[__package_pkgng_freebsd] Bootstrap pkg if necessary

In a pristine FreeBSD base installation, pkg is really a bootstrapper utility, in such cases the type used to fail instead of automatically bootstrapping pkg.
++changelog
2020-09-29 19:47:59 +02:00 · 2020-09-29 05:57:54 +02:00 · 2020-09-29 05:56:38 +02:00 · 2020-09-27 10:17:35 +02:00 · 2020-09-24 06:55:30 +02:00 · 2020-09-23 20:29:47 +02:00
137 changed files with 2322 additions and 747 deletions
--- a/4
+++ b/4
@ -81,7 +81,7 @@ version:
 	}
 # Manpages #3: generic part
-man: version $(MANTYPES) $(DOCSREF)
+man: version configskel $(MANTYPES) $(DOCSREF) $(DOCSTYPESREF)
 	$(SPHINXM)
 html: version configskel $(MANTYPES) $(DOCSREF) $(DOCSTYPESREF)
@ -104,7 +104,7 @@ DOTMANTYPES=$(subst /man.rst,.rst,$(DOTMANTYPEPREFIX))
 $(DOTMAN7DSTDIR)/cdist-type%.rst: $(DOTTYPEDIR)/%/man.rst
 	ln -sf "$^" $@
-dotman: version $(DOTMANTYPES)
+dotman: version configskel $(DOTMANTYPES) $(DOCSREF) $(DOCSTYPESREF)
 	$(SPHINXM)
 ################################################################################
--- a/7
+++ b/7
@ -1,7 +0,0 @@
 cdist
 -----
 cdist is a usable configuration management system.
 For the web documentation have a look at https://www.cdi.st/
 or at docs/src for reStructuredText manual.
--- a/README.md
+++ b/README.md
@ -0,0 +1,31 @@
 # cdist
 **cdist** is a usable configuration management system.
 It adheres to the [**KISS principle**](https://en.wikipedia.org/wiki/KISS_principle)
 and is being used in small up to enterprise grade environments.
 For more information have a look at [**homepage**](https://cdi.st)
 or at **``docs/src``** for manual in **reStructuredText** format.
 ## Contributing
 Merge/Pull requests can be made in both
 [upstream **GitLab**](https://code.ungleich.ch/ungleich-public/cdist/merge_requests)
 (managed by [**ungleich**](https://ungleich.ch))
 and [**GitHub** project](https://github.com/ungleich/cdist/pulls).
 Issues can be made and other project management activites happen
 [**only in GitLab**](https://code.ungleich.ch/ungleich-public/cdist)
 (needs [**ungleich** account](https://account.ungleich.ch)).
 For community-maintained types there is
 [**cdist-contrib** project](https://code.ungleich.ch/ungleich-public/cdist-contrib).
 ## Participating
 IRC: ``#cdist`` @ freenode
 Matrix: ``#cdist:ungleich.ch``
 Mattermost: https://chat.ungleich.ch/ungleich/channels/cdist
--- a/bin/build-helper
+++ b/bin/build-helper
@ -371,7 +371,6 @@ eof
 Manual steps post release:
    - cdist-web
    - send generated mailinglist.tmp mail
    - twitter
 eof
    ;;
--- a/cdist/init.py
+++ b/cdist/init.py
@ -26,6 +26,7 @@ import hashlib
 import cdist.log
 import cdist.version
 VERSION = cdist.version.VERSION
 BANNER = """
@ -48,6 +49,9 @@ REMOTE_EXEC = "ssh -o User=root"
 REMOTE_CMDS_CLEANUP_PATTERN = "ssh -o User=root -O exit -S {}"
 MIN_SUPPORTED_PYTHON_VERSION = '3.5'
 class Error(Exception):
    """Base exception class for this project"""
    pass
--- a/cdist/argparse.py
+++ b/cdist/argparse.py
@ -5,6 +5,7 @@ import logging
 import collections
 import functools
 import cdist.configuration
 import cdist.log
 import cdist.preos
 import cdist.info
@ -125,6 +126,14 @@ def get_parsers():
                  'value.'),
            action='count', default=None)
    parser['colored_output'] = argparse.ArgumentParser(add_help=False)
    parser['colored_output'].add_argument(
            '--colors', metavar='WHEN',
            help="Colorize cdist's output based on log level; "
                 "WHEN is 'always', 'never', or 'auto'.",
            action='store', dest='colored_output', required=False,
            choices=cdist.configuration.ColoredOutputOption.CHOICES)
    parser['beta'] = argparse.ArgumentParser(add_help=False)
    parser['beta'].add_argument(
           '-b', '--beta',
@ -197,6 +206,13 @@ def get_parsers():
                 'supported. Without argument CPU count is used by default. '),
           action='store', dest='jobs',
           const=multiprocessing.cpu_count())
    parser['config_main'].add_argument(
           '--log-server',
           action='store_true',
           help=('Start a log server for sub processes to use. '
                 'This is mainly useful when running cdist nested '
                 'from a code-local script. Log server is alwasy '
                 'implicitly started for \'install\' command.'))
    parser['config_main'].add_argument(
           '-n', '--dry-run',
           help='Do not execute code.', action='store_true')
@ -257,8 +273,7 @@ def get_parsers():
            '-f', '--file',
            help=('Read specified file for a list of additional hosts to '
                  'operate on or if \'-\' is given, read stdin (one host per '
-                  'line). If no host or host file is specified then, by '
+                  'line).'),
                  'default, read hosts from stdin.'),
            dest='hostfile', required=False)
    parser['config_args'].add_argument(
           '-p', '--parallel', nargs='?', metavar='HOST_MAX',
@ -283,6 +298,7 @@ def get_parsers():
            'host', nargs='*', help='Host(s) to operate on.')
    parser['config'] = parser['sub'].add_parser(
            'config', parents=[parser['loglevel'], parser['beta'],
                               parser['colored_output'],
                               parser['common'],
                               parser['config_main'],
                               parser['inventory_common'],
@ -301,6 +317,7 @@ def get_parsers():
    parser['add-host'] = parser['invsub'].add_parser(
            'add-host', parents=[parser['loglevel'], parser['beta'],
                                 parser['colored_output'],
                                 parser['common'],
                                 parser['inventory_common']])
    parser['add-host'].add_argument(
@ -308,13 +325,12 @@ def get_parsers():
    parser['add-host'].add_argument(
           '-f', '--file',
           help=('Read additional hosts to add from specified file '
-                 'or from stdin if \'-\' (each host on separate line). '
+                 'or from stdin if \'-\' (each host on separate line). '),
                 'If no host or host file is specified then, by default, '
                 'read from stdin.'),
           dest='hostfile', required=False)
    parser['add-tag'] = parser['invsub'].add_parser(
            'add-tag', parents=[parser['loglevel'], parser['beta'],
                                parser['colored_output'],
                                parser['common'],
                                parser['inventory_common']])
    parser['add-tag'].add_argument(
@ -323,20 +339,12 @@ def get_parsers():
    parser['add-tag'].add_argument(
           '-f', '--file',
           help=('Read additional hosts to add tags from specified file '
-                 'or from stdin if \'-\' (each host on separate line). '
+                 'or from stdin if \'-\' (each host on separate line). '),
                 'If no host or host file is specified then, by default, '
                 'read from stdin. If no tags/tagfile nor hosts/hostfile'
                 ' are specified then tags are read from stdin and are'
                 ' added to all hosts.'),
           dest='hostfile', required=False)
    parser['add-tag'].add_argument(
           '-T', '--tag-file',
           help=('Read additional tags to add from specified file '
-                 'or from stdin if \'-\' (each tag on separate line). '
+                 'or from stdin if \'-\' (each tag on separate line). '),
                 'If no tag or tag file is specified then, by default, '
                 'read from stdin. If no tags/tagfile nor hosts/hostfile'
                 ' are specified then tags are read from stdin and are'
                 ' added to all hosts.'),
           dest='tagfile', required=False)
    parser['add-tag'].add_argument(
           '-t', '--taglist',
@ -346,6 +354,7 @@ def get_parsers():
    parser['del-host'] = parser['invsub'].add_parser(
            'del-host', parents=[parser['loglevel'], parser['beta'],
                                 parser['colored_output'],
                                 parser['common'],
                                 parser['inventory_common']])
    parser['del-host'].add_argument(
@ -356,13 +365,12 @@ def get_parsers():
    parser['del-host'].add_argument(
            '-f', '--file',
            help=('Read additional hosts to delete from specified file '
-                  'or from stdin if \'-\' (each host on separate line). '
+                  'or from stdin if \'-\' (each host on separate line). '),
                  'If no host or host file is specified then, by default, '
                  'read from stdin.'),
            dest='hostfile', required=False)
    parser['del-tag'] = parser['invsub'].add_parser(
            'del-tag', parents=[parser['loglevel'], parser['beta'],
                                parser['colored_output'],
                                parser['common'],
                                parser['inventory_common']])
    parser['del-tag'].add_argument(
@ -375,20 +383,13 @@ def get_parsers():
    parser['del-tag'].add_argument(
            '-f', '--file',
            help=('Read additional hosts to delete tags for from specified '
-                  'file or from stdin if \'-\' (each host on separate line). '
+                  'file or from stdin if \'-\' (each host on separate '
-                  'If no host or host file is specified then, by default, '
+                  'line). '),
                  'read from stdin. If no tags/tagfile nor hosts/hostfile'
                  ' are specified then tags are read from stdin and are'
                  ' deleted from all hosts.'),
            dest='hostfile', required=False)
    parser['del-tag'].add_argument(
            '-T', '--tag-file',
            help=('Read additional tags from specified file '
-                  'or from stdin if \'-\' (each tag on separate line). '
+                  'or from stdin if \'-\' (each tag on separate line). '),
                  'If no tag or tag file is specified then, by default, '
                  'read from stdin. If no tags/tagfile nor'
                  ' hosts/hostfile are specified then tags are read from'
                  ' stdin and are added to all hosts.'),
            dest='tagfile', required=False)
    parser['del-tag'].add_argument(
            '-t', '--taglist',
@ -398,6 +399,7 @@ def get_parsers():
    parser['list'] = parser['invsub'].add_parser(
            'list', parents=[parser['loglevel'], parser['beta'],
                             parser['colored_output'],
                             parser['common'],
                             parser['inventory_common']])
    parser['list'].add_argument(
@ -430,7 +432,7 @@ def get_parsers():
    # Shell
    parser['shell'] = parser['sub'].add_parser(
-            'shell', parents=[parser['loglevel']])
+            'shell', parents=[parser['loglevel'], parser['colored_output']])
    parser['shell'].add_argument(
            '-s', '--shell',
            help=('Select shell to use, defaults to current shell. Used shell'
@ -478,7 +480,12 @@ def handle_loglevel(args):
    if hasattr(args, 'quiet') and args.quiet:
        args.verbose = _verbosity_level_off
-    logging.root.setLevel(_verbosity_level[args.verbose])
+    logging.getLogger().setLevel(_verbosity_level[args.verbose])
 def handle_log_colors(args):
    if cdist.configuration.ColoredOutputOption.translate(args.colored_output):
        cdist.log.CdistFormatter.USE_COLORS = True
 def parse_and_configure(argv, singleton=True):
@ -492,6 +499,7 @@ def parse_and_configure(argv, singleton=True):
        raise cdist.Error(str(e))
    # Loglevels are handled globally in here
    handle_loglevel(args)
    handle_log_colors(args)
    log = logging.getLogger("cdist")
--- a/cdist/conf/explorer/cpu_cores
+++ b/cdist/conf/explorer/cpu_cores
@ -32,6 +32,11 @@ case "$os" in
        sysctl -n hw.ncpuonline
    ;;
    "freebsd"|"netbsd")
        PATH=$(getconf PATH)
        sysctl -n hw.ncpu
    ;;
    *)
        if [ -r /proc/cpuinfo ]; then
            cores="$(grep "core id" /proc/cpuinfo | sort | uniq | wc -l)"
--- a/cdist/conf/explorer/disks
+++ b/cdist/conf/explorer/disks
@ -30,9 +30,8 @@ case $uname_s in
        sysctl -n hw.disknames | grep -Eo '[lsw]d[0-9]+'
    ;;
    NetBSD)
-        PATH="${PATH}:/usr/local/sbin:/usr/sbin:/sbin"
+        PATH=$(getconf PATH)
-        sysctl -n hw.disknames \
+        sysctl -n hw.disknames | awk -v RS=' ' '/^[lsw]d[0-9]+/'
        | awk 'BEGIN { RS = " " } /^[lsw]d[0-9]+/'
    ;;
    Linux)
        # list of major device numbers toexclude:
--- a/cdist/conf/explorer/machine_type
+++ b/cdist/conf/explorer/machine_type
@ -2,6 +2,7 @@
 #
 # 2014 Daniel Heule  (hda at sfs.biz)
 # 2014 Thomas Oettli (otho at sfs.biz)
 # 2020 Evilham (contact at evilham.com)
 #
 # This file is part of cdist.
 #
@ -18,63 +19,91 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
-# FIXME: other system types (not linux ...)
+os=$("$__explorer/os")
-if [ -d "/proc/vz" ] && [ ! -d "/proc/bc" ]; then
+vendor_string_to_machine_type() {
-    echo openvz
+    for vendor in vmware bochs kvm qemu virtualbox bhyve; do
-    exit
+        if echo "${1}" | grep -q -i "${vendor}"; then
-fi
+            if [ "${vendor}" = "bochs" ] || [ "${vendor}" = "qemu" ]; then
-
+                vendor="kvm"
 if [ -e "/proc/1/environ" ] &&
    tr '\000' '\n' < "/proc/1/environ" | grep -Eiq '^container='; then
    echo lxc
    exit
 fi
 if [ -r /proc/cpuinfo ]; then
    # this should only exist on virtual guest machines,
    # tested on vmware, xen, kvm
    if grep -q "hypervisor" /proc/cpuinfo; then
        # this file is aviable in xen guest systems
        if [ -r /sys/hypervisor/type ]; then
            if grep -q -i "xen" /sys/hypervisor/type; then
                echo virtual_by_xen
                exit 
            fi
-        else
+            echo "virtual_by_${vendor}"
-            if [ -r /sys/class/dmi/id/product_name ]; then
+            exit
                if grep -q -i 'vmware' /sys/class/dmi/id/product_name; then
                    echo "virtual_by_vmware"
                    exit
                elif grep -q -i 'bochs' /sys/class/dmi/id/product_name; then
                    echo "virtual_by_kvm"
                    exit 
                elif grep -q -i 'virtualbox' /sys/class/dmi/id/product_name; then
                    echo "virtual_by_virtualbox"
                    exit 
                fi
            fi
            if [ -r /sys/class/dmi/id/sys_vendor ]; then
                if grep -q -i 'qemu' /sys/class/dmi/id/sys_vendor; then
                    echo "virtual_by_kvm"
                    exit
                fi
            fi
            if [ -r /sys/class/dmi/id/chassis_vendor ]; then
                if grep -q -i 'qemu' /sys/class/dmi/id/chassis_vendor; then
                    echo "virtual_by_kvm"
                    exit
                fi
            fi                        
        fi
-        echo "virtual_by_unknown"
+    done
-    else
+}
-        echo "physical"
+
-    fi
+case "$os" in
-else
+    "freebsd")
-    echo "unknown"
+        # FreeBSD does not have /proc/cpuinfo even when procfs is used.
-fi
+        # Instead there is a sysctl kern.vm_guest.
        # Which is 'none' if physical, else the virtualisation.
        vm_guest="$(sysctl -n kern.vm_guest 2>/dev/null || true)"
        if [ -n "${vm_guest}" ]; then
            if [ "${vm_guest}" = "none" ]; then
                echo "physical"
                exit
            fi
            echo "virtual_by_${vm_guest}"
            exit
        fi
    ;;
    "openbsd")
        # OpenBSD can also use the sysctl's: hw.vendor or hw.product.
        # Note we can be reasonably sure about a machine being virtualised
        # as long as we can identify the virtualisation technology.
        # But not so much about it being physical...
        # Patches are welcome / reach out if you have better ideas.
        for sysctl in hw.vendor hw.product; do
            # This exits if we can make a reasonable judgement
            vendor_string_to_machine_type "$(sysctl -n "${sysctl}")"
        done
    ;;
    *)
        # Defaulting to linux for compatibility with previous cdist behaviour
        if [ -d "/proc/vz" ] && [ ! -d "/proc/bc" ]; then
            echo openvz
            exit
        fi
        if [ -e "/proc/1/environ" ] &&
            tr '\000' '\n' < "/proc/1/environ" | grep -Eiq '^container='; then
            echo lxc
            exit
        fi
        if [ -r /proc/cpuinfo ]; then
            # this should only exist on virtual guest machines,
            # tested on vmware, xen, kvm, bhyve
            if grep -q "hypervisor" /proc/cpuinfo; then
                # this file is aviable in xen guest systems
                if [ -r /sys/hypervisor/type ]; then
                    if grep -q -i "xen" /sys/hypervisor/type; then
                        echo virtual_by_xen
                        exit
                    fi
                else
                    for vendor_file in /sys/class/dmi/id/product_name \
                                       /sys/class/dmi/id/sys_vendor \
                                       /sys/class/dmi/id/chasis_vendor; do
                        if [ -r ${vendor_file} ]; then
                            # This exits if we can make a reasonable judgement
                            vendor_string_to_machine_type "$(cat "${vendor_file}")"
                        fi
                    done
                fi
                echo "virtual_by_unknown"
                exit
            else
                echo "physical"
                exit
            fi
        fi
    ;;
 esac
 echo "unknown"
--- a/cdist/conf/explorer/memory
+++ b/cdist/conf/explorer/memory
@ -29,7 +29,8 @@ case "$os" in
        echo "$(sysctl -n hw.memsize)/1024" | bc
    ;;
-    "openbsd")
+    *"bsd")
        PATH=$(getconf PATH)
        echo "$(sysctl -n hw.physmem) / 1048576" | bc
    ;;
--- a/cdist/conf/explorer/os
+++ b/cdist/conf/explorer/os
@ -143,6 +143,13 @@ case "$uname_s" in
 esac
 if [ -f /etc/os-release ]; then
   # after sles15, suse don't provide an /etc/SuSE-release anymore, but there is almost no difference between sles and opensuse leap, so call it suse
   # shellcheck disable=SC1091
   if (. /etc/os-release && echo "${ID_LIKE}" | grep -q '\(^\|\ \)suse\($\|\ \)')
   then
      echo suse
      exit 0
   fi
   # already lowercase, according to:
   # https://www.freedesktop.org/software/systemd/man/os-release.html
   awk -F= '/^ID=/ { if ($2 ~ /^'"'"'(.*)'"'"'$/ || $2 ~ /^"(.*)"$/) { print substr($2, 2, length($2) - 2) } else { print $2 } }' /etc/os-release
--- a/cdist/conf/explorer/os_version
+++ b/cdist/conf/explorer/os_version
@ -31,7 +31,32 @@ case "$("$__explorer/os")" in
      cat /etc/arch-release
   ;;
   debian)
-      cat /etc/debian_version
+      debian_version=$(cat /etc/debian_version)
      case $debian_version
      in
          testing/unstable)
              # previous to Debian 4.0 testing/unstable was used
              # cf. https://metadata.ftp-master.debian.org/changelogs/main/b/base-files/base-files_11_changelog
              echo 3.99
              ;;
          */sid)
              # sid versions don't have a number, so we decode by codename:
              case $(expr "$debian_version" : '\([a-z]\{1,\}\)/')
              in
                  bullseye) echo 10.99 ;;
                  buster) echo 9.99 ;;
                  stretch) echo 8.99 ;;
                  jessie) echo 7.99 ;;
                  wheezy) echo 6.99 ;;
                  squeeze) echo 5.99 ;;
                  lenny) echo 4.99 ;;
                  *) exit 1
              esac
              ;;
          *)
              echo "$debian_version"
              ;;
      esac
   ;;
   devuan)
      cat /etc/devuan_version
@ -73,4 +98,4 @@ case "$("$__explorer/os")" in
   alpine)
       cat /etc/alpine-release
   ;;
-esac
+esac
--- a/cdist/conf/type/__clean_path/explorer/list
+++ b/cdist/conf/type/__clean_path/explorer/list
@ -18,7 +18,12 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
-path="/$__object_id"
+if [ -f "$__object/parameter/path" ]
 then
    path="$( cat "$__object/parameter/path" )"
 else
    path="/$__object_id"
 fi
 [ ! -d "$path" ] && exit 0
--- a/cdist/conf/type/__clean_path/gencode-remote
+++ b/cdist/conf/type/__clean_path/gencode-remote
@ -20,7 +20,12 @@
 [ ! -s "$__object/explorer/list" ] && exit 0
-path="/$__object_id"
+if [ -f "$__object/parameter/path" ]
 then
    path="$( cat "$__object/parameter/path" )"
 else
    path="/$__object_id"
 fi
 pattern="$( cat "$__object/parameter/pattern" )"
--- a/cdist/conf/type/__clean_path/man.rst
+++ b/cdist/conf/type/__clean_path/man.rst
@ -10,7 +10,7 @@ DESCRIPTION
 -----------
 Remove files and directories which match the pattern.
-Provided path (as __object_id) must be a directory.
+Provided path must be a directory.
 Patterns are passed to ``find``'s ``-regex`` - see ``find(1)`` for more details.
@ -29,6 +29,9 @@ pattern
 OPTIONAL PARAMETERS
 -------------------
 path
   Path which will be cleaned. Defaults to ``$__object_id``.
 exclude
   Pattern of files which are excluded from removal.
@ -46,6 +49,11 @@ EXAMPLES
        --exclude '.+\(charset\.conf\|security\.conf\)' \
        --onchange 'service apache2 restart'
    __clean_path apache2-conf-enabled \
        --path /etc/apache2/conf-enabled \
        --pattern '.+' \
        --exclude '.+\(charset\.conf\|security\.conf\)' \
        --onchange 'service apache2 restart'
 AUTHORS
 -------
--- a/cdist/conf/type/__clean_path/parameter/optional
+++ b/cdist/conf/type/__clean_path/parameter/optional
@ -1,2 +1,3 @@
 exclude
 onchange
 path
--- a/cdist/conf/type/__cron/man.rst
+++ b/cdist/conf/type/__cron/man.rst
@ -21,6 +21,11 @@ command
 OPTIONAL PARAMETERS
 -------------------
 **NOTE**: All time-related parameters (``--minute``, ``--hour``, ``--day_of_month``
 ``--month`` and ``--day_of_week``) defaults to ``*``, which means to execute it
 **always**. If you set ``--hour 0`` to execute the cronjob only at midnight, it
 will execute **every** minute in the first hour of the morning all days.
 state
   Either present or absent. Defaults to present.
 minute
--- a/cdist/conf/type/__directory/explorer/stat
+++ b/cdist/conf/type/__directory/explorer/stat
@ -30,10 +30,10 @@ fallback() {
   gid=$(echo "$ls_line" | awk '{ print $4 }')
   owner=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/passwd)
-   group=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
+   group=$(awk -F: -v gid="$gid" '$3 == gid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
   mode_text=$(echo "$ls_line" | awk '{ print $1 }')
-   mode=$(echo "$mode_text" | awk '{ k=0; for (i=0; i<=8; i++) k += ((substr($1, i+2, 1) ~ /[rwx]/) * 2^(8-i)); printf("%0o", k) }')
+   mode=$(echo "$mode_text" | awk '{for(i=8;i>=0;--i){c=substr($1,10-i,1);k+=((c~/[rwxst]/)*2^i);if(!(i%3))k+=(tolower(c)~/[lst]/)*2^(9+i/3)}printf("%04o",k)}')
   printf 'type: %s\nowner: %d %s\ngroup: %d %s\nmode: %s %s\n' \
      "$("$__type_explorer/type")" \
@ -45,56 +45,27 @@ fallback() {
 # nothing to work with, nothing we could do
 [ -e "$destination" ] || exit 0
-if ! command -v stat >/dev/null
+command -v stat >/dev/null 2>&1 || {
 then
   fallback
   exit
-fi
+}
-case $("$__explorer/os") in
+case $("$__explorer/os")
-   "freebsd"|"netbsd"|"openbsd"|"macosx")
+in
-      stat -f "type: %HT
+   freebsd|netbsd|openbsd|macosx)
      stat -f 'type: %HT
 owner: %Du %Su
 group: %Dg %Sg
-mode: %Lp %Sp
+mode: %Mp%03Lp %Sp
-" "$destination" | awk '/^type/ { print tolower($0); next } { print }'
+' "$destination" | awk '/^type/ { print tolower($0); next } { print }'
      ;;
    solaris)
        ls1="$( ls -ld "$destination" )"
        ls2="$( ls -ldn "$destination" )"
        if [ -f "$__object/parameter/mode" ]
        then mode_should="$( cat "$__object/parameter/mode" )"
        fi
        # yes, it is ugly hack, but if you know better way...
        if [ -z "$( find "$destination" -perm "$mode_should" )" ]
        then octets=888
        else octets="$( echo "$mode_should" | sed 's/^0//' )"
        fi
        case "$( echo "$ls1" | cut -c1-1 )" in
            -) echo 'type: regular file' ;;
            d) echo 'type: directory' ;;
        esac
        echo "owner: $( echo "$ls2" \
            | awk '{print $3}' ) $( echo "$ls1" \
                | awk '{print $3}' )"
        echo "group: $( echo "$ls2" \
            | awk '{print $4}' ) $( echo "$ls1" \
                | awk '{print $4}' )"
        echo "mode: $octets $( echo "$ls1" | awk '{print $1}' )"
    ;;
   *)
      # NOTE: Do not use --printf here as it is not supported by BusyBox stat.
      # NOTE: BusyBox's stat might not support the "-c" option, in which case
      #       we fall through to the shell fallback.
-       stat -c "type: %F
+      stat -c 'type: %F
 owner: %u %U
 group: %g %G
-mode: %a %A" "$destination" 2>/dev/null || fallback
+mode: %04a %A' "$destination" 2>/dev/null || fallback
-   ;;
+      ;;
 esac
--- a/cdist/conf/type/__directory/gencode-remote
+++ b/cdist/conf/type/__directory/gencode-remote
@ -97,9 +97,11 @@ case "$state_should" in
            value_should="$(cat "$__object/parameter/$attribute")"
            value_is="$(get_current_value "$attribute" "$value_should")"
-            # change 0xxx format to xxx format => same as stat returns
+            # format mode in four digits => same as stat returns
            if [ "$attribute" = mode ]; then
-                value_should="$(echo "$value_should" | sed 's/^0\(...\)/\1/')"
+                # Convert to four-digit octal number (printf interprets
                # strings with leading 0s as octal!)
                value_should=$(printf '%04o' "0${value_should}")
            fi
            if [ "$set_attributes" = 1 ] || [ "$value_should" != "$value_is" ]; then
--- a/cdist/conf/type/__download/explorer/remote_cmd
+++ b/cdist/conf/type/__download/explorer/remote_cmd
@ -0,0 +1,19 @@
 #!/bin/sh -e
 if [ -f "$__object/parameter/cmd-get" ]
 then
    cmd="$( cat "$__object/parameter/cmd-get" )"
 elif command -v curl > /dev/null
 then
    cmd="curl -L -o - '%s'"
 elif command -v fetch > /dev/null
 then
    cmd="fetch -o - '%s'"
 else
    cmd="wget -O - '%s'"
 fi
 echo "$cmd"
--- a/cdist/conf/type/__download/explorer/state
+++ b/cdist/conf/type/__download/explorer/state
@ -0,0 +1,72 @@
 #!/bin/sh -e
 dst="/$__object_id"
 if [ ! -f "$dst" ]
 then
    echo 'absent'
    exit 0
 fi
 sum_should="$( cat "$__object/parameter/sum" )"
 if [ -f "$__object/parameter/cmd-sum" ]
 then
    # shellcheck disable=SC2059
    sum_is="$( eval "$( printf \
        "$( cat "$__object/parameter/cmd-sum" )" \
        "$dst" )" )"
 else
    os="$( "$__explorer/os" )"
    if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
    then
        sum_is="$( cksum "$dst" | awk '{print $1" "$2}' )"
    elif echo "$sum_should" | grep -Eiq '^md5:[a-f0-9]{32}$'
    then
        case "$os" in
            freebsd)
                sum_is="md5:$( md5 -q "$dst" )"
            ;;
            *)
                sum_is="md5:$( md5sum "$dst" | awk '{print $1}' )"
            ;;
        esac
    elif echo "$sum_should" | grep -Eiq '^sha1:[a-f0-9]{40}$'
    then
        case "$os" in
            freebsd)
                sum_is="sha1:$( sha1 -q "$dst" )"
            ;;
            *)
                sum_is="sha1:$( sha1sum "$dst" | awk '{print $1}' )"
            ;;
        esac
    elif echo "$sum_should" | grep -Eiq '^sha256:[a-f0-9]{64}$'
    then
        case "$os" in
            freebsd)
                sum_is="sha256:$( sha256 -q "$dst" )"
            ;;
            *)
                sum_is="sha256:$( sha256sum "$dst" | awk '{print $1}' )"
            ;;
        esac
    fi
 fi
 if [ -z "$sum_is" ]
 then
    echo 'no checksum from target' >&2
    exit 1
 fi
 if [ "$sum_is" = "$sum_should" ]
 then
    echo 'present'
 else
    echo 'mismatch'
 fi
--- a/cdist/conf/type/__download/gencode-local
+++ b/cdist/conf/type/__download/gencode-local
@ -0,0 +1,58 @@
 #!/bin/sh -e
 download="$( cat "$__object/parameter/download" )"
 state_is="$( cat "$__object/explorer/state" )"
 if [ "$download" != 'local' ] || [ "$state_is" = 'present' ]
 then
    exit 0
 fi
 url="$( cat "$__object/parameter/url" )"
 tmp="$( mktemp )"
 dst="/$__object_id"
 if [ -f "$__object/parameter/cmd-get" ]
 then
    cmd="$( cat "$__object/parameter/cmd-get" )"
 elif command -v wget > /dev/null
 then
    cmd="wget -O - '%s'"
 elif command -v curl > /dev/null
 then
    cmd="curl -L -o - '%s'"
 elif command -v fetch > /dev/null
 then
    cmd="fetch -o - '%s'"
 else
    echo 'no usable locally installed utility for downloading' >&2
    exit 1
 fi
 printf "$cmd > %s\n" \
    "$url" \
    "$tmp"
 if echo "$__target_host" | grep -Eq '^[0-9a-fA-F:]+$'
 then
    target_host="[$__target_host]"
 else
    target_host="$__target_host"
 fi
 printf '%s %s %s:%s\n' \
    "$__remote_copy" \
    "$tmp" \
    "$target_host" \
    "$dst"
 echo "rm -f '$tmp'"
 echo 'downloaded' > "$__messages_out"
--- a/cdist/conf/type/__download/gencode-remote
+++ b/cdist/conf/type/__download/gencode-remote
@ -0,0 +1,25 @@
 #!/bin/sh -e
 download="$( cat "$__object/parameter/download" )"
 state_is="$( cat "$__object/explorer/state" )"
 if [ "$download" = 'remote' ] && [ "$state_is" != 'present' ]
 then
    cmd="$( cat "$__object/explorer/remote_cmd" )"
    url="$( cat "$__object/parameter/url" )"
    dst="/$__object_id"
    printf "$cmd > %s\n" \
        "$url" \
        "$dst"
    echo 'downloaded' > "$__messages_out"
 fi
 if [ -f "$__object/parameter/onchange" ] && [ "$state_is" != "present" ]
 then
    cat "$__object/parameter/onchange"
 fi
--- a/cdist/conf/type/__download/man.rst
+++ b/cdist/conf/type/__download/man.rst
@ -0,0 +1,86 @@
 cdist-type__download(7)
 =======================
 NAME
 ----
 cdist-type__download - Download a file
 DESCRIPTION
 -----------
 Destination (``$__object_id``) in target host must be persistent storage
 in order to calculate checksum and decide if file must be (re-)downloaded.
 By default type will try to use ``wget``, ``curl`` or ``fetch``.
 If download happens in target (see ``--download``) then type will
 fallback to (and install) ``wget``.
 If download happens in local machine, then environment variables like
 ``{http,https,ftp}_proxy`` etc can be used on cdist execution
 (``http_proxy=foo cdist config ...``).
 REQUIRED PARAMETERS
 -------------------
 url
   File's URL.
 sum
   Checksum of file going to be downloaded.
   By default output of ``cksum`` without filename is expected.
   Other hash formats supported with prefixes: ``md5:``, ``sha1:`` and ``sha256:``.
 OPTIONAL PARAMETERS
 -------------------
 download
   If ``local`` (default), then download file to local storage and copy
   it to target host. If ``remote``, then download happens in target.
 cmd-get
   Command used for downloading.
   Command must output to ``stdout``.
   Parameter will be used for ``printf`` and must include only one
   format specification ``%s`` which will become URL.
   For example: ``wget -O - '%s'``.
 cmd-sum
   Command used for checksum calculation.
   Command output and ``--sum`` parameter must match.
   Parameter will be used for ``printf`` and must include only one
   format specification ``%s`` which will become destination.
   For example: ``md5sum '%s' | awk '{print $1}'``.
 onchange
   Execute this command after download.
 EXAMPLES
 --------
 .. code-block:: sh
    __directory /opt/cpma
    require='__directory/opt/cpma' \
        __download /opt/cpma/cnq3.zip \
            --url https://cdn.playmorepromode.com/files/cnq3/cnq3-1.51.zip \
            --sum md5:46da3021ca9eace277115ec9106c5b46
    require='__download/opt/cpma/cnq3.zip' \
        __unpack /opt/cpma/cnq3.zip \
            --move-existing-destination \
            --destination /opt/cpma/server
 AUTHORS
 -------
 Ander Punnar <ander-at-kvlt-dot-ee>
 COPYING
 -------
 Copyright \(C) 2020 Ander Punnar. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__download/manifest
+++ b/cdist/conf/type/__download/manifest
@ -0,0 +1,6 @@
 #!/bin/sh -e
 if grep -Eq '^wget' "$__object/explorer/remote_cmd"
 then
    __package wget
 fi
--- a/cdist/conf/type/__download/parameter/default/download
+++ b/cdist/conf/type/__download/parameter/default/download
@ -0,0 +1 @@
 local
--- a/cdist/conf/type/__download/parameter/optional
+++ b/cdist/conf/type/__download/parameter/optional
@ -0,0 +1,4 @@
 cmd-get
 cmd-sum
 download
 onchange
--- a/cdist/conf/type/__download/parameter/required
+++ b/cdist/conf/type/__download/parameter/required
@ -0,0 +1,2 @@
 url
 sum
--- a/cdist/conf/type/__file/explorer/stat
+++ b/cdist/conf/type/__file/explorer/stat
@ -31,10 +31,10 @@ fallback() {
   gid=$(echo "$ls_line" | awk '{ print $4 }')
   owner=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/passwd)
-   group=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
+   group=$(awk -F: -v gid="$gid" '$3 == gid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
   mode_text=$(echo "$ls_line" | awk '{ print $1 }')
-   mode=$(echo "$mode_text" | awk '{ k=0; for (i=0; i<=8; i++) k += ((substr($1, i+2, 1) ~ /[rwx]/) * 2^(8-i)); printf("%0o", k) }')
+   mode=$(echo "$mode_text" | awk '{for(i=8;i>=0;--i){c=substr($1,10-i,1);k+=((c~/[rwxst]/)*2^i);if(!(i%3))k+=(tolower(c)~/[lst]/)*2^(9+i/3)}printf("%04o",k)}')
   size=$(echo "$ls_line" | awk '{ print $5 }')
   links=$(echo "$ls_line" | awk '{ print $2 }')
@ -53,64 +53,32 @@ fallback() {
 [ -e "$destination" ] || exit 0
-if ! command -v stat >/dev/null
+command -v stat >/dev/null 2>&1 || {
 then
   fallback
   exit
-fi
+}
 case $("$__explorer/os")
 in
   freebsd|netbsd|openbsd|macosx)
-      stat -f "type: %HT
+      stat -f 'type: %HT
 owner: %Du %Su
 group: %Dg %Sg
-mode: %Lp %Sp
+mode: %Mp%03Lp %Sp
 size: %Dz
 links: %Dl
-" "$destination" | awk '/^type/ { print tolower($0); next } { print }'
+' "$destination" | awk '/^type/ { print tolower($0); next } { print }'
      ;;
    solaris)
        ls1="$( ls -ld "$destination" )"
        ls2="$( ls -ldn "$destination" )"
        if [ -f "$__object/parameter/mode" ]
        then mode_should="$( cat "$__object/parameter/mode" )"
        fi
        # yes, it is ugly hack, but if you know better way...
        if [ -z "$( find "$destination" -perm "$mode_should" )" ]
        then octets=888
        else octets="$( echo "$mode_should" | sed 's/^0//' )"
        fi
        case "$( echo "$ls1" | cut -c1-1 )" in
            -) echo 'type: regular file' ;;
            d) echo 'type: directory' ;;
        esac
        echo "owner: $( echo "$ls2" \
            | awk '{print $3}' ) $( echo "$ls1" \
                | awk '{print $3}' )"
        echo "group: $( echo "$ls2" \
            | awk '{print $4}' ) $( echo "$ls1" \
                | awk '{print $4}' )"
        echo "mode: $octets $( echo "$ls1" | awk '{print $1}' )"
        echo "size: $( echo "$ls1" | awk '{print $5}' )"
        echo "links: $( echo "$ls1" | awk '{print $2}' )"
    ;;
   *)
      # NOTE: Do not use --printf here as it is not supported by BusyBox stat.
      # NOTE: BusyBox's stat might not support the "-c" option, in which case
      #       we fall through to the shell fallback.
-      stat -c "type: %F
+      stat -c 'type: %F
 owner: %u %U
 group: %g %G
-mode: %a %A
+mode: %04a %A
 size: %s
-links: %h" "$destination" 2>/dev/null || fallback
+links: %h' "$destination" 2>/dev/null || fallback
-         ;;
+      ;;
 esac
--- a/cdist/conf/type/__file/gencode-remote
+++ b/cdist/conf/type/__file/gencode-remote
@ -68,9 +68,11 @@ case "$state_should" in
            if [ -f "$__object/parameter/$attribute" ]; then
                value_should="$(cat "$__object/parameter/$attribute")"
-                # change 0xxx format to xxx format => same as stat returns
+                # format mode in four digits => same as stat returns
                if [ "$attribute" = mode ]; then
-                    value_should="$(echo "$value_should" | sed 's/^0\(...\)/\1/')"
+                    # Convert to four-digit octal number (printf interprets
                    # strings with leading 0s as octal!)
                    value_should=$(printf '%04o' "0${value_should}")
                fi
                value_is="$(get_current_value "$attribute" "$value_should")"
--- a/cdist/conf/type/__file/man.rst
+++ b/cdist/conf/type/__file/man.rst
@ -50,13 +50,13 @@ state
      create or modify it
 group
-   Group to chgrp to.
+   Group to chgrp to. Defaults to ``root``.
 mode
-   Unix permissions, suitable for chmod.
+   Unix permissions, suitable for chmod. Defaults to a very secure ``0600``.
 owner
-   User to chown to.
+   User to chown to. Defaults to ``root``.
 source
   If supplied, copy this file from the host running cdist to the target.
--- a/cdist/conf/type/__filesystem/explorer/lsblk
+++ b/cdist/conf/type/__filesystem/explorer/lsblk
@ -18,16 +18,16 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
-os=$("$__explorer/os")
+os=$("${__explorer:?}/os")
-if [ -f "$__object/parameter/device" ]; then
+if [ -f "${__object:?}/parameter/device" ]; then
    blkdev="$(cat "$__object/parameter/device")"
 else
-    blkdev="$__object_id"
+    blkdev="${__object_id:?}"
 fi
 case "$os" in
-    centos|fedora|redhat|suse|gentoo)
+    alpine|centos|fedora|redhat|suse|gentoo)
        if [ ! -x "$(command -v lsblk)" ]; then
            echo "lsblk is required for __filesystem type" >&2
            exit 1
--- a/cdist/conf/type/__group/gencode-remote
+++ b/cdist/conf/type/__group/gencode-remote
@ -88,7 +88,7 @@ if [ "$state" = "present" ]; then
         fi
      done
      if [ "$os" = "freebsd" ]; then
-         echo pw groupadd "$@" "$name"
+         echo pw groupadd "$name" "$@"
      else
         echo groupadd "$@" "$name"
      fi
--- a/cdist/conf/type/__hosts/man.rst
+++ b/cdist/conf/type/__hosts/man.rst
@ -25,6 +25,10 @@ ip
    state is ``present``, this parameter is mandatory, if state is
    ``absent``, this parameter is silently ignored.
 alias
    An alias for the hostname.
    This parameter can be specified multiple times (once per alias).
 EXAMPLES
 --------
@ -36,6 +40,8 @@ EXAMPLES
    # previously configured via __hosts.
    __hosts happy --state absent
    __hosts srv1.example.com --ip 192.168.0.42 --alias srv1
 SEE ALSO
 --------
@ -43,13 +49,14 @@ SEE ALSO
 AUTHORS
 -------
-
+| Dmitry Bogatov <KAction@gnu.org>
-Dmitry Bogatov <KAction@gnu.org>
+| Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
 COPYING
 -------
-Copyright (C) 2015,2016 Dmitry Bogatov. Free use of this software is granted
+Copyright \(C) 2015-2016 Dmitry Bogatov, 2019 Dennis Camera.
-under the terms of the GNU General Public License version 3 or later
+You can redistribute it and/or modify it under the terms of the GNU General
-(GPLv3+).
+Public License as published by the Free Software Foundation, either version 3 of
 the License, or (at your option) any later version.
--- a/cdist/conf/type/__hosts/manifest
+++ b/cdist/conf/type/__hosts/manifest
@ -1,29 +1,42 @@
 #!/bin/sh -e
 # Copyright (C) 2015  Bogatov Dmitry <KAction@gnu.org>
 #
-# This program is free software: you can redistribute it and/or modify
+# Copyright (C) 2015  Bogatov Dmitry <KAction@gnu.org>
 # 2019 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
-# This program is distributed in the hope that it will be useful,
+# cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-set -ue
+#
-hostname="$__object_id"
+set -e
 state="$(cat "$__object/parameter/state")"
 marker="# __hosts/$hostname"
-set -- "__hosts/$hostname" --file /etc/hosts --state "$state"
+hostname=$__object_id
 state=$(cat "${__object}/parameter/state")
 marker="# __hosts/${hostname}"
-if [ "$state" = absent ] ; then
+if test "${state}" != 'absent'
-	__line "$@" --regex "$marker"
+then
 	ip=$(cat "${__object}/parameter/ip")
 	if test -s "${__object}/parameter/alias"
 	then
 		aliases=$(while read -r a; do printf '\t%s' "$a"; done <"$__object/parameter/alias")
 	fi
 	set -- --line "$(printf '%s\t%s%s  %s' \
 		"${ip}" "${hostname}" "${aliases}" "${marker}")"
 else
-	ip="$(cat "$__object/parameter/ip")"
+	set -- --regex "$(echo "${marker}" | sed -e 's/\./\\./')$"
 	__line "$@" --line "$ip $hostname $marker"
 fi
 __line "/etc/hosts:${hostname}" --file /etc/hosts --state "${state}" "$@"
--- a/cdist/conf/type/__hosts/parameter/optional_multiple
+++ b/cdist/conf/type/__hosts/parameter/optional_multiple
@ -0,0 +1 @@
 alias
--- a/cdist/conf/type/__key_value/explorer/state
+++ b/cdist/conf/type/__key_value/explorer/state
@ -40,7 +40,9 @@ else
 fi
 export key state delimiter value exact_delimiter
-awk -f - "$file" <<"AWK_EOF"
+awk_bin=$(PATH=$(getconf PATH 2>/dev/null) && command -v awk || echo awk)
 "${awk_bin}" -f - "$file" <<"AWK_EOF"
 BEGIN {
    state=ENVIRON["state"]
    key=ENVIRON["key"]
--- a/cdist/conf/type/__key_value/files/remote_script.sh
+++ b/cdist/conf/type/__key_value/files/remote_script.sh
@ -24,7 +24,10 @@ if [ -f "$file" ]; then
 else
    touch "$file"
 fi
-awk -f - "$file" >"$tmpfile" <<"AWK_EOF"
+
 awk_bin=$(PATH=$(getconf PATH 2>/dev/null) && command -v awk || echo awk)
 "${awk_bin}" -f - "$file" >"$tmpfile" <<"AWK_EOF"
 BEGIN {
    # import variables in a secure way ..
    state=ENVIRON["state"]
--- a/cdist/conf/type/__key_value/gencode-remote
+++ b/cdist/conf/type/__key_value/gencode-remote
@ -25,7 +25,7 @@ state_should="$(cat "$__object/parameter/state")"
 state_is="$(cat "$__object/explorer/state")"
 fire_onchange=''
-if [  "$state_is" = "$state_should" ]; then
+if [ "$state_is" = "$state_should" ]; then
    exit 0
 fi
--- a/cdist/conf/type/__letsencrypt_cert/manifest
+++ b/cdist/conf/type/__letsencrypt_cert/manifest
@ -91,6 +91,9 @@ if [ -z "${certbot_fullpath}" ]; then
 			certbot_fullpath=/usr/local/bin/certbot
 		;;
 		ubuntu)
            __package certbot
            ;;
 		*)
 			echo "Unsupported os: $os" >&2
 			exit 1
--- a/cdist/conf/type/__link/man.rst
+++ b/cdist/conf/type/__link/man.rst
@ -18,7 +18,7 @@ source
   Specifies the link source.
 type
-   Specifies the link type: Either hard or symoblic.
+   Specifies the link type: Either hard or symbolic.
 OPTIONAL PARAMETERS
--- a/cdist/conf/type/__locale_system/manifest
+++ b/cdist/conf/type/__locale_system/manifest
@ -3,6 +3,7 @@
 # 2012-2016 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2016 Carlos Ortigoza (carlos.ortigoza at ungleich.ch)
 # 2016 Nico Schottelius (nico.schottelius at ungleich.ch)
 # 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -23,17 +24,171 @@
 # Configure system-wide locale by modifying i18n file.
 #
 version_ge() {
    awk -F '[^0-9.]' -v target="${1:?}" '
    function max(x, y) { return x > y ? x : y }
    BEGIN {
        getline
        nx = split($1, x, ".")
        ny = split(target, y, ".")
        for (i = 1; i <= max(nx, ny); ++i) {
            diff = int(x[i]) - int(y[i])
            if (diff == 0) continue
            exit (diff < 0)
        }
    }'
 }
 key=$__object_id
 onchange_cmd=  # none, by default
 quote_value=false
 catval() {
    # shellcheck disable=SC2059
    printf "$($quote_value && echo '"%s"' || echo '%s')" "$(cat "$1")"
 }
 state_should=$(cat "${__object}/parameter/state")
 os=$(cat "$__global/explorer/os")
-case "$os" in
+case $os
-    debian|ubuntu)
+in
    debian)
        if version_ge 4 <"${__global}/explorer/os_version"
        then
            # Debian 4 (etch) and later
            locale_conf="/etc/default/locale"
        else
            locale_conf="/etc/environment"
        fi
        ;;
    devuan)
        locale_conf="/etc/default/locale"
        ;;
    ubuntu)
        if version_ge 6.10 <"${__global}/explorer/os_version"
        then
            # Ubuntu 6.10 (edgy) and later
            locale_conf="/etc/default/locale"
        else
            locale_conf="/etc/environment"
        fi
        ;;
    archlinux)
        locale_conf="/etc/locale.conf"
        ;;
-    redhat|centos)
+    centos|redhat|scientific)
-        locale_conf="/etc/sysconfig/i18n"
+        # shellcheck source=/dev/null
        version_id=$(. "${__global}/explorer/os_release" && echo "${VERSION_ID:-0}")
        if echo "${version_id}" | version_ge 7
        then
            locale_conf="/etc/locale.conf"
        else
            locale_conf="/etc/sysconfig/i18n"
        fi
        ;;
    fedora)
        # shellcheck source=/dev/null
        version_id=$(. "${__global}/explorer/os_release" && echo "${VERSION_ID:-0}")
        if echo "${version_id}" | version_ge 18
        then
            locale_conf="/etc/locale.conf"
            quote_value=false
        else
            locale_conf="/etc/sysconfig/i18n"
        fi
        ;;
    gentoo)
        case $(cat "${__global}/explorer/init")
        in
            (*openrc*)
                locale_conf="/etc/env.d/02locale"
                onchange_cmd="env-update --no-ldconfig"
                quote_value=true
                ;;
            (systemd)
                locale_conf="/etc/locale.conf"
                ;;
        esac
        ;;
    freebsd|netbsd)
        # NetBSD doesn't have a separate configuration file to set locales.
        # In FreeBSD locales could be configured via /etc/login.conf but parsing
        # that would be annoying, so the shell login file will have to do.
        # "Non-POSIX" shells like csh will not be updated here.
        locale_conf="/etc/profile"
        quote_value=true
        value="$(catval "${__object}/parameter/value"); export ${key}"
        ;;
    solaris)
        locale_conf="/etc/default/init"
        locale_conf_group="sys"
        if version_ge 5.11 <"${__global}/explorer/os_version"
        then
            # mode on Oracle Solaris 11 is actually 0444,
            # but the write bit makes sense, IMO
            locale_conf_mode=0644
            # Oracle Solaris 11.2 and later uses SMF to store environment info.
            # This is a hack, but I didn't feel like modifying the whole type
            # just for some Oracle nonsense.
            # 11.3 apparently added nlsadm(1m), but it is missing from 11.2.
            # Illumos continues to use /etc/default/init
            # NOTE: Remember not to use "cool" POSIX features like -q or -e with
            # Solaris grep.
            release_regex='Oracle Solaris 11.[2-9][0-9]*'
            case $state_should
            in
                (present)
                    svccfg_cmd="svccfg -s svc:/system/environment:init setprop environment/${key} = astring: '$(cat "${__object}/parameter/value")'"
                    ;;
                (absent)
                    svccfg_cmd="svccfg -s svc:/system/environment:init delprop environment/${key}"
                    ;;
            esac
            refresh_cmd='svcadm refresh svc:/system/environment'
            onchange_cmd="grep '${release_regex}' /etc/release >&- || exit 0; ${svccfg_cmd:-:} && ${refresh_cmd}"
        else
            locale_conf_mode=0555
        fi
        ;;
    slackware)
        # NOTE: lang.csh (csh config) is ignored here.
        locale_conf="/etc/profile.d/lang.sh"
        locale_conf_mode=0755
        key="export ${__object_id}"
        ;;
    suse)
        if test -s "${__global}/explorer/os_release"
        then
            # shellcheck source=/dev/null
            os_version=$(. "${__global}/explorer/os_release" && echo "${VERSION}")
        else
            os_version=$(sed -n 's/^VERSION\ *=\ *//p' "${__global}/explorer/os_version")
        fi
        os_major=$(expr "${os_version}" : '\([0-9]\{1,\}\)')
        # https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-suse.html#sec-suse-l10n
        if expr "${os_major}" '>=' 15 \& "${os_major}" != 42
        then
            # It seems that starting with SuSE 15 the systemd /etc/locale.conf
            # is the preferred way to set locales, although
            # /etc/sysconfig/language is still available.
            # Older documentation doesn't mention /etc/locale.conf, even though
            # is it created when localectl is used.
            locale_conf="/etc/locale.conf"
        else
            locale_conf="/etc/sysconfig/language"
            quote_value=true
            key="RC_${__object_id}"
        fi
        ;;
    voidlinux)
        locale_conf="/etc/locale.conf"
        ;;
    *)
        echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
@ -42,14 +197,16 @@ case "$os" in
        ;;
 esac
-__file "$locale_conf" \
+__file "${locale_conf}" --state exists \
-       --owner root --group root --mode 644 \
+    --owner "${locale_conf_owner:-0}" \
-       --state exists
+    --group "${locale_conf_group:-0}" \
    --mode "${locale_conf_mode:-0644}"
-require="__file/$locale_conf" \
+require="__file/${locale_conf}" \
-       __key_value "$locale_conf:$__object_id" \
+__key_value "${locale_conf}:${key#export }" \
-       --file "$locale_conf" \
+    --file "${locale_conf}" \
-       --key "$__object_id" \
+    --key "${key}" \
-       --delimiter = \
+    --delimiter '=' --exact_delimiter \
-       --state "$(cat "$__object/parameter/state")" \
+    --state "${state_should}" \
-       --value "$(cat "$__object/parameter/value")"
+    --value "${value:-$(catval "${__object}/parameter/value")}" \
    --onchange "${onchange_cmd}"
--- a/cdist/conf/type/__motd/gencode-remote
+++ b/cdist/conf/type/__motd/gencode-remote
@ -22,13 +22,6 @@
 os=$(cat "$__global/explorer/os")
 case "$os" in
    debian|ubuntu|devuan)
        # Debian and Ubuntu need to be updated,
        # as seen in /etc/init.d/bootlogs
        echo "uname -snrvm > /var/run/motd"
        echo "cat /etc/motd.tail >> /var/run/motd"
    ;;
    freebsd)
        # FreeBSD only updates /etc/motd on boot,
 	# as seen in /etc/rc.d/motd
--- a/cdist/conf/type/__motd/manifest
+++ b/cdist/conf/type/__motd/manifest
@ -33,10 +33,6 @@ os=$(cat "$__global/explorer/os")
 case "$os" in
   debian|ubuntu|devuan)
      # Debian-based systems use /etc/motd.tail as a template
      destination=/etc/motd.tail
   ;;
   freebsd)
      # FreeBSD uses motd.template to prepend system information on boot
      # (this actually only applies starting with version 13,
--- a/cdist/conf/type/__openldap_server/man.rst
+++ b/cdist/conf/type/__openldap_server/man.rst
@ -31,8 +31,8 @@ manager-password-hash
    Generate e.g. with: `slappasswd -s weneedgoodsecurity`.
    See `slappasswd(8C)`, `slapd.conf(5)`.
    TODO: implement this: http://blog.adamsbros.org/2015/06/09/openldap-ssha-salted-hashes-by-hand/
-      to derive from the manager-password parameter and ensure idempotency (care with salts).
+    to derive from the manager-password parameter and ensure idempotency (care with salts).
-      At that point, manager-password-hash should be deprecated and ignored.
+    At that point, manager-password-hash should be deprecated and ignored.
 serverid
    The server for the directory.
@ -103,8 +103,8 @@ syncrepl-host
    Set once per host that will replicate the directory.
 module
-    LDAP module to load. See `slapd.conf(5)`.
+    LDAP module to load. See `slapd.conf(5)`. Some dependencies might have to
-    Default value is OS-dependent, see manifest.
+    be installed beforehand. Default value is OS-dependent, see manifest.
 schema
    Name of LDAP schema to load. Must be the name without extension of a
--- a/cdist/conf/type/__openldap_server/manifest
+++ b/cdist/conf/type/__openldap_server/manifest
@ -25,6 +25,7 @@ case "${os}" in
        SLAPD_DATA_DIR="/var/db/openldap-data"
        SLAPD_RUN_DIR="/var/run/openldap"
        SLAPD_MODULE_PATH="/usr/local/libexec/openldap"
        SLAPD_MODULE_TYPE="la"
        if [ -z "${slapd_modules}" ]; then
            # It looks like ppolicy and syncprov must be compiled
            slapd_modules="back_mdb back_monitor"
@ -43,13 +44,34 @@ case "${os}" in
        SLAPD_DATA_DIR="/var/lib/ldap"
        SLAPD_RUN_DIR="/var/run/slapd"
        SLAPD_MODULE_PATH="/usr/lib/ldap"
        SLAPD_MODULE_TYPE="la"
        if [ -z "${slapd_modules}" ]; then
            slapd_modules="back_mdb ppolicy syncprov back_monitor"
        fi
        CONF_OWNER="openldap"
        CONF_GROUP="openldap"
        if [ -z "${tls_cipher_suite}" ]; then
            tls_cipher_suite="NORMAL"
        fi
        ;;
    alpine)
        PKGS="openldap openldap-clients"
        ETC="/etc"
        SLAPD_DIR="/etc/openldap"
        SLAPD_DATA_DIR="/var/lib/openldap"
        SLAPD_RUN_DIR="/var/run/openldap"
        SLAPD_MODULE_PATH="/usr/lib/openldap"
        SLAPD_MODULE_TYPE="so"
        if [ -z "${slapd_modules}" ]; then
            slapd_modules="back_mdb ppolicy syncprov back_monitor"
            PKGS="$PKGS openldap-back-mdb openldap-back-monitor openldap-overlay-all"
        fi
        CONF_OWNER="ldap"
        CONF_GROUP="$SLAPD_USER"
        if [ -z "${tls_cipher_suite}" ]; then
            tls_cipher_suite="DEFAULT"
        fi
        ;;
    *)
        echo "Don't know the openldap defaults for: $os" >&2
        exit 1
@ -156,6 +178,12 @@ case "${os}" in
               --line "SLAPD_SERVICES=\"${slapd_urls}\"" \
               --state present
        ;;
    alpine)
        require="__package/${PKG_MAIN}" __line add_slapd_services \
               --file ${ETC}/conf.d/slapd \
               --line "command_args=\"-h '${slapd_urls}'\"" \
               --state present
        ;;
    *)
        # Nothing to do here, move on.
        ;;
@ -170,20 +198,22 @@ if [ -z "${_skip_letsencrypt_cert}" ]; then
    fi
    # shellcheck disable=SC2086
-    __letsencrypt_cert "${name}" --admin-email "${admin_email}" \
+    __directory ${SLAPD_DIR}/sasl2
-        --renew-hook "cp ${ETC}/letsencrypt/live/${name}/*.pem ${SLAPD_DIR}/sasl2 && chown -R openldap:openldap ${SLAPD_DIR}/sasl2 && service slapd restart" \
+    require="__directory/${SLAPD_DIR}/sasl2" __letsencrypt_cert "${name}" \
-        --automatic-renewal ${staging}
+        --admin-email "${admin_email}" \
        --renew-hook "cp ${ETC}/letsencrypt/live/${name}/*.pem ${SLAPD_DIR}/sasl2 && chown -R ${CONF_OWNER}:${CONF_GROUP} ${SLAPD_DIR}/sasl2 && service slapd restart" \
        --automatic-renewal "${staging}"
 fi
 require="__package/${PKG_MAIN}" __directory ${SLAPD_DIR}/slapd.d --state absent
 if [ -z "${_skip_letsencrypt_cert}" ]; then
    require="__package/${PKG_MAIN} __letsencrypt_cert/${name}" \
-           __file ${SLAPD_DIR}/slapd.conf --owner ${CONF_OWNER} --group ${CONF_GROUP} --mode 644 \
+           __file "${SLAPD_DIR}/slapd.conf" --owner "${CONF_OWNER}" --group "${CONF_GROUP}" --mode 644 \
           --source "${ldapconf}"
 else
    require="__package/${PKG_MAIN}" \
-           __file ${SLAPD_DIR}/slapd.conf --owner ${CONF_OWNER} --group ${CONF_GROUP} --mode 644 \
+           __file "${SLAPD_DIR}/slapd.conf" --owner "${CONF_OWNER}" --group "${CONF_GROUP}" --mode 644 \
           --source "${ldapconf}"
 fi
@ -210,7 +240,7 @@ done
 # Add specified modules
 echo "modulepath ${SLAPD_MODULE_PATH}" >> "${ldapconf}"
 for module in ${slapd_modules}; do
-    echo "moduleload ${module}.la" >> "${ldapconf}"
+    echo "moduleload ${module}.${SLAPD_MODULE_TYPE}" >> "${ldapconf}"
 done
 # Rest of the config
--- a/cdist/conf/type/__package_apt/gencode-remote
+++ b/cdist/conf/type/__package_apt/gencode-remote
@ -64,7 +64,7 @@ esac
 # Hint if we need to avoid questions at some point:
 # DEBIAN_PRIORITY=critical can reduce the number of questions
-aptget="DEBIAN_FRONTEND=noninteractive apt-get --quiet --yes --no-install-recommends -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\""
+aptget="DEBIAN_FRONTEND=noninteractive apt-get --quiet --yes -o APT::Install-Recommends=0 -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\""
 if [ "$state_is" = "$state_should" ]; then
    if [ -z "$version" ] || [ "$version" = "$version_is" ]; then
--- a/cdist/conf/type/__package_opkg/explorer/pkg_status
+++ b/cdist/conf/type/__package_opkg/explorer/pkg_status
@ -1,7 +1,8 @@
-#!/bin/sh
+#!/bin/sh -e
 #
 # 2011 Nico Schottelius (nico-cdist at schottelius.org)
 # 2012 Giel van Schijndel (giel plus cdist at mortis dot eu)
 # 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -19,21 +20,78 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
-# Retrieve the status of a package - parsed opkg output
+# Retrieve the status of a package - parses opkg output
 #
-if [ -f "$__object/parameter/name" ]; then
+readonly __type_path=${__object%%${__object_id}*}
-   name="$(cat "$__object/parameter/name")"
+test -d "${__type_path}" || { echo 'Cannot determine __type_path' >&2; exit 1; }
 readonly LOCKFILE="${__type_path:?}/.cdist_opkg.lock"
 if command -v flock >/dev/null 2>&1
 then
 	# use flock (if available) on FD 9
 	_lock() {
 		exec 9<>"${LOCKFILE:?}"
 		flock -x 9
 		echo $$>&9
 	}
 	_unlock() {
 		:>"${LOCKFILE:?}"
 		flock -u 9
 		exec 9<&-
 	}
 else
-   name="$__object_id"
+	# fallback to mkdir if flock is missing
 	_lock() {
 		until mkdir "${LOCKFILE:?}.dir" 2>/dev/null
 		do
 			while test -d "${LOCKFILE}.dir"
 			do
 				# DEBUG:
 				# printf 'Locked by PID: %u\n' "$(cat "${LOCKFILE}.dir/pid")"
 				sleep 1
 			done
 		done
 		echo $$ >"${LOCKFILE:?}.dir/pid"
 	}
 	_unlock() {
 		test -d "${LOCKFILE}.dir" || return 0
 		if test -s "${LOCKFILE}.dir/pid"
 		then
 			test "$(cat "${LOCKFILE}.dir/pid")" = $$ || return 1
 			rm "${LOCKFILE:?}.dir/pid"
 		fi
 		rmdir "${LOCKFILE:?}.dir"
 	}
 fi
-# Except dpkg failing, if package is not known / installed
+
-if opkg status "$name" 2>/dev/null | grep -q "^Status: install user installed$"; then
+if test -f "${__object}/parameter/name"
-   echo "present"
+then
-   exit 0
+	pkg_name=$(cat "${__object}/parameter/name")
-elif [ "$(opkg info "$name" 2> /dev/null | wc -l)" -eq 0 ]; then
+else
-   echo "absent notpresent"
+	pkg_name=$__object_id
-   exit 0
+fi
 # NOTE: We need to lock parallel execution of type explorers and code-remote
 # because opkg will try to acquire the OPKG lock (usually /var/lock/opkg.lock)
 # using lockf(2) for every operation.
 # It will not wait for the lock but terminate with an error.
 # This leads to incorrect 'absent notpresent' statuses when parallel execution
 # is enabled.
 trap _unlock EXIT
 _lock
 # Except opkg failing, if package is not known / installed
 if opkg status "${pkg_name}" 2>/dev/null \
 	| grep -q -e '^Status: [^ ][^ ]* [^ ][^ ]* installed$'
 then
 	echo 'present'
 elif opkg info "${pkg_name}" 2>/dev/null | grep -q .
 then
 	echo 'absent notpresent'
 else
 	echo 'absent'
 fi
 echo "absent"
--- a/cdist/conf/type/__package_opkg/gencode-remote
+++ b/cdist/conf/type/__package_opkg/gencode-remote
@ -2,6 +2,7 @@
 #
 # 2011,2013 Nico Schottelius (nico-cdist at schottelius.org)
 # 2012 Giel van Schijndel (giel plus cdist at mortis dot eu)
 # 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -19,41 +20,50 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
-# Manage packages on OpenWRT and co.
+# Manage packages on OpenWrt, optware, and co.
 #
-if [ -f "$__object/parameter/name" ]; then
+if test -f "${__object}/parameter/name"
-   name="$(cat "$__object/parameter/name")"
+then
 	name=$(cat "${__object}/parameter/name")
 else
-   name="$__object_id"
+	name=$__object_id
 fi
-state_should="$(cat "$__object/parameter/state")"
+state_should=$(cat "${__object}/parameter/state")
 state_is=$(cat "${__object}/explorer/pkg_status")
-state_is="$(cat "$__object/explorer/pkg_status")"
+case $state_is
-case "$state_is" in
+in
-    absent*)
+	(absent*)
-       present="$(echo "$state_is" | cut -d ' ' -f 2)"
+		presence=$(echo "${state_is}" | cut -d ' ' -f 2)
-       state_is="absent"
+		state_is='absent'
-    ;;
+		;;
 esac
-[ "$state_is" = "$state_should" ] && exit 0
+if test "${state_is}" = "${state_should}"
 then
 	exit 0
 fi
-case "$state_should" in
+
-    present)
+case $state_should
-        if [ "$present" = "notpresent" ]; then
+in
-            echo "opkg --verbosity=0 update"
+	(present)
-        fi
+		if test "${presence}" = 'notpresent'
-        echo "opkg --verbosity=0 install '$name'"
+		then
-        echo "installed" >> "$__messages_out"
+			echo 'opkg --verbosity=0 update'
-    ;;
+		fi
-    absent)
+
-        echo "opkg --verbosity=0 remove '$name'"
+		printf "opkg --verbosity=0 install '%s'\n" "${name}"
-        echo "removed" >> "$__messages_out"
+		echo 'installed' >>"${__messages_out}"
-    ;;
+		;;
-    *)
+	(absent)
-        echo "Unknown state: ${state_should}" >&2
+		printf "opkg --verbosity=0 remove '%s'" "${name}"
-        exit 1
+		echo 'removed' >>"${__messages_out}"
-    ;;
+		;;
 	(*)
 		printf 'Unknown state: %s\n' "${state_should}" >&2
 		exit 1
 		;;
 esac
--- a/cdist/conf/type/__package_pip/explorer/pip
+++ b/cdist/conf/type/__package_pip/explorer/pip
@ -0,0 +1,10 @@
 #!/bin/sh -e
 for bin in pip3 pip
 do
    if check="$( command -v "$bin" )"
    then
        echo "$check"
        break
    fi
 done
--- a/cdist/conf/type/__package_pip/explorer/state
+++ b/cdist/conf/type/__package_pip/explorer/state
@ -32,7 +32,7 @@ pipparam="$__object/parameter/pip"
 if [ -f "$pipparam" ]; then
    pip=$(cat "$pipparam")
 else
-    pip="pip"
+    pip="$( "$__type_explorer/pip" )"
 fi
 # If there is no pip, it may get created from somebody else.
--- a/cdist/conf/type/__package_pip/gencode-remote
+++ b/cdist/conf/type/__package_pip/gencode-remote
@ -38,7 +38,12 @@ pipparam="$__object/parameter/pip"
 if [ -f "$pipparam" ]; then
    pip=$(cat "$pipparam")
 else
-    pip="pip"
+    pip="$( cat "$__object/explorer/pip" )"
    if [ -z "$pip" ]
    then
        echo 'pip not found in path' >&2
        exit 1
    fi
 fi
 runasparam="$__object/parameter/runas"
@ -55,7 +60,7 @@ case "$state_should" in
        then
            echo "su -c '$pip install -q $name' $runas"
        else
-            echo $pip install -q "$name"
+            echo "$pip" install -q "$name"
        fi
        echo "installed" >> "$__messages_out"
    ;;
@ -64,7 +69,7 @@ case "$state_should" in
        then
            echo "su -c '$pip uninstall -q -y $name' $runas"
        else
-            echo $pip uninstall -q -y "$name"
+            echo "$pip" uninstall -q -y "$name"
        fi
        echo "removed" >> "$__messages_out"
    ;;
--- a/cdist/conf/type/__package_pkgng_freebsd/explorer/pkg_bootstrapped
+++ b/cdist/conf/type/__package_pkgng_freebsd/explorer/pkg_bootstrapped
@ -0,0 +1,4 @@
 #!/bin/sh -e
 if pkg -N >/dev/null 2>&1; then
 	echo "YES"
 fi
--- a/cdist/conf/type/__package_pkgng_freebsd/explorer/pkg_version
+++ b/cdist/conf/type/__package_pkgng_freebsd/explorer/pkg_version
@ -21,6 +21,11 @@
 # Retrieve the status of a package - parsed dpkg output
 #
 if ! pkg -N >/dev/null 2>&1; then
   # Nothing to do if pkg is not bootstrapped
   exit
 fi
 if [ -f "$__object/parameter/name" ]; then
   name="$(cat "$__object/parameter/name")"
 else
--- a/cdist/conf/type/__package_pkgng_freebsd/gencode-remote
+++ b/cdist/conf/type/__package_pkgng_freebsd/gencode-remote
@ -43,6 +43,7 @@ fi
 repo="$(cat "$__object/parameter/repo")"
 state="$(cat "$__object/parameter/state")"
 curr_version="$(cat "$__object/explorer/pkg_version")"
 pkg_bootstrapped="$(cat "$__object/explorer/pkg_bootstrapped")"
 add_cmd="pkg install -y"
 rm_cmd="pkg delete -y"
 upg_cmd="pkg upgrade -y"
@ -73,6 +74,10 @@ execcmd(){
         ;;
   esac
   if [ -z "${pkg_bootstrapped}" ]; then
       echo "pkg bootstrap -y >/dev/null 2>&1"
   fi
   echo "$_cmd >/dev/null 2>&1"   # Silence the output of the command
   echo "status=\$?"
   echo "if [ \"\$status\" -ne \"0\" ]; then"
--- a/cdist/conf/type/__pf_apply/deprecated
+++ b/cdist/conf/type/__pf_apply/deprecated
@ -1 +0,0 @@
 Consider moving to __pf_apply_anchor. Get in touch if you need __pf_apply.
--- a/cdist/conf/type/__pf_apply/explorer/rcvar
+++ b/cdist/conf/type/__pf_apply/explorer/rcvar
@ -1,36 +0,0 @@
 #!/bin/sh
 #
 # 2012 Jake Guffey (jake.guffey at eprotex.com)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
 # Get the location of the pf ruleset on the target host.
 #
 # Debug
 #exec >&2
 #set -x
 # Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
 RC="/etc/rc.conf"
 PFCONF="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
 echo "${PFCONF:-"/etc/pf.conf"}"
 # Debug
 #set +x
--- a/cdist/conf/type/__pf_apply/gencode-remote
+++ b/cdist/conf/type/__pf_apply/gencode-remote
@ -1,51 +0,0 @@
 #!/bin/sh -e
 #
 # 2012 Jake Guffey (jake.guffey at eprotex.com)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
 # Apply pf(4) ruleset on *BSD
 #
 # Debug
 #exec >&2
 #set -x
 rcvar=$(cat "$__object/explorer/rcvar")
 cat <<EOF
 if [ -f "${rcvar}.old" ]; then # rcvar.old exists, we must need to disable pf
   # Disable pf
   # If it already is disabled, pfctl -d returns 1, go on with life
   pfctl -d || true
   # Cleanup
   rm -f "${rcvar}.old"
 elif [ -f "${rcvar}.new" ]; then # rcvar.new exists, we must need to apply it
   # Ensure that pf is enabled in the first place
   # If it already is enabled, pfctl -e returns 1, go on with life
   mv "${rcvar}.new" "${rcvar}"
   pfctl -e || true
   pfctl -f "${rcvar}"
   if [ "\$?" -ne "0" ]; then # failed to configure new ruleset
      echo "Failed to configure the new ruleset on ${__target_host}!" >&2
   fi
 fi
 EOF
 # Debug
 #set +x
--- a/cdist/conf/type/__pf_apply/man.rst
+++ b/cdist/conf/type/__pf_apply/man.rst
@ -1,55 +0,0 @@
 cdist-type__pf_apply(7)
 =======================
 NAME
 ----
 cdist-type__pf_apply - Apply pf(4) ruleset on \*BSD
 DESCRIPTION
 -----------
 This type is used on \*BSD systems to manage the pf firewall's active ruleset.
 REQUIRED PARAMETERS
 -------------------
 NONE
 OPTIONAL PARAMETERS
 -------------------
 NONE
 EXAMPLES
 --------
 .. code-block:: sh
    # Modify the ruleset on $__target_host:
    __pf_ruleset --state present --source /my/pf/ruleset.conf
    require="__pf_ruleset" \
       __pf_apply
    # Remove the ruleset on $__target_host (implies disabling pf(4):
    __pf_ruleset --state absent
    require="__pf_ruleset" \
       __pf_apply
 SEE ALSO
 --------
 :strong:`pf`\ (4), :strong:`cdist-type__pf_ruleset`\ (7)
 AUTHORS
 -------
 Jake Guffey <jake.guffey--@--eprotex.com>
 COPYING
 -------
 Copyright \(C) 2012 Jake Guffey. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__postfix_master/gencode-remote
+++ b/cdist/conf/type/__postfix_master/gencode-remote
@ -67,7 +67,7 @@ case "$state_should" in
         remove_entry
      fi
      cat << DONE
-cat >> "$config" << ${__type##*/}_DONE
+cat >> "$config" << "${__type##*/}_DONE"
 $(cat "$entry")
 ${__type##*/}_DONE
 DONE
--- a/cdist/conf/type/__postfix_master/parameter/optional
+++ b/cdist/conf/type/__postfix_master/parameter/optional
@ -4,6 +4,5 @@ unpriv
 chroot
 wakeup
 maxproc
 option
 comment
 state
--- a/cdist/conf/type/__postfix_master/parameter/optional_multiple
+++ b/cdist/conf/type/__postfix_master/parameter/optional_multiple
@ -0,0 +1 @@
 option
--- a/cdist/conf/type/__pyvenv/gencode-remote
+++ b/cdist/conf/type/__pyvenv/gencode-remote
@ -1,6 +1,7 @@
 #!/bin/sh -e
 #
 # 2016 Darko Poljak (darko.poljak at gmail.com)
 # 2020 Nico Schotetlius (nico.schottelius at ungleich.ch)
 #
 # This file is part of cdist.
 #
@ -45,7 +46,7 @@ then
    pyvenv=$(cat "$pyvenvparam")
 else
    case "$os" in
-        alpine) # no pyvenv on alpine - I assume others will follow
+        alpine|ubuntu) # no pyvenv on alpine - I assume others will follow
            pyvenv="python3 -m venv"
            ;;
        *)
--- a/cdist/conf/type/__pyvenv/man.rst
+++ b/cdist/conf/type/__pyvenv/man.rst
@ -9,7 +9,7 @@ cdist-type__pyvenv - Create or remove python virtual environment
 DESCRIPTION
 -----------
 This cdist type allows you to create or remove python virtual
-environment using pyvenv.
+environment using pyvenv on python3 -m venv.
 It assumes pyvenv is already installed. Concrete package depends
 on concrete OS and/or OS version/distribution.
 Ensure this for e.g. in your init manifest as in the following example:
@ -57,7 +57,7 @@ EXAMPLES
    __pyvenv /home/services/djangoenv
-    # Use specific pyvenv 
+    # Use specific pyvenv
    __pyvenv /home/foo/fooenv --pyvenv /usr/local/bin/pyvenv-3.4
    # Create python virtualenv for user foo.
@ -76,4 +76,3 @@ COPYING
 -------
 Copyright \(C) 2016 Darko Poljak. Free use of this software is
 granted under the terms of the GNU General Public License v3 or later (GPLv3+).
--- a/cdist/conf/type/__ssh_authorized_key/man.rst
+++ b/cdist/conf/type/__ssh_authorized_key/man.rst
@ -15,25 +15,27 @@ This type was created to be used by the __ssh_authorized_keys type.
 REQUIRED PARAMETERS
 -------------------
 file
-   the authorized_keys file to which the given key should be added
+   The authorized_keys file where the given key should be managed.
 key
-   a string containing the ssh keytype, base 64 encoded key and optional
+   The ssh key which shall be managed in this authorized_keys file.
-   trailing comment which shall be added to the given authorized_keys file.
+   Must be a string containing the ssh keytype, base 64 encoded key and
   optional trailing comment which shall be added to the given
   authorized_keys file.
 OPTIONAL PARAMETERS
 -------------------
 comment
-   explicit comment instead of the one which may be trailing the given key
+   Use this comment instead of the one which may be trailing in the key.
 option
-   an option to set for this authorized_key entry.
+   An option to set for this authorized_key entry.
   Can be specified multiple times.
   See sshd(8) for available options.
 state
-   if the given keys should be 'present' or 'absent', defaults to 'present'.
+   If the managed key should be 'present' or 'absent', defaults to 'present'.
 MESSAGES
@ -64,7 +66,7 @@ EXAMPLES
 SEE ALSO
 --------
-:strong:`cdist__ssh_authorized_keys`\ (7), :strong:`sshd`\ (8)
+:strong:`cdist-type__ssh_authorized_keys`\ (7), :strong:`sshd`\ (8)
 AUTHORS
--- a/cdist/conf/type/__ssh_authorized_keys/explorer/keys
+++ b/cdist/conf/type/__ssh_authorized_keys/explorer/keys
@ -0,0 +1,9 @@
 #!/bin/sh -e
 # shellcheck disable=SC1090
 file="$( . "$__type_explorer/file" )"
 if [ -f "$file" ]
 then
    cat "$file"
 fi
--- a/cdist/conf/type/__ssh_authorized_keys/man.rst
+++ b/cdist/conf/type/__ssh_authorized_keys/man.rst
@ -20,42 +20,48 @@ then left to the user to ensure that the file exists and that ownership and
 permissions work with ssh.
-REQUIRED PARAMETERS
+REQUIRED MULTIPLE PARAMETERS
-------------------
+----------------------------
 key
-   the ssh key which shall be added to this authorized_keys file.
+   An ssh key which shall be managed in this authorized_keys file.
-   Must be a string and can be specified multiple times.
+   Must be a string containing the ssh keytype, base 64 encoded key and
   optional trailing comment which shall be added to the given
   authorized_keys file.
   Can be specified multiple times.
 OPTIONAL PARAMETERS
 -------------------
 comment
-   explicit comment instead of the one which may be trailing the given key
+   Use this comment instead of the one which may be trailing in each key.
 file
-   an alternative destination file, defaults to ~$owner/.ssh/authorized_keys
+   An alternative destination file, defaults to ~$owner/.ssh/authorized_keys.
 option
-   an option to set for all created authorized_key entries.
+   An option to set for all authorized_key entries in the key parameter.
   Can be specified multiple times.
   See sshd(8) for available options.
 owner
-   the user owning the authorized_keys file, defaults to object_id.
+   The user owning the authorized_keys file, defaults to object_id.
 state
-   if the given keys should be 'present' or 'absent', defaults to 'present'.
+   If the given keys should be 'present' or 'absent', defaults to 'present'.
 BOOLEAN PARAMETERS
 ------------------
 noparent
-   don't create or change ownership and permissions of the directory containing
+   Don't create or change ownership and permissions of the directory containing
-   the authorized_keys file
+   the authorized_keys file.
 nofile
-   don't manage existence, ownership and permissions of the the authorized_keys
+   Don't manage existence, ownership and permissions of the the authorized_keys
-   file
+   file.
 remove-unknown
   Remove undefined keys.
 EXAMPLES
@ -67,6 +73,12 @@ EXAMPLES
    __ssh_authorized_keys root \
       --key "$(cat ~/.ssh/id_rsa.pub)"
    # same as above, but make sure your key is only key in
    # root's authorized_keys file
    __ssh_authorized_keys root \
       --key "$(cat ~/.ssh/id_rsa.pub)" \
       --remove-unknown
    # allow key to login as user-name
    __ssh_authorized_keys user-name \
       --key "ssh-rsa AXYZAAB3NzaC1yc2..."
--- a/cdist/conf/type/__ssh_authorized_keys/manifest
+++ b/cdist/conf/type/__ssh_authorized_keys/manifest
@ -55,8 +55,12 @@ _cksum() {
   echo "$1" | cksum | cut -d' ' -f 1
 }
 _type_and_key() {
   echo "$1" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }'
 }
 while read -r key; do
-   type_and_key="$(echo "$key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
+   type_and_key="$( _type_and_key "$key" )"
   object_id="$(_cksum "$file")-$(_cksum "$type_and_key")"
   set -- "$object_id"
   set -- "$@" --file "$file"
@ -72,3 +76,24 @@ while read -r key; do
   # Ensure __ssh_authorized_key does not read stdin
   __ssh_authorized_key "$@" < /dev/null
 done < "$__object/parameter/key"
 if [ -f "$__object/parameter/remove-unknown" ] &&
    [ -s "$__object/explorer/keys" ]
 then
    while read -r key
    do
        type_and_key="$( _type_and_key "$key" )"
        if grep -Fq "$type_and_key" "$__object/parameter/key"
        then
            continue
        fi
        __ssh_authorized_key "remove-$( _cksum "$file$key" )" \
            --file "$file" \
            --key "$key" \
            --state absent \
                < /dev/null
    done \
        < "$__object/explorer/keys"
 fi
--- a/cdist/conf/type/__ssh_authorized_keys/parameter/boolean
+++ b/cdist/conf/type/__ssh_authorized_keys/parameter/boolean
@ -1,2 +1,3 @@
 noparent
 nofile
 remove-unknown
--- a/cdist/conf/type/__ssh_authorized_keys/parameter/optional
+++ b/cdist/conf/type/__ssh_authorized_keys/parameter/optional
@ -1,5 +1,4 @@
 comment
 file
 option
 owner
 state
--- a/cdist/conf/type/__ssh_authorized_keys/parameter/optional_multiple
+++ b/cdist/conf/type/__ssh_authorized_keys/parameter/optional_multiple
@ -0,0 +1 @@
 option
--- a/cdist/conf/type/__sysctl/explorer/value
+++ b/cdist/conf/type/__sysctl/explorer/value
@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -e
 #
 # 2014 Steven Armstrong (steven-cdist at armstrong.cc)
 #
@ -18,5 +18,10 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 if test "$(uname -s)" = NetBSD
 then
 	PATH=$(getconf PATH)
 fi
 # get the current runtime value
-sysctl -n "$__object_id" || true
+sysctl -n "${__object_id}" || true
--- a/cdist/conf/type/__sysctl/gencode-remote
+++ b/cdist/conf/type/__sysctl/gencode-remote
@ -44,6 +44,8 @@ case "$os" in
      flag='-w'
      ;;
   netbsd)
      # shellcheck disable=SC2016
      echo 'PATH=$(getconf PATH)'
      flag='-w'
      ;;
   freebsd|openbsd)
--- a/cdist/conf/type/__sysctl/man.rst
+++ b/cdist/conf/type/__sysctl/man.rst
@ -26,6 +26,13 @@ EXAMPLES
    __sysctl net.ipv4.ip_forward --value 1
    # On some operating systems, e.g. NetBSD, to prevent an error if the
    # MIB style name does not exist (e.g. optional kernel components),
    # name and value can be separated by `?=`. The same effect can be achieved
    # in cdist by appending a `?` to the key:
    __sysctl ddb.onpanic? --value -1
 AUTHORS
 -------
--- a/cdist/conf/type/__systemd_service/man.rst
+++ b/cdist/conf/type/__systemd_service/man.rst
@ -1,9 +1,10 @@
-cdist-type__systemd-service(7)
+cdist-type__systemd_service(7)
 ==============================
 NAME
 ----
-cdist-type__systemd-service - Controls a systemd service state
+cdist-type__systemd_service - Controls a systemd service state
 DESCRIPTION
 -----------
@ -14,11 +15,12 @@ service after configuration applied or shutdown one service.
 The activation or deactivation is out of scope. Look for the
 :strong:`cdist-type__systemd_util`\ (7) type instead.
 REQUIRED PARAMETERS
 -------------------
 None.
 OPTIONAL PARAMETERS
 -------------------
@ -31,12 +33,12 @@ state
    running
        Service should run (default)
-    stoppend
+    stopped
-        Service should stopped
+        Service should be stopped
 action
    Executes an action on on the service. It will only execute it if the
-    service keeps the state **running**. There are following actions, where:
+    service keeps the state ``running``. There are following actions, where:
    reload
        Reloads the service
@ -48,11 +50,12 @@ BOOLEAN PARAMETERS
 ------------------
 if-required
-    Only execute the action if minimum one required type outputs a message to
+    Only execute the action if at minimum one required type outputs a message
-    **$__messages_out**. Through this, the action should only executed if a
+    to ``$__messages_out``. Through this, the action should only executed if a
    dependency did something. The action will not executed if no dependencies
    given.
 MESSAGES
 --------
@ -68,12 +71,14 @@ restart
 reload
    Reloaded the service
 ABORTS
 ------
 Aborts in following cases:
 systemd or the service does not exist
 EXAMPLES
 --------
 .. code-block:: sh
@ -95,13 +100,15 @@ EXAMPLES
    # reload the service for a modified configuration file
    # only reloads the service if the file really changed
-    require="__config_file/etc/foo.conf" __systemd_service foo \
+    require="__file/etc/foo.conf" __systemd_service foo \
        --action reload --if-required
 AUTHORS
 -------
 Matthias Stecher <matthiasstecher at gmx.de>
 COPYRIGHT
 ---------
 Copyright \(C) 2020 Matthias Stecher. You can redistribute it
--- a/cdist/conf/type/__timezone/gencode-remote
+++ b/cdist/conf/type/__timezone/gencode-remote
@ -22,7 +22,7 @@
 # This type allows to configure the desired localtime timezone.
 timezone_is=$(cat "$__object/explorer/timezone_is")
-timezone_should="$__object_id"
+timezone_should=$(cat "$__object/parameter/tz")
 os=$(cat "$__global/explorer/os")
 if [ "$timezone_is" = "$timezone_should" ]; then
--- a/cdist/conf/type/__timezone/man.rst
+++ b/cdist/conf/type/__timezone/man.rst
@ -14,7 +14,8 @@ This type creates a symlink (/etc/localtime) to the selected timezone
 REQUIRED PARAMETERS
 -------------------
-None.
+tz
    The name of timezone to set.
 OPTIONAL PARAMETERS
@ -27,19 +28,24 @@ EXAMPLES
 .. code-block:: sh
-    #Set up Europe/Andorra as our timezone.
+    # Set up Europe/Andorra as our timezone.
-    __timezone Europe/Andorra
+    __timezone --tz Europe/Andorra
-    #Set up US/Central as our timezone.
+    # Set up US/Central as our timezone.
-    __timezone US/Central
+    __timezone --tz US/Central
 AUTHORS
 -------
-Ramon Salvadó <rsalvado--@--gnuine--dot--com>
+| Steven Armstrong <steven-cdist--@--armstrong.cc>
 | Nico Schottelius <nico-cdist--@--schottelius.org>
 | Ramon Salvadó <rsalvado--@--gnuine--dot--com>
 | Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
 COPYING
 -------
-Free use of this software is
+Copyright \(C) 2012-2020 the `AUTHORS`_. You can redistribute it
-granted under the terms of the GNU General Public License version 3 (GPLv3).
+and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__timezone/manifest
+++ b/cdist/conf/type/__timezone/manifest
@ -22,7 +22,7 @@
 #
 # This type allows to configure the desired localtime timezone.
-timezone="$__object_id"
+timezone=$(cat "$__object/parameter/tz")
 os=$(cat "$__global/explorer/os")
 case "$os" in
--- a/cdist/conf/type/__timezone/parameter/required
+++ b/cdist/conf/type/__timezone/parameter/required
@ -0,0 +1 @@
 tz
--- a/cdist/conf/type/__timezone/singleton
+++ b/cdist/conf/type/__timezone/singleton
--- a/cdist/conf/type/__unpack/explorer/state
+++ b/cdist/conf/type/__unpack/explorer/state
@ -0,0 +1,37 @@
 #!/bin/sh -e
 src="/$__object_id"
 if [ -f "$__object/parameter/sum-file" ]
 then
    src_sum_was_file="$( cat "$__object/parameter/sum-file" )"
 else
    src_sum_was_file="$src.cdist__unpack_sum"
 fi
 if [ ! -f "$src" ]
 then
    if [ -n "$__cdist_dry_run" ]
    then
        echo 'mismatch'
    else
        echo 'missing'
    fi
 else
    if [ ! -f "$src_sum_was_file" ]
    then
        echo 'mismatch'
        exit 0
    fi
    src_sum_was="$( cat "$src_sum_was_file" )"
    src_sum_is="$( cksum "$src" | awk '{ print $1$2 }' )"
    if [ "$src_sum_was" = "$src_sum_is" ]
    then
        echo 'match'
    else
        echo 'mismatch'
    fi
 fi
--- a/cdist/conf/type/__unpack/gencode-remote
+++ b/cdist/conf/type/__unpack/gencode-remote
@ -0,0 +1,87 @@
 #!/bin/sh -e
 if grep -Eq '^(missing|match)$' "$__object/explorer/state"
 then
    exit 0
 fi
 os="$( cat "$__global/explorer/os" )"
 src="/$__object_id"
 dst="$( sed 's/\/$//' "$__object/parameter/destination" )"
 cmd=''
 case "$src" in
    *.tar|*.tgz|*.tar.*)
        cmd="mkdir -p '$dst' && tar --directory='$dst' --extract --file='$src'"
        if [ -f "$__object/parameter/tar-strip" ]
        then
            tar_strip="$( cat "$__object/parameter/tar-strip" )"
            cmd="$cmd --strip-components=$tar_strip"
        fi
        if [ -f "$__object/parameter/tar-extra-args" ]
        then
            tar_extra_args="$( cat "$__object/parameter/tar-extra-args" )"
            cmd="$cmd $tar_extra_args"
        fi
    ;;
    *.7z)
        case "$os" in
            centos|fedora|redhat)
                cmd='7za'
            ;;
            *)
                cmd='7zr'
            ;;
        esac
        cmd="$cmd e -aoa -o'$dst' '$src'"
    ;;
    *.bz2)
        cmd="bunzip2 --stdout '$src' > '$dst'"
    ;;
    *.gz)
        cmd="gunzip --stdout '$src' > '$dst'"
    ;;
    *.lzma|*.xz)
        cmd="xz --uncompress --stdout '$src' > '$dst'"
    ;;
    *.rar)
        cmd="unrar x -o+ '$src' '$dst/'"
    ;;
    *.zip)
        cmd="unzip -o '$src' -d '$dst'"
    ;;
 esac
 if [ -f "$__object/parameter/backup-destination" ]
 then
    echo "if [ -e '$dst' ]; then mv '$dst' '$dst.cdist__unpack_backup_$( date +%s )'; fi"
 fi
 echo "$cmd"
 if [ -f "$__object/parameter/sum-file" ]
 then
    sum_file="$( cat "$__object/parameter/sum-file" )"
 else
    sum_file="$src.cdist__unpack_sum"
 fi
 echo "cksum '$src' | awk '{ print \$1\$2 }' > '$sum_file'"
 if [ ! -f "$__object/parameter/preserve-archive" ]
 then
    echo "rm -f '$src'"
 fi
 if [ -f "$__object/parameter/onchange" ]
 then
    cat "$__object/parameter/onchange"
 fi
--- a/cdist/conf/type/__unpack/man.rst
+++ b/cdist/conf/type/__unpack/man.rst
@ -0,0 +1,93 @@
 cdist-type__unpack(7)
 =====================
 NAME
 ----
 cdist-type__unpack - Unpack archives
 DESCRIPTION
 -----------
 Unpack ``.tar``, ``.tgz``, ``.tar.*``, ``.7z``, ``.bz2``, ``.gz``,
 ``.lzma``, ``.xz``, ``.rar`` and ``.zip`` archives. Archive type is
 detected by extension.
 To achieve idempotency, checksum file will be created in target. See
 ``--sum-file`` parameter for details.
 REQUIRED PARAMETERS
 -------------------
 destination
   Depending on archive format file or directory to where archive
   contents will be written.
 OPTIONAL PARAMETERS
 -------------------
 sum-file
    Override archive's checksum file in target. By default
    ``XXX.cdist__unpack_sum`` will be used, where ``XXX`` is source
    archive path. This file must be kept in target's persistent storage.
 tar-strip
    Tarball specific. See ``man tar`` for ``--strip-components``.
 tar-extra-args
    Tarball sepcific. Append additional arguments to ``tar`` command.
    See ``man tar`` for possible arguments.
 OPTIONAL BOOLEAN PARAMETERS
 ---------------------------
 backup-destination
    By default destination file will be overwritten. In case destination
    is directory, files from archive will be added to or overwritten in
    directory. This parameter moves existing destination to
    ``XXX.cdist__unpack_backup_YYY``, where ``XXX`` is destination and
    ``YYY`` current UNIX timestamp.
 preserve-archive
    Don't delete archive after unpacking.
 onchange
    Execute this command after unpack.
 EXAMPLES
 --------
 .. code-block:: sh
    __directory /opt/cpma
    require='__directory/opt/cpma' \
        __download /opt/cpma/cnq3.zip \
            --url https://cdn.playmorepromode.com/files/cnq3/cnq3-1.51.zip \
            --sum md5:46da3021ca9eace277115ec9106c5b46
    require='__download/opt/cpma/cnq3.zip' \
        __unpack /opt/cpma/cnq3.zip \
            --backup-destination \
            --preserve-archive \
            --destination /opt/cpma/server
    # example usecase for --tar-* args
    __unpack /root/strelaysrv.tar.gz \
        --preserve-archive \
        --destination /usr/local/bin \
        --tar-strip 1 \
        --tar-extra-args '--wildcards "*/strelaysrv"'
 AUTHORS
 -------
 Ander Punnar <ander-at-kvlt-dot-ee>
 COPYING
 -------
 Copyright \(C) 2020 Ander Punnar. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__unpack/manifest
+++ b/cdist/conf/type/__unpack/manifest
@ -0,0 +1,41 @@
 #!/bin/sh -e
 os="$( cat "$__global/explorer/os" )"
 src="/$__object_id"
 case "$src" in
    *.7z)
        __package p7zip
    ;;
    *.bz2)
        case "$os" in
            freebsd)
                # bzip2 is part of freebsd base system
            ;;
            *)
                __package bzip2
            ;;
        esac
    ;;
    *.lzma|*.xz|*.txz)
        case "$os" in
            debian|ubuntu|devuan)
                __package xz-utils
            ;;
            alpine|centos)
                __package xz
            ;;
        esac
    ;;
    *.rar)
        case "$os" in
            debian|ubuntu|devuan|alpine|freebsd)
                __package unrar
            ;;
        esac
    ;;
    *.zip)
        __package unzip
    ;;
 esac
--- a/cdist/conf/type/__unpack/parameter/boolean
+++ b/cdist/conf/type/__unpack/parameter/boolean
@ -0,0 +1,2 @@
 backup-destination
 preserve-archive
--- a/cdist/conf/type/__unpack/parameter/optional
+++ b/cdist/conf/type/__unpack/parameter/optional
@ -0,0 +1,4 @@
 sum-file
 tar-strip
 tar-extra-args
 onchange
--- a/cdist/conf/type/__unpack/parameter/required
+++ b/cdist/conf/type/__unpack/parameter/required
@ -0,0 +1 @@
 destination
--- a/cdist/conf/type/__unpack/test/README
+++ b/cdist/conf/type/__unpack/test/README
@ -0,0 +1,3 @@
 ./make-test-files.sh
 ./make-init-manifest.sh | cdist config -i - localhost
 sudo find /tmp/cdist__unpack_test/ -type f -exec cat {} \; | sort
--- a/cdist/conf/type/__unpack/test/make-init-manifest.sh
+++ b/cdist/conf/type/__unpack/test/make-init-manifest.sh
@ -0,0 +1,22 @@
 #!/bin/sh -e
 p="$( pwd )"
 d=/tmp/cdist__unpack_test
 echo 'export CDIST_ORDER_DEPENDENCY=1'
 echo "__directory $d"
 find "$p" -name 'test.*' -and -not -name '*.cdist__unpack_sum' \
    | sort \
    | while read -r l
 do
    n="$( basename "$l" )"
    printf '__unpack %s --destination %s/%s\n' \
        "$l" \
        "$d" \
        "$n"
 done
 echo "__clean_path $p --pattern '.+/test\..+'"
--- a/cdist/conf/type/__unpack/test/make-test-files.sh
+++ b/cdist/conf/type/__unpack/test/make-test-files.sh
@ -0,0 +1,44 @@
 #!/bin/sh -ex
 echo test.7z > test
 7z a test.7z test > /dev/null
 echo test.bz2 > test
 bzip2 test
 echo test.gz > test
 gzip test
 echo test.lzma > test
 lzma test
 echo test.rar > test
 rar a test.rar test > /dev/null
 echo test.tar.bz2 > test
 tar cf test.tar test
 bzip2 test.tar
 echo test.tar.xz > test
 tar cf test.tar test
 xz test.tar
 echo test.tgz > test
 tar cf test.tar test
 gzip test.tar
 mv test.tar.gz test.tgz
 echo test.tar.gz > test
 tar cf test.tar test
 gzip test.tar
 echo test.tar > test
 tar cf test.tar test
 echo test.xz > test
 xz test
 echo test.zip > test
 zip test.zip test > /dev/null
 rm test
--- a/cdist/conf/type/__user/explorer/shadow
+++ b/cdist/conf/type/__user/explorer/shadow
@ -23,18 +23,25 @@
 name=$__object_id
-case $("$__explorer/os") in
+case $("${__explorer}/os") in
-  'freebsd'|'netbsd'|'openbsd'|'alpine')
+  freebsd|netbsd)
    database='passwd'
    ;;
-  # Default to using shadow passwords
+  openbsd)
    database='master.passwd'
    ;;
  *)
    # Default to using shadow passwords
    database='shadow'
    ;;
 esac
-if command -v getent >/dev/null; then
+if command -v getent >/dev/null 2>&1
-  getent "$database" "$name" || true
+then
-elif [ -f /etc/shadow ]; then
+  # shellcheck disable=SC2015
-  grep "^${name}:" /etc/shadow || true
+  getent "${database}" "${name}" 2>/dev/null && exit || true  # fallback to file
 fi
 if test -n "${database}" -a -f "/etc/${database}"
 then
  grep -e "^${name}:" "/etc/${database}" || true  # ignore failure
 fi
--- a/cdist/conf/type/__user/gencode-remote
+++ b/cdist/conf/type/__user/gencode-remote
@ -135,11 +135,19 @@ elif [ "$state" = "absent" ]; then
    if grep -q "^${name}:" "$__object/explorer/passwd"; then
        #user exists, but state != present, so delete it
        if [ -f "$__object/parameter/remove-home" ]; then
-            printf "userdel -r '%s' >/dev/null 2>&1\\n" "${name}"
+            if [ "$os" = "freebsd" ]; then
-	    echo "userdel -r" >> "$__messages_out"
+                printf "pw userdel '%s' -r >/dev/null 2>&1\\n" "${name}"
            else
                printf "userdel -r '%s' >/dev/null 2>&1\\n" "${name}"
            fi
            echo "userdel -r" >> "$__messages_out"
        else
-            printf "userdel '%s' >/dev/null 2>&1\\n" "${name}"
+            if [ "$os" = "freebsd" ]; then
-	    echo "userdel" >> "$__messages_out"
+                printf "pw userdel '%s' >/dev/null 2>&1\\n" "${name}"
            else
                printf "userdel '%s' >/dev/null 2>&1\\n" "${name}"
            fi
            echo "userdel" >> "$__messages_out"
        fi
    fi
 else
--- a/cdist/conf/type/__user/manifest
+++ b/cdist/conf/type/__user/manifest
@ -1,6 +1,7 @@
 #!/bin/sh -e
 #
 # 2019 Nico Schottelius (nico-cdist at schottelius.org)
 # 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -17,16 +18,37 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
 # Manage users.
 #
-os=$(cat "$__global/explorer/os")
+case $(cat "${__global}/explorer/os")
-
+in
-case "$os" in
+	(alpine)
-    alpine)
+		__package shadow
-        __package shadow
+		;;
-        ;;
+	(openwrt)
-    *)
+		case $(cat "${__object}/parameter/state")
-        :
+		in
-        ;;
+			(present)
 				if test -s "${__object}/explorer/passwd"
 				then
 					# NOTE: The package might not be required if no changes
 					# are required, but determining if changes are required is
 					# out of scope here, and 40k should be okay, I hope.
 					__package shadow-usermod
 				else
 					__package shadow-useradd
 				fi
 				;;
 			(absent)
 				if test -s "${__object}/explorer/passwd"
 				then
 					__package shadow-userdel
 				fi
 				;;
 		esac
 		;;
 	(*)
 		:
 		;;
 esac
--- a/cdist/config.py
+++ b/cdist/config.py
@ -1,4 +1,3 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 #
 # 2010-2015 Nico Schottelius (nico-cdist at schottelius.org)
@ -29,18 +28,20 @@ import time
 import itertools
 import tempfile
 import multiprocessing
 from cdist.mputil import mp_pool_run, mp_sig_handler
 import atexit
 import shutil
 import socket
 from cdist.mputil import mp_pool_run, mp_sig_handler
 from cdist import core, inventory
 from cdist.util.remoteutil import inspect_ssh_mux_opts
 import cdist
 import cdist.hostsource
 import cdist.exec.local
 import cdist.exec.remote
 import cdist.util.ipaddr as ipaddr
 import cdist.configuration
 from cdist import core, inventory
 from cdist.util.remoteutil import inspect_ssh_mux_opts
 def graph_check_cycle(graph):
@ -70,7 +71,7 @@ def _graph_dfs_cycle(graph, node, path):
    return False
-class Config(object):
+class Config:
    """Cdist main class to hold arbitrary data"""
    # list of paths (files and/or directories) that will be removed on finish
@ -174,9 +175,11 @@ class Config(object):
            raise cdist.Error(("Cannot read both, manifest and host file, "
                               "from stdin"))
        # if no host source is specified then read hosts from stdin
        if not (args.hostfile or args.host):
-            args.hostfile = '-'
+            if args.tag or args.all_tagged_hosts:
                raise cdist.Error(("Target host tag(s) missing"))
            else:
                raise cdist.Error(("Target host(s) missing"))
        if args.manifest == '-':
            # read initial manifest from stdin
@ -195,7 +198,6 @@ class Config(object):
    @classmethod
    def commandline(cls, args):
        """Configure remote system"""
        if (args.parallel and args.parallel != 1) or args.jobs:
            if args.timestamp:
                cdist.log.setupTimestampingParallelLogging()
@ -203,6 +205,7 @@ class Config(object):
                cdist.log.setupParallelLogging()
        elif args.timestamp:
            cdist.log.setupTimestampingLogging()
        log = logging.getLogger("config")
        # No new child process if only one host at a time.
@ -381,10 +384,16 @@ class Config(object):
           If operating in parallel then return tuple (host, True|False, )
           so that main process knows for which host function was successful.
        """
        log = logging.getLogger(host)
        try:
            if args.log_server:
                # Start a log server so that nested `cdist config` runs
                # have a place to send their logs to.
                log_server_socket_dir = tempfile.mkdtemp()
                cls._register_path_for_removal(log_server_socket_dir)
                cdist.log.setupLogServer(log_server_socket_dir, log)
            remote_exec, remote_copy, cleanup_cmd = cls._resolve_remote_cmds(
                args)
            log.debug("remote_exec for host \"{}\": {}".format(
--- a/cdist/configuration.py
+++ b/cdist/configuration.py
@ -27,6 +27,7 @@ import cdist.argparse
 import re
 import multiprocessing
 import logging
 import sys
 class Singleton(type):
@ -246,9 +247,33 @@ class LogLevelOption(OptionBase):
        return VerbosityOption().translate(val)
 class ColoredOutputOption(BooleanOption):
    CHOICES = ('always', 'never', 'auto')
    DEFAULT = 'auto'
    def get_converter(self):
        return self.translate
    @staticmethod
    def translate(val):
        if isinstance(val, bool):
            return val
        elif val == 'always':
            return True
        elif val == 'never':
            return False
        elif val == 'auto':
            return 'NO_COLOR' not in os.environ and sys.stdout.isatty()
 ColoredOutputOption.DEFAULT = ColoredOutputOption.translate(
    ColoredOutputOption.DEFAULT)
 _ARG_OPTION_MAPPING = {
    'beta': 'beta',
    'cache_path_pattern': 'cache_path_pattern',
    'colored_output': 'colored_output',
    'conf_dir': 'conf_dir',
    'manifest': 'init_manifest',
    'out_path': 'out_path',
@ -294,6 +319,7 @@ class Configuration(metaclass=Singleton):
            'remote_shell': StringOption('remote_shell'),
            'cache_path_pattern': StringOption('cache_path_pattern'),
            'conf_dir': ConfDirOption(),
            'colored_output': ColoredOutputOption('colored_output'),
            'init_manifest': StringOption('init_manifest'),
            'out_path': StringOption('out_path'),
            'remote_out_path': StringOption('remote_out_path'),
@ -319,6 +345,7 @@ class Configuration(metaclass=Singleton):
        'CDIST_REMOTE_COPY': 'remote_copy',
        'CDIST_INVENTORY_DIR': 'inventory_dir',
        'CDIST_CACHE_PATH_PATTERN': 'cache_path_pattern',
        'CDIST_COLORED_OUTPUT': 'colored_output',
        '__cdist_log_level': 'verbosity',
    }
    ENV_VAR_BOOLEAN_OPTIONS = ('CDIST_BETA', )
@ -327,11 +354,10 @@ class Configuration(metaclass=Singleton):
    }
    ARG_OPTION_MAPPING = _ARG_OPTION_MAPPING
-    ADJUST_ARG_OPTION_MAPPING = {
+    ADJUST_ARG_OPTION_MAPPING = {v: k for k, v in _ARG_OPTION_MAPPING.items()}
       _ARG_OPTION_MAPPING[key]: key for key in _ARG_OPTION_MAPPING
    }
    REQUIRED_DEFAULT_CONFIG_VALUES = {
        'GLOBAL': {
            'colored_output': 'auto',
            'verbosity': 0,
        },
    }
@ -484,8 +510,7 @@ class Configuration(metaclass=Singleton):
            newconfig = self._read_config_file(config_file)
            self._update_config_dict(config, newconfig)
        # command line config file
-        if (self.args and 'config_file' in self.args and
+        if (self.args and self.args.get('config_file', None)):
                self.args['config_file']):
            newconfig = self._read_config_file(self.args['config_file'])
            self._update_config_dict(config, newconfig)
        # command line
--- a/cdist/core/cdist_object.py
+++ b/cdist/core/cdist_object.py
@ -47,7 +47,7 @@ class MissingObjectIdError(cdist.Error):
        return '%s' % (self.message)
-class CdistObject(object):
+class CdistObject:
    """Represents a cdist object.
    All interaction with objects in cdist should be done through this class.
--- a/cdist/core/cdist_type.py
+++ b/cdist/core/cdist_type.py
@ -38,7 +38,7 @@ class InvalidTypeError(cdist.Error):
                self.type_path, self.type_absolute_path, self.source_path)
-class CdistType(object):
+class CdistType:
    """Represents a cdist type.
    All interaction with types in cdist should be done through this class.
--- a/cdist/core/code.py
+++ b/cdist/core/code.py
@ -92,7 +92,7 @@ code-remote
 '''
-class Code(object):
+class Code:
    """Generates and executes cdist code scripts.
    """
@ -116,6 +116,10 @@ class Code(object):
        if dry_run:
            self.env['__cdist_dry_run'] = '1'
        if '__cdist_log_server_socket_export' in os.environ:
            self.env['__cdist_log_server_socket'] = os.environ[
                '__cdist_log_server_socket_export']
    def _run_gencode(self, cdist_object, which):
        cdist_type = cdist_object.cdist_type
        script = os.path.join(self.local.type_path,
--- a/cdist/core/explorer.py
+++ b/cdist/core/explorer.py
@ -63,7 +63,7 @@ type explorer is:
 '''
-class Explorer(object):
+class Explorer:
    """Executes cdist explorers.
    """
--- a/cdist/core/manifest.py
+++ b/cdist/core/manifest.py
@ -92,7 +92,7 @@ class NoInitialManifestError(cdist.Error):
        return repr(self.message)
-class Manifest(object):
+class Manifest:
    """Executes cdist manifests.
    """
@ -119,6 +119,8 @@ class Manifest(object):
            '__cdist_log_level': util.log_level_env_var_val(self.log),
            '__cdist_log_level_name': util.log_level_name_env_var_val(
                self.log),
            '__cdist_colored_log': str(
                cdist.log.CdistFormatter.USE_COLORS).lower(),
        }
        if dry_run:
--- a/Show more
+++ b/Show more
		`@ -1 +0,0 @@`
			`Consider moving to __pf_apply_anchor. Get in touch if you need __pf_apply.`