fix completion, ajout option --no-confirm

Fixes phpXY-new containers build.

CHANGELOG.md

@@ -13,8 +13,18 @@ The **patch** part is incremented if multiple releases happen the same month
 
 ### Added
 
+* bind: New variables to change IPs bind will listen on & send notify/transfer commands
+* evolinux-base: install evobackup-client (default: true)
+* munin: add linux_psi contrib plugin
+* evolinux-base: Create custom SSH configuration file
+* lxc: new lxc_template_mirror option (useful to get old Debian from archive.debian.org)
+
 ### Changed
 
+* log2mail: task log2mail.yml of evolinux-base converted to a role
+* lxc-solr: update solr9 version + fix URL in README
+* evolinux-users, nagios-nrpe: sudoers conf for nagios splitted and moved from evolinux-users to nagios-nrpe
+
 ### Fixed
 
 ### Removed
@@ -29,6 +39,7 @@ The **patch** part is incremented if multiple releases happen the same month
 
 ### Changed
 
+* certbot: allow haproxy deploy hook to work with evoacme too (using env variables)
 * evobackup-client: upstream release 24.05.1
 * evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
 * evolinux-users: improve SSH configuration
@@ -38,6 +49,7 @@ The **patch** part is incremented if multiple releases happen the same month
 ### Fixed
 
 * apt: use archive.debian.org with Buster
+* fail2ban: remount-usr added because it is needed for last task
 
 ## [24.04] 2024-04-30
 

bind/defaults/main.yml

@@ -1,12 +1,26 @@
 ---
-bind_recursive_server: False
-bind_authoritative_server: True
-bind_chroot_set: True
-# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
-#bind_chroot_path: /var/chroot-bind
+bind_recursive_server: false
+bind_authoritative_server: true
+bind_chroot_set: true
+
 bind_systemd_service_path: /etc/systemd/system/bind9.service
+
 bind_statistics_file: /var/run/named.stats
 bind_log_file: /var/log/bind.log
 bind_query_file: /var/log/bind_queries.log
-bind_query_file_enabled: False
+bind_query_file_enabled: false
 bind_cache_dir: /var/cache/bind
+
+# String (bind syntax) of IPv4/ to listen on (or any by default)
+# eg. "192.0.2.1; 192.0.2.3"   or all interfaces : "any ;"
+bind_listen_on_ipv4: "any;"
+
+# String (bind syntax) of IPv6 to listen on (or any by default)
+# eg. "2001:db8::1; 2001:db8::42"   or all interfaces : "any ;" or not at all "none;"
+bind_listen_on_ipv6: "any;"
+
+# For server with multiples IP Adresses, enforce the usage of a specific IP for NOTIFY commands
+bind_notify_source: ''
+
+# For server with multiples IP Adresses, enforce the usage of a specific IP for TRANSFER commands
+bind_transfer_source: ''

bind/templates/named.conf.options_authoritative.j2

@@ -4,18 +4,25 @@
 // };
 
 options {
-      directory "{{ bind_cache_dir }}";
-      version "Bingo";
-      auth-nxdomain no;
-      masterfile-format text;
-      statistics-file "{{ bind_statistics_file }}";
+    directory "{{ bind_cache_dir }}";
+    version "Bingo";
+    auth-nxdomain no;
+    masterfile-format text;
+    statistics-file "{{ bind_statistics_file }}";
 
-      listen-on-v6 { any; };
-      listen-on { any; };
+    listen-on { {{ bind_listen_on_ipv4 }} };
+    listen-on-v6 { {{ bind_listen_on_ipv6 }} };
 
-      allow-query { localhost; };
-      allow-recursion { localhost; };
-      allow-transfer { localhost; };
+{% if bind_notify_source is defined and bind_notify_source|length %}
+    notify-source {{ bind_notify_source }};
+{% endif %}
+{% if bind_transfer_source is defined and bind_transfer_source|length %}
+    transfer-source {{ bind_transfer_source }};
+{% endif %}
+
+    allow-query { localhost; };
+    allow-recursion { localhost; };
+    allow-transfer { localhost; };
 };
 
 logging {

certbot/files/hooks/deploy/haproxy.sh

@@ -1,4 +1,6 @@
 #!/bin/sh
+# /!\ MODIFIED to work with evoacme OR certbot
+private_keys_dirs="/etc/ssl/private" # Only used for evoacme
 
 error() {
     >&2 echo "${PROGNAME}: $1"
@@ -13,7 +15,7 @@ daemon_found_and_running() {
     test -n "$(pidof haproxy)" && test -n "${haproxy_bin}"
 }
 found_renewed_lineage() {
-    test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
+    test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${private_key}"
 }
 config_check() {
     ${haproxy_bin} -c -f "${haproxy_config_file}" > /dev/null 2>&1
@@ -24,7 +26,7 @@ concat_files() {
     chown root: "${haproxy_cert_dir}"
 
     debug "Concatenating certificate files to ${haproxy_cert_file}"
-    cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
+    cat "${RENEWED_LINEAGE}/fullchain.pem" "${private_key}" > "${haproxy_cert_file}"
     chmod 600 "${haproxy_cert_file}"
     chown root: "${haproxy_cert_file}"
 }
@@ -58,10 +60,19 @@ main() {
     if daemon_found_and_running; then
         readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
         readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
+        if  [ -z "${EVOACME_VHOST_NAME}" ]; then
+            # CERTBOT
+            private_key=${RENEWED_LINEAGE}/privkey.pem
+            cert_name=$(basename "${RENEWED_LINEAGE}")
+        else
+            # EVOACME
+            private_key=${private_keys_dirs}/$(basename $(dirname ${RENEWED_LINEAGE})).key
+	    cert_name=$(basename $(dirname "${RENEWED_LINEAGE}"))
+        fi
 
         if found_renewed_lineage; then
-            haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
-            failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
+            haproxy_cert_file="${haproxy_cert_dir}/${cert_name}.pem"
+            failed_cert_file="/root/${cert_name}.failed.pem"
 
             concat_files
 
@@ -77,7 +88,8 @@ main() {
                 error "HAProxy config is broken, you must fix it !"
             fi
         else
-            error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
+
+            error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or "${private_key}""
         fi
     else
         debug "HAProxy is not running or missing. Skip."
@@ -91,3 +103,4 @@ readonly QUIET=${QUIET:-"0"}
 readonly haproxy_bin=$(command -v haproxy)
 
 main
+

evolinux-base/defaults/main.yml

@@ -243,3 +243,6 @@ evolinux_utils_include: True
 
 # Autosysadmin
 evolinux_autosysadmin_include: false
+
+# Evobackup client
+evolinux_evobackup_client_include: True

evolinux-base/handlers/main.yml

@@ -74,11 +74,6 @@
     name: postfix
     state: reloaded
 
-- name: restart log2mail
-  ansible.builtin.service:
-    name: log2mail
-    state: restarted
-
 - name: restart systemd-journald
   ansible.builtin.service:
     name: systemd-journald.service

evolinux-base/tasks/main.yml

@@ -116,7 +116,8 @@
   when: evolinux_provider_orange_fce_include | bool
 
 - name: Override Log2mail service
-  ansible.builtin.import_tasks: log2mail.yml
+  ansible.builtin.include_role:
+    name: evolix/log2mail
   when: evolinux_log2mail_include | bool
 
 - ansible.builtin.import_tasks: motd.yml
@@ -158,6 +159,11 @@
     name: 'evolix/autosysadmin-restart_nrpe'
   when: evolinux_autosysadmin_include | bool
 
+- name: Evobackup (client)
+  ansible.builtin.include_role:
+    name: 'evolix/evobackup-client'
+  when: evolinux_evobackup_client_include | bool
+
 - name: fail2ban
   ansible.builtin.include_role:
     name: evolix/fail2ban

evolinux-base/tasks/ssh.included-files.yml

@@ -16,6 +16,14 @@
     dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
     mode: "0644"
 
+- name: create custom SSH server configuration file
+  ansible.builtin.file:
+    path: /etc/ssh/sshd_config.d/zzz-evolinux-custom.conf
+    state: touch
+    mode: "0644"
+    modification_time: preserve
+    access_time: preserve
+
 # Should we allow the current user?
 - name: Allow the current user
   block:

evolinux-users/templates/sudoers.j2

@@ -2,33 +2,5 @@ Defaults        umask=0077
 
 Cmnd_Alias      MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh
 
-nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
-nagios          ALL = NOPASSWD: /usr/sbin/bkctld check
-nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-jails
-nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-setup
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/
-nagios          ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios
-nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor
-nagios          ALL = NOPASSWD: /sbin/dmsetup status --noflush
-nagios          ALL = NOPASSWD: /sbin/megacli -PDList -aALL -NoLog
-nagios          ALL = NOPASSWD: /sbin/megacli -LdInfo -Lall -aALL -NoLog
-nagios          ALL = NOPASSWD: /sbin/megacli -AdpBbuCmd -GetBbuStatus -aALL -NoLog
-nagios          ALL = NOPASSWD: /sbin/ssacli controller all show status
-nagios          ALL = NOPASSWD: /sbin/ssacli controller slot=0 logicaldrive all show
-nagios          ALL = NOPASSWD: /usr/local/bin/mvcli info -o blk
-nagios          ALL = NOPASSWD: /usr/local/bin/mvcli info -o vd
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_gluster.rb
-
-nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
-
 %{{ evolinux_sudo_group }}  ALL=(ALL:ALL) ALL
 %{{ evolinux_sudo_group }}  ALL = NOPASSWD: MAINT

evolinux-users/templates/sudoers_jessie.j2

@@ -3,13 +3,5 @@ Defaults        umask=0077
 Cmnd_Alias      MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh
 User_Alias      ADMINS = {{ user.name }}
 
-nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
-nagios          ALL = NOPASSWD: /usr/sbin/bkctld check
-nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-jails
-nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-setup
-nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
-
 ADMINS          ALL = (ALL:ALL) ALL
 ADMINS          ALL = NOPASSWD: MAINT

fail2ban/tasks/main.yml

@@ -112,6 +112,9 @@
   tags:
     - fail2ban
 
+- include_role:
+    name: evolix/remount-usr
+
 - name: Script unban_ip is installed
   ansible.builtin.copy:
     src: unban_ip.sh

fluentd/tasks/main.yml

@@ -75,7 +75,7 @@
 - name: NRPE check is configured
   ansible.builtin.lineinfile:
     path: /etc/nagios/nrpe.d/evolix.cfg
-    line: 'command[check_fluentd]=/usr/lib/nagios/plugins/check_tcp -p {{ fluentd_port }}'
+    line: 'command[check_fluentd]=/usr/local/lib/monitoringctl/alerts_wrapper --name fluentd /usr/lib/nagios/plugins/check_tcp -p {{ fluentd_port }}'
   notify: "restart nagios-nrpe-server"
   tags:
     - fluentd

keepalived/tasks/main.yml

@@ -36,7 +36,7 @@
   ansible.builtin.lineinfile:
     dest: /etc/nagios/nrpe.d/evolix.cfg
     regexp: 'command\[check_keepalived\]'
-    replace: 'command[check_keepalived]=/usr/local/lib/nagios/plugins/check_keepalived'
+    replace: 'command[check_keepalived]=/usr/local/lib/monitoringctl/alerts_wrapper --name keepalived /usr/local/lib/nagios/plugins/check_keepalived'
   notify: restart nagios-nrpe-server
   tags:
     - keepalived

log2mail/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+log2mail_alert_email: Null
+general_alert_email: "root@localhost"

log2mail/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart log2mail
+  ansible.builtin.service:
+    name: log2mail
+    state: restarted

log2mail/tasks/main.yml

@@ -23,18 +23,14 @@
     marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
     state: absent
   notify: restart log2mail
-  tags:
-    - log2mail
 
 - name: log2mail evolinux-defaults config is present
   ansible.builtin.template:
-    src: log2mail/evolinux-defaults.j2
+    src: evolinux-defaults.j2
     dest: /etc/log2mail/config/evolinux-defaults
     owner: log2mail
     group: adm
     mode: "0640"
     force: yes
   notify: restart log2mail
-  tags:
-    - log2mail
 

lxc-php/tasks/php56.yml

@@ -1,11 +1,11 @@
 ---
 
-- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt install --yes --force-yes php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer"
 
-- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
   ansible.builtin.template:
     src: z-evolinux-defaults.ini.j2
     dest: "{{ line_item }}"

lxc-php/tasks/php70.yml

@@ -1,11 +1,11 @@
 ---
 
-- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mcrypt php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring composer libphp-phpmailer"
 
-- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
   ansible.builtin.template:
     src: z-evolinux-defaults.ini.j2
     dest: "{{ line_item }}"

lxc-php/tasks/php74.yml

@@ -1,17 +1,17 @@
 ---
 
-- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
 
-- name: "{{ lxc_php_version }} - fix bullseye repository"
+- name: "{{ lxc_php_container_name }} - fix bullseye repository"
   ansible.builtin.replace:
     dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
     regexp: 'bullseye/updates'
     replace: 'bullseye-security'
 
-- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
   ansible.builtin.template:
     src: z-evolinux-defaults.ini.j2
     dest: "{{ line_item }}"

lxc-php/tasks/php80.yml

@@ -5,18 +5,18 @@
     lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
 
 
-- name: "{{ lxc_php_version }} - Install dependency packages"
+- name: "{{ lxc_php_container_name }} - Install dependency packages"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
 
-- name: "{{ lxc_php_version }} - fix bullseye repository"
+- name: "{{ lxc_php_container_name }} - fix bullseye repository"
   ansible.builtin.replace:
     dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
     regexp: 'bullseye/updates'
     replace: 'bullseye-security'
 
-- name: "{{ lxc_php_version }} - Add sury repo"
+- name: "{{ lxc_php_container_name }} - Add sury repo"
   ansible.builtin.lineinfile:
     dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
     line: "{{ item }}"
@@ -51,17 +51,17 @@
     owner: root
     group: root
 
-- name: "{{ lxc_php_version }} - Update APT cache"
+- name: "{{ lxc_php_container_name }} - Update APT cache"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt update"
 
-- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
 
-- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
   ansible.builtin.template:
     src: z-evolinux-defaults.ini.j2
     dest: "{{ line_item }}"

lxc-php/tasks/php81.yml

@@ -4,18 +4,18 @@
   ansible.builtin.set_fact:
     lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
 
-- name: "{{ lxc_php_version }} - Install dependency packages"
+- name: "{{ lxc_php_container_name }} - Install dependency packages"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
 
-- name: "{{ lxc_php_version }} - fix bullseye repository"
+- name: "{{ lxc_php_container_name }} - fix bullseye repository"
   ansible.builtin.replace:
     dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
     regexp: 'bullseye/updates'
     replace: 'bullseye-security'
 
-- name: "{{ lxc_php_version }} - Add sury repo"
+- name: "{{ lxc_php_container_name }} - Add sury repo"
   ansible.builtin.lineinfile:
     dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
     line: "{{ item }}"
@@ -50,17 +50,17 @@
     owner: root
     group: root
 
-- name: "{{ lxc_php_version }} - Update APT cache"
+- name: "{{ lxc_php_container_name }} - Update APT cache"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt update"
 
-- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
 
-- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
   ansible.builtin.template:
     src: z-evolinux-defaults.ini.j2
     dest: "{{ line_item }}"

lxc-php/tasks/php82.yml

@@ -4,24 +4,24 @@
   ansible.builtin.set_fact:
     lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
 
-- name: "{{ lxc_php_version }} - Install dependency packages"
+- name: "{{ lxc_php_container_name }} - Install dependency packages"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
 
-- name: "{{ lxc_php_version }} - delete sources.list bookworm repository"
+- name: "{{ lxc_php_container_name }} - delete sources.list bookworm repository"
   ansible.builtin.file:
     path: "{{ lxc_rootfs }}/etc/apt/sources.list"
     state: absent
 
-- name: "{{ lxc_php_version }} - system bookworm repository"
+- name: "{{ lxc_php_container_name }} - system bookworm repository"
   ansible.builtin.template:
     src: bookworm_basics.sources.j2
     dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
     force: true
     mode: "0644"
 
-- name: "{{ lxc_php_version }} - security bookworm repository"
+- name: "{{ lxc_php_container_name }} - security bookworm repository"
   ansible.builtin.template:
     src: bookworm_security.sources.j2
     dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
@@ -44,17 +44,17 @@
     owner: root
     group: root
 
-- name: "{{ lxc_php_version }} - Update APT cache"
+- name: "{{ lxc_php_container_name }} - Update APT cache"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt update"
 
-- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
 
-- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
   ansible.builtin.template:
     src: z-evolinux-defaults.ini.j2
     dest: "{{ line_item }}"

lxc-php/tasks/php83.yml

@@ -4,38 +4,38 @@
   ansible.builtin.set_fact:
     lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
 
-- name: "{{ lxc_php_version }} - Install dependency packages"
+- name: "{{ lxc_php_container_name }} - Install dependency packages"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
 
-- name: "{{ lxc_php_version }} - delete sources.list bookworm repository"
+- name: "{{ lxc_php_container_name }} - delete sources.list bookworm repository"
   ansible.builtin.file:
     path: "{{ lxc_rootfs }}/etc/apt/sources.list"
     state: absent
 
-- name: "{{ lxc_php_version }} - system bookworm repository"
+- name: "{{ lxc_php_container_name }} - system bookworm repository"
   ansible.builtin.template:
     src: bookworm_basics.sources.j2
     dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
     force: true
     mode: "0644"
 
-- name: "{{ lxc_php_version }} - security bookworm repository"
+- name: "{{ lxc_php_container_name }} - security bookworm repository"
   ansible.builtin.template:
     src: bookworm_security.sources.j2
     dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
     force: true
     mode: "0644"
 
-- name: "{{ lxc_php_version }} - Add sury repo"
+- name: "{{ lxc_php_container_name }} - Add sury repo"
   ansible.builtin.template:
     src: sury.sources.j2
     dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.sources"
     force: true
     mode: "0644"
 
-- name: "{{ lxc_php_version }} - Add sury failsafe repo"
+- name: "{{ lxc_php_container_name }} - Add sury failsafe repo"
   ansible.builtin.template:
     src: evolix_sury.sources.j2
     dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/evolix_sury.sources"
@@ -66,17 +66,17 @@
     owner: root
     group: root
 
-- name: "{{ lxc_php_version }} - Update APT cache"
+- name: "{{ lxc_php_container_name }} - Update APT cache"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt update"
 
-- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
   community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
     container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
 
-- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
   ansible.builtin.template:
     src: z-evolinux-defaults.ini.j2
     dest: "{{ line_item }}"

lxc-solr/README.md

@@ -15,7 +15,7 @@ Since this role depend on the lxc role, please refer to it for a full variable l
 * `lxc_containers`: list of LXC containers to create. Default: `[]` (empty).
   * `name`: name of the LXC container to create.
   * `release`: Debian version to install
-  * `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/lucene/solr/ for a full version list)*
+  * `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/solr/solr/ for a full version list)*
   * `solr_port`: port for Solr to listen on
   Eg.:
   ```

lxc-solr/defaults/main.yml

@@ -16,7 +16,7 @@
 #     solr_port: 8985
 #   - name: solr9
 #     release: bullseye
-#     solr_version: 9.0.0
+#     solr_version: 9.6.1
 #     solr_port: 8985
 lxc_containers: []
 

lxc/defaults/main.yml

@@ -8,6 +8,10 @@ lxc_network_type: "none"
 # Partition to bind mount into containers.
 lxc_mount_part: "/home"
 
+# Mirror URL (optionnal).
+# For old Debian, use https://archive.debian.org/debian/
+lxc_template_mirror: ""
+
 # List of LXC containers to create.
 # Eg.:
 # lxc_containers:

lxc/tasks/create-container.yml

@@ -6,13 +6,16 @@
   check_mode: no
   register: container_exists
 
+- ansible.builtin.set_fact:
+    lxc_template_mirror_option: "{{ '--mirror ' + lxc_template_mirror if lxc_template_mirror != '' else '' }}"
+
 - name: "Create container {{ name }}"
   community.general.lxc_container:
     name: "{{ name }}"
     container_log: true
     template: debian
     state: stopped
-    template_options: "--arch amd64 --release {{ release }}"
+    template_options: "--arch amd64 --release {{ release }} {{ lxc_template_mirror_option }}"
   when: container_exists.stdout_lines | length == 0
 
 - name: "Disable network configuration inside container {{ name }}"

memcached/tasks/nrpe.yml

@@ -34,7 +34,7 @@
     ansible.builtin.lineinfile:
       name: /etc/nagios/nrpe.d/evolix.cfg
       regexp: '^command\[check_memcached\]='
-      line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}'
+      line: 'command[check_memcached]=/usr/local/lib/monitoringctl/alerts_wrapper --name memcached /usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}'
     notify: restart nagios-nrpe-server
     when: memcached_instance_name | length == 0
 
@@ -42,7 +42,7 @@
     ansible.builtin.lineinfile:
       name: /etc/nagios/nrpe.d/evolix.cfg
       regexp: '^command\[check_memcached\]='
-      line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached_instances'
+      line: 'command[check_memcached]=/usr/local/lib/monitoringctl/alerts_wrapper --name memcached /usr/local/lib/nagios/plugins/check_memcached_instances'
     notify: restart nagios-nrpe-server
     when: memcached_instance_name | length > 0
 

minifirewall/tasks/nrpe.yml

@@ -46,7 +46,7 @@
   ansible.builtin.lineinfile:
     dest: /etc/nagios/nrpe.d/evolix.cfg
     regexp: 'command\[check_minifirewall\]'
-    line: 'command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall'
+    line: 'command[check_minifirewall]=/usr/local/lib/monitoringctl/alerts_wrapper --name minifirewall sudo {{ nagios_plugins_directory }}/check_minifirewall'
   notify: restart nagios-nrpe-server
   when: nrpe_evolix_cfg.stat.exists
 

munin/files/plugins/linux-psi

@@ -0,0 +1,360 @@
+#!/bin/bash
+
+
+: << =cut
+
+=head1 NAME
+
+linux_psi - Plugin to monitor the pressure stall information for CPU, Memory and
+IO as reported by the Linux kernel.
+
+This plugin monitors the pressure stall information (psi) as reported by the
+Linux Kernel. By default it reports all average intervals (10 seconds,
+60 seconds and 300 seconds) as well as the total values as a rate of change
+(DERIVE) for all resources (cpu, memory, io). The average intervals can be
+configured if you only deem some of them useful. See CONFIGURATION for
+explanations on that.
+
+This is a multigraph plugin that, by default, will create six detail graphs and
+one summary graph (so seven in total). The summary graph will contain the 300
+seconds average percentages of all resources. The detail graphs are split in two
+graphs per resource. One combining all average intervals and one for the
+"totals" (rate of change) for the given resource.
+
+There are no defaults for warnings and criticals, because this highly depends on
+the system, so you need to configure them yourself (if you want any). It is
+recommended that you first lookup the meaning of the different values.
+
+For more information on psi see:
+https://www.kernel.org/doc/html/latest/accounting/psi.html
+
+=head1 CONFIGURATION
+
+Simply create a symlink in your plugins directory like with any other plugin.
+No additional configuration needed, no specific user required (typically).
+
+If you want to configure alerts, just add "warn_" or "crit_" in front of the
+internal name.
+
+Optional configuration examples:
+
+[linux_psi]
+env.resources cpu io memory       - Specify the resources to monitor. Leave one
+                                    out if you don't want this one to be
+                                    monitored.
+env.intervals avg10 avg60 avg300  - Sepcify the average intervals to monitor.
+                                    Leave one out if you don't want this one to
+                                    be monitored
+env.scopes some full              - Specify the scopes to monitor. Leave one out
+                                    If you don't want it to be monitored.
+env.summary_interval avg300       - Specify the interval to be used for the
+                                    summary-graph.
+env.warn_psi_cpu_avg300_some 5    - Set a warning-level of 5 for
+                                    "psi_cpu_avg300_some"
+env.crit_psi_io_total_full 2000   - Set a critical-level of 2000 for
+                                    "psi_io_total_full"
+
+=head1 AUTHOR
+
+2022, HaseHarald
+
+=head1 LICENSE
+
+LGPLv3
+
+=head1 BUGS
+
+=head1 TODO
+
+=head1 MAGIC MARKERS
+
+ #%# family=auto
+ #%# capabilities=autoconf
+
+=cut
+
+
+# This file contains a munin-plugin to graph the psi (pressure) for CPU, Memory
+# and IO, as reported by the Linux kernel.
+#
+# This is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this plugin.  If not, see <http://www.gnu.org/licenses/>.
+
+
+resource_defaults=('cpu' 'io' 'memory')
+interval_defaults=('avg10' 'avg60' 'avg300')
+scope_defaults=('some' 'full')
+pressure_dir=${pressure_dir:-'/proc/pressure/'}
+pressure_resources=( "${resources[@]:-${resource_defaults[@]}}" )
+pressure_intervals=( "${intervals[@]:-${interval_defaults[@]}}" )
+pressure_scopes=( "${scopes[@]:-${scope_defaults[@]}}" )
+summary_interval="${summary_interval:-avg300}"
+
+check_autoconf() {
+  if [ -d "${pressure_dir}" ]; then
+    printf "yes\n"
+  else
+    printf "no (%s not found)\n" "${pressure_dir}"
+  fi
+}
+
+get_pressure_value() {
+  local resource
+  local interval
+  local scope
+  
+  resource="$1"
+  interval="$2"
+  scope="${3:-some}"
+  
+  grep "$scope" "${pressure_dir}/${resource}" | grep -o -E "${interval}=[0-9]{1,}(\.[0-9]{1,}){0,1}" | cut -d '=' -f 2
+}
+
+get_printable_name() {
+  local kind
+  local value
+  local printable_name
+  kind="$1"
+  value="$2"
+  printable_name=""
+  
+  case "$kind" in
+    
+    interval)
+      case "$interval" in
+        avg10)
+          printable_name="10sec"
+          ;;
+        avg60)
+          printable_name="60sec"
+          ;;
+        avg300)
+          printable_name="5min"
+          ;;
+        total)
+          printable_name="Total"
+          ;;
+        *)
+          printf "ERROR: Could not determine interval %s ! Must be one of 'avg10' 'avg60' 'avg300' 'total'\n" "$value" >&2
+          exit 2
+          ;;
+      esac
+      ;;
+    
+    scope)
+      case "$value" in
+        some)
+          printable_name="Some"
+          ;;
+        full)
+          printable_name="Full"
+          ;;
+        *)
+          printf "ERROR: Could not determine scope %s ! Must be one of 'full' 'some'.\n" "$value" >&2
+          exit 2
+          ;;
+      esac
+      ;;
+    
+    resource)
+      case "$value" in
+        cpu)
+          printable_name="CPU"
+          ;;
+        io)
+          printable_name="IO"
+          ;;
+        memory)
+          printable_name="Memory"
+          ;;
+        *)
+          printf "ERROR: Could not determine resource-type %s ! Must be one of 'cpu' 'io' 'memory'.\n" "$value" >&2
+          exit 2
+          ;;
+      esac
+      ;;
+    
+    *)
+      printf "ERROR: Could not determine kind %s ! Must be one of 'interval' 'scope' 'resource'\n" "$kind" >&2
+      exit 2
+      ;;
+  esac
+  
+  printf "%s" "$printable_name"
+}
+
+iterate_config() {
+  for resource in "${pressure_resources[@]}"; do
+    local printable_resource
+    printable_resource=$( get_printable_name resource "$resource" )
+    printf "multigraph linux_psi.%s_avg\n" "$resource"
+    printf "graph_title %s Pressure Stall Information - Average\n" "$printable_resource"
+    printf "graph_category system\n"
+    printf "graph_info Average PSI based latency caused by lack of %s resources.\n" "$printable_resource"
+    printf "graph_vlabel %%\n"
+    printf "graph_scale no\n"
+    for interval in "${pressure_intervals[@]}"; do
+      local printable_interval
+      printable_interval=$( get_printable_name interval "$interval" )
+      output_config "$resource" "$interval"
+    done
+    echo ""
+  done
+  
+  for resource in "${pressure_resources[@]}"; do
+    local interval
+    local printable_resource
+    interval="total"
+    printable_resource=$( get_printable_name resource "$resource" )
+    
+    printf "multigraph linux_psi.%s_total\n" "$resource"
+    printf "graph_title %s Pressure Stall Information - Rate\n" "$printable_resource"
+    printf "graph_category system\n"
+    printf "graph_info Total PSI based latency rate caused by lack of %s resources.\n" "$printable_resource"
+    printf "graph_vlabel rate\n"
+    output_config "$resource" "$interval"
+    echo ""
+  done
+  
+  printf "multigraph linux_psi\n"
+  printf "graph_title Pressure Stall Information - Average\n"
+  printf "graph_vlabel %%\n"
+  printf "graph_scale no\n"
+  printf "graph_category system\n"
+  printf "graph_info Average PSI based latency caused by lack of resources.\n"
+  for resource in "${pressure_resources[@]}"; do
+    output_config "$resource" "$summary_interval"
+  done
+  echo ""
+}
+
+iterate_values() {
+  for resource in "${pressure_resources[@]}"; do
+    printf "multigraph linux_psi.%s_avg\n" "$resource"
+    for interval in "${pressure_intervals[@]}"; do
+      output_values "$resource" "$interval"
+    done
+    echo ""
+  done
+  
+  for resource in "${pressure_resources[@]}"; do
+    local interval
+    interval="total"
+    printf "multigraph linux_psi.%s_total\n" "$resource"
+    output_values "$resource" "$interval"
+    echo ""
+  done
+  
+  printf "multigraph linux_psi\n"
+  for resource in "${pressure_resources[@]}"; do
+    output_values "$resource" "$summary_interval"
+  done
+  echo ""
+}
+
+output_config() {
+  local resource
+  local interval
+  local printable_resource
+  local printable_interval
+
+  resource="$1"
+  interval="$2"
+  printable_resource=$( get_printable_name resource "$resource" )
+  printable_interval=$( get_printable_name interval "$interval" )
+  
+  for scope in "${pressure_scopes[@]}"; do
+    if [ "${resource}" == "cpu" ] && [ "${scope}" != "some" ]; then
+      continue
+    else
+      local printable_scope
+      local this_warn_var
+      local this_crit_var
+      
+      printable_scope=$( get_printable_name scope "$scope" )
+      this_warn_var=$( echo "warn_psi_${resource}_${interval}_${scope}" | sed 's/[^A-Za-z0-9_]/_/g' )
+      this_crit_var=$( echo "crit_psi_${resource}_${interval}_${scope}" | sed 's/[^A-Za-z0-9_]/_/g' )
+      
+      printf "psi_%s_%s_%s.min 0\n" "$resource" "$interval" "$scope"
+      printf "psi_%s_%s_%s.label %s %s %s\n" "$resource" "$interval" "$scope" "$printable_resource" "$printable_interval" "$printable_scope"
+      if [ -n "${!this_warn_var}" ]; then
+        printf "psi_%s_%s_%s.warning %s\n" "$resource" "$interval" "$scope" "${!this_warn_var}"
+      fi
+      if [ -n "${!this_crit_var}" ]; then
+        printf "psi_%s_%s_%s.critical %s\n" "$resource" "$interval" "$scope" "${!this_crit_var}"
+      fi
+      if [ "$interval" == "total" ]; then
+        printf "psi_%s_%s_%s.type DERIVE\n" "$resource" "$interval" "$scope"
+      fi
+    fi
+  done
+}
+
+output_values() {
+  local resource
+  local interval
+  resource="$1"
+  interval="$2"
+  
+  for scope in "${pressure_scopes[@]}"; do
+    if [ "${resource}" == "cpu" ] && [ "${scope}" != "some" ]; then
+      continue
+    else
+      printf "psi_%s_%s_%s.value %s\n" "$resource" "$interval" "$scope" "$(get_pressure_value "$resource" "$interval" "$scope")"
+    fi
+  done
+}
+
+output_usage() {
+  printf >&2 "%s - munin plugin to graph pressure stall information for CPU, Memory and IO as reported by the Linux kernel.\n" "${0##*/}"
+  printf >&2 "Usage: %s [config]\n" "${0##*/}"
+  printf >&2 "You may use environment settings in a plugin-config file, used by munin (for example /etc/munin/plugin-conf.d/munin-node) to further adjust settings.\n"
+  printf >&2 "You can use these settings to configure which resources, intervals or scopes are monitored or to configure warning and critical levels.\n"
+  printf >&2 "To do so use a syntax like this:\n"
+  printf >&2 "[linux_psi]\n"
+  printf >&2 "env.resources cpu io memory\n"
+  printf >&2 "env.intervals avg10 avg60 avg300\n"
+  printf >&2 "env.scopes some full\n"
+  printf >&2 "env.summary_interval avg300\n"
+  printf >&2 "env.warn_psi_cpu_avg300_some 5\n"
+  printf >&2 "env.crit_psi_io_total_full 2000\n"
+}
+
+case "$#" in
+  0)
+    iterate_values
+    ;;
+  
+  1)
+    case "$1" in
+      autoconf)
+        check_autoconf
+        ;;
+      config)
+        iterate_config
+        ;;
+      fetch)
+        iterate_values
+        ;;
+      *)
+        output_usage
+        exit 1
+        ;;
+    esac
+    ;;
+  
+  *)
+    output_usage
+    exit 1
+    ;;
+esac

munin/tasks/main.yml

@@ -46,6 +46,7 @@
     dest: '/usr/share/munin/plugins/{{ item }}'
   loop:
     - dhcp_pool
+    - linux-psi
   tags:
     - munin
 
@@ -77,6 +78,7 @@
     - postfix_mailqueue
     - postfix_mailstats
     - postfix_mailvolume
+    - linux-psi
   notify: restart munin-node
   tags:
     - munin

nagios-nrpe/files/alerts_switch

@@ -1,83 +1,143 @@
 #!/bin/bash
-
-# https://forge.evolix.org/projects/evolix-private/repository
 #
-# You should not alter this file.
-# If you need to, create and customize a copy.
-
-set -e
+# Source:
+# https://gitea.evolix.org/evolix/ansible-roles/src/branch/stable/nagios-nrpe
+#
 
 readonly PROGNAME=$(basename $0)
-readonly PROGDIR=$(readlink -m $(dirname $0))
-readonly ARGS="$@"
+readonly VERSION="24.06.00"
 
-usage() {
-    echo "$PROGNAME action prefix"
+# Load common functions and vars
+readonly lib_dir="/usr/local/lib/monitoringctl"
+if [ -r "${lib_dir}/common" ]; then
+    # shellcheck source=monitoringctl_common
+    source "${lib_dir}/common"
+else
+    >&2 echo "Error: missing ${lib_dir}/common file."
+    exit 1
+fi
+
+if [ ! -e "${var_dir}" ]; then
+    >&2 echo "Warning: missing ${var_dir} directory."
+fi
+
+function show_help() {
+    cat <<END
+$PROGNAME disables or enables NRPE alerts wrapped by the script 'alerts_wrapper' in NRPE configuration.
+
+Usage: $PROGNAME disable [-d|--during <DURATION>] [--message '<DISABLE_MESSAGE>'] <WRAPPER_NAME|all>
+       $PROGNAME enable [--message '<ENABLE_MESSAGE>'] <WRAPPER_NAME|all>
+       $PROGNAME help
+
+WRAPPER_NAME:    The name given to '--name' option of 'alerts_wrapper'.
+DURATION:        Duration of alert disabling.
+                 Can be '1d' for 1 day, '5m' for 5 minutes or more complex
+                 expressions like '1w2d10m42s' (if no time unit is provided,
+                 hour is assumed)
+                 Default value: 1h
+DISABLE_MESSAGE: Message that will be logged and printed by alerts_wrapper
+                 when alert is disabled.
+ENABLE_MESSAGE:  Message that will be logged when alert is enabled
+END
 }
 
-disable_alerts () {
-    disabled_file="$1_disabled"
-    enabled_file="$1_enabled"
+function disable_alerts() {
+    # $1: wrapper name, $2: duration_sec, $3: disable message
+    now_secs=$(date +"%s")
+    disable_until_secs=$(( now_secs + ${2} ))
+    disable_file_path="$(get_disable_file_path "${1}")"
+    echo "${disable_until_secs}" > "${disable_file_path}"
+    echo "$(logname || echo unknown): \"${3}\"" >> "${disable_file_path}"
+    chmod 0644 "${disable_file_path}"
+    log "${1} alerts disabled by $(logname || echo unknown)"
+    log "Disable message: ${3}"
+}
 
-    if [ -e "${enabled_file}" ]; then
-        mv "${enabled_file}" "${disabled_file}"
-    else
-        touch "${disabled_file}"
-        chmod 0644 "${disabled_file}"
+function enable_alerts() {
+    # $1: wrapper name, $2: enable message
+    disable_file_path="$(get_disable_file_path "${1}")"
+    if [ -e "${disable_file_path}" ]; then
+        rm "${disable_file_path}"
+    fi
+    log "${1} alerts enabled by $(logname || echo unknown)"
+    log "Enable message: ${2}"
+}
+
+function main() {
+    if [ "${action}" == 'enable' ]; then
+        if [ "${wrapper_name}" == "all" ]; then
+            for wrapper in $(get_wrappers_names); do
+                enable_alerts "${wrapper}" "${message}"
+            done
+        else
+            enable_alerts "${wrapper_name}" "${message}"
+        fi
+    elif [ "${action}" == 'disable' ]; then
+        duration_sec=$(time_to_seconds "${duration}")
+        if [ "${wrapper_name}" == "all" ]; then
+            for wrapper in $(get_wrappers_names); do
+                disable_alerts "${wrapper}" "${duration_sec}" "${message}"
+            done
+        else
+            disable_alerts "${wrapper_name}" "${duration_sec}" "${message}"
+        fi
+    elif [ "${action}" == 'help' ]; then
+        show_help
     fi
 }
 
-enable_alerts () {
-    disabled_file="$1_disabled"
-    enabled_file="$1_enabled"
 
-    if [ -e "${disabled_file}" ]; then
-        mv "${disabled_file}" "${enabled_file}"
-    else
-        touch "${enabled_file}"
-        chmod 0644 "${enabled_file}"
-    fi
-}
+while :; do
+    case "${1}" in
+        enable|disable|help)
+            action="${1}"
+            shift;;
+        -d|--during)
+            if [ "$#" -gt 1 ]; then
+                if filter_duration "${2}"; then
+                    duration="${2}"
+                else
+                    usage_error "Option --during: \"${2}\" is not a valid duration."
+                fi
+            else
+                error "Missing --during argument."
+            fi
+            shift; shift;;
+        -m|--message)
+            if [ "$#" -gt 1 ]; then
+                message="${2}"
+            else
+                error "Missing --message argument."
+            fi
+            shift; shift;;
+        *)
+            if [ -n "${1}" ]; then
+                if is_wrapper "${1}" || [ "${1}" == "all" ]; then
+                    wrapper_name="${1}"
+                else
+                    error "Unknown argument '${1}', or NAME not defined in NRPE configuration."
+                fi
+            else
+                if [ -z "${action}" ]; then
+                    error "Missing action argument."
+                elif [ -z "${1}" ]; then
+                    break
+                fi
+            fi
 
-now () {
-  date --iso-8601=seconds
-}
-
-log_disable () {
-    echo "$(now) - alerts disabled by $(logname || echo unknown)" >> $1
-}
-
-log_enable () {
-    echo "$(now) - alerts enabled by $(logname || echo unknown)" >> $1
-}
-
-main () {
-    local action=$1
-    local prefix=$2
-
-    local base_dir="/var/lib/misc"
-    mkdir -p "${base_dir}"
-
-    local file_path="${base_dir}/${prefix}_alerts"
-    local log_file="/var/log/${prefix}_alerts.log"
-
-    case "$action" in
-    enable)
-        enable_alerts ${file_path}
-        log_enable ${log_file}
-        ;;
-    disable)
-        disable_alerts ${file_path}
-        log_disable ${log_file}
-        ;;
-    help)
-        usage
-        ;;
-    *)
-        >&2 echo "Unknown action '$action'"
-        exit 1
-        ;;
+            shift;;
     esac
-}
+done
+
+if [ -z "${wrapper_name}" ] && [ "${action}" != 'help' ] ; then
+    error "Missing WRAPPER_NAME."
+fi
+
+if [ -z "${duration}" ]; then
+    duration="${default_disabled_time}"
+fi
+
+readonly wrapper_name duration action
+
+main
 
-main $ARGS

nagios-nrpe/files/alerts_wrapper

@@ -1,114 +1,101 @@
 #!/bin/bash
-
-# https://forge.evolix.org/projects/evolix-private/repository
 #
-# You should not alter this file.
-# If you need to, create and customize a copy.
+# Source:
+# https://gitea.evolix.org/evolix/ansible-roles/src/branch/stable/nagios-nrpe
+#
 
-VERSION="21.04"
-readonly VERSION
+readonly PROGNAME=$(basename $0)
+readonly VERSION="24.06.00"
 
-# base functions
+# Load common functions and vars
+readonly lib_dir="/usr/local/lib/monitoringctl"
+if [ -r "${lib_dir}/common" ]; then
+    # shellcheck source=monitoringctl_common
+    source "${lib_dir}/common"
+else
+    >&2 echo "Error: missing ${lib_dir}/common file."
+    exit 1
+fi
 
-show_version() {
+if [ ! -e "${var_dir}" ]; then
+    >&2 echo "Warning: missing ${var_dir} directory."
+fi
+
+
+function show_help() {
     cat <<END
-alerts_wrapper version ${VERSION}
+alerts_wrapper wraps an NRPE command and overrides the return code.
 
-Copyright 2018-2021 Evolix <info@evolix.fr>,
-                    Jérémy Lecour <jlecour@evolix.fr>
-                    and others.
-
-alerts_wrapper comes with ABSOLUTELY NO WARRANTY.This is free software,
-and you are welcome to redistribute it under certain conditions.
-See the GNU General Public License v3.0 for details.
-END
-}
-show_help() {
-    cat <<END
-alerts_wrapper is supposed to wrap an NRPE command and overrides the return code.
-
-Usage: alerts_wrapper --limit=1d --name=check_name command with optional arguments
-  or   alerts_wrapper --name=check_name command with optional arguments
-  or   alerts_wrapper check_name command with optional arguments
+Usage: alerts_wrapper --name <WRAPPER_NAME> <CHECK_COMMAND>
+Usage: alerts_wrapper <WRAPPER_NAME> <CHECK_COMMAND> (deprecated)
 
 Options
- --limit            max age of the "check file" ;
-                    can be "1d" for 1 day, "5m" for 5 minutes…
-                    or more complex expressions like "1w2d10m42s"
- --name             check name
- -h, --help         print this message and exit
- -V, --version      print version and exit
+  --name               Wrapper name, it is very recommended to use the check name (like load, disk1…).
+                       Special name: 'all' is already hard-coded.
+  -h, --help           Print this message and exit.
+  -V, --version        Print version and exit.
 END
 }
 
-time_in_seconds() {
-    if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
-        echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
-    elif echo "${1}" | grep -E -q '^([0-9]+$)'; then
-        echo "${1} * 3600" | xargs expr
-    else
-        return 1
-    fi
-}
-
-delay_from_alerts_disabled_file() {
-    last_change=$(stat -c %Z "${alerts_disabled_file}")
-    limit_seconds=$(time_in_seconds "${wrapper_limit}" || time_in_seconds "${wrapper_limit_default}") 
-    limit_date=$(date --date "${limit_seconds} seconds ago" +"%s")
-
-    echo $(( last_change - limit_date ))
-}
-
-enable_check() {
+function enable_wrapper() {
+    # $1: wrapper name
     if [ "$(id -u)" -eq "0" ] ; then
-        /usr/local/bin/alerts_switch enable "${check_name}"
+        /usr/local/bin/alerts_switch enable "${1}"
     else
-        sudo /usr/local/bin/alerts_switch enable "${check_name}"
+        sudo /usr/local/bin/alerts_switch enable "${1}"
     fi
 }
 
-main() {
-    ${check_command} > "${check_stdout}"
-    check_rc=$?
-    readonly check_rc
+function main() {
+    is_disabled="$(is_disabled_wrapper "${wrapper_name}")"
 
-    delay=0
-
-    if [ -e "${alerts_disabled_file}" ]; then
-        delay=$(delay_from_alerts_disabled_file)
-
-        if [ "${delay}" -le "0" ]; then
-            enable_check
-        fi
+    if [ -e "${disable_file}" ] && [ "${is_disabled}" = "False" ]; then
+        enable_wrapper "${wrapper_name}"
     fi
 
-    if [ -e "${alerts_disabled_file}" ]; then
-        formatted_last_change=$(date --date "@$(stat -c %Z "${alerts_disabled_file}")" +'%c')
-        readonly formatted_last_change
+    timeout_command=""
+    if [ "${is_disabled}" = "True" ]; then
+        timeout_command="timeout 8"
+    fi
 
-        echo "ALERTS DISABLED for ${check_name} (since ${formatted_last_change}, delay: ${delay} sec) - $(cat "${check_stdout}")"
+    check_stdout="$(${timeout_command} ${check_command})"
+    check_rc=$?
+
+    if [ "${is_disabled}" = "True" ] && [ "${check_rc}" -eq 124 ] && [ -z "${check_stdout}" ]; then
+        check_stdout="Check timeout (> 8 sec)"
+    fi
+
+    if [ "${is_disabled}" = "True" ]; then
+        enable_time="$(get_enable_time "${wrapper_name}")"
+        enable_delay="$(enable_delay "${enable_time}")"
+        delay_str="$(delay_to_string "${enable_delay}")"
+        enable_date="$(date --date "+${enable_delay} seconds" "+%d %h %Y at %H:%M:%S")"
+        disable_msg="$(get_disable_message "${wrapper_name}")"
+        if [ -n "${disable_msg}" ]; then
+            disable_msg="- ${disable_msg} "
+        fi
+        echo "ALERT DISABLED until ${enable_date} (${delay_str} left) ${disable_msg}- Check output: ${check_stdout}"
+    else
+        echo "${check_stdout}"
+    fi
+
+    if [ "${is_disabled}" = "True" ]; then
         if [ ${check_rc} = 0 ]; then
-            # Nagios OK
-            exit 0
+            exit 0  # Nagios OK
         else
-            # Nagios WARNING
-            exit 1
+            exit 1  # Nagios WARNING
         fi
     else
-        cat "${check_stdout}"
         exit ${check_rc}
     fi
 }
 
-# Default: 1 day before re-enabling the check
-wrapper_limit_default="1d"
-readonly wrapper_limit_default
 
 if [[ "${1}" =~ -.* ]]; then
     # parse options
     # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
     while :; do
-        case $1 in
+        case "${1}" in
             -h|-\?|--help)
                 show_help
                 exit 0
@@ -117,47 +104,25 @@ if [[ "${1}" =~ -.* ]]; then
                 show_version
                 exit 0
                 ;;
-
-            --limit)
+            -n|--name)
                 # with value separated by space
-                if [ -n "$2" ]; then
-                    wrapper_limit=$2
-                    shift
-                else
-                    printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
-                    exit 1
-                fi
-                ;;
-            --limit=?*)
-                # with value speparated by =
-                wrapper_limit=${1#*=}
-                ;;
-            --limit=)
-                # without value
-                printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
-                exit 1
-                ;;
-
-            --name)
-                # with value separated by space
-                if [ -n "$2" ]; then
-                    check_name=$2
+                if [ -n "${2}" ]; then
+                    wrapper_name="${2}"
                     shift
                 else
                     printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
-                    exit 1
+                    exit 2
                 fi
                 ;;
-            --name=?*)
-                # with value speparated by =
-                check_name=${1#*=}
+            -n|--name=?*)
+                # with value separated by =
+                wrapper_name="${1#*=}"
                 ;;
-            --name=)
+            -n|--name=)
                 # without value
                 printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
-                exit 1
+                exit 2
                 ;;
-
             --)
                 # End of all options.
                 shift
@@ -165,8 +130,8 @@ if [[ "${1}" =~ -.* ]]; then
                 ;;
             -?*)
                 # ignore unknown options
-                printf 'WARN: Unknown option : %s\n' "$1" >&2
-                exit 1
+                printf 'ERROR: Unknown option : %s\n' "${1}" >&2
+                exit 2
                 ;;
             *)
                 # Default case: If no more options then break out of the loop.
@@ -180,38 +145,22 @@ if [[ "${1}" =~ -.* ]]; then
     check_command="$*"
 else
     # no option is passed (backward compatibility with previous version)
-    # treat the first argument as check_name and the rest as the command
-    check_name="${1}"
+    # treat the first argument as wrapper_name and the rest as the command
+    wrapper_name="${1}"
     shift
     check_command="$*"
 fi
 
-# Default values or errors
-if [ -z "${wrapper_limit}" ]; then
-    wrapper_limit="${wrapper_limit_default}"
-fi
-if [ -z "${check_name}" ]; then
-    printf 'ERROR: You must specify a check name, with --name.\n' >&2
-    exit 1
+if [ -z "${wrapper_name}" ]; then
+    printf 'ERROR: You must specify a wrapper name, with --names.\n' >&2
+    exit 2
 fi
 if [ -z "${check_command}" ]; then
     printf 'ERROR: You must specify a command to execute.\n' >&2
-    exit 1
+    exit 2
 fi
 
-readonly check_name
-readonly check_command
-readonly wrapper_limit
-alerts_disabled_file="/var/lib/misc/${check_name}_alerts_disabled"
-readonly alerts_disabled_file
-
-check_file="/var/lib/misc/${check_name}_alerts_disabled"
-readonly check_file
-
-check_stdout=$(mktemp --tmpdir=/tmp "${check_name}_stdout.XXXX")
-readonly check_stdout
-
-# shellcheck disable=SC2064
-trap "rm ${check_stdout}" EXIT
+disable_file="$(get_disable_file_path "${wrapper_name}")"
+readonly wrapper_name check_command disable_file
 
 main

nagios-nrpe/files/check-local

@@ -1,36 +1,9 @@
 #!/usr/bin/env bash
 
-CHECK_BIN=/usr/lib/nagios/plugins/check_nrpe
+readonly orange="\e[0;33m"
+readonly nocolor="\e[0m"
 
-server_address="127.0.0.1"
-
-if ! test -f "${CHECK_BIN}"; then
-    echo "${CHECK_BIN} is missing, please install nagios-nrpe-plugin package."
-    exit 1
-fi
-
-for file in /etc/nagios/{nrpe.cfg,nrpe_local.cfg,nrpe.d/evolix.cfg}; do
-    if [ -r ${file} ]; then
-        command_search=$(grep "\[check_$1\]" "${file}" | grep -v '^[[:blank:]]*#' | tail -n1 | cut -d'=' -f2-)
-    fi
-    if [ -n "${command_search}" ]; then
-        command="${command_search}"
-    fi
-
-    if [ -r ${file} ]; then
-        server_address_search=$(grep "server_address" "${file}" | grep -v '^[[:blank:]]*#' | cut -d'=' -f2)
-    fi
-    if [ -n "${server_address_search}" ]; then
-        server_address="${server_address_search}"
-    fi
-done
-
-if [ -n "${command}" ]; then
-    echo "Found command in /etc/nagios (take care, in some cases, Nagios can play another command):"
-    echo "    ${command}"
-fi
-
-echo "NRPE daemon output:"
-"${CHECK_BIN}" -H "${server_address}" -c "check_$1"
+echo -e "${orange}'check-local' is now an alias for 'monitoringctl check'. See 'monitoringctl -h' for more information.${nocolor}"
 
+monitoringctl check "${1}"
 

nagios-nrpe/files/check-local_completion

@@ -1,10 +1,14 @@
 #!/usr/bin/env bash
 
+function _get_checks_names() {
+    grep --extended-regexp --no-filename --no-messages -R "command\[check_.*\]="  /etc/nagios/ | grep --invert-match --extended-regexp "^\s*#" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq
+}
+
+# List of available checks
 _check_local_dynamic_completion() {
-    local cur;
-    cur=${COMP_WORDS[COMP_CWORD]};
-    COMPREPLY=();
-    COMPREPLY=( $( compgen -W '$(grep "\[check_" -Rs /etc/nagios/ | grep -vE "^[[:blank:]]*#" | awk -F"[\\\[\\\]=]" "{print \$2}" | sed "s/check_//" | sort | uniq)' -- $cur ) );
+    local cur=${COMP_WORDS[COMP_CWORD]};
+
+    COMPREPLY=( $( compgen -W '$(_get_checks_names)' -- "${cur}" ) );
 }
 
 complete -F _check_local_dynamic_completion check-local

nagios-nrpe/files/monitoringctl

@@ -0,0 +1,596 @@
+#!/usr/bin/env bash
+
+#set -x
+
+readonly PROGNAME=$(basename $0)
+readonly VERSION="24.06.00"
+
+readonly red="\e[0;31m"
+readonly green="\e[0;32m"
+readonly orange="\e[0;33m"
+readonly lightgreen="\e[1;32m"
+readonly yellow="\e[1;33m"
+readonly lightblue="\e[1;34m"
+readonly purple="\e[0;35m"
+readonly nocolor="\e[0m"
+
+# Load common functions and vars
+readonly lib_dir="/usr/local/lib/monitoringctl"
+if [ -r "${lib_dir}/common" ]; then
+    # shellcheck source=monitoringctl_common
+    source "${lib_dir}/common"
+else
+    >&2 echo "Error: missing ${lib_dir}/common file."
+    exit 1
+fi
+
+function show_help() {
+    cat <<EOF
+monitoringctl version ${VERSION}.
+
+monitoringctl gives some control over NRPE checks and alerts.
+
+Usage: monitoringctl [OPTIONS] ACTION ARGUMENTS
+
+GENERAL OPTIONS:
+
+    -h, --help                         Print this message and exit.
+    -V, --version                      Print version number and exit.
+
+ACTIONS:
+
+    status [CHECK_NAME|all]
+
+        Print whether alerts are enabled or not (silenced).
+        If alerts are disabled (silenced), show disable message and time left before automatic re-enabling.
+
+    check [-b|--bypass-nrpe] CHECK_NAME
+
+        Ask CHECK_NAME status to NRPE as an HTTP request.
+        Indicates which command NRPE has supposedly run (from its configuration).
+        -b, --bypass-nrpe          Execute directly command from NRPE configuration,
+                                   as user nagios, without passing the request to NRPE.
+
+    disable CHECK_NAME|all [-d|--during DURATION] [-m|--message 'DISABLE MESSAGE'] [-y|--no-confirm]
+
+        Disable (silence) CHECK_NAME or all alerts for DURATION and write DISABLE MESSAGE into the log.
+        Checks output is still printed, so alerts history won't be lost.
+
+    enable CHECK_NAME|all [-m|--message 'ENABLE MESSAGE']
+
+        Re-enable CHECK_NAME or all alerts
+
+    show CHECK_NAME
+
+        Show NPRE command(s) configured for CHECK_NAME
+
+MESSAGE:
+
+    Message to be written in log and disabled check output (mandatory, will be asked dynamically if not provided).
+
+DURATION:
+
+    Time (string) during which alerts will be disabled (optional, default: "1h").
+
+    Format:
+        You can use 'd' (day), 'h' (hour) and 'm' (minute) , or a combination of them, to specify a duration.
+        Examples: '2d', '1h', '10m', '1h10' ('m' is guessed).
+
+NOTES
+
+    For actions disable, enable and status, CHECK_NAME is actually the --name option passed to alerts_wrapper, and not the NRPE check name. Both check name and alerts_wrapper --name option should be equal in NRPE configuration to avoid confusion.
+
+Log path: ${log_file}
+
+EOF
+}
+
+function check() {
+    # $1: check name, "all" or empty
+    readonly check_nrpe_bin="/usr/lib/nagios/plugins/check_nrpe"
+    if [ ! -f "${check_nrpe_bin}" ]; then
+        >&2 echo "${check_nrpe_bin} is missing, please install nagios-nrpe-plugin package."
+        exit 1
+    fi
+
+    conf_lines="$(get_nrpe_conf "${nrpe_conf_path}")"
+
+    server_address=$(echo "$conf_lines" | grep "server_address" | tail -n1 | cut -d'=' -f2)
+    if [ -z "${server_address}" ]; then server_address="127.0.0.1"; fi
+
+    server_port=$(echo "$conf_lines" | grep "server_port" | tail -n1 | cut -d'=' -f2)
+    if [ -z "${server_port}" ]; then server_port="5666"; fi
+
+    if [ -z "${1}" ] || [ "${1}" = "all" ]; then
+        # Array header for multi-checks
+        checks="$(get_checks_names)"
+        header="Check\tStatus\tOutput (truncated)"
+        underline="-----\t------\t------------------"
+        str_out="\n${header}\n${underline}\n"
+    else
+        checks="${1}"
+    fi
+
+    for check in $checks; do
+        printf "\033[KChecking %s…\r" "${check}"
+        err_msg=""
+        if [ "${bypass_nrpe}" = "False" ]; then
+            request_command="${check_nrpe_bin} -H ${server_address} -p ${server_port} -c check_${check} 2&>1"
+        else
+            check_commands="$(get_check_commands "${check}")"
+            if [ -n "${check_commands}" ]; then
+                check_command="$(echo "${check_commands}" |  tail -n1)"
+                request_command="sudo -u nagios -- ${check_command}"
+            else
+                if [ -z "${1}" ] || [ "${1}" = "all" ]; then
+                    err_msg="Check command not found in NRPE configuration."
+                else
+                    err_msg="Error: no command found in NRPE configuration for check '${check}'. Aborted."
+                fi
+            fi
+        fi
+        if [ -z "${err_msg}" ]; then
+            check_output="$(${request_command})"
+            rc="$?"
+            check_output="$(echo "${check_output}" | tr '\n' ' ')"
+            if [ -z "${1}" ] || [ "${1}" = "all" ]; then
+                if [ "${#check_output}" -gt 60 ]; then
+                    check_output="$(echo "${check_output}" | cut -c-80) [...]"
+                fi
+            fi
+        else
+            check_output="${err_msg}"
+            rc="3"
+        fi
+
+        case "${rc}" in
+            0)
+                rc_str="OK"
+                color="${green}"
+                ;;
+            1)
+                rc_str="Warning"
+                color="${orange}"
+                ;;
+            2)
+                rc_str="Critical"
+                color="${red}"
+                ;;
+            3)
+                rc_str="Unknown"
+                color="${purple}"
+                ;;
+            *)
+                rc_str="Unknown"
+                color="${purple}"
+        esac
+
+        if [ -z "${1}" ] || [ "${1}" = "all" ]; then
+            str_out="${str_out}${color}${check}\t${rc_str}${nocolor}\t${check_output}\n"
+        fi
+    done
+
+    if [ -z "${1}" ] || [ "${1}" = "all" ]; then
+        echo -e "${str_out}" | column -t -s $'\t'
+    else
+        printf "\033[K\n"  # erase tmp line « Checking check_toto…»
+        if [ "${bypass_nrpe}" = "False" ]; then
+            echo -e "NRPE service output (on ${server_address}:${server_port}):\n"
+        else
+            echo -e "Direct check output (bypassing NRPE):\n"
+        fi
+        echo -e "${color}${check_output}${nocolor}\n" | sed 's/|/\n/g'
+        exit "${rc}"
+    fi
+}
+
+# Print error message and exit if not installed
+function alerts_switch_is_installed() {
+    if ! command -v alerts_switch &> /dev/null; then
+        error "Error: script 'alerts_switch' is not installed. Aborted."
+    fi
+}
+
+function disable_alerts() {
+    # $1: check name | all
+    # $2: disable message
+    alerts_switch_is_installed
+
+    if [ "${1}" = "all" ]; then
+        checks="$(get_checks_names)"
+    else
+        checks="${1}"
+    fi
+
+    warn_not_wrapped "${checks}"
+    warn_wrapper_names "${checks}"
+
+    if [ -z "${2}" ]; then
+        echo -n "> Please provide a disable message (for logging and check output): "
+        read -r message
+        echo ''
+        if [ -z "${message}" ]; then
+            error "${red}Error:${nocolor} disable message is mandatory."
+        fi
+    else
+        message="${2}"
+    fi
+
+    default_msg=""
+    if [ "${default_duration}" = "True" ]; then
+        default_msg=" (use --during to change default time)"
+    fi
+
+    if [ "${1}" = "all" ]; then
+        check_txt="All checks"
+    else
+        check_txt="Check ${1}"
+    fi
+
+    echo_box "${check_txt} will be disabled for ${duration}${default_msg}."
+    cat <<EOF
+
+Additional information:
+* Alerts history is kept in our monitoring system.
+* To see when the will be re-enabled, execute 'monitoringctl status ${1}'.
+* To re-enable alert(s) before ${duration}, execute as root or with sudo: 'monitoringctl enable ${1}'.
+
+EOF
+
+    if [ "${1}" != "all" ]; then
+        if is_check "${1}"; then
+            wrapper="$(get_check_wrapper_name "${1}")"
+        else
+            wrapper="${1}"
+        fi
+        checks="$(get_wrapper_checks "${wrapper}")"
+        n_checks="$(echo "${checks}" | wc -w)"
+        if [ "${n_checks}" -gt 1 ]; then
+            >&2 echo -e "${orange}Warning:${nocolor} because they have the same configuration, disabling ${1} will disable: ${checks}.\n"
+            log "Warning: disabling ${1} will disable ${checks} (which have the same wrapper name)."
+        fi
+    else
+        wrapper="all"
+    fi
+
+    if [ "${confirm}" = "True" ]; then
+        echo -n "> Confirm (y/N)? "
+        read -r answer
+        if [ "${answer}" != "Y" ] && [ "${answer}" != "y" ]; then
+            echo -e "${orange}Canceled.${nocolor}" && exit 0
+        fi
+    fi
+
+    log "Action disable ${1} requested for ${duration} by user $(logname || echo unknown)."
+
+    alerts_switch disable "${wrapper}" --during "${duration}" --message "${message}"
+
+    if [ "${1}" != "all" ]; then
+        if [ "${n_checks}" -eq 1 ]; then
+            echo -e "${orange}Check ${1} alerts are now disabled for ${duration}.${nocolor}"
+        else
+            echo -e "${orange}Alerts are now disabled for ${duration} for checks: ${checks}.${nocolor}"
+        fi
+    else
+        echo -e "${orange}All alerts are now disabled for ${duration}.${nocolor}"
+    fi
+}
+
+function enable_alerts() {
+    # $1: check name, $2: enable message
+    alerts_switch_is_installed
+
+    if [ "${1}" != "all" ]; then
+        # Verify that check is not already enabled
+        is_disabled="$(is_disabled_check "${1}")"
+        if [ "${is_disabled}" = "False" ]; then
+            echo "${1} is already enabled, see 'monitoringctl status'"
+            exit 0
+        fi
+    fi
+
+    if [ -z "${2}" ]; then
+        echo -n "> Please provide an enable message (for logging): "
+        read -r message
+        echo ''
+        if [ -z "${message}" ]; then
+            error "${red}Error:${nocolor} disable message is mandatory."
+        fi
+    else
+        message="${2}"
+    fi
+
+    log "Action enable ${1} requested by user $(logname || echo unknown)."
+
+    if [ "${1}" != "all" ]; then
+        if is_check "${1}"; then
+            wrapper="$(get_check_wrapper_name "${1}")"
+        else
+            wrapper="${1}"
+        fi
+        checks="$(get_wrapper_checks "${wrapper}")"
+        n_checks="$(echo "${checks}" | wc -w)"
+        if [ "${n_checks}" -gt 1 ]; then
+            >&2 echo -e "${orange}Warning:${nocolor} because they have the same configuration, enabling ${1} will enable: ${checks}.\n"
+            log "Warning: check ${1} will enable ${checks} (which have the same wrapper name)."
+        fi
+    else
+        wrapper="all"
+    fi
+
+    alerts_switch enable "${wrapper}" --message "${message}"
+
+    if [ "${1}" != "all" ]; then
+        if [ "${n_checks}" -eq 1 ]; then
+            echo -e "${green}Check ${1} alerts are now enabled.${nocolor}"
+        else
+            echo -e "${green}Alerts are now enabled for checks: ${checks}.${nocolor}"
+        fi
+    else
+        echo -e "${green}All alerts are now enabled.${nocolor}"
+    fi
+}
+
+# Show NRPE command(s) configured for a check
+function show_check_commands() {
+    # $1: check name
+    check_commands=$(get_check_commands "${1}")
+
+    if [ -z "${check_commands}" ]; then
+        usage_error "Error: no command found in NRPE configuration for check '${1}."
+    fi
+
+    n_commands="$(echo "${check_commands}" | wc -l)"
+    if [ "${n_commands}" -ne 1 ]; then
+        echo "Available commands (in config order, the last one overwrites the others):"
+        echo "    $check_commands"
+    fi
+
+    check_command=$(echo "${check_commands}" | tail -n1)
+    echo "Command used by NRPE:"
+    echo "    ${check_command}"
+}
+
+# Print a warning if some wrappers have the same name
+# or if a name is different from the check.
+function warn_wrapper_names() {
+    #$1: checks to verify
+    warned="False"
+    for check in ${1}; do
+        wrapper_name="$(get_check_wrapper_name "${check}")"
+        if [ -n "${wrapper_name}" ] && [ "${wrapper_name}" != "${check}" ]; then
+            >&2 echo -e "${orange}Warning:${nocolor} ${check} check has wrapper name ${wrapper_name}."
+            warned="True"
+        fi
+    done
+    if [ "${warned}" = "True" ]; then
+        >&2 echo -e "${orange}It is recommanded to name the wrappers the same as the checks.${nocolor}\n"
+    fi
+}
+
+# Print a warning if some checks are not wrapped
+function warn_not_wrapped() {
+    #$1: checks to verify
+    unwrappeds="$(not_wrapped_checks)"
+    unwrapped_checks="$(comm -12 <(echo "${1}") <(echo "${unwrappeds}"))"
+    if [ -n "${unwrapped_checks}" ]; then
+        n_checks="$(echo "${1}" | wc -w)"
+        n_unwrapped="$(echo "${unwrapped_checks}" | wc -w)"
+        if [ "${n_unwrapped}" == "${n_checks}" ]; then
+            if [ "${n_unwrapped}" -eq 1 ]; then
+                error "${red}Error:${nocolor} ${1} check is not wrapped, it cannot be disabled."
+            else
+                error "${red}Error:${nocolor} these checks are not wrapped, they cannot be disabled: $(echo "${unwrapped_checks}" | xargs)"
+            fi
+        else
+            if [ "${n_unwrapped}" -eq 1 ]; then
+                >&2 echo -e "${orange}Warning:${nocolor} ${unwrapped_checks} check is not wrapped, it will not be disabled."
+            else
+                >&2 echo -e -n "${orange}Warning:${nocolor} some checks are not configured, they will not be disabled: $(echo "${unwrapped_checks}" | xargs)\n\n"
+            fi
+        fi
+
+        log "Warning: some checks have no alerts_wrapper, they will not be disabled: $(echo "${unwrapped_checks}" | xargs)"
+    fi
+}
+
+# Echo a message in a box
+function echo_box() {
+    # $1: message
+    msg_len="${#1}"
+    line="$(printf '─%.0s' $(eval "echo {1.."${msg_len}"}"))"
+    cat <<EOF
+┌${line}┐
+│${1}│
+└${line}┘
+EOF
+}
+
+# Echo which checks are enabled or disabled and time left
+function alerts_status() {
+    # $1: check name, "all" or empty
+    if [ -z "${1}" ] || [ "${1}" = "all" ]; then
+        checks="$(get_checks_names)"
+    else
+        checks="${1}"
+    fi
+
+    warn_wrapper_names "${checks}"
+
+    header="Check\tStatus\tRe-enable time\tDisable message"
+    underline="-----\t------\t--------------\t---------------"
+    str_out="${header}\n${underline}\n"
+
+    for check in $checks; do
+        enable_str=""
+        status_str="Enabled"
+        disable_msg=""
+        if ! is_wrapped "${check}"; then
+            status_str="Not configured"
+        else
+            is_disabled="$(is_disabled_check "${check}")"
+            wrapper_name="$(get_check_wrapper_name "${check}")"
+            if [ "${is_disabled}" = "True" ]; then
+                status_str="Disabled"
+                enable_time="$(get_enable_time "${wrapper_name}")"
+                enable_delay="$(enable_delay "${enable_time}")"
+                delay_str="$(delay_to_string "${enable_delay}")"
+                enable_date="$(date --date "+${enable_delay} seconds" "+%d %h %Y at %H:%M:%S")"
+                enable_str="${enable_date} (${delay_str} left)"
+                disable_msg="$(get_disable_message "${wrapper_name}")"
+            fi
+        fi
+        case "${status_str}" in
+            "Enabled")
+                color="${green}"
+                ;;
+            "Disabled")
+                color="${orange}"
+                ;;
+            *)
+                color="${red}"
+        esac
+        str_out="${str_out}${color}${check}\t${status_str}${nocolor}\t${enable_str}\t${disable_msg}\n"
+    done
+
+    echo -e "${str_out}" | column -t -s $'\t'
+}
+
+
+### MAIN #########################################
+
+# No root
+if [ "$(id -u)" -ne 0 ]; then
+    >&2 echo "You need to be root (or use sudo) to run ${0}!"
+    exit 1
+fi
+
+# No argument
+if [ "$#" = "0" ]; then
+    show_help
+    exit 1
+fi
+
+# Default arguments and options
+action=""
+message=""
+duration="${default_disabled_time}"
+bypass_nrpe="False"
+confirm="True"
+default_duration="True"
+
+# Parse arguments and options
+while :; do
+    case "${1}" in
+        -h|-\?|--help)
+            show_help
+            exit 0;;
+        -V|--version)
+            show_version
+            exit 0;;
+        -b|--bypass-nrpe)
+            bypass_nrpe="True"
+            shift;;
+        -y|--no-confirm)
+            confirm="False"
+            shift;;
+        -d|--during)
+            if [ "${default_duration}" = "False" ]; then
+                 usage_error "Option --during: defined multiple times."
+            fi
+            if [ "$#" -lt 2 ]; then
+                usage_error "Option --during: missing value."
+            fi
+            if filter_duration "${2}"; then
+                duration="${2}"
+            else
+                usage_error "Option --during: \"${2}\" is not a valid duration."
+            fi
+            default_duration="False"
+            shift; shift;;
+        -m|--message)
+            if [ "$#" -lt 2 ]; then
+                usage_error "Option --message: missing message string."
+            fi
+            message="${2}"
+            shift; shift;;
+        status|check|enable|disable|show)
+            action="${1}"
+            shift;;
+        *)
+            if [ -z "${1}" ]; then
+                break
+            fi
+
+            case "${action}" in
+                status|check)
+                    if is_check "${1}" || [ "${1}" = "all" ]; then
+                        check_name="${1}"
+                    else
+                        usage_error "Action ${action}: unknown check '${1}'."
+                    fi
+                    ;;
+                show)
+                    if is_check "${1}"; then
+                        check_name="${1}"
+                    else
+                        usage_error "Action ${action}: unknown check '${1}'."
+                    fi
+                    ;;
+                enable|disable)
+                    if is_wrapper "${1}" || is_check "${1}" || [ "${1}" = "all" ]; then
+                        check_name="${1}"
+                    else
+                        # We use the word "check" for the end user,
+                        # but this is actually "unknown wrapper"
+                        usage_error "Action ${action}: unknown check '${1}'."
+                    fi
+                    ;;
+                *)
+                    usage_error "Missing or invalid ACTION argument."
+                    ;;
+            esac
+            shift;;
+    esac
+done
+
+
+if [ "$#" -gt 0 ]; then
+    usage_error "Too many arguments."
+fi
+
+case "${action}" in
+    disable|enable|show)
+        if [ -z "${check_name}" ]; then
+            usage_error "Action ${action}: missing CHECK_NAME argument."
+        fi
+        ;;
+esac
+
+if [ ! "${action}" = "disable" ]; then
+    if [ "${default_duration}" = "False" ]; then
+        usage_error "Action ${action}: there is no --during option."
+    fi
+    if [ "${confirm}" = "False" ]; then
+        usage_error "Action ${action}: there is no --no-confirm option."
+    fi
+fi
+
+case "${action}" in
+    status)
+        alerts_status "${check_name}"
+        ;;
+    check)
+        check "${check_name}"
+        ;;
+    show)
+        show_check_commands "${check_name}"
+        ;;
+    enable)
+        enable_alerts "${check_name}" "${message}"
+        ;;
+    disable)
+        disable_alerts "${check_name}" "${message}"
+        ;;
+esac
+

nagios-nrpe/files/monitoringctl_common

@@ -0,0 +1,292 @@
+#!/usr/bin/env bash
+
+# Location of disable files
+readonly var_dir="/var/lib/monitoringctl"
+
+readonly log_file="/var/log/monitoringctl.log"
+
+readonly nrpe_conf_path="/etc/nagios/nrpe.cfg"
+
+debian_major_version="$(cut -d "." -f 1 < /etc/debian_version)"
+readonly debian_major_version
+
+# If no time limit is provided in CLI or found in file, this value is used
+readonly default_disabled_time="1h"
+
+_nrpe_conf_lines=''  # populated at the end of the file
+
+
+function error() {
+    # $1: error message
+    >&2 echo -e "${1}"
+    exit 1
+}
+
+function usage_error() {
+    # $1: error message
+    >&2 echo "${1}"
+    >&2 echo "Execute \"${PROGNAME} --help\" for information on usage."
+    exit 1
+}
+
+function log() {
+    # $1: message
+    echo "$(now_iso) - ${PROGNAME}: ${1}" >> "${log_file}"
+}
+
+function show_version() {
+    cat <<END
+${PROGNAME} version ${VERSION}.
+
+Copyright 2018-2024 Evolix <info@evolix.fr>,
+                    Jérémy Lecour <jlecour@evolix.fr>
+                    and others.
+
+${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public License v3.0 for details.
+END
+}
+
+# Fail if argument does not respect format: XwXdXhXmXs, XhX, XmX
+function filter_duration() {
+    # $1: duration in format specified above
+    _time_regex="^([0-9]+d)?(([0-9]+h(([0-9]+m?)|([0-9]+m([0-9]+s?)?))?)|(([0-9]+m([0-9]+s?)?)?))?$"
+    if [[ "${1}" =~ ${_time_regex} ]]; then
+        return 0
+    fi
+    return 1
+}
+
+# Convert human writable duration into seconds
+function time_to_seconds() {
+    # $1: formated time string
+    if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
+        echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
+    elif echo "${1}" | grep -E -q '^([0-9]+h[0-9]+$)'; then
+        echo "${1}" | sed 's/h/ * 3600 + /g; s/$/ * 60/' | xargs expr
+    elif echo "${1}" | grep -E -q '^([0-9]+m[0-9]+$)'; then
+        echo "${1}" | sed 's/m/ * 60 + /g' | xargs expr
+    else
+        error "Invalid duration: '${1}'."
+    fi
+}
+
+# Print re-enable time in secs
+function get_enable_time() {
+    # $1: wrapper name
+    _disable_file_path="$(get_disable_file_path "${1}")"
+    if [ ! -e "${_disable_file_path}" ]; then
+        return
+    fi
+
+    _enable_secs="$(grep -v -E "^\s*#" "${_disable_file_path}" | sed '/^$/d' | head -n1 | awk '/^[0-9]+$/ {print $1}')"
+    # If file is empty, use file last change date plus default disabled time
+    if [ -z "${_enable_secs}" ]; then
+        _file_last_change_secs="$(stat -c %Z "${_disable_file_path}")"
+        _default_disabled_time_secs="$(time_to_seconds "${default_disabled_time}")"
+        _enable_secs="$(( _file_last_change_secs + _default_disabled_time_secs ))"
+    fi
+    echo "${_enable_secs}"
+}
+
+# Print disable message
+function get_disable_message() {
+    # $1: wrapper name
+    _disable_file_path="$(get_disable_file_path "${1}")"
+    if [ ! -e "${_disable_file_path}" ]; then
+        return
+    fi
+
+    _disable_msg="$(sed '/^$/d' "${_disable_file_path}" | tail -n+2 | tr '\n' ' ' | awk '{$1=$1;print}')"
+    echo "${_disable_msg}"
+}
+
+function now_secs() {
+    date +"%s"
+}
+
+function now_iso() {
+    date --iso-8601=seconds
+}
+
+# Print delay before re-enable in secs
+function enable_delay() {
+    # $1: re-enable time in secs
+    echo $(( ${1} - $(now_secs) ))
+}
+
+# Converts delay (in seconds) into human readable duration
+function delay_to_string() {
+    # $1: delay in secs
+    _delay_days="$(( ${1} /86400 ))"
+    if [ "${_delay_days}" -eq 0 ]; then _delay_days=""
+    else _delay_days="${_delay_days}d"; fi
+
+    _delay_hours="$(( (${1} %86400) /3600 ))"
+    if [ "${_delay_hours}" -eq 0 ]; then _delay_hours=""
+    else _delay_hours="${_delay_hours}h"; fi
+
+    _delay_minutes="$(( ((${1} %86400) %3600) /60 ))"
+    if [ "${_delay_minutes}" -eq 0 ]; then _delay_minutes=""
+    else _delay_minutes="${_delay_minutes}m"; fi
+
+    _delay_seconds="$(( ((${1} %86400) %3600) %60 ))"
+    if [ "${_delay_seconds}" -eq 0 ]; then _delay_seconds=""
+    else _delay_seconds="${_delay_seconds}s"; fi
+
+    echo "${_delay_days}${_delay_hours}${_delay_minutes}${_delay_seconds}"
+}
+
+function is_disabled_check() {
+    # $1: check name
+    _wrapper="$(get_check_wrapper_name "${1}")"
+    is_disabled_wrapper "${_wrapper}"
+}
+
+function is_disabled_wrapper() {
+    # $1: wrapper name
+    _wrapper="${1}"
+    _disable_file_path="$(get_disable_file_path "${_wrapper}")"
+    if [ -e "${_disable_file_path}" ]; then
+        _enable_time="$(get_enable_time "${_wrapper}")"
+        _enable_delay="$(enable_delay "${_enable_time}")"
+        if [ "${_enable_delay}" -le "0" ]; then
+            echo "False"
+        else
+            echo "True"
+        fi
+    else
+        echo False
+    fi
+}
+
+function get_disable_file_path() {
+    # $1: wrapper name
+    echo "${var_dir}/${1}_alerts_disabled"
+}
+
+
+
+### Nagios configuration functions ####################
+
+# Print NRPE configuration, with includes, without comments
+# and in the same order than NRPE does (taking account that
+# order changes from Deb10)
+function get_nrpe_conf() {
+    echo "${_nrpe_conf_lines}"
+}
+
+# Private function to recursively get NRPE conf from file
+function _get_conf_from_file() {
+    # $1: NRPE conf file (.cfg)
+    if [ ! -f "${1}" ]; then return; fi
+
+    _conf_lines=$(grep -E -R -v --no-filename "^\s*(#.*|)$" "${1}")
+    while read -r _line; do
+        if [[ "${_line}" =~ .*'include='.* ]]; then
+            _conf_file=$(echo "${_line}" | cut -d= -f2)
+            _get_conf_from_file "${_conf_file}"
+        elif [[ "${_line}" =~ .*'include_dir='.* ]]; then
+            _conf_dir=$(echo "${_line}" | cut -d= -f2)
+            _get_conf_from_dir "${_conf_dir}"
+        else
+            echo "${_line}"
+        fi
+    done <<< "${_conf_lines}"
+}
+
+# Private function to recursively get NRPE conf from directory
+function _get_conf_from_dir() {
+    # $1: NRPE conf dir
+    if [ ! -d "${1}" ]; then return; fi
+
+    if [ "${debian_major_version}" -ge 10 ]; then
+        # From Deb10, NRPE use scandir() with alphasort() function
+        _sort_command="sort"
+    else
+        # Before Deb10, NRPE use loaddir(), like find utility
+        _sort_command="cat -"
+    fi
+
+    # Add conf files in dir to be processed recursively
+    for _file in $(find "${1}" -maxdepth 1 -name "*.cfg" 2> /dev/null | ${_sort_command}); do
+        if [ -f "${_file}" ]; then
+            _get_conf_from_file "${_file}"
+        elif [ -d "${_file}" ]; then
+            _get_conf_from_dir "${_file}"
+        fi
+    done
+}
+
+# Print the checks that are configured in NRPE
+function get_checks_names() {
+    echo "${_nrpe_conf_lines}" | grep -E "command\[check_.*\]=" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq
+}
+
+# Print the commands defined for check $1 in NRPE configuration
+function get_check_commands() {
+    # $1: check name
+    echo "${_nrpe_conf_lines}" | grep -E "command\[check_${1}\]" | cut -d'=' -f2-
+}
+
+# Print the checks that have no alerts_wrapper in NRPE configuration
+function not_wrapped_checks() {
+    for _check in $(get_checks_names); do
+        if ! is_wrapped "${_check}"; then
+            echo "${_check}"
+        fi
+    done
+}
+
+# Fail if check is not wrapped
+function is_wrapped() {
+    # $1: check name
+    _cmd=$(get_check_commands "${1}" | tail -n1)
+    if echo "${_cmd}" | grep --quiet --no-messages alerts_wrapper; then
+        return 0
+    fi
+    return 1
+}
+
+# Print the names that are defined in the wrappers of the checks
+function get_wrappers_names() {
+    echo "${_nrpe_conf_lines}" | grep -s "alerts_wrapper" | awk '{ for (i=1 ; i<=NF; i++) { if ($i ~ /^(-n|--name)$/) { print $(i+1); break } } }' | tr ',' '\n' | sort | uniq
+}
+
+# Print the wrapper name of the check
+function get_check_wrapper_name() {
+    # $1: check name
+    _cmd=$(get_check_commands "${1}" | tail -n1)
+    if echo "${_cmd}" | grep --quiet --no-messages alerts_wrapper; then
+        echo "${_cmd}" | awk '/--name/ {match($0, /--name\s*([a-zA-Z0-9_\-]*)\s*/, m); print m[1]}'
+    fi
+}
+
+function is_check() {
+    # $1: check name
+    _checks="$(get_checks_names)"
+    if echo "${_checks}" | grep --quiet -E "^${1}$"; then
+        return 0
+    fi
+    return 1
+}
+
+function is_wrapper() {
+    # $1: wrapper name
+    _wrappers="$(get_wrappers_names)"
+    if echo "${_wrappers}" | grep --quiet -E "^${1}$"; then
+        return 0
+    fi
+    return 1
+}
+
+# Print the checks that name this wrapper
+function get_wrapper_checks() {
+    # $1: wrapper name
+    echo "${_nrpe_conf_lines}" | grep -E "command\[check_.*\]=" | grep -E "\-\-name\s*${1}" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq | xargs
+}
+
+
+# Load NRPE configuration
+_nrpe_conf_lines="$(_get_conf_from_file "${nrpe_conf_path}")"

nagios-nrpe/files/monitoringctl_completion

@@ -0,0 +1,88 @@
+#!/usr/bin/bash
+#
+
+function _get_wrappers_names() {
+    grep "alerts_wrapper" --no-filename --no-messages -R /etc/nagios/ | grep --invert-match --extended-regexp "^\s*#" | awk '{ for (i=1 ; i<=NF; i++) { if ($i ~ /^(-n|--name)$/) { print $(i+1); break } } }' | tr ',' '\n' | sort | uniq
+}
+
+function _get_checks_names() {
+    grep --extended-regexp --no-filename --no-messages -R "command\[check_.*\]="  /etc/nagios/ | grep --invert-match --extended-regexp "^\s*#" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq
+}
+
+function _monitoringctl_completion() {
+    local cur=${COMP_WORDS[COMP_CWORD]};
+    local prev=${COMP_WORDS[COMP_CWORD-1]};
+
+    local action=""
+    for w in "${COMP_WORDS[@]}"; do
+        case "$w" in
+            status|check|enable|disable|show)
+                action="${w}"
+                ;;
+        esac
+    done
+
+    local words="--help"
+    case "${action}" in
+        check|show)
+            checks="$(_get_checks_names)"
+            check=""
+            for w in "${COMP_WORDS[@]}"; do
+                for c in ${checks}; do
+                    if [ "${c}" == "${w}" ]; then
+                        check="${w}"
+                        break
+                    fi
+                done
+            done
+            if [ -z "${check}" ]; then
+                words="${checks} ${words}"
+            fi
+            if [ "${action}" == "check" ]; then
+                words="all --bypass-nrpe ${words}"
+            fi
+            ;;
+        status)
+            if [ "${prev}" == "status" ]; then
+                words="all $(_get_checks_names)"
+            fi
+            ;;
+        enable)
+            if [ "${prev}" == "enable" ]; then
+                words="all $(_get_wrappers_names)"
+            else
+                words="--message ${words}"
+            fi
+            ;;
+        disable)
+            if [ "${prev}" == "disable" ]; then
+                words="all $(_get_wrappers_names)"
+            elif [ "${prev}" == "-d" ] || [ "${prev}" == "--during" ]; then
+                words="1d 1d12h 1h 1h30m 1m 1m30s 30s"
+            else
+                words="--during --message ${words}"
+            fi
+            ;;
+        *)
+            words="status check enable disable show ${words}"
+            ;;
+    esac
+
+    # Avoid double
+    opts=();
+    for i in ${words}; do
+        for j in "${COMP_WORDS[@]}"; do
+            if [[ "$i" == "$j" ]]; then
+                continue 2
+            fi
+        done
+        opts+=("$i")
+    done
+
+    COMPREPLY=($(compgen -W "${opts[*]}" -- "${cur}"))
+    return 0
+
+}
+
+complete -F _monitoringctl_completion monitoringctl
+

nagios-nrpe/files/sudoers

@@ -0,0 +1,27 @@
+nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-jails
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-setup
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/
+nagios          ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios
+nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor
+nagios          ALL = NOPASSWD: /sbin/dmsetup status --noflush
+nagios          ALL = NOPASSWD: /sbin/megacli -PDList -aALL -NoLog
+nagios          ALL = NOPASSWD: /sbin/megacli -LdInfo -Lall -aALL -NoLog
+nagios          ALL = NOPASSWD: /sbin/megacli -AdpBbuCmd -GetBbuStatus -aALL -NoLog
+nagios          ALL = NOPASSWD: /sbin/ssacli controller all show status
+nagios          ALL = NOPASSWD: /sbin/ssacli controller slot=0 logicaldrive all show
+nagios          ALL = NOPASSWD: /usr/local/bin/mvcli info -o blk
+nagios          ALL = NOPASSWD: /usr/local/bin/mvcli info -o vd
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_gluster.rb
+nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
+

nagios-nrpe/files/sudoers_jessie

@@ -0,0 +1,7 @@
+nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-jails
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-setup
+nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt

nagios-nrpe/tasks/check-local.yml

@@ -1,34 +0,0 @@
----
-# Install check-local utilitary
-
-- name: Package nagios-nrpe-plugin is intalled
-  ansible.builtin.apt:
-    name: nagios-nrpe-plugin
-
-- name: "Remount /usr if needed"
-  ansible.builtin.include_role:
-    name: remount-usr
-
-- name: Utilitary check-local is installed
-  ansible.builtin.copy:
-    src: check-local
-    dest: /usr/local/bin/check-local
-    mode: "0755"
-
-- name: Package bash-completion is installed
-  ansible.builtin.apt:
-    name: bash-completion
-
-- name: Directory /etc/bash_completion.d exists
-  ansible.builtin.file:
-    path: '/etc/bash_completion.d'
-    state: directory
-    mode: '0644'
-
-- name: Completion for utilitary check-local is installed
-  ansible.builtin.copy:
-    src: check-local_completion
-    dest: /etc/bash_completion.d/check-local
-    mode: "0755"
-
-

nagios-nrpe/tasks/main.yml

@@ -91,6 +91,7 @@
   tags:
     - nagios-nrpe
 
-- ansible.builtin.include_tasks: wrapper.yml
+- ansible.builtin.include_tasks: sudoers.yml
+
+- ansible.builtin.include_tasks: monitoringctl.yml
 
-- ansible.builtin.include_tasks: check-local.yml

nagios-nrpe/tasks/monitoringctl.yml

@@ -0,0 +1,167 @@
+---
+
+### alerts_wrapper and alerts_switch section
+
+- name: "check if old alerts_switch script is present"
+  ansible.builtin.stat:
+    path: /usr/share/scripts/alerts_switch
+  register: old_alerts_switch
+
+- name: "alerts_switch is at the right place"
+  ansible.builtin.command:
+    cmd: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch"
+  args:
+    creates: /usr/local/bin/alerts_switch
+  when: old_alerts_switch.stat.exists
+
+- name: "copy alerts_switch"
+  ansible.builtin.copy:
+    src: alerts_switch
+    dest: /usr/local/bin/alerts_switch
+    owner: root
+    group: root
+    mode: "0750"
+    force: true
+
+- name: "alerts_switch symlink for backward compatibility"
+  ansible.builtin.file:
+    src: /usr/local/bin/alerts_switch
+    path: /usr/share/scripts/alerts_switch
+    state: link
+  when: old_alerts_switch.stat.exists
+
+- name: "is /etc/sudoers.d/nagios present ?"
+  ansible.builtin.stat:
+    path: /etc/sudoers.d/nagios
+  register: is_sudoers_nagios_file
+
+- ansible.builtin.set_fact:
+    sudoers_file: "{{ '/etc/sudoers.d/nagios' if is_sudoers_nagios_file.stat.exists else '/etc/sudoers.d/evolinux' }}"
+
+- name: "nagios user can run alerts_switch with sudo (used by alerts_wrapper)"
+  ansible.builtin.lineinfile:
+    path: "{{ sudoers_file }}"
+    regexp: "nagios.*alerts_switch"
+    line: "nagios           ALL = NOPASSWD:/usr/local/bin/alerts_switch *"
+    owner: root
+    group: root
+    mode: "640"
+    validate: "visudo -c -f %s"
+
+- name: "check if old alerts_wrapper script is present"
+  ansible.builtin.stat:
+    path: "{{ nagios_plugins_directory }}/alerts_wrapper"
+  register: old_alerts_wrapper
+
+- name: "alerts_wrapper is at the right place"
+  ansible.builtin.command:
+    cmd: "mv {{ nagios_plugins_directory }}/alerts_wrapper /usr/local/lib/monitoringctl/alerts_wrapper"
+    creates: /usr/local/lib/monitoringctl/alerts_wrapper
+  when: old_alerts_wrapper.stat.exists
+
+- name: "copy alerts_wrapper"
+  ansible.builtin.copy:
+    src: alerts_wrapper
+    dest: "/usr/local/lib/monitoringctl/alerts_wrapper"
+    owner: root
+    group: staff
+    mode: "0755"
+    force: true
+
+- name: "alerts_wrapper symlink for backward compatibility"
+  ansible.builtin.file:
+    src: /usr/local/lib/monitoringctl/alerts_wrapper
+    path: "{{ nagios_plugins_directory }}/alerts_wrapper"
+    state: link
+  when: old_alerts_wrapper.stat.exists
+
+- name: "copy monitoringctl_common lib"
+  ansible.builtin.copy:
+    src: monitoringctl_common
+    dest: /usr/local/lib/monitoringctl/common
+    owner: root
+    group: root
+    mode: "0644"
+    force: true
+
+
+### monitoringctl section
+
+- name: "Remount /usr if needed"
+  ansible.builtin.include_role:
+    name: remount-usr
+
+- name: "package bash-completion is installed"
+  ansible.builtin.apt:
+    name: bash-completion
+
+- name: "package nagios-nrpe-plugin is installed"
+  ansible.builtin.apt:
+    name: nagios-nrpe-plugin
+
+- name: "directory /etc/bash_completion.d exists"
+  ansible.builtin.file:
+    path: '/etc/bash_completion.d'
+    state: directory
+    mode: '0644'
+
+- name: "dir /usr/local/lib/monitoringctl/ exists"
+  ansible.builtin.file:
+    path: /usr/local/lib/monitoringctl/
+    state: directory
+    mode: '0755'
+
+- name: "dir /var/lib/monitoringctl/ exists"
+  ansible.builtin.file:
+    path: /var/lib/monitoringctl/
+    state: directory
+    mode: '0755'
+
+- name: "monitoringctl is not in /usr/local/sbin/"
+  ansible.builtin.file:
+    path: /usr/local/sbin/monitoringctl
+    state: absent
+
+- name: "copy monitoringctl"
+  ansible.builtin.copy:
+    src: monitoringctl
+    dest: /usr/local/bin/monitoringctl
+    owner: root
+    group: root
+    mode: "0755"
+    force: true
+
+- name: "copy monitoringctl_common lib"
+  ansible.builtin.copy:
+    src: monitoringctl_common
+    dest: /usr/local/lib/monitoringctl/common
+    owner: root
+    group: root
+    mode: "0644"
+    force: true
+
+- name: "copy monitoringctl_completion script"
+  ansible.builtin.copy:
+    src: monitoringctl_completion
+    dest: /etc/bash_completion.d/monitoringctl
+    owner: root
+    group: root
+    mode: "0644"
+    force: true
+
+- name: "copy check-local (it's just a wrapper calling 'monitoringctl check' for backward compatibility)"
+  ansible.builtin.copy:
+    src: check-local
+    dest: /usr/local/bin/check-local
+    owner: root
+    group: root
+    mode: "0755"
+    force: true
+
+- name: "copy completion for check-local"
+  ansible.builtin.copy:
+    src: check-local_completion
+    dest: /etc/bash_completion.d/check-local
+    mode: "0755"
+
+

nagios-nrpe/tasks/sudoers.yml

@@ -0,0 +1,28 @@
+---
+- name: "/etc/sudoers.d presence and permissions"
+  ansible.builtin.file:
+    path: /etc/sudoers.d
+    owner: root
+    group: root
+    mode: "0750"
+    state: directory
+
+- name: "Copy nagios sudoers conf (Debian 9 Stretch and later)"
+  ansible.builtin.copy:
+    src: sudoers
+    dest: /etc/sudoers.d/nagios
+    mode: "0440"
+    validate: '/usr/sbin/visudo -cf %s'
+  register: copy_sudoers_evolinux
+  when:
+    - ansible_distribution_major_version is defined
+    - ansible_distribution_major_version is version('9', '>=')
+
+- name: "Copy nagios sudoers conf (Debian 8 Jessie) "
+  ansible.builtin.copy:
+    src: sudoers_jessie
+    dest: /etc/sudoers.d/nagios
+    mode: "0440"
+    validate: '/usr/sbin/visudo -cf %s'
+  register: copy_sudoers_evolinux
+  when: ansible_distribution_release == "jessie"

nagios-nrpe/tasks/wrapper.yml

@@ -1,43 +0,0 @@
----
-
-
-- name: "Remount /usr if needed"
-  ansible.builtin.include_role:
-    name: remount-usr
-
-- name: check if old script is present
-  ansible.builtin.stat:
-    path: /usr/share/scripts/alerts_switch
-  register: old_alerts_switch
-
-- name: alerts_switch is at the right place
-  ansible.builtin.command:
-    cmd: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch"
-  args:
-    creates: /usr/local/bin/alerts_switch
-  when: old_alerts_switch.stat.exists
-
-- name: "copy alerts_switch"
-  ansible.builtin.copy:
-    src: alerts_switch
-    dest: /usr/local/bin/alerts_switch
-    owner: root
-    group: root
-    mode: "0750"
-    force: true
-
-- name: "symlink for backward compatibility"
-  ansible.builtin.file:
-    src: /usr/local/bin/alerts_switch
-    dest: /usr/share/scripts/alerts_switch
-    state: link
-  when: old_alerts_switch.stat.exists
-
-- name: "copy alerts_wrapper"
-  ansible.builtin.copy:
-    src: alerts_wrapper
-    dest: "{{ nagios_plugins_directory }}/alerts_wrapper"
-    owner: root
-    group: staff
-    mode: "0755"
-    force: true

nagios-nrpe/templates/evolix.cfg.j2

@@ -6,94 +6,101 @@
 # Allowed IPs
 allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
 
-# System checks
-command[check_load]=/usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7
-command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
-command[check_disk1]=/usr/lib/nagios/plugins/check_disk -e -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home -x /lib/init/rw -x /dev -x /dev/shm -x /run -I '^/run/' -I '^/sys/' -X overlay
-command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
-command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600
-command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
+# Default activated checks
 
-# Generic services checks
-command[check_smtp]=/usr/lib/nagios/plugins/check_smtp -H localhost
-command[check_dns]=/usr/lib/nagios/plugins/check_dns -H evolix.net
-command[check_ntp]=/usr/lib/nagios/plugins/check_ntp -H {{ nagios_nrpe_ntp_server or nagios_nrpe_default_ntp_server | mandatory }}
-command[check_ssh]=/usr/lib/nagios/plugins/check_ssh localhost
-command[check_mailq]=/usr/lib/nagios/plugins/check_mailq -M postfix -w 10 -c 20
+## System checks
+command[check_disk1]=/usr/local/lib/monitoringctl/alerts_wrapper --name disk1 /usr/lib/nagios/plugins/check_disk -e -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home -x /lib/init/rw -x /dev -x /dev/shm -x /run -I '^/run/' -I '^/sys/' -X overlay
+command[check_load]=/usr/local/lib/monitoringctl/alerts_wrapper --name load /usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7
+command[check_mem]=/usr/local/lib/monitoringctl/alerts_wrapper --name mem {{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10
+command[check_pressure_cpu]=/usr/local/lib/monitoringctl/alerts_wrapper --name pressure_cpu /usr/lib/nagios/plugins/check_pressure --cpu -w 100000 -c 500000
+command[check_pressure_mem]=/usr/local/lib/monitoringctl/alerts_wrapper --name pressure_mem /usr/lib/nagios/plugins/check_pressure --mem --full -w 100000 -c 500000
+command[check_pressure_io]=/usr/local/lib/monitoringctl/alerts_wrapper --name pressure_io /usr/lib/nagios/plugins/check_pressure --io --full -w 100000 -c 500000
+command[check_swap]=/usr/local/lib/monitoringctl/alerts_wrapper --name swap /usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
+command[check_total_procs]=/usr/local/lib/monitoringctl/alerts_wrapper --name total_procs sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600
+command[check_users]=/usr/local/lib/monitoringctl/alerts_wrapper --name users /usr/lib/nagios/plugins/check_users -w 5 -c 10
+command[check_zombie_procs]=/usr/local/lib/monitoringctl/alerts_wrapper --name zombie_procs sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
 
-# Specific services checks
-command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p '{{ nagios_nrpe_pgsql_passwd }}'
-command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf
-command[check_mysql_slave]=/usr/lib/nagios/plugins/check_mysql --check-slave -H localhost -f ~nagios/.my.cnf -w 1800 -c 3600
-command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 --extra-opts=@/etc/nagios/monitoring-plugins.ini
-command[check_ldaps]=/usr/lib/nagios/plugins/check_ldap -3 -T --extra-opts=@/etc/nagios/monitoring-plugins.ini
-command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost
-command[check_imaps]=/usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
-command[check_imapproxy]=/usr/lib/nagios/plugins/check_imap -H localhost -p 1143
-command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost
-command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
-command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost
-command[check_http]=/usr/lib/nagios/plugins/check_http -e 301 -I 127.0.0.1 -H localhost
-command[check_https]=/usr/lib/nagios/plugins/check_http -e 401,403 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net
-command[check_bind]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
-command[check_unbound]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
-command[check_smb]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 445
-command[check_tse]=/usr/lib/nagios/plugins/check_tcp -H TSEADDR -p 3389
-command[check_jboss-http]=/usr/lib/nagios/plugins/check_tcp -p 8080
-command[check_jboss-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009
-command[check_tomcat-http]=/usr/lib/nagios/plugins/check_tcp -p 8080
-command[check_tomcat-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009
-command[check_proxy]=/usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_proxy_host }}
-command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379
-command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v
-command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/daily.cld
-command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5
-command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
-command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211
-command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 8891
-command[check_bkctld_setup]=sudo /usr/sbin/bkctld check-setup
-command[check_bkctld_jails]=sudo /usr/sbin/bkctld check-jails
-# "check_bkctld" is here as backward compatibility, but is replaced by "check_bkctld_jails"
-command[check_bkctld]=sudo /usr/sbin/bkctld check
-command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023
-command[check_influxdb]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /health -p 8086 -r '"status":"pass"'
-command[check_dhcpd]=/usr/lib/nagios/plugins/check_procs -c1:1 -C dhcpd -t 60
-command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor
-command[check_raid_status]=/usr/lib/nagios/plugins/check_raid
-command[check_dockerd]=/usr/lib/nagios/plugins/check_tcp -H /var/run/docker.sock --escape -s "GET /_ping HTTP/1.1\nHost: http\n\n" -e OK
+## Generic services checks
+command[check_dns]=/usr/local/lib/monitoringctl/alerts_wrapper --name dns /usr/lib/nagios/plugins/check_dns -H evolix.net
+command[check_mailq]=/usr/local/lib/monitoringctl/alerts_wrapper --name mailq /usr/lib/nagios/plugins/check_mailq -M postfix -w 10 -c 20
+command[check_ntp]=/usr/local/lib/monitoringctl/alerts_wrapper --name ntp /usr/lib/nagios/plugins/check_ntp -H {{ nagios_nrpe_ntp_server or nagios_nrpe_default_ntp_server | mandatory }}
+command[check_smtp]=/usr/local/lib/monitoringctl/alerts_wrapper --name smtp /usr/lib/nagios/plugins/check_smtp -H localhost
+command[check_ssh]=/usr/local/lib/monitoringctl/alerts_wrapper --name ssh /usr/lib/nagios/plugins/check_ssh localhost
 
-# Local checks (not packaged)
-command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10
-command[check_amavis]={{ nagios_plugins_directory }}/check_amavis --server 127.0.0.1 --from {{ nagios_nrpe_amavis_from }} --to postmaster@localhost --port 10024
-command[check_spamd]={{ nagios_plugins_directory }}/check_spamd -H 127.0.0.1
-command[check_nfsclient]=sudo -u www-data {{ nagios_plugins_directory }}/check_nfsclient
-command[check_evobackup]={{ nagios_plugins_directory }}/check_evobackup
-command[check_process]={{ nagios_plugins_directory }}/check_process {{ nagios_nrpe_processes | join(' ') }}
-command[check_drbd]={{ nagios_plugins_directory }}/check_drbd -d All -c StandAlone
-command[check_mongodb_connect]={{ nagios_plugins_directory }}/check_mongodb -H localhost -P27017 -A connect
-command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -n 0
-command[check_supervisord_status]={{ nagios_plugins_directory }}/check_supervisord
-command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
-command[check_haproxy]=sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /run/haproxy/admin.sock -w 80 -c 90 --ignore-maint --ignore-nolb --ignore-drain
-command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall
-command[check_redis_instances]={{ nagios_plugins_directory }}/check_redis_instances
-command[check_sentinel]=sudo {{ nagios_plugins_directory }}/check_sentinel -c /etc/redis/sentinel.conf
-command[check_hpraid]={{ nagios_plugins_directory }}/check_hpraid
-command[check_php-fpm]={{ nagios_plugins_directory }}/check_phpfpm_multi
-command[check_php-fpm56]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
-command[check_php-fpm70]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
-command[check_php-fpm73]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
-command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
-command[check_php-fpm80]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/
-command[check_php-fpm81]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/
-command[check_php-fpm82]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/
-command[check_php-fpm83]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/
-command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool
-command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local
-command[check_pressure_cpu]=/usr/lib/nagios/plugins/check_pressure --cpu -w 100000 -c 500000
-command[check_pressure_mem]=/usr/lib/nagios/plugins/check_pressure --mem --full -w 100000 -c 500000
-command[check_pressure_io]=/usr/lib/nagios/plugins/check_pressure --io --full -w 100000 -c 500000
+## Local checks (not packaged)
+command[check_minifirewall]=/usr/local/lib/monitoringctl/alerts_wrapper --name minifirewall sudo {{ nagios_plugins_directory }}/check_minifirewall
+
+
+# Optionnal checks
+
+## Specific services checks
+#command[check_pgsql]=/usr/local/lib/monitoringctl/alerts_wrapper --name pgsql /usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p '{{ nagios_nrpe_pgsql_passwd }}'
+#command[check_mysql]=/usr/local/lib/monitoringctl/alerts_wrapper --name mysql /usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf
+#command[check_mysql_slave]=/usr/local/lib/monitoringctl/alerts_wrapper --name mysql_slave /usr/lib/nagios/plugins/check_mysql --check-slave -H localhost -f ~nagios/.my.cnf -w 1800 -c 3600
+#command[check_ldap]=/usr/local/lib/monitoringctl/alerts_wrapper --name ldap /usr/lib/nagios/plugins/check_ldap -3 --extra-opts=@/etc/nagios/monitoring-plugins.ini
+#command[check_ldaps]=/usr/local/lib/monitoringctl/alerts_wrapper --name ldaps /usr/lib/nagios/plugins/check_ldap -3 -T --extra-opts=@/etc/nagios/monitoring-plugins.ini
+#command[check_imap]=/usr/local/lib/monitoringctl/alerts_wrapper --name imap /usr/lib/nagios/plugins/check_imap -H localhost
+#command[check_imaps]=/usr/local/lib/monitoringctl/alerts_wrapper --name imaps /usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
+#command[check_imapproxy]=/usr/local/lib/monitoringctl/alerts_wrapper --name imapproxy /usr/lib/nagios/plugins/check_imap -H localhost -p 1143
+#command[check_pop]=/usr/local/lib/monitoringctl/alerts_wrapper --name pop /usr/lib/nagios/plugins/check_pop -H localhost
+#command[check_pops]=/usr/local/lib/monitoringctl/alerts_wrapper --name pops /usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
+#command[check_ftp]=/usr/local/lib/monitoringctl/alerts_wrapper --name ftp /usr/lib/nagios/plugins/check_ftp -H localhost
+#command[check_http]=/usr/local/lib/monitoringctl/alerts_wrapper --name http /usr/lib/nagios/plugins/check_http -e 301 -I 127.0.0.1 -H localhost
+#command[check_https]=/usr/local/lib/monitoringctl/alerts_wrapper --name https /usr/lib/nagios/plugins/check_http -e 401,403 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net
+#command[check_bind]=/usr/local/lib/monitoringctl/alerts_wrapper --name bind /usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
+#command[check_unbound]=/usr/local/lib/monitoringctl/alerts_wrapper --name unbound /usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
+#command[check_smb]=/usr/local/lib/monitoringctl/alerts_wrapper --name smb /usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 445
+#command[check_tse]=/usr/local/lib/monitoringctl/alerts_wrapper --name tse /usr/lib/nagios/plugins/check_tcp -H TSEADDR -p 3389
+#command[check_jboss-http]=/usr/local/lib/monitoringctl/alerts_wrapper --name jboss-http /usr/lib/nagios/plugins/check_tcp -p 8080
+#command[check_jboss-ajp13]=/usr/local/lib/monitoringctl/alerts_wrapper --name jboss-ajp13 /usr/lib/nagios/plugins/check_tcp -p 8009
+#command[check_tomcat-http]=/usr/local/lib/monitoringctl/alerts_wrapper --name tomcat-http /usr/lib/nagios/plugins/check_tcp -p 8080
+#command[check_tomcat-ajp13]=/usr/local/lib/monitoringctl/alerts_wrapper --name tomcat-ajp13 /usr/lib/nagios/plugins/check_tcp -p 8009
+#command[check_proxy]=/usr/local/lib/monitoringctl/alerts_wrapper --name proxy /usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_proxy_host }}
+#command[check_redis]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis /usr/lib/nagios/plugins/check_tcp -p 6379
+#command[check_clamd]=/usr/local/lib/monitoringctl/alerts_wrapper --name clamd /usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v
+#command[check_clamav_db]=/usr/local/lib/monitoringctl/alerts_wrapper --name clamav_db /usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/daily.cld
+#command[check_ssl]=/usr/local/lib/monitoringctl/alerts_wrapper --name ssl /usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5
+#command[check_elasticsearch]=/usr/local/lib/monitoringctl/alerts_wrapper --name elasticsearch /usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
+#command[check_memcached]=/usr/local/lib/monitoringctl/alerts_wrapper --name memcached /usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211
+#command[check_opendkim]=/usr/local/lib/monitoringctl/alerts_wrapper --name opendkim /usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 8891
+#command[check_bkctld_setup]=/usr/local/lib/monitoringctl/alerts_wrapper --name bkctld_setup sudo /usr/sbin/bkctld check-setup
+#command[check_bkctld_jails]=/usr/local/lib/monitoringctl/alerts_wrapper --name bkctld_jails sudo /usr/sbin/bkctld check-jails
+## "check_bkctld" is here as backward compatibility, but is replaced by "check_bkctld_jails"
+#command[check_bkctld]=/usr/local/lib/monitoringctl/alerts_wrapper --name bkctld sudo /usr/sbin/bkctld check
+#command[check_postgrey]=/usr/local/lib/monitoringctl/alerts_wrapper --name postgrey /usr/lib/nagios/plugins/check_tcp -p10023
+#command[check_influxdb]=/usr/local/lib/monitoringctl/alerts_wrapper --name influxdb /usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /health -p 8086 -r '"status":"pass"'
+#command[check_dhcpd]=/usr/local/lib/monitoringctl/alerts_wrapper --name dhcpd /usr/lib/nagios/plugins/check_procs -c1:1 -C dhcpd -t 60
+#command[check_ipmi_sensors]=/usr/local/lib/monitoringctl/alerts_wrapper --name ipmi_sensors sudo /usr/lib/nagios/plugins/check_ipmi_sensor
+#command[check_raid_status]=/usr/local/lib/monitoringctl/alerts_wrapper --name raid_status /usr/lib/nagios/plugins/check_raid
+#command[check_dockerd]=/usr/local/lib/monitoringctl/alerts_wrapper --name dockerd /usr/lib/nagios/plugins/check_tcp -H /var/run/docker.sock --escape -s "GET /_ping HTTP/1.1\nHost: http\n\n" -e OK
+
+## Local checks (not packaged)
+#command[check_amavis]=/usr/local/lib/monitoringctl/alerts_wrapper --name amavis {{ nagios_plugins_directory }}/check_amavis --server 127.0.0.1 --from {{ nagios_nrpe_amavis_from }} --to postmaster@localhost --port 10024
+#command[check_spamd]=/usr/local/lib/monitoringctl/alerts_wrapper --name spamd {{ nagios_plugins_directory }}/check_spamd -H 127.0.0.1
+#command[check_nfsclient]=/usr/local/lib/monitoringctl/alerts_wrapper --name nfsclient sudo -u www-data {{ nagios_plugins_directory }}/check_nfsclient
+#command[check_evobackup]=/usr/local/lib/monitoringctl/alerts_wrapper --name evobackup {{ nagios_plugins_directory }}/check_evobackup
+#command[check_process]=/usr/local/lib/monitoringctl/alerts_wrapper --name process {{ nagios_plugins_directory }}/check_process {{ nagios_nrpe_processes | join(' ') }}
+#command[check_drbd]=/usr/local/lib/monitoringctl/alerts_wrapper --name drbd {{ nagios_plugins_directory }}/check_drbd -d All -c StandAlone
+#command[check_mongodb_connect]=/usr/local/lib/monitoringctl/alerts_wrapper --name mongodb_connect {{ nagios_plugins_directory }}/check_mongodb -H localhost -P27017 -A connect
+#command[check_glusterfs]=/usr/local/lib/monitoringctl/alerts_wrapper --name glusterfs {{ nagios_plugins_directory }}/check_glusterfs -v all -n 0
+#command[check_supervisord_status]=/usr/local/lib/monitoringctl/alerts_wrapper --name supervisord_status {{ nagios_plugins_directory }}/check_supervisord
+#command[check_varnish]=/usr/local/lib/monitoringctl/alerts_wrapper --name varnish {{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
+#command[check_haproxy]=/usr/local/lib/monitoringctl/alerts_wrapper --name haproxy sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /run/haproxy/admin.sock -w 80 -c 90 --ignore-maint --ignore-nolb --ignore-drain
+#command[check_redis_instances]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis_instances {{ nagios_plugins_directory }}/check_redis_instances
+#command[check_sentinel]=/usr/local/lib/monitoringctl/alerts_wrapper --name sentinel sudo {{ nagios_plugins_directory }}/check_sentinel -c /etc/redis/sentinel.conf
+#command[check_hpraid]=/usr/local/lib/monitoringctl/alerts_wrapper --name hpraid {{ nagios_plugins_directory }}/check_hpraid
+#command[check_php-fpm]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm {{ nagios_plugins_directory }}/check_phpfpm_multi
+#command[check_php-fpm56]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm56 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
+#command[check_php-fpm70]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm70 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
+#command[check_php-fpm73]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm73 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
+#command[check_php-fpm74]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm74 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
+#command[check_php-fpm80]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm80 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/
+#command[check_php-fpm81]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm81 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/
+#command[check_php-fpm82]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm82 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/
+#command[check_php-fpm83]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm83 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/
+#command[check_dhcp_pool]=/usr/local/lib/monitoringctl/alerts_wrapper --name dhcp_pool {{ nagios_plugins_directory }}/check_dhcp_pool
+#command[check_ssl_local]=/usr/local/lib/monitoringctl/alerts_wrapper --name ssl_local {{ nagios_plugins_directory }}/check_ssl_local
 
 # Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
 # Beware! All checks must not take more than 10s!
-#command[check_https]={{ nagios_plugins_directory }}/check_http_many
+#command[check_https]=/usr/local/lib/monitoringctl/alerts_wrapper --name https {{ nagios_plugins_directory }}/check_http_many

openvpn/tasks/debian.yml

@@ -201,7 +201,7 @@
   ansible.builtin.lineinfile:
     dest: "/etc/nagios/nrpe.d/evolix.cfg"
     regexp: '^command\[check_openvpn\]='
-    line: "command[check_openvpn]=/usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
+    line: "command[check_openvpn]=/usr/local/lib/monitoringctl/alerts_wrapper --name openvpn /usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
   notify: restart nagios-nrpe-server
   when: nrpe_evolix_config.stat.exists
 
@@ -233,7 +233,7 @@
   ansible.builtin.lineinfile:
     dest: "/etc/nagios/nrpe.d/evolix.cfg"
     regexp: '^command\[check_openvpn_certificates\]='
-    line: "command[check_openvpn_certificates]=sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
+    line: "command[check_openvpn_certificates]=/usr/local/lib/monitoringctl/alerts_wrapper --name openvpn_certificates sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
   notify: restart nagios-nrpe-server
   when: nrpe_evolix_config.stat.exists
 

postgresql/tasks/nrpe.yml

@@ -43,7 +43,7 @@
     ansible.builtin.lineinfile:
       name: /etc/nagios/nrpe.d/evolix.cfg
       regexp: '^command\[check_pgsql\]='
-      line: 'command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p "{{ postgresql_nrpe_password.stdout }}"'
+      line: 'command[check_pgsql]=/usr/local/lib/monitoringctl/alerts_wrapper --name pgsql /usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p "{{ postgresql_nrpe_password.stdout }}"'
     notify: restart nagios-nrpe-server
     when: postgresql_create_nrpe_user is changed
   when: nrpe_evolix_config.stat.exists

rabbitmq/tasks/nrpe.yml

@@ -40,7 +40,7 @@
   ansible.builtin.lineinfile:
     dest: /etc/nagios/nrpe.d/evolix.cfg
     regexp: 'command\[check_rab_connection_count\]'
-    line: 'command[check_rab_connection_count]=sudo /usr/local/lib/nagios/plugins/check_rabbitmq -a connection_count -C {{ rabbitmq_connections_critical }} -W {{ rabbitmq_connections_warning }}'
+    line: 'command[check_rab_connection_count]=/usr/local/lib/monitoringctl/alerts_wrapper --name rab_connection_count sudo /usr/local/lib/nagios/plugins/check_rabbitmq -a connection_count -C {{ rabbitmq_connections_critical }} -W {{ rabbitmq_connections_warning }}'
   notify: restart nagios-nrpe-server
 
 - name: sudo without password for nagios

redis/tasks/nrpe.yml

@@ -60,7 +60,7 @@
   ansible.builtin.replace:
     dest: /etc/nagios/nrpe.d/evolix.cfg
     regexp: '^command\[check_redis\]=.+'
-    replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}'
+    replace: 'command[check_redis]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}'
   when: redis_instance_name is undefined
   notify: restart nagios-nrpe-server
   tags:
@@ -99,7 +99,7 @@
   ansible.builtin.replace:
     dest: /etc/nagios/nrpe.d/evolix.cfg
     regexp: '^command\[check_redis\]=.+'
-    replace: 'command[check_redis]=sudo /usr/local/lib/nagios/plugins/check_redis_instances'
+    replace: 'command[check_redis]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis sudo /usr/local/lib/nagios/plugins/check_redis_instances'
   when: redis_instance_name is defined
   notify: restart nagios-nrpe-server
   tags: