd: Add leapfile configuration setting to ntpd on debian 10+ * packweb-apache: install phpMyAdmin from buster-backports * spamassassin: change dependency on evomaintenance +* squid: improve default whitelist (more specific patterns) * squid: must be started in foreground mode for systemd * squid: remove obsolete variable on Squid 4 - ### Fixed * certbot: sync_remote excludes itself diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index 83b5e827..fea90344 100644 --- a/squid/files/evolinux-whitelist-defaults.conf +++ b/squid/files/evolinux-whitelist-defaults.conf @@ -1,20 +1,19 @@ ### Evolix & System -^.*\.evolix\.(net|org|com|fr)$ -^.*\.debian\.org$ +(\.)?evolix\.(net|org|com|fr)$ +(\.)?debian\.org$ ^www\.backports\.org$ -^backports\.debian\.org$ ^www\.kernel\.org$ ^hwraid\.le-vert\.net$ -^.*\.clamav\.net$ +.+\.clamav\.net$ ^spamassassin\.apache\.org$ -^.*sa-update.*$ +.+\.sa-update\..+ ^pear\.php\.net$ ^repo\.mysql\.com$ ^deb\.nodesource\.com$ ^dl\.yarnpkg\.com$ # Let's Encrypt -^.*\.letsencrypt.org$ +.+\.letsencrypt.org$ # Other OCSP endpoint ^ocsp\.usertrust\.com$ @@ -22,9 +21,9 @@ ### CMS / Wordpress / Drupal / ... # Wordpress -^.*\.akismet\.com$ -^.*\.wordpress\.(org|com)$ -^.*\.gravatar\.com$ +.+\.akismet\.com$ +.+\.wordpress\.(org|com)$ +.+\.gravatar\.com$ ^www\.wordpress-fr\.net$ ^pixel\.wp\.com$ ^wp-updates\.com$ @@ -63,11 +62,11 @@ ^www\.weblogalot\.com$ # Wordpress plugins -^.*\.wpml\.org$ +.+\.wpml\.org$ ^www\.wpcube\.co\.uk$ -^.*\.wp-rocket\.me$ +.+\.wp-rocket\.me$ ^www\.yithemes\.com$ -^.*\.yoast\.com$ +.+\.yoast\.com$ ^yarpp\.org$ ^repository\.kreaturamedia\.com$ ^api\.wp-events-plugin\.com$ @@ -87,7 +86,7 @@ ^amasty\.com$ # Joomla -^.*\.joomla\.org$ +.+\.joomla\.org$ ^getk2\.org$ ^miwisoft\.com$ ^mijosoft\.com$ 
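Review bot: In the first hunk of `evolinux-whitelist-defaults.conf`, `(\.)?evolix\.(net|org|com|fr)$` and `(\.)?debian\.org$` lose the leading `^` and make the dot optional. They therefore match any host name that merely ends in the string, for example a constructed `notdebian.org`, assuming Squid applies these as unanchored regexes. That is broader than the old `^.*\.debian\.org$`, not more specific as the CHANGELOG entry says, which matters for an egress allow-list. Anchoring keeps the apex and its subdomains only: `^(.+\.)?evolix\.(net|org|com|fr)$` and `^(.+\.)?debian\.org$`. In the same hunk `.+\.letsencrypt.org$` still has an unescaped dot before `org`, and `.+\.sa-update\..+` has no anchor at either end.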
@@ -97,13 +96,13 @@ ^download\.nonumber\.nl$ # Prestashop -^.*\.prestashop\.com$ +.+\.prestashop\.com$ ^www\.presta-module\.com$ ^www\.presteamshop\.com$ # Others -^.*.drupal\.org$ -^.*\.dotclear\.(net|org)$ +.+\.drupal\.org$ +.+\.dotclear\.(net|org)$ ^www\.phpbb\.com$ ^www\.typolight\.org$ ^www\.spip\.net$ @@ -113,8 +112,8 @@ # Google -^.*\.googleapis\.com$ -^.*\.google-analytics\.com$ +.+\.googleapis\.com$ +.+\.google-analytics\.com$ ^blogsearch\.google\.(com|fr)$ ^csi\.gstatic\.com$ ^maps\.google\..*$ @@ -123,8 +122,8 @@ ^fonts\.googleapis\.com$ # Facebook -^.*\.facebook\.com$ -^.*\.fbcdn\.net$ +.+\.facebook\.com$ +.+\.fbcdn\.net$ # Maxmind ^geolite\.maxmind\.com$ @@ -138,15 +137,15 @@ ^www\.liberation\.fr$ # Others -#^.*\.amazon.com$ -^.*\.twitter\.com$ -^.*\.feedburner\.com$ -^.*\.openx\.(org|com|net)$ +#.+\.amazon.com$ +.+\.twitter\.com$ +.+\.feedburner\.com$ +.+\.openx\.(org|com|net)$ ^geoip-api\.meteor\.com$ ^www\.bing\.com$ ^www\.telize\.com$ -^.*\.ident\.me$ -^.*\.icanhazip\.com$ +.+\.ident\.me$ +.+\.icanhazip\.com$ ^www\.express-mailing\.com$ ^bot\.whatismyipaddress\.com$ ^ipecho\.net$ @@ -158,12 +157,13 @@ ^ftp-.*\.osuosl\.org$ ^ftp\.icm\.edu\.pl$ ^apt\.newrelic\.com$ -^.*\.cloudfront\.net$ +.+\.cloudfront\.net$ ^api\.mailjet\.com$ ^bfmbusiness\.bfmtv\.com$ ^api\.pinterest\.com$ ^api\.openweathermap\.org$ ^www\.lefigaro\.fr$ ^www\.dailymotion\.com$ -^.*\.123rf\.com$ -^.*.gouv\.fr$ +.+\.123rf\.com$ +.+\.gouv\.fr$ +^ifconfig\.me$ \ No newline at end of file From 4167b6d2a905b6ae4c5f19ba0340264a9e0e4701 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 3 Jul 2021 09:10:22 +0200 Subject: [PATCH 28/29] fix CHANGELOG --- CHANGELOG.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56086961..06abf68b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -15,28 +15,19 @@ The **patch** part changes incrementally at each release. * Preliminary support for Debian 11 « Bullseye » * apache: new variable for mpm mode (+ updated default config accordingly) * certbot: add script for manual deploy hooks execution -* evolinux-base: add default motd template -* kvm-host: add migrate-vm script * listupgrade: crontab is configurable * mongodb: create munin plugins directory if missing -* mysql: variable to disable myadd script overwrite (default: True) * redis: instance service for Debian 11 ### Changed * Use python3 modules for Debian 11 and later -* apt: store keys in /etc/apt/trusted.gpg.d in ascii format -* certbot: sync_remote.sh is configurable * elasticsearch: 7.x by default -* evolinux-base: copy GPG key instead of using apt-key * evolinux-base: force Debian version to buster for Evolix repository (temporary) * kibana: 7.x by default * listupgrade: upstream release 21.06.3 * mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later -* ntpd: Add leapfile configuration setting to ntpd on debian 10+ -* packweb-apache: install phpMyAdmin from buster-backports -* spamassassin: change dependency on evomaintenance * squid: improve default whitelist (more specific patterns) * squid: must be started in foreground mode for systemd * squid: remove obsolete variable on Squid 4 From d1829e700052d761bf08e78af80009ae85fd3a1a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 3 Jul 2021 09:16:12 +0200 Subject: [PATCH 29/29] metricbeat: fix indentation --- metricbeat/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 17d4a7d7..ded5d008 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml 
@@ -129,5 +129,5 @@ - "templates/metricbeat/metricbeat.default.yml.j2" - "templates/metricbeat.default.yml.j2" notify: restart metricbeat - when: metricbeat_update_config | bool + when: metricbeat_update_config | bool when: metricbeat_use_config_template | bool