diff --git a/.gitignore b/.gitignore
index f29d4e84..8abdc284 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,16 @@
+# backup and temporary files
*~
+
+# patches and related files
+*.orig
*.patch
+*.rej
+
+# html files (as generated from markdown)
*.html
+
+# checksums file as used by $ScriptInstallUpdate
+checksums.json
+
+# Mac OS X folder settings file
+.DS_Store
diff --git a/BRANCHES.md b/BRANCHES.md
new file mode 100644
index 00000000..df7eb0d5
--- /dev/null
+++ b/BRANCHES.md
@@ -0,0 +1,50 @@
+Installing from branches
+========================
+
+[](https://github.com/eworm-de/routeros-scripts/stargazers)
+[](https://github.com/eworm-de/routeros-scripts/network)
+[](https://github.com/eworm-de/routeros-scripts/watchers)
+[](https://mikrotik.com/download/changelogs/)
+[](https://t.me/routeros_scripts)
+[](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
+
+[⬅️ Go back to main README](README.md)
+
+> ⚠️ **Warning**: Living on the edge? Great, read on!
+> If not: Please use the `main` branch and leave this page!
+
+These scripts are developed in a [git ↗️](https://git-scm.com/) repository.
+Development and experimental branches are used to provide early access
+for specific changes. You can install scripts from these branches
+for testing.
+
+## Install single script
+
+To install a single script from `next` branch:
+
+ $ScriptInstallUpdate script-name "base-url=https://rsc.eworm.de/next/";
+
+## Switch existing script
+
+Alternatively switch an existing script to update from `next` branch:
+
+ /system/script/set comment="base-url=https://rsc.eworm.de/next/" script-name;
+ $ScriptInstallUpdate;
+
+## Switch installation
+
+Last but not least - to switch the complete installation to the `next`
+branch edit `global-config-overlay` and add:
+
+ :global ScriptUpdatesBaseUrl "https://rsc.eworm.de/next/";
+
+... then reload the configuration and update:
+
+ /system/script/run global-config;
+ $ScriptInstallUpdate;
+
+> ℹ️ **Info**: Replace `next` with *whatever* to use another specific branch.
+
+---
+[⬅️ Go back to main README](README.md)
+[⬆️ Go back to top](#top)
diff --git a/CERTIFICATES.d/01-dialog-A.avif b/CERTIFICATES.d/01-dialog-A.avif
new file mode 100644
index 00000000..2fc3c9bd
Binary files /dev/null and b/CERTIFICATES.d/01-dialog-A.avif differ
diff --git a/CERTIFICATES.d/02-dialog-B.avif b/CERTIFICATES.d/02-dialog-B.avif
new file mode 100644
index 00000000..5e408abe
Binary files /dev/null and b/CERTIFICATES.d/02-dialog-B.avif differ
diff --git a/CERTIFICATES.d/03-window.avif b/CERTIFICATES.d/03-window.avif
new file mode 100644
index 00000000..96039a3b
Binary files /dev/null and b/CERTIFICATES.d/03-window.avif differ
diff --git a/CERTIFICATES.d/04-certificate.avif b/CERTIFICATES.d/04-certificate.avif
new file mode 100644
index 00000000..e6663146
Binary files /dev/null and b/CERTIFICATES.d/04-certificate.avif differ
diff --git a/CERTIFICATES.md b/CERTIFICATES.md
new file mode 100644
index 00000000..3eae6c5c
--- /dev/null
+++ b/CERTIFICATES.md
@@ -0,0 +1,83 @@
+Certificate name from browser
+=============================
+
+[](https://github.com/eworm-de/routeros-scripts/stargazers)
+[](https://github.com/eworm-de/routeros-scripts/network)
+[](https://github.com/eworm-de/routeros-scripts/watchers)
+[](https://mikrotik.com/download/changelogs/)
+[](https://t.me/routeros_scripts)
+[](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
+
+[⬅️ Go back to main README](README.md)
+
+All well known desktop, mobile and server operating systems come with a
+certificate store that is populated with a set of well known and trusted
+certificates, acting as *trust anchors*.
+
+However RouterOS does not, still sometimes a specific certificate is
+required to properly verify a chain of trust. One example is downloading
+the scripts from this repository with `fetch` command, thus the very
+first step of [installation](README.md#the-long-way-in-detail) is importing
+the certificate.
+
+The scripts can install additional certificates when required. This happens
+from this repository if available, or from [mkcert.org ↗️](https://mkcert.org)
+as a fallback.
+
+Get the certificate's CommonName
+--------------------------------
+
+But how to determine what certificate may be required? Often easiest way
+is to use a desktop browser to get that information. This demonstration uses
+[Mozilla Firefox ↗️](https://www.mozilla.org/firefox/).
+
+Let's assume we want to make sure the certificate for
+[git.eworm.de](https://git.eworm.de/) is available. Open that page in the
+browser, then click the *lock* icon in addressbar, followed by "*Connection
+secure*".
+
+
+
+The dialog will change, click "*More information*".
+
+
+
+A new window opens, click the button "*View Certificate*". (That window
+can be closed now.)
+
+
+
+A new tab opens, showing information on the server certificate and its
+chain of trust. The leftmost certificate is what we are interested in.
+
+
+
+Now we know that "`ISRG Root X2`" is required, some scripts need just
+that information.
+
+Import a certificate by CommonName
+----------------------------------
+
+Running the function `$CertificateAvailable` with that name as parameter
+makes sure the certificate is available in the device's store:
+
+ $CertificateAvailable "ISRG Root X2" "fetch";
+
+If the certificate is actually available already nothing happens, and there
+is no output. Otherwise the certificate is downloaded and imported.
+
+If importing a certificate with that exact name fails a warning is given
+and nothing is actually imported.
+
+See also
+--------
+
+* [Download, import and update firewall address-lists](doc/fw-addr-lists.md)
+* [Manage DNS and DoH servers from netwatch](doc/netwatch-dns.md)
+* [Send notifications via Gotify](doc/mod/notification-gotify.md)
+* [Send notifications via Matrix](doc/mod/notification-matrix.md)
+* [Send notifications via Ntfy](doc/mod/notification-ntfy.md)
+
+---
+[⬅️ Go back to main README](README.md)
+[⬆️ Go back to top](#top)
diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md
index a15a72a8..c7e05b21 100644
--- a/CONTRIBUTIONS.md
+++ b/CONTRIBUTIONS.md
@@ -1,26 +1,66 @@
Past Contributions
==================
-[◀ Go back to main README](README.md)
+[](https://github.com/eworm-de/routeros-scripts/stargazers)
+[](https://github.com/eworm-de/routeros-scripts/network)
+[](https://github.com/eworm-de/routeros-scripts/watchers)
+[](https://mikrotik.com/download/changelogs/)
+[](https://t.me/routeros_scripts)
+[](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
-Thanks a lot for your contributions!
+[⬅️ Go back to main README](README.md)
+
+Thanks a lot for your contributions! ❤️
## Patches
-These persons contributed code. See the git history for details!
+These persons contributed code or documentation. See the git history
+for details!
-* [Michael Gisbers](mailto:michael@gisbers.de)
+* [Anatoly Bubenkov](mailto:bubenkoff@gmail.com) (@bubenkoff)
+* [Ben Harris](mailto:mail@bharr.is) (@bharrisau)
+* [Daniel Ziegenberg](mailto:daniel@ziegenberg.at) (@ziegenberg)
+* [Ignacio Serrano](mailto:ignic@ignic.com) (@ignic)
+* [Ilya Kulakov](mailto:kulakov.ilya@gmail.com) (@Kentzo)
+* [Leonardo David Monteiro](mailto:leo@cub3.xyz) (@leosfsm)
+* [Michael Gisbers](mailto:michael@gisbers.de) (@mgisbers)
+* [Miquel Bonastre](mailto:mbonastre@yahoo.com) (@mbonastre)
+* @netravnen
+* [netztrip](mailto:dave-tvg@netztrip.de) (@netztrip)
+* [Stefan Müller](mailto:stefan.mueller.83@gmail.com) (@PackElend)
## Donations
Add yourself to the list,
-[donate with PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)!
+[donate with PayPal ↗️](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)!
-* Reiner Vehrenkamp
-* Linux-Schmie.de Michael Gisbers
+* Abdul Mannan Abbasi
+* Alex Maier
+* Andrea Ruffini Perico
+* Andrew Cox
* Christoph Boss (@Kampfwurst)
+* Daniel Ziegenberg (@ziegenberg)
+* Devin Dean (@dd2594gh)
+* Evaldo Gardenal
+* Florian Estraviz
+* Giorgio Bikos
+* Harold Schoemaker
+* Hugo BV
* Klaus Michael Rübsam
+* Leonardo Valeri Manera
+* Linux-Schmie.de Michael Gisbers
+* Manuel Kuhn
+* Marek Čábák
+* Oleksandr Yukhymchuk
+* Peter Holtkamp
+* Peter Ponzel
+* Reiner Vehrenkamp
+* Richard Österreicher
+* Simon Hitzemann
+* Sunny Chu (@sunnychuchu)
+* Ulrich Wessendorf
+* Zac Kornilakis
---
-[◀ Go back to main README](README.md)
-[▲ Go back to top](#top)
+[⬅️ Go back to main README](README.md)
+[⬆️ Go back to top](#top)
diff --git a/COPYING.md b/COPYING.md
new file mode 100644
index 00000000..2fb2e74d
--- /dev/null
+++ b/COPYING.md
@@ -0,0 +1,675 @@
+### GNU GENERAL PUBLIC LICENSE
+
+Version 3, 29 June 2007
+
+Copyright (C) 2007 Free Software Foundation, Inc.
+
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+### Preamble
+
+The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom
+to share and change all versions of a program--to make sure it remains
+free software for all its users. We, the Free Software Foundation, use
+the GNU General Public License for most of our software; it applies
+also to any other work released this way by its authors. You can apply
+it to your programs, too.
+
+When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you
+have certain responsibilities if you distribute copies of the
+software, or if you modify it: responsibilities to respect the freedom
+of others.
+
+For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too, receive
+or can get the source code. And you must show them these terms so they
+know their rights.
+
+Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the
+manufacturer can do so. This is fundamentally incompatible with the
+aim of protecting users' freedom to change the software. The
+systematic pattern of such abuse occurs in the area of products for
+individuals to use, which is precisely where it is most unacceptable.
+Therefore, we have designed this version of the GPL to prohibit the
+practice for those products. If such problems arise substantially in
+other domains, we stand ready to extend this provision to those
+domains in future versions of the GPL, as needed to protect the
+freedom of users.
+
+Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish
+to avoid the special danger that patents applied to a free program
+could make it effectively proprietary. To prevent this, the GPL
+assures that patents cannot be used to render the program non-free.
+
+The precise terms and conditions for copying, distribution and
+modification follow.
+
+### TERMS AND CONDITIONS
+
+#### 0. Definitions.
+
+"This License" refers to version 3 of the GNU General Public License.
+
+"Copyright" also means copyright-like laws that apply to other kinds
+of works, such as semiconductor masks.
+
+"The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of
+an exact copy. The resulting work is called a "modified version" of
+the earlier work or a work "based on" the earlier work.
+
+A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user
+through a computer network, with no transfer of a copy, is not
+conveying.
+
+An interactive user interface displays "Appropriate Legal Notices" to
+the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+#### 1. Source Code.
+
+The "source code" for a work means the preferred form of the work for
+making modifications to it. "Object code" means any non-source form of
+a work.
+
+A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+The Corresponding Source need not include anything that users can
+regenerate automatically from other parts of the Corresponding Source.
+
+The Corresponding Source for a work in source code form is that same
+work.
+
+#### 2. Basic Permissions.
+
+All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+You may make, run and propagate covered works that you do not convey,
+without conditions so long as your license otherwise remains in force.
+You may convey covered works to others for the sole purpose of having
+them make modifications exclusively for you, or provide you with
+facilities for running those works, provided that you comply with the
+terms of this License in conveying all material for which you do not
+control copyright. Those thus making or running the covered works for
+you must do so exclusively on your behalf, under your direction and
+control, on terms that prohibit them from making any copies of your
+copyrighted material outside their relationship with you.
+
+Conveying under any other circumstances is permitted solely under the
+conditions stated below. Sublicensing is not allowed; section 10 makes
+it unnecessary.
+
+#### 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such
+circumvention is effected by exercising rights under this License with
+respect to the covered work, and you disclaim any intention to limit
+operation or modification of the work as a means of enforcing, against
+the work's users, your or third parties' legal rights to forbid
+circumvention of technological measures.
+
+#### 4. Conveying Verbatim Copies.
+
+You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+#### 5. Conveying Modified Source Versions.
+
+You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these
+conditions:
+
+- a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+- b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under
+ section 7. This requirement modifies the requirement in section 4
+ to "keep intact all notices".
+- c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged. This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+- d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+#### 6. Conveying Non-Source Forms.
+
+You may convey a covered work in object code form under the terms of
+sections 4 and 5, provided that you also convey the machine-readable
+Corresponding Source under the terms of this License, in one of these
+ways:
+
+- a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+- b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the Corresponding
+ Source from a network server at no charge.
+- c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+- d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+- e) Convey the object code using peer-to-peer transmission,
+ provided you inform other peers where the object code and
+ Corresponding Source of the work are being offered to the general
+ public at no charge under subsection 6d.
+
+A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal,
+family, or household purposes, or (2) anything designed or sold for
+incorporation into a dwelling. In determining whether a product is a
+consumer product, doubtful cases shall be resolved in favor of
+coverage. For a particular product received by a particular user,
+"normally used" refers to a typical or common use of that class of
+product, regardless of the status of the particular user or of the way
+in which the particular user actually uses, or expects or is expected
+to use, the product. A product is a consumer product regardless of
+whether the product has substantial commercial, industrial or
+non-consumer uses, unless such uses represent the only significant
+mode of use of the product.
+
+"Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to
+install and execute modified versions of a covered work in that User
+Product from a modified version of its Corresponding Source. The
+information must suffice to ensure that the continued functioning of
+the modified object code is in no case prevented or interfered with
+solely because modification has been made.
+
+If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or
+updates for a work that has been modified or installed by the
+recipient, or for the User Product in which it has been modified or
+installed. Access to a network may be denied when the modification
+itself materially and adversely affects the operation of the network
+or violates the rules and protocols for communication across the
+network.
+
+Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+#### 7. Additional Terms.
+
+"Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders
+of that material) supplement the terms of this License with terms:
+
+- a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+- b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+- c) Prohibiting misrepresentation of the origin of that material,
+ or requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+- d) Limiting the use for publicity purposes of names of licensors
+ or authors of the material; or
+- e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+- f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions
+ of it) with contractual assumptions of liability to the recipient,
+ for any liability that these contractual assumptions directly
+ impose on those licensors and authors.
+
+All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions; the
+above requirements apply either way.
+
+#### 8. Termination.
+
+You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+However, if you cease all violation of this License, then your license
+from a particular copyright holder is reinstated (a) provisionally,
+unless and until the copyright holder explicitly and finally
+terminates your license, and (b) permanently, if the copyright holder
+fails to notify you of the violation by some reasonable means prior to
+60 days after the cessation.
+
+Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+#### 9. Acceptance Not Required for Having Copies.
+
+You are not required to accept this License in order to receive or run
+a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+#### 10. Automatic Licensing of Downstream Recipients.
+
+Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+#### 11. Patents.
+
+A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+A contributor's "essential patent claims" are all patent claims owned
+or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+A patent license is "discriminatory" if it does not include within the
+scope of its coverage, prohibits the exercise of, or is conditioned on
+the non-exercise of one or more of the rights that are specifically
+granted under this License. You may not convey a covered work if you
+are a party to an arrangement with a third party that is in the
+business of distributing software, under which you make payment to the
+third party based on the extent of your activity of conveying the
+work, and under which the third party grants, to any of the parties
+who would receive the covered work from you, a discriminatory patent
+license (a) in connection with copies of the covered work conveyed by
+you (or copies made from those copies), or (b) primarily for and in
+connection with specific products or compilations that contain the
+covered work, unless you entered into that arrangement, or that patent
+license was granted, prior to 28 March 2007.
+
+Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+#### 12. No Surrender of Others' Freedom.
+
+If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under
+this License and any other pertinent obligations, then as a
+consequence you may not convey it at all. For example, if you agree to
+terms that obligate you to collect a royalty for further conveying
+from those to whom you convey the Program, the only way you could
+satisfy both those terms and this License would be to refrain entirely
+from conveying the Program.
+
+#### 13. Use with the GNU Affero General Public License.
+
+Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+#### 14. Revised Versions of this License.
+
+The Free Software Foundation may publish revised and/or new versions
+of the GNU General Public License from time to time. Such new versions
+will be similar in spirit to the present version, but may differ in
+detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies that a certain numbered version of the GNU General Public
+License "or any later version" applies to it, you have the option of
+following the terms and conditions either of that numbered version or
+of any later version published by the Free Software Foundation. If the
+Program does not specify a version number of the GNU General Public
+License, you may choose any version ever published by the Free
+Software Foundation.
+
+If the Program specifies that a proxy can decide which future versions
+of the GNU General Public License can be used, that proxy's public
+statement of acceptance of a version permanently authorizes you to
+choose that version for the Program.
+
+Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+#### 15. Disclaimer of Warranty.
+
+THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT
+WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
+PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
+DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
+CORRECTION.
+
+#### 16. Limitation of Liability.
+
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR
+CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
+ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT
+NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
+LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
+TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
+PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+#### 17. Interpretation of Sections 15 and 16.
+
+If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+END OF TERMS AND CONDITIONS
+
+### How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these
+terms.
+
+To do so, attach the following notices to the program. It is safest to
+attach them to the start of each source file to most effectively state
+the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper
+mail.
+
+If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+ Copyright (C)
+ This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands \`show w' and \`show c' should show the
+appropriate parts of the General Public License. Of course, your
+program's commands might be different; for a GUI interface, you would
+use an "about box".
+
+You should also get your employer (if you work as a programmer) or
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. For more information on this, and how to apply and follow
+the GNU GPL, see .
+
+The GNU General Public License does not permit incorporating your
+program into proprietary programs. If your program is a subroutine
+library, you may consider it more useful to permit linking proprietary
+applications with the library. If this is what you want to do, use the
+GNU Lesser General Public License instead of this License. But first,
+please read .
diff --git a/DEBUG.md b/DEBUG.md
new file mode 100644
index 00000000..69c1eaa3
--- /dev/null
+++ b/DEBUG.md
@@ -0,0 +1,63 @@
+Debug output and logs
+=====================
+
+[](https://github.com/eworm-de/routeros-scripts/stargazers)
+[](https://github.com/eworm-de/routeros-scripts/network)
+[](https://github.com/eworm-de/routeros-scripts/watchers)
+[](https://mikrotik.com/download/changelogs/)
+[](https://t.me/routeros_scripts)
+[](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
+
+[⬅️ Go back to main README](README.md)
+
+Sometimes scripts do not behave as expected. In these cases debug output
+or logs can help.
+
+## Debug output
+
+Run this command in a terminal:
+
+ :set PrintDebug true;
+
+You will then see debug output when running the script from terminal.
+
+To revert to default output run:
+
+ :set PrintDebug false;
+
+### Debug output for specific script
+
+Even having debug output for a specific script or function only (or a
+set of) is possible. To enable debug output for `telegram-chat` run:
+
+ :set ($PrintDebugOverride->"telegram-chat") true;
+
+## Debug logs
+
+The debug info can go to system log. To make it show up in `memory` run:
+
+ /system/logging/add topics=script,debug action=memory;
+
+Other actions (`disk`, `email`, `remote` or `support`) can be used as
+well. I do not recommend using `echo` - use [debug output](#debug-output)
+instead.
+
+Disable or remove that setting to restore regular logging.
+
+## Verbose output
+
+Specific scripts can generate huge amount of output. These do use a function
+`$LogPrintVerbose`, which is declared, but has no code, intentionally.
+
+If you *really* want that output set the function to be the same as
+`$LogPrint`:
+
+ :set LogPrintVerbose $LogPrint;
+
+To revert that change just run:
+
+ :set LogPrintVerbose;
+
+---
+[⬅️ Go back to main README](README.md)
+[⬆️ Go back to top](#top)
diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md
index 4541430e..eb06ad29 100644
--- a/INITIAL-COMMANDS.md
+++ b/INITIAL-COMMANDS.md
@@ -1,29 +1,69 @@
Initial commands
================
-[◀ Go back to main README](README.md)
+[](https://github.com/eworm-de/routeros-scripts/stargazers)
+[](https://github.com/eworm-de/routeros-scripts/network)
+[](https://github.com/eworm-de/routeros-scripts/watchers)
+[](https://mikrotik.com/download/changelogs/)
+[](https://t.me/routeros_scripts)
+[](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
-These command are inteneded for initial setup. If you are not aware of the
-procedure please follow [the long way in detail](README.md#the-long-way-in-detail).
+[⬅️ Go back to main README](README.md)
+
+> ⚠️ **Warning**: These commands are intended for initial setup. If you are
+> not aware of the procedure please follow
+> [the long way in detail](README.md#the-long-way-in-detail).
+
+Run the complete base installation:
{
- / tool fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/Let%27s%20Encrypt%20Authority%20X3.pem" dst-path="letsencrypt.pem";
- :delay 1s;
- / certificate import file-name=letsencrypt.pem passphrase="";
- :if ([ / certificate print count-only where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" or fingerprint="731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568" or fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" ] != 3) do={
- :error "Something is wrong with your certificates!";
- }
- / file remove "letsencrypt.pem";
+ :local BaseUrl "https://rsc.eworm.de/main/";
+ :local CertCommonName "ISRG Root X2";
+ :local CertFileName "ISRG-Root-X2.pem";
+ :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
+
+ :local CertSettings [ /certificate/settings/get ];
+ :if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \
+ ($CertSettings->"builtin-trust-store") ~ "fetch" || \
+ ($CertSettings->"builtin-trust-store") = "all") && \
+ [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={
+ :put "Importing certificate...";
+ /tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value;
+ :delay 1s;
+ /certificate/import file-name=$CertFileName passphrase="";
+ :if ([ :len [ /certificate/find where fingerprint=$CertFingerprint ] ] != 1) do={
+ :error "Something is wrong with your certificates!";
+ };
+ :delay 1s;
+ };
+ :put "Renaming global-config-overlay, if exists...";
+ /system/script/set name=("global-config-overlay-" . [ /system/clock/get date ] . "-" . [ /system/clock/get time ]) [ find where name="global-config-overlay" ];
:foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={
- / system script add name=$Script source=([ / tool fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit/routeros-scripts/plain/" . $Script) output=user as-value]->"data");
- }
- / system script { run global-config; run global-config-overlay; run global-functions; }
- / system scheduler add name="global-scripts" start-time=startup on-event="/ system script { run global-config; run global-config-overlay; run global-functions; }"
- $CertificateNameByCN "ISRG Root X1";
- $CertificateNameByCN "Let's Encrypt Authority X3";
- $CertificateNameByCN "DST Root CA X3";
- }
+ :put "Installing $Script...";
+ /system/script/remove [ find where name=$Script ];
+ /system/script/add name=$Script owner=$Script source=([ /tool/fetch check-certificate=yes-without-crl ($BaseUrl . $Script . ".rsc") output=user as-value ]->"data");
+ };
+ :put "Loading configuration and functions...";
+ /system/script { run global-config; run global-functions; };
+ :if ([ :len [ /certificate/find where fingerprint=$CertFingerprint ] ] > 0) do={
+ :put "Renaming certificate by its common-name...";
+ :global CertificateNameByCN;
+ $CertificateNameByCN $CertFingerprint;
+ };
+ };
+
+Then continue setup with
+[scheduled automatic updates](README.md#scheduled-automatic-updates) or
+[editing configuration](README.md#editing-configuration).
+
+## Fix existing installation
+
+The [initial commands](#initial-commands) above allow to fix an existing
+installation in case it ever breaks. If `global-config-overlay` did exist
+before it is renamed with a date and time suffix (like
+`global-config-overlay-2024-01-25-09:33:12`). Make sure to restore the
+configuration overlay if required.
---
-[◀ Go back to main README](README.md)
-[▲ Go back to top](#top)
+[⬅️ Go back to main README](README.md)
+[⬆️ Go back to top](#top)
diff --git a/Makefile b/Makefile
index f96e73e8..5db0a303 100644
--- a/Makefile
+++ b/Makefile
@@ -2,24 +2,45 @@
# template scripts -> final scripts
# markdown files -> html files
-TEMPLATE = $(wildcard *.template)
-CAPSMAN = $(TEMPLATE:.template=.capsman)
-LOCAL = $(TEMPLATE:.template=.local)
+ALL_RSC := $(wildcard *.rsc */*.rsc)
+GEN_RSC := $(wildcard *.capsman.rsc *.local.rsc *.wifi.rsc)
-MARKDOWN = $(wildcard *.md)
-HTML = $(MARKDOWN:.md=.html)
+MARKDOWN := $(wildcard *.md doc/*.md doc/mod/*.md)
+HTML := $(MARKDOWN:.md=.html)
-all: $(CAPSMAN) $(LOCAL) $(HTML)
+DATE ?= $(shell date --rfc-email)
+VERSION ?= $(shell git symbolic-ref --short HEAD 2>/dev/null)/$(shell git rev-list --count HEAD 2>/dev/null)/$(shell git rev-parse --short=8 HEAD 2>/dev/null)
+export DATE VERSION
-%.html: %.md Makefile
- markdown $< | sed 's/href="\([-[:alnum:]]*\)\.md"/href="\1.html"/g' > $@
+.PHONY: all checksums commitinfo docs rsc clean
-%.local: %.template Makefile
- sed -e '/\/ caps-man/d' -e 's|%PATH%|interface wireless|' -e 's|%TEMPL%|$(suffix $@)|' \
- -e '/^# !!/,/^# !!/c # !! Do not edit this file, it is generated from template!' \
- < $< > $@
+all: checksums docs rsc
-%.capsman: %.template Makefile
- sed -e '/\/ interface wireless/d' -e 's/%PATH%/caps-man/' -e 's/%TEMPL%/$(suffix $@)/' \
- -e '/^# !!/,/^# !!/c # !! Do not edit this file, it is generated from template!' \
- < $< > $@
+checksums: checksums.json
+
+checksums.json: contrib/checksums.sh $(ALL_RSC)
+ contrib/checksums.sh > $@
+
+commitinfo: global-functions.rsc
+ contrib/commitinfo.sh $< > $<~
+ mv $<~ $<
+
+docs: $(HTML)
+
+%.html: %.md general/style.css contrib/html.sh contrib/html.sh.d/head.html contrib/html.sh.d/foot.html
+ contrib/html.sh $< > $@
+
+rsc: $(GEN_RSC)
+
+%.capsman.rsc: %.template.rsc contrib/template-capsman.sh
+ contrib/template-capsman.sh $< > $@
+
+%.local.rsc: %.template.rsc contrib/template-local.sh
+ contrib/template-local.sh $< > $@
+
+%.wifi.rsc: %.template.rsc contrib/template-wifi.sh
+ contrib/template-wifi.sh $< > $@
+
+clean:
+ rm -f $(HTML) checksums.json
+ make -C contrib/ clean
diff --git a/README.d/01-download-certs.avif b/README.d/01-download-certs.avif
new file mode 100644
index 00000000..f2afeb54
Binary files /dev/null and b/README.d/01-download-certs.avif differ
diff --git a/README.d/02-import-certs.avif b/README.d/02-import-certs.avif
new file mode 100644
index 00000000..b31343cd
Binary files /dev/null and b/README.d/02-import-certs.avif differ
diff --git a/README.d/03-check-certs.avif b/README.d/03-check-certs.avif
new file mode 100644
index 00000000..1f03ad2c
Binary files /dev/null and b/README.d/03-check-certs.avif differ
diff --git a/README.d/04-import-scripts.avif b/README.d/04-import-scripts.avif
new file mode 100644
index 00000000..c09949ab
Binary files /dev/null and b/README.d/04-import-scripts.avif differ
diff --git a/README.d/05-run-scripts.avif b/README.d/05-run-scripts.avif
new file mode 100644
index 00000000..12d812c0
Binary files /dev/null and b/README.d/05-run-scripts.avif differ
diff --git a/README.d/06-schedule-update.avif b/README.d/06-schedule-update.avif
new file mode 100644
index 00000000..158e13f5
Binary files /dev/null and b/README.d/06-schedule-update.avif differ
diff --git a/README.d/07-edit-global-config-overlay.avif b/README.d/07-edit-global-config-overlay.avif
new file mode 100644
index 00000000..9a5b9037
Binary files /dev/null and b/README.d/07-edit-global-config-overlay.avif differ
diff --git a/README.d/08-apply-configuration.avif b/README.d/08-apply-configuration.avif
new file mode 100644
index 00000000..ab22cae3
Binary files /dev/null and b/README.d/08-apply-configuration.avif differ
diff --git a/README.d/09-update-scripts.avif b/README.d/09-update-scripts.avif
new file mode 100644
index 00000000..e713ac2c
Binary files /dev/null and b/README.d/09-update-scripts.avif differ
diff --git a/README.d/10-install-scripts.avif b/README.d/10-install-scripts.avif
new file mode 100644
index 00000000..cf26b168
Binary files /dev/null and b/README.d/10-install-scripts.avif differ
diff --git a/README.d/11-schedule-script.avif b/README.d/11-schedule-script.avif
new file mode 100644
index 00000000..558614f8
Binary files /dev/null and b/README.d/11-schedule-script.avif differ
diff --git a/README.d/12-setup-lease-script.avif b/README.d/12-setup-lease-script.avif
new file mode 100644
index 00000000..2a8bcb24
Binary files /dev/null and b/README.d/12-setup-lease-script.avif differ
diff --git a/README.d/13-install-custom-script.avif b/README.d/13-install-custom-script.avif
new file mode 100644
index 00000000..221b84e2
Binary files /dev/null and b/README.d/13-install-custom-script.avif differ
diff --git a/README.d/14-remove-script.avif b/README.d/14-remove-script.avif
new file mode 100644
index 00000000..3e4c105a
Binary files /dev/null and b/README.d/14-remove-script.avif differ
diff --git a/README.d/hello-world.rsc b/README.d/hello-world.rsc
new file mode 100644
index 00000000..64047818
--- /dev/null
+++ b/README.d/hello-world.rsc
@@ -0,0 +1,3 @@
+#!rsc by RouterOS
+
+:put ("Hello World from " . [ /system/identity/get name ] . "!");
diff --git a/README.d/notification-news-and-changes.avif b/README.d/notification-news-and-changes.avif
new file mode 100644
index 00000000..d2e8aa7f
Binary files /dev/null and b/README.d/notification-news-and-changes.avif differ
diff --git a/README.d/telegram-group.avif b/README.d/telegram-group.avif
new file mode 100644
index 00000000..eb75d13a
Binary files /dev/null and b/README.d/telegram-group.avif differ
diff --git a/README.md b/README.md
index c1b19238..f9149217 100644
--- a/README.md
+++ b/README.md
@@ -1,27 +1,75 @@
RouterOS Scripts
================
-[](https://github.com/eworm-de/routeros-scripts/network)
-[](https://github.com/eworm-de/routeros-scripts/stargazers)
-[](https://github.com/eworm-de/routeros-scripts/watchers)
+[](https://github.com/eworm-de/routeros-scripts/stargazers)
+[](https://github.com/eworm-de/routeros-scripts/network)
+[](https://github.com/eworm-de/routeros-scripts/watchers)
+[](https://mikrotik.com/download/changelogs/)
+[](https://t.me/routeros_scripts)
+[](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
-[RouterOS](https://mikrotik.com/software) is the operating system developed
-by [MikroTik](https://mikrotik.com/aboutus) for networking tasks. This
-repository holds a number of [scripts](https://wiki.mikrotik.com/wiki/Manual:Scripting)
+**a collection of scripts for MikroTik RouterOS**
+
+
+
+[RouterOS ↗️](https://mikrotik.com/software) is the operating system developed
+by [MikroTik ↗️](https://mikrotik.com/aboutus) for networking tasks. This
+repository holds a number of [scripts ↗️](https://wiki.mikrotik.com/wiki/Manual:Scripting)
to manage RouterOS devices or extend their functionality.
-*Use at your own risk!*
+*Use at your own risk*, pay attention to
+[license and warranty](#license-and-warranty), and
+[disclaimer on external links](#disclaimer-on-external-links)!
Requirements
------------
-Latest version of the scripts require at least **RouterOS 6.43** to function
-properly. The changelog lists the corresponding change as follows:
+### Software (RouterOS)
-> *) fetch - added "as-value" output format;
+Latest version of the scripts require recent RouterOS to function properly.
+Make sure to install latest updates before you begin. This is supposed to
+work flawlessly with these channels:
-Specific scripts may require even newer RouterOS version, for example cloud
-backup was added in 6.44.
+* `stable` - the latest version considered stable for daily use, including
+ new features
+* `long-term` - a version considered rock-solid, usually one minor version
+ behind `stable` (`7.(n-1)`)
+
+New functionality or breaking changes in RouterOS are adopted fairly quick.
+These changes are pushed for general availability once a version of
+RouterOS supporting this had been released to the `long-term` channel a
+reasonable time ago.
+
+At any time you should have at least two minor versions and their bugfix
+releases to choose from. Often way older versions of RouterOS work just
+fine.
+
+On the other hand in seldom cases and for good reasons *specific* scripts
+may require an even newer RouterOS version, so only `stable` is supported
+temporarily.
+
+> 💡️ **Hint**: If in doubt have a look at the badge at the top of each
+> page showing the minimum version required:
+> 
+
+> ℹ️ **Info**: The `main` branch is now RouterOS v7 only. If you are still
+> running RouterOS v6 switch to `routeros-v6` branch!
+
+#### Prerequisite configuration
+
+Starting with RouterOS 7.17 the
+[device-mode ↗️](https://help.mikrotik.com/docs/spaces/ROS/pages/93749258/Device-mode)
+has been extended to give more fine-grained control over what features are
+available. You need to enable `scheduler` and `fetch` at least, specific
+scripts may require additional features.
+
+### Hardware
+
+RouterOS packages increase in size with each release. This becomes a
+problem for devices with 16MB storage and below, those with an ARM CPU
+are specifically affected.
+
+Huge configuration and lots of scripts give an extra risk. **Take care!**
Initial setup
-------------
@@ -29,85 +77,147 @@ Initial setup
### Get me ready!
If you know how things work just copy and paste the
-[initial commands](INITIAL-COMMANDS.md). Remember to edit and rerun
+[initial commands](INITIAL-COMMANDS.md). These also support fixing an
+existing but broken installation. Remember to edit and rerun
`global-config-overlay`!
-First time users should take the long way below.
+
+> 💡️ **Hint**: First time users should take
+> [the long way in detail](#the-long-way-in-detail) below.
### Live presentation
Want to see it in action? I've had a presentation [Repository based
-RouterOS script distribution](https://www.youtube.com/watch?v=B9neG3oAhcY)
-including demonstation recorded live at [MUM Europe
-2019](https://mum.mikrotik.com/2019/EU/) in Vienna.
+RouterOS script distribution ↗️](https://www.youtube.com/watch?v=B9neG3oAhcY)
+including demonstration recorded live at [MUM Europe
+2019 ↗️](https://mum.mikrotik.com/2019/EU/) in Vienna.
+
+> ⚠️ **Warning**: Some details changed. So see the presentation, then follow
+> the steps below for up-to-date commands.
### The long way in detail
The update script does server certificate verification, so first step is to
-download the certificates. If you intend to download the scripts from a
+download the certificates.
+
+> 💡️ **Hint**: RouterOS 7.19 comes with a builtin certificate store. You
+> can skip the steps regarding certificate download and import and jump
+> to [installation of scripts](#installation-of-scripts) if you set the
+> trust for these builtin trust anchors:
+> `/certificate/settings/set builtin-trust-anchors=trusted;`
+> With RouterOS 7.21 the functionality was changed. Set this at minimum,
+> but make sure not to drop other targets:
+> `/certificate/settings/set builtin-trust-store=fetch;`
+
+If you intend to download the scripts from a
different location (for example from github.com) install the corresponding
certificate chain.
- [admin@MikroTik] > / tool fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/Let%27s%20Encrypt%20Authority%20X3.pem" dst-path="letsencrypt.pem"
- status: finished
- downloaded: 3KiBC-z pause]
- total: 3KiB
- duration: 1s
+ /tool/fetch "https://rsc.eworm.de/main/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem";
+
+
Note that the commands above do *not* verify server certificate, so if you
want to be safe download with your workstations's browser and transfer the
-files to your MikroTik device.
+file to your MikroTik device.
-* [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem.txt)
-* [Let's Encrypt Authority X3](https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt)
+* [ISRG Root X2 ↗️](https://letsencrypt.org/certs/isrg-root-x2.pem)
-Then we import the certificates.
+Then we import the certificate.
- [admin@MikroTik] > / certificate import file-name=letsencrypt.pem passphrase=""
- certificates-imported: 3
- private-keys-imported: 0
- files-imported: 1
- decryption-failures: 0
- keys-with-no-certificate: 0
+ /certificate/import file-name="isrg-root-x2.pem" passphrase="";
-For basic verification we rename the certifiactes and print their count. Make
-sure the certificate count is **three**.
+Do not worry that the command is not shown - that happens because it contains
+a sensitive property, the passphrase.
- [admin@MikroTik] > / certificate set name="ISRG-Root-X1" [ find where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" ]
- [admin@MikroTik] > / certificate set name="Let-s-Encrypt-Authority-X3" [ find where fingerprint="731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568" ]
- [admin@MikroTik] > / certificate set name="DST-Root-CA-X3" [ find where fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" ]
- [admin@MikroTik] > / certificate print count-only where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" or fingerprint="731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568" or fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
- 3
+
+
+For basic verification we rename the certificate and print it by
+fingerprint. Make sure exactly this one certificate ("*ISRG-Root-X2*")
+is shown.
+
+ /certificate/set name="ISRG-Root-X2" [ find where common-name="ISRG Root X2" ];
+ /certificate/print proplist=name,fingerprint where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
+
+
Always make sure there are no certificates installed you do not know or want!
-Actually we do not require the certificate named `DST Root CA X3`, but as it
-is used by `Let's Encrypt` to cross-sign we install it anyway - this makes
-sure things do not go wrong if the intermediate certificate is replaced.
-The IdenTrust certificate *should* be available from their
-[download page](https://www.identrust.com/support/downloads). The site is
-crap and a good example how to *not* do it.
+#### Installation of scripts
+
+All following commands will verify the server certificate. For validity the
+certificate's lifetime is checked with local time, so make sure the device's
+date and time is set correctly!
Now let's download the main scripts and add them in configuration on the fly.
- [admin@MikroTik] > :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={ / system script add name=$Script source=([ / tool fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit/routeros-scripts/plain/" . $Script) output=user as-value]->"data"); }
+ :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={ /system/script/add name=$Script owner=$Script source=([ /tool/fetch check-certificate=yes-without-crl ("https://rsc.eworm.de/main/" . $Script . ".rsc") output=user as-value ]->"data"); };
-The configuration needs to be tweaked for your needs. Make sure not to send
-your mails to `mail@example.com`! Edit `global-config-overlay`, copy
-configuration from `global-config`.
+
- [admin@MikroTik] > / system script edit global-config-overlay source
+And finally run configuration and functions. This will also add the
+scheduler for loading at system startup automatically.
-And finally load configuration and functions and add the scheduler.
+ /system/script { run global-config; run global-functions; };
- [admin@MikroTik] > / system script { run global-config; run global-config-overlay; run global-functions; }
- [admin@MikroTik] > / system scheduler add name="global-scripts" start-time=startup on-event="/ system script { run global-config; run global-config-overlay; run global-functions; }"
+
+
+> 💡️ **Hint**: You see complaints regarding syntax errors? Most likely the
+> RouterOS on your device is too old. Check for updates!
+
+### Scheduled automatic updates
+
+The last step is optional: Add this scheduler **only** if you want the
+scripts to be updated automatically!
+
+ /system/scheduler/add name="ScriptInstallUpdate" start-time=startup interval=1d on-event=":global ScriptInstallUpdate; \$ScriptInstallUpdate;";
+
+
+
+Editing configuration
+---------------------
+
+The configuration needs to be tweaked for your needs. Edit
+`global-config-overlay`, copy relevant configuration from
+[`global-config`](global-config.rsc) (the one without `-overlay`).
+Save changes and exit with `Ctrl-o`.
+
+ /system/script/edit global-config-overlay source;
+
+
+
+Additionally creating configuration snippets is supported. The script name
+of these snippets has to start with `global-config-overlay.d/` to make them
+being loaded automatically. This allows to split off parts of the
+configuration.
+
+To apply your changes run `global-config`, which will automatically load
+the overlay as well:
+
+ /system/script/run global-config;
+
+
+
+This last step is required when ever you make changes to your configuration.
+
+> ℹ️ **Info**: It is recommended to edit the configuration using the command
+> line interface. If using Winbox on Windows OS, the line endings may be
+> missing. To fix this run:
+> `/system/script/set source=[ :tocrlf [ get global-config-overlay source ] ] global-config-overlay;`
Updating scripts
----------------
-To update existing scripts just run function `$ScriptInstallUpdate`.
+To update existing scripts just run function `$ScriptInstallUpdate`. If
+everything is up-to-date it will not produce any output.
- [admin@MikroTik] > $ScriptInstallUpdate
+ $ScriptInstallUpdate;
+
+
+
+If the update includes news or requires configuration changes a notification
+is sent - in addition to terminal output and log messages.
+
+
Adding a script
---------------
@@ -115,103 +225,219 @@ Adding a script
To add a script from the repository run function `$ScriptInstallUpdate` with
a comma separated list of script names.
- [admin@MikroTik] > $ScriptInstallUpdate check-certificates,check-routeros-update
+ $ScriptInstallUpdate check-certificates,check-routeros-update;
+
+
Scheduler and events
--------------------
Most scripts are designed to run regularly from
-[scheduler](https://wiki.mikrotik.com/wiki/Manual:System/Scheduler). We just
-added `check-routeros-update`, so let's run it every hour to make sure not to
+[scheduler ↗️](https://wiki.mikrotik.com/wiki/Manual:System/Scheduler). We just
+added `check-routeros-update`, so let's run it daily to make sure not to
miss an update.
- [admin@MikroTik] > / system scheduler add name="check-routeros-update" interval=1h on-event="/ system script run check-routeros-update;"
+ /system/scheduler/add name="check-routeros-update" interval=1d start-time=startup on-event="/system/script/run check-routeros-update;";
+
+
Some events can run a script. If you want your DHCP hostnames to be available
in DNS use `dhcp-to-dns` with the events from dhcp server. For a regular
cleanup add a scheduler entry.
- [admin@MikroTik] > $ScriptInstallUpdate dhcp-to-dns,lease-script
- [admin@MikroTik] > / ip dhcp-server set lease-script=lease-script [ find ]
- [admin@MikroTik] > / system scheduler add name="dhcp-to-dns" interval=5m on-event="/ system script run dhcp-to-dns;"
+ $ScriptInstallUpdate dhcp-to-dns,lease-script;
+ /ip/dhcp-server/set lease-script=lease-script [ find ];
+ /system/scheduler/add name="dhcp-to-dns" interval=5m start-time=startup on-event="/system/script/run dhcp-to-dns;";
+
+
There's much more to explore... Have fun!
-Available Scripts
+Available scripts
-----------------
-* [Find and remove access list duplicates](doc/accesslist-duplicates.md)
-* [Manage ports in bridge](doc/bridge-port.md)
-* [Download packages for CAP upgrade from CAPsMAN](doc/capsman-download-packages.md)
-* [Run rolling CAP upgrades from CAPsMAN](doc/capsman-rolling-upgrade.md)
-* [Renew locally issued certificates](doc/certificate-renew-issued.md)
-* [Renew certificates and notify on expiration](doc/check-certificates.md)
-* [Notify about health state](doc/check-health.md)
-* [Notify on LTE firmware upgrade](doc/check-lte-firmware-upgrade.md)
-* [Notify on RouterOS update](doc/check-routeros-update.md)
-* [Upload backup to Mikrotik cloud](doc/cloud-backup.md)
-* [Collect MAC addresses in wireless access list](doc/collect-wireless-mac.md)
-* [Use wireless network with daily psk](doc/daily-psk.md)
-* [Comment DHCP leases with info from access list](doc/dhcp-lease-comment.md)
-* [Create DNS records for DHCP leases](doc/dhcp-to-dns.md)
-* [Send notification with early errors](doc/early-errors.md)
-* [Send backup via e-mail](doc/email-backup.md)
-* [Wait for configuration und functions](doc/global-wait.md)
-* [Send GPS position to server](doc/gps-track.md)
-* [Use WPA2 network with hotspot credentials](doc/hotspot-to-wpa.md)
-* [Update configuration on IPv6 prefix change](doc/ipv6-update.md)
-* [Manage IP addresses with bridge status](doc/ip-addr-bridge.md)
-* [Run other scripts on DHCP lease](doc/lease-script.md)
-* [Manage LEDs dark mode](doc/leds-mode.md)
-* [Mode botton with multiple presses](doc/mode-button.md)
-* [Notify on host up and down](doc/netwatch-notify.md)
-* [Manage remote logging](doc/netwatch-syslog.md)
-* [Manage system update](doc/packages-update.md)
-* [Run scripts on ppp connection](doc/ppp-on-up.md)
-* [Rotate NTP servers](doc/rotate-ntp.md)
-* [Act on received SMS](doc/sms-action.md)
-* [Forward received SMS](doc/sms-forward.md)
-* [Import SSH keys](doc/ssh-keys-import.md)
-* [Play Super Mario theme](doc/super-mario-theme.md)
-* [Install LTE firmware upgrade](doc/unattended-lte-firmware-upgrade.md)
-* [Update GRE configuration with dynamic addresses](doc/update-gre-address.md)
-* [Update tunnelbroker configuration](doc/update-tunnelbroker.md)
-* [Upload backup to server](doc/upload-backup.md)
+* [Find and remove access list duplicates](doc/accesslist-duplicates.md) (`accesslist-duplicates`)
+* [Upload backup to Mikrotik cloud](doc/backup-cloud.md) (`backup-cloud`)
+* [Send backup via e-mail](doc/backup-email.md) (`backup-email`)
+* [Save configuration to fallback partition](doc/backup-partition.md) (`backup-partition`)
+* [Upload backup to server](doc/backup-upload.md) (`backup-upload`)
+* [Download packages for CAP upgrade from CAPsMAN](doc/capsman-download-packages.md) (`capsman-download-packages`)
+* [Run rolling CAP upgrades from CAPsMAN](doc/capsman-rolling-upgrade.md) (`capsman-rolling-upgrade`)
+* [Renew locally issued certificates](doc/certificate-renew-issued.md) (`certificate-renew-issued`)
+* [Renew certificates and notify on expiration](doc/check-certificates.md) (`check-certificates`)
+* [Notify about health state](doc/check-health.md) (`check-health`)
+* [Notify on LTE firmware upgrade](doc/check-lte-firmware-upgrade.md) (`check-lte-firmware-upgrade`)
+* [Check perpetual license on CHR](doc/check-perpetual-license.md) (`check-perpetual-license`)
+* [Notify on RouterOS update](doc/check-routeros-update.md) (`check-routeros-update`)
+* [Collect MAC addresses in wireless access list](doc/collect-wireless-mac.md) (`collect-wireless-mac`)
+* [Use wireless network with daily psk](doc/daily-psk.md) (`daily-psk`)
+* [Comment DHCP leases with info from access list](doc/dhcp-lease-comment.md) (`dhcp-lease-comment`)
+* [Create DNS records for DHCP leases](doc/dhcp-to-dns.md) (`dhcp-to-dns`)
+* [Automatically upgrade firmware and reboot](doc/firmware-upgrade-reboot.md) (`firmware-upgrade-reboot`)
+* [Download, import and update firewall address-lists](doc/fw-addr-lists.md) (`fw-addr-lists`)
+* [Wait for global functions und modules](doc/global-wait.md) (`global-wait`)
+* [Send GPS position to server](doc/gps-track.md) (`gps-track`)
+* [Use WPA network with hotspot credentials](doc/hotspot-to-wpa.md) (`hotspot-to-wpa` & `hotspot-to-wpa-cleanup`)
+* [Create DNS records for IPSec peers](doc/ipsec-to-dns.md) (`ipsec-to-dns`)
+* [Update configuration on IPv6 prefix change](doc/ipv6-update.md) (`ipv6-update`)
+* [Manage IP addresses with bridge status](doc/ip-addr-bridge.md) (`ip-addr-bridge`)
+* [Run other scripts on DHCP lease](doc/lease-script.md) (`lease-script`)
+* [Manage LEDs dark mode](doc/leds-mode.md) (`leds-day-mode`, `leds-night-mode` & `leds-toggle-mode`)
+* [Forward log messages via notification](doc/log-forward.md) (`log-forward`)
+* [Mode button with multiple presses](doc/mode-button.md) (`mode-button`)
+* [Manage DNS and DoH servers from netwatch](doc/netwatch-dns.md) (`netwatch-dns`)
+* [Notify on host up and down](doc/netwatch-notify.md) (`netwatch-notify`)
+* [Visualize OSPF state via LEDs](doc/ospf-to-leds.md) (`ospf-to-leds`)
+* [Manage system update](doc/packages-update.md) (`packages-update`)
+* [Run scripts on ppp connection](doc/ppp-on-up.md) (`ppp-on-up`)
+* [Act on received SMS](doc/sms-action.md) (`sms-action`)
+* [Forward received SMS](doc/sms-forward.md) (`sms-forward`)
+* [Play Super Mario theme](doc/super-mario-theme.md) (`super-mario-theme`)
+* [Chat with your router and send commands via Telegram bot](doc/telegram-chat.md) (`telegram-chat`)
+* [Install LTE firmware upgrade](doc/unattended-lte-firmware-upgrade.md) (`unattended-lte-firmware-upgrade`)
+* [Update GRE configuration with dynamic addresses](doc/update-gre-address.md) (`update-gre-address`)
+* [Update tunnelbroker configuration](doc/update-tunnelbroker.md) (`update-tunnelbroker`)
-[comment]: # (TODO: currently undocumented)
-[comment]: # (* learn-mac-based-vlan)
-[comment]: # (* manage-umts)
+Available modules
+-----------------
+
+* [Manage ports in bridge](doc/mod/bridge-port-to.md) (`mod/bridge-port-to`)
+* [Manage VLANs on bridge ports](doc/mod/bridge-port-vlan.md) (`mod/bridge-port-vlan`)
+* [Inspect variables](doc/mod/inspectvar.md) (`mod/inspectvar`)
+* [IP address calculation](doc/mod/ipcalc.md) (`mod/ipcalc`)
+* [Send notifications via e-mail](doc/mod/notification-email.md) (`mod/notification-email`)
+* [Send notifications via Gotify](doc/mod/notification-gotify.md) (`mod/notification-gotify`)
+* [Send notifications via Matrix](doc/mod/notification-matrix.md) (`mod/notification-matrix`)
+* [Send notifications via Ntfy](doc/mod/notification-ntfy.md) (`mod/notification-ntfy`)
+* [Send notifications via Telegram](doc/mod/notification-telegram.md) (`mod/notification-telegram`)
+* [Download script and run it once](doc/mod/scriptrunonce.md) (`mod/scriptrunonce`)
+* [Import ssh keys for public key authentication](doc/mod/ssh-keys-import.md) (`mod/ssh-keys-import`)
+
+Installing custom scripts & modules
+-----------------------------------
+
+My scripts cover a lot of use cases, but you may have your own ones. You can
+still use my scripts to manage and deploy yours, by specifying `base-url`
+(and `url-suffix`) for each script.
+
+This will fetch and install a script `hello-world.rsc` from the given url:
+
+ $ScriptInstallUpdate hello-world "base-url=https://git.eworm.de/cgit/routeros-scripts-custom/plain/";
+
+
+
+For a script to be considered valid it has to begin with a *magic token*.
+Have a look at [any script](README.d/hello-world.rsc) and copy the first line
+without modification.
+
+Starting a script's name with `mod/` makes it a module and it is run
+automatically by `global-functions`.
+
+### Linked custom scripts & modules
+
+> ⚠️ **Warning**: These links are being provided for your convenience only;
+> they do not constitute an endorsement or an approval by me. I bear no
+> responsibility for the accuracy, legality or content of the external site
+> or for that of subsequent links. Contact the external site for answers to
+> questions regarding its content.
+
+* [Hello World](https://git.eworm.de/cgit/routeros-scripts-custom/about/doc/hello-world.md)
+ (This is a demo script to show how the linking to external documentation
+ will be done.)
+
+> ℹ️ **Info**: You have your own set of scripts and/or modules and want these
+> to be listed here? There should be a general info page that links here,
+> and documentation for each script. You can start by cloning my
+> [Custom RouterOS-Scripts](https://git.eworm.de/cgit/routeros-scripts-custom/)
+> (or fork on [GitHub](https://github.com/eworm-de/routeros-scripts-custom)
+> or [GitLab](https://gitlab.com/eworm-de/routeros-scripts-custom)) and make
+> your changes. Then please [get in contact](#patches-issues-and-whishlist)...
+
+Removing a script
+-----------------
+
+There is no specific function for script removal. Just remove it from
+configuration...
+
+ /system/script/remove to-be-removed;
+
+
+
+Possibly a scheduler and other configuration has to be removed as well.
+
+Contact
+-------
+
+We have a Telegram Group [RouterOS-Scripts ↗️](https://t.me/routeros_scripts)!
+
+[](https://t.me/routeros_scripts)
+
+Get help, give feedback or just chat - but do not expect free professional
+support!
Contribute
----------
-Thanks a lot for [past contributions](CONTRIBUTIONS.md)!
+Thanks a lot for [past contributions](CONTRIBUTIONS.md)! ❤️
### Patches, issues and whishlist
Feel free to contact me via e-mail or open an
-[issue at github](https://github.com/eworm-de/routeros-scripts/issues).
+[issue](https://github.com/eworm-de/routeros-scripts/issues) or
+[pull request](https://github.com/eworm-de/routeros-scripts/pulls)
+at github.
### Donate
This project is developed in private spare time and usage is free of charge
for you. If you like the scripts and think this is of value for you or your
business please consider to
-[donate with PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J).
+[donate with PayPal ↗️](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J).
-[](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
+[](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
Thanks a lot for your support!
+License and warranty
+--------------------
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+[GNU General Public License](COPYING.md) for more details.
+
+Disclaimer on external links
+----------------------------
+
+Our website contains links to the websites of third parties ("external
+links"). As the content of these websites is not under our control, we
+cannot assume any liability for such external content. In all cases, the
+provider of information of the linked websites is liable for the content
+and accuracy of the information provided. At the point in time when the
+links were placed, no infringements of the law were recognisable to us.
+As soon as an infringement of the law becomes known to us, we will
+immediately remove the link in question.
+
+> 💡️ **Hint**: All external links are marked with an arrow pointing
+> diagonally in an up-right (or north-east) direction (↗️).
+
Upstream
--------
-URL:
-[GitHub.com](https://github.com/eworm-de/routeros-scripts#routeros-scripts)
+[rsc.eworm.de](https://rsc.eworm.de/)
-Mirror:
-[eworm.de](https://git.eworm.de/cgit/routeros-scripts/about/)
-[GitLab.com](https://gitlab.com/eworm-de/routeros-scripts#routeros-scripts)
+[](https://rsc.eworm.de/)
+
+### Code hosting
+
+* [git.eworm.de](https://git.eworm.de/cgit/routeros-scripts/about/)
+* [GitHub.com](https://github.com/eworm-de/routeros-scripts#routeros-scripts)
+* [GitLab.com](https://gitlab.com/eworm-de/routeros-scripts#routeros-scripts)
---
-[▲ Go back to top](#top)
+[⬆️ Go back to top](#top)
diff --git a/accesslist-duplicates.capsman b/accesslist-duplicates.capsman
deleted file mode 100644
index b441c31f..00000000
--- a/accesslist-duplicates.capsman
+++ /dev/null
@@ -1,35 +0,0 @@
-#!rsc
-# RouterOS script: accesslist-duplicates.capsman
-# Copyright (c) 2018-2020 Christian Hesse
-#
-# print duplicate antries in wireless access list
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/accesslist-duplicates.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:local Seen [ :toarray "" ];
-:local Shown [ :toarray "" ];
-
-:foreach AccList in=[ / caps-man access-list find where mac-address!="00:00:00:00:00:00" ] do={
- :local Mac [ / caps-man access-list get $AccList mac-address ];
- :foreach SeenMac in=$Seen do={
- :if ($SeenMac = $Mac) do={
- :local Skip 0;
- :foreach ShownMac in=$Shown do={
- :if ($ShownMac = $Mac) do={ :set Skip 1; }
- }
- :if ($Skip = 0) do={
- / caps-man access-list print where mac-address=$Mac;
- :set Shown ($Shown, $Mac);
-
- :put "\nNumeric id to remove, any key to skip!";
- :local Remove ([ :terminal inkey ] - 48);
- :if ($Remove >= 0 && $Remove <= 9) do={
- :put ("Removing numeric id " . $Remove . "...\n");
- / caps-man access-list remove $Remove;
- }
- }
- }
- }
- :set Seen ($Seen, $Mac);
-}
diff --git a/accesslist-duplicates.capsman.rsc b/accesslist-duplicates.capsman.rsc
new file mode 100644
index 00000000..c7784f3b
--- /dev/null
+++ b/accesslist-duplicates.capsman.rsc
@@ -0,0 +1,37 @@
+#!rsc by RouterOS
+# RouterOS script: accesslist-duplicates.capsman
+# Copyright (c) 2018-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# print duplicate antries in wireless access list
+# https://rsc.eworm.de/doc/accesslist-duplicates.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :local Seen ({});
+
+ :foreach AccList in=[ /caps-man/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
+ :local Mac [ /caps-man/access-list/get $AccList mac-address ];
+ :if ($Seen->$Mac = 1) do={
+ /caps-man/access-list/print without-paging where mac-address=$Mac;
+ :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
+
+ :if ([ :typeof $Remove ] = "num") do={
+ :put ("Removing numeric id " . $Remove . "...\n");
+ /caps-man/access-list/remove $Remove;
+ }
+ }
+ :set ($Seen->$Mac) 1;
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/accesslist-duplicates.local b/accesslist-duplicates.local
deleted file mode 100644
index 00d9ae01..00000000
--- a/accesslist-duplicates.local
+++ /dev/null
@@ -1,35 +0,0 @@
-#!rsc
-# RouterOS script: accesslist-duplicates.local
-# Copyright (c) 2018-2020 Christian Hesse
-#
-# print duplicate antries in wireless access list
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/accesslist-duplicates.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:local Seen [ :toarray "" ];
-:local Shown [ :toarray "" ];
-
-:foreach AccList in=[ / interface wireless access-list find where mac-address!="00:00:00:00:00:00" ] do={
- :local Mac [ / interface wireless access-list get $AccList mac-address ];
- :foreach SeenMac in=$Seen do={
- :if ($SeenMac = $Mac) do={
- :local Skip 0;
- :foreach ShownMac in=$Shown do={
- :if ($ShownMac = $Mac) do={ :set Skip 1; }
- }
- :if ($Skip = 0) do={
- / interface wireless access-list print where mac-address=$Mac;
- :set Shown ($Shown, $Mac);
-
- :put "\nNumeric id to remove, any key to skip!";
- :local Remove ([ :terminal inkey ] - 48);
- :if ($Remove >= 0 && $Remove <= 9) do={
- :put ("Removing numeric id " . $Remove . "...\n");
- / interface wireless access-list remove $Remove;
- }
- }
- }
- }
- :set Seen ($Seen, $Mac);
-}
diff --git a/accesslist-duplicates.local.rsc b/accesslist-duplicates.local.rsc
new file mode 100644
index 00000000..0eee485b
--- /dev/null
+++ b/accesslist-duplicates.local.rsc
@@ -0,0 +1,37 @@
+#!rsc by RouterOS
+# RouterOS script: accesslist-duplicates.local
+# Copyright (c) 2018-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# print duplicate antries in wireless access list
+# https://rsc.eworm.de/doc/accesslist-duplicates.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :local Seen ({});
+
+ :foreach AccList in=[ /interface/wireless/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
+ :local Mac [ /interface/wireless/access-list/get $AccList mac-address ];
+ :if ($Seen->$Mac = 1) do={
+ /interface/wireless/access-list/print without-paging where mac-address=$Mac;
+ :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
+
+ :if ([ :typeof $Remove ] = "num") do={
+ :put ("Removing numeric id " . $Remove . "...\n");
+ /interface/wireless/access-list/remove $Remove;
+ }
+ }
+ :set ($Seen->$Mac) 1;
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/accesslist-duplicates.template b/accesslist-duplicates.template
deleted file mode 100644
index f527810f..00000000
--- a/accesslist-duplicates.template
+++ /dev/null
@@ -1,36 +0,0 @@
-#!rsc
-# RouterOS script: accesslist-duplicates%TEMPL%
-# Copyright (c) 2018-2020 Christian Hesse
-#
-# print duplicate antries in wireless access list
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/accesslist-duplicates.md
-#
-# !! This is just a template! Replace '%PATH%' with 'caps-man'
-# !! or 'interface wireless'!
-
-:local Seen [ :toarray "" ];
-:local Shown [ :toarray "" ];
-
-:foreach AccList in=[ / %PATH% access-list find where mac-address!="00:00:00:00:00:00" ] do={
- :local Mac [ / %PATH% access-list get $AccList mac-address ];
- :foreach SeenMac in=$Seen do={
- :if ($SeenMac = $Mac) do={
- :local Skip 0;
- :foreach ShownMac in=$Shown do={
- :if ($ShownMac = $Mac) do={ :set Skip 1; }
- }
- :if ($Skip = 0) do={
- / %PATH% access-list print where mac-address=$Mac;
- :set Shown ($Shown, $Mac);
-
- :put "\nNumeric id to remove, any key to skip!";
- :local Remove ([ :terminal inkey ] - 48);
- :if ($Remove >= 0 && $Remove <= 9) do={
- :put ("Removing numeric id " . $Remove . "...\n");
- / %PATH% access-list remove $Remove;
- }
- }
- }
- }
- :set Seen ($Seen, $Mac);
-}
diff --git a/accesslist-duplicates.template.rsc b/accesslist-duplicates.template.rsc
new file mode 100644
index 00000000..e780a475
--- /dev/null
+++ b/accesslist-duplicates.template.rsc
@@ -0,0 +1,46 @@
+#!rsc by RouterOS
+# RouterOS script: accesslist-duplicates%TEMPL%
+# Copyright (c) 2018-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# print duplicate antries in wireless access list
+# https://rsc.eworm.de/doc/accesslist-duplicates.md
+#
+# !! This is just a template to generate the real script!
+# !! Pattern '%TEMPL%' is replaced, paths are filtered.
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :local Seen ({});
+
+ :foreach AccList in=[ /caps-man/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
+ :foreach AccList in=[ /interface/wifi/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
+ :foreach AccList in=[ /interface/wireless/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
+ :local Mac [ /caps-man/access-list/get $AccList mac-address ];
+ :local Mac [ /interface/wifi/access-list/get $AccList mac-address ];
+ :local Mac [ /interface/wireless/access-list/get $AccList mac-address ];
+ :if ($Seen->$Mac = 1) do={
+ /caps-man/access-list/print without-paging where mac-address=$Mac;
+ /interface/wifi/access-list/print without-paging where mac-address=$Mac;
+ /interface/wireless/access-list/print without-paging where mac-address=$Mac;
+ :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
+
+ :if ([ :typeof $Remove ] = "num") do={
+ :put ("Removing numeric id " . $Remove . "...\n");
+ /caps-man/access-list/remove $Remove;
+ /interface/wifi/access-list/remove $Remove;
+ /interface/wireless/access-list/remove $Remove;
+ }
+ }
+ :set ($Seen->$Mac) 1;
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/accesslist-duplicates.wifi.rsc b/accesslist-duplicates.wifi.rsc
new file mode 100644
index 00000000..c0a8b4f9
--- /dev/null
+++ b/accesslist-duplicates.wifi.rsc
@@ -0,0 +1,37 @@
+#!rsc by RouterOS
+# RouterOS script: accesslist-duplicates.wifi
+# Copyright (c) 2018-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# print duplicate antries in wireless access list
+# https://rsc.eworm.de/doc/accesslist-duplicates.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :local Seen ({});
+
+ :foreach AccList in=[ /interface/wifi/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
+ :local Mac [ /interface/wifi/access-list/get $AccList mac-address ];
+ :if ($Seen->$Mac = 1) do={
+ /interface/wifi/access-list/print without-paging where mac-address=$Mac;
+ :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
+
+ :if ([ :typeof $Remove ] = "num") do={
+ :put ("Removing numeric id " . $Remove . "...\n");
+ /interface/wifi/access-list/remove $Remove;
+ }
+ }
+ :set ($Seen->$Mac) 1;
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/backup-cloud.rsc b/backup-cloud.rsc
new file mode 100644
index 00000000..e5f25d34
--- /dev/null
+++ b/backup-cloud.rsc
@@ -0,0 +1,104 @@
+#!rsc by RouterOS
+# RouterOS script: backup-cloud
+# Copyright (c) 2013-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: backup-script, order=40
+# requires RouterOS, version=7.17
+#
+# upload backup to MikroTik cloud
+# https://rsc.eworm.de/doc/backup-cloud.md
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global BackupRandomDelay;
+ :global Identity;
+ :global PackagesUpdateBackupFailure;
+
+ :global DeviceInfo;
+ :global FormatLine;
+ :global HumanReadableNum;
+ :global LogPrint;
+ :global MkDir;
+ :global RandomDelay;
+ :global RmDir;
+ :global ScriptFromTerminal;
+ :global ScriptLock;
+ :global SendNotification2;
+ :global SymbolForNotification;
+ :global WaitForFile;
+ :global WaitFullyConnected;
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
+ $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+
+ $WaitFullyConnected;
+
+ :if ([ $ScriptFromTerminal $ScriptName ] = false && $BackupRandomDelay > 0) do={
+ $RandomDelay $BackupRandomDelay;
+ }
+
+ :if ([ $MkDir ("tmpfs/backup-cloud") ] = false) do={
+ $LogPrint error $ScriptName ("Failed creating directory!");
+ :set ExitOK true;
+ :error false;
+ }
+
+ :local I 5;
+ :do {
+ :execute {
+ :global BackupPassword;
+
+ :local Backup ([ /system/backup/cloud/find ]->0);
+ :if ([ :typeof $Backup ] = "id") do={
+ /system/backup/cloud/upload-file action=create-and-upload \
+ password=$BackupPassword replace=$Backup;
+ } else={
+ /system/backup/cloud/upload-file action=create-and-upload \
+ password=$BackupPassword;
+ }
+ /file/add name="tmpfs/backup-cloud/done";
+ } as-string;
+ :set I ($I - 1);
+ } while=([ $WaitForFile "tmpfs/backup-cloud/done" 200ms ] = false && $I > 0);
+
+ :if ([ $WaitForFile "tmpfs/backup-cloud/done" ] = true) do={
+ :if ($I < 4) do={
+ :log warning ($ScriptName . ": Retry successful, please discard previous connection errors.");
+ }
+
+ :local Cloud [ /system/backup/cloud/get ([ find ]->0) ];
+
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "floppy-disk,cloud" ] . "Cloud backup"); \
+ message=("Uploaded backup for " . $Identity . " to cloud.\n\n" . \
+ [ $DeviceInfo ] . "\n\n" . \
+ [ $FormatLine "Name" ($Cloud->"name") ] . "\n" . \
+ [ $FormatLine "Size" ([ $HumanReadableNum ($Cloud->"size") 1024 ] . "B") ] . "\n" . \
+ [ $FormatLine "Download key" ($Cloud->"secret-download-key") ]); silent=true });
+ } else={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "floppy-disk,warning-sign" ] . "Cloud backup failed"); \
+ message=("Failed uploading backup for " . $Identity . " to cloud!\n\n" . [ $DeviceInfo ]) });
+ $LogPrint error $ScriptName ("Failed uploading backup for " . $Identity . " to cloud!");
+ :set PackagesUpdateBackupFailure true;
+ }
+ $RmDir "tmpfs/backup-cloud";
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/backup-email.rsc b/backup-email.rsc
new file mode 100644
index 00000000..c12942a2
--- /dev/null
+++ b/backup-email.rsc
@@ -0,0 +1,143 @@
+#!rsc by RouterOS
+# RouterOS script: backup-email
+# Copyright (c) 2013-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: backup-script, order=20
+# requires RouterOS, version=7.17
+#
+# create and email backup and config file
+# https://rsc.eworm.de/doc/backup-email.md
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global BackupPassword;
+ :global BackupRandomDelay;
+ :global BackupSendBinary;
+ :global BackupSendExport;
+ :global BackupSendGlobalConfig;
+ :global Domain;
+ :global Identity;
+ :global PackagesUpdateBackupFailure;
+
+ :global CleanName;
+ :global DeviceInfo;
+ :global FileExists;
+ :global FormatLine;
+ :global LogPrint;
+ :global MkDir;
+ :global RandomDelay;
+ :global ScriptFromTerminal;
+ :global ScriptLock;
+ :global SendEMail2;
+ :global SymbolForNotification;
+ :global WaitForFile;
+ :global WaitFullyConnected;
+
+ :if ([ :typeof $SendEMail2 ] = "nothing") do={
+ $LogPrint error $ScriptName ("The module for sending notifications via e-mail is not installed.");
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ($BackupSendBinary != true && \
+ $BackupSendExport != true) do={
+ $LogPrint error $ScriptName ("Configured to send neither backup nor config export.");
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
+ $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+
+ $WaitFullyConnected;
+
+ :if ([ $ScriptFromTerminal $ScriptName ] = false && $BackupRandomDelay > 0) do={
+ $RandomDelay $BackupRandomDelay;
+ }
+
+ # filename based on identity
+ :local DirName ("tmpfs/" . $ScriptName);
+ :local FileName [ $CleanName ($Identity . "." . $Domain) ];
+ :local FilePath ($DirName . "/" . $FileName);
+ :local BackupFile "none";
+ :local ExportFile "none";
+ :local ConfigFile "none";
+ :local Attach ({});
+
+ :if ([ $MkDir $DirName ] = false) do={
+ $LogPrint error $ScriptName ("Failed creating directory!");
+ :set ExitOK true;
+ :error false;
+ }
+
+ # binary backup
+ :if ($BackupSendBinary = true) do={
+ /system/backup/save encryption=aes-sha256 name=$FilePath password=$BackupPassword;
+ $WaitForFile ($FilePath . ".backup");
+ :set BackupFile ($FileName . ".backup");
+ :set Attach ($Attach, ($FilePath . ".backup"));
+ }
+
+ # create configuration export
+ :if ($BackupSendExport = true) do={
+ /export terse show-sensitive file=$FilePath;
+ $WaitForFile ($FilePath . ".rsc");
+ :set ExportFile ($FileName . ".rsc");
+ :set Attach ($Attach, ($FilePath . ".rsc"));
+ }
+
+ # global-config-overlay
+ :if ($BackupSendGlobalConfig = true) do={
+ # Do *NOT* use '/file/add ...' here, as it is limited to 4095 bytes!
+ :execute script={ :put [ /system/script/get global-config-overlay source ]; } \
+ file=($FilePath . ".conf\00");
+ $WaitForFile ($FilePath . ".conf");
+ :set ConfigFile ($FileName . ".conf");
+ :set Attach ($Attach, ($FilePath . ".conf"));
+ }
+
+ # send email with status and files
+ $SendEMail2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "floppy-disk,incoming-envelope" ] . \
+ "Backup & Config"); \
+ message=("See attached files for backup and config export for " . \
+ $Identity . ".\n\n" . \
+ [ $DeviceInfo ] . "\n\n" . \
+ [ $FormatLine "Backup file" $BackupFile ] . "\n" . \
+ [ $FormatLine "Export file" $ExportFile ] . "\n" . \
+ [ $FormatLine "Config file" $ConfigFile ]); \
+ attach=$Attach; remove-attach=true });
+
+ # wait for the mail to be sent
+ :do {
+ :retry {
+ :if ([ $FileExists ($FilePath . ".conf") ".conf file" ] = true || \
+ [ $FileExists ($FilePath . ".backup") "backup" ] = true || \
+ [ $FileExists ($FilePath . ".rsc") "script" ] = true) do={
+ :error "Files are still available.";
+ }
+ } delay=1s max=120;
+ } on-error={
+ $LogPrint warning $ScriptName ("Files are still available, sending e-mail failed.");
+ :set PackagesUpdateBackupFailure true;
+ }
+ # do not remove the files here, as the mail is still queued!
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/backup-partition.rsc b/backup-partition.rsc
new file mode 100644
index 00000000..a9f11a59
--- /dev/null
+++ b/backup-partition.rsc
@@ -0,0 +1,128 @@
+#!rsc by RouterOS
+# RouterOS script: backup-partition
+# Copyright (c) 2022-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: backup-script, order=70
+# requires RouterOS, version=7.17
+# requires device-mode, scheduler
+#
+# save configuration to fallback partition
+# https://rsc.eworm.de/doc/backup-partition.md
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global BackupPartitionCopyBeforeFeatureUpdate;
+ :global PackagesUpdateBackupFailure;
+
+ :global LogPrint;
+ :global ScriptFromTerminal;
+ :global ScriptLock;
+ :global VersionToNum;
+
+ :local CopyTo do={
+ :local ScriptName [ :tostr $1 ];
+ :local FallbackTo [ :toid $2 ];
+ :local FallbackToName [ :tostr $3 ];
+
+ :global LogPrint;
+
+ :onerror Err {
+ /partitions/copy-to $FallbackTo;
+ $LogPrint info $ScriptName ("Copied RouterOS to partition '" . $FallbackToName . "'.");
+ } do={
+ $LogPrint error $ScriptName ("Failed copying RouterOS to partition '" . \
+ $FallbackToName . "': " . $Err);
+ :return false;
+ }
+ :return true;
+ }
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
+ $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ :len [ /partitions/find ] ] < 2) do={
+ $LogPrint error $ScriptName ("Device does not have a fallback partition.");
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+
+ :local ActiveRunning [ /partitions/find where active running ];
+
+ :if ([ :len $ActiveRunning ] < 1) do={
+ $LogPrint error $ScriptName ("Device is not running from active partition.");
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+
+ :local FallbackToName [ /partitions/get $ActiveRunning fallback-to ];
+ :local FallbackTo [ /partition/find where name=$FallbackToName !active ];
+
+ :if ([ :len $FallbackTo ] < 1) do={
+ $LogPrint error $ScriptName ("There is no inactive partition named '" . $FallbackToName . "'.");
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ /partitions/get $ActiveRunning version ] != [ /partitions/get $FallbackTo version]) do={
+ :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
+ :put ("The partitions have different RouterOS versions. Copy over to '" . $FallbackToName . "'? [y/N]");
+ :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
+ :if ([ $CopyTo $ScriptName $FallbackTo $FallbackToName ] = false) do={
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+ }
+ } else={
+ :local Update [ /system/package/update/get ];
+ :local NumInstalled [ $VersionToNum ($Update->"installed-version") ];
+ :local NumLatest [ $VersionToNum ($Update->"latest-version") ];
+ :local BitMask [ $VersionToNum "255.255zero0" ];
+ :if ($BackupPartitionCopyBeforeFeatureUpdate = true && $NumLatest > 0 && \
+ ($NumInstalled & $BitMask) != ($NumLatest & $BitMask)) do={
+ :if ([ $CopyTo $ScriptName $FallbackTo $FallbackToName ] = false) do={
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+ }
+ }
+ }
+
+ :onerror Err {
+ /system/scheduler/add start-time=startup name="running-from-backup-partition" \
+ on-event=(":log warning (\"Running from partition '\" . " . \
+ "[ /partitions/get [ find where running ] name ] . \"'!\")");
+ /partitions/save-config-to $FallbackTo;
+ /system/scheduler/remove "running-from-backup-partition";
+ $LogPrint info $ScriptName ("Saved configuration to partition '" . $FallbackToName . "'.");
+ } do={
+ /system/scheduler/remove [ find where name="running-from-backup-partition" ];
+ $LogPrint error $ScriptName ("Failed saving configuration to partition '" . \
+ $FallbackToName . "': " . $Err);
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/backup-upload.rsc b/backup-upload.rsc
new file mode 100644
index 00000000..cae67bfa
--- /dev/null
+++ b/backup-upload.rsc
@@ -0,0 +1,178 @@
+#!rsc by RouterOS
+# RouterOS script: backup-upload
+# Copyright (c) 2013-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: backup-script, order=50
+# requires RouterOS, version=7.17
+# requires device-mode, fetch
+#
+# create and upload backup and config file
+# https://rsc.eworm.de/doc/backup-upload.md
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global BackupPassword;
+ :global BackupRandomDelay;
+ :global BackupSendBinary;
+ :global BackupSendExport;
+ :global BackupSendGlobalConfig;
+ :global BackupUploadPass;
+ :global BackupUploadUrl;
+ :global BackupUploadUser;
+ :global Domain;
+ :global Identity;
+ :global PackagesUpdateBackupFailure;
+
+ :global CleanName;
+ :global DeviceInfo;
+ :global IfThenElse;
+ :global LogPrint;
+ :global MkDir;
+ :global RandomDelay;
+ :global RmDir;
+ :global RmFile;
+ :global ScriptFromTerminal;
+ :global ScriptLock;
+ :global SendNotification2;
+ :global SymbolForNotification;
+ :global WaitForFile;
+ :global WaitFullyConnected;
+
+ :if ($BackupSendBinary != true && \
+ $BackupSendExport != true) do={
+ $LogPrint error $ScriptName ("Configured to send neither backup nor config export.");
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
+ $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
+ :set PackagesUpdateBackupFailure true;
+ :set ExitOK true;
+ :error false;
+ }
+
+ $WaitFullyConnected;
+
+ :if ([ $ScriptFromTerminal $ScriptName ] = false && $BackupRandomDelay > 0) do={
+ $RandomDelay $BackupRandomDelay;
+ }
+
+ # filename based on identity
+ :local DirName ("tmpfs/" . $ScriptName);
+ :local FileName [ $CleanName ($Identity . "." . $Domain) ];
+ :local FilePath ($DirName . "/" . $FileName);
+ :local BackupFile "none";
+ :local ExportFile "none";
+ :local ConfigFile "none";
+ :local Failed 0;
+
+ :if ([ $MkDir $DirName ] = false) do={
+ $LogPrint error $ScriptName ("Failed creating directory!");
+ :set ExitOK true;
+ :error false;
+ }
+
+ # binary backup
+ :if ($BackupSendBinary = true) do={
+ /system/backup/save encryption=aes-sha256 name=$FilePath password=$BackupPassword;
+ $WaitForFile ($FilePath . ".backup");
+
+ :onerror Err {
+ /tool/fetch upload=yes url=($BackupUploadUrl . "/" . $FileName . ".backup") \
+ user=$BackupUploadUser password=$BackupUploadPass src-path=($FilePath . ".backup");
+ :set BackupFile [ /file/get ($FilePath . ".backup") ];
+ :set ($BackupFile->"name") ($FileName . ".backup");
+ } do={
+ $LogPrint error $ScriptName ("Uploading backup file failed: " . $Err);
+ :set BackupFile "failed";
+ :set Failed 1;
+ }
+
+ $RmFile ($FilePath . ".backup");
+ }
+
+ # create configuration export
+ :if ($BackupSendExport = true) do={
+ /export terse show-sensitive file=$FilePath;
+ $WaitForFile ($FilePath . ".rsc");
+
+ :onerror Err {
+ /tool/fetch upload=yes url=($BackupUploadUrl . "/" . $FileName . ".rsc") \
+ user=$BackupUploadUser password=$BackupUploadPass src-path=($FilePath . ".rsc");
+ :set ExportFile [ /file/get ($FilePath . ".rsc") ];
+ :set ($ExportFile->"name") ($FileName . ".rsc");
+ } do={
+ $LogPrint error $ScriptName ("Uploading configuration export failed: " . $Err);
+ :set ExportFile "failed";
+ :set Failed 1;
+ }
+
+ $RmFile ($FilePath . ".rsc");
+ }
+
+ # global-config-overlay
+ :if ($BackupSendGlobalConfig = true) do={
+ # Do *NOT* use '/file/add ...' here, as it is limited to 4095 bytes!
+ :execute script={ :put [ /system/script/get global-config-overlay source ]; } \
+ file=($FilePath . ".conf\00");
+ $WaitForFile ($FilePath . ".conf");
+
+ :onerror Err {
+ /tool/fetch upload=yes url=($BackupUploadUrl . "/" . $FileName . ".conf") \
+ user=$BackupUploadUser password=$BackupUploadPass src-path=($FilePath . ".conf");
+ :set ConfigFile [ /file/get ($FilePath . ".conf") ];
+ :set ($ConfigFile->"name") ($FileName . ".conf");
+ } do={
+ $LogPrint error $ScriptName ("Uploading global-config-overlay failed: " . $Err);
+ :set ConfigFile "failed";
+ :set Failed 1;
+ }
+
+ $RmFile ($FilePath . ".conf");
+ }
+
+ :local FileInfo do={
+ :local Name $1;
+ :local File $2;
+
+ :global FormatLine;
+ :global HumanReadableNum;
+ :global IfThenElse;
+
+ :return \
+ [ $IfThenElse ([ :typeof $File ] = "array") \
+ ($Name . ":\n" . [ $FormatLine " name" ($File->"name") ] . "\n" . \
+ [ $FormatLine " size" ([ $HumanReadableNum ($File->"size") 1024 ] . "B") ]) \
+ [ $FormatLine $Name $File ] ];
+ }
+
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=[ $IfThenElse ($Failed > 0) \
+ ([ $SymbolForNotification "floppy-disk,warning-sign" ] . "Backup & Config upload with failure") \
+ ([ $SymbolForNotification "floppy-disk,arrow-up" ] . "Backup & Config upload") ]; \
+ message=("Backup and config export upload for " . $Identity . ".\n\n" . \
+ [ $DeviceInfo ] . "\n\n" . \
+ [ $FileInfo "Backup file" $BackupFile ] . "\n" . \
+ [ $FileInfo "Export file" $ExportFile ] . "\n" . \
+ [ $FileInfo "Config file" $ConfigFile ]); silent=true });
+
+ :if ($Failed = 1) do={
+ :set PackagesUpdateBackupFailure true;
+ }
+ $RmDir $DirName;
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/bridge-port-to-default b/bridge-port-to-default
deleted file mode 100644
index 409dcb9e..00000000
--- a/bridge-port-to-default
+++ /dev/null
@@ -1,38 +0,0 @@
-#!rsc
-# RouterOS script: bridge-port-to-default
-# Copyright (c) 2013-2020 Christian Hesse
-#
-# reset bridge ports to default bridge
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/bridge-port.md
-
-:global BridgePortTo;
-
-:global LogPrintExit;
-:global ParseKeyValueStore;
-
-:foreach BridgePort in=[ / interface bridge port find where comment~"." ] do={
- :local BridgePortVal [ / interface bridge port get $BridgePort ];
- :foreach Config,BridgeDefault in=[ $ParseKeyValueStore ($BridgePortVal->"comment") ] do={
- :if ($Config = $BridgePortTo) do={
- :if ($BridgeDefault = "dhcp-client") do={
- :if ($BridgePortVal->"disabled" = false) do={
- $LogPrintExit info ("Disabling bridge port for interface " . $BridgePortVal->"interface" . ", enabling dhcp client.") false;
- / interface bridge port disable $BridgePort;
- / ip dhcp-client enable [ find where interface=$BridgePortVal->"interface" comment="toggle with bridge port" disabled=yes ];
- }
- } else={
- :if ($BridgePortVal->"disabled" = true) do={
- $LogPrintExit info ("Enabling bridge port for interface " . $BridgePortVal->"interface" . ", disabling dhcp client.") false;
- / ip dhcp-client disable [ find where interface=$BridgePortVal->"interface" comment="toggle with bridge port" disabled=no ];
- / interface bridge port enable $BridgePort;
- }
- :if ($BridgeDefault != $BridgePortVal->"bridge") do={
- $LogPrintExit info ("Changing interface " . $BridgePortVal->"interface" . " to " . $BridgePortTo . " bridge " . $BridgeDefault) false;
- / interface bridge port set bridge=$BridgeDefault $BridgePort;
- } else={
- $LogPrintExit debug ("Interface " . $BridgePortVal->"interface" . " already connected to " . $BridgePortTo . " bridge " . $BridgeDefault) false;
- }
- }
- }
- }
-}
diff --git a/bridge-port-toggle b/bridge-port-toggle
deleted file mode 100644
index a8ad8add..00000000
--- a/bridge-port-toggle
+++ /dev/null
@@ -1,16 +0,0 @@
-#!rsc
-# RouterOS script: bridge-port-toggle
-# Copyright (c) 2013-2020 Christian Hesse
-#
-# toggle bridge ports between default and alt bridge
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/bridge-port.md
-
-:global BridgePortTo;
-
-:if ($BridgePortTo != "default") do={
- :set BridgePortTo "default";
-} else={
- :set BridgePortTo "alt";
-}
-
-/ system script run bridge-port-to-default;
diff --git a/capsman-download-packages b/capsman-download-packages
deleted file mode 100644
index c17a09d0..00000000
--- a/capsman-download-packages
+++ /dev/null
@@ -1,48 +0,0 @@
-#!rsc
-# RouterOS script: capsman-download-packages
-# Copyright (c) 2018-2020 Christian Hesse
-# Michael Gisbers
-#
-# download and cleanup packages for CAP installation from CAPsMAN
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/capsman-download-packages.md
-
-:global CleanFilePath;
-:global DownloadPackage;
-:global LogPrintExit;
-:global MkDir;
-:global ScriptLock;
-
-$ScriptLock "capsman-download-packages";
-
-:local PackagePath [ $CleanFilePath [ / caps-man manager get package-path ] ];
-:local InstalledVersion [ / system package update get installed-version ];
-:local Updated false;
-
-:if ([ / file print count-only where name=$PackagePath type="directory" ] = 0) do={
- $MkDir $PackagePath;
- $LogPrintExit info ("Created directory at package path (" . $PackagePath . \
- "). Please place your packages!") false;
-}
-
-:foreach Package in=[ / file find where type=package \
- package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
- :local File [ / file get $Package ];
- :if ($File->"package-architecture" = "mips") do={
- :set ($File->"package-architecture") "mipsbe";
- }
- :if ($File->"package-name" = "wireless@") do={
- :set ($File->"package-name") "wireless";
- }
- :if ([ $DownloadPackage ($File->"package-name") $InstalledVersion ($File->"package-architecture") $PackagePath ] = true) do={
- :set Updated true;
- / file remove $Package;
- }
-}
-
-:if ($Updated = true) do={
- :if ([ / system script print count-only where name="capsman-rolling-upgrade" ] > 0) do={
- / system script run capsman-rolling-upgrade;
- } else={
- / caps-man remote-cap upgrade [ find where version!=$InstalledVersion ];
- }
-}
diff --git a/capsman-download-packages.capsman.rsc b/capsman-download-packages.capsman.rsc
new file mode 100644
index 00000000..838f41b9
--- /dev/null
+++ b/capsman-download-packages.capsman.rsc
@@ -0,0 +1,93 @@
+#!rsc by RouterOS
+# RouterOS script: capsman-download-packages.capsman
+# Copyright (c) 2018-2026 Christian Hesse
+# Michael Gisbers
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# download and cleanup packages for CAP installation from CAPsMAN
+# https://rsc.eworm.de/doc/capsman-download-packages.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global CleanFilePath;
+ :global DownloadPackage;
+ :global FileGet;
+ :global LogPrint;
+ :global MkDir;
+ :global RmFile;
+ :global ScriptLock;
+ :global WaitFullyConnected;
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+ $WaitFullyConnected;
+
+ :local PackagePath [ $CleanFilePath [ /caps-man/manager/get package-path ] ];
+ :local InstalledVersion [ /system/package/update/get installed-version ];
+ :local Updated false;
+
+ :if ([ :len $PackagePath ] = 0) do={
+ $LogPrint warning $ScriptName ("The CAPsMAN package path is not defined, can not download packages.");
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ $FileGet $PackagePath ] = false) do={
+ :if ([ $MkDir $PackagePath ] = false) do={
+ $LogPrint warning $ScriptName ("Creating directory at CAPsMAN package path (" . \
+ $PackagePath . ") failed!");
+ :set ExitOK true;
+ :error false;
+ }
+ $LogPrint info $ScriptName ("Created directory at CAPsMAN package path (" . $PackagePath . \
+ "). Please place your packages!");
+ }
+
+ :foreach Package in=[ /file/find where type="package" \
+ package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
+ :local File [ /file/get $Package ];
+ :if ($File->"package-architecture" = "mips") do={
+ :set ($File->"package-architecture") "mipsbe";
+ }
+ :if ([ $DownloadPackage ($File->"package-name") $InstalledVersion \
+ ($File->"package-architecture") $PackagePath ] = true) do={
+ :set Updated true;
+ $RmFile ($File->"name");
+ }
+ }
+
+ :if ([ :len [ /file/find where type="package" name~("^" . $PackagePath) ] ] = 0) do={
+ $LogPrint info $ScriptName ("No packages available, downloading default set.");
+ :foreach Arch in={ "arm"; "mipsbe" } do={
+ :foreach Package in={ "routeros"; "wireless" } do={
+ :if ([ $DownloadPackage $Package $InstalledVersion $Arch $PackagePath ] = true) do={
+ :set Updated true;
+ }
+ }
+ }
+ }
+
+ :if ($Updated = true) do={
+ :local Scripts [ /system/script/find where source~"\n# provides: capsman-rolling-upgrade.capsman\r?\n" ];
+ :if ([ :len $Scripts ] > 0) do={
+ :foreach Script in=$Scripts do={
+ /system/script/run $Script;
+ }
+ } else={
+ /caps-man/remote-cap/upgrade [ find where version!=$InstalledVersion ];
+ }
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/capsman-download-packages.template.rsc b/capsman-download-packages.template.rsc
new file mode 100644
index 00000000..1d31eb5a
--- /dev/null
+++ b/capsman-download-packages.template.rsc
@@ -0,0 +1,104 @@
+#!rsc by RouterOS
+# RouterOS script: capsman-download-packages%TEMPL%
+# Copyright (c) 2018-2026 Christian Hesse
+# Michael Gisbers
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# download and cleanup packages for CAP installation from CAPsMAN
+# https://rsc.eworm.de/doc/capsman-download-packages.md
+#
+# !! This is just a template to generate the real script!
+# !! Pattern '%TEMPL%' is replaced, paths are filtered.
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global CleanFilePath;
+ :global DownloadPackage;
+ :global FileGet;
+ :global LogPrint;
+ :global MkDir;
+ :global RmFile;
+ :global ScriptLock;
+ :global WaitFullyConnected;
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+ $WaitFullyConnected;
+
+ :local PackagePath [ $CleanFilePath [ /caps-man/manager/get package-path ] ];
+ :local PackagePath [ $CleanFilePath [ /interface/wifi/capsman/get package-path ] ];
+ :local InstalledVersion [ /system/package/update/get installed-version ];
+ :local Updated false;
+
+ :if ([ :len $PackagePath ] = 0) do={
+ $LogPrint warning $ScriptName ("The CAPsMAN package path is not defined, can not download packages.");
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ $FileGet $PackagePath ] = false) do={
+ :if ([ $MkDir $PackagePath ] = false) do={
+ $LogPrint warning $ScriptName ("Creating directory at CAPsMAN package path (" . \
+ $PackagePath . ") failed!");
+ :set ExitOK true;
+ :error false;
+ }
+ $LogPrint info $ScriptName ("Created directory at CAPsMAN package path (" . $PackagePath . \
+ "). Please place your packages!");
+ }
+
+ :foreach Package in=[ /file/find where type="package" \
+ package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
+ :local File [ /file/get $Package ];
+ :if ($File->"package-architecture" = "mips") do={
+ :set ($File->"package-architecture") "mipsbe";
+ }
+ :if ([ $DownloadPackage ($File->"package-name") $InstalledVersion \
+ ($File->"package-architecture") $PackagePath ] = true) do={
+ :set Updated true;
+ $RmFile ($File->"name");
+ }
+ }
+
+ :if ([ :len [ /file/find where type="package" name~("^" . $PackagePath) ] ] = 0) do={
+ $LogPrint info $ScriptName ("No packages available, downloading default set.");
+# NOT /interface/wifi/ #
+ :foreach Arch in={ "arm"; "mipsbe" } do={
+ :foreach Package in={ "routeros"; "wireless" } do={
+# NOT /interface/wifi/ #
+# NOT /caps-man/ #
+ :foreach Arch in={ "arm"; "arm64" } do={
+ :local Packages { "arm"={ "routeros"; "wifi-qcom"; "wifi-qcom-ac" };
+ "arm64"={ "routeros"; "wifi-qcom" } };
+ :foreach Package in=($Packages->$Arch) do={
+# NOT /caps-man/ #
+ :if ([ $DownloadPackage $Package $InstalledVersion $Arch $PackagePath ] = true) do={
+ :set Updated true;
+ }
+ }
+ }
+ }
+
+ :if ($Updated = true) do={
+ :local Scripts [ /system/script/find where source~"\n# provides: capsman-rolling-upgrade%TEMPL%\r?\n" ];
+ :if ([ :len $Scripts ] > 0) do={
+ :foreach Script in=$Scripts do={
+ /system/script/run $Script;
+ }
+ } else={
+ /caps-man/remote-cap/upgrade [ find where version!=$InstalledVersion ];
+ /interface/wifi/capsman/remote-cap/upgrade [ find where version!=$InstalledVersion ];
+ }
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/capsman-download-packages.wifi.rsc b/capsman-download-packages.wifi.rsc
new file mode 100644
index 00000000..242bb0c8
--- /dev/null
+++ b/capsman-download-packages.wifi.rsc
@@ -0,0 +1,95 @@
+#!rsc by RouterOS
+# RouterOS script: capsman-download-packages.wifi
+# Copyright (c) 2018-2026 Christian Hesse
+# Michael Gisbers
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# download and cleanup packages for CAP installation from CAPsMAN
+# https://rsc.eworm.de/doc/capsman-download-packages.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global CleanFilePath;
+ :global DownloadPackage;
+ :global FileGet;
+ :global LogPrint;
+ :global MkDir;
+ :global RmFile;
+ :global ScriptLock;
+ :global WaitFullyConnected;
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+ $WaitFullyConnected;
+
+ :local PackagePath [ $CleanFilePath [ /interface/wifi/capsman/get package-path ] ];
+ :local InstalledVersion [ /system/package/update/get installed-version ];
+ :local Updated false;
+
+ :if ([ :len $PackagePath ] = 0) do={
+ $LogPrint warning $ScriptName ("The CAPsMAN package path is not defined, can not download packages.");
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ $FileGet $PackagePath ] = false) do={
+ :if ([ $MkDir $PackagePath ] = false) do={
+ $LogPrint warning $ScriptName ("Creating directory at CAPsMAN package path (" . \
+ $PackagePath . ") failed!");
+ :set ExitOK true;
+ :error false;
+ }
+ $LogPrint info $ScriptName ("Created directory at CAPsMAN package path (" . $PackagePath . \
+ "). Please place your packages!");
+ }
+
+ :foreach Package in=[ /file/find where type="package" \
+ package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
+ :local File [ /file/get $Package ];
+ :if ($File->"package-architecture" = "mips") do={
+ :set ($File->"package-architecture") "mipsbe";
+ }
+ :if ([ $DownloadPackage ($File->"package-name") $InstalledVersion \
+ ($File->"package-architecture") $PackagePath ] = true) do={
+ :set Updated true;
+ $RmFile ($File->"name");
+ }
+ }
+
+ :if ([ :len [ /file/find where type="package" name~("^" . $PackagePath) ] ] = 0) do={
+ $LogPrint info $ScriptName ("No packages available, downloading default set.");
+ :foreach Arch in={ "arm"; "arm64" } do={
+ :local Packages { "arm"={ "routeros"; "wifi-qcom"; "wifi-qcom-ac" };
+ "arm64"={ "routeros"; "wifi-qcom" } };
+ :foreach Package in=($Packages->$Arch) do={
+ :if ([ $DownloadPackage $Package $InstalledVersion $Arch $PackagePath ] = true) do={
+ :set Updated true;
+ }
+ }
+ }
+ }
+
+ :if ($Updated = true) do={
+ :local Scripts [ /system/script/find where source~"\n# provides: capsman-rolling-upgrade.wifi\r?\n" ];
+ :if ([ :len $Scripts ] > 0) do={
+ :foreach Script in=$Scripts do={
+ /system/script/run $Script;
+ }
+ } else={
+ /interface/wifi/capsman/remote-cap/upgrade [ find where version!=$InstalledVersion ];
+ }
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/capsman-rolling-upgrade b/capsman-rolling-upgrade
deleted file mode 100644
index a4961676..00000000
--- a/capsman-rolling-upgrade
+++ /dev/null
@@ -1,27 +0,0 @@
-#!rsc
-# RouterOS script: capsman-rolling-upgrade
-# Copyright (c) 2018-2020 Christian Hesse
-# Michael Gisbers
-#
-# upgrade CAPs one after another
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/capsman-rolling-upgrade.md
-
-:global LogPrintExit;
-:global ScriptLock;
-
-$ScriptLock "capsman-rolling-upgrade";
-
-:local InstalledVersion [ / system package update get installed-version ];
-
-:local RemoteCapCount [ /caps-man remote-cap print count-only ];
-:if ($RemoteCapCount > 0) do={
- :local Delay (600 / $RemoteCapCount);
- :if ($Delay > 120) do={ :set Delay 120; }
- :foreach RemoteCap in=[ / caps-man remote-cap find where version!=$InstalledVersion ] do={
- :local RemoteCapVal [ / caps-man remote-cap get $RemoteCap ];
- $LogPrintExit info ("Starting upgrade for " . $RemoteCapVal->"name" . \
- " (" . $RemoteCapVal->"identity" . ")...") false;
- / caps-man remote-cap upgrade [ find where name=$RemoteCapVal->"name" ];
- :delay ($Delay . "s");
- }
-}
diff --git a/capsman-rolling-upgrade.capsman.rsc b/capsman-rolling-upgrade.capsman.rsc
new file mode 100644
index 00000000..bb1b17b1
--- /dev/null
+++ b/capsman-rolling-upgrade.capsman.rsc
@@ -0,0 +1,50 @@
+#!rsc by RouterOS
+# RouterOS script: capsman-rolling-upgrade.capsman
+# Copyright (c) 2018-2026 Christian Hesse
+# Michael Gisbers
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: capsman-rolling-upgrade.capsman
+# requires RouterOS, version=7.17
+#
+# upgrade CAPs one after another
+# https://rsc.eworm.de/doc/capsman-rolling-upgrade.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global LogPrint;
+ :global ScriptLock;
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+
+ :local InstalledVersion [ /system/package/update/get installed-version ];
+
+ :local RemoteCapCount [ :len [ /caps-man/remote-cap/find ] ];
+ :if ($RemoteCapCount > 0) do={
+ :local Delay (600 / $RemoteCapCount);
+ :if ($Delay > 120) do={ :set Delay 120; }
+ :foreach RemoteCap in=[ /caps-man/remote-cap/find where version!=$InstalledVersion ] do={
+ :local RemoteCapVal [ /caps-man/remote-cap/get $RemoteCap ];
+ :if ([ :len $RemoteCapVal ] > 1) do={
+ $LogPrint info $ScriptName ("Starting upgrade for " . $RemoteCapVal->"name" . \
+ " (" . $RemoteCapVal->"identity" . ")...");
+ /caps-man/remote-cap/upgrade $RemoteCap;
+ } else={
+ $LogPrint warning $ScriptName ("Remote CAP vanished, skipping upgrade.");
+ }
+ :delay ($Delay . "s");
+ }
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/capsman-rolling-upgrade.template.rsc b/capsman-rolling-upgrade.template.rsc
new file mode 100644
index 00000000..919765a0
--- /dev/null
+++ b/capsman-rolling-upgrade.template.rsc
@@ -0,0 +1,58 @@
+#!rsc by RouterOS
+# RouterOS script: capsman-rolling-upgrade%TEMPL%
+# Copyright (c) 2018-2026 Christian Hesse
+# Michael Gisbers
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: capsman-rolling-upgrade%TEMPL%
+# requires RouterOS, version=7.17
+#
+# upgrade CAPs one after another
+# https://rsc.eworm.de/doc/capsman-rolling-upgrade.md
+#
+# !! This is just a template to generate the real script!
+# !! Pattern '%TEMPL%' is replaced, paths are filtered.
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global LogPrint;
+ :global ScriptLock;
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+
+ :local InstalledVersion [ /system/package/update/get installed-version ];
+
+ :local RemoteCapCount [ :len [ /caps-man/remote-cap/find ] ];
+ :local RemoteCapCount [ :len [ /interface/wifi/capsman/remote-cap/find ] ];
+ :if ($RemoteCapCount > 0) do={
+ :local Delay (600 / $RemoteCapCount);
+ :if ($Delay > 120) do={ :set Delay 120; }
+ :foreach RemoteCap in=[ /caps-man/remote-cap/find where version!=$InstalledVersion ] do={
+ :foreach RemoteCap in=[ /interface/wifi/capsman/remote-cap/find where version!=$InstalledVersion ] do={
+ :local RemoteCapVal [ /caps-man/remote-cap/get $RemoteCap ];
+ :local RemoteCapVal [ /interface/wifi/capsman/remote-cap/get $RemoteCap ];
+ :if ([ :len $RemoteCapVal ] > 1) do={
+# NOT /caps-man/ #
+ :set ($RemoteCapVal->"name") ($RemoteCapVal->"common-name");
+# NOT /caps-man/ #
+ $LogPrint info $ScriptName ("Starting upgrade for " . $RemoteCapVal->"name" . \
+ " (" . $RemoteCapVal->"identity" . ")...");
+ /caps-man/remote-cap/upgrade $RemoteCap;
+ /interface/wifi/capsman/remote-cap/upgrade $RemoteCap;
+ } else={
+ $LogPrint warning $ScriptName ("Remote CAP vanished, skipping upgrade.");
+ }
+ :delay ($Delay . "s");
+ }
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/capsman-rolling-upgrade.wifi.rsc b/capsman-rolling-upgrade.wifi.rsc
new file mode 100644
index 00000000..b0c9d034
--- /dev/null
+++ b/capsman-rolling-upgrade.wifi.rsc
@@ -0,0 +1,51 @@
+#!rsc by RouterOS
+# RouterOS script: capsman-rolling-upgrade.wifi
+# Copyright (c) 2018-2026 Christian Hesse
+# Michael Gisbers
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: capsman-rolling-upgrade.wifi
+# requires RouterOS, version=7.17
+#
+# upgrade CAPs one after another
+# https://rsc.eworm.de/doc/capsman-rolling-upgrade.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global LogPrint;
+ :global ScriptLock;
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+
+ :local InstalledVersion [ /system/package/update/get installed-version ];
+
+ :local RemoteCapCount [ :len [ /interface/wifi/capsman/remote-cap/find ] ];
+ :if ($RemoteCapCount > 0) do={
+ :local Delay (600 / $RemoteCapCount);
+ :if ($Delay > 120) do={ :set Delay 120; }
+ :foreach RemoteCap in=[ /interface/wifi/capsman/remote-cap/find where version!=$InstalledVersion ] do={
+ :local RemoteCapVal [ /interface/wifi/capsman/remote-cap/get $RemoteCap ];
+ :if ([ :len $RemoteCapVal ] > 1) do={
+ :set ($RemoteCapVal->"name") ($RemoteCapVal->"common-name");
+ $LogPrint info $ScriptName ("Starting upgrade for " . $RemoteCapVal->"name" . \
+ " (" . $RemoteCapVal->"identity" . ")...");
+ /interface/wifi/capsman/remote-cap/upgrade $RemoteCap;
+ } else={
+ $LogPrint warning $ScriptName ("Remote CAP vanished, skipping upgrade.");
+ }
+ :delay ($Delay . "s");
+ }
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/certificate-renew-issued b/certificate-renew-issued
deleted file mode 100644
index fe33b931..00000000
--- a/certificate-renew-issued
+++ /dev/null
@@ -1,30 +0,0 @@
-#!rsc
-# RouterOS script: certificate-renew-issued
-# Copyright (c) 2019-2020 Christian Hesse
-#
-# renew locally issued certificates
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/certificate-renew-issued.md
-
-:global CertIssuedExportPass;
-
-:global LogPrintExit;
-:global MkDir;
-
-:foreach Cert in=[ / certificate find where issued expires-after<3w ] do={
- :local CertVal [ / certificate get $Cert ];
- / certificate issued-revoke $Cert;
- / certificate set name=($CertVal->"name" . "-revoked-" . [ / system clock get date ]) $Cert;
- / certificate add name=($CertVal->"name") common-name=($CertVal->"common-name") \
- key-usage=($CertVal->"key-usage") subject-alt-name=($CertVal->"subject-alt-name");
- / certificate sign ($CertVal->"name") ca=($CertVal->"ca");
- :if ([ :typeof ($CertIssuedExportPass->($CertVal->"common-name")) ] = "str") do={
- $MkDir "cert-issued";
- / certificate export-certificate ($CertVal->"name") type=pkcs12 \
- file-name=("cert-issued/" . $CertVal->"common-name") \
- export-passphrase=($CertIssuedExportPass->($CertVal->"common-name"));
- $LogPrintExit info ("Issued a new certificate for \"" . $CertVal->"common-name" . \
- "\", exported to \"cert-issued/" . $CertVal->"common-name" . ".p12\".") false;
- } else={
- $LogPrintExit info ("Issued a new certificate for \"" . $CertVal->"common-name" . "\".") false;
- }
-}
diff --git a/certificate-renew-issued.rsc b/certificate-renew-issued.rsc
new file mode 100644
index 00000000..fc8bff32
--- /dev/null
+++ b/certificate-renew-issued.rsc
@@ -0,0 +1,52 @@
+#!rsc by RouterOS
+# RouterOS script: certificate-renew-issued
+# Copyright (c) 2019-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# renew locally issued certificates
+# https://rsc.eworm.de/doc/certificate-renew-issued.md
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global CertIssuedExportPass;
+
+ :global LogPrint;
+ :global MkDir;
+ :global ScriptLock;
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+
+ :foreach Cert in=[ /certificate/find where issued expires-after<3w ] do={
+ :local CertVal [ /certificate/get $Cert ];
+ /certificate/issued-revoke $Cert;
+ /certificate/set name=($CertVal->"name" . "-revoked-" . [ /system/clock/get date ]) $Cert;
+ /certificate/add name=($CertVal->"name") common-name=($CertVal->"common-name") \
+ key-usage=($CertVal->"key-usage") subject-alt-name=($CertVal->"subject-alt-name");
+ /certificate/sign ($CertVal->"name") ca=($CertVal->"ca");
+ :if ([ :typeof ($CertIssuedExportPass->($CertVal->"common-name")) ] = "str") do={
+ :if ([ $MkDir "cert-issued" ] = true) do={
+ /certificate/export-certificate ($CertVal->"name") type=pkcs12 \
+ file-name=("cert-issued/" . $CertVal->"common-name") \
+ export-passphrase=($CertIssuedExportPass->($CertVal->"common-name"));
+ $LogPrint info $ScriptName ("Issued a new certificate for '" . $CertVal->"common-name" . \
+ "', exported to 'cert-issued/" . $CertVal->"common-name" . ".p12'.");
+ } else={
+ $LogPrint warning $ScriptName ("Failed creating directory, not exporting certificate.");
+ }
+ } else={
+ $LogPrint info $ScriptName ("Issued a new certificate for '" . $CertVal->"common-name" . "'.");
+ }
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/certs/Certum-Trusted-Network-CA.pem b/certs/Certum-Trusted-Network-CA.pem
new file mode 100644
index 00000000..a48e7063
--- /dev/null
+++ b/certs/Certum-Trusted-Network-CA.pem
@@ -0,0 +1,29 @@
+# Issuer: CN=Certum Trusted Network CA O=Unizeto Technologies S.A. OU=Certum Certification Authority
+# Subject: CN=Certum Trusted Network CA O=Unizeto Technologies S.A. OU=Certum Certification Authority
+# Label: "Certum Trusted Network CA"
+# Serial: 279744
+# MD5 Fingerprint: d5:e9:81:40:c5:18:69:fc:46:2c:89:75:62:0f:aa:78
+# SHA1 Fingerprint: 07:e0:32:e0:20:b7:2c:3f:19:2f:06:28:a2:59:3a:19:a7:0f:06:9e
+# SHA256 Fingerprint: 5c:58:46:8d:55:f5:8e:49:7e:74:39:82:d2:b5:00:10:b6:d1:65:37:4a:cf:83:a7:d4:a3:2d:b7:68:c4:40:8e
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
+MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
+ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
+cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3
+WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg
+Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw
+IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH
+UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM
+TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU
+BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM
+kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x
+AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV
+HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y
+sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL
+I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8
+J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY
+VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
+03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw=
+-----END CERTIFICATE-----
diff --git a/certs/DigiCert ECC Secure Server CA.pem b/certs/DigiCert ECC Secure Server CA.pem
deleted file mode 100644
index 184ca1d5..00000000
--- a/certs/DigiCert ECC Secure Server CA.pem
+++ /dev/null
@@ -1,44 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDrDCCApSgAwIBAgIQCssoukZe5TkIdnRw883GEjANBgkqhkiG9w0BAQwFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
-QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaMEwxCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJjAkBgNVBAMTHURpZ2lDZXJ0IEVDQyBT
-ZWN1cmUgU2VydmVyIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE4ghC6nfYJN6g
-LGSkE85AnCNyqQIKDjc/ITa4jVMU9tWRlUvzlgKNcR7E2Munn17voOZ/WpIRllNv
-68DLP679Wz9HJOeaBy6Wvqgvu1cYr3GkvXg6HuhbPGtkESvMNCuMo4IBITCCAR0w
-EgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwNAYIKwYBBQUHAQEE
-KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQgYDVR0f
-BDswOTA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xv
-YmFsUm9vdENBLmNybDA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYc
-aHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAdBgNVHQ4EFgQUo53mH/naOU/A
-buiRy5Wl2jHiCp8wHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUwDQYJ
-KoZIhvcNAQEMBQADggEBAMeKoENL7HTJxavVHzA1Nm6YVntIrAVjrnuaVyRXzG/6
-3qttnMe2uuzO58pzZNvfBDcKAEmzP58mrZGMIOgfiA4q+2Y3yDDo0sIkp0VILeoB
-UEoxlBPfjV/aKrtJPGHzecicZpIalir0ezZYoyxBEHQa0+1IttK7igZFcTMQMHp6
-mCHdJLnsnLWSB62DxsRq+HfmNb4TDydkskO/g+l3VtsIh5RHFPVfKK+jaEyDj2D3
-loB5hWp2Jp2VDCADjT7ueihlZGak2YPqmXTNbk19HOuNssWvFhtOyPNV6og4ETQd
-Ea8/B6hPatJ0ES8q/HO3X8IVQwVs1n3aAr0im0/T+Xc=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
-QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
-b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
-CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
-nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
-43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
-T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
-gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
-BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
-TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
-DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
-hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
-06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
-PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
-YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
-CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
------END CERTIFICATE-----
diff --git a/certs/DigiCert-Global-Root-G2.pem b/certs/DigiCert-Global-Root-G2.pem
new file mode 100644
index 00000000..8af6c7aa
--- /dev/null
+++ b/certs/DigiCert-Global-Root-G2.pem
@@ -0,0 +1,29 @@
+# Issuer: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
+# Subject: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
+# Label: "DigiCert Global Root G2"
+# Serial: 4293743540046975378534879503202253541
+# MD5 Fingerprint: e4:a6:8a:c8:54:ac:52:42:46:0a:fd:72:48:1b:2a:44
+# SHA1 Fingerprint: df:3c:24:f9:bf:d6:66:76:1b:26:80:73:fe:06:d1:cc:8d:4f:82:a4
+# SHA256 Fingerprint: cb:3c:cb:b7:60:31:e5:e0:13:8f:8d:d3:9a:23:f9:de:47:ff:c3:5e:43:c1:14:4c:ea:27:d4:6a:5a:b1:cb:5f
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
+MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
+2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
+1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
+q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
+tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
+vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
+BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
+5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
+1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
+NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
+Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
+8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
+pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
+MrY=
+-----END CERTIFICATE-----
diff --git a/certs/DigiCert-Global-Root-G3.pem b/certs/DigiCert-Global-Root-G3.pem
new file mode 100644
index 00000000..12324dcc
--- /dev/null
+++ b/certs/DigiCert-Global-Root-G3.pem
@@ -0,0 +1,22 @@
+# Issuer: CN=DigiCert Global Root G3 O=DigiCert Inc OU=www.digicert.com
+# Subject: CN=DigiCert Global Root G3 O=DigiCert Inc OU=www.digicert.com
+# Label: "DigiCert Global Root G3"
+# Serial: 7089244469030293291760083333884364146
+# MD5 Fingerprint: f5:5d:a4:50:a5:fb:28:7e:1e:0f:0d:cc:96:57:56:ca
+# SHA1 Fingerprint: 7e:04:de:89:6a:3e:66:6d:00:e6:87:d3:3f:fa:d9:3b:e8:3d:34:9e
+# SHA256 Fingerprint: 31:ad:66:48:f8:10:41:38:c7:38:f3:9e:a4:32:01:33:39:3e:3a:18:cc:02:29:6e:f9:7c:2a:c9:ef:67:31:d0
+-----BEGIN CERTIFICATE-----
+MIICPzCCAcWgAwIBAgIQBVVWvPJepDU1w6QP1atFcjAKBggqhkjOPQQDAzBhMQsw
+CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
+ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAe
+Fw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVTMRUw
+EwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20x
+IDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEczMHYwEAYHKoZIzj0CAQYF
+K4EEACIDYgAE3afZu4q4C/sLfyHS8L6+c/MzXRq8NOrexpu80JX28MzQC7phW1FG
+fp4tn+6OYwwX7Adw9c+ELkCDnOg/QW07rdOkFFk2eJ0DQ+4QE2xy3q6Ip6FrtUPO
+Z9wj/wMco+I+o0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAd
+BgNVHQ4EFgQUs9tIpPmhxdiuNkHMEWNpYim8S8YwCgYIKoZIzj0EAwMDaAAwZQIx
+AK288mw/EkrRLTnDCgmXc/SINoyIJ7vmiI1Qhadj+Z4y3maTD/HMsQmP3Wyr+mt/
+oAIwOWZbwmSNuJ5Q3KjVSaLtx9zRSX8XAbjIho9OjIgrqJqpisXRAL34VOKa5Vt8
+sycX
+-----END CERTIFICATE-----
diff --git a/certs/GTS-Root-R1.pem b/certs/GTS-Root-R1.pem
new file mode 100644
index 00000000..a6095d2b
--- /dev/null
+++ b/certs/GTS-Root-R1.pem
@@ -0,0 +1,38 @@
+# Issuer: CN=GTS Root R1 O=Google Trust Services LLC
+# Subject: CN=GTS Root R1 O=Google Trust Services LLC
+# Label: "GTS Root R1"
+# Serial: 159662320309726417404178440727
+# MD5 Fingerprint: 05:fe:d0:bf:71:a8:a3:76:63:da:01:e0:d8:52:dc:40
+# SHA1 Fingerprint: e5:8c:1c:c4:91:3b:38:63:4b:e9:10:6e:e3:ad:8e:6b:9d:d9:81:4a
+# SHA256 Fingerprint: d9:47:43:2a:bd:e7:b7:fa:90:fc:2e:6b:59:10:1b:12:80:e0:e1:c7:e4:e4:0f:a3:c6:88:7f:ff:57:a7:f4:cf
+-----BEGIN CERTIFICATE-----
+MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw
+CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
+MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
+MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
+Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA
+A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo
+27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w
+Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw
+TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl
+qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH
+szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8
+Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk
+MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92
+wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p
+aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN
+VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID
+AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
+FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb
+C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe
+QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy
+h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4
+7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J
+ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef
+MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/
+Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT
+6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ
+0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm
+2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb
+bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c
+-----END CERTIFICATE-----
diff --git a/certs/GTS-Root-R4.pem b/certs/GTS-Root-R4.pem
new file mode 100644
index 00000000..16a1c368
--- /dev/null
+++ b/certs/GTS-Root-R4.pem
@@ -0,0 +1,20 @@
+# Issuer: CN=GTS Root R4 O=Google Trust Services LLC
+# Subject: CN=GTS Root R4 O=Google Trust Services LLC
+# Label: "GTS Root R4"
+# Serial: 159662532700760215368942768210
+# MD5 Fingerprint: 43:96:83:77:19:4d:76:b3:9d:65:52:e4:1d:22:a5:e8
+# SHA1 Fingerprint: 77:d3:03:67:b5:e0:0c:15:f6:0c:38:61:df:7c:e1:3b:92:46:4d:47
+# SHA256 Fingerprint: 34:9d:fa:40:58:c5:e2:63:12:3b:39:8a:e7:95:57:3c:4e:13:13:c8:3f:e6:8f:93:55:6c:d5:e8:03:1b:3c:7d
+-----BEGIN CERTIFICATE-----
+MIICCTCCAY6gAwIBAgINAgPlwGjvYxqccpBQUjAKBggqhkjOPQQDAzBHMQswCQYD
+VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIG
+A1UEAxMLR1RTIFJvb3QgUjQwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAw
+WjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2Vz
+IExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjQwdjAQBgcqhkjOPQIBBgUrgQQAIgNi
+AATzdHOnaItgrkO4NcWBMHtLSZ37wWHO5t5GvWvVYRg1rkDdc/eJkTBa6zzuhXyi
+QHY7qca4R9gq55KRanPpsXI5nymfopjTX15YhmUPoYRlBtHci8nHc8iMai/lxKvR
+HYqjQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
+BBSATNbrdP9JNqPV2Py1PsVq8JQdjDAKBggqhkjOPQQDAwNpADBmAjEA6ED/g94D
+9J+uHXqnLrmvT/aDHQ4thQEd0dlq7A/Cr8deVl5c1RxYIigL9zC2L7F8AjEA8GE8
+p/SgguMh1YQdc4acLa/KNJvxn7kjNuK8YAOdgLOaVsjh4rsUecrNIdSUtUlD
+-----END CERTIFICATE-----
diff --git a/certs/Go Daddy Secure Certificate Authority - G2.pem b/certs/Go Daddy Secure Certificate Authority - G2.pem
deleted file mode 100644
index 72e5054d..00000000
--- a/certs/Go Daddy Secure Certificate Authority - G2.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
-EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
-ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
-NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
-EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
-AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
-E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
-/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
-DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
-GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
-tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
-AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
-FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
-WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
-9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
-gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
-2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
-LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
-4uJEvlz36hz1
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
-EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
-ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
-MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
-EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
-CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
-EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
-BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
-K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
-cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
-pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
-eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
-AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
-HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
-9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
-b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
-b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
-CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
-MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
-91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
-RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
-DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
-GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
-LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
------END CERTIFICATE-----
diff --git a/certs/Go-Daddy-Root-Certificate-Authority-G2.pem b/certs/Go-Daddy-Root-Certificate-Authority-G2.pem
new file mode 100644
index 00000000..c61f300e
--- /dev/null
+++ b/certs/Go-Daddy-Root-Certificate-Authority-G2.pem
@@ -0,0 +1,30 @@
+# Issuer: CN=Go Daddy Root Certificate Authority - G2 O=GoDaddy.com, Inc.
+# Subject: CN=Go Daddy Root Certificate Authority - G2 O=GoDaddy.com, Inc.
+# Label: "Go Daddy Root Certificate Authority - G2"
+# Serial: 0
+# MD5 Fingerprint: 80:3a:bc:22:c1:e6:fb:8d:9b:3b:27:4a:32:1b:9a:01
+# SHA1 Fingerprint: 47:be:ab:c9:22:ea:e8:0e:78:78:34:62:a7:9f:45:c2:54:fd:e6:8b
+# SHA256 Fingerprint: 45:14:0b:32:47:eb:9c:c8:c5:b4:f0:d7:b5:30:91:f7:32:92:08:9e:6e:5a:63:e2:74:9d:d3:ac:a9:19:8e:da
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
+NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
+AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
+E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
+/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
+DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
+GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
+tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
+AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
+FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
+WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
+9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
+gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
+2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
+LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
+4uJEvlz36hz1
+-----END CERTIFICATE-----
diff --git a/certs/ISRG-Root-X1.pem b/certs/ISRG-Root-X1.pem
new file mode 100644
index 00000000..995c95d5
--- /dev/null
+++ b/certs/ISRG-Root-X1.pem
@@ -0,0 +1,38 @@
+# Issuer: CN=ISRG Root X1 O=Internet Security Research Group
+# Subject: CN=ISRG Root X1 O=Internet Security Research Group
+# Label: "ISRG Root X1"
+# Serial: 172886928669790476064670243504169061120
+# MD5 Fingerprint: 0c:d2:f9:e0:da:17:73:e9:ed:86:4d:a5:e3:70:e7:4e
+# SHA1 Fingerprint: ca:bd:2a:79:a1:07:6a:31:f2:1d:25:36:35:cb:03:9d:43:29:a5:e8
+# SHA256 Fingerprint: 96:bc:ec:06:26:49:76:f3:74:60:77:9a:cf:28:c5:a7:cf:e8:a3:c0:aa:e1:1a:8f:fc:ee:05:c0:bd:df:08:c6
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
diff --git a/certs/ISRG-Root-X2.pem b/certs/ISRG-Root-X2.pem
new file mode 100644
index 00000000..9cca880a
--- /dev/null
+++ b/certs/ISRG-Root-X2.pem
@@ -0,0 +1,21 @@
+# Issuer: CN=ISRG Root X2 O=Internet Security Research Group
+# Subject: CN=ISRG Root X2 O=Internet Security Research Group
+# Label: "ISRG Root X2"
+# Serial: 87493402998870891108772069816698636114
+# MD5 Fingerprint: d3:9e:c4:1e:23:3c:a6:df:cf:a3:7e:6d:e0:14:e6:e5
+# SHA1 Fingerprint: bd:b1:b9:3c:d5:97:8d:45:c6:26:14:55:f8:db:95:c7:5a:d1:53:af
+# SHA256 Fingerprint: 69:72:9b:8e:15:a8:6e:fc:17:7a:57:af:b7:17:1d:fc:64:ad:d2:8c:2f:ca:8c:f1:50:7e:34:45:3c:cb:14:70
+-----BEGIN CERTIFICATE-----
+MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
+CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
+R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
+MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
+ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
+EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
++1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
+ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
+AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
+zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
+tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
+/q4AaOeMSQ+2b1tbFfLn
+-----END CERTIFICATE-----
diff --git a/certs/Let's Encrypt Authority X3.pem b/certs/Let's Encrypt Authority X3.pem
deleted file mode 100644
index 7df773fe..00000000
--- a/certs/Let's Encrypt Authority X3.pem
+++ /dev/null
@@ -1,83 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
-WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
-ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
-MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
-h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
-0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
-A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
-T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
-B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
-B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
-KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
-OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
-jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
-qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
-rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
-hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
-ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
-3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
-NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
-ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
-TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
-jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
-oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
-4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
-mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
-emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
-WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
-RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
-NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
-89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
-Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
-Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
-uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
-AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
-BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
-FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
-SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
-LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
-BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
-AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
-VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
-ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
-A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
-UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
-DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
-eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
-OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
-p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
-2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
-ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
-PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
-rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
diff --git a/certs/Makefile b/certs/Makefile
new file mode 100644
index 00000000..3ccad6e2
--- /dev/null
+++ b/certs/Makefile
@@ -0,0 +1,58 @@
+# Makefile to check certificates
+
+CURL = curl \
+ --capath /dev/null \
+ --connect-timeout 5 \
+ --output /dev/null \
+ --silent
+
+DOMAINS_DUAL = \
+ api.macvendors.com/GTS-Root-R4 \
+ api.telegram.org/Go-Daddy-Root-Certificate-Authority-G2 \
+ cloudflare-dns.com/DigiCert-Global-Root-G2 \
+ dns.google/GTS-Root-R4 \
+ dns.quad9.net/DigiCert-Global-Root-G3 \
+ git.eworm.de/ISRG-Root-X2 \
+ lists.blocklist.de/Certum-Trusted-Network-CA \
+ matrix.org/GTS-Root-R4 \
+ raw.githubusercontent.com/USERTrust-RSA-Certification-Authority \
+ rsc.eworm.de/ISRG-Root-X2 \
+ upgrade.mikrotik.com/ISRG-Root-X1
+DOMAINS_IPV4 = \
+ 1.1.1.1/DigiCert-Global-Root-G2 \
+ 8.8.8.8/GTS-Root-R1 \
+ 9.9.9.9/DigiCert-Global-Root-G3 \
+ api.mullvad.net/ISRG-Root-X1 \
+ ipv4.showipv6.de/ISRG-Root-X1 \
+ ipv4.tunnelbroker.net/Starfield-Root-Certificate-Authority-G2 \
+ mkcert.org/ISRG-Root-X1 \
+ ntfy.sh/ISRG-Root-X1 \
+ www.dshield.org/ISRG-Root-X1 \
+ www.spamhaus.org/GTS-Root-R4
+DOMAINS_IPV6 = \
+ [2606\:4700\:4700\:\:1111]/DigiCert-Global-Root-G2 \
+ [2001\:4860\:4860\:\:8888]/GTS-Root-R1 \
+ [2620\:fe\:\:9]/DigiCert-Global-Root-G3 \
+ ipv6.showipv6.de/ISRG-Root-X1
+
+.PHONY: $(DOMAINS_DUAL) $(DOMAINS_IPV4) $(DOMAINS_IPV6)
+
+all: $(DOMAINS_DUAL) $(DOMAINS_IPV4) $(DOMAINS_IPV6)
+
+$(DOMAINS_DUAL):
+ifndef NOIPV4
+ $(CURL) -4 --cacert $(notdir $@).pem https://$(dir $@)
+endif
+ifndef NOIPV6
+ $(CURL) -6 --cacert $(notdir $@).pem https://$(dir $@)
+endif
+
+$(DOMAINS_IPV4):
+ifndef NOIPV4
+ $(CURL) -4 --cacert $(notdir $@).pem https://$(dir $@)
+endif
+
+$(DOMAINS_IPV6):
+ifndef NOIPV6
+ $(CURL) -6 --cacert $(notdir $@).pem https://$(dir $@)
+endif
diff --git a/certs/Starfield Secure Certificate Authority - G2.pem b/certs/Starfield Secure Certificate Authority - G2.pem
deleted file mode 100644
index 9c17e74e..00000000
--- a/certs/Starfield Secure Certificate Authority - G2.pem
+++ /dev/null
@@ -1,52 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
-ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw
-MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
-b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
-aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp
-Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg
-nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1
-HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N
-Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN
-dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0
-HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
-BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G
-CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU
-sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3
-4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg
-8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K
-pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
-mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIFADCCA+igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
-ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAw
-MFoXDTMxMDUwMzA3MDAwMFowgcYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
-b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
-aG5vbG9naWVzLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydHMuc3RhcmZpZWxk
-dGVjaC5jb20vcmVwb3NpdG9yeS8xNDAyBgNVBAMTK1N0YXJmaWVsZCBTZWN1cmUg
-Q2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQDlkGZL7PlGcakgg77pbL9KyUhpgXVObST2yxcT+LBxWYR6ayuF
-pDS1FuXLzOlBcCykLtb6Mn3hqN6UEKwxwcDYav9ZJ6t21vwLdGu4p64/xFT0tDFE
-3ZNWjKRMXpuJyySDm+JXfbfYEh/JhW300YDxUJuHrtQLEAX7J7oobRfpDtZNuTlV
-Bv8KJAV+L8YdcmzUiymMV33a2etmGtNPp99/UsQwxaXJDgLFU793OGgGJMNmyDd+
-MB5FcSM1/5DYKp2N57CSTTx/KgqT3M0WRmX3YISLdkuRJ3MUkuDq7o8W6o0OPnYX
-v32JgIBEQ+ct4EMJddo26K3biTr1XRKOIwSDAgMBAAGjggEsMIIBKDAPBgNVHRMB
-Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUJUWBaFAmOD07LSy+
-zWrZtj2zZmMwHwYDVR0jBBgwFoAUfAwyH6fZMH/EfWijYqihzqsHWycwOgYIKwYB
-BQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5zdGFyZmllbGR0ZWNo
-LmNvbS8wOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5zdGFyZmllbGR0ZWNo
-LmNvbS9zZnJvb3QtZzIuY3JsMEwGA1UdIARFMEMwQQYEVR0gADA5MDcGCCsGAQUF
-BwIBFitodHRwczovL2NlcnRzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkv
-MA0GCSqGSIb3DQEBCwUAA4IBAQBWZcr+8z8KqJOLGMfeQ2kTNCC+Tl94qGuc22pN
-QdvBE+zcMQAiXvcAngzgNGU0+bE6TkjIEoGIXFs+CFN69xpk37hQYcxTUUApS8L0
-rjpf5MqtJsxOYUPl/VemN3DOQyuwlMOS6eFfqhBJt2nk4NAfZKQrzR9voPiEJBjO
-eT2pkb9UGBOJmVQRDVXFJgt5T1ocbvlj2xSApAer+rKluYjdkf5lO6Sjeb6JTeHQ
-sPTIFwwKlhR8Cbds4cLYVdQYoKpBaXAko7nv6VrcPuuUSvC33l8Odvr7+2kDRUBQ
-7nIMpBKGgc0T0U7EPMpODdIm8QC3tKai4W56gf0wrHofx1l7
------END CERTIFICATE-----
diff --git a/certs/Starfield-Root-Certificate-Authority-G2.pem b/certs/Starfield-Root-Certificate-Authority-G2.pem
new file mode 100644
index 00000000..4e6774d2
--- /dev/null
+++ b/certs/Starfield-Root-Certificate-Authority-G2.pem
@@ -0,0 +1,30 @@
+# Issuer: CN=Starfield Root Certificate Authority - G2 O=Starfield Technologies, Inc.
+# Subject: CN=Starfield Root Certificate Authority - G2 O=Starfield Technologies, Inc.
+# Label: "Starfield Root Certificate Authority - G2"
+# Serial: 0
+# MD5 Fingerprint: d6:39:81:c6:52:7e:96:69:fc:fc:ca:66:ed:05:f2:96
+# SHA1 Fingerprint: b5:1c:06:7c:ee:2b:0c:3d:f8:55:ab:2d:92:f4:fe:39:d4:e7:0f:0e
+# SHA256 Fingerprint: 2c:e1:cb:0b:f9:d2:f9:e1:02:99:3f:be:21:51:52:c3:b2:dd:0c:ab:de:1c:68:e5:31:9b:83:91:54:db:b7:f5
+-----BEGIN CERTIFICATE-----
+MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
+HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
+ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw
+MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
+b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
+aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp
+Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg
+nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1
+HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N
+Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN
+dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0
+HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G
+CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU
+sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3
+4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg
+8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K
+pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
+mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
+-----END CERTIFICATE-----
diff --git a/certs/USERTrust-RSA-Certification-Authority.pem b/certs/USERTrust-RSA-Certification-Authority.pem
new file mode 100644
index 00000000..0fbeef63
--- /dev/null
+++ b/certs/USERTrust-RSA-Certification-Authority.pem
@@ -0,0 +1,41 @@
+# Issuer: CN=USERTrust RSA Certification Authority O=The USERTRUST Network
+# Subject: CN=USERTrust RSA Certification Authority O=The USERTRUST Network
+# Label: "USERTrust RSA Certification Authority"
+# Serial: 2645093764781058787591871645665788717
+# MD5 Fingerprint: 1b:fe:69:d1:91:b7:19:33:a3:72:a8:0f:e1:55:e5:b5
+# SHA1 Fingerprint: 2b:8f:1b:57:33:0d:bb:a2:d0:7a:6c:51:f7:0e:e9:0d:da:b9:ad:8e
+# SHA256 Fingerprint: e7:93:c9:b0:2f:d8:aa:13:e2:1c:31:22:8a:cc:b0:81:19:64:3b:74:9c:89:89:64:b1:74:6d:46:c3:d4:cb:d2
+-----BEGIN CERTIFICATE-----
+MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
+iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
+cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
+BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
+MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
+BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
+aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
+dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
+3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
+tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
+Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
+VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
+79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
+c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
+Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
+c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
+UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
+Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
+BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
+A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
+Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
+VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
+ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
+8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
+iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
+Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
+XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
+qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
+VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
+L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
+jjxDah2nGN59PRbxYvnKkKj9
+-----END CERTIFICATE-----
diff --git a/check-certificates b/check-certificates
deleted file mode 100644
index 0964bdea..00000000
--- a/check-certificates
+++ /dev/null
@@ -1,124 +0,0 @@
-#!rsc
-# RouterOS script: check-certificates
-# Copyright (c) 2013-2020 Christian Hesse
-#
-# check for certificate validity
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/check-certificates.md
-
-:global CertRenewPass;
-:global CertRenewUrl;
-:global Identity;
-
-:global CertificateAvailable
-:global CertificateNameByCN;
-:global LogPrintExit;
-:global ParseKeyValueStore;
-:global SendNotification;
-:global TimeIsSync;
-:global UrlEncode;
-:global WaitForFile;
-
-:local FormatExpire do={
- :global CharacterReplace;
- :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
-}
-
-:if ($TimeIsSync = false) do={
- $LogPrintExit warning ("Time is not yet synchronized.") true;
-}
-
-:foreach Cert in=[ / certificate find where !revoked !ca !scep-url expires-after<3w ] do={
- :local CertVal [ / certificate get $Cert ];
-
- :do {
- :if ([ :len $CertRenewUrl ] = 0) do={
- $LogPrintExit warning ("No CertRenewUrl given.") true;
- }
-
- :foreach Type in={ ".pem"; ".p12" } do={
- :local CertFileName ([ $UrlEncode ($CertVal->"common-name") ] . $Type);
- :do {
- / tool fetch check-certificate=yes-without-crl \
- ($CertRenewUrl . $CertFileName) dst-path=$CertFileName;
- $WaitForFile $CertFileName;
- :foreach PassPhrase in=$CertRenewPass do={
- / certificate import file-name=$CertFileName passphrase=$PassPhrase;
- }
- / file remove [ find where name=$CertFileName ];
-
- :foreach CertInChain in=[ / certificate find where name~("^" . $CertFileName . "_[0-9]+\$") common-name!=($CertVal->"common-name") ] do={
- $CertificateNameByCN [ / certificate get $CertInChain common-name ];
- }
- } on-error={
- $LogPrintExit debug ("Could not download certificate file " . $CertFileName) false;
- }
- }
-
- :local CertNew [ / certificate find where common-name=($CertVal->"common-name") fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>3w ];
- :local CertNewVal [ / certificate get $CertNew ];
-
- :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
- $LogPrintExit warning ("The certificate chain is not available!") false;
- }
-
- :if ($Cert != $CertNew) do={
- $LogPrintExit debug ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.") false;
-
- / ip service set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];
-
- :do {
- / ip ipsec identity set certificate=($CertNewVal->"name") [ / ip ipsec identity find where certificate=($CertVal->"name") ];
- / ip ipsec identity set remote-certificate=($CertNewVal->"name") [ / ip ipsec identity find where remote-certificate=($CertVal->"name") ];
- } on-error={
- $LogPrintExit debug ("Setting IPSEC certificates failed. Package 'security' not installed?") false;
- }
-
- :do {
- / ip hotspot profile set ssl-certificate=($CertNewVal->"name") [ / ip hotspot profile find where ssl-certificate=($CertVal->"name") ];
- } on-error={
- $LogPrintExit debug ("Setting hotspot certificates failed. Package 'hotspot' not installed?") false;
- }
-
- / certificate remove $Cert;
- / certificate set $CertNew name=($CertVal->"name");
- }
-
- $SendNotification ("Certificate renewed") \
- ("A certificate on " . $Identity . " has been renewed.\n\n" . \
- "Name: " . ($CertVal->"name") . "\n" . \
- "CommonName: " . ($CertNewVal->"common-name") . "\n" . \
- "Fingerprint: " . ($CertNewVal->"fingerprint") . "\n" . \
- "Issuer: " . ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") . "\n" . \
- "Validity: " . ($CertNewVal->"invalid-before") . " to " . ($CertNewVal->"invalid-after") . "\n" . \
- "Expires in: " . [ $FormatExpire ($CertNewVal->"expires-after") ]) "" "true";
- $LogPrintExit info ("The certificate " . ($CertVal->"name") . " has been renewed.") false;
- } on-error={
- $LogPrintExit debug ("Could not renew certificate " . ($CertVal->"name") . ".") false;
- }
-}
-
-:foreach Cert in=[ / certificate find where !revoked !scep-url expires-after<2w fingerprint~"." ] do={
- :local CertVal [ / certificate get $Cert ];
-
- :if ([ / certificate scep-server print count-only where ca-cert=($CertVal->"ca") ] > 0) do={
- $LogPrintExit debug ("Certificate \"" . ($CertVal->"name") . "\" is handled by SCEP, skipping.") false;
- } else={
- :local ExpiresAfter [ $FormatExpire ($CertVal->"expires-after") ];
- :local State "is about to expire";
- :if (($CertVal->"expired") = true) do={
- :set ExpiresAfter "expired";
- :set State "expired";
- }
-
- $SendNotification ("Certificate warning!") \
- ("A certificate on " . $Identity . " " . $State . ".\n\n" . \
- "Name: " . ($CertVal->"name") . "\n" . \
- "CommonName: " . ($CertVal->"common-name") . "\n" . \
- "Fingerprint: " . ($CertVal->"fingerprint") . "\n" . \
- "Issuer: " . ($CertVal->"ca") . ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") . "\n" . \
- "Validity: " . ($CertVal->"invalid-before") . " to " . ($CertVal->"invalid-after") . "\n" . \
- "Expires in: " . $ExpiresAfter);
- $LogPrintExit warning ("The certificate " . ($CertVal->"name") . " " . $State . \
- ", it is invalid after " . ($CertVal->"invalid-after") . ".") false;
- }
-}
diff --git a/check-certificates.rsc b/check-certificates.rsc
new file mode 100644
index 00000000..1dd61299
--- /dev/null
+++ b/check-certificates.rsc
@@ -0,0 +1,250 @@
+#!rsc by RouterOS
+# RouterOS script: check-certificates
+# Copyright (c) 2013-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+# requires device-mode, fetch
+#
+# check for certificate validity
+# https://rsc.eworm.de/doc/check-certificates.md
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global CertRenewTime;
+ :global CertRenewUrl;
+ :global CertWarnTime;
+ :global Identity;
+
+ :global CertificateAvailable;
+ :global EscapeForRegEx;
+ :global IfThenElse;
+ :global LogPrint;
+ :global ParseKeyValueStore;
+ :global ScriptLock;
+ :global SendNotification2;
+ :global SymbolForNotification;
+ :global UrlEncode;
+ :global WaitFullyConnected;
+
+ :local CheckCertificatesDownloadImport do={
+ :local ScriptName [ :tostr $1 ];
+ :local CertName [ :tostr $2 ];
+ :local FetchName [ :tostr $3 ];
+
+ :global CertRenewUrl;
+ :global CertRenewPass;
+
+ :global CertificateNameByCN;
+ :global EscapeForRegEx;
+ :global FetchUserAgentStr;
+ :global LogPrint;
+ :global RmFile;
+ :global UrlEncode;
+ :global WaitForFile;
+
+ :foreach Type in={ "p12"; "pem" } do={
+ :local CertFileName ([ $UrlEncode $FetchName ] . "." . $Type);
+ $LogPrint debug $ScriptName ("Trying type '" . $Type . "' for '" . $CertName . \
+ "' (file '" . $CertFileName . "')...");
+
+ :do {
+ /tool/fetch check-certificate=yes-without-crl http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \
+ ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
+ $WaitForFile $CertFileName;
+
+ :local DecryptionFailed true;
+ :foreach I,PassPhrase in=$CertRenewPass do={
+ :do {
+ $LogPrint debug $ScriptName ("Trying " . $I . ". passphrase... ");
+ :local Result [ /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value ];
+ :if ($Result->"decryption-failures" = 0) do={
+ $LogPrint debug $ScriptName ("Success!");
+ :set DecryptionFailed false;
+ }
+ } on-error={ }
+ }
+ $RmFile $CertFileName;
+
+ :if ($DecryptionFailed = true) do={
+ $LogPrint warning $ScriptName ("Decryption failed for certificate file '" . $CertFileName . "'.");
+ }
+
+ :foreach CertInChain in=[ /certificate/find where common-name!=$CertName !private-key \
+ name~("^" . [ $EscapeForRegEx $CertFileName ] . "_[0-9]+\$") \
+ !(subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $CertName ] . "(\\W|\$)")) \
+ !(common-name=[]) ] do={
+ $CertificateNameByCN [ /certificate/get $CertInChain common-name ];
+ }
+
+ :return true;
+ } on-error={
+ $LogPrint debug $ScriptName ("Could not download certificate file '" . $CertFileName . "'.");
+ }
+ }
+
+ :return false;
+ }
+
+ :local FormatInfo do={
+ :local Cert $1;
+
+ :global FormatLine;
+ :global FormatMultiLines;
+ :global IfThenElse;
+
+ :local FormatExpire do={
+ :global CharacterReplace;
+ :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
+ }
+
+ :local FormatCertChain do={
+ :local Cert $1;
+
+ :global ParseKeyValueStore;
+
+ :local CertVal [ /certificate/get $Cert ];
+
+ :if ([ :typeof ($CertVal->"issuer") ] = "nothing") do={
+ :return "self-signed";
+ }
+
+ :local Return "";
+ :for I from=0 to=5 do={
+ :set Return ($Return . [ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN");
+ :local CertSettings [ /certificate/settings/get ];
+ :if (([ :len ($CertSettings->"builtin-trust-anchors") ] > 0 || \
+ [ :len ($CertSettings->"builtin-trust-store") ] > 0) && \
+ [[ :parse (":return [ :len [ /certificate/builtin/find where skid=\"" . ($CertVal->"akid") . "\" ] ]") ]] > 0) do={
+ :return $Return;
+ }
+ :do {
+ :set CertVal [ /certificate/get [ find where skid=($CertVal->"akid") ] ];
+ } on-error={
+ :return ($Return . " (possibly incomplete!)");
+ }
+ :if (($CertVal->"akid") = "" || ($CertVal->"akid") = ($CertVal->"skid")) do={
+ :return $Return;
+ }
+ :set Return ($Return . " -> ");
+ }
+ :return ($Return . "...");
+ }
+
+ :local CertVal [ /certificate/get $Cert ];
+
+ :return ( \
+ [ $FormatLine "Name" ($CertVal->"name") ] . "\n" . \
+ [ $IfThenElse ([ :len ($CertVal->"common-name") ] > 0) ([ $FormatLine "CommonName" ($CertVal->"common-name") ] . "\n") ] . \
+ [ $IfThenElse ([ :len ($CertVal->"subject-alt-name") ] > 0) ([ $FormatMultiLines "SubjectAltNames" ($CertVal->"subject-alt-name") ] . "\n") ] . \
+ [ $FormatLine "Private key" [ $IfThenElse (($CertVal->"private-key") = true) "available" "missing" ] ] . "\n" . \
+ [ $FormatLine "Fingerprint" ($CertVal->"fingerprint") ] . "\n" . \
+ [ $IfThenElse ([ :len ($CertVal->"ca") ] > 0) [ $FormatLine "Issuer" ($CertVal->"ca") ] [ $FormatLine "Issuer chain" [ $FormatCertChain $Cert ] ] ] . "\n" . \
+ "Validity:\n" . \
+ [ $FormatLine " from" ($CertVal->"invalid-before") ] . "\n" . \
+ [ $FormatLine " to" ($CertVal->"invalid-after") ] . "\n" . \
+ [ $FormatLine "Expires in" [ $IfThenElse (($CertVal->"expired") = true) "expired" [ $FormatExpire ($CertVal->"expires-after") ] ] ]);
+ }
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+ $WaitFullyConnected;
+
+ :foreach Cert in=[ /certificate/find where !revoked !ca !scep-url expires-after<$CertRenewTime ] do={
+ :local CertVal [ /certificate/get $Cert ];
+ :local LastName;
+ :local FetchName;
+
+ :do {
+ :if ([ :len $CertRenewUrl ] = 0) do={
+ $LogPrint info $ScriptName ("No CertRenewUrl given.");
+ :error false;
+ }
+ $LogPrint info $ScriptName ("Attempting to renew certificate '" . ($CertVal->"name") . "'.");
+
+ :local ImportSuccess false;
+ :set LastName ($CertVal->"common-name");
+ :set FetchName $LastName;
+ :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
+ :foreach SAN in=($CertVal->"subject-alt-name") do={
+ :if ($ImportSuccess = false) do={
+ :set LastName [ :pick $SAN ([ :find $SAN ":" ] + 1) [ :len $SAN ] ];
+ :set FetchName $LastName;
+ :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
+ :if ($ImportSuccess = false && [ :pick $LastName 0 2 ] = "*.") do={
+ :set FetchName ("star." . [ :pick $LastName 2 [ :len $LastName ] ]);
+ :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
+ }
+ }
+ }
+ :if ($ImportSuccess = false) do={ :error false; }
+
+ :if ([ :len ($CertVal->"fingerprint") ] > 0 && $CertVal->"fingerprint" != [ /certificate/get $Cert fingerprint ]) do={
+ $LogPrint debug $ScriptName ("Certificate '" . $CertVal->"name" . "' was updated in place.");
+ :set CertVal [ /certificate/get $Cert ];
+ } else={
+ $LogPrint debug $ScriptName ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.");
+
+ :local CertNew [ /certificate/find where name~("^" . [ $EscapeForRegEx [ $UrlEncode $FetchName ] ] . "\\.(p12|pem)_[0-9]+\$") \
+ (common-name=($CertVal->"common-name") or subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $LastName ] . "(\\W|\$)")) \
+ fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
+ :local CertNewVal [ /certificate/get $CertNew ];
+
+ :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") "fetch" ] = false) do={
+ $LogPrint warning $ScriptName ("The certificate chain is not available!");
+ }
+
+ :if (($CertVal->"private-key") = true && ($CertVal->"private-key") != ($CertNewVal->"private-key")) do={
+ /certificate/remove $CertNew;
+ $LogPrint warning $ScriptName ("Old certificate '" . ($CertVal->"name") . "' has a private key, new certificate does not. Aborting renew.");
+ :error false;
+ }
+
+ /ip/service/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];
+
+ /ip/ipsec/identity/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];
+ /ip/ipsec/identity/set remote-certificate=($CertNewVal->"name") [ find where remote-certificate=($CertVal->"name") ];
+
+ /ip/hotspot/profile/set ssl-certificate=($CertNewVal->"name") [ find where ssl-certificate=($CertVal->"name") ];
+
+ /certificate/remove $Cert;
+ /certificate/set $CertNew name=($CertVal->"name");
+ :set Cert $CertNew;
+ :set CertVal [ /certificate/get $CertNew ];
+ }
+
+ $SendNotification2 ({ origin=$ScriptName; silent=true; \
+ subject=([ $SymbolForNotification "lock-with-ink-pen" ] . "Certificate renewed: " . ($CertVal->"name")); \
+ message=("A certificate on " . $Identity . " has been renewed.\n\n" . [ $FormatInfo $Cert ]) });
+ $LogPrint info $ScriptName ("The certificate '" . ($CertVal->"name") . "' has been renewed.");
+ } on-error={
+ $LogPrint debug $ScriptName ("Could not renew certificate '" . ($CertVal->"name") . "'.");
+ }
+ }
+
+ :foreach Cert in=[ /certificate/find where !revoked !scep-url !(expires-after=[]) \
+ expires-after<$CertWarnTime !(fingerprint=[]) ] do={
+ :local CertVal [ /certificate/get $Cert ];
+
+ :if ([ :len [ /certificate/scep-server/find where ca-cert=($CertVal->"ca") ] ] > 0) do={
+ $LogPrint debug $ScriptName ("Certificate '" . ($CertVal->"name") . "' is handled by SCEP, skipping.");
+ } else={
+ :local State [ $IfThenElse (($CertVal->"expired") = true) "expired" "is about to expire" ];
+
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "lock-with-ink-pen,warning-sign" ] . "Certificate warning: " . ($CertVal->"name")); \
+ message=("A certificate on " . $Identity . " " . $State . ".\n\n" . [ $FormatInfo $Cert ]) });
+ $LogPrint info $ScriptName ("The certificate '" . ($CertVal->"name") . "' " . $State . \
+ ", it is invalid after " . ($CertVal->"invalid-after") . ".");
+ }
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/check-health b/check-health
deleted file mode 100644
index e41984f3..00000000
--- a/check-health
+++ /dev/null
@@ -1,74 +0,0 @@
-#!rsc
-# RouterOS script: check-health
-# Copyright (c) 2019-2020 Christian Hesse
-#
-# check for RouterOS health state
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/check-health.md
-
-:global CheckHealthLast;
-:global CheckHealthTemperature;
-:global CheckHealthVoltagePercent;
-:global Identity;
-
-:global LogPrintExit;
-:global SendNotification;
-
-:local FormatVoltage do={
- :local Voltage [ :tonum $1 ];
- :return (($Voltage / 10) . "." . ($Voltage % ($Voltage / 10 * 10)) . "V");
-}
-
-:local CheckHealthCurrent [ / system health get ];
-
-:foreach Voltage in={ "battery"; "psu1-voltage"; "psu2-voltage"; "voltage" } do={
- :if ([ :typeof ($CheckHealthLast->$Voltage) ] = "num" && \
- [ :typeof ($CheckHealthCurrent->$Voltage) ] = "num") do={
- :if ($CheckHealthLast->$Voltage * (100 + $CheckHealthVoltagePercent) < $CheckHealthCurrent->$Voltage * 100 || \
- $CheckHealthLast->$Voltage * 100 > $CheckHealthCurrent->$Voltage * (100 + $CheckHealthVoltagePercent)) do={
- $SendNotification ("Health warning: " . $Voltage) \
- ("The " . $Voltage . " on " . $Identity . " jumped more than " . $CheckHealthVoltagePercent . "%.\n\n" . \
- "old value: " . [ $FormatVoltage ($CheckHealthLast->$Voltage) ] . "\n" . \
- "new value: " . [ $FormatVoltage ($CheckHealthCurrent->$Voltage) ]);
- }
- }
-}
-
-:foreach PSU in={ "psu1"; "psu2" } do={
- :if ([ :typeof ($CheckHealthLast->($PSU . "-state")) ] = "str" && \
- [ :typeof ($CheckHealthCurrent->($PSU . "-state")) ] = "str") do={
- :if ($CheckHealthLast->($PSU . "-state") = "ok" && \
- $CheckHealthCurrent->($PSU . "-state") != "ok") do={
- $SendNotification ("Health warning: \E2\9D\8C " . $PSU . " state") \
- ("The power supply unit '" . $PSU . "' on " . $Identity . " failed!");
- }
- :if ($CheckHealthLast->($PSU . "-state") != "ok" && \
- $CheckHealthCurrent->($PSU . "-state") = "ok") do={
- $SendNotification ("Health recovery: \E2\9C\85 " . $PSU . " state") \
- ("The power supply unit '" . $PSU . "' on " . $Identity . " recovered!");
- }
- }
-}
-
-:foreach Temperature in={ "temperature"; "cpu-temperature"; "board-temperature1"; "board-temperature2" } do={
- :if ([ :typeof ($CheckHealthLast->$Temperature) ] = "num" && \
- [ :typeof ($CheckHealthCurrent->$Temperature) ] = "num") do={
- :if ([ :typeof ($CheckHealthTemperature->$Temperature) ] != "num" ) do={
- $LogPrintExit warning ("No threshold given for " . $Temperature . ", assuming 50C.") false;
- :set ($CheckHealthTemperature->$Temperature) 50;
- }
- :if ($CheckHealthLast->$Temperature <= $CheckHealthTemperature->$Temperature && \
- $CheckHealthCurrent->$Temperature > $CheckHealthTemperature->$Temperature) do={
- $SendNotification ("Health warning: \E2\9D\8C " . $Temperature) \
- ("The " . $Temperature . " on " . $Identity . " is above threshold: " . \
- $CheckHealthCurrent->$Temperature . "\C2\B0" . "C");
- }
- :if ($CheckHealthLast->$Temperature > $CheckHealthTemperature->$Temperature && \
- $CheckHealthCurrent->$Temperature <= $CheckHealthTemperature->$Temperature) do={
- $SendNotification ("Health recovery: \E2\9C\85 " . $Temperature) \
- ("The " . $Temperature . " on " . $Identity . " dropped below threshold: " . \
- $CheckHealthCurrent->$Temperature . "\C2\B0" . "C");
- }
- }
-}
-
-:set CheckHealthLast $CheckHealthCurrent;
diff --git a/check-health.d/state.rsc b/check-health.d/state.rsc
new file mode 100644
index 00000000..bbba31e0
--- /dev/null
+++ b/check-health.d/state.rsc
@@ -0,0 +1,49 @@
+#!rsc by RouterOS
+# RouterOS script: check-health.d/state
+# Copyright (c) 2019-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# check for RouterOS health state - state plugin
+# https://rsc.eworm.de/doc/check-health.md
+
+:global CheckHealthPlugins;
+
+:set ($CheckHealthPlugins->[ :jobname ]) do={
+ :local FuncName [ :tostr $0 ];
+ :local ScriptName [ :tostr $1 ];
+
+ :global CheckHealthLast;
+ :global Identity;
+
+ :global LogPrint;
+ :global SendNotification2;
+ :global SymbolForNotification;
+
+ :if ([ :len [ /system/health/find where type="" name~"-state\$"] ] = 0) do={
+ $LogPrint debug $FuncName ("Your device does not provide any state health values.");
+ :return false;
+ }
+
+ :foreach State in=[ /system/health/find where type="" name~"-state\$" ] do={
+ :local Name [ /system/health/get $State name ];
+ :local Value [ /system/health/get $State value ];
+
+ :if ([ :typeof ($CheckHealthLast->$Name) ] != "nothing") do={
+ :if ($CheckHealthLast->$Name = "ok" && \
+ $Value != "ok") do={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "cross-mark" ] . "Health warning: " . $Name); \
+ message=("The device '" . $Name . "' on " . $Identity . " failed!") });
+ }
+ :if ($CheckHealthLast->$Name != "ok" && \
+ $Value = "ok") do={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "white-heavy-check-mark" ] . "Health recovery: " . $Name); \
+ message=("The device '" . $Name . "' on " . $Identity . " recovered!") });
+ }
+ }
+ :set ($CheckHealthLast->$Name) $Value;
+ }
+}
diff --git a/check-health.d/temperature.rsc b/check-health.d/temperature.rsc
new file mode 100644
index 00000000..64fc6bf3
--- /dev/null
+++ b/check-health.d/temperature.rsc
@@ -0,0 +1,75 @@
+#!rsc by RouterOS
+# RouterOS script: check-health.d/temperature
+# Copyright (c) 2019-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# check for RouterOS health state - temperature plugin
+# https://rsc.eworm.de/doc/check-health.md
+
+:global CheckHealthPlugins;
+
+:set ($CheckHealthPlugins->[ :jobname ]) do={
+ :local FuncName [ :tostr $0 ];
+ :local ScriptName [ :tostr $1 ];
+
+ :global CheckHealthLast;
+ :global CheckHealthTemperature;
+ :global CheckHealthTemperatureDeviation;
+ :global CheckHealthTemperatureNotified;
+ :global Identity;
+
+ :global LogPrint;
+ :global SendNotification2;
+ :global SymbolForNotification;
+
+ :if ([ :len [ /system/health/find where type="C" ] ] = 0) do={
+ $LogPrint debug $FuncName ("Your device does not provide any voltage health values.");
+ :return false;
+ }
+
+ :local TempToNum do={
+ :global CharacterReplace;
+ :local T [ :toarray [ $CharacterReplace $1 "." "," ] ];
+ :return ($T->0 * 10 + $T->1);
+ }
+
+ :if ([ :typeof $CheckHealthTemperatureNotified ] != "array") do={
+ :set CheckHealthTemperatureNotified ({});
+ }
+
+ :foreach Temperature in=[ /system/health/find where type="C" ] do={
+ :local Name [ /system/health/get $Temperature name ];
+ :local Value [ /system/health/get $Temperature value ];
+
+ :if ([ :typeof ($CheckHealthLast->$Name) ] != "nothing") do={
+ :if ([ :typeof ($CheckHealthTemperature->$Name) ] != "num" ) do={
+ $LogPrint info $FuncName ("No threshold given for " . $Name . ", assuming 50C.");
+ :set ($CheckHealthTemperature->$Name) 50;
+ }
+ :local Validate [ /system/health/get [ find where name=$Name ] value ];
+ :while ($Value != $Validate) do={
+ :set Value $Validate;
+ :set Validate [ /system/health/get [ find where name=$Name ] value ];
+ }
+ :if ($Value > $CheckHealthTemperature->$Name && \
+ $CheckHealthTemperatureNotified->$Name != true) do={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "fire" ] . "Health warning: " . $Name); \
+ message=("The " . $Name . " on " . $Identity . " is above threshold: " . \
+ $Value . "\C2\B0" . "C") });
+ :set ($CheckHealthTemperatureNotified->$Name) true;
+ }
+ :if ($Value <= ($CheckHealthTemperature->$Name - $CheckHealthTemperatureDeviation) && \
+ $CheckHealthTemperatureNotified->$Name = true) do={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "white-heavy-check-mark" ] . "Health recovery: " . $Name); \
+ message=("The " . $Name . " on " . $Identity . " dropped below threshold: " . \
+ $Value . "\C2\B0" . "C") });
+ :set ($CheckHealthTemperatureNotified->$Name) false;
+ }
+ }
+ :set ($CheckHealthLast->$Name) $Value;
+ }
+}
diff --git a/check-health.d/voltage.rsc b/check-health.d/voltage.rsc
new file mode 100644
index 00000000..1121c23c
--- /dev/null
+++ b/check-health.d/voltage.rsc
@@ -0,0 +1,64 @@
+#!rsc by RouterOS
+# RouterOS script: check-health.d/voltage
+# Copyright (c) 2019-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# check for RouterOS health state - voltage plugin
+# https://rsc.eworm.de/doc/check-health.md
+
+:global CheckHealthPlugins;
+
+:set ($CheckHealthPlugins->[ :jobname ]) do={
+ :local FuncName [ :tostr $0 ];
+ :local ScriptName [ :tostr $1 ];
+
+ :global CheckHealthLast;
+ :global CheckHealthVoltageLow;
+ :global CheckHealthVoltagePercent;
+ :global Identity;
+
+ :global FormatLine;
+ :global IfThenElse;
+ :global LogPrint;
+ :global SendNotification2;
+ :global SymbolForNotification;
+
+ :if ([ :len [ /system/health/find where type="V" ] ] = 0) do={
+ $LogPrint debug $FuncName ("Your device does not provide any voltage health values.");
+ :return false;
+ }
+
+ :foreach Voltage in=[ /system/health/find where type="V" ] do={
+ :local Name [ /system/health/get $Voltage name ];
+ :local Value [ /system/health/get $Voltage value ];
+
+ :if ([ :typeof ($CheckHealthLast->$Name) ] != "nothing") do={
+ :local NumCurr [ $TempToNum $Value ];
+ :local NumLast [ $TempToNum ($CheckHealthLast->$Name) ];
+
+ :if ($NumLast * (100 + $CheckHealthVoltagePercent) < $NumCurr * 100 || \
+ $NumLast * 100 > $NumCurr * (100 + $CheckHealthVoltagePercent)) do={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification ("high-voltage-sign,chart-" . [ $IfThenElse ($NumLast < \
+ $NumCurr) "in" "de" ] . "creasing") ] . "Health warning: " . $Name); \
+ message=("The " . $Name . " on " . $Identity . " jumped more than " . $CheckHealthVoltagePercent . "%.\n\n" . \
+ [ $FormatLine "old value" ($CheckHealthLast->$Name . " V") 12 ] . "\n" . \
+ [ $FormatLine "new value" ($Value . " V") 12 ]) });
+ } else={
+ :if ($NumCurr <= $CheckHealthVoltageLow && $NumLast > $CheckHealthVoltageLow) do={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "high-voltage-sign,chart-decreasing" ] . "Health warning: Low " . $Name); \
+ message=("The " . $Name . " on " . $Identity . " dropped to " . $Value . " V below hard limit.") });
+ }
+ :if ($NumCurr > $CheckHealthVoltageLow && $NumLast <= $CheckHealthVoltageLow) do={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "high-voltage-sign,chart-increasing" ] . "Health recovery: Low " . $Name); \
+ message=("The " . $Name . " on " . $Identity . " recovered to " . $Value . " V above hard limit.") });
+ }
+ }
+ }
+ :set ($CheckHealthLast->$Name) $Value;
+ }
+}
diff --git a/check-health.rsc b/check-health.rsc
new file mode 100644
index 00000000..eea31701
--- /dev/null
+++ b/check-health.rsc
@@ -0,0 +1,110 @@
+#!rsc by RouterOS
+# RouterOS script: check-health
+# Copyright (c) 2019-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# check for RouterOS health state
+# https://rsc.eworm.de/doc/check-health.md
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global CheckHealthCPUUtilization;
+ :global CheckHealthCPUUtilizationNotified;
+ :global CheckHealthLast;
+ :global CheckHealthRAMUtilizationNotified;
+ :global Identity;
+
+ :global FormatLine;
+ :global HumanReadableNum;
+ :global IfThenElse;
+ :global LogPrint;
+ :global ScriptLock;
+ :global SendNotification2;
+ :global SymbolForNotification;
+ :global ValidateSyntax;
+
+ :local TempToNum do={
+ :global CharacterReplace;
+ :local T [ :toarray [ $CharacterReplace $1 "." "," ] ];
+ :return ($T->0 * 10 + $T->1);
+ }
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+
+ :local Resource [ /system/resource/get ];
+
+ :set CheckHealthCPUUtilization (($CheckHealthCPUUtilization * 4 + ($Resource->"cpu-load") * 10) / 5);
+ :if ($CheckHealthCPUUtilization > 750 && $CheckHealthCPUUtilizationNotified != true) do={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "abacus,chart-increasing" ] . "Health warning: CPU utilization"); \
+ message=("The average CPU utilization on " . $Identity . " is at " . ($CheckHealthCPUUtilization / 10) . "%!") });
+ :set CheckHealthCPUUtilizationNotified true;
+ }
+ :if ($CheckHealthCPUUtilization < 650 && $CheckHealthCPUUtilizationNotified = true) do={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "abacus,chart-decreasing" ] . "Health recovery: CPU utilization"); \
+ message=("The average CPU utilization on " . $Identity . " decreased to " . ($CheckHealthCPUUtilization / 10) . "%.") });
+ :set CheckHealthCPUUtilizationNotified false;
+ }
+
+ :local CheckHealthRAMUtilization (($Resource->"total-memory" - $Resource->"free-memory") * 100 / $Resource->"total-memory");
+ :if ($CheckHealthRAMUtilization >=80 && $CheckHealthRAMUtilizationNotified != true) do={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "card-file-box,chart-increasing" ] . "Health warning: RAM utilization"); \
+ message=("The RAM utilization on " . $Identity . " is at " . $CheckHealthRAMUtilization . "%!\n\n" . \
+ [ $FormatLine "total" ([ $HumanReadableNum ($Resource->"total-memory") 1024 ] . "B") 8 ] . "\n" . \
+ [ $FormatLine "used" ([ $HumanReadableNum ($Resource->"total-memory" - $Resource->"free-memory") 1024 ] . "B") 8 ] . "\n" . \
+ [ $FormatLine "free" ([ $HumanReadableNum ($Resource->"free-memory") 1024 ] . "B") 8 ]) });
+ :set CheckHealthRAMUtilizationNotified true;
+ }
+ :if ($CheckHealthRAMUtilization < 70 && $CheckHealthRAMUtilizationNotified = true) do={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "card-file-box,chart-decreasing" ] . "Health recovery: RAM utilization"); \
+ message=("The RAM utilization on " . $Identity . " decreased to " . $CheckHealthRAMUtilization . "%.") });
+ :set CheckHealthRAMUtilizationNotified false;
+ }
+
+ :local Plugins [ /system/script/find where name~"^check-health\\.d/." ];
+ :if ([ :len $Plugins ] = 0) do={
+ $LogPrint debug $ScriptName ("No plugins installed.");
+ :set ExitOK true;
+ :error true;
+ }
+
+ :global CheckHealthPlugins ({});
+ :if ([ :typeof $CheckHealthLast ] != "array") do={
+ :set CheckHealthLast ({});
+ }
+
+ :foreach Plugin in=$Plugins do={
+ :local PluginVal [ /system/script/get $Plugin ];
+ :if ([ $ValidateSyntax ($PluginVal->"source") ] = true) do={
+ :onerror Err {
+ /system/script/run $Plugin;
+ } do={
+ $LogPrint error $ScriptName ("Plugin '" . $PluginVal->"name" . "' failed to run: " . $Err);
+ }
+ } else={
+ $LogPrint error $ScriptName ("Plugin '" . $PluginVal->"name" . "' failed syntax validation, skipping.");
+ }
+ }
+
+ :foreach PluginName,Discard in=$CheckHealthPlugins do={
+ ($CheckHealthPlugins->$PluginName) \
+ ("\$CheckHealthPlugins->\"" . $PluginName . "\"") $ScriptName;
+ }
+
+ :set CheckHealthPlugins;
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/check-lte-firmware-upgrade b/check-lte-firmware-upgrade
deleted file mode 100644
index 218aac0a..00000000
--- a/check-lte-firmware-upgrade
+++ /dev/null
@@ -1,36 +0,0 @@
-#!rsc
-# RouterOS script: check-lte-firmware-upgrade
-# Copyright (c) 2018-2020 Christian Hesse
-#
-# check for LTE firmware upgrade, send notification
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/check-lte-firmware-upgrade.md
-
-:global Identity;
-:global SentLteFirmwareUpgradeNotification;
-
-:global LogPrintExit;
-:global SendNotification;
-
-:foreach Interface in=[ / interface lte find ] do={
- :local IntName [ / interface lte get $Interface name ];
- :do {
- :local Firmware [ / interface lte firmware-upgrade $Interface once as-value ];
-
- :if ($SentLteFirmwareUpgradeNotification = ($Firmware->"latest")) do={
- $LogPrintExit debug ("Already sent the LTE firmware upgrade notification for version " . \
- ($Firmware->"latest") . ".") false;
- } else={
- :if (($Firmware->"installed") != ($Firmware->"latest")) do={
- $SendNotification ("LTE firmware upgrade") \
- ("A new firmware version " . ($Firmware->"latest") . " is available for " . \
- "LTE interface " . $IntName . " on " . $Identity . ".\n\n" . \
- "Installed: " . ($Firmware->"installed") . "\n" . \
- "Available: " . ($Firmware->"latest")) "" "true";
- :set SentLteFirmwareUpgradeNotification ($Firmware->"latest");
- }
- }
- } on-error={
- $LogPrintExit debug ("Could not get latest LTE firmware version for interface " . \
- $IntName . ".") false;
- }
-}
diff --git a/check-lte-firmware-upgrade.rsc b/check-lte-firmware-upgrade.rsc
new file mode 100644
index 00000000..da268e4c
--- /dev/null
+++ b/check-lte-firmware-upgrade.rsc
@@ -0,0 +1,107 @@
+#!rsc by RouterOS
+# RouterOS script: check-lte-firmware-upgrade
+# Copyright (c) 2018-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# check for LTE firmware upgrade, send notification
+# https://rsc.eworm.de/doc/check-lte-firmware-upgrade.md
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global SentLteFirmwareUpgradeNotification;
+
+ :global ScriptLock;
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ :typeof $SentLteFirmwareUpgradeNotification ] != "array") do={
+ :global SentLteFirmwareUpgradeNotification ({});
+ }
+
+ :local CheckInterface do={
+ :local ScriptName $1;
+ :local Interface $2;
+
+ :global Identity;
+ :global SentLteFirmwareUpgradeNotification;
+
+ :global FormatLine;
+ :global IfThenElse;
+ :global LogPrint;
+ :global ScriptFromTerminal;
+ :global SendNotification2;
+ :global SymbolForNotification;
+
+ :local IntName [ /interface/lte/get $Interface name ];
+ :local Firmware;
+ :local Info;
+ :onerror Err {
+ :set Firmware [ /interface/lte/firmware-upgrade $Interface as-value ];
+ :set Info [ /interface/lte/monitor $Interface once as-value ];
+ } do={
+ $LogPrint debug $ScriptName ("Could not get latest LTE firmware version for interface " . \
+ $IntName . ": " . $Err);
+ :return false;
+ }
+
+ :if ([ :len ($Firmware->"latest") ] = 0) do={
+ $LogPrint info $ScriptName ("An empty string is not a valid version.");
+ :return false;
+ }
+
+ :if (($Firmware->"installed") = ($Firmware->"latest")) do={
+ :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
+ $LogPrint info $ScriptName ("No firmware upgrade available for LTE interface " . $IntName . ".");
+ }
+ :return true;
+ }
+
+ :if ([ $ScriptFromTerminal $ScriptName ] = true && \
+ [ :len [ /system/script/find where name="unattended-lte-firmware-upgrade" ] ] > 0) do={
+ :put ("Do you want to start unattended lte firmware upgrade for interface " . $IntName . "? [y/N]");
+ :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
+ /system/script/run unattended-lte-firmware-upgrade;
+ $LogPrint info $ScriptName ("Scheduled lte firmware upgrade for interface " . $IntName . "...");
+ :return true;
+ } else={
+ :put "Canceled...";
+ }
+ }
+
+ :if (($SentLteFirmwareUpgradeNotification->$IntName) = ($Firmware->"latest")) do={
+ $LogPrint debug $ScriptName ("Already sent the LTE firmware upgrade notification for version " . \
+ ($Firmware->"latest") . ".");
+ :return false;
+ }
+
+ $LogPrint info $ScriptName ("A new firmware version " . ($Firmware->"latest") . " is available for " . \
+ "LTE interface " . $IntName . ".");
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "sparkles" ] . "LTE firmware upgrade"); \
+ message=("A new firmware version " . ($Firmware->"latest") . " is available for " . \
+ "LTE interface " . $IntName . " on " . $Identity . ".\n\n" . \
+ [ $IfThenElse ([ :len ($Info->"manufacturer") ] > 0) ([ $FormatLine "Manufacturer" ($Info->"manufacturer") ] . "\n") ] . \
+ [ $IfThenElse ([ :len ($Info->"model") ] > 0) ([ $FormatLine "Model" ($Info->"model") ] . "\n") ] . \
+ [ $IfThenElse ([ :len ($Info->"revision") ] > 0) ([ $FormatLine "Revision" ($Info->"revision") ] . "\n") ] . \
+ "Firmware version:\n" . \
+ [ $FormatLine " Installed" ($Firmware->"installed") ] . "\n" . \
+ [ $FormatLine " Available" ($Firmware->"latest") ]); silent=true });
+ :set ($SentLteFirmwareUpgradeNotification->$IntName) ($Firmware->"latest");
+ }
+
+ :foreach Interface in=[ /interface/lte/find ] do={
+ $CheckInterface $ScriptName $Interface;
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/check-perpetual-license.rsc b/check-perpetual-license.rsc
new file mode 100644
index 00000000..4326a2f5
--- /dev/null
+++ b/check-perpetual-license.rsc
@@ -0,0 +1,78 @@
+#!rsc by RouterOS
+# RouterOS script: check-perpetual-license
+# Copyright (c) 2025-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+#
+# check perpetual license on CHR
+# https://rsc.eworm.de/doc/check-perpetual-license.md
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global Identity;
+ :global SentCertificateNotification;
+
+ :global LogPrint;
+ :global ScriptLock;
+ :global SendNotification2;
+ :global SymbolForNotification;
+ :global WaitFullyConnected;
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+
+ $WaitFullyConnected;
+
+ :local License [ /system/license/get ];
+ :if ([ :typeof ($License->"deadline-at") ] != "str") do={
+ $LogPrint info $ScriptName ("This device does not have a perpetual license.");
+ :set ExitOK true;
+ :error true;
+ }
+
+ :if ([ :len ($License->"next-renewal-at") ] = 0 && ($License->"limited-upgrades") = true) do={
+ $LogPrint warning $ScriptName ("Your license expired on " . ($License->"deadline-at") . "!");
+ :if ($SentCertificateNotification != "expired") do={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "scroll,cross-mark" ] . "License expired!"); \
+ message=("Your license expired on " . ($License->"deadline-at") . \
+ ", can no longer update RouterOS on " . $Identity . "...") });
+ :set SentCertificateNotification "expired";
+ }
+ :set ExitOK true;
+ :error true;
+ }
+
+ :if ([ :totime ($License->"deadline-at") ] - 3w < [ :timestamp ]) do={
+ $LogPrint warning $ScriptName ("Your license will expire on " . ($License->"deadline-at") . "!");
+ :if ($SentCertificateNotification != "warning") do={
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "scroll,warning-sign" ] . "License about to expire!"); \
+ message=("Your license failed to renew and is about to expire on " . \
+ ($License->"deadline-at") . " on " . $Identity . "...") });
+ :set SentCertificateNotification "warning";
+ }
+ :set ExitOK true;
+ :error true;
+ }
+
+ :if ([ :typeof $SentCertificateNotification ] = "str" && \
+ [ :totime ($License->"deadline-at") ] - 4w > [ :timestamp ]) do={
+ $LogPrint info $ScriptName ("Your license was successfully renewed.");
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "scroll,white-heavy-check-mark" ] . "License renewed"); \
+ message=("Your license was successfully renewed on " . $Identity . \
+ ". It is now valid until " . ($License->"deadline-at") . ".") });
+ :set SentCertificateNotification;
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/check-routeros-update b/check-routeros-update
deleted file mode 100644
index 7df980e8..00000000
--- a/check-routeros-update
+++ /dev/null
@@ -1,84 +0,0 @@
-#!rsc
-# RouterOS script: check-routeros-update
-# Copyright (c) 2013-2020 Christian Hesse
-#
-# check for RouterOS update, send notification and/or install
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/check-routeros-update.md
-
-:global Identity;
-:global SafeUpdateUrl;
-:global SentRouterosUpdateNotification;
-
-:global DeviceInfo;
-:global LogPrintExit;
-:global ScriptFromTerminal;
-:global SendNotification;
-
-:local DoUpdate do={
- :if ([ / system script print count-only where name="packages-update" ] > 0) do={
- / system script run packages-update;
- } else={
- / system package update install without-paging;
- }
- :error "Waiting for system to reboot.";
-}
-
-:if ([ / system package print count-only where name="wireless" disabled=no ] > 0) do={
- :if ([ / interface wireless cap get enabled ] = true && \
- [ / caps-man manager get enabled ] = false) do={
- $LogPrintExit error "System is managed by CAPsMAN, not checking." true;
- }
-}
-
-:if ([ / system scheduler print count-only where name="reboot-for-update" ] > 0) do={
- :error "A reboot for update is already scheduled.";
-}
-
-/ system package update check-for-updates without-paging;
-:local Update [ / system package update get ];
-
-:if ([ :len ($Update->"latest-version") ] = 0) do={
- $LogPrintExit warning "An empty string is not a valid version." true;
-}
-
-:if ($Update->"installed-version" != $Update->"latest-version") do={
- :if ([ :len $SafeUpdateUrl ] > 0) do={
- :local Result;
- :do {
- :set Result [ / tool fetch check-certificate=yes-without-crl \
- ($SafeUpdateUrl . $Update->"channel" . "?installed=" . $Update->"installed-version" . \
- "&latest=" . $Update->"latest-version") output=user as-value ];
- } on-error={
- $LogPrintExit warning ("Failed receiving safe version for " . $Update->"channel" . ".") false;
- }
- :if ($Result->"status" = "finished" && $Result->"data" = $Update->"latest-version") do={
- $LogPrintExit info ("Version " . $Update->"latest-version" . " is considered safe, updating...") false;
- $SendNotification ("RouterOS update") \
- ("Version " . $Update->"latest-version" . " is considered safe for " . $Update->"channel" . \
- ", updating on " . $Identity . "...") "" "true";
- $DoUpdate;
- }
- }
-
- :if ([ $ScriptFromTerminal "check-routeros-update" ] = true) do={
- :put ("Do you want to install RouterOS version " . $Update->"latest-version" . "? [y/N]");
- :if ([ :terminal inkey timeout=60 ] = 121) do={
- $DoUpdate;
- } else={
- :put "Canceled...";
- }
- }
-
- :if ($SentRouterosUpdateNotification = $Update->"latest-version") do={
- $LogPrintExit info ("Already sent the RouterOS update notification for version " . \
- $Update->"latest-version" . ".") true;
- }
-
- $SendNotification ("RouterOS update \E2\9C\A8") \
- ("A new RouterOS version " . ($Update->"latest-version") . \
- " is available for " . $Identity . ".\n\n" . \
- [ $DeviceInfo ] . "\n\n" . \
- "https://mikrotik.com/download/changelogs/" . $Update->"channel" . "-release-tree") \
- "" "true";
- :set SentRouterosUpdateNotification ($Update->"latest-version");
-}
diff --git a/check-routeros-update.rsc b/check-routeros-update.rsc
new file mode 100644
index 00000000..98edb366
--- /dev/null
+++ b/check-routeros-update.rsc
@@ -0,0 +1,222 @@
+#!rsc by RouterOS
+# RouterOS script: check-routeros-update
+# Copyright (c) 2013-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.17
+# requires device-mode, fetch, scheduler
+#
+# check for RouterOS update, send notification and/or install
+# https://rsc.eworm.de/doc/check-routeros-update.md
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global Identity;
+ :global SafeUpdateAll;
+ :global SafeUpdateNeighbor;
+ :global SafeUpdateNeighborIdentity;
+ :global SafeUpdatePatch;
+ :global SafeUpdateUrl;
+ :global SentRouterosUpdateNotification;
+
+ :global DeviceInfo;
+ :global EscapeForRegEx;
+ :global FetchUserAgentStr;
+ :global LogPrint;
+ :global RebootForUpdate;
+ :global ScriptFromTerminal;
+ :global ScriptLock;
+ :global SendNotification2;
+ :global SymbolForNotification;
+ :global VersionToNum;
+ :global WaitFullyConnected;
+
+ :local DoUpdate do={
+ :local ScriptName [ :tostr $1 ];
+
+ :if ([ :len [ /system/script/find where name="packages-update" ] ] > 0) do={
+ /system/script/run packages-update;
+ } else={
+ /system/package/update/install without-paging;
+ }
+ }
+
+ :if ([ $ScriptLock $ScriptName ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
+ $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
+ :set ExitOK true;
+ :error false;
+ }
+
+ $WaitFullyConnected;
+
+ :if ([ :len [ /system/scheduler/find where name="_RebootForUpdate" ] ] > 0) do={
+ :if ([ :typeof $RebootForUpdate ] = "nothing") do={
+ $LogPrint info $ScriptName ("Found a stale scheduler for reboot, removing.");
+ /system/scheduler/remove "_RebootForUpdate";
+ } else={
+ $LogPrint info $ScriptName ("A reboot for update is already scheduled.");
+ :set ExitOK true;
+ :error false;
+ }
+ }
+
+ $LogPrint debug $ScriptName ("Checking for updates...");
+ /system/package/update/check-for-updates without-paging as-value;
+ :local Update [ /system/package/update/get ];
+
+ :if (($Update->"installed-version") = ($Update->"latest-version")) do={
+ :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
+ $LogPrint info $ScriptName ("System is already up to date.");
+ }
+ :set ExitOK true;
+ :error true;
+ }
+
+ :if ([ :len ($Update->"latest-version") ] = 0) do={
+ $LogPrint info $ScriptName ("Received an empty version string from server.");
+ :set ExitOK true;
+ :error false;
+ }
+
+ :local NumInstalled [ $VersionToNum ($Update->"installed-version") ];
+ :local NumLatest [ $VersionToNum ($Update->"latest-version") ];
+ :local BitMask [ $VersionToNum "255.255zero0" ];
+ :local NumInstalledFeature ($NumInstalled & $BitMask);
+ :local NumLatestFeature ($NumLatest & $BitMask);
+ :local Link ("https://mikrotik.com/download/changelogs/" . $Update->"channel" . "-release-tree");
+
+ :if ($NumLatest < [ $VersionToNum "7.0" ]) do={
+ $LogPrint warning $ScriptName ("The version '" . ($Update->"latest-version") . "' is not a valid version.");
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ($NumInstalled < $NumLatest) do={
+ :if ($SafeUpdateAll ~ "^YES,? ?PLEASE!?\$") do={
+ $LogPrint info $ScriptName ("Installing ALL versions automatically, including " . \
+ $Update->"latest-version" . "...");
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
+ message=("Installing ALL versions automatically, including " . $Update->"latest-version" . \
+ "... Updating on " . $Identity . "..."); link=$Link; silent=true });
+ $DoUpdate $ScriptName;
+ :set ExitOK true;
+ :error true;
+ }
+
+ :if ($SafeUpdatePatch = true && $NumInstalledFeature = $NumLatestFeature) do={
+ $LogPrint info $ScriptName ("Version " . $Update->"latest-version" . " is a patch release, updating...");
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
+ message=("Version " . $Update->"latest-version" . " is a patch update for " . $Update->"channel" . \
+ ", updating on " . $Identity . "..."); link=$Link; silent=true });
+ $DoUpdate $ScriptName;
+ :set ExitOK true;
+ :error true;
+ }
+
+ :if ($SafeUpdateNeighbor = true) do={
+ :local Neighbors [ /ip/neighbor/find where platform="MikroTik" identity~$SafeUpdateNeighborIdentity \
+ version~("^" . [ $EscapeForRegEx ($Update->"latest-version") ] . "\\b") ];
+ :if ([ :len $Neighbors ] > 0) do={
+ :local Neighbor [ /ip/neighbor/get ($Neighbors->0) identity ];
+ $LogPrint info $ScriptName ("Seen a neighbor (" . $Neighbor . ") running version " . \
+ $Update->"latest-version" . " from " . $Update->"channel" . ", updating...");
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
+ message=("Seen a neighbor (" . $Neighbor . ") running version " . $Update->"latest-version" . \
+ " from " . $Update->"channel" . ", updating on " . $Identity . "..."); link=$Link; silent=true });
+ $DoUpdate $ScriptName;
+ :set ExitOK true;
+ :error true;
+ }
+ }
+
+ :if ([ :len $SafeUpdateUrl ] > 0) do={
+ :local Result;
+ :onerror Err {
+ :set Result [ /tool/fetch check-certificate=yes-without-crl \
+ ($SafeUpdateUrl . $Update->"channel" . "?installed=" . $Update->"installed-version" . \
+ "&latest=" . $Update->"latest-version") http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \
+ output=user as-value ];
+ } do={
+ $LogPrint warning $ScriptName ("Failed receiving safe version for " . $Update->"channel" . ": " . $Err);
+ }
+ :if ($Result->"status" = "finished" && $Result->"data" = $Update->"latest-version") do={
+ $LogPrint info $ScriptName ("Version " . $Update->"latest-version" . " is considered safe, updating...");
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
+ message=("Version " . $Update->"latest-version" . " is considered safe for " . $Update->"channel" . \
+ ", updating on " . $Identity . "..."); link=$Link; silent=true });
+ $DoUpdate $ScriptName;
+ :set ExitOK true;
+ :error true;
+ }
+ }
+
+ :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
+ :if (($Update->"channel") = "testing" && $NumInstalledFeature < $NumLatestFeature) do={
+ :put ("This is a feature update in testing channel. Switch to channel 'stable'? [y/N]");
+ :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
+ /system/package/update/set channel=stable;
+ $LogPrint info $ScriptName ("Switched to channel 'stable', please re-run!");
+ :set ExitOK true;
+ :error true;
+ }
+ }
+
+ :put ("Do you want to install RouterOS version " . $Update->"latest-version" . "? [y/N]");
+ :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
+ $DoUpdate $ScriptName;
+ :set ExitOK true;
+ :error true;
+ } else={
+ :put "Canceled...";
+ }
+ }
+
+ :if ($SentRouterosUpdateNotification = $Update->"latest-version") do={
+ $LogPrint info $ScriptName ("Already sent the RouterOS update notification for version " . \
+ $Update->"latest-version" . ".");
+ :set ExitOK true;
+ :error true;
+ }
+
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
+ message=("A new RouterOS version " . ($Update->"latest-version") . \
+ " is available for " . $Identity . ".\n\n" . \
+ [ $DeviceInfo ]); link=$Link; silent=true });
+ :set SentRouterosUpdateNotification ($Update->"latest-version");
+ }
+
+ :if ($NumInstalled > $NumLatest) do={
+ :if ($SentRouterosUpdateNotification = $Update->"latest-version") do={
+ $LogPrint info $ScriptName ("Already sent the RouterOS downgrade notification for version " . \
+ $Update->"latest-version" . ".");
+ :set ExitOK true;
+ :error true;
+ }
+
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "warning-sign" ] . "RouterOS version: " . $Update->"latest-version"); \
+ message=("A different RouterOS version " . ($Update->"latest-version") . \
+ " is available for " . $Identity . ", but it is a downgrade.\n\n" . \
+ [ $DeviceInfo ]); link=$Link; silent=true });
+ $LogPrint info $ScriptName ("A different RouterOS version " . ($Update->"latest-version") . \
+ " is available for downgrade.");
+ :set SentRouterosUpdateNotification ($Update->"latest-version");
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/cloud-backup b/cloud-backup
deleted file mode 100644
index 89648d5f..00000000
--- a/cloud-backup
+++ /dev/null
@@ -1,36 +0,0 @@
-#!rsc
-# RouterOS script: cloud-backup
-# Copyright (c) 2013-2020 Christian Hesse
-#
-# upload backup to MikroTik cloud
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/cloud-backup.md
-
-:global BackupPassword;
-:global Identity;
-
-:global DeviceInfo;
-:global LogPrintExit;
-:global SendNotification;
-
-:do {
- # we are not interested in output, but print without count-only is
- # required to fetch information from cloud
- / system backup cloud print as-value;
- :if ([ / system backup cloud print count-only ] > 0) do={
- / system backup cloud upload-file action=create-and-upload \
- password=$BackupPassword replace=[ get ([ find ]->0) name ];
- } else={
- / system backup cloud upload-file action=create-and-upload \
- password=$BackupPassword;
- }
- :local Cloud [ / system backup cloud get ([ find ]->0) ];
-
- $SendNotification "Cloud backup" \
- ("Uploaded backup for " . $Identity . " to cloud.\n\n" . \
- [ $DeviceInfo ] . "\n\n" . \
- "Name: " . $Cloud->"name" . "\n" . \
- "Size: " . $Cloud->"size" . "\n" . \
- "Download key: " . $Cloud->"secret-download-key") "" "true";
-} on-error={
- $LogPrintExit error ("Failed uploading backup for " . $Identity . " to cloud.") false;
-}
diff --git a/collect-wireless-mac.capsman b/collect-wireless-mac.capsman
deleted file mode 100644
index c89ea190..00000000
--- a/collect-wireless-mac.capsman
+++ /dev/null
@@ -1,68 +0,0 @@
-#!rsc
-# RouterOS script: collect-wireless-mac.capsman
-# Copyright (c) 2013-2020 Christian Hesse
-#
-# collect wireless mac adresses in access list
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/collect-wireless-mac.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global Identity;
-
-:global GetMacVendor;
-:global LogPrintExit;
-:global ScriptLock;
-:global SendNotification;
-
-$ScriptLock "collect-wireless-mac.capsman";
-
-:if ([ / caps-man access-list print count-only where comment="--- collected above ---" disabled ] = 0) do={
- / caps-man access-list add comment="--- collected above ---" disabled=yes;
- $LogPrintExit warning "Added disabled access-list entry with comment '--- collected above ---'." false;
-}
-:local PlaceBefore [ / caps-man access-list find where comment="--- collected above ---" disabled ];
-
-:foreach RegTbl in=[ / caps-man registration-table find ] do={
- :local Mac [ / caps-man registration-table get $RegTbl mac-address ];
- :local AccessList ([ / caps-man access-list find where mac-address=$Mac ]->0);
- :if ([ :len $AccessList ] = 0) do={
- :local Address "no dhcp lease";
- :local DnsName "no dhcp lease";
- :local HostName "no dhcp lease";
- :local Lease [ / ip dhcp-server lease find where mac-address=$Mac dynamic=yes status=bound ];
- :if ([ :len $Lease ] > 0) do={
- :set Address [ / ip dhcp-server lease get $Lease address ];
- :set HostName [ / ip dhcp-server lease get $Lease host-name ];
- :if ([ :len $HostName ] = 0) do={
- :set HostName "no hostname";
- }
- :set DnsName [ / ip dns static get ([ find where address=$Address ]->0) name ];
- :if ([ :len $DnsName ] = 0) do={
- :set DnsName "no dns name";
- }
- }
- :local RegEntry [ / caps-man registration-table find where mac-address=$Mac ];
- :local Interface [ / caps-man registration-table get $RegEntry interface ];
- :local Ssid [ / caps-man registration-table get $RegEntry ssid ];
- :local DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);
- :local Vendor [ $GetMacVendor $Mac ];
- :local Message ("unknown MAC address " . $Mac . " (" . $Vendor . ", " . $HostName . ") " . \
- "first seen on " . $DateTime . " connected to SSID " . $Ssid . ", interface " . $Interface);
- $LogPrintExit info $Message false;
- / caps-man access-list add place-before=$PlaceBefore comment=$Message mac-address=$Mac disabled=yes;
- $SendNotification ($Mac . " connected to " . $Ssid) \
- ("A device with unknown MAC address connected to " . $Ssid . " on " . $Identity . ".\n\n" . \
- "Controller: " . $Identity . "\n" . \
- "Interface: " . $Interface . "\n" . \
- "SSID: " . $Ssid . "\n" . \
- "MAC: " . $Mac . "\n" . \
- "Vendor: " . $Vendor . "\n" . \
- "Hostname: " . $HostName . "\n" . \
- "Address: " . $Address . "\n" . \
- "DNS name: " . $DnsName . "\n" . \
- "Date: " . $DateTime);
- } else={
- $LogPrintExit debug ("MAC address " . $Mac . " already known: " . \
- [ / caps-man access-list get $AccessList comment ]) false;
- }
-}
diff --git a/collect-wireless-mac.capsman.rsc b/collect-wireless-mac.capsman.rsc
new file mode 100644
index 00000000..0ef08b0d
--- /dev/null
+++ b/collect-wireless-mac.capsman.rsc
@@ -0,0 +1,100 @@
+#!rsc by RouterOS
+# RouterOS script: collect-wireless-mac.capsman
+# Copyright (c) 2013-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: lease-script, order=40
+# requires RouterOS, version=7.17
+#
+# collect wireless mac adresses in access list
+# https://rsc.eworm.de/doc/collect-wireless-mac.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global Identity;
+
+ :global EitherOr;
+ :global FormatLine;
+ :global FormatMultiLines;
+ :global GetMacVendor;
+ :global LogPrint;
+ :global ScriptLock;
+ :global SendNotification2;
+ :global SymbolForNotification;
+
+ :if ([ $ScriptLock $ScriptName 10 ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ :len [ /caps-man/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
+ /caps-man/access-list/add comment="--- collected above ---" disabled=yes;
+ $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
+ }
+ :local PlaceBefore ([ /caps-man/access-list/find where comment="--- collected above ---" disabled ]->0);
+
+ :foreach Reg in=[ /caps-man/registration-table/find ] do={
+ :local RegVal;
+ :do {
+ :set RegVal [ /caps-man/registration-table/get $Reg ];
+ } on-error={
+ $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
+ }
+
+ :if ([ :len ($RegVal->"mac-address") ] > 0) do={
+ :local AccessList ([ /caps-man/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
+ :if ([ :len $AccessList ] > 0) do={
+ $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
+ [ /caps-man/access-list/get $AccessList comment ]);
+ }
+
+ :if ([ :len $AccessList ] = 0) do={
+ :local Address "no dhcp lease";
+ :local DnsName "no dhcp lease";
+ :local HostName "no dhcp lease";
+ :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
+ :if ([ :len $Lease ] > 0) do={
+ :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
+ :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
+ :set DnsName "no dns name";
+ :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
+ :if ([ :len $DnsRec ] > 0) do={
+ :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
+ :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
+ :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
+ }
+ }
+ }
+ :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
+ :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
+ :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
+ "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
+ $LogPrint info $ScriptName $Message;
+ /caps-man/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
+ message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
+ [ $FormatLine "Controller" $Identity ] . "\n" . \
+ [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
+ [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
+ [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
+ [ $FormatLine "Vendor" $Vendor ] . "\n" . \
+ [ $FormatLine "Hostname" $HostName ] . "\n" . \
+ [ $FormatLine "Address" $Address ] . "\n" . \
+ [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
+ [ $FormatLine "Date" $DateTime ]) });
+ }
+ } else={
+ $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
+ }
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/collect-wireless-mac.local b/collect-wireless-mac.local
deleted file mode 100644
index eac87340..00000000
--- a/collect-wireless-mac.local
+++ /dev/null
@@ -1,68 +0,0 @@
-#!rsc
-# RouterOS script: collect-wireless-mac.local
-# Copyright (c) 2013-2020 Christian Hesse
-#
-# collect wireless mac adresses in access list
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/collect-wireless-mac.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global Identity;
-
-:global GetMacVendor;
-:global LogPrintExit;
-:global ScriptLock;
-:global SendNotification;
-
-$ScriptLock "collect-wireless-mac.local";
-
-:if ([ / interface wireless access-list print count-only where comment="--- collected above ---" disabled ] = 0) do={
- / interface wireless access-list add comment="--- collected above ---" disabled=yes;
- $LogPrintExit warning "Added disabled access-list entry with comment '--- collected above ---'." false;
-}
-:local PlaceBefore [ / interface wireless access-list find where comment="--- collected above ---" disabled ];
-
-:foreach RegTbl in=[ / interface wireless registration-table find ] do={
- :local Mac [ / interface wireless registration-table get $RegTbl mac-address ];
- :local AccessList ([ / interface wireless access-list find where mac-address=$Mac ]->0);
- :if ([ :len $AccessList ] = 0) do={
- :local Address "no dhcp lease";
- :local DnsName "no dhcp lease";
- :local HostName "no dhcp lease";
- :local Lease [ / ip dhcp-server lease find where mac-address=$Mac dynamic=yes status=bound ];
- :if ([ :len $Lease ] > 0) do={
- :set Address [ / ip dhcp-server lease get $Lease address ];
- :set HostName [ / ip dhcp-server lease get $Lease host-name ];
- :if ([ :len $HostName ] = 0) do={
- :set HostName "no hostname";
- }
- :set DnsName [ / ip dns static get ([ find where address=$Address ]->0) name ];
- :if ([ :len $DnsName ] = 0) do={
- :set DnsName "no dns name";
- }
- }
- :local RegEntry [ / interface wireless registration-table find where mac-address=$Mac ];
- :local Interface [ / interface wireless registration-table get $RegEntry interface ];
- :local Ssid [ / interface wireless get [ find where name=$Interface ] ssid ];
- :local DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);
- :local Vendor [ $GetMacVendor $Mac ];
- :local Message ("unknown MAC address " . $Mac . " (" . $Vendor . ", " . $HostName . ") " . \
- "first seen on " . $DateTime . " connected to SSID " . $Ssid . ", interface " . $Interface);
- $LogPrintExit info $Message false;
- / interface wireless access-list add place-before=$PlaceBefore comment=$Message mac-address=$Mac disabled=yes;
- $SendNotification ($Mac . " connected to " . $Ssid) \
- ("A device with unknown MAC address connected to " . $Ssid . " on " . $Identity . ".\n\n" . \
- "Controller: " . $Identity . "\n" . \
- "Interface: " . $Interface . "\n" . \
- "SSID: " . $Ssid . "\n" . \
- "MAC: " . $Mac . "\n" . \
- "Vendor: " . $Vendor . "\n" . \
- "Hostname: " . $HostName . "\n" . \
- "Address: " . $Address . "\n" . \
- "DNS name: " . $DnsName . "\n" . \
- "Date: " . $DateTime);
- } else={
- $LogPrintExit debug ("MAC address " . $Mac . " already known: " . \
- [ / interface wireless access-list get $AccessList comment ]) false;
- }
-}
diff --git a/collect-wireless-mac.local.rsc b/collect-wireless-mac.local.rsc
new file mode 100644
index 00000000..263ef164
--- /dev/null
+++ b/collect-wireless-mac.local.rsc
@@ -0,0 +1,101 @@
+#!rsc by RouterOS
+# RouterOS script: collect-wireless-mac.local
+# Copyright (c) 2013-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: lease-script, order=40
+# requires RouterOS, version=7.17
+#
+# collect wireless mac adresses in access list
+# https://rsc.eworm.de/doc/collect-wireless-mac.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global Identity;
+
+ :global EitherOr;
+ :global FormatLine;
+ :global FormatMultiLines;
+ :global GetMacVendor;
+ :global LogPrint;
+ :global ScriptLock;
+ :global SendNotification2;
+ :global SymbolForNotification;
+
+ :if ([ $ScriptLock $ScriptName 10 ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ :len [ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
+ /interface/wireless/access-list/add comment="--- collected above ---" disabled=yes;
+ $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
+ }
+ :local PlaceBefore ([ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ]->0);
+
+ :foreach Reg in=[ /interface/wireless/registration-table/find where ap=no ] do={
+ :local RegVal;
+ :do {
+ :set RegVal [ /interface/wireless/registration-table/get $Reg ];
+ } on-error={
+ $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
+ }
+
+ :if ([ :len ($RegVal->"mac-address") ] > 0) do={
+ :local AccessList ([ /interface/wireless/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
+ :if ([ :len $AccessList ] > 0) do={
+ $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
+ [ /interface/wireless/access-list/get $AccessList comment ]);
+ }
+
+ :if ([ :len $AccessList ] = 0) do={
+ :local Address "no dhcp lease";
+ :local DnsName "no dhcp lease";
+ :local HostName "no dhcp lease";
+ :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
+ :if ([ :len $Lease ] > 0) do={
+ :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
+ :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
+ :set DnsName "no dns name";
+ :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
+ :if ([ :len $DnsRec ] > 0) do={
+ :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
+ :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
+ :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
+ }
+ }
+ }
+ :set ($RegVal->"ssid") [ /interface/wireless/get [ find where name=($RegVal->"interface") ] ssid ];
+ :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
+ :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
+ :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
+ "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
+ $LogPrint info $ScriptName $Message;
+ /interface/wireless/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
+ message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
+ [ $FormatLine "Controller" $Identity ] . "\n" . \
+ [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
+ [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
+ [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
+ [ $FormatLine "Vendor" $Vendor ] . "\n" . \
+ [ $FormatLine "Hostname" $HostName ] . "\n" . \
+ [ $FormatLine "Address" $Address ] . "\n" . \
+ [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
+ [ $FormatLine "Date" $DateTime ]) });
+ }
+ } else={
+ $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
+ }
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/collect-wireless-mac.template b/collect-wireless-mac.template
deleted file mode 100644
index 0f936b3a..00000000
--- a/collect-wireless-mac.template
+++ /dev/null
@@ -1,70 +0,0 @@
-#!rsc
-# RouterOS script: collect-wireless-mac%TEMPL%
-# Copyright (c) 2013-2020 Christian Hesse
-#
-# collect wireless mac adresses in access list
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/collect-wireless-mac.md
-#
-# !! This is just a template! Replace '%PATH%' with 'caps-man'
-# !! or 'interface wireless'!
-
-:global Identity;
-
-:global GetMacVendor;
-:global LogPrintExit;
-:global ScriptLock;
-:global SendNotification;
-
-$ScriptLock "collect-wireless-mac%TEMPL%";
-
-:if ([ / %PATH% access-list print count-only where comment="--- collected above ---" disabled ] = 0) do={
- / %PATH% access-list add comment="--- collected above ---" disabled=yes;
- $LogPrintExit warning "Added disabled access-list entry with comment '--- collected above ---'." false;
-}
-:local PlaceBefore [ / %PATH% access-list find where comment="--- collected above ---" disabled ];
-
-:foreach RegTbl in=[ / %PATH% registration-table find ] do={
- :local Mac [ / %PATH% registration-table get $RegTbl mac-address ];
- :local AccessList ([ / %PATH% access-list find where mac-address=$Mac ]->0);
- :if ([ :len $AccessList ] = 0) do={
- :local Address "no dhcp lease";
- :local DnsName "no dhcp lease";
- :local HostName "no dhcp lease";
- :local Lease [ / ip dhcp-server lease find where mac-address=$Mac dynamic=yes status=bound ];
- :if ([ :len $Lease ] > 0) do={
- :set Address [ / ip dhcp-server lease get $Lease address ];
- :set HostName [ / ip dhcp-server lease get $Lease host-name ];
- :if ([ :len $HostName ] = 0) do={
- :set HostName "no hostname";
- }
- :set DnsName [ / ip dns static get ([ find where address=$Address ]->0) name ];
- :if ([ :len $DnsName ] = 0) do={
- :set DnsName "no dns name";
- }
- }
- :local RegEntry [ / %PATH% registration-table find where mac-address=$Mac ];
- :local Interface [ / %PATH% registration-table get $RegEntry interface ];
- :local Ssid [ / caps-man registration-table get $RegEntry ssid ];
- :local Ssid [ / interface wireless get [ find where name=$Interface ] ssid ];
- :local DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);
- :local Vendor [ $GetMacVendor $Mac ];
- :local Message ("unknown MAC address " . $Mac . " (" . $Vendor . ", " . $HostName . ") " . \
- "first seen on " . $DateTime . " connected to SSID " . $Ssid . ", interface " . $Interface);
- $LogPrintExit info $Message false;
- / %PATH% access-list add place-before=$PlaceBefore comment=$Message mac-address=$Mac disabled=yes;
- $SendNotification ($Mac . " connected to " . $Ssid) \
- ("A device with unknown MAC address connected to " . $Ssid . " on " . $Identity . ".\n\n" . \
- "Controller: " . $Identity . "\n" . \
- "Interface: " . $Interface . "\n" . \
- "SSID: " . $Ssid . "\n" . \
- "MAC: " . $Mac . "\n" . \
- "Vendor: " . $Vendor . "\n" . \
- "Hostname: " . $HostName . "\n" . \
- "Address: " . $Address . "\n" . \
- "DNS name: " . $DnsName . "\n" . \
- "Date: " . $DateTime);
- } else={
- $LogPrintExit debug ("MAC address " . $Mac . " already known: " . \
- [ / %PATH% access-list get $AccessList comment ]) false;
- }
-}
diff --git a/collect-wireless-mac.template.rsc b/collect-wireless-mac.template.rsc
new file mode 100644
index 00000000..37933250
--- /dev/null
+++ b/collect-wireless-mac.template.rsc
@@ -0,0 +1,118 @@
+#!rsc by RouterOS
+# RouterOS script: collect-wireless-mac%TEMPL%
+# Copyright (c) 2013-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: lease-script, order=40
+# requires RouterOS, version=7.17
+#
+# collect wireless mac adresses in access list
+# https://rsc.eworm.de/doc/collect-wireless-mac.md
+#
+# !! This is just a template to generate the real script!
+# !! Pattern '%TEMPL%' is replaced, paths are filtered.
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global Identity;
+
+ :global EitherOr;
+ :global FormatLine;
+ :global FormatMultiLines;
+ :global GetMacVendor;
+ :global LogPrint;
+ :global ScriptLock;
+ :global SendNotification2;
+ :global SymbolForNotification;
+
+ :if ([ $ScriptLock $ScriptName 10 ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ :len [ /caps-man/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
+ :if ([ :len [ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
+ :if ([ :len [ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
+ /caps-man/access-list/add comment="--- collected above ---" disabled=yes;
+ /interface/wifi/access-list/add comment="--- collected above ---" disabled=yes;
+ /interface/wireless/access-list/add comment="--- collected above ---" disabled=yes;
+ $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
+ }
+ :local PlaceBefore ([ /caps-man/access-list/find where comment="--- collected above ---" disabled ]->0);
+ :local PlaceBefore ([ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ]->0);
+ :local PlaceBefore ([ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ]->0);
+
+ :foreach Reg in=[ /caps-man/registration-table/find ] do={
+ :foreach Reg in=[ /interface/wifi/registration-table/find ] do={
+ :foreach Reg in=[ /interface/wireless/registration-table/find where ap=no ] do={
+ :local RegVal;
+ :do {
+ :set RegVal [ /caps-man/registration-table/get $Reg ];
+ :set RegVal [ /interface/wifi/registration-table/get $Reg ];
+ :set RegVal [ /interface/wireless/registration-table/get $Reg ];
+ } on-error={
+ $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
+ }
+
+ :if ([ :len ($RegVal->"mac-address") ] > 0) do={
+ :local AccessList ([ /caps-man/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
+ :local AccessList ([ /interface/wifi/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
+ :local AccessList ([ /interface/wireless/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
+ :if ([ :len $AccessList ] > 0) do={
+ $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
+ [ /caps-man/access-list/get $AccessList comment ]);
+ [ /interface/wifi/access-list/get $AccessList comment ]);
+ [ /interface/wireless/access-list/get $AccessList comment ]);
+ }
+
+ :if ([ :len $AccessList ] = 0) do={
+ :local Address "no dhcp lease";
+ :local DnsName "no dhcp lease";
+ :local HostName "no dhcp lease";
+ :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
+ :if ([ :len $Lease ] > 0) do={
+ :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
+ :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
+ :set DnsName "no dns name";
+ :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
+ :if ([ :len $DnsRec ] > 0) do={
+ :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
+ :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
+ :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
+ }
+ }
+ }
+ :set ($RegVal->"ssid") [ /interface/wireless/get [ find where name=($RegVal->"interface") ] ssid ];
+ :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
+ :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
+ :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
+ "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
+ $LogPrint info $ScriptName $Message;
+ /caps-man/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
+ /interface/wifi/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
+ /interface/wireless/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
+ message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
+ [ $FormatLine "Controller" $Identity ] . "\n" . \
+ [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
+ [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
+ [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
+ [ $FormatLine "Vendor" $Vendor ] . "\n" . \
+ [ $FormatLine "Hostname" $HostName ] . "\n" . \
+ [ $FormatLine "Address" $Address ] . "\n" . \
+ [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
+ [ $FormatLine "Date" $DateTime ]) });
+ }
+ } else={
+ $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
+ }
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/collect-wireless-mac.wifi.rsc b/collect-wireless-mac.wifi.rsc
new file mode 100644
index 00000000..342351b1
--- /dev/null
+++ b/collect-wireless-mac.wifi.rsc
@@ -0,0 +1,100 @@
+#!rsc by RouterOS
+# RouterOS script: collect-wireless-mac.wifi
+# Copyright (c) 2013-2026 Christian Hesse
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: lease-script, order=40
+# requires RouterOS, version=7.17
+#
+# collect wireless mac adresses in access list
+# https://rsc.eworm.de/doc/collect-wireless-mac.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:local ExitOK false;
+:onerror Err {
+ :global GlobalConfigReady; :global GlobalFunctionsReady;
+ :retry { :if ($GlobalConfigReady != true || $GlobalFunctionsReady != true) \
+ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
+ :local ScriptName [ :jobname ];
+
+ :global Identity;
+
+ :global EitherOr;
+ :global FormatLine;
+ :global FormatMultiLines;
+ :global GetMacVendor;
+ :global LogPrint;
+ :global ScriptLock;
+ :global SendNotification2;
+ :global SymbolForNotification;
+
+ :if ([ $ScriptLock $ScriptName 10 ] = false) do={
+ :set ExitOK true;
+ :error false;
+ }
+
+ :if ([ :len [ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
+ /interface/wifi/access-list/add comment="--- collected above ---" disabled=yes;
+ $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
+ }
+ :local PlaceBefore ([ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ]->0);
+
+ :foreach Reg in=[ /interface/wifi/registration-table/find ] do={
+ :local RegVal;
+ :do {
+ :set RegVal [ /interface/wifi/registration-table/get $Reg ];
+ } on-error={
+ $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
+ }
+
+ :if ([ :len ($RegVal->"mac-address") ] > 0) do={
+ :local AccessList ([ /interface/wifi/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
+ :if ([ :len $AccessList ] > 0) do={
+ $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
+ [ /interface/wifi/access-list/get $AccessList comment ]);
+ }
+
+ :if ([ :len $AccessList ] = 0) do={
+ :local Address "no dhcp lease";
+ :local DnsName "no dhcp lease";
+ :local HostName "no dhcp lease";
+ :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
+ :if ([ :len $Lease ] > 0) do={
+ :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
+ :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
+ :set DnsName "no dns name";
+ :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
+ :if ([ :len $DnsRec ] > 0) do={
+ :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
+ :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
+ :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
+ }
+ }
+ }
+ :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
+ :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
+ :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
+ "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
+ $LogPrint info $ScriptName $Message;
+ /interface/wifi/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
+ $SendNotification2 ({ origin=$ScriptName; \
+ subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
+ message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
+ [ $FormatLine "Controller" $Identity ] . "\n" . \
+ [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
+ [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
+ [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
+ [ $FormatLine "Vendor" $Vendor ] . "\n" . \
+ [ $FormatLine "Hostname" $HostName ] . "\n" . \
+ [ $FormatLine "Address" $Address ] . "\n" . \
+ [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
+ [ $FormatLine "Date" $DateTime ]) });
+ }
+ } else={
+ $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
+ }
+ }
+} do={
+ :global ExitError; $ExitError $ExitOK [ :jobname ] $Err;
+}
diff --git a/contrib/Makefile b/contrib/Makefile
new file mode 100644
index 00000000..e755a1d5
--- /dev/null
+++ b/contrib/Makefile
@@ -0,0 +1,17 @@
+# Makefile
+
+HTML := $(shell grep -xl '' *.html)
+
+.PHONY: all docs clean
+
+all: docs
+
+badges.html: badges.md
+ markdown $< > $@
+
+docs: static-html.sh $(HTML) badges.html
+ ./static-html.sh $(HTML)
+
+clean:
+ rm -f badges.html
+ git checkout HEAD -- $(HTML)
diff --git a/contrib/badges.md b/contrib/badges.md
new file mode 100644
index 00000000..a23090b5
--- /dev/null
+++ b/contrib/badges.md
@@ -0,0 +1,6 @@
+[](https://github.com/eworm-de/routeros-scripts/stargazers)
+[](https://github.com/eworm-de/routeros-scripts/network)
+[](https://github.com/eworm-de/routeros-scripts/watchers)
+[](https://mikrotik.com/download/changelogs/)
+[](https://t.me/routeros_scripts)
+[](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
diff --git a/contrib/checksums.sh b/contrib/checksums.sh
new file mode 100755
index 00000000..ab4e9738
--- /dev/null
+++ b/contrib/checksums.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# generate a checksums file as used by $ScriptInstallUpdate
+
+set -e
+
+md5sum $(find -name '*.rsc' | sort) | \
+ sed -e "s| \./||" -e 's|.rsc$||' | \
+ jq --raw-input --null-input '[ inputs | split (" ") | { (.[1]): (.[0]) }] | add'
diff --git a/contrib/commitinfo.sh b/contrib/commitinfo.sh
new file mode 100755
index 00000000..21faf9fc
--- /dev/null
+++ b/contrib/commitinfo.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+sed \
+ -e "/^:global CommitId/c :global CommitId \"${COMMITID:-unknown}\";" \
+ -e "/^:global CommitInfo/c :global CommitInfo \"${COMMITINFO:-unknown}\";" \
+ < "${1}"
diff --git a/contrib/html.sh b/contrib/html.sh
new file mode 100755
index 00000000..03eba23d
--- /dev/null
+++ b/contrib/html.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+
+RELTO="$(dirname "${1}")"
+
+sed \
+ -e "s|__TITLE__|$(head -n1 "${1}")|" \
+ -e "s|__GENERAL__|$(realpath --relative-to="${RELTO}" general/)|" \
+ -e "s|__ROOT__|$(realpath --relative-to="${RELTO}" ./)|" \
+ < "${0}.d/head.html"
+
+markdown -f toc,idanchor "${1}" | sed \
+ -e 's/href="\([-_\./[:alnum:]]*\)\.md\(#[-[:alnum:]]*\)\?"/href="\1.html\2"/g' \
+ -e '/| id="\L\1">|' \
+ -e '//s|pre|pre class="code" onclick="CopyToClipboard(this)"|g' \
+ -e '/The above link may be broken on code hosting sites/s|blockquote|blockquote style="display: none;"|'
+
+sed \
+ -e "s|__DATE__|${DATE:-$(date --rfc-email)}|" \
+ -e "s|__VERSION__|${VERSION:-unknown}|" \
+ < "${0}.d/foot.html"
diff --git a/contrib/html.sh.d/foot.html b/contrib/html.sh.d/foot.html
new file mode 100644
index 00000000..9e28e115
--- /dev/null
+++ b/contrib/html.sh.d/foot.html
@@ -0,0 +1,5 @@
+
+
+
+