capsman-download-packages: fix parameter for $RmFile

The function can not handle ids, we have to pass a name instead.

.gitignore

@@ -1,3 +1,13 @@
+# backup and temporary files
 *~
+
+# patches and related files
+*.orig
 *.patch
+*.rej
+
+# html files (as generated from markdown)
 *.html
+
+# Mac OS X folder settings file
+.DS_Store

BRANCHES.md

@@ -0,0 +1,50 @@
+Installing from branches
+========================
+
+[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
+[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
+[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
+[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
+[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
+[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
+
+[⬅️ Go back to main README](README.md)
+
+> ⚠️ **Warning**: Living on the edge? Great, read on!
+> If not: Please use the `main` branch and leave this page!
+
+These scripts are developed in a [git](https://git-scm.com/) repository.
+Development and experimental branches are used to provide early access
+for specific changes. You can install scripts from these branches
+for testing.
+
+## Install single script
+
+To install a single script from `next` branch:
+
+    $ScriptInstallUpdate script-name "base-url=https://rsc.eworm.de/next/";
+
+## Switch existing script
+
+Alternatively switch an existing script to update from `next` branch:
+
+    /system/script/set comment="base-url=https://rsc.eworm.de/next/" script-name;
+    $ScriptInstallUpdate;
+
+## Switch installation
+
+Last but not least - to switch the complete installation to the `next`
+branch edit `global-config-overlay` and add:
+
+    :global ScriptUpdatesBaseUrl "https://rsc.eworm.de/next/";
+
+... then reload the configuration and update:
+
+    /system/script/run global-config;
+    $ScriptInstallUpdate;
+
+> ℹ️ **Info**: Replace `next` with *whatever* to use another specific branch.
+
+---
+[⬅️ Go back to main README](README.md)  
+[⬆️ Go back to top](#top)

CERTIFICATES.md

@@ -0,0 +1,82 @@
+Certificate name from browser
+=============================
+
+[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
+[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
+[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
+[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
+[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
+[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
+
+[⬅️ Go back to main README](README.md)
+
+All well known desktop, mobile and server operating systems come with a
+certificate store that is populated with a set of well known and trusted
+certificates, acting as *trust anchors*.
+
+However RouterOS does not, still sometimes a specific certificate is
+required to properly verify a chain of trust. One example is downloading
+the scripts from this repository with `fetch` command, thus the very
+first step of [installation](README.md#the-long-way-in-detail) is importing
+the certificate.
+
+The scripts can install additional certificates when required. This happens
+from this repository if available, or from [mkcert.org](https://mkcert.org)
+as a fallback.
+
+Get the certificate's CommonName
+--------------------------------
+
+But how to determine what certificate may be required? Often easiest way
+is to use a desktop browser to get that information. This demonstration uses
+[Mozilla Firefox](https://www.mozilla.org/firefox/).
+
+Let's assume we want to make sure the certificate for
+[git.eworm.de](https://git.eworm.de/) is available. Open that page in the
+browser, then click the *lock* icon in addressbar, followed by "*Connection
+secure*".
+
+![screenshot: dialog A](CERTIFICATES.d/01-dialog-A.avif)
+
+The dialog will change, click "*More information*".
+
+![screenshot: dialog B](CERTIFICATES.d/02-dialog-B.avif)
+
+A new window opens, click the button "*View Certificate*". (That window
+can be closed now.)
+
+![screenshot: window](CERTIFICATES.d/03-window.avif)
+
+A new tab opens, showing information on the server certificate and its
+chain of trust. The leftmost certificate is what we are interested in.
+
+![screenshot: certificate](CERTIFICATES.d/04-certificate.avif)
+
+Now we know that "`ISRG Root X2`" is required, some scripts need just
+that information.
+
+Import a certificate by CommonName
+----------------------------------
+
+Running the function `$CertificateAvailable` with that name as parameter
+makes sure the certificate is available in the device's store:
+
+    $CertificateAvailable "ISRG Root X2";
+
+If the certificate is actually available already nothing happens, and there
+is no output. Otherwise the certificate is downloaded and imported.
+
+If importing a certificate with that exact name fails a warning is given
+and nothing is actually imported.
+
+See also
+--------
+
+* [Download, import and update firewall address-lists](doc/fw-addr-lists.md)
+* [Manage DNS and DoH servers from netwatch](doc/netwatch-dns.md)
+* [Send notifications via Matrix](doc/mod/notification-matrix.md)
+* [Send notifications via Ntfy](doc/mod/notification-ntfy.md)
+
+---
+[⬅️ Go back to main README](README.md)  
+[⬆️ Go back to top](#top)

CONTRIBUTIONS.md

@@ -0,0 +1,63 @@
+Past Contributions
+==================
+
+[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
+[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
+[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
+[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
+[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
+[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
+
+[⬅️ Go back to main README](README.md)
+
+Thanks a lot for your contributions! ❤️
+
+## Patches
+
+These persons contributed code or documentation. See the git history
+for details!
+
+* [Anatoly Bubenkov](mailto:bubenkoff@gmail.com) (@bubenkoff)
+* [Ben Harris](mailto:mail@bharr.is) (@bharrisau)
+* [Daniel Ziegenberg](mailto:daniel@ziegenberg.at) (@ziegenberg)
+* [Ignacio Serrano](mailto:ignic@ignic.com) (@ignic)
+* [Michael Gisbers](mailto:michael@gisbers.de) (@mgisbers)
+* [Miquel Bonastre](mailto:mbonastre@yahoo.com) (@mbonastre)
+* @netravnen
+* [netztrip](mailto:dave-tvg@netztrip.de) (@netztrip)
+* [Stefan Müller](mailto:stefan.mueller.83@gmail.com) (@PackElend)
+
+## Donations
+
+Add yourself to the list,
+[donate with PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)!
+
+* Abdul Mannan Abbasi
+* Andrea Ruffini Perico
+* Andrew Cox
+* Christoph Boss (@Kampfwurst)
+* Daniel Ziegenberg (@ziegenberg)
+* Devin Dean (@dd2594gh)
+* Evaldo Gardenal
+* Florian Estraviz
+* Giorgio Bikos
+* Harold Schoemaker
+* Hugo BV
+* Klaus Michael Rübsam
+* Leonardo Valeri Manera
+* Linux-Schmie.de Michael Gisbers
+* Manuel Kuhn
+* Marek Čábák
+* Oleksandr Yukhymchuk
+* Peter Holtkamp
+* Peter Ponzel
+* Reiner Vehrenkamp
+* Richard Österreicher
+* Simon Hitzemann
+* Sunny Chu (@sunnychuchu)
+* Ulrich Wessendorf
+* Zac Kornilakis
+
+---
+[⬅️ Go back to main README](README.md)  
+[⬆️ Go back to top](#top)

COPYING.md

@@ -0,0 +1,675 @@
+### GNU GENERAL PUBLIC LICENSE
+
+Version 3, 29 June 2007
+
+Copyright (C) 2007 Free Software Foundation, Inc.
+<https://fsf.org/>
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+### Preamble
+
+The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom
+to share and change all versions of a program--to make sure it remains
+free software for all its users. We, the Free Software Foundation, use
+the GNU General Public License for most of our software; it applies
+also to any other work released this way by its authors. You can apply
+it to your programs, too.
+
+When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you
+have certain responsibilities if you distribute copies of the
+software, or if you modify it: responsibilities to respect the freedom
+of others.
+
+For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too, receive
+or can get the source code. And you must show them these terms so they
+know their rights.
+
+Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the
+manufacturer can do so. This is fundamentally incompatible with the
+aim of protecting users' freedom to change the software. The
+systematic pattern of such abuse occurs in the area of products for
+individuals to use, which is precisely where it is most unacceptable.
+Therefore, we have designed this version of the GPL to prohibit the
+practice for those products. If such problems arise substantially in
+other domains, we stand ready to extend this provision to those
+domains in future versions of the GPL, as needed to protect the
+freedom of users.
+
+Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish
+to avoid the special danger that patents applied to a free program
+could make it effectively proprietary. To prevent this, the GPL
+assures that patents cannot be used to render the program non-free.
+
+The precise terms and conditions for copying, distribution and
+modification follow.
+
+### TERMS AND CONDITIONS
+
+#### 0. Definitions.
+
+"This License" refers to version 3 of the GNU General Public License.
+
+"Copyright" also means copyright-like laws that apply to other kinds
+of works, such as semiconductor masks.
+
+"The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of
+an exact copy. The resulting work is called a "modified version" of
+the earlier work or a work "based on" the earlier work.
+
+A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user
+through a computer network, with no transfer of a copy, is not
+conveying.
+
+An interactive user interface displays "Appropriate Legal Notices" to
+the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+#### 1. Source Code.
+
+The "source code" for a work means the preferred form of the work for
+making modifications to it. "Object code" means any non-source form of
+a work.
+
+A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+The Corresponding Source need not include anything that users can
+regenerate automatically from other parts of the Corresponding Source.
+
+The Corresponding Source for a work in source code form is that same
+work.
+
+#### 2. Basic Permissions.
+
+All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+You may make, run and propagate covered works that you do not convey,
+without conditions so long as your license otherwise remains in force.
+You may convey covered works to others for the sole purpose of having
+them make modifications exclusively for you, or provide you with
+facilities for running those works, provided that you comply with the
+terms of this License in conveying all material for which you do not
+control copyright. Those thus making or running the covered works for
+you must do so exclusively on your behalf, under your direction and
+control, on terms that prohibit them from making any copies of your
+copyrighted material outside their relationship with you.
+
+Conveying under any other circumstances is permitted solely under the
+conditions stated below. Sublicensing is not allowed; section 10 makes
+it unnecessary.
+
+#### 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such
+circumvention is effected by exercising rights under this License with
+respect to the covered work, and you disclaim any intention to limit
+operation or modification of the work as a means of enforcing, against
+the work's users, your or third parties' legal rights to forbid
+circumvention of technological measures.
+
+#### 4. Conveying Verbatim Copies.
+
+You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+#### 5. Conveying Modified Source Versions.
+
+You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these
+conditions:
+
+-   a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+-   b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under
+    section 7. This requirement modifies the requirement in section 4
+    to "keep intact all notices".
+-   c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy. This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged. This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+-   d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+#### 6. Conveying Non-Source Forms.
+
+You may convey a covered work in object code form under the terms of
+sections 4 and 5, provided that you also convey the machine-readable
+Corresponding Source under the terms of this License, in one of these
+ways:
+
+-   a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+-   b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the Corresponding
+    Source from a network server at no charge.
+-   c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source. This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+-   d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge. You need not require recipients to copy the
+    Corresponding Source along with the object code. If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source. Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+-   e) Convey the object code using peer-to-peer transmission,
+    provided you inform other peers where the object code and
+    Corresponding Source of the work are being offered to the general
+    public at no charge under subsection 6d.
+
+A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal,
+family, or household purposes, or (2) anything designed or sold for
+incorporation into a dwelling. In determining whether a product is a
+consumer product, doubtful cases shall be resolved in favor of
+coverage. For a particular product received by a particular user,
+"normally used" refers to a typical or common use of that class of
+product, regardless of the status of the particular user or of the way
+in which the particular user actually uses, or expects or is expected
+to use, the product. A product is a consumer product regardless of
+whether the product has substantial commercial, industrial or
+non-consumer uses, unless such uses represent the only significant
+mode of use of the product.
+
+"Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to
+install and execute modified versions of a covered work in that User
+Product from a modified version of its Corresponding Source. The
+information must suffice to ensure that the continued functioning of
+the modified object code is in no case prevented or interfered with
+solely because modification has been made.
+
+If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or
+updates for a work that has been modified or installed by the
+recipient, or for the User Product in which it has been modified or
+installed. Access to a network may be denied when the modification
+itself materially and adversely affects the operation of the network
+or violates the rules and protocols for communication across the
+network.
+
+Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+#### 7. Additional Terms.
+
+"Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders
+of that material) supplement the terms of this License with terms:
+
+-   a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+-   b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+-   c) Prohibiting misrepresentation of the origin of that material,
+    or requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+-   d) Limiting the use for publicity purposes of names of licensors
+    or authors of the material; or
+-   e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+-   f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions
+    of it) with contractual assumptions of liability to the recipient,
+    for any liability that these contractual assumptions directly
+    impose on those licensors and authors.
+
+All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions; the
+above requirements apply either way.
+
+#### 8. Termination.
+
+You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+However, if you cease all violation of this License, then your license
+from a particular copyright holder is reinstated (a) provisionally,
+unless and until the copyright holder explicitly and finally
+terminates your license, and (b) permanently, if the copyright holder
+fails to notify you of the violation by some reasonable means prior to
+60 days after the cessation.
+
+Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+#### 9. Acceptance Not Required for Having Copies.
+
+You are not required to accept this License in order to receive or run
+a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+#### 10. Automatic Licensing of Downstream Recipients.
+
+Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+#### 11. Patents.
+
+A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+A contributor's "essential patent claims" are all patent claims owned
+or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+A patent license is "discriminatory" if it does not include within the
+scope of its coverage, prohibits the exercise of, or is conditioned on
+the non-exercise of one or more of the rights that are specifically
+granted under this License. You may not convey a covered work if you
+are a party to an arrangement with a third party that is in the
+business of distributing software, under which you make payment to the
+third party based on the extent of your activity of conveying the
+work, and under which the third party grants, to any of the parties
+who would receive the covered work from you, a discriminatory patent
+license (a) in connection with copies of the covered work conveyed by
+you (or copies made from those copies), or (b) primarily for and in
+connection with specific products or compilations that contain the
+covered work, unless you entered into that arrangement, or that patent
+license was granted, prior to 28 March 2007.
+
+Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+#### 12. No Surrender of Others' Freedom.
+
+If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under
+this License and any other pertinent obligations, then as a
+consequence you may not convey it at all. For example, if you agree to
+terms that obligate you to collect a royalty for further conveying
+from those to whom you convey the Program, the only way you could
+satisfy both those terms and this License would be to refrain entirely
+from conveying the Program.
+
+#### 13. Use with the GNU Affero General Public License.
+
+Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+#### 14. Revised Versions of this License.
+
+The Free Software Foundation may publish revised and/or new versions
+of the GNU General Public License from time to time. Such new versions
+will be similar in spirit to the present version, but may differ in
+detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies that a certain numbered version of the GNU General Public
+License "or any later version" applies to it, you have the option of
+following the terms and conditions either of that numbered version or
+of any later version published by the Free Software Foundation. If the
+Program does not specify a version number of the GNU General Public
+License, you may choose any version ever published by the Free
+Software Foundation.
+
+If the Program specifies that a proxy can decide which future versions
+of the GNU General Public License can be used, that proxy's public
+statement of acceptance of a version permanently authorizes you to
+choose that version for the Program.
+
+Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+#### 15. Disclaimer of Warranty.
+
+THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT
+WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
+PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
+DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
+CORRECTION.
+
+#### 16. Limitation of Liability.
+
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR
+CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
+ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT
+NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
+LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
+TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
+PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+#### 17. Interpretation of Sections 15 and 16.
+
+If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+END OF TERMS AND CONDITIONS
+
+### How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these
+terms.
+
+To do so, attach the following notices to the program. It is safest to
+attach them to the start of each source file to most effectively state
+the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+        <one line to give the program's name and a brief idea of what it does.>
+        Copyright (C) <year>  <name of author>
+
+        This program is free software: you can redistribute it and/or modify
+        it under the terms of the GNU General Public License as published by
+        the Free Software Foundation, either version 3 of the License, or
+        (at your option) any later version.
+
+        This program is distributed in the hope that it will be useful,
+        but WITHOUT ANY WARRANTY; without even the implied warranty of
+        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+        GNU General Public License for more details.
+
+        You should have received a copy of the GNU General Public License
+        along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper
+mail.
+
+If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+        <program>  Copyright (C) <year>  <name of author>
+        This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+        This is free software, and you are welcome to redistribute it
+        under certain conditions; type `show c' for details.
+
+The hypothetical commands \`show w' and \`show c' should show the
+appropriate parts of the General Public License. Of course, your
+program's commands might be different; for a GUI interface, you would
+use an "about box".
+
+You should also get your employer (if you work as a programmer) or
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. For more information on this, and how to apply and follow
+the GNU GPL, see <https://www.gnu.org/licenses/>.
+
+The GNU General Public License does not permit incorporating your
+program into proprietary programs. If your program is a subroutine
+library, you may consider it more useful to permit linking proprietary
+applications with the library. If this is what you want to do, use the
+GNU Lesser General Public License instead of this License. But first,
+please read <https://www.gnu.org/licenses/why-not-lgpl.html>.

DEBUG.md

@@ -0,0 +1,63 @@
+Debug output and logs
+=====================
+
+[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
+[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
+[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
+[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
+[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
+[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
+
+[⬅️ Go back to main README](README.md)
+
+Sometimes scripts do not behave as expected. In these cases debug output
+or logs can help.
+
+## Debug output
+
+Run this command in a terminal:
+
+    :set PrintDebug true;
+
+You will then see debug output when running the script from terminal.
+
+To revert to default output run:
+
+    :set PrintDebug false;
+
+### Debug output for specific script
+
+Even having debug output for a specific script or function only (or a
+set of) is possible. To enable debug output for `telegram-chat` run:
+
+    :set ($PrintDebugOverride->"telegram-chat") true;
+
+## Debug logs
+
+The debug info can go to system log. To make it show up in `memory` run:
+
+    /system/logging/add topics=script,debug action=memory;
+
+Other actions (`disk`, `email`, `remote` or `support`) can be used as
+well. I do not recommend using `echo` - use [debug output](#debug-output)
+instead.
+
+Disable or remote that setting to restore regular logging.
+
+## Verbose output
+
+Specific scripts can generate huge amount of output. These do use a function
+`$LogPrintVerbose`, which is declared, but has no code, intentionally.
+
+If you *really* want that output set the function to be the same as
+`$LogPrint`:
+
+    :set LogPrintVerbose $LogPrint;
+
+To revert that change just run:
+
+    :set LogPrintVerbose;
+
+---
+[⬅️ Go back to main README](README.md)  
+[⬆️ Go back to top](#top)

INITIAL-COMMANDS.md

@@ -0,0 +1,53 @@
+Initial commands
+================
+
+[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
+[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
+[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
+[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
+[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
+[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
+
+[⬅️ Go back to main README](README.md)
+
+> ⚠️ **Warning**: These command are inteneded for initial setup. If you are
+> not aware of the procedure please follow
+> [the long way in detail](README.md#the-long-way-in-detail).
+
+Run the complete base installation:
+
+    {
+      /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem" as-value;
+      :delay 1s;
+      /certificate/import file-name="isrg-root-x2.pem" passphrase="";
+      :if ([ :len [ /certificate/find where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470" ] ] != 1) do={
+        :error "Something is wrong with your certificates!";
+      };
+      :delay 1s;
+      /system/script/set name=("global-config-overlay-" . [ /system/clock/get date ] . "-" . [ /system/clock/get time ]) [ find where name="global-config-overlay" ];
+      :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={
+        /system/script/remove [ find where name=$Script ];
+        /system/script/add name=$Script owner=$Script source=([ /tool/fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit/routeros-scripts/plain/" . $Script . ".rsc") output=user as-value]->"data");
+      };
+      /system/script { run global-config; run global-functions; };
+      /system/scheduler/remove [ find where name="global-scripts" ];
+      /system/scheduler/add name="global-scripts" start-time=startup on-event="/system/script { run global-config; run global-functions; }";
+      :global CertificateNameByCN;
+      $CertificateNameByCN "ISRG Root X2";
+    };
+
+Then continue setup with
+[scheduled automatic updates](README.md#scheduled-automatic-updates) or
+[editing configuration](README.md#editing-configuration).
+
+## Fix existing installation
+
+The [initial commands](#initial-commands) above allow to fix an existing
+installation in case it ever breaks. If `global-config-overlay` did exist
+before it is renamed with a date and time suffix (like
+`global-config-overlay-2024-01-25-09:33:12`). Make sure to restore the
+configuration overlay if required.
+
+---
+[⬅️ Go back to main README](README.md)  
+[⬆️ Go back to top](#top)

Makefile

@@ -2,24 +2,35 @@
 #  template scripts -> final scripts
 #  markdown files -> html files
 
-TEMPLATE = $(wildcard *.template)
-CAPSMAN = $(TEMPLATE:.template=.capsman)
-LOCAL = $(TEMPLATE:.template=.local)
+CAPSMAN = $(wildcard *.capsman.rsc)
+LOCAL = $(wildcard *.local.rsc)
+WIFI = $(wildcard *.wifi.rsc)
 
-MARKDOWN = $(wildcard *.md)
-HTML =  $(MARKDOWN:.md=.html)
+MARKDOWN = $(wildcard *.md doc/*.md doc/mod/*.md)
+HTML = $(MARKDOWN:.md=.html)
 
-all: $(CAPSMAN) $(LOCAL) $(HTML)
+all: $(CAPSMAN) $(LOCAL) $(WIFI) $(HTML)
 
 %.html: %.md Makefile
-	markdown $< | sed 's/href="\([-[:alnum:]]*\)\.md"/href="\1.html"/g' > $@
+	markdown $< | sed 's/href="\([-_\./[:alnum:]]*\)\.md"/href="\1.html"/g' > $@
 
-%.local: %.template Makefile
-	sed -e '/\/ caps-man/d' -e 's|%PATH%|interface wireless|' -e 's|%TEMPL%|$(suffix $@)|' \
+%.capsman.rsc: %.template.rsc Makefile
+	sed -e '/\/interface\/wifi\//d' -e '/\/interface\/wireless\//d' -e 's|%TEMPL%|.capsman|' \
+		-e '/^# NOT \/caps-man\/ #$$/,/^# NOT \/caps-man\/ #$$/d' \
 		-e '/^# !!/,/^# !!/c # !! Do not edit this file, it is generated from template!' \
 		< $< > $@
 
-%.capsman: %.template Makefile
-	sed -e '/\/ interface wireless/d' -e 's/%PATH%/caps-man/' -e 's/%TEMPL%/$(suffix $@)/' \
+%.local.rsc: %.template.rsc Makefile
+	sed -e '/\/caps-man\//d' -e '/\/interface\/wifi\//d' -e 's|%TEMPL%|.local|' \
+		-e '/^# NOT \/interface\/wireless\/ #$$/,/^# NOT \/interface\/wireless\/ #$$/d' \
 		-e '/^# !!/,/^# !!/c # !! Do not edit this file, it is generated from template!' \
 		< $< > $@
+
+%.wifi.rsc: %.template.rsc Makefile
+	sed -e '/\/caps-man\//d' -e '/\/interface\/wireless\//d' -e 's|%TEMPL%|.wifi|' \
+		-e '/^# NOT \/interface\/wifi\/ #$$/,/^# NOT \/interface\/wifi\/ #$$/d' \
+		-e '/^# !!/,/^# !!/c # !! Do not edit this file, it is generated from template!' \
+		< $< > $@
+
+clean:
+	rm -f $(HTML)

README.d/hello-world.rsc

@@ -0,0 +1,3 @@
+#!rsc by RouterOS
+
+:put ("Hello World from " . [ /system/identity/get name ] . "!");

README.md

@@ -1,23 +1,52 @@
 RouterOS Scripts
 ================
 
+[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
+[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
+[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
+[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
+[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
+[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
+
+![RouterOS Scripts Logo](logo.svg)
+
 [RouterOS](https://mikrotik.com/software) is the operating system developed
 by [MikroTik](https://mikrotik.com/aboutus) for networking tasks. This
 repository holds a number of [scripts](https://wiki.mikrotik.com/wiki/Manual:Scripting)
 to manage RouterOS devices or extend their functionality.
 
-*Use at your own risk!*
+*Use at your own risk*, pay attention to
+[license and warranty](#license-and-warranty)!
 
 Requirements
 ------------
 
-Latest version of the scripts require at least **RouterOS 6.43** to function
-properly. The changelog lists the corresponding change as follows:
+### Software (RouterOS)
 
-> *) fetch - added "as-value" output format;
+Latest version of the scripts require recent RouterOS to function properly.
+Make sure to install latest updates before you begin. If new functionality
+or a breaking change in RouterOS `7.n` is used in my scripts I push my
+change some time after `7.(n+1)` was released. At any time you should have
+at least two minor and their bugfix releases to choose from.
 
-Specific scripts may require even newer RouterOS version, for example cloud
-backup was added in 6.44.
+Specific scripts may require even newer RouterOS version.
+
+> ℹ️ **Info**: The `main` branch is now RouterOS v7 only. If you are still
+> running RouterOS v6 switch to `routeros-v6` branch!
+
+Starting with RouterOS 7.17 the
+[device-mode](https://help.mikrotik.com/docs/spaces/ROS/pages/93749258/Device-mode)
+has been extended to give more fine-grained control over what features are
+available. You need to enable `scheduler` and `fetch` at least, specific
+scripts may require additional features.
+
+### Hardware
+
+RouterOS packages increase in size with each release. This becomes a
+problem for devices with 16MB storage and below, those with an ARM CPU
+are specifically affected.
+
+Huge configuration and lots of scripts give an extra risk. **Take care!**
 
 Initial setup
 -------------
@@ -25,9 +54,9 @@ Initial setup
 ### Get me ready!
 
 If you know how things work just copy and paste the
-[initial commands](initial-commands). Remember to edit and rerun
-`global-config`!
-First time useres should take the long way below.
+[initial commands](INITIAL-COMMANDS.md). Remember to edit and rerun
+`global-config-overlay`!
+First time users should take the long way below.
 
 ### Live presentation
 
@@ -36,6 +65,9 @@ RouterOS script distribution](https://www.youtube.com/watch?v=B9neG3oAhcY)
 including demonstation recorded live at [MUM Europe
 2019](https://mum.mikrotik.com/2019/EU/) in Vienna.
 
+> ⚠️ **Warning**: Some details changed. So see the presentation, then follow
+> the steps below for up-to-date commands.
+
 ### The long way in detail
 
 The update script does server certificate verification, so first step is to
@@ -43,107 +75,309 @@ download the certificates. If you intend to download the scripts from a
 different location (for example from github.com) install the corresponding
 certificate chain.
 
-    [admin@MikroTik] > / tool fetch "https://git.eworm.de/cgit.cgi/routeros-scripts/plain/certs/letsencrypt.pem" dst-path="letsencrypt.pem"
-          status: finished
-      downloaded: 3KiBC-z pause]
-           total: 3KiB
-        duration: 1s
+    /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem";
+
+![screenshot: download certs](README.d/01-download-certs.avif)
 
 Note that the commands above do *not* verify server certificate, so if you
 want to be safe download with your workstations's browser and transfer the
-files to your MikroTik device.
+file to your MikroTik device.
 
-* [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem.txt)
-* [Let's Encrypt Authority X3](https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt)
+* [ISRG Root X2](https://letsencrypt.org/certs/isrg-root-x2.pem)
 
-Then we import the certificates.
+Then we import the certificate.
 
-    [admin@MikroTik] > / certificate import file-name=letsencrypt.pem passphrase=""
-         certificates-imported: 3
-         private-keys-imported: 0
-                files-imported: 1
-           decryption-failures: 0
-      keys-with-no-certificate: 0
+    /certificate/import file-name="isrg-root-x2.pem" passphrase="";
 
-For basic verification we rename the certifiactes and print their count. Make
-sure the certificate count is **three**.
+Do not worry that the command is not shown - that happens because it contains
+a sensitive property, the passphrase.
 
-    [admin@MikroTik] > / certificate set name="ISRG-Root-X1" [ find where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" ]
-    [admin@MikroTik] > / certificate set name="Let-s-Encrypt-Authority-X3" [ find where fingerprint="731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568" ]
-    [admin@MikroTik] > / certificate set name="DST-Root-CA-X3" [ find where fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" ]
-    [admin@MikroTik] > / certificate print count-only where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" or fingerprint="731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568" or fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
-    3
+![screenshot: import certs](README.d/02-import-certs.avif)
+
+For basic verification we rename the certificate and print it by
+fingerprint. Make sure exactly this one certificate ("*ISRG-Root-X2*")
+is shown.
+
+    /certificate/set name="ISRG-Root-X2" [ find where common-name="ISRG Root X2" ];
+    /certificate/print proplist=name,fingerprint where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
+
+![screenshot: check certs](README.d/03-check-certs.avif)
 
 Always make sure there are no certificates installed you do not know or want!
 
-Actually we do not require the certificate named `DST Root CA X3`, but as it
-is used by `Let's Encrypt` to cross-sign we install it anyway - this makes
-sure things do not go wrong if the intermediate certificate is replaced.
-The IdenTrust certificate *should* be available from their
-[download page](https://www.identrust.com/support/downloads). The site is
-crap and a good example how to *not* do it.
+All following commands will verify the server certificate. For validity the
+certificate's lifetime is checked with local time, so make sure the device's
+date and time is set correctly!
 
 Now let's download the main scripts and add them in configuration on the fly.
 
-    [admin@MikroTik] > :foreach Script in={ "global-config"; "global-functions"; "script-updates" } do={ / system script add name=$Script source=([ / tool fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit.cgi/routeros-scripts/plain/" . $Script) output=user as-value]->"data"); }
+    :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={ /system/script/add name=$Script owner=$Script source=([ /tool/fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit/routeros-scripts/plain/" . $Script . ".rsc") output=user as-value]->"data"); };
 
-The configuration needs to be tweaked for your needs. Make sure not to send
-your mails to `mail@example.com`!
+![screenshot: import scripts](README.d/04-import-scripts.avif)
 
-    [admin@MikroTik] > / system script edit global-config source
+And finally load configuration and functions and add the scheduler.
 
-And finally load configuration and functions and add the schedulers.
+    /system/script { run global-config; run global-functions; };
+    /system/scheduler/add name="global-scripts" start-time=startup on-event="/system/script { run global-config; run global-functions; }";
 
-    [admin@MikroTik] > / system script run global-config
-    [admin@MikroTik] > / system script run global-functions
-    [admin@MikroTik] > / system scheduler add name=global-config start-time=startup on-event=global-config
-    [admin@MikroTik] > / system scheduler add name=global-functions start-time=startup on-event=global-functions
+![screenshot: run and schedule scripts](README.d/05-run-and-schedule-scripts.avif)
+
+### Scheduled automatic updates
+
+The last step is optional: Add this scheduler **only** if you want the
+scripts to be updated automatically!
+
+    /system/scheduler/add name="ScriptInstallUpdate" start-time=startup interval=1d on-event=":global ScriptInstallUpdate; \$ScriptInstallUpdate;";
+
+![screenshot: schedule update](README.d/06-schedule-update.avif)
+
+Editing configuration
+---------------------
+
+The configuration needs to be tweaked for your needs. Edit
+`global-config-overlay`, copy relevant configuration from
+[`global-config`](global-config.rsc) (the one without `-overlay`).
+Save changes and exit with `Ctrl-o`.
+
+    /system/script/edit global-config-overlay source;
+
+![screenshot: edit global-config-overlay](README.d/07-edit-global-config-overlay.avif)
+
+Additionally creating configuration snippets is supported. The script name
+of these snippets has to start with `global-config-overlay.d/` to make them
+being loaded automatically. This allows to split off parts of the
+configuration.
+
+To apply your changes run `global-config`, which will automatically load
+the overlay as well:
+
+    /system/script/run global-config;
+
+![screenshot: apply configuration](README.d/08-apply-configuration.avif)
+
+This last step is required when ever you make changes to your configuration.
+
+> ℹ️ **Info**: It is recommended to edit the configuration using the command
+> line interface. If using Winbox on Windows OS, the line endings may be
+> missing. To fix this run:
+> `/system/script/set source=[ :tocrlf [ get global-config-overlay source ] ] global-config-overlay;`
 
 Updating scripts
 ----------------
 
-To update existing scripts just run `script-updates`.
+To update existing scripts just run function `$ScriptInstallUpdate`. If
+everything is up-to-date it will not produce any output.
 
-    [admin@MikroTik] > / system script run script-updates
+    $ScriptInstallUpdate;
+
+![screenshot: update scripts](README.d/09-update-scripts.avif)
+
+If the update includes news or requires configuration changes a notification
+is sent - in addition to terminal output and log messages.
+
+![news and changes notification](README.d/notification-news-and-changes.avif)
 
 Adding a script
 ---------------
 
-To add a script from the repository create a configuration item first, then
-update scripts to fetch the source.
+To add a script from the repository run function `$ScriptInstallUpdate` with
+a comma separated list of script names.
 
-    [admin@MikroTik] > / system script add name=check-routeros-update
-    [admin@MikroTik] > / system script run script-updates
+    $ScriptInstallUpdate check-certificates,check-routeros-update;
+
+![screenshot: install scripts](README.d/10-install-scripts.avif)
 
 Scheduler and events
 --------------------
 
 Most scripts are designed to run regularly from
 [scheduler](https://wiki.mikrotik.com/wiki/Manual:System/Scheduler). We just
-added `check-routeros-update`, so let's run it every hour to make sure not to
+added `check-routeros-update`, so let's run it daily to make sure not to
 miss an update.
 
-    [admin@MikroTik] > / system scheduler add name=check-routeros-update interval=1h on-event=check-routeros-update
+    /system/scheduler/add name="check-routeros-update" interval=1d start-time=startup on-event="/system/script/run check-routeros-update;";
+
+![screenshot: schedule script](README.d/11-schedule-script.avif)
 
 Some events can run a script. If you want your DHCP hostnames to be available
 in DNS use `dhcp-to-dns` with the events from dhcp server. For a regular
 cleanup add a scheduler entry.
 
-    [admin@MikroTik] > / system script add name=dhcp-to-dns
-    [admin@MikroTik] > / system script run script-updates
-    [admin@MikroTik] > / ip dhcp-server set lease-script=dhcp-to-dns [ find ]
-    [admin@MikroTik] > / system scheduler add name=dhcp-to-dns interval=5m on-event=dhcp-to-dns
+    $ScriptInstallUpdate dhcp-to-dns,lease-script;
+    /ip/dhcp-server/set lease-script=lease-script [ find ];
+    /system/scheduler/add name="dhcp-to-dns" interval=5m on-event="/system/script/run dhcp-to-dns;";
+
+![screenshot: setup lease script](README.d/12-setup-lease-script.avif)
 
 There's much more to explore... Have fun!
 
-### Upstream
+Available scripts
+-----------------
+
+* [Find and remove access list duplicates](doc/accesslist-duplicates.md)
+* [Upload backup to Mikrotik cloud](doc/backup-cloud.md)
+* [Send backup via e-mail](doc/backup-email.md)
+* [Save configuration to fallback partition](doc/backup-partition.md)
+* [Upload backup to server](doc/backup-upload.md)
+* [Download packages for CAP upgrade from CAPsMAN](doc/capsman-download-packages.md)
+* [Run rolling CAP upgrades from CAPsMAN](doc/capsman-rolling-upgrade.md)
+* [Renew locally issued certificates](doc/certificate-renew-issued.md)
+* [Renew certificates and notify on expiration](doc/check-certificates.md)
+* [Notify about health state](doc/check-health.md)
+* [Notify on LTE firmware upgrade](doc/check-lte-firmware-upgrade.md)
+* [Notify on RouterOS update](doc/check-routeros-update.md)
+* [Collect MAC addresses in wireless access list](doc/collect-wireless-mac.md)
+* [Use wireless network with daily psk](doc/daily-psk.md)
+* [Comment DHCP leases with info from access list](doc/dhcp-lease-comment.md)
+* [Create DNS records for DHCP leases](doc/dhcp-to-dns.md)
+* [Automatically upgrade firmware and reboot](doc/firmware-upgrade-reboot.md)
+* [Download, import and update firewall address-lists](doc/fw-addr-lists.md)
+* [Wait for global functions und modules](doc/global-wait.md)
+* [Send GPS position to server](doc/gps-track.md)
+* [Use WPA network with hotspot credentials](doc/hotspot-to-wpa.md)
+* [Create DNS records for IPSec peers](doc/ipsec-to-dns.md)
+* [Update configuration on IPv6 prefix change](doc/ipv6-update.md)
+* [Manage IP addresses with bridge status](doc/ip-addr-bridge.md)
+* [Run other scripts on DHCP lease](doc/lease-script.md)
+* [Manage LEDs dark mode](doc/leds-mode.md)
+* [Forward log messages via notification](doc/log-forward.md)
+* [Mode button with multiple presses](doc/mode-button.md)
+* [Manage DNS and DoH servers from netwatch](doc/netwatch-dns.md)
+* [Notify on host up and down](doc/netwatch-notify.md)
+* [Visualize OSPF state via LEDs](doc/ospf-to-leds.md)
+* [Manage system update](doc/packages-update.md)
+* [Run scripts on ppp connection](doc/ppp-on-up.md)
+* [Act on received SMS](doc/sms-action.md)
+* [Forward received SMS](doc/sms-forward.md)
+* [Play Super Mario theme](doc/super-mario-theme.md)
+* [Chat with your router and send commands via Telegram bot](doc/telegram-chat.md)
+* [Install LTE firmware upgrade](doc/unattended-lte-firmware-upgrade.md)
+* [Update GRE configuration with dynamic addresses](doc/update-gre-address.md)
+* [Update tunnelbroker configuration](doc/update-tunnelbroker.md)
+
+Available modules
+-----------------
+
+* [Manage ports in bridge](doc/mod/bridge-port-to.md)
+* [Manage VLANs on bridge ports](doc/mod/bridge-port-vlan.md)
+* [Inspect variables](doc/mod/inspectvar.md)
+* [IP address calculation](doc/mod/ipcalc.md)
+* [Send notifications via e-mail](doc/mod/notification-email.md)
+* [Send notifications via Matrix](doc/mod/notification-matrix.md)
+* [Send notifications via Ntfy](doc/mod/notification-ntfy.md)
+* [Send notifications via Telegram](doc/mod/notification-telegram.md)
+* [Download script and run it once](doc/mod/scriptrunonce.md)
+* [Import ssh keys for public key authentication](doc/mod/ssh-keys-import.md)
+
+Installing custom scripts & modules
+-----------------------------------
+
+My scripts cover a lot of use cases, but you may have your own ones. You can
+still use my scripts to manage and deploy yours, by specifying `base-url`
+(and `url-suffix`) for each script.
+
+This will fetch and install a script `hello-world.rsc` from the given url:
+
+    $ScriptInstallUpdate hello-world "base-url=https://git.eworm.de/cgit/routeros-scripts-custom/plain/";
+
+![screenshot: install custom script](README.d/13-install-custom-script.avif)
+
+For a script to be considered valid it has to begin with a *magic token*.
+Have a look at [any script](README.d/hello-world.rsc) and copy the first line
+without modification.
+
+Starting a script's name with `mod/` makes it a module and it is run
+automatically by `global-functions`.
+
+### Linked custom scripts & modules
+
+> ⚠️ **Warning**: These links are being provided for your convenience only;
+> they do not constitute an endorsement or an approval by me. I bear no
+> responsibility for the accuracy, legality or content of the external site
+> or for that of subsequent links. Contact the external site for answers to
+> questions regarding its content.
+
+* [Hello World](https://git.eworm.de/cgit/routeros-scripts-custom/about/doc/hello-world.md)
+  (This is a demo script to show how the linking to external documentation
+  will be done.)
+
+> ℹ️ **Info**: You have your own set of scripts and/or modules and want these
+> to be listed here? There should be a general info page that links here,
+> and documentation for each script. You can start by cloning my
+> [Custom RouterOS-Scripts](https://git.eworm.de/cgit/routeros-scripts-custom/)
+> (or fork on [GitHub](https://github.com/eworm-de/routeros-scripts-custom)
+> or [GitLab](https://gitlab.com/eworm-de/routeros-scripts-custom)) and make
+> your changes. Then please [get in contact](#patches-issues-and-whishlist)...
+
+Removing a script
+-----------------
+
+There is no specific function for script removal. Just remove it from
+configuration...
+
+    /system/script/remove to-be-removed;
+
+![screenshot: remove script](README.d/14-remove-script.avif)
+
+Possibly a scheduler and other configuration has to be removed as well.
+
+Contact
+-------
+
+We have a Telegram Group [RouterOS-Scripts](https://t.me/routeros_scripts)!
+
+[![RouterOS Scripts Telegram Group](README.d/telegram-group.avif)](https://t.me/routeros_scripts)
+
+Get help, give feedback or just chat - but do not expect free professional
+support!
+
+Contribute
+----------
+
+Thanks a lot for [past contributions](CONTRIBUTIONS.md)! ❤️
+
+### Patches, issues and whishlist
+
+Feel free to contact me via e-mail or open an
+[issue](https://github.com/eworm-de/routeros-scripts/issues) or
+[pull request](https://github.com/eworm-de/routeros-scripts/pulls)
+at github.
+
+### Donate
+
+This project is developed in private spare time and usage is free of charge
+for you. If you like the scripts and think this is of value for you or your
+business please consider to
+[donate with PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J).
+
+[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=for-the-badge)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
+
+Thanks a lot for your support!
+
+License and warranty
+--------------------
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+[GNU General Public License](COPYING.md) for more details.
+
+Upstream
+--------
+
+[![upstream](README.d/upstream.png)](https://rsc.eworm.de/)
 
 URL:
 [GitHub.com](https://github.com/eworm-de/routeros-scripts#routeros-scripts)
 
 Mirror:
-[eworm.de](https://git.eworm.de/cgit.cgi/routeros-scripts/about/)
+[eworm.de](https://git.eworm.de/cgit/routeros-scripts/about/)
 [GitLab.com](https://gitlab.com/eworm-de/routeros-scripts#routeros-scripts)
 
 ---
-[▲ Go back to top](#top)
+[⬆️ Go back to top](#top)

accesslist-duplicates.capsman

@@ -1,34 +0,0 @@
-#!rsc
-# RouterOS script: accesslist-duplicates.capsman
-# Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
-#
-# print duplicate antries in wireless access list
-#
-# !! Do not edit this file, it is generated from template!
-
-:local Seen [ :toarray "" ];
-:local Shown [ :toarray "" ];
-
-:foreach AccList in=[ / caps-man access-list find where mac-address!="00:00:00:00:00:00" ] do={
-  :local Mac [ / caps-man access-list get $AccList mac-address ];
-  :foreach SeenMac in=$Seen do={
-    :if ($SeenMac = $Mac) do={
-      :local Skip 0;
-      :foreach ShownMac in=$Shown do={
-        :if ($ShownMac = $Mac) do={ :set Skip 1; }
-      }
-      :if ($Skip = 0) do={
-        / caps-man access-list print where mac-address=$Mac;
-        :set Shown ($Shown, $Mac);
-
-        :put "\nNumeric id to remove, any key to skip!";
-        :local Remove ([ :terminal inkey ] - 48);
-        :if ($Remove >= 0 && $Remove <= 9) do={
-          :put ("Removing numeric id " . $Remove . "...\n");
-          / caps-man access-list remove $Remove;
-        }
-      }
-    }
-  }
-  :set Seen ($Seen, $Mac);
-}

accesslist-duplicates.capsman.rsc

@@ -0,0 +1,37 @@
+#!rsc by RouterOS
+# RouterOS script: accesslist-duplicates.capsman
+# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# print duplicate antries in wireless access list
+# https://rsc.eworm.de/doc/accesslist-duplicates.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :local Seen ({});
+
+  :foreach AccList in=[ /caps-man/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
+    :local Mac [ /caps-man/access-list/get $AccList mac-address ];
+    :if ($Seen->$Mac = 1) do={
+      /caps-man/access-list/print where mac-address=$Mac;
+      :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
+
+      :if ([ :typeof $Remove ] = "num") do={
+        :put ("Removing numeric id " . $Remove . "...\n");
+        /caps-man/access-list/remove $Remove;
+      }
+    }
+    :set ($Seen->$Mac) 1;
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

accesslist-duplicates.local

@@ -1,34 +0,0 @@
-#!rsc
-# RouterOS script: accesslist-duplicates.local
-# Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
-#
-# print duplicate antries in wireless access list
-#
-# !! Do not edit this file, it is generated from template!
-
-:local Seen [ :toarray "" ];
-:local Shown [ :toarray "" ];
-
-:foreach AccList in=[ / interface wireless access-list find where mac-address!="00:00:00:00:00:00" ] do={
-  :local Mac [ / interface wireless access-list get $AccList mac-address ];
-  :foreach SeenMac in=$Seen do={
-    :if ($SeenMac = $Mac) do={
-      :local Skip 0;
-      :foreach ShownMac in=$Shown do={
-        :if ($ShownMac = $Mac) do={ :set Skip 1; }
-      }
-      :if ($Skip = 0) do={
-        / interface wireless access-list print where mac-address=$Mac;
-        :set Shown ($Shown, $Mac);
-
-        :put "\nNumeric id to remove, any key to skip!";
-        :local Remove ([ :terminal inkey ] - 48);
-        :if ($Remove >= 0 && $Remove <= 9) do={
-          :put ("Removing numeric id " . $Remove . "...\n");
-          / interface wireless access-list remove $Remove;
-        }
-      }
-    }
-  }
-  :set Seen ($Seen, $Mac);
-}

accesslist-duplicates.local.rsc

@@ -0,0 +1,37 @@
+#!rsc by RouterOS
+# RouterOS script: accesslist-duplicates.local
+# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# print duplicate antries in wireless access list
+# https://rsc.eworm.de/doc/accesslist-duplicates.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :local Seen ({});
+
+  :foreach AccList in=[ /interface/wireless/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
+    :local Mac [ /interface/wireless/access-list/get $AccList mac-address ];
+    :if ($Seen->$Mac = 1) do={
+      /interface/wireless/access-list/print where mac-address=$Mac;
+      :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
+
+      :if ([ :typeof $Remove ] = "num") do={
+        :put ("Removing numeric id " . $Remove . "...\n");
+        /interface/wireless/access-list/remove $Remove;
+      }
+    }
+    :set ($Seen->$Mac) 1;
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

accesslist-duplicates.template

@@ -1,35 +0,0 @@
-#!rsc
-# RouterOS script: accesslist-duplicates%TEMPL%
-# Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
-#
-# print duplicate antries in wireless access list
-#
-# !! This is just a template! Replace '%PATH%' with 'caps-man'
-# !! or 'interface wireless'!
-
-:local Seen [ :toarray "" ];
-:local Shown [ :toarray "" ];
-
-:foreach AccList in=[ / %PATH% access-list find where mac-address!="00:00:00:00:00:00" ] do={
-  :local Mac [ / %PATH% access-list get $AccList mac-address ];
-  :foreach SeenMac in=$Seen do={
-    :if ($SeenMac = $Mac) do={
-      :local Skip 0;
-      :foreach ShownMac in=$Shown do={
-        :if ($ShownMac = $Mac) do={ :set Skip 1; }
-      }
-      :if ($Skip = 0) do={
-        / %PATH% access-list print where mac-address=$Mac;
-        :set Shown ($Shown, $Mac);
-
-        :put "\nNumeric id to remove, any key to skip!";
-        :local Remove ([ :terminal inkey ] - 48);
-        :if ($Remove >= 0 && $Remove <= 9) do={
-          :put ("Removing numeric id " . $Remove . "...\n");
-          / %PATH% access-list remove $Remove;
-        }
-      }
-    }
-  }
-  :set Seen ($Seen, $Mac);
-}

accesslist-duplicates.template.rsc

@@ -0,0 +1,46 @@
+#!rsc by RouterOS
+# RouterOS script: accesslist-duplicates%TEMPL%
+# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# print duplicate antries in wireless access list
+# https://rsc.eworm.de/doc/accesslist-duplicates.md
+#
+# !! This is just a template to generate the real script!
+# !! Pattern '%TEMPL%' is replaced, paths are filtered.
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :local Seen ({});
+
+  :foreach AccList in=[ /caps-man/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
+  :foreach AccList in=[ /interface/wifi/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
+  :foreach AccList in=[ /interface/wireless/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
+    :local Mac [ /caps-man/access-list/get $AccList mac-address ];
+    :local Mac [ /interface/wifi/access-list/get $AccList mac-address ];
+    :local Mac [ /interface/wireless/access-list/get $AccList mac-address ];
+    :if ($Seen->$Mac = 1) do={
+      /caps-man/access-list/print where mac-address=$Mac;
+      /interface/wifi/access-list/print where mac-address=$Mac;
+      /interface/wireless/access-list/print where mac-address=$Mac;
+      :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
+
+      :if ([ :typeof $Remove ] = "num") do={
+        :put ("Removing numeric id " . $Remove . "...\n");
+        /caps-man/access-list/remove $Remove;
+        /interface/wifi/access-list/remove $Remove;
+        /interface/wireless/access-list/remove $Remove;
+      }
+    }
+    :set ($Seen->$Mac) 1;
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

accesslist-duplicates.wifi.rsc

@@ -0,0 +1,37 @@
+#!rsc by RouterOS
+# RouterOS script: accesslist-duplicates.wifi
+# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# print duplicate antries in wireless access list
+# https://rsc.eworm.de/doc/accesslist-duplicates.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :local Seen ({});
+
+  :foreach AccList in=[ /interface/wifi/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
+    :local Mac [ /interface/wifi/access-list/get $AccList mac-address ];
+    :if ($Seen->$Mac = 1) do={
+      /interface/wifi/access-list/print where mac-address=$Mac;
+      :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
+
+      :if ([ :typeof $Remove ] = "num") do={
+        :put ("Removing numeric id " . $Remove . "...\n");
+        /interface/wifi/access-list/remove $Remove;
+      }
+    }
+    :set ($Seen->$Mac) 1;
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

backup-cloud.rsc

@@ -0,0 +1,104 @@
+#!rsc by RouterOS
+# RouterOS script: backup-cloud
+# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: backup-script, order=40
+# requires RouterOS, version=7.15
+#
+# upload backup to MikroTik cloud
+# https://rsc.eworm.de/doc/backup-cloud.md
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global BackupRandomDelay;
+  :global Identity;
+  :global PackagesUpdateBackupFailure;
+
+  :global DeviceInfo;
+  :global FormatLine;
+  :global HumanReadableNum;
+  :global LogPrint;
+  :global MkDir;
+  :global RandomDelay;
+  :global RmDir;
+  :global ScriptFromTerminal;
+  :global ScriptLock;
+  :global SendNotification2;
+  :global SymbolForNotification;
+  :global WaitForFile;
+  :global WaitFullyConnected;
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set PackagesUpdateBackupFailure true;
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
+    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
+    :set PackagesUpdateBackupFailure true;
+    :set ExitOK true;
+    :error false;
+  }
+
+  $WaitFullyConnected;
+
+  :if ([ $ScriptFromTerminal $ScriptName ] = false && $BackupRandomDelay > 0) do={
+    $RandomDelay $BackupRandomDelay;
+  }
+
+  :if ([ $MkDir ("tmpfs/backup-cloud") ] = false) do={
+    $LogPrint error $ScriptName ("Failed creating directory!");
+    :set ExitOK true;
+    :error false;
+  }
+
+  :local I 5;
+  :do {
+    :execute {
+      :global BackupPassword;
+
+      :local Backup ([ /system/backup/cloud/find ]->0);
+      :if ([ :typeof $Backup ] = "id") do={
+        /system/backup/cloud/upload-file action=create-and-upload \
+            password=$BackupPassword replace=$Backup;
+      } else={
+        /system/backup/cloud/upload-file action=create-and-upload \
+            password=$BackupPassword;
+      }
+      /file/add name="tmpfs/backup-cloud/done";
+    } as-string;
+    :set I ($I - 1);
+  } while=([ $WaitForFile "tmpfs/backup-cloud/done" 200ms ] = false && $I > 0);
+
+  :if ([ $WaitForFile "tmpfs/backup-cloud/done" ] = true) do={
+    :if ($I < 4) do={
+      :log warning ($ScriptName . ": Retry successful, please discard previous connection errors.");
+    }
+
+    :local Cloud [ /system/backup/cloud/get ([ find ]->0) ];
+
+    $SendNotification2 ({ origin=$ScriptName; \
+      subject=([ $SymbolForNotification "floppy-disk,cloud" ] . "Cloud backup"); \
+      message=("Uploaded backup for " . $Identity . " to cloud.\n\n" . \
+        [ $DeviceInfo ] . "\n\n" . \
+        [ $FormatLine "Name" ($Cloud->"name") ] . "\n" . \
+        [ $FormatLine "Size" ([ $HumanReadableNum ($Cloud->"size") 1024 ] . "B") ] . "\n" . \
+        [ $FormatLine "Download key" ($Cloud->"secret-download-key") ]); silent=true });
+  } else={
+    $SendNotification2 ({ origin=$ScriptName; \
+      subject=([ $SymbolForNotification "floppy-disk,warning-sign" ] . "Cloud backup failed"); \
+      message=("Failed uploading backup for " . $Identity . " to cloud!\n\n" . [ $DeviceInfo ]) });
+    $LogPrint error $ScriptName ("Failed uploading backup for " . $Identity . " to cloud!");
+    :set PackagesUpdateBackupFailure true;
+  }
+  $RmDir "tmpfs/backup-cloud";
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

backup-email.rsc

@@ -0,0 +1,140 @@
+#!rsc by RouterOS
+# RouterOS script: backup-email
+# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: backup-script, order=20
+# requires RouterOS, version=7.15
+#
+# create and email backup and config file
+# https://rsc.eworm.de/doc/backup-email.md
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global BackupPassword;
+  :global BackupRandomDelay;
+  :global BackupSendBinary;
+  :global BackupSendExport;
+  :global BackupSendGlobalConfig;
+  :global Domain;
+  :global Identity;
+  :global PackagesUpdateBackupFailure;
+
+  :global CleanName;
+  :global DeviceInfo;
+  :global FormatLine;
+  :global LogPrint;
+  :global MkDir;
+  :global RandomDelay;
+  :global ScriptFromTerminal;
+  :global ScriptLock;
+  :global SendEMail2;
+  :global SymbolForNotification;
+  :global WaitForFile;
+  :global WaitFullyConnected;
+
+  :if ([ :typeof $SendEMail2 ] = "nothing") do={
+    $LogPrint error $ScriptName ("The module for sending notifications via e-mail is not installed.");
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ($BackupSendBinary != true && \
+       $BackupSendExport != true) do={
+    $LogPrint error $ScriptName ("Configured to send neither backup nor config export.");
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set PackagesUpdateBackupFailure true;
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
+    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
+    :set PackagesUpdateBackupFailure true;
+    :set ExitOK true;
+    :error false;
+  }
+
+  $WaitFullyConnected;
+
+  :if ([ $ScriptFromTerminal $ScriptName ] = false && $BackupRandomDelay > 0) do={
+    $RandomDelay $BackupRandomDelay;
+  }
+
+  # filename based on identity
+  :local DirName ("tmpfs/" . $ScriptName);
+  :local FileName [ $CleanName ($Identity . "." . $Domain) ];
+  :local FilePath ($DirName . "/" . $FileName);
+  :local BackupFile "none";
+  :local ExportFile "none";
+  :local ConfigFile "none";
+  :local Attach ({});
+
+  :if ([ $MkDir $DirName ] = false) do={
+    $LogPrint error $ScriptName ("Failed creating directory!");
+    :set ExitOK true;
+    :error false;
+  }
+
+  # binary backup
+  :if ($BackupSendBinary = true) do={
+    /system/backup/save encryption=aes-sha256 name=$FilePath password=$BackupPassword;
+    $WaitForFile ($FilePath . ".backup");
+    :set BackupFile ($FileName . ".backup");
+    :set Attach ($Attach, ($FilePath . ".backup"));
+  }
+
+  # create configuration export
+  :if ($BackupSendExport = true) do={
+    /export terse show-sensitive file=$FilePath;
+    $WaitForFile ($FilePath . ".rsc");
+    :set ExportFile ($FileName . ".rsc");
+    :set Attach ($Attach, ($FilePath . ".rsc"));
+  }
+
+  # global-config-overlay
+  :if ($BackupSendGlobalConfig = true) do={
+    # Do *NOT* use '/file/add ...' here, as it is limited to 4095 bytes!
+    :execute script={ :put [ /system/script/get global-config-overlay source ]; } \
+        file=($FilePath . ".conf\00");
+    $WaitForFile ($FilePath . ".conf");
+    :set ConfigFile ($FileName . ".conf");
+    :set Attach ($Attach, ($FilePath . ".conf"));
+  }
+
+  # send email with status and files
+  $SendEMail2 ({ origin=$ScriptName; \
+    subject=([ $SymbolForNotification "floppy-disk,incoming-envelope" ] . \
+      "Backup & Config"); \
+    message=("See attached files for backup and config export for " . \
+      $Identity . ".\n\n" . \
+      [ $DeviceInfo ] . "\n\n" . \
+      [ $FormatLine "Backup file" $BackupFile ] . "\n" . \
+      [ $FormatLine "Export file" $ExportFile ] . "\n" . \
+      [ $FormatLine "Config file" $ConfigFile ]); \
+    attach=$Attach; remove-attach=true });
+
+  # wait for the mail to be sent
+  :local I 0;
+  :while ([ :len [ /file/find where name ~ ($FilePath . "\\.(backup|rsc)\$") ] ] > 0) do={
+    :if ($I >= 120) do={
+      $LogPrint warning $ScriptName ("Files are still available, sending e-mail failed.");
+      :set PackagesUpdateBackupFailure true;
+      :set ExitOK true;
+      :error false;
+    }
+    :delay 1s;
+    :set I ($I + 1);
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

backup-partition.rsc

@@ -0,0 +1,126 @@
+#!rsc by RouterOS
+# RouterOS script: backup-partition
+# Copyright (c) 2022-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: backup-script, order=70
+# requires RouterOS, version=7.15
+# requires device-mode, scheduler
+#
+# save configuration to fallback partition
+# https://rsc.eworm.de/doc/backup-partition.md
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global BackupPartitionCopyBeforeFeatureUpdate;
+  :global PackagesUpdateBackupFailure;
+
+  :global LogPrint;
+  :global ScriptFromTerminal;
+  :global ScriptLock;
+  :global VersionToNum;
+
+  :local CopyTo do={
+    :local ScriptName     [ :tostr $1 ];
+    :local FallbackTo     [ :toid  $2 ];
+    :local FallbackToName [ :tostr $3 ];
+
+    :global LogPrint;
+
+    :do {
+      /partitions/copy-to $FallbackTo;
+      $LogPrint info $ScriptName ("Copied RouterOS to partition '" . $FallbackToName . "'.");
+      :return true;
+    } on-error={
+      $LogPrint error $ScriptName ("Failed copying RouterOS to partition '" . $FallbackToName . "'!");
+      :return false;
+    }
+  }
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set PackagesUpdateBackupFailure true;
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
+    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
+    :set PackagesUpdateBackupFailure true;
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :len [ /partitions/find ] ] < 2) do={
+    $LogPrint error $ScriptName ("Device does not have a fallback partition.");
+    :set PackagesUpdateBackupFailure true;
+    :set ExitOK true;
+    :error false;
+  }
+
+  :local ActiveRunning [ /partitions/find where active running ];
+
+  :if ([ :len $ActiveRunning ] < 1) do={
+    $LogPrint error $ScriptName ("Device is not running from active partition.");
+    :set PackagesUpdateBackupFailure true;
+    :set ExitOK true;
+    :error false;
+  }
+
+  :local FallbackToName [ /partitions/get $ActiveRunning fallback-to ];
+  :local FallbackTo [ /partition/find where name=$FallbackToName !active ];
+
+  :if ([ :len $FallbackTo ] < 1) do={
+    $LogPrint error $ScriptName ("There is no inactive partition named '" . $FallbackToName . "'.");
+    :set PackagesUpdateBackupFailure true;
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ /partitions/get $ActiveRunning version ] != [ /partitions/get $FallbackTo version]) do={
+    :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
+      :put ("The partitions have different RouterOS versions. Copy over to '" . $FallbackToName . "'? [y/N]");
+      :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
+        :if ([ $CopyTo $ScriptName $FallbackTo $FallbackToName ] = false) do={
+          :set PackagesUpdateBackupFailure true;
+          :set ExitOK true;
+          :error false;
+        }
+      }
+    } else={
+      :local Update [ /system/package/update/get ];
+      :local NumInstalled [ $VersionToNum ($Update->"installed-version") ];
+      :local NumLatest [ $VersionToNum ($Update->"latest-version") ];
+      :local BitMask [ $VersionToNum "255.255zero0" ];
+      :if ($BackupPartitionCopyBeforeFeatureUpdate = true && $NumLatest > 0 && \
+           ($NumInstalled & $BitMask) != ($NumLatest & $BitMask)) do={
+        :if ([ $CopyTo $ScriptName $FallbackTo $FallbackToName ] = false) do={
+          :set PackagesUpdateBackupFailure true;
+          :set ExitOK true;
+          :error false;
+        }
+      }
+    }
+  }
+
+  :do {
+    /system/scheduler/add start-time=startup name="running-from-backup-partition" \
+        on-event=(":log warning (\"Running from partition '\" . " . \
+        "[ /partitions/get [ find where running ] name ] . \"'!\")");
+    /partitions/save-config-to $FallbackTo;
+    /system/scheduler/remove "running-from-backup-partition";
+    $LogPrint info $ScriptName ("Saved configuration to partition '" . $FallbackToName . "'.");
+  } on-error={
+    /system/scheduler/remove [ find where name="running-from-backup-partition" ];
+    $LogPrint error $ScriptName ("Failed saving configuration to partition '" . $FallbackToName . "'!");
+    :set PackagesUpdateBackupFailure true;
+    :set ExitOK true;
+    :error false;
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

backup-upload.rsc

@@ -0,0 +1,178 @@
+#!rsc by RouterOS
+# RouterOS script: backup-upload
+# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: backup-script, order=50
+# requires RouterOS, version=7.15
+# requires device-mode, fetch
+#
+# create and upload backup and config file
+# https://rsc.eworm.de/doc/backup-upload.md
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global BackupPassword;
+  :global BackupRandomDelay;
+  :global BackupSendBinary;
+  :global BackupSendExport;
+  :global BackupSendGlobalConfig;
+  :global BackupUploadPass;
+  :global BackupUploadUrl;
+  :global BackupUploadUser;
+  :global Domain;
+  :global Identity;
+  :global PackagesUpdateBackupFailure;
+
+  :global CleanName;
+  :global DeviceInfo;
+  :global IfThenElse;
+  :global LogPrint;
+  :global MkDir;
+  :global RandomDelay;
+  :global RmDir;
+  :global RmFile;
+  :global ScriptFromTerminal;
+  :global ScriptLock;
+  :global SendNotification2;
+  :global SymbolForNotification;
+  :global WaitForFile;
+  :global WaitFullyConnected;
+
+  :if ($BackupSendBinary != true && \
+       $BackupSendExport != true) do={
+    $LogPrint error $ScriptName ("Configured to send neither backup nor config export.");
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set PackagesUpdateBackupFailure true;
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
+    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
+    :set PackagesUpdateBackupFailure true;
+    :set ExitOK true;
+    :error false;
+  }
+
+  $WaitFullyConnected;
+
+  :if ([ $ScriptFromTerminal $ScriptName ] = false && $BackupRandomDelay > 0) do={
+    $RandomDelay $BackupRandomDelay;
+  }
+
+  # filename based on identity
+  :local DirName ("tmpfs/" . $ScriptName);
+  :local FileName [ $CleanName ($Identity . "." . $Domain) ];
+  :local FilePath ($DirName . "/" . $FileName);
+  :local BackupFile "none";
+  :local ExportFile "none";
+  :local ConfigFile "none";
+  :local Failed 0;
+
+  :if ([ $MkDir $DirName ] = false) do={
+    $LogPrint error $ScriptName ("Failed creating directory!");
+    :set ExitOK true;
+    :error false;
+  }
+
+  # binary backup
+  :if ($BackupSendBinary = true) do={
+    /system/backup/save encryption=aes-sha256 name=$FilePath password=$BackupPassword;
+    $WaitForFile ($FilePath . ".backup");
+
+    :do {
+      /tool/fetch upload=yes url=($BackupUploadUrl . "/" . $FileName . ".backup") \
+          user=$BackupUploadUser password=$BackupUploadPass src-path=($FilePath . ".backup");
+      :set BackupFile [ /file/get ($FilePath . ".backup") ];
+      :set ($BackupFile->"name") ($FileName . ".backup");
+    } on-error={
+      $LogPrint error $ScriptName ("Uploading backup file failed!");
+      :set BackupFile "failed";
+      :set Failed 1;
+    }
+
+    $RmFile ($FilePath . ".backup");
+  }
+
+  # create configuration export
+  :if ($BackupSendExport = true) do={
+    /export terse show-sensitive file=$FilePath;
+    $WaitForFile ($FilePath . ".rsc");
+
+    :do {
+      /tool/fetch upload=yes url=($BackupUploadUrl . "/" . $FileName . ".rsc") \
+          user=$BackupUploadUser password=$BackupUploadPass src-path=($FilePath . ".rsc");
+      :set ExportFile [ /file/get ($FilePath . ".rsc") ];
+      :set ($ExportFile->"name") ($FileName . ".rsc");
+    } on-error={
+      $LogPrint error $ScriptName ("Uploading configuration export failed!");
+      :set ExportFile "failed";
+      :set Failed 1;
+    }
+
+    $RmFile ($FilePath . ".rsc");
+  }
+
+  # global-config-overlay
+  :if ($BackupSendGlobalConfig = true) do={
+    # Do *NOT* use '/file/add ...' here, as it is limited to 4095 bytes!
+    :execute script={ :put [ /system/script/get global-config-overlay source ]; } \
+        file=($FilePath . ".conf\00");
+    $WaitForFile ($FilePath . ".conf");
+
+    :do {
+      /tool/fetch upload=yes url=($BackupUploadUrl . "/" . $FileName . ".conf") \
+          user=$BackupUploadUser password=$BackupUploadPass src-path=($FilePath . ".conf");
+      :set ConfigFile [ /file/get ($FilePath . ".conf") ];
+      :set ($ConfigFile->"name") ($FileName . ".conf");
+    } on-error={
+      $LogPrint error $ScriptName ("Uploading global-config-overlay failed!");
+      :set ConfigFile "failed";
+      :set Failed 1;
+    }
+
+    $RmFile ($FilePath . ".conf");
+  }
+
+  :local FileInfo do={
+    :local Name $1;
+    :local File $2;
+
+    :global FormatLine;
+    :global HumanReadableNum;
+    :global IfThenElse;
+
+    :return \
+      [ $IfThenElse ([ :typeof $File ] = "array") \
+        ($Name . ":\n" . [ $FormatLine "    name" ($File->"name") ] . "\n" . \
+          [ $FormatLine "    size" ([ $HumanReadableNum ($File->"size") 1024 ] . "B") ]) \
+        [ $FormatLine $Name $File ] ];
+  }
+
+  $SendNotification2 ({ origin=$ScriptName; \
+    subject=[ $IfThenElse ($Failed > 0) \
+      ([ $SymbolForNotification "floppy-disk,warning-sign" ] . "Backup & Config upload with failure") \
+      ([ $SymbolForNotification "floppy-disk,arrow-up" ] . "Backup & Config upload") ]; \
+    message=("Backup and config export upload for " . $Identity . ".\n\n" . \
+      [ $DeviceInfo ] . "\n\n" . \
+      [ $FileInfo "Backup file" $BackupFile ] . "\n" . \
+      [ $FileInfo "Export file" $ExportFile ] . "\n" . \
+      [ $FileInfo "Config file" $ConfigFile ]); silent=true });
+
+  :if ($Failed = 1) do={
+    :set PackagesUpdateBackupFailure true;
+  }
+  $RmDir $DirName;
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

bridge-port-to-default

@@ -1,31 +0,0 @@
-#!rsc
-# RouterOS script: bridge-port-to-default
-# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
-#
-# reset bridge ports to default bridge
-
-:global BridgePortTo;
-
-:local Len ([ :len $BridgePortTo ] + 1);
-
-:if ($Len = 1) do={
-  :delay 1s;
-  :set Len ([ :len $BridgePortTo ] + 1);
-}
-
-:foreach Interface in=[ / interface bridge port find where comment!="" ] do={
-  :foreach Comment in=[ :toarray [ / interface bridge port get $Interface comment ] ] do={
-    :if ([ :pick $Comment 0 $Len ] = ($BridgePortTo . ":")) do={
-      :local InterfaceName [ / interface bridge port get $Interface interface ];
-      :local BridgeDefault [ :pick $Comment $Len [ :len $Comment ] ];
-      :local BridgeCurrent [ / interface bridge port get $Interface bridge ];
-      :if ($BridgeDefault != $BridgeCurrent) do={
-        :log info ("Changing interface " . $InterfaceName . " to " . $BridgePortTo . " bridge " . $BridgeDefault);
-        / interface bridge port set bridge=$BridgeDefault $Interface;
-        / ip dhcp-client renew [ find where interface=$BridgeDefault ];
-      } else={
-        :log debug ("Interface " . $InterfaceName . " already connected to " . $BridgePortTo . " bridge " . $BridgeDefault);
-      }
-    }
-  }
-}

bridge-port-toggle

@@ -1,15 +0,0 @@
-#!rsc
-# RouterOS script: bridge-port-toggle
-# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
-#
-# toggle bridge ports between default and alt bridge
-
-:global BridgePortTo;
-
-:if ($BridgePortTo != "default") do={
-  :set BridgePortTo "default";
-} else={
-  :set BridgePortTo "alt";
-}
-
-/ system script run bridge-port-to-default;

capsman-download-packages

@@ -1,39 +0,0 @@
-#!rsc
-# RouterOS script: capsman-download-packages
-# Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-#
-# requires: dont-require-permissions=yes
-#
-# download and cleanup packages for CAP installation from CAPsMAN
-
-:global DownloadPackage;
-:global CleanFilePath;
-
-:local PackagePath [ $CleanFilePath [ / caps-man manager get package-path ] ];
-:local InstalledVersion [ / system package update get installed-version ];
-:local Updated false;
-
-:foreach Package in=[ / file find where type=package \
-      package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
-  :local PackageName [ / file get $Package package-name ];
-  :local PackageArchitecture [ / file get $Package package-architecture ];
-  :if ($PackageArchitecture = "mips") do={
-    :set PackageArchitecture "mipsbe";
-  }
-  :if ($PackageName = "wireless@") do={
-    :set PackageName "wireless";
-  }
-  :if ([ $DownloadPackage $PackageName $InstalledVersion $PackageArchitecture $PackagePath ] = true) do={
-    :set Updated true;
-    / file remove $Package;
-  }
-}
-
-:if ($Updated = true) do={
-  :if ([ / system script print count-only where name="capsman-rolling-upgrade" ] > 0) do={
-    / system script run capsman-rolling-upgrade;
-  } else={
-    / caps-man remote-cap upgrade [ find where version!=$InstalledVersion ];
-  }
-}

capsman-download-packages.capsman.rsc

@@ -0,0 +1,92 @@
+#!rsc by RouterOS
+# RouterOS script: capsman-download-packages.capsman
+# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# download and cleanup packages for CAP installation from CAPsMAN
+# https://rsc.eworm.de/doc/capsman-download-packages.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global CleanFilePath;
+  :global DownloadPackage;
+  :global LogPrint;
+  :global MkDir;
+  :global RmFile;
+  :global ScriptLock;
+  :global WaitFullyConnected;
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+  $WaitFullyConnected;
+
+  :local PackagePath [ $CleanFilePath [ /caps-man/manager/get package-path ] ];
+  :local InstalledVersion [ /system/package/update/get installed-version ];
+  :local Updated false;
+
+  :if ([ :len $PackagePath ] = 0) do={
+    $LogPrint warning $ScriptName ("The CAPsMAN package path is not defined, can not download packages.");
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :len [ /file/find where name=$PackagePath type="directory" ] ] = 0) do={
+    :if ([ $MkDir $PackagePath ] = false) do={
+      $LogPrint warning $ScriptName ("Creating directory at CAPsMAN package path (" . \
+        $PackagePath . ") failed!");
+      :set ExitOK true;
+      :error false;
+    }
+    $LogPrint info $ScriptName ("Created directory at CAPsMAN package path (" . $PackagePath . \
+      "). Please place your packages!");
+  }
+
+  :foreach Package in=[ /file/find where type=package \
+        package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
+    :local File [ /file/get $Package ];
+    :if ($File->"package-architecture" = "mips") do={
+      :set ($File->"package-architecture") "mipsbe";
+    }
+    :if ([ $DownloadPackage ($File->"package-name") $InstalledVersion \
+         ($File->"package-architecture") $PackagePath ] = true) do={
+      :set Updated true;
+      $RmFile ($File->"name");
+    }
+  }
+
+  :if ([ :len [ /file/find where type=package name~("^" . $PackagePath) ] ] = 0) do={
+    $LogPrint info $ScriptName ("No packages available, downloading default set.");
+    :foreach Arch in={ "arm"; "mipsbe" } do={
+      :foreach Package in={ "routeros"; "wireless" } do={
+        :if ([ $DownloadPackage $Package $InstalledVersion $Arch $PackagePath ] = true) do={
+          :set Updated true;
+        }
+      }
+    }
+  }
+
+  :if ($Updated = true) do={
+    :local Scripts [ /system/script/find where source~"\n# provides: capsman-rolling-upgrade.capsman\r?\n" ];
+    :if ([ :len $Scripts ] > 0) do={
+      :foreach Script in=$Scripts do={
+        /system/script/run $Script;
+      }
+    } else={
+      /caps-man/remote-cap/upgrade [ find where version!=$InstalledVersion ];
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

capsman-download-packages.template.rsc

@@ -0,0 +1,103 @@
+#!rsc by RouterOS
+# RouterOS script: capsman-download-packages%TEMPL%
+# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# download and cleanup packages for CAP installation from CAPsMAN
+# https://rsc.eworm.de/doc/capsman-download-packages.md
+#
+# !! This is just a template to generate the real script!
+# !! Pattern '%TEMPL%' is replaced, paths are filtered.
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global CleanFilePath;
+  :global DownloadPackage;
+  :global LogPrint;
+  :global MkDir;
+  :global RmFile;
+  :global ScriptLock;
+  :global WaitFullyConnected;
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+  $WaitFullyConnected;
+
+  :local PackagePath [ $CleanFilePath [ /caps-man/manager/get package-path ] ];
+  :local PackagePath [ $CleanFilePath [ /interface/wifi/capsman/get package-path ] ];
+  :local InstalledVersion [ /system/package/update/get installed-version ];
+  :local Updated false;
+
+  :if ([ :len $PackagePath ] = 0) do={
+    $LogPrint warning $ScriptName ("The CAPsMAN package path is not defined, can not download packages.");
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :len [ /file/find where name=$PackagePath type="directory" ] ] = 0) do={
+    :if ([ $MkDir $PackagePath ] = false) do={
+      $LogPrint warning $ScriptName ("Creating directory at CAPsMAN package path (" . \
+        $PackagePath . ") failed!");
+      :set ExitOK true;
+      :error false;
+    }
+    $LogPrint info $ScriptName ("Created directory at CAPsMAN package path (" . $PackagePath . \
+      "). Please place your packages!");
+  }
+
+  :foreach Package in=[ /file/find where type=package \
+        package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
+    :local File [ /file/get $Package ];
+    :if ($File->"package-architecture" = "mips") do={
+      :set ($File->"package-architecture") "mipsbe";
+    }
+    :if ([ $DownloadPackage ($File->"package-name") $InstalledVersion \
+         ($File->"package-architecture") $PackagePath ] = true) do={
+      :set Updated true;
+      $RmFile ($File->"name");
+    }
+  }
+
+  :if ([ :len [ /file/find where type=package name~("^" . $PackagePath) ] ] = 0) do={
+    $LogPrint info $ScriptName ("No packages available, downloading default set.");
+# NOT /interface/wifi/ #
+    :foreach Arch in={ "arm"; "mipsbe" } do={
+      :foreach Package in={ "routeros"; "wireless" } do={
+# NOT /interface/wifi/ #
+# NOT /caps-man/ #
+    :foreach Arch in={ "arm"; "arm64" } do={
+      :local Packages { "arm"={ "routeros"; "wifi-qcom"; "wifi-qcom-ac" };
+                      "arm64"={ "routeros"; "wifi-qcom" } };
+      :foreach Package in=($Packages->$Arch) do={
+# NOT /caps-man/ #
+        :if ([ $DownloadPackage $Package $InstalledVersion $Arch $PackagePath ] = true) do={
+          :set Updated true;
+        }
+      }
+    }
+  }
+
+  :if ($Updated = true) do={
+    :local Scripts [ /system/script/find where source~"\n# provides: capsman-rolling-upgrade%TEMPL%\r?\n" ];
+    :if ([ :len $Scripts ] > 0) do={
+      :foreach Script in=$Scripts do={
+        /system/script/run $Script;
+      }
+    } else={
+      /caps-man/remote-cap/upgrade [ find where version!=$InstalledVersion ];
+      /interface/wifi/capsman/remote-cap/upgrade [ find where version!=$InstalledVersion ];
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

capsman-download-packages.wifi.rsc

@@ -0,0 +1,94 @@
+#!rsc by RouterOS
+# RouterOS script: capsman-download-packages.wifi
+# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# download and cleanup packages for CAP installation from CAPsMAN
+# https://rsc.eworm.de/doc/capsman-download-packages.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global CleanFilePath;
+  :global DownloadPackage;
+  :global LogPrint;
+  :global MkDir;
+  :global RmFile;
+  :global ScriptLock;
+  :global WaitFullyConnected;
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+  $WaitFullyConnected;
+
+  :local PackagePath [ $CleanFilePath [ /interface/wifi/capsman/get package-path ] ];
+  :local InstalledVersion [ /system/package/update/get installed-version ];
+  :local Updated false;
+
+  :if ([ :len $PackagePath ] = 0) do={
+    $LogPrint warning $ScriptName ("The CAPsMAN package path is not defined, can not download packages.");
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :len [ /file/find where name=$PackagePath type="directory" ] ] = 0) do={
+    :if ([ $MkDir $PackagePath ] = false) do={
+      $LogPrint warning $ScriptName ("Creating directory at CAPsMAN package path (" . \
+        $PackagePath . ") failed!");
+      :set ExitOK true;
+      :error false;
+    }
+    $LogPrint info $ScriptName ("Created directory at CAPsMAN package path (" . $PackagePath . \
+      "). Please place your packages!");
+  }
+
+  :foreach Package in=[ /file/find where type=package \
+        package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
+    :local File [ /file/get $Package ];
+    :if ($File->"package-architecture" = "mips") do={
+      :set ($File->"package-architecture") "mipsbe";
+    }
+    :if ([ $DownloadPackage ($File->"package-name") $InstalledVersion \
+         ($File->"package-architecture") $PackagePath ] = true) do={
+      :set Updated true;
+      $RmFile ($File->"name");
+    }
+  }
+
+  :if ([ :len [ /file/find where type=package name~("^" . $PackagePath) ] ] = 0) do={
+    $LogPrint info $ScriptName ("No packages available, downloading default set.");
+    :foreach Arch in={ "arm"; "arm64" } do={
+      :local Packages { "arm"={ "routeros"; "wifi-qcom"; "wifi-qcom-ac" };
+                      "arm64"={ "routeros"; "wifi-qcom" } };
+      :foreach Package in=($Packages->$Arch) do={
+        :if ([ $DownloadPackage $Package $InstalledVersion $Arch $PackagePath ] = true) do={
+          :set Updated true;
+        }
+      }
+    }
+  }
+
+  :if ($Updated = true) do={
+    :local Scripts [ /system/script/find where source~"\n# provides: capsman-rolling-upgrade.wifi\r?\n" ];
+    :if ([ :len $Scripts ] > 0) do={
+      :foreach Script in=$Scripts do={
+        /system/script/run $Script;
+      }
+    } else={
+      /interface/wifi/capsman/remote-cap/upgrade [ find where version!=$InstalledVersion ];
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

capsman-rolling-upgrade

@@ -1,20 +0,0 @@
-#!rsc
-# RouterOS script: capsman-rolling-upgrade
-# Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-#
-# upgrade CAPs one after another
-
-:local InstalledVersion [ / system package update get installed-version ];
-
-:local RemoteCapCount [ /caps-man remote-cap print count-only ];
-:if ($RemoteCapCount > 0) do={
-  :local Delay (600 / $RemoteCapCount);
-  :if ($Delay > 120) do={ :set Delay 120; }
-  :foreach RemoteCap in=[ / caps-man remote-cap find where version!=$InstalledVersion ] do={
-    :local RemoteCapName [ / caps-man remote-cap get $RemoteCap name ];
-    :log debug ("Starting upgrade for CAP " . $RemoteCapName . "...");
-    / caps-man remote-cap upgrade $RemoteCap;
-    :delay ($Delay . "s");
-  }
-}

capsman-rolling-upgrade.capsman.rsc

@@ -0,0 +1,50 @@
+#!rsc by RouterOS
+# RouterOS script: capsman-rolling-upgrade.capsman
+# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: capsman-rolling-upgrade.capsman
+# requires RouterOS, version=7.15
+#
+# upgrade CAPs one after another
+# https://rsc.eworm.de/doc/capsman-rolling-upgrade.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global LogPrint;
+  :global ScriptLock;
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+
+  :local InstalledVersion [ /system/package/update/get installed-version ];
+
+  :local RemoteCapCount [ :len [ /caps-man/remote-cap/find ] ];
+  :if ($RemoteCapCount > 0) do={
+    :local Delay (600 / $RemoteCapCount);
+    :if ($Delay > 120) do={ :set Delay 120; }
+    :foreach RemoteCap in=[ /caps-man/remote-cap/find where version!=$InstalledVersion ] do={
+      :local RemoteCapVal [ /caps-man/remote-cap/get $RemoteCap ];
+      :if ([ :len $RemoteCapVal ] > 1) do={
+        $LogPrint info $ScriptName ("Starting upgrade for " . $RemoteCapVal->"name" . \
+          " (" . $RemoteCapVal->"identity" . ")...");
+        /caps-man/remote-cap/upgrade $RemoteCap;
+      } else={
+        $LogPrint warning $ScriptName ("Remote CAP vanished, skipping upgrade.");
+      }
+      :delay ($Delay . "s");
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

capsman-rolling-upgrade.template.rsc

@@ -0,0 +1,58 @@
+#!rsc by RouterOS
+# RouterOS script: capsman-rolling-upgrade%TEMPL%
+# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: capsman-rolling-upgrade%TEMPL%
+# requires RouterOS, version=7.15
+#
+# upgrade CAPs one after another
+# https://rsc.eworm.de/doc/capsman-rolling-upgrade.md
+#
+# !! This is just a template to generate the real script!
+# !! Pattern '%TEMPL%' is replaced, paths are filtered.
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global LogPrint;
+  :global ScriptLock;
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+
+  :local InstalledVersion [ /system/package/update/get installed-version ];
+
+  :local RemoteCapCount [ :len [ /caps-man/remote-cap/find ] ];
+  :local RemoteCapCount [ :len [ /interface/wifi/capsman/remote-cap/find ] ];
+  :if ($RemoteCapCount > 0) do={
+    :local Delay (600 / $RemoteCapCount);
+    :if ($Delay > 120) do={ :set Delay 120; }
+    :foreach RemoteCap in=[ /caps-man/remote-cap/find where version!=$InstalledVersion ] do={
+    :foreach RemoteCap in=[ /interface/wifi/capsman/remote-cap/find where version!=$InstalledVersion ] do={
+      :local RemoteCapVal [ /caps-man/remote-cap/get $RemoteCap ];
+      :local RemoteCapVal [ /interface/wifi/capsman/remote-cap/get $RemoteCap ];
+      :if ([ :len $RemoteCapVal ] > 1) do={
+# NOT /caps-man/ #
+        :set ($RemoteCapVal->"name") ($RemoteCapVal->"common-name");
+# NOT /caps-man/ #
+        $LogPrint info $ScriptName ("Starting upgrade for " . $RemoteCapVal->"name" . \
+          " (" . $RemoteCapVal->"identity" . ")...");
+        /caps-man/remote-cap/upgrade $RemoteCap;
+        /interface/wifi/capsman/remote-cap/upgrade $RemoteCap;
+      } else={
+        $LogPrint warning $ScriptName ("Remote CAP vanished, skipping upgrade.");
+      }
+      :delay ($Delay . "s");
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

capsman-rolling-upgrade.wifi.rsc

@@ -0,0 +1,51 @@
+#!rsc by RouterOS
+# RouterOS script: capsman-rolling-upgrade.wifi
+# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: capsman-rolling-upgrade.wifi
+# requires RouterOS, version=7.15
+#
+# upgrade CAPs one after another
+# https://rsc.eworm.de/doc/capsman-rolling-upgrade.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global LogPrint;
+  :global ScriptLock;
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+
+  :local InstalledVersion [ /system/package/update/get installed-version ];
+
+  :local RemoteCapCount [ :len [ /interface/wifi/capsman/remote-cap/find ] ];
+  :if ($RemoteCapCount > 0) do={
+    :local Delay (600 / $RemoteCapCount);
+    :if ($Delay > 120) do={ :set Delay 120; }
+    :foreach RemoteCap in=[ /interface/wifi/capsman/remote-cap/find where version!=$InstalledVersion ] do={
+      :local RemoteCapVal [ /interface/wifi/capsman/remote-cap/get $RemoteCap ];
+      :if ([ :len $RemoteCapVal ] > 1) do={
+        :set ($RemoteCapVal->"name") ($RemoteCapVal->"common-name");
+        $LogPrint info $ScriptName ("Starting upgrade for " . $RemoteCapVal->"name" . \
+          " (" . $RemoteCapVal->"identity" . ")...");
+        /interface/wifi/capsman/remote-cap/upgrade $RemoteCap;
+      } else={
+        $LogPrint warning $ScriptName ("Remote CAP vanished, skipping upgrade.");
+      }
+      :delay ($Delay . "s");
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

certificate-renew-issued.rsc

@@ -0,0 +1,52 @@
+#!rsc by RouterOS
+# RouterOS script: certificate-renew-issued
+# Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# renew locally issued certificates
+# https://rsc.eworm.de/doc/certificate-renew-issued.md
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global CertIssuedExportPass;
+
+  :global LogPrint;
+  :global MkDir;
+  :global ScriptLock;
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+
+  :foreach Cert in=[ /certificate/find where issued expires-after<3w ] do={
+    :local CertVal [ /certificate/get $Cert ];
+    /certificate/issued-revoke $Cert;
+    /certificate/set name=($CertVal->"name" . "-revoked-" . [ /system/clock/get date ]) $Cert;
+    /certificate/add name=($CertVal->"name") common-name=($CertVal->"common-name") \
+        key-usage=($CertVal->"key-usage") subject-alt-name=($CertVal->"subject-alt-name");
+    /certificate/sign ($CertVal->"name") ca=($CertVal->"ca");
+    :if ([ :typeof ($CertIssuedExportPass->($CertVal->"common-name")) ] = "str") do={
+      :if ([ $MkDir "cert-issued" ] = true) do={
+        /certificate/export-certificate ($CertVal->"name") type=pkcs12 \
+            file-name=("cert-issued/" . $CertVal->"common-name") \
+            export-passphrase=($CertIssuedExportPass->($CertVal->"common-name"));
+        $LogPrint info $ScriptName ("Issued a new certificate for '" . $CertVal->"common-name" . \
+          "', exported to 'cert-issued/" . $CertVal->"common-name" . ".p12'.");
+      } else={
+        $LogPrint warning $ScriptName ("Failed creating directory, not exporting certificate.");
+      }
+    } else={
+      $LogPrint info $ScriptName ("Issued a new certificate for '" . $CertVal->"common-name" . "'.");
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

certs/Certum-Trusted-Network-CA.pem

@@ -0,0 +1,29 @@
+# Issuer: CN=Certum Trusted Network CA O=Unizeto Technologies S.A. OU=Certum Certification Authority
+# Subject: CN=Certum Trusted Network CA O=Unizeto Technologies S.A. OU=Certum Certification Authority
+# Label: "Certum Trusted Network CA"
+# Serial: 279744
+# MD5 Fingerprint: d5:e9:81:40:c5:18:69:fc:46:2c:89:75:62:0f:aa:78
+# SHA1 Fingerprint: 07:e0:32:e0:20:b7:2c:3f:19:2f:06:28:a2:59:3a:19:a7:0f:06:9e
+# SHA256 Fingerprint: 5c:58:46:8d:55:f5:8e:49:7e:74:39:82:d2:b5:00:10:b6:d1:65:37:4a:cf:83:a7:d4:a3:2d:b7:68:c4:40:8e
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
+MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
+ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
+cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3
+WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg
+Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw
+IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH
+UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM
+TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU
+BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM
+kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x
+AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV
+HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y
+sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL
+I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8
+J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY
+VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
+03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw=
+-----END CERTIFICATE-----

certs/DigiCert-Global-Root-G2.pem

@@ -0,0 +1,29 @@
+# Issuer: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
+# Subject: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
+# Label: "DigiCert Global Root G2"
+# Serial: 4293743540046975378534879503202253541
+# MD5 Fingerprint: e4:a6:8a:c8:54:ac:52:42:46:0a:fd:72:48:1b:2a:44
+# SHA1 Fingerprint: df:3c:24:f9:bf:d6:66:76:1b:26:80:73:fe:06:d1:cc:8d:4f:82:a4
+# SHA256 Fingerprint: cb:3c:cb:b7:60:31:e5:e0:13:8f:8d:d3:9a:23:f9:de:47:ff:c3:5e:43:c1:14:4c:ea:27:d4:6a:5a:b1:cb:5f
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
+MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
+2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
+1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
+q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
+tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
+vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
+BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
+5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
+1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
+NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
+Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
+8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
+pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
+MrY=
+-----END CERTIFICATE-----

certs/DigiCert-Global-Root-G3.pem

@@ -0,0 +1,22 @@
+# Issuer: CN=DigiCert Global Root G3 O=DigiCert Inc OU=www.digicert.com
+# Subject: CN=DigiCert Global Root G3 O=DigiCert Inc OU=www.digicert.com
+# Label: "DigiCert Global Root G3"
+# Serial: 7089244469030293291760083333884364146
+# MD5 Fingerprint: f5:5d:a4:50:a5:fb:28:7e:1e:0f:0d:cc:96:57:56:ca
+# SHA1 Fingerprint: 7e:04:de:89:6a:3e:66:6d:00:e6:87:d3:3f:fa:d9:3b:e8:3d:34:9e
+# SHA256 Fingerprint: 31:ad:66:48:f8:10:41:38:c7:38:f3:9e:a4:32:01:33:39:3e:3a:18:cc:02:29:6e:f9:7c:2a:c9:ef:67:31:d0
+-----BEGIN CERTIFICATE-----
+MIICPzCCAcWgAwIBAgIQBVVWvPJepDU1w6QP1atFcjAKBggqhkjOPQQDAzBhMQsw
+CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
+ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAe
+Fw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVTMRUw
+EwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20x
+IDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEczMHYwEAYHKoZIzj0CAQYF
+K4EEACIDYgAE3afZu4q4C/sLfyHS8L6+c/MzXRq8NOrexpu80JX28MzQC7phW1FG
+fp4tn+6OYwwX7Adw9c+ELkCDnOg/QW07rdOkFFk2eJ0DQ+4QE2xy3q6Ip6FrtUPO
+Z9wj/wMco+I+o0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAd
+BgNVHQ4EFgQUs9tIpPmhxdiuNkHMEWNpYim8S8YwCgYIKoZIzj0EAwMDaAAwZQIx
+AK288mw/EkrRLTnDCgmXc/SINoyIJ7vmiI1Qhadj+Z4y3maTD/HMsQmP3Wyr+mt/
+oAIwOWZbwmSNuJ5Q3KjVSaLtx9zRSX8XAbjIho9OjIgrqJqpisXRAL34VOKa5Vt8
+sycX
+-----END CERTIFICATE-----

certs/GTS-Root-R1.pem

@@ -0,0 +1,38 @@
+# Issuer: CN=GTS Root R1 O=Google Trust Services LLC
+# Subject: CN=GTS Root R1 O=Google Trust Services LLC
+# Label: "GTS Root R1"
+# Serial: 159662320309726417404178440727
+# MD5 Fingerprint: 05:fe:d0:bf:71:a8:a3:76:63:da:01:e0:d8:52:dc:40
+# SHA1 Fingerprint: e5:8c:1c:c4:91:3b:38:63:4b:e9:10:6e:e3:ad:8e:6b:9d:d9:81:4a
+# SHA256 Fingerprint: d9:47:43:2a:bd:e7:b7:fa:90:fc:2e:6b:59:10:1b:12:80:e0:e1:c7:e4:e4:0f:a3:c6:88:7f:ff:57:a7:f4:cf
+-----BEGIN CERTIFICATE-----
+MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw
+CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
+MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
+MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
+Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA
+A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo
+27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w
+Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw
+TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl
+qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH
+szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8
+Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk
+MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92
+wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p
+aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN
+VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID
+AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
+FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb
+C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe
+QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy
+h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4
+7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J
+ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef
+MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/
+Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT
+6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ
+0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm
+2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb
+bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c
+-----END CERTIFICATE-----

certs/GTS-Root-R4.pem

@@ -0,0 +1,20 @@
+# Issuer: CN=GTS Root R4 O=Google Trust Services LLC
+# Subject: CN=GTS Root R4 O=Google Trust Services LLC
+# Label: "GTS Root R4"
+# Serial: 159662532700760215368942768210
+# MD5 Fingerprint: 43:96:83:77:19:4d:76:b3:9d:65:52:e4:1d:22:a5:e8
+# SHA1 Fingerprint: 77:d3:03:67:b5:e0:0c:15:f6:0c:38:61:df:7c:e1:3b:92:46:4d:47
+# SHA256 Fingerprint: 34:9d:fa:40:58:c5:e2:63:12:3b:39:8a:e7:95:57:3c:4e:13:13:c8:3f:e6:8f:93:55:6c:d5:e8:03:1b:3c:7d
+-----BEGIN CERTIFICATE-----
+MIICCTCCAY6gAwIBAgINAgPlwGjvYxqccpBQUjAKBggqhkjOPQQDAzBHMQswCQYD
+VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIG
+A1UEAxMLR1RTIFJvb3QgUjQwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAw
+WjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2Vz
+IExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjQwdjAQBgcqhkjOPQIBBgUrgQQAIgNi
+AATzdHOnaItgrkO4NcWBMHtLSZ37wWHO5t5GvWvVYRg1rkDdc/eJkTBa6zzuhXyi
+QHY7qca4R9gq55KRanPpsXI5nymfopjTX15YhmUPoYRlBtHci8nHc8iMai/lxKvR
+HYqjQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
+BBSATNbrdP9JNqPV2Py1PsVq8JQdjDAKBggqhkjOPQQDAwNpADBmAjEA6ED/g94D
+9J+uHXqnLrmvT/aDHQ4thQEd0dlq7A/Cr8deVl5c1RxYIigL9zC2L7F8AjEA8GE8
+p/SgguMh1YQdc4acLa/KNJvxn7kjNuK8YAOdgLOaVsjh4rsUecrNIdSUtUlD
+-----END CERTIFICATE-----

certs/Go-Daddy-Root-Certificate-Authority-G2.pem

@@ -0,0 +1,30 @@
+# Issuer: CN=Go Daddy Root Certificate Authority - G2 O=GoDaddy.com, Inc.
+# Subject: CN=Go Daddy Root Certificate Authority - G2 O=GoDaddy.com, Inc.
+# Label: "Go Daddy Root Certificate Authority - G2"
+# Serial: 0
+# MD5 Fingerprint: 80:3a:bc:22:c1:e6:fb:8d:9b:3b:27:4a:32:1b:9a:01
+# SHA1 Fingerprint: 47:be:ab:c9:22:ea:e8:0e:78:78:34:62:a7:9f:45:c2:54:fd:e6:8b
+# SHA256 Fingerprint: 45:14:0b:32:47:eb:9c:c8:c5:b4:f0:d7:b5:30:91:f7:32:92:08:9e:6e:5a:63:e2:74:9d:d3:ac:a9:19:8e:da
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
+NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
+AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
+E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
+/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
+DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
+GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
+tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
+AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
+FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
+WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
+9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
+gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
+2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
+LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
+4uJEvlz36hz1
+-----END CERTIFICATE-----

certs/ISRG-Root-X1.pem

@@ -0,0 +1,38 @@
+# Issuer: CN=ISRG Root X1 O=Internet Security Research Group
+# Subject: CN=ISRG Root X1 O=Internet Security Research Group
+# Label: "ISRG Root X1"
+# Serial: 172886928669790476064670243504169061120
+# MD5 Fingerprint: 0c:d2:f9:e0:da:17:73:e9:ed:86:4d:a5:e3:70:e7:4e
+# SHA1 Fingerprint: ca:bd:2a:79:a1:07:6a:31:f2:1d:25:36:35:cb:03:9d:43:29:a5:e8
+# SHA256 Fingerprint: 96:bc:ec:06:26:49:76:f3:74:60:77:9a:cf:28:c5:a7:cf:e8:a3:c0:aa:e1:1a:8f:fc:ee:05:c0:bd:df:08:c6
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----

certs/ISRG-Root-X2.pem

@@ -0,0 +1,21 @@
+# Issuer: CN=ISRG Root X2 O=Internet Security Research Group
+# Subject: CN=ISRG Root X2 O=Internet Security Research Group
+# Label: "ISRG Root X2"
+# Serial: 87493402998870891108772069816698636114
+# MD5 Fingerprint: d3:9e:c4:1e:23:3c:a6:df:cf:a3:7e:6d:e0:14:e6:e5
+# SHA1 Fingerprint: bd:b1:b9:3c:d5:97:8d:45:c6:26:14:55:f8:db:95:c7:5a:d1:53:af
+# SHA256 Fingerprint: 69:72:9b:8e:15:a8:6e:fc:17:7a:57:af:b7:17:1d:fc:64:ad:d2:8c:2f:ca:8c:f1:50:7e:34:45:3c:cb:14:70
+-----BEGIN CERTIFICATE-----
+MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
+CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
+R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
+MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
+ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
+EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
++1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
+ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
+AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
+zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
+tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
+/q4AaOeMSQ+2b1tbFfLn
+-----END CERTIFICATE-----

certs/Makefile

@@ -0,0 +1,58 @@
+# Makefile to check certificates
+
+CURL = curl \
+	--capath /dev/null \
+	--connect-timeout 5 \
+	--output /dev/null \
+	--silent
+
+DOMAINS_DUAL = \
+	api.macvendors.com/GTS-Root-R4 \
+	api.telegram.org/Go-Daddy-Root-Certificate-Authority-G2 \
+	cloudflare-dns.com/DigiCert-Global-Root-G2 \
+	dns.google/GTS-Root-R4 \
+	dns.quad9.net/DigiCert-Global-Root-G3 \
+	git.eworm.de/ISRG-Root-X2 \
+	lists.blocklist.de/Certum-Trusted-Network-CA \
+	matrix.org/GTS-Root-R4 \
+	raw.githubusercontent.com/USERTrust-RSA-Certification-Authority \
+	rsc.eworm.de/ISRG-Root-X2 \
+	upgrade.mikrotik.com/ISRG-Root-X1
+DOMAINS_IPV4 = \
+	1.1.1.1/DigiCert-Global-Root-G2 \
+	8.8.8.8/GTS-Root-R1 \
+	9.9.9.9/DigiCert-Global-Root-G3 \
+	api.mullvad.net/ISRG-Root-X1 \
+	ipv4.showipv6.de/ISRG-Root-X1 \
+	ipv4.tunnelbroker.net/Starfield-Root-Certificate-Authority-G2 \
+	mkcert.org/ISRG-Root-X1 \
+	ntfy.sh/ISRG-Root-X1 \
+	www.dshield.org/ISRG-Root-X1 \
+	www.spamhaus.org/GTS-Root-R4
+DOMAINS_IPV6 = \
+	[2606\:4700\:4700\:\:1111]/DigiCert-Global-Root-G2 \
+	[2001\:4860\:4860\:\:8888]/GTS-Root-R1 \
+	[2620\:fe\:\:9]/DigiCert-Global-Root-G3 \
+	ipv6.showipv6.de/ISRG-Root-X1
+
+.PHONY: $(DOMAINS_DUAL) $(DOMAINS_IPV4) $(DOMAINS_IPV6)
+
+all: $(DOMAINS_DUAL) $(DOMAINS_IPV4) $(DOMAINS_IPV6)
+
+$(DOMAINS_DUAL):
+ifndef NOIPV4
+	$(CURL) -4 --cacert $(notdir $@).pem https://$(dir $@)
+endif
+ifndef NOIPV6
+	$(CURL) -6 --cacert $(notdir $@).pem https://$(dir $@)
+endif
+
+$(DOMAINS_IPV4):
+ifndef NOIPV4
+	$(CURL) -4 --cacert $(notdir $@).pem https://$(dir $@)
+endif
+
+$(DOMAINS_IPV6):
+ifndef NOIPV6
+	$(CURL) -6 --cacert $(notdir $@).pem https://$(dir $@)
+endif

certs/Starfield-Root-Certificate-Authority-G2.pem

@@ -0,0 +1,30 @@
+# Issuer: CN=Starfield Root Certificate Authority - G2 O=Starfield Technologies, Inc.
+# Subject: CN=Starfield Root Certificate Authority - G2 O=Starfield Technologies, Inc.
+# Label: "Starfield Root Certificate Authority - G2"
+# Serial: 0
+# MD5 Fingerprint: d6:39:81:c6:52:7e:96:69:fc:fc:ca:66:ed:05:f2:96
+# SHA1 Fingerprint: b5:1c:06:7c:ee:2b:0c:3d:f8:55:ab:2d:92:f4:fe:39:d4:e7:0f:0e
+# SHA256 Fingerprint: 2c:e1:cb:0b:f9:d2:f9:e1:02:99:3f:be:21:51:52:c3:b2:dd:0c:ab:de:1c:68:e5:31:9b:83:91:54:db:b7:f5
+-----BEGIN CERTIFICATE-----
+MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
+HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
+ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw
+MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
+b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
+aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp
+Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg
+nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1
+HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N
+Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN
+dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0
+HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G
+CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU
+sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3
+4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg
+8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K
+pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
+mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
+-----END CERTIFICATE-----

certs/USERTrust-RSA-Certification-Authority.pem

@@ -0,0 +1,41 @@
+# Issuer: CN=USERTrust RSA Certification Authority O=The USERTRUST Network
+# Subject: CN=USERTrust RSA Certification Authority O=The USERTRUST Network
+# Label: "USERTrust RSA Certification Authority"
+# Serial: 2645093764781058787591871645665788717
+# MD5 Fingerprint: 1b:fe:69:d1:91:b7:19:33:a3:72:a8:0f:e1:55:e5:b5
+# SHA1 Fingerprint: 2b:8f:1b:57:33:0d:bb:a2:d0:7a:6c:51:f7:0e:e9:0d:da:b9:ad:8e
+# SHA256 Fingerprint: e7:93:c9:b0:2f:d8:aa:13:e2:1c:31:22:8a:cc:b0:81:19:64:3b:74:9c:89:89:64:b1:74:6d:46:c3:d4:cb:d2
+-----BEGIN CERTIFICATE-----
+MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
+iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
+cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
+BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
+MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
+BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
+aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
+dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
+3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
+tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
+Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
+VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
+79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
+c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
+Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
+c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
+UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
+Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
+BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
+A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
+Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
+VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
+ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
+8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
+iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
+Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
+XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
+qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
+VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
+L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
+jjxDah2nGN59PRbxYvnKkKj9
+-----END CERTIFICATE-----

certs/godaddy.pem

@@ -1,51 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
-EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
-ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
-NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
-EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
-AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
-E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
-/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
-DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
-GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
-tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
-AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
-FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
-WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
-9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
-gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
-2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
-LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
-4uJEvlz36hz1
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
-EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
-ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
-MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
-EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
-CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
-EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
-BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
-K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
-cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
-pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
-eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
-AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
-HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
-9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
-b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
-b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
-CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
-MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
-91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
-RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
-DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
-GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
-LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
------END CERTIFICATE-----

certs/letsencrypt.pem

@@ -1,83 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
-WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
-ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
-MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
-h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
-0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
-A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
-T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
-B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
-B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
-KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
-OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
-jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
-qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
-rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
-hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
-ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
-3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
-NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
-ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
-TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
-jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
-oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
-4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
-mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
-emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
-WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
-RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
-NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
-89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
-Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
-Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
-uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
-AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
-BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
-FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
-SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
-LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
-BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
-AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
-VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
-ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
-A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
-UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
-DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
-eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
-OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
-p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
-2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
-ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
-PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
-rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----

certs/starfield.pem

@@ -1,52 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
-ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw
-MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
-b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
-aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp
-Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg
-nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1
-HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N
-Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN
-dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0
-HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
-BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G
-CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU
-sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3
-4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg
-8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K
-pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
-mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIFADCCA+igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
-ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAw
-MFoXDTMxMDUwMzA3MDAwMFowgcYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
-b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
-aG5vbG9naWVzLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydHMuc3RhcmZpZWxk
-dGVjaC5jb20vcmVwb3NpdG9yeS8xNDAyBgNVBAMTK1N0YXJmaWVsZCBTZWN1cmUg
-Q2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQDlkGZL7PlGcakgg77pbL9KyUhpgXVObST2yxcT+LBxWYR6ayuF
-pDS1FuXLzOlBcCykLtb6Mn3hqN6UEKwxwcDYav9ZJ6t21vwLdGu4p64/xFT0tDFE
-3ZNWjKRMXpuJyySDm+JXfbfYEh/JhW300YDxUJuHrtQLEAX7J7oobRfpDtZNuTlV
-Bv8KJAV+L8YdcmzUiymMV33a2etmGtNPp99/UsQwxaXJDgLFU793OGgGJMNmyDd+
-MB5FcSM1/5DYKp2N57CSTTx/KgqT3M0WRmX3YISLdkuRJ3MUkuDq7o8W6o0OPnYX
-v32JgIBEQ+ct4EMJddo26K3biTr1XRKOIwSDAgMBAAGjggEsMIIBKDAPBgNVHRMB
-Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUJUWBaFAmOD07LSy+
-zWrZtj2zZmMwHwYDVR0jBBgwFoAUfAwyH6fZMH/EfWijYqihzqsHWycwOgYIKwYB
-BQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5zdGFyZmllbGR0ZWNo
-LmNvbS8wOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5zdGFyZmllbGR0ZWNo
-LmNvbS9zZnJvb3QtZzIuY3JsMEwGA1UdIARFMEMwQQYEVR0gADA5MDcGCCsGAQUF
-BwIBFitodHRwczovL2NlcnRzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkv
-MA0GCSqGSIb3DQEBCwUAA4IBAQBWZcr+8z8KqJOLGMfeQ2kTNCC+Tl94qGuc22pN
-QdvBE+zcMQAiXvcAngzgNGU0+bE6TkjIEoGIXFs+CFN69xpk37hQYcxTUUApS8L0
-rjpf5MqtJsxOYUPl/VemN3DOQyuwlMOS6eFfqhBJt2nk4NAfZKQrzR9voPiEJBjO
-eT2pkb9UGBOJmVQRDVXFJgt5T1ocbvlj2xSApAer+rKluYjdkf5lO6Sjeb6JTeHQ
-sPTIFwwKlhR8Cbds4cLYVdQYoKpBaXAko7nv6VrcPuuUSvC33l8Odvr7+2kDRUBQ
-7nIMpBKGgc0T0U7EPMpODdIm8QC3tKai4W56gf0wrHofx1l7
------END CERTIFICATE-----

check-certificates

@@ -1,117 +0,0 @@
-#!rsc
-# RouterOS script: check-certificates
-# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
-#
-# check for certificate validity
-
-:global Identity;
-:global CertRenewUrl;
-:global CertRenewPass;
-
-:global SendNotification;
-
-:local GetIssuerCN do={
-  :foreach IssuerI in=$1 do={
-    :if ([ :pick $IssuerI 0 3 ] = "CN=") do={
-      :return [ :pick $IssuerI 3 99 ];
-    }
-  }
-}
-
-:local FormatExpire do={
-  :global CharacterReplace;
-  :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
-}
-
-:foreach Cert in=[ / certificate find where !revoked expires-after<3w ] do={
-  :local CertName [ / certificate get $Cert name ];
-  :local CommonName [ / certificate get $Cert common-name ];
-  :local FingerPrint [ / certificate get $Cert fingerprint ];
-
-  :do {
-    :if ([ :len $CertRenewUrl ] = 0) do={
-      :error "No CertRenewUrl given.";
-    }
-
-    / tool fetch mode=https check-certificate=yes-without-crl url=($CertRenewUrl . $CommonName . ".pem");
-    :foreach PassPhrase in=$CertRenewPass do={
-      / certificate import file-name=($CommonName . ".pem") passphrase=$PassPhrase;
-    }
-    / file remove [ find where name=($CommonName . ".pem") ];
-
-    :local CertNew [ / certificate find where common-name=$CommonName fingerprint!=$FingerPrint expires-after>3w ];
-    :local CertNameNew [ / certificate get $CertNew name ];
-
-    :foreach IpService in=[ / ip service find where certificate=$CertName ] do={
-      / ip service set $IpService certificate=$CertNameNew;
-    }
-
-    :do {
-      :foreach Identity in=[ / ip ipsec identity find where certificate=$CertName ] do={
-        / ip ipsec identity set $Identity certificate=$CertNameNew;
-      }
-      :foreach Identity in=[ / ip ipsec identity find where remote-certificate=$CertName ] do={
-        / ip ipsec identity set $Identity remote-certificate=$CertNameNew;
-      }
-    } on-error={
-      :log debug ("Setting IPSEC certificates failed. Package 'security' not installed?");
-    }
-
-    :do {
-      :foreach Hotspot in=[ / ip hotspot profile find where ssl-certificate=$CertName ] do={
-        / ip hotspot profile set $Hotspot ssl-certificate=$CertNameNew;
-      }
-    } on-error={
-      :log debug ("Setting hotspot certificates failed. Package 'hotspot' not installed?");
-    }
-
-    / certificate remove $Cert;
-    / certificate set $CertNew name=$CertName;
-
-    :set CommonName [ / certificate get $CertNew common-name ];
-    :set FingerPrint [ / certificate get $CertNew fingerprint ];
-    :local Issuer [ $GetIssuerCN [ / certificate get $CertNew issuer ] ];
-    :local InvalidBefore [ / certificate get $CertNew invalid-before ];
-    :local InvalidAfter [ / certificate get $CertNew invalid-after ];
-    :local ExpiresAfter [ $FormatExpire [ / certificate get $CertNew expires-after ] ];
-
-    $SendNotification ("Certificate renewed") \
-      ("A certificate on " . $Identity . " has been renewed.\n\n" . \
-        "Name:        " . $CertName . "\n" . \
-        "CommonName:  " . $CommonName . "\n" . \
-        "Fingerprint: " . $FingerPrint . "\n" . \
-        "Issuer:      " . $Issuer . "\n" . \
-        "Validity:    " . $InvalidBefore . " to " . $InvalidAfter . "\n" . \
-        "Expires in:  " . $ExpiresAfter);
-    :log info ("The certificate " . $CertName . " has been renewed.");
-  } on-error={
-    :log debug ("Could not renew certificate " . $CertName ".");
-  }
-}
-
-:foreach Cert in=[ / certificate find where !revoked expires-after<2w ] do={
-  :local CertName [ / certificate get $Cert name ];
-  :local CommonName [ / certificate get $Cert common-name ];
-  :local FingerPrint [ / certificate get $Cert fingerprint ];
-  :local Issuer [ $GetIssuerCN [ / certificate get $Cert issuer ] ];
-  :local InvalidBefore [ / certificate get $Cert invalid-before ];
-  :local InvalidAfter [ / certificate get $Cert invalid-after ];
-
-  :local ExpiresAfter [ $FormatExpire [ / certificate get $Cert expires-after ] ];
-  :local State "is about to expire";
-  :if ([ / certificate get $Cert expired ] = true) do={
-    :set ExpiresAfter "expired";
-    :set State "expired";
-  }
-
-  $SendNotification ("Certificate warning!") \
-    ("A certificate on " . $Identity . " " . $State . ".\n\n" . \
-      "Name:        " . $CertName . "\n" . \
-      "CommonName:  " . $CommonName . "\n" . \
-      "Fingerprint: " . $FingerPrint . "\n" . \
-      "Issuer:      " . $Issuer . "\n" . \
-      "Validity:    " . $InvalidBefore . " to " . $InvalidAfter . "\n" . \
-      "Expires in:  " . $ExpiresAfter);
-  :log warning ("The certificate " . $CertName . " " . $State . \
-      ", it is invalid after " . $InvalidAfter . ".");
-}

check-certificates.rsc

@@ -0,0 +1,242 @@
+#!rsc by RouterOS
+# RouterOS script: check-certificates
+# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+# requires device-mode, fetch
+#
+# check for certificate validity
+# https://rsc.eworm.de/doc/check-certificates.md
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global CertRenewTime;
+  :global CertRenewUrl;
+  :global CertWarnTime;
+  :global Identity;
+
+  :global CertificateAvailable
+  :global EscapeForRegEx;
+  :global IfThenElse;
+  :global LogPrint;
+  :global ParseKeyValueStore;
+  :global ScriptLock;
+  :global SendNotification2;
+  :global SymbolForNotification;
+  :global UrlEncode;
+  :global WaitFullyConnected;
+
+  :local CheckCertificatesDownloadImport do={
+    :local ScriptName [ :tostr $1 ];
+    :local CertName   [ :tostr $2 ];
+    :local FetchName  [ :tostr $3 ];
+
+    :global CertRenewUrl;
+    :global CertRenewPass;
+
+    :global CertificateNameByCN;
+    :global EscapeForRegEx;
+    :global FetchUserAgentStr;
+    :global LogPrint;
+    :global RmFile;
+    :global UrlEncode;
+    :global WaitForFile;
+
+    :foreach Type in={ "p12"; "pem" } do={
+      :local CertFileName ([ $UrlEncode $FetchName ] . "." . $Type);
+      $LogPrint debug $ScriptName ("Trying type '" . $Type . "' for '" . $CertName . \
+          "' (file '" . $CertFileName . "')...");
+
+      :do {
+        /tool/fetch check-certificate=yes-without-crl http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \
+            ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
+        $WaitForFile $CertFileName;
+
+        :local DecryptionFailed true;
+        :foreach I,PassPhrase in=$CertRenewPass do={
+          :do {
+            $LogPrint debug $ScriptName ("Trying " . $I . ". passphrase... ");
+            :local Result [ /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value ];
+            :if ($Result->"decryption-failures" = 0) do={
+              $LogPrint debug $ScriptName ("Success!");
+              :set DecryptionFailed false;
+            }
+          } on-error={ }
+        }
+        $RmFile $CertFileName;
+
+        :if ($DecryptionFailed = true) do={
+          $LogPrint warning $ScriptName ("Decryption failed for certificate file '" . $CertFileName . "'.");
+        }
+
+        :foreach CertInChain in=[ /certificate/find where common-name!=$CertName !private-key \
+            name~("^" . [ $EscapeForRegEx $CertFileName ] . "_[0-9]+\$") \
+            !(subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $CertName ] . "(\\W|\$)")) \
+            !(common-name=[]) ] do={
+          $CertificateNameByCN [ /certificate/get $CertInChain common-name ];
+        }
+
+        :return true;
+      } on-error={
+        $LogPrint debug $ScriptName ("Could not download certificate file '" . $CertFileName . "'.");
+      }
+    }
+
+    :return false;
+  }
+
+  :local FormatInfo do={
+    :local Cert $1;
+
+    :global FormatLine;
+    :global FormatMultiLines;
+    :global IfThenElse;
+
+    :local FormatExpire do={
+      :global CharacterReplace;
+      :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
+    }
+
+    :local FormatCertChain do={
+      :local Cert $1;
+
+      :global EitherOr;
+      :global ParseKeyValueStore;
+
+      :local CertVal [ /certificate/get $Cert ];
+
+      :if ([ :typeof ($CertVal->"issuer") ] = "nothing") do={
+        :return "self-signed";
+      }
+
+      :local Return "";
+      :for I from=0 to=5 do={
+        :set Return ($Return . [ $EitherOr ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") \
+          ([ $ParseKeyValueStore (($CertVal->"issuer")->0) ]->"CN") ]);
+        :set CertVal [ /certificate/get [ find where skid=($CertVal->"akid") ] ];
+        :if (($CertVal->"akid") = "" || ($CertVal->"akid") = ($CertVal->"skid")) do={
+          :return $Return;
+        }
+        :set Return ($Return . " -> ");
+      }
+      :return ($Return . "...");
+    }
+
+    :local CertVal [ /certificate/get $Cert ];
+
+    :return ( \
+      [ $FormatLine "Name" ($CertVal->"name") ] . "\n" . \
+      [ $IfThenElse ([ :len ($CertVal->"common-name") ] > 0) ([ $FormatLine "CommonName" ($CertVal->"common-name") ] . "\n") ] . \
+      [ $IfThenElse ([ :len ($CertVal->"subject-alt-name") ] > 0) ([ $FormatMultiLines "SubjectAltNames" ($CertVal->"subject-alt-name") ] . "\n") ] . \
+      [ $FormatLine "Private key" [ $IfThenElse (($CertVal->"private-key") = true) "available" "missing" ] ] . "\n" . \
+      [ $FormatLine "Fingerprint" ($CertVal->"fingerprint") ] . "\n" . \
+      [ $IfThenElse ([ :len ($CertVal->"ca") ] > 0) [ $FormatLine "Issuer" ($CertVal->"ca") ] [ $FormatLine "Issuer chain" [ $FormatCertChain $Cert ] ] ] . "\n" . \
+      "Validity:\n" . \
+      [ $FormatLine "    from" ($CertVal->"invalid-before") ] . "\n" . \
+      [ $FormatLine "    to" ($CertVal->"invalid-after") ] . "\n" . \
+      [ $FormatLine "Expires in" [ $IfThenElse (($CertVal->"expired") = true) "expired" [ $FormatExpire ($CertVal->"expires-after") ] ] ]);
+  }
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+  $WaitFullyConnected;
+
+  :foreach Cert in=[ /certificate/find where !revoked !ca !scep-url expires-after<$CertRenewTime ] do={
+    :local CertVal [ /certificate/get $Cert ];
+    :local LastName;
+    :local FetchName;
+
+    :do {
+      :if ([ :len $CertRenewUrl ] = 0) do={
+        $LogPrint info $ScriptName ("No CertRenewUrl given.");
+        :error false;
+      }
+      $LogPrint info $ScriptName ("Attempting to renew certificate '" . ($CertVal->"name") . "'.");
+
+      :local ImportSuccess false;
+      :set LastName ($CertVal->"common-name");
+      :set FetchName $LastName;
+      :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
+      :foreach SAN in=($CertVal->"subject-alt-name") do={
+        :if ($ImportSuccess = false) do={
+          :set LastName [ :pick $SAN ([ :find $SAN ":" ] + 1) [ :len $SAN ] ];
+          :set FetchName $LastName;
+          :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
+          :if ($ImportSuccess = false && [ :pick $LastName 0 2 ] = "*.") do={
+            :set FetchName ("star." . [ :pick $LastName 2 [ :len $LastName ] ]);
+            :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
+          }
+        }
+      }
+      :if ($ImportSuccess = false) do={ :error false; }
+
+      :if ([ :len ($CertVal->"fingerprint") ] > 0 && $CertVal->"fingerprint" != [ /certificate/get $Cert fingerprint ]) do={
+        $LogPrint debug $ScriptName ("Certificate '" . $CertVal->"name" . "' was updated in place.");
+        :set CertVal [ /certificate/get $Cert ];
+      } else={
+        $LogPrint debug $ScriptName ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.");
+
+        :local CertNew [ /certificate/find where name~("^" . [ $EscapeForRegEx [ $UrlEncode $FetchName ] ] . "\\.(p12|pem)_[0-9]+\$") \
+          (common-name=($CertVal->"common-name") or subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $LastName ] . "(\\W|\$)")) \
+          fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
+        :local CertNewVal [ /certificate/get $CertNew ];
+
+        :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
+          $LogPrint warning $ScriptName ("The certificate chain is not available!");
+        }
+
+        :if (($CertVal->"private-key") = true && ($CertVal->"private-key") != ($CertNewVal->"private-key")) do={
+          /certificate/remove $CertNew;
+          $LogPrint warning $ScriptName ("Old certificate '" . ($CertVal->"name") . "' has a private key, new certificate does not. Aborting renew.");
+          :error false;
+        }
+
+        /ip/service/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];
+
+        /ip/ipsec/identity/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];
+        /ip/ipsec/identity/set remote-certificate=($CertNewVal->"name") [ find where remote-certificate=($CertVal->"name") ];
+
+        /ip/hotspot/profile/set ssl-certificate=($CertNewVal->"name") [ find where ssl-certificate=($CertVal->"name") ];
+
+        /certificate/remove $Cert;
+        /certificate/set $CertNew name=($CertVal->"name");
+        :set Cert $CertNew;
+        :set CertVal [ /certificate/get $CertNew ];
+      }
+
+      $SendNotification2 ({ origin=$ScriptName; silent=true; \
+        subject=([ $SymbolForNotification "lock-with-ink-pen" ] . "Certificate renewed: " . ($CertVal->"name")); \
+        message=("A certificate on " . $Identity . " has been renewed.\n\n" . [ $FormatInfo $Cert ]) });
+      $LogPrint info $ScriptName ("The certificate '" . ($CertVal->"name") . "' has been renewed.");
+    } on-error={
+      $LogPrint debug $ScriptName ("Could not renew certificate '" . ($CertVal->"name") . "'.");
+    }
+  }
+
+  :foreach Cert in=[ /certificate/find where !revoked !scep-url !(expires-after=[]) \
+                     expires-after<$CertWarnTime !(fingerprint=[]) ] do={
+    :local CertVal [ /certificate/get $Cert ];
+
+    :if ([ :len [ /certificate/scep-server/find where ca-cert=($CertVal->"ca") ] ] > 0) do={
+      $LogPrint debug $ScriptName ("Certificate '" . ($CertVal->"name") . "' is handled by SCEP, skipping.");
+    } else={
+      :local State [ $IfThenElse (($CertVal->"expired") = true) "expired" "is about to expire" ];
+
+      $SendNotification2 ({ origin=$ScriptName; \
+        subject=([ $SymbolForNotification "warning-sign" ] . "Certificate warning: " . ($CertVal->"name")); \
+        message=("A certificate on " . $Identity . " " . $State . ".\n\n" . [ $FormatInfo $Cert ]) });
+      $LogPrint info $ScriptName ("The certificate '" . ($CertVal->"name") . "' " . $State . \
+          ", it is invalid after " . ($CertVal->"invalid-after") . ".");
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

check-health.d/state.rsc

@@ -0,0 +1,48 @@
+#!rsc by RouterOS
+# RouterOS script: check-health.d/state
+# Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# check for RouterOS health state - state plugin
+# https://rsc.eworm.de/doc/check-health.md
+
+:global CheckHealthPlugins;
+
+:set ($CheckHealthPlugins->[ :jobname ]) do={
+  :local FuncName [ :tostr $0 ];
+
+  :global CheckHealthLast;
+  :global Identity;
+
+  :global LogPrint;
+  :global SendNotification2;
+  :global SymbolForNotification;
+
+  :if ([ :len [ /system/health/find where type="" name~"-state\$"] ] = 0) do={
+    $LogPrint debug $FuncName ("Your device does not provide any state health values.");
+    :return false;
+  }
+
+  :foreach State in=[ /system/health/find where type="" name~"-state\$" ] do={
+    :local Name  [ /system/health/get $State name  ];
+    :local Value [ /system/health/get $State value ];
+
+    :if ([ :typeof ($CheckHealthLast->$Name) ] != "nothing") do={
+      :if ($CheckHealthLast->$Name = "ok" && \
+           $Value != "ok") do={
+        $SendNotification2 ({ origin=$FuncName; \
+          subject=([ $SymbolForNotification "cross-mark" ] . "Health warning: " . $Name); \
+          message=("The device '" . $Name . "' on " . $Identity . " failed!") });
+      }
+      :if ($CheckHealthLast->$Name != "ok" && \
+           $Value = "ok") do={
+        $SendNotification2 ({ origin=$FuncName; \
+          subject=([ $SymbolForNotification "white-heavy-check-mark" ] . "Health recovery: " . $Name); \
+          message=("The device '" . $Name . "' on " . $Identity . " recovered!") });
+      }
+    }
+    :set ($CheckHealthLast->$Name) $Value;
+  }
+}

check-health.d/temperature.rsc

@@ -0,0 +1,74 @@
+#!rsc by RouterOS
+# RouterOS script: check-health.d/temperature
+# Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# check for RouterOS health state - temperature plugin
+# https://rsc.eworm.de/doc/check-health.md
+
+:global CheckHealthPlugins;
+
+:set ($CheckHealthPlugins->[ :jobname ]) do={
+  :local FuncName [ :tostr $0 ];
+
+  :global CheckHealthLast;
+  :global CheckHealthTemperature;
+  :global CheckHealthTemperatureDeviation;
+  :global CheckHealthTemperatureNotified;
+  :global Identity;
+
+  :global LogPrint;
+  :global SendNotification2;
+  :global SymbolForNotification;
+
+  :if ([ :len [ /system/health/find where type="C" ] ] = 0) do={
+    $LogPrint debug $FuncName ("Your device does not provide any voltage health values.");
+    :return false;
+  }
+
+  :local TempToNum do={
+    :global CharacterReplace;
+    :local T [ :toarray [ $CharacterReplace $1 "." "," ] ];
+    :return ($T->0 * 10 + $T->1);
+  }
+
+  :if ([ :typeof $CheckHealthTemperatureNotified ] != "array") do={
+    :set CheckHealthTemperatureNotified ({});
+  }
+
+  :foreach Temperature in=[ /system/health/find where type="C" ] do={
+    :local Name  [ /system/health/get $Temperature name  ];
+    :local Value [ /system/health/get $Temperature value ];
+
+    :if ([ :typeof ($CheckHealthLast->$Name) ] != "nothing") do={
+      :if ([ :typeof ($CheckHealthTemperature->$Name) ] != "num" ) do={
+        $LogPrint info $FuncName ("No threshold given for " . $Name . ", assuming 50C.");
+        :set ($CheckHealthTemperature->$Name) 50;
+      }
+      :local Validate [ /system/health/get [ find where name=$Name ] value ];
+      :while ($Value != $Validate) do={
+        :set Value $Validate;
+        :set Validate [ /system/health/get [ find where name=$Name ] value ];
+      }
+      :if ($Value > $CheckHealthTemperature->$Name && \
+           $CheckHealthTemperatureNotified->$Name != true) do={
+        $SendNotification2 ({ origin=$FuncName; \
+          subject=([ $SymbolForNotification "fire" ] . "Health warning: " . $Name); \
+          message=("The " . $Name . " on " . $Identity . " is above threshold: " . \
+            $Value . "\C2\B0" . "C") });
+        :set ($CheckHealthTemperatureNotified->$Name) true;
+      }
+      :if ($Value <= ($CheckHealthTemperature->$Name - $CheckHealthTemperatureDeviation) && \
+           $CheckHealthTemperatureNotified->$Name = true) do={
+        $SendNotification2 ({ origin=$FuncName; \
+          subject=([ $SymbolForNotification "white-heavy-check-mark" ] . "Health recovery: " . $Name); \
+          message=("The " . $Name . " on " . $Identity . " dropped below threshold: " .  \
+            $Value . "\C2\B0" . "C") });
+        :set ($CheckHealthTemperatureNotified->$Name) false;
+      }
+    }
+    :set ($CheckHealthLast->$Name) $Value;
+  }
+}

check-health.d/voltage.rsc

@@ -0,0 +1,63 @@
+#!rsc by RouterOS
+# RouterOS script: check-health.d/voltage
+# Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# check for RouterOS health state - voltage plugin
+# https://rsc.eworm.de/doc/check-health.md
+
+:global CheckHealthPlugins;
+
+:set ($CheckHealthPlugins->[ :jobname ]) do={
+  :local FuncName [ :tostr $0 ];
+
+  :global CheckHealthLast;
+  :global CheckHealthVoltageLow;
+  :global CheckHealthVoltagePercent;
+  :global Identity;
+
+  :global FormatLine;
+  :global IfThenElse;
+  :global LogPrint;
+  :global SendNotification2;
+  :global SymbolForNotification;
+
+  :if ([ :len [ /system/health/find where type="V" ] ] = 0) do={
+    $LogPrint debug $FuncName ("Your device does not provide any voltage health values.");
+    :return false;
+  }
+
+  :foreach Voltage in=[ /system/health/find where type="V" ] do={
+    :local Name  [ /system/health/get $Voltage name  ];
+    :local Value [ /system/health/get $Voltage value ];
+
+    :if ([ :typeof ($CheckHealthLast->$Name) ] != "nothing") do={
+      :local NumCurr [ $TempToNum $Value ];
+      :local NumLast [ $TempToNum ($CheckHealthLast->$Name) ];
+
+      :if ($NumLast * (100 + $CheckHealthVoltagePercent) < $NumCurr * 100 || \
+           $NumLast * 100 > $NumCurr * (100 + $CheckHealthVoltagePercent)) do={
+        $SendNotification2 ({ origin=$FuncName; \
+          subject=([ $SymbolForNotification ("high-voltage-sign,chart-" . [ $IfThenElse ($NumLast < \
+            $NumCurr) "in" "de" ] . "creasing") ] . "Health warning: " . $Name); \
+          message=("The " . $Name . " on " . $Identity . " jumped more than " . $CheckHealthVoltagePercent . "%.\n\n" . \
+            [ $FormatLine "old value" ($CheckHealthLast->$Name . " V") 12 ] . "\n" . \
+            [ $FormatLine "new value" ($Value . " V") 12 ]) });
+      } else={ 
+        :if ($NumCurr <= $CheckHealthVoltageLow && $NumLast > $CheckHealthVoltageLow) do={ 
+          $SendNotification2 ({ origin=$FuncName; \
+            subject=([ $SymbolForNotification "high-voltage-sign,chart-decreasing" ] . "Health warning: Low " . $Name); \ 
+            message=("The " . $Name . " on " . $Identity . " dropped to " . $Value . " V below hard limit.") }); 
+        } 
+        :if ($NumCurr > $CheckHealthVoltageLow && $NumLast <= $CheckHealthVoltageLow) do={ 
+          $SendNotification2 ({ origin=$FuncName; \
+            subject=([ $SymbolForNotification "high-voltage-sign,chart-increasing" ] . "Health recovery: Low " . $Name); \ 
+            message=("The " . $Name . " on " . $Identity . " recovered to " . $Value . " V above hard limit.") }); 
+        }
+      }
+    }
+    :set ($CheckHealthLast->$Name) $Value;
+  }
+}

check-health.rsc

@@ -0,0 +1,110 @@
+#!rsc by RouterOS
+# RouterOS script: check-health
+# Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# check for RouterOS health state
+# https://rsc.eworm.de/doc/check-health.md
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global CheckHealthCPUUtilization;
+  :global CheckHealthCPUUtilizationNotified;
+  :global CheckHealthLast;
+  :global CheckHealthRAMUtilizationNotified;
+  :global Identity;
+
+  :global FormatLine;
+  :global HumanReadableNum;
+  :global IfThenElse;
+  :global LogPrint;
+  :global ScriptLock;
+  :global SendNotification2;
+  :global SymbolForNotification;
+  :global ValidateSyntax;
+
+  :local TempToNum do={
+    :global CharacterReplace;
+    :local T [ :toarray [ $CharacterReplace $1 "." "," ] ];
+    :return ($T->0 * 10 + $T->1);
+  }
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+
+  :local Resource [ /system/resource/get ];
+
+  :set CheckHealthCPUUtilization (($CheckHealthCPUUtilization * 4 + ($Resource->"cpu-load") * 10) / 5);
+  :if ($CheckHealthCPUUtilization > 750 && $CheckHealthCPUUtilizationNotified != true) do={
+    $SendNotification2 ({ origin=$ScriptName; \
+      subject=([ $SymbolForNotification "abacus,chart-increasing" ] . "Health warning: CPU utilization"); \
+      message=("The average CPU utilization on " . $Identity . " is at " . ($CheckHealthCPUUtilization / 10) . "%!") });
+    :set CheckHealthCPUUtilizationNotified true;
+  }
+  :if ($CheckHealthCPUUtilization < 650 && $CheckHealthCPUUtilizationNotified = true) do={
+    $SendNotification2 ({ origin=$ScriptName; \
+      subject=([ $SymbolForNotification "abacus,chart-decreasing" ] . "Health recovery: CPU utilization"); \
+      message=("The average CPU utilization on " . $Identity . " decreased to " . ($CheckHealthCPUUtilization / 10) . "%.") });
+    :set CheckHealthCPUUtilizationNotified false;
+  }
+
+  :local CheckHealthRAMUtilization (($Resource->"total-memory" - $Resource->"free-memory") * 100 / $Resource->"total-memory");
+  :if ($CheckHealthRAMUtilization >=80 && $CheckHealthRAMUtilizationNotified != true) do={
+    $SendNotification2 ({ origin=$ScriptName; \
+      subject=([ $SymbolForNotification "card-file-box,chart-increasing" ] . "Health warning: RAM utilization"); \
+      message=("The RAM utilization on " . $Identity . " is at " . $CheckHealthRAMUtilization . "%!\n\n" . \
+      [ $FormatLine "total" ([ $HumanReadableNum ($Resource->"total-memory") 1024 ] . "B") 8 ] . "\n" . \
+      [ $FormatLine "used" ([ $HumanReadableNum ($Resource->"total-memory" - $Resource->"free-memory") 1024 ] . "B") 8 ] . "\n" . \
+      [ $FormatLine "free" ([ $HumanReadableNum ($Resource->"free-memory") 1024 ] . "B") 8 ]) });
+    :set CheckHealthRAMUtilizationNotified true;
+  }
+  :if ($CheckHealthRAMUtilization < 70 && $CheckHealthRAMUtilizationNotified = true) do={
+    $SendNotification2 ({ origin=$ScriptName; \
+      subject=([ $SymbolForNotification "card-file-box,chart-decreasing" ] . "Health recovery: RAM utilization"); \
+      message=("The RAM utilization on " . $Identity . " decreased to " . $CheckHealthRAMUtilization . "%.") });
+    :set CheckHealthRAMUtilizationNotified false;
+  }
+
+  :local Plugins [ /system/script/find where name~"^check-health.d/." ];
+  :if ([ :len $Plugins ] = 0) do={
+    $LogPrint debug $ScriptName ("No plugins installed.");
+    :set ExitOK true;
+    :error true;
+  }
+
+  :global CheckHealthPlugins ({});
+  :if ([ :typeof $CheckHealthLast ] != "array") do={
+    :set CheckHealthLast ({});
+  }
+
+  :foreach Plugin in=$Plugins do={
+    :local PluginVal [ /system/script/get $Plugin ];
+    :if ([ $ValidateSyntax ($PluginVal->"source") ] = true) do={
+      :do {
+        /system/script/run $Plugin;
+      } on-error={
+        $LogPrint error $ScriptName ("Plugin '" . $ScriptVal->"name" . "' failed to run.");
+      }
+    } else={
+      $LogPrint error $ScriptName ("Plugin '" . $ScriptVal->"name" . "' failed syntax validation, skipping.");
+    }
+  }
+
+  :foreach PluginName,Discard in=$CheckHealthPlugins do={
+    ($CheckHealthPlugins->$PluginName) \
+         ("\$CheckHealthPlugins->\"" . $PluginName . "\"");
+  }
+
+  :set CheckHealthPlugins;
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

check-lte-firmware-upgrade

@@ -1,32 +0,0 @@
-#!rsc
-# RouterOS script: check-lte-firmware-upgrade
-# Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
-#
-# check for LTE firmware upgrade, send notification e-mails
-
-:global Identity;
-:global SentLteFirmwareUpgradeNotification;
-
-:global SendNotification;
-
-:foreach Interface in=[ / interface lte find ] do={
-  :local IntName [ / interface lte get $Interface name ];
-  :do {
-    :local Firmware [ / interface lte firmware-upgrade $Interface once as-value ];
-    
-    :if ($SentLteFirmwareUpgradeNotification = ($Firmware->"latest")) do={
-      :log debug ("Already sent the LTE firmware upgrade notification for version " . \
-        ($Firmware->"latest") . ".");
-    } else={
-      :if (($Firmware->"installed") != ($Firmware->"latest")) do={
-        $SendNotification ("LTE firmware upgrade notification") \
-          ("A new firmware version " . ($Firmware->"latest") . " is available for " . \
-          "LTE interface " . $IntName . " on " . $Identity . ".");
-        :set SentLteFirmwareUpgradeNotification ($Firmware->"latest");
-      }
-    }
-  } on-error={
-    :log debug ("Could not get latest LTE firmware version for interface " . \
-      $IntName . ".");
-  }
-}

check-lte-firmware-upgrade.rsc

@@ -0,0 +1,107 @@
+#!rsc by RouterOS
+# RouterOS script: check-lte-firmware-upgrade
+# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# check for LTE firmware upgrade, send notification
+# https://rsc.eworm.de/doc/check-lte-firmware-upgrade.md
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global SentLteFirmwareUpgradeNotification;
+
+  :global ScriptLock;
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :typeof $SentLteFirmwareUpgradeNotification ] != "array") do={
+    :global SentLteFirmwareUpgradeNotification ({});
+  }
+
+  :local CheckInterface do={
+    :local ScriptName $1;
+    :local Interface  $2;
+
+    :global Identity;
+    :global SentLteFirmwareUpgradeNotification;
+
+    :global FormatLine;
+    :global IfThenElse;
+    :global LogPrint;
+    :global ScriptFromTerminal;
+    :global SendNotification2;
+    :global SymbolForNotification;
+
+    :local IntName [ /interface/lte/get $Interface name ];
+    :local Firmware;
+    :local Info;
+    :do {
+      :set Firmware [ /interface/lte/firmware-upgrade $Interface as-value ];
+      :set Info [ /interface/lte/monitor $Interface once as-value ];
+    } on-error={
+      $LogPrint debug $ScriptName ("Could not get latest LTE firmware version for interface " . \
+        $IntName . ".");
+      :return false;
+    }
+
+    :if ([ :len ($Firmware->"latest") ] = 0) do={
+      $LogPrint info $ScriptName ("An empty string is not a valid version.");
+      :return false;
+    }
+
+    :if (($Firmware->"installed") = ($Firmware->"latest")) do={
+      :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
+        $LogPrint info $ScriptName ("No firmware upgrade available for LTE interface " . $IntName . ".");
+      }
+      :return true;
+    }
+
+    :if ([ $ScriptFromTerminal $ScriptName ] = true && \
+        [ :len [ /system/script/find where name="unattended-lte-firmware-upgrade" ] ] > 0) do={
+      :put ("Do you want to start unattended lte firmware upgrade for interface " . $IntName . "? [y/N]");
+      :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
+          /system/script/run unattended-lte-firmware-upgrade;
+          $LogPrint info $ScriptName ("Scheduled lte firmware upgrade for interface " . $IntName . "...");
+        :return true;
+      } else={
+        :put "Canceled...";
+      }
+    }
+
+    :if (($SentLteFirmwareUpgradeNotification->$IntName) = ($Firmware->"latest")) do={
+      $LogPrint debug $ScriptName ("Already sent the LTE firmware upgrade notification for version " . \
+        ($Firmware->"latest") . ".");
+      :return false;
+    }
+
+    $LogPrint info $ScriptName ("A new firmware version " . ($Firmware->"latest") . " is available for " . \
+      "LTE interface " . $IntName . ".");
+    $SendNotification2 ({ origin=$ScriptName; \
+      subject=([ $SymbolForNotification "sparkles" ] . "LTE firmware upgrade"); \
+      message=("A new firmware version " . ($Firmware->"latest") . " is available for " . \
+        "LTE interface " . $IntName . " on " . $Identity . ".\n\n" . \
+        [ $IfThenElse ([ :len ($Info->"manufacturer") ] > 0) ([ $FormatLine "Manufacturer" ($Info->"manufacturer") ] . "\n") ] . \
+        [ $IfThenElse ([ :len ($Info->"model") ] > 0) ([ $FormatLine "Model" ($Info->"model") ] . "\n") ] . \
+        [ $IfThenElse ([ :len ($Info->"revision") ] > 0) ([ $FormatLine "Revision" ($Info->"revision") ] . "\n") ] . \
+        "Firmware version:\n" . \
+        [ $FormatLine "    Installed" ($Firmware->"installed") ] . "\n" . \
+        [ $FormatLine "    Available" ($Firmware->"latest") ]); silent=true });
+    :set ($SentLteFirmwareUpgradeNotification->$IntName) ($Firmware->"latest");
+  }
+
+  :foreach Interface in=[ /interface/lte/find ] do={
+    $CheckInterface $ScriptName $Interface;
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

check-routeros-update

@@ -1,82 +0,0 @@
-#!rsc
-# RouterOS script: check-routeros-update
-# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
-#
-# check for RouterOS update, send notification e-mails
-
-:global Identity;
-:global SafeUpdateUrl;
-:global SentRouterosUpdateNotification;
-
-:global SendNotification;
-
-:local Update do={
-  :if ([ / system script print count-only where name="packages-update" ] > 0) do={
-    / system script run packages-update;
-  } else={
-    / system package update install without-paging;
-  }
-  :error "Waiting for system to reboot.";
-}
-
-:if ([ / system package print count-only where name="wireless" disabled=no ] > 0) do={
-  :if ([ / interface wireless cap get enabled ] = true && \
-      [ / caps-man manager get enabled ] = false) do={
-    :error "System is managed by CAPsMAN, not checking.";
-  }
-}
-
-/ system package update check-for-updates without-paging;
-:local InstalledVersion [ / system package update get installed-version ];
-:local LatestVersion [ / system package update get latest-version ];
-
-:if ($InstalledVersion != $LatestVersion) do={
-  :local Channel [ / system package update get channel ];
-  :local BoardName [ / system resource get board-name ];
-  :local Model [ / system routerboard get model ];
-  :local SerialNumber [ / system routerboard get serial-number ];
-
-  :if ([ :len $SafeUpdateUrl ] > 0) do={
-    :local Result;
-    :do {
-      :set Result [ / tool fetch check-certificate=yes-without-crl \
-          ($SafeUpdateUrl . $Channel . "?installed=" . $InstalledVersion . \
-          "&latest=" . $LatestVersion) output=user as-value ];
-    } on-error={
-      :log warning ("Failed receiving safe version for " . $Channel . ".");
-    }
-    :if ($Result->"status" = "finished" && $Result->"data" = $LatestVersion) do={
-      :log info ("Version " . $LatestVersion . " is considered safe, updating...");
-      $SendNotification ("RouterOS update notification") \
-          ("Version " . $LatestVersion . " is considered safe for " . $Channel . \
-          ", updating on " . $Identity . "...");
-      $Update;
-    }
-  }
-
-  :if ([ / system script job print count-only where script="check-routeros-update" parent~"." ] > 0) do={
-    :put ("Do you want to install RouterOS version " . $LatestVersion . "? [y/N]");
-    :if ([ :terminal inkey timeout=60 ] = 121) do={
-      $Update;
-    } else={
-      :put "Canceled...";
-    }
-  }
-
-  :if ($SentRouterosUpdateNotification = $LatestVersion) do={
-    :error ("Already sent the RouterOS update notification for version " . \
-        $LatestVersion . ".");
-  }
-
-  $SendNotification ("RouterOS update notification") \
-    ("There is a RouterOS update available\n\n" . \
-      "Board name:    " . $BoardName . "\n" . \
-      "Model:         " . $Model . "\n" . \
-      "Serial number: " . $SerialNumber . "\n" . \
-      "Hostname:      " . $Identity . "\n" . \
-      "Channel:       " . $Channel . "\n" . \
-      "Installed:     " . $InstalledVersion . "\n" . \
-      "Available:     " . $LatestVersion . "\n\n" .\
-      "https://upgrade.mikrotik.com/routeros/" . $LatestVersion . "/CHANGELOG");
-  :set SentRouterosUpdateNotification $LatestVersion;
-}

check-routeros-update.rsc

@@ -0,0 +1,239 @@
+#!rsc by RouterOS
+# RouterOS script: check-routeros-update
+# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+# requires device-mode, fetch, scheduler
+#
+# check for RouterOS update, send notification and/or install
+# https://rsc.eworm.de/doc/check-routeros-update.md
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global Identity;
+  :global SafeUpdateAll;
+  :global SafeUpdateNeighbor;
+  :global SafeUpdateNeighborIdentity;
+  :global SafeUpdatePatch;
+  :global SafeUpdateUrl;
+  :global SentRouterosUpdateNotification;
+
+  :global DeviceInfo;
+  :global EscapeForRegEx;
+  :global FetchUserAgentStr;
+  :global LogPrint;
+  :global ScriptFromTerminal;
+  :global ScriptLock;
+  :global SendNotification2;
+  :global SymbolForNotification;
+  :global VersionToNum;
+  :global WaitFullyConnected;
+
+  :local DoUpdate do={
+    :local ScriptName [ :tostr $1 ];
+
+    :global LogPrint;
+
+    :if ([ :len [ /system/script/find where name="packages-update" ] ] > 0) do={
+      /system/script/run packages-update;
+    } else={
+      /system/package/update/install without-paging;
+    }
+    $LogPrint info $ScriptName ("Waiting for system to reboot.");
+  }
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
+    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
+    :set ExitOK true;
+    :error false;
+  }
+
+  $WaitFullyConnected;
+
+  :if ([ :len [ /system/scheduler/find where name="_RebootForUpdate" ] ] > 0) do={
+    :set ExitOK true;
+    :error "A reboot for update is already scheduled.";
+  }
+
+  :local License [ /system/license/get ];
+  :if ([ :typeof ($License->"deadline-at") ] = "str") do={
+    :if ([ :len ($License->"next-renewal-at") ] = 0 && ($License->"limited-upgrades") = true) do={
+      $LogPrint warning $ScriptName ("Your license expired on " . ($License->"deadline-at") . "!");
+      $SendNotification2 ({ origin=$ScriptName; \
+        subject=([ $SymbolForNotification "warning-sign" ] . "License expired!"); \
+        message=("Your license expired on " . ($License->"deadline-at") . \
+          ", can no longer update RouterOS on " . $Identity . "...") });
+      :set ExitOK true;
+      :error false;
+    }
+
+    :if ([ :totime ($License->"deadline-at") ] - 3w < [ :timestamp ]) do={
+      $LogPrint warning $ScriptName ("Your license will expire on " . ($License->"deadline-at") . "!");
+      $SendNotification2 ({ origin=$ScriptName; \
+        subject=([ $SymbolForNotification "warning-sign" ] . "License about to expire!"); \
+        message=("Your license failed to renew and is about to expire on " . \
+          ($License->"deadline-at") . " on " . $Identity . "...") });
+    }
+  }
+
+  $LogPrint debug $ScriptName ("Checking for updates...");
+  /system/package/update/check-for-updates without-paging as-value;
+  :local Update [ /system/package/update/get ];
+
+  :if (($Update->"installed-version") = ($Update->"latest-version")) do={
+    :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
+      $LogPrint info $ScriptName ("System is already up to date.");
+    }
+    :set ExitOK true;
+    :error true;
+  }
+
+  :if ([ :len ($Update->"latest-version") ] = 0) do={
+    $LogPrint info $ScriptName ("Received an empty version string from server.");
+    :set ExitOK true;
+    :error false;
+  }
+
+  :local NumInstalled [ $VersionToNum ($Update->"installed-version") ];
+  :local NumLatest [ $VersionToNum ($Update->"latest-version") ];
+  :local BitMask [ $VersionToNum "255.255zero0" ];
+  :local NumInstalledFeature ($NumInstalled & $BitMask);
+  :local NumLatestFeature ($NumLatest & $BitMask);
+  :local Link ("https://mikrotik.com/download/changelogs/" . $Update->"channel" . "-release-tree");
+
+  :if ($NumLatest < [ $VersionToNum "7.0" ]) do={
+    $LogPrint warning $ScriptName ("The version '" . ($Update->"latest-version") . "' is not a valid version.");
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ($NumInstalled < $NumLatest) do={
+    :if ($SafeUpdateAll ~ "^YES,? ?PLEASE!?\$") do={
+      $LogPrint info $ScriptName ("Installing ALL versions automatically, including " . \
+        $Update->"latest-version" . "...");
+      $SendNotification2 ({ origin=$ScriptName; \
+        subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
+        message=("Installing ALL versions automatically, including " . $Update->"latest-version" . \
+          "... Updating on " . $Identity . "..."); link=$Link; silent=true });
+      $DoUpdate $ScriptName;
+      :set ExitOK true;
+      :error true;
+    }
+
+    :if ($SafeUpdatePatch = true && $NumInstalledFeature = $NumLatestFeature) do={
+      $LogPrint info $ScriptName ("Version " . $Update->"latest-version" . " is a patch release, updating...");
+      $SendNotification2 ({ origin=$ScriptName; \
+        subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
+        message=("Version " . $Update->"latest-version" . " is a patch update for " . $Update->"channel" . \
+          ", updating on " . $Identity . "..."); link=$Link; silent=true });
+      $DoUpdate $ScriptName;
+      :set ExitOK true;
+      :error true;
+    }
+
+    :if ($SafeUpdateNeighbor = true) do={
+      :local Neighbors [ /ip/neighbor/find where platform="MikroTik" identity~$SafeUpdateNeighborIdentity \
+         version~("^" . [ $EscapeForRegEx ($Update->"latest-version") ] . "\\b") ];
+      :if ([ :len $Neighbors ] > 0) do={
+        :local Neighbor [ /ip/neighbor/get ($Neighbors->0) identity ];
+        $LogPrint info $ScriptName ("Seen a neighbor (" . $Neighbor . ") running version " . \
+          $Update->"latest-version" . " from " . $Update->"channel" . ", updating...");
+        $SendNotification2 ({ origin=$ScriptName; \
+          subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
+          message=("Seen a neighbor (" . $Neighbor . ") running version " . $Update->"latest-version" . \
+            " from " . $Update->"channel" . ", updating on " . $Identity . "..."); link=$Link; silent=true });
+        $DoUpdate $ScriptName;
+        :set ExitOK true;
+        :error true;
+      }
+    }
+
+    :if ([ :len $SafeUpdateUrl ] > 0) do={
+      :local Result;
+      :do {
+        :set Result [ /tool/fetch check-certificate=yes-without-crl \
+            ($SafeUpdateUrl . $Update->"channel" . "?installed=" . $Update->"installed-version" . \
+            "&latest=" . $Update->"latest-version") http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \
+            output=user as-value ];
+      } on-error={
+        $LogPrint warning $ScriptName ("Failed receiving safe version for " . $Update->"channel" . ".");
+      }
+      :if ($Result->"status" = "finished" && $Result->"data" = $Update->"latest-version") do={
+        $LogPrint info $ScriptName ("Version " . $Update->"latest-version" . " is considered safe, updating...");
+        $SendNotification2 ({ origin=$ScriptName; \
+          subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
+          message=("Version " . $Update->"latest-version" . " is considered safe for " . $Update->"channel" . \
+            ", updating on " . $Identity . "..."); link=$Link; silent=true });
+        $DoUpdate $ScriptName;
+        :set ExitOK true;
+        :error true;
+      }
+    }
+
+    :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
+      :if (($Update->"channel") = "testing" && $NumInstalledFeature < $NumLatestFeature) do={
+        :put ("This is a feature update in testing channel. Switch to channel 'stable'? [y/N]");
+        :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
+          /system/package/update/set channel=stable;
+          $LogPrint info $ScriptName ("Switched to channel 'stable', please re-run!");
+          :set ExitOK true;
+          :error true;
+        }
+      }
+
+      :put ("Do you want to install RouterOS version " . $Update->"latest-version" . "? [y/N]");
+      :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
+        $DoUpdate $ScriptName;
+        :set ExitOK true;
+        :error true;
+      } else={
+        :put "Canceled...";
+      }
+    }
+
+    :if ($SentRouterosUpdateNotification = $Update->"latest-version") do={
+      $LogPrint info $ScriptName ("Already sent the RouterOS update notification for version " . \
+          $Update->"latest-version" . ".");
+      :set ExitOK true;
+      :error true;
+    }
+
+    $SendNotification2 ({ origin=$ScriptName; \
+      subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
+      message=("A new RouterOS version " . ($Update->"latest-version") . \
+        " is available for " . $Identity . ".\n\n" . \
+        [ $DeviceInfo ]); link=$Link; silent=true });
+    :set SentRouterosUpdateNotification ($Update->"latest-version");
+  }
+
+  :if ($NumInstalled > $NumLatest) do={
+    :if ($SentRouterosUpdateNotification = $Update->"latest-version") do={
+      $LogPrint info $ScriptName ("Already sent the RouterOS downgrade notification for version " . \
+          $Update->"latest-version" . ".");
+      :set ExitOK true;
+      :error true;
+    }
+
+    $SendNotification2 ({ origin=$ScriptName; \
+      subject=([ $SymbolForNotification "warning-sign" ] . "RouterOS version: " . $Update->"latest-version"); \
+      message=("A different RouterOS version " . ($Update->"latest-version") . \
+        " is available for " . $Identity . ", but it is a downgrade.\n\n" . \
+        [ $DeviceInfo ]); link=$Link; silent=true });
+    $LogPrint info $ScriptName ("A different RouterOS version " . ($Update->"latest-version") . \
+      " is available for downgrade.");
+    :set SentRouterosUpdateNotification ($Update->"latest-version");
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

collect-wireless-mac.capsman

@@ -1,62 +0,0 @@
-#!rsc
-# RouterOS script: collect-wireless-mac.capsman
-# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
-#
-# collect wireless mac adresses in access list
-#
-# !! Do not edit this file, it is generated from template!
-
-:global Identity;
-
-:global GetMacVendor;
-:global SendNotification;
-:global ScriptLock;
-
-$ScriptLock "collect-wireless-mac.capsman";
-
-:local PlaceBefore [ / caps-man access-list find where comment="--- collected above ---" disabled ];
-:if ([ :len $PlaceBefore ] = 0) do={
-  :error "Missing disabled access-list entry with comment '--- collected above ---'";
-}
-
-:foreach RegTbl in=[ / caps-man registration-table find ] do={
-  :local Mac [ / caps-man registration-table get $RegTbl mac-address ];
-  :local AccessList ([ / caps-man access-list find where mac-address=$Mac ]->0);
-  :if ([ :len $AccessList ] = 0) do={
-    :local HostName "no dhcp lease";
-    :local Address "no dhcp lease";
-    :local Lease [ / ip dhcp-server lease find where mac-address=$Mac ];
-    :if ([ :len $Lease ] > 0) do={
-      :set HostName [ / ip dhcp-server lease get $Lease host-name ];
-      :set Address [ / ip dhcp-server lease get $Lease address ];
-    }
-    :if ([ :len $HostName ] = 0) do={
-      :set HostName "no hostname";
-    }
-    :if ([ :len $Address ] = 0) do={
-      :set Address "no address";
-    }
-    :local RegEntry [ / caps-man registration-table find where mac-address=$Mac ];
-    :local Interface [ / caps-man registration-table get $RegEntry interface ];
-    :local Ssid [ / caps-man registration-table get $RegEntry ssid ];
-    :local DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);
-    :local Vendor [ $GetMacVendor $Mac ];
-    :local Message ("unknown MAC address " . $Mac . " (" . $Vendor . ", " . $HostName . ") " . \
-      "first seen on " . $DateTime . " connected to SSID " . $Ssid . ", interface " . $Interface);
-    / log info $Message;
-    / caps-man access-list add place-before=$PlaceBefore comment=$Message mac-address=$Mac disabled=yes;
-    $SendNotification ($Mac . " connected to " . $Ssid) \
-      ("A device with unknown MAC address connected to " . $Ssid . " on " . $Identity . ".\n\n" . \
-        "Controller: " . $Identity . "\n" . \
-        "Interface:  " . $Interface . "\n" . \
-        "SSID:       " . $Ssid . "\n" . \
-        "MAC:        " . $Mac . "\n" . \
-        "Vendor:     " . $Vendor . "\n" . \
-        "Hostname:   " . $HostName . "\n" . \
-        "Address:    " . $Address . "\n" . \
-        "Date:       " . $DateTime);
-  } else={
-    :local Comment [ / caps-man access-list get $AccessList comment ];
-    :log debug ("MAC address " . $Mac . " already known: " . $Comment);
-  }
-}

collect-wireless-mac.capsman.rsc

@@ -0,0 +1,100 @@
+#!rsc by RouterOS
+# RouterOS script: collect-wireless-mac.capsman
+# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: lease-script, order=40
+# requires RouterOS, version=7.15
+#
+# collect wireless mac adresses in access list
+# https://rsc.eworm.de/doc/collect-wireless-mac.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global Identity;
+
+  :global EitherOr;
+  :global FormatLine;
+  :global FormatMultiLines;
+  :global GetMacVendor;
+  :global LogPrint;
+  :global ScriptLock;
+  :global SendNotification2;
+  :global SymbolForNotification;
+
+  :if ([ $ScriptLock $ScriptName 10 ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :len [ /caps-man/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
+    /caps-man/access-list/add comment="--- collected above ---" disabled=yes;
+    $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
+  }
+  :local PlaceBefore ([ /caps-man/access-list/find where comment="--- collected above ---" disabled ]->0);
+
+  :foreach Reg in=[ /caps-man/registration-table/find ] do={
+    :local RegVal;
+    :do {
+      :set RegVal [ /caps-man/registration-table/get $Reg ];
+    } on-error={
+      $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
+    }
+
+    :if ([ :len ($RegVal->"mac-address") ] > 0) do={
+      :local AccessList ([ /caps-man/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
+      :if ([ :len $AccessList ] > 0) do={
+        $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
+          [ /caps-man/access-list/get $AccessList comment ]);
+      }
+
+      :if ([ :len $AccessList ] = 0) do={
+        :local Address "no dhcp lease";
+        :local DnsName "no dhcp lease";
+        :local HostName "no dhcp lease";
+        :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
+        :if ([ :len $Lease ] > 0) do={
+          :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
+          :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
+          :set DnsName "no dns name";
+          :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
+          :if ([ :len $DnsRec ] > 0) do={
+            :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
+            :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
+              :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
+            }
+          }
+        }
+        :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
+        :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
+        :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
+          "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
+        $LogPrint info $ScriptName $Message;
+        /caps-man/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
+        $SendNotification2 ({ origin=$ScriptName; \
+          subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
+          message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
+            [ $FormatLine "Controller" $Identity ] . "\n" . \
+            [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
+            [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
+            [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
+            [ $FormatLine "Vendor" $Vendor ] . "\n" . \
+            [ $FormatLine "Hostname" $HostName ] . "\n" . \
+            [ $FormatLine "Address" $Address ] . "\n" . \
+            [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
+            [ $FormatLine "Date" $DateTime ]) });
+      }
+    } else={
+      $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

collect-wireless-mac.local

@@ -1,62 +0,0 @@
-#!rsc
-# RouterOS script: collect-wireless-mac.local
-# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
-#
-# collect wireless mac adresses in access list
-#
-# !! Do not edit this file, it is generated from template!
-
-:global Identity;
-
-:global GetMacVendor;
-:global SendNotification;
-:global ScriptLock;
-
-$ScriptLock "collect-wireless-mac.local";
-
-:local PlaceBefore [ / interface wireless access-list find where comment="--- collected above ---" disabled ];
-:if ([ :len $PlaceBefore ] = 0) do={
-  :error "Missing disabled access-list entry with comment '--- collected above ---'";
-}
-
-:foreach RegTbl in=[ / interface wireless registration-table find ] do={
-  :local Mac [ / interface wireless registration-table get $RegTbl mac-address ];
-  :local AccessList ([ / interface wireless access-list find where mac-address=$Mac ]->0);
-  :if ([ :len $AccessList ] = 0) do={
-    :local HostName "no dhcp lease";
-    :local Address "no dhcp lease";
-    :local Lease [ / ip dhcp-server lease find where mac-address=$Mac ];
-    :if ([ :len $Lease ] > 0) do={
-      :set HostName [ / ip dhcp-server lease get $Lease host-name ];
-      :set Address [ / ip dhcp-server lease get $Lease address ];
-    }
-    :if ([ :len $HostName ] = 0) do={
-      :set HostName "no hostname";
-    }
-    :if ([ :len $Address ] = 0) do={
-      :set Address "no address";
-    }
-    :local RegEntry [ / interface wireless registration-table find where mac-address=$Mac ];
-    :local Interface [ / interface wireless registration-table get $RegEntry interface ];
-    :local Ssid [ / interface wireless get [ find where name=$Interface ] ssid ];
-    :local DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);
-    :local Vendor [ $GetMacVendor $Mac ];
-    :local Message ("unknown MAC address " . $Mac . " (" . $Vendor . ", " . $HostName . ") " . \
-      "first seen on " . $DateTime . " connected to SSID " . $Ssid . ", interface " . $Interface);
-    / log info $Message;
-    / interface wireless access-list add place-before=$PlaceBefore comment=$Message mac-address=$Mac disabled=yes;
-    $SendNotification ($Mac . " connected to " . $Ssid) \
-      ("A device with unknown MAC address connected to " . $Ssid . " on " . $Identity . ".\n\n" . \
-        "Controller: " . $Identity . "\n" . \
-        "Interface:  " . $Interface . "\n" . \
-        "SSID:       " . $Ssid . "\n" . \
-        "MAC:        " . $Mac . "\n" . \
-        "Vendor:     " . $Vendor . "\n" . \
-        "Hostname:   " . $HostName . "\n" . \
-        "Address:    " . $Address . "\n" . \
-        "Date:       " . $DateTime);
-  } else={
-    :local Comment [ / interface wireless access-list get $AccessList comment ];
-    :log debug ("MAC address " . $Mac . " already known: " . $Comment);
-  }
-}

collect-wireless-mac.local.rsc

@@ -0,0 +1,101 @@
+#!rsc by RouterOS
+# RouterOS script: collect-wireless-mac.local
+# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: lease-script, order=40
+# requires RouterOS, version=7.15
+#
+# collect wireless mac adresses in access list
+# https://rsc.eworm.de/doc/collect-wireless-mac.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global Identity;
+
+  :global EitherOr;
+  :global FormatLine;
+  :global FormatMultiLines;
+  :global GetMacVendor;
+  :global LogPrint;
+  :global ScriptLock;
+  :global SendNotification2;
+  :global SymbolForNotification;
+
+  :if ([ $ScriptLock $ScriptName 10 ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :len [ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
+    /interface/wireless/access-list/add comment="--- collected above ---" disabled=yes;
+    $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
+  }
+  :local PlaceBefore ([ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ]->0);
+
+  :foreach Reg in=[ /interface/wireless/registration-table/find where ap=no ] do={
+    :local RegVal;
+    :do {
+      :set RegVal [ /interface/wireless/registration-table/get $Reg ];
+    } on-error={
+      $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
+    }
+
+    :if ([ :len ($RegVal->"mac-address") ] > 0) do={
+      :local AccessList ([ /interface/wireless/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
+      :if ([ :len $AccessList ] > 0) do={
+        $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
+          [ /interface/wireless/access-list/get $AccessList comment ]);
+      }
+
+      :if ([ :len $AccessList ] = 0) do={
+        :local Address "no dhcp lease";
+        :local DnsName "no dhcp lease";
+        :local HostName "no dhcp lease";
+        :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
+        :if ([ :len $Lease ] > 0) do={
+          :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
+          :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
+          :set DnsName "no dns name";
+          :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
+          :if ([ :len $DnsRec ] > 0) do={
+            :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
+            :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
+              :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
+            }
+          }
+        }
+        :set ($RegVal->"ssid") [ /interface/wireless/get [ find where name=($RegVal->"interface") ] ssid ];
+        :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
+        :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
+        :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
+          "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
+        $LogPrint info $ScriptName $Message;
+        /interface/wireless/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
+        $SendNotification2 ({ origin=$ScriptName; \
+          subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
+          message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
+            [ $FormatLine "Controller" $Identity ] . "\n" . \
+            [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
+            [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
+            [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
+            [ $FormatLine "Vendor" $Vendor ] . "\n" . \
+            [ $FormatLine "Hostname" $HostName ] . "\n" . \
+            [ $FormatLine "Address" $Address ] . "\n" . \
+            [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
+            [ $FormatLine "Date" $DateTime ]) });
+      }
+    } else={
+      $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

collect-wireless-mac.template

@@ -1,64 +0,0 @@
-#!rsc
-# RouterOS script: collect-wireless-mac%TEMPL%
-# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
-#
-# collect wireless mac adresses in access list
-#
-# !! This is just a template! Replace '%PATH%' with 'caps-man'
-# !! or 'interface wireless'!
-
-:global Identity;
-
-:global GetMacVendor;
-:global SendNotification;
-:global ScriptLock;
-
-$ScriptLock "collect-wireless-mac%TEMPL%";
-
-:local PlaceBefore [ / %PATH% access-list find where comment="--- collected above ---" disabled ];
-:if ([ :len $PlaceBefore ] = 0) do={
-  :error "Missing disabled access-list entry with comment '--- collected above ---'";
-}
-
-:foreach RegTbl in=[ / %PATH% registration-table find ] do={
-  :local Mac [ / %PATH% registration-table get $RegTbl mac-address ];
-  :local AccessList ([ / %PATH% access-list find where mac-address=$Mac ]->0);
-  :if ([ :len $AccessList ] = 0) do={
-    :local HostName "no dhcp lease";
-    :local Address "no dhcp lease";
-    :local Lease [ / ip dhcp-server lease find where mac-address=$Mac ];
-    :if ([ :len $Lease ] > 0) do={
-      :set HostName [ / ip dhcp-server lease get $Lease host-name ];
-      :set Address [ / ip dhcp-server lease get $Lease address ];
-    }
-    :if ([ :len $HostName ] = 0) do={
-      :set HostName "no hostname";
-    }
-    :if ([ :len $Address ] = 0) do={
-      :set Address "no address";
-    }
-    :local RegEntry [ / %PATH% registration-table find where mac-address=$Mac ];
-    :local Interface [ / %PATH% registration-table get $RegEntry interface ];
-    :local Ssid [ / caps-man registration-table get $RegEntry ssid ];
-    :local Ssid [ / interface wireless get [ find where name=$Interface ] ssid ];
-    :local DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);
-    :local Vendor [ $GetMacVendor $Mac ];
-    :local Message ("unknown MAC address " . $Mac . " (" . $Vendor . ", " . $HostName . ") " . \
-      "first seen on " . $DateTime . " connected to SSID " . $Ssid . ", interface " . $Interface);
-    / log info $Message;
-    / %PATH% access-list add place-before=$PlaceBefore comment=$Message mac-address=$Mac disabled=yes;
-    $SendNotification ($Mac . " connected to " . $Ssid) \
-      ("A device with unknown MAC address connected to " . $Ssid . " on " . $Identity . ".\n\n" . \
-        "Controller: " . $Identity . "\n" . \
-        "Interface:  " . $Interface . "\n" . \
-        "SSID:       " . $Ssid . "\n" . \
-        "MAC:        " . $Mac . "\n" . \
-        "Vendor:     " . $Vendor . "\n" . \
-        "Hostname:   " . $HostName . "\n" . \
-        "Address:    " . $Address . "\n" . \
-        "Date:       " . $DateTime);
-  } else={
-    :local Comment [ / %PATH% access-list get $AccessList comment ];
-    :log debug ("MAC address " . $Mac . " already known: " . $Comment);
-  }
-}

collect-wireless-mac.template.rsc

@@ -0,0 +1,118 @@
+#!rsc by RouterOS
+# RouterOS script: collect-wireless-mac%TEMPL%
+# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: lease-script, order=40
+# requires RouterOS, version=7.15
+#
+# collect wireless mac adresses in access list
+# https://rsc.eworm.de/doc/collect-wireless-mac.md
+#
+# !! This is just a template to generate the real script!
+# !! Pattern '%TEMPL%' is replaced, paths are filtered.
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global Identity;
+
+  :global EitherOr;
+  :global FormatLine;
+  :global FormatMultiLines;
+  :global GetMacVendor;
+  :global LogPrint;
+  :global ScriptLock;
+  :global SendNotification2;
+  :global SymbolForNotification;
+
+  :if ([ $ScriptLock $ScriptName 10 ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :len [ /caps-man/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
+  :if ([ :len [ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
+  :if ([ :len [ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
+    /caps-man/access-list/add comment="--- collected above ---" disabled=yes;
+    /interface/wifi/access-list/add comment="--- collected above ---" disabled=yes;
+    /interface/wireless/access-list/add comment="--- collected above ---" disabled=yes;
+    $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
+  }
+  :local PlaceBefore ([ /caps-man/access-list/find where comment="--- collected above ---" disabled ]->0);
+  :local PlaceBefore ([ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ]->0);
+  :local PlaceBefore ([ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ]->0);
+
+  :foreach Reg in=[ /caps-man/registration-table/find ] do={
+  :foreach Reg in=[ /interface/wifi/registration-table/find ] do={
+  :foreach Reg in=[ /interface/wireless/registration-table/find where ap=no ] do={
+    :local RegVal;
+    :do {
+      :set RegVal [ /caps-man/registration-table/get $Reg ];
+      :set RegVal [ /interface/wifi/registration-table/get $Reg ];
+      :set RegVal [ /interface/wireless/registration-table/get $Reg ];
+    } on-error={
+      $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
+    }
+
+    :if ([ :len ($RegVal->"mac-address") ] > 0) do={
+      :local AccessList ([ /caps-man/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
+      :local AccessList ([ /interface/wifi/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
+      :local AccessList ([ /interface/wireless/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
+      :if ([ :len $AccessList ] > 0) do={
+        $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
+          [ /caps-man/access-list/get $AccessList comment ]);
+          [ /interface/wifi/access-list/get $AccessList comment ]);
+          [ /interface/wireless/access-list/get $AccessList comment ]);
+      }
+
+      :if ([ :len $AccessList ] = 0) do={
+        :local Address "no dhcp lease";
+        :local DnsName "no dhcp lease";
+        :local HostName "no dhcp lease";
+        :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
+        :if ([ :len $Lease ] > 0) do={
+          :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
+          :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
+          :set DnsName "no dns name";
+          :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
+          :if ([ :len $DnsRec ] > 0) do={
+            :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
+            :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
+              :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
+            }
+          }
+        }
+        :set ($RegVal->"ssid") [ /interface/wireless/get [ find where name=($RegVal->"interface") ] ssid ];
+        :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
+        :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
+        :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
+          "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
+        $LogPrint info $ScriptName $Message;
+        /caps-man/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
+        /interface/wifi/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
+        /interface/wireless/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
+        $SendNotification2 ({ origin=$ScriptName; \
+          subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
+          message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
+            [ $FormatLine "Controller" $Identity ] . "\n" . \
+            [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
+            [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
+            [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
+            [ $FormatLine "Vendor" $Vendor ] . "\n" . \
+            [ $FormatLine "Hostname" $HostName ] . "\n" . \
+            [ $FormatLine "Address" $Address ] . "\n" . \
+            [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
+            [ $FormatLine "Date" $DateTime ]) });
+      }
+    } else={
+      $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

collect-wireless-mac.wifi.rsc

@@ -0,0 +1,100 @@
+#!rsc by RouterOS
+# RouterOS script: collect-wireless-mac.wifi
+# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# provides: lease-script, order=40
+# requires RouterOS, version=7.15
+#
+# collect wireless mac adresses in access list
+# https://rsc.eworm.de/doc/collect-wireless-mac.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global Identity;
+
+  :global EitherOr;
+  :global FormatLine;
+  :global FormatMultiLines;
+  :global GetMacVendor;
+  :global LogPrint;
+  :global ScriptLock;
+  :global SendNotification2;
+  :global SymbolForNotification;
+
+  :if ([ $ScriptLock $ScriptName 10 ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+
+  :if ([ :len [ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
+    /interface/wifi/access-list/add comment="--- collected above ---" disabled=yes;
+    $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
+  }
+  :local PlaceBefore ([ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ]->0);
+
+  :foreach Reg in=[ /interface/wifi/registration-table/find ] do={
+    :local RegVal;
+    :do {
+      :set RegVal [ /interface/wifi/registration-table/get $Reg ];
+    } on-error={
+      $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
+    }
+
+    :if ([ :len ($RegVal->"mac-address") ] > 0) do={
+      :local AccessList ([ /interface/wifi/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
+      :if ([ :len $AccessList ] > 0) do={
+        $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
+          [ /interface/wifi/access-list/get $AccessList comment ]);
+      }
+
+      :if ([ :len $AccessList ] = 0) do={
+        :local Address "no dhcp lease";
+        :local DnsName "no dhcp lease";
+        :local HostName "no dhcp lease";
+        :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
+        :if ([ :len $Lease ] > 0) do={
+          :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
+          :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
+          :set DnsName "no dns name";
+          :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
+          :if ([ :len $DnsRec ] > 0) do={
+            :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
+            :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
+              :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
+            }
+          }
+        }
+        :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
+        :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
+        :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
+          "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
+        $LogPrint info $ScriptName $Message;
+        /interface/wifi/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
+        $SendNotification2 ({ origin=$ScriptName; \
+          subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
+          message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
+            [ $FormatLine "Controller" $Identity ] . "\n" . \
+            [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
+            [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
+            [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
+            [ $FormatLine "Vendor" $Vendor ] . "\n" . \
+            [ $FormatLine "Hostname" $HostName ] . "\n" . \
+            [ $FormatLine "Address" $Address ] . "\n" . \
+            [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
+            [ $FormatLine "Date" $DateTime ]) });
+      }
+    } else={
+      $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

contrib/logo-color.d/script.js

@@ -0,0 +1,12 @@
+function invertHex(hex) {
+  return (Number("0x1" + hex) ^ 0xffffff).toString(16).substr(1);
+}
+
+function color() {
+  var svg = document.querySelector(".logo").getSVGDocument();
+  svg.getElementById("dark-1").setAttribute("stop-color", document.getElementById("color1").value);
+  svg.getElementById("dark-2").setAttribute("stop-color", document.getElementById("color2").value);
+  var background = document.getElementById("color3").value;
+  svg.getElementById("background").setAttribute("fill", background);
+  svg.getElementById("hexagon").setAttribute("stroke", "#" + invertHex(background.substring(1)));
+}

contrib/logo-color.d/style.css

@@ -0,0 +1,5 @@
+body {
+  font-family: fira-sans, sans-serif;
+  font-size: 10pt;
+  background-color: transparent;
+}

contrib/logo-color.html

@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<title>RouterOS-Scripts Logo Color Changer</title>
+<link rel="stylesheet" type="text/css" href="logo-color.d/style.css">
+<script src="logo-color.d/script.js"></script>
+</head>
+<body>
+
+<h1>RouterOS-Scripts Logo Color Changer</h1>
+
+<p>You want the logo for your own notifications? But you joined the
+<a href="https://t.me/routeros_scripts">Telegram Group</a> and want
+something that differentiates? Color it!</p>
+
+<embed class="logo" src="../logo.svg" width="192" height="192" type="image/svg+xml">
+
+<p>Select the colors here:
+<input id="color1" type="color" value="#222222" onchange="color();">
+<input id="color2" type="color" value="#444444" onchange="color();">
+<input id="color3" type="color" value="#ffffff" onchange="color();"></p>
+
+<p>Then right-click, click "<i>Take Screenshot</i>" and finally select the
+logo and download it.</p>
+
+<p><img src="logo-color.d/browser-01.avif" width=533 height=482 alt="Screenshot Browser 01">
+<img src="logo-color.d/browser-02.avif" width=533 height=482 alt="Screenshot Browser 02">
+<img src="logo-color.d/browser-03.avif" width=533 height=482 alt="Screenshot Browser 03"></p>
+
+<p>(This example is with
+<a href="https://www.mozilla.org/de/firefox/new/">Firefox</a>. The workflow
+for other browsers may differ.)</p>
+
+<p>See how to
+<a href="../../about/doc/mod/notification-telegram.md#set-a-profile-photo">Set
+a profile photo</a> for your Telegram bot.</p>
+
+</body>
+</html>

contrib/notification.d/script.js

@@ -0,0 +1,6 @@
+function visible(cb, element) {
+  document.getElementById(element).style.display = cb.checked ? "block" : "none";
+}
+function update(cb, element) {
+  document.getElementById(element).innerHTML = cb.value;
+}

contrib/notification.d/style.css

@@ -0,0 +1,36 @@
+body {
+  font-family: fira-sans, sans-serif;
+  font-size: 10pt;
+  background-color: transparent;
+}
+div.notification {
+  position: relative;
+  float: right;
+  width: 600px;
+  border: 3px outset #6c5d53;
+  /* border-radius: 5px; */
+  padding: 10px;
+  background-color: #e6e6e6;
+}
+div.content {
+  padding-left: 60px;
+}
+img.logo {
+  float: left;
+  border-radius: 50%;
+}
+p.heading {
+  margin: 0px;
+  font-weight: bold;
+  text-decoration: underline;
+}
+p.hint {
+  display: none;
+}
+pre {
+  font-family: fira-mono, monospace;
+  white-space: pre-wrap;
+}
+span.link {
+  color: #863600;
+}

contrib/notification.html

@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<title>RouterOS-Scripts Notification Generator</title>
+<link rel="stylesheet" type="text/css" href="notification.d/style.css">
+<script src="notification.d/script.js"></script> 
+</head>
+<body>
+
+<h1>RouterOS-Scripts Notification Generator</h1>
+
+<div class="notification">
+  <img src="../logo.svg" alt="logo" class="logo" width=48 height=48>
+  <div class="content">
+  <p id="heading" class="heading">[<span id="hostname">MikroTik</span>] <span id="subject">ℹ️  Subject</span></p>
+  <pre id="message">Message</pre>
+  <p id="link" class="hint">🔗 <span id="link-text" class="link">https://eworm.de/</span></p>
+  <p id="queued" class="hint">⏰ This message was queued since <span id="queued-since">oct/18/2022 18:30:48</span> and may be obsolete.</p>
+  <p id="cut" class="hint">✂️ The message was too long and has been truncated, cut off <span id="cut-percent">13</span>%!</p>
+  </div>
+</div>
+
+<p>Hostname: <input type="text" value="MikroTik" onchange="update(this, 'hostname')"></p>
+<p>Subject: <input type="text" size=50 value="ℹ️  Subject" onchange="update(this, 'subject')"></p>
+<p>Message: <textarea id="w3review" name="w3review" rows="4" cols="50" onchange="update(this, 'message')">Message</textarea></p>
+<p><input type="checkbox" onclick="visible(this, 'link')"> Show link: <input type="text" value="https://eworm.de/" onchange="update(this, 'link-text')"></p>
+<p><input type="checkbox" onclick="visible(this, 'queued')"> Queued since <input type="text" value="oct/18/2022 18:30:48" onchange="update(this, 'queued-since')"></p>
+<p><input type="checkbox" onclick="visible(this, 'cut')"> Cut-off with <input type="number" min=1 max=99 value=13 onchange="update(this, 'cut-percent')"> percent</p>
+
+<p>Then right-click, click "<i>Take Screenshot</i>" and finally select the
+notification and download it.</p>
+
+</body>
+</html>

daily-psk-schedule

@@ -1,23 +0,0 @@
-#!rsc
-# RouterOS script: daily-psk-schedule
-# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
-#
-# schedule daily-psk on startup
-
-:local Scheduler [ / system scheduler find where name="daily-psk-schedule" ];
-
-:if ([ / system scheduler get $Scheduler interval ] = 0s) do={
-  / system scheduler set interval=15s $Scheduler;
-} else={
-  :if ([ / tool netwatch get [ find where comment=[ / tool e-mail get address ] ] status ] != "up") do={
-    :error "Mail server is not up.";
-  }
-
-  :if ([ / system ntp client get status ] != "synchronized") do={
-    :error "Time is not yet synchronized from ntp.";
-  }
-
-  / system script run [ find where name~"daily-psk\\.(capsman|local)" ];
-
-  / system scheduler set interval=0s $Scheduler;
-}

daily-psk.capsman

@@ -1,90 +0,0 @@
-#!rsc
-# RouterOS script: daily-psk.capsman
-# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-#
-# update daily PSK (pre shared key)
-
-:global Identity;
-:global DailyPskMatchComment;
-:global UrlEncode;
-
-:global SendNotification;
-
-:local Seen [ :toarray "" ];
-
-# return pseudo-random string for PSK
-:local GeneratePSK do={
-  :local Date [ :tostr $1 ];
-
-  :global DailyPskSecrets;
-
-  :local Months { "jan"; "feb"; "mar"; "apr"; "may"; "jun";
-                  "jul"; "aug"; "sep"; "oct"; "nov"; "dec" };
-
-  :local Month [ :pick $Date 0 3 ];
-  :local Day [ :tonum [ :pick $Date 4 6 ] ];
-  :local Year [ :pick $Date 7 11 ];
-
-  :for MIndex from=0 to=[ :len $Months ] do={
-    :if ($Months->$MIndex = $Month) do={
-      :set Month ($MIndex + 1);
-    }
-  }
-
-  :local A ((14 - $Month) / 12);
-  :local B ($Year - $A);
-  :local C ($Month + 12 * $A - 2);
-  :local WeekDay (7000 + $Day + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
-  :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
-
-  :return (($DailyPskSecrets->0->($Day - 1)) . \
-    ($DailyPskSecrets->1->($Month - 1)) . \
-    ($DailyPskSecrets->2->$WeekDay));
-}
-
-:local Date [ / system clock get date ];
-:local NewPsk [ $GeneratePSK $Date ];
-
-:foreach AccList in=[ / caps-man access-list find where comment~$DailyPskMatchComment ] do={
-  :local Ssid [ / caps-man access-list get $AccList ssid-regexp ];
-  :local Configuration [ / caps-man configuration get [ find where ssid=$Ssid ] name ];
-  :local OldPsk [ / caps-man access-list get $AccList private-passphrase ];
-  :local Skip 0;
-
-  :if ($NewPsk != $OldPsk) do={
-    :log info ("Updating daily PSK for " . $Ssid . " to " . $NewPsk . " (was " . $OldPsk . ")");
-    / caps-man access-list set $AccList private-passphrase=$NewPsk;
-
-    :if ([ / caps-man interface print count-only where configuration=$Configuration ] > 0) do={
-      :foreach SeenSsid in=$Seen do={
-        :if ($SeenSsid = $Ssid) do={
-          :log debug ("Already sent a mail for SSID " . $Ssid . ", skipping.");
-          :set Skip 1;
-        }
-      }
-
-      :if ($Skip = 0) do={
-        :set Seen ($Seen, $Ssid);
-
-        :local Url ("https://www.eworm.de/cgi-bin/cqrlogo-wifi.cgi" . \
-            "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
-        :local Attach "qrcode-daily.png";
-
-        :do {
-          / tool fetch mode=https check-certificate=yes-without-crl \
-              $Url dst-path=$Attach;
-        } on-error={
-          :set Attach "";
-        }
-
-        $SendNotification ("daily PSK " . $Ssid) \
-          ("This is the daily PSK on " . $Identity . ":\n\n" . \
-            "SSID: " . $Ssid . "\n" . \
-            "PSK:  " . $NewPsk . "\n" . \
-            "Date: " . $Date . "\n\n" . \
-            $Url) $Attach;
-      }
-    }
-  }
-}

daily-psk.capsman.rsc

@@ -0,0 +1,96 @@
+#!rsc by RouterOS
+# RouterOS script: daily-psk.capsman
+# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# update daily PSK (pre shared key)
+# https://rsc.eworm.de/doc/daily-psk.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global DailyPskMatchComment;
+  :global DailyPskQrCodeUrl;
+  :global Identity;
+
+  :global FormatLine;
+  :global LogPrint;
+  :global ScriptLock;
+  :global SendNotification2;
+  :global SymbolForNotification;
+  :global UrlEncode;
+  :global WaitForFile;
+  :global WaitFullyConnected;
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+  $WaitFullyConnected;
+
+  # return pseudo-random string for PSK
+  :local GeneratePSK do={
+    :local Date [ :tostr $1 ];
+
+    :global DailyPskSecrets;
+
+    :global ParseDate;
+
+    :set Date [ $ParseDate $Date ];
+
+    :local A ((14 - ($Date->"month")) / 12);
+    :local B (($Date->"year") - $A);
+    :local C (($Date->"month") + 12 * $A - 2);
+    :local WeekDay (7000 + ($Date->"day") + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
+    :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
+
+    :return (($DailyPskSecrets->0->(($Date->"day") - 1)) . \
+      ($DailyPskSecrets->1->(($Date->"month") - 1)) . \
+      ($DailyPskSecrets->2->$WeekDay));
+  }
+
+  :local Seen ({});
+  :local Date [ /system/clock/get date ];
+  :local NewPsk [ $GeneratePSK $Date ];
+
+  :foreach AccList in=[ /caps-man/access-list/find where comment~$DailyPskMatchComment ] do={
+    :local SsidRegExp [ /caps-man/access-list/get $AccList ssid-regexp ];
+    :local Configuration ([ /caps-man/configuration/find where ssid~$SsidRegExp ]->0);
+    :local Ssid [ /caps-man/configuration/get $Configuration ssid ];
+    :local OldPsk [ /caps-man/access-list/get $AccList private-passphrase ];
+    :local Skip 0;
+
+    :if ($NewPsk != $OldPsk) do={
+      $LogPrint info $ScriptName ("Updating daily PSK for '" . $Ssid . "' to '" . $NewPsk . "' (was '" . $OldPsk . "')");
+      /caps-man/access-list/set $AccList private-passphrase=$NewPsk;
+
+      :if ([ :len [ /caps-man/actual-interface-configuration/find where configuration.ssid=$Ssid !disabled ] ] > 0) do={
+        :if ($Seen->$Ssid = 1) do={
+          $LogPrint debug $ScriptName ("Already sent a mail for SSID " . $Ssid . ", skipping.");
+        } else={
+          :local Link ($DailyPskQrCodeUrl . \
+              "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
+          $SendNotification2 ({ origin=$ScriptName; \
+            subject=([ $SymbolForNotification "calendar" ] . "daily PSK " . $Ssid); \
+            message=("This is the daily PSK on " . $Identity . ":\n\n" . \
+              [ $FormatLine "SSID" $Ssid 8 ] . "\n" . \
+              [ $FormatLine "PSK" $NewPsk 8 ] . "\n" . \
+              [ $FormatLine "Date" $Date 8 ] . "\n\n" . \
+              "A client device specific rule must not exist!"); link=$Link });
+          :set ($Seen->$Ssid) 1;
+        }
+      }
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

daily-psk.local

@@ -1,90 +0,0 @@
-#!rsc
-# RouterOS script: daily-psk.local
-# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-#
-# update daily PSK (pre shared key)
-
-:global Identity;
-:global DailyPskMatchComment;
-:global UrlEncode;
-
-:global SendNotification;
-
-:local Seen [ :toarray "" ];
-
-# return pseudo-random string for PSK
-:local GeneratePSK do={
-  :local Date [ :tostr $1 ];
-
-  :global DailyPskSecrets;
-
-  :local Months { "jan"; "feb"; "mar"; "apr"; "may"; "jun";
-                  "jul"; "aug"; "sep"; "oct"; "nov"; "dec" };
-
-  :local Month [ :pick $Date 0 3 ];
-  :local Day [ :tonum [ :pick $Date 4 6 ] ];
-  :local Year [ :pick $Date 7 11 ];
-
-  :for MIndex from=0 to=[ :len $Months ] do={
-    :if ($Months->$MIndex = $Month) do={
-      :set Month ($MIndex + 1);
-    }
-  }
-
-  :local A ((14 - $Month) / 12);
-  :local B ($Year - $A);
-  :local C ($Month + 12 * $A - 2);
-  :local WeekDay (7000 + $Day + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
-  :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
-
-  :return (($DailyPskSecrets->0->($Day - 1)) . \
-    ($DailyPskSecrets->1->($Month - 1)) . \
-    ($DailyPskSecrets->2->$WeekDay));
-}
-
-:local Date [ / system clock get date ];
-:local NewPsk [ $GeneratePSK $Date ];
-
-:foreach AccList in=[ / interface wireless access-list find where comment~$DailyPskMatchComment ] do={
-  :local IntName [ / interface wireless access-list get $AccList interface ];
-  :local Ssid [ / interface wireless get $IntName ssid ];
-  :local OldPsk [ / interface wireless access-list get $AccList private-pre-shared-key ];
-  :local Skip 0;
-
-  :if ($NewPsk != $OldPsk) do={
-    :log info ("Updating daily PSK for " . $Ssid . " to " . $NewPsk . " (was " . $OldPsk . ")");
-    / interface wireless access-list set $AccList private-pre-shared-key=$NewPsk;
-
-    :if ([ / interface wireless print count-only where name=$IntName disabled=no ] = 1) do={
-      :foreach SeenSsid in=$Seen do={
-        :if ($SeenSsid = $Ssid) do={
-          :log debug ("Already sent a mail for SSID " . $Ssid . ", skipping.");
-          :set Skip 1;
-        }
-      }
-
-      :if ($Skip = 0) do={
-        :set Seen ($Seen, $Ssid);
-
-        :local Url ("https://www.eworm.de/cgi-bin/cqrlogo-wifi.cgi" . \
-            "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
-        :local Attach "qrcode-daily.png";
-
-        :do {
-          / tool fetch mode=https check-certificate=yes-without-crl \
-              $Url dst-path=$Attach;
-        } on-error={
-          :set Attach "";
-        }
-
-        $SendNotification ("daily PSK " . $Ssid) \
-          ("This is the daily PSK on " . $Identity . ":\n\n" . \
-            "SSID: " . $Ssid . "\n" . \
-            "PSK:  " . $NewPsk . "\n" . \
-            "Date: " . $Date . "\n\n" . \
-            $Url) $Attach;
-      }
-    }
-  }
-}

daily-psk.local.rsc

@@ -0,0 +1,95 @@
+#!rsc by RouterOS
+# RouterOS script: daily-psk.local
+# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# update daily PSK (pre shared key)
+# https://rsc.eworm.de/doc/daily-psk.md
+#
+# !! Do not edit this file, it is generated from template!
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global DailyPskMatchComment;
+  :global DailyPskQrCodeUrl;
+  :global Identity;
+
+  :global FormatLine;
+  :global LogPrint;
+  :global ScriptLock;
+  :global SendNotification2;
+  :global SymbolForNotification;
+  :global UrlEncode;
+  :global WaitForFile;
+  :global WaitFullyConnected;
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+  $WaitFullyConnected;
+
+  # return pseudo-random string for PSK
+  :local GeneratePSK do={
+    :local Date [ :tostr $1 ];
+
+    :global DailyPskSecrets;
+
+    :global ParseDate;
+
+    :set Date [ $ParseDate $Date ];
+
+    :local A ((14 - ($Date->"month")) / 12);
+    :local B (($Date->"year") - $A);
+    :local C (($Date->"month") + 12 * $A - 2);
+    :local WeekDay (7000 + ($Date->"day") + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
+    :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
+
+    :return (($DailyPskSecrets->0->(($Date->"day") - 1)) . \
+      ($DailyPskSecrets->1->(($Date->"month") - 1)) . \
+      ($DailyPskSecrets->2->$WeekDay));
+  }
+
+  :local Seen ({});
+  :local Date [ /system/clock/get date ];
+  :local NewPsk [ $GeneratePSK $Date ];
+
+  :foreach AccList in=[ /interface/wireless/access-list/find where comment~$DailyPskMatchComment ] do={
+    :local IntName [ /interface/wireless/access-list/get $AccList interface ];
+    :local Ssid [ /interface/wireless/get $IntName ssid ];
+    :local OldPsk [ /interface/wireless/access-list/get $AccList private-pre-shared-key ];
+    :local Skip 0;
+
+    :if ($NewPsk != $OldPsk) do={
+      $LogPrint info $ScriptName ("Updating daily PSK for '" . $Ssid . "' to '" . $NewPsk . "' (was '" . $OldPsk . "')");
+      /interface/wireless/access-list/set $AccList private-pre-shared-key=$NewPsk;
+
+      :if ([ :len [ /interface/wireless/find where name=$IntName !disabled ] ] = 1) do={
+        :if ($Seen->$Ssid = 1) do={
+          $LogPrint debug $ScriptName ("Already sent a mail for SSID " . $Ssid . ", skipping.");
+        } else={
+          :local Link ($DailyPskQrCodeUrl . \
+              "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
+          $SendNotification2 ({ origin=$ScriptName; \
+            subject=([ $SymbolForNotification "calendar" ] . "daily PSK " . $Ssid); \
+            message=("This is the daily PSK on " . $Identity . ":\n\n" . \
+              [ $FormatLine "SSID" $Ssid 8 ] . "\n" . \
+              [ $FormatLine "PSK" $NewPsk 8 ] . "\n" . \
+              [ $FormatLine "Date" $Date 8 ] . "\n\n" . \
+              "A client device specific rule must not exist!"); link=$Link });
+          :set ($Seen->$Ssid) 1;
+        }
+      }
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}

daily-psk.template

@@ -1,96 +0,0 @@
-#!rsc
-# RouterOS script: daily-psk%TEMPL%
-# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-#
-# update daily PSK (pre shared key)
-
-:global Identity;
-:global DailyPskMatchComment;
-:global UrlEncode;
-
-:global SendNotification;
-
-:local Seen [ :toarray "" ];
-
-# return pseudo-random string for PSK
-:local GeneratePSK do={
-  :local Date [ :tostr $1 ];
-
-  :global DailyPskSecrets;
-
-  :local Months { "jan"; "feb"; "mar"; "apr"; "may"; "jun";
-                  "jul"; "aug"; "sep"; "oct"; "nov"; "dec" };
-
-  :local Month [ :pick $Date 0 3 ];
-  :local Day [ :tonum [ :pick $Date 4 6 ] ];
-  :local Year [ :pick $Date 7 11 ];
-
-  :for MIndex from=0 to=[ :len $Months ] do={
-    :if ($Months->$MIndex = $Month) do={
-      :set Month ($MIndex + 1);
-    }
-  }
-
-  :local A ((14 - $Month) / 12);
-  :local B ($Year - $A);
-  :local C ($Month + 12 * $A - 2);
-  :local WeekDay (7000 + $Day + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
-  :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
-
-  :return (($DailyPskSecrets->0->($Day - 1)) . \
-    ($DailyPskSecrets->1->($Month - 1)) . \
-    ($DailyPskSecrets->2->$WeekDay));
-}
-
-:local Date [ / system clock get date ];
-:local NewPsk [ $GeneratePSK $Date ];
-
-:foreach AccList in=[ / interface wireless access-list find where comment~$DailyPskMatchComment ] do={
-:foreach AccList in=[ / caps-man access-list find where comment~$DailyPskMatchComment ] do={
-  :local IntName [ / interface wireless access-list get $AccList interface ];
-  :local Ssid [ / interface wireless get $IntName ssid ];
-  :local Ssid [ / caps-man access-list get $AccList ssid-regexp ];
-  :local Configuration [ / caps-man configuration get [ find where ssid=$Ssid ] name ];
-  :local OldPsk [ / interface wireless access-list get $AccList private-pre-shared-key ];
-  :local OldPsk [ / caps-man access-list get $AccList private-passphrase ];
-  :local Skip 0;
-
-  :if ($NewPsk != $OldPsk) do={
-    :log info ("Updating daily PSK for " . $Ssid . " to " . $NewPsk . " (was " . $OldPsk . ")");
-    / interface wireless access-list set $AccList private-pre-shared-key=$NewPsk;
-    / caps-man access-list set $AccList private-passphrase=$NewPsk;
-
-    :if ([ / interface wireless print count-only where name=$IntName disabled=no ] = 1) do={
-    :if ([ / caps-man interface print count-only where configuration=$Configuration ] > 0) do={
-      :foreach SeenSsid in=$Seen do={
-        :if ($SeenSsid = $Ssid) do={
-          :log debug ("Already sent a mail for SSID " . $Ssid . ", skipping.");
-          :set Skip 1;
-        }
-      }
-
-      :if ($Skip = 0) do={
-        :set Seen ($Seen, $Ssid);
-
-        :local Url ("https://www.eworm.de/cgi-bin/cqrlogo-wifi.cgi" . \
-            "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
-        :local Attach "qrcode-daily.png";
-
-        :do {
-          / tool fetch mode=https check-certificate=yes-without-crl \
-              $Url dst-path=$Attach;
-        } on-error={
-          :set Attach "";
-        }
-
-        $SendNotification ("daily PSK " . $Ssid) \
-          ("This is the daily PSK on " . $Identity . ":\n\n" . \
-            "SSID: " . $Ssid . "\n" . \
-            "PSK:  " . $NewPsk . "\n" . \
-            "Date: " . $Date . "\n\n" . \
-            $Url) $Attach;
-      }
-    }
-  }
-}

daily-psk.template.rsc

@@ -0,0 +1,111 @@
+#!rsc by RouterOS
+# RouterOS script: daily-psk%TEMPL%
+# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+# https://rsc.eworm.de/COPYING.md
+#
+# requires RouterOS, version=7.15
+#
+# update daily PSK (pre shared key)
+# https://rsc.eworm.de/doc/daily-psk.md
+#
+# !! This is just a template to generate the real script!
+# !! Pattern '%TEMPL%' is replaced, paths are filtered.
+
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:local ExitOK false;
+:do {
+  :local ScriptName [ :jobname ];
+
+  :global DailyPskMatchComment;
+  :global DailyPskQrCodeUrl;
+  :global Identity;
+
+  :global FormatLine;
+  :global LogPrint;
+  :global ScriptLock;
+  :global SendNotification2;
+  :global SymbolForNotification;
+  :global UrlEncode;
+  :global WaitForFile;
+  :global WaitFullyConnected;
+
+  :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
+    :error false;
+  }
+  $WaitFullyConnected;
+
+  # return pseudo-random string for PSK
+  :local GeneratePSK do={
+    :local Date [ :tostr $1 ];
+
+    :global DailyPskSecrets;
+
+    :global ParseDate;
+
+    :set Date [ $ParseDate $Date ];
+
+    :local A ((14 - ($Date->"month")) / 12);
+    :local B (($Date->"year") - $A);
+    :local C (($Date->"month") + 12 * $A - 2);
+    :local WeekDay (7000 + ($Date->"day") + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
+    :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
+
+    :return (($DailyPskSecrets->0->(($Date->"day") - 1)) . \
+      ($DailyPskSecrets->1->(($Date->"month") - 1)) . \
+      ($DailyPskSecrets->2->$WeekDay));
+  }
+
+  :local Seen ({});
+  :local Date [ /system/clock/get date ];
+  :local NewPsk [ $GeneratePSK $Date ];
+
+  :foreach AccList in=[ /caps-man/access-list/find where comment~$DailyPskMatchComment ] do={
+  :foreach AccList in=[ /interface/wifi/access-list/find where comment~$DailyPskMatchComment ] do={
+  :foreach AccList in=[ /interface/wireless/access-list/find where comment~$DailyPskMatchComment ] do={
+    :local SsidRegExp [ /caps-man/access-list/get $AccList ssid-regexp ];
+    :local SsidRegExp [ /interface/wifi/access-list/get $AccList ssid-regexp ];
+    :local Configuration ([ /caps-man/configuration/find where ssid~$SsidRegExp ]->0);
+    :local Configuration ([ /interface/wifi/configuration/find where ssid~$SsidRegExp ]->0);
+    :local Ssid [ /caps-man/configuration/get $Configuration ssid ];
+    :local Ssid [ /interface/wifi/configuration/get $Configuration ssid ];
+    :local OldPsk [ /caps-man/access-list/get $AccList private-passphrase ];
+    :local OldPsk [ /interface/wifi/access-list/get $AccList passphrase ];
+    # /caps-man/ /interface/wifi/ above - /interface/wireless/ below
+    :local IntName [ /interface/wireless/access-list/get $AccList interface ];
+    :local Ssid [ /interface/wireless/get $IntName ssid ];
+    :local OldPsk [ /interface/wireless/access-list/get $AccList private-pre-shared-key ];
+    :local Skip 0;
+
+    :if ($NewPsk != $OldPsk) do={
+      $LogPrint info $ScriptName ("Updating daily PSK for '" . $Ssid . "' to '" . $NewPsk . "' (was '" . $OldPsk . "')");
+      /caps-man/access-list/set $AccList private-passphrase=$NewPsk;
+      /interface/wifi/access-list/set $AccList passphrase=$NewPsk;
+      /interface/wireless/access-list/set $AccList private-pre-shared-key=$NewPsk;
+
+      :if ([ :len [ /caps-man/actual-interface-configuration/find where configuration.ssid=$Ssid !disabled ] ] > 0) do={
+      :if ([ :len [ /interface/wifi/find where configuration.ssid=$Ssid !disabled ] ] > 0) do={
+      :if ([ :len [ /interface/wireless/find where name=$IntName !disabled ] ] = 1) do={
+        :if ($Seen->$Ssid = 1) do={
+          $LogPrint debug $ScriptName ("Already sent a mail for SSID " . $Ssid . ", skipping.");
+        } else={
+          :local Link ($DailyPskQrCodeUrl . \
+              "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
+          $SendNotification2 ({ origin=$ScriptName; \
+            subject=([ $SymbolForNotification "calendar" ] . "daily PSK " . $Ssid); \
+            message=("This is the daily PSK on " . $Identity . ":\n\n" . \
+              [ $FormatLine "SSID" $Ssid 8 ] . "\n" . \
+              [ $FormatLine "PSK" $NewPsk 8 ] . "\n" . \
+              [ $FormatLine "Date" $Date 8 ] . "\n\n" . \
+              "A client device specific rule must not exist!"); link=$Link });
+          :set ($Seen->$Ssid) 1;
+        }
+      }
+    }
+  }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}