[logging] Mute return_output warning for explorers.

This adds a `warn_return_output` flag to
`cdist.exec.remote.Remote.(run_script|run|_run_command)`.

It defaults to `True` keeping current behaviour except when called from
`cdist.core.explorer.Explorer`.
This way debug logging is significantly cleaner.

Fixes #806

README

@@ -1,7 +0,0 @@
-cdist
------
-
-cdist is a usable configuration management system.
-
-For the web documentation have a look at https://www.cdi.st/
-or at docs/src for reStructuredText manual.

README.md

@@ -0,0 +1,31 @@
+# cdist
+
+**cdist** is a usable configuration management system.
+
+It adheres to the [**KISS principle**](https://en.wikipedia.org/wiki/KISS_principle)
+and is being used in small up to enterprise grade environments.
+
+For more information have a look at [**homepage**](https://cdi.st)
+or at **``docs/src``** for manual in **reStructuredText** format.
+
+## Contributing
+
+Merge/Pull requests can be made in both
+[upstream **GitLab**](https://code.ungleich.ch/ungleich-public/cdist/merge_requests)
+(managed by [**ungleich**](https://ungleich.ch))
+and [**GitHub** project](https://github.com/ungleich/cdist/pulls).
+
+Issues can be made and other project management activites happen
+[**only in GitLab**](https://code.ungleich.ch/ungleich-public/cdist)
+(needs [**ungleich** account](https://account.ungleich.ch)).
+
+For community-maintained types there is
+[**cdist-contrib** project](https://code.ungleich.ch/ungleich-public/cdist-contrib).
+
+## Participating
+
+IRC: ``#cdist`` @ freenode
+
+Matrix: ``#cdist:ungleich.ch``
+
+Mattermost: https://chat.ungleich.ch/ungleich/channels/cdist

cdist/conf/explorer/cpu_cores

@@ -32,6 +32,10 @@ case "$os" in
         sysctl -n hw.ncpuonline
     ;;
 
+    "freebsd"|"netbsd")
+        sysctl -n hw.ncpu
+    ;;
+
     *)
         if [ -r /proc/cpuinfo ]; then
             cores="$(grep "core id" /proc/cpuinfo | sort | uniq | wc -l)"

cdist/conf/explorer/memory

@@ -29,7 +29,7 @@ case "$os" in
         echo "$(sysctl -n hw.memsize)/1024" | bc
     ;;
 
-    "openbsd")
+    *"bsd")
         echo "$(sysctl -n hw.physmem) / 1048576" | bc
     ;;
 

cdist/conf/type/__daemontools_service/man.rst

@@ -40,12 +40,6 @@ run-file
 log-run
    Command to run for log consumption. Default: `multilog t ./main`
 
-owner
-   User to chown to.
-
-group
-   User to chgrp to.
-
 servicedir
    Directory to install into. Default: `/service`
 

cdist/conf/type/__daemontools_service/manifest

@@ -9,8 +9,6 @@ servicedir=$(cat "$__object/parameter/servicedir")
 run=$(cat "$__object/parameter/run")
 runfile=$(cat "$__object/parameter/run-file")
 logrun=$(cat "$__object/parameter/log-run")
-owner=$(cat "$__object/parameter/owner")
-group=$(cat "$__object/parameter/group")
 
 svc=$(cat "$__type/explorer/svc")
 
@@ -27,22 +25,14 @@ badusage() {
 [ -z "$run$runfile" ] && badusage
 [ -n "$run" ] && [ -n "$runfile" ] && badusage
 
-flags=""
-if [ -n "$owner" ]; then
-  flags="$flags --owner $owner"
-fi
-if [ -n "$group" ]; then
-  flags="$flags --group $group"
-fi
-
-__directory "$servicedir/$name/log/main" --parents $flags
+__directory "$servicedir/$name/log/main" --parents
 
 echo "$RUN_PREFIX$run" | require="__directory/$servicedir/$name/log/main" __config_file "$servicedir/$name/run" \
 	--onchange "svc -t '$servicedir/$name' 2>/dev/null" \
-	--mode 755 $flags \
+	--mode 755 \
 	--source "${runfile:--}"
 
 echo "$RUN_PREFIX$logrun" | require="__directory/$servicedir/$name/log/main" __config_file "$servicedir/$name/log/run" \
 	--onchange "svc -t '$servicedir/$name/log' 2>/dev/null" \
-	--mode 755 $flags \
+	--mode 755 \
 	--source "-"

cdist/conf/type/__daemontools_service/parameter/optional

@@ -1,6 +1,4 @@
-group
 log-run
-owner
 run
 run-file
 servicedir

cdist/conf/type/__iocage_clone/gencode-remote

@@ -1,152 +0,0 @@
-#!/bin/sh
-
-state="$(cat $__object/parameter/state)"
-template="$(cat $__object/parameter/template)"
-ip4_addr="$(cat $__object/parameter/bridge)|$(cat $__object/parameter/ip)"
-interfaces="none:none"
-defaultrouter="none"
-vnet="off"
-jail_zfs_dataset="$(cat $__object/parameter/jail_zfs_dataset)"
-devfs_ruleset="$(cat $__object/parameter/devfs_ruleset)"
-allow_socket_af="$(cat $__object/parameter/allow_socket_af)"
-mount_procfs="$(cat $__object/parameter/mount_procfs)"
-mount_linprocfs="$(cat $__object/parameter/mount_linprocfs)"
-
-if [ "X$state" = "Xabsent" ]; then
-  cat <<EOF
-    iocage stop $__object_id || true
-    iocage destroy -f $__object_id || true
-    rm -f /iocage/jails/$__object_id
-EOF
-else 
-  cat <<EOF
-get_property_zfs () {
-  zfs get -H -o value \$1 "\$2"
-}
-
-get_property_iocage () {
-  get_property_zfs "org.freebsd.iocage:\$1" "/iocage/jails/\$2"
-}
-
-create_new=0
-if [ ! -d /iocage/jails/"$__object_id" ]; then
-  echo "Jail $__object_id does not exist, going to create."
-  create_new=1
-else
-  base=\$(get_property_zfs origin "/iocage/jails/$__object_id")
-  current_template=\$(get_property_zfs org.freebsd.iocage:tag "\$base")
-  if [ "X\$current_template" != "X$template" ]; then
-    echo "Jail $__object_id has base \$current_template, which is not $template. " >&2
-    create_new=1
-  fi
-fi
-
-if [ \$create_new -eq 0 ]; then
-  if [ "off" == "\$(get_property_iocage jail_zfs "$__object_id")" ]; then
-    current_jail_zfs_dataset=""
-  else
-    current_jail_zfs_dataset="\$(get_property_iocage jail_zfs_dataset "$__object_id")"
-  fi
-fi
-
-configure=0
-if [ \$create_new -eq 1 ]; then
-  configure=1
-elif [ "X$vnet" != "X\$(get_property_iocage vnet "$__object_id")" ]; then
-  configure=1
-elif [ "X$ip4_addr" != "X\$(get_property_iocage ip4_addr "$__object_id")" ]; then
-  configure=1
-elif [ "X$interfaces" != "X\$(get_property_iocage interfaces "$__object_id")" ]; then
-  configure=1
-elif [ "X$defaultrouter" != "X\$(get_property_iocage defaultrouter "$__object_id")" ]; then
-  configure=1
-elif [ "X$mount_procfs" != "X\$(get_property_iocage mount_procfs "$__object_id")" ]; then
-  configure=1
-elif [ "X$devfs_ruleset" != "X\$(get_property_iocage devfs_ruleset "$__object_id")" ]; then
-  configure=1
-elif [ "X$allow_socket_af" != "X\$(get_property_iocage allow_socket_af "$__object_id")" ]; then
-  configure=1
-elif [ "X$jail_zfs_dataset" != "X\$current_jail_zfs_dataset" ]; then
-  configure=1
-fi
-
-if [ \$create_new -eq 1 ]; then
-  echo "Creating jail $__object_id" >&2
-
-  iocage stop $__object_id || true
-  iocage destroy -f $__object_id || true
-  # Without VNETs, we should not need this.
-  # TODO(riso): Use nicer path
-  # /root/cdist/ioc deconfigure $__object_id
-
-  rm -f /iocage/jails/$__object_id
-
-  iocage clone $template tag=$__object_id
-  iocage set boot=on $__object_id
-  UUID=\$(iocage list | grep " $__object_id " | awk "{ print \\\$2; }")
-  rm -f /iocage/jails/$__object_id
-  ln -s /iocage/jails/\$UUID /iocage/jails/$__object_id
-else
-  UUID=\$(iocage list | grep " $__object_id " | awk "{ print \\\$2; }")
-  echo "Jail $__object_id already exists, UUID=\$UUID" >&2
-fi
-
-ROOT="/iocage/jails/\$UUID/root"
-FSTAB="/iocage/jails/\$UUID/fstab"
-rm -f \$FSTAB.new
-touch \$FSTAB.new
-cat $__object/parameter/mount 2>/dev/null | \\
-while read mount; do
-  src=\$(echo \$mount | awk -F: "{ print \\\$1; }")
-  dst_rel=\$(echo \$mount | awk -F: "{ print \\\$2; }")
-  dst="/iocage/jails/\$UUID/root/\$dst_rel"
-  mkdir -p "\$dst"
-  echo "\$src	\$dst	nullfs	rw	0	0" >>\$FSTAB.new
-done
-if [ $mount_linprocfs -eq 1 ]; then
-  echo "linproc /iocage/jails/\$UUID/root/compat/linux/proc linprocfs rw 0 0" >>\$FSTAB.new
-fi
-
-fstab_changed=0
-if diff -q \$FSTAB \$FSTAB.new >/dev/null; then
-  # pass
-else
-  configure=1
-  fstab_changed=1
-fi
-
-if [ \$configure -eq 1 ]; then
-  echo "Configuring jail $__object_id." >&2
-  iocage stop $__object_id || true
-
-  iocage set vnet="$vnet" $__object_id
-  iocage set interfaces="$interfaces" $__object_id
-  iocage set hostname="$__object_id" $__object_id
-  iocage set ip4_addr="$ip4_addr" $__object_id
-  iocage set defaultrouter="$defaultrouter" $__object_id
-  iocage set mount_procfs="$mount_procfs" $__object_id
-  iocage set devfs_ruleset="$devfs_ruleset" $__object_id
-  iocage set allow_socket_af="$allow_socket_af" $__object_id
-  if [ -n "$jail_zfs_dataset" ]; then
-    iocage set jail_zfs=on $__object_id
-    iocage set jail_zfs_dataset="$jail_zfs_dataset" $__object_id
-  else
-    iocage set jail_zfs=off $__object_id
-  fi
-
-  if [ \$fstab_changed -eq 1 ]; then
-    umount -afF \$FSTAB || true
-    mv \$FSTAB.new \$FSTAB
-  fi
-
-  iocage start $__object_id || true
-
-  # Iocage creates new mac address, but arp can have an old mac cached.
-  # TODO(riso): Is this true without VNETs?
-  arp -d -a
-else
-  echo "Jail $__object_id is already configured." >&2
-fi
-rm -f \$FSTAB.new
-EOF
-fi

cdist/conf/type/__iocage_clone/manifest

@@ -1 +0,0 @@
-__package iocage

cdist/conf/type/__iocage_clone/parameter/default/allow_socket_af

@@ -1 +0,0 @@
-0

cdist/conf/type/__iocage_clone/parameter/default/bridge

@@ -1 +0,0 @@
-bridge0

cdist/conf/type/__iocage_clone/parameter/default/devfs_ruleset

@@ -1 +0,0 @@
-4

cdist/conf/type/__iocage_clone/parameter/default/mount_linprocfs

@@ -1 +0,0 @@
-0

cdist/conf/type/__iocage_clone/parameter/default/mount_procfs

@@ -1 +0,0 @@
-0

cdist/conf/type/__iocage_clone/parameter/default/net

@@ -1 +0,0 @@
-24

cdist/conf/type/__iocage_clone/parameter/default/state

@@ -1 +0,0 @@
-present

cdist/conf/type/__iocage_clone/parameter/optional

@@ -1,7 +0,0 @@
-state
-bridge
-jail_zfs_dataset
-mount_procfs
-mount_linprocfs
-devfs_ruleset
-allow_socket_af

cdist/conf/type/__iocage_clone/parameter/optional_multiple

@@ -1 +0,0 @@
-mount

cdist/conf/type/__iocage_clone/parameter/required

@@ -1,2 +0,0 @@
-ip
-template

cdist/conf/type/__letsencrypt_acmetiny/gencode-remote

@@ -1,112 +0,0 @@
-#!/bin/sh -e
-
-ACME_TINY_CERT_REQUEST_DIR="/var/acme-tiny/cert-requests"
-ACME_TINY_ACCOUNT_KEY="/var/acme-tiny/account.key"
-ACME_CHALLENGE_DIR="/srv/www/sites/acme/public/.well-known/acme-challenge"
-
-REALM="${__object_id}"
-EXTRA_DOMAINS=""
-if [ -f "${__object}/parameter/extra-domain" ]; then
-  EXTRA_DOMAINS="$(cat "${__object}/parameter/extra-domain")"
-fi
-
-#TODO: support linux too
-REALMS_DIR="/usr/local/etc/pki/realms"
-REALM_DIR="${REALMS_DIR}/${REALM}"
-REALM_CERT="${REALM_DIR}/default.crt"
-REALM_KEY="${REALM_DIR}/default.key"
-REALM_CERT_REQUEST="${ACME_TINY_CERT_REQUEST_DIR}/${REALM}.csr"
-REALM_CERT_REQUEST_CNF="${ACME_TINY_CERT_REQUEST_DIR}/${REALM}.cnf"
-
-CSR_ALT_NAMES=""
-REALM_CERT_REQUEST_CNF_LINE=""
-if [ -n "${EXTRA_DOMAINS}" ]; then
-  CSR_ALT_NAMES="DNS:${REALM}"
-  for domain in ${EXTRA_DOMAINS}; do
-    CSR_ALT_NAMES="${CSR_ALT_NAMES},DNS:${domain}"
-  done
-  # CSR requests are executed always against .new, only after succeeding .new replaces the .cnf
-  REALM_CERT_REQUEST_CNF_LINE="-reqexts SAN -config '${REALM_CERT_REQUEST_CNF}.new'"
-fi
-
-cat << EOF
-if [ ! -d '${REALM_DIR}' ]; then
-  mkdir -p '${REALM_DIR}'
-fi
-if [ ! -f '${REALM_KEY}' ]; then
-  openssl genrsa 4096 > '${REALM_KEY}'
-fi
-
-if [ ! -d '${ACME_TINY_CERT_REQUEST_DIR}' ]; then
-  mkdir '${ACME_TINY_CERT_REQUEST_DIR}'
-fi
-
-FORCE_CSR_REGEN=""
-if [ -n '${CSR_ALT_NAMES}' ]; then
-  # Generate new config
-  cat /etc/ssl/openssl.cnf > '${REALM_CERT_REQUEST_CNF}.new'
-  printf '[SAN]\nsubjectAltName=${CSR_ALT_NAMES}' >> '${REALM_CERT_REQUEST_CNF}.new'
-  # Compare to previous config if necessary
-  if [ -f '${REALM_CERT_REQUEST_CNF}' ]; then
-    CNF_DIFF=\$(diff -q '${REALM_CERT_REQUEST_CNF}' '${REALM_CERT_REQUEST_CNF}.new' || true)
-    if [ -n "\${CNF_DIFF}" ]; then
-      # Options have changed
-      FORCE_CSR_REGEN="YES"
-    else
-      # Since they match, we won't be using this, clean it
-      rm '${REALM_CERT_REQUEST_CNF}.new'
-    fi
-  else
-    # We never used SAN here, CSR regen needed.
-    FORCE_CSR_REGEN="YES"
-  fi
-else
-  # We used SAN at some point, not any more
-  if [ -f '${REALM_CERT_REQUEST_CNF}' ]; then
-    rm '${REALM_CERT_REQUEST_CNF}'
-    FORCE_CSR_REGEN="YES"
-  fi
-fi
-
-# Create or re-create when params have changed
-if [ ! -f '${REALM_CERT_REQUEST}' -o -n "\${FORCE_CSR_REGEN}" ]; then
-  openssl req -new -sha256 -key '${REALM_KEY}' -subj '/CN=${REALM}' -out '${REALM_CERT_REQUEST}' ${REALM_CERT_REQUEST_CNF_LINE}
-fi
-
-# Check if cert exists, and if so whether or not it's older than a month
-if [ -f '${REALM_CERT}' ]; then
-  MODIFIED_IN_30d="\$(find '${REALM_CERT}' -mtime -30d)"
-  if [ -z "\${MODIFIED_IN_30d}" ]; then
-    # Cert is over a month old, it's fine to regenerate
-    FORCE_CRT_REGEN="YES"
-  fi
-else
-  # This cert doesn't exist
-  FORCE_CRT_REGEN="YES"
-fi
-
-
-# Only request certificate when needed
-# TODO: support linux too
-if [ -n "\${FORCE_CSR_REGEN}" -o -n "\${FORCE_CRT_REGEN}" ]; then
-  doas -u acme-tiny -- acme_tiny \
-    --account '${ACME_TINY_ACCOUNT_KEY}' \
-    --csr '${REALM_CERT_REQUEST}' \
-    --acme-dir '${ACME_CHALLENGE_DIR}' > '${REALM_CERT}.new'
-
-  if [ -s '${REALM_CERT}.new' ]; then
-    mv '${REALM_CERT}.new' '${REALM_CERT}'
-  else
-    echo "Failed to generate cert for realm '${REALM}'."
-    exit 1
-  fi
-fi
-
-cat "${REALM_CERT}" "${REALMS_DIR}/chain.pem" > ${REALM_DIR}/fullchain.pem
-
-if [ -n '${REALM_CERT_REQUEST_CNF_LINE}' -a -f '${REALM_CERT_REQUEST_CNF}.new' ]; then
-  # CSR and cert generation succeded with a new config, put new config in-place.
-  # This is the last thing we do, so we try again next time if sth fails.
-  mv '${REALM_CERT_REQUEST_CNF}.new' '${REALM_CERT_REQUEST_CNF}'
-fi
-EOF

cdist/conf/type/__letsencrypt_acmetiny/manifest

@@ -1 +0,0 @@
-#__letsencrypt_acmetiny_base

cdist/conf/type/__letsencrypt_acmetiny/parameter/optional_multiple

@@ -1 +0,0 @@
-extra-domain

cdist/conf/type/__letsencrypt_acmetiny_base/gencode-remote

@@ -1,12 +0,0 @@
-#!/bin/sh -e
-
-ACME_HOME="/var/acme-tiny"
-ACME_ACCOUNT_KEY="${ACME_HOME}/account.key"
-
-cat << EOF
-if [ ! -f '${ACME_ACCOUNT_KEY}' ]; then
-  openssl genrsa 4096 > '${ACME_ACCOUNT_KEY}'
-  chown acme-tiny:acme-tiny '${ACME_ACCOUNT_KEY}'
-  chmod 640 '${ACME_ACCOUNT_KEY}'
-fi
-EOF

cdist/conf/type/__letsencrypt_acmetiny_base/manifest

@@ -1,227 +0,0 @@
-# Arguments
-ACME_DOMAIN="$(cat "${__object}/parameter/acme_domain" || true)"
-
-if [ -z "${ACME_DOMAIN}" ]; then
-  ACME_DOMAIN="${__target_host}"
-fi
-
-
-# Install needed stuffz
-
-## TODO: consider not depending on nginx? It is... practical though.
-## TODO: Maybe just move this out to a sepecial type?
-__package "nginx"
-
-NGINX_ETC="/usr/local/etc/nginx"
-
-# Setup the acme-challenge snippet
-require="__package/nginx" __directory "${NGINX_ETC}/snippets" --state present
-require="__directory${NGINX_ETC}/snippets" __file "${NGINX_ETC}/snippets/acme-challenge.conf" \
-  --mode 644 \
-  --source - << EOF
-# This file is managed remotely, all changes will be lost
-
-# This was heavily inspired by debops.org.
-
-# Automatic Certificate Management Environment (ACME) support.
-# https://tools.ietf.org/html/draft-ietf-acme-acme-01
-# https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
-
-
-# Return the ACME challenge present in the server public root.
-# If not found, switch to global web server root.
-location ^~ /.well-known/acme-challenge/ {
-        default_type "text/plain";
-        try_files \$uri @well-known-acme-challenge;
-}
-
-# Return the ACME challenge present in the global server public root.
-# If not present, redirect request to a specified domain.
-location @well-known-acme-challenge {
-        root /srv/www/sites/acme/public;
-        default_type "text/plain";
-        try_files \$uri @redirect-acme-challenge;
-}
-
-# Redirect the ACME challenge to a different host. If a redirect loop is
-# detected, return 404.
-location @redirect-acme-challenge {
-        if (\$arg_redirect) {
-                return 404;
-        }
-        return 307 \$scheme://${ACME_DOMAIN}\$request_uri?redirect=yes;
-}
-
-# Return 404 if ACME challenge well known path is accessed directly.
-location = /.well-known/acme-challenge/ {
-    return 404;
-}
-EOF
-
-require="__package/nginx" __directory "${NGINX_ETC}/sites-enabled" --state present
-require="__directory${NGINX_ETC}/sites-enabled" __file "${NGINX_ETC}/nginx.conf" \
-  --mode 644 \
-  --source - << EOF
-# This file is managed remotely, all changes will be lost
-
-worker_processes  1;
-
-# This default error log path is compiled-in to make sure configuration parsing
-# errors are logged somewhere, especially during unattended boot when stderr
-# isn't normally logged anywhere. This path will be touched on every nginx
-# start regardless of error log location configured here. See
-# https://trac.nginx.org/nginx/ticket/147 for more info. 
-#
-#error_log  /var/log/nginx/error.log;
-#
-
-#pid        logs/nginx.pid;
-
-
-events {
-        worker_connections  1024;
-}
-
-
-http {
-
-        include       mime.types;
-        default_type  application/octet-stream;
-
-        server_tokens off;
-
-        ssl_session_cache shared:SSL:10m;
-        ssl_session_timeout 5m;
-        sendfile on;
-        tcp_nopush on;
-        tcp_nodelay on;
-        types_hash_max_size 2048;
-        gzip on;
-        gzip_disable "msie6";
-        gzip_comp_level    5;
-        gzip_min_length    256;
-        gzip_proxied       any;
-        gzip_vary          on;
-        gzip_types
-          application/atom+xml
-          application/javascript
-          application/json
-          application/ld+json
-          application/manifest+json
-          application/rss+xml
-          application/vnd.geo+json
-          application/vnd.ms-fontobject
-          application/x-font-ttf
-          application/x-web-app-manifest+json
-          application/xhtml+xml
-          application/xml
-          font/opentype
-          image/bmp
-          image/svg+xml
-          image/x-icon
-          text/cache-manifest
-          text/css
-          text/plain
-          text/vcard
-          text/vnd.rim.location.xloc
-          text/vtt
-          text/x-component
-          text/x-cross-domain-policy;
-
-        # Logging
-        access_log /var/log/nginx/access.log;
-        error_log  /var/log/nginx/error.log;
-
-        #add_header X-Clacks-Overhead "GNU Terry Pratchett";
-
-        # Virtual Hosts Configs
-        include ${NGINX_ETC}/sites-enabled/*.conf;
-}
-EOF
-
-require="__directory${NGINX_ETC}/sites-enabled" __file "${NGINX_ETC}/sites-enabled/welcome.conf" \
-  --mode 644 \
-  --source - << EOF
-# This file is managed remotely, all changes will be lost
-
-# nginx server configuration for:
-#    - https://welcome/
-
-server {
-
-        listen [::]:80;
-
-        server_name welcome;
-
-        root /srv/www/sites/welcome/public;
-
-        include snippets/acme-challenge.conf;
-
-        location / {
-                return 301 https://\$host\$request_uri;
-        }
-}
-EOF
-
-## TODO: this is kinda bad, don't restart every time.
-##       Otherwise this isn't idempotent.
-require="__package/nginx" __service nginx --action onerestart
-require="__package/nginx" __start_on_boot nginx
-
-
-__package "acme-tiny"
-
-# Create acme-tiny user and secure home dir
-ACME_TINY_HOME="/var/acme-tiny"
-require="__package/acme-tiny" __user acme-tiny --system --home ${ACME_TINY_HOME} --comment "acme-tiny client"
-require="__user/acme-tiny" __directory "${ACME_TINY_HOME}" --state present --mode 0750 --owner acme-tiny --group acme-tiny
-
-# Create ACME challenge dirs to be served by nginx
-ACME_PUBLIC_DIR="/srv/www/sites/acme/public"
-ACME_WELLKNOWN_DIR="${ACME_PUBLIC_DIR}/.well-known"
-ACME_CHALLENGE_DIR="${ACME_WELLKNOWN_DIR}/acme-challenge"
-__directory "${ACME_PUBLIC_DIR}" \
-  --parents \
-  --state present \
-  --owner acme-tiny --group www \
-  --mode 2750 # TODO: check whether this does require gid?
-require="__directory${ACME_PUBLIC_DIR}" __directory "${ACME_WELLKNOWN_DIR}" \
-  --state present \
-  --owner acme-tiny --group www \
-  --mode 0750
-require="__directory${ACME_WELLKNOWN_DIR}" __directory "${ACME_CHALLENGE_DIR}" \
-  --state present \
-  --owner acme-tiny --group www \
-  --mode 0750
-
-__package doas
-DOAS_CONF="/usr/local/etc/doas.conf"
-require="__package/doas" __file "${DOAS_CONF}" --mode 0640
-require="__file${DOAS_CONF}" __line "${DOAS_CONF}" \
-  --regex 'root as acme-tiny' \
-  --line 'permit nopass root as acme-tiny'
-
-# Setup CA 
-REALMS_DIR="/usr/local/etc/pki/realms"
-__directory "${REALMS_DIR}" \
-  --parents \
-  --state present \
-  --mode 0755
-
-require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/intermediate.pem \
-  --mode 0644 \
-  --source - << EOF
-$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt)
-EOF
-require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/root.pem \
-  --mode 0644 \
-  --source - << EOF
-$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt)
-EOF
-require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/chain.pem \
-  --mode 0644 \
-  --source - << EOF
-$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt)
-$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt)
-EOF
-

cdist/conf/type/__letsencrypt_acmetiny_base/parameter/optional

@@ -1 +0,0 @@
-acme_domain

cdist/conf/type/__pf_rdr/manifest

@@ -1,40 +0,0 @@
-#!/bin/sh -e
-#
-# 2016 Kamila Součková (coding at kamila.is)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-# TODO it would be cool to print a warning if a generated anchor is unused in pf.conf
-
-ANCHORS_DIR=/etc/pf.d
-
-proto="$(cat "${__object}/parameter/proto")"
-from="$(cat "${__object}/parameter/from")"
-to="$(cat "${__object}/parameter/to")"
-state="$(cat "${__object}/parameter/state")"
-
-# This breaks utterly with IPv6
-from="$(echo ${from} | sed 's/:/ port /')"
-to="$(echo ${to} | sed 's/:/ port /')"
-
-anchor_name="$(echo ${__object_id} | cut -d/ -f1)"
-rule="rdr pass log proto ${proto} from any to ${from} -> ${to}"
-
-__directory "${ANCHORS_DIR}" --parents
-
-require="__directory/${ANCHORS_DIR}" \
-__line __pf_rdr/${__object_id} --state ${state} --line "${rule}" --file ${ANCHORS_DIR}/${anchor_name}

cdist/conf/type/__pf_rdr/parameter/default/proto

@@ -1 +0,0 @@
-tcp

cdist/conf/type/__pf_rdr/parameter/default/state

@@ -1 +0,0 @@
-present

cdist/conf/type/__pf_rdr/parameter/optional

@@ -1,2 +0,0 @@
-proto
-state

cdist/conf/type/__pf_rdr/parameter/required

@@ -1,2 +0,0 @@
-from
-to

cdist/conf/type/__tinydns/gencode-remote

@@ -1,7 +0,0 @@
-servicename=$__object_id
-user="$(cat "$__object/parameter/user")"
-server_ip="$(cat "$__object/parameter/server-ip")"
-
-cat<<EOF
-test -d /etc/tinydns/$servicename || tinydns-conf $user $user /etc/tinydns/$servicename $server_ip
-EOF

cdist/conf/type/__tinydns/manifest

@@ -1,8 +0,0 @@
-service_name=$__object_id
-user="$(cat "$__object/parameter/user")"
-
-__package djbdns
-__directory /etc/tinydns --mode 755
-__user $user --system --shell /bin/false
-
-require="__daemontools" __link /service/tinydns-$service_name --type symbolic --source /etc/tinydns/$service_name

cdist/conf/type/__tinydns/parameter/required

@@ -1,2 +0,0 @@
-user
-server-ip

cdist/conf/type/__tinydns_host/gencode-remote

@@ -1,9 +0,0 @@
-servicename=$(echo $__object_id | cut -d/ -f1)
-name=$(echo $__object_id | cut -d/ -f2-)
-ip="$(cat "$__object/parameter/ip")"
-
-cat<<EOF
-cd /etc/tinydns/$servicename/root
-grep '=$name:$ip' data 2>/dev/null || ./add-host $name $ip
-make
-EOF

cdist/conf/type/__tinydns_host/parameter/required

@@ -1 +0,0 @@
-ip

cdist/conf/type/__tinydns_ns/gencode-remote

@@ -1,13 +0,0 @@
-set -x
-
-servicename=$(echo $__object_id | cut -d/ -f1)
-name=$(echo $__object_id | cut -d/ -f2-)
-ip="$(cat "$__object/parameter/ip")"
-
-cat<<EOF
-cd /etc/tinydns/$servicename/root
-grep .$host:$ip data 2>/dev/null || ./add-ns $name $ip
-make
-EOF
-
-set +x

cdist/conf/type/__tinydns_ns/parameter/required

@@ -1 +0,0 @@
-ip

cdist/core/explorer.py

@@ -167,7 +167,8 @@ class Explorer(object):
     def run_global_explorer(self, explorer):
         """Run the given global explorer and return it's output."""
         script = os.path.join(self.remote.global_explorer_path, explorer)
-        return self.remote.run_script(script, env=self.env, return_output=True)
+        return self.remote.run_script(script, env=self.env, return_output=True,
+                                      warn_return_output=False)
 
     # type
 
@@ -229,7 +230,8 @@ class Explorer(object):
         })
         script = os.path.join(self.remote.type_path, cdist_type.explorer_path,
                               explorer)
-        return self.remote.run_script(script, env=env, return_output=True)
+        return self.remote.run_script(script, env=env, return_output=True,
+                                      warn_return_output=False)
 
     def transfer_type_explorers(self, cdist_type):
         """Transfer the type explorers for the given type to the

cdist/exec/remote.py

@@ -219,7 +219,7 @@ class Remote(object):
         self._run_command(command)
 
     def run_script(self, script, env=None, return_output=False, stdout=None,
-                   stderr=None):
+                   stderr=None, warn_return_output=True):
         """Run the given script with the given environment on the remote side.
         Return the output as a string.
 
@@ -232,10 +232,11 @@ class Remote(object):
         command.append(script)
 
         return self.run(command, env=env, return_output=return_output,
-                        stdout=stdout, stderr=stderr)
+                        stdout=stdout, stderr=stderr,
+                        warn_return_output=warn_return_output)
 
     def run(self, command, env=None, return_output=False, stdout=None,
-            stderr=None):
+            stderr=None, warn_return_output=True):
         """Run the given command with the given environment on the remote side.
         Return the output as a string.
 
@@ -269,10 +270,11 @@ class Remote(object):
         else:
             cmd.extend(command)
         return self._run_command(cmd, env=env, return_output=return_output,
-                                 stdout=stdout, stderr=stderr)
+                                 stdout=stdout, stderr=stderr,
+                                 warn_return_output=warn_return_output)
 
     def _run_command(self, command, env=None, return_output=False, stdout=None,
-                     stderr=None):
+                     stderr=None, warn_return_output=True):
         """Run the given command with the given environment.
         Return the output as a string.
 
@@ -280,7 +282,8 @@ class Remote(object):
         assert isinstance(command, (list, tuple)), (
                 "list or tuple argument expected, got: %s" % command)
 
-        if return_output and stdout is not subprocess.PIPE:
+        warn_return_output_applies = warn_return_output and return_output
+        if warn_return_output_applies and stdout is not subprocess.PIPE:
             self.log.debug("return_output is True, ignoring stdout")
 
         close_stdout = False

configuration/cdist.cfg.skeleton

@@ -19,6 +19,9 @@
 #     such as ':' for POSIX or ';' for Windows.
 #     If also specified at command line then values from command line are
 #     appended to this value.
+#     Notice that this works in a "last one wins" fashion, so if a type is redefined
+#     in multiple conf_dirs, the last one in which it is defined will be used.
+#     Consider using a unique prefix for your own roles if this can be an issue.
 # conf_dir = <dir1>:<dir2>
 #
 # init_manifest

docs/changelog

@@ -10,6 +10,8 @@ next:
 	* New type: __pf_apply_anchor (Kamila Součková, Evil Ham)
 	* Type __pf_ruleset: Refactor (Kamila Součková, Evil Ham)
 	* Type __pf_apply: Deprecate type (Kamila Součková, Evil Ham)
+	* Configuration: Add notes to cdist.cfg.skeleton (Evil Ham)
+	* Explorers cpu_cores, memory: Improve *BSD support (Evil Ham)
 
 6.5.4: 2020-04-11
 	* Explorer init: Do not grep on non-existent init (Steven Armstrong)