Elastic Stack : default to version 8.x

nagios-nrpe: new monitoringctl command
ansible.builtin. prefix for modules
2024-06-17 10:46:34 +02:00 · 2024-06-14 16:27:29 +02:00 · 2024-06-14 09:14:12 -04:00 · 2024-06-13 15:35:11 -04:00 · 2024-06-12 21:53:43 +02:00 · 2024-06-12 15:46:54 -04:00
193 changed files with 11641 additions and 511 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -13,10 +13,26 @@ The **patch** part is incremented if multiple releases happen the same month
 ### Added
 * bind: New variables to change IPs bind will listen on & send notify/transfer commands
 * evolinux-base: Create custom SSH configuration file
 * evolinux-base: install evobackup-client (default: true)
 * lxc: new lxc_template_mirror option (useful to get old Debian from archive.debian.org)
 * munin: add linux_psi contrib plugin
 * nagios-nrpe: add new check_ftp_users
 * proftpd: add new munin graph (users count)
 * nagios-nrpe: new monitoringctl command
 ### Changed
 * Elastic Stack : default to version 8.x
 * evolinux-base: Customize logcheck recipient when serveur-base is installed
 * log2mail: task log2mail.yml of evolinux-base converted to a role
 * lxc-solr: update solr9 version + fix URL in README
 ### Fixed
 * openvpn: Make it work on OpenBSD in check mode
 ### Removed
 ### Security
@ -29,6 +45,7 @@ The **patch** part is incremented if multiple releases happen the same month
 ### Changed
 * certbot: allow haproxy deploy hook to work with evoacme too (using env variables)
 * evobackup-client: upstream release 24.05.1
 * evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
 * evolinux-users: improve SSH configuration
@ -38,6 +55,7 @@ The **patch** part is incremented if multiple releases happen the same month
 ### Fixed
 * apt: use archive.debian.org with Buster
 * fail2ban: remount-usr added because it is needed for last task
 ## [24.04] 2024-04-30
--- a/bind/defaults/main.yml
+++ b/bind/defaults/main.yml
@ -1,12 +1,26 @@
 ---
-bind_recursive_server: False
+bind_recursive_server: false
-bind_authoritative_server: True
+bind_authoritative_server: true
-bind_chroot_set: True
+bind_chroot_set: true
-# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
+
 #bind_chroot_path: /var/chroot-bind
 bind_systemd_service_path: /etc/systemd/system/bind9.service
 bind_statistics_file: /var/run/named.stats
 bind_log_file: /var/log/bind.log
 bind_query_file: /var/log/bind_queries.log
-bind_query_file_enabled: False
+bind_query_file_enabled: false
 bind_cache_dir: /var/cache/bind
 # String (bind syntax) of IPv4/ to listen on (or any by default)
 # eg. "192.0.2.1; 192.0.2.3"   or all interfaces : "any ;"
 bind_listen_on_ipv4: "any;"
 # String (bind syntax) of IPv6 to listen on (or any by default)
 # eg. "2001:db8::1; 2001:db8::42"   or all interfaces : "any ;" or not at all "none;"
 bind_listen_on_ipv6: "any;"
 # For server with multiples IP Adresses, enforce the usage of a specific IP for NOTIFY commands
 bind_notify_source: ''
 # For server with multiples IP Adresses, enforce the usage of a specific IP for TRANSFER commands
 bind_transfer_source: ''
--- a/bind/templates/named.conf.options_authoritative.j2
+++ b/bind/templates/named.conf.options_authoritative.j2
@ -10,8 +10,15 @@ options {
    masterfile-format text;
    statistics-file "{{ bind_statistics_file }}";
-      listen-on-v6 { any; };
+    listen-on { {{ bind_listen_on_ipv4 }} };
-      listen-on { any; };
+    listen-on-v6 { {{ bind_listen_on_ipv6 }} };
 {% if bind_notify_source is defined and bind_notify_source|length %}
    notify-source {{ bind_notify_source }};
 {% endif %}
 {% if bind_transfer_source is defined and bind_transfer_source|length %}
    transfer-source {{ bind_transfer_source }};
 {% endif %}
    allow-query { localhost; };
    allow-recursion { localhost; };
--- a/certbot/files/hooks/deploy/haproxy.sh
+++ b/certbot/files/hooks/deploy/haproxy.sh
@ -1,4 +1,6 @@
 #!/bin/sh
 # /!\ MODIFIED to work with evoacme OR certbot
 private_keys_dirs="/etc/ssl/private" # Only used for evoacme
 error() {
    >&2 echo "${PROGNAME}: $1"
@ -13,7 +15,7 @@ daemon_found_and_running() {
    test -n "$(pidof haproxy)" && test -n "${haproxy_bin}"
 }
 found_renewed_lineage() {
-    test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
+    test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${private_key}"
 }
 config_check() {
    ${haproxy_bin} -c -f "${haproxy_config_file}" > /dev/null 2>&1
@ -24,7 +26,7 @@ concat_files() {
    chown root: "${haproxy_cert_dir}"
    debug "Concatenating certificate files to ${haproxy_cert_file}"
-    cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
+    cat "${RENEWED_LINEAGE}/fullchain.pem" "${private_key}" > "${haproxy_cert_file}"
    chmod 600 "${haproxy_cert_file}"
    chown root: "${haproxy_cert_file}"
 }
@ -58,10 +60,19 @@ main() {
    if daemon_found_and_running; then
        readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
        readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
        if  [ -z "${EVOACME_VHOST_NAME}" ]; then
            # CERTBOT
            private_key=${RENEWED_LINEAGE}/privkey.pem
            cert_name=$(basename "${RENEWED_LINEAGE}")
        else
            # EVOACME
            private_key=${private_keys_dirs}/$(basename $(dirname ${RENEWED_LINEAGE})).key
 	    cert_name=$(basename $(dirname "${RENEWED_LINEAGE}"))
        fi
        if found_renewed_lineage; then
-            haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
+            haproxy_cert_file="${haproxy_cert_dir}/${cert_name}.pem"
-            failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
+            failed_cert_file="/root/${cert_name}.failed.pem"
            concat_files
@ -77,7 +88,8 @@ main() {
                error "HAProxy config is broken, you must fix it !"
            fi
        else
-            error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
+
            error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or "${private_key}""
        fi
    else
        debug "HAProxy is not running or missing. Skip."
@ -91,3 +103,4 @@ readonly QUIET=${QUIET:-"0"}
 readonly haproxy_bin=$(command -v haproxy)
 main
--- a/elasticsearch/defaults/main.yml
+++ b/elasticsearch/defaults/main.yml
@ -1,5 +1,5 @@
 ---
-elastic_stack_version: "7.x"
+elastic_stack_version: "8.x"
 elasticsearch_cluster_name: Null
 elasticsearch_cluster_members: Null
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@ -243,3 +243,6 @@ evolinux_utils_include: True
 # Autosysadmin
 evolinux_autosysadmin_include: false
 # Evobackup client
 evolinux_evobackup_client_include: True
--- a/evolinux-base/handlers/main.yml
+++ b/evolinux-base/handlers/main.yml
@ -74,11 +74,6 @@
    name: postfix
    state: reloaded
 - name: restart log2mail
  ansible.builtin.service:
    name: log2mail
    state: restarted
 - name: restart systemd-journald
  ansible.builtin.service:
    name: systemd-journald.service
--- a/evolinux-base/tasks/main.yml
+++ b/evolinux-base/tasks/main.yml
@ -116,7 +116,8 @@
  when: evolinux_provider_orange_fce_include | bool
 - name: Override Log2mail service
-  ansible.builtin.import_tasks: log2mail.yml
+  ansible.builtin.include_role:
    name: evolix/log2mail
  when: evolinux_log2mail_include | bool
 - ansible.builtin.import_tasks: motd.yml
@ -158,6 +159,11 @@
    name: 'evolix/autosysadmin-restart_nrpe'
  when: evolinux_autosysadmin_include | bool
 - name: Evobackup (client)
  ansible.builtin.include_role:
    name: 'evolix/evobackup-client'
  when: evolinux_evobackup_client_include | bool
 - name: fail2ban
  ansible.builtin.include_role:
    name: evolix/fail2ban
--- a/evolinux-base/tasks/packages.yml
+++ b/evolinux-base/tasks/packages.yml
@ -111,7 +111,9 @@
    dest: /etc/logcheck/logcheck.conf
    regexp: '^SENDMAILTO=".*"$'
    line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"'
-  when: evolinux_packages_logcheck_recipient | bool
+  when:
    - evolinux_packages_serveur_base | bool
    - evolinux_packages_logcheck_recipient | bool
 - name: Deleting rpcbind and nfs-common
  ansible.builtin.apt:
--- a/evolinux-base/tasks/ssh.included-files.yml
+++ b/evolinux-base/tasks/ssh.included-files.yml
@ -16,6 +16,14 @@
    dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
    mode: "0644"
 - name: create custom SSH server configuration file
  ansible.builtin.file:
    path: /etc/ssh/sshd_config.d/zzz-evolinux-custom.conf
    state: touch
    mode: "0644"
    modification_time: preserve
    access_time: preserve
 # Should we allow the current user?
 - name: Allow the current user
  block:
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@ -112,6 +112,9 @@
  tags:
    - fail2ban
 - include_role:
    name: evolix/remount-usr
 - name: Script unban_ip is installed
  ansible.builtin.copy:
    src: unban_ip.sh
--- a/filebeat/defaults/main.yml
+++ b/filebeat/defaults/main.yml
@ -1,5 +1,5 @@
 ---
-elastic_stack_version: "7.x"
+elastic_stack_version: "8.x"
 filebeat_logstash_plugin: False
--- a/fluentd/tasks/main.yml
+++ b/fluentd/tasks/main.yml
@ -75,7 +75,7 @@
 - name: NRPE check is configured
  ansible.builtin.lineinfile:
    path: /etc/nagios/nrpe.d/evolix.cfg
-    line: 'command[check_fluentd]=/usr/lib/nagios/plugins/check_tcp -p {{ fluentd_port }}'
+    line: 'command[check_fluentd]=/usr/local/lib/monitoringctl/alerts_wrapper --name fluentd /usr/lib/nagios/plugins/check_tcp -p {{ fluentd_port }}'
  notify: "restart nagios-nrpe-server"
  tags:
    - fluentd
--- a/keepalived/tasks/main.yml
+++ b/keepalived/tasks/main.yml
@ -36,7 +36,7 @@
  ansible.builtin.lineinfile:
    dest: /etc/nagios/nrpe.d/evolix.cfg
    regexp: 'command\[check_keepalived\]'
-    replace: 'command[check_keepalived]=/usr/local/lib/nagios/plugins/check_keepalived'
+    replace: 'command[check_keepalived]=/usr/local/lib/monitoringctl/alerts_wrapper --name keepalived /usr/local/lib/nagios/plugins/check_keepalived'
  notify: restart nagios-nrpe-server
  tags:
    - keepalived
--- a/kibana/defaults/main.yml
+++ b/kibana/defaults/main.yml
@ -1,5 +1,5 @@
 ---
-elastic_stack_version: "7.x"
+elastic_stack_version: "8.x"
 kibana_server_host: "127.0.0.1"
 kibana_server_basepath: ""
--- a/log2mail/defaults/main.yml
+++ b/log2mail/defaults/main.yml
@ -0,0 +1,3 @@
 ---
 log2mail_alert_email: Null
 general_alert_email: "root@localhost"
--- a/evolinux-base/files/log2mail.service
+++ b/evolinux-base/files/log2mail.service
--- a/log2mail/handlers/main.yml
+++ b/log2mail/handlers/main.yml
@ -0,0 +1,5 @@
 ---
 - name: restart log2mail
  ansible.builtin.service:
    name: log2mail
    state: restarted
--- a/evolinux-base/tasks/log2mail.yml
+++ b/evolinux-base/tasks/log2mail.yml
@ -23,18 +23,14 @@
    marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
    state: absent
  notify: restart log2mail
  tags:
    - log2mail
 - name: log2mail evolinux-defaults config is present
  ansible.builtin.template:
-    src: log2mail/evolinux-defaults.j2
+    src: evolinux-defaults.j2
    dest: /etc/log2mail/config/evolinux-defaults
    owner: log2mail
    group: adm
    mode: "0640"
    force: yes
  notify: restart log2mail
  tags:
    - log2mail
--- a/evolinux-base/templates/log2mail/evolinux-defaults.j2
+++ b/evolinux-base/templates/log2mail/evolinux-defaults.j2
--- a/logstash/defaults/main.yml
+++ b/logstash/defaults/main.yml
@ -1,5 +1,5 @@
 ---
-elastic_stack_version: "7.x"
+elastic_stack_version: "8.x"
 logstash_jvm_xms: 256m
 logstash_jvm_xmx: 512g
--- a/lxc-php/tasks/php56.yml
+++ b/lxc-php/tasks/php56.yml
@ -1,11 +1,11 @@
 ---
- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt install --yes --force-yes php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
  ansible.builtin.template:
    src: z-evolinux-defaults.ini.j2
    dest: "{{ line_item }}"
--- a/lxc-php/tasks/php70.yml
+++ b/lxc-php/tasks/php70.yml
@ -1,11 +1,11 @@
 ---
- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mcrypt php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
  ansible.builtin.template:
    src: z-evolinux-defaults.ini.j2
    dest: "{{ line_item }}"
--- a/lxc-php/tasks/php74.yml
+++ b/lxc-php/tasks/php74.yml
@ -1,17 +1,17 @@
 ---
- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - fix bullseye repository"
+- name: "{{ lxc_php_container_name }} - fix bullseye repository"
  ansible.builtin.replace:
    dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
    regexp: 'bullseye/updates'
    replace: 'bullseye-security'
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
  ansible.builtin.template:
    src: z-evolinux-defaults.ini.j2
    dest: "{{ line_item }}"
--- a/lxc-php/tasks/php80.yml
+++ b/lxc-php/tasks/php80.yml
@ -5,18 +5,18 @@
    lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages"
+- name: "{{ lxc_php_container_name }} - Install dependency packages"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - fix bullseye repository"
+- name: "{{ lxc_php_container_name }} - fix bullseye repository"
  ansible.builtin.replace:
    dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
    regexp: 'bullseye/updates'
    replace: 'bullseye-security'
- name: "{{ lxc_php_version }} - Add sury repo"
+- name: "{{ lxc_php_container_name }} - Add sury repo"
  ansible.builtin.lineinfile:
    dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
    line: "{{ item }}"
@ -51,17 +51,17 @@
    owner: root
    group: root
- name: "{{ lxc_php_version }} - Update APT cache"
+- name: "{{ lxc_php_container_name }} - Update APT cache"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
  ansible.builtin.template:
    src: z-evolinux-defaults.ini.j2
    dest: "{{ line_item }}"
--- a/lxc-php/tasks/php81.yml
+++ b/lxc-php/tasks/php81.yml
@ -4,18 +4,18 @@
  ansible.builtin.set_fact:
    lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages"
+- name: "{{ lxc_php_container_name }} - Install dependency packages"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - fix bullseye repository"
+- name: "{{ lxc_php_container_name }} - fix bullseye repository"
  ansible.builtin.replace:
    dest: "{{ lxc_rootfs }}/etc/apt/sources.list"
    regexp: 'bullseye/updates'
    replace: 'bullseye-security'
- name: "{{ lxc_php_version }} - Add sury repo"
+- name: "{{ lxc_php_container_name }} - Add sury repo"
  ansible.builtin.lineinfile:
    dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list"
    line: "{{ item }}"
@ -50,17 +50,17 @@
    owner: root
    group: root
- name: "{{ lxc_php_version }} - Update APT cache"
+- name: "{{ lxc_php_container_name }} - Update APT cache"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
  ansible.builtin.template:
    src: z-evolinux-defaults.ini.j2
    dest: "{{ line_item }}"
--- a/lxc-php/tasks/php82.yml
+++ b/lxc-php/tasks/php82.yml
@ -4,24 +4,24 @@
  ansible.builtin.set_fact:
    lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages"
+- name: "{{ lxc_php_container_name }} - Install dependency packages"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - delete sources.list bookworm repository"
+- name: "{{ lxc_php_container_name }} - delete sources.list bookworm repository"
  ansible.builtin.file:
    path: "{{ lxc_rootfs }}/etc/apt/sources.list"
    state: absent
- name: "{{ lxc_php_version }} - system bookworm repository"
+- name: "{{ lxc_php_container_name }} - system bookworm repository"
  ansible.builtin.template:
    src: bookworm_basics.sources.j2
    dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
    force: true
    mode: "0644"
- name: "{{ lxc_php_version }} - security bookworm repository"
+- name: "{{ lxc_php_container_name }} - security bookworm repository"
  ansible.builtin.template:
    src: bookworm_security.sources.j2
    dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
@ -44,17 +44,17 @@
    owner: root
    group: root
- name: "{{ lxc_php_version }} - Update APT cache"
+- name: "{{ lxc_php_container_name }} - Update APT cache"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
  ansible.builtin.template:
    src: z-evolinux-defaults.ini.j2
    dest: "{{ line_item }}"
--- a/lxc-php/tasks/php83.yml
+++ b/lxc-php/tasks/php83.yml
@ -4,38 +4,38 @@
  ansible.builtin.set_fact:
    lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d
- name: "{{ lxc_php_version }} - Install dependency packages"
+- name: "{{ lxc_php_container_name }} - Install dependency packages"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg"
- name: "{{ lxc_php_version }} - delete sources.list bookworm repository"
+- name: "{{ lxc_php_container_name }} - delete sources.list bookworm repository"
  ansible.builtin.file:
    path: "{{ lxc_rootfs }}/etc/apt/sources.list"
    state: absent
- name: "{{ lxc_php_version }} - system bookworm repository"
+- name: "{{ lxc_php_container_name }} - system bookworm repository"
  ansible.builtin.template:
    src: bookworm_basics.sources.j2
    dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources"
    force: true
    mode: "0644"
- name: "{{ lxc_php_version }} - security bookworm repository"
+- name: "{{ lxc_php_container_name }} - security bookworm repository"
  ansible.builtin.template:
    src: bookworm_security.sources.j2
    dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources"
    force: true
    mode: "0644"
- name: "{{ lxc_php_version }} - Add sury repo"
+- name: "{{ lxc_php_container_name }} - Add sury repo"
  ansible.builtin.template:
    src: sury.sources.j2
    dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.sources"
    force: true
    mode: "0644"
- name: "{{ lxc_php_version }} - Add sury failsafe repo"
+- name: "{{ lxc_php_container_name }} - Add sury failsafe repo"
  ansible.builtin.template:
    src: evolix_sury.sources.j2
    dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/evolix_sury.sources"
@ -66,17 +66,17 @@
    owner: root
    group: root
- name: "{{ lxc_php_version }} - Update APT cache"
+- name: "{{ lxc_php_container_name }} - Update APT cache"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt update"
- name: "{{ lxc_php_version }} - Install PHP packages"
+- name: "{{ lxc_php_container_name }} - Install PHP packages"
  community.general.lxc_container:
-    name: "{{ lxc_php_version }}"
+    name: "{{ lxc_php_container_name }}"
    container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
+- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration"
  ansible.builtin.template:
    src: z-evolinux-defaults.ini.j2
    dest: "{{ line_item }}"
--- a/lxc-solr/README.md
+++ b/lxc-solr/README.md
@ -15,7 +15,7 @@ Since this role depend on the lxc role, please refer to it for a full variable l
 * `lxc_containers`: list of LXC containers to create. Default: `[]` (empty).
  * `name`: name of the LXC container to create.
  * `release`: Debian version to install
-  * `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/lucene/solr/ for a full version list)*
+  * `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/solr/solr/ for a full version list)*
  * `solr_port`: port for Solr to listen on
  Eg.:
  ```
--- a/lxc-solr/defaults/main.yml
+++ b/lxc-solr/defaults/main.yml
@ -16,7 +16,7 @@
 #     solr_port: 8985
 #   - name: solr9
 #     release: bullseye
-#     solr_version: 9.0.0
+#     solr_version: 9.6.1
 #     solr_port: 8985
 lxc_containers: []
--- a/lxc/defaults/main.yml
+++ b/lxc/defaults/main.yml
@ -8,6 +8,10 @@ lxc_network_type: "none"
 # Partition to bind mount into containers.
 lxc_mount_part: "/home"
 # Mirror URL (optionnal).
 # For old Debian, use https://archive.debian.org/debian/
 lxc_template_mirror: ""
 # List of LXC containers to create.
 # Eg.:
 # lxc_containers:
--- a/lxc/tasks/create-container.yml
+++ b/lxc/tasks/create-container.yml
@ -6,13 +6,16 @@
  check_mode: no
  register: container_exists
 - ansible.builtin.set_fact:
    lxc_template_mirror_option: "{{ '--mirror ' + lxc_template_mirror if lxc_template_mirror != '' else '' }}"
 - name: "Create container {{ name }}"
  community.general.lxc_container:
    name: "{{ name }}"
    container_log: true
    template: debian
    state: stopped
-    template_options: "--arch amd64 --release {{ release }}"
+    template_options: "--arch amd64 --release {{ release }} {{ lxc_template_mirror_option }}"
  when: container_exists.stdout_lines | length == 0
 - name: "Disable network configuration inside container {{ name }}"
--- a/memcached/tasks/nrpe.yml
+++ b/memcached/tasks/nrpe.yml
@ -34,7 +34,7 @@
    ansible.builtin.lineinfile:
      name: /etc/nagios/nrpe.d/evolix.cfg
      regexp: '^command\[check_memcached\]='
-      line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}'
+      line: 'command[check_memcached]=/usr/local/lib/monitoringctl/alerts_wrapper --name memcached /usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}'
    notify: restart nagios-nrpe-server
    when: memcached_instance_name | length == 0
@ -42,7 +42,7 @@
    ansible.builtin.lineinfile:
      name: /etc/nagios/nrpe.d/evolix.cfg
      regexp: '^command\[check_memcached\]='
-      line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached_instances'
+      line: 'command[check_memcached]=/usr/local/lib/monitoringctl/alerts_wrapper --name memcached /usr/local/lib/nagios/plugins/check_memcached_instances'
    notify: restart nagios-nrpe-server
    when: memcached_instance_name | length > 0
--- a/metricbeat/defaults/main.yml
+++ b/metricbeat/defaults/main.yml
@ -1,5 +1,5 @@
 ---
-elastic_stack_version: "7.x"
+elastic_stack_version: "8.x"
 metricbeat_elasticsearch_hosts:
  - "localhost:9200"
--- a/minifirewall/tasks/nrpe.yml
+++ b/minifirewall/tasks/nrpe.yml
@ -46,7 +46,7 @@
  ansible.builtin.lineinfile:
    dest: /etc/nagios/nrpe.d/evolix.cfg
    regexp: 'command\[check_minifirewall\]'
-    line: 'command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall'
+    line: 'command[check_minifirewall]=/usr/local/lib/monitoringctl/alerts_wrapper --name minifirewall sudo {{ nagios_plugins_directory }}/check_minifirewall'
  notify: restart nagios-nrpe-server
  when: nrpe_evolix_cfg.stat.exists
--- a/munin/files/plugins/linux-psi
+++ b/munin/files/plugins/linux-psi
@ -0,0 +1,360 @@
 #!/bin/bash
 : << =cut
 =head1 NAME
 linux_psi - Plugin to monitor the pressure stall information for CPU, Memory and
 IO as reported by the Linux kernel.
 This plugin monitors the pressure stall information (psi) as reported by the
 Linux Kernel. By default it reports all average intervals (10 seconds,
 60 seconds and 300 seconds) as well as the total values as a rate of change
 (DERIVE) for all resources (cpu, memory, io). The average intervals can be
 configured if you only deem some of them useful. See CONFIGURATION for
 explanations on that.
 This is a multigraph plugin that, by default, will create six detail graphs and
 one summary graph (so seven in total). The summary graph will contain the 300
 seconds average percentages of all resources. The detail graphs are split in two
 graphs per resource. One combining all average intervals and one for the
 "totals" (rate of change) for the given resource.
 There are no defaults for warnings and criticals, because this highly depends on
 the system, so you need to configure them yourself (if you want any). It is
 recommended that you first lookup the meaning of the different values.
 For more information on psi see:
 https://www.kernel.org/doc/html/latest/accounting/psi.html
 =head1 CONFIGURATION
 Simply create a symlink in your plugins directory like with any other plugin.
 No additional configuration needed, no specific user required (typically).
 If you want to configure alerts, just add "warn_" or "crit_" in front of the
 internal name.
 Optional configuration examples:
 [linux_psi]
 env.resources cpu io memory       - Specify the resources to monitor. Leave one
                                    out if you don't want this one to be
                                    monitored.
 env.intervals avg10 avg60 avg300  - Sepcify the average intervals to monitor.
                                    Leave one out if you don't want this one to
                                    be monitored
 env.scopes some full              - Specify the scopes to monitor. Leave one out
                                    If you don't want it to be monitored.
 env.summary_interval avg300       - Specify the interval to be used for the
                                    summary-graph.
 env.warn_psi_cpu_avg300_some 5    - Set a warning-level of 5 for
                                    "psi_cpu_avg300_some"
 env.crit_psi_io_total_full 2000   - Set a critical-level of 2000 for
                                    "psi_io_total_full"
 =head1 AUTHOR
 2022, HaseHarald
 =head1 LICENSE
 LGPLv3
 =head1 BUGS
 =head1 TODO
 =head1 MAGIC MARKERS
 #%# family=auto
 #%# capabilities=autoconf
 =cut
 # This file contains a munin-plugin to graph the psi (pressure) for CPU, Memory
 # and IO, as reported by the Linux kernel.
 #
 # This is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU Lesser General Public License for more details.
 #
 # You should have received a copy of the GNU Lesser General Public License
 # along with this plugin.  If not, see <http://www.gnu.org/licenses/>.
 resource_defaults=('cpu' 'io' 'memory')
 interval_defaults=('avg10' 'avg60' 'avg300')
 scope_defaults=('some' 'full')
 pressure_dir=${pressure_dir:-'/proc/pressure/'}
 pressure_resources=( "${resources[@]:-${resource_defaults[@]}}" )
 pressure_intervals=( "${intervals[@]:-${interval_defaults[@]}}" )
 pressure_scopes=( "${scopes[@]:-${scope_defaults[@]}}" )
 summary_interval="${summary_interval:-avg300}"
 check_autoconf() {
  if [ -d "${pressure_dir}" ]; then
    printf "yes\n"
  else
    printf "no (%s not found)\n" "${pressure_dir}"
  fi
 }
 get_pressure_value() {
  local resource
  local interval
  local scope
  resource="$1"
  interval="$2"
  scope="${3:-some}"
  grep "$scope" "${pressure_dir}/${resource}" | grep -o -E "${interval}=[0-9]{1,}(\.[0-9]{1,}){0,1}" | cut -d '=' -f 2
 }
 get_printable_name() {
  local kind
  local value
  local printable_name
  kind="$1"
  value="$2"
  printable_name=""
  case "$kind" in
    interval)
      case "$interval" in
        avg10)
          printable_name="10sec"
          ;;
        avg60)
          printable_name="60sec"
          ;;
        avg300)
          printable_name="5min"
          ;;
        total)
          printable_name="Total"
          ;;
        *)
          printf "ERROR: Could not determine interval %s ! Must be one of 'avg10' 'avg60' 'avg300' 'total'\n" "$value" >&2
          exit 2
          ;;
      esac
      ;;
    scope)
      case "$value" in
        some)
          printable_name="Some"
          ;;
        full)
          printable_name="Full"
          ;;
        *)
          printf "ERROR: Could not determine scope %s ! Must be one of 'full' 'some'.\n" "$value" >&2
          exit 2
          ;;
      esac
      ;;
    resource)
      case "$value" in
        cpu)
          printable_name="CPU"
          ;;
        io)
          printable_name="IO"
          ;;
        memory)
          printable_name="Memory"
          ;;
        *)
          printf "ERROR: Could not determine resource-type %s ! Must be one of 'cpu' 'io' 'memory'.\n" "$value" >&2
          exit 2
          ;;
      esac
      ;;
    *)
      printf "ERROR: Could not determine kind %s ! Must be one of 'interval' 'scope' 'resource'\n" "$kind" >&2
      exit 2
      ;;
  esac
  printf "%s" "$printable_name"
 }
 iterate_config() {
  for resource in "${pressure_resources[@]}"; do
    local printable_resource
    printable_resource=$( get_printable_name resource "$resource" )
    printf "multigraph linux_psi.%s_avg\n" "$resource"
    printf "graph_title %s Pressure Stall Information - Average\n" "$printable_resource"
    printf "graph_category system\n"
    printf "graph_info Average PSI based latency caused by lack of %s resources.\n" "$printable_resource"
    printf "graph_vlabel %%\n"
    printf "graph_scale no\n"
    for interval in "${pressure_intervals[@]}"; do
      local printable_interval
      printable_interval=$( get_printable_name interval "$interval" )
      output_config "$resource" "$interval"
    done
    echo ""
  done
  for resource in "${pressure_resources[@]}"; do
    local interval
    local printable_resource
    interval="total"
    printable_resource=$( get_printable_name resource "$resource" )
    printf "multigraph linux_psi.%s_total\n" "$resource"
    printf "graph_title %s Pressure Stall Information - Rate\n" "$printable_resource"
    printf "graph_category system\n"
    printf "graph_info Total PSI based latency rate caused by lack of %s resources.\n" "$printable_resource"
    printf "graph_vlabel rate\n"
    output_config "$resource" "$interval"
    echo ""
  done
  printf "multigraph linux_psi\n"
  printf "graph_title Pressure Stall Information - Average\n"
  printf "graph_vlabel %%\n"
  printf "graph_scale no\n"
  printf "graph_category system\n"
  printf "graph_info Average PSI based latency caused by lack of resources.\n"
  for resource in "${pressure_resources[@]}"; do
    output_config "$resource" "$summary_interval"
  done
  echo ""
 }
 iterate_values() {
  for resource in "${pressure_resources[@]}"; do
    printf "multigraph linux_psi.%s_avg\n" "$resource"
    for interval in "${pressure_intervals[@]}"; do
      output_values "$resource" "$interval"
    done
    echo ""
  done
  for resource in "${pressure_resources[@]}"; do
    local interval
    interval="total"
    printf "multigraph linux_psi.%s_total\n" "$resource"
    output_values "$resource" "$interval"
    echo ""
  done
  printf "multigraph linux_psi\n"
  for resource in "${pressure_resources[@]}"; do
    output_values "$resource" "$summary_interval"
  done
  echo ""
 }
 output_config() {
  local resource
  local interval
  local printable_resource
  local printable_interval
  resource="$1"
  interval="$2"
  printable_resource=$( get_printable_name resource "$resource" )
  printable_interval=$( get_printable_name interval "$interval" )
  for scope in "${pressure_scopes[@]}"; do
    if [ "${resource}" == "cpu" ] && [ "${scope}" != "some" ]; then
      continue
    else
      local printable_scope
      local this_warn_var
      local this_crit_var
      printable_scope=$( get_printable_name scope "$scope" )
      this_warn_var=$( echo "warn_psi_${resource}_${interval}_${scope}" | sed 's/[^A-Za-z0-9_]/_/g' )
      this_crit_var=$( echo "crit_psi_${resource}_${interval}_${scope}" | sed 's/[^A-Za-z0-9_]/_/g' )
      printf "psi_%s_%s_%s.min 0\n" "$resource" "$interval" "$scope"
      printf "psi_%s_%s_%s.label %s %s %s\n" "$resource" "$interval" "$scope" "$printable_resource" "$printable_interval" "$printable_scope"
      if [ -n "${!this_warn_var}" ]; then
        printf "psi_%s_%s_%s.warning %s\n" "$resource" "$interval" "$scope" "${!this_warn_var}"
      fi
      if [ -n "${!this_crit_var}" ]; then
        printf "psi_%s_%s_%s.critical %s\n" "$resource" "$interval" "$scope" "${!this_crit_var}"
      fi
      if [ "$interval" == "total" ]; then
        printf "psi_%s_%s_%s.type DERIVE\n" "$resource" "$interval" "$scope"
      fi
    fi
  done
 }
 output_values() {
  local resource
  local interval
  resource="$1"
  interval="$2"
  for scope in "${pressure_scopes[@]}"; do
    if [ "${resource}" == "cpu" ] && [ "${scope}" != "some" ]; then
      continue
    else
      printf "psi_%s_%s_%s.value %s\n" "$resource" "$interval" "$scope" "$(get_pressure_value "$resource" "$interval" "$scope")"
    fi
  done
 }
 output_usage() {
  printf >&2 "%s - munin plugin to graph pressure stall information for CPU, Memory and IO as reported by the Linux kernel.\n" "${0##*/}"
  printf >&2 "Usage: %s [config]\n" "${0##*/}"
  printf >&2 "You may use environment settings in a plugin-config file, used by munin (for example /etc/munin/plugin-conf.d/munin-node) to further adjust settings.\n"
  printf >&2 "You can use these settings to configure which resources, intervals or scopes are monitored or to configure warning and critical levels.\n"
  printf >&2 "To do so use a syntax like this:\n"
  printf >&2 "[linux_psi]\n"
  printf >&2 "env.resources cpu io memory\n"
  printf >&2 "env.intervals avg10 avg60 avg300\n"
  printf >&2 "env.scopes some full\n"
  printf >&2 "env.summary_interval avg300\n"
  printf >&2 "env.warn_psi_cpu_avg300_some 5\n"
  printf >&2 "env.crit_psi_io_total_full 2000\n"
 }
 case "$#" in
  0)
    iterate_values
    ;;
  1)
    case "$1" in
      autoconf)
        check_autoconf
        ;;
      config)
        iterate_config
        ;;
      fetch)
        iterate_values
        ;;
      *)
        output_usage
        exit 1
        ;;
    esac
    ;;
  *)
    output_usage
    exit 1
    ;;
 esac
--- a/munin/tasks/main.yml
+++ b/munin/tasks/main.yml
@ -46,6 +46,8 @@
    dest: '/usr/share/munin/plugins/{{ item }}'
  loop:
    - dhcp_pool
    - linux-psi
    - ipmi_
  tags:
    - munin
@ -77,6 +79,7 @@
    - postfix_mailqueue
    - postfix_mailstats
    - postfix_mailvolume
    - linux-psi
  notify: restart munin-node
  tags:
    - munin
@ -106,6 +109,14 @@
    - temp
    - power
    - volts
    - amp
 - name: Ensure ipmitool is installed on dedicated hardware
  ansible.builtin.apt:
    name: ipmitool
    state: present
  when: ansible_virtualization_role == "host"
  notify: restart munin-node
 - name: adjustments for grsec kernel
  ansible.builtin.blockinfile:
--- a/nagios-nrpe/files/alerts_switch
+++ b/nagios-nrpe/files/alerts_switch
@ -1,83 +1,143 @@
 #!/bin/bash
 # https://forge.evolix.org/projects/evolix-private/repository
 #
-# You should not alter this file.
+# Source:
-# If you need to, create and customize a copy.
+# https://gitea.evolix.org/evolix/ansible-roles/src/branch/stable/nagios-nrpe
-
+#
 set -e
 readonly PROGNAME=$(basename $0)
-readonly PROGDIR=$(readlink -m $(dirname $0))
+readonly VERSION="24.06.00"
 readonly ARGS="$@"
-usage() {
+# Load common functions and vars
-    echo "$PROGNAME action prefix"
+readonly lib_dir="/usr/local/lib/monitoringctl"
-}
+if [ -r "${lib_dir}/common" ]; then
-
+    # shellcheck source=monitoringctl_common
-disable_alerts () {
+    source "${lib_dir}/common"
-    disabled_file="$1_disabled"
+else
-    enabled_file="$1_enabled"
+    >&2 echo "Error: missing ${lib_dir}/common file."
    if [ -e "${enabled_file}" ]; then
        mv "${enabled_file}" "${disabled_file}"
    else
        touch "${disabled_file}"
        chmod 0644 "${disabled_file}"
    fi
 }
 enable_alerts () {
    disabled_file="$1_disabled"
    enabled_file="$1_enabled"
    if [ -e "${disabled_file}" ]; then
        mv "${disabled_file}" "${enabled_file}"
    else
        touch "${enabled_file}"
        chmod 0644 "${enabled_file}"
    fi
 }
 now () {
  date --iso-8601=seconds
 }
 log_disable () {
    echo "$(now) - alerts disabled by $(logname || echo unknown)" >> $1
 }
 log_enable () {
    echo "$(now) - alerts enabled by $(logname || echo unknown)" >> $1
 }
 main () {
    local action=$1
    local prefix=$2
    local base_dir="/var/lib/misc"
    mkdir -p "${base_dir}"
    local file_path="${base_dir}/${prefix}_alerts"
    local log_file="/var/log/${prefix}_alerts.log"
    case "$action" in
    enable)
        enable_alerts ${file_path}
        log_enable ${log_file}
        ;;
    disable)
        disable_alerts ${file_path}
        log_disable ${log_file}
        ;;
    help)
        usage
        ;;
    *)
        >&2 echo "Unknown action '$action'"
    exit 1
-        ;;
+fi
-    esac
+
 if [ ! -e "${var_dir}" ]; then
    >&2 echo "Warning: missing ${var_dir} directory."
 fi
 function show_help() {
    cat <<END
 $PROGNAME disables or enables NRPE alerts wrapped by the script 'alerts_wrapper' in NRPE configuration.
 Usage: $PROGNAME disable [-d|--during <DURATION>] [--message '<DISABLE_MESSAGE>'] <WRAPPER_NAME|all>
       $PROGNAME enable [--message '<ENABLE_MESSAGE>'] <WRAPPER_NAME|all>
       $PROGNAME help
 WRAPPER_NAME:    The name given to '--name' option of 'alerts_wrapper'.
 DURATION:        Duration of alert disabling.
                 Can be '1d' for 1 day, '5m' for 5 minutes or more complex
                 expressions like '1w2d10m42s' (if no time unit is provided,
                 hour is assumed)
                 Default value: 1h
 DISABLE_MESSAGE: Message that will be logged and printed by alerts_wrapper
                 when alert is disabled.
 ENABLE_MESSAGE:  Message that will be logged when alert is enabled
 END
 }
-main $ARGS
+function disable_alerts() {
    # $1: wrapper name, $2: duration_sec, $3: disable message
    now_secs=$(date +"%s")
    disable_until_secs=$(( now_secs + ${2} ))
    disable_file_path="$(get_disable_file_path "${1}")"
    echo "${disable_until_secs}" > "${disable_file_path}"
    echo "$(logname || echo unknown): \"${3}\"" >> "${disable_file_path}"
    chmod 0644 "${disable_file_path}"
    log "${1} alerts disabled by $(logname || echo unknown)"
    log "Disable message: ${3}"
 }
 function enable_alerts() {
    # $1: wrapper name, $2: enable message
    disable_file_path="$(get_disable_file_path "${1}")"
    if [ -e "${disable_file_path}" ]; then
        rm "${disable_file_path}"
    fi
    log "${1} alerts enabled by $(logname || echo unknown)"
    log "Enable message: ${2}"
 }
 function main() {
    if [ "${action}" == 'enable' ]; then
        if [ "${wrapper_name}" == "all" ]; then
            for wrapper in $(get_wrappers_names); do
                enable_alerts "${wrapper}" "${message}"
            done
        else
            enable_alerts "${wrapper_name}" "${message}"
        fi
    elif [ "${action}" == 'disable' ]; then
        duration_sec=$(time_to_seconds "${duration}")
        if [ "${wrapper_name}" == "all" ]; then
            for wrapper in $(get_wrappers_names); do
                disable_alerts "${wrapper}" "${duration_sec}" "${message}"
            done
        else
            disable_alerts "${wrapper_name}" "${duration_sec}" "${message}"
        fi
    elif [ "${action}" == 'help' ]; then
        show_help
    fi
 }
 while :; do
    case "${1}" in
        enable|disable|help)
            action="${1}"
            shift;;
        -d|--during)
            if [ "$#" -gt 1 ]; then
                if filter_duration "${2}"; then
                    duration="${2}"
                else
                    usage_error "Option --during: \"${2}\" is not a valid duration."
                fi
            else
                error "Missing --during argument."
            fi
            shift; shift;;
        -m|--message)
            if [ "$#" -gt 1 ]; then
                message="${2}"
            else
                error "Missing --message argument."
            fi
            shift; shift;;
        *)
            if [ -n "${1}" ]; then
                if is_wrapper "${1}" || [ "${1}" == "all" ]; then
                    wrapper_name="${1}"
                else
                    error "Unknown argument '${1}', or NAME not defined in NRPE configuration."
                fi
            else
                if [ -z "${action}" ]; then
                    error "Missing action argument."
                elif [ -z "${1}" ]; then
                    break
                fi
            fi
            shift;;
    esac
 done
 if [ -z "${wrapper_name}" ] && [ "${action}" != 'help' ] ; then
    error "Missing WRAPPER_NAME."
 fi
 if [ -z "${duration}" ]; then
    duration="${default_disabled_time}"
 fi
 readonly wrapper_name duration action
 main
--- a/nagios-nrpe/files/alerts_wrapper
+++ b/nagios-nrpe/files/alerts_wrapper
@ -1,114 +1,101 @@
 #!/bin/bash
 # https://forge.evolix.org/projects/evolix-private/repository
 #
-# You should not alter this file.
+# Source:
-# If you need to, create and customize a copy.
+# https://gitea.evolix.org/evolix/ansible-roles/src/branch/stable/nagios-nrpe
 #
-VERSION="21.04"
+readonly PROGNAME=$(basename $0)
-readonly VERSION
+readonly VERSION="24.06.00"
-# base functions
+# Load common functions and vars
 readonly lib_dir="/usr/local/lib/monitoringctl"
 if [ -r "${lib_dir}/common" ]; then
    # shellcheck source=monitoringctl_common
    source "${lib_dir}/common"
 else
    >&2 echo "Error: missing ${lib_dir}/common file."
    exit 1
 fi
-show_version() {
+if [ ! -e "${var_dir}" ]; then
    >&2 echo "Warning: missing ${var_dir} directory."
 fi
 function show_help() {
    cat <<END
-alerts_wrapper version ${VERSION}
+alerts_wrapper wraps an NRPE command and overrides the return code.
-Copyright 2018-2021 Evolix <info@evolix.fr>,
+Usage: alerts_wrapper --name <WRAPPER_NAME> <CHECK_COMMAND>
-                    Jérémy Lecour <jlecour@evolix.fr>
+Usage: alerts_wrapper <WRAPPER_NAME> <CHECK_COMMAND> (deprecated)
                    and others.
 alerts_wrapper comes with ABSOLUTELY NO WARRANTY.This is free software,
 and you are welcome to redistribute it under certain conditions.
 See the GNU General Public License v3.0 for details.
 END
 }
 show_help() {
    cat <<END
 alerts_wrapper is supposed to wrap an NRPE command and overrides the return code.
 Usage: alerts_wrapper --limit=1d --name=check_name command with optional arguments
  or   alerts_wrapper --name=check_name command with optional arguments
  or   alerts_wrapper check_name command with optional arguments
 Options
- --limit            max age of the "check file" ;
+  --name               Wrapper name, it is very recommended to use the check name (like load, disk1…).
-                    can be "1d" for 1 day, "5m" for 5 minutes…
+                       Special name: 'all' is already hard-coded.
-                    or more complex expressions like "1w2d10m42s"
+  -h, --help           Print this message and exit.
- --name             check name
+  -V, --version        Print version and exit.
 -h, --help         print this message and exit
 -V, --version      print version and exit
 END
 }
-time_in_seconds() {
+function enable_wrapper() {
-    if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
+    # $1: wrapper name
        echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
    elif echo "${1}" | grep -E -q '^([0-9]+$)'; then
        echo "${1} * 3600" | xargs expr
    else
        return 1
    fi
 }
 delay_from_alerts_disabled_file() {
    last_change=$(stat -c %Z "${alerts_disabled_file}")
    limit_seconds=$(time_in_seconds "${wrapper_limit}" || time_in_seconds "${wrapper_limit_default}") 
    limit_date=$(date --date "${limit_seconds} seconds ago" +"%s")
    echo $(( last_change - limit_date ))
 }
 enable_check() {
    if [ "$(id -u)" -eq "0" ] ; then
-        /usr/local/bin/alerts_switch enable "${check_name}"
+        /usr/local/bin/alerts_switch enable "${1}"
    else
-        sudo /usr/local/bin/alerts_switch enable "${check_name}"
+        sudo /usr/local/bin/alerts_switch enable "${1}"
    fi
 }
-main() {
+function main() {
-    ${check_command} > "${check_stdout}"
+    is_disabled="$(is_disabled_wrapper "${wrapper_name}")"
    if [ -e "${disable_file}" ] && [ "${is_disabled}" = "False" ]; then
        enable_wrapper "${wrapper_name}"
    fi
    timeout_command=""
    if [ "${is_disabled}" = "True" ]; then
        timeout_command="timeout 8"
    fi
    check_stdout="$(${timeout_command} ${check_command})"
    check_rc=$?
    readonly check_rc
-    delay=0
+    if [ "${is_disabled}" = "True" ] && [ "${check_rc}" -eq 124 ] && [ -z "${check_stdout}" ]; then
-
+        check_stdout="Check timeout (> 8 sec)"
    if [ -e "${alerts_disabled_file}" ]; then
        delay=$(delay_from_alerts_disabled_file)
        if [ "${delay}" -le "0" ]; then
            enable_check
        fi
    fi
-    if [ -e "${alerts_disabled_file}" ]; then
+    if [ "${is_disabled}" = "True" ]; then
-        formatted_last_change=$(date --date "@$(stat -c %Z "${alerts_disabled_file}")" +'%c')
+        enable_time="$(get_enable_time "${wrapper_name}")"
-        readonly formatted_last_change
+        enable_delay="$(enable_delay "${enable_time}")"
        delay_str="$(delay_to_string "${enable_delay}")"
        enable_date="$(date --date "+${enable_delay} seconds" "+%d %h %Y at %H:%M:%S")"
        disable_msg="$(get_disable_message "${wrapper_name}")"
        if [ -n "${disable_msg}" ]; then
            disable_msg="- ${disable_msg} "
        fi
        echo "ALERT DISABLED until ${enable_date} (${delay_str} left) ${disable_msg}- Check output: ${check_stdout}"
    else
        echo "${check_stdout}"
    fi
-        echo "ALERTS DISABLED for ${check_name} (since ${formatted_last_change}, delay: ${delay} sec) - $(cat "${check_stdout}")"
+    if [ "${is_disabled}" = "True" ]; then
        if [ ${check_rc} = 0 ]; then
-            # Nagios OK
+            exit 0  # Nagios OK
            exit 0
        else
-            # Nagios WARNING
+            exit 1  # Nagios WARNING
            exit 1
        fi
    else
        cat "${check_stdout}"
        exit ${check_rc}
    fi
 }
 # Default: 1 day before re-enabling the check
 wrapper_limit_default="1d"
 readonly wrapper_limit_default
 if [[ "${1}" =~ -.* ]]; then
    # parse options
    # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
    while :; do
-        case $1 in
+        case "${1}" in
            -h|-\?|--help)
                show_help
                exit 0
@ -117,47 +104,25 @@ if [[ "${1}" =~ -.* ]]; then
                show_version
                exit 0
                ;;
-
+            -n|--name)
            --limit)
                # with value separated by space
-                if [ -n "$2" ]; then
+                if [ -n "${2}" ]; then
-                    wrapper_limit=$2
+                    wrapper_name="${2}"
                    shift
                else
                    printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
                    exit 1
                fi
                ;;
            --limit=?*)
                # with value speparated by =
                wrapper_limit=${1#*=}
                ;;
            --limit=)
                # without value
                printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
                exit 1
                ;;
            --name)
                # with value separated by space
                if [ -n "$2" ]; then
                    check_name=$2
                    shift
                else
                    printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
-                    exit 1
+                    exit 2
                fi
                ;;
-            --name=?*)
+            -n|--name=?*)
-                # with value speparated by =
+                # with value separated by =
-                check_name=${1#*=}
+                wrapper_name="${1#*=}"
                ;;
-            --name=)
+            -n|--name=)
                # without value
                printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
-                exit 1
+                exit 2
                ;;
            --)
                # End of all options.
                shift
@ -165,8 +130,8 @@ if [[ "${1}" =~ -.* ]]; then
                ;;
            -?*)
                # ignore unknown options
-                printf 'WARN: Unknown option : %s\n' "$1" >&2
+                printf 'ERROR: Unknown option : %s\n' "${1}" >&2
-                exit 1
+                exit 2
                ;;
            *)
                # Default case: If no more options then break out of the loop.
@ -180,38 +145,22 @@ if [[ "${1}" =~ -.* ]]; then
    check_command="$*"
 else
    # no option is passed (backward compatibility with previous version)
-    # treat the first argument as check_name and the rest as the command
+    # treat the first argument as wrapper_name and the rest as the command
-    check_name="${1}"
+    wrapper_name="${1}"
    shift
    check_command="$*"
 fi
-# Default values or errors
+if [ -z "${wrapper_name}" ]; then
-if [ -z "${wrapper_limit}" ]; then
+    printf 'ERROR: You must specify a wrapper name, with --names.\n' >&2
-    wrapper_limit="${wrapper_limit_default}"
+    exit 2
 fi
 if [ -z "${check_name}" ]; then
    printf 'ERROR: You must specify a check name, with --name.\n' >&2
    exit 1
 fi
 if [ -z "${check_command}" ]; then
    printf 'ERROR: You must specify a command to execute.\n' >&2
-    exit 1
+    exit 2
 fi
-readonly check_name
+disable_file="$(get_disable_file_path "${wrapper_name}")"
-readonly check_command
+readonly wrapper_name check_command disable_file
 readonly wrapper_limit
 alerts_disabled_file="/var/lib/misc/${check_name}_alerts_disabled"
 readonly alerts_disabled_file
 check_file="/var/lib/misc/${check_name}_alerts_disabled"
 readonly check_file
 check_stdout=$(mktemp --tmpdir=/tmp "${check_name}_stdout.XXXX")
 readonly check_stdout
 # shellcheck disable=SC2064
 trap "rm ${check_stdout}" EXIT
 main
--- a/nagios-nrpe/files/check-local
+++ b/nagios-nrpe/files/check-local
@ -1,36 +1,9 @@
 #!/usr/bin/env bash
-CHECK_BIN=/usr/lib/nagios/plugins/check_nrpe
+readonly orange="\e[0;33m"
 readonly nocolor="\e[0m"
-server_address="127.0.0.1"
+echo -e "${orange}'check-local' is now an alias for 'monitoringctl check'. See 'monitoringctl -h' for more information.${nocolor}"
 if ! test -f "${CHECK_BIN}"; then
    echo "${CHECK_BIN} is missing, please install nagios-nrpe-plugin package."
    exit 1
 fi
 for file in /etc/nagios/{nrpe.cfg,nrpe_local.cfg,nrpe.d/evolix.cfg}; do
    if [ -r ${file} ]; then
        command_search=$(grep "\[check_$1\]" "${file}" | grep -v '^[[:blank:]]*#' | tail -n1 | cut -d'=' -f2-)
    fi
    if [ -n "${command_search}" ]; then
        command="${command_search}"
    fi
    if [ -r ${file} ]; then
        server_address_search=$(grep "server_address" "${file}" | grep -v '^[[:blank:]]*#' | cut -d'=' -f2)
    fi
    if [ -n "${server_address_search}" ]; then
        server_address="${server_address_search}"
    fi
 done
 if [ -n "${command}" ]; then
    echo "Found command in /etc/nagios (take care, in some cases, Nagios can play another command):"
    echo "    ${command}"
 fi
 echo "NRPE daemon output:"
 "${CHECK_BIN}" -H "${server_address}" -c "check_$1"
 monitoringctl check "${1}"
--- a/nagios-nrpe/files/check-local_completion
+++ b/nagios-nrpe/files/check-local_completion
@ -1,10 +1,14 @@
 #!/usr/bin/env bash
 function _get_checks_names() {
    grep --extended-regexp --no-filename --no-messages -R "command\[check_.*\]="  /etc/nagios/ | grep --invert-match --extended-regexp "^\s*#" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq
 }
 # List of available checks
 _check_local_dynamic_completion() {
-    local cur;
+    local cur=${COMP_WORDS[COMP_CWORD]};
-    cur=${COMP_WORDS[COMP_CWORD]};
+
-    COMPREPLY=();
+    COMPREPLY=( $( compgen -W '$(_get_checks_names)' -- "${cur}" ) );
    COMPREPLY=( $( compgen -W '$(grep "\[check_" -Rs /etc/nagios/ | grep -vE "^[[:blank:]]*#" | awk -F"[\\\[\\\]=]" "{print \$2}" | sed "s/check_//" | sort | uniq)' -- $cur ) );
 }
 complete -F _check_local_dynamic_completion check-local
--- a/nagios-nrpe/files/check_async
+++ b/nagios-nrpe/files/check_async
--- a/nagios-nrpe/files/monitoringctl
+++ b/nagios-nrpe/files/monitoringctl
@ -0,0 +1,634 @@
 #!/usr/bin/env bash
 #set -x
 readonly VERSION="24.06.00"
 function show_help() {
    cat <<EOF
 ${bold}monitoringctl${no_bold} version ${VERSION}.
 ${bold}monitoringctl${no_bold} gives some control over NRPE checks and alerts.
 Usage: ${bold}monitoringctl${no_bold} [OPTIONS] ACTION ARGUMENTS
 ${bold}GENERAL OPTIONS${no_bold}
    -h, --help                  Print this message and exit.
    -V, --version               Print version number and exit.
 ${bold}ACTIONS${no_bold}
    ${bold}list${no_bold}
        List the checks defined in NRPE configuration.
    ${bold}status [CHECK_NAME|all]${no_bold}
        Print whether alerts are enabled or not (silenced).
        If alerts are disabled (silenced), show disable message and time left before automatic re-enabling.
    ${bold}check [-b|--bypass-nrpe] CHECK_NAME|all${no_bold}
        Ask CHECK_NAME status to NRPE as an HTTP request.
        Indicates which command NRPE has supposedly run (from its configuration).
        -b, --bypass-nrpe       Execute directly command from NRPE configuration,
                                as user nagios, without passing the request to NRPE.
    ${bold}disable CHECK_NAME|all [-d|--during DURATION] [-m|--message 'DISABLE MESSAGE']${no_bold}
        Disable (silence) CHECK_NAME or all alerts for DURATION and write DISABLE MESSAGE into the log.
        Checks output is still printed, so alerts history won't be lost.
        -d, --during DURATION            See section DURATION.
        -m, --message 'DISABLE MESSAGE'  See section MESSAGE.
    ${bold}enable CHECK_NAME|all [-m|--message 'ENABLE MESSAGE']${no_bold}
        Re-enable CHECK_NAME or all alerts
        -m, --message 'ENABLE MESSAGE'   See section MESSAGE.
    ${bold}show CHECK_NAME${no_bold}
        Show NPRE command(s) configured for CHECK_NAME
 ${bold}MESSAGE${no_bold}
    Message that will be written in log and in check output when disabled.
    It is mandatory, but in interactive shells it can be omitted. In tgis case it is asked interactively.
    Warning: In non-interactive shells (scripts, crons…), this option is mandatory.
 ${bold}DURATION${no_bold}
    Time (string) during which alerts will be disabled (optional, default: "1h").
    ${bold}Format${no_bold}
        You can use 'd' (day), 'h' (hour) and 'm' (minute) , or a combination of them, to specify a duration.
        Examples: '2d', '1h', '10m', '1h10' ('m' is guessed).
 ${bold}OTHER NOTES${no_bold}
    For actions disable, enable and status, CHECK_NAME is actually the --name option passed to alerts_wrapper, and not the NRPE check name. Both check name and alerts_wrapper --name option should be equal in NRPE configuration to avoid confusion.
    Log path: ${log_file}
 EOF
 }
 function list_checks() {
    checks="$(get_checks_names)"
    for check in $checks; do
        echo "${check}"
    done
 }
 function check() {
    # $1: check name, "all" or empty
    readonly check_nrpe_bin="/usr/lib/nagios/plugins/check_nrpe"
    if [ ! -f "${check_nrpe_bin}" ]; then
        >&2 echo "${check_nrpe_bin} is missing, please install nagios-nrpe-plugin package."
        exit 1
    fi
    conf_lines="$(get_nrpe_conf "${nrpe_conf_path}")"
    server_address=$(echo "$conf_lines" | grep "server_address" | tail -n1 | cut -d'=' -f2)
    if [ -z "${server_address}" ]; then server_address="127.0.0.1"; fi
    server_port=$(echo "$conf_lines" | grep "server_port" | tail -n1 | cut -d'=' -f2)
    if [ -z "${server_port}" ]; then server_port="5666"; fi
    if [ -z "${1}" ] || [ "${1}" = "all" ]; then
        # Array header for multi-checks
        checks="$(get_checks_names)"
        header="Check\tStatus\tOutput (truncated)"
        underline="-----\t------\t------------------"
        str_out="\n${header}\n${underline}\n"
    else
        checks="${1}"
    fi
    for check in $checks; do
        printf "\033[KChecking %s…\r" "${check}"
        err_msg=""
        if [ "${bypass_nrpe}" = "False" ]; then
            request_command="${check_nrpe_bin} -H ${server_address} -p ${server_port} -c check_${check} 2&>1"
        else
            check_commands="$(get_check_commands "${check}")"
            if [ -n "${check_commands}" ]; then
                check_command="$(echo "${check_commands}" |  tail -n1)"
                request_command="sudo -u nagios -- ${check_command}"
            else
                if [ -z "${1}" ] || [ "${1}" = "all" ]; then
                    err_msg="Check command not found in NRPE configuration."
                else
                    err_msg="Error: no command found in NRPE configuration for check '${check}'. Aborted."
                fi
            fi
        fi
        if [ -z "${err_msg}" ]; then
            check_output="$(${request_command})"
            rc="$?"
            check_output="$(echo "${check_output}" | tr '\n' ' ')"
            if [ -z "${1}" ] || [ "${1}" = "all" ]; then
                if [ "${#check_output}" -gt 60 ]; then
                    check_output="$(echo "${check_output}" | cut -c-80) [...]"
                fi
            fi
        else
            check_output="${err_msg}"
            rc="3"
        fi
        case "${rc}" in
            0)
                rc_str="OK"
                color="${green}"
                ;;
            1)
                rc_str="Warning"
                color="${orange}"
                ;;
            2)
                rc_str="Critical"
                color="${red}"
                ;;
            3)
                rc_str="Unknown"
                color="${purple}"
                ;;
            *)
                rc_str="Unknown"
                color="${purple}"
        esac
        if [ -z "${1}" ] || [ "${1}" = "all" ]; then
            str_out="${str_out}${color}${check}\t${rc_str}${nocolor}\t${check_output}\n"
        fi
    done
    if [ -z "${1}" ] || [ "${1}" = "all" ]; then
        echo -e "${str_out}" | column -t -s $'\t'
    else
        printf "\033[K\n"  # erase tmp line « Checking check_toto…»
        if [ "${bypass_nrpe}" = "False" ]; then
            echo -e "NRPE service output (on ${server_address}:${server_port}):\n"
        else
            echo -e "Direct check output (bypassing NRPE):\n"
        fi
        echo -e "${color}${check_output}${nocolor}\n" | sed 's/|/\n/g'
        exit "${rc}"
    fi
 }
 # Print error message and exit if not installed
 function alerts_switch_is_installed() {
    if ! command -v alerts_switch &> /dev/null; then
        error "Error: script 'alerts_switch' is not installed. Aborted."
    fi
 }
 function disable_alerts() {
    # $1: check name | all
    # $2: disable message
    alerts_switch_is_installed
    if [ "${1}" = "all" ]; then
        checks="$(get_checks_names)"
    else
        checks="${1}"
    fi
    warn_not_wrapped "${checks}"
    warn_wrapper_names "${checks}"
    if [ -z "${2}" ]; then
        if [ "${is_interactive}" = "False" ]; then
            error "Error: disable message option is mandatory in non-interactive shell."
        fi
        echo -n "> Please provide a disable message (for logging and check output): "
        read -r message
        echo ''
        if [ -z "${message}" ]; then
            error "${red}Error:${nocolor} disable message is mandatory."
        fi
    else
        message="${2}"
    fi
    default_msg=""
    if [ "${default_duration}" = "True" ]; then
        default_msg=" (use --during to change default time)"
    fi
    if [ "${1}" = "all" ]; then
        check_txt="All checks"
    else
        check_txt="Check ${1}"
    fi
    echo_box "${check_txt} will be disabled for ${duration}${default_msg}."
    cat <<EOF
 Additional information:
 * Alerts history is kept in our monitoring system.
 * To see when the will be re-enabled, execute 'monitoringctl status ${1}'.
 * To re-enable alert(s) before ${duration}, execute as root or with sudo: 'monitoringctl enable ${1}'.
 EOF
    if [ "${1}" != "all" ]; then
        if is_check "${1}"; then
            wrapper="$(get_check_wrapper_name "${1}")"
        else
            wrapper="${1}"
        fi
        checks="$(get_wrapper_checks "${wrapper}")"
        n_checks="$(echo "${checks}" | wc -w)"
        if [ "${n_checks}" -gt 1 ]; then
            >&2 echo -e "${orange}Warning:${nocolor} because they have the same configuration, disabling ${1} will disable: ${checks}.\n"
            log "Warning: disabling ${1} will disable ${checks} (which have the same wrapper name)."
        fi
    else
        wrapper="all"
    fi
    if [ "${is_interactive}" = "True" ]; then
        echo -n "> Confirm (y/N)? "
        read -r answer
        if [ "${answer}" != "Y" ] && [ "${answer}" != "y" ]; then
            echo -e "${orange}Canceled.${nocolor}" && exit 0
        fi
    fi
    log "Action disable ${1} requested for ${duration} by user $(logname || echo unknown)."
    alerts_switch disable "${wrapper}" --during "${duration}" --message "${message}"
    if [ "${1}" != "all" ]; then
        if [ "${n_checks}" -eq 1 ]; then
            echo -e "${orange}Check ${1} alerts are now disabled for ${duration}.${nocolor}"
        else
            echo -e "${orange}Alerts are now disabled for ${duration} for checks: ${checks}.${nocolor}"
        fi
    else
        echo -e "${orange}All alerts are now disabled for ${duration}.${nocolor}"
    fi
 }
 function enable_alerts() {
    # $1: check name, $2: enable message
    alerts_switch_is_installed
    if [ "${1}" != "all" ]; then
        # Verify that check is not already enabled
        is_disabled="$(is_disabled_check "${1}")"
        if [ "${is_disabled}" = "False" ]; then
            echo "${1} is already enabled, see 'monitoringctl status'"
            exit 0
        fi
    fi
    if [ -z "${2}" ]; then
        if [ "${is_interactive}" = "False" ]; then
            error "Error: disable message option is mandatory in non-interactive shell."
        fi
        echo -n "> Please provide an enable message (for logging): "
        read -r message
        echo ''
        if [ -z "${message}" ]; then
            error "${red}Error:${nocolor} disable message is mandatory."
        fi
    else
        message="${2}"
    fi
    log "Action enable ${1} requested by user $(logname || echo unknown)."
    if [ "${1}" != "all" ]; then
        if is_check "${1}"; then
            wrapper="$(get_check_wrapper_name "${1}")"
        else
            wrapper="${1}"
        fi
        checks="$(get_wrapper_checks "${wrapper}")"
        n_checks="$(echo "${checks}" | wc -w)"
        if [ "${n_checks}" -gt 1 ]; then
            >&2 echo -e "${orange}Warning:${nocolor} because they have the same configuration, enabling ${1} will enable: ${checks}.\n"
            log "Warning: check ${1} will enable ${checks} (which have the same wrapper name)."
        fi
    else
        wrapper="all"
    fi
    alerts_switch enable "${wrapper}" --message "${message}"
    if [ "${1}" != "all" ]; then
        if [ "${n_checks}" -eq 1 ]; then
            echo -e "${green}Check ${1} alerts are now enabled.${nocolor}"
        else
            echo -e "${green}Alerts are now enabled for checks: ${checks}.${nocolor}"
        fi
    else
        echo -e "${green}All alerts are now enabled.${nocolor}"
    fi
 }
 # Show NRPE command(s) configured for a check
 function show_check_commands() {
    # $1: check name
    check_commands=$(get_check_commands "${1}")
    if [ -z "${check_commands}" ]; then
        usage_error "Error: no command found in NRPE configuration for check '${1}."
    fi
    n_commands="$(echo "${check_commands}" | wc -l)"
    if [ "${n_commands}" -ne 1 ]; then
        echo "Available commands (in config order, the last one overwrites the others):"
        echo "    $check_commands"
    fi
    check_command=$(echo "${check_commands}" | tail -n1)
    echo "Command used by NRPE:"
    echo "    ${check_command}"
 }
 # Print a warning if some wrappers have the same name
 # or if a name is different from the check.
 function warn_wrapper_names() {
    #$1: checks to verify
    warned="False"
    for check in ${1}; do
        wrapper_name="$(get_check_wrapper_name "${check}")"
        if [ -n "${wrapper_name}" ] && [ "${wrapper_name}" != "${check}" ]; then
            >&2 echo -e "${orange}Warning:${nocolor} ${check} check has wrapper name ${wrapper_name}."
            warned="True"
        fi
    done
    if [ "${warned}" = "True" ]; then
        >&2 echo -e "${orange}It is recommanded to name the wrappers the same as the checks.${nocolor}\n"
    fi
 }
 # Print a warning if some checks are not wrapped
 function warn_not_wrapped() {
    #$1: checks to verify
    unwrappeds="$(not_wrapped_checks)"
    unwrapped_checks="$(comm -12 <(echo "${1}") <(echo "${unwrappeds}"))"
    if [ -n "${unwrapped_checks}" ]; then
        n_checks="$(echo "${1}" | wc -w)"
        n_unwrapped="$(echo "${unwrapped_checks}" | wc -w)"
        if [ "${n_unwrapped}" == "${n_checks}" ]; then
            if [ "${n_unwrapped}" -eq 1 ]; then
                error "${red}Error:${nocolor} ${1} check is not wrapped, it cannot be disabled."
            else
                error "${red}Error:${nocolor} these checks are not wrapped, they cannot be disabled: $(echo "${unwrapped_checks}" | xargs)"
            fi
        else
            if [ "${n_unwrapped}" -eq 1 ]; then
                >&2 echo -e "${orange}Warning:${nocolor} ${unwrapped_checks} check is not wrapped, it will not be disabled."
            else
                >&2 echo -e -n "${orange}Warning:${nocolor} some checks are not configured, they will not be disabled: $(echo "${unwrapped_checks}" | xargs)\n\n"
            fi
        fi
        log "Warning: some checks have no alerts_wrapper, they will not be disabled: $(echo "${unwrapped_checks}" | xargs)"
    fi
 }
 # Echo a message in a box
 function echo_box() {
    # $1: message
    msg_len="${#1}"
    line="$(printf '─%.0s' $(eval "echo {1.."${msg_len}"}"))"
    cat <<EOF
 ┌${line}┐
 │${1}│
 └${line}┘
 EOF
 }
 # Echo which checks are enabled or disabled and time left
 function alerts_status() {
    # $1: check name, "all" or empty
    if [ -z "${1}" ] || [ "${1}" = "all" ]; then
        checks="$(get_checks_names)"
    else
        checks="${1}"
    fi
    warn_wrapper_names "${checks}"
    header="Check\tStatus\tRe-enable time\tDisable message"
    underline="-----\t------\t--------------\t---------------"
    str_out="${header}\n${underline}\n"
    for check in $checks; do
        enable_str=""
        status_str="Enabled"
        disable_msg=""
        if ! is_wrapped "${check}"; then
            status_str="Not configured"
        else
            is_disabled="$(is_disabled_check "${check}")"
            wrapper_name="$(get_check_wrapper_name "${check}")"
            if [ "${is_disabled}" = "True" ]; then
                status_str="Disabled"
                enable_time="$(get_enable_time "${wrapper_name}")"
                enable_delay="$(enable_delay "${enable_time}")"
                delay_str="$(delay_to_string "${enable_delay}")"
                enable_date="$(date --date "+${enable_delay} seconds" "+%d %h %Y at %H:%M:%S")"
                enable_str="${enable_date} (${delay_str} left)"
                disable_msg="$(get_disable_message "${wrapper_name}")"
            fi
        fi
        case "${status_str}" in
            "Enabled")
                color="${green}"
                ;;
            "Disabled")
                color="${orange}"
                ;;
            *)
                color="${red}"
        esac
        str_out="${str_out}${color}${check}\t${status_str}${nocolor}\t${enable_str}\t${disable_msg}\n"
    done
    echo -e "${str_out}" | column -t -s $'\t'
 }
 ### MAIN #########################################
 red=''
 green=''
 orange=''
 purple=''
 nocolor=''
 bold=''
 no_bold=''
 # Is interactive shell ?
 if [ -t 0 ] && [ -t 1 ]; then
    readonly is_interactive="True"
    red="\e[0;31m"
    green="\e[0;32m"
    orange="\e[0;33m"
    purple="\e[0;35m"
    nocolor="\e[0m"
    bold="$(tput bold)"
    no_bold="$(tput sgr0)"
 else
    readonly is_interactive="False"
 fi
 # Load common functions and vars
 readonly lib_dir="/usr/local/lib/monitoringctl"
 if [ -r "${lib_dir}/common" ]; then
    # shellcheck source=monitoringctl_common
    source "${lib_dir}/common"
 else
    >&2 echo "Error: missing ${lib_dir}/common file."
    exit 1
 fi
 if [[ ! "${PATH}" =~ /usr/local/bin ]]; then
    PATH="/usr/local/bin:${PATH}"
 fi
 # Must be root
 if [ "$(id -u)" -ne 0 ]; then
    >&2 echo "You need to be root (or use sudo) to run ${0}!"
    exit 1
 fi
 # No argument
 if [ "$#" = "0" ]; then
    show_help
    exit 1
 fi
 # Default arguments and options
 action=""
 message=""
 duration="${default_disabled_time}"
 bypass_nrpe="False"
 default_duration="True"
 # Parse arguments and options
 while :; do
    case "${1}" in
        -h|-\?|--help)
            show_help
            exit 0;;
        -V|--version)
            show_version
            exit 0;;
        -b|--bypass-nrpe)
            bypass_nrpe="True"
            shift;;
        -d|--during)
            if [ "${default_duration}" = "False" ]; then
                 usage_error "Option --during: defined multiple times."
            fi
            if [ "$#" -lt 2 ]; then
                usage_error "Option --during: missing value."
            fi
            if filter_duration "${2}"; then
                duration="${2}"
            else
                usage_error "Option --during: \"${2}\" is not a valid duration."
            fi
            default_duration="False"
            shift; shift;;
        -m|--message)
            if [ "$#" -lt 2 ]; then
                usage_error "Option --message: missing message string."
            fi
            message="${2}"
            shift; shift;;
        status|check|enable|disable|show|list)
            action="${1}"
            shift;;
        *)
            if [ -z "${1}" ]; then
                break
            fi
            case "${action}" in
                status|check)
                    if is_check "${1}" || [ "${1}" = "all" ]; then
                        check_name="${1}"
                    else
                        usage_error "Action ${action}: unknown check '${1}'."
                    fi
                    ;;
                show)
                    if is_check "${1}"; then
                        check_name="${1}"
                    else
                        usage_error "Action ${action}: unknown check '${1}'."
                    fi
                    ;;
                enable|disable)
                    if is_wrapper "${1}" || is_check "${1}" || [ "${1}" = "all" ]; then
                        check_name="${1}"
                    else
                        # We use the word "check" for the end user,
                        # but this is actually "unknown wrapper"
                        usage_error "Action ${action}: unknown check '${1}'."
                    fi
                    ;;
                *)
                    usage_error "Missing or invalid ACTION argument."
                    ;;
            esac
            shift;;
    esac
 done
 if [ "$#" -gt 0 ]; then
    usage_error "Too many arguments."
 fi
 case "${action}" in
    disable|enable|show)
        if [ -z "${check_name}" ]; then
            usage_error "Action ${action}: missing CHECK_NAME argument."
        fi
        ;;
 esac
 if [ ! "${action}" = "disable" ]; then
    if [ "${default_duration}" = "False" ]; then
        usage_error "Action ${action}: there is no --during option."
    fi
 fi
 case "${action}" in
    list)
        list_checks
        ;;
    status)
        alerts_status "${check_name}"
        ;;
    check)
        check "${check_name}"
        ;;
    show)
        show_check_commands "${check_name}"
        ;;
    enable)
        enable_alerts "${check_name}" "${message}"
        ;;
    disable)
        disable_alerts "${check_name}" "${message}"
        ;;
 esac
--- a/nagios-nrpe/files/monitoringctl_common
+++ b/nagios-nrpe/files/monitoringctl_common
@ -0,0 +1,292 @@
 #!/usr/bin/env bash
 # Location of disable files
 readonly var_dir="/var/lib/monitoringctl"
 readonly log_file="/var/log/monitoringctl.log"
 readonly nrpe_conf_path="/etc/nagios/nrpe.cfg"
 debian_major_version="$(cut -d "." -f 1 < /etc/debian_version)"
 readonly debian_major_version
 # If no time limit is provided in CLI or found in file, this value is used
 readonly default_disabled_time="1h"
 _nrpe_conf_lines=''  # populated at the end of the file
 function error() {
    # $1: error message
    >&2 echo -e "${1}"
    exit 1
 }
 function usage_error() {
    # $1: error message
    >&2 echo "${1}"
    >&2 echo "Execute \"${PROGNAME} --help\" for information on usage."
    exit 1
 }
 function log() {
    # $1: message
    echo "$(now_iso) - ${PROGNAME}: ${1}" >> "${log_file}"
 }
 function show_version() {
    cat <<END
 ${PROGNAME} version ${VERSION}.
 Copyright 2018-2024 Evolix <info@evolix.fr>,
                    Jérémy Lecour <jlecour@evolix.fr>
                    and others.
 ${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software,
 and you are welcome to redistribute it under certain conditions.
 See the GNU General Public License v3.0 for details.
 END
 }
 # Fail if argument does not respect format: XwXdXhXmXs, XhX, XmX
 function filter_duration() {
    # $1: duration in format specified above
    _time_regex="^([0-9]+d)?(([0-9]+h(([0-9]+m?)|([0-9]+m([0-9]+s?)?))?)|(([0-9]+m([0-9]+s?)?)?))?$"
    if [[ "${1}" =~ ${_time_regex} ]]; then
        return 0
    fi
    return 1
 }
 # Convert human writable duration into seconds
 function time_to_seconds() {
    # $1: formated time string
    if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
        echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
    elif echo "${1}" | grep -E -q '^([0-9]+h[0-9]+$)'; then
        echo "${1}" | sed 's/h/ * 3600 + /g; s/$/ * 60/' | xargs expr
    elif echo "${1}" | grep -E -q '^([0-9]+m[0-9]+$)'; then
        echo "${1}" | sed 's/m/ * 60 + /g' | xargs expr
    else
        error "Invalid duration: '${1}'."
    fi
 }
 # Print re-enable time in secs
 function get_enable_time() {
    # $1: wrapper name
    _disable_file_path="$(get_disable_file_path "${1}")"
    if [ ! -e "${_disable_file_path}" ]; then
        return
    fi
    _enable_secs="$(grep -v -E "^\s*#" "${_disable_file_path}" | sed '/^$/d' | head -n1 | awk '/^[0-9]+$/ {print $1}')"
    # If file is empty, use file last change date plus default disabled time
    if [ -z "${_enable_secs}" ]; then
        _file_last_change_secs="$(stat -c %Z "${_disable_file_path}")"
        _default_disabled_time_secs="$(time_to_seconds "${default_disabled_time}")"
        _enable_secs="$(( _file_last_change_secs + _default_disabled_time_secs ))"
    fi
    echo "${_enable_secs}"
 }
 # Print disable message
 function get_disable_message() {
    # $1: wrapper name
    _disable_file_path="$(get_disable_file_path "${1}")"
    if [ ! -e "${_disable_file_path}" ]; then
        return
    fi
    _disable_msg="$(sed '/^$/d' "${_disable_file_path}" | tail -n+2 | tr '\n' ' ' | awk '{$1=$1;print}')"
    echo "${_disable_msg}"
 }
 function now_secs() {
    date +"%s"
 }
 function now_iso() {
    date --iso-8601=seconds
 }
 # Print delay before re-enable in secs
 function enable_delay() {
    # $1: re-enable time in secs
    echo $(( ${1} - $(now_secs) ))
 }
 # Converts delay (in seconds) into human readable duration
 function delay_to_string() {
    # $1: delay in secs
    _delay_days="$(( ${1} /86400 ))"
    if [ "${_delay_days}" -eq 0 ]; then _delay_days=""
    else _delay_days="${_delay_days}d"; fi
    _delay_hours="$(( (${1} %86400) /3600 ))"
    if [ "${_delay_hours}" -eq 0 ]; then _delay_hours=""
    else _delay_hours="${_delay_hours}h"; fi
    _delay_minutes="$(( ((${1} %86400) %3600) /60 ))"
    if [ "${_delay_minutes}" -eq 0 ]; then _delay_minutes=""
    else _delay_minutes="${_delay_minutes}m"; fi
    _delay_seconds="$(( ((${1} %86400) %3600) %60 ))"
    if [ "${_delay_seconds}" -eq 0 ]; then _delay_seconds=""
    else _delay_seconds="${_delay_seconds}s"; fi
    echo "${_delay_days}${_delay_hours}${_delay_minutes}${_delay_seconds}"
 }
 function is_disabled_check() {
    # $1: check name
    _wrapper="$(get_check_wrapper_name "${1}")"
    is_disabled_wrapper "${_wrapper}"
 }
 function is_disabled_wrapper() {
    # $1: wrapper name
    _wrapper="${1}"
    _disable_file_path="$(get_disable_file_path "${_wrapper}")"
    if [ -e "${_disable_file_path}" ]; then
        _enable_time="$(get_enable_time "${_wrapper}")"
        _enable_delay="$(enable_delay "${_enable_time}")"
        if [ "${_enable_delay}" -le "0" ]; then
            echo "False"
        else
            echo "True"
        fi
    else
        echo False
    fi
 }
 function get_disable_file_path() {
    # $1: wrapper name
    echo "${var_dir}/${1}_alerts_disabled"
 }
 ### Nagios configuration functions ####################
 # Print NRPE configuration, with includes, without comments
 # and in the same order than NRPE does (taking account that
 # order changes from Deb10)
 function get_nrpe_conf() {
    echo "${_nrpe_conf_lines}"
 }
 # Private function to recursively get NRPE conf from file
 function _get_conf_from_file() {
    # $1: NRPE conf file (.cfg)
    if [ ! -f "${1}" ]; then return; fi
    _conf_lines=$(grep -E -R -v --no-filename "^\s*(#.*|)$" "${1}")
    while read -r _line; do
        if [[ "${_line}" =~ .*'include='.* ]]; then
            _conf_file=$(echo "${_line}" | cut -d= -f2)
            _get_conf_from_file "${_conf_file}"
        elif [[ "${_line}" =~ .*'include_dir='.* ]]; then
            _conf_dir=$(echo "${_line}" | cut -d= -f2)
            _get_conf_from_dir "${_conf_dir}"
        else
            echo "${_line}"
        fi
    done <<< "${_conf_lines}"
 }
 # Private function to recursively get NRPE conf from directory
 function _get_conf_from_dir() {
    # $1: NRPE conf dir
    if [ ! -d "${1}" ]; then return; fi
    if [ "${debian_major_version}" -ge 10 ]; then
        # From Deb10, NRPE use scandir() with alphasort() function
        _sort_command="sort"
    else
        # Before Deb10, NRPE use loaddir(), like find utility
        _sort_command="cat -"
    fi
    # Add conf files in dir to be processed recursively
    for _file in $(find "${1}" -maxdepth 1 -name "*.cfg" 2> /dev/null | ${_sort_command}); do
        if [ -f "${_file}" ]; then
            _get_conf_from_file "${_file}"
        elif [ -d "${_file}" ]; then
            _get_conf_from_dir "${_file}"
        fi
    done
 }
 # Print the checks that are configured in NRPE
 function get_checks_names() {
    echo "${_nrpe_conf_lines}" | grep -E "command\[check_.*\]=" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq
 }
 # Print the commands defined for check $1 in NRPE configuration
 function get_check_commands() {
    # $1: check name
    echo "${_nrpe_conf_lines}" | grep -E "command\[check_${1}\]" | cut -d'=' -f2-
 }
 # Print the checks that have no alerts_wrapper in NRPE configuration
 function not_wrapped_checks() {
    for _check in $(get_checks_names); do
        if ! is_wrapped "${_check}"; then
            echo "${_check}"
        fi
    done
 }
 # Fail if check is not wrapped
 function is_wrapped() {
    # $1: check name
    _cmd=$(get_check_commands "${1}" | tail -n1)
    if echo "${_cmd}" | grep --quiet --no-messages alerts_wrapper; then
        return 0
    fi
    return 1
 }
 # Print the names that are defined in the wrappers of the checks
 function get_wrappers_names() {
    echo "${_nrpe_conf_lines}" | grep -s "alerts_wrapper" | awk '{ for (i=1 ; i<=NF; i++) { if ($i ~ /^(-n|--name)$/) { print $(i+1); break } } }' | tr ',' '\n' | sort | uniq
 }
 # Print the wrapper name of the check
 function get_check_wrapper_name() {
    # $1: check name
    _cmd=$(get_check_commands "${1}" | tail -n1)
    if echo "${_cmd}" | grep --quiet --no-messages alerts_wrapper; then
        echo "${_cmd}" | awk '/--name/ {match($0, /--name\s*([a-zA-Z0-9_\-]*)\s*/, m); print m[1]}'
    fi
 }
 function is_check() {
    # $1: check name
    _checks="$(get_checks_names)"
    if echo "${_checks}" | grep --quiet -E "^${1}$"; then
        return 0
    fi
    return 1
 }
 function is_wrapper() {
    # $1: wrapper name
    _wrappers="$(get_wrappers_names)"
    if echo "${_wrappers}" | grep --quiet -E "^${1}$"; then
        return 0
    fi
    return 1
 }
 # Print the checks that name this wrapper
 function get_wrapper_checks() {
    # $1: wrapper name
    echo "${_nrpe_conf_lines}" | grep -E "command\[check_.*\]=" | grep -E "\-\-name\s*${1}" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq | xargs
 }
 # Load NRPE configuration
 _nrpe_conf_lines="$(_get_conf_from_file "${nrpe_conf_path}")"
--- a/nagios-nrpe/files/monitoringctl_completion
+++ b/nagios-nrpe/files/monitoringctl_completion
@ -0,0 +1,88 @@
 #!/usr/bin/bash
 #
 function _get_wrappers_names() {
    grep "alerts_wrapper" --no-filename --no-messages -R /etc/nagios/ | grep --invert-match --extended-regexp "^\s*#" | awk '{ for (i=1 ; i<=NF; i++) { if ($i ~ /^(-n|--name)$/) { print $(i+1); break } } }' | tr ',' '\n' | sort | uniq
 }
 function _get_checks_names() {
    grep --extended-regexp --no-filename --no-messages -R "command\[check_.*\]="  /etc/nagios/ | grep --invert-match --extended-regexp "^\s*#" | awk -F"[\\\[\\\]=]" '{sub("check_", "", $2); print $2}' | sort | uniq
 }
 function _monitoringctl_completion() {
    local cur=${COMP_WORDS[COMP_CWORD]};
    local prev=${COMP_WORDS[COMP_CWORD-1]};
    local action=""
    for w in "${COMP_WORDS[@]}"; do
        case "$w" in
            status|check|enable|disable|show|list)
                action="${w}"
                ;;
        esac
    done
    local words="--help"
    case "${action}" in
        check|show)
            checks="$(_get_checks_names)"
            check=""
            for w in "${COMP_WORDS[@]}"; do
                for c in ${checks}; do
                    if [ "${c}" == "${w}" ]; then
                        check="${w}"
                        break
                    fi
                done
            done
            if [ -z "${check}" ]; then
                words="${checks} ${words}"
            fi
            if [ "${action}" == "check" ]; then
                words="all --bypass-nrpe ${words}"
            fi
            ;;
        status)
            if [ "${prev}" == "status" ]; then
                words="all $(_get_checks_names)"
            fi
            ;;
        enable)
            if [ "${prev}" == "enable" ]; then
                words="all $(_get_wrappers_names)"
            else
                words="--message ${words}"
            fi
            ;;
        disable)
            if [ "${prev}" == "disable" ]; then
                words="all $(_get_wrappers_names)"
            elif [ "${prev}" == "-d" ] || [ "${prev}" == "--during" ]; then
                words="1d 1d12h 1h 1h30m 1m 1m30s 30s"
            else
                words="--during --message ${words}"
            fi
            ;;
        *)
            words="status check enable disable show list ${words}"
            ;;
    esac
    # Avoid double
    opts=();
    for i in ${words}; do
        for j in "${COMP_WORDS[@]}"; do
            if [[ "$i" == "$j" ]]; then
                continue 2
            fi
        done
        opts+=("$i")
    done
    COMPREPLY=($(compgen -W "${opts[*]}" -- "${cur}"))
    return 0
 }
 complete -F _monitoringctl_completion monitoringctl
--- a/nagios-nrpe/files/plugins/check_ftp_users
+++ b/nagios-nrpe/files/plugins/check_ftp_users
@ -0,0 +1,75 @@
 #!/usr/bin/env bash
 function help() {
    echo "Check the number of proftpd user with 'ftpcount' output."
    echo "Usage:"
    echo "    check_proftpd_user -w|warning <WARN_THRESHOLD> -c|critical <CRITICAL_THRESHOLD>"
 }
 warn="-1"
 crit="-1"
 while [ $# -gt 0 ]; do
    case "${1}" in
        -h|--help)
            show_help
            exit 0
            ;;
        -c|--critical)
            crit="${2}"
            shift
            shift
            ;;
        -w|--warning)
            warn="${2}"
            shift
            shift
            ;;
        *)
            >&2 echo "Error: unknown argument ${1}, exit."
            help
            exit 3
    esac
 done
 if [ "${warn}" == "-1" ]; then
    echo "Error: warning threshold no defined, exit."
    help
    exit 3
 fi
 if [ "${crit}" == "-1" ]; then
    echo "Error: critical threshold no defined, exit."
    help
    exit 3
 fi
 if [[ "${warn}" =~ [^0-9] ]]; then
    echo "Error: warning threshold must be an integer, exit."
    help
    exit 3
 fi
 if [[ "${crit}" =~ [^0-9] ]]; then
    echo "Error: critical threshold must be an integer, exit."
    help
    exit 3
 fi
 if ! command -v ftpcount > /dev/null; then
    echo "Error: missing 'ftpcount' command, cannot check users count."
    exit 3
 fi
 n_users="$(ftpcount | awk '/users/{print $4}')"
 if [ "${n_users}" -gt "${crit}" ]; then
    echo "CRITICAL - ${n_users} ftp users connected (warning: ${warn}, critical: ${crit})"
    exit 2
 elif [ "${n_users}" -gt "${warn}" ]; then
    echo "WARNING - ${n_users} ftp users connected (warning: ${warn}, critical: ${crit})"
    exit 1
 else
    echo "OK - ${n_users} ftp users connected (warning: ${warn}, critical: ${crit})"
    exit 0
 fi
--- a/nagios-nrpe/tasks/check-local.yml
+++ b/nagios-nrpe/tasks/check-local.yml
@ -1,34 +0,0 @@
 ---
 # Install check-local utilitary
 - name: Package nagios-nrpe-plugin is intalled
  ansible.builtin.apt:
    name: nagios-nrpe-plugin
 - name: "Remount /usr if needed"
  ansible.builtin.include_role:
    name: remount-usr
 - name: Utilitary check-local is installed
  ansible.builtin.copy:
    src: check-local
    dest: /usr/local/bin/check-local
    mode: "0755"
 - name: Package bash-completion is installed
  ansible.builtin.apt:
    name: bash-completion
 - name: Directory /etc/bash_completion.d exists
  ansible.builtin.file:
    path: '/etc/bash_completion.d'
    state: directory
    mode: '0644'
 - name: Completion for utilitary check-local is installed
  ansible.builtin.copy:
    src: check-local_completion
    dest: /etc/bash_completion.d/check-local
    mode: "0755"
--- a/nagios-nrpe/tasks/main.yml
+++ b/nagios-nrpe/tasks/main.yml
@ -91,6 +91,5 @@
  tags:
    - nagios-nrpe
- ansible.builtin.include_tasks: wrapper.yml
+- ansible.builtin.include_tasks: monitoringctl.yml
 - ansible.builtin.include_tasks: check-local.yml
--- a/nagios-nrpe/tasks/monitoringctl.yml
+++ b/nagios-nrpe/tasks/monitoringctl.yml
@ -0,0 +1,162 @@
 ---
 - name: "Remount /usr if needed"
  ansible.builtin.include_role:
    name: remount-usr
 ### alerts_wrapper and alerts_switch section
 - name: "dir /usr/local/lib/monitoringctl/ exists"
  ansible.builtin.file:
    path: /usr/local/lib/monitoringctl/
    state: directory
    mode: '0755'
 - name: "check if old alerts_switch script is present"
  ansible.builtin.stat:
    path: /usr/share/scripts/alerts_switch
  register: old_alerts_switch
 - name: "alerts_switch is at the right place"
  ansible.builtin.command:
    cmd: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch"
  args:
    creates: /usr/local/bin/alerts_switch
  when: old_alerts_switch.stat.exists
 - name: "copy alerts_switch"
  ansible.builtin.copy:
    src: alerts_switch
    dest: /usr/local/bin/alerts_switch
    owner: root
    group: root
    mode: "0750"
    force: true
 - name: "alerts_switch symlink for backward compatibility"
  ansible.builtin.file:
    src: /usr/local/bin/alerts_switch
    path: /usr/share/scripts/alerts_switch
    state: link
  when: old_alerts_switch.stat.exists
 - name: "nagios user can run alerts_switch with sudo (used by alerts_wrapper)"
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/monitoringctl
    regexp: "nagios.*alerts_switch"
    line: "nagios           ALL = NOPASSWD:/usr/local/bin/alerts_switch *"
    create: true
    owner: root
    group: root
    mode: "640"
    validate: "visudo -c -f %s"
 - name: "check if old alerts_wrapper script is present"
  ansible.builtin.stat:
    path: "{{ nagios_plugins_directory }}/alerts_wrapper"
  register: old_alerts_wrapper
 - name: "alerts_wrapper is at the right place"
  ansible.builtin.command:
    cmd: "mv {{ nagios_plugins_directory }}/alerts_wrapper /usr/local/lib/monitoringctl/alerts_wrapper"
    creates: /usr/local/lib/monitoringctl/alerts_wrapper
  when: old_alerts_wrapper.stat.exists
 - name: "copy alerts_wrapper"
  ansible.builtin.copy:
    src: alerts_wrapper
    dest: "/usr/local/lib/monitoringctl/alerts_wrapper"
    owner: root
    group: staff
    mode: "0755"
    force: true
 - name: "alerts_wrapper symlink for backward compatibility"
  ansible.builtin.file:
    src: /usr/local/lib/monitoringctl/alerts_wrapper
    path: "{{ nagios_plugins_directory }}/alerts_wrapper"
    state: link
  when:
    - old_alerts_wrapper.stat.exists
    - not ansible_check_mode
 - name: "copy monitoringctl_common lib"
  ansible.builtin.copy:
    src: monitoringctl_common
    dest: /usr/local/lib/monitoringctl/common
    owner: root
    group: root
    mode: "0644"
    force: true
 ### monitoringctl section
 - name: "package bash-completion is installed"
  ansible.builtin.apt:
    name: bash-completion
 - name: "package nagios-nrpe-plugin is installed"
  ansible.builtin.apt:
    name: nagios-nrpe-plugin
 - name: "directory /etc/bash_completion.d exists"
  ansible.builtin.file:
    path: '/etc/bash_completion.d'
    state: directory
    mode: '0755'
 - name: "dir /var/lib/monitoringctl/ exists"
  ansible.builtin.file:
    path: /var/lib/monitoringctl/
    state: directory
    mode: '0755'
 - name: "monitoringctl is not in /usr/local/sbin/"
  ansible.builtin.file:
    path: /usr/local/sbin/monitoringctl
    state: absent
 - name: "copy monitoringctl"
  ansible.builtin.copy:
    src: monitoringctl
    dest: /usr/local/bin/monitoringctl
    owner: root
    group: root
    mode: "0755"
    force: true
 - name: "copy monitoringctl_common lib"
  ansible.builtin.copy:
    src: monitoringctl_common
    dest: /usr/local/lib/monitoringctl/common
    owner: root
    group: root
    mode: "0644"
    force: true
 - name: "copy monitoringctl_completion script"
  ansible.builtin.copy:
    src: monitoringctl_completion
    dest: /etc/bash_completion.d/monitoringctl
    owner: root
    group: root
    mode: "0644"
    force: true
 - name: "copy check-local (it's just a wrapper calling 'monitoringctl check' for backward compatibility)"
  ansible.builtin.copy:
    src: check-local
    dest: /usr/local/bin/check-local
    owner: root
    group: root
    mode: "0755"
    force: true
 - name: "copy completion for check-local"
  ansible.builtin.copy:
    src: check-local_completion
    dest: /etc/bash_completion.d/check-local
    mode: "0755"
--- a/nagios-nrpe/tasks/wrapper.yml
+++ b/nagios-nrpe/tasks/wrapper.yml
@ -1,43 +0,0 @@
 ---
 - name: "Remount /usr if needed"
  ansible.builtin.include_role:
    name: remount-usr
 - name: check if old script is present
  ansible.builtin.stat:
    path: /usr/share/scripts/alerts_switch
  register: old_alerts_switch
 - name: alerts_switch is at the right place
  ansible.builtin.command:
    cmd: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch"
  args:
    creates: /usr/local/bin/alerts_switch
  when: old_alerts_switch.stat.exists
 - name: "copy alerts_switch"
  ansible.builtin.copy:
    src: alerts_switch
    dest: /usr/local/bin/alerts_switch
    owner: root
    group: root
    mode: "0750"
    force: true
 - name: "symlink for backward compatibility"
  ansible.builtin.file:
    src: /usr/local/bin/alerts_switch
    dest: /usr/share/scripts/alerts_switch
    state: link
  when: old_alerts_switch.stat.exists
 - name: "copy alerts_wrapper"
  ansible.builtin.copy:
    src: alerts_wrapper
    dest: "{{ nagios_plugins_directory }}/alerts_wrapper"
    owner: root
    group: staff
    mode: "0755"
    force: true
--- a/nagios-nrpe/templates/evolix.cfg.j2
+++ b/nagios-nrpe/templates/evolix.cfg.j2
@ -6,94 +6,102 @@
 # Allowed IPs
 allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
-# System checks
+# Default activated checks
 command[check_load]=/usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7
 command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
 command[check_disk1]=/usr/lib/nagios/plugins/check_disk -e -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home -x /lib/init/rw -x /dev -x /dev/shm -x /run -I '^/run/' -I '^/sys/' -X overlay
 command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
 command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600
 command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
-# Generic services checks
+## System checks
-command[check_smtp]=/usr/lib/nagios/plugins/check_smtp -H localhost
+command[check_disk1]=/usr/local/lib/monitoringctl/alerts_wrapper --name disk1 /usr/lib/nagios/plugins/check_disk -e -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home -x /lib/init/rw -x /dev -x /dev/shm -x /run -I '^/run/' -I '^/sys/' -X overlay
-command[check_dns]=/usr/lib/nagios/plugins/check_dns -H evolix.net
+command[check_load]=/usr/local/lib/monitoringctl/alerts_wrapper --name load /usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7
-command[check_ntp]=/usr/lib/nagios/plugins/check_ntp -H {{ nagios_nrpe_ntp_server or nagios_nrpe_default_ntp_server | mandatory }}
+command[check_mem]=/usr/local/lib/monitoringctl/alerts_wrapper --name mem {{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10
-command[check_ssh]=/usr/lib/nagios/plugins/check_ssh localhost
+command[check_pressure_cpu]=/usr/local/lib/monitoringctl/alerts_wrapper --name pressure_cpu /usr/lib/nagios/plugins/check_pressure --cpu -w 100000 -c 500000
-command[check_mailq]=/usr/lib/nagios/plugins/check_mailq -M postfix -w 10 -c 20
+command[check_pressure_mem]=/usr/local/lib/monitoringctl/alerts_wrapper --name pressure_mem /usr/lib/nagios/plugins/check_pressure --mem --full -w 100000 -c 500000
 command[check_pressure_io]=/usr/local/lib/monitoringctl/alerts_wrapper --name pressure_io /usr/lib/nagios/plugins/check_pressure --io --full -w 100000 -c 500000
 command[check_swap]=/usr/local/lib/monitoringctl/alerts_wrapper --name swap /usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
 command[check_total_procs]=/usr/local/lib/monitoringctl/alerts_wrapper --name total_procs sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600
 command[check_users]=/usr/local/lib/monitoringctl/alerts_wrapper --name users /usr/lib/nagios/plugins/check_users -w 5 -c 10
 command[check_zombie_procs]=/usr/local/lib/monitoringctl/alerts_wrapper --name zombie_procs sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
-# Specific services checks
+## Generic services checks
-command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p '{{ nagios_nrpe_pgsql_passwd }}'
+command[check_dns]=/usr/local/lib/monitoringctl/alerts_wrapper --name dns /usr/lib/nagios/plugins/check_dns -H evolix.net
-command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf
+command[check_mailq]=/usr/local/lib/monitoringctl/alerts_wrapper --name mailq /usr/lib/nagios/plugins/check_mailq -M postfix -w 10 -c 20
-command[check_mysql_slave]=/usr/lib/nagios/plugins/check_mysql --check-slave -H localhost -f ~nagios/.my.cnf -w 1800 -c 3600
+command[check_ntp]=/usr/local/lib/monitoringctl/alerts_wrapper --name ntp /usr/lib/nagios/plugins/check_ntp -H {{ nagios_nrpe_ntp_server or nagios_nrpe_default_ntp_server | mandatory }}
-command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 --extra-opts=@/etc/nagios/monitoring-plugins.ini
+command[check_smtp]=/usr/local/lib/monitoringctl/alerts_wrapper --name smtp /usr/lib/nagios/plugins/check_smtp -H localhost
-command[check_ldaps]=/usr/lib/nagios/plugins/check_ldap -3 -T --extra-opts=@/etc/nagios/monitoring-plugins.ini
+command[check_ssh]=/usr/local/lib/monitoringctl/alerts_wrapper --name ssh /usr/lib/nagios/plugins/check_ssh localhost
 command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost
 command[check_imaps]=/usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
 command[check_imapproxy]=/usr/lib/nagios/plugins/check_imap -H localhost -p 1143
 command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost
 command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
 command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost
 command[check_http]=/usr/lib/nagios/plugins/check_http -e 301 -I 127.0.0.1 -H localhost
 command[check_https]=/usr/lib/nagios/plugins/check_http -e 401,403 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net
 command[check_bind]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
 command[check_unbound]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
 command[check_smb]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 445
 command[check_tse]=/usr/lib/nagios/plugins/check_tcp -H TSEADDR -p 3389
 command[check_jboss-http]=/usr/lib/nagios/plugins/check_tcp -p 8080
 command[check_jboss-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009
 command[check_tomcat-http]=/usr/lib/nagios/plugins/check_tcp -p 8080
 command[check_tomcat-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009
 command[check_proxy]=/usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_proxy_host }}
 command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379
 command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v
 command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/daily.cld
 command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5
 command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
 command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211
 command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 8891
 command[check_bkctld_setup]=sudo /usr/sbin/bkctld check-setup
 command[check_bkctld_jails]=sudo /usr/sbin/bkctld check-jails
 # "check_bkctld" is here as backward compatibility, but is replaced by "check_bkctld_jails"
 command[check_bkctld]=sudo /usr/sbin/bkctld check
 command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023
 command[check_influxdb]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /health -p 8086 -r '"status":"pass"'
 command[check_dhcpd]=/usr/lib/nagios/plugins/check_procs -c1:1 -C dhcpd -t 60
 command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor
 command[check_raid_status]=/usr/lib/nagios/plugins/check_raid
 command[check_dockerd]=/usr/lib/nagios/plugins/check_tcp -H /var/run/docker.sock --escape -s "GET /_ping HTTP/1.1\nHost: http\n\n" -e OK
-# Local checks (not packaged)
+## Local checks (not packaged)
-command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10
+command[check_minifirewall]=/usr/local/lib/monitoringctl/alerts_wrapper --name minifirewall sudo {{ nagios_plugins_directory }}/check_minifirewall
-command[check_amavis]={{ nagios_plugins_directory }}/check_amavis --server 127.0.0.1 --from {{ nagios_nrpe_amavis_from }} --to postmaster@localhost --port 10024
+
-command[check_spamd]={{ nagios_plugins_directory }}/check_spamd -H 127.0.0.1
+
-command[check_nfsclient]=sudo -u www-data {{ nagios_plugins_directory }}/check_nfsclient
+# Optionnal checks
-command[check_evobackup]={{ nagios_plugins_directory }}/check_evobackup
+
-command[check_process]={{ nagios_plugins_directory }}/check_process {{ nagios_nrpe_processes | join(' ') }}
+## Specific services checks
-command[check_drbd]={{ nagios_plugins_directory }}/check_drbd -d All -c StandAlone
+#command[check_pgsql]=/usr/local/lib/monitoringctl/alerts_wrapper --name pgsql /usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p '{{ nagios_nrpe_pgsql_passwd }}'
-command[check_mongodb_connect]={{ nagios_plugins_directory }}/check_mongodb -H localhost -P27017 -A connect
+#command[check_mysql]=/usr/local/lib/monitoringctl/alerts_wrapper --name mysql /usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf
-command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -n 0
+#command[check_mysql_slave]=/usr/local/lib/monitoringctl/alerts_wrapper --name mysql_slave /usr/lib/nagios/plugins/check_mysql --check-slave -H localhost -f ~nagios/.my.cnf -w 1800 -c 3600
-command[check_supervisord_status]={{ nagios_plugins_directory }}/check_supervisord
+#command[check_ldap]=/usr/local/lib/monitoringctl/alerts_wrapper --name ldap /usr/lib/nagios/plugins/check_ldap -3 --extra-opts=@/etc/nagios/monitoring-plugins.ini
-command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
+#command[check_ldaps]=/usr/local/lib/monitoringctl/alerts_wrapper --name ldaps /usr/lib/nagios/plugins/check_ldap -3 -T --extra-opts=@/etc/nagios/monitoring-plugins.ini
-command[check_haproxy]=sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /run/haproxy/admin.sock -w 80 -c 90 --ignore-maint --ignore-nolb --ignore-drain
+#command[check_imap]=/usr/local/lib/monitoringctl/alerts_wrapper --name imap /usr/lib/nagios/plugins/check_imap -H localhost
-command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall
+#command[check_imaps]=/usr/local/lib/monitoringctl/alerts_wrapper --name imaps /usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
-command[check_redis_instances]={{ nagios_plugins_directory }}/check_redis_instances
+#command[check_imapproxy]=/usr/local/lib/monitoringctl/alerts_wrapper --name imapproxy /usr/lib/nagios/plugins/check_imap -H localhost -p 1143
-command[check_sentinel]=sudo {{ nagios_plugins_directory }}/check_sentinel -c /etc/redis/sentinel.conf
+#command[check_pop]=/usr/local/lib/monitoringctl/alerts_wrapper --name pop /usr/lib/nagios/plugins/check_pop -H localhost
-command[check_hpraid]={{ nagios_plugins_directory }}/check_hpraid
+#command[check_pops]=/usr/local/lib/monitoringctl/alerts_wrapper --name pops /usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
-command[check_php-fpm]={{ nagios_plugins_directory }}/check_phpfpm_multi
+#command[check_ftp]=/usr/local/lib/monitoringctl/alerts_wrapper --name ftp /usr/lib/nagios/plugins/check_ftp -H localhost
-command[check_php-fpm56]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
+#command[check_ftp_users]=/usr/local/lib/monitoringctl/alerts_wrapper --name ftp_users /usr/local/lib/nagios/plugins/check_ftp_users -w 20 -c 40
-command[check_php-fpm70]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
+#command[check_http]=/usr/local/lib/monitoringctl/alerts_wrapper --name http /usr/lib/nagios/plugins/check_http -e 301 -I 127.0.0.1 -H localhost
-command[check_php-fpm73]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
+#command[check_https]=/usr/local/lib/monitoringctl/alerts_wrapper --name https /usr/lib/nagios/plugins/check_http -e 401,403 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net
-command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
+#command[check_bind]=/usr/local/lib/monitoringctl/alerts_wrapper --name bind /usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
-command[check_php-fpm80]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/
+#command[check_unbound]=/usr/local/lib/monitoringctl/alerts_wrapper --name unbound /usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
-command[check_php-fpm81]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/
+#command[check_smb]=/usr/local/lib/monitoringctl/alerts_wrapper --name smb /usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 445
-command[check_php-fpm82]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/
+#command[check_tse]=/usr/local/lib/monitoringctl/alerts_wrapper --name tse /usr/lib/nagios/plugins/check_tcp -H TSEADDR -p 3389
-command[check_php-fpm83]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/
+#command[check_jboss-http]=/usr/local/lib/monitoringctl/alerts_wrapper --name jboss-http /usr/lib/nagios/plugins/check_tcp -p 8080
-command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool
+#command[check_jboss-ajp13]=/usr/local/lib/monitoringctl/alerts_wrapper --name jboss-ajp13 /usr/lib/nagios/plugins/check_tcp -p 8009
-command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local
+#command[check_tomcat-http]=/usr/local/lib/monitoringctl/alerts_wrapper --name tomcat-http /usr/lib/nagios/plugins/check_tcp -p 8080
-command[check_pressure_cpu]=/usr/lib/nagios/plugins/check_pressure --cpu -w 100000 -c 500000
+#command[check_tomcat-ajp13]=/usr/local/lib/monitoringctl/alerts_wrapper --name tomcat-ajp13 /usr/lib/nagios/plugins/check_tcp -p 8009
-command[check_pressure_mem]=/usr/lib/nagios/plugins/check_pressure --mem --full -w 100000 -c 500000
+#command[check_proxy]=/usr/local/lib/monitoringctl/alerts_wrapper --name proxy /usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_proxy_host }}
-command[check_pressure_io]=/usr/lib/nagios/plugins/check_pressure --io --full -w 100000 -c 500000
+#command[check_redis]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis /usr/lib/nagios/plugins/check_tcp -p 6379
 #command[check_clamd]=/usr/local/lib/monitoringctl/alerts_wrapper --name clamd /usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v
 #command[check_clamav_db]=/usr/local/lib/monitoringctl/alerts_wrapper --name clamav_db /usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/daily.cld
 #command[check_ssl]=/usr/local/lib/monitoringctl/alerts_wrapper --name ssl /usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5
 #command[check_elasticsearch]=/usr/local/lib/monitoringctl/alerts_wrapper --name elasticsearch /usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
 #command[check_memcached]=/usr/local/lib/monitoringctl/alerts_wrapper --name memcached /usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211
 #command[check_opendkim]=/usr/local/lib/monitoringctl/alerts_wrapper --name opendkim /usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 8891
 #command[check_bkctld_setup]=/usr/local/lib/monitoringctl/alerts_wrapper --name bkctld_setup sudo /usr/sbin/bkctld check-setup
 #command[check_bkctld_jails]=/usr/local/lib/monitoringctl/alerts_wrapper --name bkctld_jails sudo /usr/sbin/bkctld check-jails
 ## "check_bkctld" is here as backward compatibility, but is replaced by "check_bkctld_jails"
 #command[check_bkctld]=/usr/local/lib/monitoringctl/alerts_wrapper --name bkctld sudo /usr/sbin/bkctld check
 #command[check_postgrey]=/usr/local/lib/monitoringctl/alerts_wrapper --name postgrey /usr/lib/nagios/plugins/check_tcp -p10023
 #command[check_influxdb]=/usr/local/lib/monitoringctl/alerts_wrapper --name influxdb /usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /health -p 8086 -r '"status":"pass"'
 #command[check_dhcpd]=/usr/local/lib/monitoringctl/alerts_wrapper --name dhcpd /usr/lib/nagios/plugins/check_procs -c1:1 -C dhcpd -t 60
 #command[check_ipmi_sensors]=/usr/local/lib/monitoringctl/alerts_wrapper --name ipmi_sensors sudo /usr/lib/nagios/plugins/check_ipmi_sensor
 #command[check_raid_status]=/usr/local/lib/monitoringctl/alerts_wrapper --name raid_status /usr/lib/nagios/plugins/check_raid
 #command[check_dockerd]=/usr/local/lib/monitoringctl/alerts_wrapper --name dockerd /usr/lib/nagios/plugins/check_tcp -H /var/run/docker.sock --escape -s "GET /_ping HTTP/1.1\nHost: http\n\n" -e OK
 ## Local checks (not packaged)
 #command[check_amavis]=/usr/local/lib/monitoringctl/alerts_wrapper --name amavis {{ nagios_plugins_directory }}/check_amavis --server 127.0.0.1 --from {{ nagios_nrpe_amavis_from }} --to postmaster@localhost --port 10024
 #command[check_spamd]=/usr/local/lib/monitoringctl/alerts_wrapper --name spamd {{ nagios_plugins_directory }}/check_spamd -H 127.0.0.1
 #command[check_nfsclient]=/usr/local/lib/monitoringctl/alerts_wrapper --name nfsclient sudo -u www-data {{ nagios_plugins_directory }}/check_nfsclient
 #command[check_evobackup]=/usr/local/lib/monitoringctl/alerts_wrapper --name evobackup {{ nagios_plugins_directory }}/check_evobackup
 #command[check_process]=/usr/local/lib/monitoringctl/alerts_wrapper --name process {{ nagios_plugins_directory }}/check_process {{ nagios_nrpe_processes | join(' ') }}
 #command[check_drbd]=/usr/local/lib/monitoringctl/alerts_wrapper --name drbd {{ nagios_plugins_directory }}/check_drbd -d All -c StandAlone
 #command[check_mongodb_connect]=/usr/local/lib/monitoringctl/alerts_wrapper --name mongodb_connect {{ nagios_plugins_directory }}/check_mongodb -H localhost -P27017 -A connect
 #command[check_glusterfs]=/usr/local/lib/monitoringctl/alerts_wrapper --name glusterfs {{ nagios_plugins_directory }}/check_glusterfs -v all -n 0
 #command[check_supervisord_status]=/usr/local/lib/monitoringctl/alerts_wrapper --name supervisord_status {{ nagios_plugins_directory }}/check_supervisord
 #command[check_varnish]=/usr/local/lib/monitoringctl/alerts_wrapper --name varnish {{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
 #command[check_haproxy]=/usr/local/lib/monitoringctl/alerts_wrapper --name haproxy sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /run/haproxy/admin.sock -w 80 -c 90 --ignore-maint --ignore-nolb --ignore-drain
 #command[check_redis_instances]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis_instances {{ nagios_plugins_directory }}/check_redis_instances
 #command[check_sentinel]=/usr/local/lib/monitoringctl/alerts_wrapper --name sentinel sudo {{ nagios_plugins_directory }}/check_sentinel -c /etc/redis/sentinel.conf
 #command[check_hpraid]=/usr/local/lib/monitoringctl/alerts_wrapper --name hpraid {{ nagios_plugins_directory }}/check_hpraid
 #command[check_php-fpm]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm {{ nagios_plugins_directory }}/check_phpfpm_multi
 #command[check_php-fpm56]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm56 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
 #command[check_php-fpm70]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm70 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
 #command[check_php-fpm73]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm73 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
 #command[check_php-fpm74]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm74 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
 #command[check_php-fpm80]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm80 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/
 #command[check_php-fpm81]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm81 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/
 #command[check_php-fpm82]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm82 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/
 #command[check_php-fpm83]=/usr/local/lib/monitoringctl/alerts_wrapper --name php-fpm83 sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/
 #command[check_dhcp_pool]=/usr/local/lib/monitoringctl/alerts_wrapper --name dhcp_pool {{ nagios_plugins_directory }}/check_dhcp_pool
 #command[check_ssl_local]=/usr/local/lib/monitoringctl/alerts_wrapper --name ssl_local {{ nagios_plugins_directory }}/check_ssl_local
 # Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
 # Beware! All checks must not take more than 10s!
-#command[check_https]={{ nagios_plugins_directory }}/check_http_many
+#command[check_https]=/usr/local/lib/monitoringctl/alerts_wrapper --name https {{ nagios_plugins_directory }}/check_http_many
--- a/nodejs/tasks/main.yml
+++ b/nodejs/tasks/main.yml
@ -38,7 +38,6 @@
  ansible.builtin.template:
    src: nodesource.sources.j2
    dest: /etc/apt/sources.list.d/nodesource.sources
    state: present
  register: nodesource_sources
  tags:
    - system
--- a/nodejs/tasks/yarn.yml
+++ b/nodejs/tasks/yarn.yml
@ -37,8 +37,6 @@
  ansible.builtin.template:
    src: yarn.sources.j2
    dest: /etc/apt/sources.list.d/yarn.sources
    state: present
    update_cache: yes
  register: yarn_sources
  tags:
    - system
--- a/openvpn/tasks/debian.yml
+++ b/openvpn/tasks/debian.yml
@ -201,7 +201,7 @@
  ansible.builtin.lineinfile:
    dest: "/etc/nagios/nrpe.d/evolix.cfg"
    regexp: '^command\[check_openvpn\]='
-    line: "command[check_openvpn]=/usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
+    line: "command[check_openvpn]=/usr/local/lib/monitoringctl/alerts_wrapper --name openvpn /usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
  notify: restart nagios-nrpe-server
  when: nrpe_evolix_config.stat.exists
@ -233,7 +233,7 @@
  ansible.builtin.lineinfile:
    dest: "/etc/nagios/nrpe.d/evolix.cfg"
    regexp: '^command\[check_openvpn_certificates\]='
-    line: "command[check_openvpn_certificates]=sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
+    line: "command[check_openvpn_certificates]=/usr/local/lib/monitoringctl/alerts_wrapper --name openvpn_certificates sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
  notify: restart nagios-nrpe-server
  when: nrpe_evolix_config.stat.exists
--- a/openvpn/tasks/openbsd.yml
+++ b/openvpn/tasks/openbsd.yml
@ -9,6 +9,7 @@
  ansible.builtin.command:
    cmd: pkg_info -Iq inst:openvpn
  register: is_installed
  check_mode: false
  ignore_errors: true
  changed_when: false
@ -138,6 +139,7 @@
  ansible.builtin.command:
    cmd: pkg_info -Iq inst:p5-Net-Telnet
  register: is_installed
  check_mode: false
  ignore_errors: true
  changed_when: false
--- a/postgresql/tasks/nrpe.yml
+++ b/postgresql/tasks/nrpe.yml
@ -43,7 +43,7 @@
    ansible.builtin.lineinfile:
      name: /etc/nagios/nrpe.d/evolix.cfg
      regexp: '^command\[check_pgsql\]='
-      line: 'command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p "{{ postgresql_nrpe_password.stdout }}"'
+      line: 'command[check_pgsql]=/usr/local/lib/monitoringctl/alerts_wrapper --name pgsql /usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p "{{ postgresql_nrpe_password.stdout }}"'
    notify: restart nagios-nrpe-server
    when: postgresql_create_nrpe_user is changed
  when: nrpe_evolix_config.stat.exists
--- a/proftpd/files/munin_plugin
+++ b/proftpd/files/munin_plugin
@ -0,0 +1,18 @@
 #! /bin/bash
 # 
 if [ "$1" = 'config' ]; then
        echo "graph_args --base 1000 -l 0"
        echo "graph_title ProFTPd"
        echo "graph_category network"
        echo "graph_vlabel Stats Proftpd"
        echo "users_count.label Connected users"
        echo "users_count.draw AREA"
 fi
 n_users="$(ftpcount | awk '/users/{print $4}')"
 echo "users_count.value ${n_users}"
 exit 0
--- a/proftpd/tasks/main.yml
+++ b/proftpd/tasks/main.yml
@ -96,3 +96,15 @@
 - ansible.builtin.include: accounts.yml
  when: proftpd_accounts | length > 0
 - name: Munin plugin is copied
  ansible.builtin.copy:
    src: munin_plugin
    dest: /usr/share/munin/plugins/proftpd
    mode: 755
 - name: Munin plugin is enabled
  ansible.builtin.file:
    src: /usr/share/munin/plugins/proftpd
    dest: /etc/munin/plugins/proftpd
    state: link
--- a/rabbitmq/tasks/nrpe.yml
+++ b/rabbitmq/tasks/nrpe.yml
@ -40,7 +40,7 @@
  ansible.builtin.lineinfile:
    dest: /etc/nagios/nrpe.d/evolix.cfg
    regexp: 'command\[check_rab_connection_count\]'
-    line: 'command[check_rab_connection_count]=sudo /usr/local/lib/nagios/plugins/check_rabbitmq -a connection_count -C {{ rabbitmq_connections_critical }} -W {{ rabbitmq_connections_warning }}'
+    line: 'command[check_rab_connection_count]=/usr/local/lib/monitoringctl/alerts_wrapper --name rab_connection_count sudo /usr/local/lib/nagios/plugins/check_rabbitmq -a connection_count -C {{ rabbitmq_connections_critical }} -W {{ rabbitmq_connections_warning }}'
  notify: restart nagios-nrpe-server
 - name: sudo without password for nagios
--- a/redis/tasks/nrpe.yml
+++ b/redis/tasks/nrpe.yml
@ -60,7 +60,7 @@
  ansible.builtin.replace:
    dest: /etc/nagios/nrpe.d/evolix.cfg
    regexp: '^command\[check_redis\]=.+'
-    replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}'
+    replace: 'command[check_redis]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}'
  when: redis_instance_name is undefined
  notify: restart nagios-nrpe-server
  tags:
@ -99,7 +99,7 @@
  ansible.builtin.replace:
    dest: /etc/nagios/nrpe.d/evolix.cfg
    regexp: '^command\[check_redis\]=.+'
-    replace: 'command[check_redis]=sudo /usr/local/lib/nagios/plugins/check_redis_instances'
+    replace: 'command[check_redis]=/usr/local/lib/monitoringctl/alerts_wrapper --name redis sudo /usr/local/lib/nagios/plugins/check_redis_instances'
  when: redis_instance_name is defined
  notify: restart nagios-nrpe-server
  tags:
--- a/webapps/etherpad/LISEZMOI.md
+++ b/webapps/etherpad/LISEZMOI.md
@ -0,0 +1,58 @@
 etherpad
 =========
 Ce rôle installe le serveur d'Etherpad, une application rédaction collaborative en temps-réel. 
 Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle etherpad sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue.
 Requis
 ------
 ...
 Variables du rôle
 -----------------
 Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas).
 Dépendances
 ------------
 Ce rôle Ansible dépend des rôles suivants :
 - nodejs
 Exemple de playbook
 -------------------
 ```
 - name: "Déployer un serveur Etherpad"
  hosts: 
    - all
  vars:
    # Supplanter ici les variables du rôle
    service: 'mon-etherpad'
    etherpad_domains: ['votre-vrai-domaine.org']
    etherpad_db_host: 'localhost'
    etherpad_db_user: "{{ service }}"
    etherpad_db_name: "{{ service }}"
    etherpad_db_password: 'zKEh-CHANGEZ-MOI-qIKc'
  pre_tasks:
    - name: "Installer les rôles systèmes"
      roles:
        - { role: nodejs, nodejs_apt_version: "{{ etherpad_node_version }}" }
  roles:
    - { role: webapps/etherpad , tags: "etherpad" }
 ```
 Licence
 -------
 GPLv3
 Infos sur l'auteur
 ------------------
 Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix.
--- a/webapps/etherpad/README.md
+++ b/webapps/etherpad/README.md
@ -0,0 +1,58 @@
 etherpad
 =========
 This role installs or upgrades the server for the real-time collaborative editor Etherpad. 
 FRENCH: Voir le fichier LISEZMOI.md pour le français.
 Requirements
 ------------
 ...
 Role Variables
 --------------
 Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below).
 Dependencies
 ------------
 This Ansible role depends on the following other roles:
 - nodejs
 Example Playbook
 ----------------
 ```
 - name: "Deploy an Etherpad server"
  hosts: 
    - all
  vars:
    # Overwrite the role variable here
    service: 'my-etherpad'
    etherpad_domains: ['your-real-domain.org']
    etherpad_db_host: 'localhost'
    etherpad_db_user: "{{ service }}"
    etherpad_db_name: "{{ service }}"
    etherpad_db_password: 'zKEh-CHANGE-ME-qIKc'
  pre_tasks:
    - name: "Install system roles"
      roles:
        - { role: nodejs, nodejs_apt_version: "{{ etherpad_node_version }}" }
  roles:
    - { role: webapps/etherpad , tags: "etherpad" }
 ```
 License
 -------
 GPLv3
 Author Information
 ------------------
 Mathieu Gauthier-Pilote, sys. admin. at Evolix.
--- a/webapps/etherpad/defaults/main.yml
+++ b/webapps/etherpad/defaults/main.yml
@ -0,0 +1,28 @@
 ---
 # defaults file for etherpad
 service: 'example'
 etherpad_system_dep: "['apt-transport-https', 'mariadb-server', 'python3-mysqldb', 'nginx', 'ssl-cert', 'git', 'wget', 'certbot', 'npm']"
 etherpad_git_url: 'https://github.com/ether/etherpad-lite.git'
 etherpad_git_version: '1.8.18'
 etherpad_node_version: 'node_18.x'
 etherpad_node_port: '9001'
 etherpad_domains: ['example.domain.org']
 etherpad_certbot_admin_email: 'mgauthier@evolix.ca'
 etherpad_db_host: '127.0.0.1'
 etherpad_db_port: '3306'
 etherpad_db_user: "{{ service }}"
 etherpad_db_name: "{{ service }}"
 etherpad_db_password: 'CHANGE_ME'
 etherpad_app_ip: '127.0.0.1'
 etherpad_app_title: 'My Etherpad'
 etherpad_app_db_type: 'mysql'
 etherpad_app_skin_name: 'colibris'
 etherpad_app_skin_variants: 'super-light-toolbar super-light-editor light-background'
 etherpad_app_trust_proxy: 'true'
 etherpad_app_require_authentication: 'false'
 etherpad_app_require_authorization: 'true'
 etherpad_app_admin_password: 'CHANGE_ME_TOO'
 etherpad_app_default_pad_text: 'Bienvenue sur Etherpad !\n\nLe texte de ce bloc-notes est synchronisé sur le serveur au fur et à mesure que vous tapez, de sorte que toutes les personnes qui consultent cette page voient le même texte. Cela vous permet de collaborer de manière transparente et collaborative sur des documents !\n\nParticipez à Etherpad sur https:\/\/etherpad.org\n'
 etherpad_app_file_ends: 'false'
--- a/webapps/etherpad/handlers/main.yml
+++ b/webapps/etherpad/handlers/main.yml
@ -0,0 +1,11 @@
 ---
 # handlers file for etherpad
 - name: reload nginx
  ansible.builtin.systemd:
    name: nginx
    state: reloaded
 - name: restart etherpad
  ansible.builtin.systemd:
    name: "{{ service }}.service"
    state: restarted
--- a/webapps/etherpad/meta/main.yml
+++ b/webapps/etherpad/meta/main.yml
@ -0,0 +1,52 @@
 galaxy_info:
  author: Mathieu Gauthier-Pilote
  description: sys. admin.
  company: Evolix
  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker
  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license GPL-3.0-only
  min_ansible_version: 2.10
  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:
  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99
  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.
 dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--- a/webapps/etherpad/tasks/main.yml
+++ b/webapps/etherpad/tasks/main.yml
@ -0,0 +1,142 @@
 ---
 # tasks file for etherpad install
 - name: Install main system dependencies
  ansible.builtin.apt:
    name: "{{ etherpad_system_dep }}"
    update_cache: yes
 - name: Install pnpm (via npm)
  ansible.builtin.command:
    cmd: npm install -g pnpm
 - name: Fix permissions for pnpm
  ansible.builtin.file:
    path: /usr/local/lib/node_modules/
    state: directory
    mode: o+rx
    recurse: yes
 - name: Add UNIX account
  ansible.builtin.user:
    name: "{{ service }}"
    shell: /bin/bash
 - name: Add database
  ansible.builtin.mysql_db:
    name: "{{ etherpad_db_name }}"
 - name: Add database user
  ansible.builtin.mysql_user:
    name: "{{ etherpad_db_user }}"
    password: "{{ etherpad_db_password }}"
    priv: "{{ etherpad_db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}"
    update_password: on_create
 - name: Clone etherpad repo (git)
  ansible.builtin.git:
    repo: "{{ etherpad_git_url }}"
    dest: "~/etherpad-lite/"
    version: "{{ etherpad_git_version | default(omit) }}"
    update: yes
    force: true
    umask: '0022'
  become_user: "{{ service }}"
 - name: Fix run.sh so it does not start etherpad at the end
  ansible.builtin.lineinfile: 
    path: "~/etherpad-lite/bin/run.sh"
    state: absent
    regexp: '^exec pnpm run dev'
  become_user: "{{ service }}"
 - name: Run setup
  ansible.builtin.shell: "bin/run.sh"
  args:
    chdir: "~/etherpad-lite"
  become_user: "{{ service }}"
 - name: Template json config file
  ansible.builtin.template:
    src: "settings.json.j2"
    dest: "~{{ service }}/etherpad-lite/settings.json"
    owner: "{{ service }}"
    group: "{{ service }}"
    mode: "0640"
 - name: Add systemd unit
  ansible.builtin.template:
    src: "etherpad.service.j2"
    dest: "/etc/systemd/system/{{ service }}.service"
 - name: Enable systemd unit
  ansible.builtin.systemd:
    name: "{{ service }}.service"
    enabled: yes
    daemon_reload: yes
  notify: 
    - restart etherpad
 - name: Template nginx snippet for Let's Encrypt/Certbot
  ansible.builtin.template: 
    src: "letsencrypt.conf.j2"
    dest: "/etc/nginx/snippets/letsencrypt.conf"
 - name: Check if SSL certificate is present and register result
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ etherpad_domains |first }}/fullchain.pem"
  register: ssl
 - name: Generate certificate only if required (first time)
  block:
  - name: Template vhost without SSL for successfull LE challengce
    ansible.builtin.template: 
      src: "vhost.conf.j2"
      dest: "/etc/nginx/sites-available/{{ service }}.conf"
  - name: Enable temporary nginx vhost for LE
    ansible.builtin.file:
      src: "/etc/nginx/sites-available/{{ service }}.conf"
      dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
      state: link
    notify: 
      - reload nginx
  - name: Flush handlers
    ansible.builtin.meta: flush_handlers
  - name: Make sure /var/lib/letsencrypt exists and has correct permissions
    ansible.builtin.file: 
      path: /var/lib/letsencrypt
      state: directory
      mode: '0755'
  - name: Generate certificate with certbot
    ansible.builtin.command:
      cmd: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ etherpad_certbot_admin_email }} -d {{ etherpad_domains |first }}
  - name: Create the ssl dir if needed
    ansible.builtin.file:
      path: /etc/nginx/ssl
      state: directory
      mode: '0750'
  - name: Template ssl bloc for nginx vhost
    ansible.builtin.template: 
      src: "ssl.conf.j2"
      dest: "/etc/nginx/ssl/{{ etherpad_domains |first }}.conf"
  when: ssl.stat.exists != true
 - name: (Re)check if SSL certificate is present and register result
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ etherpad_domains |first }}/fullchain.pem"
  register: ssl
 - name: (Re)template conf file for nginx vhost with SSL
  ansible.builtin.template:
    src: "vhost.conf.j2"
    dest: "/etc/nginx/sites-available/{{ service }}.conf"
  notify: 
    - reload nginx
 - name: Enable nginx vhost for etherpad
  ansible.builtin.file:
    src: "/etc/nginx/sites-available/{{ service }}.conf"
    dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
    state: link
  notify: 
    - reload nginx
--- a/webapps/etherpad/tasks/upgrade.yml
+++ b/webapps/etherpad/tasks/upgrade.yml
@ -0,0 +1,52 @@
 ---
 # tasks file for etherpad upgrade
 - name: Dump database to a file with compression
  ansible.builtin.mysql_db:
    name: "{{ service }}"
    state: dump
    target: "~/{{ service }}.sql.gz"
 - name: Stop service
  ansible.builtin.systemd:
    name: "{{ service }}.service"
    state: stopped
 - name: Clone etherpad repo (git)
  ansible.builtin.git:
    repo: "{{ etherpad_git_url }}"
    dest: "~/etherpad-lite/"
    version: "{{ etherpad_git_version }}"
    update: yes
    force: true
  become_user: "{{ service }}"
 - name: Fix run.sh so it does not start etherpad at the end
  ansible.builtin.lineinfile: 
    path: "~/etherpad-lite/src/bin/run.sh"
    state: absent
    regexp: 'exec node src/node/server.js'
  become_user: "{{ service }}"
 - name: Run setup
  ansible.builtin.shell: "src/bin/run.sh"
  args:
    chdir: "~/etherpad-lite"
  become_user: "{{ service }}"
 - name: Start service
  ansible.builtin.systemd:
    name: "{{ service }}.service"
    state: started
 - name: Define variable to skip next task by default
  ansible.builtin.set_fact:
    keep_db_dump: true
 - name: Remove database dump
  ansible.builtin.file:
    path: "~/{{ service }}.sql.gz"
    state: absent
  when: keep_db_dump is undefined
  tags: clean
  notify: reload nginx
--- a/webapps/etherpad/templates/etherpad.service.j2
+++ b/webapps/etherpad/templates/etherpad.service.j2
@ -0,0 +1,17 @@
 [Unit]
 Description=Etherpad - open source online editor for real-time collaborative editing.
 Documentation=https://etherpad.org/doc/v1.8.18/
 After=network.target
 After=mariadb.service
 [Service]
 Type=simple
 Environment=NODE_ENV=production
 ExecStart=pnpm run prod
 Restart=always
 User={{service}}
 Group={{service}}
 WorkingDirectory=/home/{{service}}/etherpad-lite
 [Install]
 WantedBy=multi-user.target
--- a/webapps/etherpad/templates/letsencrypt.conf.j2
+++ b/webapps/etherpad/templates/letsencrypt.conf.j2
@ -0,0 +1,5 @@
 location ~ /.well-known/acme-challenge {
  alias /var/lib/letsencrypt/;
  try_files $uri =404;
  allow all;
 }
--- a/webapps/etherpad/templates/settings.json.j2
+++ b/webapps/etherpad/templates/settings.json.j2
@ -0,0 +1,641 @@
 /*
 * This file must be valid JSON. But comments are allowed
 *
 * Please edit settings.json, not settings.json.template
 *
 * Please note that starting from Etherpad 1.6.0 you can store DB credentials in
 * a separate file (credentials.json).
 *
 *
 * ENVIRONMENT VARIABLE SUBSTITUTION
 * =================================
 *
 * All the configuration values can be read from environment variables using the
 * syntax "${ENV_VAR}" or "${ENV_VAR:default_value}".
 *
 * This is useful, for example, when running in a Docker container.
 *
 * DETAILED RULES:
 *   - If the environment variable is set to the string "true" or "false", the
 *     value becomes Boolean true or false.
 *   - If the environment variable is set to the string "null", the value
 *     becomes null.
 *   - If the environment variable is set to the string "undefined", the setting
 *     is removed entirely, except when used as the member of an array in which
 *     case it becomes null.
 *   - If the environment variable is set to a string representation of a finite
 *     number, the string is converted to that number.
 *   - If the environment variable is set to any other string, including the
 *     empty string, the value is that string.
 *   - If the environment variable is unset and a default value is provided, the
 *     value is as if the environment variable was set to the provided default:
 *       - "${UNSET_VAR:}" becomes the empty string.
 *       - "${UNSET_VAR:foo}" becomes the string "foo".
 *       - "${UNSET_VAR:true}" and "${UNSET_VAR:false}" become true and false.
 *       - "${UNSET_VAR:null}" becomes null.
 *       - "${UNSET_VAR:undefined}" causes the setting to be removed (or be set
 *         to null, if used as a member of an array).
 *   - If the environment variable is unset and no default value is provided,
 *     the value becomes null. THIS BEHAVIOR MAY CHANGE IN A FUTURE VERSION OF
 *     ETHERPAD; if you want the default value to be null, you should explicitly
 *     specify "null" as the default value.
 *
 * EXAMPLE:
 *    "port":     "${PORT:9001}"
 *    "minify":   "${MINIFY}"
 *    "skinName": "${SKIN_NAME:colibris}"
 *
 * Would read the configuration values for those items from the environment
 * variables PORT, MINIFY and SKIN_NAME.
 *
 * If PORT and SKIN_NAME variables were not defined, the default values 9001 and
 * "colibris" would be used.
 * The configuration value "minify", on the other hand, does not have a
 * designated default value. Thus, if the environment variable MINIFY were
 * undefined, "minify" would be null.
 *
 * REMARKS:
 * 1) please note that variable substitution always needs to be quoted.
 *
 *    "port":     9001,            <-- Literal values. When not using
 *    "minify":   false                substitution, only strings must be
 *    "skinName": "colibris"           quoted. Booleans and numbers must not.
 *
 *    "port":     "${PORT:9001}"   <-- CORRECT: if you want to use a variable
 *    "minify":   "${MINIFY:true}"     substitution, put quotes around its name,
 *    "skinName": "${SKIN_NAME}"       even if the required value is a number or
 *                                     a boolean.
 *                                     Etherpad will take care of rewriting it
 *                                     to the proper type if necessary.
 *
 *    "port":     ${PORT:9001}     <-- ERROR: this is not valid json. Quotes
 *    "minify":   ${MINIFY}            around variable names are missing.
 *    "skinName": ${SKIN_NAME}
 *
 * 2) Beware of undefined variables and default values: nulls and empty strings
 *    are different!
 *
 *    This is particularly important for user's passwords (see the relevant
 *    section):
 *
 *    "password": "${PASSW}"  // if PASSW is not defined would result in password === null
 *    "password": "${PASSW:}" // if PASSW is not defined would result in password === ''
 *
 *    If you want to use an empty value (null) as default value for a variable,
 *    simply do not set it, without putting any colons: "${ABIWORD}".
 *
 * 3) if you want to use newlines in the default value of a string parameter,
 *    use "\n" as usual.
 *
 *    "defaultPadText" : "${DEFAULT_PAD_TEXT}Line 1\nLine 2"
 */
 {
  /*
   * Name your instance!
   */
  "title": "{{ etherpad_app_title }}",
  /*
   * Pathname of the favicon you want to use. If null, the skin's favicon is
   * used if one is provided by the skin, otherwise the default Etherpad favicon
   * is used. If this is a relative path it is interpreted as relative to the
   * Etherpad root directory.
   */
  "favicon": null,
  /*
   * Skin name.
   *
   * Its value has to be an existing directory under src/static/skins.
   * You can write your own, or use one of the included ones:
   *
   * - "no-skin":  an empty skin (default). This yields the unmodified,
   *               traditional Etherpad theme.
   * - "colibris": the new experimental skin (since Etherpad 1.8), candidate to
   *               become the default in Etherpad 2.0
   */
  "skinName": "{{ etherpad_app_skin_name }}",
  /*
   * Skin Variants
   *
   * Use the UI skin variants builder at /p/test#skinvariantsbuilder
   *
   * For the colibris skin only, you can choose how to render the three main
   * containers:
   * - toolbar (top menu with icons)
   * - editor (containing the text of the pad)
   * - background (area outside of editor, mostly visible when using page style)
   *
   * For each of the 3 containers you can choose 4 color combinations:
   * super-light, light, dark, super-dark.
   *
   * For example, to make the toolbar dark, you will include "dark-toolbar" into
   * skinVariants.
   *
   * You can provide multiple skin variants separated by spaces. Default
   * skinVariant is "super-light-toolbar super-light-editor light-background".
   *
   * For the editor container, you can also make it full width by adding
   * "full-width-editor" variant (by default editor is rendered as a page, with
   * a max-width of 900px).
   */
  "skinVariants": "{{ etherpad_app_skin_variants }}",
  /*
   * IP and port which Etherpad should bind at.
   *
   * Binding to a Unix socket is also supported: just use an empty string for
   * the ip, and put the full path to the socket in the port parameter.
   *
   * EXAMPLE USING UNIX SOCKET:
   *    "ip": "",                             // <-- has to be an empty string
   *    "port" : "/somepath/etherpad.socket", // <-- path to a Unix socket
   */
  "ip": "{{ etherpad_app_ip }}",
  "port": {{ etherpad_node_port }},
  /*
   * Option to hide/show the settings.json in admin page.
   *
   * Default option is set to true
   */
  "showSettingsInAdminPage": true,
  /*
   * Node native SSL support
   *
   * This is disabled by default.
   * Make sure to have the minimum and correct file access permissions set so
   * that the Etherpad server can access them
   */
  /*
  "ssl" : {
            "key"  : "/path-to-your/epl-server.key",
            "cert" : "/path-to-your/epl-server.crt",
            "ca": ["/path-to-your/epl-intermediate-cert1.crt", "/path-to-your/epl-intermediate-cert2.crt"]
          },
  */
  /*
   * The type of the database.
   *
   * You can choose between many DB drivers, for example: dirty, postgres,
   * sqlite, mysql.
   *
   * You shouldn't use "dirty" for for anything else than testing or
   * development.
   *
   *
   * Database specific settings are dependent on dbType, and go in dbSettings.
   * Remember that since Etherpad 1.6.0 you can also store this information in
   * credentials.json.
   *
   * For a complete list of the supported drivers, please refer to:
   * https://www.npmjs.com/package/ueberdb2
   */
  /*
  "dbType": "dirty",
  "dbSettings": {
    "filename": "var/dirty.db"
  },
  */
  /*
   * An Example of MySQL Configuration (commented out).
   *
   * See: https://github.com/ether/etherpad-lite/wiki/How-to-use-Etherpad-Lite-with-MySQL
   */
  "dbType" : "mysql",
  "dbSettings" : {
    "user":     "{{ etherpad_db_user }}",
    "host":     "{{ etherpad_db_host }}",
    "port":     "{{ etherpad_db_port }}",
    "password": "{{ etherpad_db_password }}",
    "database": "{{ etherpad_db_name }}",
    "charset":  "utf8mb4"
  },
  /*
   * The default text of a pad
   */
  "defaultPadText" : "{{ etherpad_app_default_pad_text }}",
  /*
   * Default Pad behavior.
   *
   * Change them if you want to override.
   */
  "padOptions": {
    "noColors":         false,
    "showControls":     true,
    "showChat":         true,
    "showLineNumbers":  true,
    "useMonospaceFont": false,
    "userName":         null,
    "userColor":        null,
    "rtl":              false,
    "alwaysShowChat":   false,
    "chatAndUsers":     false,
    "lang":             null
  },
  /*
   * Pad Shortcut Keys
   */
  "padShortcutEnabled" : {
    "altF9":     true, /* focus on the File Menu and/or editbar */
    "altC":      true, /* focus on the Chat window */
    "cmdShift2": true, /* shows a gritter popup showing a line author */
    "delete":    true,
    "return":    true,
    "esc":       true, /* in mozilla versions 14-19 avoid reconnecting pad */
    "cmdS":      true, /* save a revision */
    "tab":       true, /* indent */
    "cmdZ":      true, /* undo/redo */
    "cmdY":      true, /* redo */
    "cmdI":      true, /* italic */
    "cmdB":      true, /* bold */
    "cmdU":      true, /* underline */
    "cmd5":      true, /* strike through */
    "cmdShiftL": true, /* unordered list */
    "cmdShiftN": true, /* ordered list */
    "cmdShift1": true, /* ordered list */
    "cmdShiftC": true, /* clear authorship */
    "cmdH":      true, /* backspace */
    "ctrlHome":  true, /* scroll to top of pad */
    "pageUp":    true,
    "pageDown":  true
  },
  /*
   * Should we suppress errors from being visible in the default Pad Text?
   */
  "suppressErrorsInPadText": false,
  /*
   * If this option is enabled, a user must have a session to access pads.
   * This effectively allows only group pads to be accessed.
   */
  "requireSession": false,
  /*
   * Users may edit pads but not create new ones.
   *
   * Pad creation is only via the API.
   * This applies both to group pads and regular pads.
   */
  "editOnly": false,
  /*
   * If true, all css & js will be minified before sending to the client.
   *
   * This will improve the loading performance massively, but makes it difficult
   * to debug the javascript/css
   */
  "minify": true,
  /*
   * How long may clients use served javascript code (in seconds)?
   *
   * Not setting this may cause problems during deployment.
   * Set to 0 to disable caching.
   */
  "maxAge": 21600, // 60 * 60 * 6 = 6 hours
  /*
   * Absolute path to the Abiword executable.
   *
   * Abiword is needed to get advanced import/export features of pads. Setting
   * it to null disables Abiword and will only allow plain text and HTML
   * import/exports.
   */
  "abiword": null,
  /*
   * This is the absolute path to the soffice executable.
   *
   * LibreOffice can be used in lieu of Abiword to export pads.
   * Setting it to null disables LibreOffice exporting.
   */
  "soffice": null,
  /*
   * Allow import of file types other than the supported ones:
   * txt, doc, docx, rtf, odt, html & htm
   */
  "allowUnknownFileEnds": {{ etherpad_app_file_ends }},
  /*
   * This setting is used if you require authentication of all users.
   *
   * Note: "/admin" always requires authentication.
   */
  "requireAuthentication": {{ etherpad_app_require_authentication }},
  /*
   * Require authorization by a module, or a user with is_admin set, see below.
   */
  "requireAuthorization": {{ etherpad_app_require_authorization }},
  /*
   * When you use NGINX or another proxy/load-balancer set this to true.
   *
   * This is especially necessary when the reverse proxy performs SSL
   * termination, otherwise the cookies will not have the "secure" flag.
   *
   * The other effect will be that the logs will contain the real client's IP,
   * instead of the reverse proxy's IP.
   */
  "trustProxy": {{ etherpad_app_trust_proxy }},
  /*
   * Settings controlling the session cookie issued by Etherpad.
   */
  "cookie": {
    /*
     * How often (in milliseconds) the key used to sign the express_sid cookie
     * should be rotated. Long rotation intervals reduce signature verification
     * overhead (because there are fewer historical keys to check) and database
     * load (fewer historical keys to store, and less frequent queries to
     * get/update the keys). Short rotation intervals are slightly more secure.
     *
     * Multiple Etherpad processes sharing the same database (table) is
     * supported as long as the clock sync error is significantly less than this
     * value.
     *
     * Key rotation can be disabled (not recommended) by setting this to 0 or
     * null, or by disabling session expiration (see sessionLifetime).
     */
    "keyRotationInterval": 86400000, // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
    /*
     * Value of the SameSite cookie property. "Lax" is recommended unless
     * Etherpad will be embedded in an iframe from another site, in which case
     * this must be set to "None". Note: "None" will not work (the browser will
     * not send the cookie to Etherpad) unless https is used to access Etherpad
     * (either directly or via a reverse proxy with "trustProxy" set to true).
     *
     * "Strict" is not recommended because it has few security benefits but
     * significant usability drawbacks vs. "Lax". See
     * https://stackoverflow.com/q/41841880 for discussion.
     */
    "sameSite": "Lax",
    /*
     * How long (in milliseconds) after navigating away from Etherpad before the
     * user is required to log in again. (The express_sid cookie is set to
     * expire at time now + sessionLifetime when first created, and its
     * expiration time is periodically refreshed to a new now + sessionLifetime
     * value.) If requireAuthentication is false then this value does not really
     * matter.
     *
     * The "best" value depends on your users' usage patterns and the amount of
     * convenience you desire. A long lifetime is more convenient (users won't
     * have to log back in as often) but has some drawbacks:
     *   - It increases the amount of state kept in the database.
     *   - It might weaken security somewhat: The cookie expiration is refreshed
     *     indefinitely without consulting authentication or authorization
     *     hooks, so once a user has accessed a pad, the user can continue to
     *     use the pad until the user leaves for longer than sessionLifetime.
     *   - More historical keys (sessionLifetime / keyRotationInterval) must be
     *     checked when verifying signatures.
     *
     * Session lifetime can be set to infinity (not recommended) by setting this
     * to null or 0. Note that if the session does not expire, most browsers
     * will delete the cookie when the browser exits, but a session record is
     * kept in the database forever.
     */
    "sessionLifetime": 864000000, // = 10d * 24h/d * 60m/h * 60s/m * 1000ms/s
    /*
     * How long (in milliseconds) before the expiration time of an active user's
     * session is refreshed (to now + sessionLifetime). This setting affects the
     * following:
     *   - How often a new session expiration time will be written to the
     *     database.
     *   - How often each user's browser will ping the Etherpad server to
     *     refresh the expiration time of the session cookie.
     *
     * High values reduce the load on the database and the load from browsers,
     * but can shorten the effective session lifetime if Etherpad is restarted
     * or the user navigates away.
     *
     * Automatic session refreshes can be disabled (not recommended) by setting
     * this to null.
     */
    "sessionRefreshInterval": 86400000 // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s
  },
  /*
   * Privacy: disable IP logging
   */
  "disableIPlogging": false,
  /*
   * Time (in seconds) to automatically reconnect pad when a "Force reconnect"
   * message is shown to user.
   *
   * Set to 0 to disable automatic reconnection.
   */
  "automaticReconnectionTimeout": 0,
  /*
   * By default, when caret is moved out of viewport, it scrolls the minimum
   * height needed to make this line visible.
   */
  "scrollWhenFocusLineIsOutOfViewport": {
    /*
     * Percentage of viewport height to be additionally scrolled.
     *
     * E.g.: use "percentage.editionAboveViewport": 0.5, to place caret line in
     *       the middle of viewport, when user edits a line above of the
     *       viewport
     *
     * Set to 0 to disable extra scrolling
     */
    "percentage": {
      "editionAboveViewport": 0,
      "editionBelowViewport": 0
    },
    /*
     * Time (in milliseconds) used to animate the scroll transition.
     * Set to 0 to disable animation
     */
    "duration": 0,
    /*
     * Flag to control if it should scroll when user places the caret in the
     * last line of the viewport
     */
    "scrollWhenCaretIsInTheLastLineOfViewport": false,
    /*
     * Percentage of viewport height to be additionally scrolled when user
     * presses arrow up in the line of the top of the viewport.
     *
     * Set to 0 to let the scroll to be handled as default by Etherpad
     */
    "percentageToScrollWhenUserPressesArrowUp": 0
  },
  /*
   * User accounts. These accounts are used by:
   *   - default HTTP basic authentication if no plugin handles authentication
   *   - some but not all authentication plugins
   *   - some but not all authorization plugins
   *
   * User properties:
   *   - password: The user's password. Some authentication plugins will ignore
   *     this.
   *   - is_admin: true gives access to /admin. Defaults to false. If you do not
   *     uncomment this, /admin will not be available!
   *   - readOnly: If true, this user will not be able to create new pads or
   *     modify existing pads. Defaults to false.
   *   - canCreate: If this is true and readOnly is false, this user can create
   *     new pads. Defaults to true.
   *
   * Authentication and authorization plugins may define additional properties.
   *
   * WARNING: passwords should not be stored in plaintext in this file.
   *          If you want to mitigate this, please install ep_hash_auth and
   *          follow the section "secure your installation" in README.md
   */
  "users": {
    "admin": {
      // 1) "password" can be replaced with "hash" if you install ep_hash_auth
      // 2) please note that if password is null, the user will not be created
      "password": "{{ etherpad_app_admin_password }}",
      "is_admin": true
    }
  },
  /*
   * Restrict socket.io transport methods
   */
  "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
  "socketIo": {
    /*
     * Maximum permitted client message size (in bytes). All messages from
     * clients that are larger than this will be rejected. Large values make it
     * possible to paste large amounts of text, and plugins may require a larger
     * value to work properly, but increasing the value increases susceptibility
     * to denial of service attacks (malicious clients can exhaust memory).
     */
    "maxHttpBufferSize": 10000
  },
  /*
   * Allow Load Testing tools to hit the Etherpad Instance.
   *
   * WARNING: this will disable security on the instance.
   */
  "loadTest": false,
  /**
  * Disable dump of objects preventing a clean exit
  */
  "dumpOnUncleanExit": false,
  /*
   * Disable indentation on new line when previous line ends with some special
   * chars (':', '[', '(', '{')
   */
  /*
  "indentationOnNewLine": false,
  */
  /*
   * From Etherpad 1.8.3 onwards, import and export of pads is always rate
   * limited.
   *
   * The default is to allow at most 10 requests per IP in a 90 seconds window.
   * After that the import/export request is rejected.
   *
   * See https://github.com/nfriedly/express-rate-limit for more options
   */
  "importExportRateLimiting": {
    // duration of the rate limit window (milliseconds)
    "windowMs": 90000,
    // maximum number of requests per IP to allow during the rate limit window
    "max": 10
  },
  /*
   * From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
   * file is always bounded.
   *
   * File size is specified in bytes. Default is 50 MB.
   */
  "importMaxFileSize": 52428800, // 50 * 1024 * 1024
  /*
   * From Etherpad 1.8.5 onwards, when Etherpad is in production mode commits from individual users are rate limited
   *
   * The default is to allow at most 10 changes per IP in a 1 second window.
   * After that the change is rejected.
   *
   * See https://github.com/animir/node-rate-limiter-flexible/wiki/Overall-example#websocket-single-connection-prevent-flooding for more options
   */
  "commitRateLimiting": {
    // duration of the rate limit window (seconds)
    "duration": 1,
    // maximum number of changes per IP to allow during the rate limit window
    "points": 10
  },
  /*
   * Toolbar buttons configuration.
   *
   * Uncomment to customize.
   */
  /*
  "toolbar": {
    "left": [
      ["bold", "italic", "underline", "strikethrough"],
      ["orderedlist", "unorderedlist", "indent", "outdent"],
      ["undo", "redo"],
      ["clearauthorship"]
    ],
    "right": [
      ["importexport", "timeslider", "savedrevision"],
      ["settings", "embed"],
      ["showusers"]
    ],
    "timeslider": [
      ["timeslider_export", "timeslider_returnToPad"]
    ]
  },
  */
  /*
   * Expose Etherpad version in the web interface and in the Server http header.
   *
   * Do not enable on production machines.
   */
  "exposeVersion": false,
  /*
   * The log level we are using.
   *
   * Valid values: DEBUG, INFO, WARN, ERROR
   */
  "loglevel": "INFO",
  /* Override any strings found in locale directories */
  "customLocaleStrings": {},
  /* Disable Admin UI tests */
  "enableAdminUITests": false
 }
--- a/webapps/etherpad/templates/ssl.conf.j2
+++ b/webapps/etherpad/templates/ssl.conf.j2
@ -0,0 +1,22 @@
 ##
 # Certificates
 # you need a certificate to run in production. see https://letsencrypt.org/
 ##
 ssl_certificate     /etc/letsencrypt/live/{{ etherpad_domains | first }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ etherpad_domains | first }}/privkey.pem;
 ##
 # Security hardening (as of Nov 15, 2020)
 # based on Mozilla Guideline v5.6
 ##
 ssl_protocols             TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
 ssl_session_timeout       1d; # defaults to 5m
 ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
 ssl_session_tickets       off;
 ssl_stapling              on;
 ssl_stapling_verify       on;
 # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
 #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
--- a/webapps/etherpad/templates/vhost.conf.j2
+++ b/webapps/etherpad/templates/vhost.conf.j2
@ -0,0 +1,49 @@
 map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
 }
 server {
  listen 80;
  listen [::]:80;
  server_name {{ etherpad_domains |first }};
  # For certbot
  include /etc/nginx/snippets/letsencrypt.conf;
  {% if ssl.stat.exists %}
  location / { return 301 https://$host$request_uri; }
  {% endif %}
 }
 {% if ssl.stat.exists %}
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name {{ etherpad_domains |first }};
  access_log /var/log/nginx/{{ service }}.access.log;
  error_log  /var/log/nginx/{{ service }}.error.log;
  include /etc/nginx/snippets/letsencrypt.conf;
  include /etc/nginx/ssl/{{ etherpad_domains | first }}.conf;
  location / {
    proxy_pass         http://127.0.0.1:{{ etherpad_node_port }};
    proxy_buffering    off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
    proxy_set_header   Host $host;
    proxy_pass_header  Server;
    # Note you might want to pass these headers etc too.
    proxy_set_header    X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
    proxy_set_header    X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
    proxy_set_header    X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
    proxy_http_version  1.1; # recommended with keepalive connections
    # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
    proxy_set_header  Upgrade $http_upgrade;
    proxy_set_header  Connection $connection_upgrade;
  }  
 }
 {% endif %}
--- a/webapps/etherpad/tests/inventory
+++ b/webapps/etherpad/tests/inventory
@ -0,0 +1,2 @@
 localhost
--- a/webapps/etherpad/tests/test.yml
+++ b/webapps/etherpad/tests/test.yml
@ -0,0 +1,5 @@
 ---
 - hosts: localhost
  remote_user: root
  roles:
    - hedgedoc
--- a/webapps/etherpad/vars/main.yml
+++ b/webapps/etherpad/vars/main.yml
@ -0,0 +1,2 @@
 ---
 # vars file 
--- a/webapps/gitea/LISEZMOI.md
+++ b/webapps/gitea/LISEZMOI.md
@ -0,0 +1,49 @@
 gitea
 =====
 Ce rôle installe un serveur gitea. 
 Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle gitea sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue.
 Requis
 ------
 ...
 Variables du rôle
 -----------------
 Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas).
 Dépendances
 ------------
 Ce rôle Ansible dépend des rôles suivants :
 - nodejs
 Exemple de playbook
 -------------------
 ```
 - name: "Déployer un serveur gitea"
  hosts: 
    - all
  vars:
    # Supplanter ici les variables du rôle
    domains: ['votre-vrai-domaine.org']
    service: 'mon-gitea'
  roles:
    - { role: webapps/gitea , tags: "gitea" }
 ```
 Licence
 -------
 GPLv3
 Infos sur l'auteur
 ------------------
 Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix.
--- a/webapps/gitea/README.md
+++ b/webapps/gitea/README.md
@ -0,0 +1,49 @@
 gitea
 =====
 This role installs or upgrades the server for gitea. 
 FRENCH: Voir le fichier LISEZMOI.md pour le français.
 Requirements
 ------------
 ...
 Role Variables
 --------------
 Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below).
 Dependencies
 ------------
 This Ansible role depends on the following other roles:
 - nodejs
 Example Playbook
 ----------------
 ```
 - name: "Deploy an gitea server"
  hosts: 
    - all
  vars:
    # Overwrite the role variable here
    domains: ['your-real-domain.org']
    service: 'my-gitea'
  roles:
    - { role: webapps/gitea , tags: "gitea" }
 ```
 License
 -------
 GPLv3
 Author Information
 ------------------
 Mathieu Gauthier-Pilote, sys. admin. at Evolix.
--- a/webapps/gitea/defaults/main.yml
+++ b/webapps/gitea/defaults/main.yml
@ -0,0 +1,14 @@
 ---
 # defaults file for vars
 gitea_system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']"
 gitea_git_version: '1.21.3'
 gitea_url: "https://dl.gitea.io/gitea/{{ gitea_git_version }}/gitea-{{ gitea_git_version }}-linux-amd64"
 gitea_checksum: "sha256:ccf6cc2077401e382bca0d000553a781a42c9103656bd33ef32bf093cca570eb"
 gitea_domains: ['example.domain.org']
 gitea_certbot_admin_email: 'security@example.domain.org'
 gitea_db_host: '127.0.0.1:3306'
 gitea_db_name: "{{ gitea_service }}"
 gitea_db_user: "{{ gitea_service }}"
 gitea_db_password: 'UQ6_CHANGE_ME_Gzb'
 gitea_redis_maxclients: '128'
 gitea_redis_maxmemory: '300M'
--- a/webapps/gitea/handlers/main.yml
+++ b/webapps/gitea/handlers/main.yml
@ -0,0 +1,2 @@
 ---
 # handlers file
--- a/webapps/gitea/meta/main.yml
+++ b/webapps/gitea/meta/main.yml
@ -0,0 +1,52 @@
 galaxy_info:
  author: Mathieu Gauthier-Pilote
  description: sys. admin.
  company: Evolix
  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker
  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license GPL-3.0-only
  min_ansible_version: 2.10
  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:
  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99
  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.
 dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--- a/webapps/gitea/tasks/main.yml
+++ b/webapps/gitea/tasks/main.yml
@ -0,0 +1,165 @@
 ---
 # tasks file for gitea install
 - name: Install main system dependencies
  ansible.builtin.apt:
    name: "{{ gitea_system_dep }}"
    update_cache: yes
 - name: Download gitea binary
  ansible.builtin.get_url:
    url: "{{ gitea_url }}"
    dest: /usr/local/bin
    checksum: "{{ gitea_checksum }}"
    mode: '0755'
 - name: Create symbolic link
  ansible.builtin.file:
    src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64"
    dest: "/usr/local/bin/gitea"
    state: link
 - name: Add UNIX account
  ansible.builtin.user:
    name: "{{ gitea_service }}"
    shell: /bin/bash
 - name: Add www-data (nginx) to service's group
  ansible.builtin.user:
    name: www-data
    #group: www-data
    groups: "{{ gitea_service }}"
    append: true
 - name: Add database
  ansible.builtin.mysql_db:
    name: "{{ gitea_db_name }}"
 - name: Add database user
  ansible.builtin.mysql_user:
    name: "{{ gitea_db_user }}"
    password: "{{ gitea_db_password }}"
    priv: "{{ gitea_db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}"
    update_password: on_create
 - name: Create the gitea conf dir if needed
  ansible.builtin.file:
    path: /etc/gitea
    state: directory
    mode: '0755'
 - name: Template gitea ini file
  ansible.builtin.template: 
    src: "gitea.ini.j2"
    dest: "/etc/gitea/{{ gitea_service }}.ini"
    owner: 'root'
    group: "{{ gitea_service }}"
    mode: '0660'
 - name: Template gitea systemd unit
  ansible.builtin.template: 
    src: "gitea.service.j2"
    dest: "/etc/systemd/system/gitea@.service"
 - name: Start gitea systemd unit
  ansible.builtin.service:
    name: "gitea@{{ gitea_service }}"
    state: restarted
 - name: Create the redis dir if needed
  ansible.builtin.file:
    path: /home/{{ gitea_service }}/redis
    state: directory
    owner: "{{ gitea_service }}"
    group: "{{ gitea_service }}"
    mode: '0750'
 - name: Create the log dir if needed
  ansible.builtin.file:
    path: /home/{{ gitea_service }}/log
    state: directory
    owner: "{{ gitea_service }}"
    group: "{{ gitea_service }}"
    mode: '0750'
 - name: Template redis conf
  ansible.builtin.template: 
    src: "redis.conf.j2"
    dest: "/home/{{ gitea_service }}/redis/redis.conf"
    owner: "{{ gitea_service }}"
    group: "{{ gitea_service }}"
    mode: '0640'
 - name: Template redis systemd unit
  ansible.builtin.template: 
    src: "redis.service.j2"
    dest: "/etc/systemd/system/redis@.service"
 - name: Start redis systemd unit
  ansible.builtin.service:
    name: "redis@{{ gitea_service }}"
    state: started
 - name: Template nginx snippet for Let's Encrypt/Certbot
  ansible.builtin.template: 
    src: "letsencrypt.conf.j2"
    dest: "/etc/nginx/snippets/letsencrypt.conf"
 - name: Check if SSL certificate is present and register result
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem"
  register: ssl
 - name: Generate certificate only if required (first time)
  block:
  - name: Template vhost without SSL for successfull LE challengce
    ansible.builtin.template: 
      src: "vhost.conf.j2"
      dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
  - name: Enable temporary nginx vhost for gitea
    ansible.builtin.file:
      src: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
      dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf"
      state: link
  - name: Reload nginx conf
    ansible.builtin.service:
      name: nginx
      state: reloaded
  - name: Make sure /var/lib/letsencrypt exists and has correct permissions
    ansible.builtin.file: 
      path: /var/lib/letsencrypt
      state: directory
      mode: '0755'
  - name: Generate certificate with certbot
    ansible.builtin.shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ gitea_certbot_admin_email }} -d {{ gitea_domains |first }}
  - name: Create the ssl dir if needed
    ansible.builtin.file:
      path: /etc/nginx/ssl
      state: directory
      mode: '0750'
  - name: Template ssl bloc for nginx vhost
    ansible.builtin.template: 
      src: "ssl.conf.j2"
      dest: "/etc/nginx/ssl/{{ gitea_domains |first }}.conf"
  when: ssl.stat.exists != true
 - name: (Re)check if SSL certificate is present and register result
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem"
  register: ssl
 - name: (Re)template conf file for nginx vhost with SSL
  ansible.builtin.template:
    src: "vhost.conf.j2"
    dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
 - name: Enable nginx vhost for gitea
  ansible.builtin.file:
    src: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
    dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf"
    state: link
 - name: Reload nginx conf
  ansible.builtin.service:
    name: nginx
    state: reloaded
--- a/webapps/gitea/tasks/upgrade.yml
+++ b/webapps/gitea/tasks/upgrade.yml
@ -0,0 +1,26 @@
 ---
 # tasks file for gitea upgrade
 - name: Download gitea binary
  ansible.builtin.get_url:
    url: "{{ gitea_url }}"
    dest: /usr/local/bin
    checksum: "{{ gitea_checksum }}"
    mode: '0755'
 - name: Create symbolic link
  ansible.builtin.file:
    src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64"
    dest: "/usr/local/bin/gitea"
    state: link
 - name: Start gitea systemd unit
  ansible.builtin.service:
    name: "gitea@{{ gitea_service }}"
    state: restarted
 - name: Reload nginx conf
  ansible.builtin.service:
    name: nginx
    state: reloaded
--- a/webapps/gitea/templates/gitea.ini.j2
+++ b/webapps/gitea/templates/gitea.ini.j2
@ -0,0 +1,39 @@
 APP_NAME = Gitea
 RUN_USER = {{ gitea_service }}
 RUN_MODE = prod
 [server]
 PROTOCOL               = unix
 DOMAIN                 = {{ gitea_domains | first }}
 HTTP_ADDR              = /home/{{ gitea_service }}/gitea.sock
 UNIX_SOCKET_PERMISSION = 660
 OFFLINE_MODE           = true
 SSH_DOMAIN             = {{ gitea_domains | first }}
 ROOT_URL               = https://{{ gitea_domains | first }}/
 [repository]
 ROOT = /home/{{ gitea_service }}/repositories
 [log]
 ROOT_PATH = /home/{{ gitea_service }}/log/
 MODE      = console
 LEVEL     = info
 [i18n]
 LANGS = fr-FR, en-US
 NAMES = Français,English
 [database]
 DB_TYPE  = mysql
 HOST     = {{ gitea_db_host }}
 NAME     = {{ gitea_db_name }}
 USER     = {{ gitea_db_user }}
 PASSWD   = {{ gitea_db_password }}
 [session]
 PROVIDER         = redis
 PROVIDER_CONFIG  = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=0,pool_size=100,idle_timeout=180
 [cache]
 ADAPTER = redis
 HOST    = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=1,pool_size=100,idle_timeout=180
--- a/webapps/gitea/templates/gitea.service.j2
+++ b/webapps/gitea/templates/gitea.service.j2
@ -0,0 +1,22 @@
 [Unit]
 Description=Gitea (Git with a cup of tea)
 After=syslog.target
 After=network.target
 After=mysqld.service
 [Service]
 User=%i
 Group=%i
 Type=simple
 RestartSec=2s
 Restart=always
 WorkingDirectory=/home/%i
 ExecStart=/usr/local/bin/gitea web --config /etc/gitea/%i.ini
 Environment=GITEA_WORK_DIR=/home/%i/internals
 [Install]
 WantedBy=multi-user.target
--- a/webapps/gitea/templates/letsencrypt.conf.j2
+++ b/webapps/gitea/templates/letsencrypt.conf.j2
@ -0,0 +1,5 @@
 location ~ /.well-known/acme-challenge {
  alias /var/lib/letsencrypt/;
  try_files $uri =404;
  allow all;
 }
--- a/webapps/gitea/templates/redis.conf.j2
+++ b/webapps/gitea/templates/redis.conf.j2
@ -0,0 +1,22 @@
 bind 127.0.0.1 ::1
 protected-mode yes
 port 0
 unixsocket /home/{{ gitea_service }}/redis/redis.sock
 unixsocketperm 770
 timeout 0
 tcp-keepalive 300
 loglevel notice
 logfile /home/{{ gitea_service }}/log/redis-server.log
 databases 16
 save 900 1
 save 300 10
 save 60 10000
 dbfilename dump.rdb
 dir /home/{{ gitea_service }}/redis
 maxclients {{ gitea_redis_maxclients }}
 maxmemory {{ gitea_redis_maxmemory }}
--- a/webapps/gitea/templates/redis.service.j2
+++ b/webapps/gitea/templates/redis.service.j2
@ -0,0 +1,14 @@
 [Unit]
 Description=Advanced key-value store
 After=network.target
 [Service]
 Type=simple
 ExecStart=/usr/bin/redis-server /home/%i/redis/redis.conf
 TimeoutStopSec=0
 Restart=always
 User=%i
 Group=%i
 [Install]
 WantedBy=multi-user.target
--- a/webapps/gitea/templates/ssl.conf.j2
+++ b/webapps/gitea/templates/ssl.conf.j2
@ -0,0 +1,22 @@
 ##
 # Certificates
 # you need a certificate to run in production. see https://letsencrypt.org/
 ##
 ssl_certificate     /etc/letsencrypt/live/{{ gitea_domains | first }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ gitea_domains | first }}/privkey.pem;
 ##
 # Security hardening (as of Nov 15, 2020)
 # based on Mozilla Guideline v5.6
 ##
 ssl_protocols             TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
 ssl_session_timeout       1d; # defaults to 5m
 ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
 ssl_session_tickets       off;
 ssl_stapling              on;
 ssl_stapling_verify       on;
 # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
 #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
--- a/webapps/gitea/templates/vhost.conf.j2
+++ b/webapps/gitea/templates/vhost.conf.j2
@ -0,0 +1,38 @@
 upstream gitea_{{ gitea_service }} {
    server unix:/home/{{ gitea_service }}/gitea.sock;
 }
 server {
  listen 80;
  listen [::]:80;
  server_name {{ gitea_domains | first }};
  # For certbot
  include /etc/nginx/snippets/letsencrypt.conf;
  {% if ssl.stat.exists %}
  location / { return 301 https://$host$request_uri; }
  {% endif %}
 }
 {% if ssl.stat.exists %}
 server {
    listen 0.0.0.0:443 ssl http2;
    listen [::]:443 ssl http2;
    server_name {{ gitea_domains | first }};
    access_log /var/log/nginx/{{ gitea_service }}.access.log;
    error_log  /var/log/nginx/{{ gitea_service }}.error.log;
    include /etc/nginx/snippets/letsencrypt.conf;
    include /etc/nginx/ssl/{{ gitea_domains | first }}.conf;
    location / {
        proxy_pass http://gitea_{{ gitea_service }};
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_read_timeout 10;
    }
 }
 {% endif %}
--- a/webapps/gitea/tests/inventory
+++ b/webapps/gitea/tests/inventory
@ -0,0 +1,2 @@
 localhost
--- a/webapps/gitea/tests/test.yml
+++ b/webapps/gitea/tests/test.yml
@ -0,0 +1,5 @@
 ---
 - hosts: localhost
  remote_user: root
  roles:
    - privatebin
--- a/webapps/gitea/vars/main.yml
+++ b/webapps/gitea/vars/main.yml
@ -0,0 +1,2 @@
 ---
 # vars file 
--- a/webapps/hedgedoc/LISEZMOI.md
+++ b/webapps/hedgedoc/LISEZMOI.md
@ -0,0 +1,58 @@
 hedgedoc
 =========
 Ce rôle installe le serveur de HedgeDoc, une application rédaction collaborative en temps-réel utilisant la syntaxe Markdown. 
 Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle hedgedoc sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue.
 Requis
 ------
 ...
 Variables du rôle
 -----------------
 Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas).
 Dépendances
 ------------
 Ce rôle Ansible dépend des rôles suivants :
 - nodejs
 Exemple de playbook
 -------------------
 ```
 - name: "Déployer un serveur HedgeDoc"
  hosts: 
    - all
  vars:
    # Supplanter ici les variables du rôle
    domains: ['votre-vrai-domaine.org']
    service: 'mon-hedgedoc'
    db_host: 'localhost'
    db_user: "{{ service }}"
    db_name: "{{ service }}"
    db_password: 'zKEh-CHANGEZ-MOI-qIKc'
  pre_tasks:
    - name: "Installer les rôles systèmes"
      roles:
        - { role: nodejs, nodejs_apt_version: "{{ node_version }}" }
  roles:
    - { role: webapps/hedgedoc , tags: "hedgedoc" }
 ```
 Licence
 -------
 GPLv3
 Infos sur l'auteur
 ------------------
 Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix.
--- a/webapps/hedgedoc/README.md
+++ b/webapps/hedgedoc/README.md
@ -0,0 +1,58 @@
 hedgedoc
 =========
 This role installs or upgrades the server for the real-time markdown collaborative editor HedgeDoc. 
 FRENCH: Voir le fichier LISEZMOI.md pour le français.
 Requirements
 ------------
 ...
 Role Variables
 --------------
 Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below).
 Dependencies
 ------------
 This Ansible role depends on the following other roles:
 - nodejs
 Example Playbook
 ----------------
 ```
 - name: "Deploy a HedgeDoc server"
  hosts: 
    - all
  vars:
    # Overwrite the role variable here
    domains: ['your-real-domain.org']
    service: 'my-hedgedoc'
    db_host: 'localhost'
    db_user: "{{ service }}"
    db_name: "{{ service }}"
    db_password: 'zKEh-CHANGE-ME-qIKc'
  pre_tasks:
    - name: "Install system roles"
      roles:
        - { role: nodejs, nodejs_apt_version: "{{ node_version }}" }
  roles:
    - { role: webapps/hedgedoc , tags: "hedgedoc" }
 ```
 License
 -------
 GPLv3
 Author Information
 ------------------
 Mathieu Gauthier-Pilote, sys. admin. at Evolix.
--- a/webapps/hedgedoc/defaults/main.yml
+++ b/webapps/hedgedoc/defaults/main.yml
@ -0,0 +1,15 @@
 ---
 # defaults file for mastodon
 hedgedoc_system_dep: "['apt-transport-https', 'postgresql', 'python3-psycopg2', 'nginx', 'git', 'wget', 'certbot']"
 hedgedoc_git_url: 'https://github.com/hedgedoc/hedgedoc.git'
 hedgedoc_git_version: '1.9.9'
 hedgedoc_node_version: 'node_18.x'
 hedgedoc_node_port: '3000'
 hedgedoc_service: 'example'
 hedgedoc_domains: ['example.domain.org']
 hedgedoc_certbot_admin_email: 'security@example.org'
 hedgedoc_db_host: 'localhost'
 hedgedoc_db_user: "{{ hedgedoc_service }}"
 hedgedoc_db_name: "{{ hedgedoc_service }}"
 hedgedoc_db_password: 'CHANGE_ME'
--- a/webapps/hedgedoc/handlers/main.yml
+++ b/webapps/hedgedoc/handlers/main.yml
@ -0,0 +1,2 @@
 ---
 # handlers file for mastodon
--- a/webapps/hedgedoc/meta/main.yml
+++ b/webapps/hedgedoc/meta/main.yml
@ -0,0 +1,52 @@
 galaxy_info:
  author: Mathieu Gauthier-Pilote
  description: sys. admin.
  company: Evolix
  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker
  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license GPL-3.0-only
  min_ansible_version: 2.10
  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:
  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99
  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.
 dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--- a/webapps/hedgedoc/tasks/main.yml
+++ b/webapps/hedgedoc/tasks/main.yml
@ -0,0 +1,151 @@
 ---
 # tasks file for hedgedoc install
 - name: Install main system dependencies
  ansible.builtin.apt:
    name: "{{ hedgedoc_system_dep }}"
    update_cache: yes
 #- name: Install node-gyp from npm
 #  ansible.builtin.shell: npm install --global node-gyp corepack
 #- name: Enable yarn (via corepack)
 #  ansible.builtin.shell: "corepack enable"
 #- name: Fix permissions 
 #  ansible.builtin.file:
 #    path: /usr/local/lib/node_modules
 #    mode: g+rx,o+rx
 #    recurse: yes
 - name: Add UNIX account
  ansible.builtin.user:
    name: "{{ hedgedoc_service }}"
    shell: /bin/bash
 - name: Add PostgreSQL user
  community.postgresql.postgresql_user:
    name: "{{ hedgedoc_db_user }}"
    password: "{{ hedgedoc_db_password }}"
    no_password_changes: true
  become_user: postgres
 - name: Add PostgreSQL database
  community.postgresql.postgresql_db:
    name: "{{ hedgedoc_db_name }}"
    owner: "{{ hedgedoc_db_user }}"
  become_user: postgres
 - block:
  - name: Clone hedgedoc repo (git)
    ansible.builtin.git:
      repo: "{{ hedgedoc_git_url }}"
      dest: "~/hedgedoc/"
      version: "{{ hedgedoc_git_version | default(omit) }}"
      update: yes
      umask: '0022'
 #  - name: Set cache dir for yarn
 #    ansible.builtin.shell: yarn config set cache-folder /var/tmp/cache/yarn
 #    args:
 #      chdir: "~/"
  - name: Run setup
    ansible.builtin.shell: "bin/setup"
    args:
      chdir: "~/hedgedoc"
  - name: Install dependencies for frontend app
    ansible.builtin.shell: "yarn install --frozen-lockfile"
    args:
      chdir: "~/hedgedoc"
  - name: Build frontend app
    ansible.builtin.shell: "yarn build"
    args:
      chdir: "~/hedgedoc"
  become_user: "{{ hedgedoc_service }}"
 - name: Template json config file
  ansible.builtin.template:
    src: "config.json.j2"
    dest: "~{{ hedgedoc_service }}/hedgedoc/config.json"
    owner: "{{ hedgedoc_service }}"
    group: "{{ hedgedoc_service }}"
    mode: "0640"
 - name: Add systemd unit
  ansible.builtin.template:
    src: "hedgedoc.service.j2"
    dest: "/etc/systemd/system/{{ hedgedoc_service }}.service"
 - name: Enable systemd units
  ansible.builtin.systemd:
    name: "{{ hedgedoc_service }}.service"
    enabled: yes
    daemon_reload: yes
 - name: Start service
  ansible.builtin.service:
    name: "{{ hedgedoc_service }}.service"
    state: restarted
 - name: Template nginx snippet for Let's Encrypt/Certbot
  ansible.builtin.template: 
    src: "letsencrypt.conf.j2"
    dest: "/etc/nginx/snippets/letsencrypt.conf"
 - name: Check if SSL certificate is present and register result
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ hedgedoc_domains |first }}/fullchain.pem"
  register: ssl
 - name: Generate certificate only if required (first time)
  block:
  - name: Template vhost without SSL for successfull LE challengce
    ansible.builtin.template: 
      src: "vhost.conf.j2"
      dest: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
  - name: Enable temporary nginx vhost for LE
    ansible.builtin.file:
      src: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
      dest: "/etc/nginx/sites-enabled/{{ hedgedoc_service }}"
      state: link
  - name: Reload nginx conf
    ansible.builtin.service:
      name: nginx
      state: reloaded
  - name: Make sure /var/lib/letsencrypt exists and has correct permissions
    ansible.builtin.file: 
      path: /var/lib/letsencrypt
      state: directory
      mode: '0755'
  - name: Generate certificate with certbot
    ansible.builtin.shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ hedgedoc_certbot_admin_email }} -d {{ hedgedoc_domains |first }}
  - name: Create the ssl dir if needed
    ansible.builtin.file:
      path: /etc/nginx/ssl
      state: directory
      mode: '0750'
  - name: Template ssl bloc for nginx vhost
    ansible.builtin.template: 
      src: "ssl.conf.j2"
      dest: "/etc/nginx/ssl/{{ hedgedoc_domains |first }}.conf"
  when: ssl.stat.exists != true
 - name: (Re)check if SSL certificate is present and register result
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ hedgedoc_domains |first }}/fullchain.pem"
  register: ssl
 - name: (Re)template conf file for nginx vhost with SSL
  ansible.builtin.template:
    src: "vhost.conf.j2"
    dest: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
 - name: Enable nginx vhost for hedgedoc
  ansible.builtin.file:
    src: "/etc/nginx/sites-available/{{ hedgedoc_service }}"
    dest: "/etc/nginx/sites-enabled/{{ hedgedoc_service }}"
    state: link
 - name: Reload nginx conf
  ansible.builtin.service:
    name: nginx
    state: reloaded
--- a/webapps/hedgedoc/tasks/upgrade.yml
+++ b/webapps/hedgedoc/tasks/upgrade.yml
@ -0,0 +1,57 @@
 ---
 # tasks file for hedgedoc upgrade
 - name: Dump database to a file with compression
  community.postgresql.postgresql_db:
    name: "{{ hedgedoc_service }}"
    state: dump
    target: "~/{{ hedgedoc_service }}.sql.gz"
  become_user: postgres
 - name: Stop service
  ansible.builtin.service:
    name: "{{ hedgedoc_service }}.service"
    state: stopped
 - block:
  - name: Clone hedgedoc repo (git)
    ansible.builtin.git:
      repo: "{{ hedgedoc_git_url }}"
      dest: "~/hedgedoc/"
      version: "{{ hedgedoc_git_version }}"
      update: yes
  - name: Run setup
    ansible.builtin.shell: "bin/setup"
    args:
      chdir: "~/hedgedoc"
  - name: Install dependencies for frontend app
    ansible.builtin.shell: "yarn install --frozen-lockfile"
    args:
      chdir: "~/hedgedoc"
  - name: Build frontend app
    ansible.builtin.shell: "yarn build"
    args:
      chdir: "~/hedgedoc"
  become_user: "{{ hedgedoc_service }}"
 - name: Restart services
  ansible.builtin.service:
    name: "{{ hedgedoc_service }}.service"
    state: restarted
 - name: Define variable to skip next task by default
  ansible.builtin.set_fact:
    keep_db_dump: true
 - name: Remove database dump
  ansible.builtin.file:
    path: "~/{{ hedgedoc_service }}.sql.gz"
    state: absent
  become_user: postgres
  when: keep_db_dump is undefined
  tags: clean
 - name: Reload nginx conf
  ansible.builtin.service:
    name: nginx
    state: reloaded
--- a/webapps/hedgedoc/templates/config.json.j2
+++ b/webapps/hedgedoc/templates/config.json.j2
@ -0,0 +1,46 @@
 {
    "test": {
        "db": {
            "dialect": "sqlite",
            "storage": ":memory:"
        },
        "linkifyHeaderStyle": "gfm"
    },
    "development": {
        "loglevel": "debug",
        "db": {
            "dialect": "sqlite",
            "storage": "./db.hedgedoc.sqlite"
        },
        "domain": "localhost",
        "urlAddPort": true
    },
    "production": {
        "domain": "{{ hedgedoc_domains }}",
        "loglevel": "info",
        "protocolUseSSL": "true",
        "urlAddPort": false,
        "hsts": {
            "enable": true,
            "maxAgeSeconds": 31536000,
            "includeSubdomains": true,
            "preload": true
        },
        "csp": {
            "enable": true,
            "directives": {
            },
            "upgradeInsecureRequests": "auto",
            "addDefaults": true
        },
        "cookiePolicy": "lax",
        "db": {
            "username": "{{ hedgedoc_db_user }}",
            "password": "{{ hedgedoc_db_password }}",
            "database": "{{ hedgedoc_db_name }}",
            "host": "{{ hedgedoc_db_host }}",
            "port": "5432",
            "dialect": "postgres"
        }
    }
 }
--- a/Show more
+++ b/Show more