280 changed files with 2352 additions and 15133 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,13 +1,3 @@
 # backup and temporary files
 *~
 # patches and related files
 *.orig
 *.patch
 *.rej
 # html files (as generated from markdown)
 *.html
 # Mac OS X folder settings file
 .DS_Store
--- a/BRANCHES.md
+++ b/BRANCHES.md
@ -1,50 +0,0 @@
 Installing from branches
 ========================
 [![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
 [![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
 [![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
 [![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
 [![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
 [⬅️ Go back to main README](README.md)
 > ⚠️ **Warning**: Living on the edge? Great, read on!
 > If not: Please use the `main` branch and leave this page!
 These scripts are developed in a [git](https://git-scm.com/) repository.
 Development and experimental branches are used to provide early access
 for specific changes. You can install scripts from these branches
 for testing.
 ## Install single script
 To install a single script from `next` branch:
    $ScriptInstallUpdate script-name "base-url=https://rsc.eworm.de/next/";
 ## Switch existing script
 Alternatively switch an existing script to update from `next` branch:
    /system/script/set comment="base-url=https://rsc.eworm.de/next/" script-name;
    $ScriptInstallUpdate;
 ## Switch installation
 Last but not least - to switch the complete installation to the `next`
 branch edit `global-config-overlay` and add:
    :global ScriptUpdatesBaseUrl "https://rsc.eworm.de/next/";
 ... then reload the configuration and update:
    /system/script/run global-config;
    $ScriptInstallUpdate;
 > ℹ️ **Info**: Replace `next` with *whatever* to use another specific branch.
 ---
 [⬅️ Go back to main README](README.md)  
 [⬆️ Go back to top](#top)
--- a/CERTIFICATES.d/01-dialog-A.avif
+++ b/CERTIFICATES.d/01-dialog-A.avif
--- a/CERTIFICATES.d/02-dialog-B.avif
+++ b/CERTIFICATES.d/02-dialog-B.avif
--- a/CERTIFICATES.d/03-window.avif
+++ b/CERTIFICATES.d/03-window.avif
--- a/CERTIFICATES.d/04-certificate.avif
+++ b/CERTIFICATES.d/04-certificate.avif
--- a/CERTIFICATES.md
+++ b/CERTIFICATES.md
@ -1,82 +0,0 @@
 Certificate name from browser
 =============================
 [![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
 [![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
 [![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
 [![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
 [![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
 [⬅️ Go back to main README](README.md)
 All well known desktop, mobile and server operating systems come with a
 certificate store that is populated with a set of well known and trusted
 certificates, acting as *trust anchors*.
 However RouterOS does not, still sometimes a specific certificate is
 required to properly verify a chain of trust. One example is downloading
 the scripts from this repository with `fetch` command, thus the very
 first step of [installation](README.md#the-long-way-in-detail) is importing
 the certificate.
 The scripts can install additional certificates when required. This happens
 from this repository if available, or from [mkcert.org](https://mkcert.org)
 as a fallback.
 Get the certificate's CommonName
 --------------------------------
 But how to determine what certificate may be required? Often easiest way
 is to use a desktop browser to get that information. This demonstration uses
 [Mozilla Firefox](https://www.mozilla.org/firefox/).
 Let's assume we want to make sure the certificate for
 [git.eworm.de](https://git.eworm.de/) is available. Open that page in the
 browser, then click the *lock* icon in addressbar, followed by "*Connection
 secure*".
 ![screenshot: dialog A](CERTIFICATES.d/01-dialog-A.avif)
 The dialog will change, click "*More information*".
 ![screenshot: dialog B](CERTIFICATES.d/02-dialog-B.avif)
 A new window opens, click the button "*View Certificate*". (That window
 can be closed now.)
 ![screenshot: window](CERTIFICATES.d/03-window.avif)
 A new tab opens, showing information on the server certificate and its
 chain of trust. The leftmost certificate is what we are interested in.
 ![screenshot: certificate](CERTIFICATES.d/04-certificate.avif)
 Now we know that "`ISRG Root X2`" is required, some scripts need just
 that information.
 Import a certificate by CommonName
 ----------------------------------
 Running the function `$CertificateAvailable` with that name as parameter
 makes sure the certificate is available in the device's store:
    $CertificateAvailable "ISRG Root X2";
 If the certificate is actually available already nothing happens, and there
 is no output. Otherwise the certificate is downloaded and imported.
 If importing a certificate with that exact name fails a warning is given
 and nothing is actually imported.
 See also
 --------
 * [Download, import and update firewall address-lists](doc/fw-addr-lists.md)
 * [Manage DNS and DoH servers from netwatch](doc/netwatch-dns.md)
 * [Send notifications via Matrix](doc/mod/notification-matrix.md)
 * [Send notifications via Ntfy](doc/mod/notification-ntfy.md)
 ---
 [⬅️ Go back to main README](README.md)  
 [⬆️ Go back to top](#top)
--- a/CONTRIBUTIONS.md
+++ b/CONTRIBUTIONS.md
@ -1,63 +0,0 @@
 Past Contributions
 ==================
 [![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
 [![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
 [![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
 [![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
 [![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
 [⬅️ Go back to main README](README.md)
 Thanks a lot for your contributions! ❤️
 ## Patches
 These persons contributed code or documentation. See the git history
 for details!
 * [Anatoly Bubenkov](mailto:bubenkoff@gmail.com) (@bubenkoff)
 * [Ben Harris](mailto:mail@bharr.is) (@bharrisau)
 * [Daniel Ziegenberg](mailto:daniel@ziegenberg.at) (@ziegenberg)
 * [Ignacio Serrano](mailto:ignic@ignic.com) (@ignic)
 * [Michael Gisbers](mailto:michael@gisbers.de) (@mgisbers)
 * [Miquel Bonastre](mailto:mbonastre@yahoo.com) (@mbonastre)
 * @netravnen
 * [netztrip](mailto:dave-tvg@netztrip.de) (@netztrip)
 * [Stefan Müller](mailto:stefan.mueller.83@gmail.com) (@PackElend)
 ## Donations
 Add yourself to the list,
 [donate with PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)!
 * Abdul Mannan Abbasi
 * Andrea Ruffini Perico
 * Andrew Cox
 * Christoph Boss (@Kampfwurst)
 * Daniel Ziegenberg (@ziegenberg)
 * Devin Dean (@dd2594gh)
 * Evaldo Gardenal
 * Florian Estraviz
 * Giorgio Bikos
 * Harold Schoemaker
 * Hugo BV
 * Klaus Michael Rübsam
 * Leonardo Valeri Manera
 * Linux-Schmie.de Michael Gisbers
 * Manuel Kuhn
 * Marek Čábák
 * Oleksandr Yukhymchuk
 * Peter Holtkamp
 * Peter Ponzel
 * Reiner Vehrenkamp
 * Richard Österreicher
 * Simon Hitzemann
 * Sunny Chu (@sunnychuchu)
 * Ulrich Wessendorf
 * Zac Kornilakis
 ---
 [⬅️ Go back to main README](README.md)  
 [⬆️ Go back to top](#top)
--- a/COPYING.md
+++ b/COPYING.md
@ -1,675 +0,0 @@
 ### GNU GENERAL PUBLIC LICENSE
 Version 3, 29 June 2007
 Copyright (C) 2007 Free Software Foundation, Inc.
 <https://fsf.org/>
 Everyone is permitted to copy and distribute verbatim copies of this
 license document, but changing it is not allowed.
 ### Preamble
 The GNU General Public License is a free, copyleft license for
 software and other kinds of works.
 The licenses for most software and other practical works are designed
 to take away your freedom to share and change the works. By contrast,
 the GNU General Public License is intended to guarantee your freedom
 to share and change all versions of a program--to make sure it remains
 free software for all its users. We, the Free Software Foundation, use
 the GNU General Public License for most of our software; it applies
 also to any other work released this way by its authors. You can apply
 it to your programs, too.
 When we speak of free software, we are referring to freedom, not
 price. Our General Public Licenses are designed to make sure that you
 have the freedom to distribute copies of free software (and charge for
 them if you wish), that you receive source code or can get it if you
 want it, that you can change the software or use pieces of it in new
 free programs, and that you know you can do these things.
 To protect your rights, we need to prevent others from denying you
 these rights or asking you to surrender the rights. Therefore, you
 have certain responsibilities if you distribute copies of the
 software, or if you modify it: responsibilities to respect the freedom
 of others.
 For example, if you distribute copies of such a program, whether
 gratis or for a fee, you must pass on to the recipients the same
 freedoms that you received. You must make sure that they, too, receive
 or can get the source code. And you must show them these terms so they
 know their rights.
 Developers that use the GNU GPL protect your rights with two steps:
 (1) assert copyright on the software, and (2) offer you this License
 giving you legal permission to copy, distribute and/or modify it.
 For the developers' and authors' protection, the GPL clearly explains
 that there is no warranty for this free software. For both users' and
 authors' sake, the GPL requires that modified versions be marked as
 changed, so that their problems will not be attributed erroneously to
 authors of previous versions.
 Some devices are designed to deny users access to install or run
 modified versions of the software inside them, although the
 manufacturer can do so. This is fundamentally incompatible with the
 aim of protecting users' freedom to change the software. The
 systematic pattern of such abuse occurs in the area of products for
 individuals to use, which is precisely where it is most unacceptable.
 Therefore, we have designed this version of the GPL to prohibit the
 practice for those products. If such problems arise substantially in
 other domains, we stand ready to extend this provision to those
 domains in future versions of the GPL, as needed to protect the
 freedom of users.
 Finally, every program is threatened constantly by software patents.
 States should not allow patents to restrict development and use of
 software on general-purpose computers, but in those that do, we wish
 to avoid the special danger that patents applied to a free program
 could make it effectively proprietary. To prevent this, the GPL
 assures that patents cannot be used to render the program non-free.
 The precise terms and conditions for copying, distribution and
 modification follow.
 ### TERMS AND CONDITIONS
 #### 0. Definitions.
 "This License" refers to version 3 of the GNU General Public License.
 "Copyright" also means copyright-like laws that apply to other kinds
 of works, such as semiconductor masks.
 "The Program" refers to any copyrightable work licensed under this
 License. Each licensee is addressed as "you". "Licensees" and
 "recipients" may be individuals or organizations.
 To "modify" a work means to copy from or adapt all or part of the work
 in a fashion requiring copyright permission, other than the making of
 an exact copy. The resulting work is called a "modified version" of
 the earlier work or a work "based on" the earlier work.
 A "covered work" means either the unmodified Program or a work based
 on the Program.
 To "propagate" a work means to do anything with it that, without
 permission, would make you directly or secondarily liable for
 infringement under applicable copyright law, except executing it on a
 computer or modifying a private copy. Propagation includes copying,
 distribution (with or without modification), making available to the
 public, and in some countries other activities as well.
 To "convey" a work means any kind of propagation that enables other
 parties to make or receive copies. Mere interaction with a user
 through a computer network, with no transfer of a copy, is not
 conveying.
 An interactive user interface displays "Appropriate Legal Notices" to
 the extent that it includes a convenient and prominently visible
 feature that (1) displays an appropriate copyright notice, and (2)
 tells the user that there is no warranty for the work (except to the
 extent that warranties are provided), that licensees may convey the
 work under this License, and how to view a copy of this License. If
 the interface presents a list of user commands or options, such as a
 menu, a prominent item in the list meets this criterion.
 #### 1. Source Code.
 The "source code" for a work means the preferred form of the work for
 making modifications to it. "Object code" means any non-source form of
 a work.
 A "Standard Interface" means an interface that either is an official
 standard defined by a recognized standards body, or, in the case of
 interfaces specified for a particular programming language, one that
 is widely used among developers working in that language.
 The "System Libraries" of an executable work include anything, other
 than the work as a whole, that (a) is included in the normal form of
 packaging a Major Component, but which is not part of that Major
 Component, and (b) serves only to enable use of the work with that
 Major Component, or to implement a Standard Interface for which an
 implementation is available to the public in source code form. A
 "Major Component", in this context, means a major essential component
 (kernel, window system, and so on) of the specific operating system
 (if any) on which the executable work runs, or a compiler used to
 produce the work, or an object code interpreter used to run it.
 The "Corresponding Source" for a work in object code form means all
 the source code needed to generate, install, and (for an executable
 work) run the object code and to modify the work, including scripts to
 control those activities. However, it does not include the work's
 System Libraries, or general-purpose tools or generally available free
 programs which are used unmodified in performing those activities but
 which are not part of the work. For example, Corresponding Source
 includes interface definition files associated with source files for
 the work, and the source code for shared libraries and dynamically
 linked subprograms that the work is specifically designed to require,
 such as by intimate data communication or control flow between those
 subprograms and other parts of the work.
 The Corresponding Source need not include anything that users can
 regenerate automatically from other parts of the Corresponding Source.
 The Corresponding Source for a work in source code form is that same
 work.
 #### 2. Basic Permissions.
 All rights granted under this License are granted for the term of
 copyright on the Program, and are irrevocable provided the stated
 conditions are met. This License explicitly affirms your unlimited
 permission to run the unmodified Program. The output from running a
 covered work is covered by this License only if the output, given its
 content, constitutes a covered work. This License acknowledges your
 rights of fair use or other equivalent, as provided by copyright law.
 You may make, run and propagate covered works that you do not convey,
 without conditions so long as your license otherwise remains in force.
 You may convey covered works to others for the sole purpose of having
 them make modifications exclusively for you, or provide you with
 facilities for running those works, provided that you comply with the
 terms of this License in conveying all material for which you do not
 control copyright. Those thus making or running the covered works for
 you must do so exclusively on your behalf, under your direction and
 control, on terms that prohibit them from making any copies of your
 copyrighted material outside their relationship with you.
 Conveying under any other circumstances is permitted solely under the
 conditions stated below. Sublicensing is not allowed; section 10 makes
 it unnecessary.
 #### 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
 No covered work shall be deemed part of an effective technological
 measure under any applicable law fulfilling obligations under article
 11 of the WIPO copyright treaty adopted on 20 December 1996, or
 similar laws prohibiting or restricting circumvention of such
 measures.
 When you convey a covered work, you waive any legal power to forbid
 circumvention of technological measures to the extent such
 circumvention is effected by exercising rights under this License with
 respect to the covered work, and you disclaim any intention to limit
 operation or modification of the work as a means of enforcing, against
 the work's users, your or third parties' legal rights to forbid
 circumvention of technological measures.
 #### 4. Conveying Verbatim Copies.
 You may convey verbatim copies of the Program's source code as you
 receive it, in any medium, provided that you conspicuously and
 appropriately publish on each copy an appropriate copyright notice;
 keep intact all notices stating that this License and any
 non-permissive terms added in accord with section 7 apply to the code;
 keep intact all notices of the absence of any warranty; and give all
 recipients a copy of this License along with the Program.
 You may charge any price or no price for each copy that you convey,
 and you may offer support or warranty protection for a fee.
 #### 5. Conveying Modified Source Versions.
 You may convey a work based on the Program, or the modifications to
 produce it from the Program, in the form of source code under the
 terms of section 4, provided that you also meet all of these
 conditions:
 -   a) The work must carry prominent notices stating that you modified
    it, and giving a relevant date.
 -   b) The work must carry prominent notices stating that it is
    released under this License and any conditions added under
    section 7. This requirement modifies the requirement in section 4
    to "keep intact all notices".
 -   c) You must license the entire work, as a whole, under this
    License to anyone who comes into possession of a copy. This
    License will therefore apply, along with any applicable section 7
    additional terms, to the whole of the work, and all its parts,
    regardless of how they are packaged. This License gives no
    permission to license the work in any other way, but it does not
    invalidate such permission if you have separately received it.
 -   d) If the work has interactive user interfaces, each must display
    Appropriate Legal Notices; however, if the Program has interactive
    interfaces that do not display Appropriate Legal Notices, your
    work need not make them do so.
 A compilation of a covered work with other separate and independent
 works, which are not by their nature extensions of the covered work,
 and which are not combined with it such as to form a larger program,
 in or on a volume of a storage or distribution medium, is called an
 "aggregate" if the compilation and its resulting copyright are not
 used to limit the access or legal rights of the compilation's users
 beyond what the individual works permit. Inclusion of a covered work
 in an aggregate does not cause this License to apply to the other
 parts of the aggregate.
 #### 6. Conveying Non-Source Forms.
 You may convey a covered work in object code form under the terms of
 sections 4 and 5, provided that you also convey the machine-readable
 Corresponding Source under the terms of this License, in one of these
 ways:
 -   a) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by the
    Corresponding Source fixed on a durable physical medium
    customarily used for software interchange.
 -   b) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by a
    written offer, valid for at least three years and valid for as
    long as you offer spare parts or customer support for that product
    model, to give anyone who possesses the object code either (1) a
    copy of the Corresponding Source for all the software in the
    product that is covered by this License, on a durable physical
    medium customarily used for software interchange, for a price no
    more than your reasonable cost of physically performing this
    conveying of source, or (2) access to copy the Corresponding
    Source from a network server at no charge.
 -   c) Convey individual copies of the object code with a copy of the
    written offer to provide the Corresponding Source. This
    alternative is allowed only occasionally and noncommercially, and
    only if you received the object code with such an offer, in accord
    with subsection 6b.
 -   d) Convey the object code by offering access from a designated
    place (gratis or for a charge), and offer equivalent access to the
    Corresponding Source in the same way through the same place at no
    further charge. You need not require recipients to copy the
    Corresponding Source along with the object code. If the place to
    copy the object code is a network server, the Corresponding Source
    may be on a different server (operated by you or a third party)
    that supports equivalent copying facilities, provided you maintain
    clear directions next to the object code saying where to find the
    Corresponding Source. Regardless of what server hosts the
    Corresponding Source, you remain obligated to ensure that it is
    available for as long as needed to satisfy these requirements.
 -   e) Convey the object code using peer-to-peer transmission,
    provided you inform other peers where the object code and
    Corresponding Source of the work are being offered to the general
    public at no charge under subsection 6d.
 A separable portion of the object code, whose source code is excluded
 from the Corresponding Source as a System Library, need not be
 included in conveying the object code work.
 A "User Product" is either (1) a "consumer product", which means any
 tangible personal property which is normally used for personal,
 family, or household purposes, or (2) anything designed or sold for
 incorporation into a dwelling. In determining whether a product is a
 consumer product, doubtful cases shall be resolved in favor of
 coverage. For a particular product received by a particular user,
 "normally used" refers to a typical or common use of that class of
 product, regardless of the status of the particular user or of the way
 in which the particular user actually uses, or expects or is expected
 to use, the product. A product is a consumer product regardless of
 whether the product has substantial commercial, industrial or
 non-consumer uses, unless such uses represent the only significant
 mode of use of the product.
 "Installation Information" for a User Product means any methods,
 procedures, authorization keys, or other information required to
 install and execute modified versions of a covered work in that User
 Product from a modified version of its Corresponding Source. The
 information must suffice to ensure that the continued functioning of
 the modified object code is in no case prevented or interfered with
 solely because modification has been made.
 If you convey an object code work under this section in, or with, or
 specifically for use in, a User Product, and the conveying occurs as
 part of a transaction in which the right of possession and use of the
 User Product is transferred to the recipient in perpetuity or for a
 fixed term (regardless of how the transaction is characterized), the
 Corresponding Source conveyed under this section must be accompanied
 by the Installation Information. But this requirement does not apply
 if neither you nor any third party retains the ability to install
 modified object code on the User Product (for example, the work has
 been installed in ROM).
 The requirement to provide Installation Information does not include a
 requirement to continue to provide support service, warranty, or
 updates for a work that has been modified or installed by the
 recipient, or for the User Product in which it has been modified or
 installed. Access to a network may be denied when the modification
 itself materially and adversely affects the operation of the network
 or violates the rules and protocols for communication across the
 network.
 Corresponding Source conveyed, and Installation Information provided,
 in accord with this section must be in a format that is publicly
 documented (and with an implementation available to the public in
 source code form), and must require no special password or key for
 unpacking, reading or copying.
 #### 7. Additional Terms.
 "Additional permissions" are terms that supplement the terms of this
 License by making exceptions from one or more of its conditions.
 Additional permissions that are applicable to the entire Program shall
 be treated as though they were included in this License, to the extent
 that they are valid under applicable law. If additional permissions
 apply only to part of the Program, that part may be used separately
 under those permissions, but the entire Program remains governed by
 this License without regard to the additional permissions.
 When you convey a copy of a covered work, you may at your option
 remove any additional permissions from that copy, or from any part of
 it. (Additional permissions may be written to require their own
 removal in certain cases when you modify the work.) You may place
 additional permissions on material, added by you to a covered work,
 for which you have or can give appropriate copyright permission.
 Notwithstanding any other provision of this License, for material you
 add to a covered work, you may (if authorized by the copyright holders
 of that material) supplement the terms of this License with terms:
 -   a) Disclaiming warranty or limiting liability differently from the
    terms of sections 15 and 16 of this License; or
 -   b) Requiring preservation of specified reasonable legal notices or
    author attributions in that material or in the Appropriate Legal
    Notices displayed by works containing it; or
 -   c) Prohibiting misrepresentation of the origin of that material,
    or requiring that modified versions of such material be marked in
    reasonable ways as different from the original version; or
 -   d) Limiting the use for publicity purposes of names of licensors
    or authors of the material; or
 -   e) Declining to grant rights under trademark law for use of some
    trade names, trademarks, or service marks; or
 -   f) Requiring indemnification of licensors and authors of that
    material by anyone who conveys the material (or modified versions
    of it) with contractual assumptions of liability to the recipient,
    for any liability that these contractual assumptions directly
    impose on those licensors and authors.
 All other non-permissive additional terms are considered "further
 restrictions" within the meaning of section 10. If the Program as you
 received it, or any part of it, contains a notice stating that it is
 governed by this License along with a term that is a further
 restriction, you may remove that term. If a license document contains
 a further restriction but permits relicensing or conveying under this
 License, you may add to a covered work material governed by the terms
 of that license document, provided that the further restriction does
 not survive such relicensing or conveying.
 If you add terms to a covered work in accord with this section, you
 must place, in the relevant source files, a statement of the
 additional terms that apply to those files, or a notice indicating
 where to find the applicable terms.
 Additional terms, permissive or non-permissive, may be stated in the
 form of a separately written license, or stated as exceptions; the
 above requirements apply either way.
 #### 8. Termination.
 You may not propagate or modify a covered work except as expressly
 provided under this License. Any attempt otherwise to propagate or
 modify it is void, and will automatically terminate your rights under
 this License (including any patent licenses granted under the third
 paragraph of section 11).
 However, if you cease all violation of this License, then your license
 from a particular copyright holder is reinstated (a) provisionally,
 unless and until the copyright holder explicitly and finally
 terminates your license, and (b) permanently, if the copyright holder
 fails to notify you of the violation by some reasonable means prior to
 60 days after the cessation.
 Moreover, your license from a particular copyright holder is
 reinstated permanently if the copyright holder notifies you of the
 violation by some reasonable means, this is the first time you have
 received notice of violation of this License (for any work) from that
 copyright holder, and you cure the violation prior to 30 days after
 your receipt of the notice.
 Termination of your rights under this section does not terminate the
 licenses of parties who have received copies or rights from you under
 this License. If your rights have been terminated and not permanently
 reinstated, you do not qualify to receive new licenses for the same
 material under section 10.
 #### 9. Acceptance Not Required for Having Copies.
 You are not required to accept this License in order to receive or run
 a copy of the Program. Ancillary propagation of a covered work
 occurring solely as a consequence of using peer-to-peer transmission
 to receive a copy likewise does not require acceptance. However,
 nothing other than this License grants you permission to propagate or
 modify any covered work. These actions infringe copyright if you do
 not accept this License. Therefore, by modifying or propagating a
 covered work, you indicate your acceptance of this License to do so.
 #### 10. Automatic Licensing of Downstream Recipients.
 Each time you convey a covered work, the recipient automatically
 receives a license from the original licensors, to run, modify and
 propagate that work, subject to this License. You are not responsible
 for enforcing compliance by third parties with this License.
 An "entity transaction" is a transaction transferring control of an
 organization, or substantially all assets of one, or subdividing an
 organization, or merging organizations. If propagation of a covered
 work results from an entity transaction, each party to that
 transaction who receives a copy of the work also receives whatever
 licenses to the work the party's predecessor in interest had or could
 give under the previous paragraph, plus a right to possession of the
 Corresponding Source of the work from the predecessor in interest, if
 the predecessor has it or can get it with reasonable efforts.
 You may not impose any further restrictions on the exercise of the
 rights granted or affirmed under this License. For example, you may
 not impose a license fee, royalty, or other charge for exercise of
 rights granted under this License, and you may not initiate litigation
 (including a cross-claim or counterclaim in a lawsuit) alleging that
 any patent claim is infringed by making, using, selling, offering for
 sale, or importing the Program or any portion of it.
 #### 11. Patents.
 A "contributor" is a copyright holder who authorizes use under this
 License of the Program or a work on which the Program is based. The
 work thus licensed is called the contributor's "contributor version".
 A contributor's "essential patent claims" are all patent claims owned
 or controlled by the contributor, whether already acquired or
 hereafter acquired, that would be infringed by some manner, permitted
 by this License, of making, using, or selling its contributor version,
 but do not include claims that would be infringed only as a
 consequence of further modification of the contributor version. For
 purposes of this definition, "control" includes the right to grant
 patent sublicenses in a manner consistent with the requirements of
 this License.
 Each contributor grants you a non-exclusive, worldwide, royalty-free
 patent license under the contributor's essential patent claims, to
 make, use, sell, offer for sale, import and otherwise run, modify and
 propagate the contents of its contributor version.
 In the following three paragraphs, a "patent license" is any express
 agreement or commitment, however denominated, not to enforce a patent
 (such as an express permission to practice a patent or covenant not to
 sue for patent infringement). To "grant" such a patent license to a
 party means to make such an agreement or commitment not to enforce a
 patent against the party.
 If you convey a covered work, knowingly relying on a patent license,
 and the Corresponding Source of the work is not available for anyone
 to copy, free of charge and under the terms of this License, through a
 publicly available network server or other readily accessible means,
 then you must either (1) cause the Corresponding Source to be so
 available, or (2) arrange to deprive yourself of the benefit of the
 patent license for this particular work, or (3) arrange, in a manner
 consistent with the requirements of this License, to extend the patent
 license to downstream recipients. "Knowingly relying" means you have
 actual knowledge that, but for the patent license, your conveying the
 covered work in a country, or your recipient's use of the covered work
 in a country, would infringe one or more identifiable patents in that
 country that you have reason to believe are valid.
 If, pursuant to or in connection with a single transaction or
 arrangement, you convey, or propagate by procuring conveyance of, a
 covered work, and grant a patent license to some of the parties
 receiving the covered work authorizing them to use, propagate, modify
 or convey a specific copy of the covered work, then the patent license
 you grant is automatically extended to all recipients of the covered
 work and works based on it.
 A patent license is "discriminatory" if it does not include within the
 scope of its coverage, prohibits the exercise of, or is conditioned on
 the non-exercise of one or more of the rights that are specifically
 granted under this License. You may not convey a covered work if you
 are a party to an arrangement with a third party that is in the
 business of distributing software, under which you make payment to the
 third party based on the extent of your activity of conveying the
 work, and under which the third party grants, to any of the parties
 who would receive the covered work from you, a discriminatory patent
 license (a) in connection with copies of the covered work conveyed by
 you (or copies made from those copies), or (b) primarily for and in
 connection with specific products or compilations that contain the
 covered work, unless you entered into that arrangement, or that patent
 license was granted, prior to 28 March 2007.
 Nothing in this License shall be construed as excluding or limiting
 any implied license or other defenses to infringement that may
 otherwise be available to you under applicable patent law.
 #### 12. No Surrender of Others' Freedom.
 If conditions are imposed on you (whether by court order, agreement or
 otherwise) that contradict the conditions of this License, they do not
 excuse you from the conditions of this License. If you cannot convey a
 covered work so as to satisfy simultaneously your obligations under
 this License and any other pertinent obligations, then as a
 consequence you may not convey it at all. For example, if you agree to
 terms that obligate you to collect a royalty for further conveying
 from those to whom you convey the Program, the only way you could
 satisfy both those terms and this License would be to refrain entirely
 from conveying the Program.
 #### 13. Use with the GNU Affero General Public License.
 Notwithstanding any other provision of this License, you have
 permission to link or combine any covered work with a work licensed
 under version 3 of the GNU Affero General Public License into a single
 combined work, and to convey the resulting work. The terms of this
 License will continue to apply to the part which is the covered work,
 but the special requirements of the GNU Affero General Public License,
 section 13, concerning interaction through a network will apply to the
 combination as such.
 #### 14. Revised Versions of this License.
 The Free Software Foundation may publish revised and/or new versions
 of the GNU General Public License from time to time. Such new versions
 will be similar in spirit to the present version, but may differ in
 detail to address new problems or concerns.
 Each version is given a distinguishing version number. If the Program
 specifies that a certain numbered version of the GNU General Public
 License "or any later version" applies to it, you have the option of
 following the terms and conditions either of that numbered version or
 of any later version published by the Free Software Foundation. If the
 Program does not specify a version number of the GNU General Public
 License, you may choose any version ever published by the Free
 Software Foundation.
 If the Program specifies that a proxy can decide which future versions
 of the GNU General Public License can be used, that proxy's public
 statement of acceptance of a version permanently authorizes you to
 choose that version for the Program.
 Later license versions may give you additional or different
 permissions. However, no additional obligations are imposed on any
 author or copyright holder as a result of your choosing to follow a
 later version.
 #### 15. Disclaimer of Warranty.
 THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
 APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
 HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT
 WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
 PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
 DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
 CORRECTION.
 #### 16. Limitation of Liability.
 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR
 CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
 INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
 ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT
 NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
 LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
 TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
 PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
 #### 17. Interpretation of Sections 15 and 16.
 If the disclaimer of warranty and limitation of liability provided
 above cannot be given local legal effect according to their terms,
 reviewing courts shall apply local law that most closely approximates
 an absolute waiver of all civil liability in connection with the
 Program, unless a warranty or assumption of liability accompanies a
 copy of the Program in return for a fee.
 END OF TERMS AND CONDITIONS
 ### How to Apply These Terms to Your New Programs
 If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
 free software which everyone can redistribute and change under these
 terms.
 To do so, attach the following notices to the program. It is safest to
 attach them to the start of each source file to most effectively state
 the exclusion of warranty; and each file should have at least the
 "copyright" line and a pointer to where the full notice is found.
        <one line to give the program's name and a brief idea of what it does.>
        Copyright (C) <year>  <name of author>
        This program is free software: you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation, either version 3 of the License, or
        (at your option) any later version.
        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
        GNU General Public License for more details.
        You should have received a copy of the GNU General Public License
        along with this program.  If not, see <https://www.gnu.org/licenses/>.
 Also add information on how to contact you by electronic and paper
 mail.
 If the program does terminal interaction, make it output a short
 notice like this when it starts in an interactive mode:
        <program>  Copyright (C) <year>  <name of author>
        This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
        This is free software, and you are welcome to redistribute it
        under certain conditions; type `show c' for details.
 The hypothetical commands \`show w' and \`show c' should show the
 appropriate parts of the General Public License. Of course, your
 program's commands might be different; for a GUI interface, you would
 use an "about box".
 You should also get your employer (if you work as a programmer) or
 school, if any, to sign a "copyright disclaimer" for the program, if
 necessary. For more information on this, and how to apply and follow
 the GNU GPL, see <https://www.gnu.org/licenses/>.
 The GNU General Public License does not permit incorporating your
 program into proprietary programs. If your program is a subroutine
 library, you may consider it more useful to permit linking proprietary
 applications with the library. If this is what you want to do, use the
 GNU Lesser General Public License instead of this License. But first,
 please read <https://www.gnu.org/licenses/why-not-lgpl.html>.
--- a/DEBUG.md
+++ b/DEBUG.md
@ -1,63 +0,0 @@
 Debug output and logs
 =====================
 [![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
 [![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
 [![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
 [![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
 [![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
 [⬅️ Go back to main README](README.md)
 Sometimes scripts do not behave as expected. In these cases debug output
 or logs can help.
 ## Debug output
 Run this command in a terminal:
    :set PrintDebug true;
 You will then see debug output when running the script from terminal.
 To revert to default output run:
    :set PrintDebug false;
 ### Debug output for specific script
 Even having debug output for a specific script or function only (or a
 set of) is possible. To enable debug output for `telegram-chat` run:
    :set ($PrintDebugOverride->"telegram-chat") true;
 ## Debug logs
 The debug info can go to system log. To make it show up in `memory` run:
    /system/logging/add topics=script,debug action=memory;
 Other actions (`disk`, `email`, `remote` or `support`) can be used as
 well. I do not recommend using `echo` - use [debug output](#debug-output)
 instead.
 Disable or remote that setting to restore regular logging.
 ## Verbose output
 Specific scripts can generate huge amount of output. These do use a function
 `$LogPrintVerbose`, which is declared, but has no code, intentionally.
 If you *really* want that output set the function to be the same as
 `$LogPrint`:
    :set LogPrintVerbose $LogPrint;
 To revert that change just run:
    :set LogPrintVerbose;
 ---
 [⬅️ Go back to main README](README.md)  
 [⬆️ Go back to top](#top)
--- a/INITIAL-COMMANDS.md
+++ b/INITIAL-COMMANDS.md
@ -1,53 +0,0 @@
 Initial commands
 ================
 [![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
 [![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
 [![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
 [![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
 [![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
 [⬅️ Go back to main README](README.md)
 > ⚠️ **Warning**: These command are inteneded for initial setup. If you are
 > not aware of the procedure please follow
 > [the long way in detail](README.md#the-long-way-in-detail).
 Run the complete base installation:
    {
      /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem" as-value;
      :delay 1s;
      /certificate/import file-name="isrg-root-x2.pem" passphrase="";
      :if ([ :len [ /certificate/find where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470" ] ] != 1) do={
        :error "Something is wrong with your certificates!";
      };
      :delay 1s;
      /system/script/set name=("global-config-overlay-" . [ /system/clock/get date ] . "-" . [ /system/clock/get time ]) [ find where name="global-config-overlay" ];
      :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={
        /system/script/remove [ find where name=$Script ];
        /system/script/add name=$Script owner=$Script source=([ /tool/fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit/routeros-scripts/plain/" . $Script . ".rsc") output=user as-value]->"data");
      };
      /system/script { run global-config; run global-functions; };
      /system/scheduler/remove [ find where name="global-scripts" ];
      /system/scheduler/add name="global-scripts" start-time=startup on-event="/system/script { run global-config; run global-functions; }";
      :global CertificateNameByCN;
      $CertificateNameByCN "ISRG Root X2";
    };
 Then continue setup with
 [scheduled automatic updates](README.md#scheduled-automatic-updates) or
 [editing configuration](README.md#editing-configuration).
 ## Fix existing installation
 The [initial commands](#initial-commands) above allow to fix an existing
 installation in case it ever breaks. If `global-config-overlay` did exist
 before it is renamed with a date and time suffix (like
 `global-config-overlay-2024-01-25-09:33:12`). Make sure to restore the
 configuration overlay if required.
 ---
 [⬅️ Go back to main README](README.md)  
 [⬆️ Go back to top](#top)
--- a/33
+++ b/33
@ -2,35 +2,24 @@
 #  template scripts -> final scripts
 #  markdown files -> html files
-CAPSMAN = $(wildcard *.capsman.rsc)
+TEMPLATE = $(wildcard *.template)
-LOCAL = $(wildcard *.local.rsc)
+CAPSMAN = $(TEMPLATE:.template=.capsman)
-WIFI = $(wildcard *.wifi.rsc)
+LOCAL = $(TEMPLATE:.template=.local)
-MARKDOWN = $(wildcard *.md doc/*.md doc/mod/*.md)
+MARKDOWN = $(wildcard *.md)
-HTML = $(MARKDOWN:.md=.html)
+HTML =  $(MARKDOWN:.md=.html)
-all: $(CAPSMAN) $(LOCAL) $(WIFI) $(HTML)
+all: $(CAPSMAN) $(LOCAL) $(HTML)
 %.html: %.md Makefile
-	markdown $< | sed 's/href="\([-_\./[:alnum:]]*\)\.md"/href="\1.html"/g' > $@
+	markdown $< | sed 's/href="\([-[:alnum:]]*\)\.md"/href="\1.html"/g' > $@
-%.capsman.rsc: %.template.rsc Makefile
+%.local: %.template Makefile
-	sed -e '/\/interface\/wifi\//d' -e '/\/interface\/wireless\//d' -e 's|%TEMPL%|.capsman|' \
+	sed -e '/\/ caps-man/d' -e 's|%PATH%|interface wireless|' -e 's|%TEMPL%|$(suffix $@)|' \
 		-e '/^# NOT \/caps-man\/ #$$/,/^# NOT \/caps-man\/ #$$/d' \
 		-e '/^# !!/,/^# !!/c # !! Do not edit this file, it is generated from template!' \
 		< $< > $@
-%.local.rsc: %.template.rsc Makefile
+%.capsman: %.template Makefile
-	sed -e '/\/caps-man\//d' -e '/\/interface\/wifi\//d' -e 's|%TEMPL%|.local|' \
+	sed -e '/\/ interface wireless/d' -e 's/%PATH%/caps-man/' -e 's/%TEMPL%/$(suffix $@)/' \
 		-e '/^# NOT \/interface\/wireless\/ #$$/,/^# NOT \/interface\/wireless\/ #$$/d' \
 		-e '/^# !!/,/^# !!/c # !! Do not edit this file, it is generated from template!' \
 		< $< > $@
 %.wifi.rsc: %.template.rsc Makefile
 	sed -e '/\/caps-man\//d' -e '/\/interface\/wireless\//d' -e 's|%TEMPL%|.wifi|' \
 		-e '/^# NOT \/interface\/wifi\/ #$$/,/^# NOT \/interface\/wifi\/ #$$/d' \
 		-e '/^# !!/,/^# !!/c # !! Do not edit this file, it is generated from template!' \
 		< $< > $@
 clean:
 	rm -f $(HTML)
--- a/README.d/01-download-certs.avif
+++ b/README.d/01-download-certs.avif
--- a/README.d/02-import-certs.avif
+++ b/README.d/02-import-certs.avif
--- a/README.d/03-check-certs.avif
+++ b/README.d/03-check-certs.avif
--- a/README.d/04-import-scripts.avif
+++ b/README.d/04-import-scripts.avif
--- a/README.d/05-run-and-schedule-scripts.avif
+++ b/README.d/05-run-and-schedule-scripts.avif
--- a/README.d/06-schedule-update.avif
+++ b/README.d/06-schedule-update.avif
--- a/README.d/07-edit-global-config-overlay.avif
+++ b/README.d/07-edit-global-config-overlay.avif
--- a/README.d/08-apply-configuration.avif
+++ b/README.d/08-apply-configuration.avif
--- a/README.d/09-update-scripts.avif
+++ b/README.d/09-update-scripts.avif
--- a/README.d/10-install-scripts.avif
+++ b/README.d/10-install-scripts.avif
--- a/README.d/11-schedule-script.avif
+++ b/README.d/11-schedule-script.avif
--- a/README.d/12-setup-lease-script.avif
+++ b/README.d/12-setup-lease-script.avif
--- a/README.d/13-install-custom-script.avif
+++ b/README.d/13-install-custom-script.avif
--- a/README.d/14-remove-script.avif
+++ b/README.d/14-remove-script.avif
--- a/README.d/hello-world.rsc
+++ b/README.d/hello-world.rsc
@ -1,3 +0,0 @@
 #!rsc by RouterOS
 :put ("Hello World from " . [ /system/identity/get name ] . "!");
--- a/README.d/notification-news-and-changes.avif
+++ b/README.d/notification-news-and-changes.avif
--- a/README.d/telegram-group.avif
+++ b/README.d/telegram-group.avif
--- a/README.d/upstream.png
+++ b/README.d/upstream.png
--- a/README.md
+++ b/README.md
@ -1,52 +1,23 @@
 RouterOS Scripts
 ================
 [![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
 [![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
 [![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
 [![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
 [![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
 ![RouterOS Scripts Logo](logo.svg)
 [RouterOS](https://mikrotik.com/software) is the operating system developed
 by [MikroTik](https://mikrotik.com/aboutus) for networking tasks. This
 repository holds a number of [scripts](https://wiki.mikrotik.com/wiki/Manual:Scripting)
 to manage RouterOS devices or extend their functionality.
-*Use at your own risk*, pay attention to
+*Use at your own risk!*
 [license and warranty](#license-and-warranty)!
 Requirements
 ------------
-### Software (RouterOS)
+Latest version of the scripts require at least **RouterOS 6.43** to function
 properly. The changelog lists the corresponding change as follows:
-Latest version of the scripts require recent RouterOS to function properly.
+> *) fetch - added "as-value" output format;
 Make sure to install latest updates before you begin. If new functionality
 or a breaking change in RouterOS `7.n` is used in my scripts I push my
 change some time after `7.(n+1)` was released. At any time you should have
 at least two minor and their bugfix releases to choose from.
-Specific scripts may require even newer RouterOS version.
+Specific scripts may require even newer RouterOS version, for example cloud
-
+backup was added in 6.44.
 > ℹ️ **Info**: The `main` branch is now RouterOS v7 only. If you are still
 > running RouterOS v6 switch to `routeros-v6` branch!
 Starting with RouterOS 7.17 the
 [device-mode](https://help.mikrotik.com/docs/spaces/ROS/pages/93749258/Device-mode)
 has been extended to give more fine-grained control over what features are
 available. You need to enable `scheduler` and `fetch` at least, specific
 scripts may require additional features.
 ### Hardware
 RouterOS packages increase in size with each release. This becomes a
 problem for devices with 16MB storage and below, those with an ARM CPU
 are specifically affected.
 Huge configuration and lots of scripts give an extra risk. **Take care!**
 Initial setup
 -------------
@ -54,9 +25,9 @@ Initial setup
 ### Get me ready!
 If you know how things work just copy and paste the
-[initial commands](INITIAL-COMMANDS.md). Remember to edit and rerun
+[initial commands](initial-commands). Remember to edit and rerun
-`global-config-overlay`!
+`global-config`!
-First time users should take the long way below.
+First time useres should take the long way below.
 ### Live presentation
@ -65,9 +36,6 @@ RouterOS script distribution](https://www.youtube.com/watch?v=B9neG3oAhcY)
 including demonstation recorded live at [MUM Europe
 2019](https://mum.mikrotik.com/2019/EU/) in Vienna.
 > ⚠️ **Warning**: Some details changed. So see the presentation, then follow
 > the steps below for up-to-date commands.
 ### The long way in detail
 The update script does server certificate verification, so first step is to
@ -75,309 +43,107 @@ download the certificates. If you intend to download the scripts from a
 different location (for example from github.com) install the corresponding
 certificate chain.
-    /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem";
+    [admin@MikroTik] > / tool fetch "https://git.eworm.de/cgit.cgi/routeros-scripts/plain/certs/letsencrypt.pem" dst-path="letsencrypt.pem"
-
+          status: finished
-![screenshot: download certs](README.d/01-download-certs.avif)
+      downloaded: 3KiBC-z pause]
           total: 3KiB
        duration: 1s
 Note that the commands above do *not* verify server certificate, so if you
 want to be safe download with your workstations's browser and transfer the
-file to your MikroTik device.
+files to your MikroTik device.
-* [ISRG Root X2](https://letsencrypt.org/certs/isrg-root-x2.pem)
+* [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem.txt)
 * [Let's Encrypt Authority X3](https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt)
-Then we import the certificate.
+Then we import the certificates.
-    /certificate/import file-name="isrg-root-x2.pem" passphrase="";
+    [admin@MikroTik] > / certificate import file-name=letsencrypt.pem passphrase=""
         certificates-imported: 3
         private-keys-imported: 0
                files-imported: 1
           decryption-failures: 0
      keys-with-no-certificate: 0
-Do not worry that the command is not shown - that happens because it contains
+For basic verification we rename the certifiactes and print their count. Make
-a sensitive property, the passphrase.
+sure the certificate count is **three**.
-![screenshot: import certs](README.d/02-import-certs.avif)
+    [admin@MikroTik] > / certificate set name="ISRG-Root-X1" [ find where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" ]
-
+    [admin@MikroTik] > / certificate set name="Let-s-Encrypt-Authority-X3" [ find where fingerprint="731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568" ]
-For basic verification we rename the certificate and print it by
+    [admin@MikroTik] > / certificate set name="DST-Root-CA-X3" [ find where fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" ]
-fingerprint. Make sure exactly this one certificate ("*ISRG-Root-X2*")
+    [admin@MikroTik] > / certificate print count-only where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" or fingerprint="731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568" or fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
-is shown.
+    3
    /certificate/set name="ISRG-Root-X2" [ find where common-name="ISRG Root X2" ];
    /certificate/print proplist=name,fingerprint where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
 ![screenshot: check certs](README.d/03-check-certs.avif)
 Always make sure there are no certificates installed you do not know or want!
-All following commands will verify the server certificate. For validity the
+Actually we do not require the certificate named `DST Root CA X3`, but as it
-certificate's lifetime is checked with local time, so make sure the device's
+is used by `Let's Encrypt` to cross-sign we install it anyway - this makes
-date and time is set correctly!
+sure things do not go wrong if the intermediate certificate is replaced.
 The IdenTrust certificate *should* be available from their
 [download page](https://www.identrust.com/support/downloads). The site is
 crap and a good example how to *not* do it.
 Now let's download the main scripts and add them in configuration on the fly.
-    :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={ /system/script/add name=$Script owner=$Script source=([ /tool/fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit/routeros-scripts/plain/" . $Script . ".rsc") output=user as-value]->"data"); };
+    [admin@MikroTik] > :foreach Script in={ "global-config"; "global-functions"; "script-updates" } do={ / system script add name=$Script source=([ / tool fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit.cgi/routeros-scripts/plain/" . $Script) output=user as-value]->"data"); }
-![screenshot: import scripts](README.d/04-import-scripts.avif)
+The configuration needs to be tweaked for your needs. Make sure not to send
 your mails to `mail@example.com`!
-And finally load configuration and functions and add the scheduler.
+    [admin@MikroTik] > / system script edit global-config source
-    /system/script { run global-config; run global-functions; };
+And finally load configuration and functions and add the schedulers.
    /system/scheduler/add name="global-scripts" start-time=startup on-event="/system/script { run global-config; run global-functions; }";
-![screenshot: run and schedule scripts](README.d/05-run-and-schedule-scripts.avif)
+    [admin@MikroTik] > / system script run global-config
-
+    [admin@MikroTik] > / system script run global-functions
-### Scheduled automatic updates
+    [admin@MikroTik] > / system scheduler add name=global-config start-time=startup on-event=global-config
-
+    [admin@MikroTik] > / system scheduler add name=global-functions start-time=startup on-event=global-functions
 The last step is optional: Add this scheduler **only** if you want the
 scripts to be updated automatically!
    /system/scheduler/add name="ScriptInstallUpdate" start-time=startup interval=1d on-event=":global ScriptInstallUpdate; \$ScriptInstallUpdate;";
 ![screenshot: schedule update](README.d/06-schedule-update.avif)
 Editing configuration
 ---------------------
 The configuration needs to be tweaked for your needs. Edit
 `global-config-overlay`, copy relevant configuration from
 [`global-config`](global-config.rsc) (the one without `-overlay`).
 Save changes and exit with `Ctrl-o`.
    /system/script/edit global-config-overlay source;
 ![screenshot: edit global-config-overlay](README.d/07-edit-global-config-overlay.avif)
 Additionally creating configuration snippets is supported. The script name
 of these snippets has to start with `global-config-overlay.d/` to make them
 being loaded automatically. This allows to split off parts of the
 configuration.
 To apply your changes run `global-config`, which will automatically load
 the overlay as well:
    /system/script/run global-config;
 ![screenshot: apply configuration](README.d/08-apply-configuration.avif)
 This last step is required when ever you make changes to your configuration.
 > ℹ️ **Info**: It is recommended to edit the configuration using the command
 > line interface. If using Winbox on Windows OS, the line endings may be
 > missing. To fix this run:
 > `/system/script/set source=[ :tocrlf [ get global-config-overlay source ] ] global-config-overlay;`
 Updating scripts
 ----------------
-To update existing scripts just run function `$ScriptInstallUpdate`. If
+To update existing scripts just run `script-updates`.
 everything is up-to-date it will not produce any output.
-    $ScriptInstallUpdate;
+    [admin@MikroTik] > / system script run script-updates
 ![screenshot: update scripts](README.d/09-update-scripts.avif)
 If the update includes news or requires configuration changes a notification
 is sent - in addition to terminal output and log messages.
 ![news and changes notification](README.d/notification-news-and-changes.avif)
 Adding a script
 ---------------
-To add a script from the repository run function `$ScriptInstallUpdate` with
+To add a script from the repository create a configuration item first, then
-a comma separated list of script names.
+update scripts to fetch the source.
-    $ScriptInstallUpdate check-certificates,check-routeros-update;
+    [admin@MikroTik] > / system script add name=check-routeros-update
-
+    [admin@MikroTik] > / system script run script-updates
 ![screenshot: install scripts](README.d/10-install-scripts.avif)
 Scheduler and events
 --------------------
 Most scripts are designed to run regularly from
 [scheduler](https://wiki.mikrotik.com/wiki/Manual:System/Scheduler). We just
-added `check-routeros-update`, so let's run it daily to make sure not to
+added `check-routeros-update`, so let's run it every hour to make sure not to
 miss an update.
-    /system/scheduler/add name="check-routeros-update" interval=1d start-time=startup on-event="/system/script/run check-routeros-update;";
+    [admin@MikroTik] > / system scheduler add name=check-routeros-update interval=1h on-event=check-routeros-update
 ![screenshot: schedule script](README.d/11-schedule-script.avif)
 Some events can run a script. If you want your DHCP hostnames to be available
 in DNS use `dhcp-to-dns` with the events from dhcp server. For a regular
 cleanup add a scheduler entry.
-    $ScriptInstallUpdate dhcp-to-dns,lease-script;
+    [admin@MikroTik] > / system script add name=dhcp-to-dns
-    /ip/dhcp-server/set lease-script=lease-script [ find ];
+    [admin@MikroTik] > / system script run script-updates
-    /system/scheduler/add name="dhcp-to-dns" interval=5m on-event="/system/script/run dhcp-to-dns;";
+    [admin@MikroTik] > / ip dhcp-server set lease-script=dhcp-to-dns [ find ]
-
+    [admin@MikroTik] > / system scheduler add name=dhcp-to-dns interval=5m on-event=dhcp-to-dns
 ![screenshot: setup lease script](README.d/12-setup-lease-script.avif)
 There's much more to explore... Have fun!
-Available scripts
+### Upstream
 -----------------
 * [Find and remove access list duplicates](doc/accesslist-duplicates.md)
 * [Upload backup to Mikrotik cloud](doc/backup-cloud.md)
 * [Send backup via e-mail](doc/backup-email.md)
 * [Save configuration to fallback partition](doc/backup-partition.md)
 * [Upload backup to server](doc/backup-upload.md)
 * [Download packages for CAP upgrade from CAPsMAN](doc/capsman-download-packages.md)
 * [Run rolling CAP upgrades from CAPsMAN](doc/capsman-rolling-upgrade.md)
 * [Renew locally issued certificates](doc/certificate-renew-issued.md)
 * [Renew certificates and notify on expiration](doc/check-certificates.md)
 * [Notify about health state](doc/check-health.md)
 * [Notify on LTE firmware upgrade](doc/check-lte-firmware-upgrade.md)
 * [Notify on RouterOS update](doc/check-routeros-update.md)
 * [Collect MAC addresses in wireless access list](doc/collect-wireless-mac.md)
 * [Use wireless network with daily psk](doc/daily-psk.md)
 * [Comment DHCP leases with info from access list](doc/dhcp-lease-comment.md)
 * [Create DNS records for DHCP leases](doc/dhcp-to-dns.md)
 * [Automatically upgrade firmware and reboot](doc/firmware-upgrade-reboot.md)
 * [Download, import and update firewall address-lists](doc/fw-addr-lists.md)
 * [Wait for global functions und modules](doc/global-wait.md)
 * [Send GPS position to server](doc/gps-track.md)
 * [Use WPA network with hotspot credentials](doc/hotspot-to-wpa.md)
 * [Create DNS records for IPSec peers](doc/ipsec-to-dns.md)
 * [Update configuration on IPv6 prefix change](doc/ipv6-update.md)
 * [Manage IP addresses with bridge status](doc/ip-addr-bridge.md)
 * [Run other scripts on DHCP lease](doc/lease-script.md)
 * [Manage LEDs dark mode](doc/leds-mode.md)
 * [Forward log messages via notification](doc/log-forward.md)
 * [Mode button with multiple presses](doc/mode-button.md)
 * [Manage DNS and DoH servers from netwatch](doc/netwatch-dns.md)
 * [Notify on host up and down](doc/netwatch-notify.md)
 * [Visualize OSPF state via LEDs](doc/ospf-to-leds.md)
 * [Manage system update](doc/packages-update.md)
 * [Run scripts on ppp connection](doc/ppp-on-up.md)
 * [Act on received SMS](doc/sms-action.md)
 * [Forward received SMS](doc/sms-forward.md)
 * [Play Super Mario theme](doc/super-mario-theme.md)
 * [Chat with your router and send commands via Telegram bot](doc/telegram-chat.md)
 * [Install LTE firmware upgrade](doc/unattended-lte-firmware-upgrade.md)
 * [Update GRE configuration with dynamic addresses](doc/update-gre-address.md)
 * [Update tunnelbroker configuration](doc/update-tunnelbroker.md)
 Available modules
 -----------------
 * [Manage ports in bridge](doc/mod/bridge-port-to.md)
 * [Manage VLANs on bridge ports](doc/mod/bridge-port-vlan.md)
 * [Inspect variables](doc/mod/inspectvar.md)
 * [IP address calculation](doc/mod/ipcalc.md)
 * [Send notifications via e-mail](doc/mod/notification-email.md)
 * [Send notifications via Matrix](doc/mod/notification-matrix.md)
 * [Send notifications via Ntfy](doc/mod/notification-ntfy.md)
 * [Send notifications via Telegram](doc/mod/notification-telegram.md)
 * [Download script and run it once](doc/mod/scriptrunonce.md)
 * [Import ssh keys for public key authentication](doc/mod/ssh-keys-import.md)
 Installing custom scripts & modules
 -----------------------------------
 My scripts cover a lot of use cases, but you may have your own ones. You can
 still use my scripts to manage and deploy yours, by specifying `base-url`
 (and `url-suffix`) for each script.
 This will fetch and install a script `hello-world.rsc` from the given url:
    $ScriptInstallUpdate hello-world "base-url=https://git.eworm.de/cgit/routeros-scripts-custom/plain/";
 ![screenshot: install custom script](README.d/13-install-custom-script.avif)
 For a script to be considered valid it has to begin with a *magic token*.
 Have a look at [any script](README.d/hello-world.rsc) and copy the first line
 without modification.
 Starting a script's name with `mod/` makes it a module and it is run
 automatically by `global-functions`.
 ### Linked custom scripts & modules
 > ⚠️ **Warning**: These links are being provided for your convenience only;
 > they do not constitute an endorsement or an approval by me. I bear no
 > responsibility for the accuracy, legality or content of the external site
 > or for that of subsequent links. Contact the external site for answers to
 > questions regarding its content.
 * [Hello World](https://git.eworm.de/cgit/routeros-scripts-custom/about/doc/hello-world.md)
  (This is a demo script to show how the linking to external documentation
  will be done.)
 > ℹ️ **Info**: You have your own set of scripts and/or modules and want these
 > to be listed here? There should be a general info page that links here,
 > and documentation for each script. You can start by cloning my
 > [Custom RouterOS-Scripts](https://git.eworm.de/cgit/routeros-scripts-custom/)
 > (or fork on [GitHub](https://github.com/eworm-de/routeros-scripts-custom)
 > or [GitLab](https://gitlab.com/eworm-de/routeros-scripts-custom)) and make
 > your changes. Then please [get in contact](#patches-issues-and-whishlist)...
 Removing a script
 -----------------
 There is no specific function for script removal. Just remove it from
 configuration...
    /system/script/remove to-be-removed;
 ![screenshot: remove script](README.d/14-remove-script.avif)
 Possibly a scheduler and other configuration has to be removed as well.
 Contact
 -------
 We have a Telegram Group [RouterOS-Scripts](https://t.me/routeros_scripts)!
 [![RouterOS Scripts Telegram Group](README.d/telegram-group.avif)](https://t.me/routeros_scripts)
 Get help, give feedback or just chat - but do not expect free professional
 support!
 Contribute
 ----------
 Thanks a lot for [past contributions](CONTRIBUTIONS.md)! ❤️
 ### Patches, issues and whishlist
 Feel free to contact me via e-mail or open an
 [issue](https://github.com/eworm-de/routeros-scripts/issues) or
 [pull request](https://github.com/eworm-de/routeros-scripts/pulls)
 at github.
 ### Donate
 This project is developed in private spare time and usage is free of charge
 for you. If you like the scripts and think this is of value for you or your
 business please consider to
 [donate with PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J).
 [![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=for-the-badge)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
 Thanks a lot for your support!
 License and warranty
 --------------------
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 [GNU General Public License](COPYING.md) for more details.
 Upstream
 --------
 [![upstream](README.d/upstream.png)](https://rsc.eworm.de/)
 URL:
 [GitHub.com](https://github.com/eworm-de/routeros-scripts#routeros-scripts)
 Mirror:
-[eworm.de](https://git.eworm.de/cgit/routeros-scripts/about/)
+[eworm.de](https://git.eworm.de/cgit.cgi/routeros-scripts/about/)
 [GitLab.com](https://gitlab.com/eworm-de/routeros-scripts#routeros-scripts)
 ---
-[⬆️ Go back to top](#top)
+[▲ Go back to top](#top)
--- a/accesslist-duplicates.capsman
+++ b/accesslist-duplicates.capsman
@ -0,0 +1,34 @@
 #!rsc
 # RouterOS script: accesslist-duplicates.capsman
 # Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
 #
 # print duplicate antries in wireless access list
 #
 # !! Do not edit this file, it is generated from template!
 :local Seen [ :toarray "" ];
 :local Shown [ :toarray "" ];
 :foreach AccList in=[ / caps-man access-list find where mac-address!="00:00:00:00:00:00" ] do={
  :local Mac [ / caps-man access-list get $AccList mac-address ];
  :foreach SeenMac in=$Seen do={
    :if ($SeenMac = $Mac) do={
      :local Skip 0;
      :foreach ShownMac in=$Shown do={
        :if ($ShownMac = $Mac) do={ :set Skip 1; }
      }
      :if ($Skip = 0) do={
        / caps-man access-list print where mac-address=$Mac;
        :set Shown ($Shown, $Mac);
        :put "\nNumeric id to remove, any key to skip!";
        :local Remove ([ :terminal inkey ] - 48);
        :if ($Remove >= 0 && $Remove <= 9) do={
          :put ("Removing numeric id " . $Remove . "...\n");
          / caps-man access-list remove $Remove;
        }
      }
    }
  }
  :set Seen ($Seen, $Mac);
 }
--- a/accesslist-duplicates.capsman.rsc
+++ b/accesslist-duplicates.capsman.rsc
@ -1,37 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: accesslist-duplicates.capsman
 # Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # print duplicate antries in wireless access list
 # https://rsc.eworm.de/doc/accesslist-duplicates.md
 #
 # !! Do not edit this file, it is generated from template!
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :local Seen ({});
  :foreach AccList in=[ /caps-man/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
    :local Mac [ /caps-man/access-list/get $AccList mac-address ];
    :if ($Seen->$Mac = 1) do={
      /caps-man/access-list/print where mac-address=$Mac;
      :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
      :if ([ :typeof $Remove ] = "num") do={
        :put ("Removing numeric id " . $Remove . "...\n");
        /caps-man/access-list/remove $Remove;
      }
    }
    :set ($Seen->$Mac) 1;
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/accesslist-duplicates.local
+++ b/accesslist-duplicates.local
@ -0,0 +1,34 @@
 #!rsc
 # RouterOS script: accesslist-duplicates.local
 # Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
 #
 # print duplicate antries in wireless access list
 #
 # !! Do not edit this file, it is generated from template!
 :local Seen [ :toarray "" ];
 :local Shown [ :toarray "" ];
 :foreach AccList in=[ / interface wireless access-list find where mac-address!="00:00:00:00:00:00" ] do={
  :local Mac [ / interface wireless access-list get $AccList mac-address ];
  :foreach SeenMac in=$Seen do={
    :if ($SeenMac = $Mac) do={
      :local Skip 0;
      :foreach ShownMac in=$Shown do={
        :if ($ShownMac = $Mac) do={ :set Skip 1; }
      }
      :if ($Skip = 0) do={
        / interface wireless access-list print where mac-address=$Mac;
        :set Shown ($Shown, $Mac);
        :put "\nNumeric id to remove, any key to skip!";
        :local Remove ([ :terminal inkey ] - 48);
        :if ($Remove >= 0 && $Remove <= 9) do={
          :put ("Removing numeric id " . $Remove . "...\n");
          / interface wireless access-list remove $Remove;
        }
      }
    }
  }
  :set Seen ($Seen, $Mac);
 }
--- a/accesslist-duplicates.local.rsc
+++ b/accesslist-duplicates.local.rsc
@ -1,37 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: accesslist-duplicates.local
 # Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # print duplicate antries in wireless access list
 # https://rsc.eworm.de/doc/accesslist-duplicates.md
 #
 # !! Do not edit this file, it is generated from template!
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :local Seen ({});
  :foreach AccList in=[ /interface/wireless/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
    :local Mac [ /interface/wireless/access-list/get $AccList mac-address ];
    :if ($Seen->$Mac = 1) do={
      /interface/wireless/access-list/print where mac-address=$Mac;
      :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
      :if ([ :typeof $Remove ] = "num") do={
        :put ("Removing numeric id " . $Remove . "...\n");
        /interface/wireless/access-list/remove $Remove;
      }
    }
    :set ($Seen->$Mac) 1;
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/accesslist-duplicates.template
+++ b/accesslist-duplicates.template
@ -0,0 +1,35 @@
 #!rsc
 # RouterOS script: accesslist-duplicates%TEMPL%
 # Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
 #
 # print duplicate antries in wireless access list
 #
 # !! This is just a template! Replace '%PATH%' with 'caps-man'
 # !! or 'interface wireless'!
 :local Seen [ :toarray "" ];
 :local Shown [ :toarray "" ];
 :foreach AccList in=[ / %PATH% access-list find where mac-address!="00:00:00:00:00:00" ] do={
  :local Mac [ / %PATH% access-list get $AccList mac-address ];
  :foreach SeenMac in=$Seen do={
    :if ($SeenMac = $Mac) do={
      :local Skip 0;
      :foreach ShownMac in=$Shown do={
        :if ($ShownMac = $Mac) do={ :set Skip 1; }
      }
      :if ($Skip = 0) do={
        / %PATH% access-list print where mac-address=$Mac;
        :set Shown ($Shown, $Mac);
        :put "\nNumeric id to remove, any key to skip!";
        :local Remove ([ :terminal inkey ] - 48);
        :if ($Remove >= 0 && $Remove <= 9) do={
          :put ("Removing numeric id " . $Remove . "...\n");
          / %PATH% access-list remove $Remove;
        }
      }
    }
  }
  :set Seen ($Seen, $Mac);
 }
--- a/accesslist-duplicates.template.rsc
+++ b/accesslist-duplicates.template.rsc
@ -1,46 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: accesslist-duplicates%TEMPL%
 # Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # print duplicate antries in wireless access list
 # https://rsc.eworm.de/doc/accesslist-duplicates.md
 #
 # !! This is just a template to generate the real script!
 # !! Pattern '%TEMPL%' is replaced, paths are filtered.
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :local Seen ({});
  :foreach AccList in=[ /caps-man/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
  :foreach AccList in=[ /interface/wifi/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
  :foreach AccList in=[ /interface/wireless/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
    :local Mac [ /caps-man/access-list/get $AccList mac-address ];
    :local Mac [ /interface/wifi/access-list/get $AccList mac-address ];
    :local Mac [ /interface/wireless/access-list/get $AccList mac-address ];
    :if ($Seen->$Mac = 1) do={
      /caps-man/access-list/print where mac-address=$Mac;
      /interface/wifi/access-list/print where mac-address=$Mac;
      /interface/wireless/access-list/print where mac-address=$Mac;
      :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
      :if ([ :typeof $Remove ] = "num") do={
        :put ("Removing numeric id " . $Remove . "...\n");
        /caps-man/access-list/remove $Remove;
        /interface/wifi/access-list/remove $Remove;
        /interface/wireless/access-list/remove $Remove;
      }
    }
    :set ($Seen->$Mac) 1;
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/accesslist-duplicates.wifi.rsc
+++ b/accesslist-duplicates.wifi.rsc
@ -1,37 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: accesslist-duplicates.wifi
 # Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # print duplicate antries in wireless access list
 # https://rsc.eworm.de/doc/accesslist-duplicates.md
 #
 # !! Do not edit this file, it is generated from template!
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :local Seen ({});
  :foreach AccList in=[ /interface/wifi/access-list/find where mac-address!="00:00:00:00:00:00" ] do={
    :local Mac [ /interface/wifi/access-list/get $AccList mac-address ];
    :if ($Seen->$Mac = 1) do={
      /interface/wifi/access-list/print where mac-address=$Mac;
      :local Remove [ :tonum [ /terminal/ask prompt="\nNumeric id to remove, any key to skip!" ] ];
      :if ([ :typeof $Remove ] = "num") do={
        :put ("Removing numeric id " . $Remove . "...\n");
        /interface/wifi/access-list/remove $Remove;
      }
    }
    :set ($Seen->$Mac) 1;
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/backup-cloud.rsc
+++ b/backup-cloud.rsc
@ -1,104 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: backup-cloud
 # Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # provides: backup-script, order=40
 # requires RouterOS, version=7.15
 #
 # upload backup to MikroTik cloud
 # https://rsc.eworm.de/doc/backup-cloud.md
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global BackupRandomDelay;
  :global Identity;
  :global PackagesUpdateBackupFailure;
  :global DeviceInfo;
  :global FormatLine;
  :global HumanReadableNum;
  :global LogPrint;
  :global MkDir;
  :global RandomDelay;
  :global RmDir;
  :global ScriptFromTerminal;
  :global ScriptLock;
  :global SendNotification2;
  :global SymbolForNotification;
  :global WaitForFile;
  :global WaitFullyConnected;
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set PackagesUpdateBackupFailure true;
    :set ExitOK true;
    :error false;
  }
  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
    :set PackagesUpdateBackupFailure true;
    :set ExitOK true;
    :error false;
  }
  $WaitFullyConnected;
  :if ([ $ScriptFromTerminal $ScriptName ] = false && $BackupRandomDelay > 0) do={
    $RandomDelay $BackupRandomDelay;
  }
  :if ([ $MkDir ("tmpfs/backup-cloud") ] = false) do={
    $LogPrint error $ScriptName ("Failed creating directory!");
    :set ExitOK true;
    :error false;
  }
  :local I 5;
  :do {
    :execute {
      :global BackupPassword;
      :local Backup ([ /system/backup/cloud/find ]->0);
      :if ([ :typeof $Backup ] = "id") do={
        /system/backup/cloud/upload-file action=create-and-upload \
            password=$BackupPassword replace=$Backup;
      } else={
        /system/backup/cloud/upload-file action=create-and-upload \
            password=$BackupPassword;
      }
      /file/add name="tmpfs/backup-cloud/done";
    } as-string;
    :set I ($I - 1);
  } while=([ $WaitForFile "tmpfs/backup-cloud/done" 200ms ] = false && $I > 0);
  :if ([ $WaitForFile "tmpfs/backup-cloud/done" ] = true) do={
    :if ($I < 4) do={
      :log warning ($ScriptName . ": Retry successful, please discard previous connection errors.");
    }
    :local Cloud [ /system/backup/cloud/get ([ find ]->0) ];
    $SendNotification2 ({ origin=$ScriptName; \
      subject=([ $SymbolForNotification "floppy-disk,cloud" ] . "Cloud backup"); \
      message=("Uploaded backup for " . $Identity . " to cloud.\n\n" . \
        [ $DeviceInfo ] . "\n\n" . \
        [ $FormatLine "Name" ($Cloud->"name") ] . "\n" . \
        [ $FormatLine "Size" ([ $HumanReadableNum ($Cloud->"size") 1024 ] . "B") ] . "\n" . \
        [ $FormatLine "Download key" ($Cloud->"secret-download-key") ]); silent=true });
  } else={
    $SendNotification2 ({ origin=$ScriptName; \
      subject=([ $SymbolForNotification "floppy-disk,warning-sign" ] . "Cloud backup failed"); \
      message=("Failed uploading backup for " . $Identity . " to cloud!\n\n" . [ $DeviceInfo ]) });
    $LogPrint error $ScriptName ("Failed uploading backup for " . $Identity . " to cloud!");
    :set PackagesUpdateBackupFailure true;
  }
  $RmDir "tmpfs/backup-cloud";
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/backup-email.rsc
+++ b/backup-email.rsc
@ -1,140 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: backup-email
 # Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # provides: backup-script, order=20
 # requires RouterOS, version=7.15
 #
 # create and email backup and config file
 # https://rsc.eworm.de/doc/backup-email.md
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global BackupPassword;
  :global BackupRandomDelay;
  :global BackupSendBinary;
  :global BackupSendExport;
  :global BackupSendGlobalConfig;
  :global Domain;
  :global Identity;
  :global PackagesUpdateBackupFailure;
  :global CleanName;
  :global DeviceInfo;
  :global FormatLine;
  :global LogPrint;
  :global MkDir;
  :global RandomDelay;
  :global ScriptFromTerminal;
  :global ScriptLock;
  :global SendEMail2;
  :global SymbolForNotification;
  :global WaitForFile;
  :global WaitFullyConnected;
  :if ([ :typeof $SendEMail2 ] = "nothing") do={
    $LogPrint error $ScriptName ("The module for sending notifications via e-mail is not installed.");
    :set ExitOK true;
    :error false;
  }
  :if ($BackupSendBinary != true && \
       $BackupSendExport != true) do={
    $LogPrint error $ScriptName ("Configured to send neither backup nor config export.");
    :set ExitOK true;
    :error false;
  }
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set PackagesUpdateBackupFailure true;
    :set ExitOK true;
    :error false;
  }
  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
    :set PackagesUpdateBackupFailure true;
    :set ExitOK true;
    :error false;
  }
  $WaitFullyConnected;
  :if ([ $ScriptFromTerminal $ScriptName ] = false && $BackupRandomDelay > 0) do={
    $RandomDelay $BackupRandomDelay;
  }
  # filename based on identity
  :local DirName ("tmpfs/" . $ScriptName);
  :local FileName [ $CleanName ($Identity . "." . $Domain) ];
  :local FilePath ($DirName . "/" . $FileName);
  :local BackupFile "none";
  :local ExportFile "none";
  :local ConfigFile "none";
  :local Attach ({});
  :if ([ $MkDir $DirName ] = false) do={
    $LogPrint error $ScriptName ("Failed creating directory!");
    :set ExitOK true;
    :error false;
  }
  # binary backup
  :if ($BackupSendBinary = true) do={
    /system/backup/save encryption=aes-sha256 name=$FilePath password=$BackupPassword;
    $WaitForFile ($FilePath . ".backup");
    :set BackupFile ($FileName . ".backup");
    :set Attach ($Attach, ($FilePath . ".backup"));
  }
  # create configuration export
  :if ($BackupSendExport = true) do={
    /export terse show-sensitive file=$FilePath;
    $WaitForFile ($FilePath . ".rsc");
    :set ExportFile ($FileName . ".rsc");
    :set Attach ($Attach, ($FilePath . ".rsc"));
  }
  # global-config-overlay
  :if ($BackupSendGlobalConfig = true) do={
    # Do *NOT* use '/file/add ...' here, as it is limited to 4095 bytes!
    :execute script={ :put [ /system/script/get global-config-overlay source ]; } \
        file=($FilePath . ".conf\00");
    $WaitForFile ($FilePath . ".conf");
    :set ConfigFile ($FileName . ".conf");
    :set Attach ($Attach, ($FilePath . ".conf"));
  }
  # send email with status and files
  $SendEMail2 ({ origin=$ScriptName; \
    subject=([ $SymbolForNotification "floppy-disk,incoming-envelope" ] . \
      "Backup & Config"); \
    message=("See attached files for backup and config export for " . \
      $Identity . ".\n\n" . \
      [ $DeviceInfo ] . "\n\n" . \
      [ $FormatLine "Backup file" $BackupFile ] . "\n" . \
      [ $FormatLine "Export file" $ExportFile ] . "\n" . \
      [ $FormatLine "Config file" $ConfigFile ]); \
    attach=$Attach; remove-attach=true });
  # wait for the mail to be sent
  :local I 0;
  :while ([ :len [ /file/find where name ~ ($FilePath . "\\.(backup|rsc)\$") ] ] > 0) do={
    :if ($I >= 120) do={
      $LogPrint warning $ScriptName ("Files are still available, sending e-mail failed.");
      :set PackagesUpdateBackupFailure true;
      :set ExitOK true;
      :error false;
    }
    :delay 1s;
    :set I ($I + 1);
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/backup-partition.rsc
+++ b/backup-partition.rsc
@ -1,126 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: backup-partition
 # Copyright (c) 2022-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # provides: backup-script, order=70
 # requires RouterOS, version=7.15
 # requires device-mode, scheduler
 #
 # save configuration to fallback partition
 # https://rsc.eworm.de/doc/backup-partition.md
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global BackupPartitionCopyBeforeFeatureUpdate;
  :global PackagesUpdateBackupFailure;
  :global LogPrint;
  :global ScriptFromTerminal;
  :global ScriptLock;
  :global VersionToNum;
  :local CopyTo do={
    :local ScriptName     [ :tostr $1 ];
    :local FallbackTo     [ :toid  $2 ];
    :local FallbackToName [ :tostr $3 ];
    :global LogPrint;
    :do {
      /partitions/copy-to $FallbackTo;
      $LogPrint info $ScriptName ("Copied RouterOS to partition '" . $FallbackToName . "'.");
      :return true;
    } on-error={
      $LogPrint error $ScriptName ("Failed copying RouterOS to partition '" . $FallbackToName . "'!");
      :return false;
    }
  }
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set PackagesUpdateBackupFailure true;
    :set ExitOK true;
    :error false;
  }
  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
    :set PackagesUpdateBackupFailure true;
    :set ExitOK true;
    :error false;
  }
  :if ([ :len [ /partitions/find ] ] < 2) do={
    $LogPrint error $ScriptName ("Device does not have a fallback partition.");
    :set PackagesUpdateBackupFailure true;
    :set ExitOK true;
    :error false;
  }
  :local ActiveRunning [ /partitions/find where active running ];
  :if ([ :len $ActiveRunning ] < 1) do={
    $LogPrint error $ScriptName ("Device is not running from active partition.");
    :set PackagesUpdateBackupFailure true;
    :set ExitOK true;
    :error false;
  }
  :local FallbackToName [ /partitions/get $ActiveRunning fallback-to ];
  :local FallbackTo [ /partition/find where name=$FallbackToName !active ];
  :if ([ :len $FallbackTo ] < 1) do={
    $LogPrint error $ScriptName ("There is no inactive partition named '" . $FallbackToName . "'.");
    :set PackagesUpdateBackupFailure true;
    :set ExitOK true;
    :error false;
  }
  :if ([ /partitions/get $ActiveRunning version ] != [ /partitions/get $FallbackTo version]) do={
    :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
      :put ("The partitions have different RouterOS versions. Copy over to '" . $FallbackToName . "'? [y/N]");
      :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
        :if ([ $CopyTo $ScriptName $FallbackTo $FallbackToName ] = false) do={
          :set PackagesUpdateBackupFailure true;
          :set ExitOK true;
          :error false;
        }
      }
    } else={
      :local Update [ /system/package/update/get ];
      :local NumInstalled [ $VersionToNum ($Update->"installed-version") ];
      :local NumLatest [ $VersionToNum ($Update->"latest-version") ];
      :local BitMask [ $VersionToNum "255.255zero0" ];
      :if ($BackupPartitionCopyBeforeFeatureUpdate = true && $NumLatest > 0 && \
           ($NumInstalled & $BitMask) != ($NumLatest & $BitMask)) do={
        :if ([ $CopyTo $ScriptName $FallbackTo $FallbackToName ] = false) do={
          :set PackagesUpdateBackupFailure true;
          :set ExitOK true;
          :error false;
        }
      }
    }
  }
  :do {
    /system/scheduler/add start-time=startup name="running-from-backup-partition" \
        on-event=(":log warning (\"Running from partition '\" . " . \
        "[ /partitions/get [ find where running ] name ] . \"'!\")");
    /partitions/save-config-to $FallbackTo;
    /system/scheduler/remove "running-from-backup-partition";
    $LogPrint info $ScriptName ("Saved configuration to partition '" . $FallbackToName . "'.");
  } on-error={
    /system/scheduler/remove [ find where name="running-from-backup-partition" ];
    $LogPrint error $ScriptName ("Failed saving configuration to partition '" . $FallbackToName . "'!");
    :set PackagesUpdateBackupFailure true;
    :set ExitOK true;
    :error false;
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/backup-upload.rsc
+++ b/backup-upload.rsc
@ -1,178 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: backup-upload
 # Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # provides: backup-script, order=50
 # requires RouterOS, version=7.15
 # requires device-mode, fetch
 #
 # create and upload backup and config file
 # https://rsc.eworm.de/doc/backup-upload.md
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global BackupPassword;
  :global BackupRandomDelay;
  :global BackupSendBinary;
  :global BackupSendExport;
  :global BackupSendGlobalConfig;
  :global BackupUploadPass;
  :global BackupUploadUrl;
  :global BackupUploadUser;
  :global Domain;
  :global Identity;
  :global PackagesUpdateBackupFailure;
  :global CleanName;
  :global DeviceInfo;
  :global IfThenElse;
  :global LogPrint;
  :global MkDir;
  :global RandomDelay;
  :global RmDir;
  :global RmFile;
  :global ScriptFromTerminal;
  :global ScriptLock;
  :global SendNotification2;
  :global SymbolForNotification;
  :global WaitForFile;
  :global WaitFullyConnected;
  :if ($BackupSendBinary != true && \
       $BackupSendExport != true) do={
    $LogPrint error $ScriptName ("Configured to send neither backup nor config export.");
    :set ExitOK true;
    :error false;
  }
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set PackagesUpdateBackupFailure true;
    :set ExitOK true;
    :error false;
  }
  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
    :set PackagesUpdateBackupFailure true;
    :set ExitOK true;
    :error false;
  }
  $WaitFullyConnected;
  :if ([ $ScriptFromTerminal $ScriptName ] = false && $BackupRandomDelay > 0) do={
    $RandomDelay $BackupRandomDelay;
  }
  # filename based on identity
  :local DirName ("tmpfs/" . $ScriptName);
  :local FileName [ $CleanName ($Identity . "." . $Domain) ];
  :local FilePath ($DirName . "/" . $FileName);
  :local BackupFile "none";
  :local ExportFile "none";
  :local ConfigFile "none";
  :local Failed 0;
  :if ([ $MkDir $DirName ] = false) do={
    $LogPrint error $ScriptName ("Failed creating directory!");
    :set ExitOK true;
    :error false;
  }
  # binary backup
  :if ($BackupSendBinary = true) do={
    /system/backup/save encryption=aes-sha256 name=$FilePath password=$BackupPassword;
    $WaitForFile ($FilePath . ".backup");
    :do {
      /tool/fetch upload=yes url=($BackupUploadUrl . "/" . $FileName . ".backup") \
          user=$BackupUploadUser password=$BackupUploadPass src-path=($FilePath . ".backup");
      :set BackupFile [ /file/get ($FilePath . ".backup") ];
      :set ($BackupFile->"name") ($FileName . ".backup");
    } on-error={
      $LogPrint error $ScriptName ("Uploading backup file failed!");
      :set BackupFile "failed";
      :set Failed 1;
    }
    $RmFile ($FilePath . ".backup");
  }
  # create configuration export
  :if ($BackupSendExport = true) do={
    /export terse show-sensitive file=$FilePath;
    $WaitForFile ($FilePath . ".rsc");
    :do {
      /tool/fetch upload=yes url=($BackupUploadUrl . "/" . $FileName . ".rsc") \
          user=$BackupUploadUser password=$BackupUploadPass src-path=($FilePath . ".rsc");
      :set ExportFile [ /file/get ($FilePath . ".rsc") ];
      :set ($ExportFile->"name") ($FileName . ".rsc");
    } on-error={
      $LogPrint error $ScriptName ("Uploading configuration export failed!");
      :set ExportFile "failed";
      :set Failed 1;
    }
    $RmFile ($FilePath . ".rsc");
  }
  # global-config-overlay
  :if ($BackupSendGlobalConfig = true) do={
    # Do *NOT* use '/file/add ...' here, as it is limited to 4095 bytes!
    :execute script={ :put [ /system/script/get global-config-overlay source ]; } \
        file=($FilePath . ".conf\00");
    $WaitForFile ($FilePath . ".conf");
    :do {
      /tool/fetch upload=yes url=($BackupUploadUrl . "/" . $FileName . ".conf") \
          user=$BackupUploadUser password=$BackupUploadPass src-path=($FilePath . ".conf");
      :set ConfigFile [ /file/get ($FilePath . ".conf") ];
      :set ($ConfigFile->"name") ($FileName . ".conf");
    } on-error={
      $LogPrint error $ScriptName ("Uploading global-config-overlay failed!");
      :set ConfigFile "failed";
      :set Failed 1;
    }
    $RmFile ($FilePath . ".conf");
  }
  :local FileInfo do={
    :local Name $1;
    :local File $2;
    :global FormatLine;
    :global HumanReadableNum;
    :global IfThenElse;
    :return \
      [ $IfThenElse ([ :typeof $File ] = "array") \
        ($Name . ":\n" . [ $FormatLine "    name" ($File->"name") ] . "\n" . \
          [ $FormatLine "    size" ([ $HumanReadableNum ($File->"size") 1024 ] . "B") ]) \
        [ $FormatLine $Name $File ] ];
  }
  $SendNotification2 ({ origin=$ScriptName; \
    subject=[ $IfThenElse ($Failed > 0) \
      ([ $SymbolForNotification "floppy-disk,warning-sign" ] . "Backup & Config upload with failure") \
      ([ $SymbolForNotification "floppy-disk,arrow-up" ] . "Backup & Config upload") ]; \
    message=("Backup and config export upload for " . $Identity . ".\n\n" . \
      [ $DeviceInfo ] . "\n\n" . \
      [ $FileInfo "Backup file" $BackupFile ] . "\n" . \
      [ $FileInfo "Export file" $ExportFile ] . "\n" . \
      [ $FileInfo "Config file" $ConfigFile ]); silent=true });
  :if ($Failed = 1) do={
    :set PackagesUpdateBackupFailure true;
  }
  $RmDir $DirName;
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/31
+++ b/31
@ -0,0 +1,31 @@
 #!rsc
 # RouterOS script: bridge-port-to-default
 # Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
 #
 # reset bridge ports to default bridge
 :global BridgePortTo;
 :local Len ([ :len $BridgePortTo ] + 1);
 :if ($Len = 1) do={
  :delay 1s;
  :set Len ([ :len $BridgePortTo ] + 1);
 }
 :foreach Interface in=[ / interface bridge port find where comment!="" ] do={
  :foreach Comment in=[ :toarray [ / interface bridge port get $Interface comment ] ] do={
    :if ([ :pick $Comment 0 $Len ] = ($BridgePortTo . ":")) do={
      :local InterfaceName [ / interface bridge port get $Interface interface ];
      :local BridgeDefault [ :pick $Comment $Len [ :len $Comment ] ];
      :local BridgeCurrent [ / interface bridge port get $Interface bridge ];
      :if ($BridgeDefault != $BridgeCurrent) do={
        :log info ("Changing interface " . $InterfaceName . " to " . $BridgePortTo . " bridge " . $BridgeDefault);
        / interface bridge port set bridge=$BridgeDefault $Interface;
        / ip dhcp-client renew [ find where interface=$BridgeDefault ];
      } else={
        :log debug ("Interface " . $InterfaceName . " already connected to " . $BridgePortTo . " bridge " . $BridgeDefault);
      }
    }
  }
 }
--- a/15
+++ b/15
@ -0,0 +1,15 @@
 #!rsc
 # RouterOS script: bridge-port-toggle
 # Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
 #
 # toggle bridge ports between default and alt bridge
 :global BridgePortTo;
 :if ($BridgePortTo != "default") do={
  :set BridgePortTo "default";
 } else={
  :set BridgePortTo "alt";
 }
 / system script run bridge-port-to-default;
--- a/39
+++ b/39
@ -0,0 +1,39 @@
 #!rsc
 # RouterOS script: capsman-download-packages
 # Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 #
 # requires: dont-require-permissions=yes
 #
 # download and cleanup packages for CAP installation from CAPsMAN
 :global DownloadPackage;
 :global CleanFilePath;
 :local PackagePath [ $CleanFilePath [ / caps-man manager get package-path ] ];
 :local InstalledVersion [ / system package update get installed-version ];
 :local Updated false;
 :foreach Package in=[ / file find where type=package \
      package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
  :local PackageName [ / file get $Package package-name ];
  :local PackageArchitecture [ / file get $Package package-architecture ];
  :if ($PackageArchitecture = "mips") do={
    :set PackageArchitecture "mipsbe";
  }
  :if ($PackageName = "wireless@") do={
    :set PackageName "wireless";
  }
  :if ([ $DownloadPackage $PackageName $InstalledVersion $PackageArchitecture $PackagePath ] = true) do={
    :set Updated true;
    / file remove $Package;
  }
 }
 :if ($Updated = true) do={
  :if ([ / system script print count-only where name="capsman-rolling-upgrade" ] > 0) do={
    / system script run capsman-rolling-upgrade;
  } else={
    / caps-man remote-cap upgrade [ find where version!=$InstalledVersion ];
  }
 }
--- a/capsman-download-packages.capsman.rsc
+++ b/capsman-download-packages.capsman.rsc
@ -1,92 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: capsman-download-packages.capsman
 # Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # download and cleanup packages for CAP installation from CAPsMAN
 # https://rsc.eworm.de/doc/capsman-download-packages.md
 #
 # !! Do not edit this file, it is generated from template!
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global CleanFilePath;
  :global DownloadPackage;
  :global LogPrint;
  :global MkDir;
  :global RmFile;
  :global ScriptLock;
  :global WaitFullyConnected;
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  $WaitFullyConnected;
  :local PackagePath [ $CleanFilePath [ /caps-man/manager/get package-path ] ];
  :local InstalledVersion [ /system/package/update/get installed-version ];
  :local Updated false;
  :if ([ :len $PackagePath ] = 0) do={
    $LogPrint warning $ScriptName ("The CAPsMAN package path is not defined, can not download packages.");
    :set ExitOK true;
    :error false;
  }
  :if ([ :len [ /file/find where name=$PackagePath type="directory" ] ] = 0) do={
    :if ([ $MkDir $PackagePath ] = false) do={
      $LogPrint warning $ScriptName ("Creating directory at CAPsMAN package path (" . \
        $PackagePath . ") failed!");
      :set ExitOK true;
      :error false;
    }
    $LogPrint info $ScriptName ("Created directory at CAPsMAN package path (" . $PackagePath . \
      "). Please place your packages!");
  }
  :foreach Package in=[ /file/find where type=package \
        package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
    :local File [ /file/get $Package ];
    :if ($File->"package-architecture" = "mips") do={
      :set ($File->"package-architecture") "mipsbe";
    }
    :if ([ $DownloadPackage ($File->"package-name") $InstalledVersion \
         ($File->"package-architecture") $PackagePath ] = true) do={
      :set Updated true;
      $RmFile ($File->"name");
    }
  }
  :if ([ :len [ /file/find where type=package name~("^" . $PackagePath) ] ] = 0) do={
    $LogPrint info $ScriptName ("No packages available, downloading default set.");
    :foreach Arch in={ "arm"; "mipsbe" } do={
      :foreach Package in={ "routeros"; "wireless" } do={
        :if ([ $DownloadPackage $Package $InstalledVersion $Arch $PackagePath ] = true) do={
          :set Updated true;
        }
      }
    }
  }
  :if ($Updated = true) do={
    :local Scripts [ /system/script/find where source~"\n# provides: capsman-rolling-upgrade.capsman\r?\n" ];
    :if ([ :len $Scripts ] > 0) do={
      :foreach Script in=$Scripts do={
        /system/script/run $Script;
      }
    } else={
      /caps-man/remote-cap/upgrade [ find where version!=$InstalledVersion ];
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/capsman-download-packages.template.rsc
+++ b/capsman-download-packages.template.rsc
@ -1,103 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: capsman-download-packages%TEMPL%
 # Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # download and cleanup packages for CAP installation from CAPsMAN
 # https://rsc.eworm.de/doc/capsman-download-packages.md
 #
 # !! This is just a template to generate the real script!
 # !! Pattern '%TEMPL%' is replaced, paths are filtered.
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global CleanFilePath;
  :global DownloadPackage;
  :global LogPrint;
  :global MkDir;
  :global RmFile;
  :global ScriptLock;
  :global WaitFullyConnected;
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  $WaitFullyConnected;
  :local PackagePath [ $CleanFilePath [ /caps-man/manager/get package-path ] ];
  :local PackagePath [ $CleanFilePath [ /interface/wifi/capsman/get package-path ] ];
  :local InstalledVersion [ /system/package/update/get installed-version ];
  :local Updated false;
  :if ([ :len $PackagePath ] = 0) do={
    $LogPrint warning $ScriptName ("The CAPsMAN package path is not defined, can not download packages.");
    :set ExitOK true;
    :error false;
  }
  :if ([ :len [ /file/find where name=$PackagePath type="directory" ] ] = 0) do={
    :if ([ $MkDir $PackagePath ] = false) do={
      $LogPrint warning $ScriptName ("Creating directory at CAPsMAN package path (" . \
        $PackagePath . ") failed!");
      :set ExitOK true;
      :error false;
    }
    $LogPrint info $ScriptName ("Created directory at CAPsMAN package path (" . $PackagePath . \
      "). Please place your packages!");
  }
  :foreach Package in=[ /file/find where type=package \
        package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
    :local File [ /file/get $Package ];
    :if ($File->"package-architecture" = "mips") do={
      :set ($File->"package-architecture") "mipsbe";
    }
    :if ([ $DownloadPackage ($File->"package-name") $InstalledVersion \
         ($File->"package-architecture") $PackagePath ] = true) do={
      :set Updated true;
      $RmFile ($File->"name");
    }
  }
  :if ([ :len [ /file/find where type=package name~("^" . $PackagePath) ] ] = 0) do={
    $LogPrint info $ScriptName ("No packages available, downloading default set.");
 # NOT /interface/wifi/ #
    :foreach Arch in={ "arm"; "mipsbe" } do={
      :foreach Package in={ "routeros"; "wireless" } do={
 # NOT /interface/wifi/ #
 # NOT /caps-man/ #
    :foreach Arch in={ "arm"; "arm64" } do={
      :local Packages { "arm"={ "routeros"; "wifi-qcom"; "wifi-qcom-ac" };
                      "arm64"={ "routeros"; "wifi-qcom" } };
      :foreach Package in=($Packages->$Arch) do={
 # NOT /caps-man/ #
        :if ([ $DownloadPackage $Package $InstalledVersion $Arch $PackagePath ] = true) do={
          :set Updated true;
        }
      }
    }
  }
  :if ($Updated = true) do={
    :local Scripts [ /system/script/find where source~"\n# provides: capsman-rolling-upgrade%TEMPL%\r?\n" ];
    :if ([ :len $Scripts ] > 0) do={
      :foreach Script in=$Scripts do={
        /system/script/run $Script;
      }
    } else={
      /caps-man/remote-cap/upgrade [ find where version!=$InstalledVersion ];
      /interface/wifi/capsman/remote-cap/upgrade [ find where version!=$InstalledVersion ];
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/capsman-download-packages.wifi.rsc
+++ b/capsman-download-packages.wifi.rsc
@ -1,94 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: capsman-download-packages.wifi
 # Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # download and cleanup packages for CAP installation from CAPsMAN
 # https://rsc.eworm.de/doc/capsman-download-packages.md
 #
 # !! Do not edit this file, it is generated from template!
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global CleanFilePath;
  :global DownloadPackage;
  :global LogPrint;
  :global MkDir;
  :global RmFile;
  :global ScriptLock;
  :global WaitFullyConnected;
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  $WaitFullyConnected;
  :local PackagePath [ $CleanFilePath [ /interface/wifi/capsman/get package-path ] ];
  :local InstalledVersion [ /system/package/update/get installed-version ];
  :local Updated false;
  :if ([ :len $PackagePath ] = 0) do={
    $LogPrint warning $ScriptName ("The CAPsMAN package path is not defined, can not download packages.");
    :set ExitOK true;
    :error false;
  }
  :if ([ :len [ /file/find where name=$PackagePath type="directory" ] ] = 0) do={
    :if ([ $MkDir $PackagePath ] = false) do={
      $LogPrint warning $ScriptName ("Creating directory at CAPsMAN package path (" . \
        $PackagePath . ") failed!");
      :set ExitOK true;
      :error false;
    }
    $LogPrint info $ScriptName ("Created directory at CAPsMAN package path (" . $PackagePath . \
      "). Please place your packages!");
  }
  :foreach Package in=[ /file/find where type=package \
        package-version!=$InstalledVersion name~("^" . $PackagePath) ] do={
    :local File [ /file/get $Package ];
    :if ($File->"package-architecture" = "mips") do={
      :set ($File->"package-architecture") "mipsbe";
    }
    :if ([ $DownloadPackage ($File->"package-name") $InstalledVersion \
         ($File->"package-architecture") $PackagePath ] = true) do={
      :set Updated true;
      $RmFile ($File->"name");
    }
  }
  :if ([ :len [ /file/find where type=package name~("^" . $PackagePath) ] ] = 0) do={
    $LogPrint info $ScriptName ("No packages available, downloading default set.");
    :foreach Arch in={ "arm"; "arm64" } do={
      :local Packages { "arm"={ "routeros"; "wifi-qcom"; "wifi-qcom-ac" };
                      "arm64"={ "routeros"; "wifi-qcom" } };
      :foreach Package in=($Packages->$Arch) do={
        :if ([ $DownloadPackage $Package $InstalledVersion $Arch $PackagePath ] = true) do={
          :set Updated true;
        }
      }
    }
  }
  :if ($Updated = true) do={
    :local Scripts [ /system/script/find where source~"\n# provides: capsman-rolling-upgrade.wifi\r?\n" ];
    :if ([ :len $Scripts ] > 0) do={
      :foreach Script in=$Scripts do={
        /system/script/run $Script;
      }
    } else={
      /interface/wifi/capsman/remote-cap/upgrade [ find where version!=$InstalledVersion ];
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/20
+++ b/20
@ -0,0 +1,20 @@
 #!rsc
 # RouterOS script: capsman-rolling-upgrade
 # Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 #
 # upgrade CAPs one after another
 :local InstalledVersion [ / system package update get installed-version ];
 :local RemoteCapCount [ /caps-man remote-cap print count-only ];
 :if ($RemoteCapCount > 0) do={
  :local Delay (600 / $RemoteCapCount);
  :if ($Delay > 120) do={ :set Delay 120; }
  :foreach RemoteCap in=[ / caps-man remote-cap find where version!=$InstalledVersion ] do={
    :local RemoteCapName [ / caps-man remote-cap get $RemoteCap name ];
    :log debug ("Starting upgrade for CAP " . $RemoteCapName . "...");
    / caps-man remote-cap upgrade $RemoteCap;
    :delay ($Delay . "s");
  }
 }
--- a/capsman-rolling-upgrade.capsman.rsc
+++ b/capsman-rolling-upgrade.capsman.rsc
@ -1,50 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: capsman-rolling-upgrade.capsman
 # Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # provides: capsman-rolling-upgrade.capsman
 # requires RouterOS, version=7.15
 #
 # upgrade CAPs one after another
 # https://rsc.eworm.de/doc/capsman-rolling-upgrade.md
 #
 # !! Do not edit this file, it is generated from template!
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global LogPrint;
  :global ScriptLock;
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  :local InstalledVersion [ /system/package/update/get installed-version ];
  :local RemoteCapCount [ :len [ /caps-man/remote-cap/find ] ];
  :if ($RemoteCapCount > 0) do={
    :local Delay (600 / $RemoteCapCount);
    :if ($Delay > 120) do={ :set Delay 120; }
    :foreach RemoteCap in=[ /caps-man/remote-cap/find where version!=$InstalledVersion ] do={
      :local RemoteCapVal [ /caps-man/remote-cap/get $RemoteCap ];
      :if ([ :len $RemoteCapVal ] > 1) do={
        $LogPrint info $ScriptName ("Starting upgrade for " . $RemoteCapVal->"name" . \
          " (" . $RemoteCapVal->"identity" . ")...");
        /caps-man/remote-cap/upgrade $RemoteCap;
      } else={
        $LogPrint warning $ScriptName ("Remote CAP vanished, skipping upgrade.");
      }
      :delay ($Delay . "s");
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/capsman-rolling-upgrade.template.rsc
+++ b/capsman-rolling-upgrade.template.rsc
@ -1,58 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: capsman-rolling-upgrade%TEMPL%
 # Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # provides: capsman-rolling-upgrade%TEMPL%
 # requires RouterOS, version=7.15
 #
 # upgrade CAPs one after another
 # https://rsc.eworm.de/doc/capsman-rolling-upgrade.md
 #
 # !! This is just a template to generate the real script!
 # !! Pattern '%TEMPL%' is replaced, paths are filtered.
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global LogPrint;
  :global ScriptLock;
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  :local InstalledVersion [ /system/package/update/get installed-version ];
  :local RemoteCapCount [ :len [ /caps-man/remote-cap/find ] ];
  :local RemoteCapCount [ :len [ /interface/wifi/capsman/remote-cap/find ] ];
  :if ($RemoteCapCount > 0) do={
    :local Delay (600 / $RemoteCapCount);
    :if ($Delay > 120) do={ :set Delay 120; }
    :foreach RemoteCap in=[ /caps-man/remote-cap/find where version!=$InstalledVersion ] do={
    :foreach RemoteCap in=[ /interface/wifi/capsman/remote-cap/find where version!=$InstalledVersion ] do={
      :local RemoteCapVal [ /caps-man/remote-cap/get $RemoteCap ];
      :local RemoteCapVal [ /interface/wifi/capsman/remote-cap/get $RemoteCap ];
      :if ([ :len $RemoteCapVal ] > 1) do={
 # NOT /caps-man/ #
        :set ($RemoteCapVal->"name") ($RemoteCapVal->"common-name");
 # NOT /caps-man/ #
        $LogPrint info $ScriptName ("Starting upgrade for " . $RemoteCapVal->"name" . \
          " (" . $RemoteCapVal->"identity" . ")...");
        /caps-man/remote-cap/upgrade $RemoteCap;
        /interface/wifi/capsman/remote-cap/upgrade $RemoteCap;
      } else={
        $LogPrint warning $ScriptName ("Remote CAP vanished, skipping upgrade.");
      }
      :delay ($Delay . "s");
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/capsman-rolling-upgrade.wifi.rsc
+++ b/capsman-rolling-upgrade.wifi.rsc
@ -1,51 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: capsman-rolling-upgrade.wifi
 # Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # provides: capsman-rolling-upgrade.wifi
 # requires RouterOS, version=7.15
 #
 # upgrade CAPs one after another
 # https://rsc.eworm.de/doc/capsman-rolling-upgrade.md
 #
 # !! Do not edit this file, it is generated from template!
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global LogPrint;
  :global ScriptLock;
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  :local InstalledVersion [ /system/package/update/get installed-version ];
  :local RemoteCapCount [ :len [ /interface/wifi/capsman/remote-cap/find ] ];
  :if ($RemoteCapCount > 0) do={
    :local Delay (600 / $RemoteCapCount);
    :if ($Delay > 120) do={ :set Delay 120; }
    :foreach RemoteCap in=[ /interface/wifi/capsman/remote-cap/find where version!=$InstalledVersion ] do={
      :local RemoteCapVal [ /interface/wifi/capsman/remote-cap/get $RemoteCap ];
      :if ([ :len $RemoteCapVal ] > 1) do={
        :set ($RemoteCapVal->"name") ($RemoteCapVal->"common-name");
        $LogPrint info $ScriptName ("Starting upgrade for " . $RemoteCapVal->"name" . \
          " (" . $RemoteCapVal->"identity" . ")...");
        /interface/wifi/capsman/remote-cap/upgrade $RemoteCap;
      } else={
        $LogPrint warning $ScriptName ("Remote CAP vanished, skipping upgrade.");
      }
      :delay ($Delay . "s");
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/certificate-renew-issued.rsc
+++ b/certificate-renew-issued.rsc
@ -1,52 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: certificate-renew-issued
 # Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # renew locally issued certificates
 # https://rsc.eworm.de/doc/certificate-renew-issued.md
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global CertIssuedExportPass;
  :global LogPrint;
  :global MkDir;
  :global ScriptLock;
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  :foreach Cert in=[ /certificate/find where issued expires-after<3w ] do={
    :local CertVal [ /certificate/get $Cert ];
    /certificate/issued-revoke $Cert;
    /certificate/set name=($CertVal->"name" . "-revoked-" . [ /system/clock/get date ]) $Cert;
    /certificate/add name=($CertVal->"name") common-name=($CertVal->"common-name") \
        key-usage=($CertVal->"key-usage") subject-alt-name=($CertVal->"subject-alt-name");
    /certificate/sign ($CertVal->"name") ca=($CertVal->"ca");
    :if ([ :typeof ($CertIssuedExportPass->($CertVal->"common-name")) ] = "str") do={
      :if ([ $MkDir "cert-issued" ] = true) do={
        /certificate/export-certificate ($CertVal->"name") type=pkcs12 \
            file-name=("cert-issued/" . $CertVal->"common-name") \
            export-passphrase=($CertIssuedExportPass->($CertVal->"common-name"));
        $LogPrint info $ScriptName ("Issued a new certificate for '" . $CertVal->"common-name" . \
          "', exported to 'cert-issued/" . $CertVal->"common-name" . ".p12'.");
      } else={
        $LogPrint warning $ScriptName ("Failed creating directory, not exporting certificate.");
      }
    } else={
      $LogPrint info $ScriptName ("Issued a new certificate for '" . $CertVal->"common-name" . "'.");
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/certs/Certum-Trusted-Network-CA.pem
+++ b/certs/Certum-Trusted-Network-CA.pem
@ -1,29 +0,0 @@
 # Issuer: CN=Certum Trusted Network CA O=Unizeto Technologies S.A. OU=Certum Certification Authority
 # Subject: CN=Certum Trusted Network CA O=Unizeto Technologies S.A. OU=Certum Certification Authority
 # Label: "Certum Trusted Network CA"
 # Serial: 279744
 # MD5 Fingerprint: d5:e9:81:40:c5:18:69:fc:46:2c:89:75:62:0f:aa:78
 # SHA1 Fingerprint: 07:e0:32:e0:20:b7:2c:3f:19:2f:06:28:a2:59:3a:19:a7:0f:06:9e
 # SHA256 Fingerprint: 5c:58:46:8d:55:f5:8e:49:7e:74:39:82:d2:b5:00:10:b6:d1:65:37:4a:cf:83:a7:d4:a3:2d:b7:68:c4:40:8e
 -----BEGIN CERTIFICATE-----
 MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
 MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
 ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
 cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3
 WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg
 Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw
 IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B
 AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH
 UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM
 TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU
 BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM
 kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x
 AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV
 HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV
 HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y
 sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL
 I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8
 J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY
 VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
 03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw=
 -----END CERTIFICATE-----
--- a/certs/DigiCert-Global-Root-G2.pem
+++ b/certs/DigiCert-Global-Root-G2.pem
@ -1,29 +0,0 @@
 # Issuer: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
 # Subject: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
 # Label: "DigiCert Global Root G2"
 # Serial: 4293743540046975378534879503202253541
 # MD5 Fingerprint: e4:a6:8a:c8:54:ac:52:42:46:0a:fd:72:48:1b:2a:44
 # SHA1 Fingerprint: df:3c:24:f9:bf:d6:66:76:1b:26:80:73:fe:06:d1:cc:8d:4f:82:a4
 # SHA256 Fingerprint: cb:3c:cb:b7:60:31:e5:e0:13:8f:8d:d3:9a:23:f9:de:47:ff:c3:5e:43:c1:14:4c:ea:27:d4:6a:5a:b1:cb:5f
 -----BEGIN CERTIFICATE-----
 MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
 MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
 MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
 b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
 2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
 1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
 q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
 tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
 vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
 BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
 5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
 1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
 NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
 Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
 8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
 pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
 MrY=
 -----END CERTIFICATE-----
--- a/certs/DigiCert-Global-Root-G3.pem
+++ b/certs/DigiCert-Global-Root-G3.pem
@ -1,22 +0,0 @@
 # Issuer: CN=DigiCert Global Root G3 O=DigiCert Inc OU=www.digicert.com
 # Subject: CN=DigiCert Global Root G3 O=DigiCert Inc OU=www.digicert.com
 # Label: "DigiCert Global Root G3"
 # Serial: 7089244469030293291760083333884364146
 # MD5 Fingerprint: f5:5d:a4:50:a5:fb:28:7e:1e:0f:0d:cc:96:57:56:ca
 # SHA1 Fingerprint: 7e:04:de:89:6a:3e:66:6d:00:e6:87:d3:3f:fa:d9:3b:e8:3d:34:9e
 # SHA256 Fingerprint: 31:ad:66:48:f8:10:41:38:c7:38:f3:9e:a4:32:01:33:39:3e:3a:18:cc:02:29:6e:f9:7c:2a:c9:ef:67:31:d0
 -----BEGIN CERTIFICATE-----
 MIICPzCCAcWgAwIBAgIQBVVWvPJepDU1w6QP1atFcjAKBggqhkjOPQQDAzBhMQsw
 CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
 ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAe
 Fw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVTMRUw
 EwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20x
 IDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEczMHYwEAYHKoZIzj0CAQYF
 K4EEACIDYgAE3afZu4q4C/sLfyHS8L6+c/MzXRq8NOrexpu80JX28MzQC7phW1FG
 fp4tn+6OYwwX7Adw9c+ELkCDnOg/QW07rdOkFFk2eJ0DQ+4QE2xy3q6Ip6FrtUPO
 Z9wj/wMco+I+o0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAd
 BgNVHQ4EFgQUs9tIpPmhxdiuNkHMEWNpYim8S8YwCgYIKoZIzj0EAwMDaAAwZQIx
 AK288mw/EkrRLTnDCgmXc/SINoyIJ7vmiI1Qhadj+Z4y3maTD/HMsQmP3Wyr+mt/
 oAIwOWZbwmSNuJ5Q3KjVSaLtx9zRSX8XAbjIho9OjIgrqJqpisXRAL34VOKa5Vt8
 sycX
 -----END CERTIFICATE-----
--- a/certs/GTS-Root-R1.pem
+++ b/certs/GTS-Root-R1.pem
@ -1,38 +0,0 @@
 # Issuer: CN=GTS Root R1 O=Google Trust Services LLC
 # Subject: CN=GTS Root R1 O=Google Trust Services LLC
 # Label: "GTS Root R1"
 # Serial: 159662320309726417404178440727
 # MD5 Fingerprint: 05:fe:d0:bf:71:a8:a3:76:63:da:01:e0:d8:52:dc:40
 # SHA1 Fingerprint: e5:8c:1c:c4:91:3b:38:63:4b:e9:10:6e:e3:ad:8e:6b:9d:d9:81:4a
 # SHA256 Fingerprint: d9:47:43:2a:bd:e7:b7:fa:90:fc:2e:6b:59:10:1b:12:80:e0:e1:c7:e4:e4:0f:a3:c6:88:7f:ff:57:a7:f4:cf
 -----BEGIN CERTIFICATE-----
 MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw
 CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
 MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
 MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
 Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA
 A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo
 27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w
 Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw
 TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl
 qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH
 szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8
 Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk
 MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92
 wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p
 aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN
 VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID
 AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
 FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb
 C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe
 QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy
 h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4
 7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J
 ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef
 MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/
 Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT
 6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ
 0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm
 2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb
 bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c
 -----END CERTIFICATE-----
--- a/certs/GTS-Root-R4.pem
+++ b/certs/GTS-Root-R4.pem
@ -1,20 +0,0 @@
 # Issuer: CN=GTS Root R4 O=Google Trust Services LLC
 # Subject: CN=GTS Root R4 O=Google Trust Services LLC
 # Label: "GTS Root R4"
 # Serial: 159662532700760215368942768210
 # MD5 Fingerprint: 43:96:83:77:19:4d:76:b3:9d:65:52:e4:1d:22:a5:e8
 # SHA1 Fingerprint: 77:d3:03:67:b5:e0:0c:15:f6:0c:38:61:df:7c:e1:3b:92:46:4d:47
 # SHA256 Fingerprint: 34:9d:fa:40:58:c5:e2:63:12:3b:39:8a:e7:95:57:3c:4e:13:13:c8:3f:e6:8f:93:55:6c:d5:e8:03:1b:3c:7d
 -----BEGIN CERTIFICATE-----
 MIICCTCCAY6gAwIBAgINAgPlwGjvYxqccpBQUjAKBggqhkjOPQQDAzBHMQswCQYD
 VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIG
 A1UEAxMLR1RTIFJvb3QgUjQwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAw
 WjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2Vz
 IExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjQwdjAQBgcqhkjOPQIBBgUrgQQAIgNi
 AATzdHOnaItgrkO4NcWBMHtLSZ37wWHO5t5GvWvVYRg1rkDdc/eJkTBa6zzuhXyi
 QHY7qca4R9gq55KRanPpsXI5nymfopjTX15YhmUPoYRlBtHci8nHc8iMai/lxKvR
 HYqjQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
 BBSATNbrdP9JNqPV2Py1PsVq8JQdjDAKBggqhkjOPQQDAwNpADBmAjEA6ED/g94D
 9J+uHXqnLrmvT/aDHQ4thQEd0dlq7A/Cr8deVl5c1RxYIigL9zC2L7F8AjEA8GE8
 p/SgguMh1YQdc4acLa/KNJvxn7kjNuK8YAOdgLOaVsjh4rsUecrNIdSUtUlD
 -----END CERTIFICATE-----
--- a/certs/Go-Daddy-Root-Certificate-Authority-G2.pem
+++ b/certs/Go-Daddy-Root-Certificate-Authority-G2.pem
@ -1,30 +0,0 @@
 # Issuer: CN=Go Daddy Root Certificate Authority - G2 O=GoDaddy.com, Inc.
 # Subject: CN=Go Daddy Root Certificate Authority - G2 O=GoDaddy.com, Inc.
 # Label: "Go Daddy Root Certificate Authority - G2"
 # Serial: 0
 # MD5 Fingerprint: 80:3a:bc:22:c1:e6:fb:8d:9b:3b:27:4a:32:1b:9a:01
 # SHA1 Fingerprint: 47:be:ab:c9:22:ea:e8:0e:78:78:34:62:a7:9f:45:c2:54:fd:e6:8b
 # SHA256 Fingerprint: 45:14:0b:32:47:eb:9c:c8:c5:b4:f0:d7:b5:30:91:f7:32:92:08:9e:6e:5a:63:e2:74:9d:d3:ac:a9:19:8e:da
 -----BEGIN CERTIFICATE-----
 MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
 EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
 ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
 NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
 EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
 AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
 DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
 E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
 /PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
 DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
 GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
 tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
 AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
 FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
 WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
 9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
 gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
 2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
 LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
 4uJEvlz36hz1
 -----END CERTIFICATE-----
--- a/certs/ISRG-Root-X1.pem
+++ b/certs/ISRG-Root-X1.pem
@ -1,38 +0,0 @@
 # Issuer: CN=ISRG Root X1 O=Internet Security Research Group
 # Subject: CN=ISRG Root X1 O=Internet Security Research Group
 # Label: "ISRG Root X1"
 # Serial: 172886928669790476064670243504169061120
 # MD5 Fingerprint: 0c:d2:f9:e0:da:17:73:e9:ed:86:4d:a5:e3:70:e7:4e
 # SHA1 Fingerprint: ca:bd:2a:79:a1:07:6a:31:f2:1d:25:36:35:cb:03:9d:43:29:a5:e8
 # SHA256 Fingerprint: 96:bc:ec:06:26:49:76:f3:74:60:77:9a:cf:28:c5:a7:cf:e8:a3:c0:aa:e1:1a:8f:fc:ee:05:c0:bd:df:08:c6
 -----BEGIN CERTIFICATE-----
 MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
 TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
 cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
 WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
 ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
 MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
 h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
 0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
 A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
 T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
 B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
 B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
 KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
 OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
 jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
 qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
 rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
 HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
 hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
 ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
 3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
 NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
 ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
 TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
 jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
 oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
 4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
 mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
 emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
 -----END CERTIFICATE-----
--- a/certs/ISRG-Root-X2.pem
+++ b/certs/ISRG-Root-X2.pem
@ -1,21 +0,0 @@
 # Issuer: CN=ISRG Root X2 O=Internet Security Research Group
 # Subject: CN=ISRG Root X2 O=Internet Security Research Group
 # Label: "ISRG Root X2"
 # Serial: 87493402998870891108772069816698636114
 # MD5 Fingerprint: d3:9e:c4:1e:23:3c:a6:df:cf:a3:7e:6d:e0:14:e6:e5
 # SHA1 Fingerprint: bd:b1:b9:3c:d5:97:8d:45:c6:26:14:55:f8:db:95:c7:5a:d1:53:af
 # SHA256 Fingerprint: 69:72:9b:8e:15:a8:6e:fc:17:7a:57:af:b7:17:1d:fc:64:ad:d2:8c:2f:ca:8c:f1:50:7e:34:45:3c:cb:14:70
 -----BEGIN CERTIFICATE-----
 MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
 CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
 R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
 MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
 ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
 EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
 +1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
 ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
 AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
 zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
 tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
 /q4AaOeMSQ+2b1tbFfLn
 -----END CERTIFICATE-----
--- a/certs/Makefile
+++ b/certs/Makefile
@ -1,58 +0,0 @@
 # Makefile to check certificates
 CURL = curl \
 	--capath /dev/null \
 	--connect-timeout 5 \
 	--output /dev/null \
 	--silent
 DOMAINS_DUAL = \
 	api.macvendors.com/GTS-Root-R4 \
 	api.telegram.org/Go-Daddy-Root-Certificate-Authority-G2 \
 	cloudflare-dns.com/DigiCert-Global-Root-G2 \
 	dns.google/GTS-Root-R4 \
 	dns.quad9.net/DigiCert-Global-Root-G3 \
 	git.eworm.de/ISRG-Root-X2 \
 	lists.blocklist.de/Certum-Trusted-Network-CA \
 	matrix.org/GTS-Root-R4 \
 	raw.githubusercontent.com/USERTrust-RSA-Certification-Authority \
 	rsc.eworm.de/ISRG-Root-X2 \
 	upgrade.mikrotik.com/ISRG-Root-X1
 DOMAINS_IPV4 = \
 	1.1.1.1/DigiCert-Global-Root-G2 \
 	8.8.8.8/GTS-Root-R1 \
 	9.9.9.9/DigiCert-Global-Root-G3 \
 	api.mullvad.net/ISRG-Root-X1 \
 	ipv4.showipv6.de/ISRG-Root-X1 \
 	ipv4.tunnelbroker.net/Starfield-Root-Certificate-Authority-G2 \
 	mkcert.org/ISRG-Root-X1 \
 	ntfy.sh/ISRG-Root-X1 \
 	www.dshield.org/ISRG-Root-X1 \
 	www.spamhaus.org/GTS-Root-R4
 DOMAINS_IPV6 = \
 	[2606\:4700\:4700\:\:1111]/DigiCert-Global-Root-G2 \
 	[2001\:4860\:4860\:\:8888]/GTS-Root-R1 \
 	[2620\:fe\:\:9]/DigiCert-Global-Root-G3 \
 	ipv6.showipv6.de/ISRG-Root-X1
 .PHONY: $(DOMAINS_DUAL) $(DOMAINS_IPV4) $(DOMAINS_IPV6)
 all: $(DOMAINS_DUAL) $(DOMAINS_IPV4) $(DOMAINS_IPV6)
 $(DOMAINS_DUAL):
 ifndef NOIPV4
 	$(CURL) -4 --cacert $(notdir $@).pem https://$(dir $@)
 endif
 ifndef NOIPV6
 	$(CURL) -6 --cacert $(notdir $@).pem https://$(dir $@)
 endif
 $(DOMAINS_IPV4):
 ifndef NOIPV4
 	$(CURL) -4 --cacert $(notdir $@).pem https://$(dir $@)
 endif
 $(DOMAINS_IPV6):
 ifndef NOIPV6
 	$(CURL) -6 --cacert $(notdir $@).pem https://$(dir $@)
 endif
--- a/certs/Starfield-Root-Certificate-Authority-G2.pem
+++ b/certs/Starfield-Root-Certificate-Authority-G2.pem
@ -1,30 +0,0 @@
 # Issuer: CN=Starfield Root Certificate Authority - G2 O=Starfield Technologies, Inc.
 # Subject: CN=Starfield Root Certificate Authority - G2 O=Starfield Technologies, Inc.
 # Label: "Starfield Root Certificate Authority - G2"
 # Serial: 0
 # MD5 Fingerprint: d6:39:81:c6:52:7e:96:69:fc:fc:ca:66:ed:05:f2:96
 # SHA1 Fingerprint: b5:1c:06:7c:ee:2b:0c:3d:f8:55:ab:2d:92:f4:fe:39:d4:e7:0f:0e
 # SHA256 Fingerprint: 2c:e1:cb:0b:f9:d2:f9:e1:02:99:3f:be:21:51:52:c3:b2:dd:0c:ab:de:1c:68:e5:31:9b:83:91:54:db:b7:f5
 -----BEGIN CERTIFICATE-----
 MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
 HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
 ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw
 MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
 b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
 aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp
 Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg
 nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1
 HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N
 Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN
 dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0
 HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
 BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G
 CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU
 sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3
 4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg
 8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K
 pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
 mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
 -----END CERTIFICATE-----
--- a/certs/USERTrust-RSA-Certification-Authority.pem
+++ b/certs/USERTrust-RSA-Certification-Authority.pem
@ -1,41 +0,0 @@
 # Issuer: CN=USERTrust RSA Certification Authority O=The USERTRUST Network
 # Subject: CN=USERTrust RSA Certification Authority O=The USERTRUST Network
 # Label: "USERTrust RSA Certification Authority"
 # Serial: 2645093764781058787591871645665788717
 # MD5 Fingerprint: 1b:fe:69:d1:91:b7:19:33:a3:72:a8:0f:e1:55:e5:b5
 # SHA1 Fingerprint: 2b:8f:1b:57:33:0d:bb:a2:d0:7a:6c:51:f7:0e:e9:0d:da:b9:ad:8e
 # SHA256 Fingerprint: e7:93:c9:b0:2f:d8:aa:13:e2:1c:31:22:8a:cc:b0:81:19:64:3b:74:9c:89:89:64:b1:74:6d:46:c3:d4:cb:d2
 -----BEGIN CERTIFICATE-----
 MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
 iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
 cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
 BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
 MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
 BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
 aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
 dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
 AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
 3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
 tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
 Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
 VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
 79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
 c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
 Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
 c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
 UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
 Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
 BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
 A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
 Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
 VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
 ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
 8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
 iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
 Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
 XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
 qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
 VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
 L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
 jjxDah2nGN59PRbxYvnKkKj9
 -----END CERTIFICATE-----
--- a/certs/godaddy.pem
+++ b/certs/godaddy.pem
@ -0,0 +1,51 @@
 -----BEGIN CERTIFICATE-----
 MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
 EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
 ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
 NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
 EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
 AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
 DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
 E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
 /PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
 DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
 GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
 tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
 AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
 FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
 WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
 9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
 gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
 2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
 LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
 4uJEvlz36hz1
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
 EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
 ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
 MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
 EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
 CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
 EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
 MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
 BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
 K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
 cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
 pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
 eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
 AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
 HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
 9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
 b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
 b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
 CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
 MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
 91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
 RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
 DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
 GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
 LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
 -----END CERTIFICATE-----
--- a/certs/letsencrypt.pem
+++ b/certs/letsencrypt.pem
@ -0,0 +1,83 @@
 -----BEGIN CERTIFICATE-----
 MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
 TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
 cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
 WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
 ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
 MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
 h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
 0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
 A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
 T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
 B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
 B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
 KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
 OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
 jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
 qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
 rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
 HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
 hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
 ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
 3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
 NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
 ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
 TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
 jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
 oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
 4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
 mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
 emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
 TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
 cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
 WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
 RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
 MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
 NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
 89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
 Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
 Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
 uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
 AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
 BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
 FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
 SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
 LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
 BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
 AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
 VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
 ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
 A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
 UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
 DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
 eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
 OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
 p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
 2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
 ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
 PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
 rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
 MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
 DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
 PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
 Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
 AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
 rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
 OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
 xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
 aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
 HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
 SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
 ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
 AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
 R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
 JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
 Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
 -----END CERTIFICATE-----
--- a/certs/starfield.pem
+++ b/certs/starfield.pem
@ -0,0 +1,52 @@
 -----BEGIN CERTIFICATE-----
 MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
 HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
 ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw
 MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
 b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
 aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp
 Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg
 nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1
 HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N
 Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN
 dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0
 HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
 BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G
 CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU
 sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3
 4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg
 8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K
 pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
 mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFADCCA+igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
 EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
 HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
 ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAw
 MFoXDTMxMDUwMzA3MDAwMFowgcYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
 b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
 aG5vbG9naWVzLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydHMuc3RhcmZpZWxk
 dGVjaC5jb20vcmVwb3NpdG9yeS8xNDAyBgNVBAMTK1N0YXJmaWVsZCBTZWN1cmUg
 Q2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
 DwAwggEKAoIBAQDlkGZL7PlGcakgg77pbL9KyUhpgXVObST2yxcT+LBxWYR6ayuF
 pDS1FuXLzOlBcCykLtb6Mn3hqN6UEKwxwcDYav9ZJ6t21vwLdGu4p64/xFT0tDFE
 3ZNWjKRMXpuJyySDm+JXfbfYEh/JhW300YDxUJuHrtQLEAX7J7oobRfpDtZNuTlV
 Bv8KJAV+L8YdcmzUiymMV33a2etmGtNPp99/UsQwxaXJDgLFU793OGgGJMNmyDd+
 MB5FcSM1/5DYKp2N57CSTTx/KgqT3M0WRmX3YISLdkuRJ3MUkuDq7o8W6o0OPnYX
 v32JgIBEQ+ct4EMJddo26K3biTr1XRKOIwSDAgMBAAGjggEsMIIBKDAPBgNVHRMB
 Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUJUWBaFAmOD07LSy+
 zWrZtj2zZmMwHwYDVR0jBBgwFoAUfAwyH6fZMH/EfWijYqihzqsHWycwOgYIKwYB
 BQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5zdGFyZmllbGR0ZWNo
 LmNvbS8wOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5zdGFyZmllbGR0ZWNo
 LmNvbS9zZnJvb3QtZzIuY3JsMEwGA1UdIARFMEMwQQYEVR0gADA5MDcGCCsGAQUF
 BwIBFitodHRwczovL2NlcnRzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkv
 MA0GCSqGSIb3DQEBCwUAA4IBAQBWZcr+8z8KqJOLGMfeQ2kTNCC+Tl94qGuc22pN
 QdvBE+zcMQAiXvcAngzgNGU0+bE6TkjIEoGIXFs+CFN69xpk37hQYcxTUUApS8L0
 rjpf5MqtJsxOYUPl/VemN3DOQyuwlMOS6eFfqhBJt2nk4NAfZKQrzR9voPiEJBjO
 eT2pkb9UGBOJmVQRDVXFJgt5T1ocbvlj2xSApAer+rKluYjdkf5lO6Sjeb6JTeHQ
 sPTIFwwKlhR8Cbds4cLYVdQYoKpBaXAko7nv6VrcPuuUSvC33l8Odvr7+2kDRUBQ
 7nIMpBKGgc0T0U7EPMpODdIm8QC3tKai4W56gf0wrHofx1l7
 -----END CERTIFICATE-----
--- a/117
+++ b/117
@ -0,0 +1,117 @@
 #!rsc
 # RouterOS script: check-certificates
 # Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
 #
 # check for certificate validity
 :global Identity;
 :global CertRenewUrl;
 :global CertRenewPass;
 :global SendNotification;
 :local GetIssuerCN do={
  :foreach IssuerI in=$1 do={
    :if ([ :pick $IssuerI 0 3 ] = "CN=") do={
      :return [ :pick $IssuerI 3 99 ];
    }
  }
 }
 :local FormatExpire do={
  :global CharacterReplace;
  :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
 }
 :foreach Cert in=[ / certificate find where !revoked expires-after<3w ] do={
  :local CertName [ / certificate get $Cert name ];
  :local CommonName [ / certificate get $Cert common-name ];
  :local FingerPrint [ / certificate get $Cert fingerprint ];
  :do {
    :if ([ :len $CertRenewUrl ] = 0) do={
      :error "No CertRenewUrl given.";
    }
    / tool fetch mode=https check-certificate=yes-without-crl url=($CertRenewUrl . $CommonName . ".pem");
    :foreach PassPhrase in=$CertRenewPass do={
      / certificate import file-name=($CommonName . ".pem") passphrase=$PassPhrase;
    }
    / file remove [ find where name=($CommonName . ".pem") ];
    :local CertNew [ / certificate find where common-name=$CommonName fingerprint!=$FingerPrint expires-after>3w ];
    :local CertNameNew [ / certificate get $CertNew name ];
    :foreach IpService in=[ / ip service find where certificate=$CertName ] do={
      / ip service set $IpService certificate=$CertNameNew;
    }
    :do {
      :foreach Identity in=[ / ip ipsec identity find where certificate=$CertName ] do={
        / ip ipsec identity set $Identity certificate=$CertNameNew;
      }
      :foreach Identity in=[ / ip ipsec identity find where remote-certificate=$CertName ] do={
        / ip ipsec identity set $Identity remote-certificate=$CertNameNew;
      }
    } on-error={
      :log debug ("Setting IPSEC certificates failed. Package 'security' not installed?");
    }
    :do {
      :foreach Hotspot in=[ / ip hotspot profile find where ssl-certificate=$CertName ] do={
        / ip hotspot profile set $Hotspot ssl-certificate=$CertNameNew;
      }
    } on-error={
      :log debug ("Setting hotspot certificates failed. Package 'hotspot' not installed?");
    }
    / certificate remove $Cert;
    / certificate set $CertNew name=$CertName;
    :set CommonName [ / certificate get $CertNew common-name ];
    :set FingerPrint [ / certificate get $CertNew fingerprint ];
    :local Issuer [ $GetIssuerCN [ / certificate get $CertNew issuer ] ];
    :local InvalidBefore [ / certificate get $CertNew invalid-before ];
    :local InvalidAfter [ / certificate get $CertNew invalid-after ];
    :local ExpiresAfter [ $FormatExpire [ / certificate get $CertNew expires-after ] ];
    $SendNotification ("Certificate renewed") \
      ("A certificate on " . $Identity . " has been renewed.\n\n" . \
        "Name:        " . $CertName . "\n" . \
        "CommonName:  " . $CommonName . "\n" . \
        "Fingerprint: " . $FingerPrint . "\n" . \
        "Issuer:      " . $Issuer . "\n" . \
        "Validity:    " . $InvalidBefore . " to " . $InvalidAfter . "\n" . \
        "Expires in:  " . $ExpiresAfter);
    :log info ("The certificate " . $CertName . " has been renewed.");
  } on-error={
    :log debug ("Could not renew certificate " . $CertName ".");
  }
 }
 :foreach Cert in=[ / certificate find where !revoked expires-after<2w ] do={
  :local CertName [ / certificate get $Cert name ];
  :local CommonName [ / certificate get $Cert common-name ];
  :local FingerPrint [ / certificate get $Cert fingerprint ];
  :local Issuer [ $GetIssuerCN [ / certificate get $Cert issuer ] ];
  :local InvalidBefore [ / certificate get $Cert invalid-before ];
  :local InvalidAfter [ / certificate get $Cert invalid-after ];
  :local ExpiresAfter [ $FormatExpire [ / certificate get $Cert expires-after ] ];
  :local State "is about to expire";
  :if ([ / certificate get $Cert expired ] = true) do={
    :set ExpiresAfter "expired";
    :set State "expired";
  }
  $SendNotification ("Certificate warning!") \
    ("A certificate on " . $Identity . " " . $State . ".\n\n" . \
      "Name:        " . $CertName . "\n" . \
      "CommonName:  " . $CommonName . "\n" . \
      "Fingerprint: " . $FingerPrint . "\n" . \
      "Issuer:      " . $Issuer . "\n" . \
      "Validity:    " . $InvalidBefore . " to " . $InvalidAfter . "\n" . \
      "Expires in:  " . $ExpiresAfter);
  :log warning ("The certificate " . $CertName . " " . $State . \
      ", it is invalid after " . $InvalidAfter . ".");
 }
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@ -1,242 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: check-certificates
 # Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 # requires device-mode, fetch
 #
 # check for certificate validity
 # https://rsc.eworm.de/doc/check-certificates.md
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global CertRenewTime;
  :global CertRenewUrl;
  :global CertWarnTime;
  :global Identity;
  :global CertificateAvailable
  :global EscapeForRegEx;
  :global IfThenElse;
  :global LogPrint;
  :global ParseKeyValueStore;
  :global ScriptLock;
  :global SendNotification2;
  :global SymbolForNotification;
  :global UrlEncode;
  :global WaitFullyConnected;
  :local CheckCertificatesDownloadImport do={
    :local ScriptName [ :tostr $1 ];
    :local CertName   [ :tostr $2 ];
    :local FetchName  [ :tostr $3 ];
    :global CertRenewUrl;
    :global CertRenewPass;
    :global CertificateNameByCN;
    :global EscapeForRegEx;
    :global FetchUserAgentStr;
    :global LogPrint;
    :global RmFile;
    :global UrlEncode;
    :global WaitForFile;
    :foreach Type in={ "p12"; "pem" } do={
      :local CertFileName ([ $UrlEncode $FetchName ] . "." . $Type);
      $LogPrint debug $ScriptName ("Trying type '" . $Type . "' for '" . $CertName . \
          "' (file '" . $CertFileName . "')...");
      :do {
        /tool/fetch check-certificate=yes-without-crl http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \
            ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
        $WaitForFile $CertFileName;
        :local DecryptionFailed true;
        :foreach I,PassPhrase in=$CertRenewPass do={
          :do {
            $LogPrint debug $ScriptName ("Trying " . $I . ". passphrase... ");
            :local Result [ /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value ];
            :if ($Result->"decryption-failures" = 0) do={
              $LogPrint debug $ScriptName ("Success!");
              :set DecryptionFailed false;
            }
          } on-error={ }
        }
        $RmFile $CertFileName;
        :if ($DecryptionFailed = true) do={
          $LogPrint warning $ScriptName ("Decryption failed for certificate file '" . $CertFileName . "'.");
        }
        :foreach CertInChain in=[ /certificate/find where common-name!=$CertName !private-key \
            name~("^" . [ $EscapeForRegEx $CertFileName ] . "_[0-9]+\$") \
            !(subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $CertName ] . "(\\W|\$)")) \
            !(common-name=[]) ] do={
          $CertificateNameByCN [ /certificate/get $CertInChain common-name ];
        }
        :return true;
      } on-error={
        $LogPrint debug $ScriptName ("Could not download certificate file '" . $CertFileName . "'.");
      }
    }
    :return false;
  }
  :local FormatInfo do={
    :local Cert $1;
    :global FormatLine;
    :global FormatMultiLines;
    :global IfThenElse;
    :local FormatExpire do={
      :global CharacterReplace;
      :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
    }
    :local FormatCertChain do={
      :local Cert $1;
      :global EitherOr;
      :global ParseKeyValueStore;
      :local CertVal [ /certificate/get $Cert ];
      :if ([ :typeof ($CertVal->"issuer") ] = "nothing") do={
        :return "self-signed";
      }
      :local Return "";
      :for I from=0 to=5 do={
        :set Return ($Return . [ $EitherOr ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") \
          ([ $ParseKeyValueStore (($CertVal->"issuer")->0) ]->"CN") ]);
        :set CertVal [ /certificate/get [ find where skid=($CertVal->"akid") ] ];
        :if (($CertVal->"akid") = "" || ($CertVal->"akid") = ($CertVal->"skid")) do={
          :return $Return;
        }
        :set Return ($Return . " -> ");
      }
      :return ($Return . "...");
    }
    :local CertVal [ /certificate/get $Cert ];
    :return ( \
      [ $FormatLine "Name" ($CertVal->"name") ] . "\n" . \
      [ $IfThenElse ([ :len ($CertVal->"common-name") ] > 0) ([ $FormatLine "CommonName" ($CertVal->"common-name") ] . "\n") ] . \
      [ $IfThenElse ([ :len ($CertVal->"subject-alt-name") ] > 0) ([ $FormatMultiLines "SubjectAltNames" ($CertVal->"subject-alt-name") ] . "\n") ] . \
      [ $FormatLine "Private key" [ $IfThenElse (($CertVal->"private-key") = true) "available" "missing" ] ] . "\n" . \
      [ $FormatLine "Fingerprint" ($CertVal->"fingerprint") ] . "\n" . \
      [ $IfThenElse ([ :len ($CertVal->"ca") ] > 0) [ $FormatLine "Issuer" ($CertVal->"ca") ] [ $FormatLine "Issuer chain" [ $FormatCertChain $Cert ] ] ] . "\n" . \
      "Validity:\n" . \
      [ $FormatLine "    from" ($CertVal->"invalid-before") ] . "\n" . \
      [ $FormatLine "    to" ($CertVal->"invalid-after") ] . "\n" . \
      [ $FormatLine "Expires in" [ $IfThenElse (($CertVal->"expired") = true) "expired" [ $FormatExpire ($CertVal->"expires-after") ] ] ]);
  }
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  $WaitFullyConnected;
  :foreach Cert in=[ /certificate/find where !revoked !ca !scep-url expires-after<$CertRenewTime ] do={
    :local CertVal [ /certificate/get $Cert ];
    :local LastName;
    :local FetchName;
    :do {
      :if ([ :len $CertRenewUrl ] = 0) do={
        $LogPrint info $ScriptName ("No CertRenewUrl given.");
        :error false;
      }
      $LogPrint info $ScriptName ("Attempting to renew certificate '" . ($CertVal->"name") . "'.");
      :local ImportSuccess false;
      :set LastName ($CertVal->"common-name");
      :set FetchName $LastName;
      :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
      :foreach SAN in=($CertVal->"subject-alt-name") do={
        :if ($ImportSuccess = false) do={
          :set LastName [ :pick $SAN ([ :find $SAN ":" ] + 1) [ :len $SAN ] ];
          :set FetchName $LastName;
          :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
          :if ($ImportSuccess = false && [ :pick $LastName 0 2 ] = "*.") do={
            :set FetchName ("star." . [ :pick $LastName 2 [ :len $LastName ] ]);
            :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
          }
        }
      }
      :if ($ImportSuccess = false) do={ :error false; }
      :if ([ :len ($CertVal->"fingerprint") ] > 0 && $CertVal->"fingerprint" != [ /certificate/get $Cert fingerprint ]) do={
        $LogPrint debug $ScriptName ("Certificate '" . $CertVal->"name" . "' was updated in place.");
        :set CertVal [ /certificate/get $Cert ];
      } else={
        $LogPrint debug $ScriptName ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.");
        :local CertNew [ /certificate/find where name~("^" . [ $EscapeForRegEx [ $UrlEncode $FetchName ] ] . "\\.(p12|pem)_[0-9]+\$") \
          (common-name=($CertVal->"common-name") or subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $LastName ] . "(\\W|\$)")) \
          fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
        :local CertNewVal [ /certificate/get $CertNew ];
        :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
          $LogPrint warning $ScriptName ("The certificate chain is not available!");
        }
        :if (($CertVal->"private-key") = true && ($CertVal->"private-key") != ($CertNewVal->"private-key")) do={
          /certificate/remove $CertNew;
          $LogPrint warning $ScriptName ("Old certificate '" . ($CertVal->"name") . "' has a private key, new certificate does not. Aborting renew.");
          :error false;
        }
        /ip/service/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];
        /ip/ipsec/identity/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];
        /ip/ipsec/identity/set remote-certificate=($CertNewVal->"name") [ find where remote-certificate=($CertVal->"name") ];
        /ip/hotspot/profile/set ssl-certificate=($CertNewVal->"name") [ find where ssl-certificate=($CertVal->"name") ];
        /certificate/remove $Cert;
        /certificate/set $CertNew name=($CertVal->"name");
        :set Cert $CertNew;
        :set CertVal [ /certificate/get $CertNew ];
      }
      $SendNotification2 ({ origin=$ScriptName; silent=true; \
        subject=([ $SymbolForNotification "lock-with-ink-pen" ] . "Certificate renewed: " . ($CertVal->"name")); \
        message=("A certificate on " . $Identity . " has been renewed.\n\n" . [ $FormatInfo $Cert ]) });
      $LogPrint info $ScriptName ("The certificate '" . ($CertVal->"name") . "' has been renewed.");
    } on-error={
      $LogPrint debug $ScriptName ("Could not renew certificate '" . ($CertVal->"name") . "'.");
    }
  }
  :foreach Cert in=[ /certificate/find where !revoked !scep-url !(expires-after=[]) \
                     expires-after<$CertWarnTime !(fingerprint=[]) ] do={
    :local CertVal [ /certificate/get $Cert ];
    :if ([ :len [ /certificate/scep-server/find where ca-cert=($CertVal->"ca") ] ] > 0) do={
      $LogPrint debug $ScriptName ("Certificate '" . ($CertVal->"name") . "' is handled by SCEP, skipping.");
    } else={
      :local State [ $IfThenElse (($CertVal->"expired") = true) "expired" "is about to expire" ];
      $SendNotification2 ({ origin=$ScriptName; \
        subject=([ $SymbolForNotification "warning-sign" ] . "Certificate warning: " . ($CertVal->"name")); \
        message=("A certificate on " . $Identity . " " . $State . ".\n\n" . [ $FormatInfo $Cert ]) });
      $LogPrint info $ScriptName ("The certificate '" . ($CertVal->"name") . "' " . $State . \
          ", it is invalid after " . ($CertVal->"invalid-after") . ".");
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/check-health.d/state.rsc
+++ b/check-health.d/state.rsc
@ -1,48 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: check-health.d/state
 # Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # check for RouterOS health state - state plugin
 # https://rsc.eworm.de/doc/check-health.md
 :global CheckHealthPlugins;
 :set ($CheckHealthPlugins->[ :jobname ]) do={
  :local FuncName [ :tostr $0 ];
  :global CheckHealthLast;
  :global Identity;
  :global LogPrint;
  :global SendNotification2;
  :global SymbolForNotification;
  :if ([ :len [ /system/health/find where type="" name~"-state\$"] ] = 0) do={
    $LogPrint debug $FuncName ("Your device does not provide any state health values.");
    :return false;
  }
  :foreach State in=[ /system/health/find where type="" name~"-state\$" ] do={
    :local Name  [ /system/health/get $State name  ];
    :local Value [ /system/health/get $State value ];
    :if ([ :typeof ($CheckHealthLast->$Name) ] != "nothing") do={
      :if ($CheckHealthLast->$Name = "ok" && \
           $Value != "ok") do={
        $SendNotification2 ({ origin=$FuncName; \
          subject=([ $SymbolForNotification "cross-mark" ] . "Health warning: " . $Name); \
          message=("The device '" . $Name . "' on " . $Identity . " failed!") });
      }
      :if ($CheckHealthLast->$Name != "ok" && \
           $Value = "ok") do={
        $SendNotification2 ({ origin=$FuncName; \
          subject=([ $SymbolForNotification "white-heavy-check-mark" ] . "Health recovery: " . $Name); \
          message=("The device '" . $Name . "' on " . $Identity . " recovered!") });
      }
    }
    :set ($CheckHealthLast->$Name) $Value;
  }
 }
--- a/check-health.d/temperature.rsc
+++ b/check-health.d/temperature.rsc
@ -1,74 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: check-health.d/temperature
 # Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # check for RouterOS health state - temperature plugin
 # https://rsc.eworm.de/doc/check-health.md
 :global CheckHealthPlugins;
 :set ($CheckHealthPlugins->[ :jobname ]) do={
  :local FuncName [ :tostr $0 ];
  :global CheckHealthLast;
  :global CheckHealthTemperature;
  :global CheckHealthTemperatureDeviation;
  :global CheckHealthTemperatureNotified;
  :global Identity;
  :global LogPrint;
  :global SendNotification2;
  :global SymbolForNotification;
  :if ([ :len [ /system/health/find where type="C" ] ] = 0) do={
    $LogPrint debug $FuncName ("Your device does not provide any voltage health values.");
    :return false;
  }
  :local TempToNum do={
    :global CharacterReplace;
    :local T [ :toarray [ $CharacterReplace $1 "." "," ] ];
    :return ($T->0 * 10 + $T->1);
  }
  :if ([ :typeof $CheckHealthTemperatureNotified ] != "array") do={
    :set CheckHealthTemperatureNotified ({});
  }
  :foreach Temperature in=[ /system/health/find where type="C" ] do={
    :local Name  [ /system/health/get $Temperature name  ];
    :local Value [ /system/health/get $Temperature value ];
    :if ([ :typeof ($CheckHealthLast->$Name) ] != "nothing") do={
      :if ([ :typeof ($CheckHealthTemperature->$Name) ] != "num" ) do={
        $LogPrint info $FuncName ("No threshold given for " . $Name . ", assuming 50C.");
        :set ($CheckHealthTemperature->$Name) 50;
      }
      :local Validate [ /system/health/get [ find where name=$Name ] value ];
      :while ($Value != $Validate) do={
        :set Value $Validate;
        :set Validate [ /system/health/get [ find where name=$Name ] value ];
      }
      :if ($Value > $CheckHealthTemperature->$Name && \
           $CheckHealthTemperatureNotified->$Name != true) do={
        $SendNotification2 ({ origin=$FuncName; \
          subject=([ $SymbolForNotification "fire" ] . "Health warning: " . $Name); \
          message=("The " . $Name . " on " . $Identity . " is above threshold: " . \
            $Value . "\C2\B0" . "C") });
        :set ($CheckHealthTemperatureNotified->$Name) true;
      }
      :if ($Value <= ($CheckHealthTemperature->$Name - $CheckHealthTemperatureDeviation) && \
           $CheckHealthTemperatureNotified->$Name = true) do={
        $SendNotification2 ({ origin=$FuncName; \
          subject=([ $SymbolForNotification "white-heavy-check-mark" ] . "Health recovery: " . $Name); \
          message=("The " . $Name . " on " . $Identity . " dropped below threshold: " .  \
            $Value . "\C2\B0" . "C") });
        :set ($CheckHealthTemperatureNotified->$Name) false;
      }
    }
    :set ($CheckHealthLast->$Name) $Value;
  }
 }
--- a/check-health.d/voltage.rsc
+++ b/check-health.d/voltage.rsc
@ -1,63 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: check-health.d/voltage
 # Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # check for RouterOS health state - voltage plugin
 # https://rsc.eworm.de/doc/check-health.md
 :global CheckHealthPlugins;
 :set ($CheckHealthPlugins->[ :jobname ]) do={
  :local FuncName [ :tostr $0 ];
  :global CheckHealthLast;
  :global CheckHealthVoltageLow;
  :global CheckHealthVoltagePercent;
  :global Identity;
  :global FormatLine;
  :global IfThenElse;
  :global LogPrint;
  :global SendNotification2;
  :global SymbolForNotification;
  :if ([ :len [ /system/health/find where type="V" ] ] = 0) do={
    $LogPrint debug $FuncName ("Your device does not provide any voltage health values.");
    :return false;
  }
  :foreach Voltage in=[ /system/health/find where type="V" ] do={
    :local Name  [ /system/health/get $Voltage name  ];
    :local Value [ /system/health/get $Voltage value ];
    :if ([ :typeof ($CheckHealthLast->$Name) ] != "nothing") do={
      :local NumCurr [ $TempToNum $Value ];
      :local NumLast [ $TempToNum ($CheckHealthLast->$Name) ];
      :if ($NumLast * (100 + $CheckHealthVoltagePercent) < $NumCurr * 100 || \
           $NumLast * 100 > $NumCurr * (100 + $CheckHealthVoltagePercent)) do={
        $SendNotification2 ({ origin=$FuncName; \
          subject=([ $SymbolForNotification ("high-voltage-sign,chart-" . [ $IfThenElse ($NumLast < \
            $NumCurr) "in" "de" ] . "creasing") ] . "Health warning: " . $Name); \
          message=("The " . $Name . " on " . $Identity . " jumped more than " . $CheckHealthVoltagePercent . "%.\n\n" . \
            [ $FormatLine "old value" ($CheckHealthLast->$Name . " V") 12 ] . "\n" . \
            [ $FormatLine "new value" ($Value . " V") 12 ]) });
      } else={ 
        :if ($NumCurr <= $CheckHealthVoltageLow && $NumLast > $CheckHealthVoltageLow) do={ 
          $SendNotification2 ({ origin=$FuncName; \
            subject=([ $SymbolForNotification "high-voltage-sign,chart-decreasing" ] . "Health warning: Low " . $Name); \ 
            message=("The " . $Name . " on " . $Identity . " dropped to " . $Value . " V below hard limit.") }); 
        } 
        :if ($NumCurr > $CheckHealthVoltageLow && $NumLast <= $CheckHealthVoltageLow) do={ 
          $SendNotification2 ({ origin=$FuncName; \
            subject=([ $SymbolForNotification "high-voltage-sign,chart-increasing" ] . "Health recovery: Low " . $Name); \ 
            message=("The " . $Name . " on " . $Identity . " recovered to " . $Value . " V above hard limit.") }); 
        }
      }
    }
    :set ($CheckHealthLast->$Name) $Value;
  }
 }
--- a/check-health.rsc
+++ b/check-health.rsc
@ -1,110 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: check-health
 # Copyright (c) 2019-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # check for RouterOS health state
 # https://rsc.eworm.de/doc/check-health.md
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global CheckHealthCPUUtilization;
  :global CheckHealthCPUUtilizationNotified;
  :global CheckHealthLast;
  :global CheckHealthRAMUtilizationNotified;
  :global Identity;
  :global FormatLine;
  :global HumanReadableNum;
  :global IfThenElse;
  :global LogPrint;
  :global ScriptLock;
  :global SendNotification2;
  :global SymbolForNotification;
  :global ValidateSyntax;
  :local TempToNum do={
    :global CharacterReplace;
    :local T [ :toarray [ $CharacterReplace $1 "." "," ] ];
    :return ($T->0 * 10 + $T->1);
  }
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  :local Resource [ /system/resource/get ];
  :set CheckHealthCPUUtilization (($CheckHealthCPUUtilization * 4 + ($Resource->"cpu-load") * 10) / 5);
  :if ($CheckHealthCPUUtilization > 750 && $CheckHealthCPUUtilizationNotified != true) do={
    $SendNotification2 ({ origin=$ScriptName; \
      subject=([ $SymbolForNotification "abacus,chart-increasing" ] . "Health warning: CPU utilization"); \
      message=("The average CPU utilization on " . $Identity . " is at " . ($CheckHealthCPUUtilization / 10) . "%!") });
    :set CheckHealthCPUUtilizationNotified true;
  }
  :if ($CheckHealthCPUUtilization < 650 && $CheckHealthCPUUtilizationNotified = true) do={
    $SendNotification2 ({ origin=$ScriptName; \
      subject=([ $SymbolForNotification "abacus,chart-decreasing" ] . "Health recovery: CPU utilization"); \
      message=("The average CPU utilization on " . $Identity . " decreased to " . ($CheckHealthCPUUtilization / 10) . "%.") });
    :set CheckHealthCPUUtilizationNotified false;
  }
  :local CheckHealthRAMUtilization (($Resource->"total-memory" - $Resource->"free-memory") * 100 / $Resource->"total-memory");
  :if ($CheckHealthRAMUtilization >=80 && $CheckHealthRAMUtilizationNotified != true) do={
    $SendNotification2 ({ origin=$ScriptName; \
      subject=([ $SymbolForNotification "card-file-box,chart-increasing" ] . "Health warning: RAM utilization"); \
      message=("The RAM utilization on " . $Identity . " is at " . $CheckHealthRAMUtilization . "%!\n\n" . \
      [ $FormatLine "total" ([ $HumanReadableNum ($Resource->"total-memory") 1024 ] . "B") 8 ] . "\n" . \
      [ $FormatLine "used" ([ $HumanReadableNum ($Resource->"total-memory" - $Resource->"free-memory") 1024 ] . "B") 8 ] . "\n" . \
      [ $FormatLine "free" ([ $HumanReadableNum ($Resource->"free-memory") 1024 ] . "B") 8 ]) });
    :set CheckHealthRAMUtilizationNotified true;
  }
  :if ($CheckHealthRAMUtilization < 70 && $CheckHealthRAMUtilizationNotified = true) do={
    $SendNotification2 ({ origin=$ScriptName; \
      subject=([ $SymbolForNotification "card-file-box,chart-decreasing" ] . "Health recovery: RAM utilization"); \
      message=("The RAM utilization on " . $Identity . " decreased to " . $CheckHealthRAMUtilization . "%.") });
    :set CheckHealthRAMUtilizationNotified false;
  }
  :local Plugins [ /system/script/find where name~"^check-health.d/." ];
  :if ([ :len $Plugins ] = 0) do={
    $LogPrint debug $ScriptName ("No plugins installed.");
    :set ExitOK true;
    :error true;
  }
  :global CheckHealthPlugins ({});
  :if ([ :typeof $CheckHealthLast ] != "array") do={
    :set CheckHealthLast ({});
  }
  :foreach Plugin in=$Plugins do={
    :local PluginVal [ /system/script/get $Plugin ];
    :if ([ $ValidateSyntax ($PluginVal->"source") ] = true) do={
      :do {
        /system/script/run $Plugin;
      } on-error={
        $LogPrint error $ScriptName ("Plugin '" . $ScriptVal->"name" . "' failed to run.");
      }
    } else={
      $LogPrint error $ScriptName ("Plugin '" . $ScriptVal->"name" . "' failed syntax validation, skipping.");
    }
  }
  :foreach PluginName,Discard in=$CheckHealthPlugins do={
    ($CheckHealthPlugins->$PluginName) \
         ("\$CheckHealthPlugins->\"" . $PluginName . "\"");
  }
  :set CheckHealthPlugins;
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/32
+++ b/32
@ -0,0 +1,32 @@
 #!rsc
 # RouterOS script: check-lte-firmware-upgrade
 # Copyright (c) 2018-2019 Christian Hesse <mail@eworm.de>
 #
 # check for LTE firmware upgrade, send notification e-mails
 :global Identity;
 :global SentLteFirmwareUpgradeNotification;
 :global SendNotification;
 :foreach Interface in=[ / interface lte find ] do={
  :local IntName [ / interface lte get $Interface name ];
  :do {
    :local Firmware [ / interface lte firmware-upgrade $Interface once as-value ];
    :if ($SentLteFirmwareUpgradeNotification = ($Firmware->"latest")) do={
      :log debug ("Already sent the LTE firmware upgrade notification for version " . \
        ($Firmware->"latest") . ".");
    } else={
      :if (($Firmware->"installed") != ($Firmware->"latest")) do={
        $SendNotification ("LTE firmware upgrade notification") \
          ("A new firmware version " . ($Firmware->"latest") . " is available for " . \
          "LTE interface " . $IntName . " on " . $Identity . ".");
        :set SentLteFirmwareUpgradeNotification ($Firmware->"latest");
      }
    }
  } on-error={
    :log debug ("Could not get latest LTE firmware version for interface " . \
      $IntName . ".");
  }
 }
--- a/check-lte-firmware-upgrade.rsc
+++ b/check-lte-firmware-upgrade.rsc
@ -1,107 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: check-lte-firmware-upgrade
 # Copyright (c) 2018-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # check for LTE firmware upgrade, send notification
 # https://rsc.eworm.de/doc/check-lte-firmware-upgrade.md
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global SentLteFirmwareUpgradeNotification;
  :global ScriptLock;
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  :if ([ :typeof $SentLteFirmwareUpgradeNotification ] != "array") do={
    :global SentLteFirmwareUpgradeNotification ({});
  }
  :local CheckInterface do={
    :local ScriptName $1;
    :local Interface  $2;
    :global Identity;
    :global SentLteFirmwareUpgradeNotification;
    :global FormatLine;
    :global IfThenElse;
    :global LogPrint;
    :global ScriptFromTerminal;
    :global SendNotification2;
    :global SymbolForNotification;
    :local IntName [ /interface/lte/get $Interface name ];
    :local Firmware;
    :local Info;
    :do {
      :set Firmware [ /interface/lte/firmware-upgrade $Interface as-value ];
      :set Info [ /interface/lte/monitor $Interface once as-value ];
    } on-error={
      $LogPrint debug $ScriptName ("Could not get latest LTE firmware version for interface " . \
        $IntName . ".");
      :return false;
    }
    :if ([ :len ($Firmware->"latest") ] = 0) do={
      $LogPrint info $ScriptName ("An empty string is not a valid version.");
      :return false;
    }
    :if (($Firmware->"installed") = ($Firmware->"latest")) do={
      :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
        $LogPrint info $ScriptName ("No firmware upgrade available for LTE interface " . $IntName . ".");
      }
      :return true;
    }
    :if ([ $ScriptFromTerminal $ScriptName ] = true && \
        [ :len [ /system/script/find where name="unattended-lte-firmware-upgrade" ] ] > 0) do={
      :put ("Do you want to start unattended lte firmware upgrade for interface " . $IntName . "? [y/N]");
      :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
          /system/script/run unattended-lte-firmware-upgrade;
          $LogPrint info $ScriptName ("Scheduled lte firmware upgrade for interface " . $IntName . "...");
        :return true;
      } else={
        :put "Canceled...";
      }
    }
    :if (($SentLteFirmwareUpgradeNotification->$IntName) = ($Firmware->"latest")) do={
      $LogPrint debug $ScriptName ("Already sent the LTE firmware upgrade notification for version " . \
        ($Firmware->"latest") . ".");
      :return false;
    }
    $LogPrint info $ScriptName ("A new firmware version " . ($Firmware->"latest") . " is available for " . \
      "LTE interface " . $IntName . ".");
    $SendNotification2 ({ origin=$ScriptName; \
      subject=([ $SymbolForNotification "sparkles" ] . "LTE firmware upgrade"); \
      message=("A new firmware version " . ($Firmware->"latest") . " is available for " . \
        "LTE interface " . $IntName . " on " . $Identity . ".\n\n" . \
        [ $IfThenElse ([ :len ($Info->"manufacturer") ] > 0) ([ $FormatLine "Manufacturer" ($Info->"manufacturer") ] . "\n") ] . \
        [ $IfThenElse ([ :len ($Info->"model") ] > 0) ([ $FormatLine "Model" ($Info->"model") ] . "\n") ] . \
        [ $IfThenElse ([ :len ($Info->"revision") ] > 0) ([ $FormatLine "Revision" ($Info->"revision") ] . "\n") ] . \
        "Firmware version:\n" . \
        [ $FormatLine "    Installed" ($Firmware->"installed") ] . "\n" . \
        [ $FormatLine "    Available" ($Firmware->"latest") ]); silent=true });
    :set ($SentLteFirmwareUpgradeNotification->$IntName) ($Firmware->"latest");
  }
  :foreach Interface in=[ /interface/lte/find ] do={
    $CheckInterface $ScriptName $Interface;
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/82
+++ b/82
@ -0,0 +1,82 @@
 #!rsc
 # RouterOS script: check-routeros-update
 # Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
 #
 # check for RouterOS update, send notification e-mails
 :global Identity;
 :global SafeUpdateUrl;
 :global SentRouterosUpdateNotification;
 :global SendNotification;
 :local Update do={
  :if ([ / system script print count-only where name="packages-update" ] > 0) do={
    / system script run packages-update;
  } else={
    / system package update install without-paging;
  }
  :error "Waiting for system to reboot.";
 }
 :if ([ / system package print count-only where name="wireless" disabled=no ] > 0) do={
  :if ([ / interface wireless cap get enabled ] = true && \
      [ / caps-man manager get enabled ] = false) do={
    :error "System is managed by CAPsMAN, not checking.";
  }
 }
 / system package update check-for-updates without-paging;
 :local InstalledVersion [ / system package update get installed-version ];
 :local LatestVersion [ / system package update get latest-version ];
 :if ($InstalledVersion != $LatestVersion) do={
  :local Channel [ / system package update get channel ];
  :local BoardName [ / system resource get board-name ];
  :local Model [ / system routerboard get model ];
  :local SerialNumber [ / system routerboard get serial-number ];
  :if ([ :len $SafeUpdateUrl ] > 0) do={
    :local Result;
    :do {
      :set Result [ / tool fetch check-certificate=yes-without-crl \
          ($SafeUpdateUrl . $Channel . "?installed=" . $InstalledVersion . \
          "&latest=" . $LatestVersion) output=user as-value ];
    } on-error={
      :log warning ("Failed receiving safe version for " . $Channel . ".");
    }
    :if ($Result->"status" = "finished" && $Result->"data" = $LatestVersion) do={
      :log info ("Version " . $LatestVersion . " is considered safe, updating...");
      $SendNotification ("RouterOS update notification") \
          ("Version " . $LatestVersion . " is considered safe for " . $Channel . \
          ", updating on " . $Identity . "...");
      $Update;
    }
  }
  :if ([ / system script job print count-only where script="check-routeros-update" parent~"." ] > 0) do={
    :put ("Do you want to install RouterOS version " . $LatestVersion . "? [y/N]");
    :if ([ :terminal inkey timeout=60 ] = 121) do={
      $Update;
    } else={
      :put "Canceled...";
    }
  }
  :if ($SentRouterosUpdateNotification = $LatestVersion) do={
    :error ("Already sent the RouterOS update notification for version " . \
        $LatestVersion . ".");
  }
  $SendNotification ("RouterOS update notification") \
    ("There is a RouterOS update available\n\n" . \
      "Board name:    " . $BoardName . "\n" . \
      "Model:         " . $Model . "\n" . \
      "Serial number: " . $SerialNumber . "\n" . \
      "Hostname:      " . $Identity . "\n" . \
      "Channel:       " . $Channel . "\n" . \
      "Installed:     " . $InstalledVersion . "\n" . \
      "Available:     " . $LatestVersion . "\n\n" .\
      "https://upgrade.mikrotik.com/routeros/" . $LatestVersion . "/CHANGELOG");
  :set SentRouterosUpdateNotification $LatestVersion;
 }
--- a/check-routeros-update.rsc
+++ b/check-routeros-update.rsc
@ -1,239 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: check-routeros-update
 # Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 # requires device-mode, fetch, scheduler
 #
 # check for RouterOS update, send notification and/or install
 # https://rsc.eworm.de/doc/check-routeros-update.md
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global Identity;
  :global SafeUpdateAll;
  :global SafeUpdateNeighbor;
  :global SafeUpdateNeighborIdentity;
  :global SafeUpdatePatch;
  :global SafeUpdateUrl;
  :global SentRouterosUpdateNotification;
  :global DeviceInfo;
  :global EscapeForRegEx;
  :global FetchUserAgentStr;
  :global LogPrint;
  :global ScriptFromTerminal;
  :global ScriptLock;
  :global SendNotification2;
  :global SymbolForNotification;
  :global VersionToNum;
  :global WaitFullyConnected;
  :local DoUpdate do={
    :local ScriptName [ :tostr $1 ];
    :global LogPrint;
    :if ([ :len [ /system/script/find where name="packages-update" ] ] > 0) do={
      /system/script/run packages-update;
    } else={
      /system/package/update/install without-paging;
    }
    $LogPrint info $ScriptName ("Waiting for system to reboot.");
  }
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  :if ([ :len [ /system/scheduler/find where name="running-from-backup-partition" ] ] > 0) do={
    $LogPrint warning $ScriptName ("Running from backup partition, refusing to act.");
    :set ExitOK true;
    :error false;
  }
  $WaitFullyConnected;
  :if ([ :len [ /system/scheduler/find where name="_RebootForUpdate" ] ] > 0) do={
    :set ExitOK true;
    :error "A reboot for update is already scheduled.";
  }
  :local License [ /system/license/get ];
  :if ([ :typeof ($License->"deadline-at") ] = "str") do={
    :if ([ :len ($License->"next-renewal-at") ] = 0 && ($License->"limited-upgrades") = true) do={
      $LogPrint warning $ScriptName ("Your license expired on " . ($License->"deadline-at") . "!");
      $SendNotification2 ({ origin=$ScriptName; \
        subject=([ $SymbolForNotification "warning-sign" ] . "License expired!"); \
        message=("Your license expired on " . ($License->"deadline-at") . \
          ", can no longer update RouterOS on " . $Identity . "...") });
      :set ExitOK true;
      :error false;
    }
    :if ([ :totime ($License->"deadline-at") ] - 3w < [ :timestamp ]) do={
      $LogPrint warning $ScriptName ("Your license will expire on " . ($License->"deadline-at") . "!");
      $SendNotification2 ({ origin=$ScriptName; \
        subject=([ $SymbolForNotification "warning-sign" ] . "License about to expire!"); \
        message=("Your license failed to renew and is about to expire on " . \
          ($License->"deadline-at") . " on " . $Identity . "...") });
    }
  }
  $LogPrint debug $ScriptName ("Checking for updates...");
  /system/package/update/check-for-updates without-paging as-value;
  :local Update [ /system/package/update/get ];
  :if (($Update->"installed-version") = ($Update->"latest-version")) do={
    :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
      $LogPrint info $ScriptName ("System is already up to date.");
    }
    :set ExitOK true;
    :error true;
  }
  :if ([ :len ($Update->"latest-version") ] = 0) do={
    $LogPrint info $ScriptName ("Received an empty version string from server.");
    :set ExitOK true;
    :error false;
  }
  :local NumInstalled [ $VersionToNum ($Update->"installed-version") ];
  :local NumLatest [ $VersionToNum ($Update->"latest-version") ];
  :local BitMask [ $VersionToNum "255.255zero0" ];
  :local NumInstalledFeature ($NumInstalled & $BitMask);
  :local NumLatestFeature ($NumLatest & $BitMask);
  :local Link ("https://mikrotik.com/download/changelogs/" . $Update->"channel" . "-release-tree");
  :if ($NumLatest < [ $VersionToNum "7.0" ]) do={
    $LogPrint warning $ScriptName ("The version '" . ($Update->"latest-version") . "' is not a valid version.");
    :set ExitOK true;
    :error false;
  }
  :if ($NumInstalled < $NumLatest) do={
    :if ($SafeUpdateAll ~ "^YES,? ?PLEASE!?\$") do={
      $LogPrint info $ScriptName ("Installing ALL versions automatically, including " . \
        $Update->"latest-version" . "...");
      $SendNotification2 ({ origin=$ScriptName; \
        subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
        message=("Installing ALL versions automatically, including " . $Update->"latest-version" . \
          "... Updating on " . $Identity . "..."); link=$Link; silent=true });
      $DoUpdate $ScriptName;
      :set ExitOK true;
      :error true;
    }
    :if ($SafeUpdatePatch = true && $NumInstalledFeature = $NumLatestFeature) do={
      $LogPrint info $ScriptName ("Version " . $Update->"latest-version" . " is a patch release, updating...");
      $SendNotification2 ({ origin=$ScriptName; \
        subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
        message=("Version " . $Update->"latest-version" . " is a patch update for " . $Update->"channel" . \
          ", updating on " . $Identity . "..."); link=$Link; silent=true });
      $DoUpdate $ScriptName;
      :set ExitOK true;
      :error true;
    }
    :if ($SafeUpdateNeighbor = true) do={
      :local Neighbors [ /ip/neighbor/find where platform="MikroTik" identity~$SafeUpdateNeighborIdentity \
         version~("^" . [ $EscapeForRegEx ($Update->"latest-version") ] . "\\b") ];
      :if ([ :len $Neighbors ] > 0) do={
        :local Neighbor [ /ip/neighbor/get ($Neighbors->0) identity ];
        $LogPrint info $ScriptName ("Seen a neighbor (" . $Neighbor . ") running version " . \
          $Update->"latest-version" . " from " . $Update->"channel" . ", updating...");
        $SendNotification2 ({ origin=$ScriptName; \
          subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
          message=("Seen a neighbor (" . $Neighbor . ") running version " . $Update->"latest-version" . \
            " from " . $Update->"channel" . ", updating on " . $Identity . "..."); link=$Link; silent=true });
        $DoUpdate $ScriptName;
        :set ExitOK true;
        :error true;
      }
    }
    :if ([ :len $SafeUpdateUrl ] > 0) do={
      :local Result;
      :do {
        :set Result [ /tool/fetch check-certificate=yes-without-crl \
            ($SafeUpdateUrl . $Update->"channel" . "?installed=" . $Update->"installed-version" . \
            "&latest=" . $Update->"latest-version") http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \
            output=user as-value ];
      } on-error={
        $LogPrint warning $ScriptName ("Failed receiving safe version for " . $Update->"channel" . ".");
      }
      :if ($Result->"status" = "finished" && $Result->"data" = $Update->"latest-version") do={
        $LogPrint info $ScriptName ("Version " . $Update->"latest-version" . " is considered safe, updating...");
        $SendNotification2 ({ origin=$ScriptName; \
          subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
          message=("Version " . $Update->"latest-version" . " is considered safe for " . $Update->"channel" . \
            ", updating on " . $Identity . "..."); link=$Link; silent=true });
        $DoUpdate $ScriptName;
        :set ExitOK true;
        :error true;
      }
    }
    :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
      :if (($Update->"channel") = "testing" && $NumInstalledFeature < $NumLatestFeature) do={
        :put ("This is a feature update in testing channel. Switch to channel 'stable'? [y/N]");
        :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
          /system/package/update/set channel=stable;
          $LogPrint info $ScriptName ("Switched to channel 'stable', please re-run!");
          :set ExitOK true;
          :error true;
        }
      }
      :put ("Do you want to install RouterOS version " . $Update->"latest-version" . "? [y/N]");
      :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
        $DoUpdate $ScriptName;
        :set ExitOK true;
        :error true;
      } else={
        :put "Canceled...";
      }
    }
    :if ($SentRouterosUpdateNotification = $Update->"latest-version") do={
      $LogPrint info $ScriptName ("Already sent the RouterOS update notification for version " . \
          $Update->"latest-version" . ".");
      :set ExitOK true;
      :error true;
    }
    $SendNotification2 ({ origin=$ScriptName; \
      subject=([ $SymbolForNotification "sparkles" ] . "RouterOS update: " . $Update->"latest-version"); \
      message=("A new RouterOS version " . ($Update->"latest-version") . \
        " is available for " . $Identity . ".\n\n" . \
        [ $DeviceInfo ]); link=$Link; silent=true });
    :set SentRouterosUpdateNotification ($Update->"latest-version");
  }
  :if ($NumInstalled > $NumLatest) do={
    :if ($SentRouterosUpdateNotification = $Update->"latest-version") do={
      $LogPrint info $ScriptName ("Already sent the RouterOS downgrade notification for version " . \
          $Update->"latest-version" . ".");
      :set ExitOK true;
      :error true;
    }
    $SendNotification2 ({ origin=$ScriptName; \
      subject=([ $SymbolForNotification "warning-sign" ] . "RouterOS version: " . $Update->"latest-version"); \
      message=("A different RouterOS version " . ($Update->"latest-version") . \
        " is available for " . $Identity . ", but it is a downgrade.\n\n" . \
        [ $DeviceInfo ]); link=$Link; silent=true });
    $LogPrint info $ScriptName ("A different RouterOS version " . ($Update->"latest-version") . \
      " is available for downgrade.");
    :set SentRouterosUpdateNotification ($Update->"latest-version");
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/collect-wireless-mac.capsman
+++ b/collect-wireless-mac.capsman
@ -0,0 +1,62 @@
 #!rsc
 # RouterOS script: collect-wireless-mac.capsman
 # Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
 #
 # collect wireless mac adresses in access list
 #
 # !! Do not edit this file, it is generated from template!
 :global Identity;
 :global GetMacVendor;
 :global SendNotification;
 :global ScriptLock;
 $ScriptLock "collect-wireless-mac.capsman";
 :local PlaceBefore [ / caps-man access-list find where comment="--- collected above ---" disabled ];
 :if ([ :len $PlaceBefore ] = 0) do={
  :error "Missing disabled access-list entry with comment '--- collected above ---'";
 }
 :foreach RegTbl in=[ / caps-man registration-table find ] do={
  :local Mac [ / caps-man registration-table get $RegTbl mac-address ];
  :local AccessList ([ / caps-man access-list find where mac-address=$Mac ]->0);
  :if ([ :len $AccessList ] = 0) do={
    :local HostName "no dhcp lease";
    :local Address "no dhcp lease";
    :local Lease [ / ip dhcp-server lease find where mac-address=$Mac ];
    :if ([ :len $Lease ] > 0) do={
      :set HostName [ / ip dhcp-server lease get $Lease host-name ];
      :set Address [ / ip dhcp-server lease get $Lease address ];
    }
    :if ([ :len $HostName ] = 0) do={
      :set HostName "no hostname";
    }
    :if ([ :len $Address ] = 0) do={
      :set Address "no address";
    }
    :local RegEntry [ / caps-man registration-table find where mac-address=$Mac ];
    :local Interface [ / caps-man registration-table get $RegEntry interface ];
    :local Ssid [ / caps-man registration-table get $RegEntry ssid ];
    :local DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);
    :local Vendor [ $GetMacVendor $Mac ];
    :local Message ("unknown MAC address " . $Mac . " (" . $Vendor . ", " . $HostName . ") " . \
      "first seen on " . $DateTime . " connected to SSID " . $Ssid . ", interface " . $Interface);
    / log info $Message;
    / caps-man access-list add place-before=$PlaceBefore comment=$Message mac-address=$Mac disabled=yes;
    $SendNotification ($Mac . " connected to " . $Ssid) \
      ("A device with unknown MAC address connected to " . $Ssid . " on " . $Identity . ".\n\n" . \
        "Controller: " . $Identity . "\n" . \
        "Interface:  " . $Interface . "\n" . \
        "SSID:       " . $Ssid . "\n" . \
        "MAC:        " . $Mac . "\n" . \
        "Vendor:     " . $Vendor . "\n" . \
        "Hostname:   " . $HostName . "\n" . \
        "Address:    " . $Address . "\n" . \
        "Date:       " . $DateTime);
  } else={
    :local Comment [ / caps-man access-list get $AccessList comment ];
    :log debug ("MAC address " . $Mac . " already known: " . $Comment);
  }
 }
--- a/collect-wireless-mac.capsman.rsc
+++ b/collect-wireless-mac.capsman.rsc
@ -1,100 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: collect-wireless-mac.capsman
 # Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # provides: lease-script, order=40
 # requires RouterOS, version=7.15
 #
 # collect wireless mac adresses in access list
 # https://rsc.eworm.de/doc/collect-wireless-mac.md
 #
 # !! Do not edit this file, it is generated from template!
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global Identity;
  :global EitherOr;
  :global FormatLine;
  :global FormatMultiLines;
  :global GetMacVendor;
  :global LogPrint;
  :global ScriptLock;
  :global SendNotification2;
  :global SymbolForNotification;
  :if ([ $ScriptLock $ScriptName 10 ] = false) do={
    :set ExitOK true;
    :error false;
  }
  :if ([ :len [ /caps-man/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
    /caps-man/access-list/add comment="--- collected above ---" disabled=yes;
    $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
  }
  :local PlaceBefore ([ /caps-man/access-list/find where comment="--- collected above ---" disabled ]->0);
  :foreach Reg in=[ /caps-man/registration-table/find ] do={
    :local RegVal;
    :do {
      :set RegVal [ /caps-man/registration-table/get $Reg ];
    } on-error={
      $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
    }
    :if ([ :len ($RegVal->"mac-address") ] > 0) do={
      :local AccessList ([ /caps-man/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
      :if ([ :len $AccessList ] > 0) do={
        $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
          [ /caps-man/access-list/get $AccessList comment ]);
      }
      :if ([ :len $AccessList ] = 0) do={
        :local Address "no dhcp lease";
        :local DnsName "no dhcp lease";
        :local HostName "no dhcp lease";
        :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
        :if ([ :len $Lease ] > 0) do={
          :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
          :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
          :set DnsName "no dns name";
          :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
          :if ([ :len $DnsRec ] > 0) do={
            :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
            :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
              :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
            }
          }
        }
        :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
        :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
        :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
          "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
        $LogPrint info $ScriptName $Message;
        /caps-man/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
        $SendNotification2 ({ origin=$ScriptName; \
          subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
          message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
            [ $FormatLine "Controller" $Identity ] . "\n" . \
            [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
            [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
            [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
            [ $FormatLine "Vendor" $Vendor ] . "\n" . \
            [ $FormatLine "Hostname" $HostName ] . "\n" . \
            [ $FormatLine "Address" $Address ] . "\n" . \
            [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
            [ $FormatLine "Date" $DateTime ]) });
      }
    } else={
      $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/collect-wireless-mac.local
+++ b/collect-wireless-mac.local
@ -0,0 +1,62 @@
 #!rsc
 # RouterOS script: collect-wireless-mac.local
 # Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
 #
 # collect wireless mac adresses in access list
 #
 # !! Do not edit this file, it is generated from template!
 :global Identity;
 :global GetMacVendor;
 :global SendNotification;
 :global ScriptLock;
 $ScriptLock "collect-wireless-mac.local";
 :local PlaceBefore [ / interface wireless access-list find where comment="--- collected above ---" disabled ];
 :if ([ :len $PlaceBefore ] = 0) do={
  :error "Missing disabled access-list entry with comment '--- collected above ---'";
 }
 :foreach RegTbl in=[ / interface wireless registration-table find ] do={
  :local Mac [ / interface wireless registration-table get $RegTbl mac-address ];
  :local AccessList ([ / interface wireless access-list find where mac-address=$Mac ]->0);
  :if ([ :len $AccessList ] = 0) do={
    :local HostName "no dhcp lease";
    :local Address "no dhcp lease";
    :local Lease [ / ip dhcp-server lease find where mac-address=$Mac ];
    :if ([ :len $Lease ] > 0) do={
      :set HostName [ / ip dhcp-server lease get $Lease host-name ];
      :set Address [ / ip dhcp-server lease get $Lease address ];
    }
    :if ([ :len $HostName ] = 0) do={
      :set HostName "no hostname";
    }
    :if ([ :len $Address ] = 0) do={
      :set Address "no address";
    }
    :local RegEntry [ / interface wireless registration-table find where mac-address=$Mac ];
    :local Interface [ / interface wireless registration-table get $RegEntry interface ];
    :local Ssid [ / interface wireless get [ find where name=$Interface ] ssid ];
    :local DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);
    :local Vendor [ $GetMacVendor $Mac ];
    :local Message ("unknown MAC address " . $Mac . " (" . $Vendor . ", " . $HostName . ") " . \
      "first seen on " . $DateTime . " connected to SSID " . $Ssid . ", interface " . $Interface);
    / log info $Message;
    / interface wireless access-list add place-before=$PlaceBefore comment=$Message mac-address=$Mac disabled=yes;
    $SendNotification ($Mac . " connected to " . $Ssid) \
      ("A device with unknown MAC address connected to " . $Ssid . " on " . $Identity . ".\n\n" . \
        "Controller: " . $Identity . "\n" . \
        "Interface:  " . $Interface . "\n" . \
        "SSID:       " . $Ssid . "\n" . \
        "MAC:        " . $Mac . "\n" . \
        "Vendor:     " . $Vendor . "\n" . \
        "Hostname:   " . $HostName . "\n" . \
        "Address:    " . $Address . "\n" . \
        "Date:       " . $DateTime);
  } else={
    :local Comment [ / interface wireless access-list get $AccessList comment ];
    :log debug ("MAC address " . $Mac . " already known: " . $Comment);
  }
 }
--- a/collect-wireless-mac.local.rsc
+++ b/collect-wireless-mac.local.rsc
@ -1,101 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: collect-wireless-mac.local
 # Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # provides: lease-script, order=40
 # requires RouterOS, version=7.15
 #
 # collect wireless mac adresses in access list
 # https://rsc.eworm.de/doc/collect-wireless-mac.md
 #
 # !! Do not edit this file, it is generated from template!
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global Identity;
  :global EitherOr;
  :global FormatLine;
  :global FormatMultiLines;
  :global GetMacVendor;
  :global LogPrint;
  :global ScriptLock;
  :global SendNotification2;
  :global SymbolForNotification;
  :if ([ $ScriptLock $ScriptName 10 ] = false) do={
    :set ExitOK true;
    :error false;
  }
  :if ([ :len [ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
    /interface/wireless/access-list/add comment="--- collected above ---" disabled=yes;
    $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
  }
  :local PlaceBefore ([ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ]->0);
  :foreach Reg in=[ /interface/wireless/registration-table/find where ap=no ] do={
    :local RegVal;
    :do {
      :set RegVal [ /interface/wireless/registration-table/get $Reg ];
    } on-error={
      $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
    }
    :if ([ :len ($RegVal->"mac-address") ] > 0) do={
      :local AccessList ([ /interface/wireless/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
      :if ([ :len $AccessList ] > 0) do={
        $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
          [ /interface/wireless/access-list/get $AccessList comment ]);
      }
      :if ([ :len $AccessList ] = 0) do={
        :local Address "no dhcp lease";
        :local DnsName "no dhcp lease";
        :local HostName "no dhcp lease";
        :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
        :if ([ :len $Lease ] > 0) do={
          :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
          :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
          :set DnsName "no dns name";
          :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
          :if ([ :len $DnsRec ] > 0) do={
            :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
            :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
              :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
            }
          }
        }
        :set ($RegVal->"ssid") [ /interface/wireless/get [ find where name=($RegVal->"interface") ] ssid ];
        :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
        :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
        :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
          "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
        $LogPrint info $ScriptName $Message;
        /interface/wireless/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
        $SendNotification2 ({ origin=$ScriptName; \
          subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
          message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
            [ $FormatLine "Controller" $Identity ] . "\n" . \
            [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
            [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
            [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
            [ $FormatLine "Vendor" $Vendor ] . "\n" . \
            [ $FormatLine "Hostname" $HostName ] . "\n" . \
            [ $FormatLine "Address" $Address ] . "\n" . \
            [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
            [ $FormatLine "Date" $DateTime ]) });
      }
    } else={
      $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/collect-wireless-mac.template
+++ b/collect-wireless-mac.template
@ -0,0 +1,64 @@
 #!rsc
 # RouterOS script: collect-wireless-mac%TEMPL%
 # Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
 #
 # collect wireless mac adresses in access list
 #
 # !! This is just a template! Replace '%PATH%' with 'caps-man'
 # !! or 'interface wireless'!
 :global Identity;
 :global GetMacVendor;
 :global SendNotification;
 :global ScriptLock;
 $ScriptLock "collect-wireless-mac%TEMPL%";
 :local PlaceBefore [ / %PATH% access-list find where comment="--- collected above ---" disabled ];
 :if ([ :len $PlaceBefore ] = 0) do={
  :error "Missing disabled access-list entry with comment '--- collected above ---'";
 }
 :foreach RegTbl in=[ / %PATH% registration-table find ] do={
  :local Mac [ / %PATH% registration-table get $RegTbl mac-address ];
  :local AccessList ([ / %PATH% access-list find where mac-address=$Mac ]->0);
  :if ([ :len $AccessList ] = 0) do={
    :local HostName "no dhcp lease";
    :local Address "no dhcp lease";
    :local Lease [ / ip dhcp-server lease find where mac-address=$Mac ];
    :if ([ :len $Lease ] > 0) do={
      :set HostName [ / ip dhcp-server lease get $Lease host-name ];
      :set Address [ / ip dhcp-server lease get $Lease address ];
    }
    :if ([ :len $HostName ] = 0) do={
      :set HostName "no hostname";
    }
    :if ([ :len $Address ] = 0) do={
      :set Address "no address";
    }
    :local RegEntry [ / %PATH% registration-table find where mac-address=$Mac ];
    :local Interface [ / %PATH% registration-table get $RegEntry interface ];
    :local Ssid [ / caps-man registration-table get $RegEntry ssid ];
    :local Ssid [ / interface wireless get [ find where name=$Interface ] ssid ];
    :local DateTime ([ / system clock get date ] . " " . [ / system clock get time ]);
    :local Vendor [ $GetMacVendor $Mac ];
    :local Message ("unknown MAC address " . $Mac . " (" . $Vendor . ", " . $HostName . ") " . \
      "first seen on " . $DateTime . " connected to SSID " . $Ssid . ", interface " . $Interface);
    / log info $Message;
    / %PATH% access-list add place-before=$PlaceBefore comment=$Message mac-address=$Mac disabled=yes;
    $SendNotification ($Mac . " connected to " . $Ssid) \
      ("A device with unknown MAC address connected to " . $Ssid . " on " . $Identity . ".\n\n" . \
        "Controller: " . $Identity . "\n" . \
        "Interface:  " . $Interface . "\n" . \
        "SSID:       " . $Ssid . "\n" . \
        "MAC:        " . $Mac . "\n" . \
        "Vendor:     " . $Vendor . "\n" . \
        "Hostname:   " . $HostName . "\n" . \
        "Address:    " . $Address . "\n" . \
        "Date:       " . $DateTime);
  } else={
    :local Comment [ / %PATH% access-list get $AccessList comment ];
    :log debug ("MAC address " . $Mac . " already known: " . $Comment);
  }
 }
--- a/collect-wireless-mac.template.rsc
+++ b/collect-wireless-mac.template.rsc
@ -1,118 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: collect-wireless-mac%TEMPL%
 # Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # provides: lease-script, order=40
 # requires RouterOS, version=7.15
 #
 # collect wireless mac adresses in access list
 # https://rsc.eworm.de/doc/collect-wireless-mac.md
 #
 # !! This is just a template to generate the real script!
 # !! Pattern '%TEMPL%' is replaced, paths are filtered.
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global Identity;
  :global EitherOr;
  :global FormatLine;
  :global FormatMultiLines;
  :global GetMacVendor;
  :global LogPrint;
  :global ScriptLock;
  :global SendNotification2;
  :global SymbolForNotification;
  :if ([ $ScriptLock $ScriptName 10 ] = false) do={
    :set ExitOK true;
    :error false;
  }
  :if ([ :len [ /caps-man/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
  :if ([ :len [ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
  :if ([ :len [ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
    /caps-man/access-list/add comment="--- collected above ---" disabled=yes;
    /interface/wifi/access-list/add comment="--- collected above ---" disabled=yes;
    /interface/wireless/access-list/add comment="--- collected above ---" disabled=yes;
    $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
  }
  :local PlaceBefore ([ /caps-man/access-list/find where comment="--- collected above ---" disabled ]->0);
  :local PlaceBefore ([ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ]->0);
  :local PlaceBefore ([ /interface/wireless/access-list/find where comment="--- collected above ---" disabled ]->0);
  :foreach Reg in=[ /caps-man/registration-table/find ] do={
  :foreach Reg in=[ /interface/wifi/registration-table/find ] do={
  :foreach Reg in=[ /interface/wireless/registration-table/find where ap=no ] do={
    :local RegVal;
    :do {
      :set RegVal [ /caps-man/registration-table/get $Reg ];
      :set RegVal [ /interface/wifi/registration-table/get $Reg ];
      :set RegVal [ /interface/wireless/registration-table/get $Reg ];
    } on-error={
      $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
    }
    :if ([ :len ($RegVal->"mac-address") ] > 0) do={
      :local AccessList ([ /caps-man/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
      :local AccessList ([ /interface/wifi/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
      :local AccessList ([ /interface/wireless/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
      :if ([ :len $AccessList ] > 0) do={
        $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
          [ /caps-man/access-list/get $AccessList comment ]);
          [ /interface/wifi/access-list/get $AccessList comment ]);
          [ /interface/wireless/access-list/get $AccessList comment ]);
      }
      :if ([ :len $AccessList ] = 0) do={
        :local Address "no dhcp lease";
        :local DnsName "no dhcp lease";
        :local HostName "no dhcp lease";
        :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
        :if ([ :len $Lease ] > 0) do={
          :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
          :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
          :set DnsName "no dns name";
          :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
          :if ([ :len $DnsRec ] > 0) do={
            :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
            :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
              :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
            }
          }
        }
        :set ($RegVal->"ssid") [ /interface/wireless/get [ find where name=($RegVal->"interface") ] ssid ];
        :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
        :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
        :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
          "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
        $LogPrint info $ScriptName $Message;
        /caps-man/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
        /interface/wifi/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
        /interface/wireless/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
        $SendNotification2 ({ origin=$ScriptName; \
          subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
          message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
            [ $FormatLine "Controller" $Identity ] . "\n" . \
            [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
            [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
            [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
            [ $FormatLine "Vendor" $Vendor ] . "\n" . \
            [ $FormatLine "Hostname" $HostName ] . "\n" . \
            [ $FormatLine "Address" $Address ] . "\n" . \
            [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
            [ $FormatLine "Date" $DateTime ]) });
      }
    } else={
      $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/collect-wireless-mac.wifi.rsc
+++ b/collect-wireless-mac.wifi.rsc
@ -1,100 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: collect-wireless-mac.wifi
 # Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # provides: lease-script, order=40
 # requires RouterOS, version=7.15
 #
 # collect wireless mac adresses in access list
 # https://rsc.eworm.de/doc/collect-wireless-mac.md
 #
 # !! Do not edit this file, it is generated from template!
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global Identity;
  :global EitherOr;
  :global FormatLine;
  :global FormatMultiLines;
  :global GetMacVendor;
  :global LogPrint;
  :global ScriptLock;
  :global SendNotification2;
  :global SymbolForNotification;
  :if ([ $ScriptLock $ScriptName 10 ] = false) do={
    :set ExitOK true;
    :error false;
  }
  :if ([ :len [ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ] ] = 0) do={
    /interface/wifi/access-list/add comment="--- collected above ---" disabled=yes;
    $LogPrint warning $ScriptName ("Added disabled access-list entry with comment '--- collected above ---'.");
  }
  :local PlaceBefore ([ /interface/wifi/access-list/find where comment="--- collected above ---" disabled ]->0);
  :foreach Reg in=[ /interface/wifi/registration-table/find ] do={
    :local RegVal;
    :do {
      :set RegVal [ /interface/wifi/registration-table/get $Reg ];
    } on-error={
      $LogPrint debug $ScriptName ("Device already gone... Ignoring.");
    }
    :if ([ :len ($RegVal->"mac-address") ] > 0) do={
      :local AccessList ([ /interface/wifi/access-list/find where mac-address=($RegVal->"mac-address") ]->0);
      :if ([ :len $AccessList ] > 0) do={
        $LogPrint debug $ScriptName ("MAC address " . $RegVal->"mac-address" . " already known: " . \
          [ /interface/wifi/access-list/get $AccessList comment ]);
      }
      :if ([ :len $AccessList ] = 0) do={
        :local Address "no dhcp lease";
        :local DnsName "no dhcp lease";
        :local HostName "no dhcp lease";
        :local Lease ([ /ip/dhcp-server/lease/find where active-mac-address=($RegVal->"mac-address") dynamic=yes status=bound ]->0);
        :if ([ :len $Lease ] > 0) do={
          :set Address [ /ip/dhcp-server/lease/get $Lease active-address ];
          :set HostName [ $EitherOr [ /ip/dhcp-server/lease/get $Lease host-name ] "no hostname" ];
          :set DnsName "no dns name";
          :local DnsRec ([ /ip/dns/static/find where address=$Address ]->0);
          :if ([ :len $DnsRec ] > 0) do={
            :set DnsName ({ [ /ip/dns/static/get $DnsRec name ] });
            :foreach CName in=[ /ip/dns/static/find where type=CNAME cname=($DnsName->0) ] do={
              :set DnsName ($DnsName, [ /ip/dns/static/get $CName name ]);
            }
          }
        }
        :local DateTime ([ /system/clock/get date ] . " " . [ /system/clock/get time ]);
        :local Vendor [ $GetMacVendor ($RegVal->"mac-address") ];
        :local Message ("MAC address " . $RegVal->"mac-address" . " (" . $Vendor . ", " . $HostName . ") " . \
          "first seen on " . $DateTime . " connected to SSID " . $RegVal->"ssid" . ", interface " . $RegVal->"interface");
        $LogPrint info $ScriptName $Message;
        /interface/wifi/access-list/add place-before=$PlaceBefore comment=$Message mac-address=($RegVal->"mac-address") disabled=yes;
        $SendNotification2 ({ origin=$ScriptName; \
          subject=([ $SymbolForNotification "mobile-phone" ] . $RegVal->"mac-address" . " connected to " . $RegVal->"ssid"); \
          message=("A device with unknown MAC address connected to " . $RegVal->"ssid" . " on " . $Identity . ".\n\n" . \
            [ $FormatLine "Controller" $Identity ] . "\n" . \
            [ $FormatLine "Interface" ($RegVal->"interface") ] . "\n" . \
            [ $FormatLine "SSID" ($RegVal->"ssid") ] . "\n" . \
            [ $FormatLine "MAC" ($RegVal->"mac-address") ] . "\n" . \
            [ $FormatLine "Vendor" $Vendor ] . "\n" . \
            [ $FormatLine "Hostname" $HostName ] . "\n" . \
            [ $FormatLine "Address" $Address ] . "\n" . \
            [ $FormatMultiLines "DNS name" $DnsName ] . "\n" . \
            [ $FormatLine "Date" $DateTime ]) });
      }
    } else={
      $LogPrint debug $ScriptName ("No mac address available... Ignoring.");
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/contrib/logo-color.d/browser-01.avif
+++ b/contrib/logo-color.d/browser-01.avif
--- a/contrib/logo-color.d/browser-02.avif
+++ b/contrib/logo-color.d/browser-02.avif
--- a/contrib/logo-color.d/browser-03.avif
+++ b/contrib/logo-color.d/browser-03.avif
--- a/contrib/logo-color.d/script.js
+++ b/contrib/logo-color.d/script.js
@ -1,12 +0,0 @@
 function invertHex(hex) {
  return (Number("0x1" + hex) ^ 0xffffff).toString(16).substr(1);
 }
 function color() {
  var svg = document.querySelector(".logo").getSVGDocument();
  svg.getElementById("dark-1").setAttribute("stop-color", document.getElementById("color1").value);
  svg.getElementById("dark-2").setAttribute("stop-color", document.getElementById("color2").value);
  var background = document.getElementById("color3").value;
  svg.getElementById("background").setAttribute("fill", background);
  svg.getElementById("hexagon").setAttribute("stroke", "#" + invertHex(background.substring(1)));
 }
--- a/contrib/logo-color.d/style.css
+++ b/contrib/logo-color.d/style.css
@ -1,5 +0,0 @@
 body {
  font-family: fira-sans, sans-serif;
  font-size: 10pt;
  background-color: transparent;
 }
--- a/contrib/logo-color.html
+++ b/contrib/logo-color.html
@ -1,40 +0,0 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="UTF-8">
 <title>RouterOS-Scripts Logo Color Changer</title>
 <link rel="stylesheet" type="text/css" href="logo-color.d/style.css">
 <script src="logo-color.d/script.js"></script>
 </head>
 <body>
 <h1>RouterOS-Scripts Logo Color Changer</h1>
 <p>You want the logo for your own notifications? But you joined the
 <a href="https://t.me/routeros_scripts">Telegram Group</a> and want
 something that differentiates? Color it!</p>
 <embed class="logo" src="../logo.svg" width="192" height="192" type="image/svg+xml">
 <p>Select the colors here:
 <input id="color1" type="color" value="#222222" onchange="color();">
 <input id="color2" type="color" value="#444444" onchange="color();">
 <input id="color3" type="color" value="#ffffff" onchange="color();"></p>
 <p>Then right-click, click "<i>Take Screenshot</i>" and finally select the
 logo and download it.</p>
 <p><img src="logo-color.d/browser-01.avif" width=533 height=482 alt="Screenshot Browser 01">
 <img src="logo-color.d/browser-02.avif" width=533 height=482 alt="Screenshot Browser 02">
 <img src="logo-color.d/browser-03.avif" width=533 height=482 alt="Screenshot Browser 03"></p>
 <p>(This example is with
 <a href="https://www.mozilla.org/de/firefox/new/">Firefox</a>. The workflow
 for other browsers may differ.)</p>
 <p>See how to
 <a href="../../about/doc/mod/notification-telegram.md#set-a-profile-photo">Set
 a profile photo</a> for your Telegram bot.</p>
 </body>
 </html>
--- a/contrib/notification.d/script.js
+++ b/contrib/notification.d/script.js
@ -1,6 +0,0 @@
 function visible(cb, element) {
  document.getElementById(element).style.display = cb.checked ? "block" : "none";
 }
 function update(cb, element) {
  document.getElementById(element).innerHTML = cb.value;
 }
--- a/contrib/notification.d/style.css
+++ b/contrib/notification.d/style.css
@ -1,36 +0,0 @@
 body {
  font-family: fira-sans, sans-serif;
  font-size: 10pt;
  background-color: transparent;
 }
 div.notification {
  position: relative;
  float: right;
  width: 600px;
  border: 3px outset #6c5d53;
  /* border-radius: 5px; */
  padding: 10px;
  background-color: #e6e6e6;
 }
 div.content {
  padding-left: 60px;
 }
 img.logo {
  float: left;
  border-radius: 50%;
 }
 p.heading {
  margin: 0px;
  font-weight: bold;
  text-decoration: underline;
 }
 p.hint {
  display: none;
 }
 pre {
  font-family: fira-mono, monospace;
  white-space: pre-wrap;
 }
 span.link {
  color: #863600;
 }
--- a/contrib/notification.html
+++ b/contrib/notification.html
@ -1,35 +0,0 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="UTF-8">
 <title>RouterOS-Scripts Notification Generator</title>
 <link rel="stylesheet" type="text/css" href="notification.d/style.css">
 <script src="notification.d/script.js"></script> 
 </head>
 <body>
 <h1>RouterOS-Scripts Notification Generator</h1>
 <div class="notification">
  <img src="../logo.svg" alt="logo" class="logo" width=48 height=48>
  <div class="content">
  <p id="heading" class="heading">[<span id="hostname">MikroTik</span>] <span id="subject">ℹ️  Subject</span></p>
  <pre id="message">Message</pre>
  <p id="link" class="hint">🔗 <span id="link-text" class="link">https://eworm.de/</span></p>
  <p id="queued" class="hint">⏰ This message was queued since <span id="queued-since">oct/18/2022 18:30:48</span> and may be obsolete.</p>
  <p id="cut" class="hint">✂️ The message was too long and has been truncated, cut off <span id="cut-percent">13</span>%!</p>
  </div>
 </div>
 <p>Hostname: <input type="text" value="MikroTik" onchange="update(this, 'hostname')"></p>
 <p>Subject: <input type="text" size=50 value="ℹ️  Subject" onchange="update(this, 'subject')"></p>
 <p>Message: <textarea id="w3review" name="w3review" rows="4" cols="50" onchange="update(this, 'message')">Message</textarea></p>
 <p><input type="checkbox" onclick="visible(this, 'link')"> Show link: <input type="text" value="https://eworm.de/" onchange="update(this, 'link-text')"></p>
 <p><input type="checkbox" onclick="visible(this, 'queued')"> Queued since <input type="text" value="oct/18/2022 18:30:48" onchange="update(this, 'queued-since')"></p>
 <p><input type="checkbox" onclick="visible(this, 'cut')"> Cut-off with <input type="number" min=1 max=99 value=13 onchange="update(this, 'cut-percent')"> percent</p>
 <p>Then right-click, click "<i>Take Screenshot</i>" and finally select the
 notification and download it.</p>
 </body>
 </html>
--- a/23
+++ b/23
@ -0,0 +1,23 @@
 #!rsc
 # RouterOS script: daily-psk-schedule
 # Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
 #
 # schedule daily-psk on startup
 :local Scheduler [ / system scheduler find where name="daily-psk-schedule" ];
 :if ([ / system scheduler get $Scheduler interval ] = 0s) do={
  / system scheduler set interval=15s $Scheduler;
 } else={
  :if ([ / tool netwatch get [ find where comment=[ / tool e-mail get address ] ] status ] != "up") do={
    :error "Mail server is not up.";
  }
  :if ([ / system ntp client get status ] != "synchronized") do={
    :error "Time is not yet synchronized from ntp.";
  }
  / system script run [ find where name~"daily-psk\\.(capsman|local)" ];
  / system scheduler set interval=0s $Scheduler;
 }
--- a/daily-psk.capsman
+++ b/daily-psk.capsman
@ -0,0 +1,90 @@
 #!rsc
 # RouterOS script: daily-psk.capsman
 # Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 #
 # update daily PSK (pre shared key)
 :global Identity;
 :global DailyPskMatchComment;
 :global UrlEncode;
 :global SendNotification;
 :local Seen [ :toarray "" ];
 # return pseudo-random string for PSK
 :local GeneratePSK do={
  :local Date [ :tostr $1 ];
  :global DailyPskSecrets;
  :local Months { "jan"; "feb"; "mar"; "apr"; "may"; "jun";
                  "jul"; "aug"; "sep"; "oct"; "nov"; "dec" };
  :local Month [ :pick $Date 0 3 ];
  :local Day [ :tonum [ :pick $Date 4 6 ] ];
  :local Year [ :pick $Date 7 11 ];
  :for MIndex from=0 to=[ :len $Months ] do={
    :if ($Months->$MIndex = $Month) do={
      :set Month ($MIndex + 1);
    }
  }
  :local A ((14 - $Month) / 12);
  :local B ($Year - $A);
  :local C ($Month + 12 * $A - 2);
  :local WeekDay (7000 + $Day + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
  :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
  :return (($DailyPskSecrets->0->($Day - 1)) . \
    ($DailyPskSecrets->1->($Month - 1)) . \
    ($DailyPskSecrets->2->$WeekDay));
 }
 :local Date [ / system clock get date ];
 :local NewPsk [ $GeneratePSK $Date ];
 :foreach AccList in=[ / caps-man access-list find where comment~$DailyPskMatchComment ] do={
  :local Ssid [ / caps-man access-list get $AccList ssid-regexp ];
  :local Configuration [ / caps-man configuration get [ find where ssid=$Ssid ] name ];
  :local OldPsk [ / caps-man access-list get $AccList private-passphrase ];
  :local Skip 0;
  :if ($NewPsk != $OldPsk) do={
    :log info ("Updating daily PSK for " . $Ssid . " to " . $NewPsk . " (was " . $OldPsk . ")");
    / caps-man access-list set $AccList private-passphrase=$NewPsk;
    :if ([ / caps-man interface print count-only where configuration=$Configuration ] > 0) do={
      :foreach SeenSsid in=$Seen do={
        :if ($SeenSsid = $Ssid) do={
          :log debug ("Already sent a mail for SSID " . $Ssid . ", skipping.");
          :set Skip 1;
        }
      }
      :if ($Skip = 0) do={
        :set Seen ($Seen, $Ssid);
        :local Url ("https://www.eworm.de/cgi-bin/cqrlogo-wifi.cgi" . \
            "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
        :local Attach "qrcode-daily.png";
        :do {
          / tool fetch mode=https check-certificate=yes-without-crl \
              $Url dst-path=$Attach;
        } on-error={
          :set Attach "";
        }
        $SendNotification ("daily PSK " . $Ssid) \
          ("This is the daily PSK on " . $Identity . ":\n\n" . \
            "SSID: " . $Ssid . "\n" . \
            "PSK:  " . $NewPsk . "\n" . \
            "Date: " . $Date . "\n\n" . \
            $Url) $Attach;
      }
    }
  }
 }
--- a/daily-psk.capsman.rsc
+++ b/daily-psk.capsman.rsc
@ -1,96 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: daily-psk.capsman
 # Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # update daily PSK (pre shared key)
 # https://rsc.eworm.de/doc/daily-psk.md
 #
 # !! Do not edit this file, it is generated from template!
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global DailyPskMatchComment;
  :global DailyPskQrCodeUrl;
  :global Identity;
  :global FormatLine;
  :global LogPrint;
  :global ScriptLock;
  :global SendNotification2;
  :global SymbolForNotification;
  :global UrlEncode;
  :global WaitForFile;
  :global WaitFullyConnected;
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  $WaitFullyConnected;
  # return pseudo-random string for PSK
  :local GeneratePSK do={
    :local Date [ :tostr $1 ];
    :global DailyPskSecrets;
    :global ParseDate;
    :set Date [ $ParseDate $Date ];
    :local A ((14 - ($Date->"month")) / 12);
    :local B (($Date->"year") - $A);
    :local C (($Date->"month") + 12 * $A - 2);
    :local WeekDay (7000 + ($Date->"day") + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
    :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
    :return (($DailyPskSecrets->0->(($Date->"day") - 1)) . \
      ($DailyPskSecrets->1->(($Date->"month") - 1)) . \
      ($DailyPskSecrets->2->$WeekDay));
  }
  :local Seen ({});
  :local Date [ /system/clock/get date ];
  :local NewPsk [ $GeneratePSK $Date ];
  :foreach AccList in=[ /caps-man/access-list/find where comment~$DailyPskMatchComment ] do={
    :local SsidRegExp [ /caps-man/access-list/get $AccList ssid-regexp ];
    :local Configuration ([ /caps-man/configuration/find where ssid~$SsidRegExp ]->0);
    :local Ssid [ /caps-man/configuration/get $Configuration ssid ];
    :local OldPsk [ /caps-man/access-list/get $AccList private-passphrase ];
    :local Skip 0;
    :if ($NewPsk != $OldPsk) do={
      $LogPrint info $ScriptName ("Updating daily PSK for '" . $Ssid . "' to '" . $NewPsk . "' (was '" . $OldPsk . "')");
      /caps-man/access-list/set $AccList private-passphrase=$NewPsk;
      :if ([ :len [ /caps-man/actual-interface-configuration/find where configuration.ssid=$Ssid !disabled ] ] > 0) do={
        :if ($Seen->$Ssid = 1) do={
          $LogPrint debug $ScriptName ("Already sent a mail for SSID " . $Ssid . ", skipping.");
        } else={
          :local Link ($DailyPskQrCodeUrl . \
              "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
          $SendNotification2 ({ origin=$ScriptName; \
            subject=([ $SymbolForNotification "calendar" ] . "daily PSK " . $Ssid); \
            message=("This is the daily PSK on " . $Identity . ":\n\n" . \
              [ $FormatLine "SSID" $Ssid 8 ] . "\n" . \
              [ $FormatLine "PSK" $NewPsk 8 ] . "\n" . \
              [ $FormatLine "Date" $Date 8 ] . "\n\n" . \
              "A client device specific rule must not exist!"); link=$Link });
          :set ($Seen->$Ssid) 1;
        }
      }
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/daily-psk.local
+++ b/daily-psk.local
@ -0,0 +1,90 @@
 #!rsc
 # RouterOS script: daily-psk.local
 # Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 #
 # update daily PSK (pre shared key)
 :global Identity;
 :global DailyPskMatchComment;
 :global UrlEncode;
 :global SendNotification;
 :local Seen [ :toarray "" ];
 # return pseudo-random string for PSK
 :local GeneratePSK do={
  :local Date [ :tostr $1 ];
  :global DailyPskSecrets;
  :local Months { "jan"; "feb"; "mar"; "apr"; "may"; "jun";
                  "jul"; "aug"; "sep"; "oct"; "nov"; "dec" };
  :local Month [ :pick $Date 0 3 ];
  :local Day [ :tonum [ :pick $Date 4 6 ] ];
  :local Year [ :pick $Date 7 11 ];
  :for MIndex from=0 to=[ :len $Months ] do={
    :if ($Months->$MIndex = $Month) do={
      :set Month ($MIndex + 1);
    }
  }
  :local A ((14 - $Month) / 12);
  :local B ($Year - $A);
  :local C ($Month + 12 * $A - 2);
  :local WeekDay (7000 + $Day + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
  :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
  :return (($DailyPskSecrets->0->($Day - 1)) . \
    ($DailyPskSecrets->1->($Month - 1)) . \
    ($DailyPskSecrets->2->$WeekDay));
 }
 :local Date [ / system clock get date ];
 :local NewPsk [ $GeneratePSK $Date ];
 :foreach AccList in=[ / interface wireless access-list find where comment~$DailyPskMatchComment ] do={
  :local IntName [ / interface wireless access-list get $AccList interface ];
  :local Ssid [ / interface wireless get $IntName ssid ];
  :local OldPsk [ / interface wireless access-list get $AccList private-pre-shared-key ];
  :local Skip 0;
  :if ($NewPsk != $OldPsk) do={
    :log info ("Updating daily PSK for " . $Ssid . " to " . $NewPsk . " (was " . $OldPsk . ")");
    / interface wireless access-list set $AccList private-pre-shared-key=$NewPsk;
    :if ([ / interface wireless print count-only where name=$IntName disabled=no ] = 1) do={
      :foreach SeenSsid in=$Seen do={
        :if ($SeenSsid = $Ssid) do={
          :log debug ("Already sent a mail for SSID " . $Ssid . ", skipping.");
          :set Skip 1;
        }
      }
      :if ($Skip = 0) do={
        :set Seen ($Seen, $Ssid);
        :local Url ("https://www.eworm.de/cgi-bin/cqrlogo-wifi.cgi" . \
            "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
        :local Attach "qrcode-daily.png";
        :do {
          / tool fetch mode=https check-certificate=yes-without-crl \
              $Url dst-path=$Attach;
        } on-error={
          :set Attach "";
        }
        $SendNotification ("daily PSK " . $Ssid) \
          ("This is the daily PSK on " . $Identity . ":\n\n" . \
            "SSID: " . $Ssid . "\n" . \
            "PSK:  " . $NewPsk . "\n" . \
            "Date: " . $Date . "\n\n" . \
            $Url) $Attach;
      }
    }
  }
 }
--- a/daily-psk.local.rsc
+++ b/daily-psk.local.rsc
@ -1,95 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: daily-psk.local
 # Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # update daily PSK (pre shared key)
 # https://rsc.eworm.de/doc/daily-psk.md
 #
 # !! Do not edit this file, it is generated from template!
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global DailyPskMatchComment;
  :global DailyPskQrCodeUrl;
  :global Identity;
  :global FormatLine;
  :global LogPrint;
  :global ScriptLock;
  :global SendNotification2;
  :global SymbolForNotification;
  :global UrlEncode;
  :global WaitForFile;
  :global WaitFullyConnected;
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  $WaitFullyConnected;
  # return pseudo-random string for PSK
  :local GeneratePSK do={
    :local Date [ :tostr $1 ];
    :global DailyPskSecrets;
    :global ParseDate;
    :set Date [ $ParseDate $Date ];
    :local A ((14 - ($Date->"month")) / 12);
    :local B (($Date->"year") - $A);
    :local C (($Date->"month") + 12 * $A - 2);
    :local WeekDay (7000 + ($Date->"day") + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
    :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
    :return (($DailyPskSecrets->0->(($Date->"day") - 1)) . \
      ($DailyPskSecrets->1->(($Date->"month") - 1)) . \
      ($DailyPskSecrets->2->$WeekDay));
  }
  :local Seen ({});
  :local Date [ /system/clock/get date ];
  :local NewPsk [ $GeneratePSK $Date ];
  :foreach AccList in=[ /interface/wireless/access-list/find where comment~$DailyPskMatchComment ] do={
    :local IntName [ /interface/wireless/access-list/get $AccList interface ];
    :local Ssid [ /interface/wireless/get $IntName ssid ];
    :local OldPsk [ /interface/wireless/access-list/get $AccList private-pre-shared-key ];
    :local Skip 0;
    :if ($NewPsk != $OldPsk) do={
      $LogPrint info $ScriptName ("Updating daily PSK for '" . $Ssid . "' to '" . $NewPsk . "' (was '" . $OldPsk . "')");
      /interface/wireless/access-list/set $AccList private-pre-shared-key=$NewPsk;
      :if ([ :len [ /interface/wireless/find where name=$IntName !disabled ] ] = 1) do={
        :if ($Seen->$Ssid = 1) do={
          $LogPrint debug $ScriptName ("Already sent a mail for SSID " . $Ssid . ", skipping.");
        } else={
          :local Link ($DailyPskQrCodeUrl . \
              "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
          $SendNotification2 ({ origin=$ScriptName; \
            subject=([ $SymbolForNotification "calendar" ] . "daily PSK " . $Ssid); \
            message=("This is the daily PSK on " . $Identity . ":\n\n" . \
              [ $FormatLine "SSID" $Ssid 8 ] . "\n" . \
              [ $FormatLine "PSK" $NewPsk 8 ] . "\n" . \
              [ $FormatLine "Date" $Date 8 ] . "\n\n" . \
              "A client device specific rule must not exist!"); link=$Link });
          :set ($Seen->$Ssid) 1;
        }
      }
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/daily-psk.template
+++ b/daily-psk.template
@ -0,0 +1,96 @@
 #!rsc
 # RouterOS script: daily-psk%TEMPL%
 # Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 #
 # update daily PSK (pre shared key)
 :global Identity;
 :global DailyPskMatchComment;
 :global UrlEncode;
 :global SendNotification;
 :local Seen [ :toarray "" ];
 # return pseudo-random string for PSK
 :local GeneratePSK do={
  :local Date [ :tostr $1 ];
  :global DailyPskSecrets;
  :local Months { "jan"; "feb"; "mar"; "apr"; "may"; "jun";
                  "jul"; "aug"; "sep"; "oct"; "nov"; "dec" };
  :local Month [ :pick $Date 0 3 ];
  :local Day [ :tonum [ :pick $Date 4 6 ] ];
  :local Year [ :pick $Date 7 11 ];
  :for MIndex from=0 to=[ :len $Months ] do={
    :if ($Months->$MIndex = $Month) do={
      :set Month ($MIndex + 1);
    }
  }
  :local A ((14 - $Month) / 12);
  :local B ($Year - $A);
  :local C ($Month + 12 * $A - 2);
  :local WeekDay (7000 + $Day + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
  :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
  :return (($DailyPskSecrets->0->($Day - 1)) . \
    ($DailyPskSecrets->1->($Month - 1)) . \
    ($DailyPskSecrets->2->$WeekDay));
 }
 :local Date [ / system clock get date ];
 :local NewPsk [ $GeneratePSK $Date ];
 :foreach AccList in=[ / interface wireless access-list find where comment~$DailyPskMatchComment ] do={
 :foreach AccList in=[ / caps-man access-list find where comment~$DailyPskMatchComment ] do={
  :local IntName [ / interface wireless access-list get $AccList interface ];
  :local Ssid [ / interface wireless get $IntName ssid ];
  :local Ssid [ / caps-man access-list get $AccList ssid-regexp ];
  :local Configuration [ / caps-man configuration get [ find where ssid=$Ssid ] name ];
  :local OldPsk [ / interface wireless access-list get $AccList private-pre-shared-key ];
  :local OldPsk [ / caps-man access-list get $AccList private-passphrase ];
  :local Skip 0;
  :if ($NewPsk != $OldPsk) do={
    :log info ("Updating daily PSK for " . $Ssid . " to " . $NewPsk . " (was " . $OldPsk . ")");
    / interface wireless access-list set $AccList private-pre-shared-key=$NewPsk;
    / caps-man access-list set $AccList private-passphrase=$NewPsk;
    :if ([ / interface wireless print count-only where name=$IntName disabled=no ] = 1) do={
    :if ([ / caps-man interface print count-only where configuration=$Configuration ] > 0) do={
      :foreach SeenSsid in=$Seen do={
        :if ($SeenSsid = $Ssid) do={
          :log debug ("Already sent a mail for SSID " . $Ssid . ", skipping.");
          :set Skip 1;
        }
      }
      :if ($Skip = 0) do={
        :set Seen ($Seen, $Ssid);
        :local Url ("https://www.eworm.de/cgi-bin/cqrlogo-wifi.cgi" . \
            "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
        :local Attach "qrcode-daily.png";
        :do {
          / tool fetch mode=https check-certificate=yes-without-crl \
              $Url dst-path=$Attach;
        } on-error={
          :set Attach "";
        }
        $SendNotification ("daily PSK " . $Ssid) \
          ("This is the daily PSK on " . $Identity . ":\n\n" . \
            "SSID: " . $Ssid . "\n" . \
            "PSK:  " . $NewPsk . "\n" . \
            "Date: " . $Date . "\n\n" . \
            $Url) $Attach;
      }
    }
  }
 }
--- a/daily-psk.template.rsc
+++ b/daily-psk.template.rsc
@ -1,111 +0,0 @@
 #!rsc by RouterOS
 # RouterOS script: daily-psk%TEMPL%
 # Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
 #                         Michael Gisbers <michael@gisbers.de>
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.15
 #
 # update daily PSK (pre shared key)
 # https://rsc.eworm.de/doc/daily-psk.md
 #
 # !! This is just a template to generate the real script!
 # !! Pattern '%TEMPL%' is replaced, paths are filtered.
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 :local ExitOK false;
 :do {
  :local ScriptName [ :jobname ];
  :global DailyPskMatchComment;
  :global DailyPskQrCodeUrl;
  :global Identity;
  :global FormatLine;
  :global LogPrint;
  :global ScriptLock;
  :global SendNotification2;
  :global SymbolForNotification;
  :global UrlEncode;
  :global WaitForFile;
  :global WaitFullyConnected;
  :if ([ $ScriptLock $ScriptName ] = false) do={
    :set ExitOK true;
    :error false;
  }
  $WaitFullyConnected;
  # return pseudo-random string for PSK
  :local GeneratePSK do={
    :local Date [ :tostr $1 ];
    :global DailyPskSecrets;
    :global ParseDate;
    :set Date [ $ParseDate $Date ];
    :local A ((14 - ($Date->"month")) / 12);
    :local B (($Date->"year") - $A);
    :local C (($Date->"month") + 12 * $A - 2);
    :local WeekDay (7000 + ($Date->"day") + $B + ($B / 4) - ($B / 100) + ($B / 400) + ((31 * $C) / 12));
    :set WeekDay ($WeekDay - (($WeekDay / 7) * 7));
    :return (($DailyPskSecrets->0->(($Date->"day") - 1)) . \
      ($DailyPskSecrets->1->(($Date->"month") - 1)) . \
      ($DailyPskSecrets->2->$WeekDay));
  }
  :local Seen ({});
  :local Date [ /system/clock/get date ];
  :local NewPsk [ $GeneratePSK $Date ];
  :foreach AccList in=[ /caps-man/access-list/find where comment~$DailyPskMatchComment ] do={
  :foreach AccList in=[ /interface/wifi/access-list/find where comment~$DailyPskMatchComment ] do={
  :foreach AccList in=[ /interface/wireless/access-list/find where comment~$DailyPskMatchComment ] do={
    :local SsidRegExp [ /caps-man/access-list/get $AccList ssid-regexp ];
    :local SsidRegExp [ /interface/wifi/access-list/get $AccList ssid-regexp ];
    :local Configuration ([ /caps-man/configuration/find where ssid~$SsidRegExp ]->0);
    :local Configuration ([ /interface/wifi/configuration/find where ssid~$SsidRegExp ]->0);
    :local Ssid [ /caps-man/configuration/get $Configuration ssid ];
    :local Ssid [ /interface/wifi/configuration/get $Configuration ssid ];
    :local OldPsk [ /caps-man/access-list/get $AccList private-passphrase ];
    :local OldPsk [ /interface/wifi/access-list/get $AccList passphrase ];
    # /caps-man/ /interface/wifi/ above - /interface/wireless/ below
    :local IntName [ /interface/wireless/access-list/get $AccList interface ];
    :local Ssid [ /interface/wireless/get $IntName ssid ];
    :local OldPsk [ /interface/wireless/access-list/get $AccList private-pre-shared-key ];
    :local Skip 0;
    :if ($NewPsk != $OldPsk) do={
      $LogPrint info $ScriptName ("Updating daily PSK for '" . $Ssid . "' to '" . $NewPsk . "' (was '" . $OldPsk . "')");
      /caps-man/access-list/set $AccList private-passphrase=$NewPsk;
      /interface/wifi/access-list/set $AccList passphrase=$NewPsk;
      /interface/wireless/access-list/set $AccList private-pre-shared-key=$NewPsk;
      :if ([ :len [ /caps-man/actual-interface-configuration/find where configuration.ssid=$Ssid !disabled ] ] > 0) do={
      :if ([ :len [ /interface/wifi/find where configuration.ssid=$Ssid !disabled ] ] > 0) do={
      :if ([ :len [ /interface/wireless/find where name=$IntName !disabled ] ] = 1) do={
        :if ($Seen->$Ssid = 1) do={
          $LogPrint debug $ScriptName ("Already sent a mail for SSID " . $Ssid . ", skipping.");
        } else={
          :local Link ($DailyPskQrCodeUrl . \
              "?scale=8&level=1&ssid=" . [ $UrlEncode $Ssid ] . "&pass=" . [ $UrlEncode $NewPsk ]);
          $SendNotification2 ({ origin=$ScriptName; \
            subject=([ $SymbolForNotification "calendar" ] . "daily PSK " . $Ssid); \
            message=("This is the daily PSK on " . $Identity . ":\n\n" . \
              [ $FormatLine "SSID" $Ssid 8 ] . "\n" . \
              [ $FormatLine "PSK" $NewPsk 8 ] . "\n" . \
              [ $FormatLine "Date" $Date 8 ] . "\n\n" . \
              "A client device specific rule must not exist!"); link=$Link });
          :set ($Seen->$Ssid) 1;
        }
      }
    }
  }
 } on-error={
  :global ExitError; $ExitError $ExitOK [ :jobname ];
 }
--- a/Show more
+++ b/Show more
		`@ -1,3 +0,0 @@`
			`#!rsc by RouterOS`

			`:put ("Hello World from " . [ /system/identity/get name ] . "!");`