Merge branch 'unstable' into stable

handlers are not supposed to be executed in check-mode since no change should happen in check-mode.
If there is a corner case we should deal with it at the source, not at the handler level.

CHANGELOG.md

@@ -21,6 +21,142 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Security
 
+## [24.03] 2024-03-01
+
+### Added
+
+* autosysadmin-agent: upstream release 24.03
+* autosysadmin-restart_nrpe: add role
+* certbot: Renewal hook for NRPE
+* kvm-host: add minifirewall rules if DRBD interface is configured
+
+### Changed
+
+* apt: add ftp.evolix.org as recognized system source
+* autosysadmin-agent: logs clearing is done weekly
+* autosysadmin-agent: rename /usr/share/scripts/autosysadmin/{auto,restart}
+* certbot: use pkey to test the key
+* evolinux-base: execute autosysadmin-agent and autosysadmin-restart_nrpe roles
+* lxc-php, php: Update sury PGP key
+* openvpn: earlier alert for CA expiration
+* redis: create sysfs config file if missing
+
+### Removed
+
+* autosysadmin: replaced by autosysadmin-agent
+
+## [24.02.1] 2024-02-08
+
+### Fixed
+
+* fail2ban: fix Ansible syntax
+
+## [24.02] 2024-02-08
+
+### Added
+
+* Support for PHP 8.3 with bookworm LXC containers
+* apt: add task file to install ELTS repository (default: False)
+* autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation
+* check_free_space: added role
+* etc-git: add /var/chroot-bind/etc/bind repo
+* fail2ban: add script unban_ip
+* generateldif: new Services for check_pressure_{cpu,io,mem}
+* kvm-host: Automatically add an LVM filter when LVM is present
+* lxc-php: Allow one to install php83 on Bookworm container
+* minifirewall: Fix nagios check for old versions of minifirewall
+* mongodb: add gpg key for 7.0
+* nagios-nrpe: add check_sentinel for monitoring Redis Sentinel
+* nagios-nrpe: new check_pressure_{cpu,io,mem}
+* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
+* vrrpd: configure minifirewall
+* vrrpd: test if interface exists before deleting it
+* webapps/evoadmin-mail: package installed via public.evolix.org/evolix repo starting with Bookworm
+* webapps/nextcloud: Add condition for archive tasks
+* webapps/nextcloud: Add condition for config tasks
+* webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
+* webapps/nextcloud: Set ownership and permissions of data directory
+
+### Changed
+
+* add-vm.sh: allow VM name max length > 20
+* amavis: make ldap_suffix mandatory
+* apache : fix goaway pattern for bad bots 
+* apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name)
+* apache: use backward compatible Redirect directive
+* apt: Disable archive repository for Debian 8
+* apt: Use the GPG version of the key for Debian 8-9
+* bind: Update role for Buster, Bullseye and Bookworm support
+* dovecot: add variables for LDAP
+* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
+* evocheck: upstream release 24.01
+* evolinux-base: dump-server-state upstream release 23.11
+* evolinux-base: use separate default config file for rsyslog
+* kvmstats: use .capacity instead of .physical for disk size
+* ldap: make ldap_suffix mandatory
+* listupgrade : old-kernel-removal.sh upstream release 24.01
+* log2mail: move custom config in separate file
+* lxc: init /etc git repository in lxc container
+* mysql: disable performance schema for Debian 8
+* nagios: add dockerd check in nrpe check template
+* nagios: cleaning nrpe check template
+* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12
+* nagios: add option --full to check pressure IO and mem to avoid flaps
+* proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11
+* redis: manage config template inside a block, to allow custom modifications outside
+* spamassassin: Use spamd starting with Bookworm
+* squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8
+* unbound: Add config file to allow configuration reload on Debian 11 and lower
+* unbound: Add munin configuration & setup plugin
+* unbound: Big cleanup
+* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf`
+* unbound: Use root hints provided by debian package dns-root-data instead of downloading them
+* vrrpd: replace switch script with custom one (fix MAC issue, use `ip(8)`, shell cleanup…)
+* vrrpd: variable to force update the switch script (default: false)
+* webapps/nextcloud: Add Ceph volume to fstab
+* webapps/nextcloud: Set home directory's mode
+
+### Fixed
+
+* Add php-fpm82 to LDAP when relevant
+* Check stat.exists before stat.isdir
+* apache: fix MaxRequestsPerChild value to be sync with wiki.e.o
+* apt: use archive.debian.org with Stretch
+* certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP)
+* dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '*' » or « doveadm expunge -u "*" mailbox INBOX savedbefore 7d »).
+* dovecot: fix missing default mails
+* dovecot: fix plugin dovecot1
+* evoadmin-web: Fix PHP version for Bookworm
+* evolinux-base: fix hardware.yml (wrong repo, missing update cache)
+* evolinux-base: start to install linux-image-cloud-amd64 with Buster
+* fail2ban: fix template marker
+* minifirewall: ports 25, 53, 443, 993, 995 not opened publicly by default anymore, ports 20, 21, 110, 143 not opened semi-publicly by default anymore.
+* nagios: fix default file to monitor for check_clamav_db
+* nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode
+* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
+* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
+* nginx: keep indentation
+* nginx: take care of « already defined » and « not yet defined » server status suffix in check mode
+* php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository
+* php: drop apt_preferences(5) file for sury
+* postfix: remove dependency on evolinux_fqdn var
+* proftpd: set missing default listen IP for SFTP
+* roundcube: set default SMTP port to 25 instead of 587, which failed because of missing SSL conf (local connexion does not need SSL)
+* ssl: no not execute haproxy tasks and reload if haproxy is disabled
+* unbound: Add a apt cache validity to enforce an apt update if needed
+* webapps/nextcloud: added check that nextcloud uid is over 3000
+* webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src
+* webapps/nextcloud: fix misplaced gid attribute
+* webapps/nextcloud: fix missing gid
+* webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice)
+* amavis: Add variables for generate "ldap_suffix"
+* proftpd: fix error when no SSH key is provided
+
+### Removed
+
+* evolinux-base: no need to remove update-evobackup-canary from sbin anymore
+* evolinux-base: no need to symlink backup-server-state to dump-server-state anymore
+
 ## [23.10] 2023-10-14
 
 ### Added
@@ -381,16 +517,16 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Added
 
-* docker : Introduce new default settings + allow to change the docker data directory
-* docker : Introduce new variables to tweak daemon settings
+* docker: Introduce new default settings + allow to change the docker data directory
+* docker: Introduce new variables to tweak daemon settings
 
 ### Changed
 
-* evocheck: upstream release 22.05
+* evocheck: Upstream release 22.05
 
 ### Removed
 
-* docker : Removed Debian Jessie support
+* docker: Removed Debian Jessie support
 
 ## [22.05] 2022-05-10
 

amavis/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+
+ldap_hostname: "{{ ansible_hostname }}"
+ldap_domain: "{{ ansible_domain }}"
+ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"

amavis/tasks/main.yml

@@ -6,7 +6,7 @@
       - amavisd-new
     state: present
   tags:
-  - amavis
+    - amavis
 
 - name: configure Amavis
   ansible.builtin.template:
@@ -15,7 +15,7 @@
     mode: "0644"
   notify: restart amavis
   tags:
-  - amavis
+    - amavis
 
 - name: Install purge custom cron
   ansible.builtin.copy:
@@ -23,5 +23,5 @@
     dest: /etc/cron.daily/amavis_purge_virusmails
     mode: "0755"
   tags:
-  - amavis
-  - amavis_purge_cron
+    - amavis
+    - amavis_purge_cron

amavis/templates/amavis.conf.j2

@@ -44,7 +44,7 @@ $max_servers = 2;
 $enable_ldap = 1;
 $default_ldap = {
    hostname => '127.0.0.1', tls => 0,
-   base => '{{ ldap_suffix }}', scope => 'sub',
+   base => '{{ ldap_suffix | mandatory }}', scope => 'sub',
    query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))'
 };
 

apache/files/evolinux-defaults.conf

@@ -10,7 +10,7 @@ MaxKeepAliveRequests 10
     StartServers 50
     MinSpareServers 20
     MaxSpareServers 30
-    MaxRequestsPerChild 0
+    MaxConnectionsPerChild 100
 </IfModule>
 
 <IfModule mpm_worker_module>
@@ -20,7 +20,7 @@ MaxKeepAliveRequests 10
     ThreadLimit          64
     ThreadsPerChild      25
     MaxRequestWorkers     150
-    MaxConnectionsPerChild   0
+    MaxConnectionsPerChild  100 
 </IfModule>
 
 <IfModule mpm_itk_module>
@@ -40,28 +40,25 @@ MaxKeepAliveRequests 10
     </IfModule>
 </IfModule>
 
-
-<Directory /home/>
-    AllowOverride None
-    Require all granted
-    # "Require not env XXX" is not supported :(
-    Deny from env=GoAway
-</Directory>
+# Go away bad bots (define "bad bots" in zzz-evolinux-custom.conf)
+<If "reqenv('GoAway') -eq 1">
+  Require all denied
+</If>
 
 <DirectoryMatch "/\.git">
     # We don't want to let the client know a file exist on the server,
     # so we return 404 "Not found" instead of 403 "Forbidden".
-    Redirect 404
+    Redirect 404 "-"
 </DirectoryMatch>
 
 # File names starting with
 <FilesMatch "^\.(git|env)">
-    Redirect 404
+    Redirect 404 "-"
 </FilesMatch>
 
 # File names ending with
 <FilesMatch "\.(inc|bak)$">
-    Redirect 404
+    Redirect 404 "-"
 </FilesMatch>
 
 <LocationMatch "^/evolinux_fpm_status-.*">

apache/tasks/ip_whitelist.yml

@@ -5,6 +5,7 @@
     dest: /etc/apache2/ipaddr_whitelist.conf
     line: "Require ip {{ item }}"
     state: present
+    create: yes
   loop: "{{ apache_ipaddr_whitelist_present }}"
   notify: reload apache
   tags:

apt/defaults/main.yml

@@ -14,6 +14,7 @@ apt_install_backports: False
 apt_backports_components: "main"
 
 apt_install_evolix_public: True
+apt_install_extended_lts: False
 
 apt_clean_gandi_sourceslist: False
 
@@ -28,4 +29,4 @@ apt_check_hold_cron_weekday: "*"
 apt_check_hold_cron_day: "*"
 apt_check_hold_cron_month: "*"
 
-apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"

apt/files/bookworm_backports_preferences

@@ -1,3 +0,0 @@
-Package: *
-Pin: release a=bookworm-backports
-Pin-Priority: 50

apt/files/bullseye_backports_preferences

@@ -1,3 +0,0 @@
-Package: *
-Pin: release a=bullseye-backports
-Pin-Priority: 50

apt/files/buster_backports_preferences

@@ -1,3 +0,0 @@
-Package: *
-Pin: release a=buster-backports
-Pin-Priority: 50

apt/files/deb822-migration.py

@@ -1,5 +1,11 @@
 #!/usr/bin/env python3
 
+##########
+# This script takes a multi-lines input of "oneliner-style" APT sources definitions.
+# It converts them into "deb822-style" sources.
+# Each generated file will have only one stanza, possibly with multiple Types/Suites/Components
+##########
+
 import re
 import sys
 import os
@@ -10,11 +16,16 @@ import apt_pkg
 # Order matters !
 destinations = {
     "debian-security": "security.sources",
+
     ".*-backports": "backports.sources",
+
     ".debian.org": "system.sources",
     "mirror.evolix.org": "system.sources",
+    "ftp.evolix.org": "system.sources",
+
     "pub.evolix.net": "evolix_public_old.sources.bak",
     "pub.evolix.org": "evolix_public.sources",
+
     "artifacts.elastic.co": "elastic.sources",
     "download.docker.com": "docker.sources",
     "downloads.linux.hpe.com": "hp.sources",
@@ -76,6 +87,11 @@ def prepare_sources(lines):
                         key, value = option.split("=")
                         options[key] = value
 
+            ### WARNING ###
+            # if there are multiple lines with different URIS for a given destination (eg. "system")
+            # each one will overwrite the previous one 
+            # and the last evaluated will be what remains.
+
             if dest in sources:
                 sources[dest]["Types"].add(matches["type"])
                 sources[dest]["URIs"] = matches["uri"]

apt/files/deb822-migration.sh

@@ -1,5 +1,11 @@
 #!/bin/sh
 
+##########
+# This script changes all "one-line" APT sources into "deb822" sources.
+# It is responsible for searching and processing the files.
+# The actual format migration is done by a python script.
+##########
+
 deb822_migrate_script=$(command -v deb822-migration.py)
 
 if [ -z "${deb822_migrate_script}" ]; then
@@ -46,4 +52,4 @@ for file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name
 done
 
 echo "${count} file(s) migrated"
-exit ${rc}
+exit ${rc}

apt/files/jessie_backports_preferences

@@ -1,3 +0,0 @@
-Package: *
-Pin: release a=jessie-backports
-Pin-Priority: 50

apt/files/stretch_backports_preferences

@@ -1,3 +0,0 @@
-Package: *
-Pin: release a=stretch-backports
-Pin-Priority: 50

apt/tasks/backports.deb822.yml

@@ -10,19 +10,9 @@
   tags:
     - apt
 
-- name: Backports configuration
-  ansible.builtin.copy:
-    src: '{{ ansible_distribution_release }}_backports_preferences'
-    dest: /etc/apt/preferences.d/0-backports-defaults
-    force: true
-    mode: "0640"
-  register: apt_backports_config
-  tags:
-    - apt
-
 - name: Apt update
   ansible.builtin.apt:
     update_cache: yes
-  when: apt_backports_sources is changed or apt_backports_config is changed
+  when: apt_backports_sources is changed
   tags:
     - apt

apt/tasks/backports.oneline.yml

@@ -17,16 +17,6 @@
   tags:
     - apt
 
-- name: Backports configuration
-  ansible.builtin.copy:
-    src: '{{ ansible_distribution_release }}_backports_preferences'
-    dest: /etc/apt/preferences.d/0-backports-defaults
-    force: true
-    mode: "0640"
-  register: apt_backports_config
-  tags:
-    - apt
-
 - name: Archived backport are accepted (jessie)
   ansible.builtin.lineinfile:
     dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
@@ -42,4 +32,4 @@
     update_cache: yes
   tags:
     - apt
-  when: apt_backports_list is changed or apt_backports_config is changed
+  when: apt_backports_list is changed

apt/tasks/evolix_public.deb822.yml

@@ -24,10 +24,16 @@
     owner: root
     group: root
 
+- name: Set Evolix GPG key format to ASC
+  set_fact:
+    apt_evolix_public_key: "{{ apt_keyring_dir }}/pub_evolix.asc"
+  tags:
+    - apt
+
 - name: Add Evolix GPG key
   ansible.builtin.copy:
     src: pub_evolix.asc
-    dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
+    dest: "{{ apt_evolix_public_key }}"
     force: true
     mode: "0644"
     owner: root

apt/tasks/evolix_public.oneline.yml

@@ -24,10 +24,26 @@
     owner: root
     group: root
 
+- name: Set Evolix GPG key format to GPG (Debian < 9)
+  set_fact:
+    apt_evolix_public_key: "pub_evolix.gpg"
+  when:
+    - ansible_distribution_major_version is version('9', '<')
+  tags:
+    - apt
+
+- name: Set Evolix GPG key format to ASC (Debian >= 9)
+  set_fact:
+    apt_evolix_public_key: "pub_evolix.asc"
+  when:
+    - ansible_distribution_major_version is version('9', '>=')
+  tags:
+    - apt
+
 - name: Add Evolix GPG key
   ansible.builtin.copy:
-    src: pub_evolix.asc
-    dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
+    src: "{{ apt_evolix_public_key }}"
+    dest: "{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}"
     force: true
     mode: "0644"
     owner: root

apt/tasks/extended-lts.oneline.yml

@@ -0,0 +1,37 @@
+---
+
+- name: "Ensure {{ apt_keyring_dir }} directory exists"
+  file:
+    path: "{{ apt_keyring_dir }}"
+    state: directory
+    mode: "755"
+    owner: root
+    group: root
+
+- name: Add Evolix GPG key
+  ansible.builtin.copy:
+    src: "freexian-archive-extended-lts.gpg"
+    dest: "{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"
+    force: true
+    mode: "0644"
+    owner: root
+    group: root
+  tags:
+    - apt
+
+- name: ELTS list is installed
+  ansible.builtin.template:
+    src: "{{ ansible_distribution_release }}_extended-lts.list.j2"
+    dest: /etc/apt/sources.list.d/extended-lts.list
+    force: true
+    mode: "0640"
+  register: apt_extended_lts
+  tags:
+    - apt
+
+- name: Apt update
+  ansible.builtin.apt:
+    update_cache: yes
+  tags:
+    - apt
+  when: apt_extended_lts is changed

apt/tasks/main.yml

@@ -80,6 +80,14 @@
     - apt_install_evolix_public | bool
     - ansible_distribution_major_version is version('12', '>=')
 
+- name: Install Extended-LTS repositories (Debian < 10)
+  ansible.builtin.import_tasks: extended-lts.oneline.yml
+  tags:
+    - apt
+  when:
+    - apt_install_extended_lts | bool
+    - ansible_distribution_major_version is version('10', '<')
+
 - name: Clean GANDI sources
   ansible.builtin.file:
     path: '{{ item }}'
@@ -126,4 +134,4 @@
     upgrade: dist
   when: apt_upgrade | bool
   tags:
-    - apt
+    - apt

apt/tasks/migrate-to-deb822.yml

@@ -31,6 +31,11 @@
   tags:
     - apt
 
+- name: Is system.sources present?
+  ansible.builtin.stat:
+    path: /etc/apt/sources.list.d/system.sources
+  register: _system_sources
+
 - name: Add signed-by when relevant for bookworm
   ansible.builtin.lineinfile:
     dest: /etc/apt/sources.list.d/system.sources
@@ -39,6 +44,12 @@
     state: present
   tags:
     - apt
+  when: _system_sources.stat.exists or not ansible_check_mode
+
+- name: Is security.sources present?
+  ansible.builtin.stat:
+    path: /etc/apt/sources.list.d/security.sources
+  register: _security_sources
 
 - name: Add signed-by when relevant for bookworm-security
   ansible.builtin.lineinfile:
@@ -48,3 +59,4 @@
     state: present
   tags:
     - apt
+  when: _security_sources.stat.exists or not ansible_check_mode

apt/templates/bookworm_basics.sources.j2

@@ -3,6 +3,6 @@
 Types: deb
 URIs: http://mirror.evolix.org/debian
 Suites: bookworm bookworm-updates
-Components: {{ apt_basics_components | mandatory }} 
+Components: {{ apt_basics_components | mandatory }}
 Enabled: yes
 Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg

apt/templates/bookworm_security.sources.j2

@@ -3,6 +3,6 @@
 Types: deb
 URIs: https://security.debian.org/debian-security
 Suites: bookworm-security
-Components: {{ apt_basics_components | mandatory }} 
+Components: {{ apt_basics_components | mandatory }}
 Enabled: yes
-Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg
+Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg

apt/templates/bullseye_basics.list.j2

@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
 
 deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
-deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }} 
+deb http://mirror.evolix.org/debian bullseye-updates {{ apt_basics_components | mandatory }}
 deb http://security.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}

apt/templates/buster_basics.list.j2

@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
 
 deb http://mirror.evolix.org/debian buster {{ apt_basics_components | mandatory }}
-deb http://mirror.evolix.org/debian/ buster-updates {{ apt_basics_components | mandatory }}
+deb http://mirror.evolix.org/debian buster-updates {{ apt_basics_components | mandatory }}
 deb http://security.debian.org/debian-security buster/updates {{ apt_basics_components | mandatory }}

apt/templates/evolix_public.list.j2

@@ -1,3 +1,3 @@
 # {{ ansible_managed }}
 
-deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
+deb [signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main

apt/templates/evolix_public.sources.j2

@@ -1,6 +1,6 @@
 # {{ ansible_managed }}
 
-Types:deb
+Types: deb
 URIs: http://pub.evolix.org/evolix
 Suites: {{ ansible_distribution_release }}
 Components: main

apt/templates/jessie_basics.list.j2

@@ -1,4 +1,5 @@
 # {{ ansible_managed }}
 
-deb http://mirror.evolix.org/debian/ jessie {{ apt_basics_components | mandatory }}
-deb http://security.debian.org/ jessie/updates {{ apt_basics_components | mandatory }}
+### Those repositories are unusable. Move to ELTS (manually).
+# deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }}
+# deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }}

apt/templates/jessie_extended-lts.list.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie main
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie-lts main

apt/templates/stretch_basics.list.j2

@@ -1,5 +1,4 @@
 # {{ ansible_managed }}
 
-deb http://mirror.evolix.org/debian stretch {{ apt_basics_components | mandatory }}
-deb http://mirror.evolix.org/debian/ stretch-updates {{ apt_basics_components | mandatory }}
-deb http://security.debian.org/debian-security stretch/updates {{ apt_basics_components | mandatory }}
+deb http://archive.debian.org/debian stretch {{ apt_basics_components | mandatory }}
+deb http://archive.debian.org/debian-security stretch/updates {{ apt_basics_components | mandatory }}

apt/templates/stretch_extended-lts.list.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch main
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch-lts main

autosysadmin-agent/defaults/main.yml

@@ -0,0 +1,17 @@
+---
+
+general_scripts_dir: "/usr/share/scripts"
+
+autosysadmin_agent_bin_dir: "/usr/local/bin/autosysadmin"
+autosysadmin_agent_lib_dir: "/usr/local/lib/autosysadmin"
+autosysadmin_agent_auto_dir: "{{ general_scripts_dir }}/autosysadmin/restart"
+
+autosysadmin_agent_crontab_enabled: true
+autosysadmin_agent_log_retention_days: 365
+
+autosysadmin_config: []
+  ### All repair are disabled if set to 'off'
+  ### even if a specific repair value is 'on'
+  # repair_all: 'on'
+  ### Default values for checks
+  # repair_foo: 'off'

autosysadmin-agent/files/autosysadmin.logrotate.conf

@@ -0,0 +1,13 @@
+/var/log/autosysadmin.log {
+    daily
+    missingok
+    rotate 365
+    compress
+    nodelaycompress
+    notifempty
+    dateext
+    dateformat .%Y-%m-%d
+    dateyesterday
+    copytruncate
+    create 0640 root adm
+}

autosysadmin-agent/files/autosysadmin.rsyslog.conf

@@ -0,0 +1,3 @@
+$template autosysadmin, "/var/log/autosysadmin.log"
+if $programname contains 'autosysadmin' then ?autosysadmin
+& stop

autosysadmin-agent/files/upstream/bin/delete_old_logs.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+days=${1:-365}
+log_dir="/var/log/autosysadmin/"
+
+if [ -d "${log_dir}" ]; then
+    find_run_dirs() {
+        find "${log_dir}" \
+            -mindepth 1 \
+            -maxdepth 1 \
+            -type d \
+            -ctime "+${days}" \
+            -print0
+    }
+    log() {
+        /usr/bin/logger -p local0.notice -t autosysadmin "${1}"
+    }
+
+    while IFS= read -r -d '' run_dir; do
+        rm --recursive --force "${run_dir}"
+        log "Delete ${run_dir} (older than ${days} days)"
+    done < <(find_run_dirs)
+fi
+
+exit 0

autosysadmin-agent/files/upstream/lib/common.sh

@@ -0,0 +1,907 @@
+#!/bin/bash
+
+VERSION="24.03"
+
+# Common functions for "repair" and "restart" scripts
+
+set -u
+
+# Initializes the program, context, configuration…
+initialize() {
+    PATH="${PATH}":/usr/sbin:/sbin
+
+    # Used in many places to refer to the program name.
+    # Examples: repair_mysql, restart_nrpe…
+    PROGNAME=$(basename "${0}")
+
+    # find out if running in interactive mode, or not
+    if [ -t 0 ]; then
+        INTERACTIVE=1
+    else
+        INTERACTIVE=0
+    fi
+    readonly INTERACTIVE
+
+    # Default empty value for Debug mode
+    DEBUG="${DEBUG:-""}"
+
+    # Repair scripts obey to the value of a variable named after the script
+    # You can set the value ("on" or "off") in /etc/evolinux/autosysadmin
+    # Here we set the default value to "on".
+    declare -g "${PROGNAME}"=on  # dynamic variable assignment ($PROGNAME == repair_*)
+
+    PID=$$
+    readonly PID
+
+    # Each execution (run) gets a unique ID
+    RUN_ID="$(date +"%Y-%m-%d_%H-%M")_${PROGNAME}_${PID}"
+    readonly RUN_ID
+
+    # Main log directory
+    MAIN_LOG_DIR="/var/log/autosysadmin"
+    readonly MAIN_LOG_DIR
+    # shellcheck disable=SC2174
+    mkdir --mode=750 --parents "${MAIN_LOG_DIR}"
+    chgrp adm "${MAIN_LOG_DIR}"
+
+    # Each execution store some information
+    # in a unique directory based on the RUN_ID
+    RUN_LOG_DIR="${MAIN_LOG_DIR}/${RUN_ID}"
+    readonly RUN_LOG_DIR
+    # shellcheck disable=SC2174
+    mkdir --mode=750 --parents "${RUN_LOG_DIR}"
+    chgrp adm "${RUN_LOG_DIR}"
+
+    # This log file contains all events
+    RUN_LOG_FILE="${RUN_LOG_DIR}/autosysadmin.log"
+    readonly RUN_LOG_FILE
+
+    # This log file contains notable actions
+    ACTIONS_FILE="${RUN_LOG_DIR}/actions.log"
+    readonly ACTIONS_FILE
+    touch "${ACTIONS_FILE}"
+    # This log file contains abort reasons (if any)
+    ABORT_FILE="${RUN_LOG_DIR}/abort.log"
+    readonly ABORT_FILE
+    # touch "${ABORT_FILE}"
+
+    # Date format for log messages
+    DATE_FORMAT="%Y-%m-%d %H:%M:%S"
+
+    # This will contain lock, last-run markers…
+    # It's ok to lose the content after a reboot
+    RUN_DIR="/run/autosysadmin"
+    readonly RUN_DIR
+    mkdir -p "${RUN_DIR}"
+
+    # Only a singe instace of each script can run simultaneously
+    # We use a customizable lock name for this.
+    # By default it's the script's name
+    LOCK_NAME=${LOCK_NAME:-${PROGNAME}}
+    # If a lock is found, we can wait for it to disappear.
+    # The value must be understood by sleep(1)
+    LOCK_WAIT="0"
+
+    # Default values for email headers
+    EMAIL_FROM="equipe+autosysadmin@evolix.fr"
+    EMAIL_INTERNAL="autosysadmin@evolix.fr"
+
+    LOCK_FILE="${RUN_DIR}/${LOCK_NAME}.lock"
+    readonly LOCK_FILE
+    # Remove lock file at exit
+    cleanup() {
+        # shellcheck disable=SC2317
+        rm -f "${LOCK_FILE}"
+    }
+    trap 'cleanup' 0
+
+    # Load configuration
+    # shellcheck disable=SC1091
+    test -f /etc/evolinux/autosysadmin && source /etc/evolinux/autosysadmin
+
+    log_all "Begin ${PROGNAME} RUN_ID: ${RUN_ID}"
+    log_all "Log directory is ${RUN_LOG_DIR}"
+}
+
+# Executes a list of tasks before exiting:
+# * prepare a summary of actions and possible abort reasons
+# * send emails
+# * do some cleanup
+quit() {
+    log_all "End ${PROGNAME} RUN_ID: ${RUN_ID}"
+
+    summary="RUN_ID: ${RUN_ID}"
+    if [ -s "${ABORT_FILE}" ]; then
+        # Add abort reasons to summary
+        summary="${summary}\n$(print_abort_reasons)"
+        hook_mail "abort"
+
+        return_code=1
+    else
+        if [ -s "${ACTIONS_FILE}" ]; then
+            # Add notable actions to summary
+            summary="${summary}\n$(print_actions "Aucune action")"
+            hook_mail "success"
+        fi
+
+        return_code=0
+    fi
+
+    hook_mail "internal"
+
+    if is_interactive; then
+        # shellcheck disable=SC2001
+        echo "${summary}" | sed -e 's/\\n/\n/g'
+    else
+        /usr/share/scripts/evomaintenance.sh --auto --user autosysadmin --message "${summary}" --no-commit --no-mail
+    fi
+
+    teardown
+
+    # shellcheck disable=SC2086
+    exit ${return_code}
+}
+
+teardown() {
+    :
+}
+
+# Return true/false
+is_interactive() {
+    test "${INTERACTIVE}" -eq "1"
+}
+
+save_server_state() {
+    DUMP_SERVER_STATE_BIN="$(command -v dump-server-state || command -v backup-server-state)"
+
+    if [ -z "${DUMP_SERVER_STATE_BIN}" ]; then
+        log_all "Warning: dump-server-state is not present. No server state recorded."
+    fi
+
+    if [ -x "${DUMP_SERVER_STATE_BIN}" ]; then
+        DUMP_DIR=$(file_path_in_log_dir "server-state")
+        # We don't want the logging to take too much time,
+        # so we kill it if it takes more than 20 seconds.
+        timeout --signal 9 20          \
+            "${DUMP_SERVER_STATE_BIN}" \
+            --dump-dir="${DUMP_DIR}"   \
+            --df                       \
+            --dmesg                    \
+            --iptables                 \
+            --lxc                      \
+            --netcfg                   \
+            --netstat                  \
+            --uname                    \
+            --processes                \
+            --systemctl                \
+            --uptime                   \
+            --virsh                    \
+            --disks                    \
+            --mysql-processes          \
+            --no-apt-states            \
+            --no-apt-config            \
+            --no-dpkg-full             \
+            --no-dpkg-status           \
+            --no-mount                 \
+            --no-packages              \
+            --no-sysctl                \
+            --no-etc
+
+        log_run "Server state saved in \`server-state' directory."
+    fi
+}
+
+is_debug() {
+    # first time: do the check…
+    # other times: pass
+    if [ -z "${DEBUG:-""}" ]; then
+        debug_file="/etc/evolinux/autosysadmin.debug"
+
+        if [ -e "${debug_file}" ]; then
+            last_change=$(stat -c %Z "${debug_file}")
+            limit_date=$(date --date "14400 seconds ago" +"%s")
+
+            if [ $(( last_change - limit_date )) -le "0" ]; then
+                log_run "Debug mode disabled; file is too old (%{last_change} seconds)."
+                rm "${debug_file}"
+                # Debug mode disabled
+                DEBUG="0"
+            else
+                log_run "Debug mode enabled."
+                # Debug mode enabled
+                DEBUG="1"
+            fi
+        else
+            # log_run "Debug mode disabled; file is absent."
+            # Debug mode disabled
+            DEBUG="0"
+        fi
+    fi
+    # return the value
+    test "${DEBUG}" -eq "1"
+}
+
+# Uses the who(1) definition of "active"
+currently_active_users() {
+    LC_ALL=C who --users | grep --extended-regexp "\s+\.\s+" | awk '{print $1}' | sort --human-numeric-sort | uniq
+}
+# Users active in the last 29 minutes
+recently_active_users() {
+    LC_ALL=C who --users | grep --extended-regexp "\s+00:(0|1|2)[0-9]\s+" | awk --field-separator ' ' '{print $1,$6}'
+}
+# Save the list of users to a file in the log directory
+save_active_users() {
+    LC_ALL=C who --users | save_in_log_dir "who-users"
+}
+
+# An autosysadmin must not perform actions if a user is active or was active recently.
+#
+# This can by bypassed in interactive mode.
+# It's OK to lose this data after a reboot.
+ensure_no_active_users_or_exit() {
+    # Save all active users
+    save_active_users
+
+    if is_debug; then
+        log_run "Debug mode enabled: continue without checking active users."
+        return 0;
+    fi
+
+    # Is there any currently active user?
+    currently_active_users=$(currently_active_users)
+    if [ -n "${currently_active_users}" ]; then
+        # shellcheck disable=SC2001
+        users_oneliner=$(echo "${currently_active_users}" | sed -e 's/\n/ /')
+        log_run "Currently active users: ${users_oneliner}"
+        if is_interactive; then
+            echo "Some users are currently active:"
+            # shellcheck disable=SC2001
+            echo "${currently_active_users}" | sed -e 's/\(.\+\)/* \1/'
+            answer=""
+            while :; do
+                printf "> Continue? [Y,n,?] "
+                read -r answer
+                case ${answer} in
+                    [Yy]|"" )
+                        log_run "Active users check bypassed manually in interactive mode."
+                        return
+                        ;;
+                    [Nn] )
+                        log_run "Active users check confirmed manually in interactive mode."
+                        log_abort_and_quit "Active users detected: ${users_oneliner}"
+                        ;;
+                    * )
+                        printf "y - yes, continue\n"
+                        printf "n - no, exit\n"
+                        printf "? - print this help\n"
+                        ;;
+                esac
+            done
+        else
+            log_abort_and_quit "Currently active users detected: ${users_oneliner}."
+        fi
+    else
+        # or recently (the last 30 minutes) active user?
+        recently_active_users=$(recently_active_users)
+        if [ -n "${recently_active_users}" ]; then
+            # shellcheck disable=SC2001
+            users_oneliner=$(echo "${recently_active_users}" | sed -e 's/\n/ /')
+            log_run "Recently active users: ${users_oneliner}"
+            if is_interactive; then
+                echo "Some users were recently active:"
+                # shellcheck disable=SC2001
+                echo "${recently_active_users}" | sed -e 's/\(.\+\)/* \1/'
+                answer=""
+                while :; do
+                    printf "> Continue? [Y,n,?] "
+                    read -r answer
+                    case ${answer} in
+                        [Yy]|"" )
+                            log_run "Active users check bypassed manually in interactive mode."
+                            return
+                            ;;
+                        [Nn] )
+                            log_run "Active users check confirmed manually in interactive mode."
+                            log_abort_and_quit "Recently active users detected: ${users_oneliner}."
+                            ;;
+                        * )
+                            printf "y - yes, continue\n"
+                            printf "n - no, exit\n"
+                            printf "? - print this help\n"
+                            ;;
+                    esac
+                done
+            else
+                log_abort_and_quit "Recently active users detected: ${users_oneliner}."
+            fi
+        fi
+    fi
+}
+
+# Takes an NRPE command name as 1st parameter,
+# and executes the full command if found in the configuration.
+# Return the result and the return code of the command.
+check_nrpe() {
+    check="$1"
+
+    nrpe_files=""
+
+    # Check if NRPE config is found
+    if [ -f "/etc/nagios/nrpe.cfg" ]; then
+        nrpe_files="${nrpe_files} /etc/nagios/nrpe.cfg"
+    else
+        msg="NRPE configuration not found: /etc/nagios/nrpe.cfg"
+        log_run "${msg}"
+        echo "${msg}"
+        return 3
+    fi
+
+    # Search for included files
+    # shellcheck disable=SC2086
+    while IFS= read -r include_file; do
+        nrpe_files="${nrpe_files} ${include_file}"
+    done < <(grep --extended-regexp '^\s*include=.+' ${nrpe_files} | cut -d = -f 2)
+
+    # Search for files in included directories
+    # shellcheck disable=SC2086
+    while IFS= read -r include_dir; do
+        nrpe_files="${nrpe_files} ${include_dir}/*.cfg"
+    done < <(grep --extended-regexp '^\s*include_dir=.+' ${nrpe_files} | cut -d = -f 2)
+
+    # Fetch uncommented commands in (sorted) config files
+    # shellcheck disable=SC2086
+    nrpe_commands=$(grep --no-filename --exclude=*~ --fixed-strings "[${check}]" ${nrpe_files} | grep --invert-match --extended-regexp '^\s*#\s*command' | cut -d = -f 2)
+    nrpe_commands_count=$(echo "${nrpe_commands}" | wc -l)
+
+    if is_debian_version "9" "<=" && [ "${nrpe_commands_count}" -gt "1" ]; then
+        # On Debian <= 9, NRPE loading was not sorted
+        # we need to raise an error if we have multiple defined commands
+        msg="Unable to determine which NRPE command to run"
+        log_run "${msg}"
+        echo "${msg}"
+        return 3
+    else
+        # On Debian > 9, use the last command
+        nrpe_command=$(echo "${nrpe_commands}" | tail -n 1)
+
+        nrpe_result=$(${nrpe_command})
+        nrpe_rc=$?
+
+        log_run "NRPE command (exited with ${nrpe_rc}): ${nrpe_command}"
+        log_run "${nrpe_result}"
+
+        echo "${nrpe_result}"
+        return "${nrpe_rc}"
+    fi
+}
+
+# An autosysadmin script must not run twice (or more) simultaneously.
+# We use a customizable (with LOCK_NAME) lock file to keep track of this.
+# A wait time can be configured.
+#
+# This can by bypassed in interactive mode.
+# It's OK to lose this data after a reboot.
+acquire_lock_or_exit() {
+    lock_file="${1:-${LOCK_FILE}}"
+    lock_wait="${2:-${LOCK_WAIT}}"
+
+    # lock_wait must be compatible with sleep(1), otherwise fallback to 0
+    if ! echo "${lock_wait}" | grep -Eq '^[0-9]+[smhd]?$'; then
+        log_run "Lock wait: incorrect value '${lock_wait}', fallback to 0."
+        lock_wait=0
+    fi
+
+    if [ "${lock_wait}" != "0" ] && [ -f "${lock_file}" ]; then
+        log_run "Lock file present. Let's wait ${lock_wait} and check again."
+        sleep "${lock_wait}"
+    fi
+
+    if [ -f "${lock_file}" ]; then
+        log_abort_and_quit "Lock file still present."
+    else
+        log_run "Lock file absent. Let's put one."
+        touch "${lock_file}"
+    fi
+}
+
+# If a script has been run in the ast 30 minutes, running it again won't fix the issue.
+# We use a /run/ausosysadmin/${PROGNAME}_lastrun file to keep track of this.
+# 
+# This can by bypassed in interactive mode.
+# This is bypassed in debug mode.
+# It's OK to lose this data after a reboot.
+ensure_not_too_soon_or_exit() {
+    if is_debug; then
+        log_run "Debug mode enabled: continue without checking when was the last run."
+        return 0;
+    fi
+
+    lastrun_file="${RUN_DIR}/${PROGNAME}_lastrun"
+    if [ -f "${lastrun_file}" ]; then
+        lastrun_age="$(($(date +%s)-$(stat -c "%Y" "${lastrun_file}")))"
+        log_run "Last run was ${lastrun_age} seconds ago."
+        if [ "${lastrun_age}" -lt 1800 ]; then
+            if is_interactive; then
+                echo "${PROGNAME} was run ${lastrun_age} seconds ago."
+                answer=""
+                while :; do
+                    printf "> Continue? [Y,n,?] "
+                    read -r answer
+                    case ${answer} in
+                        [Yy]|"" )
+                            log_run "Last run check bypassed manually in interactive mode."
+                            break
+                            ;;
+                        [Nn] )
+                            log_run "Last run check confirmed manually in interactive mode."
+                            log_abort_and_quit 'Last run too recent.'
+                            ;;
+                        * )
+                            printf "y - yes, continue\n"
+                            printf "n - no, exit\n"
+                            printf "? - print this help\n"
+                            ;;
+                    esac
+                done
+            else
+                log_abort_and_quit "Last run too recent."
+            fi
+        fi
+    fi
+    touch "${lastrun_file}"
+}
+
+# Populate DEBIAN_VERSION and DEBIAN_RELEASE variables
+# based on gathered information about the operating system
+detect_os() {
+    DEBIAN_RELEASE="unknown"
+    DEBIAN_VERSION="unknown"
+    LSB_RELEASE_BIN="$(command -v lsb_release)"
+
+    if [ -e /etc/debian_version ]; then
+        DEBIAN_VERSION="$(cut -d "." -f 1 < /etc/debian_version)"
+        if [ -x "${LSB_RELEASE_BIN}" ]; then
+            DEBIAN_RELEASE="$("${LSB_RELEASE_BIN}" --codename --short)"
+        else
+            case "${DEBIAN_VERSION}" in
+                 7) DEBIAN_RELEASE="wheezy"   ;;
+                 8) DEBIAN_RELEASE="jessie"   ;;
+                 9) DEBIAN_RELEASE="stretch"  ;;
+                10) DEBIAN_RELEASE="buster"   ;;
+                11) DEBIAN_RELEASE="bullseye" ;;
+                12) DEBIAN_RELEASE="bookworm" ;;
+                13) DEBIAN_RELEASE="trixie"   ;;
+            esac
+        fi
+    #    log_run "Detected OS: Debian version=${DEBIAN_VERSION} release=${DEBIAN_RELEASE}"
+    # else
+    #    log_run "Detected OS: unknown (missing /etc/debian_version)"
+    fi
+}
+
+is_debian_wheezy() {
+    test "${DEBIAN_RELEASE}" = "wheezy"
+}
+is_debian_jessie() {
+    test "${DEBIAN_RELEASE}" = "jessie"
+}
+is_debian_stretch() {
+    test "${DEBIAN_RELEASE}" = "stretch"
+}
+is_debian_buster() {
+    test "${DEBIAN_RELEASE}" = "buster"
+}
+is_debian_bullseye() {
+    test "${DEBIAN_RELEASE}" = "bullseye"
+}
+is_debian_bookworm() {
+    test "${DEBIAN_RELEASE}" = "bookworm"
+}
+is_debian_trixie() {
+    test "${DEBIAN_RELEASE}" = "trixie"
+}
+is_debian_version() {
+    local version=$1
+    local relation=${2:-"eq"}
+
+    if [ -z "${DEBIAN_VERSION:-""}" ]; then
+        detect_os
+    fi
+
+    dpkg --compare-versions "${DEBIAN_VERSION}" "${relation}" "${version}"
+}
+
+# List systemd services (only names), even if stopped
+systemd_list_services() {
+    pattern=$1
+
+    systemctl list-units --all --no-legend --type=service "${pattern}" | grep --only-matching --extended-regexp '\S+\.service'
+}
+
+is_systemd_enabled() {
+    systemctl --quiet is-enabled "$1" 2> /dev/null
+}
+
+is_systemd_active() {
+    systemctl --quiet is-active "$1" 2> /dev/null
+}
+
+is_sysvinit_enabled() {
+    find /etc/rc2.d/ -name "$1" > /dev/null
+}
+
+get_fqdn() {
+    # shellcheck disable=SC2155
+    local system=$(uname -s)
+
+    if [ "${system}" = "Linux" ]; then
+        hostname --fqdn
+    elif [ "${system}" = "OpenBSD" ]; then
+        hostname
+    else
+        log_abort_and_quit "System '${system}' not recognized."
+    fi
+}
+
+get_complete_hostname() {
+    REAL_HOSTNAME="$(get_fqdn)"
+    if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then
+        echo "${HOSTNAME}"
+    else
+        echo "${HOSTNAME} (${REAL_HOSTNAME})"
+    fi
+}
+# Fetch values from evomaintenance configuration
+get_evomaintenance_mail() {
+    grep "EVOMAINTMAIL=" /etc/evomaintenance.cf | cut -d '=' -f2
+}
+get_evomaintenance_emergency_mail() {
+    grep "URGENCYFROM=" /etc/evomaintenance.cf | cut -d '=' -f2
+}
+get_evomaintenance_emergency_tel() {
+    grep "URGENCYTEL=" /etc/evomaintenance.cf | cut -d '=' -f2
+}
+
+# Log a message to the log file in the log directory
+log_run() {
+    local msg="${1:-$(cat /dev/stdin)}"
+    # shellcheck disable=SC2155
+    local date=$(/bin/date +"${DATE_FORMAT}")
+
+    printf "[%s] %s[%s]: %s\\n" \
+        "${date}" "${PROGNAME}" "${PID}" "${msg}" \
+        >> "${RUN_LOG_FILE}"
+}
+# Log a message in the system log file (syslog or journald)
+log_global() {
+    local msg="${1:-$(cat /dev/stdin)}"
+
+    echo "${msg}" \
+        | /usr/bin/logger -p local0.notice -t autosysadmin
+}
+# Log a message in both places
+log_all() {
+    local msg="${1:-$(cat /dev/stdin)}"
+
+    log_global "${msg}"
+    log_run "${msg}"
+}
+# Log a notable action in regular places
+# and append it to the dedicated list
+log_action() {
+    log_all "$*"
+    append_action "$*"
+}
+# Append a line in the actions.log file in the log directory
+append_action() {
+    echo "$*" >> "${ACTIONS_FILE}"
+}
+# Print the content of the actions.log file
+# or a fallback content (1st parameter) if empty
+# shellcheck disable=SC2120
+print_actions() {
+    local fallback=${1:-""}
+    if [ -s "${ACTIONS_FILE}" ]; then
+        cat "${ACTIONS_FILE}"
+    elif [ -n "${fallback}" ]; then
+        echo "${fallback}"
+    fi
+}
+
+# Log a an abort reason in regular places
+# and append it to the dedicated list
+log_abort() {
+    log_all "$*"
+    append_abort_reason "$*"
+}
+# Append a line in the abort.log file in the log directory
+append_abort_reason() {
+    echo "$*" >> "${ABORT_FILE}"
+}
+# Print the content of the abort.log file
+# or a fallback content (1st parameter) if empty
+# shellcheck disable=SC2120
+print_abort_reasons() {
+    local fallback=${1:-""}
+    if [ -s "${ABORT_FILE}" ]; then
+        cat "${ABORT_FILE}"
+    elif [ -n "${fallback}" ]; then
+        echo "${fallback}"
+    fi
+}
+# Print the content of the main log from the log directory
+print_main_log() {
+    cat "${RUN_LOG_FILE}"
+}
+# Log an abort reason and quit the script
+log_abort_and_quit() {
+    log_abort "$*"
+    quit
+}
+
+# Store the content from standard inpu
+# into a file in the log directory named after the 1st parameter
+save_in_log_dir() {
+    local file_name=$1
+    local file_path="${RUN_LOG_DIR}/${file_name}"
+
+    cat /dev/stdin > "${file_path}"
+
+    log_run "Saved \`${file_name}' file."
+}
+# Return the full path of the file in log directory
+# based on the name in the 1st parameter
+file_path_in_log_dir() {
+    echo "${RUN_LOG_DIR}/${1}"
+}
+
+format_mail_success() {
+    cat <<EOTEMPLATE
+From: AutoSysadmin Evolix <${EMAIL_FROM}>
+Content-Type: text/plain; charset=UTF-8
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+X-Script: ${PROGNAME}
+X-RunId: ${RUN_ID}
+To: ${EMAIL_CLIENT:-alert5@evolix.fr}
+Cc: ${EMAIL_INTERNAL}
+Subject: [autosysadmin] Intervention automatisée sur ${HOSTNAME_TEXT}
+
+Bonjour,
+
+Une intervention automatisée vient de se terminer.
+
+Nom du serveur : ${HOSTNAME_TEXT}
+Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
+Script déclenché : ${PROGNAME}
+
+### Actions réalisées
+
+$(print_actions "Aucune")
+
+### Réagir à cette intervention
+
+Vous pouvez répondre à ce message (${EMAIL_FROM}).
+
+En cas d'urgence, utilisez l'adresse ${EMERGENCY_MAIL}
+ou notre ligne d'astreinte (${EMERGENCY_TEL})
+
+--
+Votre AutoSysadmin
+EOTEMPLATE
+}
+
+format_mail_abort() {
+    cat <<EOTEMPLATE
+From: AutoSysadmin Evolix <${EMAIL_FROM}>
+Content-Type: text/plain; charset=UTF-8
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+X-Script: ${PROGNAME}
+X-RunId: ${RUN_ID}
+To: ${EMAIL_CLIENT:-alert5@evolix.fr}
+Cc: ${EMAIL_INTERNAL}
+Subject: [autosysadmin] Intervention automatisée interrompue sur ${HOSTNAME_TEXT}
+
+Bonjour,
+
+Une intervention automatisée a été déclenchée mais s'est interrompue.
+
+Nom du serveur : ${HOSTNAME_TEXT}
+Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
+Script déclenché : ${PROGNAME}
+
+### Actions réalisées
+
+$(print_actions "Aucune")
+
+### Raison(s) de l'interruption
+
+$(print_abort_reasons "Inconnue")
+
+### Réagir à cette intervention
+
+Vous pouvez répondre à ce message (${EMAIL_FROM}).
+
+En cas d'urgence, utilisez l'adresse ${EMERGENCY_MAIL}
+ou notre ligne d'astreinte (${EMERGENCY_TEL})
+
+--
+Votre AutoSysadmin
+EOTEMPLATE
+}
+
+# shellcheck disable=SC2028
+print_report_information() {
+    echo "**Uptime**"
+    echo ""
+    uptime
+    
+    echo ""
+    echo "**Utilisateurs récents**"
+    echo ""
+    who_file=$(file_path_in_log_dir "who-users")
+    if [ -s "${who_file}" ]; then
+        cat "${who_file}"
+    else
+        who --users
+    fi
+    
+    echo ""
+    echo "**Espace disque**"
+    echo ""
+    df_file=$(file_path_in_log_dir "server-state/df.txt")
+    if [ -s "${df_file}" ]; then
+        cat "${df_file}"
+    else
+        df -h
+    fi
+    
+    echo ""
+    echo "**Dmesg**"
+    echo ""
+    dmesg_file=$(file_path_in_log_dir "server-state/dmesg.txt")
+    if [ -s "${dmesg_file}" ]; then
+        tail -n 5 "${dmesg_file}"
+    else
+        dmesg | tail -n 5
+    fi
+    
+    echo ""
+    echo "**systemd failed services**"
+    echo ""
+    failed_services_file=$(file_path_in_log_dir "server-state/systemctl-failed-services.txt")
+    if [ -s "${failed_services_file}" ]; then
+        cat "${failed_services_file}"
+    else
+        systemctl --no-legend --state=failed --type=service
+    fi
+
+    if command -v lxc-ls > /dev/null 2>&1; then
+        echo ""
+        echo "**LXC containers**"
+        echo ""
+        lxc_ls_file=$(file_path_in_log_dir "server-state/lxc-list.txt")
+        if [ -s "${lxc_ls_file}" ]; then
+            cat "${lxc_ls_file}"
+        else
+            lxc-ls --fancy
+        fi
+    fi
+
+    apache_errors_file=$(file_path_in_log_dir "apache-errors.log")
+    if [ -f "${apache_errors_file}" ]; then
+        echo ""
+        echo "**Apache errors**"
+        echo ""
+        cat "${apache_errors_file}"
+    fi
+
+    nginx_errors_file=$(file_path_in_log_dir "nginx-errors.log")
+    if [ -f "${nginx_errors_file}" ]; then
+        echo ""
+        echo "**Nginx errors**"
+        echo ""
+        cat "${nginx_errors_file}"
+    fi
+}
+
+format_mail_internal() {
+    cat <<EOTEMPLATE
+From: AutoSysadmin Evolix <${EMAIL_FROM}>
+Content-Type: text/plain; charset=UTF-8
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+X-Script: ${PROGNAME}
+X-RunId: ${RUN_ID}
+To: ${EMAIL_INTERNAL}
+Subject: [autosysadmin] Rapport interne d'intervention sur ${HOSTNAME_TEXT}
+
+Bonjour,
+
+Une intervention automatique vient de se terminer.
+
+Nom du serveur : ${HOSTNAME_TEXT}
+Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
+Script déclenché : ${PROGNAME}
+
+### Actions réalisées
+
+$(print_actions "Aucune")
+
+### Raison(s) de l'interruption
+
+$(print_abort_reasons "Aucune")
+
+### Log autosysadmin
+
+$(print_main_log)
+
+### Informations additionnelles
+
+$(print_report_information)
+
+--
+Votre AutoSysadmin
+EOTEMPLATE
+}
+
+# Generic function to send emails at the end of the script.
+# Takes a template as 1st parameter
+hook_mail() {
+    if is_debug; then
+        log_run "Debug mode enabled: continue without sending mail."
+        return 0;
+    fi
+
+    HOSTNAME="${HOSTNAME:-"$(get_fqdn)"}"
+    HOSTNAME_TEXT="$(get_complete_hostname)"
+    EMAIL_CLIENT="$(get_evomaintenance_mail)"
+    EMERGENCY_MAIL="$(get_evomaintenance_emergency_mail)"
+    EMERGENCY_TEL="$(get_evomaintenance_emergency_tel)"
+
+    MAIL_CONTENT="$(format_mail_"$1")"
+
+    SENDMAIL_BIN="$(command -v sendmail)"
+
+    if [ -z "${SENDMAIL_BIN}" ]; then
+        log_global "ERROR: No \`sendmail' command has been found, can't send mail."
+    fi
+    if [ -x "${SENDMAIL_BIN}" ]; then
+        echo "${MAIL_CONTENT}" | "${SENDMAIL_BIN}" -oi -t -f "equipe@evolix.fr"
+        log_global "Sent '$1' mail for RUN_ID: ${RUN_ID}"
+    fi
+}
+
+is_holiday() {
+    # gcal mark today as a holiday by surrounding with < and > the day
+    # of the month of that holiday line.  For example if today is 2022-05-01 we'll
+    # get among other lines:
+    # Fête du Travail (FR)                    + Di, < 1>Mai 2022
+    # Jour de la Victoire (FR)                + Di, : 8:Mai 2022 =   +7 jours
+    LANGUAGE=fr_FR.UTF-8 TZ=Europe/Paris gcal --cc-holidays=fr --holiday-list=short | grep -E '<[0-9 ]{2}>' --quiet
+}
+
+is_weekend() {
+    day_of_week=$(date +%u)
+    if [ "${day_of_week}" != 6 ] && [ "${day_of_week}" != 7 ]; then
+        return 1
+    fi
+}
+
+is_workday() {
+    if is_holiday || is_weekend; then
+        return 1
+    fi
+}
+
+is_worktime() {
+    if ! is_workday; then
+        return 1
+    fi
+
+    hour=$(date +%H)
+    if [ "${hour}" -lt 9 ] || { [ "${hour}" -ge 12 ] && [ "${hour}" -lt 14 ] ; } || [ "${hour}" -ge 18 ]; then
+        return 1
+    fi
+}

autosysadmin-agent/files/upstream/lib/repair.sh

@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# Specific functions for "repair" scripts
+
+is_all_repair_disabled() {
+    # Fetch values from the config
+    # and if it is not defined or has no value, then assign "on"
+
+    local status=${repair_all:=on}
+
+
+    test "${status}" = "off" || test "${status}" = "0"
+}
+
+is_current_repair_disabled() {
+    # Fetch values from the config
+    # and if it is not defined or has no value, then assign "on"
+
+    local status=${!PROGNAME:=on}
+
+    test "${status}" = "off" || test "${status}" = "0"
+}
+
+ensure_not_disabled_or_exit() {
+    if is_all_repair_disabled; then
+        log_global 'All repair scripts are disabled.'
+        exit 0
+    fi
+    if is_current_repair_disabled; then
+        log_global "Current repair script (${PROGNAME}) is disabled."
+        exit 0
+    fi
+}
+
+# Set of actions to do at the begining of a "repair" script
+pre_repair() {
+    initialize
+
+    # Are we supposed to run?
+    ensure_not_disabled_or_exit
+
+    # Has it recently been run?
+    ensure_not_too_soon_or_exit
+
+    # Can we acquire a lock?
+    acquire_lock_or_exit
+
+    # Is there any active user?
+    ensure_no_active_users_or_exit
+
+    # Save important information
+    save_server_state
+}
+
+# Set of actions to do at the end of a "repair" script
+post_repair() {
+    quit
+}
+
+repair_lxc_php() {
+    container_name=$1
+
+    if is_systemd_enabled 'lxc.service'; then
+        lxc_path=$(lxc-config lxc.lxcpath)
+        if lxc-info --name "${container_name}" > /dev/null; then
+            rootfs="${lxc_path}/${container_name}/rootfs"
+            case "${container_name}" in
+                php56) fpm_log_file="${rootfs}/var/log/php5-fpm.log"   ;;
+                php70) fpm_log_file="${rootfs}/var/log/php7.0-fpm.log" ;;
+                php73) fpm_log_file="${rootfs}/var/log/php7.3-fpm.log" ;;
+                php74) fpm_log_file="${rootfs}/var/log/php7.4-fpm.log" ;;
+                php80) fpm_log_file="${rootfs}/var/log/php8.0-fpm.log" ;;
+                php81) fpm_log_file="${rootfs}/var/log/php8.1-fpm.log" ;;
+                php82) fpm_log_file="${rootfs}/var/log/php8.2-fpm.log" ;;
+                php83) fpm_log_file="${rootfs}/var/log/php8.3-fpm.log" ;;
+                *)
+                    log_abort_and_quit "Unknown container '${container_name}'" 
+                ;;
+            esac
+
+            # Determine FPM Pool path
+            php_path_pool=$(find "${lxc_path}/${container_name}/" -type d -name "pool.d")
+
+            # Save LXC info (before restart)
+            lxc-info --name "${container_name}" | save_in_log_dir "lxc-${container_name}.before.status"
+            # Save last lines of FPM log (before restart)
+            tail "${fpm_log_file}" | save_in_log_dir "$(basename "${fpm_log_file}" | sed -e 's/.log/.before.log/')"
+            # Save NRPE check (before restart)
+            /usr/local/lib/nagios/plugins/check_phpfpm_multi "${php_path_pool}" | save_in_log_dir "check_fpm_${container_name}.before.out"
+
+            lxc-stop --timeout 20 --name "${container_name}"
+            lxc-start --daemon --name "${container_name}"
+            rc=$?
+            if [ "${rc}" -eq "0" ]; then
+                log_all "Restart LXC container '${container_name}: OK"
+            else
+                log_all "Restart LXC container '${container_name}: failed"
+            fi
+
+            # Save LXC info (after restart)
+            lxc-info --name "${container_name}" | save_in_log_dir "lxc-${container_name}.after.status"
+            # Save last lines of FPM log (after restart)
+            tail "${fpm_log_file}" | save_in_log_dir "$(basename "${fpm_log_file}" | sed -e 's/.log/.after.log/')"
+            # Save NRPE check (after restart)
+            /usr/local/lib/nagios/plugins/check_phpfpm_multi "${php_path_pool}" | save_in_log_dir "check_fpm_${container_name}.after.out"
+        else
+            log_abort_and_quit "LXC container '${container_name}' doesn't exist."
+        fi
+    else
+        log_abort_and_quit 'LXC not found.'
+    fi
+}

autosysadmin-agent/files/upstream/lib/restart.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Specific functions for "restart" scripts
+
+running_custom() {
+    # Placeholder that returns 1, to prevent running if not redefined
+    log_global "running_custom() function has not been redefined! Let's quit." 
+    return 1
+}
+
+# Examine RUNNING variable and decide if the script should run or not
+is_supposed_to_run() {
+    if is_debug; then return 0; fi
+
+    case ${RUNNING} in
+    never)
+        # log_global "is_supposed_to_run: no (never)"
+        return 1
+        ;;
+    always)
+        # log_global "is_supposed_to_run: yes (always)"
+        return 0
+        ;;
+    nwh-fr)
+        ! is_worktime
+        rc=$?
+        # if [ ${rc} -eq 0 ]; then
+        #     log_global "is_supposed_to_run: yes (nwh-fr returned ${rc})"
+        # else
+        #     log_global "is_supposed_to_run: no (nwh-fr returned ${rc})"
+        # fi
+        return ${rc} 
+        ;;
+    nwh-ca)
+        # Not implemented yet
+        return 0
+        ;;
+    custom)
+        running_custom
+        rc=$?
+        # if [ ${rc} -eq 0 ]; then
+        #     log_global "is_supposed_to_run: yes (custom returned ${rc})"
+        # else
+        #     log_global "is_supposed_to_run: no (custom returned ${rc})"
+        # fi
+        return ${rc} 
+        ;;
+    esac
+}
+
+ensure_supposed_to_run_or_exit() {
+    if ! is_supposed_to_run; then
+        # simply quit (no logging, no notifications…)
+        # log_global "${PROGNAME} is not supposed to run (RUNNING=${RUNNING})."
+        exit 0
+    fi
+}
+
+# Set of actions to do at the begining of a "restart" script
+pre_restart() {
+    initialize
+
+    # Has it recently been run?
+    ensure_not_too_soon_or_exit
+
+    # Can we acquire a lock?
+    acquire_lock_or_exit
+
+    # Save important information
+    save_server_state
+}
+
+# Set of actions to do at the end of a "restart" script
+post_restart() {
+    quit
+}

autosysadmin-agent/files/upstream/repair/repair_disk

@@ -0,0 +1,157 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+pre_repair
+
+
+# We always keep some reserved blocks to avoid missing some logs
+# https://gitea.evolix.org/evolix/autosysadmin/issues/22
+RESERVED_BLOCKS_MIN=1
+
+get_mountpoints() {
+    # the $(...) get the check_disk1 command
+    # the cut command selects the critical part of the check_disk1 output
+    # the grep command extracts the mountpoints and available disk space
+    # the last cut command selects the mountpoints
+    check_disk1_command=$(grep check_disk1 /etc/nagios/nrpe.d/evolix.cfg | cut -d'=' -f2-)
+    
+    ${check_disk1_command} -e | cut -d'|' -f1 | grep --extended-regexp --only-matching '/[[:graph:]]* [0-9]+ [A-Z][A-Z]' | cut -d' ' -f1
+}
+
+is_reserved_blocks_nominal() {
+    partition=${1}
+
+    fs_type="$(findmnt -n --output=fstype "${partition}")"
+    if [ "${fs_type}" = "ext4" ]; then
+        device="$(findmnt -n --output=source "${partition}")"
+        reserved_block_count="$(tune2fs -l "${device}" | grep 'Reserved block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')"
+        block_count="$(tune2fs -l "${device}" | grep 'Block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')"
+        percentage=$(awk "BEGIN { pc=100*${reserved_block_count}/${block_count}; i=int(pc); print (pc-i<0.5)?i:i+1 }")
+
+        log_run "Reserved blocks for ${partition} is currently at ${percentage}%"
+        if [ "${percentage}" -gt "${RESERVED_BLOCKS_MIN}" ]; then
+            log_run "Allowing tune2fs action to reduce the number of reserved blocks"
+            return 0
+        else
+            log_run "Reserved blocks already at or bellow ${RESERVED_BLOCKS_MIN}%, no automatic action possible"
+            return 1
+        fi
+    else
+        log_run "Filesystem for ${partition} (${fs_type}) is incompatible with reserved block reduction."
+        return 1
+    fi
+}
+
+reduce_reserved_blocks() {
+    partition=${1}
+
+    device=$(findmnt -n --output=source "${partition}")
+    tune2fs -m "${RESERVED_BLOCKS_MIN}" "${device}"
+    log_action "Reserved blocks for ${partition} changed to ${RESERVED_BLOCKS_MIN} percent"
+}
+
+is_tmp_to_delete() {
+    size="$(find /var/log/ -type f -ctime +1 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')"
+    if [ -n "${size}" ]; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+is_log_to_delete() {
+    size="$(find /var/log/ -type f -mtime +365 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')"
+    if [ -n "${size}" ]; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+clean_apt_cache() {
+    for container in $(lxc-ls -1); do
+        if [ -e "$(lxc-config lxc.lxcpath)/${container}/rootfs/var/cache" ]; then
+            lxc-attach --name "${container}" -- apt-get clean
+            log_action "Clean apt cache in LXC container ${container}";
+        fi
+    done
+
+    # NOTE: "head -n 1" might be superfluous, but let's be sure to have only the first returned value
+    biggest_subdir=$(du --summarize --one-file-system "/var/*" | sort --numeric-sort --reverse | sed 's/^[0-9]\+[[:space:]]\+//;q' | head -n 1)
+    case "${biggest_subdir}" in
+        '/var/cache')
+            apt-get clean
+            log_action 'Clean apt cache'
+        ;;
+    esac
+}
+
+clean_amavis_virusmails() {
+    if du --inodes /var/lib/* | sort --numeric-sort | tail -n 3 | grep --quiet 'virusmails$'; then
+        find /var/lib/amavis/virusmails/ -type f -atime +30 -delete
+        log_action 'Clean amavis infected mails'
+    fi
+}
+
+critical_mountpoints=$(get_mountpoints)
+
+if [ -z "${critical_mountpoints}" ]; then
+    log_abort_and_quit "No partition is in critical state, nothing left to do."
+else
+    for mountpoint in ${critical_mountpoints}; do
+        case "${mountpoint}" in
+        /var)
+            #if is_log_to_delete
+            #then
+            #    find /var/log/ -type f -mtime +365 -delete
+            #    log_action "$size Mo of disk space freed in /var"
+            #fi
+            if is_reserved_blocks_nominal /var; then
+                reduce_reserved_blocks /var
+                clean_apt_cache
+                clean_amavis_virusmails
+            fi
+            ;;
+        /tmp)
+            #if is_tmp_to_delete
+            #then
+            #    find /tmp/ -type f -ctime +1 -delete
+            #    log_action "$size Mo of disk space freed in /tmp"
+            #fi
+            if is_reserved_blocks_nominal /tmp; then
+                reduce_reserved_blocks /tmp
+            fi
+            ;;
+        /home)
+            if is_reserved_blocks_nominal /home; then
+                reduce_reserved_blocks /home
+            fi
+            ;;
+        /srv)
+            if is_reserved_blocks_nominal /srv; then
+                reduce_reserved_blocks /srv
+            fi
+            ;;
+        /filer)
+            if is_reserved_blocks_nominal /filer; then
+                reduce_reserved_blocks /filer
+            fi
+            ;;
+        /)
+            if is_reserved_blocks_nominal /; then
+                reduce_reserved_blocks /
+                # Suggest remove old kernel ?
+            fi
+            ;;
+        *)
+            # unknown
+            log_run 'Unknown partition (or weird case) or nothing to do'
+            ;;
+        esac
+    done
+fi
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_elasticsearch

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+pre_repair
+
+service="elasticsearch.service"
+service_name="elasticsearch"
+
+if is_systemd_enabled "${service}"; then
+    if is_systemd_active "${service}"; then
+        log_abort_and_quit "${service} is active, nothing left to do."
+    else
+        # Save service status before restart
+        systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
+
+        # Try to restart
+        timeout 20 systemctl restart "${service}" > /dev/null
+        rc=$?
+        if [ "${rc}" -eq "0" ]; then
+            log_action "Restart ${service_name}: OK"
+        else
+            log_action "Restart ${service_name}: failed"
+        fi
+
+        # Save service status after restart
+        systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
+    fi
+else
+    log_abort_and_quit "${service} is disabled (or missing), nothing left to do."
+fi
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_http

@@ -0,0 +1,131 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+pre_repair
+
+## Apache
+
+service="apache2.service"
+service_name="apache2"
+
+if is_systemd_enabled "${service}"; then
+    if is_systemd_active "${service}"; then
+        log_all "${service} is active. Skip."
+    else
+        # Save service status before restart
+        systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
+
+        # check syntax
+        if apache2ctl -t > /dev/null 2>&1; then
+            # Try to restart
+            timeout 20 systemctl restart "${service}" > /dev/null
+            rc=$?
+            if [ "${rc}" -eq "0" ]; then
+                log_action "Restart ${service_name}: OK"
+            else
+                log_action "Restart ${service_name}: failed"
+            fi
+
+            # Save service status after restart
+            systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
+
+            # Save error logs
+            date=$(LANG=en_US.UTF-8 date '+%b %d')
+            grep "${date}" /home/*/log/error.log /var/log/apache2/*error.log \
+                | grep -v \
+                -e "Got error 'PHP message:" \
+                -e "No matching DirectoryIndex" \
+                -e "client denied by server configuration" \
+                -e "server certificate does NOT include an ID which matches the server name" \
+                    | save_in_log_dir "apache-errors.log"
+        else
+            log_action "Restart ${service_name}: skip (invalid configuration)"
+        fi
+    fi
+else
+    log_all "${service} is disabled (or missing). Skip."
+fi
+
+## Nginx
+
+service="nginx.service"
+service_name="nginx"
+
+if is_systemd_enabled "${service}"; then
+    if is_systemd_active "${service}"; then
+        log_all "${service} is active. Skip."
+    else
+        # Save service status before restart
+        systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
+
+        # check syntax
+        if nginx -t > /dev/null 2>&1; then
+            # Try to restart
+            timeout 20 systemctl restart "${service}" > /dev/null
+            rc=$?
+            if [ "${rc}" -eq "0" ]; then
+                log_action "Restart ${service_name}: OK"
+            else
+                log_action "Restart ${service_name}: failed"
+            fi
+
+            # Save service status after restart
+            systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
+
+            # Save error logs
+            ### Consider doing for Nginx the same as Apache
+        else
+            log_action "Restart ${service_name}: skip (invalid configuration)"
+        fi
+    fi
+else
+    log_all "${service} is disabled (or missing). Skip."
+fi
+
+## LXC
+
+if is_systemd_enabled 'lxc.service'; then
+    for container in $(lxc-ls -1 | grep --fixed-strings 'php' | grep --extended-regexp --invert-match --regexp '\bold\b' --regexp '\bdisabled\b'); do
+        repair_lxc_php "${container}"
+    done
+else
+    log_all "LXC is disabled (or missing). Skip."
+fi
+
+## FPM
+
+fpm_services=$(systemd_list_services 'php*-fpm*')
+if [ -n "${fpm_services}" ]; then
+    for service in ${fpm_services}; do
+        service_name="${service//.service/}"
+        if is_systemd_enabled "${service}"; then
+            if is_systemd_active "${service}"; then
+                log_all "${service} is active. Skip."
+            else
+                # Save service status before restart
+                systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
+
+                # Try to restart
+                timeout 20 systemctl restart "${service}" > /dev/null
+                rc=$?
+                if [ "${rc}" -eq "0" ]; then
+                    log_action "Restart ${service_name}: OK"
+                else
+                    log_action "Restart ${service_name}: failed"
+                fi
+
+                # Save service status after restart
+                systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
+            fi
+        else
+            log_all "${service} is disabled (or missing). Skip."
+        fi
+    done
+else
+    log_all "PHP FPM not found. Skip."
+fi
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_mysql

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+pre_repair
+
+if is_debian_version "8" "<="; then
+
+    if is_sysvinit_enabled '*mysql*'; then
+        if ! pgrep -u mysql mysqld > /dev/null; then
+
+            # Save service status before restart
+            timeout 2 mysqladmin status 2>&1 | save_in_log_dir "mysql.before.status"
+
+            timeout 20 /etc/init.d/mysql restart > /dev/null
+            rc=$?
+            if [ "${rc}" -eq "0" ]; then
+                log_action "Restart mysql: OK"
+            else
+                log_action "Restart mysql: failed"
+            fi
+
+            # Save service status after restart
+            timeout 2 mysqladmin status 2>&1 | save_in_log_dir "mysql.after.status"
+        else
+            log_abort_and_quit "mysqld process alive. Aborting"
+        fi
+    else
+        log_abort_and_quit "MySQL not enabled. Aborting"
+    fi
+
+else
+
+    if is_debian_version "12" ">="; then
+        service="mariadb.service"
+        service_name="mariadb"
+    else
+        service="mysql.service"
+        service_name="mysql"
+    fi
+
+    if is_systemd_enabled "${service}"; then
+        if is_systemd_active "${service}"; then
+            log_abort_and_quit "${service} is active, nothing left to do."
+        else
+            # Save service status before restart
+            systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
+
+            # Try to restart
+            timeout 20 systemctl restart "${service}" > /dev/null
+            rc=$?
+            if [ "${rc}" -eq "0" ]; then
+                log_action "Restart ${service_name}: OK"
+            else
+                log_action "Restart ${service_name}: failed"
+            fi
+
+            # Save service status after restart
+            systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
+        fi
+    else
+        log_abort_and_quit "${service} is disabled (or missing), nothing left to do."
+    fi
+
+fi
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_opendkim

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+pre_repair
+
+service="opendkim.service"
+service_name="opendkim"
+
+if is_systemd_enabled "${service}"; then
+    if is_systemd_active "${service}"; then
+        log_abort_and_quit "${service} is active, nothing left to do."
+    else
+        # Save service status before restart
+        systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
+
+        # Try to restart
+        timeout 20 systemctl restart "${service}" > /dev/null
+        rc=$?
+        if [ "${rc}" -eq "0" ]; then
+            log_action "Restart ${service_name}: OK"
+        else
+            log_action "Restart ${service_name}: failed"
+        fi
+
+        # Save service status after restart
+        systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
+    fi
+else
+    log_abort_and_quit "${service} is disabled (or missing). Abort."
+fi
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_php_fpm56

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+LOCK_WAIT="15s"
+LOCK_NAME="repair_http"
+
+pre_repair
+
+repair_lxc_php php56
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_php_fpm70

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+LOCK_WAIT="15s"
+LOCK_NAME="repair_http"
+
+pre_repair
+
+repair_lxc_php php70
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_php_fpm73

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+LOCK_WAIT="15s"
+LOCK_NAME="repair_http"
+
+pre_repair
+
+repair_lxc_php php73
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_php_fpm74

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+LOCK_WAIT="15s"
+LOCK_NAME="repair_http"
+
+pre_repair
+
+repair_lxc_php php74
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_php_fpm80

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+LOCK_WAIT="15s"
+LOCK_NAME="repair_http"
+
+pre_repair
+
+repair_lxc_php php80
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_php_fpm81

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+LOCK_WAIT="15s"
+LOCK_NAME="repair_http"
+
+pre_repair
+
+repair_lxc_php php81
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_php_fpm82

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+LOCK_WAIT="15s"
+LOCK_NAME="repair_http"
+
+pre_repair
+
+repair_lxc_php php82
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_php_fpm83

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+LOCK_WAIT="15s"
+LOCK_NAME="repair_http"
+
+pre_repair
+
+repair_lxc_php php83
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_redis

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+pre_repair
+
+for service in $(systemd_list_services 'redis-server*'); do
+    service_name="${service//.service/}"
+
+    if is_systemd_active "${service}"; then
+        log_all "${service} is active. Skip."
+    else
+        # Save service status before restart
+        systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
+
+        # Try to restart
+        timeout 20 systemctl restart "${service}" > /dev/null
+        rc=$?
+        if [ "${rc}" -eq "0" ]; then
+            log_action "Restart ${service_name}: OK."
+        else
+            log_action "Restart ${service_name}: failed."
+        fi
+
+        # Save service status after restart
+        systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
+    fi
+done
+
+post_repair

autosysadmin-agent/files/upstream/repair/repair_tomcat_instance

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+pre_repair
+
+repair_tomcat_instance_handle_tomcat() {
+
+    if /bin/su - "${1}" -c "/bin/systemctl --quiet --user is-active tomcat.service" ; then
+        if ! /bin/su - "${1}" -c "/usr/bin/timeout 20 /bin/systemctl --quiet --user restart tomcat.service"
+        then
+            log_abort_and_quit "Echec de redémarrage instance tomcat utilisateur ${1}"
+        else
+            log_action "Redémarrage instance tomcat utilisateur ${1}"
+        fi
+    elif /bin/systemctl --quiet is-active "${1}".service ; then
+        if ! /usr/bin/timeout 20 systemctl --quiet restart "${1}".service
+        then
+            log_abort_and_quit "Echec de redémarrage instance tomcat ${1}"
+        else
+            log_action "Redémarrage instance tomcat ${1}"
+        fi
+    fi
+
+}
+
+for instance in $( /usr/local/lib/nagios/plugins/check_tomcat_instance.sh |grep CRITICAL |awk '{print $3}' |sed '1d') ;
+do
+    repair_tomcat_instance_handle_tomcat "${instance}"
+done
+
+post_repair

autosysadmin-agent/files/upstream/repair/zzz-repair_example.template

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+## Custom lock wait and/or lock name
+# LOCK_WAIT="15s"
+# LOCK_NAME="repair_http"
+
+pre_repair
+
+## The name of the service, mainly for logging
+service_name="example"
+## The systemd service name
+systemd_service="${service_name}.service"
+
+if is_systemd_enabled "${systemd_service}"; then
+    if is_systemd_active "${systemd_service}"; then
+        log_abort_and_quit "${systemd_service} is active, nothing left to do."
+    else
+        # Save service status before restart
+        systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.before.status"
+
+        # Try to restart
+        timeout 20 systemctl restart "${systemd_service}" > /dev/null
+        rc=$?
+        if [ "${rc}" -eq "0" ]; then
+            log_action "Restart ${service_name}: OK"
+        else
+            log_action "Restart ${service_name}: failed"
+        fi
+
+        # Save service status after restart
+        systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.after.status"
+    fi
+else
+    log_abort_and_quit "${service_name} is disabled (or missing), nothing left to do."
+fi
+
+post_repair

autosysadmin-agent/files/upstream/restart/README

@@ -0,0 +1,19 @@
+Autosysadmin "restart auto" scripts
+===================================
+
+In this directory you can place scripts that will be executed automatically by a cron job (stored in `/etc/cron.d/autosysadmin`).
+
+They must satisfy the default `run-parts(8)` constraints :
+
+* be "executable"
+* belong to the Debian cron script namespace (`^[a-zA-Z0-9_-]+$`), example: `restart_amavis`
+
+Warning: scripts that do not satisfy those criteria will NOT be run (silently)!
+
+You can print the names of the scripts which would be run, without actually running them, with this command :
+
+```
+$ run-parts --test /usr/share/scripts/autosysadmin/restart
+```
+
+You can use `zzz-restart_example.template` as boilerplate code to make your own "restart" script.

autosysadmin-agent/files/upstream/restart/zzz-restart_example.template

@@ -0,0 +1,120 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh"  || exit 1
+source "${AUTOSYSADMIN_LIB}/restart.sh" || exit 1
+
+# shellcheck disable=SC2034
+RUNNING="nwh-fr"
+
+## Possible values for RUNNING :
+##   never    => disabled
+##   always   => enabled
+##   nwh-fr   => enabled during non-working-hours in France
+##   nwh-ca   => enabled during non-working-hours in Canada (not supported yet)
+##   custom   => enabled if `running_custom()` function returns 0, otherwise disabled.
+
+## Uncomment and customize this method if you want to have a special logic :
+##
+##   return 1 if we should not run
+##   return 0 if we should run
+##
+## Some available functions :
+##   is_weekend()  : Saturday or Sunday
+##   is_holiday()  : holiday in France (based on `gcal(1)`)
+##   is_workday()  : not weekend and not holiday
+##   is_worktime() : work day between 9-12h and 14-18h
+#
+# running_custom() {
+#     # implement your own custom method to decide if we should run or not
+# }
+
+## The name of the service, mainly for logging
+service_name="example"
+## The SysVinit script name
+sysvinit_script="${service_name}"
+## The systemd service name
+systemd_service="${service_name}.service"
+
+is_service_alive() {
+    ## this must return 0 if the service is alive, otherwise return 1
+    ## Example:
+    pgrep -u USER PROCESS_NAME > /dev/null
+}
+
+## Action for SysVinit system
+sysvinit_action() {
+    # Save service status before restart
+    timeout 2 "/etc/init.d/${sysvinit_script}" status | save_in_log_dir "${service_name}.before.status"
+
+    # Try to restart
+    timeout 20 "/etc/init.d/${sysvinit_script}" restart > /dev/null
+    rc=$?
+    if [ "${rc}" -eq "0" ]; then
+        log_action "Restart ${service_name}: OK"
+    else
+        log_action "Restart ${service_name}: failed"
+    fi
+
+    # Save service status after restart
+    timeout 2 "/etc/init.d/${sysvinit_script}" status | save_in_log_dir "${service_name}.after.status"
+}
+
+## Action for systemd system
+systemd_action() {
+    # Save service status before restart
+    systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.before.status"
+
+    # Try to restart
+    # systemctl (only for NRPE ?) sometimes returns 0 even if the service has failed to start
+    # so we check the status explicitly
+    timeout 20 systemctl restart "${systemd_service}" > /dev/null \
+        && sleep 1 \
+        && systemctl status "${systemd_service}" > /dev/null
+    rc=$?
+    if [ "${rc}" -eq "0" ]; then
+        log_action "Restart ${service_name}: OK"
+    else
+        log_action "Restart ${service_name}: failed"
+    fi
+
+    # Save service status after restart
+    systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.after.status"
+}
+
+# Should we run?
+if ! is_supposed_to_run; then
+    # log_global "${PROGNAME} is not supposed to run (RUNNING=${RUNNING})."
+    exit 0
+fi
+if is_service_alive; then
+    # log_global "${service_name} process alive. Aborting"
+    exit 0
+fi
+
+# Yes we do, so check for sysvinit or systemd
+if is_debian_version "8" "<="; then
+    if ! is_sysvinit_enabled "*${sysvinit_script}*"; then
+        # log_global "${service_name} not enabled. Aborting"
+        exit 0
+    fi
+
+    # Let's finally do the action
+    pre_restart
+    sysvinit_action
+    post_restart
+else
+    if ! is_systemd_enabled "${systemd_service}"; then
+        # log_global "${service_name} is disabled (or missing), nothing left to do."
+        exit 0
+    fi
+    if is_systemd_active "${systemd_service}"; then
+        # log_global "${service_name} is active, nothing left to do."
+        exit 0
+    fi
+
+    # Let's finally do the action
+    pre_restart
+    systemd_action
+    post_restart
+fi

autosysadmin-agent/handlers/main.yml

@@ -0,0 +1,16 @@
+---
+
+- name: restart nagios-nrpe-server
+  service:
+    name: nagios-nrpe-server
+    state: restarted
+
+- name: restart nrpe
+  service:
+    name: nrpe
+    state: restarted
+
+- name: restart rsyslog
+  service:
+    name: rsyslog
+    state: restarted

autosysadmin-agent/tasks/crontab.yml

@@ -0,0 +1,25 @@
+---
+
+- name: "Add begin marker if missing"
+  ansible.builtin.lineinfile:
+    path: "/etc/cron.d/autosysadmin"
+    line: "# BEGIN ANSIBLE MANAGED SECTION FOR AUTOSYSADMIN"
+    insertbefore: BOF
+    create: yes
+
+- name: "Add end marker if missing"
+  ansible.builtin.lineinfile:
+    path: "/etc/cron.d/autosysadmin"
+    line: "# END ANSIBLE MANAGED SECTION FOR AUTOSYSADMIN"
+    insertbefore: "EOF"
+    create: yes
+
+- name: "Create config if missing"
+  ansible.builtin.blockinfile:
+    path: "/etc/cron.d/autosysadmin"
+    marker: "# {mark} ANSIBLE MANAGED SECTION FOR AUTOSYSADMIN"
+    block: "{{ lookup('ansible.builtin.template', '../templates/autosysadmin.cron.j2') }}"
+    owner: root
+    group: root
+    mode: "0750"
+    create: yes

autosysadmin-agent/tasks/dependencies.yml

@@ -0,0 +1,4 @@
+---
+- name: Install gcal
+  ansible.builtin.apt:
+    name: gcal

autosysadmin-agent/tasks/install.yml

@@ -0,0 +1,114 @@
+---
+- name: "Remount /usr if needed"
+  ansible.builtin.include_role:
+    name: remount-usr
+
+- name: Previous autosysadmin restart directory is renamed
+  command:
+    cmd: mv "/usr/share/scripts/autosysadmin/auto" "{{ autosysadmin_agent_auto_dir }}"
+    removes: "/usr/share/scripts/autosysadmin/auto"
+    creates: "{{ autosysadmin_agent_auto_dir }}" 
+
+- name: Create autosysadmin directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "root"
+    group: "root"
+    mode: "0750"
+  loop:
+    - "{{ autosysadmin_agent_bin_dir }}"
+    - "{{ autosysadmin_agent_lib_dir }}"
+    - "{{ autosysadmin_agent_auto_dir }}"
+
+- name: Copy libraries
+  ansible.builtin.copy:
+    src: "upstream/lib/"
+    dest: "{{ autosysadmin_agent_lib_dir }}/"
+    owner: root
+    group: root
+    mode: "0750"
+
+- name: Copy repair scripts
+  ansible.builtin.copy:
+    src: "upstream/repair/"
+    dest: "{{ autosysadmin_agent_bin_dir }}/"
+    owner: root
+    group: root
+    mode: "0750"
+
+- name: Copy other utilities
+  ansible.builtin.copy:
+    src: "upstream/bin/"
+    dest: "{{ autosysadmin_agent_bin_dir }}/"
+    owner: root
+    group: root
+    mode: "0750"
+
+### WARNING: thos files are explicitly marked as non-executable
+### to prevent them from being run automatically by run-parts
+
+- name: Copy restart scripts
+  ansible.builtin.copy:
+    src: "upstream/restart/"
+    dest: "{{ autosysadmin_agent_auto_dir }}/"
+    owner: root
+    group: root
+    mode: "0640"
+
+- name: Ensure /etc/evolinux folder exists
+  ansible.builtin.file:
+    path: "/etc/evolinux"
+    state: directory
+    owner: "root"
+    group: "root"
+    mode: "0700"
+
+- name: Copy the configuration file if missing
+  ansible.builtin.template:
+    src: "autosysadmin.cf.j2"
+    dest: "/etc/evolinux/autosysadmin"
+    owner: root
+    group: root
+    mode: "0640"
+    force: no
+
+# Repair scripts are supposed to be 'on' by default
+# A line "repair_XXX=off" is added to the file only if the script is to be disabled.
+# That's why all the ternary logic for the state is reversed.
+- name: Update value per variable
+  ansible.builtin.lineinfile:
+    dest: "/etc/evolinux/autosysadmin"
+    line: "{{ item }}={{ autosysadmin_config[item] | default(true) | bool | ternary('on', 'off') }}"
+    regexp: '^(#\s*)?{{ item }}=.*'
+    state: "{{ autosysadmin_config[item] | default(true) | bool | ternary('absent', 'present') }}"
+  register: _line
+  loop: "{{ autosysadmin_repair_scripts | union(['repair_all']) }}"
+
+- name: Ensure restart folder exists
+  ansible.builtin.file:
+    path: "auto"
+    state: directory
+    owner: "root"
+    group: "root"
+    mode: "0700"
+
+- name: Legacy scripts are removed
+  ansible.builtin.file:
+    path: "{{ general_scripts_dir }}/autosysadmin/{{ item }}"
+    state: absent
+  loop:
+    - repair_amavis.sh
+    - repair_disk.sh
+    - repair_elasticsearch.sh
+    - repair_http.sh
+    - repair_mysql.sh
+    - repair_opendkim.sh
+    - repair_php_fpm56.sh
+    - repair_php_fpm70.sh
+    - repair_php_fpm73.sh
+    - repair_php_fpm74.sh
+    - repair_php_fpm80.sh
+    - repair_php_fpm81.sh
+    - repair_redis.sh
+    - repair_tomcat_instance.sh

autosysadmin-agent/tasks/logrotate.yml

@@ -0,0 +1,8 @@
+---
+- name: Copy logrotate configuration for autosysadmin
+  ansible.builtin.copy:
+    src: "files/autosysadmin.logrotate.conf"
+    dest: "/etc/logrotate.d/autosysadmin"
+    owner: root
+    group: root
+    mode: "0644"

autosysadmin-agent/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+
+- name: The list of all repair scripts is composed.
+  set_fact:
+    autosysadmin_repair_scripts: "{{ lookup('ansible.builtin.fileglob', '../../../autosysadmin/agent/repair/repair_*', wantlist=True) | map('basename') | sort }}"
+
+- name: Install dependencies
+  ansible.builtin.include_tasks: dependencies.yml
+
+- name: Install autosysadmin
+  ansible.builtin.include_tasks: install.yml
+
+- name: Crontab configuration
+  ansible.builtin.include_tasks: crontab.yml
+
+- name: NRPE configuration
+  ansible.builtin.include_tasks: nrpe.yml
+
+- name: sudo configuration
+  ansible.builtin.include_tasks: sudo.yml
+
+- name: rsyslog configuration
+  ansible.builtin.include_tasks: rsyslog.yml
+
+- name: logrotate configuration
+  ansible.builtin.include_tasks: logrotate.yml
+
+- name: Install latest version of dump-server-state
+  ansible.builtin.include_role:
+    name: evolinux-base
+    tasks_from: dump-server-state.yml

autosysadmin-agent/tasks/nrpe.yml

@@ -0,0 +1,9 @@
+---
+- name: custom configuration is present
+  ansible.builtin.template:
+    src: autosysadmin.nrpe.cfg.j2
+    dest: /etc/nagios/nrpe.d/autosysadmin.cfg
+    group: nagios
+    mode: "0640"
+    force: yes
+  notify: restart nagios-nrpe-server

autosysadmin-agent/tasks/rsyslog.yml

@@ -0,0 +1,9 @@
+---
+- name: Copy rsyslog configuration for autosysadmin
+  ansible.builtin.copy:
+    src: "files/autosysadmin.rsyslog.conf"
+    dest: "/etc/rsyslog.d/autosysadmin.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart rsyslog

autosysadmin-agent/tasks/sudo.yml

@@ -0,0 +1,7 @@
+---
+- name: Add autosysadmin sudoers file
+  ansible.builtin.template:
+    src: autosysadmin.sudoers.j2
+    dest: /etc/sudoers.d/autosysadmin
+    mode: "0600"
+    validate: "visudo -cf %s"

autosysadmin-agent/templates/autosysadmin.cf.j2

@@ -0,0 +1,12 @@
+# This configuration is partially managed by Ansible
+# You can change specific values manually, but they may be overridden by Ansible
+# 
+# To be safe, update the hosts_vars/group_vars in the autosysadmin project
+# https://gitea.evolix.org/evolix/autosysadmin/src/branch/master
+# then use the "agent" playbook to deploy.
+#
+# Configuration for autosysadmin
+# Use this file to change configuration values defined in repair scripts
+# To disable all repair scripts : repair_all=off
+# To disable "repair_http" : repair_http=off
+#

autosysadmin-agent/templates/autosysadmin.cron.j2

@@ -0,0 +1,7 @@
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# Run each enabled script
+*/5 * * * * root run-parts /usr/share/scripts/autosysadmin/restart
+
+# Clean run log files
+@weekly root {{ autosysadmin_agent_bin_dir | mandatory }}/delete_old_logs.sh {{ autosysadmin_agent_log_retention_days | default('365') }}

autosysadmin-agent/templates/autosysadmin.nrpe.cfg.j2

@@ -0,0 +1,8 @@
+#
+# Ansible managed - DO NOT MODIFY, your changes will be overwritten !
+#
+
+# Autosysadmin repair commands
+{% for script in lookup('ansible.builtin.fileglob', '../../../autosysadmin/agent/repair/repair_*', wantlist=True) | map("basename") | sort %}
+command[{{ script }}]=sudo {{ autosysadmin_agent_bin_dir }}/{{ script }}
+{% endfor %}

autosysadmin-agent/templates/autosysadmin.sudoers.j2

@@ -0,0 +1,7 @@
+#
+# Ansible managed - DO NOT MODIFY, your changes will be overwritten !
+#
+
+{% for script in lookup('ansible.builtin.fileglob', '../../../autosysadmin/agent/repair/repair_*', wantlist=True) | map("basename") | sort %}
+nagios          ALL = NOPASSWD: {{ autosysadmin_agent_bin_dir }}/{{ script }}
+{% endfor %}

autosysadmin-restart_nrpe/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+
+general_scripts_dir: "/usr/share/scripts"
+
+restart_nrpe_path: "{{ general_scripts_dir }}/autosysadmin/restart/restart_nrpe"
+
+# Change this to customize the RUNNING value in the script
+restart_nrpe_running: Null

autosysadmin-restart_nrpe/files/upstream/restart_nrpe

@@ -0,0 +1,105 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh"  || exit 1
+source "${AUTOSYSADMIN_LIB}/restart.sh" || exit 1
+
+## Possible values for RUNNING :
+##   never    => disabled
+##   always   => enabled
+##   nwh-fr   => enabled during non-working-hours in France
+##   nwh-ca   => enabled during non-working-hours in Canada (not supported yet)
+##   custom   => enabled if `running_custom()` function return 0, otherwise disabled.
+
+# shellcheck disable=SC2034
+RUNNING="nwh-fr"
+
+## The name of the service, mainly for logging
+service_name="nagios-nrpe-server"
+## The SysVinit script name
+sysvinit_script="${service_name}"
+## The systemd service name
+systemd_service="${service_name}.service"
+
+is_service_alive() {
+    ## this must return 0 if the service is alive, otherwise return 1
+    ## Example:
+    pgrep -u nagios nrpe > /dev/null
+}
+
+## Action for SysVinit system
+sysvinit_action() {
+    # Save service status before restart
+    timeout 2 "/etc/init.d/${sysvinit_script}" status | save_in_log_dir "${service_name}.before.status"
+
+    # Try to restart
+    timeout 20 "/etc/init.d/${sysvinit_script}" restart > /dev/null
+    rc=$?
+    if [ "${rc}" -eq "0" ]; then
+        log_action "Restart ${service_name}: OK"
+    else
+        log_action "Restart ${service_name}: failed"
+    fi
+
+    # Save service status after restart
+    timeout 2 "/etc/init.d/${sysvinit_script}" status | save_in_log_dir "${service_name}.after.status"
+}
+
+## Action for systemd system
+systemd_action() {
+    # Save service status before restart
+    systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.before.status"
+
+    # Try to restart
+    # systemctl (only for NRPE ?) sometimes returns 0 even if the service has failed to start
+    # so we check the status explicitly
+    timeout 20 systemctl restart "${systemd_service}" > /dev/null \
+        && sleep 1 \
+        && systemctl status "${systemd_service}" > /dev/null
+    rc=$?
+    if [ "${rc}" -eq "0" ]; then
+        log_action "Restart ${service_name}: OK"
+    else
+        log_action "Restart ${service_name}: failed"
+    fi
+
+    # Save service status after restart
+    systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.after.status"
+}
+
+# Should we run?
+if ! is_supposed_to_run; then
+    # log_global "${PROGNAME} is not supposed to run (RUNNING=${RUNNING})."
+    exit 0
+fi
+if is_service_alive; then
+    # log_global "${service_name} process alive. Aborting"
+    exit 0
+fi
+
+# Yes we do, so check for sysvinit or systemd
+if is_debian_version "8" "<="; then
+    if ! is_sysvinit_enabled "*${sysvinit_script}*"; then
+        # log_global "${service_name} not enabled. Aborting"
+        exit 0
+    fi
+
+    # Let's finally do the action
+    pre_restart
+    sysvinit_action
+    post_restart
+else
+    if ! is_systemd_enabled "${systemd_service}"; then
+        # log_global "${service_name} is disabled (or missing), nothing left to do."
+        exit 0
+    fi
+    if is_systemd_active "${systemd_service}"; then
+        # log_global "${service_name} is active, nothing left to do."
+        exit 0
+    fi
+
+    # Let's finally do the action
+    pre_restart
+    systemd_action
+    post_restart
+fi

autosysadmin-restart_nrpe/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+
+    - name: "Remount /usr if needed"
+      ansible.builtin.include_role:
+        name: remount-usr
+
+    - name: "Copy restart_nrpe"
+      ansible.builtin.copy:
+        src: upstream/restart_nrpe
+        dest: "{{ restart_nrpe_path }}"
+        owner: "root"
+        group: "root"
+        mode: "0750"
+
+    - name: "Customize RUNNING value"
+      ansible.builtin.lineinfile:
+        path: "{{ restart_nrpe_path }}"
+        line: "RUNNING=\"{{ restart_nrpe_running }}\""
+        regexp: "^ *RUNNING="
+        create: False
+      when:
+        - restart_nrpe_running is defined
+        - restart_nrpe_running != None
+        - restart_nrpe_running | length > 0

bind/README.md

@@ -10,4 +10,4 @@ Minimal configuration is in `tasks/main.yml`
 
 The full list of variables (with default values) can be found in `defaults/main.yml`.
 
-waening : sync chroot-bind.sh
+warning : sync chroot-bind.sh

bind/files/apparmor.usr.sbin.named

@@ -0,0 +1,5 @@
+/var/chroot-bind/etc/bind/** r,
+/var/chroot-bind/var/** rw,
+/var/chroot-bind/dev/** rw,
+/var/chroot-bind/run/** rw,
+/var/chroot-bind/usr/** r,

bind/files/bind-reload-zone.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# Script utilitaire pour tester et recharger facilement une zone dans Bind
+#
+
+usage() {
+    echo "Usage: bind-reload-zone <DOMAIN>"
+    echo "       bind-reload-zone -h|--help"
+}
+
+if [ $# -ne 1 ] ; then
+    usage
+    exit 1
+fi
+
+while :; do
+    case $1 in
+        -h|--help)
+            usage
+            exit 0
+            ;;
+        *)
+            zone=$1
+            break
+            ;;
+    esac
+    shift
+done
+
+if ! [ -f "/etc/bind/db.${zone}" ]; then
+    >&2 echo "Error: zone for ${zone} not found."
+    usage
+    exit 1
+fi
+
+named-checkzone "${zone}" /etc/bind/db."${zone}" && rndc reload "${zone}"
+

bind/files/bind-reload-zone_completion.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+_bind_reload_zone_dynamic_completion() {
+    local cur;
+    cur=${COMP_WORDS[COMP_CWORD]};
+    COMPREPLY=();
+    COMPREPLY=( $( compgen -W '$(grep -v -h '"'"'//'"'"' /etc/bind/named.conf* | grep -B1 "type master" | grep zone | grep -v arpa | awk '"'"'{gsub(/"/, "", $2); print $2}'"'"' | sort | uniq)' -- $cur ) );
+
+    # reverse ipv4 :
+    #grep -v -h '//' /etc/bind/named.conf*     | grep -B1 "type master" | grep zone | grep arpa | grep -v ip6 | awk '{gsub(/"/, "", $2); gsub(/.in-addr.arpa/, "", $2); print $2}' | sort | uniq | awk -F'.' '{ for (i=NF; i>1; i--) printf("%s.",$i); print $1 }'
+
+    # reveres ipv6 : je bloque sur l'inversion 4 par 4
+    #grep -v -h '//' /etc/bind/named.conf* | grep -B1 "type master" | grep zone | grep arpa | grep ip6 | awk '{gsub(/"/, "", $2); gsub(/.ip6.arpa/, "", $2); print $2}' | sort | uniq | awk -F'.' '{ for (i=NF; i>1; i--) { if ($i % 4 == 0) printf("%s.",$i); else printf("%s",$i); } print $1 }'
+
+}
+
+complete -F _bind_reload_zone_dynamic_completion bind-reload-zone
+

bind/files/chroot-bind.sh

@@ -3,12 +3,17 @@
 # Gregory Colpart <reg@debian.org>
 # chroot (or re-chroot) script for bind9
 
-# tested on Debian Wheezy/Jessie/Stretch
+# tested on Debian Wheezy/Jessie/Stretch/Buster/Bullseye/Bookworm
 # Exec this script after `(apt-get|aptitude|apt) install bind9`
 # and after *each* bind9 upgrade
 
 # When the script is finished, ensure you have
-# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/bind9
+# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/named
+# (since Bullseye) or, until Buster, in /etc/default/bind9
+#
+# Since Bookmworm, one also needs to handle bind mount points
+# https://wiki.evolix.org/HowtoBind#bind-mount-%C3%A0-partir-de-bookworm-debian-12
+#
 # and /etc/init.d/bind9 (re)start
 #
 # for Jessie/systemd only:
@@ -22,8 +27,10 @@ mkdir -p /var/chroot-bind
 mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \
         /var/chroot-bind/lib /var/chroot-bind/usr/lib                   \
         /var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind       \
-        /var/chroot-bind/var/log /var/chroot-bind/var/run/named/        \
-        /var/chroot-bind/run/named/
+        /var/chroot-bind/var/log /var/chroot-bind/var/run/named         \
+        /var/chroot-bind/run/named /var/chroot-bind/usr/share/dns
+
+chmod 750 /var/chroot-bind
 
 # for conf
 if [ ! -h "/etc/bind" ]; then
@@ -31,6 +38,11 @@ if [ ! -h "/etc/bind" ]; then
     ln -s /var/chroot-bind/etc/bind/ /etc/bind
 fi
 
+# for dns
+if [ -d "/usr/share/dns" ]; then
+    cp -a /usr/share/dns/* /var/chroot-bind/usr/share/dns/
+fi
+
 # for logs
 touch /var/chroot-bind/var/log/bind.log
 if [ ! -h "/var/log/bind.log" ]; then
@@ -58,11 +70,16 @@ fi
 #chmod 666 /var/chroot-bind/dev/{null,random}
 
 # essential libs
-for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1` \
-         /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so ; do
-    install -D $i /var/chroot-bind/${i##/}
+for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1`
+    do install -D $i /var/chroot-bind/${i##/}
 done
 
+if [ ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so 1>/dev/null 2>&1 ]; then
+    for i in /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so
+        do install -D $i /var/chroot-bind/${i##/}
+    done
+fi
+
 # essential (hum, bash is required ??)
 #cp /bin/bash /var/chroot-bind/bin/
 cp /usr/sbin/named /var/chroot-bind/usr/sbin/

bind/files/reload-zone

@@ -1,14 +0,0 @@
-#!/bin/bash
-#
-# Script utilitaire pour tester et recharger facilement un domaine dans Bind
-# Usage : reload-zone <DOMAINE>
-#
-# TODO:
-# - renommer le script (par ex bind-safe-reload)
-# - vérifier le serial
-# - ajouter un -h --help
-# - prendre en charge plusieurs zones (ou aucune)
-# - ajouter le script dans le role bind
-
-named-checkzone "$1" /etc/bind/db."$1" && rndc reload "$1"
-

bind/handlers/main.yml

@@ -3,7 +3,6 @@
   ansible.builtin.systemd:
     daemon-reload: yes
 
-
 - name: restart apparmor
   ansible.builtin.systemd:
     name: apparmor

bind/meta/main.yml

@@ -14,6 +14,8 @@ galaxy_info:
         - jessie
         - stretch
         - buster
+        - bullseye
+        - bookworm
 
   galaxy_tags: []
     # Be sure to remove the '[]' above if you add dependencies

bind/tasks/main.yml

@@ -17,13 +17,13 @@
   register: check_apparmor
 
 - name: configure apparmor
-  ansible.builtin.template:
-    src: apparmor.usr.sbin.named.j2
-    dest: /etc/apparmor.d/usr.sbin.named
-    owner: root
-    group: root
+  ansible.builtin.copy:
+    src: apparmor.usr.sbin.named
+    dest: /etc/apparmor.d/local/usr.sbin.named
     mode: "0644"
+    owner: root
     force: true
+    backup: yes
   notify: restart apparmor
   when: check_apparmor.rc == 0
 
@@ -94,13 +94,67 @@
     - bind_chroot_set | bool
     - chrootbind_run.stdout | length > 0
 
-- name: Modify OPTIONS in /etc/default/bind9 for chroot
+- name: Modify OPTIONS in /etc/default/bind9 for chroot (until Buster)
   ansible.builtin.replace:
     dest: /etc/default/bind9
     regexp: '^OPTIONS=.*'
     replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
   notify: restart bind
-  when: bind_chroot_set | bool
+  when:
+    - bind_chroot_set | bool
+    - ansible_distribution_major_version is version('11', '<')
+
+- name: Modify OPTIONS in /etc/default/named for chroot (since Bullseye)
+  ansible.builtin.replace:
+    dest: /etc/default/named
+    regexp: '^OPTIONS=.*'
+    replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
+  notify: restart bind
+  when:
+    - bind_chroot_set | bool
+    - ansible_distribution_major_version is version('11', '>=')
+
+- name: Create mount target directory for chroot (since Bookworm)
+  ansible.builtin.file:
+    path: /var/chroot-bind/run/systemd/journal
+    state: directory
+    owner: bind
+    group: bind
+  notify: restart bind
+  when:
+    - bind_chroot_set | bool
+    - ansible_distribution_major_version is version('12', '>=')
+
+- name: Create mount targets for chroot (since Bookworm)
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: touch
+    owner: bind
+    group: bind
+  loop:
+    - /var/chroot-bind/run/systemd/journal/socket
+    - /var/chroot-bind/run/systemd/journal/stdout
+    - /var/chroot-bind/run/systemd/notify
+  notify: restart bind
+  when:
+    - bind_chroot_set | bool
+    - ansible_distribution_major_version is version('12', '>=')
+
+- name: Set up bind mount for chroot (since Bookworm)
+  ansible.posix.mount:
+    src: "{{ item }}"
+    path: "/var/chroot-bind{{ item }}"
+    opts: bind
+    state: mounted
+    fstype: none
+  loop:
+    - /run/systemd/journal/socket
+    - /run/systemd/journal/stdout
+    - /run/systemd/notify
+  notify: restart bind
+  when:
+    - bind_chroot_set | bool
+    - ansible_distribution_major_version is version('12', '>=')
 
 - name: logrotate for bind
   ansible.builtin.template:

bind/templates/apparmor.usr.sbin.named.j2

@@ -1,97 +0,0 @@
-# vim:syntax=apparmor
-# Last Modified: Tue Mar  9 14:17:50 EST 2021
-#include <tunables/global>
-
-/usr/sbin/named flags=(attach_disconnected) {
-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-
-  capability net_bind_service,
-  capability setgid,
-  capability setuid,
-  capability sys_chroot,
-  capability sys_resource,
-
-  # /etc/bind should be read-only for bind
-  # /var/lib/bind is for dynamically updated zone (and journal) files.
-  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
-  # See /usr/share/doc/bind9/README.Debian.gz
-  /etc/bind/** r,
-  /var/lib/bind/** rw,
-  /var/lib/bind/ rw,
-  /var/cache/bind/** lrw,
-  /var/cache/bind/ rw,
-
-  # Database file used by allow-new-zones
-  /var/cache/bind/_default.nzd-lock rwk,
-
-  # gssapi
-  /etc/krb5.keytab kr,
-  /etc/bind/krb5.keytab kr,
-
-  # ssl
-  /etc/ssl/openssl.cnf r,
-
-  # root hints from dns-data-root
-  /usr/share/dns/root.* r,
-
-  # GeoIP data files for GeoIP ACLs
-  /usr/share/GeoIP/** r,
-
-  # dnscvsutil package
-  /var/lib/dnscvsutil/compiled/** rw,
-
-  # Allow changing worker thread names
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-
-  @{PROC}/net/if_inet6 r,
-  @{PROC}/*/net/if_inet6 r,
-  @{PROC}/sys/net/ipv4/ip_local_port_range r,
-  /usr/sbin/named mr,
-  /{,var/}run/named/named.pid w,
-  /{,var/}run/named/session.key w,
-  # support for resolvconf
-  /{,var/}run/named/named.options r,
-
-  # some people like to put logs in /var/log/named/ instead of having
-  # syslog do the heavy lifting.
-  {{ bind_log_file }} rw,
-{% if bind_query_file_enabled | bool %}
-  {{ bind_query_file }} rw,
-{% endif %}
-
-  # gssapi
-  /var/lib/sss/pubconf/krb5.include.d/** r,
-  /var/lib/sss/pubconf/krb5.include.d/ r,
-  /var/lib/sss/mc/initgroups r,
-  /etc/gss/mech.d/ r,
-
-  # ldap
-  /etc/ldap/ldap.conf r,
-  /{,var/}run/slapd-*.socket rw,
-
-  # dynamic updates
-  /var/tmp/DNS_* rw,
-
-  # dyndb backends
-  /usr/lib/bind/*.so rm,
-
-  # Samba DLZ
-  /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
-  /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
-  /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
-  /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
-  /var/lib/samba/bind-dns/dns.keytab rk,
-  /var/lib/samba/bind-dns/named.conf r,
-  /var/lib/samba/bind-dns/dns/** rwk,
-  /var/lib/samba/private/dns.keytab rk,
-  /var/lib/samba/private/named.conf r,
-  /var/lib/samba/private/dns/** rwk,
-  /etc/samba/smb.conf r,
-  /dev/urandom rwmk,
-  owner /var/tmp/krb5_* rwk,
-
-  # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.sbin.named>
-}
-

certbot/files/hooks/deploy/dovecot.sh

@@ -16,7 +16,7 @@ config_check() {
     ${doveconf_bin} > /dev/null 2>&1
 }
 letsencrypt_used() {
-    ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"
+    ${doveconf_bin} | grep -E "^[[:blank:]]*ssl_cert[^_]" | grep -q "letsencrypt"
 }
 main() {
     if daemon_found_and_running; then

certbot/files/hooks/deploy/hapee.sh

@@ -39,8 +39,8 @@ concat_files() {
     chown root: "${hapee_cert_file}"
 }
 cert_and_key_mismatch() {
-    hapee_cert_md5=$(openssl x509 -noout -modulus -in "${hapee_cert_file}" | openssl md5)
-    hapee_key_md5=$(openssl rsa -noout -modulus -in "${hapee_cert_file}" | openssl md5)
+    hapee_cert_md5=$(openssl x509 -noout -pubkey -in "${hapee_cert_file}" | openssl md5)
+    hapee_key_md5=$(openssl pkey -noout -pubout -in "${hapee_cert_file}" | openssl md5)
 
     test "${hapee_cert_md5}" != "${hapee_key_md5}"
 }

certbot/files/hooks/deploy/haproxy.sh

@@ -29,8 +29,8 @@ concat_files() {
     chown root: "${haproxy_cert_file}"
 }
 cert_and_key_mismatch() {
-    haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
-    haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
+    haproxy_cert_md5=$(openssl x509 -noout -pubkey -in "${haproxy_cert_file}" | openssl md5)
+    haproxy_key_md5=$(openssl pkey -noout -pubout -in "${haproxy_cert_file}" | openssl md5)
 
     test "${haproxy_cert_md5}" != "${haproxy_key_md5}"
 }

certbot/files/hooks/deploy/nrpe.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+error() {
+    >&2 echo "${PROGNAME}: $1"
+    exit 1
+}
+debug() {
+    if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+        >&2 echo "${PROGNAME}: $1"
+    fi
+}
+daemon_found_and_running() {
+    test -n "$(pidof nrpe)"
+}
+letsencrypt_lineaged_used() {
+    grep -r "^ssl_cert_file" /etc/nagios/ | grep "letsencrypt" | grep -q "$(basename "${RENEWED_LINEAGE}")"
+}
+copy_letsencrypt_cert() {
+    DEST_CERTIFICATE=$(grep -r "^ssl_cert_file" /etc/nagios/ | awk -F'=' '{print $2}')
+    DEST_PRIVATE_KEY=$(grep -r "^ssl_privatekey_file" /etc/nagios/ | awk -F'=' '{print $2}')
+
+    install --mode 440 --group nagios ${RENEWED_LINEAGE}/fullchain.pem ${DEST_CERTIFICATE}
+    install --mode 440 --group nagios ${RENEWED_LINEAGE}/privkey.pem ${DEST_PRIVATE_KEY}
+}
+main() {
+    if daemon_found_and_running; then
+        if letsencrypt_lineaged_used; then
+            debug "NRPE detected... Copying certificates to the right place & permissions"
+            copy_letsencrypt_cert
+            debug "Restarting NRPE"
+            systemctl restart nagios-nrpe-server
+        else
+            debug "NRPE doesn't use the given Let's Encrypt certificate. Skip."
+        fi
+    else
+        debug "NRPE is not running or missing. Skip."
+    fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+main

certbot/tasks/main.yml

@@ -21,6 +21,8 @@
 
 - ansible.builtin.include: acme-challenge.yml
 
+# This is always going to mark a "change".
+# Couldn't figure out why !
 - name: Deploy hooks are present
   ansible.builtin.copy:
     src: hooks/deploy/

check_free_space/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+check_free_space_partitions:
+  - "/home"
+  - "/srv"
+check_free_space_max_percent: 70
+check_free_space_mailto: Null

check_free_space/files/check_free_space.sh

@@ -0,0 +1,166 @@
+#!/bin/sh
+
+# This script verifies if the specified partitions on a machine are filled
+# at more than x%.
+#
+# If so, it sends a mail to the admin of that machine, warning him/her
+# that mesures should be taken.
+#
+# Two outputs are provided to the recipient of the mail:
+#  * some general infos with `df`
+#  * a more indepth inspection with `duc`
+#
+# This script takes 3 (mandatory) arguments:
+#  * a list of the partitions to check (space separated)
+#  * the maximum allowed percentage
+#  * the email template to use
+# 
+# This script should be ran by cron @daily.
+#
+#
+# Copyright (C) 2016 Louis-Philippe Véronneau <lpveronneau@evolix.ca, Evolix <info@evolix.fr>
+#
+# This program is licensed under GPLv3 +
+
+
+# Check argument sanity
+
+PID_FILE='/var/run/check_free_space.pid'
+
+if test -f "$PID_FILE"
+then
+  pid=$(cat "$PID_FILE")
+  ps -p "$pid" > /dev/null
+  if test $? -eq 0
+  then
+    echo "$0 already run !" >&2
+    exit 1
+  else
+    rm $PID_FILE
+  fi
+fi
+
+echo $$ > $PID_FILE
+
+if test -z "$1" || test -z "$2" || test -z "$3"  # is non null
+then
+  echo "Some arguments are missing. Please issue a partition list, a" \
+       "maximum percentage and an email template."
+  exit 1
+elif ! [ "$2" -le 100 -a "$2" -ge 0 ] # is a percentage
+then
+  echo "Please enter a maximum percentage value between 0 and 100."
+  exit 1
+fi
+
+# Argument processing
+
+partition_list=$1
+max_percentage=$((100-$2))
+email_template=$3
+
+HOSTNAME=$(hostname)
+debian_version=$(lsb_release -c)
+
+check_disk='/usr/lib/nagios/plugins/check_disk'
+
+test -f /etc/evomaintenance.cf && . /etc/evomaintenance.cf
+
+
+# Test what version of df we have
+
+old_df=false
+
+case "$debian_version" in
+    *squeeze* ) old_df=true ;;
+    *wheezy* ) old_df=true ;;
+esac
+
+
+# Check disk space
+
+df_options="size,avail,pcent,itotal,iavail,ipcent"
+
+for partition in $partition_list
+do
+  if ! $check_disk -w $max_percentage% -W $max_percentage% $partition > /dev/null
+  then
+    # the 'newline' is a hack to make sed behave
+    PARTITION_DATA="$PARTITION_DATA newline $partition newline"
+    if [ $old_df ]
+    then
+      PARTITION_DATA="$PARTITION_DATA $(/bin/df -h $partition) newline"
+      PARTITION_DATA="$PARTITION_DATA newline $(df -ih $partition) newlinenewline"
+    else
+      PARTITION_DATA="$PARTITION_DATA $(/bin/df -h --output=$df_options $partition) newline"
+    fi
+    full_partitions="$full_partitions $partition"
+    partname=$(echo $partition|tr -s '/' '-')
+    graph_list="$graph_list -a /home/duc${partname}.png"
+  fi
+done
+
+
+# Exit if everything is OK
+
+if test -z "$PARTITION_DATA"
+then
+  exit 0
+fi
+ 
+
+# If there is indeed a problem, get more infos with duc
+
+/usr/bin/ionice -c3 /usr/bin/duc index -H -d /home/duc.idx -x $full_partitions -q
+
+for partition in $full_partitions
+do
+  duc_temp=$(/usr/bin/duc ls -d /home/duc.idx -Fg $partition)
+  duc_temp=$(printf "$duc_temp" | sed -e "s@]@]newline@" | grep -v "lost+found")
+  DUC_OUTPUT="$DUC_OUTPUT newline$partition newline$duc_temp"
+  partname=$(echo $partition|tr -s '/' '-')
+  duc graph -d /home/duc.idx -o /home/duc${partname}.png -l8 -s 1024 $partition
+done 
+
+
+# Replace placeholders & send the mail !
+
+PARTITION_DATA="$(echo "$PARTITION_DATA"|tr -d $'\n')" # make sed accept the input
+DUC_OUTPUT="$(echo "$DUC_OUTPUT"|tr -d $'\n')"
+
+if [ $old_df ]
+then
+  sed -e "s/__TO__/$EVOMAINTMAIL/"                         \
+      -e "s/__HOSTNAME__/$HOSTNAME/"                       \
+      -e "s@__PARTITION_DATA__@$PARTITION_DATA@"           \
+      -e "s@__DUC_OUTPUT__@$DUC_OUTPUT@"                   \
+      -e "s/newline/\n/g"                                  \
+      -e "s/IUse%/IUse%\n/g"                               \
+      -e "s/ Use%/ Use%\n/g"                               \
+      -e "s@Filesystem \{12\}@@g"                          \
+      -e "s@Mounted on\/dev\/[a-z]\{3\}[0-9]\+ \{13\}@@g"  \
+      -e "s@% \/[a-z]\+@%@g"                               \
+      -e "s/__MAX_PERCENTAGE__/$max_percentage/"           \
+      -e "s/__FULLFROM__/$FULLFROM/"                       \
+      -e "s/__FROM__/$FROM/"                               \
+      -e "s/__URGENCYFROM__/$URGENCYFROM/"                 \
+      -e "s/__URGENCYTEL__/$URGENCYTEL/"                   \
+       $email_template |                                   \
+  /usr/bin/mutt -H - $graph_list
+else
+  sed -e "s/__TO__/$EVOMAINTMAIL/"               \
+      -e "s/__HOSTNAME__/$HOSTNAME/"             \
+      -e "s@__PARTITION_DATA__@$PARTITION_DATA@" \
+      -e "s@__DUC_OUTPUT__@$DUC_OUTPUT@"         \
+      -e "s/newline/\n/g"                        \
+      -e "s/IUse%/IUse%\n/g"                     \
+      -e "s/__MAX_PERCENTAGE__/$max_percentage/" \
+      -e "s/__FULLFROM__/$FULLFROM/"             \
+      -e "s/__FROM__/$FROM/"                     \
+      -e "s/__URGENCYFROM__/$URGENCYFROM/"       \
+      -e "s/__URGENCYTEL__/$URGENCYTEL/"         \
+       $email_template |                         \
+  /usr/bin/mutt -H - $graph_list
+fi
+
+rm -f $PID_FILE

check_free_space/files/check_free_space.tpl

@@ -0,0 +1,24 @@
+From: __FULLFROM__
+Content-Type: text/plain; charset=UTF-8
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+To: __TO__
+Subject: [WARNING] Espace disque faible sur __HOSTNAME__
+
+Bonjour,
+
+Ceci est un message automatique pour vous informer qu'il y a un
+souci d'espace disque sur votre serveur __HOSTNAME__
+
+Voici les informations sur l'espace disque qui pose problème :
+__PARTITION_DATA__
+Détails sur les partitions problématiques :
+__DUC_OUTPUT__
+Un graphe par partition problématique est disponible en pièce jointe.
+
+Nous vous recommandons d'effectuer du ménage pour maintenir
+chaque partition avec un minimum de __MAX_PERCENTAGE__% d'espace disque libre.
+
+Cordialement,
+-- 
+__FULLFROM__

check_free_space/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+- ansible.builtin.include_role:
+    name: evolix/remount-usr
+
+- name: Copy check_free_space.sh script
+  ansible.builtin.copy:
+    src: files/check_free_space.sh
+    dest: /usr/share/scripts/check_free_space
+    owner: root
+    group: root
+    mode: "0750"
+
+- name: Copy email template
+  ansible.builtin.copy:
+    src: files/check_free_space.tpl
+    dest: /usr/share/scripts/check_free_space.tpl
+    owner: root
+    group: root
+    mode: "0644"
+
+# not using the cron_module for this since it is buggy
+- name: check_free_space.sh is run by cron
+  ansible.builtin.template:
+    src: templates/cron_check_free_space.j2
+    dest: /etc/cron.d/check_free_space
+    owner: root
+    group: root
+    mode: "0644"
+    force: false
+
+- name: Duc and Mutt are installed
+  ansible.builtin.apt:
+    pkg:
+      - mutt
+      - duc
+    state: present
+

check_free_space/tasks/shell_script.yml

@@ -0,0 +1,30 @@
+---
+
+- include_role:
+    name: evolix/remount-usr
+
+- name: shell script
+  copy:
+    src: files/check_free_space.sh
+    dest: /usr/share/scripts/check_free_space
+    owner: root
+    group: root
+    mode: "0750"
+
+- name: email template
+  copy:
+    src: files/check_free_space.tpl
+    dest: /usr/share/scripts/check_free_space.tpl
+    owner: root
+    group: root
+    mode: "0644"
+
+# not using the cron_module for this since it is buggy
+- name: cron
+  template:
+    src: templates/cron_check_free_space.j2
+    dest: /etc/cron.d/check_free_space
+    owner: root
+    group: root
+    mode: "0644"
+    force: false

check_free_space/templates/cron_check_free_space.j2

@@ -0,0 +1,4 @@
+{% if check_free_space_mailto and check_free_space_mailto != "" %}
+MAILTO={{ check_free_space_mailto }}
+{% endif %}
+30 4 * * 1 root /usr/share/scripts/check_free_space "{{ check_free_space_partitions | join(' ') }}" {{ check_free_space_max_percent }} /usr/share/scripts/check_free_space.tpl

docker-host/tasks/main.yml

@@ -119,4 +119,4 @@
     cmd: "{{ docker_tls_path }}/shellpki.sh init"
   when:
     - docker_tls_enabled | bool
-    - not tls_certs_stat.stat.isdir
+    - not (tls_certs_stat.stat.exists and tls_certs_stat.stat.isdir)

dovecot/defaults/main.yml

@@ -1,4 +1,12 @@
 ---
 
+general_alert_email: "root@localhost"
+log2mail_alert_email: Null
+
 dovecot_vmail_uid: 5000
 dovecot_vmail_gid: 5000
+
+ldap_hostname: "{{ ansible_hostname }}"
+ldap_domain: "{{ ansible_domain }}"
+ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"
+ldap_enabled: False

dovecot/files/munin_plugin_dovecot1

@@ -53,15 +53,17 @@ if ( $ARGV[0] and $ARGV[0] eq "autoconf" ) {
   exit 0;
 }
 
-if (-f "$logfile.0") {
-  $rotlogfile = $logfile . ".0";
-} elsif (-f "$logfile.1") {
-  $rotlogfile = $logfile . ".1";
-} elsif (-f "$logfile.01") {
-  $rotlogfile = $logfile . ".01";
-} else {
-  $rotlogfile = $logfile . ".0";
-}
+# Disable rotated log inpection because name is not deterministic across systems
+# and data loss is may 5 min 
+#if (-f "$logfile.0") {
+#  $rotlogfile = $logfile . ".0";
+#} elsif (-f "$logfile.1") {
+#  $rotlogfile = $logfile . ".1";
+#} elsif (-f "$logfile.01") {
+#  $rotlogfile = $logfile . ".01";
+#} else { 
+#  $rotlogfile = $logfile . ".0";
+#}
 
 if ( $ARGV[0] and $ARGV[0] eq "config" ) {
   print "multigraph dovecot_connections\n";
@@ -179,7 +181,9 @@ if (!defined $pos) {
 
 if ($startsize < $pos) {
   # Log rotated
-  parseDovecotfile ($rotlogfile, $pos, (stat $rotlogfile)[7]);
+  # Disable rotated log inpection because name is not deterministic across systems
+  # and data loss is may 5 min 
+  #parseDovecotfile ($rotlogfile, $pos, (stat $rotlogfile)[7]);
   $pos = 0;
 }
 

dovecot/tasks/main.yml

@@ -1,3 +1,5 @@
+---
+
 - name: ensure packages are installed
   ansible.builtin.apt:
     name:
@@ -8,7 +10,7 @@
       - dovecot-managesieved
     state: present
   tags:
-  - dovecot
+    - dovecot
 
 - name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes)
   community.crypto.openssl_dhparam:
@@ -21,7 +23,7 @@
     regexp: "[^#]!include auth-system.conf.ext"
     replace: "#!include auth-system.conf.ext"
   tags:
-  - dovecot
+    - dovecot
 
 - name: update ldap auth
   ansible.builtin.lineinfile:
@@ -33,14 +35,15 @@
     - { key: 'hosts', value: '127.0.0.1' }
     - { key: 'auth_bind', value: 'yes' }
     - { key: 'ldap_version', value: 3 }
-    - { key: 'base', value: "{{ ldap_suffix }}" }
+    - { key: 'base', value: "{{ ldap_suffix | mandatory }}" }
     - { key: 'user_attrs', value: 'homeDirectory=home' }
     - { key: 'user_filter', value: '(&(isActive=TRUE)(uid=%u))' }
     - { key: 'pass_attrs', value: 'uid=user,userPassword=password' }
-  when: ldap_suffix is defined
+    - { key: 'iterate_filter', value: '(&(isActive=TRUE))' }
+  when: ldap_enabled | bool | default(False)
   notify: reload dovecot
   tags:
-  - dovecot
+    - dovecot
 
 - name: create vmail group
   ansible.builtin.group:
@@ -48,7 +51,7 @@
     gid: "{{ dovecot_vmail_gid }}"
     system: True
   tags:
-  - dovecot
+    - dovecot
 
 - name: create vmail user
   ansible.builtin.user:
@@ -58,16 +61,16 @@
     shell: /bin/false
     system: True
   tags:
-  - dovecot
+    - dovecot
 
-- name: deploy evolix config
+- name: deploy evolix config for Dovecot
   ansible.builtin.template:
     src: z-evolinux-defaults.conf.j2
     dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf
     mode: "0644"
   notify: reload dovecot
   tags:
-  - dovecot
+    - dovecot
 
 - name: deploy file for custom configuration
   ansible.builtin.template:
@@ -76,7 +79,7 @@
     mode: "0644"
   notify: reload dovecot
   tags:
-  - dovecot
+    - dovecot
 
 - ansible.builtin.include: munin.yml
   tags:
@@ -86,7 +89,8 @@
   ansible.builtin.apt:
     name: log2mail
     state: present
-  tags: dovecot
+  tags:
+    - dovecot
 
 - name: dovecot is configured in log2mail
   ansible.builtin.blockinfile:
@@ -101,5 +105,6 @@
       mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
       template = /etc/log2mail/mail
   notify: restart log2mail
-  tags: dovecot
+  tags:
+    - dovecot
 

dovecot/tasks/munin.yml

@@ -9,15 +9,18 @@
 - name: Munin plugins are present and configured
   block:
 
-    - name: Disable dovecot plugin
+    - name: Disable Dovecot plugin
       ansible.builtin.file:
         path: /etc/munin/plugins/dovecot
         state: absent
 
-    - name: Remove dovecot plugin conf
+    - name: Remove old Dovecot plugin conf
       ansible.builtin.file:
-        path: /etc/munin/plugin-conf.d/dovecot
+        path: "/etc/munin/plugin-conf.d/{{ item }}"
         state: absent
+      loop:
+        - dovecot
+        - z-evolinux-dovecot
 
     - name: "Remount /usr if needed"
       ansible.builtin.include_role:
@@ -46,8 +49,8 @@
 
     - name: Copy Munin config
       ansible.builtin.copy:
-        src: z-evolinux-dovecot.conf
-        dest: /etc/munin/plugin-conf.d/z-evolinux-dovecot
+        src: munin_plugins.conf
+        dest: /etc/munin/plugin-conf.d/zzz-dovecot
         mode: '0644'
       notify: restart munin-node