diff --git a/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote b/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote
index 466b889d..9243acc9 100644
--- a/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote
+++ b/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote
@@ -11,7 +11,8 @@ if [ -f "${__object}/parameter/extra-domain" ]; then
fi
#TODO: support linux too
-REALM_DIR="/usr/local/etc/pki/realms/${REALM}"
+REALMS_DIR="/usr/local/etc/pki/realms"
+REALM_DIR="${REALMS_DIR}/${REALM}"
REALM_CERT="${REALM_DIR}/default.crt"
REALM_KEY="${REALM_DIR}/default.key"
REALM_CERT_REQUEST="${ACME_TINY_CERT_REQUEST_DIR}/${REALM}.csr"
@@ -101,6 +102,8 @@ if [ -n "\${FORCE_CSR_REGEN}" -o -n "\${FORCE_CRT_REGEN}" ]; then
fi
fi
+cat "${REALM_CERT}" "${REALMS_DIR}/chain.pem" > ${REALM_DIR}/fullchain.pem
+
if [ -n '${REALM_CERT_REQUEST_CNF_LINE}' -a -f '${REALM_CERT_REQUEST_CNF}.new' ]; then
# CSR and cert generation succeded with a new config, put new config in-place.
# This is the last thing we do, so we try again next time if sth fails.
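Review bot: The `>` redirection on the added `cat` line truncates fullchain.pem before `cat` runs, so if `default.crt` or `chain.pem` is missing on the host the server is left with an empty or partial chain file instead of the previous good one. Writing to a sibling name and renaming keeps the last good file in place: `cat "${REALM_CERT}" "${REALMS_DIR}/chain.pem" > "${REALM_DIR}/fullchain.pem.new" && mv "${REALM_DIR}/fullchain.pem.new" "${REALM_DIR}/fullchain.pem"`, and the redirection target should be quoted either way. Note that chain.pem, as assembled by the base manifest in this same commit, is intermediate followed by root, so fullchain.pem will carry the root certificate as well; a TLS server's chain normally needs only leaf plus intermediate, so if including the root is intended a comment saying so would help. The generated script this line is emitted into begins and ends outside the hunk, and `REALMS_DIR` here duplicates the literal path hard-coded in the base manifest rather than sharing it.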
diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest b/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
index 7bce9a63..cbedcdff 100644
--- a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
+++ b/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
@@ -200,3 +200,28 @@ require="__package/doas" __file "${DOAS_CONF}" --mode 0640
require="__file${DOAS_CONF}" __line "${DOAS_CONF}" \
--regex 'root as acme-tiny' \
--line 'permit nopass root as acme-tiny'
+
+# Setup CA
+REALMS_DIR="/usr/local/etc/pki/realms"
+__directory "${REALMS_DIR}" \
+ --parents \
+ --state present \
+ --mode 0755
+
+require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/intermediate.pem \
+ --mode 0644 \
+ --source - << EOF
+$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt)
+EOF
+require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/root.pem \
+ --mode 0644 \
+ --source - << EOF
+$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt)
+EOF
+require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/chain.pem \
+ --mode 0644 \
+ --source - << EOF
+$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt)
+$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt)
+EOF
+
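Review bot: The three `__file … --source -` heredocs feed the output of `curl -s …` straight into the trust material with no check that the download succeeded: `-s` without `-S`/`-f` turns an HTTP error into an HTML body and a failed or blocked fetch into an empty string, and in both cases `__file` deploys that as intermediate.pem, root.pem or chain.pem (and, via the gencode-remote change, fullchain.pem). At minimum fetch each URL once into a variable with `curl -sSf` and abort the manifest on failure before any file is declared; checking that the result parses as a certificate (e.g. `openssl x509 -noout`, if available on the cdist host) additionally rejects a non-PEM body. Shipping pinned copies of these certificates in the type's files directory with a recorded checksum would remove the network dependency from every configuration run and make the deployed chain reproducible. The URLs name one specific intermediate, so this will need updating when the issuer chain changes; a comment to that effect belongs above `# Setup CA`.
```shell
# Setup CA: fetch once, fail loudly, reuse the same bytes for all three files.
intermediate="$(curl -sSf https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt)" || exit 1
root="$(curl -sSf https://letsencrypt.org/certs/trustid-x3-root.pem.txt)" || exit 1

# … unchanged: REALMS_DIR and __directory "${REALMS_DIR}" …

require="__directory${REALMS_DIR}" __file "${REALMS_DIR}/intermediate.pem" \
  --mode 0644 \
  --source - << EOF
${intermediate}
EOF
require="__directory${REALMS_DIR}" __file "${REALMS_DIR}/root.pem" \
  --mode 0644 \
  --source - << EOF
${root}
EOF
require="__directory${REALMS_DIR}" __file "${REALMS_DIR}/chain.pem" \
  --mode 0644 \
  --source - << EOF
${intermediate}
${root}
EOF
```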
diff --git a/cdist/conf/type/__openldap_server/manifest b/cdist/conf/type/__openldap_server/manifest
index dadc9f20..88fdbafa 100644
--- a/cdist/conf/type/__openldap_server/manifest
+++ b/cdist/conf/type/__openldap_server/manifest
@@ -9,6 +9,7 @@ slapd_modules=$(cat "${__object}/parameter/module" 2>/dev/null || true)
schemas=$(cat "${__object}/parameter/schema")
slapd_urls=$(tr '\n' ' ' < "${__object}/parameter/slapd-url")
tls_cipher_suite=$(cat "${__object}/parameter/tls-cipher-suite" 2>/dev/null || true)
+extra_config=$(cat "${__object}/parameter/extra-config" || true)
os="$(cat "${__global}/explorer/os")"
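Review bot: The added `extra_config` line omits the `2>/dev/null` that its optional-parameter siblings above (`slapd_modules`, `tls_cipher_suite`) use, so every run without `--extra-config` prints a `cat: … No such file or directory` message to stderr even though `|| true` swallows the status. Make it consistent: `extra_config=$(cat "${__object}/parameter/extra-config" 2>/dev/null || true)`. Since the value is spliced verbatim into slapd.conf in the later hunk, a one-line comment such as `# free-form slapd.conf lines, appended verbatim after the index directives` would make clear that no quoting or validation is intended.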
@@ -230,6 +231,8 @@ index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
+${extra_config}
+
serverid ${serverid}
EOF
diff --git a/cdist/conf/type/__openldap_server/parameter/optional b/cdist/conf/type/__openldap_server/parameter/optional
index a92b9c6e..71c64659 100644
--- a/cdist/conf/type/__openldap_server/parameter/optional
+++ b/cdist/conf/type/__openldap_server/parameter/optional
@@ -5,4 +5,5 @@ admin-email
tls-cipher-suite
tls-cert
tls-privkey
-tls-ca
\ No newline at end of file
+tls-ca
+extra-config
diff --git a/cdist/conf/type/__pf_ruleset/explorer/cksum b/cdist/conf/type/__pf_apply_anchor/gencode-remote
similarity index 62%
rename from cdist/conf/type/__pf_ruleset/explorer/cksum
rename to cdist/conf/type/__pf_apply_anchor/gencode-remote
index 9be6c901..3d259aca 100755
--- a/cdist/conf/type/__pf_ruleset/explorer/cksum
+++ b/cdist/conf/type/__pf_apply_anchor/gencode-remote
@@ -18,24 +18,23 @@
# along with cdist. If not, see .
#
#
-# Get the 256 bit SHA2 checksum of the pf ruleset on the target host.
+# Apply pf(4) ruleset on *BSD
#
# Debug
-#exec >&2
+# exec >&2
#set -x
-# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
-# See if file exists and if so, get checksum
+ANCHORS_DIR="/etc/pf.d"
-RC="/etc/rc.conf"
-TMP="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
-PFCONF="${TMP:-"/etc/pf.conf"}"
-
-if [ -f "${PFCONF}" ]; then # The pf config file exists, find its cksum.
- cksum -o 1 "${PFCONF}" | cut -d= -f2 | awk '{print $1}'
+if [ -f "${__object}/parameter/anchor_name" ]; then
+ anchor_name="$(cat "${__object}/parameter/anchor_name")"
+else
+ anchor_name="${__object_id}"
fi
+anchor_file="${ANCHORS_DIR}/${anchor_name}"
+
+echo "pfctl -a \"${anchor_name}\" -f \"${anchor_file}\""
# Debug
#set +x
-
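Review bot: The emitted `pfctl -a \"${anchor_name}\" -f \"${anchor_file}\"` line interpolates `anchor_name` (from the parameter or `__object_id`) into a double-quoted shell command that is executed on the target, so a name containing `"`, `$` or backquotes changes the remote command, and one containing `..` or `/` selects a file outside `/etc/pf.d`. Validating the name before emitting anything is cheap: `case "${anchor_name}" in ''|*[!A-Za-z0-9_.-]*) echo "invalid anchor name: ${anchor_name}" >&2; exit 1 ;; esac` (admit `/` only if nested anchors are intended, and still reject `..`). The header comment now reads `# Apply pf(4) ruleset on *BSD`, but the script loads a single anchor file; `# Load the anchor file ${ANCHORS_DIR}/<name> into pf(4) on *BSD via pfctl -a` would describe it. It also presumes `anchor_file` exists on the target — presumably the generated `pfctl` simply fails otherwise, which may be acceptable but deserves a comment.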
diff --git a/cdist/conf/type/__pf_apply_anchor/parameter/optional b/cdist/conf/type/__pf_apply_anchor/parameter/optional
new file mode 100644
index 00000000..b9f61e28
--- /dev/null
+++ b/cdist/conf/type/__pf_apply_anchor/parameter/optional
@@ -0,0 +1 @@
+anchor_name
diff --git a/cdist/conf/type/__pf_rdr/manifest b/cdist/conf/type/__pf_rdr/manifest
new file mode 100644
index 00000000..83bf2ed8
--- /dev/null
+++ b/cdist/conf/type/__pf_rdr/manifest
@@ -0,0 +1,20 @@
+# TODO header :D
+# TODO it would be cool to print a warning if a generated anchor is unused in pf.conf
+
+DESTDIR=/etc/pf.d
+
+proto="$(cat "$__object/parameter/proto")"
+from="$(cat "$__object/parameter/from")"
+to="$(cat "$__object/parameter/to")"
+state="$(cat "$__object/parameter/state")"
+
+from="$(echo $from | sed 's/:/ port /')"
+to="$(echo $to | sed 's/:/ port /')"
+
+anchorname="$(echo $__object_id | cut -d/ -f1)"
+rule="rdr pass log proto $proto from any to $from -> $to"
+
+__directory "$DESTDIR" --parents
+
+require="__directory/$DESTDIR" \
+__line __pf_rdr/$__object_id --state $state --line "$rule" --file $DESTDIR/$anchorname
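Review bot: `from="$(echo $from | sed 's/:/ port /')"` (and the same for `to`) replaces the first colon, so an IPv6 literal such as `2001:db8::1:8080` becomes `2001 port db8::1:8080` and the generated rdr rule is wrong; the unquoted `$from`/`$to` also expose the values to word splitting and globbing. Splitting at the last colon keeps IPv6 addresses intact when a port is given; if bare IPv6 addresses without a port must also be accepted, a separate `--port` parameter is the unambiguous design. The rest of the file quotes inconsistently (`--state $state`, `--file $DESTDIR/$anchorname`, and `require="__directory/$DESTDIR"` yields `__directory//etc/pf.d` where the other new manifest in this commit writes `__directory${REALMS_DIR}`), and the `# TODO header :D` placeholder should be replaced with the license/purpose header every other type in this diff carries.
```shell
# Rewrite "host:port" as "host port <n>", splitting at the LAST colon so an
# IPv6 literal is not mangled. Values without a colon pass through unchanged.
split_port() {
  case "$1" in
    *:*) printf '%s port %s\n' "${1%:*}" "${1##*:}" ;;
    *)   printf '%s\n' "$1" ;;
  esac
}
from="$(split_port "$from")"
to="$(split_port "$to")"
# … unchanged: anchorname, rule, __directory, __line …
```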
diff --git a/cdist/conf/type/__pf_rdr/parameter/default/proto b/cdist/conf/type/__pf_rdr/parameter/default/proto
new file mode 100644
index 00000000..28a29e6f
--- /dev/null
+++ b/cdist/conf/type/__pf_rdr/parameter/default/proto
@@ -0,0 +1 @@
+tcp
diff --git a/cdist/conf/type/__pf_rdr/parameter/default/state b/cdist/conf/type/__pf_rdr/parameter/default/state
new file mode 100644
index 00000000..e7f6134f
--- /dev/null
+++ b/cdist/conf/type/__pf_rdr/parameter/default/state
@@ -0,0 +1 @@
+present
diff --git a/cdist/conf/type/__pf_rdr/parameter/optional b/cdist/conf/type/__pf_rdr/parameter/optional
new file mode 100644
index 00000000..09ec92ca
--- /dev/null
+++ b/cdist/conf/type/__pf_rdr/parameter/optional
@@ -0,0 +1,2 @@
+proto
+state
diff --git a/cdist/conf/type/__pf_rdr/parameter/required b/cdist/conf/type/__pf_rdr/parameter/required
new file mode 100644
index 00000000..4a568482
--- /dev/null
+++ b/cdist/conf/type/__pf_rdr/parameter/required
@@ -0,0 +1,2 @@
+from
+to
diff --git a/cdist/conf/type/__pf_ruleset/gencode-local b/cdist/conf/type/__pf_ruleset/gencode-local
deleted file mode 100755
index 11bfb0b1..00000000
--- a/cdist/conf/type/__pf_ruleset/gencode-local
+++ /dev/null
@@ -1,81 +0,0 @@
-#!/bin/sh -e
-#
-# 2012 Jake Guffey (jake.guffey at eprotex.com)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see .
-#
-#
-# Manage pf(4) on *BSD
-#
-
-# Debug
-#exec >&2
-#set -x
-
-# Send files to $__target_host via $__remote_copy
-
-uname=$(uname) # Need to know what the cdist host is running so we know how to compute the ruleset's checksum
-state=$(cat "$__object/parameter/state")
-
-if [ "$state" = "absent" ]; then # There is nothing more for a *local* script to do
- exit 0
-fi
-
-if [ -f "$__object/parameter/source" ]; then
- source=$(cat "$__object/parameter/source")
-fi
-
-rcvar=$(cat "$__object/explorer/rcvar")
-cksum=$(cat "$__object/explorer/cksum")
-
-
-cat <&2
- exit 1
- ;;
-esac
-
-# IPv6 fix
-if $(echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$')
-then
- my_target_host="[${__target_host}]"
-else
- my_target_host="${__target_host}"
-fi
-
-if [ -n "${cksum}" ]; then
- if [ ! "\${currentSum}" = "${cksum}" ]; then
- $__remote_copy "${source}" "\${my_target_host}:${rcvar}.new"
- fi
-else # File just doesn't exist yet
- $__remote_copy "${source}" "\${my_target_host}:${rcvar}.new"
-fi
-EOF
-
-# Debug
-#exec +x
-
diff --git a/cdist/conf/type/__pf_ruleset/gencode-remote b/cdist/conf/type/__pf_ruleset/manifest
similarity index 58%
rename from cdist/conf/type/__pf_ruleset/gencode-remote
rename to cdist/conf/type/__pf_ruleset/manifest
index 12760fdf..25206add 100755
--- a/cdist/conf/type/__pf_ruleset/gencode-remote
+++ b/cdist/conf/type/__pf_ruleset/manifest
@@ -1,6 +1,6 @@
#!/bin/sh -e
#
-# 2012 Jake Guffey (jake.guffey at eprotex.com)
+# 2016 Kamila Součková (kamila at ksp.sk)
#
# This file is part of cdist.
#
@@ -25,25 +25,29 @@
#exec >&2
#set -x
-# Remove ${rcvar} in the case of --state absent
-
-state=$(cat "$__object/parameter/state")
rcvar=$(cat "$__object/explorer/rcvar")
-
-if [ "$state" = "present" ]; then # There is nothing more for a *remote* script to do
- exit 0
-elif [ "$state" = "absent" ]; then
- # --state absent, so ensure that .new doesn't exist and that conf is renamed to .old
- cat <&2
- exit 1
+state=$(cat "$__object/parameter/state")
+if [ -f "$__object/parameter/source" ]; then
+ source=$(cat "$__object/parameter/source")
fi
+if [ "$state" = "absent" ]; then
+ action="/etc/rc.d/pf stop"
+else
+ action="/etc/rc.d/pf reload || /etc/rc.d/pf start"
+fi
+
+__key_value __pf_ruleset/rcvar \
+ --state "$state" \
+ --file /etc/rc.conf \
+ --delimiter "=" \
+ --key "pf_enable" \
+ --value "YES"
+
+require="${require} __key_value/__pf_ruleset/rcvar" __config_file $rcvar \
+ --source "$source" \
+ --state "$state" \
+ --onchange "$action"
+
+# Debug
+#exec +x
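Review bot: The closing debug comment `#exec +x` does not pair with `#set -x` near the top — `exec +x` is not how tracing is switched off; it was carried over from the old gencode files and should read `#set +x`. `__config_file $rcvar` is unquoted, and the variable name `rcvar` is misleading here: judging by its use as the `__config_file` object, the `rcvar` explorer appears to return the pf rules file path, which a comment such as `# rcvar explorer: path of the pf rules file on the target` should confirm. When `parameter/source` is absent, `source` stays unset and `--source ""` is passed to `__config_file`; that looks intended for `--state absent`, but it also happens for a present object without `--source`, so unless cdist already requires the parameter, `if [ "$state" != absent ] && [ -z "$source" ]; then echo "--source is required" >&2; exit 1; fi` would make the failure explicit.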
diff --git a/cdist/conf/type/__postfix/manifest b/cdist/conf/type/__postfix/manifest
index f3616979..121bba96 100755
--- a/cdist/conf/type/__postfix/manifest
+++ b/cdist/conf/type/__postfix/manifest
@@ -19,16 +19,4 @@
# along with cdist. If not, see .
#
-
-os=$(cat "$__global/explorer/os")
-
-case "$os" in
- alpine|ubuntu|debian|archlinux|suse|scientific|centos|devuan)
- __package postfix --state present
- ;;
- *)
- echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
- echo "Please contribute an implementation for it if you can." >&2
- exit 1
- ;;
-esac
+__package postfix --state present
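Review bot: Removing the `case "$os"` guard means the type now runs `__package postfix` on any OS and the explicit unsupported-platform error is gone, so a misconfiguration will surface only as whatever `__package` reports later. If delegating OS support to `__package` is the intent, say so where the guard used to be: `# OS support is delegated to __package; no explicit whitelist here.`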