reconfigure arayat

README.md

@@ -328,6 +328,12 @@ The following table is giving a list of error codes with explanation:
 | 18        | Module file don't exists or is empty                        |
 | 20        | Ambigous realm with autodetection                           |
 | 21        | Unconsistant directory structure with configured realm      |
+| 22        | Required secret management software missing                 |
+| 23        | Secret key not found in secret database                     |
+| 24        | File is not readable                                        |
+| 25        | Needed variable not set or not declared                     |
+| 26        | Secret reference missing or malformed                       |
+| 27        | Unknown secret reference                                    |
 | 50..100   | Error in module execution                                   |
 | 126       | Command exists but is not executable                        |
 | 127       | Command not found                                           |
@@ -394,7 +400,7 @@ You can mail author to fatalerrors \<at\> geoffray-levasseur \<dot\> org.
 
 -----------------------------------------------------------------------------
 
-Documentation (c) 2019-2022 Geoffray Levasseur.
+Documentation (c) 2019-2025 Geoffray Levasseur.
 
 This file is distributed under3-clause BSD license. The complete license
 agreement can be obtained at: https://opensource.org/licenses/BSD-3-Clause

README.txt

@@ -1,4 +0,0 @@
-This is deployment scripts for LEGOS git repository created on 2021-05-31-11:31:04
-An english version for general purpose is available at https://www.geoffray-levasseur.org/init
-
-Check README.md for details.

conf/auto/debian-13.conf.sh

@@ -0,0 +1,6 @@
+# Check debian.conf file for general declaration
+# This is specific for version 13
+
+export NTP_SERV=ntpsec
+export SOURCE_EXT=source
+export NO_MAIN_SOURCE=true

conf/auto/debian.conf.sh

@@ -19,6 +19,9 @@ export COM_AUTOREM="autoremove --purge -y"
 # This is not used by init.sh
 export DEBIAN_FRONTEND=noninteractive
 
+# Configure how apt behave regarding source.list files
+export NO_MAIN_SOURCE=false
+
 # Conf chemin
 export RC_SCRIPTS_PATH="/etc/init.d"
 

conf/auto/devuan-6.conf.sh

@@ -0,0 +1,4 @@
+# Check devuan.conf file for general declaration
+# This is specific for version 6
+
+export NTP_SERV=ntpsec

conf/geoffray-levasseur.org/arayat.conf.sh

@@ -41,10 +41,10 @@ NET4_NS_eth0="192.168.1.205 192.168.1.206"
 NET4_NS_SEARCH_eth0=$REALM
 
 NET4_MODE_eth1="static"
-NET4_IP_eth1="192.168.74.220/24"
+NET4_IP_eth1="192.168.74.100/24"
 
 NET4_MODE_eth2="static"
-NET4_IP_eth2="10.0.254.220/16"
+NET4_IP_eth2="10.42.250.100/16"
 
 IPV6_IFACES="eth0 eth1"
 
@@ -63,7 +63,7 @@ NET6_IP_eth1="2a03:7220:8081:b34a::dc/64"
 INTALL_MODE=full
 
 # Paquets additionnels
-PKGSEL="$PKGSEL iptables fail2ban curl"
+PKGSEL="$PKGSEL iptables curl"
 
 # ------------------------------------------------------------------------------
 # -------------------------- Section modules d'init ----------------------------

conf/geoffray-levasseur.org/labo.conf.sh

@@ -26,8 +26,6 @@ MAINUSER=root
 WITH_LDAP_KERB=no
 
 # Users to create, add or remove
-#LOCAL_USERS="$MAINUSER"
-#REMOTE_USERS="kroot"
 REMOVE_USERS="fatal"
 
 # Network
@@ -40,7 +38,7 @@ NET4_NS_eth0="192.168.1.205 192.168.1.206"
 NET4_NS_SEARCH_eth0=$REALM
 
 NET4_MODE_eth1="static"
-NET4_IP_eth1="10.42.0.207/16"
+NET4_IP_eth1="10.42.250.180/16"
 
 IPV6_IFACES=""
 
@@ -64,5 +62,5 @@ PKGSEL="$PKGSEL nsd ldnsutils haveged"
 
 # Liste des modules à executer (surchargeable en ligne de commande)
 MODULE_LIST="conf_ntp upgrade_dist conf_ceph authnz conf_locale conf_ssh \
-	conf_mail install_pkg install_profile patch_snmp install_mkagent \
+	conf_mail install_pkg install_profile patch_snmp \
         conf_syslog conf_network"

conf/geoffray-levasseur.org/latukan.conf.sh

@@ -31,29 +31,30 @@ WITH_LDAP_KERB=no
 REMOVE_USERS=
 
 # Network
-IPV4_IFACES="ens18 ens19"
+IPV4_IFACES="eth0 eth1"
 
-NET4_MODE_ens18="static"
+NET4_MODE_eth0="static"
-NET4_IP_ens18="192.168.1.235/24"
+NET4_IP_eth0="192.168.1.235/24"
-NET4_GW_ens18="192.168.1.230"
+NET4_GW_eth0="192.168.1.230"
-NET4_NS_ens18="192.168.1.205 192.168.1.206"
+NET4_NS_eth0="192.168.1.205 192.168.1.206"
-NET4_NS_SEARCH_ens18=$REALM
+NET4_NS_SEARCH_eth0=$REALM
 
-NET4_MODE_ens19="static"
+NET4_MODE_eth1="static"
-NET4_IP_ens19="10.42.250.30/24"
+NET4_IP_eth1="10.42.250.30/24"
 
-IPV6_IFACES="ens18"
+IPV6_IFACES="eth0"
-
-NET6_MODE_ens18="static"
-NET6_IP_ens18="2a03:7220:8081:b301::1e/64"
-NET6_GW_ens18="2a03:7220:8081:b301::e7"
-NET6_NS_ens18="2a03:7220:8081:b301::cd 2a03:7220:8081:b301::ce"
-NET6_NS_SEARCH_ens18=$REALM
 
+NET6_MODE_eth0="static"
+NET6_IP_eth0="2a03:7220:8081:b301::1e/64"
+NET6_GW_eth0="2a03:7220:8081:b301::e7"
+NET6_NS_eth0="2a03:7220:8081:b301::cd 2a03:7220:8081:b301::ce"
+NET6_NS_SEARCH_eth0=$REALM
 
+# Gestionnaire de paquet :
 # Mode d'installation :
 # * dev : installe les paquets un par un avec apt (lent)
 # * full : envoie d'un seul coup la liste de tous les paquets à apt (rapide)
+NO_MAIN_SOURCE=false
 INTALL_MODE=full
 
 # Paquets additionnels

conf/includes/gl.conf.sh

@@ -24,16 +24,22 @@ export CEPHIP_mayon="192.168.1.254"
 export CEPHIP_pinatubo="192.168.1.253"
 export CEPHIP_ragang="192.168.1.252"
 export CEPHIP_taal="192.168.1.251"
-export CEPH_SECRET="AQAxSf5c2A/CMxAAnOu1RrSf7Yr2h60CLttq4g=="
+export CEPH_SECRET="file:/tmp/ceph_secret"
+export CEPH_MOUNTS="datastore mediastore"
+export CEPH_MP_datastore="/srv/ceph"
+export CEPH_MP_mediastore="/srv/media"
 export SHARED_HOME="false"
 
 # SSH
 export SSHD_PERMITROOT_RANGE="192.168.1.0/24"
 
 # Check MK
-export MK_VERSION="2.3.0p27-1"
+#export MK_VERSION="2.4.0p12-1" #shoud be autodetected now
-export MK_URL="http://10.250.42.20/check_mk/check_mk/agents/check-mk-agent_${MK_VERSION}_all.deb"
+export MK_SERVER_IP="192.168.1.201"
-export MK_SERVER_IP="10.250.42.20"
+export MK_SITE="check_mk"
+export MK_URL="http://$MK_SERVER_IP/$MK_SITE/check_mk/agents/check-mk-agent_latest_all.deb"
+export MK_SECRET="file:/share/services/gestparc/mk_secret"
+export MK_USER="cmk-agent"
 
 # Samba
 export SMBSRV="silay.$REALM"

conf/includes/pkgsel.base.conf.sh

@@ -7,12 +7,12 @@ export PKGS_RMLIST="apparmor laptop-detect resolvconf snapd wamerican chafa"
 export PKGS_BLACKLIST="apparmor resolvconf chafa snapd"
 
 # Base
-export PKGS_BASE="debconf-utils debhelper deborphan ethtool cpufrequtils \
+export PKGS_BASE="debconf-utils debhelper ethtool \
     curl hwinfo lm-sensors libatasmart-bin lsscsi pciutils vim emacs-nox \
     mailutils htop lsof ltrace strace bash-completion host dnsutils \
     sysstat ifstat iftop iotop mtr-tiny tcpdump mc pbzip2 pigz \
     xz-utils zip unzip plzip lzip ftp lftp bc dc dos2unix psmisc udunits-bin \
-    whois tmux screen debconf-doc dump figlet gawk multitail neofetch nmap \
+    whois tmux screen debconf-doc dump figlet gawk multitail fastfetch nmap \
     oping pv traceroute rsync tree git qemu-guest-agent ca-certificates"
 
 # Agregation of the package lists

init.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # ------------------------------------------------------------------------------
 # Init.sh: initialise a computer and conform it
-# Copyright (c) 2019-2023 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
+# Copyright (c) 2019-2025 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
 # ------------------------------------------------------------------------------
 # This file is distributed under 3-clause BSD license.
 # The complete license agreement can be obtained at:
@@ -36,7 +36,7 @@ export LC_ALL=C
 export LANG=C
 
 # Version of init
-export VERSION="0.99.22"
+export VERSION="0.99.24"
 
 # Store script's path (realpath -s resolve symlinks if init.sh is a symlink)
 export MYPATH=$(dirname "$(realpath -s "$0")")

lib/display.sh

@@ -95,28 +95,28 @@ export On_IWhite='\e[0;107m'
 prnt()
 {
     if [[ $1 == "-n" ]]; then
-	local echoopt=$1
+        local echoopt=$1
-	shift
+        shift
     else
-	local echoopt=""
+        local echoopt=""
     fi
     case $1 in
-	"I")
+        "I")
-	    local heads="[ ${IGreen}info${DEFAULTFG}  ]"
+            local heads="[ ${IGreen}info${DEFAULTFG}  ]"
-	    shift
+            shift
-	    ;;
+            ;;
-	"W")
+        "W")
-	    local heads="[${IYellow}Warning${DEFAULTFG}]"
+            local heads="[${IYellow}Warning${DEFAULTFG}]"
-	    shift
+            shift
-	    ;;
+            ;;
-	"E")
+        "E")
-	    local heads="[ ${IRed}ERROR${DEFAULTFG} ]"
+            local heads="[ ${IRed}ERROR${DEFAULTFG} ]"
-	    shift
+            shift
-	    ;;
+            ;;
-	"m")
+        "m")
-	    local heads="         "
+            local heads="         "
-	    shift
+            shift
-	    ;;
+            ;;
     esac
     echo $echoopt -e "${IWhite}$(date $DATEFORMAT)${DEFAULTFG} ${heads} $@"
 

lib/filefct.sh

@@ -25,35 +25,35 @@ export   COMM_REPO_PATH=${COMM_REPO_PATH:-"$MYPATH/repo/common"}
 backup_dist()
 {
     if [[ $# -lt 1 ]]; then
-	prnt E "backup_dist(): At least one argument is required."
+        prnt E "backup_dist(): At least one argument is required."
-	exit 11
+        exit 11
     fi
 
     local file=
     for file in $@; do
-	local tmstmp=$(stdtime)
+        local tmstmp=$(stdtime)
-	if [[ -L ${file} ]]; then
+        if [[ -L ${file} ]]; then
-	    # With symbolik links we call again backup_dist to treat target
+            # With symbolik links we call again backup_dist to treat target
-	    prnt I "Following the symbolic link $file to do a proper backup..."
+            prnt I "Following the symbolic link $file to do a proper backup..."
-	    backup_dist $(readlink -f "${file}")
+            backup_dist $(readlink -f "${file}")
-	elif [[ -f ${file} ]]; then
+        elif [[ -f ${file} ]]; then
-	    prnt I "Creating a backup of ${file} on $tmstmp..."
+            prnt I "Creating a backup of ${file} on $tmstmp..."
-	    cp -av $file ${file}.dist.${tmstmp}
+            cp -av $file ${file}.dist.${tmstmp}
-	    if [[ $? -ne 0 ]]; then
+            if [[ $? -ne 0 ]]; then
-		prnt E "backup_dist(): Failed copying file."
+                prnt E "backup_dist(): Failed copying file."
-		die 12
+                die 12
-	    fi
+            fi
-	elif [[ -d ${file} ]]; then
+        elif [[ -d ${file} ]]; then
-	    prnt I "Creating a backup of the directory ${file} on $tmstmp..."
+            prnt I "Creating a backup of the directory ${file} on $tmstmp..."
-	    cp -av $file ${file}.dist.${tmstmp}
+            cp -av $file ${file}.dist.${tmstmp}
-	    if [[ $? -ne 0 ]]; then
+            if [[ $? -ne 0 ]]; then
-		prnt E "backup_dist(): Failed copying directory recursively."
+                prnt E "backup_dist(): Failed copying directory recursively."
-		die 12
+                die 12
-	    fi
+            fi
-	else
+        else
-	    prnt W "backup_dist(): $file don't exists, nothing to do."
+            prnt W "backup_dist(): $file don't exists, nothing to do."
-	fi
+        fi
-	unset tmstmp
+        unset tmstmp
     done
     unset file
 }
@@ -74,20 +74,20 @@ select_file()
 {
     local infile=$1
     if [[ -f $RLMHST_REPO_PATH/$infile ]]; then
-	local source="$RLMHST_REPO_PATH/$infile"
+        local source="$RLMHST_REPO_PATH/$infile"
     elif [[ -f $RLMGRP_REPO_PATH/$infile ]]; then
-	local source="$RLMGRP_REPO_PATH/$infile"
+        local source="$RLMGRP_REPO_PATH/$infile"
     elif [[ -f $HOST_REPO_PATH/$infile ]]; then
-	local source="$HOST_REPO_PATH/$infile"
+        local source="$HOST_REPO_PATH/$infile"
     elif [[ -f $GROUP_REPO_PATH/$infile ]]; then
-	local source="$GROUP_REPO_PATH/$infile"
+        local source="$GROUP_REPO_PATH/$infile"
     elif [[ -f $REALM_REPO_PATH/$infile ]]; then
-	local source="$REALM_REPO_PATH/$infile"
+        local source="$REALM_REPO_PATH/$infile"
     elif [[ -f $COMM_REPO_PATH/$infile ]]; then
-	local source="$COMM_REPO_PATH/$infile"
+        local source="$COMM_REPO_PATH/$infile"
     else
-	# Not found in repository, we expect full name
+        # Not found in repository, we expect full name
-	local source="$infile"
+        local source="$infile"
     fi
     unset infile
     echo $source
@@ -103,20 +103,20 @@ select_directory()
 {
     local indir=$1
     if [[ -d $RLMHST_REPO_PATH/$indir ]]; then
-	local source="$RLMHST_REPO_PATH/$indir"
+        local source="$RLMHST_REPO_PATH/$indir"
     elif [[ -d $RLMGRP_REPO_PATH/$indir ]]; then
-	local source="$RLMGRP_REPO_PATH/$indir"
+        local source="$RLMGRP_REPO_PATH/$indir"
     elif [[ -d $HOST_REPO_PATH/$indir ]]; then
-	local source="$HOST_REPO_PATH/$indir"
+        local source="$HOST_REPO_PATH/$indir"
     elif [[ -d $GROUP_REPO_PATH/$indir ]]; then
-	local source="$GROUP_REPO_PATH/$indir"
+        local source="$GROUP_REPO_PATH/$indir"
     elif [[ -d $REALM_REPO_PATH/$indir ]]; then
-	local source="$REALM_REPO_PATH/$indir"
+        local source="$REALM_REPO_PATH/$indir"
     elif [[ -d $COMM_REPO_PATH/$indir ]]; then
-	local source="$COMM_REPO_PATH/$indir"
+        local source="$COMM_REPO_PATH/$indir"
     else
-	# Not found in repository, we expect full name
+        # Not found in repository, we expect full name
-	local source="$indir"
+        local source="$indir"
     fi
     unset indir
     echo $source
@@ -135,41 +135,41 @@ install_file()
     local i=0
 
     if [[ $# -lt 2 ]]; then
-	prnt E "install_file(): At least two arguments are required."
+        prnt E "install_file(): At least two arguments are required."
-	die 11
+        die 11
     fi
     if [[ -n $(echo $@ | grep "\*\|\?") ]]; then
-	prnt E "install_file(): Wildcards are not authorized."
+        prnt E "install_file(): Wildcards are not authorized."
-	die 7
+        die 7
     fi
 
     local arg=
     for arg in $@; do
-	filelist="$filelist $(select_file $arg)"
+        filelist="$filelist $(select_file $arg)"
         # We always replace until the last argument being the target
         target="$arg"
     done
     unset arg
 
     if [[ ! $target == /* ]]; then
-	prnt E "install_file(): Target must be on the root filesystem and full path must be provided."
+        prnt E "install_file(): Target must be on the root filesystem and full path must be provided."
-	die 13
+        die 13
     fi
     unset target
 
     if [[ -d $(dirname $i) ]]; then
-	prnt I "Creating required target directory $(dirname $i)..."
+        prnt I "Creating required target directory $(dirname $i)..."
-	mkdir -pv $(dirname $i)
+        mkdir -pv $(dirname $i)
-	if [[ $? -ne 0 ]]; then
+        if [[ $? -ne 0 ]]; then
-	    prnt E "install_file(): Can't create target directory!"
+            prnt E "install_file(): Can't create target directory!"
-	    die 12
+            die 12
-	fi
+        fi
     fi
     prnt I "Copying files ${filelist} to target directory $(dirname $i)..."
     cp -av $filelist
     if [[ $? -ne 0 ]]; then
-	prnt E "install_file(): Couldn't copy some required files!"
+        prnt E "install_file(): Couldn't copy some required files!"
-	die 12
+        die 12
     fi
 }
 export -f install_file
@@ -181,26 +181,26 @@ export -f install_file
 append_file()
 {
     if [[ $# -ne 2 ]]; then
-	prnt E "append_file(): Two arguments are required, source and destination."
+        prnt E "append_file(): Two arguments are required, source and destination."
-	die 11
+        die 11
     fi
 
     local srcfile=$(select_file $1)
     local dstfile=$2
     if [[ ! $dstfile == /* ]]; then
-	prnt E "append_file(): Target must be on the root filesystem and full path must be provided."
+        prnt E "append_file(): Target must be on the root filesystem and full path must be provided."
-	die 13
+        die 13
     fi
     if [[ -e $dstfile ]]; then
-	prnt E "append_file(): Target file must exist (use touch first to create it if required)."
+        prnt E "append_file(): Target file must exist (use touch first to create it if required)."
-	die 13
+        die 13
     fi
 
     prnt I "Adding content to file $dstfile..."
     cat $srcfile >> $dstfile
     if [[ $? -ne 0 ]]; then
-	prnt E "append_file(): Couldn't append a file!"
+        prnt E "append_file(): Couldn't append a file!"
-	die 12
+        die 12
     fi
 }
 export -f append_file
@@ -214,16 +214,16 @@ is_dir_empty()
     dir=$1
 
     if [[ -f $dir ]]; then
-	prnt E "is_dir_empty(): The given parameter is not a directory."
+        prnt E "is_dir_empty(): The given parameter is not a directory."
-	die 15
+        die 15
     fi
     if [[ ! -d $dir ]]; then
-	return 0
+        return 0
     fi
 
     nbfiles=$(ls -a1 $dir | grep -Evc '^.$|^..$')
     if [[ $nbfiles -eq 0 ]]; then
-	return 0
+        return 0
     fi
     return 1
 }
@@ -231,64 +231,17 @@ export -f is_dir_empty
 # ------------------------------------------------------------------------------
 
 
-# ------------------------------------------------------------------------------
-# copy and patch a file replacing all @var@ by the corresponding value in
-# the environment or the variable list given in parameter
-patch_file()
-{
-    local srcfile=$(select_file $1) && shift
-    local dstfile=$1 && shift
-    local workfile=${dstfile}.work
-
-    if [[ ! -s $srcfile ]]; then
-	prnt E "patch_file(): Source file is empty, is not a file or don't exists!"
-	die 10
-    fi
-
-    # Create a sub-process, to avoid bash environment pollution
-    (
-	local varlist='' pattern=''
-	if [[ $# -eq 0 ]] ; then
-	    pattern="-e s/<\(.*\)>/\$\1\$\1/g"
-	else
-	    local var=
-	    for var in $* ; do
-		if ! declare -p $var >/dev/null 2>&1 ; then
-		    local $var=$(eval echo \$$var)
-		fi
-		pattern="$pattern -e s/@$var@/\$$var/g"
-		varlist=$varlist\$$var
-	    done
-	fi
-
-	# sed replace <VAR> with \$$VAR and envsubst do the replace by value
-	sed $pattern $srcfile | envsubst ${varlist:+"$varlist"} > "$workfile"
-    )
-
-    local -a rights=( $(stat --printf="%a %u %g" "$srcfile") )
-    unset srcfile
-    mv "$workfile" "$dstfile"
-    chmod ${rights[0]} "$dstfile"
-    chown ${rights[1]}:${rights[2]} "$dstfile"
-
-    unset rights dstfile
-}
-export -f patch_file
-# ------------------------------------------------------------------------------
-
-
 # ------------------------------------------------------------------------------
 # Put a small header in a file showing it have been automatically modified
 tag_file()
 {
     for f in $@; do
-	local text="# File automatically modified by init.sh on $(stdtime)."
+        local text="# File automatically modified by init.sh on $(stdtime)."
-	if [[ -e $f ]]; then
+        if [[ -e $f ]]; then
-	    sed -i "1s/^/$text\n/" $f
+            sed -i "1s/^/$text\n/" $f
-	else
+        else
-	    echo $text > $f
+            echo $text | sed "s/modified/generated/" > $f
-	    sed -i -e "s/modified/generated/" $f
+        fi
-	fi
     done
 }
 export -f tag_file
@@ -300,10 +253,10 @@ export -f tag_file
 file_exists()
 {
     for f in $@; do
-	if [[ ! -f $(select_file $f) ]]; then
+        if [[ ! -f $(select_file $f) ]]; then
-	    echo $f
+            echo $f
-	    return 1
+            return 1
-	fi
+        fi
     done
     return 0
 }
@@ -318,8 +271,8 @@ file_must_exists()
     prnt I "Checking $@ files existance..."
     local mf=$(file_exists $@)
     if [[ $? -ne 0 ]]; then
-	prnt E "file_must_exists(): The $mf file is missing, can't continue."
+        prnt E "file_must_exists(): The $mf file is missing, can't continue."
-	die 10
+        die 10
     fi
     unset mf
 }
@@ -332,10 +285,10 @@ export -f file_must_exists
 directory_exists()
 {
     for d in $@; do
-	if [[ ! -d $(select_directory $d) ]]; then
+        if [[ ! -d $(select_directory $d) ]]; then
-	    echo $d
+            echo $d
-	    return 1
+            return 1
-	fi
+        fi
     done
     return 0
 }
@@ -350,8 +303,8 @@ directory_must_exists()
     prnt I "Checking $@ directories existance..."
     local md=$(directory_exists $@)
     if [[ $? -ne 0 ]]; then
-	prnt E "directory_must_exists(): The $md directory is missing, can't continue."
+        prnt E "directory_must_exists(): The $md directory is missing, can't continue."
-	die 10
+        die 10
     fi
     unset md
 }

lib/secret.sh

@@ -0,0 +1,194 @@
+#!/bin/bash
+# ------------------------------------------------------------------------------
+# Secret management functions
+# This file is part of the init.sh project
+# Copyright (c) 2025 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
+# ------------------------------------------------------------------------------
+# This file is distributed under 3-clause BSD license.
+# The complete license agreement can be obtained at:
+# https://opensource.org/licenses/BSD-3-Clause
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Get Passbolt
+get_passbolt_secret()
+{
+    local name="$1" secret
+
+    if ! command -v passbolt >/dev/null 2>&1; then
+        prnt E "Passbolt CLI not found (required to fetch passbolt:$name)."
+        die 22
+    fi
+
+    # Exemple basé sur CLI Passbolt + jq
+    secret=$(passbolt secret list --json 2>/dev/null | jq -r --arg NAME "$name" \
+        '.[] | select(.name == $NAME) | .secrets[0].data' 2>/dev/null)
+
+    if [[ -z "$secret" || "$secret" == "null" ]]; then
+        prnt E "Secret '$name' not found in Passbolt."
+        die 23
+    fi
+
+    printf '%s' "$secret"
+}
+export -f get_passbolt_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Get File
+get_file_secret()
+{
+    local path="$1" secret
+
+    if [[ ! -s "$path" ]]; then
+        prnt E "get_file_secret: missing secret file"
+        die 10
+    fi
+    if [[ ! -r "$path" ]]; then
+        prnt E "get_file_secret: '$path' not readable"
+        die 24
+    fi
+
+    secret=$(<"$path")
+    secret="${secret%$'\r'}"
+    secret="${secret%$'\n'}"
+    printf '%s' "$secret"
+}
+export -f get_file_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Get Environment variable
+get_var_secret()
+{
+    local var="$1" secret
+
+    if [[ -z "$var" ]]; then
+        prnt E "get_var_secret: missing variable name"
+        die 25
+    fi
+    if ! printenv "$var" >/dev/null 2>&1; then
+        prnt E "get_var_secret: variable '$var' not set"
+        die 25
+    fi
+
+    secret="$(printenv "$var")"
+    secret="${secret%$'\r'}"
+    secret="${secret%$'\n'}"
+    printf '%s' "$secret"
+}
+export -f get_var_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Main get dispatcher
+# Usage: fetch_secret "scheme:identifier"
+fetch_secret()
+{
+    local ref="$1"
+    local scheme identifier func
+
+    if [[ -z "$ref" ]]; then
+        prnt E "fetch_secret: no reference provided"
+        die 26
+    fi
+
+    # par défaut, si pas de scheme -> "file"
+    if [[ "$ref" != *:* ]]; then
+        scheme="file"
+        identifier="$ref"
+    else
+        scheme="${ref%%:*}"
+        identifier="${ref#*:}"
+    fi
+
+    func="get_${scheme}_secret"
+
+    if ! declare -f "$func" >/dev/null 2>&1; then
+        prnt E "fetch_secret: unsupported scheme '$scheme' (no function $func)"
+        die 27
+    fi
+
+    "$func" "$identifier"
+}
+export -f fetch_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Check Passbolt
+check_passbolt_secret() {
+    local name="$1" found
+
+    if ! command -v passbolt >/dev/null 2>&1; then
+        return 1
+    fi
+
+    found=$(passbolt secret list --json 2>/dev/null | jq -e --arg NAME "$name" \
+        '.[] | select(.name == $NAME) | .secrets[0].data' 2>/dev/null)
+
+    [[ -n "$found" && "$found" != "null" ]]
+}
+export -f check_passbolt_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Check File
+check_file_secret() {
+    local path="$1"
+
+    [[ -r "$path" && -s "$path" ]]
+}
+export -f check_file_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Check Environment variable
+check_var_secret() {
+    local var="$1"
+
+    [[ -n "$var" ]] && printenv "$var" >/dev/null 2>&1
+}
+export -f check_var_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Check Dispatcher
+check_secret() {
+    local ref="$1"
+    local scheme identifier func
+
+    if [[ -z "$ref" ]]; then
+        prnt E "check_secret: no reference provided"
+        return 1
+    fi
+
+    if [[ "$ref" != *:* ]]; then
+        scheme="file"
+        identifier="$ref"
+    else
+        scheme="${ref%%:*}"
+        identifier="${ref#*:}"
+    fi
+
+    func="check_${scheme}_secret"
+
+    if ! declare -f "$func" >/dev/null 2>&1; then
+        prnt E "check_secret: unsupported scheme '$scheme' (no function $func)"
+        return 1
+    fi
+
+    "$func" "$identifier"
+}
+export -f check_secret
+# ------------------------------------------------------------------------------
+
+
+# EOF

lib/users.sh

@@ -2,7 +2,7 @@
 # ------------------------------------------------------------------------------
 # Users related functions
 # This file is part of the init.sh project
-# Copyright (c) 2019-2024 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
+# Copyright (c) 2019-2025 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
 # ------------------------------------------------------------------------------
 # This file is distributed under 3-clause BSD license.
 # The complete license agreement can be obtained at:
@@ -14,21 +14,24 @@
 # Users (from Ldap)
 add_remote_user()
 {
-    if [[ -n $(grep "^$1:" /etc/passwd) ]]; then
+    local users=$@
-        prnt W "A local user with name $1 already exists, adding anyway!"
+    for usr in ${users[@]}; do
-    fi
+        if [[ -n $(grep "^$usr:" /etc/passwd) ]]; then
-    if [[ -n $(grep "^+$1:" /etc/passwd) ]]; then
+            prnt W "A local user with name $usr already exists, adding anyway!"
-        prnt W "The remote user $1 is already declared, nothing to do in passwd."
+        fi
-    else
+        if [[ -n $(grep "^+$usr:" /etc/passwd) ]]; then
-        echo "+$1::::::" >> /etc/passwd
+            prnt W "The remote user $usr is already declared, nothing to do in passwd."
-        prnt I "User $1 added to passwd..."
+        else
-    fi
+            echo "+$usr::::::" >> /etc/passwd
-    if [[ -n $(grep "^+$1:" /etc/shadow) ]]; then
+            prnt I "User $usr added to passwd..."
-        prnt W "The remote user $1 is already connectable, nothing to do in shadow."
+        fi
-    else
+        if [[ -n $(grep "^+$usr:" /etc/shadow) ]]; then
-        echo "+$1::::::::" >> /etc/shadow
+            prnt W "The remote user $usr is already connectable, nothing to do in shadow."
-        prnt I "User $1 added to shadow..."
+        else
-    fi
+            echo "+$usr::::::::" >> /etc/shadow
+            prnt I "User $usr added to shadow..."
+        fi
+    done
 }
 export -f add_remote_user
 # ------------------------------------------------------------------------------
@@ -38,15 +41,18 @@ export -f add_remote_user
 # Remove users
 remove_user()
 {
-    if [[ -n $(grep "^$1:" /etc/{passwd,shadow,group,gshadow}) ]]; then
+    local users=$@
-        # Using sed is more universal than any distro commands - local case
+    for usr in ${users[@]}; do
-        sed -i -e "/^$1:/d" /etc/{passwd,shadow,group,gshadow}
+        if [[ -n $(grep "^$usr:" /etc/{passwd,shadow,group,gshadow}) ]]; then
-    elif [[ -n $(grep "^+$1:" /etc/{passwd,shadow,group,gshadow}) ]]; then
+            # Using sed is more universal than any distro commands - local case
-        # remote case
+            sed -i -e "/^$usr:/d" /etc/{passwd,shadow,group,gshadow}
-        sed -i -e "/^+$1:/d" /etc/{passwd,shadow,group,gshadow}
+        elif [[ -n $(grep "^+$usr:" /etc/{passwd,shadow,group,gshadow}) ]]; then
-    else
+            # remote case
-        prnt W "User $1 don't exists in auth files, nothing to do."
+            sed -i -e "/^+$usr:/d" /etc/{passwd,shadow,group,gshadow}
-    fi
+        else
+            prnt W "User $usr don't exists in auth files, nothing to do."
+        fi
+    done
 }
 # ------------------------------------------------------------------------------
 
@@ -55,17 +61,21 @@ remove_user()
 # Create a local user
 create_local_user()
 {
-    if [[ $(noerror --noout id $1) != 0 ]]; then
+    local users=$@
-        prnt I "Creating user $1..."
+    for usr in ${users[@]}; do
-        if [[ $(directory_exists home_skell) ]]; then
+        if [[ $(noerror --noout id $usr) != 0 ]]; then
-            useradd --create-home --shell $DEFAULT_SHELL --user-group $1 \
+            prnt I "Creating user $usr..."
-                --skell $(select_directory home_skell)
+            if [[ $(directory_exists home_skell) ]]; then
+                useradd --create-home --shell $DEFAULT_SHELL \
+                    --user-group $usr \
+                    --skell $(select_directory home_skell)
+            else
+                useradd --create-home --shell $DEFAULT_SHELL --user-group $usr
+            fi
         else
-            useradd --create-home --shell $DEFAULT_SHELL --user-group $1
+            prnt W "The user $usr already exists. Nothing to do..."
         fi
-    else
+    done
-        prnt W "The user $1 already exists. Nothing to do..."
-    fi
 }
 # ------------------------------------------------------------------------------
 

lib/vars.sh

@@ -0,0 +1,108 @@
+#!/bin/bash
+# ------------------------------------------------------------------------------
+# Variables substitution function
+# This file is part of the init.sh project
+# Copyright (c) 2019-2024 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
+# ------------------------------------------------------------------------------
+# This file is distributed under 3-clause BSD license.
+# The complete license agreement can be obtained at:
+# https://opensource.org/licenses/BSD-3-Clause
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Replace @VAR@ in a text file by the corresponding $VAR value
+# The --delimiter or -d option allow to use something else than @
+setvar()
+{
+    local delimiter="@"
+    local vars=()
+    local file
+
+    # Parse arguments
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --delimiter|-d)
+                shift
+                delimiter="${1:-@}"
+                ;;
+            -*)
+                prnt E "setvar(): Unknown option: $1"
+                die 7
+                ;;
+            *)
+                if [[ -f $1 && $# -eq 1 ]]; then
+                    file="$1"
+                else
+                    vars+=("$1")
+                fi
+                ;;
+        esac
+        shift
+    done
+
+    if [[ -z $file ]]; then
+        prnt E "Usage: setvar [--delimiter D] VAR1 [VAR2 ...] <file>"
+        die 7
+    fi
+    if [[ ${#vars[@]} -eq 0 ]]; then
+        prnt E "No variable name(s) provided."
+        die 7
+    fi
+
+    local var val escaped pattern
+    for var in "${vars[@]}"; do
+        val="${!var}"
+        if [[ -z $val ]]; then
+            prnt W "Variable '$var' is unset or empty; skipped."
+            continue
+        fi
+
+        # Échapper les caractères spéciaux pour sed
+        escaped=$(printf '%s' "$val" | sed -e 's/[\/&]/\\&/g')
+
+        pattern="${delimiter}${var}${delimiter}"
+
+        prnt I "Replacing $pattern with $val in $file"
+        sed -i -e "s|$pattern|$escaped|g" "$file"
+    done
+}
+export -f setvar
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Replace @VAR@ in a text file by the corresponding values available in the
+# environment. The --delimiter or -d option allow to use something else than @
+setvars_from_env()
+{
+    local file delimiter="@"
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            -d|--delimiter)
+                shift
+                delimiter="${1:-@}"
+                ;;
+            *)
+                file="$1"
+                ;;
+        esac
+        shift
+    done
+
+    [[ -f $file ]] || {
+        prnt E "File not found: $file"
+        die 10
+    }
+
+    local vars
+    vars=$(grep -o "${delimiter}[A-Z0-9_]\+${delimiter}" "$file" | sort -u | tr -d "$delimiter")
+    [[ -z $vars ]] && return 0
+
+    setvar --delimiter "$delimiter" $vars "$file"
+}
+export -f setvars_from_env
+# ------------------------------------------------------------------------------
+
+
+# EOF

modules/authnz.sh

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------------
 # Add local or remote users
 # This file is part of the init.sh project
-# Copyright (c) 2019-2022 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
+# Copyright (c) 2019-2025 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
 # ------------------------------------------------------------------------------
 # This file is distributed under 3-clause BSD license.
 # The complete license agreement can be obtained at:
@@ -23,55 +23,6 @@
 export VER_authnz="0.2.2"
 export DEP_authnz=""
 
-# Users (from Ldap)
-add_remote_user()
-{
-    if [[ -n $(grep "^$1:" /etc/passwd) ]]; then
-        prnt W "A local user with name $1 already exists, adding anyway!"
-    fi
-    if [[ -n $(grep "^+$1:" /etc/passwd) ]]; then
-        prnt W "The remote user $1 is already declared, nothing to do in passwd."
-    else
-        echo "+$1::::::" >> /etc/passwd
-        prnt I "User $1 added to passwd..."
-    fi
-    if [[ -n $(grep "^+$1:" /etc/shadow) ]]; then
-        prnt W "The remote user $1 is already connectable, nothing to do in shadow."
-    else
-        echo "+$1::::::::" >> /etc/shadow
-        prnt I "User $1 added to shadow..."
-    fi
-}
-
-# Remove users
-remove_user()
-{
-    if [[ -n $(grep "^$1:" /etc/{passwd,shadow,group,gshadow}) ]]; then
-        # Using sed is more universal than any distro commands - local case
-        sed -i -e "/^$1:/d" /etc/{passwd,shadow,group,gshadow}
-    elif [[ -n $(grep "^+$1:" /etc/{passwd,shadow,group,gshadow}) ]]; then
-        # remote case
-        sed -i -e "/^+$1:/d" /etc/{passwd,shadow,group,gshadow}
-    else
-        prnt W "User $1 don't exists in auth files, nothing to do."
-    fi
-}
-
-# Create a local user
-create_local_user()
-{
-    if [[ $(noerror --noout id $1) != 0 ]]; then
-        prnt I "Creating user $1..."
-        if [[ $(directory_exists home_skell) ]]; then
-            useradd --create-home --shell $DEFAULT_SHELL --user-group $1 \
-                --skell $(select_directory home_skell)
-        else
-            useradd --create-home --shell $DEFAULT_SHELL --user-group $1
-        fi
-    else
-        prnt W "The user $1 already exists. Nothing to do..."
-    fi
-}
 
 # Authentication
 authnz()

modules/conf_ceph.sh

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------------
-# Configure machine for ceph (or samba) mount
+# Configure machine for ceph (or samba / NFS) mount
 # This file is part of the init.sh project
-# Copyright (c) 2019-2021 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
+# Copyright (c) 2019-2025 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
 # ------------------------------------------------------------------------------
 # This file is distributed under 3-clause BSD license.
 # The complete license agreement can be obtained at:
@@ -10,43 +10,52 @@
 # Variable:
 #   * CEPH_SRV_NAMES: hosts names of ceph servers
 #   * CEPHIP_srv: with "srv" being a ceph server hostname, its corresponding IP
-#   * SHARED_HOME: Set at yes if homedir is a directory of the ceph mount
+#   * CEPH_MOUNTS: list of mounts to create
-#   * SMBSRV: Fallback samba server on unsupported architectures
+#   * CEPH_MP_mount: mount point for the given "mount"
-# Mount points are hardcoded and should bet set differently
+#   * SHARED_HOME: Set at yes if homedir is a directory of the ceph mount (to be removed)
+#   * SMBSRV: Fallback samba server on unsupported architectures (not doing
+#             anything if undeclared)
+#   * NFSSRV: Fallback NFS server on unsupported architectures (not doing
+#             anything if undeclared)
+# If both SMBSRV and NFSSRV are set on unsupported hardware, Samba will have a
+# higher priority.
 # ------------------------------------------------------------------------------
 
-export VER_conf_ceph="0.0.5"
+export VER_conf_ceph="1.0.2"
 export DEP_conf_ceph=""
 
 conf_ceph()
 {
-    # Create mount point directories
-    prnt I "Creating mount points"
-    mkdir -pv /srv/ceph/share
-    mkdir -pv /share
-
     local success=undef
-    local fstabchanged=false
+
+    # Determine the type of installation
     if [[ $SYS_ARCH == "x86_64" || $SYS_ARCH == "i386" ]]; then
         export CEPH_STATUS=ceph
-    else
+    elif [[ -n $SMBSRV ]]; then
         export CEPH_STATUS=smb
+    elif [[ -n $NFSSRV ]]; then
+        export CEPH_STATUS=nfs
+    else
+        export CEPH_STATUS=none
     fi
+
     if [[ $CEPH_STATUS == ceph ]]; then
         # Install ceph package
         pkginst ceph-common
 
         # hosts files required for Ceph bootstrap when DNS not yet started
-        if [[ -z $(grep "# Ceph" /etc/hosts) ]]; then
+        if ! grep -q "^# Ceph" /etc/hosts; then
             prnt I "Adding server list to /etc/hosts"
             backup_dist /etc/hosts
             tag_file /etc/hosts
             echo >> /etc/hosts
             echo "# Ceph servers:" >> /etc/hosts
             for srv in $CEPH_SRV_NAMES; do
-                local line="$(eval echo \$CEPHIP_$srv)    $srv.$REALM   $srv"
+                local line
+                line="$(eval echo \$CEPHIP_$srv)    $srv.$REALM   $srv"
                 prnt m "     - Adding line $line to /etc/hosts"
                 echo "$line" >> /etc/hosts
+                unset line
             done
         else
             prnt W "Ceph servers already in /etc/hosts, nothing to do"
@@ -54,37 +63,59 @@ conf_ceph()
 
         backup_dist /etc/fstab
         prnt I "Adding ceph entries to /etc/fstab"
-        fstabchanged=true
+        tag_file /etc/fstab
         echo >> /etc/fstab
-        local srvlist=$(echo $CEPH_SRV_NAMES | sed "s/ /,/g")
+        local srvlist=${CEPH_SRV_NAMES// /,}
-        if [[ -z $(grep $srvlist /etc/fstab) ]]; then
+
+        prnt I "Fetching secret $CEPH_SECRET..."
+        local secret
+        secret=$(fetch_secret "$CEPH_SECRET")
+        if ! grep -q "$srvlist" /etc/fstab; then
             echo "# Ceph :" >> /etc/fstab
-            echo "$srvlist:/    /srv/ceph       ceph    defaults,_netdev,name=admin,secret=$CEPH_SECRET  0 0" >> /etc/fstab
+            for mnt in $CEPH_MOUNTS; do
+                local mp=$(eval echo \$CEPH_MP_$mnt)
+                mkdir -pv "$mp"
+                echo "$srvlist:/    $mp       ceph    defaults,_netdev,name=admin,secret=$secret,mds_namespace=$mnt  0 0" >> /etc/fstab
+                unset mp
+            done
         else
             prnt W "Ceph entry already in /etc/fstab, nothing to do"
         fi
-        unset srvlist
+        unset srvlist secret
         success=yes
     elif [[ $CEPH_STATUS == smb ]]; then
         pkginst smbclient
 
         backup_dist /etc/fstab
         prnt I "Adding Samba entries to /etc/fstab"
-        fstabchanged=true
         echo >> /etc/fstab
-        if [[ -z $(grep $SMBSRV /etc/fstab) ]]; then
+        tag_file /etc/fstab
+        if ! grep -q "$SMBSRV" /etc/fstab; then
             echo "# Samba:" >> /etc/fstab
-            echo "//$SMBSRV/share       /srv/ceph/share cifs    defaults,_netdev,username=root,password=        0 0" >> /etc/fstab
+            for mnt in $CEPH_MOUNTS; do
+                local mp=$(eval echo \$CEPH_MP_$mnt)
+                mkdir -pv $mp
+                echo "//$SMBSRV/$mnt       $mp     cifs    defaults,_netdev,username=root,password=        0 0" >> /etc/fstab
+                unset $mp
+            done
         else
             prnt W "Samba entry already in /etc/fstab, nothing to do"
         fi
         success=yes
+    elif [[ $CEPH_STATUS == nfs ]]; then
+        tag_file /etc/fstab
+        # To be implemented
+    elif [[ $CEPH_STATUS == none ]]; then
+        prnt W "No alternative set for unsuported hardware, nothing will be done."
+        return 0
     else
-        prnt E "Ceph status not understood, the next tasks will probably fail"
+        prnt E "Ceph status not understood, something is wrong."
+        return 1
     fi
     if [[ $success == yes ]]; then
-        if [[ -z $(grep "^/srv/ceph/share" /etc/fstab) ]]; then
+        # Create some mount binds for convenience
-            fstabchanged=true
+        # TODO: That part should be a different module with own configuration
+        if grep -q "^/srv/ceph/share" /etc/fstab; then
             echo "/srv/ceph/share       /share  none    defaults,_netdev,bind   0 0" >> /etc/fstab
             if [[ $SHARED_HOME == 1 ]]; then
                 echo "/srv/ceph/share/home      /home   none    defaults,_netdev,bind   0 0" >> /etc/fstab
@@ -94,18 +125,15 @@ conf_ceph()
         prnt E "Failed creating original mount, not adding binded ones"
     fi
 
-    if [[ $fstabchanged == true ]]; then
-        tag_file /etc/fstab
-    fi
-    unset fstabchanged
 
     # Mount Ceph volumes if required
     prnt I "Mounting ceph volumes"
-    [[ -z $(mount | grep "on /srv/ceph") ]] && mount -v /srv/ceph || mount -v /srv/ceph/share
+    for mnt in $CEPH_MOUNTS; do
-    [[ -z $(mount | grep "on /share") ]] && mount -v /share
+        if ! mountpoint -q "$(eval echo \$CEPH_MP_$mnt)"; then
-    if [[ $SHARED_HOME == "true" ]]; then
+            mount -v "$(eval echo \$CEPH_MP_$mnt)" ||
-        [[ -z $(mount | grep "on /home") ]] && mount -v /home
+                prnt W "Error while mounting CEPH filesystem (check CEPH logs), ignoring"
-    fi
+        fi
+    done
 }
 
 precheck_conf_ceph()
@@ -124,17 +152,24 @@ precheck_conf_ceph()
             done
             if [[ -z $CEPH_SECRET ]]; then
                 prnt E "CEPH secret key is not declared, can't continue!"
-                prnt I "If you don't want to put tour CEPH secret in configuration file,"
+                prnt I "If you don't want to put a CEPH secret var in configuration file,"
                 prnt m "you need to export it temporarily in your environment, using the"
                 prnt m "\"CEPH_SECRET\" variable."
-                exit 181
+                die 181
+            elif ! check_secret $CEPH_SECRET; then
+                prnt E "The declared $CEPH_SECRET is not accessible."
+                die 183
+            fi
+            if [[ -z $CEPH_MOUNTS ]]; then
+                prnt E "No CEPH mounts declared, despite reachable servers."
+                die 182
             fi
         else
             prnt E "No CEPH server declared!"
             die 182
         fi
     else
-        prnt W "System incompatible with ceph, falling back to samba..."
+        prnt W "System incompatible with ceph, falling back to Samba or NFS..."
     fi
 }
 

modules/conf_network.sh

@@ -100,11 +100,10 @@ conf_network()
 	fi
     done
 
-    prnt I "Trying to raise down iface up. Allready configured iface will require a reboot"
+    prnt I "Restart network to apply changes"
-    ifup -a || true && prnt W "Ignoring errors here."
+    svc_restart networking || true && prnt W "Ignoring errors here."
 
     unset iface if_file
-    export NEED_REBOOT=true
 }
 
 precheck_conf_network()
@@ -119,7 +118,7 @@ precheck_conf_network()
 		die 175
 	    else
 		if [[ $(grep "up" /sys/class/net/$iface/operstate) ]]; then
-		    prnt W "The IPv4 iface $iface, is already configured, a reboot will be required."
+		    prnt W "The IPv4 iface $iface, is already configured, a reboot could be required."
 		fi
 	    fi
 	    if [[ -z $(eval echo \$NET4_MODE_$iface) ]]; then
@@ -157,7 +156,7 @@ precheck_conf_network()
 		die 175
 	    else
 		if [[ $(grep "up" /sys/class/net/$iface/operstate) ]]; then
-		    prnt W "The IPv6 iface $iface, is already configured, a reboot will be required."
+		    prnt W "The IPv6 iface $iface, is already configured, a reboot could be required."
 		fi
 	    fi
 	    if [[ -z $(eval echo \$NET6_MODE_$iface) ]]; then

modules/conf_ntp.sh

@@ -11,7 +11,7 @@
 #  * NTPSERVERS: list of NTP servers
 # ------------------------------------------------------------------------------
 
-export VER_conf_ntp="0.1.6"
+export VER_conf_ntp="0.2.0"
 export DEP_conf_ntp=""
 
 conf_ntp()
@@ -21,16 +21,13 @@ conf_ntp()
 	systemctl disable systemd-timesyncd || true
     fi
 
+    NTP_SERV=${NTP_SERV:-ntp}
     prnt I "Installing ntp daemon..."
-    pkginst ntp
+    pkginst $NTP_SERV
     prnt I "Stopping service ntp..."
-    if [[ -n $NTP_SERV ]]; then
+    svc_stop $NTP_SERV
-	svc_stop $NTP_SERV
-    else
-	svc_stop ntp
-    fi
 
-    if [[ -n $NTP_SERV ]]; then
+    if [[ $NTP_SERV == ntpsec ]]; then
 	local conf_file="/etc/$NTP_SERV/ntp.conf"
     else
 	local conf_file="/etc/ntp.conf"
@@ -39,7 +36,11 @@ conf_ntp()
     prnt I "Installing NTP configuration file..."
     local dest="${conf_file}.work"
     backup_dist "$conf_file"
-    install_file ntp.conf "$dest"
+    if [[ -s $NTP_SERV ]]; then
+	install_file ${NTP_SERV}.conf "$dest"
+    else
+	install_file ntp.conf "$dest"
+    fi
     tag_file "$dest"
     local line=""
     for srv in $NTP_SERVERS; do

modules/install_mkagent.sh

@@ -9,54 +9,164 @@
 # ------------------------------------------------------------------------------
 # Variable:
 #  * MK_SERVER: Server IP address
-#  * MK_PORT: Port check_mk agent will use to communicate with server
+#  * MK_SITE: The check_mk site (or instance) to use
+#  * MK_URL: The URL to use to download the agent
+#  * MK_SECRET: The secret to use to register the agent
+#  * MK_USER: The user to use to register
 # ------------------------------------------------------------------------------
 
-export VER_install_mkagent="0.0.7"
+export VER_install_mkagent="0.1.0"
 export DEP_install_mkagent=""
 
+
+# ------------------------------------------------------------------------------
+# Extract CheckMK version from the server
+get_checkmk_version_from_server()
+{
+    local ip="$1"
+    local site="${2:-$MK_SITE}"
+    local proto out v header
+    local re_version='[0-9]+\.[0-9]+(\.[0-9]+)?p?[0-9]+'
+
+    [[ -n "$MK_VERSION" ]] && { printf '%s' "$MK_VERSION"; return 0; }
+
+    for proto in http https; do
+        # 1) Tentative via version.py (souvent non protégée)
+        if out=$(curl -fsS --max-time 3 "$proto://$ip/$site/check_mk/version.py" 2>/dev/null); then
+            v=$(grep -oE "$re_version" <<<"$out" | head -n1)
+            [[ -n "$v" ]] && { printf '%s' "$v"; return 0; }
+        fi
+
+        # 2) Tentative via login.py (page de connexion)
+        if out=$(curl -fsS --max-time 3 "$proto://$ip/$site/check_mk/login.py" 2>/dev/null); then
+            v=$(grep -oE "$re_version" <<<"$out" | grep -vE '2\.[0-9]{1,3}\.[0-9]{2,3}' | head -n1)
+            [[ -n "$v" ]] && { printf '%s' "$v"; return 0; }
+        fi
+
+        # 3) En-têtes HTTP éventuels
+        header=$(curl -fsSI --max-time 3 "$proto://$ip/$site/" 2>/dev/null || true)
+        if [[ -n "$header" ]]; then
+            v=$(grep -oiE "$re_version" <<<"$header" | head -n1)
+            [[ -n "$v" ]] && { printf '%s' "$v"; return 0; }
+        fi
+
+        # 4) Fallback : page d'accueil, mais filtrer les faux positifs du JS
+        out=$(curl -fsS --max-time 5 "$proto://$ip/$site/" 2>/dev/null || true)
+        if [[ -n "$out" ]]; then
+            # Filtre plus strict : commence par 1.x ou 2.x et max 2 chiffres après le point
+            v=$(grep -oE "$re_version" <<<"$out" \
+                | grep -E '^2\.[0-9]+(\.[0-9]+)?p?[0-9]*$' \
+                | grep -vE '\.[0-9]{3,}' \
+                | head -n1)
+            [[ -n "$v" ]] && { printf '%s' "$v"; return 0; }
+        fi
+    done
+
+    return 1
+}
+
 install_mkagent()
 {
-    wget $MK_URL -O /tmp/check-mk-agent_${MK_VERSION}_all.deb
+    local debfile="/tmp/check-mk-agent_latest_all.deb"
-    pkginst xinetd /tmp/check-mk-agent_${MK_VERSION}_all.deb
+    prnt I "Downloading CheckMK agent from: $MK_URL"
-    rm /tmp/check-mk-agent_${MK_VERSION}_all.deb
 
-    backup_dist /etc/xinetd.d/check_mk
+    # try primary URL
-    install_file cmk/check_mk /etc/xinetd.d/check_mk
+    if ! wget -q "$MK_URL" -O "$debfile"; then
-    tag_file /etc/xinetd.d/check_mk
+        prnt W "Primary download failed. Attempting to detect server version and fallback..."
-    sed -i -e "s/@MK_SERVER_IP@/$MK_SERVER_IP/" /etc/xinetd.d/check_mk
+        local mkver
+        mkver=$(get_checkmk_version_from_server "$MK_SERVER_IP" 2>/dev/null || true)
 
-    mkdir -pv /usr/lib/check_mk_agent/plugins/7200
+        if [[ -n "$mkver" ]]; then
-    install_file cmk/mk_apt /usr/lib/check_mk_agent/plugins/7200/mk_apt
+            prnt I "Detected Check_MK version: $mkver — building fallback URL"
-
+            # replace the literal 'latest' token in MK_URL with the detected version
-    # Cmk > 2.1, configure agent
+            local fallback_url
-    if [[ -e /var/lib/cmk-agent/cmk-agent-ctl.gz ]]; then
+            fallback_url="${MK_URL/latest/$mkver-1}"
-        gunzip /var/lib/cmk-agent/cmk-agent-ctl.gz
+            prnt I "Trying fallback URL: $fallback_url"
-        chmod +x /var/lib/cmk-agent/cmk-agent-ctl
+            if ! wget -q "$fallback_url" -O "$debfile"; then
-        scp -O $MK_SERVER_IP:/etc/check_mk/agentpwd /tmp/mk-pwd
+                prnt E "Fallback download with version $mkver failed."
-	sleep 1 # Some execution of cmk-agent-ctl have failed with file not found without that line
+                die 163
-        /var/lib/cmk-agent/cmk-agent-ctl register --hostname $HOSTNAME \
+            fi
-            --server $MK_SERVER_IP --site check_mk --user check_mk --password \
+        else
-            "$(read /tmp/mk-pwd)"
+            prnt E "Unable to detect Check_MK version on $MK_SERVER_IP and primary download failed."
+            die 163
+        fi
+    fi
+
+    # On non-systemd systems, install xinetd before the .deb to avoid postinst failures
+    if ! pidof systemd >/dev/null; then
+        pkginst xinetd
+    fi
+
+    # Install agent package
+    pkginst "$debfile"
+    rm -f "$debfile"
+
+    # Enable service depending on init system
+    if pidof systemd >/dev/null; then
+        systemctl enable --now check-mk-agent.socket
+    else
+        backup_dist /etc/xinetd.d/check-mk-agent
+        install_file cmk/check_mk /etc/xinetd.d/check-mk-agent
+        tag_file /etc/xinetd.d/check-mk-agent
+        sed -i -e "s/@MK_SERVER_IP@/$MK_SERVER_IP/" /etc/xinetd.d/check-mk-agent
+        svc_restart xinetd
+    fi
+
+    # Debian plugin
+    if [[ $PKG_MAN == "apt-get" ]]; then
+        mkdir -pv /usr/lib/check_mk_agent/plugins/3600
+        install_file cmk/mk_apt /usr/lib/check_mk_agent/plugins/3600/mk_apt
+    fi
+
+    # Registration (if secret provided)
+    if [[ -n $MK_SECRET ]]; then
+        local secret
+        prnt I "Fetching secret $MK_SECRET..."
+        secret=$(fetch_secret "$MK_SECRET")
+        if [[ -e /var/lib/cmk-agent/cmk-agent-ctl.gz ]]; then
+            gunzip -v -f  /var/lib/cmk-agent/cmk-agent-ctl.gz
+            chmod -v +x /var/lib/cmk-agent/cmk-agent-ctl
+        fi
+        if [[ -x /var/lib/cmk-agent/cmk-agent-ctl ]]; then
+            /var/lib/cmk-agent/cmk-agent-ctl register \
+                --hostname "$HOSTNAME" \
+                --server "$MK_SERVER_IP" \
+                --site "$MK_SITE" \
+                --user "$MK_USER" \
+                --password "$secret"
+        else
+            prnt W "Agent control tool not found; skipping registration."
+        fi
+        unset secret
+    else
+        prnt W "No secret configured, agent cannot be registered."
     fi
-    svc_restart xinetd
 }
 
 precheck_install_mkagent()
 {
-    if [[ -z $MK_VERSION ]]; then
+    if [[ -z $MK_SITE ]]; then
-	prnt E "Undeclared check_mk version of the agent to install."
+        prnt E "Undeclared check_mk site to use."
-	die 162
+        die 162
     fi
     if [[ -z $MK_URL ]]; then
-	prnt E "Undeclared check_mk download URL."
+        prnt E "Undeclared check_mk download URL."
-	die 162
+        die 162
     fi
     if [[ -z $MK_SERVER_IP ]]; then
-	prnt E "Undeclared check_mk server."
+        prnt E "Undeclared check_mk server."
-	die 162
+        die 162
+    fi
+    if [[ $PKG_MAN == "apt-get" ]]; then
+        file_must_exists cmk/check_mk cmk/mk_apt
+    fi
+    if [[ -z $MK_SECRET ]]; then
+        prnt W "No secret set for CheckMK, registration won't be possible."
+        if [[ -z $MK_USER ]]; then
+            prnt E "A CheckMK user is required to register."
+            die 162
+        fi
     fi
-    file_must_exists cmk/check_mk cmk/mk_apt
 }
 
 export -f install_mkagent

modules/upgrade_dist.sh

@@ -13,14 +13,19 @@
 #   * PROXY_APT_PORT: Working port for APT proxy if one declared
 #   * PROXY_SRV: General purpose proxy if PROXY_APT is undefined
 #   * PROXY_SRV_PORT: Working port for general purpose proxy if one declared
+# TODO: Split apt conf and actuel update to avoid repeating configuration if
+#       for a reason apt fail
+# TODO: This is Debian only, make this universal (at least yum/dnf compatible)
 # ------------------------------------------------------------------------------
 
-export VER_upgrade_dist="0.2.4"
+export VER_upgrade_dist="0.3.0"
 
 # As aptitude might fail if clock is too far from real time, we need to depend
 # on ntp
 export DEP_upgrade_dist="conf_ntp"
 
+export SOURCE_EXT="${SOURCE_EXT:-list}"
+
 upgrade_dist()
 {
     local proxyfile=/etc/apt/apt.conf.d/00proxy
@@ -29,6 +34,8 @@ upgrade_dist()
     # We backup entire apt dir
     backup_dist /etc/apt
     prnt I "Basic apt configuration..."
+
+    # TODO: No recommend section should be optionnal
     tag_file $norecommends
     {
         echo 'APT::Install-Recommends "false";'
@@ -38,31 +45,36 @@ upgrade_dist()
 
     prnt I "Configuring proxy for APT..."
     if [[ -n $PROXY_APT ]]; then
-	if [[ ! -d $(dirname $proxyfile) ]]; then
+        if [[ ! -d $(dirname $proxyfile) ]]; then
-	    mkdir -pv $(dirname $proxyfile) || (
+            mkdir -pv "$(dirname $proxyfile)" || (
-		prnt E "Impossible to create directory to receive APT configuration."
+                prnt E "Impossible to create directory to receive APT configuration."
-		die 60
+                die 60
-	    )
+            )
-	else
+        else
             # Cleanup
             if [[ -s $proxyfile ]]; then
-                emptyflie $proxyfile
+                true > "$proxyfile"
             fi
-            if [[ $(grep "^Acquire::http::Proxy" /etc/apt/apt.conf) ]]; then
+            if grep -q "^Acquire::http::Proxy" /etc/apt/apt.conf; then
                 sed -i -e "/^Acquire::http::Proxy/d" /etc/apt/apt.conf
             fi
         fi
         tag_file $proxyfile
         echo "Acquire::http::Proxy \"http://${PROXY_APT}:${PROXY_APT_PORT}\";" >> $proxyfile
     elif [[ -n $PROXY_SRV ]]; then
-	tag_file $proxyfile
+        tag_file $proxyfile
-	echo "Acquire::http::Proxy \"http://${PROXY_SRV}:${PROXY_SRV_PORT}\";" >> $proxyfile
+        echo "Acquire::http::Proxy \"http://${PROXY_SRV}:${PROXY_SRV_PORT}\";" >> $proxyfile
     else
-	prnt I "No proxy configured, nothing to do."
+        prnt I "No proxy configured, nothing to do."
     fi
 
     # Remplace source.list from dist with ours (be smarter)
-    install_file "pkgman/${SYS_DIST}_${SYS_VER}.list" /etc/apt/sources.list
+    if [[ NO_MAIN_SOURCE == true ]]; then
+        install_file "pkgman/${SYS_DIST}_${SYS_VER}.list" "/etc/apt/sources.list.d/debian.${SOURCE_EXT}"
+    else
+	# We don't use SOURCE_EXT
+        install_file "pkgman/${SYS_DIST}_${SYS_VER}.list" "/etc/apt/sources.list"
+    fi
 
     prnt I "Updating package list..."
     pkgupdt
@@ -79,18 +91,22 @@ precheck_upgrade_dist()
     prnt I "Checking network connectivity..."
 
     if [[ $(noerror wget -q --tries=10 --timeout=20 --spider http://www.tetaneutral.net) != 0 ]]; then
-	prnt E "It seems network configuration is not functionnal! Giving up."
+        prnt E "It seems network configuration is not functionnal! Giving up."
-	die 160
+        die 160
     fi
     if [[ -n $PROXY_APT && -z $PROXY_APT_PORT ]]; then
-	prnt E "An APT proxy server have been specified but not its working port."
+        prnt E "An APT proxy server have been specified but not its working port."
-	die 160
+        die 160
     fi
     if [[ -n $PROXY_SRV && -z $PROXY_SRV_PORT ]]; then
-	prnt E "A general proxy server have been specified but not its working port."
+        prnt E "A general proxy server have been specified but not its working port."
-	die 160
+        die 160
     fi
     file_must_exists pkgman/${SYS_DIST}_${SYS_VER}.list
+    if [[ -z $NO_MAIN_SOURCE ]]; then
+        prnt E "A required variable to configure apt is not defined."
+        die 160
+    fi
 }
 
 cron_upgrade_dist()

repo/common/ntpsec.conf

@@ -0,0 +1,53 @@
+# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntpsec/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g., with Let's Encrypt), place the cert and key in the paths below, and
+# uncomment:
+# nts cert /etc/ntpsec/cert-chain.pem
+# nts key /etc/ntpsec/key.pem
+# nts enable
+
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
+
+# This should be maxclock 7, but the pool entries count towards maxclock.
+tos maxclock 11
+
+# Comment this out if you have a refclock and want it to be able to discipline
+# the clock by itself (e.g. if the system is not connected to the network).
+tos minclock 4 minsane 3
+
+# Specify one or more NTP servers.
+
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
+@SERVERLIST@
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <https://www.pool.ntp.org/join.html>
+#pool 0.debian.pool.ntp.org iburst
+#pool 1.debian.pool.ntp.org iburst
+#pool 2.debian.pool.ntp.org iburst
+#pool 3.debian.pool.ntp.org iburst
+
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict default kod nomodify noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1

repo/common/pkgman/devuan_5.list

@@ -6,4 +6,4 @@ deb http://fr.deb.devuan.org/merged daedalus-updates main contrib non-free non-f
 deb-src http://fr.deb.devuan.org/merged daedalus-updates main contrib non-free non-free-firmware
 
 deb http://fr.deb.devuan.org/merged daedalus-security main contrib non-free non-free-firmware
-deb-src http://fr.deb.devuan.org/merged daedalus-securtity main contrib non-free non-free-firmware
+deb-src http://fr.deb.devuan.org/merged daedalus-security main contrib non-free non-free-firmware

repo/common/pkgman/devuan_6.list

@@ -0,0 +1,10 @@
+deb http://fr.deb.devuan.org/merged excalibur main non-free-firmware contrib
+deb-src http://fr.deb.devuan.org/merged excalibur main non-free-firmware contrib
+
+deb http://fr.deb.devuan.org/merged excalibur-security main non-free-firmware contrib
+deb-src http://fr.deb.devuan.org/merged excalibur-security main non-free-firmware contrib
+
+# excalibur-updates, to get updates before a point release is made;
+# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
+deb http://fr.deb.devuan.org/merged excalibur-updates main non-free-firmware contrib
+deb-src http://fr.deb.devuan.org/merged excalibur-updates main non-free-firmware contrib

repo/hosts/cagua/ntp.conf

@@ -1,64 +1,48 @@
-*# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
+# State files
 driftfile /var/lib/ntp/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
 
-# Enable this if you want statistics to be logged.
+# Statistics
-#statsdir /var/log/ntpstats/
 
-statistics loopstats peerstats clockstats
+statistics loopstats peerstats clockstats sysstats
 filegen loopstats file loopstats type day enable
 filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
+filegen sysstats file sysstats type day enable
 
+# Interfaces to listen on:
+interface listen 192.168.1.0/24
+interface listen 10.250.42.0/24
+interface listen 10.42.250.0/16
+interface ignore wildcard
 
-# You do need to talk to an NTP server or two (or three).
+# NTP sources
-#server ntp.your-provider.example
+# Our other NTP server, to have consistant REFID
+server didicas prefer                   iburst
 
-# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+server ntp.laas.fr                      iburst
-# pick a different set every time it starts up.  Please consider joining the
+server ntp.sophia.cnrs.fr               iburst
-# pool: <http://www.pool.ntp.org/join.html>
+server ntp2.emn.fr                      iburst
-server ntp.laas.fr			iburst
+server delphi.phys.univ-tours.fr        iburst
-server ntp.sophia.cnrs.fr		iburst
+server ntp.crashdump.fr                 iburst
-server ntp2.emn.fr			iburst
+server ntp.ilianum.com                  iburst
-server delphi.phys.univ-tours.fr	iburst
+server ntp.unice.fr                     iburst
-server ntp.crashdump.fr			iburst
+server ntp.accelance.net                iburst
-server ntp.ilianum.com			iburst
+server ntp.deuza.net                    iburst
-server ntp.unice.fr			iburst
+server ntp1.jussieu.fr                  iburst
-server ntp.accelance.net		iburst
+server time.resolvlab.com               iburst
-server ntp.deuza.net			iburst
-server ntp1.jussieu.fr			iburst
-server time.resolvlab.com		iburst
 
 # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
 # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
 # might also be helpful.
 #
-# Note that "restrict" applies to both servers and clients, so a configuration
+restrict default limited nomodify notrap nopeer noquery
-# that might be intended to block requests from certain clients could also end
-# up blocking replies from your own upstream servers.
-
-# By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery limited
-restrict -6 default kod notrap nomodify nopeer noquery limited
-
-# Local users may interrogate the ntp server more closely.
-restrict 192.168.1.0/24
-restrict 127.0.0.1
-restrict ::1
-
-# Needed for adding pool entries
 restrict source notrap nomodify noquery
 
-# Clients from this (example!) subnet have unlimited access, but only if
+restrict 192.168.1.0/24
-# cryptographically authenticated.
+restrict 10.250.42.0/24
-restrict 192.168.0.0 mask 255.255.0.0 trust
+restrict 10.42.250.0/16
-
+restrict 127.0.0.1
-
+restrict ::1
-# If you want to provide time to your local subnet, change the next line.
-# (Again, the address is an example only.)
-broadcast 192.168.1.255
-
-# If you want to listen to time broadcasts on your local subnet, de-comment the
-# next lines.  Please do this only if you trust everybody on the network!
-#disable auth
-#broadcastclient

repo/hosts/didicas/ntp.conf

@@ -1,64 +1,48 @@
-*# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
+# State files
 driftfile /var/lib/ntp/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
 
-# Enable this if you want statistics to be logged.
+# Statistics
-#statsdir /var/log/ntpstats/
 
-statistics loopstats peerstats clockstats
+statistics loopstats peerstats clockstats sysstats
 filegen loopstats file loopstats type day enable
 filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
+filegen sysstats file sysstats type day enable
 
+# Interfaces to listen on:
+interface listen 192.168.1.0/24
+interface listen 10.250.42.0/24
+interface listen 10.42.250.0/16
+interface ignore wildcard
 
-# You do need to talk to an NTP server or two (or three).
+# NTP sources
-#server ntp.your-provider.example
+# Our other NTP server, to have consistant REFID
+server cagua prefer                     iburst
 
-# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+server ntp.laas.fr                      iburst
-# pick a different set every time it starts up.  Please consider joining the
+server ntp.sophia.cnrs.fr               iburst
-# pool: <http://www.pool.ntp.org/join.html>
+server ntp2.emn.fr                      iburst
-server ntp.laas.fr			iburst
+server delphi.phys.univ-tours.fr        iburst
-server ntp.sophia.cnrs.fr		iburst
+server ntp.crashdump.fr                 iburst
-server ntp2.emn.fr			iburst
+server ntp.ilianum.com                  iburst
-server delphi.phys.univ-tours.fr	iburst
+server ntp.unice.fr                     iburst
-server ntp.crashdump.fr			iburst
+server ntp.accelance.net                iburst
-server ntp.ilianum.com			iburst
+server ntp.deuza.net                    iburst
-server ntp.unice.fr			iburst
+server ntp1.jussieu.fr                  iburst
-server ntp.accelance.net		iburst
+server time.resolvlab.com               iburst
-server ntp.deuza.net			iburst
-server ntp1.jussieu.fr			iburst
-server time.resolvlab.com		iburst
 
 # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
 # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
 # might also be helpful.
 #
-# Note that "restrict" applies to both servers and clients, so a configuration
+restrict default limited nomodify notrap nopeer noquery
-# that might be intended to block requests from certain clients could also end
-# up blocking replies from your own upstream servers.
-
-# By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery limited
-restrict -6 default kod notrap nomodify nopeer noquery limited
-
-# Local users may interrogate the ntp server more closely.
-restrict 192.168.1.0/24
-restrict 127.0.0.1
-restrict ::1
-
-# Needed for adding pool entries
 restrict source notrap nomodify noquery
 
-# Clients from this (example!) subnet have unlimited access, but only if
+restrict 192.168.1.0/24
-# cryptographically authenticated.
+restrict 10.250.42.0/24
-restrict 192.168.0.0 mask 255.255.0.0 trust
+restrict 10.42.250.0/16
-
+restrict 127.0.0.1
-
+restrict ::1
-# If you want to provide time to your local subnet, change the next line.
-# (Again, the address is an example only.)
-broadcast 192.168.1.255
-
-# If you want to listen to time broadcasts on your local subnet, de-comment the
-# next lines.  Please do this only if you trust everybody on the network!
-#disable auth
-#broadcastclient