fix typo

Fix for alpine "getent shadow" missing functionality in __user type

See merge request ungleich-public/cdist!855

cdist/conf/explorer/disks

@@ -1,27 +1,67 @@
-#!/bin/sh
+#!/bin/sh -e
+#
+# based on previous work by other people, modified by:
+# 2020 Dennis Camera <dennis.camera at ssrq-sds-fds.ch>
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+# Finds disks of the system (excl. ram disks, floppy, cdrom)
 
 uname_s="$(uname -s)"
 
-case "${uname_s}" in
+case $uname_s in
     FreeBSD)
         sysctl -n kern.disks
     ;;
-    OpenBSD|NetBSD)
-        sysctl -n hw.disknames | grep -Eo '[lsw]d[0-9]+' | xargs
+    OpenBSD)
+        sysctl -n hw.disknames | grep -Eo '[lsw]d[0-9]+'
+    ;;
+    NetBSD)
+        PATH="${PATH}:/usr/local/sbin:/usr/sbin:/sbin"
+        sysctl -n hw.disknames \
+        | awk 'BEGIN { RS = " " } /^[lsw]d[0-9]+/'
     ;;
     Linux)
-        if command -v lsblk > /dev/null
+        # list of major device numbers toexclude:
+        #  ram disks, floppies, cdroms
+        # https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
+        ign_majors='1 2 11'
+
+        if command -v lsblk >/dev/null 2>&1
         then
-            # exclude ram disks, floppies and cdroms
-            # https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
-            lsblk -e 1,2,11 -dno name | xargs
+            lsblk -e "$(echo "$ign_majors" | tr ' ' ',')" -dno name
+        elif test -d /sys/block/
+        then
+            # shellcheck disable=SC2012
+            ls -1 /sys/block/ \
+            | awk -v ign_majors="$(echo "$ign_majors" | tr ' ' '|')" '
+                {
+                  devfile = "/sys/block/" $0 "/dev"
+                  getline devno < devfile
+                  close(devfile)
+                  if (devno !~ "^(" ign_majors "):") print
+                }'
         else
-            printf "Don't know how to list disks for %s operating system without lsblk, if you can please submit a patch\n" "${uname_s}" >&2
+            echo "Don't know how to list disks on Linux without lsblk and sysfs." >&2
+            echo 'If you can, please submit a patch.'>&2
         fi
     ;;
     *)
-        printf "Don't know how to list disks for %s operating system, if you can please submit a patch\n" "${uname_s}" >&2
+        printf "Don't know how to list disks for %s operating system.\n" "${uname_s}" >&2
+        printf 'If you can please submit a patch\n' >&2
     ;;
-esac
-
-exit 0
+esac \
+| xargs

cdist/conf/explorer/init

@@ -1,7 +1,8 @@
-#!/bin/sh
+#!/bin/sh -e
 #
 # 2016 Daniel Heule (hda at sfs.biz)
 # Copyright 2017, Philippe Gregoire <pg@pgregoire.xyz>
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@@ -19,21 +20,422 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
-# Returns the process name of pid 1 ( normaly the init system )
-# for example at linux this value is "init" or "systemd" in most cases
+# Returns the name of the init system (PID 1)
+
+# Expected values:
+# Linux:
+#  Adélie Linux:
+#    sysvinit+openrc
+#  Alpine Linux:
+#    busybox-init+openrc
+#  ArchLinux:
+#    systemd, sysvinit
+#  CRUX:
+#    sysvinit
+#  Debian:
+#    systemd, upstart, sysvinit, openrc, ???
+#  Devuan:
+#    sysvinit, sysvinit+openrc
+#  Gentoo:
+#    sysvinit+openrc, openrc-init, systemd
+#  OpenBMC:
+#    systemd
+#  OpenWrt:
+#    procd, init???
+#  RedHat (RHEL, CentOS, Fedora, RedHat Linux, ...):
+#    systemd, upstart, upstart-legacy, sysvinit
+#  Slackware:
+#    sysvinit
+#  SuSE:
+#    systemd, sysvinit
+#  Ubuntu:
+#    systemd, upstart, upstart-legacy, sysvinit
+#  VoidLinux:
+#    runit
 #
+# GNU:
+#   Debian:
+#     sysvinit, hurd-init
+#
+# BSD:
+#  {Free,Open,Net}BSD:
+#    init
+#
+# Mac OS X:
+#   launchd, init+SystemStarter
+#
+# Solaris/Illumos:
+#   smf, init???
 
-uname_s="$(uname -s)"
+# NOTE: init systems can be stacked. This is popular to run OpenRC on top of
+# sysvinit (Gentoo) or busybox-init (Alpine), but can also be used to run runit
+# as a systemd service.  This makes init system detection very complicated
+# (which result is expected?)  This script tries to untangle some combinations,
+# OpenRC on top of sysv or busybox (X+openrc), but will ignore others (runit as
+# a systemd service)
 
-case "$uname_s" in
-    Linux)
-        (pgrep -P0 -l | awk '/^1[ \t]/ {print $2;}') || true
-    ;;
-    FreeBSD|OpenBSD)
-        ps -o comm= -p 1 || true
-    ;;
-    *)
-        # return a empty string as unknown value
-        echo ""
-    ;;
-esac
+# NOTE: When we have no idea, nothing will be printed!
+
+# NOTE:
+# When trying to gather information about the init system make sure to do so
+# without calling the binary!   On some systems this triggers a reinitialisation
+# of the system which we don't want (e.g. embedded systems).
+
+
+set -e
+
+KERNEL_NAME=$(uname -s)
+
+KNOWN_INIT_SYSTEMS=$(cat <<EOF
+systemd
+sysvinit
+upstart
+runit
+procd
+smf
+launchd
+init
+hurd_init
+systemstarter
+EOF
+)
+
+
+common_candidates_by_kernel() {
+	case $KERNEL_NAME
+	in
+		FreeBSD|NetBSD|OpenBSD)
+			echo init
+			;;
+		Linux)
+			echo systemd
+			echo sysvinit
+			echo upstart
+			;;
+		GNU)
+			echo sysvinit
+			echo hurd-init
+			;;
+		Darwin)
+			echo launchd
+			echo systemstarter
+			;;
+		SunOS)
+			echo smf
+			;;
+	esac
+}
+
+
+## Helpers
+
+trim() {
+	sed -e 's/^[[:blank:]]*//' -e 's/[[:blank:]]*$//' -e '/^[[:blank:]]*$/d'
+}
+
+unique() {
+	# Delete duplicate lines (keeping input order)
+	# NOTE: Solaris AWK breaks without if/print construct.
+	awk '{ if (!x[$0]++) print }'
+}
+
+
+## Check functions
+# These functions are used to verify if a guess is correct by checking some
+# common property of a running system (presence of a directory in /run etc.)
+
+check_busybox_init() (
+	busybox_path=${1:-/bin/busybox}
+	test -x "${busybox_path}" || return 1
+	grep -q 'BusyBox v[0-9]' "${busybox_path}" || return 1
+
+	# It is quite common to use Busybox init to stack other init systemd
+	# (like OpenRC) on top of it. So we check for that, too.
+	if stacked=$(check_openrc)
+	then
+		echo "busybox-init+${stacked}"
+	else
+		echo busybox-init
+	fi
+)
+
+check_hurd_init() (
+	init_exe=${1:-/hurd/init}
+	test -x "${init_exe}" || return 1
+	grep -q 'GNU Hurd' "${init_exe}" || return 1
+	echo hurd-init
+)
+
+check_init() {
+	# Checks for various BSD inits...
+	test -x /sbin/init || return 1
+
+	if grep -q -E '(Free|Net|Open)BSD' /sbin/init
+	then
+		echo init
+		return 0
+	fi
+}
+
+check_launchd() {
+	command -v launchctl >/dev/null 2>&1 || return 1
+	launchctl getenv PATH >/dev/null || return 1
+	echo launchd
+}
+
+check_openrc() {
+	test -f /run/openrc/softlevel || return 1
+	echo openrc
+}
+
+check_procd() (
+	procd_path=${1:-/sbin/procd}
+	test -x "${procd_path}" || return 1
+	grep -q 'procd' "${procd_path}" || return 1
+	echo procd
+)
+
+check_runit() {
+	test -d /run/runit || return 1
+	echo runit
+}
+
+check_smf() {
+	# XXX: Is this the correct way??
+	test -f /etc/svc/volatile/svc_nonpersist.db || return 1
+	echo smf
+}
+
+check_systemd() {
+	# NOTE: sd_booted(3)
+	test -d /run/systemd/system/ || return 1
+	# systemctl --version | sed -e '/^systemd/!d;s/^systemd //'
+	echo systemd
+}
+
+check_systemstarter() {
+	test -d /System/Library/StartupItems/ || return 1
+	test -f /System/Library/StartupItems/LoginWindow/StartupParameters.plist || return 1
+	echo init+SystemStarter
+}
+
+check_sysvinit() (
+	init_path=${1:-/sbin/init}
+	grep -q 'INIT_VERSION=sysvinit-[0-9.]*' "${init_path}" || return 1
+
+	# It is quite common to use SysVinit to stack other init systemd
+	# (like OpenRC) on top of it. So we check for that, too.
+	if stacked=$(check_openrc)
+	then
+		echo "sysvinit+${stacked}"
+	else
+		echo sysvinit
+	fi
+	unset stacked
+)
+
+check_upstart() {
+	test -x "$(command -v initctl)" || return 1
+	case $(initctl version)
+	in
+		*'(upstart '*')')
+			if test -d /etc/init
+			then
+				# modern (DBus-based?) upstart >= 0.5
+				echo upstart
+			elif test -d /etc/event.d
+			then
+				# ancient upstart
+				echo upstart-legacy
+			else
+				# whatever...
+				echo upstart
+			fi
+			;;
+		*)
+			return 1
+			;;
+	esac
+}
+
+find_init_procfs() (
+	# First, check if the required file in procfs exists...
+	test -h /proc/1/exe || return 1
+
+	# Find init executable
+	init_exe=$(ls -l /proc/1/exe 2>/dev/null) || return 1
+	init_exe=${init_exe#* -> }
+
+	if ! test -x "$init_exe"
+	then
+		# On some rare occasions it can happen that the
+		# running init's binary has been replaced. In this
+		# case Linux adjusts the symlink to "X (deleted)"
+
+		# [root@fedora-12 ~]# readlink /proc/1/exe
+		# /sbin/init (deleted)
+		# [root@fedora-12 ~]# ls -l /proc/1/exe
+		# lrwxrwxrwx. 1 root root 0 2020-01-30 23:00 /proc/1/exe -> /sbin/init (deleted)
+
+		init_exe=${init_exe% (deleted)}
+		test -x "$init_exe" || return 1
+	fi
+
+	echo "${init_exe}"
+)
+
+guess_by_path() {
+	case $1
+	in
+		/bin/busybox)
+			check_busybox_init "$1" && return
+			;;
+		/lib/systemd/systemd)
+			check_systemd "$1" && return
+			;;
+		/hurd/init)
+			check_hurd_init "$1" && return
+			;;
+		/sbin/launchd)
+			check_launchd "$1" && return
+			;;
+		/usr/bin/runit|/sbin/runit)
+			check_runit "$1" && return
+			;;
+		/sbin/openrc-init)
+			if check_openrc "$1" >/dev/null
+			then
+				echo openrc-init
+				return
+			fi
+			;;
+		/sbin/procd)
+			check_procd "$1" && return
+			;;
+		/sbin/init|*/init)
+			# init: it could be anything -> (explicit) no match
+			return 1
+			;;
+	esac
+
+	# No match
+	return 1
+}
+
+guess_by_comm_name() {
+	case $1
+	in
+		busybox)
+			check_busybox_init && return
+			;;
+		openrc-init)
+			if check_openrc >/dev/null
+			then
+				echo openrc-init
+				return 0
+			fi
+			;;
+		init)
+			# init could be anything -> no match
+			return 1
+			;;
+		*)
+			# Run check function by comm name if available.
+			# Fall back to comm name if either it does not exist or
+			# returns non-zero.
+			if type "check_$1" >/dev/null
+			then
+				"check_$1" && return
+			else
+				echo "$1" ; return 0
+			fi
+	esac
+
+	return 1
+}
+
+check_list() (
+	# List must be a multi-line input on stdin (one name per line)
+	while read -r init
+	do
+		"check_${init}" || continue
+		return 0
+	done
+	return 1
+)
+
+
+# BusyBox's versions of ps and pgrep do not support some options
+# depending on which compile-time options have been used.
+
+find_init_pgrep() {
+	pgrep -P0 -fl 2>/dev/null | awk -F '[[:blank:]]' '$1 == 1 { print $2 }'
+}
+
+find_init_ps() {
+	case $KERNEL_NAME
+	in
+		Darwin)
+			ps -o command -p 1 2>/dev/null | tail -n +2
+			;;
+		FreeBSD)
+			ps -o args= -p 1 2>/dev/null | cut -d ' ' -f 1
+			;;
+		Linux)
+			ps -o comm= -p 1 2>/dev/null
+			;;
+		NetBSD)
+			ps -o comm= -p 1 2>/dev/null
+			;;
+		OpenBSD)
+			ps -o args -p 1 2>/dev/null | tail -n +2 | cut -d ' ' -f 1
+			;;
+		*)
+			ps -o args= -p 1 2>/dev/null
+			;;
+	esac | trim  # trim trailing whitespace (some ps like Darwin add it)
+}
+
+find_init() {
+	case $KERNEL_NAME
+	in
+		Linux|GNU|NetBSD)
+			find_init_procfs || find_init_pgrep || find_init_ps
+			;;
+		FreeBSD)
+			find_init_procfs || find_init_ps
+			;;
+		OpenBSD)
+			find_init_pgrep || find_init_ps
+			;;
+		Darwin|SunOS)
+			find_init_ps
+			;;
+		*)
+			echo "Don't know how to determine init." >&2
+			echo 'Please send a patch.' >&2
+			exit 1
+	esac
+}
+
+# -----
+
+init=$(find_init)
+
+# If we got a path, guess by the path first (fall back to file name if no match)
+# else guess by file name directly.
+# shellcheck disable=SC2015
+{
+	test -x "${init}" \
+		&& guess_by_path "${init}" \
+		|| guess_by_comm_name "$(basename "${init}")"
+} && exit 0 || true
+
+
+# Guessing based on the file path and name didn’t lead to a definitive result.
+#
+# We go through all of the checks until we find a match. To speed up the
+# process, common cases will be checked first based on the underlying kernel.
+
+{ common_candidates_by_kernel; echo "${KNOWN_INIT_SYSTEMS}"; } \
+	| unique | check_list

cdist/conf/explorer/os_release

@@ -1,6 +1,7 @@
 #!/bin/sh
 #
 # 2018 Adam Dej (dejko.a at gmail.com)
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@@ -21,6 +22,17 @@
 
 # See os-release(5) and http://0pointer.de/blog/projects/os-release
 
-set +e
+if test -f /etc/os-release
+then
+	# Linux and FreeBSD (usually a symlink)
+	cat /etc/os-release
+elif test -f /usr/lib/os-release
+then
+	# systemd
+	cat /usr/lib/os-release
+elif test -f /var/run/os-release
+then
+	# FreeBSD (created by os-release service)
+	cat /var/run/os-release
+fi
 
-cat /etc/os-release || cat /usr/lib/os-release || true

cdist/conf/explorer/os_version

@@ -70,4 +70,7 @@ case "$("$__explorer/os")" in
    ubuntu)
       lsb_release -sr
    ;;
-esac
+   alpine)
+       cat /etc/alpine-release
+   ;;
+esac

cdist/conf/type/__consul_agent/man.rst

@@ -116,6 +116,9 @@ verify-incoming
 verify-outgoing
    enforce the use of TLS and verify the peers authenticity on outgoing connections
 
+use-distribution-package
+   uses distribution package instead of upstream binary
+
 
 EXAMPLES
 --------

cdist/conf/type/__consul_agent/manifest

@@ -2,6 +2,7 @@
 #
 # 2015 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2015-2019 Nico Schottelius (nico-cdist at schottelius.org)
+# 2019 Timothée Floure (timothee.floure at ungleich.ch)
 #
 # This file is part of cdist.
 #
@@ -19,133 +20,75 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-
 os=$(cat "$__global/explorer/os")
 
-case "$os" in
-   alpine|scientific|centos|debian|devuan|redhat|ubuntu)
-      # whitelist safeguard
-      :
-   ;;
-   *)
-      echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
-      echo "Please contribute an implementation for it if you can." >&2
-      exit 1
-   ;;
-esac
+###
+# Type parameters.
 
 state="$(cat "$__object/parameter/state")"
 user="$(cat "$__object/parameter/user")"
 group="$(cat "$__object/parameter/group")"
+release=$(cat "$__global/explorer/lsb_release")
+if [ -f "$__object/parameter/use-distribution-package" ]; then
+  use_distribution_package=1
+fi
+
+###
+# Those are default that might be overriden by os-specific logic.
+
 data_dir="/var/lib/consul"
 conf_dir="/etc/consul/conf.d"
 conf_file="config.json"
+tls_dir="$conf_dir/tls"
 
-# FIXME: there has got to be a better way to handle the dependencies in this case
-case "$state" in
-   present)
-      __group "$group" --system --state "$state"
-      require="__group/$group" \
-         __user "$user" --system --gid "$group" \
-            --home "$data_dir" --state "$state"
-      export require="__user/consul"
-   ;;
-   absent)
-      echo "Sorry, state=absent currently not supported :-(" >&2
-      exit 1
-      require="$__object_name" \
-         __user "$user" --system --gid "$group" --state "$state"
-      require="__user/$user" \
-         __group "$group" --system --state "$state"
-   ;;
-esac
+###
+# Sane deployment, based on distribution package when available.
 
-__directory /etc/consul \
-   --owner root --group "$group" --mode 750 --state "$state"
-require="__directory/etc/consul" \
-   __directory "$conf_dir" \
-      --owner root --group "$group" --mode 750 --state "$state"
+distribution_setup () {
+  case "$os" in
+     debian)
+       # consul is only available starting Debian 10 (buster).
+       # See https://packages.debian.org/buster/consul
+       if [ "$release" -lt 10 ]; then
+         echo "Consul is not available for your debian release." >&2
+         echo "Please use the 'manual' (i.e. non-package) installation or \
+           upgrade the target system." >&2
+         exit 1
+       fi
 
-if [ -f "$__object/parameter/ca-file-source" ] || [ -f "$__object/parameter/cert-file-source" ] || [ -f "$__object/parameter/key-file-source" ]; then
-   # create directory for ssl certs
-   require="__directory/etc/consul" \
-      __directory /etc/consul/ssl \
-         --owner root --group "$group" --mode 750 --state "$state"
-fi
+       # Override previously defined environment to match debian packaging.
+       conf_dir='/etc/consul.d'
+       user='consul'
+       group='consul'
+     ;;
+     alpine)
+       # consul is only available starting Alpine 3.12 (= edge during the 3.11 cycle).
+       # See https://pkgs.alpinelinux.org/packages?name=consul&branch=edge
 
-__directory "$data_dir" \
-   --owner "$user" --group "$group" --mode 770 --state "$state"
+       # Override previously defined environment to match alpine packaging.
+       conf_dir='/etc/consul'
+       conf_file='server.json'
+       data_dir='/var/consul'
+       user='consul'
+       group='consul'
+     ;;
+     *)
+        echo "Your operating system ($os) is currently not supported with the \
+          --use-distribution-package flag (${__type##*/})." >&2
+        echo "Please use non-package installation or contribute an \
+          implementation for if you can." >&2
+        exit 1
+     ;;
+  esac
 
+  # Install consul package.
+  __package consul --state "$state"
 
-# Generate json config file
-(
-echo "{"
+  export config_deployment_requires="__package/consul"
+}
 
-# parameters we define ourself
-printf '   "data_dir": "%s"\n' "$data_dir"
-
-cd "$__object/parameter/"
-for param in *; do
-   case "$param" in
-      state|user|group|json-config) continue ;;
-      ca-file-source|cert-file-source|key-file-source)
-         source="$(cat "$__object/parameter/$param")"
-         destination="/etc/consul/ssl/${source##*/}"
-         require="__directory/etc/consul/ssl" \
-            __file "$destination" \
-               --owner root --group consul --mode 640 \
-               --source "$source" \
-               --state "$state"
-         key="$(echo "${param%-*}" | tr '-' '_')"
-         printf '   ,"%s": "%s"\n' "$key" "$destination"
-      ;;
-      disable-remote-exec|disable-update-check|leave-on-terminate|rejoin-after-leave|server|enable-syslog|verify-incoming|verify-outgoing)
-         # handle boolean parameters
-         key="$(echo "$param" | tr '-' '_')"
-         printf '   ,"%s": true\n' "$key"
-      ;;
-      retry-join)
-         # join multiple parameters into json array
-         retry_join="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join")"
-         # remove trailing ,
-         printf '   ,"retry_join": [%s]\n' "${retry_join%*,}"
-      ;;
-      retry-join-wan)
-         # join multiple parameters into json array over wan
-         retry_join_wan="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join-wan")"
-         # remove trailing ,
-         printf '   ,"retry_join_wan": [%s]\n' "${retry_join_wan%*,}"
-      ;;
-      bootstrap-expect)
-         # integer key=value parameters
-         key="$(echo "$param" | tr '-' '_')"
-         printf '   ,"%s": %s\n' "$key" "$(cat "$__object/parameter/$param")"
-      ;;
-      *)
-         # string key=value parameters
-         key="$(echo "$param" | tr '-' '_')"
-         printf '   ,"%s": "%s"\n' "$key" "$(cat "$__object/parameter/$param")"
-      ;;
-   esac
-done
-if [ -f "$__object/parameter/json-config" ]; then
-   json_config="$(cat "$__object/parameter/json-config")"
-   if [ "$json_config" = "-" ]; then
-      json_config="$__object/stdin"
-   fi
-   # remove leading and trailing whitespace and commas from first and last line
-   # indent each line with 3 spaces for consistency
-   json=$(sed -e 's/^[ \t]*/   /' -e '1s/^[ \t,]*//' -e '$s/[ \t,]*$//' "$json_config")
-   printf '   ,%s\n' "$json"
-fi
-echo "}"
-) | \
-require="__directory${conf_dir}" \
-   __config_file "${conf_dir}/${conf_file}" \
-      --owner root --group "$group" --mode 640 \
-      --state "$state" \
-      --onchange 'service consul status >/dev/null && service consul reload || true' \
-      --source -
+###
+# LEGACY manual deployment, kept for compatibility reasons.
 
 init_sysvinit()
 {
@@ -179,47 +122,186 @@ init_upstart()
     require="__file/etc/init/consul.conf" __start_on_boot consul
 }
 
-# Install init script to start on boot
-case "$os" in
-    devuan)
-        init_sysvinit debian
-        ;;
-    centos|redhat)
-        os_version="$(sed 's/[^0-9.]//g' "$__global/explorer/os_version")"
-        major_version="${os_version%%.*}"
-        case "$major_version" in
-            [456])
-                init_sysvinit redhat
-                ;;
-            7)
-                init_systemd
-                ;;
-            *)
-                echo "Unsupported CentOS/Redhat version: $os_version" >&2
-                exit 1
-                ;;
-        esac
-        ;;
+manual_setup () {
+  case "$os" in
+     alpine|scientific|centos|debian|devuan|redhat|ubuntu)
+        # whitelist safeguard
+        :
+     ;;
+     *)
+        echo "Your operating system ($os) is currently not supported by this \
+          type (${__type##*/})." >&2
+        echo "Please contribute an implementation for it if you can." >&2
+        exit 1
+     ;;
+  esac
 
-    debian)
-        os_version=$(cat "$__global/explorer/os_version")
-        major_version="${os_version%%.*}"
+  # FIXME: there has got to be a better way to handle the dependencies in this case
+  case "$state" in
+     present)
+        __group "$group" --system --state "$state"
+        require="__group/$group" __user "$user" \
+          --system --gid "$group" --home "$data_dir" --state "$state"
+     ;;
+     *)
+        echo "The $state state is not (yet?) supported by this type." >&2
+        exit 1
+     ;;
+  esac
 
-        case "$major_version" in
-            [567])
-                init_sysvinit debian
-            ;;
-            [89])
-                init_systemd
-            ;;
-            *)
-                echo "Unsupported Debian version $os_version" >&2
-                exit 1
-            ;;
-        esac
-        ;;
+  # Create data directory.
+  require="__user/consul" __directory "$data_dir" \
+    --owner "$user" --group "$group" --mode 770 --state "$state"
 
-    ubuntu)
-        init_upstart
+  # Create config directory.
+  require="__user/consul" __directory "$conf_dir" \
+    --parents --owner root --group "$group" --mode 750 --state "$state"
+
+  # Install init script to start on boot
+  case "$os" in
+      devuan)
+          init_sysvinit debian
+          ;;
+      centos|redhat)
+          os_version="$(sed 's/[^0-9.]//g' "$__global/explorer/os_version")"
+          major_version="${os_version%%.*}"
+          case "$major_version" in
+              [456])
+                  init_sysvinit redhat
+                  ;;
+              7)
+                  init_systemd
+                  ;;
+              *)
+                  echo "Unsupported CentOS/Redhat version: $os_version" >&2
+                  exit 1
+                  ;;
+          esac
+          ;;
+
+      debian)
+          os_version=$(cat "$__global/explorer/os_version")
+          major_version="${os_version%%.*}"
+
+          case "$major_version" in
+              [567])
+                  init_sysvinit debian
+              ;;
+              [89]|10)
+                  init_systemd
+              ;;
+              *)
+                  echo "Unsupported Debian version $os_version" >&2
+                  exit 1
+              ;;
+          esac
+          ;;
+
+      ubuntu)
+          init_upstart
+          ;;
+  esac
+
+  config_deployment_requires="__user/consul __directory/$conf_dir"
+}
+
+###
+# Trigger requested installation method.
+if [ $use_distribution_package ]; then
+  distribution_setup
+else
+  manual_setup
+fi
+
+###
+# Install TLS certificates.
+
+if [ -f "$__object/parameter/ca-file-source" ] || \
+   [ -f "$__object/parameter/cert-file-source" ] || \
+   [ -f "$__object/parameter/key-file-source" ]; then
+
+   requires="$config_deployment_requires" __directory $tls_dir \
+     --owner root --group "$group" --mode 750 --state "$state"
+
+   # Append to service restart requirements.
+   restart_requires="$restart_requires __directory/$conf_dir/tls"
+fi
+
+###
+# Generate and deploy configuration.
+
+json_configuration=$(
+  echo "{"
+
+  # parameters we define ourself
+  printf '   "data_dir": "%s"\n' "$data_dir"
+
+  cd "$__object/parameter/"
+  for param in *; do
+     case "$param" in
+        state|user|group|json-config|use-distribution-package) continue ;;
+        ca-file-source|cert-file-source|key-file-source)
+           source="$(cat "$__object/parameter/$param")"
+           destination="$tls_dir/${source##*/}"
+           require="__directory/$tls_dir" \
+              __file "$destination" \
+                 --owner root --group consul --mode 640 \
+                 --source "$source" \
+                 --state "$state"
+           key="$(echo "${param%-*}" | tr '-' '_')"
+           printf '   ,"%s": "%s"\n' "$key" "$destination"
         ;;
-esac
+        disable-remote-exec|disable-update-check|leave-on-terminate\
+          |rejoin-after-leave|server|enable-syslog|verify-incoming|verify-outgoing)
+           # handle boolean parameters
+           key="$(echo "$param" | tr '-' '_')"
+           printf '   ,"%s": true\n' "$key"
+        ;;
+        retry-join)
+           # join multiple parameters into json array
+           retry_join="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join")"
+           # remove trailing ,
+           printf '   ,"retry_join": [%s]\n' "${retry_join%*,}"
+        ;;
+        retry-join-wan)
+           # join multiple parameters into json array over wan
+           retry_join_wan="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join-wan")"
+           # remove trailing ,
+           printf '   ,"retry_join_wan": [%s]\n' "${retry_join_wan%*,}"
+        ;;
+        bootstrap-expect)
+           # integer key=value parameters
+           key="$(echo "$param" | tr '-' '_')"
+           printf '   ,"%s": %s\n' "$key" "$(cat "$__object/parameter/$param")"
+        ;;
+        *)
+           # string key=value parameters
+           key="$(echo "$param" | tr '-' '_')"
+           printf '   ,"%s": "%s"\n' "$key" "$(cat "$__object/parameter/$param")"
+        ;;
+     esac
+  done
+  if [ -f "$__object/parameter/json-config" ]; then
+     json_config="$(cat "$__object/parameter/json-config")"
+     if [ "$json_config" = "-" ]; then
+        json_config="$__object/stdin"
+     fi
+     # remove leading and trailing whitespace and commas from first and last line
+     # indent each line with 3 spaces for consistency
+     json=$(sed -e 's/^[ \t]*/   /' -e '1s/^[ \t,]*//' -e '$s/[ \t,]*$//' "$json_config")
+     printf '   ,%s\n' "$json"
+  fi
+  echo "}"
+)
+echo "$json_configuration" | require="$config_deployment_requires" \
+  __file "$conf_dir/$conf_file" \
+      --owner root --group "$group" --mode 640 \
+      --state "$state" \
+      --source -
+
+# Set configuration deployment as requirement for service restart.
+restart_requires="__file/$conf_dir/$conf_file"
+
+###
+# Restart consul agent after everything else.
+require="$restart_requires" __service consul --action restart

cdist/conf/type/__consul_agent/parameter/boolean

@@ -6,3 +6,4 @@ server
 enable-syslog
 verify-incoming
 verify-outgoing
+use-distribution-package

cdist/conf/type/__consul_check/explorer/conf-dir

@@ -0,0 +1 @@
+../../__consul_service/explorer/conf-dir

cdist/conf/type/__consul_check/manifest

@@ -19,7 +19,7 @@
 #
 
 name="$(cat "$__object/parameter/name" 2>/dev/null || echo "$__object_id")"
-conf_dir="/etc/consul/conf.d"
+conf_dir=$(cat "$__object/explorer/conf-dir")
 conf_file="check_${name}.json"
 state="$(cat "$__object/parameter/state")"
 

cdist/conf/type/__consul_service/explorer/conf-dir

@@ -0,0 +1,15 @@
+# Determine the configuration directory used by consul.
+
+check_dir () {
+  if [ -d "$1" ]; then
+    printf '%s' "$1"
+    exit
+  fi
+}
+
+check_dir '/etc/consul/conf.d'
+check_dir '/etc/consul.d'
+check_dir '/etc/consul'
+
+echo 'Could not determine consul configuration dir. Exiting.' >&2
+exit 1

cdist/conf/type/__consul_service/manifest

@@ -19,7 +19,7 @@
 #
 
 name="$(cat "$__object/parameter/name" 2>/dev/null || echo "$__object_id")"
-conf_dir="/etc/consul/conf.d"
+conf_dir=$(cat "$__object/explorer/conf-dir")
 conf_file="service_${name}.json"
 state="$(cat "$__object/parameter/state")"
 
@@ -45,7 +45,7 @@ printf '      "name": "%s"\n' "$name"
 cd "$__object/parameter/"
 for param in *; do
    case "$param" in
-      state|name|check-interval) continue ;;
+      state|name|check-interval|conf-dir) continue ;;
       check-script)
          printf '     ,"check": {\n'
          printf '         "script": "%s"\n' "$(cat "$__object/parameter/check-script")"
@@ -86,7 +86,6 @@ echo "   }"
 # end json file
 echo "}"
 ) | \
-require="__directory${conf_dir}" \
    __config_file "${conf_dir}/${conf_file}" \
       --owner root --group consul --mode 640 \
       --state "$state" \

cdist/conf/type/__consul_watch_checks/explorer/conf-dir

@@ -0,0 +1 @@
+../../__consul_service/explorer/conf-dir

cdist/conf/type/__consul_watch_checks/manifest

@@ -20,7 +20,7 @@
 
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir="/etc/consul/conf.d"
+conf_dir=$(cat "$__object/explorer/conf-dir")
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
 

cdist/conf/type/__consul_watch_event/explorer/conf-dir

@@ -0,0 +1 @@
+../../__consul_service/explorer/conf-dir

cdist/conf/type/__consul_watch_event/manifest

@@ -20,7 +20,7 @@
 
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir="/etc/consul/conf.d"
+conf_dir=$(cat "$__object/explorer/conf-dir")
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
 

cdist/conf/type/__consul_watch_key/explorer/conf-dir

@@ -0,0 +1 @@
+../../__consul_service/explorer/conf-dir

cdist/conf/type/__consul_watch_key/manifest

@@ -20,7 +20,7 @@
 
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir="/etc/consul/conf.d"
+conf_dir=$(cat "$__object/explorer/conf-dir")
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
 

cdist/conf/type/__consul_watch_keyprefix/explorer/conf-dir

@@ -0,0 +1 @@
+../../__consul_service/explorer/conf-dir

cdist/conf/type/__consul_watch_keyprefix/manifest

@@ -20,7 +20,7 @@
 
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir="/etc/consul/conf.d"
+conf_dir=$(cat "$__object/explorer/conf-dir")
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
 

cdist/conf/type/__consul_watch_nodes/explorer/conf-dir

@@ -0,0 +1 @@
+../../__consul_service/explorer/conf-dir

cdist/conf/type/__consul_watch_nodes/manifest

@@ -20,7 +20,7 @@
 
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir="/etc/consul/conf.d"
+conf_dir=$(cat "$__object/explorer/conf-dir")
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
 

cdist/conf/type/__consul_watch_service/explorer/conf-dir

@@ -0,0 +1 @@
+../../__consul_service/explorer/conf-dir

cdist/conf/type/__consul_watch_service/manifest

@@ -20,7 +20,7 @@
 
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir="/etc/consul/conf.d"
+conf_dir=$(cat "$__object/explorer/conf-dir")
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
 

cdist/conf/type/__consul_watch_services/explorer/conf-dir

@@ -0,0 +1 @@
+../../__consul_service/explorer/conf-dir

cdist/conf/type/__consul_watch_services/manifest

@@ -20,7 +20,7 @@
 
 cdist_type="${__type##*/}"
 watch_type="${cdist_type##*_}"
-conf_dir="/etc/consul/conf.d"
+conf_dir=$(cat "$__object/explorer/conf-dir")
 conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
 

cdist/conf/type/__cron/gencode-remote

@@ -31,24 +31,28 @@ if [ -f "$__object/parameter/raw" ]; then
 elif [ -f "$__object/parameter/raw_command" ]; then
    entry="$command"
 else
-   minute="$(cat "$__object/parameter/minute" 2>/dev/null || echo "*")"
-   hour="$(cat "$__object/parameter/hour" 2>/dev/null || echo "*")"
-   day_of_month="$(cat "$__object/parameter/day_of_month" 2>/dev/null || echo "*")"
-   month="$(cat "$__object/parameter/month" 2>/dev/null || echo "*")"
-   day_of_week="$(cat "$__object/parameter/day_of_week" 2>/dev/null || echo "*")"
+   minute="$(cat "$__object/parameter/minute")"
+   hour="$(cat "$__object/parameter/hour")"
+   day_of_month="$(cat "$__object/parameter/day_of_month")"
+   month="$(cat "$__object/parameter/month")"
+   day_of_week="$(cat "$__object/parameter/day_of_week")"
    entry="$minute $hour $day_of_month $month $day_of_week $command # $name"
 fi
 
 mkdir "$__object/files"
 echo "$entry" > "$__object/files/entry"
 
-if diff -q "$__object/files/entry" "$__object/explorer/entry" >/dev/null; then
-    state_is=present
+if [ -s "$__object/explorer/entry" ]; then
+    if diff -q "$__object/files/entry" "$__object/explorer/entry" >/dev/null; then
+        state_is=present
+    else
+        state_is=modified
+    fi
 else
     state_is=absent
 fi
 
-state_should="$(cat "$__object/parameter/state" 2>/dev/null || echo "present")"
+state_should="$(cat "$__object/parameter/state")"
 
 [ "$state_is" = "$state_should" ] && exit 0
 

cdist/conf/type/__cron/manifest

@@ -22,3 +22,12 @@ if [ -f "$__object/parameter/raw" ] && [ -f "$__object/parameter/raw_command" ];
     echo "ERROR: both raw and raw_command specified" >&2
     exit 1
 fi
+
+case "$(cat "$__object/parameter/state")" in
+    present) ;;
+    absent) ;;
+
+    *)
+        echo "ERROR: unkown cron state" >&2
+        exit 2
+esac

cdist/conf/type/__cron/parameter/default/day_of_month

@@ -0,0 +1 @@
+*

cdist/conf/type/__cron/parameter/default/day_of_week

@@ -0,0 +1 @@
+*

cdist/conf/type/__cron/parameter/default/hour

@@ -0,0 +1 @@
+*

cdist/conf/type/__cron/parameter/default/minute

@@ -0,0 +1 @@
+*

cdist/conf/type/__cron/parameter/default/month

@@ -0,0 +1 @@
+*

cdist/conf/type/__directory/explorer/stat

@@ -1,6 +1,7 @@
 #!/bin/sh
 #
 # 2013 Steven Armstrong (steven-cdist armstrong.cc)
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@@ -20,24 +21,43 @@
 
 destination="/$__object_id"
 
+fallback() {
+   # Patch the output together, manually
+
+   ls_line=$(ls -ldn "$destination")
+
+   uid=$(echo "$ls_line" | awk '{ print $3 }')
+   gid=$(echo "$ls_line" | awk '{ print $4 }')
+
+   owner=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/passwd)
+   group=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
+
+   mode_text=$(echo "$ls_line" | awk '{ print $1 }')
+   mode=$(echo "$mode_text" | awk '{ k=0; for (i=0; i<=8; i++) k += ((substr($1, i+2, 1) ~ /[rwx]/) * 2^(8-i)); printf("%0o", k) }')
+
+   printf 'type: %s\nowner: %d %s\ngroup: %d %s\nmode: %s %s\n' \
+      "$("$__type_explorer/type")" \
+      "$uid" "$owner" \
+      "$gid" "$group" \
+      "$mode" "$mode_text"
+}
+
 # nothing to work with, nothing we could do
 [ -e "$destination" ] || exit 0
 
-os=$("$__explorer/os")
-case "$os" in
+if ! command -v stat >/dev/null
+then
+   fallback
+   exit
+fi
+
+case $("$__explorer/os") in
    "freebsd"|"netbsd"|"openbsd"|"macosx")
       stat -f "type: %HT
 owner: %Du %Su
 group: %Dg %Sg
 mode: %Lp %Sp
-" "$destination" | awk '/^type/ { print tolower($0); next; } { print; }'
-      ;;
-   alpine)
-      stat -c "type: %F
-owner: %u %U
-group: %g %G
-mode: %a %A
-" "$destination"
+" "$destination" | awk '/^type/ { print tolower($0); next } { print }'
       ;;
     solaris)
         ls1="$( ls -ld "$destination" )"
@@ -69,10 +89,12 @@ mode: %a %A
         echo "mode: $octets $( echo "$ls1" | awk '{print $1}' )"
     ;;
    *)
-       stat --printf="type: %F
+      # NOTE: Do not use --printf here as it is not supported by BusyBox stat.
+      # NOTE: BusyBox's stat might not support the "-c" option, in which case
+      #       we fall through to the shell fallback.
+       stat -c "type: %F
 owner: %u %U
 group: %g %G
-mode: %a %A
-" "$destination"
+mode: %a %A" "$destination" 2>/dev/null || fallback
    ;;
 esac

cdist/conf/type/__directory/gencode-remote

@@ -3,6 +3,7 @@
 # 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
 # 2013 Steven Armstrong (steven-cdist armstrong.cc)
 # 2014 Daniel Heule (hda at sfs.biz)
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@@ -21,8 +22,8 @@
 #
 
 destination="/$__object_id"
-state_should="$(cat "$__object/parameter/state")"
-type="$(cat "$__object/explorer/type")"
+state_should=$(cat "$__object/parameter/state")
+type=$(cat "$__object/explorer/type")
 stat_file="$__object/explorer/stat"
 
 # variable to keep track if we have to set directory attributes
@@ -72,7 +73,7 @@ set_mode() {
 }
 
 case "$state_should" in
-   present)
+   present|exists)
       if [ "$type" != "directory" ]; then
          set_attributes=1
          if [ "$type" != "none" ]; then
@@ -83,6 +84,10 @@ case "$state_should" in
          fi
          echo "mkdir $mkdiropt '$destination'"
          echo "create" >> "$__messages_out"
+      elif [ "$state_should" = 'exists' ]; then
+         # The type is directory and --state exists. We are done and do not
+         # check or set the attributes.
+         exit 0
       fi
 
       # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
@@ -103,6 +108,26 @@ case "$state_should" in
          fi
       done
    ;;
+   pre-exists)
+      case $type in
+         directory)
+            # all good
+            exit 0
+         ;;
+         none)
+            printf 'Directory "%s" does not exist\n' "$destination" >&2
+            exit 1
+         ;;
+         file|symlink)
+            printf 'File "%s" exists and is a %s, but should be a directory\n' "$destination" "$type" >&2
+            exit 1
+         ;;
+         *)
+            printf 'File or directory "%s" is in an unknown state\n' "$destination" >&2
+            exit 1
+         ;;
+      esac
+   ;;
    absent)
         if [ "$type" = "directory" ]; then
             echo "rm -rf '$destination'"

cdist/conf/type/__directory/man.rst

@@ -19,7 +19,18 @@ None.
 OPTIONAL PARAMETERS
 -------------------
 state
-   'present' or 'absent', defaults to 'present'
+   'present', 'absent', 'exists' or 'pre-exists', defaults to 'present' where:
+
+   present
+      the directory exists and the given attributes are set.
+   absent
+      the directory does not exist.
+   exists
+      the directory exists, but its attributes are not altered if it already
+      existed.
+   pre-exists
+      check that the directory exists and is indeed a directory, but do not
+      create or modify it.
 
 group
    Group to chgrp to.
@@ -36,7 +47,7 @@ BOOLEAN PARAMETERS
 parents
    Whether to create parents as well (mkdir -p behaviour).
    Warning: all intermediate directory permissions default
-   to whatever mkdir -p does. 
+   to whatever mkdir -p does.
 
    Usually this means root:root, 0700.
 

cdist/conf/type/__file/explorer/stat

@@ -2,6 +2,7 @@
 #
 # 2013 Steven Armstrong (steven-cdist armstrong.cc)
 # 2019 Nico Schottelius (nico-cdist at schottelius.org)
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@@ -21,29 +22,54 @@
 
 destination="/$__object_id"
 
+fallback() {
+   # Fallback: Patch the output together, manually.
+
+   ls_line=$(ls -ldn "$destination")
+
+   uid=$(echo "$ls_line" | awk '{ print $3 }')
+   gid=$(echo "$ls_line" | awk '{ print $4 }')
+
+   owner=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/passwd)
+   group=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
+
+   mode_text=$(echo "$ls_line" | awk '{ print $1 }')
+   mode=$(echo "$mode_text" | awk '{ k=0; for (i=0; i<=8; i++) k += ((substr($1, i+2, 1) ~ /[rwx]/) * 2^(8-i)); printf("%0o", k) }')
+
+   size=$(echo "$ls_line" | awk '{ print $5 }')
+   links=$(echo "$ls_line" | awk '{ print $2 }')
+
+   printf 'type: %s\nowner: %d %s\ngroup: %d %s\nmode: %s %s\nsize: %d\nlinks: %d\n' \
+      "$("$__type_explorer/type")" \
+      "$uid" "$owner" \
+      "$gid" "$group" \
+      "$mode" "$mode_text" \
+      "$size" \
+      "$links"
+}
+
+
 # nothing to work with, nothing we could do
 [ -e "$destination" ] || exit 0
 
-os=$("$__explorer/os")
-case "$os" in
-   "freebsd"|"netbsd"|"openbsd"|"macosx")
+
+if ! command -v stat >/dev/null
+then
+   fallback
+   exit
+fi
+
+
+case $("$__explorer/os")
+in
+   freebsd|netbsd|openbsd|macosx)
       stat -f "type: %HT
 owner: %Du %Su
 group: %Dg %Sg
 mode: %Lp %Sp
 size: %Dz
 links: %Dl
-" "$destination" | awk '/^type/ { print tolower($0); next; } { print; }'
-      ;;
-   alpine)
-       # busybox stat
-      stat -c "type: %F
-owner: %u %U
-group: %g %G
-mode: %a %A
-size: %s
-links: %h
-" "$destination"
+" "$destination" | awk '/^type/ { print tolower($0); next } { print }'
       ;;
     solaris)
         ls1="$( ls -ld "$destination" )"
@@ -77,12 +103,14 @@ links: %h
         echo "links: $( echo "$ls1" | awk '{print $2}' )"
     ;;
    *)
-      stat --printf="type: %F
+      # NOTE: Do not use --printf here as it is not supported by BusyBox stat.
+      # NOTE: BusyBox's stat might not support the "-c" option, in which case
+      #       we fall through to the shell fallback.
+      stat -c "type: %F
 owner: %u %U
 group: %g %G
 mode: %a %A
 size: %s
-links: %h
-" "$destination"
-      ;;
+links: %h" "$destination" 2>/dev/null || fallback
+         ;;
 esac

cdist/conf/type/__file/gencode-local

@@ -31,12 +31,24 @@ if [ "$state_should" = "pre-exists" ]; then
       exit 1
    fi
 
-   if [ "$type" = "file" ]; then
-      exit 0 # nothing to do
-   else
-      echo "File \"$destination\" does not exist"
-      exit 1
-   fi
+   case $type in
+      file)
+         # nothing to do
+         exit 0
+      ;;
+      none)
+         printf 'File "%s" does not exist\n' "$destination" >&2
+         exit 1
+      ;;
+      directory|symlink)
+         printf 'File "%s" exists and is a %s, but should be a regular file\n' "$destination" "$type" >&2
+         exit 1
+      ;;
+      *)
+         printf 'File or directory "%s" is in an unknown state\n' "$destination" >&2
+         exit 1
+      ;;
+   esac
 fi
 
 upload_file=

cdist/conf/type/__file/gencode-remote

@@ -55,37 +55,41 @@ set_owner() {
 }
 
 set_mode() {
-   echo "chmod '$1' '$destination'"
-   echo "chmod '$1'" >> "$__messages_out"
-   fire_onchange=1
+    echo "chmod '$1' '$destination'"
+    echo "chmod '$1'" >> "$__messages_out"
+    fire_onchange=1
 }
 
 case "$state_should" in
-    present|exists|pre-exists)
-    # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
-    #  clearing S_ISUID and S_ISGID bits (see chown(2))
-    for attribute in group owner mode; do
-        if [ -f "$__object/parameter/$attribute" ]; then
-            value_should="$(cat "$__object/parameter/$attribute")"
+    present|exists)
+        # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
+        #  clearing S_ISUID and S_ISGID bits (see chown(2))
+        for attribute in group owner mode; do
+            if [ -f "$__object/parameter/$attribute" ]; then
+                value_should="$(cat "$__object/parameter/$attribute")"
 
-            # change 0xxx format to xxx format => same as stat returns
-            if [ "$attribute" = mode ]; then
-                value_should="$(echo "$value_should" | sed 's/^0\(...\)/\1/')"
-            fi
-            
-            value_is="$(get_current_value "$attribute" "$value_should")"
-            if [ -f "$__object/files/set-attributes" ] || [ "$value_should" != "$value_is" ]; then
-                "set_$attribute" "$value_should"
+                # change 0xxx format to xxx format => same as stat returns
+                if [ "$attribute" = mode ]; then
+                    value_should="$(echo "$value_should" | sed 's/^0\(...\)/\1/')"
+                fi
+
+                value_is="$(get_current_value "$attribute" "$value_should")"
+                if [ -f "$__object/files/set-attributes" ] || [ "$value_should" != "$value_is" ]; then
+                    "set_$attribute" "$value_should"
+                fi
             fi
+        done
+        if [ -f "$__object/files/set-attributes" ]; then
+            # set-attributes is created if file is created or uploaded in gencode-local
+            fire_onchange=1
         fi
-    done
-    if [ -f "$__object/files/set-attributes" ]; then
-        # set-attributes is created if file is created or uploaded in gencode-local
-        fire_onchange=1
-    fi
-
     ;;
 
+    pre-exists)
+        # pre-exists should never reach gencode-remote…
+        exit 1
+   ;;
+
     absent)
         if [ "$type" = "file" ]; then
             echo "rm -f '$destination'"
@@ -101,7 +105,7 @@ case "$state_should" in
 esac
 
 if [ -f "$__object/parameter/onchange" ]; then
-   if [ -n "$fire_onchange" ]; then
-      cat "$__object/parameter/onchange"
-   fi
+    if [ -n "$fire_onchange" ]; then
+        cat "$__object/parameter/onchange"
+    fi
 fi

cdist/conf/type/__letsencrypt_cert/man.rst

@@ -59,13 +59,13 @@ MESSAGES
 --------
 
 change
-    Certificte was changed.
+    Certificate was changed.
 
 create
-    Certificte was created.
+    Certificate was created.
 
 remove
-    Certificte was removed.
+    Certificate was removed.
 
 EXAMPLES
 --------

cdist/conf/type/__mysql_privileges/explorer/state

@@ -30,7 +30,7 @@ host="$( cat "$__object/parameter/host" )"
 
 check_privileges="$( 
     mysql -B -N -e "show grants for '$user'@'$host'" \
-        | grep -Ei "^grant $privileges on .$database.\..$table. to " || true )"
+        | grep -Ei "^grant $privileges on .$database.\..?$table.? to " || true )"
 
 if [ -n "$check_privileges" ]
 then

cdist/conf/type/__mysql_privileges/gencode-remote

@@ -37,13 +37,19 @@ user="$( cat "$__object/parameter/user" )"
 
 host="$( cat "$__object/parameter/host" )"
 
+if [ "$table" != '*' ]
+then
+    # shellcheck disable=SC2016
+    table="$( printf '`%s`' "$table" )"
+fi
+
 case "$state_should" in
     present)
-        echo "mysql -e 'grant $privileges on \`$database\`.\`$table\` to \`$user\`@\`$host\`'"
+        echo "mysql -e 'grant $privileges on \`$database\`.$table to \`$user\`@\`$host\`'"
         echo "grant $privileges on $database.$table to $user@$host" >> "$__messages_out"
     ;;
     absent)
-        echo "mysql -e 'revoke $privileges on \`$database\`.\`$table\` from \`$user\`@\`$host\`'"
+        echo "mysql -e 'revoke $privileges on \`$database\`.$table from \`$user\`@\`$host\`'"
         echo "revoke $privileges on $database.$table from $user@$host" >> "$__messages_out"
     ;;
 esac

cdist/conf/type/__mysql_privileges/man.rst

@@ -17,7 +17,7 @@ REQUIRED PARAMETERS
 database
    Name of database.
 
-User
+user
    Name of user.
 
 

cdist/conf/type/__network_interface/files/debian/00000-wait-for-ip

@@ -1,38 +0,0 @@
-#!/bin/sh
-#
-# workaround the bloody upstart race conditions
-# by delaying the emission of the net-device-up signal until the interface is
-# really up and configured.
-#
-# environment variables:
-# METHOD=dhcp
-# MODE=start
-# LOGICAL=eth0
-# PHASE=post-up
-# ADDRFAM=inet
-# VERBOSITY=0
-# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-# IF_METRIC=100
-# IFACE=eth0
-# PWD=/root
-
-# nothing to do for loopback
-[ "$IFACE" = lo ] && exit 0
-
-LOG_FILE="/tmp/wait-for-ip-${IFACE}.log"
-cp /dev/null $LOG_FILE
-RETRY=20
-index=0
-
-if [ "$ADDRFAM" = "inet" -a "$METHOD" = "dhcp" ]; then
-   until [ -n "$ip" -o $index -eq $RETRY ]; do
-      ip=$(ip -o -family inet addr show dev $IFACE | awk '{split($4, a, "/"); print a[1]}')
-      index=$((index+1))
-      sleep 0.5
-   done
-   if [ -n "$ip" ]; then
-      echo "Interface $IFACE is up with ip $ip after $index of $RETRY tries." >> $LOG_FILE
-   else
-      echo "Interface $IFACE failed to come up with an ip address, giving up after $RETRY tries." >> $LOG_FILE
-   fi
-fi

cdist/conf/type/__network_interface/files/debian/ifupdown-symmetric-routing

@@ -1,64 +0,0 @@
-#!/bin/sh
-#
-# See 'IFACE OPTIONS' in interfaces(5) for available variables.
-#
-
-DEBUG=
-#DEBUG=1
-debug() {
-   if [ "$DEBUG" ]; then
-      echo "[DEBUG] $@" >&2
-   fi
-}
-
-interface="$IFACE"
-
-# noop for loopback
-[ "$interface" = "lo" ] && exit 0
-
-# only work with ipv4
-[ "$ADDRFAM" = "inet" ] || exit 0
-
-# Interface must be explicitly configured to do symmetric routing.
-[ "${IF_SYMMETRIC_ROUTING:-no}" = "no" ] && exit 0
-
-
-case "$MODE" in
-   start)
-      action="up"
-   ;;
-   stop)
-      action="down"
-   ;;
-esac
-
-case "$METHOD" in
-   dhcp)
-      LEASEFILE="/var/lib/dhcp/dhclient.${interface}.leases"
-      ip_address="$(awk '/fixed-address/ {sub(/;$/,""); print $2}' "$LEASEFILE" | tail -1)"
-      subnet_mask_or_prefix="$(awk '/option subnet-mask/ {sub(/;$/,""); print $3}' "$LEASEFILE" | tail -1)"
-      gateway="$(awk '/option routers/ {sub(/;$/,""); print $3}' "$LEASEFILE" | tail -1)"
-   ;;
-   static)
-      [ -n "$IF_ADDRESS" ] && ip_address="$IF_ADDRESS"
-      [ -n "$IF_NETMASK" ] && subnet_mask_or_prefix="$IF_NETMASK"
-      [ -n "$IF_GATEWAY" ] && gateway="$IF_GATEWAY"
-   ;;
-   *)
-      echo "Unknown/unsupported METHOD: $METHOD" >&2
-      exit 1
-   ;;
-esac
-
-debug "$interface -----"
-debug "action: $action"
-debug "interface: $interface"
-debug "ip_address: $ip_address"
-debug "subnet_mask_or_prefix: $subnet_mask_or_prefix"
-debug "gateway: $gateway"
-debug "/$interface -----"
-
-if [ -n "$action" -a -n "$interface" -a -n "$ip_address" -a -n "$subnet_mask_or_prefix" ]; then
-   symmetric-routing "$action" "$interface" "$ip_address" "$subnet_mask_or_prefix" "$gateway"
-fi
-

cdist/conf/type/__network_interface/files/debian/interfaces

@@ -1,9 +0,0 @@
-# Generated by cdist __network_interface
-# Changes will be overwritten.
-
-# loopback
-auto lo
-iface lo inet loopback
-
-# include per interface configurations
-source /etc/network/interfaces.d/*.conf

cdist/conf/type/__network_interface/files/debian/manifest

@@ -1,238 +0,0 @@
-#!/bin/sh -e
-#
-# 2012-2018 Steven Armstrong (steven-cdist at armstrong.cc)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-__package ifupdown
-# Use cumulus ifupdown2 instead of ifupown and ifenslave
-# ifupdown2 is currently not compatible with network-wait-online.
-#__package ifupdown \
-#   --name ifupdown2
-
-type_files="$__type/files/debian"
-mkdir "$__object/files"
-interface_filename="${__object_id}.conf"
-
-(
-cat << DONE
-# Created by cdist ${__type##*/}
-# Do not change. Changes will be overwritten.
-#
-
-DONE
-
-if [ -f "$__object/parameter/comment" ]; then
-    awk '{ print "# "$0 }' < "$__object/parameter/comment"
-fi
-
-if [ -f "$__object/parameter/onboot" ]; then
-   # shellcheck disable=SC2154
-   printf "auto %s\n" "$name"
-elif [ -f "$__object/parameter/hotplug" ]; then
-   # shellcheck disable=SC2154
-   printf "allow-hotplug %s\n" "$name"
-fi
-
-ignored_parameters="linkdelay"
-manually_handled_parameters="name comment extra-config state method onboot hotplug nodns noroute no-network-wait-online symmetric-routing bond-slaves"
-# shellcheck disable=SC2154
-case "$method" in
-   dhcp)
-      printf "iface %s inet %s\n" "$name" "$method"
-      ignored_parameters="$ignored_parameters address broadcast gateway netmask"
-   ;;
-   static|manual)
-      printf "iface %s inet %s\n" "$name" "$method"
-   ;;
-   *)
-      echo "Unsupported value for parameter --method. Got '$method'. See man page for supported values." >&2
-      exit 1
-   ;;
-esac
-
-for param in "$__object"/parameter/*; do
-   if echo "$ignored_parameters" | grep -w -q "$param"; then
-      continue
-   fi
-   if echo "$manually_handled_parameters" | grep -w -q "$param"; then
-      continue
-   fi
-
-   if [ -f "$type_files/name-map" ]; then
-      key="$(awk -v param="$param" '{ if ($1 == param) {print $2;} else { print param;} }' "$type_files/name-map")"
-   else
-      key="$param"
-   fi
-   printf "  %s %s\n" "$key" "$(cat "$__object/parameter/$param")"
-done
-
-if [ -f "$__object/parameter/bond-mode" ] || [ -f "$__object/parameter/bond-primary" ]; then
-   # Note: ifenslave is not needed when using ifupdown2
-   # install package required for bonding
-   __package ifenslave
-   if [ -f "$__object/parameter/bond-slaves" ]; then
-      printf '  bond-slaves %s\n' "$(cat "$__object/parameter/bond-slaves")"
-   else
-      # need this or the slave tries to bring the master up, but the master hangs waiting for a slave
-      printf '  bond-slaves none\n'
-   fi
-fi
-
-if [ -f "$__object/parameter/no-network-wait-online" ]; then
-   # Do not consider this interface in network-wait-online.service
-   printf '  no-network-wait-online yes\n'
-fi
-
-if [ -f "$__object/parameter/symmetric-routing" ]; then
-   # Deploy scripts that implement the feature ...
-   __file /sbin/symmetric-routing \
-      --owner root --group root --mode 0755 \
-      --source "$__type/files/symmetric-routing"
-   require="__package/ifupdown __file/sbin/symmetric-routing" \
-      __file /etc/network/if-up.d/symmetric-routing \
-         --owner root --group root --mode 0755 \
-         --source "$__type/files/debian/ifupdown-symmetric-routing"
-   require="__package/ifupdown __file/etc/network/if-up.d/symmetric-routing" \
-      __link /etc/network/if-down.d/symmetric-routing \
-         --type symbolic \
-         --source ../if-up.d/symmetric-routing
-   # ... then enable it in interface stanza file.
-   printf '  symmetric-routing yes\n'
-fi
-
-# shellcheck disable=SC2154
-if [ -n "$vlan" ] && [ -n "$device" ]; then
-   # Explicit parent interface for vlans
-   printf '  vlan-raw-device %s\n' "$device"
-fi
-
-if [ -f "$__object/parameter/extra-config" ]; then
-   extra_config="$(cat "$__object/parameter/extra-config")"
-   if [ "$extra_config" = "-" ]; then
-      extra_config="$__object/stdin"
-   fi
-   awk '{print "  " $0}' "$extra_config"
-fi
-
-) >> "$__object/files/$interface_filename"
-
-__directory /etc/network \
-   --state present \
-   --owner root \
-   --group root \
-   --mode 755
-
-require="__directory/etc/network" \
-   __directory /etc/network/interfaces.d \
-      --state present \
-      --owner root \
-      --group root \
-      --mode 755
-
-require="__directory/etc/network" \
-   __file /etc/network/interfaces \
-      --source "$type_files/interfaces" \
-      --owner root \
-      --group root \
-      --mode 644
-
-# shellcheck disable=SC2154
-require="__file/etc/network/interfaces __directory/etc/network/interfaces.d" \
-   __file "/etc/network/interfaces.d/$interface_filename" \
-      --owner root \
-      --group root \
-      --mode 644 \
-      --source "$__object/files/$interface_filename" \
-      --state "$state"
-
-
-if [ "$method" = "dhcp" ] && [ -f "$__object/parameter/noroute" ]; then
-(
-cat << DONE
-# Created by cdist ${__type##*/}
-# Do not change. Changes will be overwritten.
-#
-
-if [ "\$interface" = "$name" ]; then
-
-case "\$reason" in
-   BOUND|RENEW|REBIND|REBOOT)
-      # prevent default gateway to be set by this interface
-      unset new_routers
-   ;;
-esac
-
-fi
-DONE
-) | \
-__file "/etc/dhcp/dhclient-enter-hooks.d/cdist-__network_interface-${name}-noroute" \
-   --owner root \
-   --group root \
-   --mode 644 \
-   --source - \
-   --state "$state"
-fi # end noroute
-
-if [ "$method" = "dhcp" ] && [ -f "$__object/parameter/nodns" ]; then
-(
-cat << DONE
-# Created by cdist ${__type##*/}
-# Do not change. Changes will be overwritten.
-#
-
-if [ "\$interface" = "$name" ]; then
-
-# Prevent /etc/resolv.conf from being changed by this interface
-# by overriding the default 'make_resolv_conf' function.
-make_resolv_conf(){
-   :
-}
-
-fi
-DONE
-) | \
-__file "/etc/dhcp/dhclient-enter-hooks.d/cdist-__network_interface-${name}-nodns" \
-   --owner root \
-   --group root \
-   --mode 644 \
-   --source - \
-   --state "$state"
-fi # end nodns
-
-
-os=$(cat "$__global/explorer/os")
-if [ "$os" = "ubuntu" ]; then
-   # workaround the bloody upstart race conditions
-   # by deploying a script that delays the emission of the net-device-up
-   # signal until the interface is really up and configured.
-   #script_name="00000-wait-for-ip"
-   #__file "/etc/network/if-up.d/$script_name" \
-   #   --owner root --group root --mode 755 \
-   #   --source "$type_files/$script_name"
-
-   # Deal with systemd network-online.target race conditions
-   require="__package/ifupdown" \
-      __file /etc/network/if-pre-up.d/network-online \
-         --owner root --group root --mode 0755 \
-         --source "$__type/files/debian/network-online"
-   require="__file/etc/network/if-pre-up.d/network-online" \
-      __link /etc/network/if-up.d/network-online \
-         --type symbolic \
-         --source ../if-pre-up.d/network-online
-fi
-

cdist/conf/type/__network_interface/files/debian/network-online

@@ -1,49 +0,0 @@
-#!/bin/sh
-#
-# See 'IFACE OPTIONS' in interfaces(5) for available variables.
-#
-
-DEBUG=
-#DEBUG=1
-debug() {
-   if [ "$DEBUG" ]; then
-      echo "[DEBUG] $@" >&2
-   fi
-}
-
-interface="$IFACE"
-
-# noop for loopback
-[ "$interface" = "lo" ] && exit 0
-
-# nothing usefull we could do for '--all'
-[ "$interface" = "--all" ] && exit 0
-
-# Interface is configured to not be considered by network-wait-online.service
-[ "${IF_NO_NETWORK_WAIT_ONLINE:-no}" = "yes" ] && exit 0
-
-
-case "$MODE" in
-   start)
-      action="up"
-   ;;
-   stop)
-      action="down"
-   ;;
-esac
-
-state_dir=/run/network-online-interfaces
-mkdir -p "$state_dir"
-
-case "$PHASE" in
-   pre-up)
-      # Create flag file to wait for in network-wait-online.service
-      touch "$state_dir/$interface"
-   ;;
-   post-up)
-      # This interface is up!
-      # Remove the flag file that was created in /sbin/ifup-pre-local
-      # so that the network-wait-online.service can reach the network-online.target
-      rm -rf "$state_dir/$interface"
-   ;;
-esac

cdist/conf/type/__network_interface/files/network-wait-online.service

@@ -1,17 +0,0 @@
-[Unit]
-Description=Wait for network to be configured
-Documentation=man:ifup(8)
-DefaultDependencies=no
-Conflicts=shutdown.target
-After=%NETWORK_SERVICE_NAME%
-Before=network-online.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-TimeoutStartSec=3min
-ExecStart=/bin/sh -ec 'while [ "$(ls -1 /run/network-online-interfaces/)" ]; do sleep 1; done'
-
-[Install]
-WantedBy=network-online.target
-

cdist/conf/type/__network_interface/files/redhat/ifup-pre-local

@@ -1,39 +0,0 @@
-#!/bin/sh
-
-#echo "/sbin/ifup-pre-local" >&2
-#set -x
-
-config="$1"
-interface="$1"
-
-cd /etc/sysconfig/network-scripts
-. ./network-functions
-
-[ -f ../network ] && . ../network
-
-need_config "$config"
-
-source_config
-
-# If not started at boot we don't care
-[ "${ONBOOT:-no}" = "no" ] && exit 0
-
-# noop for loopback
-[ "$DEVICE" = "lo" ] && exit 0
-
-state_dir=/run/network-online-interfaces
-mkdir -p "$state_dir"
-
-if [ "${NO_NETWORK_WAIT_ONLINE:-no}" = "no" ]; then
-   # remember device for later use in network-wait-online.service
-   touch "$state_dir/$DEVICE"
-fi
-
-# hackaround bugs in /etc/sysconfig/network-scripts/ifup
-wait_for_device=20
-index=0
-until [ -d "/sys/class/net/$DEVICE" -o $index -eq $wait_for_device ]; do
-   echo "waiting for /sys/class/net/$DEVICE $index/$wait_for_device" >&2
-   sleep 1
-   index=$(($index + 1))
-done

cdist/conf/type/__network_interface/files/redhat/ifupdown-local

@@ -1,84 +0,0 @@
-#!/bin/sh
-
-myname="${0##*/}"
-
-case "$myname" in
-   ifup-local)
-      action="up"
-   ;;
-   ifdown-local|ifdown-pre-local)
-      action="down"
-   ;;
-   *)
-      echo "Unable to determine action from script name: $myname" >&2
-      exit 1
-   ;;
-esac
-
-DEBUG=
-#DEBUG=1
-debug() {
-   if [ "$DEBUG" ]; then
-      echo "[DEBUG] $@" >&2
-   fi
-}
-
-interface="$1"
-
-# noop for loopback
-[ "$interface" = "lo" ] && exit 0
-
-
-cd /etc/sysconfig/network-scripts
-. ./network-functions
-
-[ -f ../network ] && . ../network
-
-need_config "$interface"
-source_config
-
-case "${BOOTPROTO}" in
-   bootp|dhcp)
-      generate_lease_file_name
-      ip_address="$(awk '/fixed-address/ {sub(/;$/,""); print $2}' "$LEASEFILE" | tail -1)"
-      subnet_mask_or_prefix="$(awk '/option subnet-mask/ {sub(/;$/,""); print $3}' "$LEASEFILE" | tail -1)"
-      gateway="$(awk '/option routers/ {sub(/;$/,""); print $3}' "$LEASEFILE" | tail -1)"
-   ;;
-   none)
-      # No ip address set -> nothing we could do
-      [ -n "$IPADDR" ] && ip_address="$IPADDR"
-      [ -n "$PREFIX" ] && subnet_mask_or_prefix="$PREFIX" || {
-         [ -n "$NETMASK" ] && subnet_mask_or_prefix="$NETMASK"
-      }
-      [ -n "$GATEWAY" ] && gateway="$GATEWAY"
-   ;;
-   *)
-      echo "Unknown/unsupported BOOTPROTO: $BOOTPROTO" >&2
-      exit 1
-   ;;
-esac
-
-debug "$interface -----"
-debug "action: $action"
-debug "interface: $interface"
-debug "ip_address: $ip_address"
-debug "subnet_mask_or_prefix: $subnet_mask_or_prefix"
-debug "gateway: $gateway"
-debug "/$interface -----"
-
-# Interface must be explicitly configured to do symmetric routing.
-if [ "${SYMMETRIC_ROUTING:-no}" = "yes" ]; then
-   if [ -n "$action" -a -n "$interface" -a -n "$ip_address" -a -n "$subnet_mask_or_prefix" ]; then
-      symmetric-routing "$action" "$interface" "$ip_address" "$subnet_mask_or_prefix" "$gateway"
-   fi
-fi
-
-case "$action" in
-   up)
-      # This interface is up!
-      # Remove the flag file that was created in /sbin/ifup-pre-local
-      # so that the network-wait-online.service can reach the network-online.target
-      state_dir=/run/network-online-interfaces
-      rm -rf "$state_dir/$interface"
-   ;;
-esac

cdist/conf/type/__network_interface/files/redhat/manifest

@@ -1,175 +0,0 @@
-#!/bin/sh -e
-#
-# 2014 Steven Armstrong (steven-cdist at armstrong.cc)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-type_files="$__type/files/redhat"
-mkdir "$__object/files"
-# shellcheck disable=SC2154
-interface_filename="ifcfg-${name}"
-
-(
-cat << DONE
-# Created by cdist ${__type##*/}
-# Do not change. Changes will be overwritten.
-#
-
-DONE
-
-if [ -f "$__object/parameter/comment" ]; then
-    awk '{ print "# "$0 }' < "$__object/parameter/comment"
-fi
-
-printf 'DEVICE="%s"\n' "$name"
-printf 'NM_CONTROLLED=no\n'
-printf 'USERCTL=no\n'
-
-if [ -f "$__object/parameter/onboot" ]; then
-   printf 'ONBOOT=yes\n'
-else
-   printf 'ONBOOT=no\n'
-fi
-if [ -f "$__object/parameter/hotplug" ]; then
-   printf 'HOTPLUG=yes\n'
-else
-   printf 'HOTPLUG=no\n'
-fi
-if [ -f "$__object/parameter/nodns" ]; then
-   printf 'PEERDNS=no\n'
-else
-   printf 'PEERDNS=yes\n'
-fi
-if [ -f "$__object/parameter/noroute" ]; then
-   printf 'DEFROUTE=no\n'
-else
-   printf 'DEFROUTE=yes\n'
-fi
-if [ -f "$__object/parameter/no-network-wait-online" ]; then
-   printf 'NO_NETWORK_WAIT_ONLINE=yes\n'
-fi
-if [ -f "$__object/parameter/symmetric-routing" ]; then
-   # Deploy scripts that implement the feature ...
-   __file /sbin/symmetric-routing \
-      --owner root --group root --mode 0755 \
-      --source "$__type/files/symmetric-routing"
-   # ... then enable it in interface cfg file.
-   printf 'SYMMETRIC_ROUTING=yes\n'
-fi
-
-ignored_parameters=""
-manually_handled_parameters="name comment extra-config state method onboot hotplug nodns noroute no-network-wait-online symmetric-routing"
-# shellcheck disable=SC2154
-case "$method" in
-   dhcp)
-      printf 'BOOTPROTO=dhcp\n'
-      ignored_parameters="$ignored_parameters address broadcast gateway netmask"
-   ;;
-   static|manual)
-      printf 'BOOTPROTO=none\n'
-   ;;
-   *)
-      echo "Unsupported value for parameter --method. Got '$method'. See man page for supported values." >&2
-      exit 1
-   ;;
-esac
-
-for param in "$__object"/parameter/*; do
-   if echo "$ignored_parameters" | grep -w -q "$param"; then
-      continue
-   fi
-   if echo "$manually_handled_parameters" | grep -w -q "$param"; then
-      continue
-   fi
-
-   case "$param" in
-      bond-master)
-         # if someone is my master, I am a slave
-         printf 'SLAVE=yes\n'
-         printf 'MASTER=%s\n' "$(cat "$__object/parameter/$param")"
-      ;;
-      bond-*)
-         key="$(echo "${param#*bond-}" | tr - _)"
-         if [ "$param" = "bond-arp-ip-target" ]; then
-            value="$(tr '\n' , < "$__object/parameter/$param")"
-            # strip trailing comma
-            value="${value%,}"
-         else
-            value="$(cat "$__object/parameter/$param")"
-         fi
-         printf '%s=%s\n' "$key" "$value" >> "$__object/files/bonding_opts"
-      ;;
-      *)
-         # check for redhat specific name for this parameter
-         if [ -f "$type_files/name-map" ]; then
-            key="$(awk -v param="$param" '{ if ($1 == param) {print $2;} else { print param;} }' "$type_files/name-map")"
-         else
-            key="$param"
-         fi
-         # redhat likes things uppercase
-         key="$(echo "$key" | tr '[:lower:]' '[:upper:]')"
-         printf '%s=%s\n' "$key" "$(cat "$__object/parameter/$param")"
-      ;;
-   esac
-done
-if [ -f "$__object/files/bonding_opts" ]; then
-   value="$(tr '\n' ' ' < "$__object/files/bonding_opts")"
-   # strip trailing space
-   value="${value% }"
-   printf 'BONDING_OPTS="%s"\n' "$value"
-fi
-
-# shellcheck disable=SC2154
-if [ -n "$vlan" ] && [ -n "$device" ]; then
-   # Enable vlan for this interface
-   printf 'VLAN=yes\n'
-fi
-
-if [ -f "$__object/parameter/extra-config" ]; then
-   extra_config="$(cat "$__object/parameter/extra-config")"
-   if [ "$extra_config" = "-" ]; then
-      extra_config="$__object/stdin"
-   fi
-   cat "$extra_config"
-fi
-
-
-) >> "$__object/files/$interface_filename"
-
-# shellcheck disable=SC2154
-__file "/etc/sysconfig/network-scripts/$interface_filename" \
-   --owner root \
-   --group root \
-   --mode 644 \
-   --source "$__object/files/$interface_filename" \
-   --state "$state"
-
-# Deploy helper scripts
-__file /sbin/ifupdown-local \
-   --owner root --group root --mode 0755 \
-   --source "$__type/files/redhat/ifupdown-local"
-require="__file/sbin/ifupdown-local" \
-   __link /sbin/ifup-local \
-      --type symbolic \
-      --source ./ifupdown-local
-require="__file/sbin/ifupdown-local" \
-   __link /sbin/ifdown-pre-local \
-      --type symbolic \
-      --source ./ifupdown-local
-__file /sbin/ifup-pre-local \
-   --owner root --group root --mode 0755 \
-   --source "$__type/files/redhat/ifup-pre-local"

cdist/conf/type/__network_interface/files/redhat/name-map

@@ -1 +0,0 @@
-address ipaddr

cdist/conf/type/__network_interface/files/symmetric-routing

@@ -1,240 +0,0 @@
-#!/bin/sh
-#
-
-set -e
-
-error() {
-   echo "[ERROR] $@" >&2
-}
-die() {
-   error "$@"
-   exit 1
-}
-info() {
-   echo "[INFO] $@" >&2
-}
-debug() {
-   if [ "$DEBUG" ]; then
-      echo "[DEBUG] $@" >&2
-   fi
-}
-
-usage() {
-   cat << EOS 1>&2
-Usage: ${0##*/} [OPTIONS] ACTION INTERFACE IP_ADDRESS SUBNET_MASK_OR_PREFIX [GATEWAY]
-(see -h for more information)
-EOS
-}
-
-help() {
-   usage 2>&1 | head -n -1 1>&2
-
-   cat << EOS 1>&2
-
-Setup policy based routing for the given interface
-to ensure symmetric routing.
-
-ACTION must be either 'up' or 'down' to add respectively remove the
-routing table entries.
-
-Options:
-    -h    show this help message
-    -d    run in debug mode
-    -x    run with 'set -x' set
-    -n    no action, just show what would be done without doing it
-
-Examples:
-   ${0##*/} up eth1 192.168.42.23 255.255.255.0 192.168.0.1
-   ${0##*/} down eth1 192.168.42.23 255.255.255.0 192.168.0.1
-   # gateway is optional
-   ${0##*/} up eth1 192.168.42.23 255.255.255.0
-   ${0##*/} down eth1 192.168.42.23 255.255.255.0
-   # same but using prefix instead of subnet mask
-   ${0##*/} up eth1 192.168.42.23 24 192.168.0.1
-   ${0##*/} down eth1 192.168.42.23 24 192.168.0.1
-
-EOS
-}
-
-die_usage() {
-   error "$@"
-   usage
-   exit 1
-}
-
-
-### Utility functions
-
-# Convert ip to int.
-ip2int() {
-   _ip="$1"
-   { IFS=. read _a _b _c _d; } << _done
-$_ip
-_done
-   echo $(((((((_a << 8) | _b) << 8) | _c) << 8) | _d))
-   unset _ip _a _b _c _d
-}
-
-# Convert int to ip.
-int2ip() {
-   _ui32=$1; shift
-   _ip=
-   for _n in 1 2 3 4; do
-      _ip=$((_ui32 & 0xff))${_ip:+.}$_ip
-      _ui32=$((_ui32 >> 8))
-   done
-   echo $_ip
-   unset _ui32 _ip _n
-}
-
-# Convert the given prefix into a subnet mask.
-mask_from_prefix() {
-   _prefix="$1"
-   _mask=$((0xffffffff << (32 - $_prefix)))
-   int2ip $_mask
-   unset _prefix _mask
-}
-
-# Calculate network number from the given ip and prefix.
-network_from_ip_and_prefix() {
-   _ip="$1"
-   _prefix="$2"
-   _addr=$(ip2int $_ip)
-   _mask=$((0xffffffff << (32 - $_prefix)))
-   int2ip $((_addr & _mask))
-   unset _ip _prefix _addr _mask
-}
-
-# Calculate number of bits in the given subnet mask.
-prefix_from_mask() {
-   # Assumes there's no "255." after a non-255 byte in the mask
-   _mask="$1"
-   _x=${_mask##*255.}
-   set -- 0^^^128^192^224^240^248^252^254^ $(( (${#1} - ${#_x})*2 )) ${_x%%.*}
-   _x=${1%%$3*}
-   echo $(( $2 + (${#_x}/4) ))
-   unset _mask _x
-}
-
-rt_tables=/etc/iproute2/rt_tables
-#rt_tables=/tmp/rt_tables
-# Get and if required create a routing table for the given table name.
-table_id_from_name() {
-   _interface="$1"
-   _table_id=$(awk -vname=$_interface '{ if ($2 == name) print $1 }' "$rt_tables")
-   if [ -z "$_table_id" ]; then
-      # find unused table id and create a new table for this interface
-      _used_ids=$(awk '$1 !~ /^(#| |255|254|253|0)/ { print $1 }' "$rt_tables")
-      for _tid in $(seq 1 252); do
-         if echo "$_used_ids" | grep -q "$_tid"; then
-            continue
-         else
-            _table_id="$_tid"
-            [ $NOACTION ] || printf '%s %s\n' "$_table_id" "$_interface" >> "$rt_tables"
-            break
-         fi
-      done
-   fi
-   echo "$_table_id"
-   unset _interface _table_id _used_ids _tid
-}
-
-
-### Parse command line arguments
-
-NOACTION=
-DEBUG=
-SETX=
-while getopts "ndxh" options
-do
-   #echo "$flag" $OPTIND $OPTARG
-   case $options in
-      n) NOACTION=1;;
-      d) DEBUG=1;;
-      x) SETX=1;;
-      ?|h) help
-         exit 0
-      ;;
-      *) usage
-         exit 1
-      ;;
-   esac
-done
-# Strip arguments allready handled by getopts
-shift $((OPTIND-1))
-
-[ "$SETX" ] && set -x
-
-# Validate arguments
-[ "$#" -ge 4 ] || die_usage "Expected at least 4 arguments, got: $#"
-
-action="$1" # up | down
-interface="$2"
-ip_address="$3"
-subnet_mask_or_prefix="$4"
-gateway="$5"
-
-debug "action: $action"
-debug "interface: $interface"
-debug "ip_address: $ip_address"
-debug "subnet_mask_or_prefix: $subnet_mask_or_prefix"
-debug "gateway: $gateway"
-
-
-case "$subnet_mask_or_prefix" in
-   *.*)
-      # has a dot, must be a subnet mask
-      subnet_mask="$subnet_mask_or_prefix"
-      prefix=$(prefix_from_mask "$subnet_mask")
-      network="$(network_from_ip_and_prefix "$ip_address" "$prefix")"
-   ;;
-   *)
-      # no dot, must be prefix
-      prefix="$subnet_mask_or_prefix"
-      subnet_mask="$(mask_from_prefix "$prefix")"
-      network="$(network_from_ip_and_prefix "$ip_address" "$prefix")"
-   ;;
-esac
-
-table_name="$interface"
-table_id="$(table_id_from_name "$table_name")"
-
-debug "subnet_mask: $subnet_mask"
-debug "prefix: $prefix"
-debug "network: $network"
-debug "table_name: $table_name"
-debug "table_id: $table_id"
-
-(
-case "$action" in
-   up)
-      # setup routing table for interface
-      printf 'ip route add "%s/%s" dev "%s" proto static src "%s" table "%s"\n' \
-         "$network" "$prefix" "$interface" "$ip_address" "$table_name"
-      if [ -n "$gateway" ]; then
-         printf 'ip route add default via "%s" table "%s"\n' "$gateway" "$table_name"
-      fi
-      printf 'ip rule add from "%s" table "%s"\n' "$ip_address" "$table_name"
-   ;;
-   down)
-      printf 'ip rule del from "%s" table "%s"\n' "$ip_address" "$table_name"
-      if [ -n "$gateway" ]; then
-         printf 'ip route del default via "%s" table "%s"\n' "$gateway" "$table_name"
-      fi
-      printf 'ip route del "%s/%s" dev "%s" proto static src "%s" table "%s"\n' \
-         "$network" "$prefix" "$interface" "$ip_address" "$table_name"
-   ;;
-   *)
-      echo "Unknown action: $action" >&2
-      exit 1
-   ;;
-esac
-# tell the kernel that it needs to re-parse the policy database
-printf 'ip route flush cache\n'
-) | (
-   if [ "$NOACTION" ]; then
-      cat
-   else
-      /bin/sh -s
-   fi
-)

cdist/conf/type/__network_interface/man.rst

@@ -1,200 +0,0 @@
-cdist-type__network_interface(7)
-================================
-
-NAME
-----
-cdist-type__network_interface - configure network interfaces
-
-
-DESCRIPTION
------------
-Configures network interfaces on debian an redhat based systems.
-Interface names containing a dot are assumed to be vlan tagged sub interfaces.
-e.g. eth0.10 is vlan 10 on physical device eth0.
-
-Note that this type rewrites network interface files.
-
-
-REQUIRED PARAMETERS
--------------------
-None.
-
-OPTIONAL PARAMETERS
--------------------
-name
-    The name of the physical or logical network device.
-    Defaults to __object_id.
-
-method
-    The method for determining an IP address for the interface.
-    'dhcp', 'static' or 'manual'.
-    Defaults to 'dhcp'.
-
-address
-    The IP address of the network interface.
-    Only used if --method is not 'dhcp'.
-
-broadcast
-    Only used if --method is not 'dhcp'.
-
-comment
-    Comment.
-
-extra-config
-    Additional config that is added to the generated interfaces file verbatim.
-
-gateway
-    Default gateway (dotted quad).
-    Only used if --method is not 'dhcp'.
-
-netmask
-    The subnet mask to apply to the interface.
-    Only used if --method is not 'dhcp'.
-
-metric
-    Routing metric for the default gateway.
-
-mtu
-    The Maximum Transmission Unit size to use for the interface.
-
-state
-    'present' or 'absent', defaults to 'present'.
-
-bond-arp-interval
-    Specifies (in milliseconds) how often ARP monitoring occurs.
-
-bond-arp-ip-target
-    Specifies the target IP address of ARP requests when the arp_interval parameter is enabled.
-    Can be specified up to 16 times.
-
-bond-master
-    The name of the master (bonding) interface to which this slave should be enslaved.
-
-bond-miimon
-    Specifies (in milliseconds) how often MII link monitoring occurs.
-
-bond-mode
-    Allows you to specify the bonding policy. The value can be one of:
-
-    - balance-rr (0)
-    - active-backup (1)
-    - balance-xor (2)
-    - broadcast (3)
-    - 802.3ad (4)
-    - balance-tlb (5)
-    - balance-alb (6)
-
-bond-primary
-    Specifies the interface name, such as eth0, of the primary device.
-
-bond-slaves
-    The slave interfaces that form this bonding.
-
-linkdelay
-    Only useable on Redhat based systems.
-    Time in seconds that the system should pause after the specific interface
-    is enabled.  This may be useful if one interface is connected to a
-    switch which has spanning tree enabled and must wait for STP to
-    converge before the interface should be considered usable.
-
-BOOLEAN PARAMETERS
-------------------
-onboot
-    Whether to bring the interface up on boot.
-
-hotplug
-    Allow/disallow hotplug support for this interface.
-
-nodns
-    Do not configure nameservers in /etc/resolv.conf.
-
-noroute
-    Do not set default route.
-
-no-network-wait-online
-    Do not consider this network interface in the network-wait-online.service unit.
-
-symmetric-routing
-    Manage routing tables and rules to ensure symmetric routing.
-
-
-EXAMPLES
---------
-
-.. code-block:: sh
-
-    __network_interface eth0 --onboot
-
-    # Same thing, but explicitly define method
-    __network_interface eth0 --method dhcp --onboot
-
-    __network_interface eth1 \
-        --method static \
-        --address 192.168.42.23 \
-        --netmask 255.255.255.0 \
-        --gateway 192.168.42.1 \
-        --onboot
-
-    __network_interface eth3 --method dhcp --hotplug
-
-    # Don't wait for Infiniband interface to be up before reaching systemd network-online.target
-    __network_interface ib0 --method dhcp --no-network-wait-online
-
-    # active-backup bonding with 2 slaves
-    __network_interface bond0 \
-        --onboot \
-        --method static \
-        --bond-mode active-backup \
-        --bond-miimon 500 \
-        --bond-primary eth5 \
-        --address 10.205.9.65 \
-        --netmask 255.255.224.0
-
-    __network_interface eth5 \
-        --onboot \
-        --method manual \
-        --bond-master bond0
-
-    __network_interface eth6 \
-        --onboot \
-        --method manual \
-        --bond-master bond0
-
-    # extra config
-    __network_interface eth0 \
-        --method dhcp \
-        --extra-config - << DONE
-    post-up ip route add 10.205.0.0/19 via 10.205.161.1
-    post-up ip route add 10.205.96.0/19 via 10.205.161.1
-    pre-down ip route del 10.205.0.0/19 via 10.205.161.1
-    pre-down ip route del 10.205.96.0/19 via 10.205.161.1
-    DONE
-
-
-SEE ALSO
---------
-Redhat bonding documentation:
-
-* https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Using_Channel_Bonding.html
-* https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Using_Channel_Bonding.html
-* https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-networkscripts-interfaces-chan.html
-
-Debian bonding documentation
-
-* /usr/share/doc/ifenslave-2.6/README.Debian.gz
-
-Symmetric routing
-
-* http://www.microhowto.info/howto/ensure_symmetric_routing_on_a_server_with_multiple_default_gateways.html
-
-
-AUTHORS
--------
-Steven Armstrong <steven-cdist--@--armstrong.cc>
-
-COPYING
--------
-Copyright \(C) 2012-2016 Steven Armstrong. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.

cdist/conf/type/__network_interface/manifest

@@ -1,86 +0,0 @@
-#!/bin/sh -e
-#
-# 2012-2014 Steven Armstrong (steven-cdist at armstrong.cc)
-# 2020 Adapted for upstream cdist by Darko Poljak (darko.poljak at gmail.com)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-os=$(cat "$__global/explorer/os")
-osv="$(cat "$__global/explorer/os_version")"
-
-not_supported() {
-   echo "Your operating system ($os $osv) is currently not supported by this type (${__type##*/})." >&2
-   echo "Please contribute an implementation for it if you can." >&2
-   exit 1
-}
-
-case "$os" in
-   ubuntu)
-      osv_int="$(echo "$osv" | tr -d .)"
-      if [ "$osv_int" -lt 1110 ]; then
-         not_supported
-      fi
-      manifest_file="$__type/files/debian/manifest"
-      systemd_network_service_name="networking.service"
-   ;;
-   debian)
-      manifest_file="$__type/files/debian/manifest"
-      systemd_network_service_name="networking.service"
-   ;;
-   centos|redhat)
-      manifest_file="$__type/files/redhat/manifest"
-      systemd_network_service_name="network.service"
-   ;;
-   *)
-      not_supported
-   ;;
-esac
-
-name="$(cat "$__object/parameter/name" 2>/dev/null || echo "$__object_id")"
-method="$(cat "$__object/parameter/method")"
-state="$(cat "$__object/parameter/state")"
-
-device=
-vlan=
-case "$name" in
-   *.*)
-      device="${name%.*}"
-      vlan="${name#*.}"
-   ;;
-esac
-
-
-# export variables
-export name
-export device
-export vlan
-export method
-export state
-
-# run os specific manifest
-"$manifest_file"
-
-
-if grep -q systemd "$__global/explorer/init"; then
-   sed -e "s|%NETWORK_SERVICE_NAME%|${systemd_network_service_name}|" \
-      "$__type/files/network-wait-online.service" | \
-      __file /etc/systemd/system/network-wait-online.service \
-         --owner root --group root --mode 0644 \
-         --source -
-   require="__file/etc/systemd/system/network-wait-online.service" \
-      __start_on_boot network-wait-online
-fi

cdist/conf/type/__network_interface/parameter/boolean

@@ -1,6 +0,0 @@
-hotplug
-nodns
-noroute
-onboot
-no-network-wait-online
-symmetric-routing

cdist/conf/type/__network_interface/parameter/default/method

@@ -1 +0,0 @@
-dhcp

cdist/conf/type/__network_interface/parameter/optional

@@ -1,20 +0,0 @@
-address
-bond-arp-interval
-bond-arp-ip-target
-bond-master
-bond-miimon
-bond-mode
-bond-primary
-bond-slaves
-broadcast
-comment
-extra-config
-gateway
-linkdelay
-method
-metric
-mtu
-name
-netmask
-network
-state

cdist/conf/type/__package_apt/gencode-remote

@@ -74,6 +74,14 @@ fi
 
 case "$state_should" in
     present)
+        # following is bit ugly, but important hack.
+        # due to how cdist config run works, there isn't
+        # currently better way to do it :(
+        cat << EOF
+if [ ! -f /var/cache/apt/pkgcache.bin ] || [ "\$( stat --format %Y /var/cache/apt/pkgcache.bin )" -lt "\$( date +%s -d '-1 day' )" ]
+then echo apt-get update > /dev/null 2>&1 || true
+fi
+EOF
         if [ -n "$version" ]; then
             name="${name}=${version}"
         fi

cdist/conf/type/__package_apt/man.rst

@@ -11,6 +11,9 @@ DESCRIPTION
 apt-get is usually used on Debian and variants (like Ubuntu) to
 manage packages.
 
+This type will also update package index, if it is older
+than one day, to avoid missing package error messages.
+
 
 REQUIRED PARAMETERS
 -------------------

cdist/conf/type/__postgres_role/gencode-remote

@@ -54,7 +54,7 @@ case "$state_should" in
 
         [ -n "$password" ] && password="PASSWORD '$password'"
         cat << EOF
-su - '$postgres_user' -c "psql postgres -wc 'CREATE ROLE \"$name\" WITH $password $booleans;'"
+su - '$postgres_user' -c "psql postgres -wc \"CREATE ROLE \\\\\"$name\\\\\" WITH $password $booleans;\""
 EOF
     ;;
     absent)

cdist/conf/type/__service/explorer/service-manager

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Assume systemd if systemctl is in PATH.
+if [ "$(command -v systemctl)" ]; then
+	printf "systemd"
+else
+	printf "unknown"
+fi

cdist/conf/type/__service/gencode-remote

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+manager="$(cat "$__object/explorer/service-manager")"
+name=$__object_id
+action="$(cat "$__object/parameter/action")"
+
+if [ "$manager" = "unknown" ]; then
+	echo "service '$name' '$action'"
+fi

cdist/conf/type/__service/man.rst

@@ -0,0 +1,51 @@
+cdist-type__service(7)
+======================
+
+NAME
+----
+cdist-type__service - Run action on a system service
+
+
+DESCRIPTION
+-----------
+This type allows you to run an action against a system service.
+
+
+REQUIRED PARAMETERS
+-------------------
+action
+  Arbitrary parameter passed as action. Usually 'start', 'stop', 'reload' or 'restart'.
+
+OPTIONAL PARAMETERS
+-------------------
+None.
+
+
+BOOLEAN PARAMETERS
+------------------
+None.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Restart nginx service.
+    __service nginx --action restart
+
+    # Stop postfix service.
+    __service postfix --action stop
+
+
+AUTHORS
+-------
+Timothée Floure <timothee.floure@ungleich.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2019 Timothée Floure. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__service/manifest

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+manager="$(cat "$__object/explorer/service-manager")"
+
+name=$__object_id
+action="$(cat "$__object/parameter/action")"
+
+case "$manager" in
+	systemd)
+		__systemd_service "$name" --action "$action"
+	;;
+	*)
+		# Unknown: handled by `service $NAME $action` in gencode-remote.
+	;;
+esac

cdist/conf/type/__service/parameter/required

@@ -0,0 +1 @@
+action

cdist/conf/type/__systemd_service/explorer/state

@@ -0,0 +1,43 @@
+#!/bin/sh -e
+# explorer/state
+#
+# 2020 Matthias Stecher <matthiasstecher at gmx.de>
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Check if the service is running or stopped.
+#
+# The explorer must check before if the service exist, because 'systemctl is-active'
+# will return "inactive" even if there is no service there:
+#   systemctl cat foo        # does not exist
+#   systemctl is-active foo  # is "inactive"
+
+
+# get name of the service
+if [ -f "$__object/parameter/name" ]; then
+    name="$(cat "$__object/parameter/name")"
+else
+    name="$__object_id"
+fi
+
+
+# check if the service exist, else exit without output (also if systemd doesn't exist)
+# do not exit here with an error code, will be done in the gencode-remote script
+systemctl cat "$name" > /dev/null 2>&1 || exit 0
+
+# print if the service is running or not
+systemctl is-active -q "$name" && printf "running" || printf "stopped"

cdist/conf/type/__systemd_service/gencode-remote

@@ -0,0 +1,98 @@
+#!/bin/sh -e
+# gencode-remote
+#
+# 2020 Matthias Stecher <matthiasstecher at gmx.de>
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Checks the given state of the service and set it to the given
+# state. Optionally, it executes the action if service running.
+
+
+# get name of the service
+name="$__object/parameter/name"
+if [ -f "$name" ]; then
+    name="$(cat "$name")"
+else
+    name="$__object_id"
+fi
+
+
+# read current status and parameters
+state="$(cat "$__object/explorer/state")"
+should="$(cat "$__object/parameter/state")"
+
+# if systemd/service does not exist
+if [ -z "$state" ]; then
+    printf "systemd or service '%s' does not exist!\n" "$name" >&2
+    exit 1
+fi
+
+
+# save the action required
+required_action=""
+
+# check the state of the service that should be
+if [ "$state" != "$should" ]; then
+    # select what to do to get the $should state
+    case "$should" in
+        running)
+            if [ "$state" = "stopped" ]; then required_action="start"; fi
+            ;;
+
+        stopped)
+            if [ "$state" = "running" ]; then required_action="stop"; fi
+            ;;
+    esac
+fi
+
+# check if the action can be achieved if given
+if [ -f "$__object/parameter/action" ] \
+    && [ -z "$required_action" ] && [ "$state" = "running" ]; then
+
+    # there must be an action
+    action="$(cat "$__object/parameter/action")"
+
+    # select the action to the required element
+    case "$action" in
+        restart)
+            required_action="restart"
+            ;;
+
+        reload)
+            required_action="reload"
+            ;;
+
+        *)
+            printf "action '%s' does not exist!" "$action" >&2
+            exit 2
+    esac
+
+    # Make a special check: only do this action if a dependency did something
+    # it is required that the dependencies write there action to $__messages_in
+    if [ -f "$__object/parameter/if-required" ]; then
+        # exit here if there are no changes from the dependencies affected (nothing to do)
+        if ! grep -q -f "$__object/require" "$__messages_in"; then exit 0; fi
+    fi
+fi
+
+# print the execution command if a action given
+if [ -n "$required_action" ]; then
+    # also print it as message
+    echo "$required_action" >> "$__messages_out"
+    echo "systemctl $required_action '$name'"
+fi

cdist/conf/type/__systemd_service/man.rst

@@ -0,0 +1,110 @@
+cdist-type__systemd-service(7)
+==============================
+
+NAME
+----
+cdist-type__systemd-service - Controls a systemd service state
+
+DESCRIPTION
+-----------
+This type controls systemd services to define a state of the service,
+or an action like reloading or restarting. It is useful to reload a
+service after configuration applied or shutdown one service.
+
+The activation or deactivation is out of scope. Look for the
+:strong:`cdist-type__systemd_util`\ (7) type instead.
+
+REQUIRED PARAMETERS
+-------------------
+
+None.
+
+OPTIONAL PARAMETERS
+-------------------
+
+name
+    String which will used as name instead of the object id.
+
+state
+    The state which the service should be in:
+
+    running
+        Service should run (default)
+
+    stoppend
+        Service should stopped
+
+action
+    Executes an action on on the service. It will only execute it if the
+    service keeps the state **running**. There are following actions, where:
+
+    reload
+        Reloads the service
+
+    restart
+        Restarts the service
+
+BOOLEAN PARAMETERS
+------------------
+
+if-required
+    Only execute the action if minimum one required type outputs a message to
+    **$__messages_out**. Through this, the action should only executed if a
+    dependency did something. The action will not executed if no dependencies
+    given.
+
+MESSAGES
+--------
+
+start
+    Started the service
+
+stop
+    Stopped the service
+
+restart
+    Restarted the service
+
+reload
+    Reloaded the service
+
+ABORTS
+------
+Aborts in following cases:
+
+systemd or the service does not exist
+
+EXAMPLES
+--------
+.. code-block:: sh
+
+    # service must run
+    __systemd_service nginx
+
+    # service must stopped
+    __systemd_service sshd \
+        --state stopped
+
+    # restart the service
+    __systemd_service apache2 \
+        --action restart
+
+    # makes sure the service exist with an alternative name
+    __systemd_service foo \
+        --name sshd
+
+    # reload the service for a modified configuration file
+    # only reloads the service if the file really changed
+    require="__config_file/etc/foo.conf" __systemd_service foo \
+        --action reload --if-required
+
+AUTHORS
+-------
+Matthias Stecher <matthiasstecher at gmx.de>
+
+COPYRIGHT
+---------
+Copyright \(C) 2020 Matthias Stecher. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__systemd_service/parameter/boolean

@@ -0,0 +1 @@
+if-required

cdist/conf/type/__systemd_service/parameter/default/state

@@ -0,0 +1 @@
+running

cdist/conf/type/__systemd_service/parameter/optional

@@ -0,0 +1,3 @@
+name
+state
+action

cdist/conf/type/__update_alternatives/explorer/state

@@ -0,0 +1,8 @@
+#!/bin/sh -e
+path="$(cat "$__object/parameter/path")"
+name="$__object_id"
+link="$(readlink "/etc/alternatives/$name")"
+if [ "$path" = "$link" ]
+then echo present
+else echo absent
+fi

cdist/conf/type/__update_alternatives/gencode-remote

@@ -17,9 +17,10 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
-#
-# Setup alternative - no standard way to create, always set
-#
+
+if [ "$(cat "$__object/explorer/state")" = 'present' ]
+then exit 0
+fi
 
 path="$(cat "$__object/parameter/path")"
 name="$__object_id"

cdist/conf/type/__user/explorer/shadow

@@ -24,7 +24,7 @@
 name=$__object_id
 
 case $("$__explorer/os") in
-  'freebsd'|'netbsd'|'openbsd')
+  'freebsd'|'netbsd'|'openbsd'|'alpine')
     database='passwd'
     ;;
   # Default to using shadow passwords

docs/changelog

@@ -1,6 +1,29 @@
 Changelog
 ---------
 
+next:
+	* Type __user: Fix missing shadow for alpine (llnu)
+
+6.5.2: 2020-02-27
+	* Type __update_alternatives: Add state explorer (Ander Punnar)
+	* Explorer os_version: Add support for Alpine Linux (Jin-Guk Kwon)
+	* Explorer init: Rewrite and support more init systems (Dennis Camera)
+	* New type: __service (Timothée Floure)
+	* Types __consul_*: Add optional parameter for using distribution packages (Timothée Floure)
+	* Explorer disks: Fix NetBSD, support Linux w/o lsblk (Dennis Camera)
+	* Type __directory: Add 'exists' and 'pre-exists' states (Dennis Camera)
+	* Type __file: Improve error messages for pre-exists state (Dennis Camera)
+
+6.5.1: 2020-02-15
+	* Type __consul_agent: Add Debian 10 support (Nico Schottelius)
+	* Explorer os_release: Add fallbacks (Dennis Camera)
+	* Types __file, __directory: Add fallback for systems without stat (Dennis Camera)
+	* Type __mysql_privileges: Fix quoting (Ander Punnar)
+	* Type __package_apt: Update package index if it is older than one day (Ander Punnar)
+	* Type __cron: Fix job removal if 'is' and 'should' don't match (Matthias Stecher)
+	* New type: __systemd_service (Matthias Stecher)
+	* Type __postgres_role: Fix password command syntax (Timothée Floure)
+
 6.5.0: 2020-01-23
 	* Type __acl: Add --entry parameter to replace --acl, deprecate --acl (Ander Punnar)
 	* Core: preos: Fix missing configuration file usage, support -g, --config-file option (Darko Poljak)

docs/src/index.rst

@@ -2,8 +2,9 @@ cdist - usable configuration management
 =======================================
 
 cdist is a usable configuration management system.
-It adheres to the KISS principle and 
+It adheres to the KISS principle and
 is being used in small up to enterprise grade environments.
+It natively supports IPv6 since the first release.
 
 
 .. toctree::