Remove even the empty manifest

Makefile

@@ -35,9 +35,9 @@ DOCS_SRC_DIR=./docs/src
 SPEECHDIR=./docs/speeches
 TYPEDIR=./cdist/conf/type
 
-SPHINXM=$(MAKE) -C $(DOCS_SRC_DIR) man
-SPHINXH=$(MAKE) -C $(DOCS_SRC_DIR) html
-SPHINXC=$(MAKE) -C $(DOCS_SRC_DIR) clean
+SPHINXM=make -C $(DOCS_SRC_DIR) man
+SPHINXH=make -C $(DOCS_SRC_DIR) html
+SPHINXC=make -C $(DOCS_SRC_DIR) clean
 
 ################################################################################
 # Manpages

README.md

@@ -24,8 +24,8 @@ For community-maintained types there is
 
 ## Participating
 
-IRC: ``#cdist`` @ [libera](https://libera.chat)
+IRC: ``#cdist`` @ freenode
 
 Matrix: ``#cdist:ungleich.ch``
 
-Matrix and IRC are bridged.
+Mattermost: https://chat.ungleich.ch/ungleich/channels/cdist

bin/cdist

@@ -72,11 +72,9 @@ def commandline():
 
 
 if __name__ == "__main__":
-    if sys.version_info[:3] < cdist.MIN_SUPPORTED_PYTHON_VERSION:
-        print(
-            'Python >= {} is required on the source host.'.format(
-                ".".join(map(str, cdist.MIN_SUPPORTED_PYTHON_VERSION))),
-            file=sys.stderr)
+    if sys.version < cdist.MIN_SUPPORTED_PYTHON_VERSION:
+        print('Python >= {} is required on the source host.'.format(
+                cdist.MIN_SUPPORTED_PYTHON_VERSIO), file=sys.stderr)
         sys.exit(1)
 
     exit_code = 0

bin/cdist-build-helper

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# 2011-2022 Nico Schottelius (nico-cdist at schottelius.org)
+# 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
 # 2016-2019 Darko Poljak (darko.poljak at gmail.com)
 #
 # This file is part of cdist.

cdist/__init__.py

@@ -64,7 +64,7 @@ REMOTE_EXEC = "ssh -o User=root"
 REMOTE_CMDS_CLEANUP_PATTERN = "ssh -o User=root -O exit -S {}"
 
 
-MIN_SUPPORTED_PYTHON_VERSION = (3, 5)
+MIN_SUPPORTED_PYTHON_VERSION = '3.5'
 
 
 class Error(Exception):

cdist/argparse.py

@@ -485,31 +485,19 @@ def get_parsers():
     parser['scan'].add_argument(
         '-m', '--mode', help='Which modes should run',
         action='append', default=[],
-        choices=['scan', 'trigger', 'config'])
-    parser['scan'].add_argument(
-        '--list',
-        action='store_true',
-        help='List the known hosts and exit')
+        choices=['scan', 'trigger'])
     parser['scan'].add_argument(
         '--config',
         action='store_true',
         help='Try to configure detected hosts')
     parser['scan'].add_argument(
-        '-I', '--interface',
-        action='append',  default=[], required=True,
+        '-I', '--interfaces',
+        action='append',  default=[],
         help='On which interfaces to scan/trigger')
     parser['scan'].add_argument(
-        '--name-mapper',
-        action='store',  default=None,
-        help='Map addresses to names, required for config mode')
-    parser['scan'].add_argument(
-        '-d', '--config-delay',
-        action='store',  default=3600, type=int,
-        help='How long (seconds) to wait before reconfiguring after last try')
-    parser['scan'].add_argument(
-        '-t', '--trigger-delay',
-        action='store',  default=5, type=int,
-        help='How long (seconds) to wait between ICMPv6 echo requests')
+        '-d', '--delay',
+        action='store',  default=3600,
+        help='How long to wait before reconfiguring after last try')
     parser['scan'].set_defaults(func=cdist.scan.commandline.commandline)
 
     for p in parser:
@@ -545,10 +533,10 @@ def parse_and_configure(argv, singleton=True):
 
     log = logging.getLogger("cdist")
 
-    log.verbose("version %s", cdist.VERSION)
-    log.trace('command line args: %s', cfg.command_line_args)
-    log.trace('configuration: %s', cfg.get_config())
-    log.trace('configured args: %s', args)
+    log.verbose("version %s" % cdist.VERSION)
+    log.trace('command line args: {}'.format(cfg.command_line_args))
+    log.trace('configuration: {}'.format(cfg.get_config()))
+    log.trace('configured args: {}'.format(args))
 
     check_beta(vars(args))
 

cdist/conf/explorer/lsb_codename

@@ -21,9 +21,6 @@
 
 set +e
 case "$("$__explorer/os")" in
-   checkpoint)
-       awk '{printf("%s\n", $(NF-1))}' /etc/cp-release
-   ;;
    openwrt)
       # shellcheck disable=SC1091
       (. /etc/openwrt_release && echo "$DISTRIB_CODENAME")

cdist/conf/explorer/lsb_description

@@ -21,9 +21,6 @@
 
 set +e
 case "$("$__explorer/os")" in
-   checkpoint)
-       cat /etc/cp-release
-   ;;
    openwrt)
       # shellcheck disable=SC1091
       (. /etc/openwrt_release && echo "$DISTRIB_DESCRIPTION")

cdist/conf/explorer/lsb_id

@@ -21,9 +21,6 @@
 
 set +e
 case "$("$__explorer/os")" in
-   checkpoint)
-       echo "CheckPoint"
-   ;;
    openwrt)
       # shellcheck disable=SC1091
       (. /etc/openwrt_release && echo "$DISTRIB_ID")

cdist/conf/explorer/lsb_release

@@ -21,9 +21,6 @@
 
 set +e
 case "$("$__explorer/os")" in
-   checkpoint)
-       sed /etc/cp-release -e 's/.* R\([1-9][0-9]*\)\.[0-9]*$/\1/'
-   ;;
    openwrt)
       # shellcheck disable=SC1091
       (. /etc/openwrt_release && echo "$DISTRIB_RELEASE")

cdist/conf/explorer/memory

@@ -1,9 +1,8 @@
-#!/bin/sh -e
+#!/bin/sh
 #
 # 2014 Daniel Heule  (hda at sfs.biz)
 # 2014 Thomas Oettli (otho at sfs.biz)
 # Copyright 2017, Philippe Gregoire <pg@pgregoire.xyz>
-# 2020 Dennis Camera <dennis.camera at ssrq-sds-fds.ch>
 #
 # This file is part of cdist.
 #
@@ -20,73 +19,24 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
-# Returns the amount of memory physically installed in the system, or if that
-# cannot be determined the amount available to the operating system kernel,
-# in kibibytes (kiB).
+#
 
-str2bytes() {
-	awk -F' ' '
-	$2 ==   "B" || !$2 { print $1 }
-	$2 ==  "kB" { printf "%.f\n", ($1 * 1000) }
-	$2 ==  "MB" { printf "%.f\n", ($1 * 1000 * 1000) }
-	$2 ==  "GB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000) }
-	$2 ==  "TB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000 * 1000) }
-	$2 == "kiB" { printf "%.f\n", ($1 * 1024) }
-	$2 == "MiB" { printf "%.f\n", ($1 * 1024 * 1024) }
-	$2 == "GiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024) }
-	$2 == "TiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024 * 1024) }'
-}
+# FIXME: other system types (not linux ...)
 
-bytes2kib() {
-	awk '$0 > 0 { printf "%.f\n", ($0 / 1024) }'
-}
+os=$("$__explorer/os")
+case "$os" in
+    "macosx")
+        echo "$(sysctl -n hw.memsize)/1024" | bc
+    ;;
 
+    *"bsd")
+        PATH=$(getconf PATH)
+        echo "$(sysctl -n hw.physmem) / 1048576" | bc
+    ;;
 
-case $(uname -s)
-in
-	(Darwin)
-		sysctl -n hw.memsize | bytes2kib
-		;;
-	(FreeBSD)
-		sysctl -n hw.realmem | bytes2kib
-		;;
-	(NetBSD|OpenBSD)
-		# NOTE: This reports "usable" memory, not physically installed memory.
-		command -p sysctl -n hw.physmem | bytes2kib
-		;;
-	(SunOS)
-		# Make sure that awk from xpg4 is used for the scripts to work
-		export PATH="/usr/xpg4/bin:${PATH}"
-		prtconf \
-		| awk -F ': ' '
-		  $1 == "Memory size" { sub(/Megabytes/, "MiB", $2); print $2 }
-		  /^$/ { exit }' \
-		| str2bytes \
-		| bytes2kib
-		;;
-	(Linux)
-		if test -d /sys/devices/system/memory
-		then
-			# Use memory blocks if the architecture (e.g. x86, PPC64, s390)
-			# supports them (they denote physical memory)
-			num_mem_blocks=$(cat /sys/devices/system/memory/memory[0-9]*/state | grep -cxF online)
-			mem_block_size=$(cat /sys/devices/system/memory/block_size_bytes)
-
-			echo $((num_mem_blocks * 0x$mem_block_size)) | bytes2kib && exit
-		fi
-		if test -r /proc/meminfo
-		then
-			# Fall back to meminfo file on other architectures (e.g. ARM, MIPS,
-			# PowerPC)
-			# NOTE: This is "usable" memory, not physically installed memory.
-			awk -F ': +' '$1 == "MemTotal" { sub(/B$/, "iB", $2); print $2 }' /proc/meminfo \
-			| str2bytes \
-			| bytes2kib
-		fi
-		;;
-	(*)
-		printf "Your kernel (%s) is currently not supported by the memory explorer\n" "$(uname -s)" >&2
-		printf "Please contribute an implementation for it if you can.\n" >&2
-		exit 1
-		;;
+    *)
+    if [ -r /proc/meminfo ]; then
+        grep "MemTotal:" /proc/meminfo | awk '{print $2}'
+    fi
+    ;;
 esac

cdist/conf/explorer/os

@@ -116,13 +116,6 @@ if [ -f /etc/slackware-version ]; then
    exit 0
 fi
 
-# Appliances
-
-if grep -q '^Check Point Gaia' /etc/cp-release 2>/dev/null; then
-    echo checkpoint
-    exit 0
-fi
-
 uname_s="$(uname -s)"
 
 # Assume there is no tr on the client -> do lower case ourselves

cdist/conf/explorer/os_release

@@ -34,9 +34,5 @@ elif test -f /var/run/os-release
 then
 	# FreeBSD (created by os-release service)
 	cat /var/run/os-release
-elif test -f /etc/cp-release
-then
-        # Checkpoint firewall or management (actually linux based)
-        cat /etc/cp-release
 fi
 

cdist/conf/explorer/os_version

@@ -1,7 +1,6 @@
-#!/bin/sh -e
+#!/bin/sh
 #
 # 2010-2011 Nico Schottelius (nico-cdist at schottelius.org)
-# 2020-2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@@ -18,22 +17,12 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
+#
 # All os variables are lower case
 #
+#
 
-rc_getvar() {
-   awk -F= -v varname="$2" '
-      function unquote(s) {
-         if (s ~ /^".*"$/ || s ~ /^'\''.*'\''$/)
-            return substr(s, 2, length(s) - 2)
-         else
-            return s
-      }
-      $1 == varname { print unquote(substr($0, index($0, "=") + 1)) }' "$1"
-}
-
-case $("${__explorer:?}/os")
-in
+case "$("$__explorer/os")" in
    amazon)
       cat /etc/system-release
    ;;
@@ -41,9 +30,6 @@ in
       # empty, but well...
       cat /etc/arch-release
    ;;
-   checkpoint)
-       awk '{version=$NF; printf("%s\n", substr(version, 2))}' /etc/cp-release
-    ;;
    debian)
       debian_version=$(cat /etc/debian_version)
       case $debian_version
@@ -57,8 +43,6 @@ in
               # sid versions don't have a number, so we decode by codename:
               case $(expr "$debian_version" : '\([a-z]\{1,\}\)/')
               in
-                  trixie) echo 12.99 ;;
-                  bookworm) echo 11.99 ;;
                   bullseye) echo 10.99 ;;
                   buster) echo 9.99 ;;
                   stretch) echo 8.99 ;;
@@ -66,7 +50,7 @@ in
                   wheezy) echo 6.99 ;;
                   squeeze) echo 5.99 ;;
                   lenny) echo 4.99 ;;
-                  *) echo 99.99 ;;
+                  *) exit 1
               esac
               ;;
           *)
@@ -75,23 +59,7 @@ in
       esac
    ;;
    devuan)
-      devuan_version=$(cat /etc/devuan_version)
-      case ${devuan_version}
-      in
-         (*/ceres)
-            # ceres versions don't have a number, so we decode by codename:
-            case ${devuan_version}
-            in
-               (chimaera/ceres) echo 3.99 ;;
-               (beowulf/ceres) echo 2.99 ;;
-               (ascii/ceres) echo 1.99 ;;
-               (*) exit 1
-            esac
-            ;;
-         (*)
-            echo "${devuan_version}"
-            ;;
-      esac
+      cat /etc/devuan_version
    ;;
    fedora)
       cat /etc/fedora-release
@@ -100,20 +68,12 @@ in
       cat /etc/gentoo-release
    ;;
    macosx)
-      # NOTE: Legacy versions (< 10.3) do not support options
-      sw_vers | awk -F ':[ \t]+' '$1 == "ProductVersion" { print $2 }'
+      sw_vers -productVersion
    ;;
    freebsd)
       # Apparently uname -r is not a reliable way to get the patch level.
       # See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
-      if command -v freebsd-version >/dev/null 2>&1
-      then
-         # get userland version
-         freebsd-version -u
-      else
-         # fallback to kernel release for FreeBSD < 10.0
-         uname -r
-      fi
+      freebsd-version
    ;;
    *bsd|solaris)
       uname -r
@@ -138,20 +98,7 @@ in
       fi
    ;;
    ubuntu)
-      if command -v lsb_release >/dev/null 2>&1
-      then
-         lsb_release -sr
-      elif test -r /usr/lib/os-release
-      then
-         # fallback to /usr/lib/os-release if lsb_release is not present (like
-         # on minimized Ubuntu installations)
-         rc_getvar /usr/lib/os-release VERSION_ID
-      elif test -r /etc/lsb-release
-      then
-         # extract DISTRIB_RELEASE= variable from /etc/lsb-release on old
-         # versions without /usr/lib/os-release.
-         rc_getvar /etc/lsb-release DISTRIB_RELEASE
-      fi
+      lsb_release -sr
    ;;
    alpine)
        cat /etc/alpine-release

cdist/conf/type/__apt_backports/manifest

@@ -28,7 +28,6 @@
 #  lsb_release may not be given in all installations
 codename_os_release() {
     # shellcheck disable=SC1090
-    # shellcheck disable=SC1091
     . "$__global/explorer/os_release"
     printf "%s" "$VERSION_CODENAME"
 }

cdist/conf/type/__apt_key/explorer/state

@@ -27,25 +27,18 @@ else
    keyid="$__object_id"
 fi
 
-# From apt-key(8):
-#   Use of apt-key is deprecated, except for the use of apt-key del in
-#   maintainer scripts to remove existing keys from the main keyring.
-#   If such usage of apt-key is desired the additional installation of
-#   the GNU Privacy Guard suite (packaged in gnupg) is required.
-if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
-   if apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK"
-      then echo present
-      else echo absent
-   fi
-   exit
-fi
-
 keydir="$(cat "$__object/parameter/keydir")"
 keyfile="$keydir/$__object_id.gpg"
 
-if [ -f "$keyfile" ]
+if [ -d "$keydir" ]
 then
-   echo present
-   exit
+   if [ -f "$keyfile" ]
+   then echo present
+   else echo absent
+   fi
+else
+   # fallback to deprecated apt-key
+   apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
+      && echo present \
+      || echo absent
 fi
-echo absent

cdist/conf/type/__apt_key/gencode-remote

@@ -25,7 +25,11 @@ else
 fi
 state_should="$(cat "$__object/parameter/state")"
 state_is="$(cat "$__object/explorer/state")"
-method="$(cat "$__object/key_method")"
+
+if [ "$state_should" = "$state_is" ]; then
+   # nothing to do
+   exit 0
+fi
 
 keydir="$(cat "$__object/parameter/keydir")"
 keyfile="$keydir/$__object_id.gpg"
@@ -33,18 +37,30 @@ keyfile="$keydir/$__object_id.gpg"
 case "$state_should" in
    present)
       keyserver="$(cat "$__object/parameter/keyserver")"
-      # Using __download or __file as key source
-      # Propagate messages if needed
-      if [ "${method}" = "uri" ] || [ "${method}" = "source" ]; then
-         if grep -Eq "^__(file|download)$keyfile" "$__messages_in"; then
-            echo "added '$keyid'" >> "$__messages_out"
+
+      if [ -f "$__object/parameter/uri" ]; then
+         uri="$(cat "$__object/parameter/uri")"
+
+         if [ -d "$keydir" ]; then
+            cat << EOF
+
+curl -s -L \\
+    -o "$keyfile" \\
+    "$uri"
+
+key="\$( cat "$keyfile" )"
+
+if echo "\$key" | grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK'
+then
+    echo "\$key" | gpg --dearmor > "$keyfile"
+fi
+
+EOF
+         else
+            # fallback to deprecated apt-key
+            echo "curl -s -L '$uri' | apt-key add -"
          fi
-         exit 0
-      elif [ "${state_is}" = "present" ]; then
-         exit 0
-      fi
-      # Using key servers to fetch the key
-      if [ ! -f "$__object/parameter/use-deprecated-apt-key" ]; then
+      elif [ -d "$keydir" ]; then
          # we need to kill gpg after 30 seconds, because gpg
          # can get stuck if keyserver is not responding.
          # exporting env var and not exit 1,
@@ -84,16 +100,13 @@ EOF
       echo "added '$keyid'" >> "$__messages_out"
    ;;
    absent)
-      # Removal for keys added from a keyserver without this flag
-      # is done in the manifest
-      if [ "$state_is" != "absent" ] && \
-            [ -f "$__object/parameter/use-deprecated-apt-key" ]; then
+      if [ -f "$keyfile" ]; then
+         echo "rm '$keyfile'"
+      else
          # fallback to deprecated apt-key
          echo "apt-key del \"$keyid\""
-         echo "removed '$keyid'" >> "$__messages_out"
-      # Propagate messages if needed
-      elif grep -Eq "^__file$keyfile" "$__messages_in"; then
-         echo "removed '$keyid'" >> "$__messages_out"
       fi
+
+      echo "removed '$keyid'" >> "$__messages_out"
    ;;
 esac

cdist/conf/type/__apt_key/man.rst

@@ -10,14 +10,6 @@ DESCRIPTION
 -----------
 Manages the list of keys used by apt to authenticate packages.
 
-This is done by placing the requested key in a file named
-``$__object_id.gpg`` in the ``keydir`` directory.
-
-This is supported by modern releases of Debian-based distributions.
-
-In order of preference, exactly one of: ``source``, ``uri`` or ``keyid``
-must be specified.
-
 
 REQUIRED PARAMETERS
 -------------------
@@ -26,49 +18,21 @@ None.
 
 OPTIONAL PARAMETERS
 -------------------
-keydir
-   keyring directory, defaults to ``/etc/apt/trusted.pgp.d``, which is
-   enabled system-wide by default.
-
-source
-   path to a file containing the GPG key of the repository.
-   Using this is recommended as it ensures that the manifest/type manintainer
-   has validated the key.
-   If ``-``, the GPG key is read from the type's stdin.
-
 state
    'present' or 'absent'. Defaults to 'present'
 
-uri
-   the URI from which to download the key.
-   It is highly recommended that you only use protocols with TLS like HTTPS.
-   This uses ``__download`` but does not use checksums, if you want to ensure
-   that the key doesn't change, you are better off downloading it and using
-   ``--source``.
-
-
-DEPRECATED OPTIONAL PARAMETERS
-------------------------------
 keyid
-   the id of the key to download from the ``keyserver``.
-   This is to be used in absence of ``--source`` and ``--uri`` or together
-   with ``--use-deprecated-apt-key`` for key removal.
-   Defaults to ``$__object_id``.
+   the id of the key to add. Defaults to __object_id
 
 keyserver
-   the keyserver from which to fetch the key.
-   Defaults to ``pool.sks-keyservers.net``.
+   the keyserver from which to fetch the key. If omitted the default set
+   in ./parameter/default/keyserver is used.
 
+keydir
+   key save location, defaults to ``/etc/apt/trusted.pgp.d``
 
-DEPRECATED BOOLEAN PARAMETERS
------------------------------
-use-deprecated-apt-key
-   ``apt-key(8)`` will last be available in Debian 11 and Ubuntu 22.04.
-   You can use this parameter to force usage of ``apt-key(8)``.
-   Please only use this parameter to *remove* keys from the keyring,
-   in order to prepare for removal of ``apt-key``.
-   Adding keys should be done without this parameter.
-   This parameter will be removed when Debian 11 stops being supported.
+uri
+   the URI from which to download the key
 
 
 EXAMPLES
@@ -76,39 +40,33 @@ EXAMPLES
 
 .. code-block:: sh
 
-    # add a key that has been verified by a type maintainer
-    __apt_key jitsi_meet_2021 \
-       --source cdist-contrib/type/__jitsi_meet/files/apt_2021.gpg
+    # Add Ubuntu Archive Automatic Signing Key
+    __apt_key 437D05B5
+    # Same thing
+    __apt_key 437D05B5 --state present
+    # Get rid of it
+    __apt_key 437D05B5 --state absent
 
-    # remove an old, deprecated or expired key
-    __apt_key jitsi_meet_2016 --state absent
+    # same thing with human readable name and explicit keyid
+    __apt_key UbuntuArchiveKey --keyid 437D05B5
 
-    # Get rid of a key that might have been added to
-    # /etc/apt/trusted.gpg with apt-key
-    __apt_key 0x40976EAF437D05B5 --use-deprecated-apt-key --state absent
+    # same thing with other keyserver
+    __apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
 
-    # add a key that we define in-line
-    __apt_key jitsi_meet_2021 --source '-' <<EOF
-    -----BEGIN PGP PUBLIC KEY BLOCK-----
-    [...]
-    -----END PGP PUBLIC KEY BLOCK-----
-    EOF
-
-    # download or update key from the internet
-    __apt_key rabbitmq_2007 \
-       --uri https://www.rabbitmq.com/rabbitmq-signing-key-public.asc
+    # download key from the internet
+    __apt_key rabbitmq \
+       --uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
 
 
 AUTHORS
 -------
 Steven Armstrong <steven-cdist--@--armstrong.cc>
 Ander Punnar <ander-at-kvlt-dot-ee>
-Evilham <contact~~@~~evilham.com>
 
 
 COPYING
 -------
-Copyright \(C) 2011-2021 Steven Armstrong, Ander Punnar and Evilham. You can
+Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
 redistribute it and/or modify it under the terms of the GNU General Public
 License as published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.

cdist/conf/type/__apt_key/manifest

@@ -2,105 +2,7 @@
 
 __package gnupg
 
-state_should="$(cat "${__object}/parameter/state")"
-
-incompatible_args()
-{
-	cat >> /dev/stderr <<-EOF
-	This type does not support --${1} and --${method} simultaneously.
-	EOF
-	exit 1
-}
-
-if [ -f "${__object}/parameter/source" ]; then
-	method="source"
-	src="$(cat "${__object}/parameter/source")"
-	if [ "${src}" = "-" ]; then
-		src="${__object}/stdin"
-	fi
-fi
-if [ -f "${__object}/parameter/uri" ]; then
-	if [ -n "${method}" ]; then
-		incompatible_args uri
-	fi
-	method="uri"
-	src="$(cat "${__object}/parameter/uri")"
-fi
-if [ -f "${__object}/parameter/keyid" ]; then
-	if [ -n "${method}" ]; then
-		incompatible_args keyid
-	fi
-	method="keyid"
-fi
-# Keep old default
-if [ -z "${method}" ]; then
-	method="keyid"
-fi
-# Save this for later in gencode-remote
-echo "${method}" > "${__object}/key_method"
-
-# Required remotely (most likely already installed)
-__package dirmngr
-# We need this in case a key has to be dearmor'd
-__package gnupg
-export require="__package/gnupg"
-
-if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
-	# This is required if apt-key(8) is to be used
-	if [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
-		incompatible_args use-deprecated-apt-key
-	fi
-else
-	if [ "${state_should}" = "absent" ] && \
-			[ -f "${__object}/parameter/keyid" ]; then
-		cat >> /dev/stderr <<EOF
-You can't reliably remove by keyid without --use-deprecated-apt-key.
-This would very likely do something you do not intend.
-EOF
-		exit 1
-	fi
-fi
-
-keydir="$(cat "${__object}/parameter/keydir")"
-keyfile="${keydir}/${__object_id}.gpg"
-keyfilecdist="${keyfile}.cdist"
-if [ "${state_should}" != "absent" ]; then
-	# Ensure keydir exists
-	__directory "${keydir}" --state exists --mode 0755
-fi
-
-if [ "${state_should}" = "absent" ]; then
-	__file "${keyfile}" --state "absent"
-	__file "${keyfilecdist}" --state "absent"
-elif [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
-	dearmor="$(cat <<-EOF
-	if [ '${state_should}' = 'present' ]; then
-		# Dearmor if necessary
-		if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' '${keyfilecdist}'; then
-			gpg --dearmor < '${keyfilecdist}' > '${keyfile}'
-		else
-			cp '${keyfilecdist}' '${keyfile}'
-		fi
-		# Ensure permissions
-		chown root '${keyfile}'
-		chmod 0444 '${keyfile}'
-	fi
-	EOF
-	)"
-
-	if [ "${method}" = "uri" ]; then
-		__download "${keyfilecdist}" \
-			--url "${src}" \
-			--onchange "${dearmor}"
-		require="__download${keyfilecdist}" \
-			__file "${keyfile}" \
-				--owner root \
-				--mode 0444 \
-				--state pre-exists
-	else
-		__file "${keyfilecdist}" --state "${state_should}" \
-			--mode 0444 \
-			--source "${src}" \
-			--onchange "${dearmor}"
-	fi
+if [ -f "$__object/parameter/uri" ]
+then __package curl
+else __package dirmngr
 fi

cdist/conf/type/__apt_key/parameter/boolean

@@ -1 +0,0 @@
-use-deprecated-apt-key

cdist/conf/type/__apt_key/parameter/deprecated/use-deprecated-apt-key

@@ -1,3 +0,0 @@
-apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
-Use this flag *only* to migrate to placing a keyring directly in the
-/etc/apt/trusted.gpg.d/ directory with a descriptive name.

cdist/conf/type/__apt_key/parameter/optional

@@ -1,6 +1,5 @@
-keydir
+state
 keyid
 keyserver
-source
-state
+keydir
 uri

cdist/conf/type/__apt_key_uri/deprecated

@@ -1 +0,0 @@
-Please migrate to using __apt_key key_id --uri URI.

cdist/conf/type/__apt_pin/man.rst

@@ -1,79 +0,0 @@
-cdist-type__apt_pin(7)
-======================
-
-NAME
-----
-cdist-type__apt_pin - Manage apt pinning rules
-
-
-DESCRIPTION
------------
-Adds/removes/edits rules to pin some packages to a specific distribution. Useful if using multiple debian repositories at the same time. (Useful, if one wants to use a few specific packages from backports or perhaps Debain testing... or even sid.)
-
-
-REQUIRED PARAMETERS
--------------------
-distribution
-   Specifies what distribution the package should be pinned to. Accepts both codenames (buster/bullseye/sid) and suite names (stable/testing/...).
-
-
-OPTIONAL PARAMETERS
--------------------
-package
-   Package name, glob or regular expression to match (multiple) packages. If not specified `__object_id` is used.
-
-priority
-   The priority value to assign to matching packages. Deafults to 500. (To match the default target distro's priority)
-
-state
-   Will be passed to underlying `__file` type; see there for valid values and defaults.
-
-
-
-BOOLEAN PARAMETERS
-------------------
-None.
-
-
-EXAMPLES
---------
-
-.. code-block:: sh
-
-   # Add the bullseye repo to buster, but do not install any packages by default,
-   # only if explicitely asked for (-1 means "never" for apt)
-    __apt_pin bullseye-default \
-       --package "*" \
-       --distribution bullseye \
-       --priority -1
-
-    require="__apt_pin/bullseye-default" __apt_source bullseye \
-       --uri http://deb.debian.org/debian/ \
-       --distribution bullseye \
-       --component main
-
-    __apt_pin foo --package "foo foo-*" --distribution bullseye
-
-    __foo # Assuming, this installs the `foo` package internally
-
-    __package foo-plugin-extras # Assuming we also need some extra stuff
-
-
-SEE ALSO
---------
-:strong:`apt_preferences`\ (5)
-:strong:`cdist-type__apt_source`\ (7)
-:strong:`cdist-type__apt_backports`\ (7)
-:strong:`cdist-type__file`\ (7)
-
-AUTHORS
--------
-Daniel Fancsali <fancsali@gmail.com>
-
-
-COPYING
--------
-Copyright \(C) 2021 Daniel Fancsali. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.

cdist/conf/type/__apt_pin/manifest

@@ -1,68 +0,0 @@
-#!/bin/sh -e
-#
-# 2021 Daniel Fancsali (fancsali@gmail.com)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-
-name="$__object_id"
-
-os=$(cat "$__global/explorer/os")
-state="$(cat "$__object/parameter/state")"
-
-if [ -f "$__object/parameter/package" ]; then
-    package="$(cat "$__object/parameter/package")"
-else
-    package=$name
-fi
-
-distribution="$(cat "$__object/parameter/distribution")"
-priority="$(cat "$__object/parameter/priority")"
-
-
-case "$os" in
-   debian|ubuntu|devuan)
-   ;;
-   *)
-      printf "This type is specific to Debian and it's derivatives" >&2
-      exit 1
-   ;;
-esac
-
-case $distribution in
-    stable|testing|unstable|experimental)
-        pin="release a=$distribution"
-        ;;
-    *)
-        pin="release n=$distribution"
-        ;;
-esac
-
-
-__file "/etc/apt/preferences.d/$name" \
-    --owner root --group root --mode 0644 \
-    --state "$state" \
-    --source - << EOF
-# Created by cdist ${__type##*/}
-# Do not change. Changes will be overwritten.
-#
-
-# $name
-Package: $package
-Pin: $pin
-Pin-Priority: $priority
-EOF

cdist/conf/type/__apt_pin/parameter/default/priority

@@ -1 +0,0 @@
-500

cdist/conf/type/__apt_pin/parameter/default/state

@@ -1 +0,0 @@
-present

cdist/conf/type/__apt_pin/parameter/optional

@@ -1,3 +0,0 @@
-state
-package
-priority

cdist/conf/type/__apt_pin/parameter/required

@@ -1 +0,0 @@
-distribution

cdist/conf/type/__apt_ppa/files/remove-apt-repository

@@ -0,0 +1,55 @@
+#!/usr/bin/env python
+#
+# Remove the given apt repository.
+#
+# Exit with:
+#   0: if it worked
+#   1: if not
+#   2: on other error
+
+import os
+import sys
+from aptsources import distro, sourceslist
+from softwareproperties import ppa
+from softwareproperties.SoftwareProperties import SoftwareProperties
+
+
+def remove_if_empty(file_name):
+    with open(file_name, 'r') as f:
+        if f.read().strip():
+            return
+        os.unlink(file_name)
+
+def remove_repository(repository):
+    #print 'repository:', repository
+    codename = distro.get_distro().codename
+    #print 'codename:', codename
+    (line, file) = ppa.expand_ppa_line(repository.strip(), codename)
+    #print 'line:', line
+    #print 'file:', file
+    deb_source_entry = sourceslist.SourceEntry(line, file)
+    src_source_entry = sourceslist.SourceEntry('deb-src{}'.format(line[3:]), file)
+
+    try:
+        sp = SoftwareProperties()
+        sp.remove_source(deb_source_entry)
+        try:
+            # If there's a deb-src entry, remove that too
+            sp.remove_source(src_source_entry)
+        except:
+            pass
+        remove_if_empty(file)
+        return True
+    except ValueError:
+        print >> sys.stderr, "Error: '%s' doesn't exists in a sourcelist file" % line
+        return False
+
+if __name__ == '__main__':
+    if (len(sys.argv) != 2):
+        print >> sys.stderr, 'Error: need a repository as argument'
+        sys.exit(2)
+    repository = sys.argv[1]
+    if remove_repository(repository):
+        sys.exit(0)
+    else:
+        sys.exit(1)

cdist/conf/type/__apt_ppa/gencode-remote

@@ -29,9 +29,9 @@ fi
 
 case "$state_should" in
    present)
-      echo "add-apt-repository -y '$name'"
+      echo "add-apt-repository '$name'"
    ;;
    absent)
-      echo "add-apt-repository -r -y '$name'"
+      echo "remove-apt-repository '$name'"
    ;;
 esac

cdist/conf/type/__apt_ppa/manifest

@@ -20,4 +20,9 @@
 
 __package software-properties-common
 
+require="__package/software-properties-common" \
+   __file /usr/local/bin/remove-apt-repository \
+   --source "$__type/files/remove-apt-repository" \
+   --mode 0755
+
 require="$__object_name" __apt_update_index

cdist/conf/type/__apt_source/files/source.list.template

@@ -2,14 +2,13 @@
 set -u
 
 entry="$uri $distribution $component"
-
 cat << DONE
 # Created by cdist ${__type##*/}
 # Do not change. Changes will be overwritten.
 #
 
 # $name
-deb ${options} $entry
+deb ${forcedarch} $entry
 DONE
 if [ -f "$__object/parameter/include-src" ]; then
    echo "deb-src $entry"

cdist/conf/type/__apt_source/gencode-remote

@@ -22,21 +22,7 @@
 name="$__object_id"
 destination="/etc/apt/sources.list.d/${name}.list"
 
-# There are special arguments to apt(8) to prevent aborts if apt woudn't been
-# updated after the 19th April 2021 till the bullseye release. The additional
-# arguments acknoledge the happend suite change (the apt(8) update does the
-# same by itself).
-#
-# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
-# allows backward compatablility to pre-buster Debian versions.
-#
-# See more: ticket #861
-# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
-apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
-
-# run 'apt-get update' only if something changed with our sources.list file
-#   it will be run a second time on error as a redundancy messure to success
 if grep -q "^__file${destination}" "$__messages_in"; then
-   printf 'apt-get %s update || apt-get %s update\n' "$apt_opts" "$apt_opts"
+   printf 'apt-get update || apt-get update\n'
 fi
 

cdist/conf/type/__apt_source/man.rst

@@ -23,9 +23,6 @@ OPTIONAL PARAMETERS
 arch
    set this if you need to force and specific arch (ubuntu specific)
 
-signed-by
-   provide a GPG key fingerprint or keyring path for signature checks
-
 state
    'present' or 'absent', defaults to 'present'
 
@@ -59,11 +56,6 @@ EXAMPLES
        --uri http://archive.canonical.com/ \
        --component partner --state present
 
-    __apt_source goaccess \
-       --uri http://deb.goaccess.io/ \
-       --component main \
-       --signed-by C03B48887D5E56B046715D3297BD1A0133449C3D
-
 
 AUTHORS
 -------

cdist/conf/type/__apt_source/manifest

@@ -31,15 +31,9 @@ fi
 component="$(cat "$__object/parameter/component")"
 
 if [ -f "$__object/parameter/arch" ]; then
-   options="arch=$(cat "$__object/parameter/arch")"
-fi
-
-if [ -f "$__object/parameter/signed-by" ]; then
-   options="$options signed-by=$(cat "$__object/parameter/signed-by")"
-fi
-
-if [ "$options" ]; then
-    options="[$options]"
+   forcedarch="[arch=$(cat "$__object/parameter/arch")]"
+else
+   forcedarch=""
 fi
 
 # export variables for use in template
@@ -47,7 +41,7 @@ export name
 export uri
 export distribution
 export component
-export options
+export forcedarch
 
 # generate file from template
 mkdir "$__object/files"

cdist/conf/type/__apt_source/parameter/optional

@@ -1,5 +1,4 @@
 state
 distribution
 component
-arch
-signed-by
+arch

cdist/conf/type/__apt_update_index/gencode-remote

@@ -18,23 +18,9 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-
-# There are special arguments to apt(8) to prevent aborts if apt woudn't been
-# updated after the 19th April 2021 till the bullseye release. The additional
-# arguments acknoledge the happend suite change (the apt(8) update does the
-# same by itself).
-#
-# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
-# allows backward compatablility to pre-buster Debian versions.
-#
-# See more: ticket #861
-# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
-apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
-
 # run 'apt-get update' if anything in /etc/apt is newer then /var/lib/apt/lists
-#   it will be run a second time on error as a redundancy messure to success
 cat << DONE
 if find /etc/apt -mindepth 1 -cnewer /var/lib/apt/lists | grep . > /dev/null; then
-   apt-get $apt_opts update || apt-get $apt_opts update
+   apt-get update || apt-get update
 fi
 DONE

cdist/conf/type/__debconf_set_selections/explorer/state

@@ -1,142 +0,0 @@
-#!/bin/sh -e
-#
-# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-# Determine current debconf selections' state.
-# Prints one of:
-#   present: all selections are already set as they should.
-#   different: one or more of the selections have a different value.
-#   absent: one or more of the selections are not (currently) defined.
-#
-
-test -x /usr/bin/perl || {
-	# cannot find perl (no perl ~ no debconf)
-	echo 'absent'
-	exit 0
-}
-
-linesfile="${__object:?}/parameter/line"
-test -s "${linesfile}" || {
-	if test -s "${__object:?}/parameter/file"
-	then
-		echo absent
-	else
-		echo present
-	fi
-	exit 0
-}
-
-# assert __type_explorer is set (because it is used by the Perl script)
-: "${__type_explorer:?}"
-
-/usr/bin/perl -- - "${linesfile}" <<'EOF'
-use strict;
-use warnings "all";
-
-use Fcntl qw(:DEFAULT :flock);
-
-use Debconf::Db;
-use Debconf::Question;
-
-# Extract @known... arrays from debconf-set-selections
-# These values are required to distinguish flags and values in the given lines.
-# DC: I couldn't think of a more ugly solution to the problem…
-my @knownflags;
-my @knowntypes;
-my $debconf_set_selections = '/usr/bin/debconf-set-selections';
-if (-e $debconf_set_selections) {
-	my $sed_known = 's/^my \(@known\(flags\|types\) = qw([a-z ]*);\).*$/\1/p';
-	eval `sed -n '$sed_known' '$debconf_set_selections'`;
-}
-
-sub mungeline ($) {
-	my $line = shift;
-	chomp $line;
-	$line =~ s/\r$//;
-	return $line;
-}
-
-sub fatal { printf STDERR @_; exit 1; }
-
-my $state = 'present';
-
-sub state {
-	my $new = shift;
-	if ($state eq 'present'
-	    or ($state eq 'different' and $new eq 'absent')) {
-		$state = $new;
-	}
-}
-
-
-# Load Debconf DB but manually lock on the state explorer script,
-# because Debconf aborts immediately if executed concurrently.
-# This is not really an ideal solution because the Debconf DB could be locked by
-# another process (e.g. apt-get), but no way to achieve this could be found.
-# If you know how to, please provide a patch.
-my $lockfile = "%ENV{'__type_explorer'}/state";
-if (open my $lock_fh, '+<', $lockfile) {
-   flock $lock_fh, LOCK_EX or die "Cannot lock $lockfile";
-}
-{
-	Debconf::Db->load(readonly => 'true');
-}
-
-
-while (<>) {
-	# Read and process lines (taken from debconf-set-selections)
-	$_ = mungeline($_);
-	while (/\\$/ && ! eof) {
-		s/\\$//;
-		$_ .= mungeline(<>);
-	}
-	next if /^\s*$/ || /^\s*\#/;
-
-	my ($owner, $label, $type, $content) = /^\s*(\S+)\s+(\S+)\s+(\S+)(?:\s(.*))?/
-		or fatal "invalid line: %s\n", $_;
-	$content = '' unless defined $content;
-
-
-	# Compare is and should state
-	my $q = Debconf::Question->get($label);
-
-	unless (defined $q) {
-		# probably a preseed
-		state 'absent';
-		next;
-	}
-
-	if (grep { $_ eq $q->type } @knownflags) {
-		# This line wants to set a flag, presumably.
-		if ($q->flag($q->type) ne $content) {
-			state 'different';
-		}
-	} else {
-		# Otherwise, it's probably a value…
-		if ($q->value ne $content) {
-			state 'different';
-		}
-
-		unless (grep { $_ eq $owner } (split /, /, $q->owners)) {
-			state 'different';
-		}
-	}
-}
-
-printf "%s\n", $state;
-EOF

cdist/conf/type/__debconf_set_selections/gencode-remote

@@ -1,7 +1,6 @@
 #!/bin/sh -e
 #
 # 2011-2014 Nico Schottelius (nico-cdist at schottelius.org)
-# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@@ -18,37 +17,16 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
+#
+# Setup selections
+#
 
-if test -f "${__object:?}/parameter/line"
-then
-	filename="${__object:?}/parameter/line"
-elif test -s "${__object:?}/parameter/file"
-then
-	filename=$(cat "${__object:?}/parameter/file")
-	if test "${filename}" = '-'
-	then
-		filename="${__object:?}/stdin"
-	fi
-else
-	printf 'Neither --line nor --file set.\n' >&2
-	exit 1
+filename="$(cat "$__object/parameter/file")"
+
+if [ "$filename" = "-" ]; then
+    filename="$__object/stdin"
 fi
 
-# setting no lines makes no sense
-test -s "${filename}" || exit 0
-
-state_is=$(cat "${__object:?}/explorer/state")
-
-if test "${state_is}" != 'present'
-then
-	cat <<-CODE
-	debconf-set-selections <<'EOF'
-	$(cat "${filename}")
-	EOF
-	CODE
-
-	awk '
-		{
-			printf "set %s %s %s %s\n", $1, $2, $3, $4
-		}' "${filename}" >>"${__messages_out:?}"
-fi
+echo "debconf-set-selections << __file-eof"
+cat "$filename"
+echo "__file-eof"

cdist/conf/type/__debconf_set_selections/man.rst

@@ -8,33 +8,15 @@ cdist-type__debconf_set_selections - Setup debconf selections
 
 DESCRIPTION
 -----------
-On Debian and alike systems :strong:`debconf-set-selections`\ (1) can be used
+On Debian and alike systems debconf-set-selections(1) can be used
 to setup configuration parameters.
 
 
 REQUIRED PARAMETERS
 -------------------
-cf. ``--line``.
-
-
-OPTIONAL PARAMETERS
--------------------
 file
-   Use the given filename as input for :strong:`debconf-set-selections`\ (1)
-   If filename is ``-``, read from stdin.
-
-   **This parameter is deprecated, because it doesn't work with state detection.**
-line
-   A line in :strong:`debconf-set-selections`\ (1) compatible format.
-   This parameter can be used multiple times to set multiple options.
-
-   (This parameter is actually required, but marked optional because the
-   deprecated ``--file`` is still accepted.)
-
-
-BOOLEAN PARAMETERS
-------------------
-None.
+   Use the given filename as input for debconf-set-selections(1)
+   If filename is "-", read from stdin.
 
 
 EXAMPLES
@@ -42,29 +24,30 @@ EXAMPLES
 
 .. code-block:: sh
 
-    # Setup gitolite's gituser
-    __debconf_set_selections nslcd --line 'gitolite gitolite/gituser string git'
+    # Setup configuration for nslcd
+    __debconf_set_selections nslcd --file /path/to/file
 
-    # Setup configuration for nslcd from a file.
-    # NB: Multiple lines can be passed to --line, although this can be considered a hack.
-    __debconf_set_selections nslcd --line "$(cat "${__files:?}/preseed/nslcd.debconf")"
+    # Setup configuration for nslcd from another type
+    __debconf_set_selections nslcd --file "$__type/files/preseed/nslcd"
+
+    __debconf_set_selections nslcd --file - << eof
+    gitolite gitolite/gituser string git
+    eof
 
 
 SEE ALSO
 --------
-- :strong:`cdist-type__update_alternatives`\ (7)
-- :strong:`debconf-set-selections`\ (1)
+:strong:`debconf-set-selections`\ (1), :strong:`cdist-type__update_alternatives`\ (7)
 
 
 AUTHORS
 -------
-| Nico Schottelius <nico-cdist--@--schottelius.org>
-| Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
+Nico Schottelius <nico-cdist--@--schottelius.org>
 
 
 COPYING
 -------
-Copyright \(C) 2011-2014 Nico Schottelius, 2021 Dennis Camera.
-You can redistribute it and/or modify it under the terms of the GNU General
-Public License as published by the Free Software Foundation, either version 3 of
-the License, or (at your option) any later version.
+Copyright \(C) 2011-2014 Nico Schottelius. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__debconf_set_selections/parameter/deprecated/file

@@ -1 +0,0 @@
-'file' has been deprecated in favour of 'line' in order to provide idempotency.

cdist/conf/type/__debconf_set_selections/parameter/optional_multiple

@@ -1 +0,0 @@
-line

cdist/conf/type/__dot_file/man.rst

@@ -37,12 +37,6 @@ state
 source
     forwarded to :strong:`__file` type
 
-file
-    forwarded to :strong:`__file` type
-    This can be used if multiple users need to have a dotfile updated,
-    which will result in duplicate object id errors. When using the
-    file parameter the object id can be some unique value.
-
 MESSAGES
 --------
 
@@ -67,15 +61,6 @@ EXAMPLES
     # Install default xmonad config for user 'eve'. Parent directory is created automatically.
     __dot_file .xmonad/xmonad.hs --user eve --state exists --source "$__files/xmonad.hs"
 
-    # install .vimrc for root and some users
-    for user in root userx usery userz; do
-        __dot_file "${user}_dot_vimrc" \
-            --user $user \
-            --file .vimrc \
-            --state exists \
-            --source "$__files/$user/.vimrc"
-    done
-
 SEE ALSO
 --------
 

cdist/conf/type/__dot_file/manifest

@@ -20,19 +20,13 @@ user="$(cat "${__object}/parameter/user")"
 home="$(cat "${__object}/explorer/home")"
 primary_group="$(cat "${__object}/explorer/primary_group")"
 dirmode="$(cat "${__object}/parameter/dirmode")"
-if [ -f "${__object}/parameter/file" ]; then
-    file="$(cat "${__object}/parameter/file")"
-else
-    file="${__object_id}"
-fi
-
 
 # Create parent directory. Type __directory has flag 'parents', but it
 # will leave us with root-owned directory in user home, which is not
 # acceptable. So we create parent directories one-by-one. XXX: maybe
 # it should be fixed in '__directory'?
 set --
-subpath=${file}
+subpath=${__object_id}
 while subpath="$(dirname "${subpath}")" ; do
 	[ "${subpath}" = . ] && break
 	set -- "${subpath}" "$@"
@@ -70,4 +64,4 @@ if [ "${source}" = "-" ] ; then
 fi
 unset source
 
-__file "${home}/${file}" --owner "$user" --group "$primary_group" "$@"
+__file "${home}/${__object_id}" --owner "$user" --group "$primary_group" "$@"

cdist/conf/type/__download/explorer/remote_cmd

@@ -0,0 +1,19 @@
+#!/bin/sh -e
+
+if [ -f "$__object/parameter/cmd-get" ]
+then
+    cmd="$( cat "$__object/parameter/cmd-get" )"
+
+elif command -v curl > /dev/null
+then
+    cmd="curl -L -o - '%s'"
+
+elif command -v fetch > /dev/null
+then
+    cmd="fetch -o - '%s'"
+
+else
+    cmd="wget -O - '%s'"
+fi
+
+echo "$cmd"

cdist/conf/type/__download/explorer/remote_cmd_get

@@ -1,16 +0,0 @@
-#!/bin/sh -e
-
-if [ -f "$__object/parameter/cmd-get" ]
-then
-    cat "$__object/parameter/cmd-get"
-elif
-    command -v curl > /dev/null
-then
-    echo "curl -sSL -o - '%s'"
-elif
-    command -v fetch > /dev/null
-then
-    echo "fetch -o - '%s'"
-else
-    echo "wget -O - '%s'"
-fi

cdist/conf/type/__download/explorer/remote_cmd_sum

@@ -1,82 +0,0 @@
-#!/bin/sh -e
-
-if [ ! -f "$__object/parameter/sum" ]
-then
-    exit 0
-fi
-
-if [ -f "$__object/parameter/cmd-sum" ]
-then
-    cat "$__object/parameter/cmd-sum"
-    exit 0
-fi
-
-sum_should="$( cat "$__object/parameter/sum" )"
-
-if echo "$sum_should" | grep -Fq ':'
-then
-    sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
-else
-    if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
-    then
-        sum_hash='cksum'
-    elif
-        echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
-    then
-        sum_hash='md5'
-    elif
-        echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
-    then
-        sum_hash='sha1'
-    elif
-        echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
-    then
-        sum_hash='sha256'
-    else
-        echo 'hash format detection failed' >&2
-        exit 1
-    fi
-fi
-
-os="$( "$__explorer/os" )"
-
-case "$sum_hash" in
-    cksum)
-        echo "cksum %s | awk '{print \$1\" \"\$2}'"
-    ;;
-    md5)
-        case "$os" in
-            freebsd)
-                echo "md5 -q %s"
-            ;;
-            *)
-                echo "md5sum %s | awk '{print \$1}'"
-            ;;
-        esac
-    ;;
-    sha1)
-        case "$os" in
-            freebsd)
-                echo "sha1 -q %s"
-            ;;
-            *)
-                echo "sha1sum %s | awk '{print \$1}'"
-            ;;
-        esac
-    ;;
-    sha256)
-        case "$os" in
-            freebsd)
-                echo "sha256 -q %s"
-            ;;
-            *)
-                echo "sha256sum %s | awk '{print \$1}'"
-            ;;
-        esac
-    ;;
-    *)
-        # we arrive here only if --sum is given with unknown format prefix
-        echo "unknown hash format: $sum_hash" >&2
-        exit 1
-    ;;
-esac

cdist/conf/type/__download/explorer/state

@@ -1,11 +1,6 @@
 #!/bin/sh -e
 
-if [ -f "$__object/parameter/destination" ]
-then
-    dst="$( cat "$__object/parameter/destination" )"
-else
-    dst="/$__object_id"
-fi
+dst="/$__object_id"
 
 if [ ! -f "$dst" ]
 then
@@ -13,27 +8,59 @@ then
     exit 0
 fi
 
-if [ ! -f "$__object/parameter/sum" ]
-then
-    echo 'present'
-    exit 0
-fi
-
 sum_should="$( cat "$__object/parameter/sum" )"
 
-if echo "$sum_should" | grep -Fq ':'
+if [ -f "$__object/parameter/cmd-sum" ]
 then
-    sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
+    # shellcheck disable=SC2059
+    sum_is="$( eval "$( printf \
+        "$( cat "$__object/parameter/cmd-sum" )" \
+        "$dst" )" )"
+else
+    os="$( "$__explorer/os" )"
+
+    if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
+    then
+        sum_is="$( cksum "$dst" | awk '{print $1" "$2}' )"
+
+    elif echo "$sum_should" | grep -Eiq '^md5:[a-f0-9]{32}$'
+    then
+        case "$os" in
+            freebsd)
+                sum_is="md5:$( md5 -q "$dst" )"
+            ;;
+            *)
+                sum_is="md5:$( md5sum "$dst" | awk '{print $1}' )"
+            ;;
+        esac
+
+    elif echo "$sum_should" | grep -Eiq '^sha1:[a-f0-9]{40}$'
+    then
+        case "$os" in
+            freebsd)
+                sum_is="sha1:$( sha1 -q "$dst" )"
+            ;;
+            *)
+                sum_is="sha1:$( sha1sum "$dst" | awk '{print $1}' )"
+            ;;
+        esac
+
+    elif echo "$sum_should" | grep -Eiq '^sha256:[a-f0-9]{64}$'
+    then
+        case "$os" in
+            freebsd)
+                sum_is="sha256:$( sha256 -q "$dst" )"
+            ;;
+            *)
+                sum_is="sha256:$( sha256sum "$dst" | awk '{print $1}' )"
+            ;;
+        esac
+    fi
 fi
 
-sum_cmd="$( "$__type_explorer/remote_cmd_sum" )"
-
-# shellcheck disable=SC2059
-sum_is="$( eval "$( printf "$sum_cmd" "'$dst'" )" )"
-
 if [ -z "$sum_is" ]
 then
-    echo 'existing destination checksum failed' >&2
+    echo 'no checksum from target' >&2
     exit 1
 fi
 

cdist/conf/type/__download/gencode-local

@@ -11,133 +11,34 @@ fi
 
 url="$( cat "$__object/parameter/url" )"
 
-if [ -f "$__object/parameter/destination" ]
-then
-    dst="$( cat "$__object/parameter/destination" )"
-else
-    dst="/$__object_id"
-fi
+tmp="$( mktemp )"
+
+dst="/$__object_id"
 
 if [ -f "$__object/parameter/cmd-get" ]
 then
     cmd="$( cat "$__object/parameter/cmd-get" )"
 
+elif command -v wget > /dev/null
+then
+    cmd="wget -O - '%s'"
+
 elif command -v curl > /dev/null
 then
-    cmd="curl -sSL -o - '%s'"
+    cmd="curl -L -o - '%s'"
 
 elif command -v fetch > /dev/null
 then
     cmd="fetch -o - '%s'"
 
-elif command -v wget > /dev/null
-then
-    cmd="wget -O - '%s'"
-
 else
-    echo 'local download failed, no usable utility' >&2
+    echo 'no usable locally installed utility for downloading' >&2
     exit 1
 fi
 
-echo "download_tmp=\"\$( mktemp )\""
-
-# shellcheck disable=SC2059
-printf "$cmd > \"\$download_tmp\"\n" "$url"
-
-if [ -f "$__object/parameter/sum" ]
-then
-    sum_should="$( cat "$__object/parameter/sum" )"
-
-    if [ -f "$__object/parameter/cmd-sum" ]
-    then
-        local_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
-    else
-        if echo "$sum_should" | grep -Fq ':'
-        then
-            sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
-
-            sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
-        else
-            if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
-            then
-                sum_hash='cksum'
-            elif
-                echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
-            then
-                sum_hash='md5'
-            elif
-                echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
-            then
-                sum_hash='sha1'
-            elif
-                echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
-            then
-                sum_hash='sha256'
-            else
-                echo 'hash format detection failed' >&2
-                exit 1
-            fi
-        fi
-
-        case "$sum_hash" in
-            cksum)
-                local_cmd_sum="cksum %s | awk '{print \$1\" \"\$2}'"
-            ;;
-            md5)
-                if command -v md5 > /dev/null
-                then
-                    local_cmd_sum="md5 -q %s"
-                elif
-                    command -v md5sum > /dev/null
-                then
-                    local_cmd_sum="md5sum %s | awk '{print \$1}'"
-                fi
-            ;;
-            sha1)
-                if command -v sha1 > /dev/null
-                then
-                    local_cmd_sum="sha1 -q %s"
-                elif
-                    command -v sha1sum > /dev/null
-                then
-                    local_cmd_sum="sha1sum %s | awk '{print \$1}'"
-                fi
-            ;;
-            sha256)
-                if command -v sha256 > /dev/null
-                then
-                    local_cmd_sum="sha256 -q %s"
-                elif
-                    command -v sha256sum > /dev/null
-                then
-                    local_cmd_sum="sha256sum %s | awk '{print \$1}'"
-                fi
-            ;;
-            *)
-                # we arrive here only if --sum is given with unknown format prefix
-                echo "unknown hash format: $sum_hash" >&2
-                exit 1
-            ;;
-        esac
-
-        if [ -z "$local_cmd_sum" ]
-        then
-            echo 'local checksum verification failed, no usable utility' >&2
-            exit 1
-        fi
-    fi
-
-    # shellcheck disable=SC2059
-    echo "sum_is=\"\$( $( printf "$local_cmd_sum" "\"\$download_tmp\"" ) )\""
-
-    echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
-
-    echo "echo 'local download checksum mismatch' >&2"
-
-    echo "rm -f \"\$download_tmp\""
-
-    echo 'exit 1; fi'
-fi
+printf "$cmd > %s\n" \
+    "$url" \
+    "$tmp"
 
 if echo "$__target_host" | grep -Eq '^[0-9a-fA-F:]+$'
 then
@@ -146,10 +47,12 @@ else
     target_host="$__target_host"
 fi
 
-# shellcheck disable=SC2016
-printf '%s "$download_tmp" %s:%s\n' \
+printf '%s %s %s:%s\n' \
     "$__remote_copy" \
+    "$tmp" \
     "$target_host" \
     "$dst"
 
-echo "rm -f \"\$download_tmp\""
+echo "rm -f '$tmp'"
+
+echo 'downloaded' > "$__messages_out"

cdist/conf/type/__download/gencode-remote

@@ -6,51 +6,17 @@ state_is="$( cat "$__object/explorer/state" )"
 
 if [ "$download" = 'remote' ] && [ "$state_is" != 'present' ]
 then
-    cmd_get="$( cat "$__object/explorer/remote_cmd_get" )"
+    cmd="$( cat "$__object/explorer/remote_cmd" )"
 
     url="$( cat "$__object/parameter/url" )"
 
-    if [ -f "$__object/parameter/destination" ]
-    then
-        dst="$( cat "$__object/parameter/destination" )"
-    else
-        dst="/$__object_id"
-    fi
+    dst="/$__object_id"
 
-    echo "download_tmp=\"\$( mktemp )\""
+    printf "$cmd > %s\n" \
+        "$url" \
+        "$dst"
 
-    # shellcheck disable=SC2059
-    printf "$cmd_get > \"\$download_tmp\"\n" "$url"
-
-    if [ -f "$__object/parameter/sum" ]
-    then
-        sum_should="$( cat "$__object/parameter/sum" )"
-
-        if [ -f "$__object/parameter/cmd-sum" ]
-        then
-            remote_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
-        else
-            remote_cmd_sum="$( cat "$__object/explorer/remote_cmd_sum" )"
-
-            if echo "$sum_should" | grep -Fq ':'
-            then
-                sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
-            fi
-        fi
-
-        # shellcheck disable=SC2059
-        echo "sum_is=\"\$( $( printf "$remote_cmd_sum" "\"\$download_tmp\"" ) )\""
-
-        echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
-
-        echo "echo 'remote download checksum mismatch' >&2"
-
-        echo "rm -f \"\$download_tmp\""
-
-        echo 'exit 1; fi'
-    fi
-
-    echo "mv \"\$download_tmp\" '$dst'"
+    echo 'downloaded' > "$__messages_out"
 fi
 
 if [ -f "$__object/parameter/onchange" ] && [ "$state_is" != "present" ]

cdist/conf/type/__download/man.rst

@@ -8,7 +8,10 @@ cdist-type__download - Download a file
 
 DESCRIPTION
 -----------
-By default type will try to use ``curl``, ``fetch`` or ``wget``.
+Destination (``$__object_id``) in target host must be persistent storage
+in order to calculate checksum and decide if file must be (re-)downloaded.
+
+By default type will try to use ``wget``, ``curl`` or ``fetch``.
 If download happens in target (see ``--download``) then type will
 fallback to (and install) ``wget``.
 
@@ -16,40 +19,23 @@ If download happens in local machine, then environment variables like
 ``{http,https,ftp}_proxy`` etc can be used on cdist execution
 (``http_proxy=foo cdist config ...``).
 
-To change downloaded file's owner, group or permissions, use ``require='__download/path/to/file' __file ...``.
-
 
 REQUIRED PARAMETERS
 -------------------
 url
    File's URL.
 
+sum
+   Checksum of file going to be downloaded.
+   By default output of ``cksum`` without filename is expected.
+   Other hash formats supported with prefixes: ``md5:``, ``sha1:`` and ``sha256:``.
+
 
 OPTIONAL PARAMETERS
 -------------------
-destination
-   Downloaded file's destination in target. If unset, ``$__object_id`` is used.
-
-sum
-   Supported formats: ``cksum`` output without file name, MD5, SHA1 and SHA256.
-
-   Type tries to detect hash format with regexes, but prefixes
-   ``cksum:``, ``md5:``, ``sha1:`` and ``sha256:`` are also supported.
-
-   Checksum have two purposes - state check and post-download verification.
-   In state check, if destination checksum mismatches, then content of URL
-   will be downloaded to temporary file. If downloaded temporary file's
-   checksum matches, then it will be moved to destination (overwritten).
-
-   For local downloads it is expected that usable utilities for checksum
-   calculation exist in the system.
-
 download
-   If ``local`` (default), then file is downloaded to local storage and copied
-   to target host. If ``remote``, then download happens in target.
-
-   For local downloads it is expected that usable utilities for downloading
-   exist in the system. Type will try to use ``curl``, ``fetch`` or ``wget``.
+   If ``local`` (default), then download file to local storage and copy
+   it to target host. If ``remote``, then download happens in target.
 
 cmd-get
    Command used for downloading.
@@ -79,7 +65,7 @@ EXAMPLES
     require='__directory/opt/cpma' \
         __download /opt/cpma/cnq3.zip \
             --url https://cdn.playmorepromode.com/files/cnq3/cnq3-1.51.zip \
-            --sum 46da3021ca9eace277115ec9106c5b46
+            --sum md5:46da3021ca9eace277115ec9106c5b46
 
     require='__download/opt/cpma/cnq3.zip' \
         __unpack /opt/cpma/cnq3.zip \
@@ -95,7 +81,7 @@ Ander Punnar <ander-at-kvlt-dot-ee>
 
 COPYING
 -------
-Copyright \(C) 2021 Ander Punnar. You can redistribute it
+Copyright \(C) 2020 Ander Punnar. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.

cdist/conf/type/__download/manifest

@@ -1,6 +1,6 @@
 #!/bin/sh -e
 
-if grep -Eq '^wget' "$__object/explorer/remote_cmd_get"
+if grep -Eq '^wget' "$__object/explorer/remote_cmd"
 then
     __package wget
 fi

cdist/conf/type/__download/parameter/optional

@@ -1,6 +1,4 @@
 cmd-get
 cmd-sum
-destination
 download
 onchange
-sum

cdist/conf/type/__download/parameter/required

@@ -1 +1,2 @@
 url
+sum

cdist/conf/type/__file/gencode-local

@@ -1,7 +1,7 @@
 #!/bin/sh -e
 #
 # 2011-2012 Nico Schottelius (nico-cdist at schottelius.org)
-# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
+# 2013 Steven Armstrong (steven-cdist armstrong.cc)
 #
 # This file is part of cdist.
 #
@@ -72,7 +72,6 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
          if [ "$type" != "file" ]; then
             # destination is not a regular file, upload source to replace it
             upload_file=1
-            echo upload >> "$__messages_out"
          else
             local_cksum="$(cksum < "$source")"
             remote_cksum="$(cat "$__object/explorer/cksum")"
@@ -89,39 +88,27 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
       mkdir "$__object/files"
       touch "$__object/files/set-attributes"
 
-      if [ "$create_file" ]; then
-         # When creating an empty file we create it locally and then
-         # upload it so that permissions can be set before moving the file
-         # into place.
-         source="$__object/files/empty"
-         touch "$source"
-      fi
-
       # upload file to temp location
-      upload_destination="${destination}.cdist.${__cdist_object_marker}.$$"
-      # Yes, we are aware that this is a race condition.
-      # However:
-      # a) cdist usually writes to directories that are not user writable
-      #    (probably > 99.9%)
-      # b) if they are user owned, the user / attacker always wins
-      #    (probably < 0.1%)
-      # c) the only case which we could improve are tmp directories and we
-      #    don't think managing tmp directories with cdist is a typical case
-      #    ("the rest %)"
-
-      # Tell gencode-remote to where we uploaded the file so it can move
-      # it to its final destination.
-      echo "$upload_destination" > "$__object/files/upload-destination"
-
-      # IPv6 fix
-      if echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$'
-      then
-          my_target_host="[${__target_host}]"
-      else
-          my_target_host="${__target_host}"
-      fi
+      tempfile_template="${destination}.cdist.XXXXXXXXXX"
       cat << DONE
-$__remote_copy "$source" "${my_target_host}:${upload_destination}"
+destination_upload="\$($__remote_exec $__target_host "mktemp $tempfile_template")"
+DONE
+      if [ "$upload_file" ]; then
+         echo upload >> "$__messages_out"
+         # IPv6 fix
+         if echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$'
+         then
+             my_target_host="[${__target_host}]"
+         else
+             my_target_host="${__target_host}"
+         fi
+         cat << DONE
+$__remote_copy "$source" "${my_target_host}:\$destination_upload"
+DONE
+      fi
+# move uploaded file into place
+cat << DONE
+$__remote_exec $__target_host "rm -rf \"$destination\"; mv \"\$destination_upload\" \"$destination\""
 DONE
    fi
 fi

cdist/conf/type/__file/gencode-remote

@@ -1,7 +1,7 @@
 #!/bin/sh -e
 #
 # 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
-# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
+# 2013 Steven Armstrong (steven-cdist armstrong.cc)
 #
 # This file is part of cdist.
 #
@@ -62,13 +62,6 @@ set_mode() {
 
 case "$state_should" in
     present|exists)
-        if [ -f "$__object/files/upload-destination" ]; then
-            final_destination="$destination"
-            # We change the 'global' $destination variable here so we can
-            # change attributes of the new/uploaded file before moving it
-            # to it's final destination.
-            destination="$(cat "$__object/files/upload-destination")"
-        fi
         # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
         #  clearing S_ISUID and S_ISGID bits (see chown(2))
         for attribute in group owner mode; do
@@ -88,11 +81,6 @@ case "$state_should" in
                 fi
             fi
         done
-        if [ -f "$__object/files/upload-destination" ]; then
-            # move uploaded file into place
-            printf 'rm -rf "%s"\n' "$final_destination"
-            printf 'mv "%s" "%s"\n' "$destination" "$final_destination"
-        fi
         if [ -f "$__object/files/set-attributes" ]; then
             # set-attributes is created if file is created or uploaded in gencode-local
             fire_onchange=1

cdist/conf/type/__filesystem/explorer/lsblk

@@ -27,7 +27,7 @@ else
 fi
 
 case "$os" in
-    alpine|centos|fedora|gentoo|redhat|suse|ubuntu)
+    alpine|centos|fedora|redhat|suse|gentoo)
         if [ ! -x "$(command -v lsblk)" ]; then
             echo "lsblk is required for __filesystem type" >&2
             exit 1

cdist/conf/type/__git/explorer/group

@@ -1,24 +1,5 @@
-#!/bin/sh -e
+#!/bin/sh
 
-destination="/${__object_id:?}/.git"
+destination="/$__object_id/.git"
 
-# shellcheck disable=SC2012
-group_gid=$(ls -ldn "${destination}" | awk '{ print $4 }')
-
-# NOTE: +1 because $((notanum)) prints 0.
-if test $((group_gid + 1)) -ge 0
-then
-	group_should=$(cat "${__object:?}/parameter/group")
-
-	if expr "${group_should}" : '[0-9]*$' >/dev/null
-	then
-		printf '%u\n' "${group_gid}"
-	else
-		if command -v getent > /dev/null
-		then
-			getent group "${group_gid}" | cut -d : -f 1
-		else
-			awk -F: -v gid="${group_gid}" '$3 == gid { print $1 }' /etc/group
-		fi
-	fi
-fi
+stat --print "%G" "${destination}" 2>/dev/null || exit 0

cdist/conf/type/__git/explorer/owner

@@ -1,19 +1,5 @@
-#!/bin/sh -e
+#!/bin/sh
 
-destination="/${__object_id:?}/.git"
+destination="/$__object_id/.git"
 
-# shellcheck disable=SC2012
-owner_uid=$(ls -ldn "${destination}" | awk '{ print $3 }')
-
-# NOTE: +1 because $((notanum)) prints 0.
-if test $((owner_uid + 1)) -ge 0
-then
-	owner_should=$(cat "${__object:?}/parameter/owner")
-
-	if expr "${owner_should}" : '[0-9]*$' >/dev/null
-	then
-		printf '%u\n' "${owner_uid}"
-	else
-		printf '%s\n' "$(id -u -n "${owner_uid}")"
-	fi
-fi
+stat --print "%U" "${destination}" 2>/dev/null || exit 0

cdist/conf/type/__grafana_dashboard/manifest

@@ -15,7 +15,7 @@ case $os in
                 # Differntation not needed anymore
                 apt_source_distribution=stable
                 ;;
-            10*|11*)
+            10*)
                 # Differntation not needed anymore
                 apt_source_distribution=stable
                 ;;

cdist/conf/type/__haproxy_dualstack/files/http

@@ -1,8 +0,0 @@
-frontend http
-	bind	BIND@:80
-	mode	http
-	option	httplog
-	default_backend	http
-
-backend http
-	mode	http

cdist/conf/type/__haproxy_dualstack/files/https

@@ -1,10 +0,0 @@
-frontend https
-	bind	BIND@:443
-	mode	tcp
-	option	tcplog
-	tcp-request	inspect-delay 5s
-	tcp-request	content accept if { req_ssl_hello_type 1 }
-	default_backend	https
-
-backend https
-	mode	tcp

cdist/conf/type/__haproxy_dualstack/files/imaps

@@ -1,12 +0,0 @@
-frontend imaps
-	bind	BIND@:143
-	bind	BIND@:993
-
-	mode	tcp
-	option	tcplog
-	tcp-request	inspect-delay 5s
-	tcp-request	content accept if { req_ssl_hello_type 1 }
-	default_backend	imaps
-
-backend imaps
-	mode	tcp

cdist/conf/type/__haproxy_dualstack/files/smtps

@@ -1,12 +0,0 @@
-frontend smtps
-	bind	BIND@:25
-	bind	BIND@:465
-
-	mode	tcp
-	option	tcplog
-	tcp-request	inspect-delay 5s
-	tcp-request	content accept if { req_ssl_hello_type 1 }
-	default_backend	smtps
-
-backend smtps
-	mode	tcp

cdist/conf/type/__haproxy_dualstack/man.rst

@@ -1,121 +0,0 @@
-cdist-type__haproxy_dualstack(7)
-================================
-
-
-NAME
-----
-cdist-type__haproxy_dualstack - Proxy services from a dual-stack server
-
-
-DESCRIPTION
------------
-This (singleton) type installs and configures haproxy to act as a dual-stack
-proxy for single-stack services.
-
-This can be useful to add IPv4 support to IPv6-only services while only using
-one IPv4 for many such services.
-
-By default this type uses the plain TCP proxy mode, which means that there is no
-need for TLS termination on this host when SNI is supported.
-This also means that proxied services will not receive the client's IP address,
-but will see the proxy's IP address instead (that of `$__target_host`).
-
-This can be solved by using the PROXY protocol, but do take into account that,
-e.g. nginx cannot serve both regular HTTP(S) and PROXY protocols on the same
-port, so you will need to use other ports for that.
-
-As a recommendation in this type: use TCP ports 8080 and 591 respectively to
-serve HTTP and HTTPS using the PROXY protocol.
-
-See the EXAMPLES for more details.
-
-
-OPTIONAL PARAMETERS
--------------------
-v4proxy
-    Proxy incoming IPv4 connections to the equivalent IPv6 endpoint.
-    In its simplest use, it must be a NAME with an `AAAA` DNS entry, which is
-    the IP address actually providing the proxied services.
-    The full format of this argument is:
-    `[proxy:]NAME[[:PROTOCOL_1=PORT_1]...[:PROTOCOL_N=PORT_N]]`
-    Where starting with `proxy:` determines that the PROXY protocol must be
-    used and each `:PROTOCOL=PORT` (e.g. `:http=8080` or `:https=591`) is a PORT
-    override for the given PROTOCOL (see `--protocol`), if not present the
-    PROTOCOL's default port will be used.
-
-
-v6proxy
-    Proxy incoming IPv6 connections to the equivalent IPv4 endpoint.
-    In its simplest use, it must be a NAME with an `A` DNS entry, which is
-    the IP address actually providing the proxied services.
-    See `--v4proxy` for more options and details.
-
-protocol
-    Can be passed multiple times or as a space-separated list of protocols.
-    Currently supported protocols are: `http`, `https`, `imaps`, `smtps`.
-    This defaults to: `http https imaps smtps`.
-
-
-EXAMPLES
---------
-
-.. code-block:: sh
-
-    # Proxy the IPv6-only services so IPv4-only clients can access them
-    # This uses HAProxy's TCP mode for http, https, imaps and smtps
-    __haproxy_dualstack \
-        --v4proxy ipv6.chat \
-        --v4proxy matrix.ungleich.ch
-
-    # Proxy the IPv6-only HTTP(S) services so IPv4-only clients can access them
-    # Note this means that the backend IPv6-only server will only see
-    # the IPv6 address of the haproxy host managed by cdist, which can be
-    # troublesome if this information is relevant for analytics/security/...
-    # See the PROXY example below
-    __haproxy_dualstack \
-        --protocol http --protocol https \
-        --v4proxy ipv6.chat \
-        --v4proxy matrix.ungleich.ch
-
-    # Use the PROXY protocol to proxy the IPv6-only HTTP(S) services enabling
-    # IPv4-only clients to access them while maintaining the client's IP address
-    __haproxy_dualstack \
-        --protocol http --protocol https \
-        --v4proxy proxy:ipv6.chat:http=8080:https=591 \
-        --v4proxy proxy:matrix.ungleich.ch:http=8080:https=591
-    # Note however that the PROXY protocol is not compatible with regular
-    # HTTP(S) protocols, so your nginx will have to listen on different ports
-    # with the PROXY settings.
-    # Note that you will need to restrict access to the 8080 port to prevent
-    # Client IP spoofing.
-    # This can be something like:
-    # server {
-    #     # listen for regular HTTP connections
-    #     listen [::]:80 default_server;
-    #     listen 80 default_server;
-    #     # listen for PROXY HTTP connections
-    #     listen [::]:8080 proxy_protocol;
-    #     # Accept the Client's IP from the PROXY protocol
-    #     real_ip_header proxy_protocol;
-    # }
-
-
-SEE ALSO
---------
-- https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
-- https://www.haproxy.com/blog/haproxy/proxy-protocol/
-- https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
-
-
-AUTHORS
--------
-ungleich <foss--@--ungleich.ch>
-Evilham <cvs--@--evilham.com>
-
-
-COPYING
--------
-Copyright \(C) 2021 ungleich glarus ag. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.

cdist/conf/type/__haproxy_dualstack/manifest

@@ -1,155 +0,0 @@
-#!/bin/sh -eu
-
-__package haproxy
-require="__package/haproxy" __start_on_boot haproxy
-
-tmpdir="$__object/files"
-mkdir "$tmpdir"
-configtmp="$__object/files/haproxy.cfg"
-
-os=$(cat "$__global/explorer/os")
-case $os in
-	freebsd)
-		CONFIG_FILE="/usr/local/etc/haproxy.conf"
-		cat <<EOF > "$configtmp"
-global
-	maxconn	4000
-	user	nobody
-	group	nogroup
-	daemon
-
-EOF
-
-		;;
-	*)
-		CONFIG_FILE="/etc/haproxy/haproxy.cfg"
-		cat <<EOF > "$configtmp"
-global
-	log	[::1] local2
-	chroot	/var/lib/haproxy
-	pidfile	/var/run/haproxy.pid
-	maxconn	4000
-	user	haproxy
-	group	haproxy
-	daemon
-
-	# turn on stats unix socket
-	stats socket	/var/lib/haproxy/stats
-
-EOF
-		;;
-esac
-
-cat <<EOF >> "$configtmp"
-defaults
-	retries	3
-	log	global
-	timeout http-request	10s
-	timeout queue		1m
-	timeout connect		10s
-	timeout client		1m
-	timeout server		1m
-	timeout http-keep-alive	10s
-	timeout check		10s
-EOF
-
-dig_cmd="$(command -v dig || true)"
-get_ip() {
-	# Usage: get_ip (ipv4|ipv6) NAME
-	# uses "dig" if available, else fallback to "host"
-	case $1 in
-		ipv4)
-			if [ -n "${dig_cmd}" ]; then
-				${dig_cmd} +short A "$2"
-			else
-				host -t A "$2" | cut -d ' ' -f 4 | grep -v 'found:'
-			fi
-			;;
-		ipv6)
-			if [ -n "${dig_cmd}" ]; then
-				${dig_cmd} +short AAAA "$2"
-			else
-				host -t AAAA "$2" | cut -d ' ' -f 5 | grep -v 'NXDOMAIN'
-			fi
-			;;
-	esac
-}
-
-PROTOCOLS="$(cat "$__object/parameter/protocol")"
-
-for proxy in v4proxy v6proxy; do
-	param=$__object/parameter/$proxy
-	# no backend? skip generating code
-	if [ ! -f "$param" ]; then
-		continue
-	fi
-
-	# turn backend name into bind parameter: v4backend -> ipv4@
-	bind=$(echo $proxy | sed -e 's/^/ip/' -e 's/proxy//')
-
-	case $bind in
-		ipv4)
-			backendproto=ipv6
-			;;
-		ipv6)
-			backendproto=ipv4
-			;;
-	esac
-
-	for proto in ${PROTOCOLS}; do
-		# Add protocol "header"
-		printf "\n# %s %s \n" "${bind}" "${proto}" >> "$configtmp"
-
-		sed -e "s/BIND/$bind/" \
-			-e "s/\(frontend[[:space:]].*\)/\1$bind/" \
-			-e "s/\(backend[[:space:]].*\)/\\1$bind/" \
-			"$__type/files/$proto" >> "$configtmp"
-
-		while read -r hostdefinition; do
-			if echo "$hostdefinition" | grep -qE '^proxy:'; then
-				# Proxy protocol was requested
-				host="$(echo "$hostdefinition" | sed -E 's/^proxy:([^:]+).*$/\1/')"
-				send_proxy=" send-proxy"
-			else
-				# Just use tcp proxy mode
-				host="$hostdefinition"
-				send_proxy=""
-			fi
-			if echo "$hostdefinition" | grep -qE ":${proto}="; then
-				# Use custom port definition if requested
-				port="$(echo "$hostdefinition" | sed -E "s/^(.*:)?${proto}=([0-9]+).*$/:\2/")"
-			else
-				# Else use the default
-				port=""
-			fi
-			servername=$host
-
-			res=$(get_ip "$bind" "$servername")
-
-			if [ -z "$res" ]; then
-				echo "$servername does not resolve - aborting config" >&2
-				exit 1
-			fi
-
-			# Treat protocols without TLS+SNI specially
-			if [ "$proto" = http ]; then
-				echo "	use-server $servername if { hdr(host) -i $host }" >> "$configtmp"
-			else
-				echo "	use-server $servername if { req_ssl_sni -i $host }" >> "$configtmp"
-			fi
-
-			# Create the "server" itself.
-			# Note that port and send_proxy will be empty unless
-			# they were requested by the type user
-			echo "	server $servername ${backendproto}@${host}${port}${send_proxy}" >> "$configtmp"
-
-		done < "$param"
-	done
-done
-
-# Create config file
-require="__package/haproxy" __file ${CONFIG_FILE} --source "$configtmp" --mode 0644
-
-require="__file${CONFIG_FILE}" __check_messages "haproxy_reload" \
-	--pattern "^__file${CONFIG_FILE}" \
-	--execute "service haproxy reload || service haproxy restart"

cdist/conf/type/__haproxy_dualstack/parameter/default/protocol

@@ -1 +0,0 @@
-http https imaps smtps

cdist/conf/type/__haproxy_dualstack/parameter/optional_multiple

@@ -1,3 +0,0 @@
-protocol
-v4proxy
-v6proxy

cdist/conf/type/__letsencrypt_cert/explorer/certbot-path

@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+command -v certbot 2>/dev/null || true

cdist/conf/type/__letsencrypt_cert/explorer/certificate-data

@@ -1,78 +0,0 @@
-#!/bin/sh -e
-certbot_path="$(command -v certbot 2>/dev/null || true)"
-# Defaults
-certificate_exists="no"
-certificate_is_test="no"
-
-if [ -n "${certbot_path}" ]; then
-	# Find python executable that has access to certbot's module
-	python_path=$(sed -n '1s/^#! *//p' "${certbot_path}")
-
-	# Use a lock for cdist due to certbot not exiting with failure
-	# or having any flags for concurrent use.
-	_certbot() {
-		${python_path} - 2>/dev/null <<EOF
-from certbot.main import main
-import fcntl
-lock_file = "/tmp/certbot.cdist.lock"
-timeout=60
-with open(lock_file, 'w') as fd:
-    for i in range(timeout):
-        try:
-            # Get exclusive lock
-            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
-            break
-        except:
-            # Wait if that fails
-            import time
-            time.sleep(1)
-    else:
-        # Timed out, exit with failure
-        import sys
-        sys.exit(1)
-    # Do list certificates
-    main(["certificates", "--cert-name", "${__object_id:?}"])
-EOF
-	}
-
-
-	_certificate_exists() {
-		if grep -q "  Certificate Name: ${__object_id:?}$"; then
-			echo yes
-		else
-			echo no
-		fi
-	}
-
-	_certificate_is_test() {
-		if grep -q 'INVALID: TEST_CERT'; then
-			echo yes
-		else
-			echo no
-		fi
-	}
-
-	_certificate_domains() {
-		grep '    Domains: ' | cut -d ' ' -f 6- | tr ' ' '\n'
-	}
-
-	# Get data about all available certificates
-	certificates="$(_certbot)"
-
-	# Check whether or not the certificate exists
-	certificate_exists="$(echo "${certificates}" | _certificate_exists)"
-
-	# Check whether or not the certificate is for testing
-	certificate_is_test="$(echo "${certificates}" | _certificate_is_test)"
-
-	# Get domains for certificate
-	certificate_domains="$(echo "${certificates}" | _certificate_domains)"
-fi
-
-# Return received data
-cat <<EOF
-certbot_path:${certbot_path}
-certificate_exists:${certificate_exists}
-certificate_is_test:${certificate_is_test}
-${certificate_domains}
-EOF

cdist/conf/type/__letsencrypt_cert/explorer/certificate-domains

@@ -0,0 +1,8 @@
+#!/bin/sh -e
+
+certbot_path=$("${__type_explorer}/certbot-path")
+if [ -n "${certbot_path}" ]
+then
+	certbot certificates --cert-name "${__object_id:?}" | grep '    Domains: ' | \
+		cut -d ' ' -f 6- | tr ' ' '\n'
+fi

cdist/conf/type/__letsencrypt_cert/explorer/certificate-exists

@@ -0,0 +1,13 @@
+#!/bin/sh -e
+
+certbot_path=$("${__type_explorer}/certbot-path")
+if [ -n "${certbot_path}" ]
+then
+	if certbot certificates | grep -q "  Certificate Name: ${__object_id:?}$"; then
+		echo yes
+	else
+		echo no
+	fi
+else
+	echo no
+fi

cdist/conf/type/__letsencrypt_cert/explorer/certificate-is-test

@@ -0,0 +1,14 @@
+#!/bin/sh -e
+
+certbot_path=$("${__type_explorer}/certbot-path")
+if [ -n "${certbot_path}" ]
+then
+	if certbot certificates --cert-name "${__object_id:?}" | \
+		grep -q 'INVALID: TEST_CERT'; then
+		echo yes
+	else
+		echo no
+	fi
+else
+	echo no
+fi

cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh

@@ -1,84 +0,0 @@
-#!/bin/sh -e
-
-# It is expected that this defines hook_contents
-
-# Reasonable defaults
-hook_source="${__object}/parameter/${hook}-hook"
-hook_state="absent"
-hook_contents_head="#!/bin/sh -e"
-hook_contents_logic=""
-hook_contents_tail=""
-
-# Backwards compatibility
-# Remove this when renew-hook is removed
-# Falling back to renew-hook if deploy-hook is not passed
-if [ "${hook}" = "deploy" ] && [ ! -f "${hook_source}" ]; then
-	hook_source="${__object}/parameter/renew-hook"
-fi
-if [ "${state}" = "present" ] && \
-	[ -f "${hook_source}" ]; then
-	# This hook is to be installed, let's generate it with some
-	# safety boilerplate
-	# Since certbot runs all hooks for all renewal processes
-	# (at each state for deploy, pre, post), it is up to us to
-	# differentiate whether or not the hook must run
-	hook_state="present"
-	hook_contents_head="$(cat <<EOF
-#!/bin/sh -e
-#
-# Managed remotely with https://cdi.st
-#
-# Domains for which this hook is supposed to apply
-lineage="${LE_DIR}/live/${__object_id}"
-domains="\$(cat <<eof
-${domains}
-eof
-)"
-EOF
-)"
-	case "${hook}" in
-		pre|post)
-			# Certbot is kind of terrible, we have
-			# no way of knowing what domain/lineage the
-			# hook is running for
-			hook_contents_logic="$(cat <<EOF
-# pre/post-hooks apply always due to a certbot limitation
-APPLY_HOOK="YES"
-EOF
-)"
-		;;
-		deploy)
-			hook_contents_logic="$(cat <<EOF
-# certbot defines these environment variables:
-# RENEWED_DOMAINS="DOMAIN1 DOMAIN2"
-# RENEWED_LINEAGE="/etc/letsencrypt/live/__object_id"
-# It feels more stable to use RENEWED_LINEAGE
-if [ "\${lineage}" = "\${RENEWED_LINEAGE}" ]; then
-	APPLY_HOOK="YES"
-fi
-EOF
-)"
-		;;
-		*)
-			echo "Unknown hook '${hook}'" >> /dev/stderr
-			exit 1
-		;;
-	esac
-
-	hook_contents_tail="$(cat <<EOF
-if [ -n "\${APPLY_HOOK}" ]; then
-	# Messing with indentation can eff up the users' scripts, let's not
-$(cat "${hook_source}")
-fi
-EOF
-)"
-fi
-
-hook_contents="$(cat <<EOF
-${hook_contents_head}
-
-${hook_contents_logic}
-
-${hook_contents_tail}
-EOF
-)"

cdist/conf/type/__letsencrypt_cert/gencode-remote

@@ -1,10 +1,6 @@
 #!/bin/sh -e
 
-_explorer_var() {
-	grep "^$1:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-
-}
-
-certificate_exists="$(_explorer_var certificate_exists)"
+certificate_exists=$(cat "${__object:?}/explorer/certificate-exists")
 name="${__object_id:?}"
 state=$(cat "${__object}/parameter/state")
 
@@ -33,9 +29,8 @@ case "${state}" in
 		fi
 
 		if [ "${certificate_exists}" = "yes" ]; then
-			existing_domains=$(mktemp "${TMPDIR:-/tmp}/existing_domains.cdist.XXXXXXXXXX")
-			tail -n +4 "${__object:?}/explorer/certificate-data" | grep -v '^$' > "${existing_domains}"
-			certificate_is_test="$(_explorer_var certificate_is_test)"
+			existing_domains="${__object}/explorer/certificate-domains"
+			certificate_is_test=$(cat "${__object}/explorer/certificate-is-test")
 
 			sort -uo "${requested_domains}" "${requested_domains}"
 			sort -uo "${existing_domains}" "${existing_domains}"

cdist/conf/type/__letsencrypt_cert/man.rst

@@ -1,33 +1,16 @@
 cdist-type__letsencrypt_cert(7)
 ===============================
 
-
 NAME
 ----
 
 cdist-type__letsencrypt_cert - Get an SSL certificate from Let's Encrypt
 
-
 DESCRIPTION
 -----------
 
 Automatically obtain a Let's Encrypt SSL certificate using Certbot.
 
-This type attempts to setup automatic renewals always. In many Linux
-distributions, that is the case out of the box, see:
-https://certbot.eff.org/docs/using.html#automated-renewals
-
-For Alpine Linux and Arch Linux, we setup a system-wide cronjob that
-attempts to renew certificates daily.
-
-If you are using FreeBSD, we configure periodic(8) as recommended by
-the port mantainer, so there will be a weekly attempt at renewal.
-
-If your OS is not mentioned here or on Certbot's docs as having
-support for automated renewals, please make sure you check your OS
-and possibly patch this type so the system-wide cronjob is installed.
-
-
 REQUIRED PARAMETERS
 -------------------
 
@@ -38,7 +21,6 @@ object id
 admin-email
     Where to send Let's Encrypt emails like "certificate needs renewal".
 
-
 OPTIONAL PARAMETERS
 -------------------
 
@@ -54,68 +36,25 @@ webroot
     The path to your webroot, as set up in your webserver config. If this
     parameter is not present, Certbot will be run in standalone mode.
 
-
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 
+renew-hook
+    Renew hook command directly passed to Certbot in cron job.
+
 domain
     Domains to be included in the certificate. When specified then object id
     is not used as a domain.
 
-deploy-hook
-    Command to be executed only when the certificate associated with this
-    ``$__object_id`` is issued or renewed.
-    You can specify it multiple times, but any failure will prevent further
-    commands from being executed.
-
-    For this command, the
-    shell variable ``$RENEWED_LINEAGE`` will point to the
-    config live subdirectory (for example,
-    ``/etc/letsencrypt/live/${__object_id}``) containing the
-    new certificates and keys; the shell variable
-    ``$RENEWED_DOMAINS`` will contain a space-delimited list
-    of renewed certificate domains (for example,
-    ``example.com www.example.com``)
-
-pre-hook
-    Command to be run in a shell before obtaining any
-    certificates.
-    You can specify it multiple times, but any failure will prevent further
-    commands from being executed.
-
-    Note these run regardless of which certificate is attempted, you may want to
-    manage these system-wide hooks with ``__file`` in
-    ``/etc/letsencrypt/renewal-hooks/pre/``.
-
-    Intended primarily for renewal, where it
-    can be used to temporarily shut down a webserver that
-    might conflict with the standalone plugin. This will
-    only be called if a certificate is actually to be
-    obtained/renewed.
-
-post-hook
-    Command to be run in a shell after attempting to
-    obtain/renew certificates.
-    You can specify it multiple times, but any failure will prevent further
-    commands from being executed.
-
-    Note these run regardless of which certificate was attempted, you may want to
-    manage these system-wide hooks with ``__file`` in
-    ``/etc/letsencrypt/renewal-hooks/post/``.
-
-    Can be used to deploy
-    renewed certificates, or to restart any servers that
-    were stopped by --pre-hook. This is only run if an
-    attempt was made to obtain/renew a certificate.
-
-
 BOOLEAN PARAMETERS
 ------------------
 
+automatic-renewal
+    Install a cron job, which attempts to renew certificates daily.
+
 staging
     Obtain a test certificate from a staging server.
 
-
 MESSAGES
 --------
 
@@ -128,7 +67,6 @@ create
 remove
     Certificate was removed.
 
-
 EXAMPLES
 --------
 
@@ -137,7 +75,8 @@ EXAMPLES
     # use object id as domain
     __letsencrypt_cert example.com \
         --admin-email root@example.com \
-        --deploy-hook "service nginx reload" \
+        --automatic-renewal \
+        --renew-hook "service nginx reload" \
         --webroot /data/letsencrypt/root
 
 .. code-block:: sh
@@ -146,10 +85,11 @@ EXAMPLES
     # and example.com needs to be included again with domain parameter
     __letsencrypt_cert example.com \
         --admin-email root@example.com \
+        --automatic-renewal \
         --domain example.com \
         --domain foo.example.com \
         --domain bar.example.com \
-        --deploy-hook "service nginx reload" \
+        --renew-hook "service nginx reload" \
         --webroot /data/letsencrypt/root
 
 AUTHORS
@@ -159,13 +99,11 @@ AUTHORS
 | Kamila Součková <kamila--@--ksp.sk>
 | Darko Poljak <darko.poljak--@--gmail.com>
 | Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
-| Evilham <contact@evilham.com>
-
 
 COPYING
 -------
 
-Copyright \(C) 2017-2021 Nico Schottelius, Kamila Součková, Darko Poljak and
+Copyright \(C) 2017-2018 Nico Schottelius, Kamila Součková, Darko Poljak and
 Ľubomír Kučera. You can redistribute it and/or modify it under the terms of
 the GNU General Public License as published by the Free Software Foundation,
 either version 3 of the License, or (at your option) any later version.

cdist/conf/type/__letsencrypt_cert/manifest

@@ -1,20 +1,18 @@
 #!/bin/sh
 
-certbot_fullpath="$(grep "^certbot_path:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-)"
-state=$(cat "${__object}/parameter/state")
-os="$(cat "${__global:?}/explorer/os")"
+certbot_fullpath="$(cat "${__object:?}/explorer/certbot-path")"
 
 if [ -z "${certbot_fullpath}" ]; then
+	os="$(cat "${__global:?}/explorer/os")"
 	os_version="$(cat "${__global}/explorer/os_version")"
-	# Use this, very common value, as a default. It is OS-dependent
-	certbot_fullpath="/usr/bin/certbot"
+
 	case "$os" in
-		archlinux)
-			__package certbot
-		;;
-		alpine)
-			__package certbot
-		;;
+        archlinux)
+            __package certbot
+            ;;
+        alpine)
+            __package certbot
+            ;;
 		debian)
 			case "$os_version" in
 				8*)
@@ -41,7 +39,7 @@ if [ -z "${certbot_fullpath}" ]; then
 					require="__apt_source/stretch-backports" __package_apt certbot \
 						--target-release stretch-backports
 				;;
-				10*|11*)
+				10*)
 					__package_apt certbot
 				;;
 
@@ -50,7 +48,9 @@ if [ -z "${certbot_fullpath}" ]; then
 					exit 1
 				;;
 			esac
-		;;
+
+			certbot_fullpath=/usr/bin/certbot
+			;;
 		devuan)
 			case "$os_version" in
 				jessie)
@@ -83,14 +83,17 @@ if [ -z "${certbot_fullpath}" ]; then
 					exit 1
 				;;
 			esac
+
+			certbot_fullpath=/usr/bin/certbot
 		;;
 		freebsd)
-			__package py37-certbot
-			certbot_fullpath="/usr/local/bin/certbot"
+			__package py27-certbot
+
+			certbot_fullpath=/usr/local/bin/certbot
 		;;
 		ubuntu)
-			__package certbot
-		;;
+            __package certbot
+            ;;
 		*)
 			echo "Unsupported os: $os" >&2
 			exit 1
@@ -98,61 +101,18 @@ if [ -z "${certbot_fullpath}" ]; then
 	esac
 fi
 
-# Other OS-dependent values that we want to set every time
-LE_DIR="/etc/letsencrypt"
-certbot_cronjob_state="absent"
-case "$os" in
-	archlinux|alpine)
-		certbot_cronjob_state="present"
-	;;
-	freebsd)
-		LE_DIR="/usr/local/etc/letsencrypt"
-		# FreeBSD uses periodic(8) instead of crontabs for this
-		__line "periodic.conf_weekly_certbot" \
-			--file "/etc/periodic.conf" \
-			--regex "^(#[[:space:]]*)?weekly_certbot_enable=.*" \
-			--state "replace" \
-			--line 'weekly_certbot_enable="YES"'
-	;;
-	*)
-	;;
-esac
+if [ -f "${__object}/parameter/automatic-renewal" ]; then
+	renew_hook_param="${__object}/parameter/renew-hook"
+	renew_hook=""
+	if [ -f "${renew_hook_param}" ]; then
+		while read -r hook; do
+			renew_hook="${renew_hook} --renew-hook \"${hook}\""
+		done < "${renew_hook_param}"
+	fi
 
-# This is only necessary in certain OS
-__cron letsencrypt-certbot \
-	--user root \
-	--command "${certbot_fullpath} renew -q" \
-	--hour 0 \
-	--minute 47 \
-	--state "${certbot_cronjob_state}"
-
-# Ensure hook directories
-HOOKS_DIR="${LE_DIR}/renewal-hooks"
-__directory "${LE_DIR}" --mode 0755
-require="__directory/${LE_DIR}" __directory "${HOOKS_DIR}" --mode 0755
-
-if [ -f "${__object}/parameter/domain" ]; then
-	domains="$(sort "${__object}/parameter/domain")"
-else
-	domains="${__object_id}"
+	__cron letsencrypt-certbot  \
+		--user root \
+		--command "${certbot_fullpath} renew -q ${renew_hook}" \
+		--hour 0 \
+		--minute 47
 fi
-
-# Install hooks as needed
-for hook in deploy pre post; do
-	# Using something unique and specific to this object
-	hook_file="${HOOKS_DIR}/${hook}/${__object_id}.cdist.sh"
-
-	# This defines hook_contents
-	# shellcheck source=cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh
-	. "${__type}/files/gen_hook.sh"
-
-	# Ensure hook directory exists
-	require="__directory/${HOOKS_DIR}" __directory "${HOOKS_DIR}/${hook}" \
-		--mode 0755
-	require="__directory/${HOOKS_DIR}/${hook}" __file "${hook_file}" \
-		--mode 0555 \
-		--source '-' \
-		--state "${hook_state}" <<EOF
-${hook_contents}
-EOF
-done

cdist/conf/type/__letsencrypt_cert/parameter/deprecated/automatic-renewal

@@ -1,2 +0,0 @@
-Deprecated in favour of consistent behaviour. It has no effect, see:
-https://code.ungleich.ch/ungleich-public/cdist/-/issues/853

cdist/conf/type/__letsencrypt_cert/parameter/deprecated/renew-hook

@@ -1,2 +0,0 @@
-This parameter has been deprecated in favour of --deploy-hook.
-See: https://code.ungleich.ch/ungleich-public/cdist/-/issues/853

cdist/conf/type/__letsencrypt_cert/parameter/optional_multiple

@@ -1,5 +1,2 @@
-deploy-hook
 domain
-post-hook
-pre-hook
 renew-hook

cdist/conf/type/__nop/man.rst

@@ -0,0 +1,60 @@
+cdist-type__nop(7)
+==================
+
+NAME
+----
+cdist-type__nop - Do nothing, but allow dependencies to be specified.
+
+
+DESCRIPTION
+-----------
+If one has a type without any logic in the ``manifest`` (i.e. only some ``gencode-*`` logic), that depends on some other type, there are two ways make sure the dependencies taken into consideration:
+
+- Either remember to specify them "externally" *every time*, wherever and whenever those types are used
+- Include a ``manifest`` in the *dependent* type, that does something useless (or even nothing)
+
+This type provides a convenient solution for the latter one. It is guaranteed to have no effect on the target host, but it provides an 'anchor point' for type-writers to include in an otherwise empty ``manifest``.
+
+PARAMETERS
+----------
+None.
+
+The ``$__object_id`` is required though, so the type can be used several times.
+
+
+EXAMPLES
+--------
+
+Let's assume type ``__eggs`` depends on type ``__spam``, but has nothing in it's ``manifest``. In the simplest case, it's manifest can contain this:
+
+.. code-block:: sh
+    __spam
+
+If, ``__spam`` has parameters, however, one would resort to this at the place of use:
+
+.. code-block:: sh
+    __spam --foo bar
+    require="__spam" __ham --baz
+
+Or by using the ``__nop`` type, simply do away with the ``require``, and update ``__ham/manifest`` to specify the dependency:
+
+.. code-block:: sh
+    require="__spam" __nop $__object_id
+
+In this case, when the type is used, the depencency is automatic, and one could simply write:
+
+.. code-block:: sh
+    __spam --foo bar
+    __ham --baz
+
+AUTHORS
+-------
+Daniel Fancsali <fancsali@gmail.com>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Daniel Fancsali. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__package_apt/gencode-remote

@@ -81,24 +81,12 @@ aptget="DEBIAN_FRONTEND=noninteractive apt-get --quiet --yes -o Dpkg::Options::=
 
 case "$state_should" in
     present)
-        # There are special arguments to apt(8) to prevent aborts if apt woudn't been
-        # updated after the 19th April 2021 till the bullseye release. The additional
-        # arguments acknoledge the happend suite change (the apt(8) update does the
-        # same by itself).
-        #
-        # Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
-        # allows backward compatablility to pre-buster Debian versions.
-        #
-        # See more: ticket #861
-        # https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
-        apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
-
         # following is bit ugly, but important hack.
         # due to how cdist config run works, there isn't
         # currently better way to do it :(
         cat << EOF
 if [ ! -f /var/cache/apt/pkgcache.bin ] || [ "\$( stat --format %Y /var/cache/apt/pkgcache.bin )" -lt "\$( date +%s -d '-1 day' )" ]
-then echo apt-get $apt_opts update > /dev/null 2>&1 || true
+then echo apt-get update > /dev/null 2>&1 || true
 fi
 EOF
         if [ -n "$version" ]; then

cdist/conf/type/__package_pip/explorer/distinfo-dir

@@ -1,45 +0,0 @@
-#!/bin/sh
-#
-# 2021 Matthias Stecher (matthiasstecher at gmx.de)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-
-nameparam="$__object/parameter/name"
-if [ -f "$nameparam" ]; then
-    name=$(cat "$nameparam")
-else
-    name="$__object_id"
-fi
-
-pipparam="$__object/parameter/pip"
-if [ -f "$pipparam" ]; then
-    pip=$(cat "$pipparam")
-else
-    pip="$( "$__type_explorer/pip" )"
-fi
-
-
-if command -v "$pip" >/dev/null 2>&1; then
-    # assemble the path where pip stores all pip package info
-    "$pip" show "$name" \
-        | awk -F': ' '
-            $1 == "Name" {name=$2; gsub(/-/,"_",name); next}
-            $1 == "Version" {version=$2; next}
-            $1 == "Location" {location=$2; next}
-            END {if (version != "") printf "%s/%s-%s.dist-info", location, name, version}'
-fi

cdist/conf/type/__package_pip/explorer/extras

@@ -1,66 +0,0 @@
-#!/bin/sh
-#
-# 2021 Matthias Stecher (matthiasstecher at gmx.de)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-#
-# Checks if the given extras are really installed or not. It will be
-# done by querring all dependencies for that extra and return it as
-# "to be installed" if no dependency was found.
-#
-
-
-distinfo_dir="$("$__type_explorer/distinfo-dir")"
-
-# check if we have something to check
-if [ "$distinfo_dir" ] && [ -s "$__object/parameter/extra" ]
-then
-    # save cause freezing is slow
-    mkdir "$__object/files"
-    pip_freeze="$__object/files/pip-freeze.tmp"
-    pip3 freeze > "$pip_freeze"
-
-    # If all is set, it searches all available extras to separatly check them.
-    # It would work with just 'all' (cause dependencies are specified for
-    # 'all'), but will not update if one extra is already present. Side effect
-    # is that it will not use [all] but instead name all extras seperatly.
-    for extra in $(if grep -qFx all "$__object/parameter/extra";
-        then awk -F': ' '$1 == "Provides-Extra" && $2 != "all"{print $2}' "$distinfo_dir/METADATA";
-        else tr ',' '\n' < "$__object/parameter/extra";
-        fi)
-    do
-        # create a grep BRE pattern to search all packages
-        # maybe a file full of patterns for -F could be written
-        grep_pattern="$(
-            awk -F'(: | ; )' -v check="$extra" '
-                $1 == "Requires-Dist" {
-                    split($2, r, " ");
-                    sub("extra == ", "", $3); gsub("'"'"'", "", $3);
-                    if($3 == check) print r[1]
-                }' "$distinfo_dir/METADATA" \
-                | sed ':a; $!N; s/\n/\\|/; ta'
-        )"
-
-        # echo the extra if no packages where found for it
-        # if there is no pattern, we don't need to search ;-)
-        # pip matches packages case-insensetive, we need to do that, too
-        if [ "$grep_pattern" ] && ! grep -qi "$grep_pattern" "$pip_freeze"
-        then
-            echo "$extra"
-        fi
-    done
-fi

cdist/conf/type/__package_pip/gencode-remote

@@ -2,7 +2,6 @@
 #
 # 2012 Nico Schottelius (nico-cdist at schottelius.org)
 # 2016 Darko Poljak (darko.poljak at gmail.com)
-# 2021 Matthias Stecher (matthiasstecher at gmx.de)
 #
 # This file is part of cdist.
 #
@@ -26,10 +25,7 @@
 state_is=$(cat "$__object/explorer/state")
 state_should="$(cat "$__object/parameter/state")"
 
-# short circuit if state is the same and no extras to install
-[ "$state_is" = "$state_should" ] && ! [ -s "$__object/explorer/extras" ] \
-    && exit 0
-
+[ "$state_is" = "$state_should" ] && exit 0
 
 nameparam="$__object/parameter/name"
 if [ -f "$nameparam" ]; then
@@ -60,14 +56,6 @@ fi
 
 case "$state_should" in
     present)
-        if [ -s "$__object/explorer/extras" ]
-        then
-            # all extras are passed to pip in a comma-separated list in the name
-            # sed loops through all input lines and add commas between them
-            extras="$(sed ':a; $!N; s/\n/,/; ta' "$__object/explorer/extras")"
-            name="${name}[${extras}]"
-        fi
-
         if [ "$runas" ]
         then
             echo "su -c '$pip install -q $name' $runas"

cdist/conf/type/__package_pip/man.rst

@@ -22,16 +22,6 @@ OPTIONAL PARAMETERS
 name
     If supplied, use the name and not the object id as the package name.
 
-extra
-    Extra optional dependencies which should be installed along the selected
-    package. Can be specified multiple times. Multiple extras can be passed
-    in one `--extra` as a comma-separated list.
-
-    Extra optional dependencies will be installed even when the base package
-    is already installed. Notice that the type will not remove installed extras
-    that are not explicitly named for the type because pip does not offer a
-    management for orphaned packages and they may be used by other packages.
-
 pip
     Instead of using pip from PATH, use the specific pip path.
 
@@ -56,14 +46,6 @@ EXAMPLES
     # Use pip in a virtualenv located at /foo/shinken_virtualenv as user foo
     __package_pip pyro --state present --pip /foo/shinken_virtualenv/bin/pip --runas foo
 
-    # Install package with optional dependencies
-    __package_pip mautrix-telegram --extra speedups --extra webp_convert --extra hq_thumbnails
-    # the extras can also be specified comma-separated
-    __package_pip mautrix-telegram --extra speedups,webp_convert,hq_thumbnails --extra postgres
-
-    # or take all extras
-    __package_pip mautrix-telegram --extra all
-
 
 SEE ALSO
 --------
@@ -72,13 +54,12 @@ SEE ALSO
 
 AUTHORS
 -------
-| Nico Schottelius <nico-cdist--@--schottelius.org>
-| Matthias Stecher <matthiasstecher--@--gmx.de>
+Nico Schottelius <nico-cdist--@--schottelius.org>
 
 
 COPYING
 -------
-Copyright \(C) 2012 Nico Schottelius, 2021 Matthias Stecher. You can
-redistribute it and/or modify it under the terms of the GNU General
-Public License as published by the Free Software Foundation, either
-version 3 of the License, or (at your option) any later version.
+Copyright \(C) 2012 Nico Schottelius. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__package_pip/parameter/optional_multiple

@@ -1 +0,0 @@
-extra

cdist/conf/type/__package_pkg_freebsd/gencode-remote

@@ -37,7 +37,6 @@ assert ()                 #  If condition false,
 	then
 		echo "Assertion failed:  \"$1\""
 		# shellcheck disable=SC2039
-		# shellcheck disable=SC3044
 		echo "File \"$0\", line $lineno, called by $(caller 0)"
 		exit $E_ASSERT_FAILED
 	fi

cdist/conf/type/__package_update_index/gencode-remote

@@ -41,19 +41,7 @@ fi
 case "$type" in
     yum) ;;
     apt)
-        # There are special arguments to apt(8) to prevent aborts if apt woudn't been
-        # updated after the 19th April 2021 till the bullseye release. The additional
-        # arguments acknoledge the happend suite change (the apt(8) update does the
-        # same by itself).
-        #
-        # Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
-        # allows backward compatablility to pre-buster Debian versions.
-        #
-        # See more: ticket #861
-        # https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
-        apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
-
-        echo "apt-get --quiet $apt_opts update"
+        echo "apt-get --quiet update"
         echo "apt-cache updated (age was: $currage)" >> "$__messages_out"
         ;;
     pacman)

cdist/conf/type/__package_upgrade_all/gencode-remote

@@ -28,10 +28,6 @@ apt_clean="$__object/parameter/apt-clean"
 
 apt_dist_upgrade="$__object/parameter/apt-dist-upgrade"
 
-if [ -f "$__object/parameter/apt-with-new-pkgs" ]; then
-	apt_with_new_pkgs="--with-new-pkgs"
-fi
-
 if [ -f "$type" ]; then
     type="$(cat "$type")"
 else
@@ -58,7 +54,7 @@ case "$type" in
     apt)
         if [ -f "$apt_dist_upgrade" ]
         then echo "$aptget dist-upgrade"
-        else echo "$aptget $apt_with_new_pkgs upgrade"
+        else echo "$aptget upgrade"
         fi
 
         if [ -f "$apt_clean" ]

cdist/conf/type/__package_upgrade_all/man.rst

@@ -33,14 +33,6 @@ BOOLEAN PARAMETERS
 apt-dist-upgrade
     Do dist-upgrade instead of upgrade.
 
-apt-with-new-pkg
-    Allow installing new packages when used in conjunction with
-    upgrade. This is useful if the update of an installed package
-    requires new dependencies to be installed. Instead of holding the
-    package back upgrade will upgrade the package and install the new
-    dependencies. Note that upgrade with this option will never remove
-    packages, only allow adding new ones.
-
 apt-clean
     Clean out the local repository of retrieved package files.
 

cdist/conf/type/__package_upgrade_all/parameter/boolean

@@ -1,3 +1,2 @@
 apt-clean
 apt-dist-upgrade
-apt-with-new-pkgs

cdist/conf/type/__postgres_conf/explorer/postgres_user

@@ -1,64 +0,0 @@
-#!/bin/sh -e
-# -*- mode: sh; indent-tabs-mode: t -*-
-#
-# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-os=$("${__explorer:?}/os")
-
-case ${os}
-in
-	(alpine)
-		echo 'postgres'
-		;;
-	(centos|rhel|scientific)
-		echo 'postgres'
-		;;
-	(debian|devuan|ubuntu)
-		echo 'postgres'
-		;;
-	(freebsd)
-		test -x /usr/local/etc/rc.d/postgresql || {
-			printf 'could not find postgresql rc script./n' >&2
-			exit 1
-		}
-		pg_status=$(/usr/local/etc/rc.d/postgresql onestatus) || {
-			printf 'postgresql daemon is not running.\n' >&2
-			exit 1
-		}
-		pg_pid=$(printf '%s\n' "${pg_status}" \
-			| sed -n 's/^pg_ctl:.*(PID: *\([0-9]*\))$/\1/p')
-
-		# PostgreSQL < 9.6: pgsql
-		# PostgreSQL >= 9.6: postgres
-		ps -o user -p "${pg_pid}" | sed -n '2p'
-		;;
-	(netbsd)
-		echo 'pgsql'
-		;;
-	(openbsd)
-		echo '_postgresql'
-		;;
-	(suse)
-		echo 'postgres'
-		;;
-	(*)
-		echo "Unsupported OS: ${os}" >&2
-		exit 1
-		;;
-esac