diff --git a/README b/README
deleted file mode 100644
index caf2dac8..00000000
--- a/README
+++ /dev/null
@@ -1,7 +0,0 @@
-cdist
------
-
-cdist is a usable configuration management system.
-
-For the web documentation have a look at https://www.cdi.st/
-or at docs/src for reStructuredText manual.
diff --git a/README.md b/README.md
new file mode 100644
index 00000000..de6901c7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,31 @@
+# cdist
+
+**cdist** is a usable configuration management system.
+
+It adheres to the [**KISS principle**](https://en.wikipedia.org/wiki/KISS_principle)
+and is being used in small up to enterprise grade environments.
+
+For more information have a look at [**homepage**](https://cdi.st)
+or at **``docs/src``** for manual in **reStructuredText** format.
+
+## Contributing
+
+Merge/Pull requests can be made in both
+[upstream **GitLab**](https://code.ungleich.ch/ungleich-public/cdist/merge_requests)
+(managed by [**ungleich**](https://ungleich.ch))
+and [**GitHub** project](https://github.com/ungleich/cdist/pulls).
+
+Issues can be made and other project management activites happen
+[**only in GitLab**](https://code.ungleich.ch/ungleich-public/cdist)
+(needs [**ungleich** account](https://account.ungleich.ch)).
+
+For community-maintained types there is
+[**cdist-contrib** project](https://code.ungleich.ch/ungleich-public/cdist-contrib).
+
+## Participating
+
+IRC: ``#cdist`` @ freenode
+
+Matrix: ``#cdist:ungleich.ch``
+
+Mattermost: https://chat.ungleich.ch/ungleich/channels/cdist
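Review bot: Typo in the Contributing section of the new README.md: "other project management activites happen" should read "activities". While here, "For more information have a look at [**homepage**]" reads better as "at the [**homepage**]", and "for manual in **reStructuredText** format" as "for the manual in reStructuredText format".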
diff --git a/cdist/conf/explorer/cpu_cores b/cdist/conf/explorer/cpu_cores
index a52bddac..c6744142 100755
--- a/cdist/conf/explorer/cpu_cores
+++ b/cdist/conf/explorer/cpu_cores
@@ -32,6 +32,10 @@ case "$os" in
sysctl -n hw.ncpuonline
;;
+ "freebsd"|"netbsd")
+ sysctl -n hw.ncpu
+ ;;
+
*)
if [ -r /proc/cpuinfo ]; then
cores="$(grep "core id" /proc/cpuinfo | sort | uniq | wc -l)"
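Review bot: The new `"freebsd"|"netbsd")` branch returns `sysctl -n hw.ncpu`, which counts logical CPUs (SMT threads included), whereas the Linux fallback below counts distinct `core id` values from /proc/cpuinfo, i.e. physical cores. The explorer will therefore report different quantities on the two platforms; add a comment stating which one `cpu_cores` is meant to return, or pick a BSD value that matches the Linux semantics.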
diff --git a/cdist/conf/explorer/machine_type b/cdist/conf/explorer/machine_type
index bb21f69c..fe0ae7d5 100755
--- a/cdist/conf/explorer/machine_type
+++ b/cdist/conf/explorer/machine_type
@@ -2,6 +2,7 @@
#
# 2014 Daniel Heule (hda at sfs.biz)
# 2014 Thomas Oettli (otho at sfs.biz)
+# 2020 Evilham (contact at evilham.com)
#
# This file is part of cdist.
#
@@ -18,9 +19,27 @@
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see .
#
-#
-# FIXME: other system types (not linux ...)
+os=$("$__explorer/os")
+
+case "$os" in
+ "freebsd")
+ # FreeBSD does not have /proc/cpuinfo even when procfs is used.
+ # Instead there is a sysctl kern.vm_guest.
+ # Which is 'none' if physical, else the virtualisation.
+ vm_guest="$(sysctl -n kern.vm_guest 2>/dev/null || true)"
+ if [ -n "${vm_guest}" ]; then
+ if [ "${vm_guest}" = "none" ]; then
+ echo "physical"
+ exit
+ fi
+ echo "virtual_by_${vm_guest}"
+ exit
+ fi
+ ;;
+
+ *)
+ # Defaulting to linux for compatibility with previous cdist behaviour
if [ -d "/proc/vz" ] && [ ! -d "/proc/bc" ]; then
echo openvz
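Review bot: In the FreeBSD branch, when `sysctl -n kern.vm_guest` is unavailable the `|| true` leaves `vm_guest` empty and the branch falls through to the final `echo "unknown"`; that is a sensible default, but worth one comment line since the `exit` calls make the control flow easy to misread. Also the comment block is split mid-sentence ("Instead there is a sysctl kern.vm_guest. Which is 'none' if physical, else the virtualisation."); suggest joining it into one sentence.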
@@ -72,9 +91,13 @@ if [ -r /proc/cpuinfo ]; then
fi
fi
echo "virtual_by_unknown"
+ exit
else
echo "physical"
+ exit
fi
-else
- echo "unknown"
fi
+ ;;
+esac
+
+echo "unknown"
diff --git a/cdist/conf/explorer/memory b/cdist/conf/explorer/memory
index 4e3efff8..302b4cda 100755
--- a/cdist/conf/explorer/memory
+++ b/cdist/conf/explorer/memory
@@ -29,7 +29,7 @@ case "$os" in
echo "$(sysctl -n hw.memsize)/1024" | bc
;;
- "openbsd")
+ *"bsd")
echo "$(sysctl -n hw.physmem) / 1048576" | bc
;;
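Review bot: The pattern `*"bsd")` matches any `os` value ending in "bsd", while the cpu_cores change in this same patch enumerates `"freebsd"|"netbsd"` explicitly. Prefer one style in both explorers; if the glob is intended to cover every BSD that provides `hw.physmem`, say so in a comment so the next reader does not tighten it back.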
diff --git a/cdist/conf/type/__daemontools_service/man.rst b/cdist/conf/type/__daemontools_service/man.rst
index 9bbbe2f8..ec1d20ff 100644
--- a/cdist/conf/type/__daemontools_service/man.rst
+++ b/cdist/conf/type/__daemontools_service/man.rst
@@ -40,12 +40,6 @@ run-file
log-run
Command to run for log consumption. Default: `multilog t ./main`
-owner
- User to chown to.
-
-group
- User to chgrp to.
-
servicedir
Directory to install into. Default: `/service`
diff --git a/cdist/conf/type/__daemontools_service/manifest b/cdist/conf/type/__daemontools_service/manifest
index 8a81b5f5..78bae285 100755
--- a/cdist/conf/type/__daemontools_service/manifest
+++ b/cdist/conf/type/__daemontools_service/manifest
@@ -9,8 +9,6 @@ servicedir=$(cat "$__object/parameter/servicedir")
run=$(cat "$__object/parameter/run")
runfile=$(cat "$__object/parameter/run-file")
logrun=$(cat "$__object/parameter/log-run")
-owner=$(cat "$__object/parameter/owner")
-group=$(cat "$__object/parameter/group")
svc=$(cat "$__type/explorer/svc")
@@ -27,22 +25,14 @@ badusage() {
[ -z "$run$runfile" ] && badusage
[ -n "$run" ] && [ -n "$runfile" ] && badusage
-flags=""
-if [ -n "$owner" ]; then
- flags="$flags --owner $owner"
-fi
-if [ -n "$group" ]; then
- flags="$flags --group $group"
-fi
-
-__directory "$servicedir/$name/log/main" --parents $flags
+__directory "$servicedir/$name/log/main" --parents
echo "$RUN_PREFIX$run" | require="__directory/$servicedir/$name/log/main" __config_file "$servicedir/$name/run" \
--onchange "svc -t '$servicedir/$name' 2>/dev/null" \
- --mode 755 $flags \
+ --mode 755 \
--source "${runfile:--}"
echo "$RUN_PREFIX$logrun" | require="__directory/$servicedir/$name/log/main" __config_file "$servicedir/$name/log/run" \
--onchange "svc -t '$servicedir/$name/log' 2>/dev/null" \
- --mode 755 $flags \
+ --mode 755 \
--source "-"
diff --git a/cdist/conf/type/__daemontools_service/parameter/default/group b/cdist/conf/type/__daemontools_service/parameter/default/group
deleted file mode 100644
index e69de29b..00000000
diff --git a/cdist/conf/type/__daemontools_service/parameter/default/owner b/cdist/conf/type/__daemontools_service/parameter/default/owner
deleted file mode 100644
index e69de29b..00000000
diff --git a/cdist/conf/type/__daemontools_service/parameter/optional b/cdist/conf/type/__daemontools_service/parameter/optional
index 7c66b514..7e54985f 100644
--- a/cdist/conf/type/__daemontools_service/parameter/optional
+++ b/cdist/conf/type/__daemontools_service/parameter/optional
@@ -1,6 +1,4 @@
-group
log-run
-owner
run
run-file
servicedir
diff --git a/cdist/conf/type/__iocage_clone/gencode-remote b/cdist/conf/type/__iocage_clone/gencode-remote
deleted file mode 100755
index 30d77099..00000000
--- a/cdist/conf/type/__iocage_clone/gencode-remote
+++ /dev/null
@@ -1,152 +0,0 @@
-#!/bin/sh
-
-state="$(cat $__object/parameter/state)"
-template="$(cat $__object/parameter/template)"
-ip4_addr="$(cat $__object/parameter/bridge)|$(cat $__object/parameter/ip)"
-interfaces="none:none"
-defaultrouter="none"
-vnet="off"
-jail_zfs_dataset="$(cat $__object/parameter/jail_zfs_dataset)"
-devfs_ruleset="$(cat $__object/parameter/devfs_ruleset)"
-allow_socket_af="$(cat $__object/parameter/allow_socket_af)"
-mount_procfs="$(cat $__object/parameter/mount_procfs)"
-mount_linprocfs="$(cat $__object/parameter/mount_linprocfs)"
-
-if [ "X$state" = "Xabsent" ]; then
- cat <&2
- create_new=1
- fi
-fi
-
-if [ \$create_new -eq 0 ]; then
- if [ "off" == "\$(get_property_iocage jail_zfs "$__object_id")" ]; then
- current_jail_zfs_dataset=""
- else
- current_jail_zfs_dataset="\$(get_property_iocage jail_zfs_dataset "$__object_id")"
- fi
-fi
-
-configure=0
-if [ \$create_new -eq 1 ]; then
- configure=1
-elif [ "X$vnet" != "X\$(get_property_iocage vnet "$__object_id")" ]; then
- configure=1
-elif [ "X$ip4_addr" != "X\$(get_property_iocage ip4_addr "$__object_id")" ]; then
- configure=1
-elif [ "X$interfaces" != "X\$(get_property_iocage interfaces "$__object_id")" ]; then
- configure=1
-elif [ "X$defaultrouter" != "X\$(get_property_iocage defaultrouter "$__object_id")" ]; then
- configure=1
-elif [ "X$mount_procfs" != "X\$(get_property_iocage mount_procfs "$__object_id")" ]; then
- configure=1
-elif [ "X$devfs_ruleset" != "X\$(get_property_iocage devfs_ruleset "$__object_id")" ]; then
- configure=1
-elif [ "X$allow_socket_af" != "X\$(get_property_iocage allow_socket_af "$__object_id")" ]; then
- configure=1
-elif [ "X$jail_zfs_dataset" != "X\$current_jail_zfs_dataset" ]; then
- configure=1
-fi
-
-if [ \$create_new -eq 1 ]; then
- echo "Creating jail $__object_id" >&2
-
- iocage stop $__object_id || true
- iocage destroy -f $__object_id || true
- # Without VNETs, we should not need this.
- # TODO(riso): Use nicer path
- # /root/cdist/ioc deconfigure $__object_id
-
- rm -f /iocage/jails/$__object_id
-
- iocage clone $template tag=$__object_id
- iocage set boot=on $__object_id
- UUID=\$(iocage list | grep " $__object_id " | awk "{ print \\\$2; }")
- rm -f /iocage/jails/$__object_id
- ln -s /iocage/jails/\$UUID /iocage/jails/$__object_id
-else
- UUID=\$(iocage list | grep " $__object_id " | awk "{ print \\\$2; }")
- echo "Jail $__object_id already exists, UUID=\$UUID" >&2
-fi
-
-ROOT="/iocage/jails/\$UUID/root"
-FSTAB="/iocage/jails/\$UUID/fstab"
-rm -f \$FSTAB.new
-touch \$FSTAB.new
-cat $__object/parameter/mount 2>/dev/null | \\
-while read mount; do
- src=\$(echo \$mount | awk -F: "{ print \\\$1; }")
- dst_rel=\$(echo \$mount | awk -F: "{ print \\\$2; }")
- dst="/iocage/jails/\$UUID/root/\$dst_rel"
- mkdir -p "\$dst"
- echo "\$src \$dst nullfs rw 0 0" >>\$FSTAB.new
-done
-if [ $mount_linprocfs -eq 1 ]; then
- echo "linproc /iocage/jails/\$UUID/root/compat/linux/proc linprocfs rw 0 0" >>\$FSTAB.new
-fi
-
-fstab_changed=0
-if diff -q \$FSTAB \$FSTAB.new >/dev/null; then
- # pass
-else
- configure=1
- fstab_changed=1
-fi
-
-if [ \$configure -eq 1 ]; then
- echo "Configuring jail $__object_id." >&2
- iocage stop $__object_id || true
-
- iocage set vnet="$vnet" $__object_id
- iocage set interfaces="$interfaces" $__object_id
- iocage set hostname="$__object_id" $__object_id
- iocage set ip4_addr="$ip4_addr" $__object_id
- iocage set defaultrouter="$defaultrouter" $__object_id
- iocage set mount_procfs="$mount_procfs" $__object_id
- iocage set devfs_ruleset="$devfs_ruleset" $__object_id
- iocage set allow_socket_af="$allow_socket_af" $__object_id
- if [ -n "$jail_zfs_dataset" ]; then
- iocage set jail_zfs=on $__object_id
- iocage set jail_zfs_dataset="$jail_zfs_dataset" $__object_id
- else
- iocage set jail_zfs=off $__object_id
- fi
-
- if [ \$fstab_changed -eq 1 ]; then
- umount -afF \$FSTAB || true
- mv \$FSTAB.new \$FSTAB
- fi
-
- iocage start $__object_id || true
-
- # Iocage creates new mac address, but arp can have an old mac cached.
- # TODO(riso): Is this true without VNETs?
- arp -d -a
-else
- echo "Jail $__object_id is already configured." >&2
-fi
-rm -f \$FSTAB.new
-EOF
-fi
diff --git a/cdist/conf/type/__iocage_clone/manifest b/cdist/conf/type/__iocage_clone/manifest
deleted file mode 100644
index 0684fce8..00000000
--- a/cdist/conf/type/__iocage_clone/manifest
+++ /dev/null
@@ -1 +0,0 @@
-__package iocage
diff --git a/cdist/conf/type/__iocage_clone/parameter/default/allow_socket_af b/cdist/conf/type/__iocage_clone/parameter/default/allow_socket_af
deleted file mode 100644
index 573541ac..00000000
--- a/cdist/conf/type/__iocage_clone/parameter/default/allow_socket_af
+++ /dev/null
@@ -1 +0,0 @@
-0
diff --git a/cdist/conf/type/__iocage_clone/parameter/default/bridge b/cdist/conf/type/__iocage_clone/parameter/default/bridge
deleted file mode 100644
index 092f51c8..00000000
--- a/cdist/conf/type/__iocage_clone/parameter/default/bridge
+++ /dev/null
@@ -1 +0,0 @@
-bridge0
diff --git a/cdist/conf/type/__iocage_clone/parameter/default/devfs_ruleset b/cdist/conf/type/__iocage_clone/parameter/default/devfs_ruleset
deleted file mode 100644
index b8626c4c..00000000
--- a/cdist/conf/type/__iocage_clone/parameter/default/devfs_ruleset
+++ /dev/null
@@ -1 +0,0 @@
-4
diff --git a/cdist/conf/type/__iocage_clone/parameter/default/jail_zfs_dataset b/cdist/conf/type/__iocage_clone/parameter/default/jail_zfs_dataset
deleted file mode 100644
index e69de29b..00000000
diff --git a/cdist/conf/type/__iocage_clone/parameter/default/mount_linprocfs b/cdist/conf/type/__iocage_clone/parameter/default/mount_linprocfs
deleted file mode 100644
index 573541ac..00000000
--- a/cdist/conf/type/__iocage_clone/parameter/default/mount_linprocfs
+++ /dev/null
@@ -1 +0,0 @@
-0
diff --git a/cdist/conf/type/__iocage_clone/parameter/default/mount_procfs b/cdist/conf/type/__iocage_clone/parameter/default/mount_procfs
deleted file mode 100644
index 573541ac..00000000
--- a/cdist/conf/type/__iocage_clone/parameter/default/mount_procfs
+++ /dev/null
@@ -1 +0,0 @@
-0
diff --git a/cdist/conf/type/__iocage_clone/parameter/default/net b/cdist/conf/type/__iocage_clone/parameter/default/net
deleted file mode 100644
index a45fd52c..00000000
--- a/cdist/conf/type/__iocage_clone/parameter/default/net
+++ /dev/null
@@ -1 +0,0 @@
-24
diff --git a/cdist/conf/type/__iocage_clone/parameter/default/state b/cdist/conf/type/__iocage_clone/parameter/default/state
deleted file mode 100644
index e7f6134f..00000000
--- a/cdist/conf/type/__iocage_clone/parameter/default/state
+++ /dev/null
@@ -1 +0,0 @@
-present
diff --git a/cdist/conf/type/__iocage_clone/parameter/optional b/cdist/conf/type/__iocage_clone/parameter/optional
deleted file mode 100644
index 8ca73ed9..00000000
--- a/cdist/conf/type/__iocage_clone/parameter/optional
+++ /dev/null
@@ -1,7 +0,0 @@
-state
-bridge
-jail_zfs_dataset
-mount_procfs
-mount_linprocfs
-devfs_ruleset
-allow_socket_af
diff --git a/cdist/conf/type/__iocage_clone/parameter/optional_multiple b/cdist/conf/type/__iocage_clone/parameter/optional_multiple
deleted file mode 100644
index fde64773..00000000
--- a/cdist/conf/type/__iocage_clone/parameter/optional_multiple
+++ /dev/null
@@ -1 +0,0 @@
-mount
diff --git a/cdist/conf/type/__iocage_clone/parameter/required b/cdist/conf/type/__iocage_clone/parameter/required
deleted file mode 100644
index 209d1544..00000000
--- a/cdist/conf/type/__iocage_clone/parameter/required
+++ /dev/null
@@ -1,2 +0,0 @@
-ip
-template
diff --git a/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote b/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote
deleted file mode 100644
index 9243acc9..00000000
--- a/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote
+++ /dev/null
@@ -1,112 +0,0 @@
-#!/bin/sh -e
-
-ACME_TINY_CERT_REQUEST_DIR="/var/acme-tiny/cert-requests"
-ACME_TINY_ACCOUNT_KEY="/var/acme-tiny/account.key"
-ACME_CHALLENGE_DIR="/srv/www/sites/acme/public/.well-known/acme-challenge"
-
-REALM="${__object_id}"
-EXTRA_DOMAINS=""
-if [ -f "${__object}/parameter/extra-domain" ]; then
- EXTRA_DOMAINS="$(cat "${__object}/parameter/extra-domain")"
-fi
-
-#TODO: support linux too
-REALMS_DIR="/usr/local/etc/pki/realms"
-REALM_DIR="${REALMS_DIR}/${REALM}"
-REALM_CERT="${REALM_DIR}/default.crt"
-REALM_KEY="${REALM_DIR}/default.key"
-REALM_CERT_REQUEST="${ACME_TINY_CERT_REQUEST_DIR}/${REALM}.csr"
-REALM_CERT_REQUEST_CNF="${ACME_TINY_CERT_REQUEST_DIR}/${REALM}.cnf"
-
-CSR_ALT_NAMES=""
-REALM_CERT_REQUEST_CNF_LINE=""
-if [ -n "${EXTRA_DOMAINS}" ]; then
- CSR_ALT_NAMES="DNS:${REALM}"
- for domain in ${EXTRA_DOMAINS}; do
- CSR_ALT_NAMES="${CSR_ALT_NAMES},DNS:${domain}"
- done
- # CSR requests are executed always against .new, only after succeeding .new replaces the .cnf
- REALM_CERT_REQUEST_CNF_LINE="-reqexts SAN -config '${REALM_CERT_REQUEST_CNF}.new'"
-fi
-
-cat << EOF
-if [ ! -d '${REALM_DIR}' ]; then
- mkdir -p '${REALM_DIR}'
-fi
-if [ ! -f '${REALM_KEY}' ]; then
- openssl genrsa 4096 > '${REALM_KEY}'
-fi
-
-if [ ! -d '${ACME_TINY_CERT_REQUEST_DIR}' ]; then
- mkdir '${ACME_TINY_CERT_REQUEST_DIR}'
-fi
-
-FORCE_CSR_REGEN=""
-if [ -n '${CSR_ALT_NAMES}' ]; then
- # Generate new config
- cat /etc/ssl/openssl.cnf > '${REALM_CERT_REQUEST_CNF}.new'
- printf '[SAN]\nsubjectAltName=${CSR_ALT_NAMES}' >> '${REALM_CERT_REQUEST_CNF}.new'
- # Compare to previous config if necessary
- if [ -f '${REALM_CERT_REQUEST_CNF}' ]; then
- CNF_DIFF=\$(diff -q '${REALM_CERT_REQUEST_CNF}' '${REALM_CERT_REQUEST_CNF}.new' || true)
- if [ -n "\${CNF_DIFF}" ]; then
- # Options have changed
- FORCE_CSR_REGEN="YES"
- else
- # Since they match, we won't be using this, clean it
- rm '${REALM_CERT_REQUEST_CNF}.new'
- fi
- else
- # We never used SAN here, CSR regen needed.
- FORCE_CSR_REGEN="YES"
- fi
-else
- # We used SAN at some point, not any more
- if [ -f '${REALM_CERT_REQUEST_CNF}' ]; then
- rm '${REALM_CERT_REQUEST_CNF}'
- FORCE_CSR_REGEN="YES"
- fi
-fi
-
-# Create or re-create when params have changed
-if [ ! -f '${REALM_CERT_REQUEST}' -o -n "\${FORCE_CSR_REGEN}" ]; then
- openssl req -new -sha256 -key '${REALM_KEY}' -subj '/CN=${REALM}' -out '${REALM_CERT_REQUEST}' ${REALM_CERT_REQUEST_CNF_LINE}
-fi
-
-# Check if cert exists, and if so whether or not it's older than a month
-if [ -f '${REALM_CERT}' ]; then
- MODIFIED_IN_30d="\$(find '${REALM_CERT}' -mtime -30d)"
- if [ -z "\${MODIFIED_IN_30d}" ]; then
- # Cert is over a month old, it's fine to regenerate
- FORCE_CRT_REGEN="YES"
- fi
-else
- # This cert doesn't exist
- FORCE_CRT_REGEN="YES"
-fi
-
-
-# Only request certificate when needed
-# TODO: support linux too
-if [ -n "\${FORCE_CSR_REGEN}" -o -n "\${FORCE_CRT_REGEN}" ]; then
- doas -u acme-tiny -- acme_tiny \
- --account '${ACME_TINY_ACCOUNT_KEY}' \
- --csr '${REALM_CERT_REQUEST}' \
- --acme-dir '${ACME_CHALLENGE_DIR}' > '${REALM_CERT}.new'
-
- if [ -s '${REALM_CERT}.new' ]; then
- mv '${REALM_CERT}.new' '${REALM_CERT}'
- else
- echo "Failed to generate cert for realm '${REALM}'."
- exit 1
- fi
-fi
-
-cat "${REALM_CERT}" "${REALMS_DIR}/chain.pem" > ${REALM_DIR}/fullchain.pem
-
-if [ -n '${REALM_CERT_REQUEST_CNF_LINE}' -a -f '${REALM_CERT_REQUEST_CNF}.new' ]; then
- # CSR and cert generation succeded with a new config, put new config in-place.
- # This is the last thing we do, so we try again next time if sth fails.
- mv '${REALM_CERT_REQUEST_CNF}.new' '${REALM_CERT_REQUEST_CNF}'
-fi
-EOF
diff --git a/cdist/conf/type/__letsencrypt_acmetiny/manifest b/cdist/conf/type/__letsencrypt_acmetiny/manifest
deleted file mode 100644
index 48438abb..00000000
--- a/cdist/conf/type/__letsencrypt_acmetiny/manifest
+++ /dev/null
@@ -1 +0,0 @@
-#__letsencrypt_acmetiny_base
diff --git a/cdist/conf/type/__letsencrypt_acmetiny/nonparallel b/cdist/conf/type/__letsencrypt_acmetiny/nonparallel
deleted file mode 100644
index e69de29b..00000000
diff --git a/cdist/conf/type/__letsencrypt_acmetiny/parameter/optional_multiple b/cdist/conf/type/__letsencrypt_acmetiny/parameter/optional_multiple
deleted file mode 100644
index 7bfb11da..00000000
--- a/cdist/conf/type/__letsencrypt_acmetiny/parameter/optional_multiple
+++ /dev/null
@@ -1 +0,0 @@
-extra-domain
diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/gencode-remote b/cdist/conf/type/__letsencrypt_acmetiny_base/gencode-remote
deleted file mode 100644
index 1e4174a4..00000000
--- a/cdist/conf/type/__letsencrypt_acmetiny_base/gencode-remote
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh -e
-
-ACME_HOME="/var/acme-tiny"
-ACME_ACCOUNT_KEY="${ACME_HOME}/account.key"
-
-cat << EOF
-if [ ! -f '${ACME_ACCOUNT_KEY}' ]; then
- openssl genrsa 4096 > '${ACME_ACCOUNT_KEY}'
- chown acme-tiny:acme-tiny '${ACME_ACCOUNT_KEY}'
- chmod 640 '${ACME_ACCOUNT_KEY}'
-fi
-EOF
diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest b/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
deleted file mode 100644
index cbedcdff..00000000
--- a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
+++ /dev/null
@@ -1,227 +0,0 @@
-# Arguments
-ACME_DOMAIN="$(cat "${__object}/parameter/acme_domain" || true)"
-
-if [ -z "${ACME_DOMAIN}" ]; then
- ACME_DOMAIN="${__target_host}"
-fi
-
-
-# Install needed stuffz
-
-## TODO: consider not depending on nginx? It is... practical though.
-## TODO: Maybe just move this out to a sepecial type?
-__package "nginx"
-
-NGINX_ETC="/usr/local/etc/nginx"
-
-# Setup the acme-challenge snippet
-require="__package/nginx" __directory "${NGINX_ETC}/snippets" --state present
-require="__directory${NGINX_ETC}/snippets" __file "${NGINX_ETC}/snippets/acme-challenge.conf" \
- --mode 644 \
- --source - << EOF
-# This file is managed remotely, all changes will be lost
-
-# This was heavily inspired by debops.org.
-
-# Automatic Certificate Management Environment (ACME) support.
-# https://tools.ietf.org/html/draft-ietf-acme-acme-01
-# https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
-
-
-# Return the ACME challenge present in the server public root.
-# If not found, switch to global web server root.
-location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- try_files \$uri @well-known-acme-challenge;
-}
-
-# Return the ACME challenge present in the global server public root.
-# If not present, redirect request to a specified domain.
-location @well-known-acme-challenge {
- root /srv/www/sites/acme/public;
- default_type "text/plain";
- try_files \$uri @redirect-acme-challenge;
-}
-
-# Redirect the ACME challenge to a different host. If a redirect loop is
-# detected, return 404.
-location @redirect-acme-challenge {
- if (\$arg_redirect) {
- return 404;
- }
- return 307 \$scheme://${ACME_DOMAIN}\$request_uri?redirect=yes;
-}
-
-# Return 404 if ACME challenge well known path is accessed directly.
-location = /.well-known/acme-challenge/ {
- return 404;
-}
-EOF
-
-require="__package/nginx" __directory "${NGINX_ETC}/sites-enabled" --state present
-require="__directory${NGINX_ETC}/sites-enabled" __file "${NGINX_ETC}/nginx.conf" \
- --mode 644 \
- --source - << EOF
-# This file is managed remotely, all changes will be lost
-
-worker_processes 1;
-
-# This default error log path is compiled-in to make sure configuration parsing
-# errors are logged somewhere, especially during unattended boot when stderr
-# isn't normally logged anywhere. This path will be touched on every nginx
-# start regardless of error log location configured here. See
-# https://trac.nginx.org/nginx/ticket/147 for more info.
-#
-#error_log /var/log/nginx/error.log;
-#
-
-#pid logs/nginx.pid;
-
-
-events {
- worker_connections 1024;
-}
-
-
-http {
-
- include mime.types;
- default_type application/octet-stream;
-
- server_tokens off;
-
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 5m;
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- types_hash_max_size 2048;
- gzip on;
- gzip_disable "msie6";
- gzip_comp_level 5;
- gzip_min_length 256;
- gzip_proxied any;
- gzip_vary on;
- gzip_types
- application/atom+xml
- application/javascript
- application/json
- application/ld+json
- application/manifest+json
- application/rss+xml
- application/vnd.geo+json
- application/vnd.ms-fontobject
- application/x-font-ttf
- application/x-web-app-manifest+json
- application/xhtml+xml
- application/xml
- font/opentype
- image/bmp
- image/svg+xml
- image/x-icon
- text/cache-manifest
- text/css
- text/plain
- text/vcard
- text/vnd.rim.location.xloc
- text/vtt
- text/x-component
- text/x-cross-domain-policy;
-
- # Logging
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log;
-
- #add_header X-Clacks-Overhead "GNU Terry Pratchett";
-
- # Virtual Hosts Configs
- include ${NGINX_ETC}/sites-enabled/*.conf;
-}
-EOF
-
-require="__directory${NGINX_ETC}/sites-enabled" __file "${NGINX_ETC}/sites-enabled/welcome.conf" \
- --mode 644 \
- --source - << EOF
-# This file is managed remotely, all changes will be lost
-
-# nginx server configuration for:
-# - https://welcome/
-
-server {
-
- listen [::]:80;
-
- server_name welcome;
-
- root /srv/www/sites/welcome/public;
-
- include snippets/acme-challenge.conf;
-
- location / {
- return 301 https://\$host\$request_uri;
- }
-}
-EOF
-
-## TODO: this is kinda bad, don't restart every time.
-## Otherwise this isn't idempotent.
-require="__package/nginx" __service nginx --action onerestart
-require="__package/nginx" __start_on_boot nginx
-
-
-__package "acme-tiny"
-
-# Create acme-tiny user and secure home dir
-ACME_TINY_HOME="/var/acme-tiny"
-require="__package/acme-tiny" __user acme-tiny --system --home ${ACME_TINY_HOME} --comment "acme-tiny client"
-require="__user/acme-tiny" __directory "${ACME_TINY_HOME}" --state present --mode 0750 --owner acme-tiny --group acme-tiny
-
-# Create ACME challenge dirs to be served by nginx
-ACME_PUBLIC_DIR="/srv/www/sites/acme/public"
-ACME_WELLKNOWN_DIR="${ACME_PUBLIC_DIR}/.well-known"
-ACME_CHALLENGE_DIR="${ACME_WELLKNOWN_DIR}/acme-challenge"
-__directory "${ACME_PUBLIC_DIR}" \
- --parents \
- --state present \
- --owner acme-tiny --group www \
- --mode 2750 # TODO: check whether this does require gid?
-require="__directory${ACME_PUBLIC_DIR}" __directory "${ACME_WELLKNOWN_DIR}" \
- --state present \
- --owner acme-tiny --group www \
- --mode 0750
-require="__directory${ACME_WELLKNOWN_DIR}" __directory "${ACME_CHALLENGE_DIR}" \
- --state present \
- --owner acme-tiny --group www \
- --mode 0750
-
-__package doas
-DOAS_CONF="/usr/local/etc/doas.conf"
-require="__package/doas" __file "${DOAS_CONF}" --mode 0640
-require="__file${DOAS_CONF}" __line "${DOAS_CONF}" \
- --regex 'root as acme-tiny' \
- --line 'permit nopass root as acme-tiny'
-
-# Setup CA
-REALMS_DIR="/usr/local/etc/pki/realms"
-__directory "${REALMS_DIR}" \
- --parents \
- --state present \
- --mode 0755
-
-require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/intermediate.pem \
- --mode 0644 \
- --source - << EOF
-$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt)
-EOF
-require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/root.pem \
- --mode 0644 \
- --source - << EOF
-$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt)
-EOF
-require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/chain.pem \
- --mode 0644 \
- --source - << EOF
-$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt)
-$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt)
-EOF
-
diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/parameter/optional b/cdist/conf/type/__letsencrypt_acmetiny_base/parameter/optional
deleted file mode 100644
index fb20814d..00000000
--- a/cdist/conf/type/__letsencrypt_acmetiny_base/parameter/optional
+++ /dev/null
@@ -1 +0,0 @@
-acme_domain
diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/singleton b/cdist/conf/type/__letsencrypt_acmetiny_base/singleton
deleted file mode 100644
index e69de29b..00000000
diff --git a/cdist/conf/type/__letsencrypt_cert/manifest b/cdist/conf/type/__letsencrypt_cert/manifest
index 68ecf9d4..b4464366 100755
--- a/cdist/conf/type/__letsencrypt_cert/manifest
+++ b/cdist/conf/type/__letsencrypt_cert/manifest
@@ -91,6 +91,9 @@ if [ -z "${certbot_fullpath}" ]; then
certbot_fullpath=/usr/local/bin/certbot
;;
+ ubuntu)
+ __package certbot
+ ;;
*)
echo "Unsupported os: $os" >&2
exit 1
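Review bot: The new `ubuntu)` branch installs the certbot package but, unlike the branch above it (`certbot_fullpath=/usr/local/bin/certbot`), does not set `certbot_fullpath`. Since this whole case runs under `if [ -z "${certbot_fullpath}" ]`, verify that a later default exists; otherwise add `certbot_fullpath=/usr/bin/certbot` (the path the Ubuntu package installs to) so the type does not invoke an empty command.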
diff --git a/cdist/conf/type/__pf_rdr/manifest b/cdist/conf/type/__pf_rdr/manifest
deleted file mode 100644
index 39ab4470..00000000
--- a/cdist/conf/type/__pf_rdr/manifest
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/sh -e
-#
-# 2016 Kamila Součková (coding at kamila.is)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see .
-#
-
-# TODO it would be cool to print a warning if a generated anchor is unused in pf.conf
-
-ANCHORS_DIR=/etc/pf.d
-
-proto="$(cat "${__object}/parameter/proto")"
-from="$(cat "${__object}/parameter/from")"
-to="$(cat "${__object}/parameter/to")"
-state="$(cat "${__object}/parameter/state")"
-
-# This breaks utterly with IPv6
-from="$(echo ${from} | sed 's/:/ port /')"
-to="$(echo ${to} | sed 's/:/ port /')"
-
-anchor_name="$(echo ${__object_id} | cut -d/ -f1)"
-rule="rdr pass log proto ${proto} from any to ${from} -> ${to}"
-
-__directory "${ANCHORS_DIR}" --parents
-
-require="__directory/${ANCHORS_DIR}" \
-__line __pf_rdr/${__object_id} --state ${state} --line "${rule}" --file ${ANCHORS_DIR}/${anchor_name}
diff --git a/cdist/conf/type/__pf_rdr/parameter/default/proto b/cdist/conf/type/__pf_rdr/parameter/default/proto
deleted file mode 100644
index 28a29e6f..00000000
--- a/cdist/conf/type/__pf_rdr/parameter/default/proto
+++ /dev/null
@@ -1 +0,0 @@
-tcp
diff --git a/cdist/conf/type/__pf_rdr/parameter/default/state b/cdist/conf/type/__pf_rdr/parameter/default/state
deleted file mode 100644
index e7f6134f..00000000
--- a/cdist/conf/type/__pf_rdr/parameter/default/state
+++ /dev/null
@@ -1 +0,0 @@
-present
diff --git a/cdist/conf/type/__pf_rdr/parameter/optional b/cdist/conf/type/__pf_rdr/parameter/optional
deleted file mode 100644
index 09ec92ca..00000000
--- a/cdist/conf/type/__pf_rdr/parameter/optional
+++ /dev/null
@@ -1,2 +0,0 @@
-proto
-state
diff --git a/cdist/conf/type/__pf_rdr/parameter/required b/cdist/conf/type/__pf_rdr/parameter/required
deleted file mode 100644
index 4a568482..00000000
--- a/cdist/conf/type/__pf_rdr/parameter/required
+++ /dev/null
@@ -1,2 +0,0 @@
-from
-to
diff --git a/cdist/conf/type/__pyvenv/gencode-remote b/cdist/conf/type/__pyvenv/gencode-remote
index 9c7b7fab..c5b64eff 100755
--- a/cdist/conf/type/__pyvenv/gencode-remote
+++ b/cdist/conf/type/__pyvenv/gencode-remote
@@ -1,6 +1,7 @@
#!/bin/sh -e
#
# 2016 Darko Poljak (darko.poljak at gmail.com)
+# 2020 Nico Schotetlius (nico.schottelius at ungleich.ch)
#
# This file is part of cdist.
#
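Review bot: The surname in the added copyright line is misspelled: "Nico Schotetlius" should be "Nico Schottelius", matching the e-mail address on the same line and the changelog entries in this patch.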
@@ -45,7 +46,7 @@ then
pyvenv=$(cat "$pyvenvparam")
else
case "$os" in
- alpine) # no pyvenv on alpine - I assume others will follow
+ alpine|ubuntu) # no pyvenv on alpine - I assume others will follow
pyvenv="python3 -m venv"
;;
*)
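Review bot: The case label now reads `alpine|ubuntu)` but the trailing comment still says "no pyvenv on alpine - I assume others will follow"; update it to mention Ubuntu too (e.g. "no pyvenv on alpine or ubuntu, use python3 -m venv") so the comment stays accurate.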
diff --git a/cdist/conf/type/__pyvenv/man.rst b/cdist/conf/type/__pyvenv/man.rst
index d7de92fa..8085ff12 100644
--- a/cdist/conf/type/__pyvenv/man.rst
+++ b/cdist/conf/type/__pyvenv/man.rst
@@ -9,7 +9,7 @@ cdist-type__pyvenv - Create or remove python virtual environment
DESCRIPTION
-----------
This cdist type allows you to create or remove python virtual
-environment using pyvenv.
+environment using pyvenv on python3 -m venv.
It assumes pyvenv is already installed. Concrete package depends
on concrete OS and/or OS version/distribution.
Ensure this for e.g. in your init manifest as in the following example:
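Review bot: The changed sentence "environment using pyvenv on python3 -m venv" should read "using pyvenv or python3 -m venv" to match the gencode-remote change in this patch. The following sentence "It assumes pyvenv is already installed" is now only half true for alpine/ubuntu, where the python3 venv module is required instead; consider adjusting it.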
@@ -57,7 +57,7 @@ EXAMPLES
__pyvenv /home/services/djangoenv
- # Use specific pyvenv
+ # Use specific pyvenv
__pyvenv /home/foo/fooenv --pyvenv /usr/local/bin/pyvenv-3.4
# Create python virtualenv for user foo.
@@ -76,4 +76,3 @@ COPYING
-------
Copyright \(C) 2016 Darko Poljak. Free use of this software is
granted under the terms of the GNU General Public License v3 or later (GPLv3+).
-
diff --git a/cdist/conf/type/__tinydns/gencode-remote b/cdist/conf/type/__tinydns/gencode-remote
deleted file mode 100644
index 824479b6..00000000
--- a/cdist/conf/type/__tinydns/gencode-remote
+++ /dev/null
@@ -1,7 +0,0 @@
-servicename=$__object_id
-user="$(cat "$__object/parameter/user")"
-server_ip="$(cat "$__object/parameter/server-ip")"
-
-cat</dev/null || ./add-host $name $ip
-make
-EOF
diff --git a/cdist/conf/type/__tinydns_host/manifest b/cdist/conf/type/__tinydns_host/manifest
deleted file mode 100644
index e69de29b..00000000
diff --git a/cdist/conf/type/__tinydns_host/parameter/required b/cdist/conf/type/__tinydns_host/parameter/required
deleted file mode 100644
index 93d111b2..00000000
--- a/cdist/conf/type/__tinydns_host/parameter/required
+++ /dev/null
@@ -1 +0,0 @@
-ip
diff --git a/cdist/conf/type/__tinydns_ns/gencode-remote b/cdist/conf/type/__tinydns_ns/gencode-remote
deleted file mode 100644
index 7305e605..00000000
--- a/cdist/conf/type/__tinydns_ns/gencode-remote
+++ /dev/null
@@ -1,13 +0,0 @@
-set -x
-
-servicename=$(echo $__object_id | cut -d/ -f1)
-name=$(echo $__object_id | cut -d/ -f2-)
-ip="$(cat "$__object/parameter/ip")"
-
-cat</dev/null || ./add-ns $name $ip
-make
-EOF
-
-set +x
diff --git a/cdist/conf/type/__tinydns_ns/parameter/required b/cdist/conf/type/__tinydns_ns/parameter/required
deleted file mode 100644
index 93d111b2..00000000
--- a/cdist/conf/type/__tinydns_ns/parameter/required
+++ /dev/null
@@ -1 +0,0 @@
-ip
diff --git a/cdist/exec/remote.py b/cdist/exec/remote.py
index e0ef66ec..f72bf3bf 100644
--- a/cdist/exec/remote.py
+++ b/cdist/exec/remote.py
@@ -280,9 +280,6 @@ class Remote(object):
assert isinstance(command, (list, tuple)), (
"list or tuple argument expected, got: %s" % command)
- if return_output and stdout is not subprocess.PIPE:
- self.log.debug("return_output is True, ignoring stdout")
-
close_stdout = False
close_stderr = False
if self.save_output_streams:
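Review bot: Removing the debug message also removes the only hint to callers that `stdout` is ignored when `return_output` is True. If that behaviour is unchanged, document it in the method's docstring or parameter description so the contract is still visible after the log line is gone.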
diff --git a/configuration/cdist.cfg.skeleton b/configuration/cdist.cfg.skeleton
index 22c1ccaf..bfac9f5c 100644
--- a/configuration/cdist.cfg.skeleton
+++ b/configuration/cdist.cfg.skeleton
@@ -19,6 +19,9 @@
# such as ':' for POSIX or ';' for Windows.
# If also specified at command line then values from command line are
# appended to this value.
+# Notice that this works in a "last one wins" fashion, so if a type is redefined
+# in multiple conf_dirs, the last one in which it is defined will be used.
+# Consider using a unique prefix for your own roles if this can be an issue.
# conf_dir = :
#
# init_manifest
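Review bot: The added note is useful; make the precedence explicit by tying it to the sentence just above it: since command-line values are appended to `conf_dir`, a type defined in a command-line conf_dir overrides one of the same name from this file, and any conf_dir can shadow a built-in type. Stating that directly helps users audit where a type actually comes from.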
diff --git a/docs/changelog b/docs/changelog
index 7cacf3cf..e61933ab 100644
--- a/docs/changelog
+++ b/docs/changelog
@@ -2,6 +2,10 @@ Changelog
---------
next:
+ * Type __pyvenv: Switch to python3 -m venv for Ubuntu (Nico Schottelius)
+ * Type __letsencrypt_cert: Whitelist Ubuntu (Nico Schottelius)
+
+6.5.5: 2020-05-01
* Core: Fix XDG_CONFIG_HOME config file location (Joachim Desroches)
* Type __postgres_database: Add encoding, lc-collate, lc-ctype, template parameters (Timothée Floure)
* Type __motd: Improve documentation and support for FreeBSD (Evil Ham)
@@ -10,6 +14,9 @@ next:
* New type: __pf_apply_anchor (Kamila Součková, Evil Ham)
* Type __pf_ruleset: Refactor (Kamila Součková, Evil Ham)
* Type __pf_apply: Deprecate type (Kamila Součková, Evil Ham)
+ * Configuration: Add notes to cdist.cfg.skeleton (Evil Ham)
+ * Explorers cpu_cores, memory: Improve *BSD support (Evil Ham)
+ * Core: Remove debug logging noise (Evil Ham)
6.5.4: 2020-04-11
* Explorer init: Do not grep on non-existent init (Steven Armstrong)
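Review bot: The changelog entries do not mention the type removals in this patch (__iocage_clone, __letsencrypt_acmetiny, __letsencrypt_acmetiny_base, __pf_rdr, __tinydns, __tinydns_host, __tinydns_ns) nor the removal of the `--owner`/`--group` parameters from __daemontools_service, all of which break existing manifests that use them. Add "Remove type" entries and, for the Let's Encrypt types, point users to __letsencrypt_cert, which this patch extends for Ubuntu. The machine_type explorer change (FreeBSD support) is also missing from the list.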
diff --git a/docs/src/cdist-support.rst b/docs/src/cdist-support.rst
index 19afde2f..f9f61f01 100644
--- a/docs/src/cdist-support.rst
+++ b/docs/src/cdist-support.rst
@@ -3,7 +3,7 @@ Support
Chat
~~~~
-Chat with us: `ungleich chat `_.
+Chat with us on `#cdist:ungleich.ch `_.
Mailing list
~~~~~~~~~~~~