.gitignore

@@ -1,13 +1,3 @@
-# backup and temporary files
 *~
-
-# patches and related files
-*.orig
 *.patch
-*.rej
-
-# html files (as generated from markdown)
 *.html
-
-# Mac OS X folder settings file
-.DS_Store

BRANCHES.md

@@ -1,50 +0,0 @@
-Installing from branches
-========================
-
-[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
-[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
-[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
-[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
-[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
-[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
-
-[⬅️ Go back to main README](README.md)
-
-> ⚠️ **Warning**: Living on the edge? Great, read on!
-> If not: Please use the `main` branch and leave this page!
-
-These scripts are developed in a [git](https://git-scm.com/) repository.
-Development and experimental branches are used to provide early access
-for specific changes. You can install scripts from these branches
-for testing.
-
-## Install single script
-
-To install a single script from `next` branch:
-
-    $ScriptInstallUpdate script-name "base-url=https://rsc.eworm.de/next/";
-
-## Switch existing script
-
-Alternatively switch an existing script to update from `next` branch:
-
-    /system/script/set comment="base-url=https://rsc.eworm.de/next/" script-name;
-    $ScriptInstallUpdate;
-
-## Switch installation
-
-Last but not least - to switch the complete installation to the `next`
-branch edit `global-config-overlay` and add:
-
-    :global ScriptUpdatesBaseUrl "https://rsc.eworm.de/next/";
-
-... then reload the configuration and update:
-
-    /system/script/run global-config;
-    $ScriptInstallUpdate;
-
-> ℹ️ **Info**: Replace `next` with *whatever* to use another specific branch.
-
----
-[⬅️ Go back to main README](README.md)  
-[⬆️ Go back to top](#top)

CERTIFICATES.md

@@ -1,82 +0,0 @@
-Certificate name from browser
-=============================
-
-[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
-[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
-[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
-[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
-[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
-[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
-
-[⬅️ Go back to main README](README.md)
-
-All well known desktop, mobile and server operating systems come with a
-certificate store that is populated with a set of well known and trusted
-certificates, acting as *trust anchors*.
-
-However RouterOS does not, still sometimes a specific certificate is
-required to properly verify a chain of trust. One example is downloading
-the scripts from this repository with `fetch` command, thus the very
-first step of [installation](README.md#the-long-way-in-detail) is importing
-the certificate.
-
-The scripts can install additional certificates when required. This happens
-from this repository if available, or from [mkcert.org](https://mkcert.org)
-as a fallback.
-
-Get the certificate's CommonName
---------------------------------
-
-But how to determine what certificate may be required? Often easiest way
-is to use a desktop browser to get that information. This demonstration uses
-[Mozilla Firefox](https://www.mozilla.org/firefox/).
-
-Let's assume we want to make sure the certificate for
-[git.eworm.de](https://git.eworm.de/) is available. Open that page in the
-browser, then click the *lock* icon in addressbar, followed by "*Connection
-secure*".
-
-![screenshot: dialog A](CERTIFICATES.d/01-dialog-A.avif)
-
-The dialog will change, click "*More information*".
-
-![screenshot: dialog B](CERTIFICATES.d/02-dialog-B.avif)
-
-A new window opens, click the button "*View Certificate*". (That window
-can be closed now.)
-
-![screenshot: window](CERTIFICATES.d/03-window.avif)
-
-A new tab opens, showing information on the server certificate and its
-chain of trust. The leftmost certificate is what we are interested in.
-
-![screenshot: certificate](CERTIFICATES.d/04-certificate.avif)
-
-Now we know that "`ISRG Root X2`" is required, some scripts need just
-that information.
-
-Import a certificate by CommonName
-----------------------------------
-
-Running the function `$CertificateAvailable` with that name as parameter
-makes sure the certificate is available in the device's store:
-
-    $CertificateAvailable "ISRG Root X2";
-
-If the certificate is actually available already nothing happens, and there
-is no output. Otherwise the certificate is downloaded and imported.
-
-If importing a certificate with that exact name fails a warning is given
-and nothing is actually imported.
-
-See also
---------
-
-* [Download, import and update firewall address-lists](doc/fw-addr-lists.md)
-* [Manage DNS and DoH servers from netwatch](doc/netwatch-dns.md)
-* [Send notifications via Matrix](doc/mod/notification-matrix.md)
-* [Send notifications via Ntfy](doc/mod/notification-ntfy.md)
-
----
-[⬅️ Go back to main README](README.md)  
-[⬆️ Go back to top](#top)

CONTRIBUTIONS.md

@@ -1,63 +0,0 @@
-Past Contributions
-==================
-
-[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
-[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
-[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
-[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
-[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
-[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
-
-[⬅️ Go back to main README](README.md)
-
-Thanks a lot for your contributions! ❤️
-
-## Patches
-
-These persons contributed code or documentation. See the git history
-for details!
-
-* [Anatoly Bubenkov](mailto:bubenkoff@gmail.com) (@bubenkoff)
-* [Ben Harris](mailto:mail@bharr.is) (@bharrisau)
-* [Daniel Ziegenberg](mailto:daniel@ziegenberg.at) (@ziegenberg)
-* [Ignacio Serrano](mailto:ignic@ignic.com) (@ignic)
-* [Michael Gisbers](mailto:michael@gisbers.de) (@mgisbers)
-* [Miquel Bonastre](mailto:mbonastre@yahoo.com) (@mbonastre)
-* @netravnen
-* [netztrip](mailto:dave-tvg@netztrip.de) (@netztrip)
-* [Stefan Müller](mailto:stefan.mueller.83@gmail.com) (@PackElend)
-
-## Donations
-
-Add yourself to the list,
-[donate with PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)!
-
-* Abdul Mannan Abbasi
-* Andrea Ruffini Perico
-* Andrew Cox
-* Christoph Boss (@Kampfwurst)
-* Daniel Ziegenberg (@ziegenberg)
-* Devin Dean (@dd2594gh)
-* Evaldo Gardenal
-* Florian Estraviz
-* Giorgio Bikos
-* Harold Schoemaker
-* Hugo BV
-* Klaus Michael Rübsam
-* Leonardo Valeri Manera
-* Linux-Schmie.de Michael Gisbers
-* Manuel Kuhn
-* Marek Čábák
-* Oleksandr Yukhymchuk
-* Peter Holtkamp
-* Peter Ponzel
-* Reiner Vehrenkamp
-* Richard Österreicher
-* Simon Hitzemann
-* Sunny Chu (@sunnychuchu)
-* Ulrich Wessendorf
-* Zac Kornilakis
-
----
-[⬅️ Go back to main README](README.md)  
-[⬆️ Go back to top](#top)

COPYING.md

@@ -1,675 +0,0 @@
-### GNU GENERAL PUBLIC LICENSE
-
-Version 3, 29 June 2007
-
-Copyright (C) 2007 Free Software Foundation, Inc.
-<https://fsf.org/>
-
-Everyone is permitted to copy and distribute verbatim copies of this
-license document, but changing it is not allowed.
-
-### Preamble
-
-The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works. By contrast,
-the GNU General Public License is intended to guarantee your freedom
-to share and change all versions of a program--to make sure it remains
-free software for all its users. We, the Free Software Foundation, use
-the GNU General Public License for most of our software; it applies
-also to any other work released this way by its authors. You can apply
-it to your programs, too.
-
-When we speak of free software, we are referring to freedom, not
-price. Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights. Therefore, you
-have certain responsibilities if you distribute copies of the
-software, or if you modify it: responsibilities to respect the freedom
-of others.
-
-For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received. You must make sure that they, too, receive
-or can get the source code. And you must show them these terms so they
-know their rights.
-
-Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
-For the developers' and authors' protection, the GPL clearly explains
-that there is no warranty for this free software. For both users' and
-authors' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
-Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the
-manufacturer can do so. This is fundamentally incompatible with the
-aim of protecting users' freedom to change the software. The
-systematic pattern of such abuse occurs in the area of products for
-individuals to use, which is precisely where it is most unacceptable.
-Therefore, we have designed this version of the GPL to prohibit the
-practice for those products. If such problems arise substantially in
-other domains, we stand ready to extend this provision to those
-domains in future versions of the GPL, as needed to protect the
-freedom of users.
-
-Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish
-to avoid the special danger that patents applied to a free program
-could make it effectively proprietary. To prevent this, the GPL
-assures that patents cannot be used to render the program non-free.
-
-The precise terms and conditions for copying, distribution and
-modification follow.
-
-### TERMS AND CONDITIONS
-
-#### 0. Definitions.
-
-"This License" refers to version 3 of the GNU General Public License.
-
-"Copyright" also means copyright-like laws that apply to other kinds
-of works, such as semiconductor masks.
-
-"The Program" refers to any copyrightable work licensed under this
-License. Each licensee is addressed as "you". "Licensees" and
-"recipients" may be individuals or organizations.
-
-To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of
-an exact copy. The resulting work is called a "modified version" of
-the earlier work or a work "based on" the earlier work.
-
-A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy. Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies. Mere interaction with a user
-through a computer network, with no transfer of a copy, is not
-conveying.
-
-An interactive user interface displays "Appropriate Legal Notices" to
-the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License. If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-#### 1. Source Code.
-
-The "source code" for a work means the preferred form of the work for
-making modifications to it. "Object code" means any non-source form of
-a work.
-
-A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form. A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities. However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work. For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-The Corresponding Source need not include anything that users can
-regenerate automatically from other parts of the Corresponding Source.
-
-The Corresponding Source for a work in source code form is that same
-work.
-
-#### 2. Basic Permissions.
-
-All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met. This License explicitly affirms your unlimited
-permission to run the unmodified Program. The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work. This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-You may make, run and propagate covered works that you do not convey,
-without conditions so long as your license otherwise remains in force.
-You may convey covered works to others for the sole purpose of having
-them make modifications exclusively for you, or provide you with
-facilities for running those works, provided that you comply with the
-terms of this License in conveying all material for which you do not
-control copyright. Those thus making or running the covered works for
-you must do so exclusively on your behalf, under your direction and
-control, on terms that prohibit them from making any copies of your
-copyrighted material outside their relationship with you.
-
-Conveying under any other circumstances is permitted solely under the
-conditions stated below. Sublicensing is not allowed; section 10 makes
-it unnecessary.
-
-#### 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such
-circumvention is effected by exercising rights under this License with
-respect to the covered work, and you disclaim any intention to limit
-operation or modification of the work as a means of enforcing, against
-the work's users, your or third parties' legal rights to forbid
-circumvention of technological measures.
-
-#### 4. Conveying Verbatim Copies.
-
-You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-#### 5. Conveying Modified Source Versions.
-
-You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these
-conditions:
-
--   a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
--   b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under
-    section 7. This requirement modifies the requirement in section 4
-    to "keep intact all notices".
--   c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy. This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged. This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
--   d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit. Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-#### 6. Conveying Non-Source Forms.
-
-You may convey a covered work in object code form under the terms of
-sections 4 and 5, provided that you also convey the machine-readable
-Corresponding Source under the terms of this License, in one of these
-ways:
-
--   a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
--   b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the Corresponding
-    Source from a network server at no charge.
--   c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source. This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
--   d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge. You need not require recipients to copy the
-    Corresponding Source along with the object code. If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source. Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
--   e) Convey the object code using peer-to-peer transmission,
-    provided you inform other peers where the object code and
-    Corresponding Source of the work are being offered to the general
-    public at no charge under subsection 6d.
-
-A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal,
-family, or household purposes, or (2) anything designed or sold for
-incorporation into a dwelling. In determining whether a product is a
-consumer product, doubtful cases shall be resolved in favor of
-coverage. For a particular product received by a particular user,
-"normally used" refers to a typical or common use of that class of
-product, regardless of the status of the particular user or of the way
-in which the particular user actually uses, or expects or is expected
-to use, the product. A product is a consumer product regardless of
-whether the product has substantial commercial, industrial or
-non-consumer uses, unless such uses represent the only significant
-mode of use of the product.
-
-"Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to
-install and execute modified versions of a covered work in that User
-Product from a modified version of its Corresponding Source. The
-information must suffice to ensure that the continued functioning of
-the modified object code is in no case prevented or interfered with
-solely because modification has been made.
-
-If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information. But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or
-updates for a work that has been modified or installed by the
-recipient, or for the User Product in which it has been modified or
-installed. Access to a network may be denied when the modification
-itself materially and adversely affects the operation of the network
-or violates the rules and protocols for communication across the
-network.
-
-Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-#### 7. Additional Terms.
-
-"Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law. If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it. (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.) You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders
-of that material) supplement the terms of this License with terms:
-
--   a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
--   b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
--   c) Prohibiting misrepresentation of the origin of that material,
-    or requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
--   d) Limiting the use for publicity purposes of names of licensors
-    or authors of the material; or
--   e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
--   f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions
-    of it) with contractual assumptions of liability to the recipient,
-    for any liability that these contractual assumptions directly
-    impose on those licensors and authors.
-
-All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10. If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term. If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions; the
-above requirements apply either way.
-
-#### 8. Termination.
-
-You may not propagate or modify a covered work except as expressly
-provided under this License. Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-However, if you cease all violation of this License, then your license
-from a particular copyright holder is reinstated (a) provisionally,
-unless and until the copyright holder explicitly and finally
-terminates your license, and (b) permanently, if the copyright holder
-fails to notify you of the violation by some reasonable means prior to
-60 days after the cessation.
-
-Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License. If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-#### 9. Acceptance Not Required for Having Copies.
-
-You are not required to accept this License in order to receive or run
-a copy of the Program. Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance. However,
-nothing other than this License grants you permission to propagate or
-modify any covered work. These actions infringe copyright if you do
-not accept this License. Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-#### 10. Automatic Licensing of Downstream Recipients.
-
-Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License. You are not responsible
-for enforcing compliance by third parties with this License.
-
-An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations. If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License. For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-#### 11. Patents.
-
-A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based. The
-work thus licensed is called the contributor's "contributor version".
-
-A contributor's "essential patent claims" are all patent claims owned
-or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version. For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement). To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients. "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-A patent license is "discriminatory" if it does not include within the
-scope of its coverage, prohibits the exercise of, or is conditioned on
-the non-exercise of one or more of the rights that are specifically
-granted under this License. You may not convey a covered work if you
-are a party to an arrangement with a third party that is in the
-business of distributing software, under which you make payment to the
-third party based on the extent of your activity of conveying the
-work, and under which the third party grants, to any of the parties
-who would receive the covered work from you, a discriminatory patent
-license (a) in connection with copies of the covered work conveyed by
-you (or copies made from those copies), or (b) primarily for and in
-connection with specific products or compilations that contain the
-covered work, unless you entered into that arrangement, or that patent
-license was granted, prior to 28 March 2007.
-
-Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-#### 12. No Surrender of Others' Freedom.
-
-If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under
-this License and any other pertinent obligations, then as a
-consequence you may not convey it at all. For example, if you agree to
-terms that obligate you to collect a royalty for further conveying
-from those to whom you convey the Program, the only way you could
-satisfy both those terms and this License would be to refrain entirely
-from conveying the Program.
-
-#### 13. Use with the GNU Affero General Public License.
-
-Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work. The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
-#### 14. Revised Versions of this License.
-
-The Free Software Foundation may publish revised and/or new versions
-of the GNU General Public License from time to time. Such new versions
-will be similar in spirit to the present version, but may differ in
-detail to address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program
-specifies that a certain numbered version of the GNU General Public
-License "or any later version" applies to it, you have the option of
-following the terms and conditions either of that numbered version or
-of any later version published by the Free Software Foundation. If the
-Program does not specify a version number of the GNU General Public
-License, you may choose any version ever published by the Free
-Software Foundation.
-
-If the Program specifies that a proxy can decide which future versions
-of the GNU General Public License can be used, that proxy's public
-statement of acceptance of a version permanently authorizes you to
-choose that version for the Program.
-
-Later license versions may give you additional or different
-permissions. However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-#### 15. Disclaimer of Warranty.
-
-THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT
-WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
-PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
-DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
-CORRECTION.
-
-#### 16. Limitation of Liability.
-
-IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR
-CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
-ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT
-NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
-LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
-TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
-PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
-#### 17. Interpretation of Sections 15 and 16.
-
-If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-END OF TERMS AND CONDITIONS
-
-### How to Apply These Terms to Your New Programs
-
-If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these
-terms.
-
-To do so, attach the following notices to the program. It is safest to
-attach them to the start of each source file to most effectively state
-the exclusion of warranty; and each file should have at least the
-"copyright" line and a pointer to where the full notice is found.
-
-        <one line to give the program's name and a brief idea of what it does.>
-        Copyright (C) <year>  <name of author>
-
-        This program is free software: you can redistribute it and/or modify
-        it under the terms of the GNU General Public License as published by
-        the Free Software Foundation, either version 3 of the License, or
-        (at your option) any later version.
-
-        This program is distributed in the hope that it will be useful,
-        but WITHOUT ANY WARRANTY; without even the implied warranty of
-        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-        GNU General Public License for more details.
-
-        You should have received a copy of the GNU General Public License
-        along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper
-mail.
-
-If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
-        <program>  Copyright (C) <year>  <name of author>
-        This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-        This is free software, and you are welcome to redistribute it
-        under certain conditions; type `show c' for details.
-
-The hypothetical commands \`show w' and \`show c' should show the
-appropriate parts of the General Public License. Of course, your
-program's commands might be different; for a GUI interface, you would
-use an "about box".
-
-You should also get your employer (if you work as a programmer) or
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary. For more information on this, and how to apply and follow
-the GNU GPL, see <https://www.gnu.org/licenses/>.
-
-The GNU General Public License does not permit incorporating your
-program into proprietary programs. If your program is a subroutine
-library, you may consider it more useful to permit linking proprietary
-applications with the library. If this is what you want to do, use the
-GNU Lesser General Public License instead of this License. But first,
-please read <https://www.gnu.org/licenses/why-not-lgpl.html>.

DEBUG.md

@@ -1,63 +0,0 @@
-Debug output and logs
-=====================
-
-[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
-[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
-[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
-[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
-[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
-[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
-
-[⬅️ Go back to main README](README.md)
-
-Sometimes scripts do not behave as expected. In these cases debug output
-or logs can help.
-
-## Debug output
-
-Run this command in a terminal:
-
-    :set PrintDebug true;
-
-You will then see debug output when running the script from terminal.
-
-To revert to default output run:
-
-    :set PrintDebug false;
-
-### Debug output for specific script
-
-Even having debug output for a specific script or function only (or a
-set of) is possible. To enable debug output for `telegram-chat` run:
-
-    :set ($PrintDebugOverride->"telegram-chat") true;
-
-## Debug logs
-
-The debug info can go to system log. To make it show up in `memory` run:
-
-    /system/logging/add topics=script,debug action=memory;
-
-Other actions (`disk`, `email`, `remote` or `support`) can be used as
-well. I do not recommend using `echo` - use [debug output](#debug-output)
-instead.
-
-Disable or remote that setting to restore regular logging.
-
-## Verbose output
-
-Specific scripts can generate huge amount of output. These do use a function
-`$LogPrintVerbose`, which is declared, but has no code, intentionally.
-
-If you *really* want that output set the function to be the same as
-`$LogPrint`:
-
-    :set LogPrintVerbose $LogPrint;
-
-To revert that change just run:
-
-    :set LogPrintVerbose;
-
----
-[⬅️ Go back to main README](README.md)  
-[⬆️ Go back to top](#top)

INITIAL-COMMANDS.md

@@ -1,53 +0,0 @@
-Initial commands
-================
-
-[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
-[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
-[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
-[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
-[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
-[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
-
-[⬅️ Go back to main README](README.md)
-
-> ⚠️ **Warning**: These command are inteneded for initial setup. If you are
-> not aware of the procedure please follow
-> [the long way in detail](README.md#the-long-way-in-detail).
-
-Run the complete base installation:
-
-    {
-      /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem" as-value;
-      :delay 1s;
-      /certificate/import file-name="isrg-root-x2.pem" passphrase="";
-      :if ([ :len [ /certificate/find where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470" ] ] != 1) do={
-        :error "Something is wrong with your certificates!";
-      };
-      :delay 1s;
-      /system/script/set name=("global-config-overlay-" . [ /system/clock/get date ] . "-" . [ /system/clock/get time ]) [ find where name="global-config-overlay" ];
-      :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={
-        /system/script/remove [ find where name=$Script ];
-        /system/script/add name=$Script owner=$Script source=([ /tool/fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit/routeros-scripts/plain/" . $Script . ".rsc") output=user as-value]->"data");
-      };
-      /system/script { run global-config; run global-functions; };
-      /system/scheduler/remove [ find where name="global-scripts" ];
-      /system/scheduler/add name="global-scripts" start-time=startup on-event="/system/script { run global-config; run global-functions; }";
-      :global CertificateNameByCN;
-      $CertificateNameByCN "ISRG Root X2";
-    };
-
-Then continue setup with
-[scheduled automatic updates](README.md#scheduled-automatic-updates) or
-[editing configuration](README.md#editing-configuration).
-
-## Fix existing installation
-
-The [initial commands](#initial-commands) above allow to fix an existing
-installation in case it ever breaks. If `global-config-overlay` did exist
-before it is renamed with a date and time suffix (like
-`global-config-overlay-2024-01-25-09:33:12`). Make sure to restore the
-configuration overlay if required.
-
----
-[⬅️ Go back to main README](README.md)  
-[⬆️ Go back to top](#top)

Makefile

@@ -2,35 +2,24 @@
 #  template scripts -> final scripts
 #  markdown files -> html files
 
-CAPSMAN = $(wildcard *.capsman.rsc)
-LOCAL = $(wildcard *.local.rsc)
-WIFI = $(wildcard *.wifi.rsc)
+TEMPLATE = $(wildcard *.template)
+CAPSMAN = $(TEMPLATE:.template=.capsman)
+LOCAL = $(TEMPLATE:.template=.local)
 
-MARKDOWN = $(wildcard *.md doc/*.md doc/mod/*.md)
-HTML = $(MARKDOWN:.md=.html)
+MARKDOWN = $(wildcard *.md)
+HTML =  $(MARKDOWN:.md=.html)
 
-all: $(CAPSMAN) $(LOCAL) $(WIFI) $(HTML)
+all: $(CAPSMAN) $(LOCAL) $(HTML)
 
 %.html: %.md Makefile
-	markdown $< | sed 's/href="\([-_\./[:alnum:]]*\)\.md"/href="\1.html"/g' > $@
+	markdown $< | sed 's/href="\([-[:alnum:]]*\)\.md"/href="\1.html"/g' > $@
 
-%.capsman.rsc: %.template.rsc Makefile
-	sed -e '/\/interface\/wifi\//d' -e '/\/interface\/wireless\//d' -e 's|%TEMPL%|.capsman|' \
-		-e '/^# NOT \/caps-man\/ #$$/,/^# NOT \/caps-man\/ #$$/d' \
+%.local: %.template Makefile
+	sed -e '/\/ caps-man/d' -e 's|%PATH%|interface wireless|' -e 's|%TEMPL%|$(suffix $@)|' \
 		-e '/^# !!/,/^# !!/c # !! Do not edit this file, it is generated from template!' \
 		< $< > $@
 
-%.local.rsc: %.template.rsc Makefile
-	sed -e '/\/caps-man\//d' -e '/\/interface\/wifi\//d' -e 's|%TEMPL%|.local|' \
-		-e '/^# NOT \/interface\/wireless\/ #$$/,/^# NOT \/interface\/wireless\/ #$$/d' \
+%.capsman: %.template Makefile
+	sed -e '/\/ interface wireless/d' -e 's/%PATH%/caps-man/' -e 's/%TEMPL%/$(suffix $@)/' \
 		-e '/^# !!/,/^# !!/c # !! Do not edit this file, it is generated from template!' \
 		< $< > $@
-
-%.wifi.rsc: %.template.rsc Makefile
-	sed -e '/\/caps-man\//d' -e '/\/interface\/wireless\//d' -e 's|%TEMPL%|.wifi|' \
-		-e '/^# NOT \/interface\/wifi\/ #$$/,/^# NOT \/interface\/wifi\/ #$$/d' \
-		-e '/^# !!/,/^# !!/c # !! Do not edit this file, it is generated from template!' \
-		< $< > $@
-
-clean:
-	rm -f $(HTML)

README.d/hello-world.rsc

@@ -1,3 +0,0 @@
-#!rsc by RouterOS
-
-:put ("Hello World from " . [ /system/identity/get name ] . "!");

README.md

@@ -1,52 +1,23 @@
 RouterOS Scripts
 ================
 
-[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
-[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
-[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
-[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
-[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
-[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
-
-![RouterOS Scripts Logo](logo.svg)
-
 [RouterOS](https://mikrotik.com/software) is the operating system developed
 by [MikroTik](https://mikrotik.com/aboutus) for networking tasks. This
 repository holds a number of [scripts](https://wiki.mikrotik.com/wiki/Manual:Scripting)
 to manage RouterOS devices or extend their functionality.
 
-*Use at your own risk*, pay attention to
-[license and warranty](#license-and-warranty)!
+*Use at your own risk!*
 
 Requirements
 ------------
 
-### Software (RouterOS)
+Latest version of the scripts require at least **RouterOS 6.43** to function
+properly. The changelog lists the corresponding change as follows:
 
-Latest version of the scripts require recent RouterOS to function properly.
-Make sure to install latest updates before you begin. If new functionality
-or a breaking change in RouterOS `7.n` is used in my scripts I push my
-change some time after `7.(n+1)` was released. At any time you should have
-at least two minor and their bugfix releases to choose from.
+> *) fetch - added "as-value" output format;
 
-Specific scripts may require even newer RouterOS version.
-
-> ℹ️ **Info**: The `main` branch is now RouterOS v7 only. If you are still
-> running RouterOS v6 switch to `routeros-v6` branch!
-
-Starting with RouterOS 7.17 the
-[device-mode](https://help.mikrotik.com/docs/spaces/ROS/pages/93749258/Device-mode)
-has been extended to give more fine-grained control over what features are
-available. You need to enable `scheduler` and `fetch` at least, specific
-scripts may require additional features.
-
-### Hardware
-
-RouterOS packages increase in size with each release. This becomes a
-problem for devices with 16MB storage and below, those with an ARM CPU
-are specifically affected.
-
-Huge configuration and lots of scripts give an extra risk. **Take care!**
+Specific scripts may require even newer RouterOS version, for example cloud
+backup was added in 6.44.
 
 Initial setup
 -------------
@@ -54,9 +25,9 @@ Initial setup
 ### Get me ready!
 
 If you know how things work just copy and paste the
-[initial commands](INITIAL-COMMANDS.md). Remember to edit and rerun
-`global-config-overlay`!
-First time users should take the long way below.
+[initial commands](initial-commands). Remember to edit and rerun
+`global-config`!
+First time useres should take the long way below.
 
 ### Live presentation
 
@@ -65,9 +36,6 @@ RouterOS script distribution](https://www.youtube.com/watch?v=B9neG3oAhcY)
 including demonstation recorded live at [MUM Europe
 2019](https://mum.mikrotik.com/2019/EU/) in Vienna.
 
-> ⚠️ **Warning**: Some details changed. So see the presentation, then follow
-> the steps below for up-to-date commands.
-
 ### The long way in detail
 
 The update script does server certificate verification, so first step is to
@@ -75,309 +43,107 @@ download the certificates. If you intend to download the scripts from a
 different location (for example from github.com) install the corresponding
 certificate chain.
 
-    /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem";
-
-![screenshot: download certs](README.d/01-download-certs.avif)
+    [admin@MikroTik] > / tool fetch "https://git.eworm.de/cgit.cgi/routeros-scripts/plain/certs/letsencrypt.pem" dst-path="letsencrypt.pem"
+          status: finished
+      downloaded: 3KiBC-z pause]
+           total: 3KiB
+        duration: 1s
 
 Note that the commands above do *not* verify server certificate, so if you
 want to be safe download with your workstations's browser and transfer the
-file to your MikroTik device.
+files to your MikroTik device.
 
-* [ISRG Root X2](https://letsencrypt.org/certs/isrg-root-x2.pem)
+* [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem.txt)
+* [Let's Encrypt Authority X3](https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt)
 
-Then we import the certificate.
+Then we import the certificates.
 
-    /certificate/import file-name="isrg-root-x2.pem" passphrase="";
+    [admin@MikroTik] > / certificate import file-name=letsencrypt.pem passphrase=""
+         certificates-imported: 3
+         private-keys-imported: 0
+                files-imported: 1
+           decryption-failures: 0
+      keys-with-no-certificate: 0
 
-Do not worry that the command is not shown - that happens because it contains
-a sensitive property, the passphrase.
+For basic verification we rename the certifiactes and print their count. Make
+sure the certificate count is **three**.
 
-![screenshot: import certs](README.d/02-import-certs.avif)
-
-For basic verification we rename the certificate and print it by
-fingerprint. Make sure exactly this one certificate ("*ISRG-Root-X2*")
-is shown.
-
-    /certificate/set name="ISRG-Root-X2" [ find where common-name="ISRG Root X2" ];
-    /certificate/print proplist=name,fingerprint where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
-
-![screenshot: check certs](README.d/03-check-certs.avif)
+    [admin@MikroTik] > / certificate set name="ISRG-Root-X1" [ find where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" ]
+    [admin@MikroTik] > / certificate set name="Let-s-Encrypt-Authority-X3" [ find where fingerprint="731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568" ]
+    [admin@MikroTik] > / certificate set name="DST-Root-CA-X3" [ find where fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" ]
+    [admin@MikroTik] > / certificate print count-only where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" or fingerprint="731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568" or fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
+    3
 
 Always make sure there are no certificates installed you do not know or want!
 
-All following commands will verify the server certificate. For validity the
-certificate's lifetime is checked with local time, so make sure the device's
-date and time is set correctly!
+Actually we do not require the certificate named `DST Root CA X3`, but as it
+is used by `Let's Encrypt` to cross-sign we install it anyway - this makes
+sure things do not go wrong if the intermediate certificate is replaced.
+The IdenTrust certificate *should* be available from their
+[download page](https://www.identrust.com/support/downloads). The site is
+crap and a good example how to *not* do it.
 
 Now let's download the main scripts and add them in configuration on the fly.
 
-    :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={ /system/script/add name=$Script owner=$Script source=([ /tool/fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit/routeros-scripts/plain/" . $Script . ".rsc") output=user as-value]->"data"); };
+    [admin@MikroTik] > :foreach Script in={ "global-config"; "global-functions"; "script-updates" } do={ / system script add name=$Script source=([ / tool fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit.cgi/routeros-scripts/plain/" . $Script) output=user as-value]->"data"); }
 
-![screenshot: import scripts](README.d/04-import-scripts.avif)
+The configuration needs to be tweaked for your needs. Make sure not to send
+your mails to `mail@example.com`!
 
-And finally load configuration and functions and add the scheduler.
+    [admin@MikroTik] > / system script edit global-config source
 
-    /system/script { run global-config; run global-functions; };
-    /system/scheduler/add name="global-scripts" start-time=startup on-event="/system/script { run global-config; run global-functions; }";
+And finally load configuration and functions and add the schedulers.
 
-![screenshot: run and schedule scripts](README.d/05-run-and-schedule-scripts.avif)
-
-### Scheduled automatic updates
-
-The last step is optional: Add this scheduler **only** if you want the
-scripts to be updated automatically!
-
-    /system/scheduler/add name="ScriptInstallUpdate" start-time=startup interval=1d on-event=":global ScriptInstallUpdate; \$ScriptInstallUpdate;";
-
-![screenshot: schedule update](README.d/06-schedule-update.avif)
-
-Editing configuration
----------------------
-
-The configuration needs to be tweaked for your needs. Edit
-`global-config-overlay`, copy relevant configuration from
-[`global-config`](global-config.rsc) (the one without `-overlay`).
-Save changes and exit with `Ctrl-o`.
-
-    /system/script/edit global-config-overlay source;
-
-![screenshot: edit global-config-overlay](README.d/07-edit-global-config-overlay.avif)
-
-Additionally creating configuration snippets is supported. The script name
-of these snippets has to start with `global-config-overlay.d/` to make them
-being loaded automatically. This allows to split off parts of the
-configuration.
-
-To apply your changes run `global-config`, which will automatically load
-the overlay as well:
-
-    /system/script/run global-config;
-
-![screenshot: apply configuration](README.d/08-apply-configuration.avif)
-
-This last step is required when ever you make changes to your configuration.
-
-> ℹ️ **Info**: It is recommended to edit the configuration using the command
-> line interface. If using Winbox on Windows OS, the line endings may be
-> missing. To fix this run:
-> `/system/script/set source=[ :tocrlf [ get global-config-overlay source ] ] global-config-overlay;`
+    [admin@MikroTik] > / system script run global-config
+    [admin@MikroTik] > / system script run global-functions
+    [admin@MikroTik] > / system scheduler add name=global-config start-time=startup on-event=global-config
+    [admin@MikroTik] > / system scheduler add name=global-functions start-time=startup on-event=global-functions
 
 Updating scripts
 ----------------
 
-To update existing scripts just run function `$ScriptInstallUpdate`. If
-everything is up-to-date it will not produce any output.
+To update existing scripts just run `script-updates`.
 
-    $ScriptInstallUpdate;
-
-![screenshot: update scripts](README.d/09-update-scripts.avif)
-
-If the update includes news or requires configuration changes a notification
-is sent - in addition to terminal output and log messages.
-
-![news and changes notification](README.d/notification-news-and-changes.avif)
+    [admin@MikroTik] > / system script run script-updates
 
 Adding a script
 ---------------
 
-To add a script from the repository run function `$ScriptInstallUpdate` with
-a comma separated list of script names.
+To add a script from the repository create a configuration item first, then
+update scripts to fetch the source.
 
-    $ScriptInstallUpdate check-certificates,check-routeros-update;
-
-![screenshot: install scripts](README.d/10-install-scripts.avif)
+    [admin@MikroTik] > / system script add name=check-routeros-update
+    [admin@MikroTik] > / system script run script-updates
 
 Scheduler and events
 --------------------
 
 Most scripts are designed to run regularly from
 [scheduler](https://wiki.mikrotik.com/wiki/Manual:System/Scheduler). We just
-added `check-routeros-update`, so let's run it daily to make sure not to
+added `check-routeros-update`, so let's run it every hour to make sure not to
 miss an update.
 
-    /system/scheduler/add name="check-routeros-update" interval=1d start-time=startup on-event="/system/script/run check-routeros-update;";
-
-![screenshot: schedule script](README.d/11-schedule-script.avif)
+    [admin@MikroTik] > / system scheduler add name=check-routeros-update interval=1h on-event=check-routeros-update
 
 Some events can run a script. If you want your DHCP hostnames to be available
 in DNS use `dhcp-to-dns` with the events from dhcp server. For a regular
 cleanup add a scheduler entry.
 
-    $ScriptInstallUpdate dhcp-to-dns,lease-script;
-    /ip/dhcp-server/set lease-script=lease-script [ find ];
-    /system/scheduler/add name="dhcp-to-dns" interval=5m on-event="/system/script/run dhcp-to-dns;";
-
-![screenshot: setup lease script](README.d/12-setup-lease-script.avif)
+    [admin@MikroTik] > / system script add name=dhcp-to-dns
+    [admin@MikroTik] > / system script run script-updates
+    [admin@MikroTik] > / ip dhcp-server set lease-script=dhcp-to-dns [ find ]
+    [admin@MikroTik] > / system scheduler add name=dhcp-to-dns interval=5m on-event=dhcp-to-dns
 
 There's much more to explore... Have fun!
 
-Available scripts
------------------
-
-* [Find and remove access list duplicates](doc/accesslist-duplicates.md)
-* [Upload backup to Mikrotik cloud](doc/backup-cloud.md)
-* [Send backup via e-mail](doc/backup-email.md)
-* [Save configuration to fallback partition](doc/backup-partition.md)
-* [Upload backup to server](doc/backup-upload.md)
-* [Download packages for CAP upgrade from CAPsMAN](doc/capsman-download-packages.md)
-* [Run rolling CAP upgrades from CAPsMAN](doc/capsman-rolling-upgrade.md)
-* [Renew locally issued certificates](doc/certificate-renew-issued.md)
-* [Renew certificates and notify on expiration](doc/check-certificates.md)
-* [Notify about health state](doc/check-health.md)
-* [Notify on LTE firmware upgrade](doc/check-lte-firmware-upgrade.md)
-* [Notify on RouterOS update](doc/check-routeros-update.md)
-* [Collect MAC addresses in wireless access list](doc/collect-wireless-mac.md)
-* [Use wireless network with daily psk](doc/daily-psk.md)
-* [Comment DHCP leases with info from access list](doc/dhcp-lease-comment.md)
-* [Create DNS records for DHCP leases](doc/dhcp-to-dns.md)
-* [Automatically upgrade firmware and reboot](doc/firmware-upgrade-reboot.md)
-* [Download, import and update firewall address-lists](doc/fw-addr-lists.md)
-* [Wait for global functions und modules](doc/global-wait.md)
-* [Send GPS position to server](doc/gps-track.md)
-* [Use WPA network with hotspot credentials](doc/hotspot-to-wpa.md)
-* [Create DNS records for IPSec peers](doc/ipsec-to-dns.md)
-* [Update configuration on IPv6 prefix change](doc/ipv6-update.md)
-* [Manage IP addresses with bridge status](doc/ip-addr-bridge.md)
-* [Run other scripts on DHCP lease](doc/lease-script.md)
-* [Manage LEDs dark mode](doc/leds-mode.md)
-* [Forward log messages via notification](doc/log-forward.md)
-* [Mode button with multiple presses](doc/mode-button.md)
-* [Manage DNS and DoH servers from netwatch](doc/netwatch-dns.md)
-* [Notify on host up and down](doc/netwatch-notify.md)
-* [Visualize OSPF state via LEDs](doc/ospf-to-leds.md)
-* [Manage system update](doc/packages-update.md)
-* [Run scripts on ppp connection](doc/ppp-on-up.md)
-* [Act on received SMS](doc/sms-action.md)
-* [Forward received SMS](doc/sms-forward.md)
-* [Play Super Mario theme](doc/super-mario-theme.md)
-* [Chat with your router and send commands via Telegram bot](doc/telegram-chat.md)
-* [Install LTE firmware upgrade](doc/unattended-lte-firmware-upgrade.md)
-* [Update GRE configuration with dynamic addresses](doc/update-gre-address.md)
-* [Update tunnelbroker configuration](doc/update-tunnelbroker.md)
-
-Available modules
------------------
-
-* [Manage ports in bridge](doc/mod/bridge-port-to.md)
-* [Manage VLANs on bridge ports](doc/mod/bridge-port-vlan.md)
-* [Inspect variables](doc/mod/inspectvar.md)
-* [IP address calculation](doc/mod/ipcalc.md)
-* [Send notifications via e-mail](doc/mod/notification-email.md)
-* [Send notifications via Matrix](doc/mod/notification-matrix.md)
-* [Send notifications via Ntfy](doc/mod/notification-ntfy.md)
-* [Send notifications via Telegram](doc/mod/notification-telegram.md)
-* [Download script and run it once](doc/mod/scriptrunonce.md)
-* [Import ssh keys for public key authentication](doc/mod/ssh-keys-import.md)
-
-Installing custom scripts & modules
------------------------------------
-
-My scripts cover a lot of use cases, but you may have your own ones. You can
-still use my scripts to manage and deploy yours, by specifying `base-url`
-(and `url-suffix`) for each script.
-
-This will fetch and install a script `hello-world.rsc` from the given url:
-
-    $ScriptInstallUpdate hello-world "base-url=https://git.eworm.de/cgit/routeros-scripts-custom/plain/";
-
-![screenshot: install custom script](README.d/13-install-custom-script.avif)
-
-For a script to be considered valid it has to begin with a *magic token*.
-Have a look at [any script](README.d/hello-world.rsc) and copy the first line
-without modification.
-
-Starting a script's name with `mod/` makes it a module and it is run
-automatically by `global-functions`.
-
-### Linked custom scripts & modules
-
-> ⚠️ **Warning**: These links are being provided for your convenience only;
-> they do not constitute an endorsement or an approval by me. I bear no
-> responsibility for the accuracy, legality or content of the external site
-> or for that of subsequent links. Contact the external site for answers to
-> questions regarding its content.
-
-* [Hello World](https://git.eworm.de/cgit/routeros-scripts-custom/about/doc/hello-world.md)
-  (This is a demo script to show how the linking to external documentation
-  will be done.)
-
-> ℹ️ **Info**: You have your own set of scripts and/or modules and want these
-> to be listed here? There should be a general info page that links here,
-> and documentation for each script. You can start by cloning my
-> [Custom RouterOS-Scripts](https://git.eworm.de/cgit/routeros-scripts-custom/)
-> (or fork on [GitHub](https://github.com/eworm-de/routeros-scripts-custom)
-> or [GitLab](https://gitlab.com/eworm-de/routeros-scripts-custom)) and make
-> your changes. Then please [get in contact](#patches-issues-and-whishlist)...
-
-Removing a script
------------------
-
-There is no specific function for script removal. Just remove it from
-configuration...
-
-    /system/script/remove to-be-removed;
-
-![screenshot: remove script](README.d/14-remove-script.avif)
-
-Possibly a scheduler and other configuration has to be removed as well.
-
-Contact
--------
-
-We have a Telegram Group [RouterOS-Scripts](https://t.me/routeros_scripts)!
-
-[![RouterOS Scripts Telegram Group](README.d/telegram-group.avif)](https://t.me/routeros_scripts)
-
-Get help, give feedback or just chat - but do not expect free professional
-support!
-
-Contribute
-----------
-
-Thanks a lot for [past contributions](CONTRIBUTIONS.md)! ❤️
-
-### Patches, issues and whishlist
-
-Feel free to contact me via e-mail or open an
-[issue](https://github.com/eworm-de/routeros-scripts/issues) or
-[pull request](https://github.com/eworm-de/routeros-scripts/pulls)
-at github.
-
-### Donate
-
-This project is developed in private spare time and usage is free of charge
-for you. If you like the scripts and think this is of value for you or your
-business please consider to
-[donate with PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J).
-
-[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=for-the-badge)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
-
-Thanks a lot for your support!
-
-License and warranty
---------------------
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-[GNU General Public License](COPYING.md) for more details.
-
-Upstream
---------
-
-[![upstream](README.d/upstream.png)](https://rsc.eworm.de/)
+### Upstream
 
 URL:
 [GitHub.com](https://github.com/eworm-de/routeros-scripts#routeros-scripts)
 
 Mirror:
-[eworm.de](https://git.eworm.de/cgit/routeros-scripts/about/)
+[eworm.de](https://git.eworm.de/cgit.cgi/routeros-scripts/about/)
 [GitLab.com](https://gitlab.com/eworm-de/routeros-scripts#routeros-scripts)
 
 ---
-[⬆️ Go back to top](#top)
+[▲ Go back to top](#top)

accesslist-duplicates.capsman

@@ -0,0 +1,34 @@
+#!rsc
+# RouterOS script: accesslist-duplicates.capsman
+# Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
+#
+# print duplicate antries in wireless access list
+#
+# !! Do not edit this file, it is generated from template!
+
+:local Seen [ :toarray "" ];
+:local Shown [ :toarray "" ];
+
+:foreach AccList in=[ / caps-man access-list find where mac-address!="00:00:00:00:00:00" ] do={
+  :local Mac [ / caps-man access-list get $AccList mac-address ];
+  :foreach SeenMac in=$Seen do={
+    :if ($SeenMac = $Mac) do={
+      :local Skip 0;
+      :foreach ShownMac in=$Shown do={
+        :if ($ShownMac = $Mac) do={ :set Skip 1; }
+      }
+      :if ($Skip = 0) do={
+        / caps-man access-list print where mac-address=$Mac;
+        :set Shown ($Shown, $Mac);
+
+        :put "\nNumeric id to remove, any key to skip!";
+        :local Remove ([ :terminal inkey ] - 48);
+        :if ($Remove >= 0 && $Remove <= 9) do={
+          :put ("Removing numeric id " . $Remove . "...\n");
+          / caps-man access-list remove $Remove;
+        }
+      }
+    }
+  }
+  :set Seen ($Seen, $Mac);
+}

accesslist-duplicates.capsman.rsc

@@ -1,37 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: accesslist-duplicates.capsman
-# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# print duplicate antries in wireless access list
-# https://rsc.eworm.de/doc/accesslist-duplicates.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :local Seen ({});
-
-  :foreach AccList in=[ /caps-man/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
-    :local Mac [ /caps-man/access-list/get $AccList mac-address ];
-    :if ($Seen->$Mac = 1) do={
-      /caps-man/access-list/print where mac-address=$Mac;
-      :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
-
-      :if ([ :typeof $Remove ] = "num") do={
-        :put ("Removing numeric id " . $Remove . "...\n");
-        /caps-man/access-list/remove $Remove;
-      }
-    }
-    :set ($Seen->$Mac) 1;
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

accesslist-duplicates.local

@@ -0,0 +1,34 @@
+#!rsc
+# RouterOS script: accesslist-duplicates.local
+# Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
+#
+# print duplicate antries in wireless access list
+#
+# !! Do not edit this file, it is generated from template!
+
+:local Seen [ :toarray "" ];
+:local Shown [ :toarray "" ];
+
+:foreach AccList in=[ / interface wireless access-list find where mac-address!="00:00:00:00:00:00" ] do={
+  :local Mac [ / interface wireless access-list get $AccList mac-address ];
+  :foreach SeenMac in=$Seen do={
+    :if ($SeenMac = $Mac) do={
+      :local Skip 0;
+      :foreach ShownMac in=$Shown do={
+        :if ($ShownMac = $Mac) do={ :set Skip 1; }
+      }
+      :if ($Skip = 0) do={
+        / interface wireless access-list print where mac-address=$Mac;
+        :set Shown ($Shown, $Mac);
+
+        :put "\nNumeric id to remove, any key to skip!";
+        :local Remove ([ :terminal inkey ] - 48);
+        :if ($Remove >= 0 && $Remove <= 9) do={
+          :put ("Removing numeric id " . $Remove . "...\n");
+          / interface wireless access-list remove $Remove;
+        }
+      }
+    }
+  }
+  :set Seen ($Seen, $Mac);
+}

accesslist-duplicates.local.rsc

@@ -1,37 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: accesslist-duplicates.local
-# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# print duplicate antries in wireless access list
-# https://rsc.eworm.de/doc/accesslist-duplicates.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :local Seen ({});
-
-  :foreach AccList in=[ /interface/wireless/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
-    :local Mac [ /interface/wireless/access-list/get $AccList mac-address ];
-    :if ($Seen->$Mac = 1) do={
-      /interface/wireless/access-list/print where mac-address=$Mac;
-      :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
-
-      :if ([ :typeof $Remove ] = "num") do={
-        :put ("Removing numeric id " . $Remove . "...\n");
-        /interface/wireless/access-list/remove $Remove;
-      }
-    }
-    :set ($Seen->$Mac) 1;
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

accesslist-duplicates.template

@@ -0,0 +1,35 @@
+#!rsc
+# RouterOS script: accesslist-duplicates%TEMPL%
+# Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
+#
+# print duplicate antries in wireless access list
+#
+# !! This is just a template! Replace '%PATH%' with 'caps-man'
+# !! or 'interface wireless'!
+
+:local Seen [ :toarray "" ];
+:local Shown [ :toarray "" ];
+
+:foreach AccList in=[ / %PATH% access-list find where mac-address!="00:00:00:00:00:00" ] do={
+  :local Mac [ / %PATH% access-list get $AccList mac-address ];
+  :foreach SeenMac in=$Seen do={
+    :if ($SeenMac = $Mac) do={
+      :local Skip 0;
+      :foreach ShownMac in=$Shown do={
+        :if ($ShownMac = $Mac) do={ :set Skip 1; }
+      }
+      :if ($Skip = 0) do={
+        / %PATH% access-list print where mac-address=$Mac;
+        :set Shown ($Shown, $Mac);
+
+        :put "\nNumeric id to remove, any key to skip!";
+        :local Remove ([ :terminal inkey ] - 48);
+        :if ($Remove >= 0 && $Remove <= 9) do={
+          :put ("Removing numeric id " . $Remove . "...\n");
+          / %PATH% access-list remove $Remove;
+        }
+      }
+    }
+  }
+  :set Seen ($Seen, $Mac);
+}

accesslist-duplicates.template.rsc

@@ -1,46 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: accesslist-duplicates%TEMPL%
-# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# print duplicate antries in wireless access list
-# https://rsc.eworm.de/doc/accesslist-duplicates.md
-#
-# !! This is just a template to generate the real script!
-# !! Pattern '%TEMPL%' is replaced, paths are filtered.
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :local Seen ({});
-
-  :foreach AccList in=[ /caps-man/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
-  :foreach AccList in=[ /interface/wifi/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
-  :foreach AccList in=[ /interface/wireless/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
-    :local Mac [ /caps-man/access-list/get $AccList mac-address ];
-    :local Mac [ /interface/wifi/access-list/get $AccList mac-address ];
-    :local Mac [ /interface/wireless/access-list/get $AccList mac-address ];
-    :if ($Seen->$Mac = 1) do={
-      /caps-man/access-list/print where mac-address=$Mac;
-      /interface/wifi/access-list/print where mac-address=$Mac;
-      /interface/wireless/access-list/print where mac-address=$Mac;
-      :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
-
-      :if ([ :typeof $Remove ] = "num") do={
-        :put ("Removing numeric id " . $Remove . "...\n");
-        /caps-man/access-list/remove $Remove;
-        /interface/wifi/access-list/remove $Remove;
-        /interface/wireless/access-list/remove $Remove;
-      }
-    }
-    :set ($Seen->$Mac) 1;
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

accesslist-duplicates.wifi.rsc

@@ -1,37 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: accesslist-duplicates.wifi
-# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# print duplicate antries in wireless access list
-# https://rsc.eworm.de/doc/accesslist-duplicates.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :local Seen ({});
-
-  :foreach AccList in=[ /interface/wifi/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
-    :local Mac [ /interface/wifi/access-list/get $AccList mac-address ];
-    :if ($Seen->$Mac = 1) do={
-      /interface/wifi/access-list/print where mac-address=$Mac;
-      :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
-
-      :if ([ :typeof $Remove ] = "num") do={
-        :put ("Removing numeric id " . $Remove . "...\n");
-        /interface/wifi/access-list/remove $Remove;
-      }
-    }
-    :set ($Seen->$Mac) 1;
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

backup-cloud.rsc

@@ -1,104 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: backup-cloud
-# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# provides: backup-script, order=40
-# requires RouterOS, version=7.15
-#
-# upload backup to MikroTik cloud
-# https://rsc.eworm.de/doc/backup-cloud.md
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global BackupRandomDelay;
-  :global Identity;
-  :global PackagesUpdateBackupFailure;
-
-  :global DeviceInfo;
-  :global FormatLine;
-  :global HumanReadableNum;
-  :global LogPrint;
-  :global MkDir;
-  :global RandomDelay;
-  :global RmDir;
-  :global ScriptFromTerminal;
-  :global ScriptLock;
-  :global SendNotification2;
-  :global SymbolForNotification;
-  :global WaitForFile;
-  :global WaitFullyConnected;
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set PackagesUpdateBackupFailure true;
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
-    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
-    :set PackagesUpdateBackupFailure true;
-    :set ExitOK true;
-    :error false;
-  }
-
-  $WaitFullyConnected;
-
-  :if ([ $ScriptFromTerminal $ScriptName ] = false && $BackupRandomDelay > 0) do={
-    $RandomDelay $BackupRandomDelay;
-  }
-
-  :if ([ $MkDir ("tmpfs/backup-cloud") ] = false) do={
-    $LogPrint error $ScriptName ("Failed creating directory!");
-    :set ExitOK true;
-    :error false;
-  }
-
-  :local I 5;
-  :do {
-    :execute {
-      :global BackupPassword;
-
-      :local Backup ([ /system/backup/cloud/find ]->0);
-      :if ([ :typeof $Backup ] = "id") do={
-        /system/backup/cloud/upload-file action=create-and-upload \
-            password=$BackupPassword replace=$Backup;
-      } else={
-        /system/backup/cloud/upload-file action=create-and-upload \
-            password=$BackupPassword;
-      }
-      /file/add name="tmpfs/backup-cloud/done";
-    } as-string;
-    :set I ($I - 1);
-  } while=([ $WaitForFile "tmpfs/backup-cloud/done" 200ms ] = false && $I > 0);
-
-  :if ([ $WaitForFile "tmpfs/backup-cloud/done" ] = true) do={
-    :if ($I < 4) do={
-      :log warning ($ScriptName . ": Retry successful, please discard previous connection errors.");
-    }
-
-    :local Cloud [ /system/backup/cloud/get ([ find ]->0) ];
-
-    $SendNotification2 ({ origin=$ScriptName; \
-      subject=([ $SymbolForNotification "floppy-disk,cloud" ] . "Cloud backup"); \
-      message=("Uploaded backup for " . $Identity . " to cloud.\n\n" . \
-        [ $DeviceInfo ] . "\n\n" . \
-        [ $FormatLine "Name" ($Cloud->"name") ] . "\n" . \
-        [ $FormatLine "Size" ([ $HumanReadableNum ($Cloud->"size") 1024 ] . "B") ] . "\n" . \
-        [ $FormatLine "Download key" ($Cloud->"secret-download-key") ]); silent=true });
-  } else={
-    $SendNotification2 ({ origin=$ScriptName; \
-      subject=([ $SymbolForNotification "floppy-disk,warning-sign" ] . "Cloud backup failed"); \
-      message=("Failed uploading backup for " . $Identity . " to cloud!\n\n" . [ $DeviceInfo ]) });
-    $LogPrint error $ScriptName ("Failed uploading backup for " . $Identity . " to cloud!");
-    :set PackagesUpdateBackupFailure true;
-  }
-  $RmDir "tmpfs/backup-cloud";
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

backup-email.rsc

@@ -1,140 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: backup-email
-# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# provides: backup-script, order=20
-# requires RouterOS, version=7.15
-#
-# create and email backup and config file
-# https://rsc.eworm.de/doc/backup-email.md
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global BackupPassword;
-  :global BackupRandomDelay;
-  :global BackupSendBinary;
-  :global BackupSendExport;
-  :global BackupSendGlobalConfig;
-  :global Domain;
-  :global Identity;
-  :global PackagesUpdateBackupFailure;
-
-  :global CleanName;
-  :global DeviceInfo;
-  :global FormatLine;
-  :global LogPrint;
-  :global MkDir;
-  :global RandomDelay;
-  :global ScriptFromTerminal;
-  :global ScriptLock;
-  :global SendEMail2;
-  :global SymbolForNotification;
-  :global WaitForFile;
-  :global WaitFullyConnected;
-
-  :if ([ :typeof $SendEMail2 ] = "nothing") do={
-    $LogPrint error $ScriptName ("The module for sending notifications via e-mail is not installed.");
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ($BackupSendBinary != true && \
-       $BackupSendExport != true) do={
-    $LogPrint error $ScriptName ("Configured to send neither backup nor config export.");
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set PackagesUpdateBackupFailure true;
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
-    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
-    :set PackagesUpdateBackupFailure true;
-    :set ExitOK true;
-    :error false;
-  }
-
-  $WaitFullyConnected;
-
-  :if ([ $ScriptFromTerminal $ScriptName ] = false && $BackupRandomDelay > 0) do={
-    $RandomDelay $BackupRandomDelay;
-  }
-
-  # filename based on identity
-  :local DirName ("tmpfs/" . $ScriptName);
-  :local FileName [ $CleanName ($Identity . "." . $Domain) ];
-  :local FilePath ($DirName . "/" . $FileName);
-  :local BackupFile "none";
-  :local ExportFile "none";
-  :local ConfigFile "none";
-  :local Attach ({});
-
-  :if ([ $MkDir $DirName ] = false) do={
-    $LogPrint error $ScriptName ("Failed creating directory!");
-    :set ExitOK true;
-    :error false;
-  }
-
-  # binary backup
-  :if ($BackupSendBinary = true) do={
-    /system/backup/save encryption=aes-sha256 name=$FilePath password=$BackupPassword;
-    $WaitForFile ($FilePath . ".backup");
-    :set BackupFile ($FileName . ".backup");
-    :set Attach ($Attach, ($FilePath . ".backup"));
-  }
-
-  # create configuration export
-  :if ($BackupSendExport = true) do={
-    /export terse show-sensitive file=$FilePath;
-    $WaitForFile ($FilePath . ".rsc");
-    :set ExportFile ($FileName . ".rsc");
-    :set Attach ($Attach, ($FilePath . ".rsc"));
-  }
-
-  # global-config-overlay
-  :if ($BackupSendGlobalConfig = true) do={
-    # Do *NOT* use '/file/add ...' here, as it is limited to 4095 bytes!
-    :execute script={ :put [ /system/script/get global-config-overlay source ]; } \
-        file=($FilePath . ".conf\00");
-    $WaitForFile ($FilePath . ".conf");
-    :set ConfigFile ($FileName . ".conf");
-    :set Attach ($Attach, ($FilePath . ".conf"));
-  }
-
-  # send email with status and files
-  $SendEMail2 ({ origin=$ScriptName; \
-    subject=([ $SymbolForNotification "floppy-disk,incoming-envelope" ] . \
-      "Backup & Config"); \
-    message=("See attached files for backup and config export for " . \
-      $Identity . ".\n\n" . \
-      [ $DeviceInfo ] . "\n\n" . \
-      [ $FormatLine "Backup file" $BackupFile ] . "\n" . \
-      [ $FormatLine "Export file" $ExportFile ] . "\n" . \
-      [ $FormatLine "Config file" $ConfigFile ]); \
-    attach=$Attach; remove-attach=true });
-
-  # wait for the mail to be sent
-  :local I 0;
-  :while ([ :len [ /file/find where name ~ ($FilePath . "\\.(backup|rsc)\$") ] ] > 0) do={
-    :if ($I >= 120) do={
-      $LogPrint warning $ScriptName ("Files are still available, sending e-mail failed.");
-      :set PackagesUpdateBackupFailure true;
-      :set ExitOK true;
-      :error false;
-    }
-    :delay 1s;
-    :set I ($I + 1);
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

backup-partition.rsc

@@ -1,126 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: backup-partition
-# Copyright (c) 2022-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# provides: backup-script, order=70
-# requires RouterOS, version=7.15
-# requires device-mode, scheduler
-#
-# save configuration to fallback partition
-# https://rsc.eworm.de/doc/backup-partition.md
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global BackupPartitionCopyBeforeFeatureUpdate;
-  :global PackagesUpdateBackupFailure;
-
-  :global LogPrint;
-  :global ScriptFromTerminal;
-  :global ScriptLock;
-  :global VersionToNum;
-
-  :local CopyTo do={
-    :local ScriptName     [ :tostr $1 ];
-    :local FallbackTo     [ :toid  $2 ];
-    :local FallbackToName [ :tostr $3 ];
-
-    :global LogPrint;
-
-    :do {
-      /partitions/copy-to $FallbackTo;
-      $LogPrint info $ScriptName ("Copied RouterOS to partition '" . $FallbackToName . "'.");
-      :return true;
-    } on-error={
-      $LogPrint error $ScriptName ("Failed copying RouterOS to partition '" . $FallbackToName . "'!");
-      :return false;
-    }
-  }
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set PackagesUpdateBackupFailure true;
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
-    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
-    :set PackagesUpdateBackupFailure true;
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :len [ /partitions/find ] ] < 2) do={
-    $LogPrint error $ScriptName ("Device does not have a fallback partition.");
-    :set PackagesUpdateBackupFailure true;
-    :set ExitOK true;
-    :error false;
-  }
-
-  :local ActiveRunning [ /partitions/find where active running ];
-
-  :if ([ :len $ActiveRunning ] < 1) do={
-    $LogPrint error $ScriptName ("Device is not running from active partition.");
-    :set PackagesUpdateBackupFailure true;
-    :set ExitOK true;
-    :error false;
-  }
-
-  :local FallbackToName [ /partitions/get $ActiveRunning fallback-to ];
-  :local FallbackTo [ /partition/find where name=$FallbackToName !active ];
-
-  :if ([ :len $FallbackTo ] < 1) do={
-    $LogPrint error $ScriptName ("There is no inactive partition named '" . $FallbackToName . "'.");
-    :set PackagesUpdateBackupFailure true;
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ /partitions/get $ActiveRunning version ] != [ /partitions/get $FallbackTo version]) do={
-    :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
-      :put ("The partitions have different RouterOS versions. Copy over to '" . $FallbackToName . "'? [y/N]");
-      :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
-        :if ([ $CopyTo $ScriptName $FallbackTo $FallbackToName ] = false) do={
-          :set PackagesUpdateBackupFailure true;
-          :set ExitOK true;
-          :error false;
-        }
-      }
-    } else={
-      :local Update [ /system/package/update/get ];
-      :local NumInstalled [ $VersionToNum ($Update->"installed-version") ];
-      :local NumLatest [ $VersionToNum ($Update->"latest-version") ];
-      :local BitMask [ $VersionToNum "255.255zero0" ];
-      :if ($BackupPartitionCopyBeforeFeatureUpdate = true && $NumLatest > 0 && \
-           ($NumInstalled & $BitMask) != ($NumLatest & $BitMask)) do={
-        :if ([ $CopyTo $ScriptName $FallbackTo $FallbackToName ] = false) do={
-          :set PackagesUpdateBackupFailure true;
-          :set ExitOK true;
-          :error false;
-        }
-      }
-    }
-  }
-
-  :do {
-    /system/scheduler/add start-time=startup name="running-from-backup-partition" \
-        on-event=(":log warning (\"Running from partition '\" . " . \
-        "[ /partitions/get [ find where running ] name ] . \"'!\")");
-    /partitions/save-config-to $FallbackTo;
-    /system/scheduler/remove "running-from-backup-partition";
-    $LogPrint info $ScriptName ("Saved configuration to partition '" . $FallbackToName . "'.");
-  } on-error={
-    /system/scheduler/remove [ find where name="running-from-backup-partition" ];
-    $LogPrint error $ScriptName ("Failed saving configuration to partition '" . $FallbackToName . "'!");
-    :set PackagesUpdateBackupFailure true;
-    :set ExitOK true;
-    :error false;
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

backup-upload.rsc

@@ -1,178 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: backup-upload
-# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# provides: backup-script, order=50
-# requires RouterOS, version=7.15
-# requires device-mode, fetch
-#
-# create and upload backup and config file
-# https://rsc.eworm.de/doc/backup-upload.md
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global BackupPassword;
-  :global BackupRandomDelay;
-  :global BackupSendBinary;
-  :global BackupSendExport;
-  :global BackupSendGlobalConfig;
-  :global BackupUploadPass;
-  :global BackupUploadUrl;
-  :global BackupUploadUser;
-  :global Domain;
-  :global Identity;
-  :global PackagesUpdateBackupFailure;
-
-  :global CleanName;
-  :global DeviceInfo;
-  :global IfThenElse;
-  :global LogPrint;
-  :global MkDir;
-  :global RandomDelay;
-  :global RmDir;
-  :global RmFile;
-  :global ScriptFromTerminal;
-  :global ScriptLock;
-  :global SendNotification2;
-  :global SymbolForNotification;
-  :global WaitForFile;
-  :global WaitFullyConnected;
-
-  :if ($BackupSendBinary != true && \
-       $BackupSendExport != true) do={
-    $LogPrint error $ScriptName ("Configured to send neither backup nor config export.");
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set PackagesUpdateBackupFailure true;
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
-    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
-    :set PackagesUpdateBackupFailure true;
-    :set ExitOK true;
-    :error false;
-  }
-
-  $WaitFullyConnected;
-
-  :if ([ $ScriptFromTerminal $ScriptName ] = false && $BackupRandomDelay > 0) do={
-    $RandomDelay $BackupRandomDelay;
-  }
-
-  # filename based on identity
-  :local DirName ("tmpfs/" . $ScriptName);
-  :local FileName [ $CleanName ($Identity . "." . $Domain) ];
-  :local FilePath ($DirName . "/" . $FileName);
-  :local BackupFile "none";
-  :local ExportFile "none";
-  :local ConfigFile "none";
-  :local Failed 0;
-
-  :if ([ $MkDir $DirName ] = false) do={
-    $LogPrint error $ScriptName ("Failed creating directory!");
-    :set ExitOK true;
-    :error false;
-  }
-
-  # binary backup
-  :if ($BackupSendBinary = true) do={
-    /system/backup/save encryption=aes-sha256 name=$FilePath password=$BackupPassword;
-    $WaitForFile ($FilePath . ".backup");
-
-    :do {
-      /tool/fetch upload=yes url=($BackupUploadUrl . "/" . $FileName . ".backup") \
-          user=$BackupUploadUser password=$BackupUploadPass src-path=($FilePath . ".backup");
-      :set BackupFile [ /file/get ($FilePath . ".backup") ];
-      :set ($BackupFile->"name") ($FileName . ".backup");
-    } on-error={
-      $LogPrint error $ScriptName ("Uploading backup file failed!");
-      :set BackupFile "failed";
-      :set Failed 1;
-    }
-
-    $RmFile ($FilePath . ".backup");
-  }
-
-  # create configuration export
-  :if ($BackupSendExport = true) do={
-    /export terse show-sensitive file=$FilePath;
-    $WaitForFile ($FilePath . ".rsc");
-
-    :do {
-      /tool/fetch upload=yes url=($BackupUploadUrl . "/" . $FileName . ".rsc") \
-          user=$BackupUploadUser password=$BackupUploadPass src-path=($FilePath . ".rsc");
-      :set ExportFile [ /file/get ($FilePath . ".rsc") ];
-      :set ($ExportFile->"name") ($FileName . ".rsc");
-    } on-error={
-      $LogPrint error $ScriptName ("Uploading configuration export failed!");
-      :set ExportFile "failed";
-      :set Failed 1;
-    }
-
-    $RmFile ($FilePath . ".rsc");
-  }
-
-  # global-config-overlay
-  :if ($BackupSendGlobalConfig = true) do={
-    # Do *NOT* use '/file/add ...' here, as it is limited to 4095 bytes!
-    :execute script={ :put [ /system/script/get global-config-overlay source ]; } \
-        file=($FilePath . ".conf\00");
-    $WaitForFile ($FilePath . ".conf");
-
-    :do {
-      /tool/fetch upload=yes url=($BackupUploadUrl . "/" . $FileName . ".conf") \
-          user=$BackupUploadUser password=$BackupUploadPass src-path=($FilePath . ".conf");
-      :set ConfigFile [ /file/get ($FilePath . ".conf") ];
-      :set ($ConfigFile->"name") ($FileName . ".conf");
-    } on-error={
-      $LogPrint error $ScriptName ("Uploading global-config-overlay failed!");
-      :set ConfigFile "failed";
-      :set Failed 1;
-    }
-
-    $RmFile ($FilePath . ".conf");
-  }
-
-  :local FileInfo do={
-    :local Name $1;
-    :local File $2;
-
-    :global FormatLine;
-    :global HumanReadableNum;
-    :global IfThenElse;
-
-    :return \
-      [ $IfThenElse ([ :typeof $File ] = "array") \
-        ($Name . ":\n" . [ $FormatLine "    name" ($File->"name") ] . "\n" . \
-          [ $FormatLine "    size" ([ $HumanReadableNum ($File->"size") 1024 ] . "B") ]) \
-        [ $FormatLine $Name $File ] ];
-  }
-
-  $SendNotification2 ({ origin=$ScriptName; \
-    subject=[ $IfThenElse ($Failed > 0) \
-      ([ $SymbolForNotification "floppy-disk,warning-sign" ] . "Backup & Config upload with failure") \
-      ([ $SymbolForNotification "floppy-disk,arrow-up" ] . "Backup & Config upload") ]; \
-    message=("Backup and config export upload for " . $Identity . ".\n\n" . \
-      [ $DeviceInfo ] . "\n\n" . \
-      [ $FileInfo "Backup file" $BackupFile ] . "\n" . \
-      [ $FileInfo "Export file" $ExportFile ] . "\n" . \
-      [ $FileInfo "Config file" $ConfigFile ]); silent=true });
-
-  :if ($Failed = 1) do={
-    :set PackagesUpdateBackupFailure true;
-  }
-  $RmDir $DirName;
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

bridge-port-to-default

@@ -0,0 +1,31 @@
+#!rsc
+# RouterOS script: bridge-port-to-default
+# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
+#
+# reset bridge ports to default bridge
+
+:global BridgePortTo;
+
+:local Len ([ :len $BridgePortTo ] + 1);
+
+:if ($Len = 1) do={
+  :delay 1s;
+  :set Len ([ :len $BridgePortTo ] + 1);
+}
+
+:foreach Interface in=[ / interface bridge port find where comment!="" ] do={
+  :foreach Comment in=[ :toarray [ / interface bridge port get $Interface comment ] ] do={
+    :if ([ :pick $Comment 0 $Len ] = ($BridgePortTo . ":")) do={
+      :local InterfaceName [ / interface bridge port get $Interface interface ];
+      :local BridgeDefault [ :pick $Comment $Len [ :len $Comment ] ];
+      :local BridgeCurrent [ / interface bridge port get $Interface bridge ];
+      :if ($BridgeDefault != $BridgeCurrent) do={
+        :log info ("Changing interface " . $InterfaceName . " to " . $BridgePortTo . " bridge " . $BridgeDefault);
+        / interface bridge port set bridge=$BridgeDefault $Interface;
+        / ip dhcp-client renew [ find where interface=$BridgeDefault ];
+      } else={
+        :log debug ("Interface " . $InterfaceName . " already connected to " . $BridgePortTo . " bridge " . $BridgeDefault);
+      }
+    }
+  }
+}

bridge-port-toggle

@@ -0,0 +1,15 @@
+#!rsc
+# RouterOS script: bridge-port-toggle
+# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
+#
+# toggle bridge ports between default and alt bridge
+
+:global BridgePortTo;
+
+:if ($BridgePortTo != "default") do={
+  :set BridgePortTo "default";
+} else={
+  :set BridgePortTo "alt";
+}
+
+/ system script run bridge-port-to-default;

capsman-download-packages

@@ -0,0 +1,39 @@
+#!rsc
+# RouterOS script: capsman-download-packages
+# Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+#
+# requires: dont-require-permissions=yes
+#
+# download and cleanup packages for CAP installation from CAPsMAN
+
+:global DownloadPackage;
+:global CleanFilePath;
+
+:local PackagePath [ $CleanFilePath [ / caps-man manager get package-path ] ];
+:local InstalledVersion [ / system package update get installed-version ];
+:local Updated false;
+
+:foreach Package in=[ / file find where type=package \
+      package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
+  :local PackageName [ / file get $Package package-name ];
+  :local PackageArchitecture [ / file get $Package package-architecture ];
+  :if ($PackageArchitecture = "mips") do={
+    :set PackageArchitecture "mipsbe";
+  }
+  :if ($PackageName = "wireless@") do={
+    :set PackageName "wireless";
+  }
+  :if ([ $DownloadPackage $PackageName $InstalledVersion $PackageArchitecture $PackagePath ] = true) do={
+    :set Updated true;
+    / file remove $Package;
+  }
+}
+
+:if ($Updated = true) do={
+  :if ([ / system script print count-only where name="capsman-rolling-upgrade" ] > 0) do={
+    / system script run capsman-rolling-upgrade;
+  } else={
+    / caps-man remote-cap upgrade [ find where version!=$InstalledVersion ];
+  }
+}

capsman-download-packages.capsman.rsc

@@ -1,92 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: capsman-download-packages.capsman
-# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# download and cleanup packages for CAP installation from CAPsMAN
-# https://rsc.eworm.de/doc/capsman-download-packages.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global CleanFilePath;
-  :global DownloadPackage;
-  :global LogPrint;
-  :global MkDir;
-  :global RmFile;
-  :global ScriptLock;
-  :global WaitFullyConnected;
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-  $WaitFullyConnected;
-
-  :local PackagePath [ $CleanFilePath [ /caps-man/manager/get package-path ] ];
-  :local InstalledVersion [ /system/package/update/get installed-version ];
-  :local Updated false;
-
-  :if ([ :len $PackagePath ] = 0) do={
-    $LogPrint warning $ScriptName ("The CAPsMAN package path is not defined, can not download packages.");
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :len [ /file/find where name=$PackagePath type="directory" ] ] = 0) do={
-    :if ([ $MkDir $PackagePath ] = false) do={
-      $LogPrint warning $ScriptName ("Creating directory at CAPsMAN package path (" . \
-        $PackagePath . ") failed!");
-      :set ExitOK true;
-      :error false;
-    }
-    $LogPrint info $ScriptName ("Created directory at CAPsMAN package path (" . $PackagePath . \
-      "). Please place your packages!");
-  }
-
-  :foreach Package in=[ /file/find where type=package \
-        package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
-    :local File [ /file/get $Package ];
-    :if ($File->"package-architecture" = "mips") do={
-      :set ($File->"package-architecture") "mipsbe";
-    }
-    :if ([ $DownloadPackage ($File->"package-name") $InstalledVersion \
-         ($File->"package-architecture") $PackagePath ] = true) do={
-      :set Updated true;
-      $RmFile ($File->"name");
-    }
-  }
-
-  :if ([ :len [ /file/find where type=package name~("^" . $PackagePath) ] ] = 0) do={
-    $LogPrint info $ScriptName ("No packages available, downloading default set.");
-    :foreach Arch in={ "arm"; "mipsbe" } do={
-      :foreach Package in={ "routeros"; "wireless" } do={
-        :if ([ $DownloadPackage $Package $InstalledVersion $Arch $PackagePath ] = true) do={
-          :set Updated true;
-        }
-      }
-    }
-  }
-
-  :if ($Updated = true) do={
-    :local Scripts [ /system/script/find where source~"\n# provides: capsman-rolling-upgrade.capsman\r?\n" ];
-    :if ([ :len $Scripts ] > 0) do={
-      :foreach Script in=$Scripts do={
-        /system/script/run $Script;
-      }
-    } else={
-      /caps-man/remote-cap/upgrade [ find where version!=$InstalledVersion ];
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

capsman-download-packages.template.rsc

@@ -1,103 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: capsman-download-packages%TEMPL%
-# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# download and cleanup packages for CAP installation from CAPsMAN
-# https://rsc.eworm.de/doc/capsman-download-packages.md
-#
-# !! This is just a template to generate the real script!
-# !! Pattern '%TEMPL%' is replaced, paths are filtered.
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global CleanFilePath;
-  :global DownloadPackage;
-  :global LogPrint;
-  :global MkDir;
-  :global RmFile;
-  :global ScriptLock;
-  :global WaitFullyConnected;
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-  $WaitFullyConnected;
-
-  :local PackagePath [ $CleanFilePath [ /caps-man/manager/get package-path ] ];
-  :local PackagePath [ $CleanFilePath [ /interface/wifi/capsman/get package-path ] ];
-  :local InstalledVersion [ /system/package/update/get installed-version ];
-  :local Updated false;
-
-  :if ([ :len $PackagePath ] = 0) do={
-    $LogPrint warning $ScriptName ("The CAPsMAN package path is not defined, can not download packages.");
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :len [ /file/find where name=$PackagePath type="directory" ] ] = 0) do={
-    :if ([ $MkDir $PackagePath ] = false) do={
-      $LogPrint warning $ScriptName ("Creating directory at CAPsMAN package path (" . \
-        $PackagePath . ") failed!");
-      :set ExitOK true;
-      :error false;
-    }
-    $LogPrint info $ScriptName ("Created directory at CAPsMAN package path (" . $PackagePath . \
-      "). Please place your packages!");
-  }
-
-  :foreach Package in=[ /file/find where type=package \
-        package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
-    :local File [ /file/get $Package ];
-    :if ($File->"package-architecture" = "mips") do={
-      :set ($File->"package-architecture") "mipsbe";
-    }
-    :if ([ $DownloadPackage ($File->"package-name") $InstalledVersion \
-         ($File->"package-architecture") $PackagePath ] = true) do={
-      :set Updated true;
-      $RmFile ($File->"name");
-    }
-  }
-
-  :if ([ :len [ /file/find where type=package name~("^" . $PackagePath) ] ] = 0) do={
-    $LogPrint info $ScriptName ("No packages available, downloading default set.");
-# NOT /interface/wifi/ #
-    :foreach Arch in={ "arm"; "mipsbe" } do={
-      :foreach Package in={ "routeros"; "wireless" } do={
-# NOT /interface/wifi/ #
-# NOT /caps-man/ #
-    :foreach Arch in={ "arm"; "arm64" } do={
-      :local Packages { "arm"={ "routeros"; "wifi-qcom"; "wifi-qcom-ac" };
-                      "arm64"={ "routeros"; "wifi-qcom" } };
-      :foreach Package in=($Packages->$Arch) do={
-# NOT /caps-man/ #
-        :if ([ $DownloadPackage $Package $InstalledVersion $Arch $PackagePath ] = true) do={
-          :set Updated true;
-        }
-      }
-    }
-  }
-
-  :if ($Updated = true) do={
-    :local Scripts [ /system/script/find where source~"\n# provides: capsman-rolling-upgrade%TEMPL%\r?\n" ];
-    :if ([ :len $Scripts ] > 0) do={
-      :foreach Script in=$Scripts do={
-        /system/script/run $Script;
-      }
-    } else={
-      /caps-man/remote-cap/upgrade [ find where version!=$InstalledVersion ];
-      /interface/wifi/capsman/remote-cap/upgrade [ find where version!=$InstalledVersion ];
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

capsman-download-packages.wifi.rsc

@@ -1,94 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: capsman-download-packages.wifi
-# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# download and cleanup packages for CAP installation from CAPsMAN
-# https://rsc.eworm.de/doc/capsman-download-packages.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global CleanFilePath;
-  :global DownloadPackage;
-  :global LogPrint;
-  :global MkDir;
-  :global RmFile;
-  :global ScriptLock;
-  :global WaitFullyConnected;
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-  $WaitFullyConnected;
-
-  :local PackagePath [ $CleanFilePath [ /interface/wifi/capsman/get package-path ] ];
-  :local InstalledVersion [ /system/package/update/get installed-version ];
-  :local Updated false;
-
-  :if ([ :len $PackagePath ] = 0) do={
-    $LogPrint warning $ScriptName ("The CAPsMAN package path is not defined, can not download packages.");
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :len [ /file/find where name=$PackagePath type="directory" ] ] = 0) do={
-    :if ([ $MkDir $PackagePath ] = false) do={
-      $LogPrint warning $ScriptName ("Creating directory at CAPsMAN package path (" . \
-        $PackagePath . ") failed!");
-      :set ExitOK true;
-      :error false;
-    }
-    $LogPrint info $ScriptName ("Created directory at CAPsMAN package path (" . $PackagePath . \
-      "). Please place your packages!");
-  }
-
-  :foreach Package in=[ /file/find where type=package \
-        package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
-    :local File [ /file/get $Package ];
-    :if ($File->"package-architecture" = "mips") do={
-      :set ($File->"package-architecture") "mipsbe";
-    }
-    :if ([ $DownloadPackage ($File->"package-name") $InstalledVersion \
-         ($File->"package-architecture") $PackagePath ] = true) do={
-      :set Updated true;
-      $RmFile ($File->"name");
-    }
-  }
-
-  :if ([ :len [ /file/find where type=package name~("^" . $PackagePath) ] ] = 0) do={
-    $LogPrint info $ScriptName ("No packages available, downloading default set.");
-    :foreach Arch in={ "arm"; "arm64" } do={
-      :local Packages { "arm"={ "routeros"; "wifi-qcom"; "wifi-qcom-ac" };
-                      "arm64"={ "routeros"; "wifi-qcom" } };
-      :foreach Package in=($Packages->$Arch) do={
-        :if ([ $DownloadPackage $Package $InstalledVersion $Arch $PackagePath ] = true) do={
-          :set Updated true;
-        }
-      }
-    }
-  }
-
-  :if ($Updated = true) do={
-    :local Scripts [ /system/script/find where source~"\n# provides: capsman-rolling-upgrade.wifi\r?\n" ];
-    :if ([ :len $Scripts ] > 0) do={
-      :foreach Script in=$Scripts do={
-        /system/script/run $Script;
-      }
-    } else={
-      /interface/wifi/capsman/remote-cap/upgrade [ find where version!=$InstalledVersion ];
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

capsman-rolling-upgrade

@@ -0,0 +1,20 @@
+#!rsc
+# RouterOS script: capsman-rolling-upgrade
+# Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+#
+# upgrade CAPs one after another
+
+:local InstalledVersion [ / system package update get installed-version ];
+
+:local RemoteCapCount [ /caps-man remote-cap print count-only ];
+:if ($RemoteCapCount > 0) do={
+  :local Delay (600 / $RemoteCapCount);
+  :if ($Delay > 120) do={ :set Delay 120; }
+  :foreach RemoteCap in=[ / caps-man remote-cap find where version!=$InstalledVersion ] do={
+    :local RemoteCapName [ / caps-man remote-cap get $RemoteCap name ];
+    :log debug ("Starting upgrade for CAP " . $RemoteCapName . "...");
+    / caps-man remote-cap upgrade $RemoteCap;
+    :delay ($Delay . "s");
+  }
+}

capsman-rolling-upgrade.capsman.rsc

@@ -1,50 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: capsman-rolling-upgrade.capsman
-# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# provides: capsman-rolling-upgrade.capsman
-# requires RouterOS, version=7.15
-#
-# upgrade CAPs one after another
-# https://rsc.eworm.de/doc/capsman-rolling-upgrade.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global LogPrint;
-  :global ScriptLock;
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-
-  :local InstalledVersion [ /system/package/update/get installed-version ];
-
-  :local RemoteCapCount [ :len [ /caps-man/remote-cap/find ] ];
-  :if ($RemoteCapCount > 0) do={
-    :local Delay (600 / $RemoteCapCount);
-    :if ($Delay > 120) do={ :set Delay 120; }
-    :foreach RemoteCap in=[ /caps-man/remote-cap/find where version!=$InstalledVersion ] do={
-      :local RemoteCapVal [ /caps-man/remote-cap/get $RemoteCap ];
-      :if ([ :len $RemoteCapVal ] > 1) do={
-        $LogPrint info $ScriptName ("Starting upgrade for " . $RemoteCapVal->"name" . \
-          " (" . $RemoteCapVal->"identity" . ")...");
-        /caps-man/remote-cap/upgrade $RemoteCap;
-      } else={
-        $LogPrint warning $ScriptName ("Remote CAP vanished, skipping upgrade.");
-      }
-      :delay ($Delay . "s");
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

capsman-rolling-upgrade.template.rsc

@@ -1,58 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: capsman-rolling-upgrade%TEMPL%
-# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# provides: capsman-rolling-upgrade%TEMPL%
-# requires RouterOS, version=7.15
-#
-# upgrade CAPs one after another
-# https://rsc.eworm.de/doc/capsman-rolling-upgrade.md
-#
-# !! This is just a template to generate the real script!
-# !! Pattern '%TEMPL%' is replaced, paths are filtered.
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global LogPrint;
-  :global ScriptLock;
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-
-  :local InstalledVersion [ /system/package/update/get installed-version ];
-
-  :local RemoteCapCount [ :len [ /caps-man/remote-cap/find ] ];
-  :local RemoteCapCount [ :len [ /interface/wifi/capsman/remote-cap/find ] ];
-  :if ($RemoteCapCount > 0) do={
-    :local Delay (600 / $RemoteCapCount);
-    :if ($Delay > 120) do={ :set Delay 120; }
-    :foreach RemoteCap in=[ /caps-man/remote-cap/find where version!=$InstalledVersion ] do={
-    :foreach RemoteCap in=[ /interface/wifi/capsman/remote-cap/find where version!=$InstalledVersion ] do={
-      :local RemoteCapVal [ /caps-man/remote-cap/get $RemoteCap ];
-      :local RemoteCapVal [ /interface/wifi/capsman/remote-cap/get $RemoteCap ];
-      :if ([ :len $RemoteCapVal ] > 1) do={
-# NOT /caps-man/ #
-        :set ($RemoteCapVal->"name") ($RemoteCapVal->"common-name");
-# NOT /caps-man/ #
-        $LogPrint info $ScriptName ("Starting upgrade for " . $RemoteCapVal->"name" . \
-          " (" . $RemoteCapVal->"identity" . ")...");
-        /caps-man/remote-cap/upgrade $RemoteCap;
-        /interface/wifi/capsman/remote-cap/upgrade $RemoteCap;
-      } else={
-        $LogPrint warning $ScriptName ("Remote CAP vanished, skipping upgrade.");
-      }
-      :delay ($Delay . "s");
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

capsman-rolling-upgrade.wifi.rsc

@@ -1,51 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: capsman-rolling-upgrade.wifi
-# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# provides: capsman-rolling-upgrade.wifi
-# requires RouterOS, version=7.15
-#
-# upgrade CAPs one after another
-# https://rsc.eworm.de/doc/capsman-rolling-upgrade.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global LogPrint;
-  :global ScriptLock;
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-
-  :local InstalledVersion [ /system/package/update/get installed-version ];
-
-  :local RemoteCapCount [ :len [ /interface/wifi/capsman/remote-cap/find ] ];
-  :if ($RemoteCapCount > 0) do={
-    :local Delay (600 / $RemoteCapCount);
-    :if ($Delay > 120) do={ :set Delay 120; }
-    :foreach RemoteCap in=[ /interface/wifi/capsman/remote-cap/find where version!=$InstalledVersion ] do={
-      :local RemoteCapVal [ /interface/wifi/capsman/remote-cap/get $RemoteCap ];
-      :if ([ :len $RemoteCapVal ] > 1) do={
-        :set ($RemoteCapVal->"name") ($RemoteCapVal->"common-name");
-        $LogPrint info $ScriptName ("Starting upgrade for " . $RemoteCapVal->"name" . \
-          " (" . $RemoteCapVal->"identity" . ")...");
-        /interface/wifi/capsman/remote-cap/upgrade $RemoteCap;
-      } else={
-        $LogPrint warning $ScriptName ("Remote CAP vanished, skipping upgrade.");
-      }
-      :delay ($Delay . "s");
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

certificate-renew-issued.rsc

@@ -1,52 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: certificate-renew-issued
-# Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# renew locally issued certificates
-# https://rsc.eworm.de/doc/certificate-renew-issued.md
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global CertIssuedExportPass;
-
-  :global LogPrint;
-  :global MkDir;
-  :global ScriptLock;
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-
-  :foreach Cert in=[ /certificate/find where issued expires-after<3w ] do={
-    :local CertVal [ /certificate/get $Cert ];
-    /certificate/issued-revoke $Cert;
-    /certificate/set name=($CertVal->"name" . "-revoked-" . [ /system/clock/get date ]) $Cert;
-    /certificate/add name=($CertVal->"name") common-name=($CertVal->"common-name") \
-        key-usage=($CertVal->"key-usage") subject-alt-name=($CertVal->"subject-alt-name");
-    /certificate/sign ($CertVal->"name") ca=($CertVal->"ca");
-    :if ([ :typeof ($CertIssuedExportPass->($CertVal->"common-name")) ] = "str") do={
-      :if ([ $MkDir "cert-issued" ] = true) do={
-        /certificate/export-certificate ($CertVal->"name") type=pkcs12 \
-            file-name=("cert-issued/" . $CertVal->"common-name") \
-            export-passphrase=($CertIssuedExportPass->($CertVal->"common-name"));
-        $LogPrint info $ScriptName ("Issued a new certificate for '" . $CertVal->"common-name" . \
-          "', exported to 'cert-issued/" . $CertVal->"common-name" . ".p12'.");
-      } else={
-        $LogPrint warning $ScriptName ("Failed creating directory, not exporting certificate.");
-      }
-    } else={
-      $LogPrint info $ScriptName ("Issued a new certificate for '" . $CertVal->"common-name" . "'.");
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

certs/Certum-Trusted-Network-CA.pem

@@ -1,29 +0,0 @@
-# Issuer: CN=Certum Trusted Network CA O=Unizeto Technologies S.A. OU=Certum Certification Authority
-# Subject: CN=Certum Trusted Network CA O=Unizeto Technologies S.A. OU=Certum Certification Authority
-# Label: "Certum Trusted Network CA"
-# Serial: 279744
-# MD5 Fingerprint: d5:e9:81:40:c5:18:69:fc:46:2c:89:75:62:0f:aa:78
-# SHA1 Fingerprint: 07:e0:32:e0:20:b7:2c:3f:19:2f:06:28:a2:59:3a:19:a7:0f:06:9e
-# SHA256 Fingerprint: 5c:58:46:8d:55:f5:8e:49:7e:74:39:82:d2:b5:00:10:b6:d1:65:37:4a:cf:83:a7:d4:a3:2d:b7:68:c4:40:8e
------BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
-MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
-ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
-cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3
-WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg
-Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw
-IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH
-UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM
-TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU
-BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM
-kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x
-AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV
-HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y
-sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL
-I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8
-J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY
-VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
-03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw=
------END CERTIFICATE-----

certs/DigiCert-Global-Root-G2.pem

@@ -1,29 +0,0 @@
-# Issuer: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
-# Subject: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
-# Label: "DigiCert Global Root G2"
-# Serial: 4293743540046975378534879503202253541
-# MD5 Fingerprint: e4:a6:8a:c8:54:ac:52:42:46:0a:fd:72:48:1b:2a:44
-# SHA1 Fingerprint: df:3c:24:f9:bf:d6:66:76:1b:26:80:73:fe:06:d1:cc:8d:4f:82:a4
-# SHA256 Fingerprint: cb:3c:cb:b7:60:31:e5:e0:13:8f:8d:d3:9a:23:f9:de:47:ff:c3:5e:43:c1:14:4c:ea:27:d4:6a:5a:b1:cb:5f
------BEGIN CERTIFICATE-----
-MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
-MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
-b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
-2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
-1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
-q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
-tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
-vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
-BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
-5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
-1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
-NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
-Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
-8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
-pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
-MrY=
------END CERTIFICATE-----

certs/DigiCert-Global-Root-G3.pem

@@ -1,22 +0,0 @@
-# Issuer: CN=DigiCert Global Root G3 O=DigiCert Inc OU=www.digicert.com
-# Subject: CN=DigiCert Global Root G3 O=DigiCert Inc OU=www.digicert.com
-# Label: "DigiCert Global Root G3"
-# Serial: 7089244469030293291760083333884364146
-# MD5 Fingerprint: f5:5d:a4:50:a5:fb:28:7e:1e:0f:0d:cc:96:57:56:ca
-# SHA1 Fingerprint: 7e:04:de:89:6a:3e:66:6d:00:e6:87:d3:3f:fa:d9:3b:e8:3d:34:9e
-# SHA256 Fingerprint: 31:ad:66:48:f8:10:41:38:c7:38:f3:9e:a4:32:01:33:39:3e:3a:18:cc:02:29:6e:f9:7c:2a:c9:ef:67:31:d0
------BEGIN CERTIFICATE-----
-MIICPzCCAcWgAwIBAgIQBVVWvPJepDU1w6QP1atFcjAKBggqhkjOPQQDAzBhMQsw
-CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
-ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAe
-Fw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVTMRUw
-EwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20x
-IDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEczMHYwEAYHKoZIzj0CAQYF
-K4EEACIDYgAE3afZu4q4C/sLfyHS8L6+c/MzXRq8NOrexpu80JX28MzQC7phW1FG
-fp4tn+6OYwwX7Adw9c+ELkCDnOg/QW07rdOkFFk2eJ0DQ+4QE2xy3q6Ip6FrtUPO
-Z9wj/wMco+I+o0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAd
-BgNVHQ4EFgQUs9tIpPmhxdiuNkHMEWNpYim8S8YwCgYIKoZIzj0EAwMDaAAwZQIx
-AK288mw/EkrRLTnDCgmXc/SINoyIJ7vmiI1Qhadj+Z4y3maTD/HMsQmP3Wyr+mt/
-oAIwOWZbwmSNuJ5Q3KjVSaLtx9zRSX8XAbjIho9OjIgrqJqpisXRAL34VOKa5Vt8
-sycX
------END CERTIFICATE-----

certs/GTS-Root-R1.pem

@@ -1,38 +0,0 @@
-# Issuer: CN=GTS Root R1 O=Google Trust Services LLC
-# Subject: CN=GTS Root R1 O=Google Trust Services LLC
-# Label: "GTS Root R1"
-# Serial: 159662320309726417404178440727
-# MD5 Fingerprint: 05:fe:d0:bf:71:a8:a3:76:63:da:01:e0:d8:52:dc:40
-# SHA1 Fingerprint: e5:8c:1c:c4:91:3b:38:63:4b:e9:10:6e:e3:ad:8e:6b:9d:d9:81:4a
-# SHA256 Fingerprint: d9:47:43:2a:bd:e7:b7:fa:90:fc:2e:6b:59:10:1b:12:80:e0:e1:c7:e4:e4:0f:a3:c6:88:7f:ff:57:a7:f4:cf
------BEGIN CERTIFICATE-----
-MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw
-CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
-MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
-MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
-Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA
-A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo
-27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w
-Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw
-TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl
-qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH
-szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8
-Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk
-MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92
-wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p
-aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN
-VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID
-AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
-FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb
-C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe
-QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy
-h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4
-7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J
-ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef
-MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/
-Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT
-6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ
-0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm
-2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb
-bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c
------END CERTIFICATE-----

certs/GTS-Root-R4.pem

@@ -1,20 +0,0 @@
-# Issuer: CN=GTS Root R4 O=Google Trust Services LLC
-# Subject: CN=GTS Root R4 O=Google Trust Services LLC
-# Label: "GTS Root R4"
-# Serial: 159662532700760215368942768210
-# MD5 Fingerprint: 43:96:83:77:19:4d:76:b3:9d:65:52:e4:1d:22:a5:e8
-# SHA1 Fingerprint: 77:d3:03:67:b5:e0:0c:15:f6:0c:38:61:df:7c:e1:3b:92:46:4d:47
-# SHA256 Fingerprint: 34:9d:fa:40:58:c5:e2:63:12:3b:39:8a:e7:95:57:3c:4e:13:13:c8:3f:e6:8f:93:55:6c:d5:e8:03:1b:3c:7d
------BEGIN CERTIFICATE-----
-MIICCTCCAY6gAwIBAgINAgPlwGjvYxqccpBQUjAKBggqhkjOPQQDAzBHMQswCQYD
-VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIG
-A1UEAxMLR1RTIFJvb3QgUjQwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAw
-WjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2Vz
-IExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjQwdjAQBgcqhkjOPQIBBgUrgQQAIgNi
-AATzdHOnaItgrkO4NcWBMHtLSZ37wWHO5t5GvWvVYRg1rkDdc/eJkTBa6zzuhXyi
-QHY7qca4R9gq55KRanPpsXI5nymfopjTX15YhmUPoYRlBtHci8nHc8iMai/lxKvR
-HYqjQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
-BBSATNbrdP9JNqPV2Py1PsVq8JQdjDAKBggqhkjOPQQDAwNpADBmAjEA6ED/g94D
-9J+uHXqnLrmvT/aDHQ4thQEd0dlq7A/Cr8deVl5c1RxYIigL9zC2L7F8AjEA8GE8
-p/SgguMh1YQdc4acLa/KNJvxn7kjNuK8YAOdgLOaVsjh4rsUecrNIdSUtUlD
------END CERTIFICATE-----

certs/Go-Daddy-Root-Certificate-Authority-G2.pem

@@ -1,30 +0,0 @@
-# Issuer: CN=Go Daddy Root Certificate Authority - G2 O=GoDaddy.com, Inc.
-# Subject: CN=Go Daddy Root Certificate Authority - G2 O=GoDaddy.com, Inc.
-# Label: "Go Daddy Root Certificate Authority - G2"
-# Serial: 0
-# MD5 Fingerprint: 80:3a:bc:22:c1:e6:fb:8d:9b:3b:27:4a:32:1b:9a:01
-# SHA1 Fingerprint: 47:be:ab:c9:22:ea:e8:0e:78:78:34:62:a7:9f:45:c2:54:fd:e6:8b
-# SHA256 Fingerprint: 45:14:0b:32:47:eb:9c:c8:c5:b4:f0:d7:b5:30:91:f7:32:92:08:9e:6e:5a:63:e2:74:9d:d3:ac:a9:19:8e:da
------BEGIN CERTIFICATE-----
-MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
-EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
-ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
-NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
-EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
-AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
-E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
-/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
-DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
-GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
-tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
-AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
-FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
-WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
-9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
-gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
-2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
-LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
-4uJEvlz36hz1
------END CERTIFICATE-----

certs/ISRG-Root-X1.pem

@@ -1,38 +0,0 @@
-# Issuer: CN=ISRG Root X1 O=Internet Security Research Group
-# Subject: CN=ISRG Root X1 O=Internet Security Research Group
-# Label: "ISRG Root X1"
-# Serial: 172886928669790476064670243504169061120
-# MD5 Fingerprint: 0c:d2:f9:e0:da:17:73:e9:ed:86:4d:a5:e3:70:e7:4e
-# SHA1 Fingerprint: ca:bd:2a:79:a1:07:6a:31:f2:1d:25:36:35:cb:03:9d:43:29:a5:e8
-# SHA256 Fingerprint: 96:bc:ec:06:26:49:76:f3:74:60:77:9a:cf:28:c5:a7:cf:e8:a3:c0:aa:e1:1a:8f:fc:ee:05:c0:bd:df:08:c6
------BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
-WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
-ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
-MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
-h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
-0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
-A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
-T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
-B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
-B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
-KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
-OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
-jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
-qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
-rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
-hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
-ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
-3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
-NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
-ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
-TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
-jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
-oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
-4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
-mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
-emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
------END CERTIFICATE-----

certs/ISRG-Root-X2.pem

@@ -1,21 +0,0 @@
-# Issuer: CN=ISRG Root X2 O=Internet Security Research Group
-# Subject: CN=ISRG Root X2 O=Internet Security Research Group
-# Label: "ISRG Root X2"
-# Serial: 87493402998870891108772069816698636114
-# MD5 Fingerprint: d3:9e:c4:1e:23:3c:a6:df:cf:a3:7e:6d:e0:14:e6:e5
-# SHA1 Fingerprint: bd:b1:b9:3c:d5:97:8d:45:c6:26:14:55:f8:db:95:c7:5a:d1:53:af
-# SHA256 Fingerprint: 69:72:9b:8e:15:a8:6e:fc:17:7a:57:af:b7:17:1d:fc:64:ad:d2:8c:2f:ca:8c:f1:50:7e:34:45:3c:cb:14:70
------BEGIN CERTIFICATE-----
-MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
-CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
-R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
-MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
-ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
-EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
-+1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
-ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
-AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
-zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
-tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
-/q4AaOeMSQ+2b1tbFfLn
------END CERTIFICATE-----

certs/Makefile

@@ -1,58 +0,0 @@
-# Makefile to check certificates
-
-CURL = curl \
-	--capath /dev/null \
-	--connect-timeout 5 \
-	--output /dev/null \
-	--silent
-
-DOMAINS_DUAL = \
-	api.macvendors.com/GTS-Root-R4 \
-	api.telegram.org/Go-Daddy-Root-Certificate-Authority-G2 \
-	cloudflare-dns.com/DigiCert-Global-Root-G2 \
-	dns.google/GTS-Root-R4 \
-	dns.quad9.net/DigiCert-Global-Root-G3 \
-	git.eworm.de/ISRG-Root-X2 \
-	lists.blocklist.de/Certum-Trusted-Network-CA \
-	matrix.org/GTS-Root-R4 \
-	raw.githubusercontent.com/USERTrust-RSA-Certification-Authority \
-	rsc.eworm.de/ISRG-Root-X2 \
-	upgrade.mikrotik.com/ISRG-Root-X1
-DOMAINS_IPV4 = \
-	1.1.1.1/DigiCert-Global-Root-G2 \
-	8.8.8.8/GTS-Root-R1 \
-	9.9.9.9/DigiCert-Global-Root-G3 \
-	api.mullvad.net/ISRG-Root-X1 \
-	ipv4.showipv6.de/ISRG-Root-X1 \
-	ipv4.tunnelbroker.net/Starfield-Root-Certificate-Authority-G2 \
-	mkcert.org/ISRG-Root-X1 \
-	ntfy.sh/ISRG-Root-X1 \
-	www.dshield.org/ISRG-Root-X1 \
-	www.spamhaus.org/GTS-Root-R4
-DOMAINS_IPV6 = \
-	[2606\:4700\:4700\:\:1111]/DigiCert-Global-Root-G2 \
-	[2001\:4860\:4860\:\:8888]/GTS-Root-R1 \
-	[2620\:fe\:\:9]/DigiCert-Global-Root-G3 \
-	ipv6.showipv6.de/ISRG-Root-X1
-
-.PHONY: $(DOMAINS_DUAL) $(DOMAINS_IPV4) $(DOMAINS_IPV6)
-
-all: $(DOMAINS_DUAL) $(DOMAINS_IPV4) $(DOMAINS_IPV6)
-
-$(DOMAINS_DUAL):
-ifndef NOIPV4
-	$(CURL) -4 --cacert $(notdir $@).pem https://$(dir $@)
-endif
-ifndef NOIPV6
-	$(CURL) -6 --cacert $(notdir $@).pem https://$(dir $@)
-endif
-
-$(DOMAINS_IPV4):
-ifndef NOIPV4
-	$(CURL) -4 --cacert $(notdir $@).pem https://$(dir $@)
-endif
-
-$(DOMAINS_IPV6):
-ifndef NOIPV6
-	$(CURL) -6 --cacert $(notdir $@).pem https://$(dir $@)
-endif

certs/Starfield-Root-Certificate-Authority-G2.pem

@@ -1,30 +0,0 @@
-# Issuer: CN=Starfield Root Certificate Authority - G2 O=Starfield Technologies, Inc.
-# Subject: CN=Starfield Root Certificate Authority - G2 O=Starfield Technologies, Inc.
-# Label: "Starfield Root Certificate Authority - G2"
-# Serial: 0
-# MD5 Fingerprint: d6:39:81:c6:52:7e:96:69:fc:fc:ca:66:ed:05:f2:96
-# SHA1 Fingerprint: b5:1c:06:7c:ee:2b:0c:3d:f8:55:ab:2d:92:f4:fe:39:d4:e7:0f:0e
-# SHA256 Fingerprint: 2c:e1:cb:0b:f9:d2:f9:e1:02:99:3f:be:21:51:52:c3:b2:dd:0c:ab:de:1c:68:e5:31:9b:83:91:54:db:b7:f5
------BEGIN CERTIFICATE-----
-MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
-ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw
-MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
-b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
-aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp
-Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg
-nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1
-HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N
-Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN
-dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0
-HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
-BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G
-CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU
-sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3
-4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg
-8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K
-pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
-mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
------END CERTIFICATE-----

certs/USERTrust-RSA-Certification-Authority.pem

@@ -1,41 +0,0 @@
-# Issuer: CN=USERTrust RSA Certification Authority O=The USERTRUST Network
-# Subject: CN=USERTrust RSA Certification Authority O=The USERTRUST Network
-# Label: "USERTrust RSA Certification Authority"
-# Serial: 2645093764781058787591871645665788717
-# MD5 Fingerprint: 1b:fe:69:d1:91:b7:19:33:a3:72:a8:0f:e1:55:e5:b5
-# SHA1 Fingerprint: 2b:8f:1b:57:33:0d:bb:a2:d0:7a:6c:51:f7:0e:e9:0d:da:b9:ad:8e
-# SHA256 Fingerprint: e7:93:c9:b0:2f:d8:aa:13:e2:1c:31:22:8a:cc:b0:81:19:64:3b:74:9c:89:89:64:b1:74:6d:46:c3:d4:cb:d2
------BEGIN CERTIFICATE-----
-MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
-iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
-cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
-BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
-MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
-BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
-aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
-dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
-AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
-3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
-tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
-Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
-VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
-79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
-c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
-Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
-c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
-UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
-Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
-BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
-A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
-Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
-VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
-ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
-8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
-iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
-Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
-XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
-qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
-VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
-L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
-jjxDah2nGN59PRbxYvnKkKj9
------END CERTIFICATE-----

certs/godaddy.pem

@@ -0,0 +1,51 @@
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
+NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
+AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
+E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
+/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
+DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
+GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
+tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
+AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
+FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
+WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
+9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
+gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
+2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
+LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
+4uJEvlz36hz1
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
+MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
+CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
+EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
+BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
+K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
+cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
+pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
+eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
+AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
+9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
+b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
+b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
+CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
+91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
+RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
+DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
+GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
+LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
+-----END CERTIFICATE-----

certs/letsencrypt.pem

@@ -0,0 +1,83 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
+WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
+NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
+89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
+Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
+Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
+uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
+AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
+BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
+FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
+SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
+LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
+BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
+AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
+VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
+ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
+A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
+UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
+DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
+eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
+OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
+p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
+2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
+ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
+PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
+rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----

certs/starfield.pem

@@ -0,0 +1,52 @@
+-----BEGIN CERTIFICATE-----
+MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
+HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
+ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw
+MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
+b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
+aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp
+Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg
+nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1
+HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N
+Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN
+dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0
+HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G
+CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU
+sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3
+4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg
+8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K
+pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
+mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFADCCA+igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
+HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
+ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAw
+MFoXDTMxMDUwMzA3MDAwMFowgcYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
+b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
+aG5vbG9naWVzLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydHMuc3RhcmZpZWxk
+dGVjaC5jb20vcmVwb3NpdG9yeS8xNDAyBgNVBAMTK1N0YXJmaWVsZCBTZWN1cmUg
+Q2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDlkGZL7PlGcakgg77pbL9KyUhpgXVObST2yxcT+LBxWYR6ayuF
+pDS1FuXLzOlBcCykLtb6Mn3hqN6UEKwxwcDYav9ZJ6t21vwLdGu4p64/xFT0tDFE
+3ZNWjKRMXpuJyySDm+JXfbfYEh/JhW300YDxUJuHrtQLEAX7J7oobRfpDtZNuTlV
+Bv8KJAV+L8YdcmzUiymMV33a2etmGtNPp99/UsQwxaXJDgLFU793OGgGJMNmyDd+
+MB5FcSM1/5DYKp2N57CSTTx/KgqT3M0WRmX3YISLdkuRJ3MUkuDq7o8W6o0OPnYX
+v32JgIBEQ+ct4EMJddo26K3biTr1XRKOIwSDAgMBAAGjggEsMIIBKDAPBgNVHRMB
+Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUJUWBaFAmOD07LSy+
+zWrZtj2zZmMwHwYDVR0jBBgwFoAUfAwyH6fZMH/EfWijYqihzqsHWycwOgYIKwYB
+BQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5zdGFyZmllbGR0ZWNo
+LmNvbS8wOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5zdGFyZmllbGR0ZWNo
+LmNvbS9zZnJvb3QtZzIuY3JsMEwGA1UdIARFMEMwQQYEVR0gADA5MDcGCCsGAQUF
+BwIBFitodHRwczovL2NlcnRzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkv
+MA0GCSqGSIb3DQEBCwUAA4IBAQBWZcr+8z8KqJOLGMfeQ2kTNCC+Tl94qGuc22pN
+QdvBE+zcMQAiXvcAngzgNGU0+bE6TkjIEoGIXFs+CFN69xpk37hQYcxTUUApS8L0
+rjpf5MqtJsxOYUPl/VemN3DOQyuwlMOS6eFfqhBJt2nk4NAfZKQrzR9voPiEJBjO
+eT2pkb9UGBOJmVQRDVXFJgt5T1ocbvlj2xSApAer+rKluYjdkf5lO6Sjeb6JTeHQ
+sPTIFwwKlhR8Cbds4cLYVdQYoKpBaXAko7nv6VrcPuuUSvC33l8Odvr7+2kDRUBQ
+7nIMpBKGgc0T0U7EPMpODdIm8QC3tKai4W56gf0wrHofx1l7
+-----END CERTIFICATE-----

check-certificates

@@ -0,0 +1,117 @@
+#!rsc
+# RouterOS script: check-certificates
+# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
+#
+# check for certificate validity
+
+:global Identity;
+:global CertRenewUrl;
+:global CertRenewPass;
+
+:global SendNotification;
+
+:local GetIssuerCN do={
+  :foreach IssuerI in=$1 do={
+    :if ([ :pick $IssuerI 0 3 ] = "CN=") do={
+      :return [ :pick $IssuerI 3 99 ];
+    }
+  }
+}
+
+:local FormatExpire do={
+  :global CharacterReplace;
+  :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
+}
+
+:foreach Cert in=[ / certificate find where !revoked expires-after<3w ] do={
+  :local CertName [ / certificate get $Cert name ];
+  :local CommonName [ / certificate get $Cert common-name ];
+  :local FingerPrint [ / certificate get $Cert fingerprint ];
+
+  :do {
+    :if ([ :len $CertRenewUrl ] = 0) do={
+      :error "No CertRenewUrl given.";
+    }
+
+    / tool fetch mode=https check-certificate=yes-without-crl url=($CertRenewUrl . $CommonName . ".pem");
+    :foreach PassPhrase in=$CertRenewPass do={
+      / certificate import file-name=($CommonName . ".pem") passphrase=$PassPhrase;
+    }
+    / file remove [ find where name=($CommonName . ".pem") ];
+
+    :local CertNew [ / certificate find where common-name=$CommonName fingerprint!=$FingerPrint expires-after>3w ];
+    :local CertNameNew [ / certificate get $CertNew name ];
+
+    :foreach IpService in=[ / ip service find where certificate=$CertName ] do={
+      / ip service set $IpService certificate=$CertNameNew;
+    }
+
+    :do {
+      :foreach Identity in=[ / ip ipsec identity find where certificate=$CertName ] do={
+        / ip ipsec identity set $Identity certificate=$CertNameNew;
+      }
+      :foreach Identity in=[ / ip ipsec identity find where remote-certificate=$CertName ] do={
+        / ip ipsec identity set $Identity remote-certificate=$CertNameNew;
+      }
+    } on-error={
+      :log debug ("Setting IPSEC certificates failed. Package 'security' not installed?");
+    }
+
+    :do {
+      :foreach Hotspot in=[ / ip hotspot profile find where ssl-certificate=$CertName ] do={
+        / ip hotspot profile set $Hotspot ssl-certificate=$CertNameNew;
+      }
+    } on-error={
+      :log debug ("Setting hotspot certificates failed. Package 'hotspot' not installed?");
+    }
+
+    / certificate remove $Cert;
+    / certificate set $CertNew name=$CertName;
+
+    :set CommonName [ / certificate get $CertNew common-name ];
+    :set FingerPrint [ / certificate get $CertNew fingerprint ];
+    :local Issuer [ $GetIssuerCN [ / certificate get $CertNew issuer ] ];
+    :local InvalidBefore [ / certificate get $CertNew invalid-before ];
+    :local InvalidAfter [ / certificate get $CertNew invalid-after ];
+    :local ExpiresAfter [ $FormatExpire [ / certificate get $CertNew expires-after ] ];
+
+    $SendNotification ("Certificate renewed") \
+      ("A certificate on " . $Identity . " has been renewed.\n\n" . \
+        "Name:        " . $CertName . "\n" . \
+        "CommonName:  " . $CommonName . "\n" . \
+        "Fingerprint: " . $FingerPrint . "\n" . \
+        "Issuer:      " . $Issuer . "\n" . \
+        "Validity:    " . $InvalidBefore . " to " . $InvalidAfter . "\n" . \
+        "Expires in:  " . $ExpiresAfter);
+    :log info ("The certificate " . $CertName . " has been renewed.");
+  } on-error={
+    :log debug ("Could not renew certificate " . $CertName ".");
+  }
+}
+
+:foreach Cert in=[ / certificate find where !revoked expires-after<2w ] do={
+  :local CertName [ / certificate get $Cert name ];
+  :local CommonName [ / certificate get $Cert common-name ];
+  :local FingerPrint [ / certificate get $Cert fingerprint ];
+  :local Issuer [ $GetIssuerCN [ / certificate get $Cert issuer ] ];
+  :local InvalidBefore [ / certificate get $Cert invalid-before ];
+  :local InvalidAfter [ / certificate get $Cert invalid-after ];
+
+  :local ExpiresAfter [ $FormatExpire [ / certificate get $Cert expires-after ] ];
+  :local State "is about to expire";
+  :if ([ / certificate get $Cert expired ] = true) do={
+    :set ExpiresAfter "expired";
+    :set State "expired";
+  }
+
+  $SendNotification ("Certificate warning!") \
+    ("A certificate on " . $Identity . " " . $State . ".\n\n" . \
+      "Name:        " . $CertName . "\n" . \
+      "CommonName:  " . $CommonName . "\n" . \
+      "Fingerprint: " . $FingerPrint . "\n" . \
+      "Issuer:      " . $Issuer . "\n" . \
+      "Validity:    " . $InvalidBefore . " to " . $InvalidAfter . "\n" . \
+      "Expires in:  " . $ExpiresAfter);
+  :log warning ("The certificate " . $CertName . " " . $State . \
+      ", it is invalid after " . $InvalidAfter . ".");
+}

check-certificates.rsc

@@ -1,242 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: check-certificates
-# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-# requires device-mode, fetch
-#
-# check for certificate validity
-# https://rsc.eworm.de/doc/check-certificates.md
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global CertRenewTime;
-  :global CertRenewUrl;
-  :global CertWarnTime;
-  :global Identity;
-
-  :global CertificateAvailable
-  :global EscapeForRegEx;
-  :global IfThenElse;
-  :global LogPrint;
-  :global ParseKeyValueStore;
-  :global ScriptLock;
-  :global SendNotification2;
-  :global SymbolForNotification;
-  :global UrlEncode;
-  :global WaitFullyConnected;
-
-  :local CheckCertificatesDownloadImport do={
-    :local ScriptName [ :tostr $1 ];
-    :local CertName   [ :tostr $2 ];
-    :local FetchName  [ :tostr $3 ];
-
-    :global CertRenewUrl;
-    :global CertRenewPass;
-
-    :global CertificateNameByCN;
-    :global EscapeForRegEx;
-    :global FetchUserAgentStr;
-    :global LogPrint;
-    :global RmFile;
-    :global UrlEncode;
-    :global WaitForFile;
-
-    :foreach Type in={ "p12"; "pem" } do={
-      :local CertFileName ([ $UrlEncode $FetchName ] . "." . $Type);
-      $LogPrint debug $ScriptName ("Trying type '" . $Type . "' for '" . $CertName . \
-          "' (file '" . $CertFileName . "')...");
-
-      :do {
-        /tool/fetch check-certificate=yes-without-crl http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \
-            ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
-        $WaitForFile $CertFileName;
-
-        :local DecryptionFailed true;
-        :foreach I,PassPhrase in=$CertRenewPass do={
-          :do {
-            $LogPrint debug $ScriptName ("Trying " . $I . ". passphrase... ");
-            :local Result [ /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value ];
-            :if ($Result->"decryption-failures" = 0) do={
-              $LogPrint debug $ScriptName ("Success!");
-              :set DecryptionFailed false;
-            }
-          } on-error={ }
-        }
-        $RmFile $CertFileName;
-
-        :if ($DecryptionFailed = true) do={
-          $LogPrint warning $ScriptName ("Decryption failed for certificate file '" . $CertFileName . "'.");
-        }
-
-        :foreach CertInChain in=[ /certificate/find where common-name!=$CertName !private-key \
-            name~("^" . [ $EscapeForRegEx $CertFileName ] . "_[0-9]+\$") \
-            !(subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $CertName ] . "(\\W|\$)")) \
-            !(common-name=[]) ] do={
-          $CertificateNameByCN [ /certificate/get $CertInChain common-name ];
-        }
-
-        :return true;
-      } on-error={
-        $LogPrint debug $ScriptName ("Could not download certificate file '" . $CertFileName . "'.");
-      }
-    }
-
-    :return false;
-  }
-
-  :local FormatInfo do={
-    :local Cert $1;
-
-    :global FormatLine;
-    :global FormatMultiLines;
-    :global IfThenElse;
-
-    :local FormatExpire do={
-      :global CharacterReplace;
-      :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
-    }
-
-    :local FormatCertChain do={
-      :local Cert $1;
-
-      :global EitherOr;
-      :global ParseKeyValueStore;
-
-      :local CertVal [ /certificate/get $Cert ];
-
-      :if ([ :typeof ($CertVal->"issuer") ] = "nothing") do={
-        :return "self-signed";
-      }
-
-      :local Return "";
-      :for I from=0 to=5 do={
-        :set Return ($Return . [ $EitherOr ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") \
-          ([ $ParseKeyValueStore (($CertVal->"issuer")->0) ]->"CN") ]);
-        :set CertVal [ /certificate/get [ find where skid=($CertVal->"akid") ] ];
-        :if (($CertVal->"akid") = "" || ($CertVal->"akid") = ($CertVal->"skid")) do={
-          :return $Return;
-        }
-        :set Return ($Return . " -> ");
-      }
-      :return ($Return . "...");
-    }
-
-    :local CertVal [ /certificate/get $Cert ];
-
-    :return ( \
-      [ $FormatLine "Name" ($CertVal->"name") ] . "\n" . \
-      [ $IfThenElse ([ :len ($CertVal->"common-name") ] > 0) ([ $FormatLine "CommonName" ($CertVal->"common-name") ] . "\n") ] . \
-      [ $IfThenElse ([ :len ($CertVal->"subject-alt-name") ] > 0) ([ $FormatMultiLines "SubjectAltNames" ($CertVal->"subject-alt-name") ] . "\n") ] . \
-      [ $FormatLine "Private key" [ $IfThenElse (($CertVal->"private-key") = true) "available" "missing" ] ] . "\n" . \
-      [ $FormatLine "Fingerprint" ($CertVal->"fingerprint") ] . "\n" . \
-      [ $IfThenElse ([ :len ($CertVal->"ca") ] > 0) [ $FormatLine "Issuer" ($CertVal->"ca") ] [ $FormatLine "Issuer chain" [ $FormatCertChain $Cert ] ] ] . "\n" . \
-      "Validity:\n" . \
-      [ $FormatLine "    from" ($CertVal->"invalid-before") ] . "\n" . \
-      [ $FormatLine "    to" ($CertVal->"invalid-after") ] . "\n" . \
-      [ $FormatLine "Expires in" [ $IfThenElse (($CertVal->"expired") = true) "expired" [ $FormatExpire ($CertVal->"expires-after") ] ] ]);
-  }
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-  $WaitFullyConnected;
-
-  :foreach Cert in=[ /certificate/find where !revoked !ca !scep-url expires-after<$CertRenewTime ] do={
-    :local CertVal [ /certificate/get $Cert ];
-    :local LastName;
-    :local FetchName;
-
-    :do {
-      :if ([ :len $CertRenewUrl ] = 0) do={
-        $LogPrint info $ScriptName ("No CertRenewUrl given.");
-        :error false;
-      }
-      $LogPrint info $ScriptName ("Attempting to renew certificate '" . ($CertVal->"name") . "'.");
-
-      :local ImportSuccess false;
-      :set LastName ($CertVal->"common-name");
-      :set FetchName $LastName;
-      :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
-      :foreach SAN in=($CertVal->"subject-alt-name") do={
-        :if ($ImportSuccess = false) do={
-          :set LastName [ :pick $SAN ([ :find $SAN ":" ] + 1) [ :len $SAN ] ];
-          :set FetchName $LastName;
-          :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
-          :if ($ImportSuccess = false && [ :pick $LastName 0 2 ] = "*.") do={
-            :set FetchName ("star." . [ :pick $LastName 2 [ :len $LastName ] ]);
-            :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
-          }
-        }
-      }
-      :if ($ImportSuccess = false) do={ :error false; }
-
-      :if ([ :len ($CertVal->"fingerprint") ] > 0 && $CertVal->"fingerprint" != [ /certificate/get $Cert fingerprint ]) do={
-        $LogPrint debug $ScriptName ("Certificate '" . $CertVal->"name" . "' was updated in place.");
-        :set CertVal [ /certificate/get $Cert ];
-      } else={
-        $LogPrint debug $ScriptName ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.");
-
-        :local CertNew [ /certificate/find where name~("^" . [ $EscapeForRegEx [ $UrlEncode $FetchName ] ] . "\\.(p12|pem)_[0-9]+\$") \
-          (common-name=($CertVal->"common-name") or subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $LastName ] . "(\\W|\$)")) \
-          fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
-        :local CertNewVal [ /certificate/get $CertNew ];
-
-        :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
-          $LogPrint warning $ScriptName ("The certificate chain is not available!");
-        }
-
-        :if (($CertVal->"private-key") = true && ($CertVal->"private-key") != ($CertNewVal->"private-key")) do={
-          /certificate/remove $CertNew;
-          $LogPrint warning $ScriptName ("Old certificate '" . ($CertVal->"name") . "' has a private key, new certificate does not. Aborting renew.");
-          :error false;
-        }
-
-        /ip/service/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];
-
-        /ip/ipsec/identity/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];
-        /ip/ipsec/identity/set remote-certificate=($CertNewVal->"name") [ find where remote-certificate=($CertVal->"name") ];
-
-        /ip/hotspot/profile/set ssl-certificate=($CertNewVal->"name") [ find where ssl-certificate=($CertVal->"name") ];
-
-        /certificate/remove $Cert;
-        /certificate/set $CertNew name=($CertVal->"name");
-        :set Cert $CertNew;
-        :set CertVal [ /certificate/get $CertNew ];
-      }
-
-      $SendNotification2 ({ origin=$ScriptName; silent=true; \
-        subject=([ $SymbolForNotification "lock-with-ink-pen" ] . "Certificate renewed: " . ($CertVal->"name")); \
-        message=("A certificate on " . $Identity . " has been renewed.\n\n" . [ $FormatInfo $Cert ]) });
-      $LogPrint info $ScriptName ("The certificate '" . ($CertVal->"name") . "' has been renewed.");
-    } on-error={
-      $LogPrint debug $ScriptName ("Could not renew certificate '" . ($CertVal->"name") . "'.");
-    }
-  }
-
-  :foreach Cert in=[ /certificate/find where !revoked !scep-url !(expires-after=[]) \
-                     expires-after<$CertWarnTime !(fingerprint=[]) ] do={
-    :local CertVal [ /certificate/get $Cert ];
-
-    :if ([ :len [ /certificate/scep-server/find where ca-cert=($CertVal->"ca") ] ] > 0) do={
-      $LogPrint debug $ScriptName ("Certificate '" . ($CertVal->"name") . "' is handled by SCEP, skipping.");
-    } else={
-      :local State [ $IfThenElse (($CertVal->"expired") = true) "expired" "is about to expire" ];
-
-      $SendNotification2 ({ origin=$ScriptName; \
-        subject=([ $SymbolForNotification "warning-sign" ] . "Certificate warning: " . ($CertVal->"name")); \
-        message=("A certificate on " . $Identity . " " . $State . ".\n\n" . [ $FormatInfo $Cert ]) });
-      $LogPrint info $ScriptName ("The certificate '" . ($CertVal->"name") . "' " . $State . \
-          ", it is invalid after " . ($CertVal->"invalid-after") . ".");
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

check-health.d/state.rsc

@@ -1,48 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: check-health.d/state
-# Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# check for RouterOS health state - state plugin
-# https://rsc.eworm.de/doc/check-health.md
-
-:global CheckHealthPlugins;
-
-:set ($CheckHealthPlugins->[ :jobname ]) do={
-  :local FuncName [ :tostr $0 ];
-
-  :global CheckHealthLast;
-  :global Identity;
-
-  :global LogPrint;
-  :global SendNotification2;
-  :global SymbolForNotification;
-
-  :if ([ :len [ /system/health/find where type="" name~"-state\$"] ] = 0) do={
-    $LogPrint debug $FuncName ("Your device does not provide any state health values.");
-    :return false;
-  }
-
-  :foreach State in=[ /system/health/find where type="" name~"-state\$" ] do={
-    :local Name  [ /system/health/get $State name  ];
-    :local Value [ /system/health/get $State value ];
-
-    :if ([ :typeof ($CheckHealthLast->$Name) ] != "nothing") do={
-      :if ($CheckHealthLast->$Name = "ok" && \
-           $Value != "ok") do={
-        $SendNotification2 ({ origin=$FuncName; \
-          subject=([ $SymbolForNotification "cross-mark" ] . "Health warning: " . $Name); \
-          message=("The device '" . $Name . "' on " . $Identity . " failed!") });
-      }
-      :if ($CheckHealthLast->$Name != "ok" && \
-           $Value = "ok") do={
-        $SendNotification2 ({ origin=$FuncName; \
-          subject=([ $SymbolForNotification "white-heavy-check-mark" ] . "Health recovery: " . $Name); \
-          message=("The device '" . $Name . "' on " . $Identity . " recovered!") });
-      }
-    }
-    :set ($CheckHealthLast->$Name) $Value;
-  }
-}

check-health.d/temperature.rsc

@@ -1,74 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: check-health.d/temperature
-# Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# check for RouterOS health state - temperature plugin
-# https://rsc.eworm.de/doc/check-health.md
-
-:global CheckHealthPlugins;
-
-:set ($CheckHealthPlugins->[ :jobname ]) do={
-  :local FuncName [ :tostr $0 ];
-
-  :global CheckHealthLast;
-  :global CheckHealthTemperature;
-  :global CheckHealthTemperatureDeviation;
-  :global CheckHealthTemperatureNotified;
-  :global Identity;
-
-  :global LogPrint;
-  :global SendNotification2;
-  :global SymbolForNotification;
-
-  :if ([ :len [ /system/health/find where type="C" ] ] = 0) do={
-    $LogPrint debug $FuncName ("Your device does not provide any voltage health values.");
-    :return false;
-  }
-
-  :local TempToNum do={
-    :global CharacterReplace;
-    :local T [ :toarray [ $CharacterReplace $1 "." "," ] ];
-    :return ($T->0 * 10 + $T->1);
-  }
-
-  :if ([ :typeof $CheckHealthTemperatureNotified ] != "array") do={
-    :set CheckHealthTemperatureNotified ({});
-  }
-
-  :foreach Temperature in=[ /system/health/find where type="C" ] do={
-    :local Name  [ /system/health/get $Temperature name  ];
-    :local Value [ /system/health/get $Temperature value ];
-
-    :if ([ :typeof ($CheckHealthLast->$Name) ] != "nothing") do={
-      :if ([ :typeof ($CheckHealthTemperature->$Name) ] != "num" ) do={
-        $LogPrint info $FuncName ("No threshold given for " . $Name . ", assuming 50C.");
-        :set ($CheckHealthTemperature->$Name) 50;
-      }
-      :local Validate [ /system/health/get [ find where name=$Name ] value ];
-      :while ($Value != $Validate) do={
-        :set Value $Validate;
-        :set Validate [ /system/health/get [ find where name=$Name ] value ];
-      }
-      :if ($Value > $CheckHealthTemperature->$Name && \
-           $CheckHealthTemperatureNotified->$Name != true) do={
-        $SendNotification2 ({ origin=$FuncName; \
-          subject=([ $SymbolForNotification "fire" ] . "Health warning: " . $Name); \
-          message=("The " . $Name . " on " . $Identity . " is above threshold: " . \
-            $Value . "\C2\B0" . "C") });
-        :set ($CheckHealthTemperatureNotified->$Name) true;
-      }
-      :if ($Value <= ($CheckHealthTemperature->$Name - $CheckHealthTemperatureDeviation) && \
-           $CheckHealthTemperatureNotified->$Name = true) do={
-        $SendNotification2 ({ origin=$FuncName; \
-          subject=([ $SymbolForNotification "white-heavy-check-mark" ] . "Health recovery: " . $Name); \
-          message=("The " . $Name . " on " . $Identity . " dropped below threshold: " .  \
-            $Value . "\C2\B0" . "C") });
-        :set ($CheckHealthTemperatureNotified->$Name) false;
-      }
-    }
-    :set ($CheckHealthLast->$Name) $Value;
-  }
-}

check-health.d/voltage.rsc

@@ -1,63 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: check-health.d/voltage
-# Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# check for RouterOS health state - voltage plugin
-# https://rsc.eworm.de/doc/check-health.md
-
-:global CheckHealthPlugins;
-
-:set ($CheckHealthPlugins->[ :jobname ]) do={
-  :local FuncName [ :tostr $0 ];
-
-  :global CheckHealthLast;
-  :global CheckHealthVoltageLow;
-  :global CheckHealthVoltagePercent;
-  :global Identity;
-
-  :global FormatLine;
-  :global IfThenElse;
-  :global LogPrint;
-  :global SendNotification2;
-  :global SymbolForNotification;
-
-  :if ([ :len [ /system/health/find where type="V" ] ] = 0) do={
-    $LogPrint debug $FuncName ("Your device does not provide any voltage health values.");
-    :return false;
-  }
-
-  :foreach Voltage in=[ /system/health/find where type="V" ] do={
-    :local Name  [ /system/health/get $Voltage name  ];
-    :local Value [ /system/health/get $Voltage value ];
-
-    :if ([ :typeof ($CheckHealthLast->$Name) ] != "nothing") do={
-      :local NumCurr [ $TempToNum $Value ];
-      :local NumLast [ $TempToNum ($CheckHealthLast->$Name) ];
-
-      :if ($NumLast * (100 + $CheckHealthVoltagePercent) < $NumCurr * 100 || \
-           $NumLast * 100 > $NumCurr * (100 + $CheckHealthVoltagePercent)) do={
-        $SendNotification2 ({ origin=$FuncName; \
-          subject=([ $SymbolForNotification ("high-voltage-sign,chart-" . [ $IfThenElse ($NumLast < \
-            $NumCurr) "in" "de" ] . "creasing") ] . "Health warning: " . $Name); \
-          message=("The " . $Name . " on " . $Identity . " jumped more than " . $CheckHealthVoltagePercent . "%.\n\n" . \
-            [ $FormatLine "old value" ($CheckHealthLast->$Name . " V") 12 ] . "\n" . \
-            [ $FormatLine "new value" ($Value . " V") 12 ]) });
-      } else={ 
-        :if ($NumCurr <= $CheckHealthVoltageLow && $NumLast > $CheckHealthVoltageLow) do={ 
-          $SendNotification2 ({ origin=$FuncName; \
-            subject=([ $SymbolForNotification "high-voltage-sign,chart-decreasing" ] . "Health warning: Low " . $Name); \ 
-            message=("The " . $Name . " on " . $Identity . " dropped to " . $Value . " V below hard limit.") }); 
-        } 
-        :if ($NumCurr > $CheckHealthVoltageLow && $NumLast <= $CheckHealthVoltageLow) do={ 
-          $SendNotification2 ({ origin=$FuncName; \
-            subject=([ $SymbolForNotification "high-voltage-sign,chart-increasing" ] . "Health recovery: Low " . $Name); \ 
-            message=("The " . $Name . " on " . $Identity . " recovered to " . $Value . " V above hard limit.") }); 
-        }
-      }
-    }
-    :set ($CheckHealthLast->$Name) $Value;
-  }
-}

check-health.rsc

@@ -1,110 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: check-health
-# Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# check for RouterOS health state
-# https://rsc.eworm.de/doc/check-health.md
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global CheckHealthCPUUtilization;
-  :global CheckHealthCPUUtilizationNotified;
-  :global CheckHealthLast;
-  :global CheckHealthRAMUtilizationNotified;
-  :global Identity;
-
-  :global FormatLine;
-  :global HumanReadableNum;
-  :global IfThenElse;
-  :global LogPrint;
-  :global ScriptLock;
-  :global SendNotification2;
-  :global SymbolForNotification;
-  :global ValidateSyntax;
-
-  :local TempToNum do={
-    :global CharacterReplace;
-    :local T [ :toarray [ $CharacterReplace $1 "." "," ] ];
-    :return ($T->0 * 10 + $T->1);
-  }
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-
-  :local Resource [ /system/resource/get ];
-
-  :set CheckHealthCPUUtilization (($CheckHealthCPUUtilization * 4 + ($Resource->"cpu-load") * 10) / 5);
-  :if ($CheckHealthCPUUtilization > 750 && $CheckHealthCPUUtilizationNotified != true) do={
-    $SendNotification2 ({ origin=$ScriptName; \
-      subject=([ $SymbolForNotification "abacus,chart-increasing" ] . "Health warning: CPU utilization"); \
-      message=("The average CPU utilization on " . $Identity . " is at " . ($CheckHealthCPUUtilization / 10) . "%!") });
-    :set CheckHealthCPUUtilizationNotified true;
-  }
-  :if ($CheckHealthCPUUtilization < 650 && $CheckHealthCPUUtilizationNotified = true) do={
-    $SendNotification2 ({ origin=$ScriptName; \
-      subject=([ $SymbolForNotification "abacus,chart-decreasing" ] . "Health recovery: CPU utilization"); \
-      message=("The average CPU utilization on " . $Identity . " decreased to " . ($CheckHealthCPUUtilization / 10) . "%.") });
-    :set CheckHealthCPUUtilizationNotified false;
-  }
-
-  :local CheckHealthRAMUtilization (($Resource->"total-memory" - $Resource->"free-memory") * 100 / $Resource->"total-memory");
-  :if ($CheckHealthRAMUtilization >=80 && $CheckHealthRAMUtilizationNotified != true) do={
-    $SendNotification2 ({ origin=$ScriptName; \
-      subject=([ $SymbolForNotification "card-file-box,chart-increasing" ] . "Health warning: RAM utilization"); \
-      message=("The RAM utilization on " . $Identity . " is at " . $CheckHealthRAMUtilization . "%!\n\n" . \
-      [ $FormatLine "total" ([ $HumanReadableNum ($Resource->"total-memory") 1024 ] . "B") 8 ] . "\n" . \
-      [ $FormatLine "used" ([ $HumanReadableNum ($Resource->"total-memory" - $Resource->"free-memory") 1024 ] . "B") 8 ] . "\n" . \
-      [ $FormatLine "free" ([ $HumanReadableNum ($Resource->"free-memory") 1024 ] . "B") 8 ]) });
-    :set CheckHealthRAMUtilizationNotified true;
-  }
-  :if ($CheckHealthRAMUtilization < 70 && $CheckHealthRAMUtilizationNotified = true) do={
-    $SendNotification2 ({ origin=$ScriptName; \
-      subject=([ $SymbolForNotification "card-file-box,chart-decreasing" ] . "Health recovery: RAM utilization"); \
-      message=("The RAM utilization on " . $Identity . " decreased to " . $CheckHealthRAMUtilization . "%.") });
-    :set CheckHealthRAMUtilizationNotified false;
-  }
-
-  :local Plugins [ /system/script/find where name~"^check-health.d/." ];
-  :if ([ :len $Plugins ] = 0) do={
-    $LogPrint debug $ScriptName ("No plugins installed.");
-    :set ExitOK true;
-    :error true;
-  }
-
-  :global CheckHealthPlugins ({});
-  :if ([ :typeof $CheckHealthLast ] != "array") do={
-    :set CheckHealthLast ({});
-  }
-
-  :foreach Plugin in=$Plugins do={
-    :local PluginVal [ /system/script/get $Plugin ];
-    :if ([ $ValidateSyntax ($PluginVal->"source") ] = true) do={
-      :do {
-        /system/script/run $Plugin;
-      } on-error={
-        $LogPrint error $ScriptName ("Plugin '" . $ScriptVal->"name" . "' failed to run.");
-      }
-    } else={
-      $LogPrint error $ScriptName ("Plugin '" . $ScriptVal->"name" . "' failed syntax validation, skipping.");
-    }
-  }
-
-  :foreach PluginName,Discard in=$CheckHealthPlugins do={
-    ($CheckHealthPlugins->$PluginName) \
-         ("\$CheckHealthPlugins->\"" . $PluginName . "\"");
-  }
-
-  :set CheckHealthPlugins;
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

check-lte-firmware-upgrade

@@ -0,0 +1,32 @@
+#!rsc
+# RouterOS script: check-lte-firmware-upgrade
+# Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
+#
+# check for LTE firmware upgrade, send notification e-mails
+
+:global Identity;
+:global SentLteFirmwareUpgradeNotification;
+
+:global SendNotification;
+
+:foreach Interface in=[ / interface lte find ] do={
+  :local IntName [ / interface lte get $Interface name ];
+  :do {
+    :local Firmware [ / interface lte firmware-upgrade $Interface once as-value ];
+    
+    :if ($SentLteFirmwareUpgradeNotification = ($Firmware->"latest")) do={
+      :log debug ("Already sent the LTE firmware upgrade notification for version " . \
+        ($Firmware->"latest") . ".");
+    } else={
+      :if (($Firmware->"installed") != ($Firmware->"latest")) do={
+        $SendNotification ("LTE firmware upgrade notification") \
+          ("A new firmware version " . ($Firmware->"latest") . " is available for " . \
+          "LTE interface " . $IntName . " on " . $Identity . ".");
+        :set SentLteFirmwareUpgradeNotification ($Firmware->"latest");
+      }
+    }
+  } on-error={
+    :log debug ("Could not get latest LTE firmware version for interface " . \
+      $IntName . ".");
+  }
+}

check-lte-firmware-upgrade.rsc

@@ -1,107 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: check-lte-firmware-upgrade
-# Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# check for LTE firmware upgrade, send notification
-# https://rsc.eworm.de/doc/check-lte-firmware-upgrade.md
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global SentLteFirmwareUpgradeNotification;
-
-  :global ScriptLock;
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :typeof $SentLteFirmwareUpgradeNotification ] != "array") do={
-    :global SentLteFirmwareUpgradeNotification ({});
-  }
-
-  :local CheckInterface do={
-    :local ScriptName $1;
-    :local Interface  $2;
-
-    :global Identity;
-    :global SentLteFirmwareUpgradeNotification;
-
-    :global FormatLine;
-    :global IfThenElse;
-    :global LogPrint;
-    :global ScriptFromTerminal;
-    :global SendNotification2;
-    :global SymbolForNotification;
-
-    :local IntName [ /interface/lte/get $Interface name ];
-    :local Firmware;
-    :local Info;
-    :do {
-      :set Firmware [ /interface/lte/firmware-upgrade $Interface as-value ];
-      :set Info [ /interface/lte/monitor $Interface once as-value ];
-    } on-error={
-      $LogPrint debug $ScriptName ("Could not get latest LTE firmware version for interface " . \
-        $IntName . ".");
-      :return false;
-    }
-
-    :if ([ :len ($Firmware->"latest") ] = 0) do={
-      $LogPrint info $ScriptName ("An empty string is not a valid version.");
-      :return false;
-    }
-
-    :if (($Firmware->"installed") = ($Firmware->"latest")) do={
-      :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
-        $LogPrint info $ScriptName ("No firmware upgrade available for LTE interface " . $IntName . ".");
-      }
-      :return true;
-    }
-
-    :if ([ $ScriptFromTerminal $ScriptName ] = true && \
-        [ :len [ /system/script/find where name="unattended-lte-firmware-upgrade" ] ] > 0) do={
-      :put ("Do you want to start unattended lte firmware upgrade for interface " . $IntName . "? [y/N]");
-      :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
-          /system/script/run unattended-lte-firmware-upgrade;
-          $LogPrint info $ScriptName ("Scheduled lte firmware upgrade for interface " . $IntName . "...");
-        :return true;
-      } else={
-        :put "Canceled...";
-      }
-    }
-
-    :if (($SentLteFirmwareUpgradeNotification->$IntName) = ($Firmware->"latest")) do={
-      $LogPrint debug $ScriptName ("Already sent the LTE firmware upgrade notification for version " . \
-        ($Firmware->"latest") . ".");
-      :return false;
-    }
-
-    $LogPrint info $ScriptName ("A new firmware version " . ($Firmware->"latest") . " is available for " . \
-      "LTE interface " . $IntName . ".");
-    $SendNotification2 ({ origin=$ScriptName; \
-      subject=([ $SymbolForNotification "sparkles" ] . "LTE firmware upgrade"); \
-      message=("A new firmware version " . ($Firmware->"latest") . " is available for " . \
-        "LTE interface " . $IntName . " on " . $Identity . ".\n\n" . \
-        [ $IfThenElse ([ :len ($Info->"manufacturer") ] > 0) ([ $FormatLine "Manufacturer" ($Info->"manufacturer") ] . "\n") ] . \
-        [ $IfThenElse ([ :len ($Info->"model") ] > 0) ([ $FormatLine "Model" ($Info->"model") ] . "\n") ] . \
-        [ $IfThenElse ([ :len ($Info->"revision") ] > 0) ([ $FormatLine "Revision" ($Info->"revision") ] . "\n") ] . \
-        "Firmware version:\n" . \
-        [ $FormatLine "    Installed" ($Firmware->"installed") ] . "\n" . \
-        [ $FormatLine "    Available" ($Firmware->"latest") ]); silent=true });
-    :set ($SentLteFirmwareUpgradeNotification->$IntName) ($Firmware->"latest");
-  }
-
-  :foreach Interface in=[ /interface/lte/find ] do={
-    $CheckInterface $ScriptName $Interface;
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

check-routeros-update

@@ -0,0 +1,82 @@
+#!rsc
+# RouterOS script: check-routeros-update
+# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
+#
+# check for RouterOS update, send notification e-mails
+
+:global Identity;
+:global SafeUpdateUrl;
+:global SentRouterosUpdateNotification;
+
+:global SendNotification;
+
+:local Update do={
+  :if ([ / system script print count-only where name="packages-update" ] > 0) do={
+    / system script run packages-update;
+  } else={
+    / system package update install without-paging;
+  }
+  :error "Waiting for system to reboot.";
+}
+
+:if ([ / system package print count-only where name="wireless" disabled=no ] > 0) do={
+  :if ([ / interface wireless cap get enabled ] = true && \
+      [ / caps-man manager get enabled ] = false) do={
+    :error "System is managed by CAPsMAN, not checking.";
+  }
+}
+
+/ system package update check-for-updates without-paging;
+:local InstalledVersion [ / system package update get installed-version ];
+:local LatestVersion [ / system package update get latest-version ];
+
+:if ($InstalledVersion != $LatestVersion) do={
+  :local Channel [ / system package update get channel ];
+  :local BoardName [ / system resource get board-name ];
+  :local Model [ / system routerboard get model ];
+  :local SerialNumber [ / system routerboard get serial-number ];
+
+  :if ([ :len $SafeUpdateUrl ] > 0) do={
+    :local Result;
+    :do {
+      :set Result [ / tool fetch check-certificate=yes-without-crl \
+          ($SafeUpdateUrl . $Channel . "?installed=" . $InstalledVersion . \
+          "&latest=" . $LatestVersion) output=user as-value ];
+    } on-error={
+      :log warning ("Failed receiving safe version for " . $Channel . ".");
+    }
+    :if ($Result->"status" = "finished" && $Result->"data" = $LatestVersion) do={
+      :log info ("Version " . $LatestVersion . " is considered safe, updating...");
+      $SendNotification ("RouterOS update notification") \
+          ("Version " . $LatestVersion . " is considered safe for " . $Channel . \
+          ", updating on " . $Identity . "...");
+      $Update;
+    }
+  }
+
+  :if ([ / system script job print count-only where script="check-routeros-update" parent~"." ] > 0) do={
+    :put ("Do you want to install RouterOS version " . $LatestVersion . "? [y/N]");
+    :if ([ :terminal inkey timeout=60 ] = 121) do={
+      $Update;
+    } else={
+      :put "Canceled...";
+    }
+  }
+
+  :if ($SentRouterosUpdateNotification = $LatestVersion) do={
+    :error ("Already sent the RouterOS update notification for version " . \
+        $LatestVersion . ".");
+  }
+
+  $SendNotification ("RouterOS update notification") \
+    ("There is a RouterOS update available\n\n" . \
+      "Board name:    " . $BoardName . "\n" . \
+      "Model:         " . $Model . "\n" . \
+      "Serial number: " . $SerialNumber . "\n" . \
+      "Hostname:      " . $Identity . "\n" . \
+      "Channel:       " . $Channel . "\n" . \
+      "Installed:     " . $InstalledVersion . "\n" . \
+      "Available:     " . $LatestVersion . "\n\n" .\
+      "https://upgrade.mikrotik.com/routeros/" . $LatestVersion . "/CHANGELOG");
+  :set SentRouterosUpdateNotification $LatestVersion;
+}

check-routeros-update.rsc

@@ -1,239 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: check-routeros-update
-# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-# requires device-mode, fetch, scheduler
-#
-# check for RouterOS update, send notification and/or install
-# https://rsc.eworm.de/doc/check-routeros-update.md
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global Identity;
-  :global SafeUpdateAll;
-  :global SafeUpdateNeighbor;
-  :global SafeUpdateNeighborIdentity;
-  :global SafeUpdatePatch;
-  :global SafeUpdateUrl;
-  :global SentRouterosUpdateNotification;
-
-  :global DeviceInfo;
-  :global EscapeForRegEx;
-  :global FetchUserAgentStr;
-  :global LogPrint;
-  :global ScriptFromTerminal;
-  :global ScriptLock;
-  :global SendNotification2;
-  :global SymbolForNotification;
-  :global VersionToNum;
-  :global WaitFullyConnected;
-
-  :local DoUpdate do={
-    :local ScriptName [ :tostr $1 ];
-
-    :global LogPrint;
-
-    :if ([ :len [ /system/script/find where name="packages-update" ] ] > 0) do={
-      /system/script/run packages-update;
-    } else={
-      /system/package/update/install without-paging;
-    }
-    $LogPrint info $ScriptName ("Waiting for system to reboot.");
-  }
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
-    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
-    :set ExitOK true;
-    :error false;
-  }
-
-  $WaitFullyConnected;
-
-  :if ([ :len [ /system/scheduler/find where name="_RebootForUpdate" ] ] > 0) do={
-    :set ExitOK true;
-    :error "A reboot for update is already scheduled.";
-  }
-
-  :local License [ /system/license/get ];
-  :if ([ :typeof ($License->"deadline-at") ] = "str") do={
-    :if ([ :len ($License->"next-renewal-at") ] = 0 && ($License->"limited-upgrades") = true) do={
-      $LogPrint warning $ScriptName ("Your license expired on " . ($License->"deadline-at") . "!");
-      $SendNotification2 ({ origin=$ScriptName; \
-        subject=([ $SymbolForNotification "warning-sign" ] . "License expired!"); \
-        message=("Your license expired on " . ($License->"deadline-at") . \
-          ", can no longer update RouterOS on " . $Identity . "...") });
-      :set ExitOK true;
-      :error false;
-    }
-
-    :if ([ :totime ($License->"deadline-at") ] - 3w < [ :timestamp ]) do={
-      $LogPrint warning $ScriptName ("Your license will expire on " . ($License->"deadline-at") . "!");
-      $SendNotification2 ({ origin=$ScriptName; \
-        subject=([ $SymbolForNotification "warning-sign" ] . "License about to expire!"); \
-        message=("Your license failed to renew and is about to expire on " . \
-          ($License->"deadline-at") . " on " . $Identity . "...") });
-    }
-  }
-
-  $LogPrint debug $ScriptName ("Checking for updates...");
-  /system/package/update/check-for-updates without-paging as-value;
-  :local Update [ /system/package/update/get ];
-
-  :if (($Update->"installed-version") = ($Update->"latest-version")) do={
-    :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
-      $LogPrint info $ScriptName ("System is already up to date.");
-    }
-    :set ExitOK true;
-    :error true;
-  }
-
-  :if ([ :len ($Update->"latest-version") ] = 0) do={
-    $LogPrint info $ScriptName ("Received an empty version string from server.");
-    :set ExitOK true;
-    :error false;
-  }
-
-  :local NumInstalled [ $VersionToNum ($Update->"installed-version") ];
-  :local NumLatest [ $VersionToNum ($Update->"latest-version") ];
-  :local BitMask [ $VersionToNum "255.255zero0" ];
-  :local NumInstalledFeature ($NumInstalled & $BitMask);
-  :local NumLatestFeature ($NumLatest & $BitMask);
-  :local Link ("https://mikrotik.com/download/changelogs/" . $Update->"channel" . "-release-tree");
-
-  :if ($NumLatest < [ $VersionToNum "7.0" ]) do={
-    $LogPrint warning $ScriptName ("The version '" . ($Update->"latest-version") . "' is not a valid version.");
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ($NumInstalled < $NumLatest) do={
-    :if ($SafeUpdateAll ~ "^YES,? ?PLEASE!?\$") do={
-      $LogPrint info $ScriptName ("Installing ALL versions automatically, including " . \
-        $Update->"latest-version" . "...");
-      $SendNotification2 ({ origin=$ScriptName; \
-        subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
-        message=("Installing ALL versions automatically, including " . $Update->"latest-version" . \
-          "... Updating on " . $Identity . "..."); link=$Link; silent=true });
-      $DoUpdate $ScriptName;
-      :set ExitOK true;
-      :error true;
-    }
-
-    :if ($SafeUpdatePatch = true && $NumInstalledFeature = $NumLatestFeature) do={
-      $LogPrint info $ScriptName ("Version " . $Update->"latest-version" . " is a patch release, updating...");
-      $SendNotification2 ({ origin=$ScriptName; \
-        subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
-        message=("Version " . $Update->"latest-version" . " is a patch update for " . $Update->"channel" . \
-          ", updating on " . $Identity . "..."); link=$Link; silent=true });
-      $DoUpdate $ScriptName;
-      :set ExitOK true;
-      :error true;
-    }
-
-    :if ($SafeUpdateNeighbor = true) do={
-      :local Neighbors [ /ip/neighbor/find where platform="MikroTik" identity~$SafeUpdateNeighborIdentity \
-         version~("^" . [ $EscapeForRegEx ($Update->"latest-version") ] . "\\b") ];
-      :if ([ :len $Neighbors ] > 0) do={
-        :local Neighbor [ /ip/neighbor/get ($Neighbors->0) identity ];
-        $LogPrint info $ScriptName ("Seen a neighbor (" . $Neighbor . ") running version " . \
-          $Update->"latest-version" . " from " . $Update->"channel" . ", updating...");
-        $SendNotification2 ({ origin=$ScriptName; \
-          subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
-          message=("Seen a neighbor (" . $Neighbor . ") running version " . $Update->"latest-version" . \
-            " from " . $Update->"channel" . ", updating on " . $Identity . "..."); link=$Link; silent=true });
-        $DoUpdate $ScriptName;
-        :set ExitOK true;
-        :error true;
-      }
-    }
-
-    :if ([ :len $SafeUpdateUrl ] > 0) do={
-      :local Result;
-      :do {
-        :set Result [ /tool/fetch check-certificate=yes-without-crl \
-            ($SafeUpdateUrl . $Update->"channel" . "?installed=" . $Update->"installed-version" . \
-            "&latest=" . $Update->"latest-version") http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \
-            output=user as-value ];
-      } on-error={
-        $LogPrint warning $ScriptName ("Failed receiving safe version for " . $Update->"channel" . ".");
-      }
-      :if ($Result->"status" = "finished" && $Result->"data" = $Update->"latest-version") do={
-        $LogPrint info $ScriptName ("Version " . $Update->"latest-version" . " is considered safe, updating...");
-        $SendNotification2 ({ origin=$ScriptName; \
-          subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
-          message=("Version " . $Update->"latest-version" . " is considered safe for " . $Update->"channel" . \
-            ", updating on " . $Identity . "..."); link=$Link; silent=true });
-        $DoUpdate $ScriptName;
-        :set ExitOK true;
-        :error true;
-      }
-    }
-
-    :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
-      :if (($Update->"channel") = "testing" && $NumInstalledFeature < $NumLatestFeature) do={
-        :put ("This is a feature update in testing channel. Switch to channel 'stable'? [y/N]");
-        :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
-          /system/package/update/set channel=stable;
-          $LogPrint info $ScriptName ("Switched to channel 'stable', please re-run!");
-          :set ExitOK true;
-          :error true;
-        }
-      }
-
-      :put ("Do you want to install RouterOS version " . $Update->"latest-version" . "? [y/N]");
-      :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
-        $DoUpdate $ScriptName;
-        :set ExitOK true;
-        :error true;
-      } else={
-        :put "Canceled...";
-      }
-    }
-
-    :if ($SentRouterosUpdateNotification = $Update->"latest-version") do={
-      $LogPrint info $ScriptName ("Already sent the RouterOS update notification for version " . \
-          $Update->"latest-version" . ".");
-      :set ExitOK true;
-      :error true;
-    }
-
-    $SendNotification2 ({ origin=$ScriptName; \
-      subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
-      message=("A new RouterOS version " . ($Update->"latest-version") . \
-        " is available for " . $Identity . ".\n\n" . \
-        [ $DeviceInfo ]); link=$Link; silent=true });
-    :set SentRouterosUpdateNotification ($Update->"latest-version");
-  }
-
-  :if ($NumInstalled > $NumLatest) do={
-    :if ($SentRouterosUpdateNotification = $Update->"latest-version") do={
-      $LogPrint info $ScriptName ("Already sent the RouterOS downgrade notification for version " . \
-          $Update->"latest-version" . ".");
-      :set ExitOK true;
-      :error true;
-    }
-
-    $SendNotification2 ({ origin=$ScriptName; \
-      subject=([ $SymbolForNotification "warning-sign" ] . "RouterOS version: " . $Update->"latest-version"); \
-      message=("A different RouterOS version " . ($Update->"latest-version") . \
-        " is available for " . $Identity . ", but it is a downgrade.\n\n" . \
-        [ $DeviceInfo ]); link=$Link; silent=true });
-    $LogPrint info $ScriptName ("A different RouterOS version " . ($Update->"latest-version") . \
-      " is available for downgrade.");
-    :set SentRouterosUpdateNotification ($Update->"latest-version");
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

collect-wireless-mac.capsman

@@ -0,0 +1,62 @@
+#!rsc
+# RouterOS script: collect-wireless-mac.capsman
+# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
+#
+# collect wireless mac adresses in access list
+#
+# !! Do not edit this file, it is generated from template!
+
+:global Identity;
+
+:global GetMacVendor;
+:global SendNotification;
+:global ScriptLock;
+
+$ScriptLock "collect-wireless-mac.capsman";
+
+:local PlaceBefore [ / caps-man access-list find where comment="--- collected above ---" disabled ];
+:if ([ :len $PlaceBefore ] = 0) do={
+  :error "Missing disabled access-list entry with comment '--- collected above ---'";
+}
+
+:foreach RegTbl in=[ / caps-man registration-table find ] do={
+  :local Mac [ / caps-man registration-table get $RegTbl mac-address ];
+  :local AccessList ([ / caps-man access-list find where mac-address=$Mac ]->0);
+  :if ([ :len $AccessList ] = 0) do={
+    :local HostName "no dhcp lease";
+    :local Address "no dhcp lease";
+    :local Lease [ / ip dhcp-server lease find where mac-address=$Mac ];
+    :if ([ :len $Lease ] > 0) do={
+      :set HostName [ / ip dhcp-server lease get $Lease host-name ];
+      :set Address [ / ip dhcp-server lease get $Lease address ];
+    }
+    :if ([ :len $HostName ] = 0) do={
+      :set HostName "no hostname";
+    }
+    :if ([ :len $Address ] = 0) do={
+      :set Address "no address";
+    }
+    :local RegEntry [ / caps-man registration-table find where mac-address=$Mac ];
+    :local Interface [ / caps-man registration-table get $RegEntry interface ];
+    :local Ssid [ / caps-man registration-table get $RegEntry ssid ];
+    :local DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);
+    :local Vendor [ $GetMacVendor $Mac ];
+    :local Message ("unknown MAC address " . $Mac . " (" . $Vendor . ", " . $HostName . ") " . \
+      "first seen on " . $DateTime . " connected to SSID " . $Ssid . ", interface " . $Interface);
+    / log info $Message;
+    / caps-man access-list add place-before=$PlaceBefore comment=$Message mac-address=$Mac disabled=yes;
+    $SendNotification ($Mac . " connected to " . $Ssid) \
+      ("A device with unknown MAC address connected to " . $Ssid . " on " . $Identity . ".\n\n" . \
+        "Controller: " . $Identity . "\n" . \
+        "Interface:  " . $Interface . "\n" . \
+        "SSID:       " . $Ssid . "\n" . \
+        "MAC:        " . $Mac . "\n" . \
+        "Vendor:     " . $Vendor . "\n" . \
+        "Hostname:   " . $HostName . "\n" . \
+        "Address:    " . $Address . "\n" . \
+        "Date:       " . $DateTime);
+  } else={
+    :local Comment [ / caps-man access-list get $AccessList comment ];
+    :log debug ("MAC address " . $Mac . " already known: " . $Comment);
+  }
+}

collect-wireless-mac.capsman.rsc

@@ -1,100 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: collect-wireless-mac.capsman
-# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# provides: lease-script, order=40
-# requires RouterOS, version=7.15
-#
-# collect wireless mac adresses in access list
-# https://rsc.eworm.de/doc/collect-wireless-mac.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global Identity;
-
-  :global EitherOr;
-  :global FormatLine;
-  :global FormatMultiLines;
-  :global GetMacVendor;
-  :global LogPrint;
-  :global ScriptLock;
-  :global SendNotification2;
-  :global SymbolForNotification;
-
-  :if ([ $ScriptLock $ScriptName 10 ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :len [ /caps-man/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
-    /caps-man/access-list/add comment="--- collected above ---" disabled=yes;
-    $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
-  }
-  :local PlaceBefore ([ /caps-man/access-list/find where comment="--- collected above ---" disabled ]->0);
-
-  :foreach Reg in=[ /caps-man/registration-table/find ] do={
-    :local RegVal;
-    :do {
-      :set RegVal [ /caps-man/registration-table/get $Reg ];
-    } on-error={
-      $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
-    }
-
-    :if ([ :len ($RegVal->"mac-address") ] > 0) do={
-      :local AccessList ([ /caps-man/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
-      :if ([ :len $AccessList ] > 0) do={
-        $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
-          [ /caps-man/access-list/get $AccessList comment ]);
-      }
-
-      :if ([ :len $AccessList ] = 0) do={
-        :local Address "no dhcp lease";
-        :local DnsName "no dhcp lease";
-        :local HostName "no dhcp lease";
-        :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
-        :if ([ :len $Lease ] > 0) do={
-          :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
-          :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
-          :set DnsName "no dns name";
-          :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
-          :if ([ :len $DnsRec ] > 0) do={
-            :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
-            :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
-              :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
-            }
-          }
-        }
-        :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
-        :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
-        :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
-          "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
-        $LogPrint info $ScriptName $Message;
-        /caps-man/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
-        $SendNotification2 ({ origin=$ScriptName; \
-          subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
-          message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
-            [ $FormatLine "Controller" $Identity ] . "\n" . \
-            [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
-            [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
-            [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
-            [ $FormatLine "Vendor" $Vendor ] . "\n" . \
-            [ $FormatLine "Hostname" $HostName ] . "\n" . \
-            [ $FormatLine "Address" $Address ] . "\n" . \
-            [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
-            [ $FormatLine "Date" $DateTime ]) });
-      }
-    } else={
-      $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

collect-wireless-mac.local

@@ -0,0 +1,62 @@
+#!rsc
+# RouterOS script: collect-wireless-mac.local
+# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
+#
+# collect wireless mac adresses in access list
+#
+# !! Do not edit this file, it is generated from template!
+
+:global Identity;
+
+:global GetMacVendor;
+:global SendNotification;
+:global ScriptLock;
+
+$ScriptLock "collect-wireless-mac.local";
+
+:local PlaceBefore [ / interface wireless access-list find where comment="--- collected above ---" disabled ];
+:if ([ :len $PlaceBefore ] = 0) do={
+  :error "Missing disabled access-list entry with comment '--- collected above ---'";
+}
+
+:foreach RegTbl in=[ / interface wireless registration-table find ] do={
+  :local Mac [ / interface wireless registration-table get $RegTbl mac-address ];
+  :local AccessList ([ / interface wireless access-list find where mac-address=$Mac ]->0);
+  :if ([ :len $AccessList ] = 0) do={
+    :local HostName "no dhcp lease";
+    :local Address "no dhcp lease";
+    :local Lease [ / ip dhcp-server lease find where mac-address=$Mac ];
+    :if ([ :len $Lease ] > 0) do={
+      :set HostName [ / ip dhcp-server lease get $Lease host-name ];
+      :set Address [ / ip dhcp-server lease get $Lease address ];
+    }
+    :if ([ :len $HostName ] = 0) do={
+      :set HostName "no hostname";
+    }
+    :if ([ :len $Address ] = 0) do={
+      :set Address "no address";
+    }
+    :local RegEntry [ / interface wireless registration-table find where mac-address=$Mac ];
+    :local Interface [ / interface wireless registration-table get $RegEntry interface ];
+    :local Ssid [ / interface wireless get [ find where name=$Interface ] ssid ];
+    :local DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);
+    :local Vendor [ $GetMacVendor $Mac ];
+    :local Message ("unknown MAC address " . $Mac . " (" . $Vendor . ", " . $HostName . ") " . \
+      "first seen on " . $DateTime . " connected to SSID " . $Ssid . ", interface " . $Interface);
+    / log info $Message;
+    / interface wireless access-list add place-before=$PlaceBefore comment=$Message mac-address=$Mac disabled=yes;
+    $SendNotification ($Mac . " connected to " . $Ssid) \
+      ("A device with unknown MAC address connected to " . $Ssid . " on " . $Identity . ".\n\n" . \
+        "Controller: " . $Identity . "\n" . \
+        "Interface:  " . $Interface . "\n" . \
+        "SSID:       " . $Ssid . "\n" . \
+        "MAC:        " . $Mac . "\n" . \
+        "Vendor:     " . $Vendor . "\n" . \
+        "Hostname:   " . $HostName . "\n" . \
+        "Address:    " . $Address . "\n" . \
+        "Date:       " . $DateTime);
+  } else={
+    :local Comment [ / interface wireless access-list get $AccessList comment ];
+    :log debug ("MAC address " . $Mac . " already known: " . $Comment);
+  }
+}

collect-wireless-mac.local.rsc

@@ -1,101 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: collect-wireless-mac.local
-# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# provides: lease-script, order=40
-# requires RouterOS, version=7.15
-#
-# collect wireless mac adresses in access list
-# https://rsc.eworm.de/doc/collect-wireless-mac.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global Identity;
-
-  :global EitherOr;
-  :global FormatLine;
-  :global FormatMultiLines;
-  :global GetMacVendor;
-  :global LogPrint;
-  :global ScriptLock;
-  :global SendNotification2;
-  :global SymbolForNotification;
-
-  :if ([ $ScriptLock $ScriptName 10 ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :len [ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
-    /interface/wireless/access-list/add comment="--- collected above ---" disabled=yes;
-    $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
-  }
-  :local PlaceBefore ([ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ]->0);
-
-  :foreach Reg in=[ /interface/wireless/registration-table/find where ap=no ] do={
-    :local RegVal;
-    :do {
-      :set RegVal [ /interface/wireless/registration-table/get $Reg ];
-    } on-error={
-      $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
-    }
-
-    :if ([ :len ($RegVal->"mac-address") ] > 0) do={
-      :local AccessList ([ /interface/wireless/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
-      :if ([ :len $AccessList ] > 0) do={
-        $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
-          [ /interface/wireless/access-list/get $AccessList comment ]);
-      }
-
-      :if ([ :len $AccessList ] = 0) do={
-        :local Address "no dhcp lease";
-        :local DnsName "no dhcp lease";
-        :local HostName "no dhcp lease";
-        :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
-        :if ([ :len $Lease ] > 0) do={
-          :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
-          :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
-          :set DnsName "no dns name";
-          :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
-          :if ([ :len $DnsRec ] > 0) do={
-            :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
-            :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
-              :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
-            }
-          }
-        }
-        :set ($RegVal->"ssid") [ /interface/wireless/get [ find where name=($RegVal->"interface") ] ssid ];
-        :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
-        :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
-        :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
-          "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
-        $LogPrint info $ScriptName $Message;
-        /interface/wireless/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
-        $SendNotification2 ({ origin=$ScriptName; \
-          subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
-          message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
-            [ $FormatLine "Controller" $Identity ] . "\n" . \
-            [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
-            [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
-            [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
-            [ $FormatLine "Vendor" $Vendor ] . "\n" . \
-            [ $FormatLine "Hostname" $HostName ] . "\n" . \
-            [ $FormatLine "Address" $Address ] . "\n" . \
-            [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
-            [ $FormatLine "Date" $DateTime ]) });
-      }
-    } else={
-      $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

collect-wireless-mac.template

@@ -0,0 +1,64 @@
+#!rsc
+# RouterOS script: collect-wireless-mac%TEMPL%
+# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
+#
+# collect wireless mac adresses in access list
+#
+# !! This is just a template! Replace '%PATH%' with 'caps-man'
+# !! or 'interface wireless'!
+
+:global Identity;
+
+:global GetMacVendor;
+:global SendNotification;
+:global ScriptLock;
+
+$ScriptLock "collect-wireless-mac%TEMPL%";
+
+:local PlaceBefore [ / %PATH% access-list find where comment="--- collected above ---" disabled ];
+:if ([ :len $PlaceBefore ] = 0) do={
+  :error "Missing disabled access-list entry with comment '--- collected above ---'";
+}
+
+:foreach RegTbl in=[ / %PATH% registration-table find ] do={
+  :local Mac [ / %PATH% registration-table get $RegTbl mac-address ];
+  :local AccessList ([ / %PATH% access-list find where mac-address=$Mac ]->0);
+  :if ([ :len $AccessList ] = 0) do={
+    :local HostName "no dhcp lease";
+    :local Address "no dhcp lease";
+    :local Lease [ / ip dhcp-server lease find where mac-address=$Mac ];
+    :if ([ :len $Lease ] > 0) do={
+      :set HostName [ / ip dhcp-server lease get $Lease host-name ];
+      :set Address [ / ip dhcp-server lease get $Lease address ];
+    }
+    :if ([ :len $HostName ] = 0) do={
+      :set HostName "no hostname";
+    }
+    :if ([ :len $Address ] = 0) do={
+      :set Address "no address";
+    }
+    :local RegEntry [ / %PATH% registration-table find where mac-address=$Mac ];
+    :local Interface [ / %PATH% registration-table get $RegEntry interface ];
+    :local Ssid [ / caps-man registration-table get $RegEntry ssid ];
+    :local Ssid [ / interface wireless get [ find where name=$Interface ] ssid ];
+    :local DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);
+    :local Vendor [ $GetMacVendor $Mac ];
+    :local Message ("unknown MAC address " . $Mac . " (" . $Vendor . ", " . $HostName . ") " . \
+      "first seen on " . $DateTime . " connected to SSID " . $Ssid . ", interface " . $Interface);
+    / log info $Message;
+    / %PATH% access-list add place-before=$PlaceBefore comment=$Message mac-address=$Mac disabled=yes;
+    $SendNotification ($Mac . " connected to " . $Ssid) \
+      ("A device with unknown MAC address connected to " . $Ssid . " on " . $Identity . ".\n\n" . \
+        "Controller: " . $Identity . "\n" . \
+        "Interface:  " . $Interface . "\n" . \
+        "SSID:       " . $Ssid . "\n" . \
+        "MAC:        " . $Mac . "\n" . \
+        "Vendor:     " . $Vendor . "\n" . \
+        "Hostname:   " . $HostName . "\n" . \
+        "Address:    " . $Address . "\n" . \
+        "Date:       " . $DateTime);
+  } else={
+    :local Comment [ / %PATH% access-list get $AccessList comment ];
+    :log debug ("MAC address " . $Mac . " already known: " . $Comment);
+  }
+}

collect-wireless-mac.template.rsc

@@ -1,118 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: collect-wireless-mac%TEMPL%
-# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# provides: lease-script, order=40
-# requires RouterOS, version=7.15
-#
-# collect wireless mac adresses in access list
-# https://rsc.eworm.de/doc/collect-wireless-mac.md
-#
-# !! This is just a template to generate the real script!
-# !! Pattern '%TEMPL%' is replaced, paths are filtered.
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global Identity;
-
-  :global EitherOr;
-  :global FormatLine;
-  :global FormatMultiLines;
-  :global GetMacVendor;
-  :global LogPrint;
-  :global ScriptLock;
-  :global SendNotification2;
-  :global SymbolForNotification;
-
-  :if ([ $ScriptLock $ScriptName 10 ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :len [ /caps-man/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
-  :if ([ :len [ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
-  :if ([ :len [ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
-    /caps-man/access-list/add comment="--- collected above ---" disabled=yes;
-    /interface/wifi/access-list/add comment="--- collected above ---" disabled=yes;
-    /interface/wireless/access-list/add comment="--- collected above ---" disabled=yes;
-    $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
-  }
-  :local PlaceBefore ([ /caps-man/access-list/find where comment="--- collected above ---" disabled ]->0);
-  :local PlaceBefore ([ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ]->0);
-  :local PlaceBefore ([ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ]->0);
-
-  :foreach Reg in=[ /caps-man/registration-table/find ] do={
-  :foreach Reg in=[ /interface/wifi/registration-table/find ] do={
-  :foreach Reg in=[ /interface/wireless/registration-table/find where ap=no ] do={
-    :local RegVal;
-    :do {
-      :set RegVal [ /caps-man/registration-table/get $Reg ];
-      :set RegVal [ /interface/wifi/registration-table/get $Reg ];
-      :set RegVal [ /interface/wireless/registration-table/get $Reg ];
-    } on-error={
-      $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
-    }
-
-    :if ([ :len ($RegVal->"mac-address") ] > 0) do={
-      :local AccessList ([ /caps-man/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
-      :local AccessList ([ /interface/wifi/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
-      :local AccessList ([ /interface/wireless/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
-      :if ([ :len $AccessList ] > 0) do={
-        $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
-          [ /caps-man/access-list/get $AccessList comment ]);
-          [ /interface/wifi/access-list/get $AccessList comment ]);
-          [ /interface/wireless/access-list/get $AccessList comment ]);
-      }
-
-      :if ([ :len $AccessList ] = 0) do={
-        :local Address "no dhcp lease";
-        :local DnsName "no dhcp lease";
-        :local HostName "no dhcp lease";
-        :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
-        :if ([ :len $Lease ] > 0) do={
-          :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
-          :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
-          :set DnsName "no dns name";
-          :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
-          :if ([ :len $DnsRec ] > 0) do={
-            :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
-            :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
-              :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
-            }
-          }
-        }
-        :set ($RegVal->"ssid") [ /interface/wireless/get [ find where name=($RegVal->"interface") ] ssid ];
-        :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
-        :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
-        :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
-          "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
-        $LogPrint info $ScriptName $Message;
-        /caps-man/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
-        /interface/wifi/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
-        /interface/wireless/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
-        $SendNotification2 ({ origin=$ScriptName; \
-          subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
-          message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
-            [ $FormatLine "Controller" $Identity ] . "\n" . \
-            [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
-            [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
-            [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
-            [ $FormatLine "Vendor" $Vendor ] . "\n" . \
-            [ $FormatLine "Hostname" $HostName ] . "\n" . \
-            [ $FormatLine "Address" $Address ] . "\n" . \
-            [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
-            [ $FormatLine "Date" $DateTime ]) });
-      }
-    } else={
-      $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

collect-wireless-mac.wifi.rsc

@@ -1,100 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: collect-wireless-mac.wifi
-# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# provides: lease-script, order=40
-# requires RouterOS, version=7.15
-#
-# collect wireless mac adresses in access list
-# https://rsc.eworm.de/doc/collect-wireless-mac.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global Identity;
-
-  :global EitherOr;
-  :global FormatLine;
-  :global FormatMultiLines;
-  :global GetMacVendor;
-  :global LogPrint;
-  :global ScriptLock;
-  :global SendNotification2;
-  :global SymbolForNotification;
-
-  :if ([ $ScriptLock $ScriptName 10 ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-
-  :if ([ :len [ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
-    /interface/wifi/access-list/add comment="--- collected above ---" disabled=yes;
-    $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
-  }
-  :local PlaceBefore ([ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ]->0);
-
-  :foreach Reg in=[ /interface/wifi/registration-table/find ] do={
-    :local RegVal;
-    :do {
-      :set RegVal [ /interface/wifi/registration-table/get $Reg ];
-    } on-error={
-      $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
-    }
-
-    :if ([ :len ($RegVal->"mac-address") ] > 0) do={
-      :local AccessList ([ /interface/wifi/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
-      :if ([ :len $AccessList ] > 0) do={
-        $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
-          [ /interface/wifi/access-list/get $AccessList comment ]);
-      }
-
-      :if ([ :len $AccessList ] = 0) do={
-        :local Address "no dhcp lease";
-        :local DnsName "no dhcp lease";
-        :local HostName "no dhcp lease";
-        :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
-        :if ([ :len $Lease ] > 0) do={
-          :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
-          :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
-          :set DnsName "no dns name";
-          :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
-          :if ([ :len $DnsRec ] > 0) do={
-            :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
-            :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
-              :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
-            }
-          }
-        }
-        :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
-        :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
-        :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
-          "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
-        $LogPrint info $ScriptName $Message;
-        /interface/wifi/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
-        $SendNotification2 ({ origin=$ScriptName; \
-          subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
-          message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
-            [ $FormatLine "Controller" $Identity ] . "\n" . \
-            [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
-            [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
-            [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
-            [ $FormatLine "Vendor" $Vendor ] . "\n" . \
-            [ $FormatLine "Hostname" $HostName ] . "\n" . \
-            [ $FormatLine "Address" $Address ] . "\n" . \
-            [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
-            [ $FormatLine "Date" $DateTime ]) });
-      }
-    } else={
-      $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

contrib/logo-color.d/script.js

@@ -1,12 +0,0 @@
-function invertHex(hex) {
-  return (Number("0x1" + hex) ^ 0xffffff).toString(16).substr(1);
-}
-
-function color() {
-  var svg = document.querySelector(".logo").getSVGDocument();
-  svg.getElementById("dark-1").setAttribute("stop-color", document.getElementById("color1").value);
-  svg.getElementById("dark-2").setAttribute("stop-color", document.getElementById("color2").value);
-  var background = document.getElementById("color3").value;
-  svg.getElementById("background").setAttribute("fill", background);
-  svg.getElementById("hexagon").setAttribute("stroke", "#" + invertHex(background.substring(1)));
-}

contrib/logo-color.d/style.css

@@ -1,5 +0,0 @@
-body {
-  font-family: fira-sans, sans-serif;
-  font-size: 10pt;
-  background-color: transparent;
-}

contrib/logo-color.html

@@ -1,40 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="UTF-8">
-<title>RouterOS-Scripts Logo Color Changer</title>
-<link rel="stylesheet" type="text/css" href="logo-color.d/style.css">
-<script src="logo-color.d/script.js"></script>
-</head>
-<body>
-
-<h1>RouterOS-Scripts Logo Color Changer</h1>
-
-<p>You want the logo for your own notifications? But you joined the
-<a href="https://t.me/routeros_scripts">Telegram Group</a> and want
-something that differentiates? Color it!</p>
-
-<embed class="logo" src="../logo.svg" width="192" height="192" type="image/svg+xml">
-
-<p>Select the colors here:
-<input id="color1" type="color" value="#222222" onchange="color();">
-<input id="color2" type="color" value="#444444" onchange="color();">
-<input id="color3" type="color" value="#ffffff" onchange="color();"></p>
-
-<p>Then right-click, click "<i>Take Screenshot</i>" and finally select the
-logo and download it.</p>
-
-<p><img src="logo-color.d/browser-01.avif" width=533 height=482 alt="Screenshot Browser 01">
-<img src="logo-color.d/browser-02.avif" width=533 height=482 alt="Screenshot Browser 02">
-<img src="logo-color.d/browser-03.avif" width=533 height=482 alt="Screenshot Browser 03"></p>
-
-<p>(This example is with
-<a href="https://www.mozilla.org/de/firefox/new/">Firefox</a>. The workflow
-for other browsers may differ.)</p>
-
-<p>See how to
-<a href="../../about/doc/mod/notification-telegram.md#set-a-profile-photo">Set
-a profile photo</a> for your Telegram bot.</p>
-
-</body>
-</html>

contrib/notification.d/script.js

@@ -1,6 +0,0 @@
-function visible(cb, element) {
-  document.getElementById(element).style.display = cb.checked ? "block" : "none";
-}
-function update(cb, element) {
-  document.getElementById(element).innerHTML = cb.value;
-}

contrib/notification.d/style.css

@@ -1,36 +0,0 @@
-body {
-  font-family: fira-sans, sans-serif;
-  font-size: 10pt;
-  background-color: transparent;
-}
-div.notification {
-  position: relative;
-  float: right;
-  width: 600px;
-  border: 3px outset #6c5d53;
-  /* border-radius: 5px; */
-  padding: 10px;
-  background-color: #e6e6e6;
-}
-div.content {
-  padding-left: 60px;
-}
-img.logo {
-  float: left;
-  border-radius: 50%;
-}
-p.heading {
-  margin: 0px;
-  font-weight: bold;
-  text-decoration: underline;
-}
-p.hint {
-  display: none;
-}
-pre {
-  font-family: fira-mono, monospace;
-  white-space: pre-wrap;
-}
-span.link {
-  color: #863600;
-}

contrib/notification.html

@@ -1,35 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="UTF-8">
-<title>RouterOS-Scripts Notification Generator</title>
-<link rel="stylesheet" type="text/css" href="notification.d/style.css">
-<script src="notification.d/script.js"></script> 
-</head>
-<body>
-
-<h1>RouterOS-Scripts Notification Generator</h1>
-
-<div class="notification">
-  <img src="../logo.svg" alt="logo" class="logo" width=48 height=48>
-  <div class="content">
-  <p id="heading" class="heading">[<span id="hostname">MikroTik</span>] <span id="subject">ℹ️  Subject</span></p>
-  <pre id="message">Message</pre>
-  <p id="link" class="hint">🔗 <span id="link-text" class="link">https://eworm.de/</span></p>
-  <p id="queued" class="hint">⏰ This message was queued since <span id="queued-since">oct/18/2022 18:30:48</span> and may be obsolete.</p>
-  <p id="cut" class="hint">✂️ The message was too long and has been truncated, cut off <span id="cut-percent">13</span>%!</p>
-  </div>
-</div>
-
-<p>Hostname: <input type="text" value="MikroTik" onchange="update(this, 'hostname')"></p>
-<p>Subject: <input type="text" size=50 value="ℹ️  Subject" onchange="update(this, 'subject')"></p>
-<p>Message: <textarea id="w3review" name="w3review" rows="4" cols="50" onchange="update(this, 'message')">Message</textarea></p>
-<p><input type="checkbox" onclick="visible(this, 'link')"> Show link: <input type="text" value="https://eworm.de/" onchange="update(this, 'link-text')"></p>
-<p><input type="checkbox" onclick="visible(this, 'queued')"> Queued since <input type="text" value="oct/18/2022 18:30:48" onchange="update(this, 'queued-since')"></p>
-<p><input type="checkbox" onclick="visible(this, 'cut')"> Cut-off with <input type="number" min=1 max=99 value=13 onchange="update(this, 'cut-percent')"> percent</p>
-
-<p>Then right-click, click "<i>Take Screenshot</i>" and finally select the
-notification and download it.</p>
-
-</body>
-</html>

daily-psk-schedule

@@ -0,0 +1,23 @@
+#!rsc
+# RouterOS script: daily-psk-schedule
+# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
+#
+# schedule daily-psk on startup
+
+:local Scheduler [ / system scheduler find where name="daily-psk-schedule" ];
+
+:if ([ / system scheduler get $Scheduler interval ] = 0s) do={
+  / system scheduler set interval=15s $Scheduler;
+} else={
+  :if ([ / tool netwatch get [ find where comment=[ / tool e-mail get address ] ] status ] != "up") do={
+    :error "Mail server is not up.";
+  }
+
+  :if ([ / system ntp client get status ] != "synchronized") do={
+    :error "Time is not yet synchronized from ntp.";
+  }
+
+  / system script run [ find where name~"daily-psk\\.(capsman|local)" ];
+
+  / system scheduler set interval=0s $Scheduler;
+}

daily-psk.capsman

@@ -0,0 +1,90 @@
+#!rsc
+# RouterOS script: daily-psk.capsman
+# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+#
+# update daily PSK (pre shared key)
+
+:global Identity;
+:global DailyPskMatchComment;
+:global UrlEncode;
+
+:global SendNotification;
+
+:local Seen [ :toarray "" ];
+
+# return pseudo-random string for PSK
+:local GeneratePSK do={
+  :local Date [ :tostr $1 ];
+
+  :global DailyPskSecrets;
+
+  :local Months { "jan"; "feb"; "mar"; "apr"; "may"; "jun";
+                  "jul"; "aug"; "sep"; "oct"; "nov"; "dec" };
+
+  :local Month [ :pick $Date 0 3 ];
+  :local Day [ :tonum [ :pick $Date 4 6 ] ];
+  :local Year [ :pick $Date 7 11 ];
+
+  :for MIndex from=0 to=[ :len $Months ] do={
+    :if ($Months->$MIndex = $Month) do={
+      :set Month ($MIndex + 1);
+    }
+  }
+
+  :local A ((14 - $Month) / 12);
+  :local B ($Year - $A);
+  :local C ($Month + 12 * $A - 2);
+  :local WeekDay (7000 + $Day + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
+  :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
+
+  :return (($DailyPskSecrets->0->($Day - 1)) . \
+    ($DailyPskSecrets->1->($Month - 1)) . \
+    ($DailyPskSecrets->2->$WeekDay));
+}
+
+:local Date [ / system clock get date ];
+:local NewPsk [ $GeneratePSK $Date ];
+
+:foreach AccList in=[ / caps-man access-list find where comment~$DailyPskMatchComment ] do={
+  :local Ssid [ / caps-man access-list get $AccList ssid-regexp ];
+  :local Configuration [ / caps-man configuration get [ find where ssid=$Ssid ] name ];
+  :local OldPsk [ / caps-man access-list get $AccList private-passphrase ];
+  :local Skip 0;
+
+  :if ($NewPsk != $OldPsk) do={
+    :log info ("Updating daily PSK for " . $Ssid . " to " . $NewPsk . " (was " . $OldPsk . ")");
+    / caps-man access-list set $AccList private-passphrase=$NewPsk;
+
+    :if ([ / caps-man interface print count-only where configuration=$Configuration ] > 0) do={
+      :foreach SeenSsid in=$Seen do={
+        :if ($SeenSsid = $Ssid) do={
+          :log debug ("Already sent a mail for SSID " . $Ssid . ", skipping.");
+          :set Skip 1;
+        }
+      }
+
+      :if ($Skip = 0) do={
+        :set Seen ($Seen, $Ssid);
+
+        :local Url ("https://www.eworm.de/cgi-bin/cqrlogo-wifi.cgi" . \
+            "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
+        :local Attach "qrcode-daily.png";
+
+        :do {
+          / tool fetch mode=https check-certificate=yes-without-crl \
+              $Url dst-path=$Attach;
+        } on-error={
+          :set Attach "";
+        }
+
+        $SendNotification ("daily PSK " . $Ssid) \
+          ("This is the daily PSK on " . $Identity . ":\n\n" . \
+            "SSID: " . $Ssid . "\n" . \
+            "PSK:  " . $NewPsk . "\n" . \
+            "Date: " . $Date . "\n\n" . \
+            $Url) $Attach;
+      }
+    }
+  }
+}

daily-psk.capsman.rsc

@@ -1,96 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: daily-psk.capsman
-# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# update daily PSK (pre shared key)
-# https://rsc.eworm.de/doc/daily-psk.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global DailyPskMatchComment;
-  :global DailyPskQrCodeUrl;
-  :global Identity;
-
-  :global FormatLine;
-  :global LogPrint;
-  :global ScriptLock;
-  :global SendNotification2;
-  :global SymbolForNotification;
-  :global UrlEncode;
-  :global WaitForFile;
-  :global WaitFullyConnected;
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-  $WaitFullyConnected;
-
-  # return pseudo-random string for PSK
-  :local GeneratePSK do={
-    :local Date [ :tostr $1 ];
-
-    :global DailyPskSecrets;
-
-    :global ParseDate;
-
-    :set Date [ $ParseDate $Date ];
-
-    :local A ((14 - ($Date->"month")) / 12);
-    :local B (($Date->"year") - $A);
-    :local C (($Date->"month") + 12 * $A - 2);
-    :local WeekDay (7000 + ($Date->"day") + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
-    :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
-
-    :return (($DailyPskSecrets->0->(($Date->"day") - 1)) . \
-      ($DailyPskSecrets->1->(($Date->"month") - 1)) . \
-      ($DailyPskSecrets->2->$WeekDay));
-  }
-
-  :local Seen ({});
-  :local Date [ /system/clock/get date ];
-  :local NewPsk [ $GeneratePSK $Date ];
-
-  :foreach AccList in=[ /caps-man/access-list/find where comment~$DailyPskMatchComment ] do={
-    :local SsidRegExp [ /caps-man/access-list/get $AccList ssid-regexp ];
-    :local Configuration ([ /caps-man/configuration/find where ssid~$SsidRegExp ]->0);
-    :local Ssid [ /caps-man/configuration/get $Configuration ssid ];
-    :local OldPsk [ /caps-man/access-list/get $AccList private-passphrase ];
-    :local Skip 0;
-
-    :if ($NewPsk != $OldPsk) do={
-      $LogPrint info $ScriptName ("Updating daily PSK for '" . $Ssid . "' to '" . $NewPsk . "' (was '" . $OldPsk . "')");
-      /caps-man/access-list/set $AccList private-passphrase=$NewPsk;
-
-      :if ([ :len [ /caps-man/actual-interface-configuration/find where configuration.ssid=$Ssid !disabled ] ] > 0) do={
-        :if ($Seen->$Ssid = 1) do={
-          $LogPrint debug $ScriptName ("Already sent a mail for SSID " . $Ssid . ", skipping.");
-        } else={
-          :local Link ($DailyPskQrCodeUrl . \
-              "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
-          $SendNotification2 ({ origin=$ScriptName; \
-            subject=([ $SymbolForNotification "calendar" ] . "daily PSK " . $Ssid); \
-            message=("This is the daily PSK on " . $Identity . ":\n\n" . \
-              [ $FormatLine "SSID" $Ssid 8 ] . "\n" . \
-              [ $FormatLine "PSK" $NewPsk 8 ] . "\n" . \
-              [ $FormatLine "Date" $Date 8 ] . "\n\n" . \
-              "A client device specific rule must not exist!"); link=$Link });
-          :set ($Seen->$Ssid) 1;
-        }
-      }
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

daily-psk.local

@@ -0,0 +1,90 @@
+#!rsc
+# RouterOS script: daily-psk.local
+# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+#
+# update daily PSK (pre shared key)
+
+:global Identity;
+:global DailyPskMatchComment;
+:global UrlEncode;
+
+:global SendNotification;
+
+:local Seen [ :toarray "" ];
+
+# return pseudo-random string for PSK
+:local GeneratePSK do={
+  :local Date [ :tostr $1 ];
+
+  :global DailyPskSecrets;
+
+  :local Months { "jan"; "feb"; "mar"; "apr"; "may"; "jun";
+                  "jul"; "aug"; "sep"; "oct"; "nov"; "dec" };
+
+  :local Month [ :pick $Date 0 3 ];
+  :local Day [ :tonum [ :pick $Date 4 6 ] ];
+  :local Year [ :pick $Date 7 11 ];
+
+  :for MIndex from=0 to=[ :len $Months ] do={
+    :if ($Months->$MIndex = $Month) do={
+      :set Month ($MIndex + 1);
+    }
+  }
+
+  :local A ((14 - $Month) / 12);
+  :local B ($Year - $A);
+  :local C ($Month + 12 * $A - 2);
+  :local WeekDay (7000 + $Day + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
+  :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
+
+  :return (($DailyPskSecrets->0->($Day - 1)) . \
+    ($DailyPskSecrets->1->($Month - 1)) . \
+    ($DailyPskSecrets->2->$WeekDay));
+}
+
+:local Date [ / system clock get date ];
+:local NewPsk [ $GeneratePSK $Date ];
+
+:foreach AccList in=[ / interface wireless access-list find where comment~$DailyPskMatchComment ] do={
+  :local IntName [ / interface wireless access-list get $AccList interface ];
+  :local Ssid [ / interface wireless get $IntName ssid ];
+  :local OldPsk [ / interface wireless access-list get $AccList private-pre-shared-key ];
+  :local Skip 0;
+
+  :if ($NewPsk != $OldPsk) do={
+    :log info ("Updating daily PSK for " . $Ssid . " to " . $NewPsk . " (was " . $OldPsk . ")");
+    / interface wireless access-list set $AccList private-pre-shared-key=$NewPsk;
+
+    :if ([ / interface wireless print count-only where name=$IntName disabled=no ] = 1) do={
+      :foreach SeenSsid in=$Seen do={
+        :if ($SeenSsid = $Ssid) do={
+          :log debug ("Already sent a mail for SSID " . $Ssid . ", skipping.");
+          :set Skip 1;
+        }
+      }
+
+      :if ($Skip = 0) do={
+        :set Seen ($Seen, $Ssid);
+
+        :local Url ("https://www.eworm.de/cgi-bin/cqrlogo-wifi.cgi" . \
+            "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
+        :local Attach "qrcode-daily.png";
+
+        :do {
+          / tool fetch mode=https check-certificate=yes-without-crl \
+              $Url dst-path=$Attach;
+        } on-error={
+          :set Attach "";
+        }
+
+        $SendNotification ("daily PSK " . $Ssid) \
+          ("This is the daily PSK on " . $Identity . ":\n\n" . \
+            "SSID: " . $Ssid . "\n" . \
+            "PSK:  " . $NewPsk . "\n" . \
+            "Date: " . $Date . "\n\n" . \
+            $Url) $Attach;
+      }
+    }
+  }
+}

daily-psk.local.rsc

@@ -1,95 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: daily-psk.local
-# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# update daily PSK (pre shared key)
-# https://rsc.eworm.de/doc/daily-psk.md
-#
-# !! Do not edit this file, it is generated from template!
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global DailyPskMatchComment;
-  :global DailyPskQrCodeUrl;
-  :global Identity;
-
-  :global FormatLine;
-  :global LogPrint;
-  :global ScriptLock;
-  :global SendNotification2;
-  :global SymbolForNotification;
-  :global UrlEncode;
-  :global WaitForFile;
-  :global WaitFullyConnected;
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-  $WaitFullyConnected;
-
-  # return pseudo-random string for PSK
-  :local GeneratePSK do={
-    :local Date [ :tostr $1 ];
-
-    :global DailyPskSecrets;
-
-    :global ParseDate;
-
-    :set Date [ $ParseDate $Date ];
-
-    :local A ((14 - ($Date->"month")) / 12);
-    :local B (($Date->"year") - $A);
-    :local C (($Date->"month") + 12 * $A - 2);
-    :local WeekDay (7000 + ($Date->"day") + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
-    :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
-
-    :return (($DailyPskSecrets->0->(($Date->"day") - 1)) . \
-      ($DailyPskSecrets->1->(($Date->"month") - 1)) . \
-      ($DailyPskSecrets->2->$WeekDay));
-  }
-
-  :local Seen ({});
-  :local Date [ /system/clock/get date ];
-  :local NewPsk [ $GeneratePSK $Date ];
-
-  :foreach AccList in=[ /interface/wireless/access-list/find where comment~$DailyPskMatchComment ] do={
-    :local IntName [ /interface/wireless/access-list/get $AccList interface ];
-    :local Ssid [ /interface/wireless/get $IntName ssid ];
-    :local OldPsk [ /interface/wireless/access-list/get $AccList private-pre-shared-key ];
-    :local Skip 0;
-
-    :if ($NewPsk != $OldPsk) do={
-      $LogPrint info $ScriptName ("Updating daily PSK for '" . $Ssid . "' to '" . $NewPsk . "' (was '" . $OldPsk . "')");
-      /interface/wireless/access-list/set $AccList private-pre-shared-key=$NewPsk;
-
-      :if ([ :len [ /interface/wireless/find where name=$IntName !disabled ] ] = 1) do={
-        :if ($Seen->$Ssid = 1) do={
-          $LogPrint debug $ScriptName ("Already sent a mail for SSID " . $Ssid . ", skipping.");
-        } else={
-          :local Link ($DailyPskQrCodeUrl . \
-              "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
-          $SendNotification2 ({ origin=$ScriptName; \
-            subject=([ $SymbolForNotification "calendar" ] . "daily PSK " . $Ssid); \
-            message=("This is the daily PSK on " . $Identity . ":\n\n" . \
-              [ $FormatLine "SSID" $Ssid 8 ] . "\n" . \
-              [ $FormatLine "PSK" $NewPsk 8 ] . "\n" . \
-              [ $FormatLine "Date" $Date 8 ] . "\n\n" . \
-              "A client device specific rule must not exist!"); link=$Link });
-          :set ($Seen->$Ssid) 1;
-        }
-      }
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}

daily-psk.template

@@ -0,0 +1,96 @@
+#!rsc
+# RouterOS script: daily-psk%TEMPL%
+# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
+#                         Michael Gisbers <michael@gisbers.de>
+#
+# update daily PSK (pre shared key)
+
+:global Identity;
+:global DailyPskMatchComment;
+:global UrlEncode;
+
+:global SendNotification;
+
+:local Seen [ :toarray "" ];
+
+# return pseudo-random string for PSK
+:local GeneratePSK do={
+  :local Date [ :tostr $1 ];
+
+  :global DailyPskSecrets;
+
+  :local Months { "jan"; "feb"; "mar"; "apr"; "may"; "jun";
+                  "jul"; "aug"; "sep"; "oct"; "nov"; "dec" };
+
+  :local Month [ :pick $Date 0 3 ];
+  :local Day [ :tonum [ :pick $Date 4 6 ] ];
+  :local Year [ :pick $Date 7 11 ];
+
+  :for MIndex from=0 to=[ :len $Months ] do={
+    :if ($Months->$MIndex = $Month) do={
+      :set Month ($MIndex + 1);
+    }
+  }
+
+  :local A ((14 - $Month) / 12);
+  :local B ($Year - $A);
+  :local C ($Month + 12 * $A - 2);
+  :local WeekDay (7000 + $Day + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
+  :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
+
+  :return (($DailyPskSecrets->0->($Day - 1)) . \
+    ($DailyPskSecrets->1->($Month - 1)) . \
+    ($DailyPskSecrets->2->$WeekDay));
+}
+
+:local Date [ / system clock get date ];
+:local NewPsk [ $GeneratePSK $Date ];
+
+:foreach AccList in=[ / interface wireless access-list find where comment~$DailyPskMatchComment ] do={
+:foreach AccList in=[ / caps-man access-list find where comment~$DailyPskMatchComment ] do={
+  :local IntName [ / interface wireless access-list get $AccList interface ];
+  :local Ssid [ / interface wireless get $IntName ssid ];
+  :local Ssid [ / caps-man access-list get $AccList ssid-regexp ];
+  :local Configuration [ / caps-man configuration get [ find where ssid=$Ssid ] name ];
+  :local OldPsk [ / interface wireless access-list get $AccList private-pre-shared-key ];
+  :local OldPsk [ / caps-man access-list get $AccList private-passphrase ];
+  :local Skip 0;
+
+  :if ($NewPsk != $OldPsk) do={
+    :log info ("Updating daily PSK for " . $Ssid . " to " . $NewPsk . " (was " . $OldPsk . ")");
+    / interface wireless access-list set $AccList private-pre-shared-key=$NewPsk;
+    / caps-man access-list set $AccList private-passphrase=$NewPsk;
+
+    :if ([ / interface wireless print count-only where name=$IntName disabled=no ] = 1) do={
+    :if ([ / caps-man interface print count-only where configuration=$Configuration ] > 0) do={
+      :foreach SeenSsid in=$Seen do={
+        :if ($SeenSsid = $Ssid) do={
+          :log debug ("Already sent a mail for SSID " . $Ssid . ", skipping.");
+          :set Skip 1;
+        }
+      }
+
+      :if ($Skip = 0) do={
+        :set Seen ($Seen, $Ssid);
+
+        :local Url ("https://www.eworm.de/cgi-bin/cqrlogo-wifi.cgi" . \
+            "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
+        :local Attach "qrcode-daily.png";
+
+        :do {
+          / tool fetch mode=https check-certificate=yes-without-crl \
+              $Url dst-path=$Attach;
+        } on-error={
+          :set Attach "";
+        }
+
+        $SendNotification ("daily PSK " . $Ssid) \
+          ("This is the daily PSK on " . $Identity . ":\n\n" . \
+            "SSID: " . $Ssid . "\n" . \
+            "PSK:  " . $NewPsk . "\n" . \
+            "Date: " . $Date . "\n\n" . \
+            $Url) $Attach;
+      }
+    }
+  }
+}

daily-psk.template.rsc

@@ -1,111 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: daily-psk%TEMPL%
-# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
-#                         Michael Gisbers <michael@gisbers.de>
-# https://rsc.eworm.de/COPYING.md
-#
-# requires RouterOS, version=7.15
-#
-# update daily PSK (pre shared key)
-# https://rsc.eworm.de/doc/daily-psk.md
-#
-# !! This is just a template to generate the real script!
-# !! Pattern '%TEMPL%' is replaced, paths are filtered.
-
-:global GlobalFunctionsReady;
-:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
-
-:local ExitOK false;
-:do {
-  :local ScriptName [ :jobname ];
-
-  :global DailyPskMatchComment;
-  :global DailyPskQrCodeUrl;
-  :global Identity;
-
-  :global FormatLine;
-  :global LogPrint;
-  :global ScriptLock;
-  :global SendNotification2;
-  :global SymbolForNotification;
-  :global UrlEncode;
-  :global WaitForFile;
-  :global WaitFullyConnected;
-
-  :if ([ $ScriptLock $ScriptName ] = false) do={
-    :set ExitOK true;
-    :error false;
-  }
-  $WaitFullyConnected;
-
-  # return pseudo-random string for PSK
-  :local GeneratePSK do={
-    :local Date [ :tostr $1 ];
-
-    :global DailyPskSecrets;
-
-    :global ParseDate;
-
-    :set Date [ $ParseDate $Date ];
-
-    :local A ((14 - ($Date->"month")) / 12);
-    :local B (($Date->"year") - $A);
-    :local C (($Date->"month") + 12 * $A - 2);
-    :local WeekDay (7000 + ($Date->"day") + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
-    :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
-
-    :return (($DailyPskSecrets->0->(($Date->"day") - 1)) . \
-      ($DailyPskSecrets->1->(($Date->"month") - 1)) . \
-      ($DailyPskSecrets->2->$WeekDay));
-  }
-
-  :local Seen ({});
-  :local Date [ /system/clock/get date ];
-  :local NewPsk [ $GeneratePSK $Date ];
-
-  :foreach AccList in=[ /caps-man/access-list/find where comment~$DailyPskMatchComment ] do={
-  :foreach AccList in=[ /interface/wifi/access-list/find where comment~$DailyPskMatchComment ] do={
-  :foreach AccList in=[ /interface/wireless/access-list/find where comment~$DailyPskMatchComment ] do={
-    :local SsidRegExp [ /caps-man/access-list/get $AccList ssid-regexp ];
-    :local SsidRegExp [ /interface/wifi/access-list/get $AccList ssid-regexp ];
-    :local Configuration ([ /caps-man/configuration/find where ssid~$SsidRegExp ]->0);
-    :local Configuration ([ /interface/wifi/configuration/find where ssid~$SsidRegExp ]->0);
-    :local Ssid [ /caps-man/configuration/get $Configuration ssid ];
-    :local Ssid [ /interface/wifi/configuration/get $Configuration ssid ];
-    :local OldPsk [ /caps-man/access-list/get $AccList private-passphrase ];
-    :local OldPsk [ /interface/wifi/access-list/get $AccList passphrase ];
-    # /caps-man/ /interface/wifi/ above - /interface/wireless/ below
-    :local IntName [ /interface/wireless/access-list/get $AccList interface ];
-    :local Ssid [ /interface/wireless/get $IntName ssid ];
-    :local OldPsk [ /interface/wireless/access-list/get $AccList private-pre-shared-key ];
-    :local Skip 0;
-
-    :if ($NewPsk != $OldPsk) do={
-      $LogPrint info $ScriptName ("Updating daily PSK for '" . $Ssid . "' to '" . $NewPsk . "' (was '" . $OldPsk . "')");
-      /caps-man/access-list/set $AccList private-passphrase=$NewPsk;
-      /interface/wifi/access-list/set $AccList passphrase=$NewPsk;
-      /interface/wireless/access-list/set $AccList private-pre-shared-key=$NewPsk;
-
-      :if ([ :len [ /caps-man/actual-interface-configuration/find where configuration.ssid=$Ssid !disabled ] ] > 0) do={
-      :if ([ :len [ /interface/wifi/find where configuration.ssid=$Ssid !disabled ] ] > 0) do={
-      :if ([ :len [ /interface/wireless/find where name=$IntName !disabled ] ] = 1) do={
-        :if ($Seen->$Ssid = 1) do={
-          $LogPrint debug $ScriptName ("Already sent a mail for SSID " . $Ssid . ", skipping.");
-        } else={
-          :local Link ($DailyPskQrCodeUrl . \
-              "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
-          $SendNotification2 ({ origin=$ScriptName; \
-            subject=([ $SymbolForNotification "calendar" ] . "daily PSK " . $Ssid); \
-            message=("This is the daily PSK on " . $Identity . ":\n\n" . \
-              [ $FormatLine "SSID" $Ssid 8 ] . "\n" . \
-              [ $FormatLine "PSK" $NewPsk 8 ] . "\n" . \
-              [ $FormatLine "Date" $Date 8 ] . "\n\n" . \
-              "A client device specific rule must not exist!"); link=$Link });
-          :set ($Seen->$Ssid) 1;
-        }
-      }
-    }
-  }
-} on-error={
-  :global ExitError; $ExitError $ExitOK [ :jobname ];
-}