Support user defined processes

User defined processes are defined by new cdist beta command 'process'. Processes can be defined in `process` subdirectory in `$HOME/.cdist` or in custom directories specified through CDIST_PROCESS_PATH environment variable. `<path>/process` processes are defined in subdirectories, where a directory must contain `__init__.py` file to be recognized as a process, and it is then imported as a module. Since scanning and registering processes happens before cdist arguments are parsed, then standard cdist logging cannot be used in this stage. This is why CDIST_PROCESS_DEBUG environemnt variable turns on debug messages. Dummy example (`~/.cdist/process/homeprocess/__init__.py`): #!/usr/bin/env python3 # -*- coding: utf-8 -*- import logging import subprocess log = logging.getLogger(__name__) def register(parent_parser): parser = parent_parser.add_parser('cdist-help') parser.set_defaults(func=cdist_help) def cdist_help(args): cmd = [ "cdist", "-h", ] log.info("Running my process cdist help") subprocess.check_call(cmd)
2020-01-12 15:00:24 +01:00
76 changed files with 418 additions and 1634 deletions
--- a/cdist/argparse.py
+++ b/cdist/argparse.py
@ -7,10 +7,11 @@ import functools
 import cdist.configuration
 import cdist.preos
 import cdist.info
 import cdist.process
 # set of beta sub-commands
-BETA_COMMANDS = set(('install', 'inventory', ))
+BETA_COMMANDS = set(('install', 'inventory', 'process', ))
 # set of beta arguments for sub-commands
 BETA_ARGS = {
    'config': set(('tag', 'all_tagged_hosts', 'use_archiving', )),
@ -468,6 +469,14 @@ def get_parsers():
            'pattern', nargs='?', help='Glob pattern.')
    parser['info'].set_defaults(func=cdist.info.Info.commandline)
    # Process
    parser['process'] = parser['sub'].add_parser(
        'process', parents=[parser['loglevel'], parser['beta'], ])
    parser['process_sub'] = parser['process'].add_subparsers(title="Processes")
    parser['process'].set_defaults(func=functools.partial(
        cdist.process.commandline, parser=parser['process']))
    cdist.process.setup(parser['process_sub'])
    for p in parser:
        parser[p].epilog = EPILOG
--- a/cdist/conf/explorer/disks
+++ b/cdist/conf/explorer/disks
@ -1,67 +1,27 @@
-#!/bin/sh -e
+#!/bin/sh
 #
 # based on previous work by other people, modified by:
 # 2020 Dennis Camera <dennis.camera at ssrq-sds-fds.ch>
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 # Finds disks of the system (excl. ram disks, floppy, cdrom)
 uname_s="$(uname -s)"
-case $uname_s in
+case "${uname_s}" in
    FreeBSD)
        sysctl -n kern.disks
    ;;
-    OpenBSD)
+    OpenBSD|NetBSD)
-        sysctl -n hw.disknames | grep -Eo '[lsw]d[0-9]+'
+        sysctl -n hw.disknames | grep -Eo '[lsw]d[0-9]+' | xargs
    ;;
    NetBSD)
        PATH="${PATH}:/usr/local/sbin:/usr/sbin:/sbin"
        sysctl -n hw.disknames \
        | awk 'BEGIN { RS = " " } /^[lsw]d[0-9]+/'
    ;;
    Linux)
-        # list of major device numbers toexclude:
+        if command -v lsblk > /dev/null
        #  ram disks, floppies, cdroms
        # https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
        ign_majors='1 2 11'
        if command -v lsblk >/dev/null 2>&1
        then
-            lsblk -e "$(echo "$ign_majors" | tr ' ' ',')" -dno name
+            # exclude ram disks, floppies and cdroms
-        elif test -d /sys/block/
+            # https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
-        then
+            lsblk -e 1,2,11 -dno name | xargs
            # shellcheck disable=SC2012
            ls -1 /sys/block/ \
            | awk -v ign_majors="$(echo "$ign_majors" | tr ' ' '|')" '
                {
                  devfile = "/sys/block/" $0 "/dev"
                  getline devno < devfile
                  close(devfile)
                  if (devno !~ "^(" ign_majors "):") print
                }'
        else
-            echo "Don't know how to list disks on Linux without lsblk and sysfs." >&2
+            printf "Don't know how to list disks for %s operating system without lsblk, if you can please submit a patch\n" "${uname_s}" >&2
            echo 'If you can, please submit a patch.'>&2
        fi
    ;;
    *)
-        printf "Don't know how to list disks for %s operating system.\n" "${uname_s}" >&2
+        printf "Don't know how to list disks for %s operating system, if you can please submit a patch\n" "${uname_s}" >&2
        printf 'If you can please submit a patch\n' >&2
    ;;
-esac \
+esac
-| xargs
+
 exit 0
--- a/cdist/conf/explorer/init
+++ b/cdist/conf/explorer/init
@ -1,8 +1,7 @@
-#!/bin/sh -e
+#!/bin/sh
 #
 # 2016 Daniel Heule (hda at sfs.biz)
 # Copyright 2017, Philippe Gregoire <pg@pgregoire.xyz>
 # 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -20,422 +19,21 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
-# Returns the name of the init system (PID 1)
+# Returns the process name of pid 1 ( normaly the init system )
-
+# for example at linux this value is "init" or "systemd" in most cases
 # Expected values:
 # Linux:
 #  Adélie Linux:
 #    sysvinit+openrc
 #  Alpine Linux:
 #    busybox-init+openrc
 #  ArchLinux:
 #    systemd, sysvinit
 #  CRUX:
 #    sysvinit
 #  Debian:
 #    systemd, upstart, sysvinit, openrc, ???
 #  Devuan:
 #    sysvinit, sysvinit+openrc
 #  Gentoo:
 #    sysvinit+openrc, openrc-init, systemd
 #  OpenBMC:
 #    systemd
 #  OpenWrt:
 #    procd, init???
 #  RedHat (RHEL, CentOS, Fedora, RedHat Linux, ...):
 #    systemd, upstart, upstart-legacy, sysvinit
 #  Slackware:
 #    sysvinit
 #  SuSE:
 #    systemd, sysvinit
 #  Ubuntu:
 #    systemd, upstart, upstart-legacy, sysvinit
 #  VoidLinux:
 #    runit
 #
 # GNU:
 #   Debian:
 #     sysvinit, hurd-init
 #
 # BSD:
 #  {Free,Open,Net}BSD:
 #    init
 #
 # Mac OS X:
 #   launchd, init+SystemStarter
 #
 # Solaris/Illumos:
 #   smf, init???
-# NOTE: init systems can be stacked. This is popular to run OpenRC on top of
+uname_s="$(uname -s)"
 # sysvinit (Gentoo) or busybox-init (Alpine), but can also be used to run runit
 # as a systemd service.  This makes init system detection very complicated
 # (which result is expected?)  This script tries to untangle some combinations,
 # OpenRC on top of sysv or busybox (X+openrc), but will ignore others (runit as
 # a systemd service)
-# NOTE: When we have no idea, nothing will be printed!
+case "$uname_s" in
-
+    Linux)
-# NOTE:
+        (pgrep -P0 -l | awk '/^1[ \t]/ {print $2;}') || true
-# When trying to gather information about the init system make sure to do so
+    ;;
-# without calling the binary!   On some systems this triggers a reinitialisation
+    FreeBSD|OpenBSD)
-# of the system which we don't want (e.g. embedded systems).
+        ps -o comm= -p 1 || true
-
+    ;;
-
+    *)
-set -e
+        # return a empty string as unknown value
-
+        echo ""
-KERNEL_NAME=$(uname -s)
+    ;;
-
+esac
 KNOWN_INIT_SYSTEMS=$(cat <<EOF
 systemd
 sysvinit
 upstart
 runit
 procd
 smf
 launchd
 init
 hurd_init
 systemstarter
 EOF
 )
 common_candidates_by_kernel() {
 	case $KERNEL_NAME
 	in
 		FreeBSD|NetBSD|OpenBSD)
 			echo init
 			;;
 		Linux)
 			echo systemd
 			echo sysvinit
 			echo upstart
 			;;
 		GNU)
 			echo sysvinit
 			echo hurd-init
 			;;
 		Darwin)
 			echo launchd
 			echo systemstarter
 			;;
 		SunOS)
 			echo smf
 			;;
 	esac
 }
 ## Helpers
 trim() {
 	sed -e 's/^[[:blank:]]*//' -e 's/[[:blank:]]*$//' -e '/^[[:blank:]]*$/d'
 }
 unique() {
 	# Delete duplicate lines (keeping input order)
 	# NOTE: Solaris AWK breaks without if/print construct.
 	awk '{ if (!x[$0]++) print }'
 }
 ## Check functions
 # These functions are used to verify if a guess is correct by checking some
 # common property of a running system (presence of a directory in /run etc.)
 check_busybox_init() (
 	busybox_path=${1:-/bin/busybox}
 	test -x "${busybox_path}" || return 1
 	grep -q 'BusyBox v[0-9]' "${busybox_path}" || return 1
 	# It is quite common to use Busybox init to stack other init systemd
 	# (like OpenRC) on top of it. So we check for that, too.
 	if stacked=$(check_openrc)
 	then
 		echo "busybox-init+${stacked}"
 	else
 		echo busybox-init
 	fi
 )
 check_hurd_init() (
 	init_exe=${1:-/hurd/init}
 	test -x "${init_exe}" || return 1
 	grep -q 'GNU Hurd' "${init_exe}" || return 1
 	echo hurd-init
 )
 check_init() {
 	# Checks for various BSD inits...
 	test -x /sbin/init || return 1
 	if grep -q -E '(Free|Net|Open)BSD' /sbin/init
 	then
 		echo init
 		return 0
 	fi
 }
 check_launchd() {
 	command -v launchctl >/dev/null 2>&1 || return 1
 	launchctl getenv PATH >/dev/null || return 1
 	echo launchd
 }
 check_openrc() {
 	test -f /run/openrc/softlevel || return 1
 	echo openrc
 }
 check_procd() (
 	procd_path=${1:-/sbin/procd}
 	test -x "${procd_path}" || return 1
 	grep -q 'procd' "${procd_path}" || return 1
 	echo procd
 )
 check_runit() {
 	test -d /run/runit || return 1
 	echo runit
 }
 check_smf() {
 	# XXX: Is this the correct way??
 	test -f /etc/svc/volatile/svc_nonpersist.db || return 1
 	echo smf
 }
 check_systemd() {
 	# NOTE: sd_booted(3)
 	test -d /run/systemd/system/ || return 1
 	# systemctl --version | sed -e '/^systemd/!d;s/^systemd //'
 	echo systemd
 }
 check_systemstarter() {
 	test -d /System/Library/StartupItems/ || return 1
 	test -f /System/Library/StartupItems/LoginWindow/StartupParameters.plist || return 1
 	echo init+SystemStarter
 }
 check_sysvinit() (
 	init_path=${1:-/sbin/init}
 	grep -q 'INIT_VERSION=sysvinit-[0-9.]*' "${init_path}" || return 1
 	# It is quite common to use SysVinit to stack other init systemd
 	# (like OpenRC) on top of it. So we check for that, too.
 	if stacked=$(check_openrc)
 	then
 		echo "sysvinit+${stacked}"
 	else
 		echo sysvinit
 	fi
 	unset stacked
 )
 check_upstart() {
 	test -x "$(command -v initctl)" || return 1
 	case $(initctl version)
 	in
 		*'(upstart '*')')
 			if test -d /etc/init
 			then
 				# modern (DBus-based?) upstart >= 0.5
 				echo upstart
 			elif test -d /etc/event.d
 			then
 				# ancient upstart
 				echo upstart-legacy
 			else
 				# whatever...
 				echo upstart
 			fi
 			;;
 		*)
 			return 1
 			;;
 	esac
 }
 find_init_procfs() (
 	# First, check if the required file in procfs exists...
 	test -h /proc/1/exe || return 1
 	# Find init executable
 	init_exe=$(ls -l /proc/1/exe 2>/dev/null) || return 1
 	init_exe=${init_exe#* -> }
 	if ! test -x "$init_exe"
 	then
 		# On some rare occasions it can happen that the
 		# running init's binary has been replaced. In this
 		# case Linux adjusts the symlink to "X (deleted)"
 		# [root@fedora-12 ~]# readlink /proc/1/exe
 		# /sbin/init (deleted)
 		# [root@fedora-12 ~]# ls -l /proc/1/exe
 		# lrwxrwxrwx. 1 root root 0 2020-01-30 23:00 /proc/1/exe -> /sbin/init (deleted)
 		init_exe=${init_exe% (deleted)}
 		test -x "$init_exe" || return 1
 	fi
 	echo "${init_exe}"
 )
 guess_by_path() {
 	case $1
 	in
 		/bin/busybox)
 			check_busybox_init "$1" && return
 			;;
 		/lib/systemd/systemd)
 			check_systemd "$1" && return
 			;;
 		/hurd/init)
 			check_hurd_init "$1" && return
 			;;
 		/sbin/launchd)
 			check_launchd "$1" && return
 			;;
 		/usr/bin/runit|/sbin/runit)
 			check_runit "$1" && return
 			;;
 		/sbin/openrc-init)
 			if check_openrc "$1" >/dev/null
 			then
 				echo openrc-init
 				return
 			fi
 			;;
 		/sbin/procd)
 			check_procd "$1" && return
 			;;
 		/sbin/init|*/init)
 			# init: it could be anything -> (explicit) no match
 			return 1
 			;;
 	esac
 	# No match
 	return 1
 }
 guess_by_comm_name() {
 	case $1
 	in
 		busybox)
 			check_busybox_init && return
 			;;
 		openrc-init)
 			if check_openrc >/dev/null
 			then
 				echo openrc-init
 				return 0
 			fi
 			;;
 		init)
 			# init could be anything -> no match
 			return 1
 			;;
 		*)
 			# Run check function by comm name if available.
 			# Fall back to comm name if either it does not exist or
 			# returns non-zero.
 			if type "check_$1" >/dev/null
 			then
 				"check_$1" && return
 			else
 				echo "$1" ; return 0
 			fi
 	esac
 	return 1
 }
 check_list() (
 	# List must be a multi-line input on stdin (one name per line)
 	while read -r init
 	do
 		"check_${init}" || continue
 		return 0
 	done
 	return 1
 )
 # BusyBox's versions of ps and pgrep do not support some options
 # depending on which compile-time options have been used.
 find_init_pgrep() {
 	pgrep -P0 -fl 2>/dev/null | awk -F '[[:blank:]]' '$1 == 1 { print $2 }'
 }
 find_init_ps() {
 	case $KERNEL_NAME
 	in
 		Darwin)
 			ps -o command -p 1 2>/dev/null | tail -n +2
 			;;
 		FreeBSD)
 			ps -o args= -p 1 2>/dev/null | cut -d ' ' -f 1
 			;;
 		Linux)
 			ps -o comm= -p 1 2>/dev/null
 			;;
 		NetBSD)
 			ps -o comm= -p 1 2>/dev/null
 			;;
 		OpenBSD)
 			ps -o args -p 1 2>/dev/null | tail -n +2 | cut -d ' ' -f 1
 			;;
 		*)
 			ps -o args= -p 1 2>/dev/null
 			;;
 	esac | trim  # trim trailing whitespace (some ps like Darwin add it)
 }
 find_init() {
 	case $KERNEL_NAME
 	in
 		Linux|GNU|NetBSD)
 			find_init_procfs || find_init_pgrep || find_init_ps
 			;;
 		FreeBSD)
 			find_init_procfs || find_init_ps
 			;;
 		OpenBSD)
 			find_init_pgrep || find_init_ps
 			;;
 		Darwin|SunOS)
 			find_init_ps
 			;;
 		*)
 			echo "Don't know how to determine init." >&2
 			echo 'Please send a patch.' >&2
 			exit 1
 	esac
 }
 # -----
 init=$(find_init)
 # If we got a path, guess by the path first (fall back to file name if no match)
 # else guess by file name directly.
 # shellcheck disable=SC2015
 {
 	test -x "${init}" \
 		&& guess_by_path "${init}" \
 		|| guess_by_comm_name "$(basename "${init}")"
 } && exit 0 || true
 # Guessing based on the file path and name didn’t lead to a definitive result.
 #
 # We go through all of the checks until we find a match. To speed up the
 # process, common cases will be checked first based on the underlying kernel.
 { common_candidates_by_kernel; echo "${KNOWN_INIT_SYSTEMS}"; } \
 	| unique | check_list
--- a/cdist/conf/explorer/os_release
+++ b/cdist/conf/explorer/os_release
@ -1,7 +1,6 @@
 #!/bin/sh
 #
 # 2018 Adam Dej (dejko.a at gmail.com)
 # 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -22,17 +21,6 @@
 # See os-release(5) and http://0pointer.de/blog/projects/os-release
-if test -f /etc/os-release
+set +e
 then
 	# Linux and FreeBSD (usually a symlink)
 	cat /etc/os-release
 elif test -f /usr/lib/os-release
 then
 	# systemd
 	cat /usr/lib/os-release
 elif test -f /var/run/os-release
 then
 	# FreeBSD (created by os-release service)
 	cat /var/run/os-release
 fi
 cat /etc/os-release || cat /usr/lib/os-release || true
--- a/cdist/conf/explorer/os_version
+++ b/cdist/conf/explorer/os_version
@ -70,7 +70,4 @@ case "$("$__explorer/os")" in
   ubuntu)
      lsb_release -sr
   ;;
-   alpine)
+esac
       cat /etc/alpine-release
   ;;
 esac
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@ -20,13 +20,7 @@
 file_is="$( cat "$__object/explorer/file_is" )"
-if [ "$file_is" = 'missing' ] \
+[ "$file_is" = 'missing' ] && [ -z "$__cdist_dry_run" ] && exit 0
    && [ -z "$__cdist_dry_run" ] \
    && \( [ ! -f "$__object/parameter/file" ] \
        || [ ! -f "$__object/parameter/directory" ] \)
 then
    exit 0
 fi
 os="$( cat "$__global/explorer/os" )"
@ -34,17 +28,7 @@ acl_path="/$__object_id"
 acl_is="$( cat "$__object/explorer/acl_is" )"
-if [ -f "$__object/parameter/source" ]
+if [ -f "$__object/parameter/entry" ]
 then
    acl_source="$( cat "$__object/parameter/source" )"
    if [ "$acl_source" = '-' ]
    then
        acl_should="$( cat "$__object/stdin" )"
    else
        acl_should="$( grep -Ev '^#|^$' "$acl_source" )"
    fi
 elif [ -f "$__object/parameter/entry" ]
 then
    acl_should="$( cat "$__object/parameter/entry" )"
 elif [ -f "$__object/parameter/acl" ]
--- a/cdist/conf/type/__acl/man.rst
+++ b/cdist/conf/type/__acl/man.rst
@ -19,20 +19,6 @@ entry
   Set ACL entry following ``getfacl`` output syntax.
 OPTIONAL PARAMETERS
 -------------------
 source
   Read ACL entries from stdin or file.
   Ordering of entries is not important.
   When reading from file, comments and empty lines are ignored.
 file
   Create/change file with ``__file`` using ``user:group:mode`` pattern.
 directory
   Create/change directory with ``__directory`` using ``user:group:mode`` pattern.
 BOOLEAN PARAMETERS
 ------------------
 default
@ -85,17 +71,6 @@ EXAMPLES
        --entry group:secret-project:rwx \
        --entry user:alice:r-x
    # read acl from stdin
    echo 'user:alice:rwx' \
        | __acl /path/to/directory --source -
    # create/change directory too
    __acl /path/to/directory \
        --default \
        --remove \
        --directory root:root:770 \
        --entry user:nobody:rwx
 AUTHORS
 -------
--- a/cdist/conf/type/__acl/manifest
+++ b/cdist/conf/type/__acl/manifest
@ -1,11 +0,0 @@
 #!/bin/sh -e
 for p in file directory
 do
    [ ! -f "$__object/parameter/$p" ] && continue
    "__$p" "/$__object_id" \
        --owner "$( awk -F: '{print $1}' "$__object/parameter/$p" )" \
        --group "$( awk -F: '{print $2}' "$__object/parameter/$p" )" \
        --mode  "$( awk -F: '{print $3}' "$__object/parameter/$p" )"
 done
--- a/cdist/conf/type/__acl/parameter/optional
+++ b/cdist/conf/type/__acl/parameter/optional
@ -1,5 +1,2 @@
 mask
 other
 source
 file
 directory
--- a/cdist/conf/type/__apt_unattended_upgrades/man.rst
+++ b/cdist/conf/type/__apt_unattended_upgrades/man.rst
@ -1,68 +0,0 @@
 cdist-type__apt_unattended_upgrades(7)
 ======================================
 NAME
 ----
 cdist-type__apt_unattended_upgrades - automatic installation of updates
 DESCRIPTION
 -----------
 Install and configure unattended-upgrades package.
 For more information see https://wiki.debian.org/UnattendedUpgrades.
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 option
   Set options for unattended-upgrades. See examples.
   Supported options with default values (as of 2020-01-17) are:
   - AutoFixInterruptedDpkg, default is "true"
   - MinimalSteps, default is "true"
   - InstallOnShutdown, default is "false"
   - Mail, default is "" (empty)
   - MailOnlyOnError, default is "false"
   - Remove-Unused-Kernel-Packages, default is "true"
   - Remove-New-Unused-Dependencies, default is "true"
   - Remove-Unused-Dependencies, default is "false"
   - Automatic-Reboot, default is "false"
   - Automatic-Reboot-WithUsers, default is "true"
   - Automatic-Reboot-Time, default is "02:00"
   - SyslogEnable, default is "false"
   - SyslogFacility, default is "daemon"
   - OnlyOnACPower, default is "true"
   - Skip-Updates-On-Metered-Connections, default is "true"
   - Verbose, default is "false"
   - Debug, default is "false"
 blacklist
   Python regular expressions, matching packages to exclude from upgrading.
 EXAMPLES
 --------
 .. code-block:: sh
    __apt_unattended_upgrades \
        --option Mail=root \
        --option MailOnlyOnError=true \
        --blacklist multipath-tools \
        --blacklist open-iscsi
 AUTHORS
 -------
 Ander Punnar <ander-at-kvlt-dot-ee>
 COPYING
 -------
 Copyright \(C) 2020 Ander Punnar. You can redistribute it and/or modify it
 under the terms of the GNU General Public License as published by the Free
 Software Foundation, either version 3 of the License, or (at your option) any
 later version.
--- a/cdist/conf/type/__apt_unattended_upgrades/manifest
+++ b/cdist/conf/type/__apt_unattended_upgrades/manifest
@ -1,80 +0,0 @@
 #!/bin/sh -e
 #
 # 2020 Ander Punnar (ander-at-kvlt-dot-ee)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 __package unattended-upgrades
 export require='__package/unattended-upgrades'
 # in normal circumstances 20auto-upgrades is managed
 # by debconf and it can only contain these lines
 __file /etc/apt/apt.conf.d/20auto-upgrades \
    --owner root \
    --group root \
    --mode 644 \
    --source - << EOF
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Unattended-Upgrade "1";
 EOF
 # lets not write into upstream 50unattended-upgrades file,
 # but use our own config file to avoid clashes
 conf_file='/etc/apt/apt.conf.d/51unattended-upgrades-cdist'
 conf='# this file is managed by cdist'
 if [ -f "$__object/parameter/option" ]
 then
    o=''
    while read -r l
    do
        o="$( printf '%s\nUnattended-Upgrade::%s "%s";\n' "$o" "${l%%=*}" "${l#*=}" )"
    done \
        < "$__object/parameter/option"
    conf="$( printf '%s\n%s\n' "$conf" "$o" )"
 fi
 if [ -f "$__object/parameter/blacklist" ]
 then
    b='Unattended-Upgrade::Package-Blacklist {'
    while read -r l
    do
        b="$( printf '%s\n"%s";\n' "$b" "$l" )"
    done \
        < "$__object/parameter/blacklist"
    conf="$( printf '%s\n%s\n}\n' "$conf" "$b" )"
 fi
 if [ "$( echo "$conf" | wc -l )" -gt 1 ]
 then
    echo "$conf" \
        | __file "$conf_file" \
            --owner root \
            --group root \
            --mode 644 \
            --source -
 else
    __file "$conf_file" --state absent
 fi
--- a/cdist/conf/type/__apt_unattended_upgrades/parameter/optional_multiple
+++ b/cdist/conf/type/__apt_unattended_upgrades/parameter/optional_multiple
@ -1,2 +0,0 @@
 option
 blacklist
--- a/cdist/conf/type/__apt_unattended_upgrades/singleton
+++ b/cdist/conf/type/__apt_unattended_upgrades/singleton
--- a/cdist/conf/type/__consul_agent/man.rst
+++ b/cdist/conf/type/__consul_agent/man.rst
@ -116,9 +116,6 @@ verify-incoming
 verify-outgoing
   enforce the use of TLS and verify the peers authenticity on outgoing connections
 use-distribution-package
   uses distribution package instead of upstream binary
 EXAMPLES
 --------
--- a/cdist/conf/type/__consul_agent/manifest
+++ b/cdist/conf/type/__consul_agent/manifest
@ -2,7 +2,6 @@
 #
 # 2015 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2015-2019 Nico Schottelius (nico-cdist at schottelius.org)
 # 2019 Timothée Floure (timothee.floure at ungleich.ch)
 #
 # This file is part of cdist.
 #
@ -20,75 +19,133 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 os=$(cat "$__global/explorer/os")
-###
+case "$os" in
-# Type parameters.
+   alpine|scientific|centos|debian|devuan|redhat|ubuntu)
      # whitelist safeguard
      :
   ;;
   *)
      echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
      echo "Please contribute an implementation for it if you can." >&2
      exit 1
   ;;
 esac
 state="$(cat "$__object/parameter/state")"
 user="$(cat "$__object/parameter/user")"
 group="$(cat "$__object/parameter/group")"
 release=$(cat "$__global/explorer/lsb_release")
 if [ -f "$__object/parameter/use-distribution-package" ]; then
  use_distribution_package=1
 fi
 ###
 # Those are default that might be overriden by os-specific logic.
 data_dir="/var/lib/consul"
 conf_dir="/etc/consul/conf.d"
 conf_file="config.json"
 tls_dir="$conf_dir/tls"
-###
+# FIXME: there has got to be a better way to handle the dependencies in this case
-# Sane deployment, based on distribution package when available.
+case "$state" in
   present)
      __group "$group" --system --state "$state"
      require="__group/$group" \
         __user "$user" --system --gid "$group" \
            --home "$data_dir" --state "$state"
      export require="__user/consul"
   ;;
   absent)
      echo "Sorry, state=absent currently not supported :-(" >&2
      exit 1
      require="$__object_name" \
         __user "$user" --system --gid "$group" --state "$state"
      require="__user/$user" \
         __group "$group" --system --state "$state"
   ;;
 esac
-distribution_setup () {
+__directory /etc/consul \
-  case "$os" in
+   --owner root --group "$group" --mode 750 --state "$state"
-     debian)
+require="__directory/etc/consul" \
-       # consul is only available starting Debian 10 (buster).
+   __directory "$conf_dir" \
-       # See https://packages.debian.org/buster/consul
+      --owner root --group "$group" --mode 750 --state "$state"
       if [ "$release" -lt 10 ]; then
         echo "Consul is not available for your debian release." >&2
         echo "Please use the 'manual' (i.e. non-package) installation or \
           upgrade the target system." >&2
         exit 1
       fi
-       # Override previously defined environment to match debian packaging.
+if [ -f "$__object/parameter/ca-file-source" ] || [ -f "$__object/parameter/cert-file-source" ] || [ -f "$__object/parameter/key-file-source" ]; then
-       conf_dir='/etc/consul.d'
+   # create directory for ssl certs
-       user='consul'
+   require="__directory/etc/consul" \
-       group='consul'
+      __directory /etc/consul/ssl \
-     ;;
+         --owner root --group "$group" --mode 750 --state "$state"
-     alpine)
+fi
       # consul is only available starting Alpine 3.12 (= edge during the 3.11 cycle).
       # See https://pkgs.alpinelinux.org/packages?name=consul&branch=edge
-       # Override previously defined environment to match alpine packaging.
+__directory "$data_dir" \
-       conf_dir='/etc/consul'
+   --owner "$user" --group "$group" --mode 770 --state "$state"
       conf_file='server.json'
       data_dir='/var/consul'
       user='consul'
       group='consul'
     ;;
     *)
        echo "Your operating system ($os) is currently not supported with the \
          --use-distribution-package flag (${__type##*/})." >&2
        echo "Please use non-package installation or contribute an \
          implementation for if you can." >&2
        exit 1
     ;;
  esac
  # Install consul package.
  __package consul --state "$state"
-  export config_deployment_requires="__package/consul"
+# Generate json config file
-}
+(
 echo "{"
-###
+# parameters we define ourself
-# LEGACY manual deployment, kept for compatibility reasons.
+printf '   "data_dir": "%s"\n' "$data_dir"
 cd "$__object/parameter/"
 for param in *; do
   case "$param" in
      state|user|group|json-config) continue ;;
      ca-file-source|cert-file-source|key-file-source)
         source="$(cat "$__object/parameter/$param")"
         destination="/etc/consul/ssl/${source##*/}"
         require="__directory/etc/consul/ssl" \
            __file "$destination" \
               --owner root --group consul --mode 640 \
               --source "$source" \
               --state "$state"
         key="$(echo "${param%-*}" | tr '-' '_')"
         printf '   ,"%s": "%s"\n' "$key" "$destination"
      ;;
      disable-remote-exec|disable-update-check|leave-on-terminate|rejoin-after-leave|server|enable-syslog|verify-incoming|verify-outgoing)
         # handle boolean parameters
         key="$(echo "$param" | tr '-' '_')"
         printf '   ,"%s": true\n' "$key"
      ;;
      retry-join)
         # join multiple parameters into json array
         retry_join="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join")"
         # remove trailing ,
         printf '   ,"retry_join": [%s]\n' "${retry_join%*,}"
      ;;
      retry-join-wan)
         # join multiple parameters into json array over wan
         retry_join_wan="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join-wan")"
         # remove trailing ,
         printf '   ,"retry_join_wan": [%s]\n' "${retry_join_wan%*,}"
      ;;
      bootstrap-expect)
         # integer key=value parameters
         key="$(echo "$param" | tr '-' '_')"
         printf '   ,"%s": %s\n' "$key" "$(cat "$__object/parameter/$param")"
      ;;
      *)
         # string key=value parameters
         key="$(echo "$param" | tr '-' '_')"
         printf '   ,"%s": "%s"\n' "$key" "$(cat "$__object/parameter/$param")"
      ;;
   esac
 done
 if [ -f "$__object/parameter/json-config" ]; then
   json_config="$(cat "$__object/parameter/json-config")"
   if [ "$json_config" = "-" ]; then
      json_config="$__object/stdin"
   fi
   # remove leading and trailing whitespace and commas from first and last line
   # indent each line with 3 spaces for consistency
   json=$(sed -e 's/^[ \t]*/   /' -e '1s/^[ \t,]*//' -e '$s/[ \t,]*$//' "$json_config")
   printf '   ,%s\n' "$json"
 fi
 echo "}"
 ) | \
 require="__directory${conf_dir}" \
   __config_file "${conf_dir}/${conf_file}" \
      --owner root --group "$group" --mode 640 \
      --state "$state" \
      --onchange 'service consul status >/dev/null && service consul reload || true' \
      --source -
 init_sysvinit()
 {
@ -122,186 +179,47 @@ init_upstart()
    require="__file/etc/init/consul.conf" __start_on_boot consul
 }
-manual_setup () {
+# Install init script to start on boot
-  case "$os" in
+case "$os" in
-     alpine|scientific|centos|debian|devuan|redhat|ubuntu)
+    devuan)
-        # whitelist safeguard
+        init_sysvinit debian
        :
     ;;
     *)
        echo "Your operating system ($os) is currently not supported by this \
          type (${__type##*/})." >&2
        echo "Please contribute an implementation for it if you can." >&2
        exit 1
     ;;
  esac
  # FIXME: there has got to be a better way to handle the dependencies in this case
  case "$state" in
     present)
        __group "$group" --system --state "$state"
        require="__group/$group" __user "$user" \
          --system --gid "$group" --home "$data_dir" --state "$state"
     ;;
     *)
        echo "The $state state is not (yet?) supported by this type." >&2
        exit 1
     ;;
  esac
  # Create data directory.
  require="__user/consul" __directory "$data_dir" \
    --owner "$user" --group "$group" --mode 770 --state "$state"
  # Create config directory.
  require="__user/consul" __directory "$conf_dir" \
    --parents --owner root --group "$group" --mode 750 --state "$state"
  # Install init script to start on boot
  case "$os" in
      devuan)
          init_sysvinit debian
          ;;
      centos|redhat)
          os_version="$(sed 's/[^0-9.]//g' "$__global/explorer/os_version")"
          major_version="${os_version%%.*}"
          case "$major_version" in
              [456])
                  init_sysvinit redhat
                  ;;
              7)
                  init_systemd
                  ;;
              *)
                  echo "Unsupported CentOS/Redhat version: $os_version" >&2
                  exit 1
                  ;;
          esac
          ;;
      debian)
          os_version=$(cat "$__global/explorer/os_version")
          major_version="${os_version%%.*}"
          case "$major_version" in
              [567])
                  init_sysvinit debian
              ;;
              [89]|10)
                  init_systemd
              ;;
              *)
                  echo "Unsupported Debian version $os_version" >&2
                  exit 1
              ;;
          esac
          ;;
      ubuntu)
          init_upstart
          ;;
  esac
  config_deployment_requires="__user/consul __directory/$conf_dir"
 }
 ###
 # Trigger requested installation method.
 if [ $use_distribution_package ]; then
  distribution_setup
 else
  manual_setup
 fi
 ###
 # Install TLS certificates.
 if [ -f "$__object/parameter/ca-file-source" ] || \
   [ -f "$__object/parameter/cert-file-source" ] || \
   [ -f "$__object/parameter/key-file-source" ]; then
   requires="$config_deployment_requires" __directory $tls_dir \
     --owner root --group "$group" --mode 750 --state "$state"
   # Append to service restart requirements.
   restart_requires="$restart_requires __directory/$conf_dir/tls"
 fi
 ###
 # Generate and deploy configuration.
 json_configuration=$(
  echo "{"
  # parameters we define ourself
  printf '   "data_dir": "%s"\n' "$data_dir"
  cd "$__object/parameter/"
  for param in *; do
     case "$param" in
        state|user|group|json-config|use-distribution-package) continue ;;
        ca-file-source|cert-file-source|key-file-source)
           source="$(cat "$__object/parameter/$param")"
           destination="$tls_dir/${source##*/}"
           require="__directory/$tls_dir" \
              __file "$destination" \
                 --owner root --group consul --mode 640 \
                 --source "$source" \
                 --state "$state"
           key="$(echo "${param%-*}" | tr '-' '_')"
           printf '   ,"%s": "%s"\n' "$key" "$destination"
        ;;
-        disable-remote-exec|disable-update-check|leave-on-terminate\
+    centos|redhat)
-          |rejoin-after-leave|server|enable-syslog|verify-incoming|verify-outgoing)
+        os_version="$(sed 's/[^0-9.]//g' "$__global/explorer/os_version")"
-           # handle boolean parameters
+        major_version="${os_version%%.*}"
-           key="$(echo "$param" | tr '-' '_')"
+        case "$major_version" in
-           printf '   ,"%s": true\n' "$key"
+            [456])
                init_sysvinit redhat
                ;;
            7)
                init_systemd
                ;;
            *)
                echo "Unsupported CentOS/Redhat version: $os_version" >&2
                exit 1
                ;;
        esac
        ;;
        retry-join)
           # join multiple parameters into json array
           retry_join="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join")"
           # remove trailing ,
           printf '   ,"retry_join": [%s]\n' "${retry_join%*,}"
        ;;
        retry-join-wan)
           # join multiple parameters into json array over wan
           retry_join_wan="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join-wan")"
           # remove trailing ,
           printf '   ,"retry_join_wan": [%s]\n' "${retry_join_wan%*,}"
        ;;
        bootstrap-expect)
           # integer key=value parameters
           key="$(echo "$param" | tr '-' '_')"
           printf '   ,"%s": %s\n' "$key" "$(cat "$__object/parameter/$param")"
        ;;
        *)
           # string key=value parameters
           key="$(echo "$param" | tr '-' '_')"
           printf '   ,"%s": "%s"\n' "$key" "$(cat "$__object/parameter/$param")"
        ;;
     esac
  done
  if [ -f "$__object/parameter/json-config" ]; then
     json_config="$(cat "$__object/parameter/json-config")"
     if [ "$json_config" = "-" ]; then
        json_config="$__object/stdin"
     fi
     # remove leading and trailing whitespace and commas from first and last line
     # indent each line with 3 spaces for consistency
     json=$(sed -e 's/^[ \t]*/   /' -e '1s/^[ \t,]*//' -e '$s/[ \t,]*$//' "$json_config")
     printf '   ,%s\n' "$json"
  fi
  echo "}"
 )
 echo "$json_configuration" | require="$config_deployment_requires" \
  __file "$conf_dir/$conf_file" \
      --owner root --group "$group" --mode 640 \
      --state "$state" \
      --source -
-# Set configuration deployment as requirement for service restart.
+    debian)
-restart_requires="__file/$conf_dir/$conf_file"
+        os_version=$(cat "$__global/explorer/os_version")
        major_version="${os_version%%.*}"
-###
+        case "$major_version" in
-# Restart consul agent after everything else.
+            [567])
-require="$restart_requires" __service consul --action restart
+                init_sysvinit debian
            ;;
            [89])
                init_systemd
            ;;
            *)
                echo "Unsupported Debian version $os_version" >&2
                exit 1
            ;;
        esac
        ;;
    ubuntu)
        init_upstart
        ;;
 esac
--- a/cdist/conf/type/__consul_agent/parameter/boolean
+++ b/cdist/conf/type/__consul_agent/parameter/boolean
@ -6,4 +6,3 @@ server
 enable-syslog
 verify-incoming
 verify-outgoing
 use-distribution-package
--- a/cdist/conf/type/__consul_check/explorer/conf-dir
+++ b/cdist/conf/type/__consul_check/explorer/conf-dir
@ -1 +0,0 @@
 ../../__consul_service/explorer/conf-dir
--- a/cdist/conf/type/__consul_check/manifest
+++ b/cdist/conf/type/__consul_check/manifest
@ -19,7 +19,7 @@
 #
 name="$(cat "$__object/parameter/name" 2>/dev/null || echo "$__object_id")"
-conf_dir=$(cat "$__object/explorer/conf-dir")
+conf_dir="/etc/consul/conf.d"
 conf_file="check_${name}.json"
 state="$(cat "$__object/parameter/state")"
--- a/cdist/conf/type/__consul_service/explorer/conf-dir
+++ b/cdist/conf/type/__consul_service/explorer/conf-dir
@ -1,15 +0,0 @@
 # Determine the configuration directory used by consul.
 check_dir () {
  if [ -d "$1" ]; then
    printf '%s' "$1"
    exit
  fi
 }
 check_dir '/etc/consul/conf.d'
 check_dir '/etc/consul.d'
 check_dir '/etc/consul'
 echo 'Could not determine consul configuration dir. Exiting.' >&2
 exit 1
--- a/cdist/conf/type/__consul_service/manifest
+++ b/cdist/conf/type/__consul_service/manifest
@ -19,7 +19,7 @@
 #
 name="$(cat "$__object/parameter/name" 2>/dev/null || echo "$__object_id")"
-conf_dir=$(cat "$__object/explorer/conf-dir")
+conf_dir="/etc/consul/conf.d"
 conf_file="service_${name}.json"
 state="$(cat "$__object/parameter/state")"
@ -45,7 +45,7 @@ printf '      "name": "%s"\n' "$name"
 cd "$__object/parameter/"
 for param in *; do
   case "$param" in
-      state|name|check-interval|conf-dir) continue ;;
+      state|name|check-interval) continue ;;
      check-script)
         printf '     ,"check": {\n'
         printf '         "script": "%s"\n' "$(cat "$__object/parameter/check-script")"
@ -86,6 +86,7 @@ echo "   }"
 # end json file
 echo "}"
 ) | \
 require="__directory${conf_dir}" \
   __config_file "${conf_dir}/${conf_file}" \
      --owner root --group consul --mode 640 \
      --state "$state" \
--- a/cdist/conf/type/__consul_watch_checks/explorer/conf-dir
+++ b/cdist/conf/type/__consul_watch_checks/explorer/conf-dir
@ -1 +0,0 @@
 ../../__consul_service/explorer/conf-dir
--- a/cdist/conf/type/__consul_watch_checks/manifest
+++ b/cdist/conf/type/__consul_watch_checks/manifest
@ -20,7 +20,7 @@
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir=$(cat "$__object/explorer/conf-dir")
+conf_dir="/etc/consul/conf.d"
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
--- a/cdist/conf/type/__consul_watch_event/explorer/conf-dir
+++ b/cdist/conf/type/__consul_watch_event/explorer/conf-dir
@ -1 +0,0 @@
 ../../__consul_service/explorer/conf-dir
--- a/cdist/conf/type/__consul_watch_event/manifest
+++ b/cdist/conf/type/__consul_watch_event/manifest
@ -20,7 +20,7 @@
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir=$(cat "$__object/explorer/conf-dir")
+conf_dir="/etc/consul/conf.d"
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
--- a/cdist/conf/type/__consul_watch_key/explorer/conf-dir
+++ b/cdist/conf/type/__consul_watch_key/explorer/conf-dir
@ -1 +0,0 @@
 ../../__consul_service/explorer/conf-dir
--- a/cdist/conf/type/__consul_watch_key/manifest
+++ b/cdist/conf/type/__consul_watch_key/manifest
@ -20,7 +20,7 @@
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir=$(cat "$__object/explorer/conf-dir")
+conf_dir="/etc/consul/conf.d"
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
--- a/cdist/conf/type/__consul_watch_keyprefix/explorer/conf-dir
+++ b/cdist/conf/type/__consul_watch_keyprefix/explorer/conf-dir
@ -1 +0,0 @@
 ../../__consul_service/explorer/conf-dir
--- a/cdist/conf/type/__consul_watch_keyprefix/manifest
+++ b/cdist/conf/type/__consul_watch_keyprefix/manifest
@ -20,7 +20,7 @@
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir=$(cat "$__object/explorer/conf-dir")
+conf_dir="/etc/consul/conf.d"
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
--- a/cdist/conf/type/__consul_watch_nodes/explorer/conf-dir
+++ b/cdist/conf/type/__consul_watch_nodes/explorer/conf-dir
@ -1 +0,0 @@
 ../../__consul_service/explorer/conf-dir
--- a/cdist/conf/type/__consul_watch_nodes/manifest
+++ b/cdist/conf/type/__consul_watch_nodes/manifest
@ -20,7 +20,7 @@
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir=$(cat "$__object/explorer/conf-dir")
+conf_dir="/etc/consul/conf.d"
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
--- a/cdist/conf/type/__consul_watch_service/explorer/conf-dir
+++ b/cdist/conf/type/__consul_watch_service/explorer/conf-dir
@ -1 +0,0 @@
 ../../__consul_service/explorer/conf-dir
--- a/cdist/conf/type/__consul_watch_service/manifest
+++ b/cdist/conf/type/__consul_watch_service/manifest
@ -20,7 +20,7 @@
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir=$(cat "$__object/explorer/conf-dir")
+conf_dir="/etc/consul/conf.d"
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
--- a/cdist/conf/type/__consul_watch_services/explorer/conf-dir
+++ b/cdist/conf/type/__consul_watch_services/explorer/conf-dir
@ -1 +0,0 @@
 ../../__consul_service/explorer/conf-dir
--- a/cdist/conf/type/__consul_watch_services/manifest
+++ b/cdist/conf/type/__consul_watch_services/manifest
@ -20,7 +20,7 @@
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir=$(cat "$__object/explorer/conf-dir")
+conf_dir="/etc/consul/conf.d"
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
--- a/cdist/conf/type/__cron/gencode-remote
+++ b/cdist/conf/type/__cron/gencode-remote
@ -31,28 +31,24 @@ if [ -f "$__object/parameter/raw" ]; then
 elif [ -f "$__object/parameter/raw_command" ]; then
   entry="$command"
 else
-   minute="$(cat "$__object/parameter/minute")"
+   minute="$(cat "$__object/parameter/minute" 2>/dev/null || echo "*")"
-   hour="$(cat "$__object/parameter/hour")"
+   hour="$(cat "$__object/parameter/hour" 2>/dev/null || echo "*")"
-   day_of_month="$(cat "$__object/parameter/day_of_month")"
+   day_of_month="$(cat "$__object/parameter/day_of_month" 2>/dev/null || echo "*")"
-   month="$(cat "$__object/parameter/month")"
+   month="$(cat "$__object/parameter/month" 2>/dev/null || echo "*")"
-   day_of_week="$(cat "$__object/parameter/day_of_week")"
+   day_of_week="$(cat "$__object/parameter/day_of_week" 2>/dev/null || echo "*")"
   entry="$minute $hour $day_of_month $month $day_of_week $command # $name"
 fi
 mkdir "$__object/files"
 echo "$entry" > "$__object/files/entry"
-if [ -s "$__object/explorer/entry" ]; then
+if diff -q "$__object/files/entry" "$__object/explorer/entry" >/dev/null; then
-    if diff -q "$__object/files/entry" "$__object/explorer/entry" >/dev/null; then
+    state_is=present
        state_is=present
    else
        state_is=modified
    fi
 else
    state_is=absent
 fi
-state_should="$(cat "$__object/parameter/state")"
+state_should="$(cat "$__object/parameter/state" 2>/dev/null || echo "present")"
 [ "$state_is" = "$state_should" ] && exit 0
--- a/cdist/conf/type/__cron/manifest
+++ b/cdist/conf/type/__cron/manifest
@ -22,12 +22,3 @@ if [ -f "$__object/parameter/raw" ] && [ -f "$__object/parameter/raw_command" ];
    echo "ERROR: both raw and raw_command specified" >&2
    exit 1
 fi
 case "$(cat "$__object/parameter/state")" in
    present) ;;
    absent) ;;
    *)
        echo "ERROR: unkown cron state" >&2
        exit 2
 esac
--- a/cdist/conf/type/__cron/parameter/default/day_of_month
+++ b/cdist/conf/type/__cron/parameter/default/day_of_month
@ -1 +0,0 @@
 *
--- a/cdist/conf/type/__cron/parameter/default/day_of_week
+++ b/cdist/conf/type/__cron/parameter/default/day_of_week
@ -1 +0,0 @@
 *
--- a/cdist/conf/type/__cron/parameter/default/hour
+++ b/cdist/conf/type/__cron/parameter/default/hour
@ -1 +0,0 @@
 *
--- a/cdist/conf/type/__cron/parameter/default/minute
+++ b/cdist/conf/type/__cron/parameter/default/minute
@ -1 +0,0 @@
 *
--- a/cdist/conf/type/__cron/parameter/default/month
+++ b/cdist/conf/type/__cron/parameter/default/month
@ -1 +0,0 @@
 *
--- a/cdist/conf/type/__cron/parameter/default/state
+++ b/cdist/conf/type/__cron/parameter/default/state
@ -1 +0,0 @@
 present
--- a/cdist/conf/type/__directory/explorer/stat
+++ b/cdist/conf/type/__directory/explorer/stat
@ -1,7 +1,6 @@
 #!/bin/sh
 #
 # 2013 Steven Armstrong (steven-cdist armstrong.cc)
 # 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -21,43 +20,24 @@
 destination="/$__object_id"
 fallback() {
   # Patch the output together, manually
   ls_line=$(ls -ldn "$destination")
   uid=$(echo "$ls_line" | awk '{ print $3 }')
   gid=$(echo "$ls_line" | awk '{ print $4 }')
   owner=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/passwd)
   group=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
   mode_text=$(echo "$ls_line" | awk '{ print $1 }')
   mode=$(echo "$mode_text" | awk '{ k=0; for (i=0; i<=8; i++) k += ((substr($1, i+2, 1) ~ /[rwx]/) * 2^(8-i)); printf("%0o", k) }')
   printf 'type: %s\nowner: %d %s\ngroup: %d %s\nmode: %s %s\n' \
      "$("$__type_explorer/type")" \
      "$uid" "$owner" \
      "$gid" "$group" \
      "$mode" "$mode_text"
 }
 # nothing to work with, nothing we could do
 [ -e "$destination" ] || exit 0
-if ! command -v stat >/dev/null
+os=$("$__explorer/os")
-then
+case "$os" in
   fallback
   exit
 fi
 case $("$__explorer/os") in
   "freebsd"|"netbsd"|"openbsd"|"macosx")
      stat -f "type: %HT
 owner: %Du %Su
 group: %Dg %Sg
 mode: %Lp %Sp
-" "$destination" | awk '/^type/ { print tolower($0); next } { print }'
+" "$destination" | awk '/^type/ { print tolower($0); next; } { print; }'
      ;;
   alpine)
      stat -c "type: %F
 owner: %u %U
 group: %g %G
 mode: %a %A
 " "$destination"
      ;;
    solaris)
        ls1="$( ls -ld "$destination" )"
@ -89,12 +69,10 @@ mode: %Lp %Sp
        echo "mode: $octets $( echo "$ls1" | awk '{print $1}' )"
    ;;
   *)
-      # NOTE: Do not use --printf here as it is not supported by BusyBox stat.
+       stat --printf="type: %F
      # NOTE: BusyBox's stat might not support the "-c" option, in which case
      #       we fall through to the shell fallback.
       stat -c "type: %F
 owner: %u %U
 group: %g %G
-mode: %a %A" "$destination" 2>/dev/null || fallback
+mode: %a %A
 " "$destination"
   ;;
 esac
--- a/cdist/conf/type/__directory/gencode-remote
+++ b/cdist/conf/type/__directory/gencode-remote
@ -3,7 +3,6 @@
 # 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
 # 2013 Steven Armstrong (steven-cdist armstrong.cc)
 # 2014 Daniel Heule (hda at sfs.biz)
 # 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -22,8 +21,8 @@
 #
 destination="/$__object_id"
-state_should=$(cat "$__object/parameter/state")
+state_should="$(cat "$__object/parameter/state")"
-type=$(cat "$__object/explorer/type")
+type="$(cat "$__object/explorer/type")"
 stat_file="$__object/explorer/stat"
 # variable to keep track if we have to set directory attributes
@ -73,7 +72,7 @@ set_mode() {
 }
 case "$state_should" in
-   present|exists)
+   present)
      if [ "$type" != "directory" ]; then
         set_attributes=1
         if [ "$type" != "none" ]; then
@ -84,10 +83,6 @@ case "$state_should" in
         fi
         echo "mkdir $mkdiropt '$destination'"
         echo "create" >> "$__messages_out"
      elif [ "$state_should" = 'exists' ]; then
         # The type is directory and --state exists. We are done and do not
         # check or set the attributes.
         exit 0
      fi
      # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
@ -108,26 +103,6 @@ case "$state_should" in
         fi
      done
   ;;
   pre-exists)
      case $type in
         directory)
            # all good
            exit 0
         ;;
         none)
            printf 'Directory "%s" does not exist\n' "$destination" >&2
            exit 1
         ;;
         file|symlink)
            printf 'File "%s" exists and is a %s, but should be a directory\n' "$destination" "$type" >&2
            exit 1
         ;;
         *)
            printf 'File or directory "%s" is in an unknown state\n' "$destination" >&2
            exit 1
         ;;
      esac
   ;;
   absent)
        if [ "$type" = "directory" ]; then
            echo "rm -rf '$destination'"
--- a/cdist/conf/type/__directory/man.rst
+++ b/cdist/conf/type/__directory/man.rst
@ -19,18 +19,7 @@ None.
 OPTIONAL PARAMETERS
 -------------------
 state
-   'present', 'absent', 'exists' or 'pre-exists', defaults to 'present' where:
+   'present' or 'absent', defaults to 'present'
   present
      the directory exists and the given attributes are set.
   absent
      the directory does not exist.
   exists
      the directory exists, but its attributes are not altered if it already
      existed.
   pre-exists
      check that the directory exists and is indeed a directory, but do not
      create or modify it.
 group
   Group to chgrp to.
@ -47,7 +36,7 @@ BOOLEAN PARAMETERS
 parents
   Whether to create parents as well (mkdir -p behaviour).
   Warning: all intermediate directory permissions default
-   to whatever mkdir -p does.
+   to whatever mkdir -p does. 
   Usually this means root:root, 0700.
--- a/cdist/conf/type/__file/explorer/stat
+++ b/cdist/conf/type/__file/explorer/stat
@ -2,7 +2,6 @@
 #
 # 2013 Steven Armstrong (steven-cdist armstrong.cc)
 # 2019 Nico Schottelius (nico-cdist at schottelius.org)
 # 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -22,54 +21,29 @@
 destination="/$__object_id"
 fallback() {
   # Fallback: Patch the output together, manually.
   ls_line=$(ls -ldn "$destination")
   uid=$(echo "$ls_line" | awk '{ print $3 }')
   gid=$(echo "$ls_line" | awk '{ print $4 }')
   owner=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/passwd)
   group=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
   mode_text=$(echo "$ls_line" | awk '{ print $1 }')
   mode=$(echo "$mode_text" | awk '{ k=0; for (i=0; i<=8; i++) k += ((substr($1, i+2, 1) ~ /[rwx]/) * 2^(8-i)); printf("%0o", k) }')
   size=$(echo "$ls_line" | awk '{ print $5 }')
   links=$(echo "$ls_line" | awk '{ print $2 }')
   printf 'type: %s\nowner: %d %s\ngroup: %d %s\nmode: %s %s\nsize: %d\nlinks: %d\n' \
      "$("$__type_explorer/type")" \
      "$uid" "$owner" \
      "$gid" "$group" \
      "$mode" "$mode_text" \
      "$size" \
      "$links"
 }
 # nothing to work with, nothing we could do
 [ -e "$destination" ] || exit 0
-
+os=$("$__explorer/os")
-if ! command -v stat >/dev/null
+case "$os" in
-then
+   "freebsd"|"netbsd"|"openbsd"|"macosx")
   fallback
   exit
 fi
 case $("$__explorer/os")
 in
   freebsd|netbsd|openbsd|macosx)
      stat -f "type: %HT
 owner: %Du %Su
 group: %Dg %Sg
 mode: %Lp %Sp
 size: %Dz
 links: %Dl
-" "$destination" | awk '/^type/ { print tolower($0); next } { print }'
+" "$destination" | awk '/^type/ { print tolower($0); next; } { print; }'
      ;;
   alpine)
       # busybox stat
      stat -c "type: %F
 owner: %u %U
 group: %g %G
 mode: %a %A
 size: %s
 links: %h
 " "$destination"
      ;;
    solaris)
        ls1="$( ls -ld "$destination" )"
@ -103,14 +77,12 @@ links: %Dl
        echo "links: $( echo "$ls1" | awk '{print $2}' )"
    ;;
   *)
-      # NOTE: Do not use --printf here as it is not supported by BusyBox stat.
+      stat --printf="type: %F
      # NOTE: BusyBox's stat might not support the "-c" option, in which case
      #       we fall through to the shell fallback.
      stat -c "type: %F
 owner: %u %U
 group: %g %G
 mode: %a %A
 size: %s
-links: %h" "$destination" 2>/dev/null || fallback
+links: %h
-         ;;
+" "$destination"
      ;;
 esac
--- a/cdist/conf/type/__file/gencode-local
+++ b/cdist/conf/type/__file/gencode-local
@ -31,24 +31,12 @@ if [ "$state_should" = "pre-exists" ]; then
      exit 1
   fi
-   case $type in
+   if [ "$type" = "file" ]; then
-      file)
+      exit 0 # nothing to do
-         # nothing to do
+   else
-         exit 0
+      echo "File \"$destination\" does not exist"
-      ;;
+      exit 1
-      none)
+   fi
         printf 'File "%s" does not exist\n' "$destination" >&2
         exit 1
      ;;
      directory|symlink)
         printf 'File "%s" exists and is a %s, but should be a regular file\n' "$destination" "$type" >&2
         exit 1
      ;;
      *)
         printf 'File or directory "%s" is in an unknown state\n' "$destination" >&2
         exit 1
      ;;
   esac
 fi
 upload_file=
--- a/cdist/conf/type/__file/gencode-remote
+++ b/cdist/conf/type/__file/gencode-remote
@ -55,40 +55,36 @@ set_owner() {
 }
 set_mode() {
-    echo "chmod '$1' '$destination'"
+   echo "chmod '$1' '$destination'"
-    echo "chmod '$1'" >> "$__messages_out"
+   echo "chmod '$1'" >> "$__messages_out"
-    fire_onchange=1
+   fire_onchange=1
 }
 case "$state_should" in
-    present|exists)
+    present|exists|pre-exists)
-        # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
+    # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
-        #  clearing S_ISUID and S_ISGID bits (see chown(2))
+    #  clearing S_ISUID and S_ISGID bits (see chown(2))
-        for attribute in group owner mode; do
+    for attribute in group owner mode; do
-            if [ -f "$__object/parameter/$attribute" ]; then
+        if [ -f "$__object/parameter/$attribute" ]; then
-                value_should="$(cat "$__object/parameter/$attribute")"
+            value_should="$(cat "$__object/parameter/$attribute")"
-                # change 0xxx format to xxx format => same as stat returns
+            # change 0xxx format to xxx format => same as stat returns
-                if [ "$attribute" = mode ]; then
+            if [ "$attribute" = mode ]; then
-                    value_should="$(echo "$value_should" | sed 's/^0\(...\)/\1/')"
+                value_should="$(echo "$value_should" | sed 's/^0\(...\)/\1/')"
-                fi
+            fi
-
+            
-                value_is="$(get_current_value "$attribute" "$value_should")"
+            value_is="$(get_current_value "$attribute" "$value_should")"
-                if [ -f "$__object/files/set-attributes" ] || [ "$value_should" != "$value_is" ]; then
+            if [ -f "$__object/files/set-attributes" ] || [ "$value_should" != "$value_is" ]; then
-                    "set_$attribute" "$value_should"
+                "set_$attribute" "$value_should"
                fi
            fi
        done
        if [ -f "$__object/files/set-attributes" ]; then
            # set-attributes is created if file is created or uploaded in gencode-local
            fire_onchange=1
        fi
-    ;;
+    done
    if [ -f "$__object/files/set-attributes" ]; then
        # set-attributes is created if file is created or uploaded in gencode-local
        fire_onchange=1
    fi
-    pre-exists)
+    ;;
        # pre-exists should never reach gencode-remote…
        exit 1
   ;;
    absent)
        if [ "$type" = "file" ]; then
@ -105,7 +101,7 @@ case "$state_should" in
 esac
 if [ -f "$__object/parameter/onchange" ]; then
-    if [ -n "$fire_onchange" ]; then
+   if [ -n "$fire_onchange" ]; then
-        cat "$__object/parameter/onchange"
+      cat "$__object/parameter/onchange"
-    fi
+   fi
 fi
--- a/cdist/conf/type/__letsencrypt_cert/man.rst
+++ b/cdist/conf/type/__letsencrypt_cert/man.rst
@ -59,13 +59,13 @@ MESSAGES
 --------
 change
-    Certificate was changed.
+    Certificte was changed.
 create
-    Certificate was created.
+    Certificte was created.
 remove
-    Certificate was removed.
+    Certificte was removed.
 EXAMPLES
 --------
--- a/cdist/conf/type/__line/explorer/state
+++ b/cdist/conf/type/__line/explorer/state
@ -1,7 +1,6 @@
 #!/bin/sh -e
 #
 # 2018 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -19,14 +18,6 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 if [ -f "$__object/parameter/file" ]; then
   file=$(cat "$__object/parameter/file")
 else
   file="/$__object_id"
 fi
 [ -f "$file" ] || exit 0
 if [ -f "$__object/parameter/before" ]; then
   position="before"
 elif [ -f "$__object/parameter/after" ]; then
@ -42,56 +33,63 @@ else
   needle="line"
 fi
 if [ -f "$__object/parameter/file" ]; then
   file="$(cat "$__object/parameter/file")"
 else
   file="/$__object_id"
 fi
 if [ ! -f "$file" ]; then
  echo "file_missing"
  exit 0
 fi
 awk -v position="$position" -v needle="$needle" '
 function _find(_text, _pattern) {
   if (needle == "regex") {
      return match(_text, _pattern)
   } else {
-      return index(_text, _pattern) == 1
+      return index(_text, _pattern)
   }
 }
 BEGIN {
   getline anchor < (ENVIRON["__object"] "/parameter/" position)
   getline pattern < (ENVIRON["__object"] "/parameter/" needle)
-
+   state = "absent"
   found_line = 0
   correct_pos = (position != "after" && position != "before")
 }
 {
   if (position == "after") {
      if (match($0, anchor)) {
         getline
         if (_find($0, pattern)) {
-            found_line++
+            state = "present"
            correct_pos = 1
            exit 0
         }
-      } else if (_find($0, pattern)) {
+         else {
-         found_line++
+            state = "wrongposition"
         }
         exit 0
      }
-   } else if (position == "before") {
+   }
   else if (position == "before") {
      if (_find($0, pattern)) {
         found_line++
         getline
         if (match($0, anchor)) {
-            correct_pos = 1
+            state = "present"
            exit 0
         }
         else {
            state = "wrongposition"
         }
         exit 0
      }
-   } else {
+   }
   else {
      if (_find($0, pattern)) {
-         found_line++
+         state = "present"
         exit 0
      }
   }
 }
 END {
-   if (found_line && correct_pos) {
+   print state
      print "present"
   } else if (found_line) {
      print "wrongposition"
   } else {
      print "absent"
   }
 }
 ' "$file"
--- a/cdist/conf/type/__line/gencode-remote
+++ b/cdist/conf/type/__line/gencode-remote
@ -1,7 +1,6 @@
 #!/bin/sh -e
 #
 # 2018 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -24,20 +23,9 @@ if [ -f "$__object/parameter/before" ] && [ -f "$__object/parameter/after" ]; th
   exit 1
 fi
 if [ -f "$__object/parameter/file" ]; then
   file="$(cat "$__object/parameter/file")"
 else
   file="/$__object_id"
 fi
 state_should="$(cat "$__object/parameter/state")"
 state_is="$(cat "$__object/explorer/state")"
 if [ -z "$state_is" ]; then
   printf 'The file "%s" is missing. Please create it before using %s on it.\n' "$file" "${__type##*/}" >&2
   exit 1
 fi
 if [ "$state_should" = "$state_is" ]; then
   # nothing to do
   exit 0
@ -58,6 +46,12 @@ else
   needle="line"
 fi
 if [ -f "$__object/parameter/file" ]; then
   file="$(cat "$__object/parameter/file")"
 else
   file="/$__object_id"
 fi
 add=0
 remove=0
 case "$state_should" in
@ -110,12 +104,10 @@ BEGIN {
      if (anchor && match(\$0, anchor)) {
         if (position == "before") {
            print line
            add = 0
            print
         } else if (position == "after") {
            print
            print line
            add = 0
         }
         next
      }
@ -123,7 +115,7 @@ BEGIN {
   print
 }
 END {
-   if (add) {
+   if (add && position == "end") {
      print line
   }
 }
--- a/cdist/conf/type/__mysql_privileges/explorer/state
+++ b/cdist/conf/type/__mysql_privileges/explorer/state
@ -30,7 +30,7 @@ host="$( cat "$__object/parameter/host" )"
 check_privileges="$( 
    mysql -B -N -e "show grants for '$user'@'$host'" \
-        | grep -Ei "^grant $privileges on .$database.\..?$table.? to " || true )"
+        | grep -Ei "^grant $privileges on .$database.\..$table. to " || true )"
 if [ -n "$check_privileges" ]
 then
--- a/cdist/conf/type/__mysql_privileges/gencode-remote
+++ b/cdist/conf/type/__mysql_privileges/gencode-remote
@ -37,19 +37,13 @@ user="$( cat "$__object/parameter/user" )"
 host="$( cat "$__object/parameter/host" )"
 if [ "$table" != '*' ]
 then
    # shellcheck disable=SC2016
    table="$( printf '`%s`' "$table" )"
 fi
 case "$state_should" in
    present)
-        echo "mysql -e 'grant $privileges on \`$database\`.$table to \`$user\`@\`$host\`'"
+        echo "mysql -e 'grant $privileges on \`$database\`.\`$table\` to \`$user\`@\`$host\`'"
        echo "grant $privileges on $database.$table to $user@$host" >> "$__messages_out"
    ;;
    absent)
-        echo "mysql -e 'revoke $privileges on \`$database\`.$table from \`$user\`@\`$host\`'"
+        echo "mysql -e 'revoke $privileges on \`$database\`.\`$table\` from \`$user\`@\`$host\`'"
        echo "revoke $privileges on $database.$table from $user@$host" >> "$__messages_out"
    ;;
 esac
--- a/cdist/conf/type/__mysql_privileges/man.rst
+++ b/cdist/conf/type/__mysql_privileges/man.rst
@ -17,7 +17,7 @@ REQUIRED PARAMETERS
 database
   Name of database.
-user
+User
   Name of user.
--- a/cdist/conf/type/__package_apt/gencode-remote
+++ b/cdist/conf/type/__package_apt/gencode-remote
@ -74,14 +74,6 @@ fi
 case "$state_should" in
    present)
        # following is bit ugly, but important hack.
        # due to how cdist config run works, there isn't
        # currently better way to do it :(
        cat << EOF
 if [ ! -f /var/cache/apt/pkgcache.bin ] || [ "\$( stat --format %Y /var/cache/apt/pkgcache.bin )" -lt "\$( date +%s -d '-1 day' )" ]
 then echo apt-get update > /dev/null 2>&1 || true
 fi
 EOF
        if [ -n "$version" ]; then
            name="${name}=${version}"
        fi
--- a/cdist/conf/type/__package_apt/man.rst
+++ b/cdist/conf/type/__package_apt/man.rst
@ -11,9 +11,6 @@ DESCRIPTION
 apt-get is usually used on Debian and variants (like Ubuntu) to
 manage packages.
 This type will also update package index, if it is older
 than one day, to avoid missing package error messages.
 REQUIRED PARAMETERS
 -------------------
--- a/cdist/conf/type/__postgres_database/gencode-remote
+++ b/cdist/conf/type/__postgres_database/gencode-remote
@ -43,14 +43,10 @@ if [ "$state_should" != "$state_is" ]; then
         if [ -f "$__object/parameter/owner" ]; then
            owner="-O \"$(cat "$__object/parameter/owner")\""
         fi
-         cat << EOF
+         echo "su - '$postgres_user' -c \"createdb $owner \"$name\"\""
 su - '$postgres_user' -c "createdb $owner \"$name\""
 EOF
      ;;
      absent)
-         cat << EOF
+         echo "su - '$postgres_user' -c \"dropdb \"$name\"\""
 su - '$postgres_user' -c "dropdb \"$name\""
 EOF
      ;;
   esac
 fi
--- a/cdist/conf/type/__postgres_role/gencode-remote
+++ b/cdist/conf/type/__postgres_role/gencode-remote
@ -53,13 +53,11 @@ case "$state_should" in
        done
        [ -n "$password" ] && password="PASSWORD '$password'"
-        cat << EOF
+
-su - '$postgres_user' -c "psql postgres -wc \"CREATE ROLE \\\\\"$name\\\\\" WITH $password $booleans;\""
+        cmd="CREATE ROLE \"$name\" WITH $password $booleans"
-EOF
+        echo "su - '$postgres_user' -c \"psql postgres -wc \\\"$cmd\\\"\""
    ;;
    absent)
-        cat << EOF
+        echo "su - '$postgres_user' -c \"dropuser \\\"$name\\\"\""
 su - '$postgres_user' -c "dropuser \"$name\""
 EOF
    ;;
 esac
--- a/cdist/conf/type/__service/explorer/service-manager
+++ b/cdist/conf/type/__service/explorer/service-manager
@ -1,8 +0,0 @@
 #!/bin/sh
 # Assume systemd if systemctl is in PATH.
 if [ "$(command -v systemctl)" ]; then
 	printf "systemd"
 else
 	printf "unknown"
 fi
--- a/cdist/conf/type/__service/gencode-remote
+++ b/cdist/conf/type/__service/gencode-remote
@ -1,9 +0,0 @@
 #!/bin/sh
 manager="$(cat "$__object/explorer/service-manager")"
 name=$__object_id
 action="$(cat "$__object/parameter/action")"
 if [ "$manager" = "unknown" ]; then
 	echo "service '$name' '$action'"
 fi
--- a/cdist/conf/type/__service/man.rst
+++ b/cdist/conf/type/__service/man.rst
@ -1,51 +0,0 @@
 cdist-type__service(7)
 ======================
 NAME
 ----
 cdist-type__service - Run action on a system service
 DESCRIPTION
 -----------
 This type allows you to run an action against a system service.
 REQUIRED PARAMETERS
 -------------------
 action
  Arbitrary parameter passed as action. Usually 'start', 'stop', 'reload' or 'restart'.
 OPTIONAL PARAMETERS
 -------------------
 None.
 BOOLEAN PARAMETERS
 ------------------
 None.
 EXAMPLES
 --------
 .. code-block:: sh
    # Restart nginx service.
    __service nginx --action restart
    # Stop postfix service.
    __service postfix --action stop
 AUTHORS
 -------
 Timothée Floure <timothee.floure@ungleich.ch>
 COPYING
 -------
 Copyright \(C) 2019 Timothée Floure. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__service/manifest
+++ b/cdist/conf/type/__service/manifest
@ -1,15 +0,0 @@
 #!/bin/sh
 manager="$(cat "$__object/explorer/service-manager")"
 name=$__object_id
 action="$(cat "$__object/parameter/action")"
 case "$manager" in
 	systemd)
 		__systemd_service "$name" --action "$action"
 	;;
 	*)
 		# Unknown: handled by `service $NAME $action` in gencode-remote.
 	;;
 esac
--- a/cdist/conf/type/__service/parameter/required
+++ b/cdist/conf/type/__service/parameter/required
@ -1 +0,0 @@
 action
--- a/cdist/conf/type/__systemd_service/explorer/state
+++ b/cdist/conf/type/__systemd_service/explorer/state
@ -1,43 +0,0 @@
 #!/bin/sh -e
 # explorer/state
 #
 # 2020 Matthias Stecher <matthiasstecher at gmx.de>
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 # Check if the service is running or stopped.
 #
 # The explorer must check before if the service exist, because 'systemctl is-active'
 # will return "inactive" even if there is no service there:
 #   systemctl cat foo        # does not exist
 #   systemctl is-active foo  # is "inactive"
 # get name of the service
 if [ -f "$__object/parameter/name" ]; then
    name="$(cat "$__object/parameter/name")"
 else
    name="$__object_id"
 fi
 # check if the service exist, else exit without output (also if systemd doesn't exist)
 # do not exit here with an error code, will be done in the gencode-remote script
 systemctl cat "$name" > /dev/null 2>&1 || exit 0
 # print if the service is running or not
 systemctl is-active -q "$name" && printf "running" || printf "stopped"
--- a/cdist/conf/type/__systemd_service/gencode-remote
+++ b/cdist/conf/type/__systemd_service/gencode-remote
@ -1,98 +0,0 @@
 #!/bin/sh -e
 # gencode-remote
 #
 # 2020 Matthias Stecher <matthiasstecher at gmx.de>
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 # Checks the given state of the service and set it to the given
 # state. Optionally, it executes the action if service running.
 # get name of the service
 name="$__object/parameter/name"
 if [ -f "$name" ]; then
    name="$(cat "$name")"
 else
    name="$__object_id"
 fi
 # read current status and parameters
 state="$(cat "$__object/explorer/state")"
 should="$(cat "$__object/parameter/state")"
 # if systemd/service does not exist
 if [ -z "$state" ]; then
    printf "systemd or service '%s' does not exist!\n" "$name" >&2
    exit 1
 fi
 # save the action required
 required_action=""
 # check the state of the service that should be
 if [ "$state" != "$should" ]; then
    # select what to do to get the $should state
    case "$should" in
        running)
            if [ "$state" = "stopped" ]; then required_action="start"; fi
            ;;
        stopped)
            if [ "$state" = "running" ]; then required_action="stop"; fi
            ;;
    esac
 fi
 # check if the action can be achieved if given
 if [ -f "$__object/parameter/action" ] \
    && [ -z "$required_action" ] && [ "$state" = "running" ]; then
    # there must be an action
    action="$(cat "$__object/parameter/action")"
    # select the action to the required element
    case "$action" in
        restart)
            required_action="restart"
            ;;
        reload)
            required_action="reload"
            ;;
        *)
            printf "action '%s' does not exist!" "$action" >&2
            exit 2
    esac
    # Make a special check: only do this action if a dependency did something
    # it is required that the dependencies write there action to $__messages_in
    if [ -f "$__object/parameter/if-required" ]; then
        # exit here if there are no changes from the dependencies affected (nothing to do)
        if ! grep -q -f "$__object/require" "$__messages_in"; then exit 0; fi
    fi
 fi
 # print the execution command if a action given
 if [ -n "$required_action" ]; then
    # also print it as message
    echo "$required_action" >> "$__messages_out"
    echo "systemctl $required_action '$name'"
 fi
--- a/cdist/conf/type/__systemd_service/man.rst
+++ b/cdist/conf/type/__systemd_service/man.rst
@ -1,110 +0,0 @@
 cdist-type__systemd-service(7)
 ==============================
 NAME
 ----
 cdist-type__systemd-service - Controls a systemd service state
 DESCRIPTION
 -----------
 This type controls systemd services to define a state of the service,
 or an action like reloading or restarting. It is useful to reload a
 service after configuration applied or shutdown one service.
 The activation or deactivation is out of scope. Look for the
 :strong:`cdist-type__systemd_util`\ (7) type instead.
 REQUIRED PARAMETERS
 -------------------
 None.
 OPTIONAL PARAMETERS
 -------------------
 name
    String which will used as name instead of the object id.
 state
    The state which the service should be in:
    running
        Service should run (default)
    stoppend
        Service should stopped
 action
    Executes an action on on the service. It will only execute it if the
    service keeps the state **running**. There are following actions, where:
    reload
        Reloads the service
    restart
        Restarts the service
 BOOLEAN PARAMETERS
 ------------------
 if-required
    Only execute the action if minimum one required type outputs a message to
    **$__messages_out**. Through this, the action should only executed if a
    dependency did something. The action will not executed if no dependencies
    given.
 MESSAGES
 --------
 start
    Started the service
 stop
    Stopped the service
 restart
    Restarted the service
 reload
    Reloaded the service
 ABORTS
 ------
 Aborts in following cases:
 systemd or the service does not exist
 EXAMPLES
 --------
 .. code-block:: sh
    # service must run
    __systemd_service nginx
    # service must stopped
    __systemd_service sshd \
        --state stopped
    # restart the service
    __systemd_service apache2 \
        --action restart
    # makes sure the service exist with an alternative name
    __systemd_service foo \
        --name sshd
    # reload the service for a modified configuration file
    # only reloads the service if the file really changed
    require="__config_file/etc/foo.conf" __systemd_service foo \
        --action reload --if-required
 AUTHORS
 -------
 Matthias Stecher <matthiasstecher at gmx.de>
 COPYRIGHT
 ---------
 Copyright \(C) 2020 Matthias Stecher. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__systemd_service/parameter/boolean
+++ b/cdist/conf/type/__systemd_service/parameter/boolean
@ -1 +0,0 @@
 if-required
--- a/cdist/conf/type/__systemd_service/parameter/default/state
+++ b/cdist/conf/type/__systemd_service/parameter/default/state
@ -1 +0,0 @@
 running
--- a/cdist/conf/type/__systemd_service/parameter/optional
+++ b/cdist/conf/type/__systemd_service/parameter/optional
@ -1,3 +0,0 @@
 name
 state
 action
--- a/cdist/conf/type/__update_alternatives/explorer/state
+++ b/cdist/conf/type/__update_alternatives/explorer/state
@ -1,8 +0,0 @@
 #!/bin/sh -e
 path="$(cat "$__object/parameter/path")"
 name="$__object_id"
 link="$(readlink "/etc/alternatives/$name")"
 if [ "$path" = "$link" ]
 then echo present
 else echo absent
 fi
--- a/cdist/conf/type/__update_alternatives/gencode-remote
+++ b/cdist/conf/type/__update_alternatives/gencode-remote
@ -17,10 +17,9 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
-
+#
-if [ "$(cat "$__object/explorer/state")" = 'present' ]
+# Setup alternative - no standard way to create, always set
-then exit 0
+#
 fi
 path="$(cat "$__object/parameter/path")"
 name="$__object_id"
--- a/cdist/conf/type/__user/explorer/shadow
+++ b/cdist/conf/type/__user/explorer/shadow
@ -24,7 +24,7 @@
 name=$__object_id
 case $("$__explorer/os") in
-  'freebsd'|'netbsd'|'openbsd'|'alpine')
+  'freebsd'|'netbsd'|'openbsd')
    database='passwd'
    ;;
  # Default to using shadow passwords
--- a/cdist/process.py
+++ b/cdist/process.py
@ -0,0 +1,81 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 #
 # 2020 Darko Poljak (darko.poljak at gmail.com)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
 import os
 import sys
 import importlib
 import re
 import cdist
 PROCESS_PARENT = 'process'
 _PROCESS_DEBUG = os.environ.get('CDIST_PROCESS_DEBUG', None)
 if _PROCESS_DEBUG:
    def _debug(msg):
        print('[cdist process debug] {}'.format(msg))
 else:
    def _debug(msg):
        pass
 _process_path = []
 _env_path = os.environ.get('CDIST_PROCESS_PATH', None)
 if _env_path:
    for x in re.split(r'(?<!\\):', _env_path):
        if x:
            _debug('Adding CDIST_PROCESS_PATH {}'.format(x))
            _process_path.append(x)
 _home_dir = cdist.home_dir()
 if _home_dir:
    _debug('Adding cdist home dir process path {}'.format(_home_dir))
    _process_path.append(_home_dir)
 def _scan_processes():
    for path in _process_path:
        process_path = os.path.join(path, PROCESS_PARENT)
        for fname in os.listdir(process_path):
            entry = os.path.join(process_path, fname)
            if not os.path.isdir(entry):
                continue
            _debug('Scanning {}'.format(entry))
            pfile = os.path.join(entry, '__init__.py')
            _debug('Scanning {}'.format(pfile))
            if os.path.exists(pfile):
                _debug('Found process in {}: {}'.format(entry, pfile))
                yield entry
 def setup(parent_parser):
    for entry in _scan_processes():
        mod_name = os.path.basename(entry)
        mod_dir = os.path.dirname(entry)
        sys.path.insert(0, mod_dir)
        proc_mod = importlib.import_module(mod_name)
        _debug('Registering process module {} from {}'.format(
            mod_name, entry))
        proc_mod.register(parent_parser)
 def commandline(args, parser):
    parser.print_help()
--- a/docs/changelog
+++ b/docs/changelog
@ -2,41 +2,9 @@ Changelog
 ---------
 next:
 	* Type __user: Fix missing shadow for alpine (llnu)
 6.5.2: 2020-02-27
 	* Type __update_alternatives: Add state explorer (Ander Punnar)
 	* Explorer os_version: Add support for Alpine Linux (Jin-Guk Kwon)
 	* Explorer init: Rewrite and support more init systems (Dennis Camera)
 	* New type: __service (Timothée Floure)
 	* Types __consul_*: Add optional parameter for using distribution packages (Timothée Floure)
 	* Explorer disks: Fix NetBSD, support Linux w/o lsblk (Dennis Camera)
 	* Type __directory: Add 'exists' and 'pre-exists' states (Dennis Camera)
 	* Type __file: Improve error messages for pre-exists state (Dennis Camera)
 6.5.1: 2020-02-15
 	* Type __consul_agent: Add Debian 10 support (Nico Schottelius)
 	* Explorer os_release: Add fallbacks (Dennis Camera)
 	* Types __file, __directory: Add fallback for systems without stat (Dennis Camera)
 	* Type __mysql_privileges: Fix quoting (Ander Punnar)
 	* Type __package_apt: Update package index if it is older than one day (Ander Punnar)
 	* Type __cron: Fix job removal if 'is' and 'should' don't match (Matthias Stecher)
 	* New type: __systemd_service (Matthias Stecher)
 	* Type __postgres_role: Fix password command syntax (Timothée Floure)
 6.5.0: 2020-01-23
 	* Type __acl: Add --entry parameter to replace --acl, deprecate --acl (Ander Punnar)
 	* Core: preos: Fix missing configuration file usage, support -g, --config-file option (Darko Poljak)
 	* Core info command: Support tilde expansion of conf directories (Darko Poljak)
 	* Types __postgres_*: Fix edge cases in quoted identifiers (Timothée Floure)
 	* New type: __apt_unattended_upgrades (Ander Punnar)
 	* Type __line: Bugfixes: (Dennis Camera)
 		- ensure the line is only added once
 		- always add line to end if anchor is not found
 		- match line at the beginning when not regex
 		- fix incorrect 'wrongposition' in state explorer
 		- produce error when file does not exist
 	* Type __acl: Add --source, --file and --directory parameters (Ander Punnar)
 6.4.0: 2020-01-04
 	* Type __consul_agent: Don't deploy init script on Alpine anymore, it ships with one itself (Nico Schottelius)
--- a/docs/src/conf.py
+++ b/docs/src/conf.py
@ -56,7 +56,7 @@ master_doc = 'index'
 # General information about the project.
 project = 'cdist'
-copyright = 'ungleich GmbH 2020'
+copyright = 'ungleich GmbH 2019'
 # author = 'Darko Poljak'
 # The version info for the project you're documenting, acts as replacement for
--- a/docs/src/index.rst
+++ b/docs/src/index.rst
@ -2,9 +2,8 @@ cdist - usable configuration management
 =======================================
 cdist is a usable configuration management system.
-It adheres to the KISS principle and
+It adheres to the KISS principle and 
 is being used in small up to enterprise grade environments.
 It natively supports IPv6 since the first release.
 .. toctree::