185 changed files with 1238 additions and 5258 deletions
--- a/6
+++ b/6
@ -35,9 +35,9 @@ DOCS_SRC_DIR=./docs/src
 SPEECHDIR=./docs/speeches
 TYPEDIR=./cdist/conf/type
-SPHINXM=$(MAKE) -C $(DOCS_SRC_DIR) man
+SPHINXM=make -C $(DOCS_SRC_DIR) man
-SPHINXH=$(MAKE) -C $(DOCS_SRC_DIR) html
+SPHINXH=make -C $(DOCS_SRC_DIR) html
-SPHINXC=$(MAKE) -C $(DOCS_SRC_DIR) clean
+SPHINXC=make -C $(DOCS_SRC_DIR) clean
 ################################################################################
 # Manpages
--- a/README.md
+++ b/README.md
@ -24,8 +24,8 @@ For community-maintained types there is
 ## Participating
-IRC: ``#cdist`` @ [libera](https://libera.chat)
+IRC: ``#cdist`` @ freenode
 Matrix: ``#cdist:ungleich.ch``
-Matrix and IRC are bridged.
+Mattermost: https://chat.ungleich.ch/ungleich/channels/cdist
--- a/bin/cdist
+++ b/bin/cdist
@ -72,11 +72,9 @@ def commandline():
 if __name__ == "__main__":
-    if sys.version_info[:3] < cdist.MIN_SUPPORTED_PYTHON_VERSION:
+    if sys.version < cdist.MIN_SUPPORTED_PYTHON_VERSION:
-        print(
+        print('Python >= {} is required on the source host.'.format(
-            'Python >= {} is required on the source host.'.format(
+                cdist.MIN_SUPPORTED_PYTHON_VERSIO), file=sys.stderr)
                ".".join(map(str, cdist.MIN_SUPPORTED_PYTHON_VERSION))),
            file=sys.stderr)
        sys.exit(1)
    exit_code = 0
--- a/bin/cdist-build-helper
+++ b/bin/cdist-build-helper
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# 2011-2022 Nico Schottelius (nico-cdist at schottelius.org)
+# 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
 # 2016-2019 Darko Poljak (darko.poljak at gmail.com)
 #
 # This file is part of cdist.
--- a/cdist/init.py
+++ b/cdist/init.py
@ -64,7 +64,7 @@ REMOTE_EXEC = "ssh -o User=root"
 REMOTE_CMDS_CLEANUP_PATTERN = "ssh -o User=root -O exit -S {}"
-MIN_SUPPORTED_PYTHON_VERSION = (3, 5)
+MIN_SUPPORTED_PYTHON_VERSION = '3.5'
 class Error(Exception):
--- a/cdist/argparse.py
+++ b/cdist/argparse.py
@ -485,31 +485,19 @@ def get_parsers():
    parser['scan'].add_argument(
        '-m', '--mode', help='Which modes should run',
        action='append', default=[],
-        choices=['scan', 'trigger', 'config'])
+        choices=['scan', 'trigger'])
    parser['scan'].add_argument(
        '--list',
        action='store_true',
        help='List the known hosts and exit')
    parser['scan'].add_argument(
        '--config',
        action='store_true',
        help='Try to configure detected hosts')
    parser['scan'].add_argument(
-        '-I', '--interface',
+        '-I', '--interfaces',
-        action='append',  default=[], required=True,
+        action='append',  default=[],
        help='On which interfaces to scan/trigger')
    parser['scan'].add_argument(
-        '--name-mapper',
+        '-d', '--delay',
-        action='store',  default=None,
+        action='store',  default=3600,
-        help='Map addresses to names, required for config mode')
+        help='How long to wait before reconfiguring after last try')
    parser['scan'].add_argument(
        '-d', '--config-delay',
        action='store',  default=3600, type=int,
        help='How long (seconds) to wait before reconfiguring after last try')
    parser['scan'].add_argument(
        '-t', '--trigger-delay',
        action='store',  default=5, type=int,
        help='How long (seconds) to wait between ICMPv6 echo requests')
    parser['scan'].set_defaults(func=cdist.scan.commandline.commandline)
    for p in parser:
@ -545,10 +533,10 @@ def parse_and_configure(argv, singleton=True):
    log = logging.getLogger("cdist")
-    log.verbose("version %s", cdist.VERSION)
+    log.verbose("version %s" % cdist.VERSION)
-    log.trace('command line args: %s', cfg.command_line_args)
+    log.trace('command line args: {}'.format(cfg.command_line_args))
-    log.trace('configuration: %s', cfg.get_config())
+    log.trace('configuration: {}'.format(cfg.get_config()))
-    log.trace('configured args: %s', args)
+    log.trace('configured args: {}'.format(args))
    check_beta(vars(args))
--- a/cdist/conf/explorer/lsb_codename
+++ b/cdist/conf/explorer/lsb_codename
@ -21,9 +21,6 @@
 set +e
 case "$("$__explorer/os")" in
   checkpoint)
       awk '{printf("%s\n", $(NF-1))}' /etc/cp-release
   ;;
   openwrt)
      # shellcheck disable=SC1091
      (. /etc/openwrt_release && echo "$DISTRIB_CODENAME")
--- a/cdist/conf/explorer/lsb_description
+++ b/cdist/conf/explorer/lsb_description
@ -21,9 +21,6 @@
 set +e
 case "$("$__explorer/os")" in
   checkpoint)
       cat /etc/cp-release
   ;;
   openwrt)
      # shellcheck disable=SC1091
      (. /etc/openwrt_release && echo "$DISTRIB_DESCRIPTION")
--- a/cdist/conf/explorer/lsb_id
+++ b/cdist/conf/explorer/lsb_id
@ -21,9 +21,6 @@
 set +e
 case "$("$__explorer/os")" in
   checkpoint)
       echo "CheckPoint"
   ;;
   openwrt)
      # shellcheck disable=SC1091
      (. /etc/openwrt_release && echo "$DISTRIB_ID")
--- a/cdist/conf/explorer/lsb_release
+++ b/cdist/conf/explorer/lsb_release
@ -21,9 +21,6 @@
 set +e
 case "$("$__explorer/os")" in
   checkpoint)
       sed /etc/cp-release -e 's/.* R\([1-9][0-9]*\)\.[0-9]*$/\1/'
   ;;
   openwrt)
      # shellcheck disable=SC1091
      (. /etc/openwrt_release && echo "$DISTRIB_RELEASE")
--- a/cdist/conf/explorer/machine_type
+++ b/cdist/conf/explorer/machine_type
--- a/cdist/conf/explorer/memory
+++ b/cdist/conf/explorer/memory
@ -1,9 +1,8 @@
-#!/bin/sh -e
+#!/bin/sh
 #
 # 2014 Daniel Heule  (hda at sfs.biz)
 # 2014 Thomas Oettli (otho at sfs.biz)
 # Copyright 2017, Philippe Gregoire <pg@pgregoire.xyz>
 # 2020 Dennis Camera <dennis.camera at ssrq-sds-fds.ch>
 #
 # This file is part of cdist.
 #
@ -20,73 +19,24 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
-# Returns the amount of memory physically installed in the system, or if that
+#
 # cannot be determined the amount available to the operating system kernel,
 # in kibibytes (kiB).
-str2bytes() {
+# FIXME: other system types (not linux ...)
 	awk -F' ' '
 	$2 ==   "B" || !$2 { print $1 }
 	$2 ==  "kB" { printf "%.f\n", ($1 * 1000) }
 	$2 ==  "MB" { printf "%.f\n", ($1 * 1000 * 1000) }
 	$2 ==  "GB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000) }
 	$2 ==  "TB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000 * 1000) }
 	$2 == "kiB" { printf "%.f\n", ($1 * 1024) }
 	$2 == "MiB" { printf "%.f\n", ($1 * 1024 * 1024) }
 	$2 == "GiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024) }
 	$2 == "TiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024 * 1024) }'
 }
-bytes2kib() {
+os=$("$__explorer/os")
-	awk '$0 > 0 { printf "%.f\n", ($0 / 1024) }'
+case "$os" in
-}
+    "macosx")
        echo "$(sysctl -n hw.memsize)/1024" | bc
    ;;
    *"bsd")
        PATH=$(getconf PATH)
        echo "$(sysctl -n hw.physmem) / 1048576" | bc
    ;;
-case $(uname -s)
+    *)
-in
+    if [ -r /proc/meminfo ]; then
-	(Darwin)
+        grep "MemTotal:" /proc/meminfo | awk '{print $2}'
-		sysctl -n hw.memsize | bytes2kib
+    fi
-		;;
+    ;;
 	(FreeBSD)
 		sysctl -n hw.realmem | bytes2kib
 		;;
 	(NetBSD|OpenBSD)
 		# NOTE: This reports "usable" memory, not physically installed memory.
 		command -p sysctl -n hw.physmem | bytes2kib
 		;;
 	(SunOS)
 		# Make sure that awk from xpg4 is used for the scripts to work
 		export PATH="/usr/xpg4/bin:${PATH}"
 		prtconf \
 		| awk -F ': ' '
 		  $1 == "Memory size" { sub(/Megabytes/, "MiB", $2); print $2 }
 		  /^$/ { exit }' \
 		| str2bytes \
 		| bytes2kib
 		;;
 	(Linux)
 		if test -d /sys/devices/system/memory
 		then
 			# Use memory blocks if the architecture (e.g. x86, PPC64, s390)
 			# supports them (they denote physical memory)
 			num_mem_blocks=$(cat /sys/devices/system/memory/memory[0-9]*/state | grep -cxF online)
 			mem_block_size=$(cat /sys/devices/system/memory/block_size_bytes)
 			echo $((num_mem_blocks * 0x$mem_block_size)) | bytes2kib && exit
 		fi
 		if test -r /proc/meminfo
 		then
 			# Fall back to meminfo file on other architectures (e.g. ARM, MIPS,
 			# PowerPC)
 			# NOTE: This is "usable" memory, not physically installed memory.
 			awk -F ': +' '$1 == "MemTotal" { sub(/B$/, "iB", $2); print $2 }' /proc/meminfo \
 			| str2bytes \
 			| bytes2kib
 		fi
 		;;
 	(*)
 		printf "Your kernel (%s) is currently not supported by the memory explorer\n" "$(uname -s)" >&2
 		printf "Please contribute an implementation for it if you can.\n" >&2
 		exit 1
 		;;
 esac
--- a/cdist/conf/explorer/os
+++ b/cdist/conf/explorer/os
@ -116,13 +116,6 @@ if [ -f /etc/slackware-version ]; then
   exit 0
 fi
 # Appliances
 if grep -q '^Check Point Gaia' /etc/cp-release 2>/dev/null; then
    echo checkpoint
    exit 0
 fi
 uname_s="$(uname -s)"
 # Assume there is no tr on the client -> do lower case ourselves
--- a/cdist/conf/explorer/os_release
+++ b/cdist/conf/explorer/os_release
@ -34,9 +34,5 @@ elif test -f /var/run/os-release
 then
 	# FreeBSD (created by os-release service)
 	cat /var/run/os-release
 elif test -f /etc/cp-release
 then
        # Checkpoint firewall or management (actually linux based)
        cat /etc/cp-release
 fi
--- a/cdist/conf/explorer/os_version
+++ b/cdist/conf/explorer/os_version
@ -1,7 +1,6 @@
-#!/bin/sh -e
+#!/bin/sh
 #
 # 2010-2011 Nico Schottelius (nico-cdist at schottelius.org)
 # 2020-2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -18,22 +17,12 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
 # All os variables are lower case
 #
 #
-rc_getvar() {
+case "$("$__explorer/os")" in
   awk -F= -v varname="$2" '
      function unquote(s) {
         if (s ~ /^".*"$/ || s ~ /^'\''.*'\''$/)
            return substr(s, 2, length(s) - 2)
         else
            return s
      }
      $1 == varname { print unquote(substr($0, index($0, "=") + 1)) }' "$1"
 }
 case $("${__explorer:?}/os")
 in
   amazon)
      cat /etc/system-release
   ;;
@ -41,9 +30,6 @@ in
      # empty, but well...
      cat /etc/arch-release
   ;;
   checkpoint)
       awk '{version=$NF; printf("%s\n", substr(version, 2))}' /etc/cp-release
    ;;
   debian)
      debian_version=$(cat /etc/debian_version)
      case $debian_version
@ -57,8 +43,6 @@ in
              # sid versions don't have a number, so we decode by codename:
              case $(expr "$debian_version" : '\([a-z]\{1,\}\)/')
              in
                  trixie) echo 12.99 ;;
                  bookworm) echo 11.99 ;;
                  bullseye) echo 10.99 ;;
                  buster) echo 9.99 ;;
                  stretch) echo 8.99 ;;
@ -66,7 +50,7 @@ in
                  wheezy) echo 6.99 ;;
                  squeeze) echo 5.99 ;;
                  lenny) echo 4.99 ;;
-                  *) echo 99.99 ;;
+                  *) exit 1
              esac
              ;;
          *)
@ -75,23 +59,7 @@ in
      esac
   ;;
   devuan)
-      devuan_version=$(cat /etc/devuan_version)
+      cat /etc/devuan_version
      case ${devuan_version}
      in
         (*/ceres)
            # ceres versions don't have a number, so we decode by codename:
            case ${devuan_version}
            in
               (chimaera/ceres) echo 3.99 ;;
               (beowulf/ceres) echo 2.99 ;;
               (ascii/ceres) echo 1.99 ;;
               (*) exit 1
            esac
            ;;
         (*)
            echo "${devuan_version}"
            ;;
      esac
   ;;
   fedora)
      cat /etc/fedora-release
@ -100,20 +68,12 @@ in
      cat /etc/gentoo-release
   ;;
   macosx)
-      # NOTE: Legacy versions (< 10.3) do not support options
+      sw_vers -productVersion
      sw_vers | awk -F ':[ \t]+' '$1 == "ProductVersion" { print $2 }'
   ;;
   freebsd)
      # Apparently uname -r is not a reliable way to get the patch level.
      # See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
-      if command -v freebsd-version >/dev/null 2>&1
+      freebsd-version
      then
         # get userland version
         freebsd-version -u
      else
         # fallback to kernel release for FreeBSD < 10.0
         uname -r
      fi
   ;;
   *bsd|solaris)
      uname -r
@ -138,20 +98,7 @@ in
      fi
   ;;
   ubuntu)
-      if command -v lsb_release >/dev/null 2>&1
+      lsb_release -sr
      then
         lsb_release -sr
      elif test -r /usr/lib/os-release
      then
         # fallback to /usr/lib/os-release if lsb_release is not present (like
         # on minimized Ubuntu installations)
         rc_getvar /usr/lib/os-release VERSION_ID
      elif test -r /etc/lsb-release
      then
         # extract DISTRIB_RELEASE= variable from /etc/lsb-release on old
         # versions without /usr/lib/os-release.
         rc_getvar /etc/lsb-release DISTRIB_RELEASE
      fi
   ;;
   alpine)
       cat /etc/alpine-release
--- a/cdist/conf/type/__apt_backports/manifest
+++ b/cdist/conf/type/__apt_backports/manifest
@ -28,7 +28,6 @@
 #  lsb_release may not be given in all installations
 codename_os_release() {
    # shellcheck disable=SC1090
    # shellcheck disable=SC1091
    . "$__global/explorer/os_release"
    printf "%s" "$VERSION_CODENAME"
 }
--- a/cdist/conf/type/__apt_key/explorer/state
+++ b/cdist/conf/type/__apt_key/explorer/state
@ -27,25 +27,18 @@ else
   keyid="$__object_id"
 fi
 # From apt-key(8):
 #   Use of apt-key is deprecated, except for the use of apt-key del in
 #   maintainer scripts to remove existing keys from the main keyring.
 #   If such usage of apt-key is desired the additional installation of
 #   the GNU Privacy Guard suite (packaged in gnupg) is required.
 if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
   if apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK"
      then echo present
      else echo absent
   fi
   exit
 fi
 keydir="$(cat "$__object/parameter/keydir")"
 keyfile="$keydir/$__object_id.gpg"
-if [ -f "$keyfile" ]
+if [ -d "$keydir" ]
 then
-   echo present
+   if [ -f "$keyfile" ]
-   exit
+   then echo present
   else echo absent
   fi
 else
   # fallback to deprecated apt-key
   apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
      && echo present \
      || echo absent
 fi
 echo absent
--- a/cdist/conf/type/__apt_key/gencode-remote
+++ b/cdist/conf/type/__apt_key/gencode-remote
@ -25,7 +25,11 @@ else
 fi
 state_should="$(cat "$__object/parameter/state")"
 state_is="$(cat "$__object/explorer/state")"
-method="$(cat "$__object/key_method")"
+
 if [ "$state_should" = "$state_is" ]; then
   # nothing to do
   exit 0
 fi
 keydir="$(cat "$__object/parameter/keydir")"
 keyfile="$keydir/$__object_id.gpg"
@ -33,18 +37,30 @@ keyfile="$keydir/$__object_id.gpg"
 case "$state_should" in
   present)
      keyserver="$(cat "$__object/parameter/keyserver")"
-      # Using __download or __file as key source
+
-      # Propagate messages if needed
+      if [ -f "$__object/parameter/uri" ]; then
-      if [ "${method}" = "uri" ] || [ "${method}" = "source" ]; then
+         uri="$(cat "$__object/parameter/uri")"
-         if grep -Eq "^__(file|download)$keyfile" "$__messages_in"; then
+
-            echo "added '$keyid'" >> "$__messages_out"
+         if [ -d "$keydir" ]; then
            cat << EOF
 curl -s -L \\
    -o "$keyfile" \\
    "$uri"
 key="\$( cat "$keyfile" )"
 if echo "\$key" | grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK'
 then
    echo "\$key" | gpg --dearmor > "$keyfile"
 fi
 EOF
         else
            # fallback to deprecated apt-key
            echo "curl -s -L '$uri' | apt-key add -"
         fi
-         exit 0
+      elif [ -d "$keydir" ]; then
      elif [ "${state_is}" = "present" ]; then
         exit 0
      fi
      # Using key servers to fetch the key
      if [ ! -f "$__object/parameter/use-deprecated-apt-key" ]; then
         # we need to kill gpg after 30 seconds, because gpg
         # can get stuck if keyserver is not responding.
         # exporting env var and not exit 1,
@ -84,16 +100,13 @@ EOF
      echo "added '$keyid'" >> "$__messages_out"
   ;;
   absent)
-      # Removal for keys added from a keyserver without this flag
+      if [ -f "$keyfile" ]; then
-      # is done in the manifest
+         echo "rm '$keyfile'"
-      if [ "$state_is" != "absent" ] && \
+      else
            [ -f "$__object/parameter/use-deprecated-apt-key" ]; then
         # fallback to deprecated apt-key
         echo "apt-key del \"$keyid\""
         echo "removed '$keyid'" >> "$__messages_out"
      # Propagate messages if needed
      elif grep -Eq "^__file$keyfile" "$__messages_in"; then
         echo "removed '$keyid'" >> "$__messages_out"
      fi
      echo "removed '$keyid'" >> "$__messages_out"
   ;;
 esac
--- a/cdist/conf/type/__apt_key/man.rst
+++ b/cdist/conf/type/__apt_key/man.rst
@ -10,14 +10,6 @@ DESCRIPTION
 -----------
 Manages the list of keys used by apt to authenticate packages.
 This is done by placing the requested key in a file named
 ``$__object_id.gpg`` in the ``keydir`` directory.
 This is supported by modern releases of Debian-based distributions.
 In order of preference, exactly one of: ``source``, ``uri`` or ``keyid``
 must be specified.
 REQUIRED PARAMETERS
 -------------------
@ -26,49 +18,21 @@ None.
 OPTIONAL PARAMETERS
 -------------------
 keydir
   keyring directory, defaults to ``/etc/apt/trusted.pgp.d``, which is
   enabled system-wide by default.
 source
   path to a file containing the GPG key of the repository.
   Using this is recommended as it ensures that the manifest/type manintainer
   has validated the key.
   If ``-``, the GPG key is read from the type's stdin.
 state
   'present' or 'absent'. Defaults to 'present'
 uri
   the URI from which to download the key.
   It is highly recommended that you only use protocols with TLS like HTTPS.
   This uses ``__download`` but does not use checksums, if you want to ensure
   that the key doesn't change, you are better off downloading it and using
   ``--source``.
 DEPRECATED OPTIONAL PARAMETERS
 ------------------------------
 keyid
-   the id of the key to download from the ``keyserver``.
+   the id of the key to add. Defaults to __object_id
   This is to be used in absence of ``--source`` and ``--uri`` or together
   with ``--use-deprecated-apt-key`` for key removal.
   Defaults to ``$__object_id``.
 keyserver
-   the keyserver from which to fetch the key.
+   the keyserver from which to fetch the key. If omitted the default set
-   Defaults to ``pool.sks-keyservers.net``.
+   in ./parameter/default/keyserver is used.
 keydir
   key save location, defaults to ``/etc/apt/trusted.pgp.d``
-DEPRECATED BOOLEAN PARAMETERS
+uri
-----------------------------
+   the URI from which to download the key
 use-deprecated-apt-key
   ``apt-key(8)`` will last be available in Debian 11 and Ubuntu 22.04.
   You can use this parameter to force usage of ``apt-key(8)``.
   Please only use this parameter to *remove* keys from the keyring,
   in order to prepare for removal of ``apt-key``.
   Adding keys should be done without this parameter.
   This parameter will be removed when Debian 11 stops being supported.
 EXAMPLES
@ -76,39 +40,33 @@ EXAMPLES
 .. code-block:: sh
-    # add a key that has been verified by a type maintainer
+    # Add Ubuntu Archive Automatic Signing Key
-    __apt_key jitsi_meet_2021 \
+    __apt_key 437D05B5
-       --source cdist-contrib/type/__jitsi_meet/files/apt_2021.gpg
+    # Same thing
    __apt_key 437D05B5 --state present
    # Get rid of it
    __apt_key 437D05B5 --state absent
-    # remove an old, deprecated or expired key
+    # same thing with human readable name and explicit keyid
-    __apt_key jitsi_meet_2016 --state absent
+    __apt_key UbuntuArchiveKey --keyid 437D05B5
-    # Get rid of a key that might have been added to
+    # same thing with other keyserver
-    # /etc/apt/trusted.gpg with apt-key
+    __apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
    __apt_key 0x40976EAF437D05B5 --use-deprecated-apt-key --state absent
-    # add a key that we define in-line
+    # download key from the internet
-    __apt_key jitsi_meet_2021 --source '-' <<EOF
+    __apt_key rabbitmq \
-    -----BEGIN PGP PUBLIC KEY BLOCK-----
+       --uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
    [...]
    -----END PGP PUBLIC KEY BLOCK-----
    EOF
    # download or update key from the internet
    __apt_key rabbitmq_2007 \
       --uri https://www.rabbitmq.com/rabbitmq-signing-key-public.asc
 AUTHORS
 -------
 Steven Armstrong <steven-cdist--@--armstrong.cc>
 Ander Punnar <ander-at-kvlt-dot-ee>
 Evilham <contact~~@~~evilham.com>
 COPYING
 -------
-Copyright \(C) 2011-2021 Steven Armstrong, Ander Punnar and Evilham. You can
+Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
 redistribute it and/or modify it under the terms of the GNU General Public
 License as published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__apt_key/manifest
+++ b/cdist/conf/type/__apt_key/manifest
@ -2,105 +2,7 @@
 __package gnupg
-state_should="$(cat "${__object}/parameter/state")"
+if [ -f "$__object/parameter/uri" ]
-
+then __package curl
-incompatible_args()
+else __package dirmngr
 {
 	cat >> /dev/stderr <<-EOF
 	This type does not support --${1} and --${method} simultaneously.
 	EOF
 	exit 1
 }
 if [ -f "${__object}/parameter/source" ]; then
 	method="source"
 	src="$(cat "${__object}/parameter/source")"
 	if [ "${src}" = "-" ]; then
 		src="${__object}/stdin"
 	fi
 fi
 if [ -f "${__object}/parameter/uri" ]; then
 	if [ -n "${method}" ]; then
 		incompatible_args uri
 	fi
 	method="uri"
 	src="$(cat "${__object}/parameter/uri")"
 fi
 if [ -f "${__object}/parameter/keyid" ]; then
 	if [ -n "${method}" ]; then
 		incompatible_args keyid
 	fi
 	method="keyid"
 fi
 # Keep old default
 if [ -z "${method}" ]; then
 	method="keyid"
 fi
 # Save this for later in gencode-remote
 echo "${method}" > "${__object}/key_method"
 # Required remotely (most likely already installed)
 __package dirmngr
 # We need this in case a key has to be dearmor'd
 __package gnupg
 export require="__package/gnupg"
 if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
 	# This is required if apt-key(8) is to be used
 	if [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
 		incompatible_args use-deprecated-apt-key
 	fi
 else
 	if [ "${state_should}" = "absent" ] && \
 			[ -f "${__object}/parameter/keyid" ]; then
 		cat >> /dev/stderr <<EOF
 You can't reliably remove by keyid without --use-deprecated-apt-key.
 This would very likely do something you do not intend.
 EOF
 		exit 1
 	fi
 fi
 keydir="$(cat "${__object}/parameter/keydir")"
 keyfile="${keydir}/${__object_id}.gpg"
 keyfilecdist="${keyfile}.cdist"
 if [ "${state_should}" != "absent" ]; then
 	# Ensure keydir exists
 	__directory "${keydir}" --state exists --mode 0755
 fi
 if [ "${state_should}" = "absent" ]; then
 	__file "${keyfile}" --state "absent"
 	__file "${keyfilecdist}" --state "absent"
 elif [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
 	dearmor="$(cat <<-EOF
 	if [ '${state_should}' = 'present' ]; then
 		# Dearmor if necessary
 		if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' '${keyfilecdist}'; then
 			gpg --dearmor < '${keyfilecdist}' > '${keyfile}'
 		else
 			cp '${keyfilecdist}' '${keyfile}'
 		fi
 		# Ensure permissions
 		chown root '${keyfile}'
 		chmod 0444 '${keyfile}'
 	fi
 	EOF
 	)"
 	if [ "${method}" = "uri" ]; then
 		__download "${keyfilecdist}" \
 			--url "${src}" \
 			--onchange "${dearmor}"
 		require="__download${keyfilecdist}" \
 			__file "${keyfile}" \
 				--owner root \
 				--mode 0444 \
 				--state pre-exists
 	else
 		__file "${keyfilecdist}" --state "${state_should}" \
 			--mode 0444 \
 			--source "${src}" \
 			--onchange "${dearmor}"
 	fi
 fi
--- a/cdist/conf/type/__apt_key/parameter/boolean
+++ b/cdist/conf/type/__apt_key/parameter/boolean
@ -1 +0,0 @@
 use-deprecated-apt-key
--- a/cdist/conf/type/__apt_key/parameter/deprecated/use-deprecated-apt-key
+++ b/cdist/conf/type/__apt_key/parameter/deprecated/use-deprecated-apt-key
@ -1,3 +0,0 @@
 apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
 Use this flag *only* to migrate to placing a keyring directly in the
 /etc/apt/trusted.gpg.d/ directory with a descriptive name.
--- a/cdist/conf/type/__apt_key/parameter/optional
+++ b/cdist/conf/type/__apt_key/parameter/optional
@ -1,6 +1,5 @@
-keydir
+state
 keyid
 keyserver
-source
+keydir
 state
 uri
--- a/cdist/conf/type/__apt_key_uri/deprecated
+++ b/cdist/conf/type/__apt_key_uri/deprecated
@ -1 +0,0 @@
 Please migrate to using __apt_key key_id --uri URI.
--- a/cdist/conf/type/__apt_pin/man.rst
+++ b/cdist/conf/type/__apt_pin/man.rst
@ -1,79 +0,0 @@
 cdist-type__apt_pin(7)
 ======================
 NAME
 ----
 cdist-type__apt_pin - Manage apt pinning rules
 DESCRIPTION
 -----------
 Adds/removes/edits rules to pin some packages to a specific distribution. Useful if using multiple debian repositories at the same time. (Useful, if one wants to use a few specific packages from backports or perhaps Debain testing... or even sid.)
 REQUIRED PARAMETERS
 -------------------
 distribution
   Specifies what distribution the package should be pinned to. Accepts both codenames (buster/bullseye/sid) and suite names (stable/testing/...).
 OPTIONAL PARAMETERS
 -------------------
 package
   Package name, glob or regular expression to match (multiple) packages. If not specified `__object_id` is used.
 priority
   The priority value to assign to matching packages. Deafults to 500. (To match the default target distro's priority)
 state
   Will be passed to underlying `__file` type; see there for valid values and defaults.
 BOOLEAN PARAMETERS
 ------------------
 None.
 EXAMPLES
 --------
 .. code-block:: sh
   # Add the bullseye repo to buster, but do not install any packages by default,
   # only if explicitely asked for (-1 means "never" for apt)
    __apt_pin bullseye-default \
       --package "*" \
       --distribution bullseye \
       --priority -1
    require="__apt_pin/bullseye-default" __apt_source bullseye \
       --uri http://deb.debian.org/debian/ \
       --distribution bullseye \
       --component main
    __apt_pin foo --package "foo foo-*" --distribution bullseye
    __foo # Assuming, this installs the `foo` package internally
    __package foo-plugin-extras # Assuming we also need some extra stuff
 SEE ALSO
 --------
 :strong:`apt_preferences`\ (5)
 :strong:`cdist-type__apt_source`\ (7)
 :strong:`cdist-type__apt_backports`\ (7)
 :strong:`cdist-type__file`\ (7)
 AUTHORS
 -------
 Daniel Fancsali <fancsali@gmail.com>
 COPYING
 -------
 Copyright \(C) 2021 Daniel Fancsali. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__apt_pin/manifest
+++ b/cdist/conf/type/__apt_pin/manifest
@ -1,68 +0,0 @@
 #!/bin/sh -e
 #
 # 2021 Daniel Fancsali (fancsali@gmail.com)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 name="$__object_id"
 os=$(cat "$__global/explorer/os")
 state="$(cat "$__object/parameter/state")"
 if [ -f "$__object/parameter/package" ]; then
    package="$(cat "$__object/parameter/package")"
 else
    package=$name
 fi
 distribution="$(cat "$__object/parameter/distribution")"
 priority="$(cat "$__object/parameter/priority")"
 case "$os" in
   debian|ubuntu|devuan)
   ;;
   *)
      printf "This type is specific to Debian and it's derivatives" >&2
      exit 1
   ;;
 esac
 case $distribution in
    stable|testing|unstable|experimental)
        pin="release a=$distribution"
        ;;
    *)
        pin="release n=$distribution"
        ;;
 esac
 __file "/etc/apt/preferences.d/$name" \
    --owner root --group root --mode 0644 \
    --state "$state" \
    --source - << EOF
 # Created by cdist ${__type##*/}
 # Do not change. Changes will be overwritten.
 #
 # $name
 Package: $package
 Pin: $pin
 Pin-Priority: $priority
 EOF
--- a/cdist/conf/type/__apt_pin/nonparallel
+++ b/cdist/conf/type/__apt_pin/nonparallel
--- a/cdist/conf/type/__apt_pin/parameter/default/priority
+++ b/cdist/conf/type/__apt_pin/parameter/default/priority
@ -1 +0,0 @@
 500
--- a/cdist/conf/type/__apt_pin/parameter/default/state
+++ b/cdist/conf/type/__apt_pin/parameter/default/state
@ -1 +0,0 @@
 present
--- a/cdist/conf/type/__apt_pin/parameter/optional
+++ b/cdist/conf/type/__apt_pin/parameter/optional
@ -1,3 +0,0 @@
 state
 package
 priority
--- a/cdist/conf/type/__apt_pin/parameter/required
+++ b/cdist/conf/type/__apt_pin/parameter/required
@ -1 +0,0 @@
 distribution
--- a/cdist/conf/type/__apt_ppa/files/remove-apt-repository
+++ b/cdist/conf/type/__apt_ppa/files/remove-apt-repository
@ -0,0 +1,55 @@
 #!/usr/bin/env python
 #
 # Remove the given apt repository.
 #
 # Exit with:
 #   0: if it worked
 #   1: if not
 #   2: on other error
 import os
 import sys
 from aptsources import distro, sourceslist
 from softwareproperties import ppa
 from softwareproperties.SoftwareProperties import SoftwareProperties
 def remove_if_empty(file_name):
    with open(file_name, 'r') as f:
        if f.read().strip():
            return
        os.unlink(file_name)
 def remove_repository(repository):
    #print 'repository:', repository
    codename = distro.get_distro().codename
    #print 'codename:', codename
    (line, file) = ppa.expand_ppa_line(repository.strip(), codename)
    #print 'line:', line
    #print 'file:', file
    deb_source_entry = sourceslist.SourceEntry(line, file)
    src_source_entry = sourceslist.SourceEntry('deb-src{}'.format(line[3:]), file)
    try:
        sp = SoftwareProperties()
        sp.remove_source(deb_source_entry)
        try:
            # If there's a deb-src entry, remove that too
            sp.remove_source(src_source_entry)
        except:
            pass
        remove_if_empty(file)
        return True
    except ValueError:
        print >> sys.stderr, "Error: '%s' doesn't exists in a sourcelist file" % line
        return False
 if __name__ == '__main__':
    if (len(sys.argv) != 2):
        print >> sys.stderr, 'Error: need a repository as argument'
        sys.exit(2)
    repository = sys.argv[1]
    if remove_repository(repository):
        sys.exit(0)
    else:
        sys.exit(1)
--- a/cdist/conf/type/__apt_ppa/gencode-remote
+++ b/cdist/conf/type/__apt_ppa/gencode-remote
@ -29,9 +29,9 @@ fi
 case "$state_should" in
   present)
-      echo "add-apt-repository -y '$name'"
+      echo "add-apt-repository '$name'"
   ;;
   absent)
-      echo "add-apt-repository -r -y '$name'"
+      echo "remove-apt-repository '$name'"
   ;;
 esac
--- a/cdist/conf/type/__apt_ppa/manifest
+++ b/cdist/conf/type/__apt_ppa/manifest
@ -20,4 +20,9 @@
 __package software-properties-common
 require="__package/software-properties-common" \
   __file /usr/local/bin/remove-apt-repository \
   --source "$__type/files/remove-apt-repository" \
   --mode 0755
 require="$__object_name" __apt_update_index
--- a/cdist/conf/type/__apt_source/files/source.list.template
+++ b/cdist/conf/type/__apt_source/files/source.list.template
@ -2,14 +2,13 @@
 set -u
 entry="$uri $distribution $component"
 cat << DONE
 # Created by cdist ${__type##*/}
 # Do not change. Changes will be overwritten.
 #
 # $name
-deb ${options} $entry
+deb ${forcedarch} $entry
 DONE
 if [ -f "$__object/parameter/include-src" ]; then
   echo "deb-src $entry"
--- a/cdist/conf/type/__apt_source/gencode-remote
+++ b/cdist/conf/type/__apt_source/gencode-remote
@ -22,21 +22,7 @@
 name="$__object_id"
 destination="/etc/apt/sources.list.d/${name}.list"
 # There are special arguments to apt(8) to prevent aborts if apt woudn't been
 # updated after the 19th April 2021 till the bullseye release. The additional
 # arguments acknoledge the happend suite change (the apt(8) update does the
 # same by itself).
 #
 # Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
 # allows backward compatablility to pre-buster Debian versions.
 #
 # See more: ticket #861
 # https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
 apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
 # run 'apt-get update' only if something changed with our sources.list file
 #   it will be run a second time on error as a redundancy messure to success
 if grep -q "^__file${destination}" "$__messages_in"; then
-   printf 'apt-get %s update || apt-get %s update\n' "$apt_opts" "$apt_opts"
+   printf 'apt-get update || apt-get update\n'
 fi
--- a/cdist/conf/type/__apt_source/man.rst
+++ b/cdist/conf/type/__apt_source/man.rst
@ -23,9 +23,6 @@ OPTIONAL PARAMETERS
 arch
   set this if you need to force and specific arch (ubuntu specific)
 signed-by
   provide a GPG key fingerprint or keyring path for signature checks
 state
   'present' or 'absent', defaults to 'present'
@ -59,11 +56,6 @@ EXAMPLES
       --uri http://archive.canonical.com/ \
       --component partner --state present
    __apt_source goaccess \
       --uri http://deb.goaccess.io/ \
       --component main \
       --signed-by C03B48887D5E56B046715D3297BD1A0133449C3D
 AUTHORS
 -------
--- a/cdist/conf/type/__apt_source/manifest
+++ b/cdist/conf/type/__apt_source/manifest
@ -31,15 +31,9 @@ fi
 component="$(cat "$__object/parameter/component")"
 if [ -f "$__object/parameter/arch" ]; then
-   options="arch=$(cat "$__object/parameter/arch")"
+   forcedarch="[arch=$(cat "$__object/parameter/arch")]"
-fi
+else
-
+   forcedarch=""
 if [ -f "$__object/parameter/signed-by" ]; then
   options="$options signed-by=$(cat "$__object/parameter/signed-by")"
 fi
 if [ "$options" ]; then
    options="[$options]"
 fi
 # export variables for use in template
@ -47,7 +41,7 @@ export name
 export uri
 export distribution
 export component
-export options
+export forcedarch
 # generate file from template
 mkdir "$__object/files"
--- a/cdist/conf/type/__apt_source/parameter/optional
+++ b/cdist/conf/type/__apt_source/parameter/optional
@ -1,5 +1,4 @@
 state
 distribution
 component
-arch
+arch
 signed-by
--- a/cdist/conf/type/__apt_update_index/gencode-remote
+++ b/cdist/conf/type/__apt_update_index/gencode-remote
@ -18,23 +18,9 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 # There are special arguments to apt(8) to prevent aborts if apt woudn't been
 # updated after the 19th April 2021 till the bullseye release. The additional
 # arguments acknoledge the happend suite change (the apt(8) update does the
 # same by itself).
 #
 # Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
 # allows backward compatablility to pre-buster Debian versions.
 #
 # See more: ticket #861
 # https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
 apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
 # run 'apt-get update' if anything in /etc/apt is newer then /var/lib/apt/lists
 #   it will be run a second time on error as a redundancy messure to success
 cat << DONE
 if find /etc/apt -mindepth 1 -cnewer /var/lib/apt/lists | grep . > /dev/null; then
-   apt-get $apt_opts update || apt-get $apt_opts update
+   apt-get update || apt-get update
 fi
 DONE
--- a/cdist/conf/type/__debconf_set_selections/explorer/state
+++ b/cdist/conf/type/__debconf_set_selections/explorer/state
@ -1,142 +0,0 @@
 #!/bin/sh -e
 #
 # 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 # Determine current debconf selections' state.
 # Prints one of:
 #   present: all selections are already set as they should.
 #   different: one or more of the selections have a different value.
 #   absent: one or more of the selections are not (currently) defined.
 #
 test -x /usr/bin/perl || {
 	# cannot find perl (no perl ~ no debconf)
 	echo 'absent'
 	exit 0
 }
 linesfile="${__object:?}/parameter/line"
 test -s "${linesfile}" || {
 	if test -s "${__object:?}/parameter/file"
 	then
 		echo absent
 	else
 		echo present
 	fi
 	exit 0
 }
 # assert __type_explorer is set (because it is used by the Perl script)
 : "${__type_explorer:?}"
 /usr/bin/perl -- - "${linesfile}" <<'EOF'
 use strict;
 use warnings "all";
 use Fcntl qw(:DEFAULT :flock);
 use Debconf::Db;
 use Debconf::Question;
 # Extract @known... arrays from debconf-set-selections
 # These values are required to distinguish flags and values in the given lines.
 # DC: I couldn't think of a more ugly solution to the problem…
 my @knownflags;
 my @knowntypes;
 my $debconf_set_selections = '/usr/bin/debconf-set-selections';
 if (-e $debconf_set_selections) {
 	my $sed_known = 's/^my \(@known\(flags\|types\) = qw([a-z ]*);\).*$/\1/p';
 	eval `sed -n '$sed_known' '$debconf_set_selections'`;
 }
 sub mungeline ($) {
 	my $line = shift;
 	chomp $line;
 	$line =~ s/\r$//;
 	return $line;
 }
 sub fatal { printf STDERR @_; exit 1; }
 my $state = 'present';
 sub state {
 	my $new = shift;
 	if ($state eq 'present'
 	    or ($state eq 'different' and $new eq 'absent')) {
 		$state = $new;
 	}
 }
 # Load Debconf DB but manually lock on the state explorer script,
 # because Debconf aborts immediately if executed concurrently.
 # This is not really an ideal solution because the Debconf DB could be locked by
 # another process (e.g. apt-get), but no way to achieve this could be found.
 # If you know how to, please provide a patch.
 my $lockfile = "%ENV{'__type_explorer'}/state";
 if (open my $lock_fh, '+<', $lockfile) {
   flock $lock_fh, LOCK_EX or die "Cannot lock $lockfile";
 }
 {
 	Debconf::Db->load(readonly => 'true');
 }
 while (<>) {
 	# Read and process lines (taken from debconf-set-selections)
 	$_ = mungeline($_);
 	while (/\\$/ && ! eof) {
 		s/\\$//;
 		$_ .= mungeline(<>);
 	}
 	next if /^\s*$/ || /^\s*\#/;
 	my ($owner, $label, $type, $content) = /^\s*(\S+)\s+(\S+)\s+(\S+)(?:\s(.*))?/
 		or fatal "invalid line: %s\n", $_;
 	$content = '' unless defined $content;
 	# Compare is and should state
 	my $q = Debconf::Question->get($label);
 	unless (defined $q) {
 		# probably a preseed
 		state 'absent';
 		next;
 	}
 	if (grep { $_ eq $q->type } @knownflags) {
 		# This line wants to set a flag, presumably.
 		if ($q->flag($q->type) ne $content) {
 			state 'different';
 		}
 	} else {
 		# Otherwise, it's probably a value…
 		if ($q->value ne $content) {
 			state 'different';
 		}
 		unless (grep { $_ eq $owner } (split /, /, $q->owners)) {
 			state 'different';
 		}
 	}
 }
 printf "%s\n", $state;
 EOF
--- a/cdist/conf/type/__debconf_set_selections/gencode-remote
+++ b/cdist/conf/type/__debconf_set_selections/gencode-remote
@ -1,7 +1,6 @@
 #!/bin/sh -e
 #
 # 2011-2014 Nico Schottelius (nico-cdist at schottelius.org)
 # 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -18,37 +17,16 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
 # Setup selections
 #
-if test -f "${__object:?}/parameter/line"
+filename="$(cat "$__object/parameter/file")"
-then
+
-	filename="${__object:?}/parameter/line"
+if [ "$filename" = "-" ]; then
-elif test -s "${__object:?}/parameter/file"
+    filename="$__object/stdin"
 then
 	filename=$(cat "${__object:?}/parameter/file")
 	if test "${filename}" = '-'
 	then
 		filename="${__object:?}/stdin"
 	fi
 else
 	printf 'Neither --line nor --file set.\n' >&2
 	exit 1
 fi
-# setting no lines makes no sense
+echo "debconf-set-selections << __file-eof"
-test -s "${filename}" || exit 0
+cat "$filename"
-
+echo "__file-eof"
 state_is=$(cat "${__object:?}/explorer/state")
 if test "${state_is}" != 'present'
 then
 	cat <<-CODE
 	debconf-set-selections <<'EOF'
 	$(cat "${filename}")
 	EOF
 	CODE
 	awk '
 		{
 			printf "set %s %s %s %s\n", $1, $2, $3, $4
 		}' "${filename}" >>"${__messages_out:?}"
 fi
--- a/cdist/conf/type/__debconf_set_selections/man.rst
+++ b/cdist/conf/type/__debconf_set_selections/man.rst
@ -8,33 +8,15 @@ cdist-type__debconf_set_selections - Setup debconf selections
 DESCRIPTION
 -----------
-On Debian and alike systems :strong:`debconf-set-selections`\ (1) can be used
+On Debian and alike systems debconf-set-selections(1) can be used
 to setup configuration parameters.
 REQUIRED PARAMETERS
 -------------------
 cf. ``--line``.
 OPTIONAL PARAMETERS
 -------------------
 file
-   Use the given filename as input for :strong:`debconf-set-selections`\ (1)
+   Use the given filename as input for debconf-set-selections(1)
-   If filename is ``-``, read from stdin.
+   If filename is "-", read from stdin.
   **This parameter is deprecated, because it doesn't work with state detection.**
 line
   A line in :strong:`debconf-set-selections`\ (1) compatible format.
   This parameter can be used multiple times to set multiple options.
   (This parameter is actually required, but marked optional because the
   deprecated ``--file`` is still accepted.)
 BOOLEAN PARAMETERS
 ------------------
 None.
 EXAMPLES
@ -42,29 +24,30 @@ EXAMPLES
 .. code-block:: sh
-    # Setup gitolite's gituser
+    # Setup configuration for nslcd
-    __debconf_set_selections nslcd --line 'gitolite gitolite/gituser string git'
+    __debconf_set_selections nslcd --file /path/to/file
-    # Setup configuration for nslcd from a file.
+    # Setup configuration for nslcd from another type
-    # NB: Multiple lines can be passed to --line, although this can be considered a hack.
+    __debconf_set_selections nslcd --file "$__type/files/preseed/nslcd"
-    __debconf_set_selections nslcd --line "$(cat "${__files:?}/preseed/nslcd.debconf")"
+
    __debconf_set_selections nslcd --file - << eof
    gitolite gitolite/gituser string git
    eof
 SEE ALSO
 --------
- :strong:`cdist-type__update_alternatives`\ (7)
+:strong:`debconf-set-selections`\ (1), :strong:`cdist-type__update_alternatives`\ (7)
 - :strong:`debconf-set-selections`\ (1)
 AUTHORS
 -------
-| Nico Schottelius <nico-cdist--@--schottelius.org>
+Nico Schottelius <nico-cdist--@--schottelius.org>
 | Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
 COPYING
 -------
-Copyright \(C) 2011-2014 Nico Schottelius, 2021 Dennis Camera.
+Copyright \(C) 2011-2014 Nico Schottelius. You can redistribute it
-You can redistribute it and/or modify it under the terms of the GNU General
+and/or modify it under the terms of the GNU General Public License as
-Public License as published by the Free Software Foundation, either version 3 of
+published by the Free Software Foundation, either version 3 of the
-the License, or (at your option) any later version.
+License, or (at your option) any later version.
--- a/cdist/conf/type/__debconf_set_selections/nonparallel
+++ b/cdist/conf/type/__debconf_set_selections/nonparallel
--- a/cdist/conf/type/__debconf_set_selections/parameter/deprecated/file
+++ b/cdist/conf/type/__debconf_set_selections/parameter/deprecated/file
@ -1 +0,0 @@
 'file' has been deprecated in favour of 'line' in order to provide idempotency.
--- a/cdist/conf/type/__debconf_set_selections/parameter/optional_multiple
+++ b/cdist/conf/type/__debconf_set_selections/parameter/optional_multiple
@ -1 +0,0 @@
 line
--- a/cdist/conf/type/__debconf_set_selections/parameter/required
+++ b/cdist/conf/type/__debconf_set_selections/parameter/required
--- a/cdist/conf/type/__dot_file/man.rst
+++ b/cdist/conf/type/__dot_file/man.rst
@ -37,12 +37,6 @@ state
 source
    forwarded to :strong:`__file` type
 file
    forwarded to :strong:`__file` type
    This can be used if multiple users need to have a dotfile updated,
    which will result in duplicate object id errors. When using the
    file parameter the object id can be some unique value.
 MESSAGES
 --------
@ -67,15 +61,6 @@ EXAMPLES
    # Install default xmonad config for user 'eve'. Parent directory is created automatically.
    __dot_file .xmonad/xmonad.hs --user eve --state exists --source "$__files/xmonad.hs"
    # install .vimrc for root and some users
    for user in root userx usery userz; do
        __dot_file "${user}_dot_vimrc" \
            --user $user \
            --file .vimrc \
            --state exists \
            --source "$__files/$user/.vimrc"
    done
 SEE ALSO
 --------
--- a/cdist/conf/type/__dot_file/manifest
+++ b/cdist/conf/type/__dot_file/manifest
@ -20,19 +20,13 @@ user="$(cat "${__object}/parameter/user")"
 home="$(cat "${__object}/explorer/home")"
 primary_group="$(cat "${__object}/explorer/primary_group")"
 dirmode="$(cat "${__object}/parameter/dirmode")"
 if [ -f "${__object}/parameter/file" ]; then
    file="$(cat "${__object}/parameter/file")"
 else
    file="${__object_id}"
 fi
 # Create parent directory. Type __directory has flag 'parents', but it
 # will leave us with root-owned directory in user home, which is not
 # acceptable. So we create parent directories one-by-one. XXX: maybe
 # it should be fixed in '__directory'?
 set --
-subpath=${file}
+subpath=${__object_id}
 while subpath="$(dirname "${subpath}")" ; do
 	[ "${subpath}" = . ] && break
 	set -- "${subpath}" "$@"
@ -70,4 +64,4 @@ if [ "${source}" = "-" ] ; then
 fi
 unset source
-__file "${home}/${file}" --owner "$user" --group "$primary_group" "$@"
+__file "${home}/${__object_id}" --owner "$user" --group "$primary_group" "$@"
--- a/cdist/conf/type/__download/explorer/remote_cmd
+++ b/cdist/conf/type/__download/explorer/remote_cmd
@ -0,0 +1,19 @@
 #!/bin/sh -e
 if [ -f "$__object/parameter/cmd-get" ]
 then
    cmd="$( cat "$__object/parameter/cmd-get" )"
 elif command -v curl > /dev/null
 then
    cmd="curl -L -o - '%s'"
 elif command -v fetch > /dev/null
 then
    cmd="fetch -o - '%s'"
 else
    cmd="wget -O - '%s'"
 fi
 echo "$cmd"
--- a/cdist/conf/type/__download/explorer/remote_cmd_get
+++ b/cdist/conf/type/__download/explorer/remote_cmd_get
@ -1,16 +0,0 @@
 #!/bin/sh -e
 if [ -f "$__object/parameter/cmd-get" ]
 then
    cat "$__object/parameter/cmd-get"
 elif
    command -v curl > /dev/null
 then
    echo "curl -sSL -o - '%s'"
 elif
    command -v fetch > /dev/null
 then
    echo "fetch -o - '%s'"
 else
    echo "wget -O - '%s'"
 fi
--- a/cdist/conf/type/__download/explorer/remote_cmd_sum
+++ b/cdist/conf/type/__download/explorer/remote_cmd_sum
@ -1,82 +0,0 @@
 #!/bin/sh -e
 if [ ! -f "$__object/parameter/sum" ]
 then
    exit 0
 fi
 if [ -f "$__object/parameter/cmd-sum" ]
 then
    cat "$__object/parameter/cmd-sum"
    exit 0
 fi
 sum_should="$( cat "$__object/parameter/sum" )"
 if echo "$sum_should" | grep -Fq ':'
 then
    sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
 else
    if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
    then
        sum_hash='cksum'
    elif
        echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
    then
        sum_hash='md5'
    elif
        echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
    then
        sum_hash='sha1'
    elif
        echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
    then
        sum_hash='sha256'
    else
        echo 'hash format detection failed' >&2
        exit 1
    fi
 fi
 os="$( "$__explorer/os" )"
 case "$sum_hash" in
    cksum)
        echo "cksum %s | awk '{print \$1\" \"\$2}'"
    ;;
    md5)
        case "$os" in
            freebsd)
                echo "md5 -q %s"
            ;;
            *)
                echo "md5sum %s | awk '{print \$1}'"
            ;;
        esac
    ;;
    sha1)
        case "$os" in
            freebsd)
                echo "sha1 -q %s"
            ;;
            *)
                echo "sha1sum %s | awk '{print \$1}'"
            ;;
        esac
    ;;
    sha256)
        case "$os" in
            freebsd)
                echo "sha256 -q %s"
            ;;
            *)
                echo "sha256sum %s | awk '{print \$1}'"
            ;;
        esac
    ;;
    *)
        # we arrive here only if --sum is given with unknown format prefix
        echo "unknown hash format: $sum_hash" >&2
        exit 1
    ;;
 esac
--- a/cdist/conf/type/__download/explorer/state
+++ b/cdist/conf/type/__download/explorer/state
@ -1,11 +1,6 @@
 #!/bin/sh -e
-if [ -f "$__object/parameter/destination" ]
+dst="/$__object_id"
 then
    dst="$( cat "$__object/parameter/destination" )"
 else
    dst="/$__object_id"
 fi
 if [ ! -f "$dst" ]
 then
@ -13,27 +8,59 @@ then
    exit 0
 fi
 if [ ! -f "$__object/parameter/sum" ]
 then
    echo 'present'
    exit 0
 fi
 sum_should="$( cat "$__object/parameter/sum" )"
-if echo "$sum_should" | grep -Fq ':'
+if [ -f "$__object/parameter/cmd-sum" ]
 then
-    sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
+    # shellcheck disable=SC2059
    sum_is="$( eval "$( printf \
        "$( cat "$__object/parameter/cmd-sum" )" \
        "$dst" )" )"
 else
    os="$( "$__explorer/os" )"
    if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
    then
        sum_is="$( cksum "$dst" | awk '{print $1" "$2}' )"
    elif echo "$sum_should" | grep -Eiq '^md5:[a-f0-9]{32}$'
    then
        case "$os" in
            freebsd)
                sum_is="md5:$( md5 -q "$dst" )"
            ;;
            *)
                sum_is="md5:$( md5sum "$dst" | awk '{print $1}' )"
            ;;
        esac
    elif echo "$sum_should" | grep -Eiq '^sha1:[a-f0-9]{40}$'
    then
        case "$os" in
            freebsd)
                sum_is="sha1:$( sha1 -q "$dst" )"
            ;;
            *)
                sum_is="sha1:$( sha1sum "$dst" | awk '{print $1}' )"
            ;;
        esac
    elif echo "$sum_should" | grep -Eiq '^sha256:[a-f0-9]{64}$'
    then
        case "$os" in
            freebsd)
                sum_is="sha256:$( sha256 -q "$dst" )"
            ;;
            *)
                sum_is="sha256:$( sha256sum "$dst" | awk '{print $1}' )"
            ;;
        esac
    fi
 fi
 sum_cmd="$( "$__type_explorer/remote_cmd_sum" )"
 # shellcheck disable=SC2059
 sum_is="$( eval "$( printf "$sum_cmd" "'$dst'" )" )"
 if [ -z "$sum_is" ]
 then
-    echo 'existing destination checksum failed' >&2
+    echo 'no checksum from target' >&2
    exit 1
 fi
--- a/cdist/conf/type/__download/gencode-local
+++ b/cdist/conf/type/__download/gencode-local
@ -11,133 +11,34 @@ fi
 url="$( cat "$__object/parameter/url" )"
-if [ -f "$__object/parameter/destination" ]
+tmp="$( mktemp )"
-then
+
-    dst="$( cat "$__object/parameter/destination" )"
+dst="/$__object_id"
 else
    dst="/$__object_id"
 fi
 if [ -f "$__object/parameter/cmd-get" ]
 then
    cmd="$( cat "$__object/parameter/cmd-get" )"
 elif command -v wget > /dev/null
 then
    cmd="wget -O - '%s'"
 elif command -v curl > /dev/null
 then
-    cmd="curl -sSL -o - '%s'"
+    cmd="curl -L -o - '%s'"
 elif command -v fetch > /dev/null
 then
    cmd="fetch -o - '%s'"
 elif command -v wget > /dev/null
 then
    cmd="wget -O - '%s'"
 else
-    echo 'local download failed, no usable utility' >&2
+    echo 'no usable locally installed utility for downloading' >&2
    exit 1
 fi
-echo "download_tmp=\"\$( mktemp )\""
+printf "$cmd > %s\n" \
-
+    "$url" \
-# shellcheck disable=SC2059
+    "$tmp"
 printf "$cmd > \"\$download_tmp\"\n" "$url"
 if [ -f "$__object/parameter/sum" ]
 then
    sum_should="$( cat "$__object/parameter/sum" )"
    if [ -f "$__object/parameter/cmd-sum" ]
    then
        local_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
    else
        if echo "$sum_should" | grep -Fq ':'
        then
            sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
            sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
        else
            if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
            then
                sum_hash='cksum'
            elif
                echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
            then
                sum_hash='md5'
            elif
                echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
            then
                sum_hash='sha1'
            elif
                echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
            then
                sum_hash='sha256'
            else
                echo 'hash format detection failed' >&2
                exit 1
            fi
        fi
        case "$sum_hash" in
            cksum)
                local_cmd_sum="cksum %s | awk '{print \$1\" \"\$2}'"
            ;;
            md5)
                if command -v md5 > /dev/null
                then
                    local_cmd_sum="md5 -q %s"
                elif
                    command -v md5sum > /dev/null
                then
                    local_cmd_sum="md5sum %s | awk '{print \$1}'"
                fi
            ;;
            sha1)
                if command -v sha1 > /dev/null
                then
                    local_cmd_sum="sha1 -q %s"
                elif
                    command -v sha1sum > /dev/null
                then
                    local_cmd_sum="sha1sum %s | awk '{print \$1}'"
                fi
            ;;
            sha256)
                if command -v sha256 > /dev/null
                then
                    local_cmd_sum="sha256 -q %s"
                elif
                    command -v sha256sum > /dev/null
                then
                    local_cmd_sum="sha256sum %s | awk '{print \$1}'"
                fi
            ;;
            *)
                # we arrive here only if --sum is given with unknown format prefix
                echo "unknown hash format: $sum_hash" >&2
                exit 1
            ;;
        esac
        if [ -z "$local_cmd_sum" ]
        then
            echo 'local checksum verification failed, no usable utility' >&2
            exit 1
        fi
    fi
    # shellcheck disable=SC2059
    echo "sum_is=\"\$( $( printf "$local_cmd_sum" "\"\$download_tmp\"" ) )\""
    echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
    echo "echo 'local download checksum mismatch' >&2"
    echo "rm -f \"\$download_tmp\""
    echo 'exit 1; fi'
 fi
 if echo "$__target_host" | grep -Eq '^[0-9a-fA-F:]+$'
 then
@ -146,10 +47,12 @@ else
    target_host="$__target_host"
 fi
-# shellcheck disable=SC2016
+printf '%s %s %s:%s\n' \
 printf '%s "$download_tmp" %s:%s\n' \
    "$__remote_copy" \
    "$tmp" \
    "$target_host" \
    "$dst"
-echo "rm -f \"\$download_tmp\""
+echo "rm -f '$tmp'"
 echo 'downloaded' > "$__messages_out"
--- a/cdist/conf/type/__download/gencode-remote
+++ b/cdist/conf/type/__download/gencode-remote
@ -6,51 +6,17 @@ state_is="$( cat "$__object/explorer/state" )"
 if [ "$download" = 'remote' ] && [ "$state_is" != 'present' ]
 then
-    cmd_get="$( cat "$__object/explorer/remote_cmd_get" )"
+    cmd="$( cat "$__object/explorer/remote_cmd" )"
    url="$( cat "$__object/parameter/url" )"
-    if [ -f "$__object/parameter/destination" ]
+    dst="/$__object_id"
    then
        dst="$( cat "$__object/parameter/destination" )"
    else
        dst="/$__object_id"
    fi
-    echo "download_tmp=\"\$( mktemp )\""
+    printf "$cmd > %s\n" \
        "$url" \
        "$dst"
-    # shellcheck disable=SC2059
+    echo 'downloaded' > "$__messages_out"
    printf "$cmd_get > \"\$download_tmp\"\n" "$url"
    if [ -f "$__object/parameter/sum" ]
    then
        sum_should="$( cat "$__object/parameter/sum" )"
        if [ -f "$__object/parameter/cmd-sum" ]
        then
            remote_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
        else
            remote_cmd_sum="$( cat "$__object/explorer/remote_cmd_sum" )"
            if echo "$sum_should" | grep -Fq ':'
            then
                sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
            fi
        fi
        # shellcheck disable=SC2059
        echo "sum_is=\"\$( $( printf "$remote_cmd_sum" "\"\$download_tmp\"" ) )\""
        echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
        echo "echo 'remote download checksum mismatch' >&2"
        echo "rm -f \"\$download_tmp\""
        echo 'exit 1; fi'
    fi
    echo "mv \"\$download_tmp\" '$dst'"
 fi
 if [ -f "$__object/parameter/onchange" ] && [ "$state_is" != "present" ]
--- a/cdist/conf/type/__download/man.rst
+++ b/cdist/conf/type/__download/man.rst
@ -8,7 +8,10 @@ cdist-type__download - Download a file
 DESCRIPTION
 -----------
-By default type will try to use ``curl``, ``fetch`` or ``wget``.
+Destination (``$__object_id``) in target host must be persistent storage
 in order to calculate checksum and decide if file must be (re-)downloaded.
 By default type will try to use ``wget``, ``curl`` or ``fetch``.
 If download happens in target (see ``--download``) then type will
 fallback to (and install) ``wget``.
@ -16,40 +19,23 @@ If download happens in local machine, then environment variables like
 ``{http,https,ftp}_proxy`` etc can be used on cdist execution
 (``http_proxy=foo cdist config ...``).
 To change downloaded file's owner, group or permissions, use ``require='__download/path/to/file' __file ...``.
 REQUIRED PARAMETERS
 -------------------
 url
   File's URL.
 sum
   Checksum of file going to be downloaded.
   By default output of ``cksum`` without filename is expected.
   Other hash formats supported with prefixes: ``md5:``, ``sha1:`` and ``sha256:``.
 OPTIONAL PARAMETERS
 -------------------
 destination
   Downloaded file's destination in target. If unset, ``$__object_id`` is used.
 sum
   Supported formats: ``cksum`` output without file name, MD5, SHA1 and SHA256.
   Type tries to detect hash format with regexes, but prefixes
   ``cksum:``, ``md5:``, ``sha1:`` and ``sha256:`` are also supported.
   Checksum have two purposes - state check and post-download verification.
   In state check, if destination checksum mismatches, then content of URL
   will be downloaded to temporary file. If downloaded temporary file's
   checksum matches, then it will be moved to destination (overwritten).
   For local downloads it is expected that usable utilities for checksum
   calculation exist in the system.
 download
-   If ``local`` (default), then file is downloaded to local storage and copied
+   If ``local`` (default), then download file to local storage and copy
-   to target host. If ``remote``, then download happens in target.
+   it to target host. If ``remote``, then download happens in target.
   For local downloads it is expected that usable utilities for downloading
   exist in the system. Type will try to use ``curl``, ``fetch`` or ``wget``.
 cmd-get
   Command used for downloading.
@ -79,7 +65,7 @@ EXAMPLES
    require='__directory/opt/cpma' \
        __download /opt/cpma/cnq3.zip \
            --url https://cdn.playmorepromode.com/files/cnq3/cnq3-1.51.zip \
-            --sum 46da3021ca9eace277115ec9106c5b46
+            --sum md5:46da3021ca9eace277115ec9106c5b46
    require='__download/opt/cpma/cnq3.zip' \
        __unpack /opt/cpma/cnq3.zip \
@ -95,7 +81,7 @@ Ander Punnar <ander-at-kvlt-dot-ee>
 COPYING
 -------
-Copyright \(C) 2021 Ander Punnar. You can redistribute it
+Copyright \(C) 2020 Ander Punnar. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__download/manifest
+++ b/cdist/conf/type/__download/manifest
@ -1,6 +1,6 @@
 #!/bin/sh -e
-if grep -Eq '^wget' "$__object/explorer/remote_cmd_get"
+if grep -Eq '^wget' "$__object/explorer/remote_cmd"
 then
    __package wget
 fi
--- a/cdist/conf/type/__download/parameter/optional
+++ b/cdist/conf/type/__download/parameter/optional
@ -1,6 +1,4 @@
 cmd-get
 cmd-sum
 destination
 download
 onchange
 sum
--- a/cdist/conf/type/__download/parameter/required
+++ b/cdist/conf/type/__download/parameter/required
@ -1 +1,2 @@
 url
 sum
--- a/cdist/conf/type/__file/gencode-local
+++ b/cdist/conf/type/__file/gencode-local
@ -1,7 +1,7 @@
 #!/bin/sh -e
 #
 # 2011-2012 Nico Schottelius (nico-cdist at schottelius.org)
-# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
+# 2013 Steven Armstrong (steven-cdist armstrong.cc)
 #
 # This file is part of cdist.
 #
@ -72,7 +72,6 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
         if [ "$type" != "file" ]; then
            # destination is not a regular file, upload source to replace it
            upload_file=1
            echo upload >> "$__messages_out"
         else
            local_cksum="$(cksum < "$source")"
            remote_cksum="$(cat "$__object/explorer/cksum")"
@ -89,39 +88,27 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
      mkdir "$__object/files"
      touch "$__object/files/set-attributes"
      if [ "$create_file" ]; then
         # When creating an empty file we create it locally and then
         # upload it so that permissions can be set before moving the file
         # into place.
         source="$__object/files/empty"
         touch "$source"
      fi
      # upload file to temp location
-      upload_destination="${destination}.cdist.${__cdist_object_marker}.$$"
+      tempfile_template="${destination}.cdist.XXXXXXXXXX"
      # Yes, we are aware that this is a race condition.
      # However:
      # a) cdist usually writes to directories that are not user writable
      #    (probably > 99.9%)
      # b) if they are user owned, the user / attacker always wins
      #    (probably < 0.1%)
      # c) the only case which we could improve are tmp directories and we
      #    don't think managing tmp directories with cdist is a typical case
      #    ("the rest %)"
      # Tell gencode-remote to where we uploaded the file so it can move
      # it to its final destination.
      echo "$upload_destination" > "$__object/files/upload-destination"
      # IPv6 fix
      if echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$'
      then
          my_target_host="[${__target_host}]"
      else
          my_target_host="${__target_host}"
      fi
      cat << DONE
-$__remote_copy "$source" "${my_target_host}:${upload_destination}"
+destination_upload="\$($__remote_exec $__target_host "mktemp $tempfile_template")"
 DONE
      if [ "$upload_file" ]; then
         echo upload >> "$__messages_out"
         # IPv6 fix
         if echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$'
         then
             my_target_host="[${__target_host}]"
         else
             my_target_host="${__target_host}"
         fi
         cat << DONE
 $__remote_copy "$source" "${my_target_host}:\$destination_upload"
 DONE
      fi
 # move uploaded file into place
 cat << DONE
 $__remote_exec $__target_host "rm -rf \"$destination\"; mv \"\$destination_upload\" \"$destination\""
 DONE
   fi
 fi
--- a/cdist/conf/type/__file/gencode-remote
+++ b/cdist/conf/type/__file/gencode-remote
@ -1,7 +1,7 @@
 #!/bin/sh -e
 #
 # 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
-# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
+# 2013 Steven Armstrong (steven-cdist armstrong.cc)
 #
 # This file is part of cdist.
 #
@ -62,13 +62,6 @@ set_mode() {
 case "$state_should" in
    present|exists)
        if [ -f "$__object/files/upload-destination" ]; then
            final_destination="$destination"
            # We change the 'global' $destination variable here so we can
            # change attributes of the new/uploaded file before moving it
            # to it's final destination.
            destination="$(cat "$__object/files/upload-destination")"
        fi
        # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
        #  clearing S_ISUID and S_ISGID bits (see chown(2))
        for attribute in group owner mode; do
@ -88,11 +81,6 @@ case "$state_should" in
                fi
            fi
        done
        if [ -f "$__object/files/upload-destination" ]; then
            # move uploaded file into place
            printf 'rm -rf "%s"\n' "$final_destination"
            printf 'mv "%s" "%s"\n' "$destination" "$final_destination"
        fi
        if [ -f "$__object/files/set-attributes" ]; then
            # set-attributes is created if file is created or uploaded in gencode-local
            fire_onchange=1
--- a/cdist/conf/type/__filesystem/explorer/lsblk
+++ b/cdist/conf/type/__filesystem/explorer/lsblk
@ -27,7 +27,7 @@ else
 fi
 case "$os" in
-    alpine|centos|fedora|gentoo|redhat|suse|ubuntu)
+    alpine|centos|fedora|redhat|suse|gentoo)
        if [ ! -x "$(command -v lsblk)" ]; then
            echo "lsblk is required for __filesystem type" >&2
            exit 1
--- a/cdist/conf/type/__git/explorer/group
+++ b/cdist/conf/type/__git/explorer/group
@ -1,24 +1,5 @@
-#!/bin/sh -e
+#!/bin/sh
-destination="/${__object_id:?}/.git"
+destination="/$__object_id/.git"
-# shellcheck disable=SC2012
+stat --print "%G" "${destination}" 2>/dev/null || exit 0
 group_gid=$(ls -ldn "${destination}" | awk '{ print $4 }')
 # NOTE: +1 because $((notanum)) prints 0.
 if test $((group_gid + 1)) -ge 0
 then
 	group_should=$(cat "${__object:?}/parameter/group")
 	if expr "${group_should}" : '[0-9]*$' >/dev/null
 	then
 		printf '%u\n' "${group_gid}"
 	else
 		if command -v getent > /dev/null
 		then
 			getent group "${group_gid}" | cut -d : -f 1
 		else
 			awk -F: -v gid="${group_gid}" '$3 == gid { print $1 }' /etc/group
 		fi
 	fi
 fi
--- a/cdist/conf/type/__git/explorer/owner
+++ b/cdist/conf/type/__git/explorer/owner
@ -1,19 +1,5 @@
-#!/bin/sh -e
+#!/bin/sh
-destination="/${__object_id:?}/.git"
+destination="/$__object_id/.git"
-# shellcheck disable=SC2012
+stat --print "%U" "${destination}" 2>/dev/null || exit 0
 owner_uid=$(ls -ldn "${destination}" | awk '{ print $3 }')
 # NOTE: +1 because $((notanum)) prints 0.
 if test $((owner_uid + 1)) -ge 0
 then
 	owner_should=$(cat "${__object:?}/parameter/owner")
 	if expr "${owner_should}" : '[0-9]*$' >/dev/null
 	then
 		printf '%u\n' "${owner_uid}"
 	else
 		printf '%s\n' "$(id -u -n "${owner_uid}")"
 	fi
 fi
--- a/cdist/conf/type/__grafana_dashboard/manifest
+++ b/cdist/conf/type/__grafana_dashboard/manifest
@ -15,7 +15,7 @@ case $os in
                # Differntation not needed anymore
                apt_source_distribution=stable
                ;;
-            10*|11*)
+            10*)
                # Differntation not needed anymore
                apt_source_distribution=stable
                ;;
--- a/cdist/conf/type/__haproxy_dualstack/files/http
+++ b/cdist/conf/type/__haproxy_dualstack/files/http
@ -1,8 +0,0 @@
 frontend http
 	bind	BIND@:80
 	mode	http
 	option	httplog
 	default_backend	http
 backend http
 	mode	http
--- a/cdist/conf/type/__haproxy_dualstack/files/https
+++ b/cdist/conf/type/__haproxy_dualstack/files/https
@ -1,10 +0,0 @@
 frontend https
 	bind	BIND@:443
 	mode	tcp
 	option	tcplog
 	tcp-request	inspect-delay 5s
 	tcp-request	content accept if { req_ssl_hello_type 1 }
 	default_backend	https
 backend https
 	mode	tcp
--- a/cdist/conf/type/__haproxy_dualstack/files/imaps
+++ b/cdist/conf/type/__haproxy_dualstack/files/imaps
@ -1,12 +0,0 @@
 frontend imaps
 	bind	BIND@:143
 	bind	BIND@:993
 	mode	tcp
 	option	tcplog
 	tcp-request	inspect-delay 5s
 	tcp-request	content accept if { req_ssl_hello_type 1 }
 	default_backend	imaps
 backend imaps
 	mode	tcp
--- a/cdist/conf/type/__haproxy_dualstack/files/smtps
+++ b/cdist/conf/type/__haproxy_dualstack/files/smtps
@ -1,12 +0,0 @@
 frontend smtps
 	bind	BIND@:25
 	bind	BIND@:465
 	mode	tcp
 	option	tcplog
 	tcp-request	inspect-delay 5s
 	tcp-request	content accept if { req_ssl_hello_type 1 }
 	default_backend	smtps
 backend smtps
 	mode	tcp
--- a/cdist/conf/type/__haproxy_dualstack/man.rst
+++ b/cdist/conf/type/__haproxy_dualstack/man.rst
@ -1,121 +0,0 @@
 cdist-type__haproxy_dualstack(7)
 ================================
 NAME
 ----
 cdist-type__haproxy_dualstack - Proxy services from a dual-stack server
 DESCRIPTION
 -----------
 This (singleton) type installs and configures haproxy to act as a dual-stack
 proxy for single-stack services.
 This can be useful to add IPv4 support to IPv6-only services while only using
 one IPv4 for many such services.
 By default this type uses the plain TCP proxy mode, which means that there is no
 need for TLS termination on this host when SNI is supported.
 This also means that proxied services will not receive the client's IP address,
 but will see the proxy's IP address instead (that of `$__target_host`).
 This can be solved by using the PROXY protocol, but do take into account that,
 e.g. nginx cannot serve both regular HTTP(S) and PROXY protocols on the same
 port, so you will need to use other ports for that.
 As a recommendation in this type: use TCP ports 8080 and 591 respectively to
 serve HTTP and HTTPS using the PROXY protocol.
 See the EXAMPLES for more details.
 OPTIONAL PARAMETERS
 -------------------
 v4proxy
    Proxy incoming IPv4 connections to the equivalent IPv6 endpoint.
    In its simplest use, it must be a NAME with an `AAAA` DNS entry, which is
    the IP address actually providing the proxied services.
    The full format of this argument is:
    `[proxy:]NAME[[:PROTOCOL_1=PORT_1]...[:PROTOCOL_N=PORT_N]]`
    Where starting with `proxy:` determines that the PROXY protocol must be
    used and each `:PROTOCOL=PORT` (e.g. `:http=8080` or `:https=591`) is a PORT
    override for the given PROTOCOL (see `--protocol`), if not present the
    PROTOCOL's default port will be used.
 v6proxy
    Proxy incoming IPv6 connections to the equivalent IPv4 endpoint.
    In its simplest use, it must be a NAME with an `A` DNS entry, which is
    the IP address actually providing the proxied services.
    See `--v4proxy` for more options and details.
 protocol
    Can be passed multiple times or as a space-separated list of protocols.
    Currently supported protocols are: `http`, `https`, `imaps`, `smtps`.
    This defaults to: `http https imaps smtps`.
 EXAMPLES
 --------
 .. code-block:: sh
    # Proxy the IPv6-only services so IPv4-only clients can access them
    # This uses HAProxy's TCP mode for http, https, imaps and smtps
    __haproxy_dualstack \
        --v4proxy ipv6.chat \
        --v4proxy matrix.ungleich.ch
    # Proxy the IPv6-only HTTP(S) services so IPv4-only clients can access them
    # Note this means that the backend IPv6-only server will only see
    # the IPv6 address of the haproxy host managed by cdist, which can be
    # troublesome if this information is relevant for analytics/security/...
    # See the PROXY example below
    __haproxy_dualstack \
        --protocol http --protocol https \
        --v4proxy ipv6.chat \
        --v4proxy matrix.ungleich.ch
    # Use the PROXY protocol to proxy the IPv6-only HTTP(S) services enabling
    # IPv4-only clients to access them while maintaining the client's IP address
    __haproxy_dualstack \
        --protocol http --protocol https \
        --v4proxy proxy:ipv6.chat:http=8080:https=591 \
        --v4proxy proxy:matrix.ungleich.ch:http=8080:https=591
    # Note however that the PROXY protocol is not compatible with regular
    # HTTP(S) protocols, so your nginx will have to listen on different ports
    # with the PROXY settings.
    # Note that you will need to restrict access to the 8080 port to prevent
    # Client IP spoofing.
    # This can be something like:
    # server {
    #     # listen for regular HTTP connections
    #     listen [::]:80 default_server;
    #     listen 80 default_server;
    #     # listen for PROXY HTTP connections
    #     listen [::]:8080 proxy_protocol;
    #     # Accept the Client's IP from the PROXY protocol
    #     real_ip_header proxy_protocol;
    # }
 SEE ALSO
 --------
 - https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
 - https://www.haproxy.com/blog/haproxy/proxy-protocol/
 - https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
 AUTHORS
 -------
 ungleich <foss--@--ungleich.ch>
 Evilham <cvs--@--evilham.com>
 COPYING
 -------
 Copyright \(C) 2021 ungleich glarus ag. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__haproxy_dualstack/manifest
+++ b/cdist/conf/type/__haproxy_dualstack/manifest
@ -1,155 +0,0 @@
 #!/bin/sh -eu
 __package haproxy
 require="__package/haproxy" __start_on_boot haproxy
 tmpdir="$__object/files"
 mkdir "$tmpdir"
 configtmp="$__object/files/haproxy.cfg"
 os=$(cat "$__global/explorer/os")
 case $os in
 	freebsd)
 		CONFIG_FILE="/usr/local/etc/haproxy.conf"
 		cat <<EOF > "$configtmp"
 global
 	maxconn	4000
 	user	nobody
 	group	nogroup
 	daemon
 EOF
 		;;
 	*)
 		CONFIG_FILE="/etc/haproxy/haproxy.cfg"
 		cat <<EOF > "$configtmp"
 global
 	log	[::1] local2
 	chroot	/var/lib/haproxy
 	pidfile	/var/run/haproxy.pid
 	maxconn	4000
 	user	haproxy
 	group	haproxy
 	daemon
 	# turn on stats unix socket
 	stats socket	/var/lib/haproxy/stats
 EOF
 		;;
 esac
 cat <<EOF >> "$configtmp"
 defaults
 	retries	3
 	log	global
 	timeout http-request	10s
 	timeout queue		1m
 	timeout connect		10s
 	timeout client		1m
 	timeout server		1m
 	timeout http-keep-alive	10s
 	timeout check		10s
 EOF
 dig_cmd="$(command -v dig || true)"
 get_ip() {
 	# Usage: get_ip (ipv4|ipv6) NAME
 	# uses "dig" if available, else fallback to "host"
 	case $1 in
 		ipv4)
 			if [ -n "${dig_cmd}" ]; then
 				${dig_cmd} +short A "$2"
 			else
 				host -t A "$2" | cut -d ' ' -f 4 | grep -v 'found:'
 			fi
 			;;
 		ipv6)
 			if [ -n "${dig_cmd}" ]; then
 				${dig_cmd} +short AAAA "$2"
 			else
 				host -t AAAA "$2" | cut -d ' ' -f 5 | grep -v 'NXDOMAIN'
 			fi
 			;;
 	esac
 }
 PROTOCOLS="$(cat "$__object/parameter/protocol")"
 for proxy in v4proxy v6proxy; do
 	param=$__object/parameter/$proxy
 	# no backend? skip generating code
 	if [ ! -f "$param" ]; then
 		continue
 	fi
 	# turn backend name into bind parameter: v4backend -> ipv4@
 	bind=$(echo $proxy | sed -e 's/^/ip/' -e 's/proxy//')
 	case $bind in
 		ipv4)
 			backendproto=ipv6
 			;;
 		ipv6)
 			backendproto=ipv4
 			;;
 	esac
 	for proto in ${PROTOCOLS}; do
 		# Add protocol "header"
 		printf "\n# %s %s \n" "${bind}" "${proto}" >> "$configtmp"
 		sed -e "s/BIND/$bind/" \
 			-e "s/\(frontend[[:space:]].*\)/\1$bind/" \
 			-e "s/\(backend[[:space:]].*\)/\\1$bind/" \
 			"$__type/files/$proto" >> "$configtmp"
 		while read -r hostdefinition; do
 			if echo "$hostdefinition" | grep -qE '^proxy:'; then
 				# Proxy protocol was requested
 				host="$(echo "$hostdefinition" | sed -E 's/^proxy:([^:]+).*$/\1/')"
 				send_proxy=" send-proxy"
 			else
 				# Just use tcp proxy mode
 				host="$hostdefinition"
 				send_proxy=""
 			fi
 			if echo "$hostdefinition" | grep -qE ":${proto}="; then
 				# Use custom port definition if requested
 				port="$(echo "$hostdefinition" | sed -E "s/^(.*:)?${proto}=([0-9]+).*$/:\2/")"
 			else
 				# Else use the default
 				port=""
 			fi
 			servername=$host
 			res=$(get_ip "$bind" "$servername")
 			if [ -z "$res" ]; then
 				echo "$servername does not resolve - aborting config" >&2
 				exit 1
 			fi
 			# Treat protocols without TLS+SNI specially
 			if [ "$proto" = http ]; then
 				echo "	use-server $servername if { hdr(host) -i $host }" >> "$configtmp"
 			else
 				echo "	use-server $servername if { req_ssl_sni -i $host }" >> "$configtmp"
 			fi
 			# Create the "server" itself.
 			# Note that port and send_proxy will be empty unless
 			# they were requested by the type user
 			echo "	server $servername ${backendproto}@${host}${port}${send_proxy}" >> "$configtmp"
 		done < "$param"
 	done
 done
 # Create config file
 require="__package/haproxy" __file ${CONFIG_FILE} --source "$configtmp" --mode 0644
 require="__file${CONFIG_FILE}" __check_messages "haproxy_reload" \
 	--pattern "^__file${CONFIG_FILE}" \
 	--execute "service haproxy reload || service haproxy restart"
--- a/cdist/conf/type/__haproxy_dualstack/parameter/default/protocol
+++ b/cdist/conf/type/__haproxy_dualstack/parameter/default/protocol
@ -1 +0,0 @@
 http https imaps smtps
--- a/cdist/conf/type/__haproxy_dualstack/parameter/optional_multiple
+++ b/cdist/conf/type/__haproxy_dualstack/parameter/optional_multiple
@ -1,3 +0,0 @@
 protocol
 v4proxy
 v6proxy
--- a/cdist/conf/type/__haproxy_dualstack/singleton
+++ b/cdist/conf/type/__haproxy_dualstack/singleton
--- a/cdist/conf/type/__letsencrypt_cert/explorer/certbot-path
+++ b/cdist/conf/type/__letsencrypt_cert/explorer/certbot-path
@ -0,0 +1,3 @@
 #!/bin/sh -e
 command -v certbot 2>/dev/null || true
--- a/cdist/conf/type/__letsencrypt_cert/explorer/certificate-data
+++ b/cdist/conf/type/__letsencrypt_cert/explorer/certificate-data
@ -1,78 +0,0 @@
 #!/bin/sh -e
 certbot_path="$(command -v certbot 2>/dev/null || true)"
 # Defaults
 certificate_exists="no"
 certificate_is_test="no"
 if [ -n "${certbot_path}" ]; then
 	# Find python executable that has access to certbot's module
 	python_path=$(sed -n '1s/^#! *//p' "${certbot_path}")
 	# Use a lock for cdist due to certbot not exiting with failure
 	# or having any flags for concurrent use.
 	_certbot() {
 		${python_path} - 2>/dev/null <<EOF
 from certbot.main import main
 import fcntl
 lock_file = "/tmp/certbot.cdist.lock"
 timeout=60
 with open(lock_file, 'w') as fd:
    for i in range(timeout):
        try:
            # Get exclusive lock
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
            break
        except:
            # Wait if that fails
            import time
            time.sleep(1)
    else:
        # Timed out, exit with failure
        import sys
        sys.exit(1)
    # Do list certificates
    main(["certificates", "--cert-name", "${__object_id:?}"])
 EOF
 	}
 	_certificate_exists() {
 		if grep -q "  Certificate Name: ${__object_id:?}$"; then
 			echo yes
 		else
 			echo no
 		fi
 	}
 	_certificate_is_test() {
 		if grep -q 'INVALID: TEST_CERT'; then
 			echo yes
 		else
 			echo no
 		fi
 	}
 	_certificate_domains() {
 		grep '    Domains: ' | cut -d ' ' -f 6- | tr ' ' '\n'
 	}
 	# Get data about all available certificates
 	certificates="$(_certbot)"
 	# Check whether or not the certificate exists
 	certificate_exists="$(echo "${certificates}" | _certificate_exists)"
 	# Check whether or not the certificate is for testing
 	certificate_is_test="$(echo "${certificates}" | _certificate_is_test)"
 	# Get domains for certificate
 	certificate_domains="$(echo "${certificates}" | _certificate_domains)"
 fi
 # Return received data
 cat <<EOF
 certbot_path:${certbot_path}
 certificate_exists:${certificate_exists}
 certificate_is_test:${certificate_is_test}
 ${certificate_domains}
 EOF
--- a/cdist/conf/type/__letsencrypt_cert/explorer/certificate-domains
+++ b/cdist/conf/type/__letsencrypt_cert/explorer/certificate-domains
@ -0,0 +1,8 @@
 #!/bin/sh -e
 certbot_path=$("${__type_explorer}/certbot-path")
 if [ -n "${certbot_path}" ]
 then
 	certbot certificates --cert-name "${__object_id:?}" | grep '    Domains: ' | \
 		cut -d ' ' -f 6- | tr ' ' '\n'
 fi
--- a/cdist/conf/type/__letsencrypt_cert/explorer/certificate-exists
+++ b/cdist/conf/type/__letsencrypt_cert/explorer/certificate-exists
@ -0,0 +1,13 @@
 #!/bin/sh -e
 certbot_path=$("${__type_explorer}/certbot-path")
 if [ -n "${certbot_path}" ]
 then
 	if certbot certificates | grep -q "  Certificate Name: ${__object_id:?}$"; then
 		echo yes
 	else
 		echo no
 	fi
 else
 	echo no
 fi
--- a/cdist/conf/type/__letsencrypt_cert/explorer/certificate-is-test
+++ b/cdist/conf/type/__letsencrypt_cert/explorer/certificate-is-test
@ -0,0 +1,14 @@
 #!/bin/sh -e
 certbot_path=$("${__type_explorer}/certbot-path")
 if [ -n "${certbot_path}" ]
 then
 	if certbot certificates --cert-name "${__object_id:?}" | \
 		grep -q 'INVALID: TEST_CERT'; then
 		echo yes
 	else
 		echo no
 	fi
 else
 	echo no
 fi
--- a/cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh
+++ b/cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh
@ -1,84 +0,0 @@
 #!/bin/sh -e
 # It is expected that this defines hook_contents
 # Reasonable defaults
 hook_source="${__object}/parameter/${hook}-hook"
 hook_state="absent"
 hook_contents_head="#!/bin/sh -e"
 hook_contents_logic=""
 hook_contents_tail=""
 # Backwards compatibility
 # Remove this when renew-hook is removed
 # Falling back to renew-hook if deploy-hook is not passed
 if [ "${hook}" = "deploy" ] && [ ! -f "${hook_source}" ]; then
 	hook_source="${__object}/parameter/renew-hook"
 fi
 if [ "${state}" = "present" ] && \
 	[ -f "${hook_source}" ]; then
 	# This hook is to be installed, let's generate it with some
 	# safety boilerplate
 	# Since certbot runs all hooks for all renewal processes
 	# (at each state for deploy, pre, post), it is up to us to
 	# differentiate whether or not the hook must run
 	hook_state="present"
 	hook_contents_head="$(cat <<EOF
 #!/bin/sh -e
 #
 # Managed remotely with https://cdi.st
 #
 # Domains for which this hook is supposed to apply
 lineage="${LE_DIR}/live/${__object_id}"
 domains="\$(cat <<eof
 ${domains}
 eof
 )"
 EOF
 )"
 	case "${hook}" in
 		pre|post)
 			# Certbot is kind of terrible, we have
 			# no way of knowing what domain/lineage the
 			# hook is running for
 			hook_contents_logic="$(cat <<EOF
 # pre/post-hooks apply always due to a certbot limitation
 APPLY_HOOK="YES"
 EOF
 )"
 		;;
 		deploy)
 			hook_contents_logic="$(cat <<EOF
 # certbot defines these environment variables:
 # RENEWED_DOMAINS="DOMAIN1 DOMAIN2"
 # RENEWED_LINEAGE="/etc/letsencrypt/live/__object_id"
 # It feels more stable to use RENEWED_LINEAGE
 if [ "\${lineage}" = "\${RENEWED_LINEAGE}" ]; then
 	APPLY_HOOK="YES"
 fi
 EOF
 )"
 		;;
 		*)
 			echo "Unknown hook '${hook}'" >> /dev/stderr
 			exit 1
 		;;
 	esac
 	hook_contents_tail="$(cat <<EOF
 if [ -n "\${APPLY_HOOK}" ]; then
 	# Messing with indentation can eff up the users' scripts, let's not
 $(cat "${hook_source}")
 fi
 EOF
 )"
 fi
 hook_contents="$(cat <<EOF
 ${hook_contents_head}
 ${hook_contents_logic}
 ${hook_contents_tail}
 EOF
 )"
--- a/cdist/conf/type/__letsencrypt_cert/gencode-remote
+++ b/cdist/conf/type/__letsencrypt_cert/gencode-remote
@ -1,10 +1,6 @@
 #!/bin/sh -e
-_explorer_var() {
+certificate_exists=$(cat "${__object:?}/explorer/certificate-exists")
 	grep "^$1:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-
 }
 certificate_exists="$(_explorer_var certificate_exists)"
 name="${__object_id:?}"
 state=$(cat "${__object}/parameter/state")
@ -33,9 +29,8 @@ case "${state}" in
 		fi
 		if [ "${certificate_exists}" = "yes" ]; then
-			existing_domains=$(mktemp "${TMPDIR:-/tmp}/existing_domains.cdist.XXXXXXXXXX")
+			existing_domains="${__object}/explorer/certificate-domains"
-			tail -n +4 "${__object:?}/explorer/certificate-data" | grep -v '^$' > "${existing_domains}"
+			certificate_is_test=$(cat "${__object}/explorer/certificate-is-test")
 			certificate_is_test="$(_explorer_var certificate_is_test)"
 			sort -uo "${requested_domains}" "${requested_domains}"
 			sort -uo "${existing_domains}" "${existing_domains}"
--- a/cdist/conf/type/__letsencrypt_cert/man.rst
+++ b/cdist/conf/type/__letsencrypt_cert/man.rst
@ -1,33 +1,16 @@
 cdist-type__letsencrypt_cert(7)
 ===============================
 NAME
 ----
 cdist-type__letsencrypt_cert - Get an SSL certificate from Let's Encrypt
 DESCRIPTION
 -----------
 Automatically obtain a Let's Encrypt SSL certificate using Certbot.
 This type attempts to setup automatic renewals always. In many Linux
 distributions, that is the case out of the box, see:
 https://certbot.eff.org/docs/using.html#automated-renewals
 For Alpine Linux and Arch Linux, we setup a system-wide cronjob that
 attempts to renew certificates daily.
 If you are using FreeBSD, we configure periodic(8) as recommended by
 the port mantainer, so there will be a weekly attempt at renewal.
 If your OS is not mentioned here or on Certbot's docs as having
 support for automated renewals, please make sure you check your OS
 and possibly patch this type so the system-wide cronjob is installed.
 REQUIRED PARAMETERS
 -------------------
@ -38,7 +21,6 @@ object id
 admin-email
    Where to send Let's Encrypt emails like "certificate needs renewal".
 OPTIONAL PARAMETERS
 -------------------
@ -54,68 +36,25 @@ webroot
    The path to your webroot, as set up in your webserver config. If this
    parameter is not present, Certbot will be run in standalone mode.
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 renew-hook
    Renew hook command directly passed to Certbot in cron job.
 domain
    Domains to be included in the certificate. When specified then object id
    is not used as a domain.
 deploy-hook
    Command to be executed only when the certificate associated with this
    ``$__object_id`` is issued or renewed.
    You can specify it multiple times, but any failure will prevent further
    commands from being executed.
    For this command, the
    shell variable ``$RENEWED_LINEAGE`` will point to the
    config live subdirectory (for example,
    ``/etc/letsencrypt/live/${__object_id}``) containing the
    new certificates and keys; the shell variable
    ``$RENEWED_DOMAINS`` will contain a space-delimited list
    of renewed certificate domains (for example,
    ``example.com www.example.com``)
 pre-hook
    Command to be run in a shell before obtaining any
    certificates.
    You can specify it multiple times, but any failure will prevent further
    commands from being executed.
    Note these run regardless of which certificate is attempted, you may want to
    manage these system-wide hooks with ``__file`` in
    ``/etc/letsencrypt/renewal-hooks/pre/``.
    Intended primarily for renewal, where it
    can be used to temporarily shut down a webserver that
    might conflict with the standalone plugin. This will
    only be called if a certificate is actually to be
    obtained/renewed.
 post-hook
    Command to be run in a shell after attempting to
    obtain/renew certificates.
    You can specify it multiple times, but any failure will prevent further
    commands from being executed.
    Note these run regardless of which certificate was attempted, you may want to
    manage these system-wide hooks with ``__file`` in
    ``/etc/letsencrypt/renewal-hooks/post/``.
    Can be used to deploy
    renewed certificates, or to restart any servers that
    were stopped by --pre-hook. This is only run if an
    attempt was made to obtain/renew a certificate.
 BOOLEAN PARAMETERS
 ------------------
 automatic-renewal
    Install a cron job, which attempts to renew certificates daily.
 staging
    Obtain a test certificate from a staging server.
 MESSAGES
 --------
@ -128,7 +67,6 @@ create
 remove
    Certificate was removed.
 EXAMPLES
 --------
@ -137,7 +75,8 @@ EXAMPLES
    # use object id as domain
    __letsencrypt_cert example.com \
        --admin-email root@example.com \
-        --deploy-hook "service nginx reload" \
+        --automatic-renewal \
        --renew-hook "service nginx reload" \
        --webroot /data/letsencrypt/root
 .. code-block:: sh
@ -146,10 +85,11 @@ EXAMPLES
    # and example.com needs to be included again with domain parameter
    __letsencrypt_cert example.com \
        --admin-email root@example.com \
        --automatic-renewal \
        --domain example.com \
        --domain foo.example.com \
        --domain bar.example.com \
-        --deploy-hook "service nginx reload" \
+        --renew-hook "service nginx reload" \
        --webroot /data/letsencrypt/root
 AUTHORS
@ -159,13 +99,11 @@ AUTHORS
 | Kamila Součková <kamila--@--ksp.sk>
 | Darko Poljak <darko.poljak--@--gmail.com>
 | Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
 | Evilham <contact@evilham.com>
 COPYING
 -------
-Copyright \(C) 2017-2021 Nico Schottelius, Kamila Součková, Darko Poljak and
+Copyright \(C) 2017-2018 Nico Schottelius, Kamila Součková, Darko Poljak and
 Ľubomír Kučera. You can redistribute it and/or modify it under the terms of
 the GNU General Public License as published by the Free Software Foundation,
 either version 3 of the License, or (at your option) any later version.
--- a/cdist/conf/type/__letsencrypt_cert/manifest
+++ b/cdist/conf/type/__letsencrypt_cert/manifest
@ -1,20 +1,18 @@
 #!/bin/sh
-certbot_fullpath="$(grep "^certbot_path:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-)"
+certbot_fullpath="$(cat "${__object:?}/explorer/certbot-path")"
 state=$(cat "${__object}/parameter/state")
 os="$(cat "${__global:?}/explorer/os")"
 if [ -z "${certbot_fullpath}" ]; then
 	os="$(cat "${__global:?}/explorer/os")"
 	os_version="$(cat "${__global}/explorer/os_version")"
-	# Use this, very common value, as a default. It is OS-dependent
+
 	certbot_fullpath="/usr/bin/certbot"
 	case "$os" in
-		archlinux)
+        archlinux)
-			__package certbot
+            __package certbot
-		;;
+            ;;
-		alpine)
+        alpine)
-			__package certbot
+            __package certbot
-		;;
+            ;;
 		debian)
 			case "$os_version" in
 				8*)
@ -41,7 +39,7 @@ if [ -z "${certbot_fullpath}" ]; then
 					require="__apt_source/stretch-backports" __package_apt certbot \
 						--target-release stretch-backports
 				;;
-				10*|11*)
+				10*)
 					__package_apt certbot
 				;;
@ -50,7 +48,9 @@ if [ -z "${certbot_fullpath}" ]; then
 					exit 1
 				;;
 			esac
-		;;
+
 			certbot_fullpath=/usr/bin/certbot
 			;;
 		devuan)
 			case "$os_version" in
 				jessie)
@ -83,14 +83,17 @@ if [ -z "${certbot_fullpath}" ]; then
 					exit 1
 				;;
 			esac
 			certbot_fullpath=/usr/bin/certbot
 		;;
 		freebsd)
-			__package py37-certbot
+			__package py27-certbot
-			certbot_fullpath="/usr/local/bin/certbot"
+
 			certbot_fullpath=/usr/local/bin/certbot
 		;;
 		ubuntu)
-			__package certbot
+            __package certbot
-		;;
+            ;;
 		*)
 			echo "Unsupported os: $os" >&2
 			exit 1
@ -98,61 +101,18 @@ if [ -z "${certbot_fullpath}" ]; then
 	esac
 fi
-# Other OS-dependent values that we want to set every time
+if [ -f "${__object}/parameter/automatic-renewal" ]; then
-LE_DIR="/etc/letsencrypt"
+	renew_hook_param="${__object}/parameter/renew-hook"
-certbot_cronjob_state="absent"
+	renew_hook=""
-case "$os" in
+	if [ -f "${renew_hook_param}" ]; then
-	archlinux|alpine)
+		while read -r hook; do
-		certbot_cronjob_state="present"
+			renew_hook="${renew_hook} --renew-hook \"${hook}\""
-	;;
+		done < "${renew_hook_param}"
-	freebsd)
+	fi
 		LE_DIR="/usr/local/etc/letsencrypt"
 		# FreeBSD uses periodic(8) instead of crontabs for this
 		__line "periodic.conf_weekly_certbot" \
 			--file "/etc/periodic.conf" \
 			--regex "^(#[[:space:]]*)?weekly_certbot_enable=.*" \
 			--state "replace" \
 			--line 'weekly_certbot_enable="YES"'
 	;;
 	*)
 	;;
 esac
-# This is only necessary in certain OS
+	__cron letsencrypt-certbot  \
-__cron letsencrypt-certbot \
+		--user root \
-	--user root \
+		--command "${certbot_fullpath} renew -q ${renew_hook}" \
-	--command "${certbot_fullpath} renew -q" \
+		--hour 0 \
-	--hour 0 \
+		--minute 47
 	--minute 47 \
 	--state "${certbot_cronjob_state}"
 # Ensure hook directories
 HOOKS_DIR="${LE_DIR}/renewal-hooks"
 __directory "${LE_DIR}" --mode 0755
 require="__directory/${LE_DIR}" __directory "${HOOKS_DIR}" --mode 0755
 if [ -f "${__object}/parameter/domain" ]; then
 	domains="$(sort "${__object}/parameter/domain")"
 else
 	domains="${__object_id}"
 fi
 # Install hooks as needed
 for hook in deploy pre post; do
 	# Using something unique and specific to this object
 	hook_file="${HOOKS_DIR}/${hook}/${__object_id}.cdist.sh"
 	# This defines hook_contents
 	# shellcheck source=cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh
 	. "${__type}/files/gen_hook.sh"
 	# Ensure hook directory exists
 	require="__directory/${HOOKS_DIR}" __directory "${HOOKS_DIR}/${hook}" \
 		--mode 0755
 	require="__directory/${HOOKS_DIR}/${hook}" __file "${hook_file}" \
 		--mode 0555 \
 		--source '-' \
 		--state "${hook_state}" <<EOF
 ${hook_contents}
 EOF
 done
--- a/cdist/conf/type/__letsencrypt_cert/parameter/deprecated/automatic-renewal
+++ b/cdist/conf/type/__letsencrypt_cert/parameter/deprecated/automatic-renewal
@ -1,2 +0,0 @@
 Deprecated in favour of consistent behaviour. It has no effect, see:
 https://code.ungleich.ch/ungleich-public/cdist/-/issues/853
--- a/cdist/conf/type/__letsencrypt_cert/parameter/deprecated/renew-hook
+++ b/cdist/conf/type/__letsencrypt_cert/parameter/deprecated/renew-hook
@ -1,2 +0,0 @@
 This parameter has been deprecated in favour of --deploy-hook.
 See: https://code.ungleich.ch/ungleich-public/cdist/-/issues/853
--- a/cdist/conf/type/__letsencrypt_cert/parameter/optional_multiple
+++ b/cdist/conf/type/__letsencrypt_cert/parameter/optional_multiple
@ -1,5 +1,2 @@
 deploy-hook
 domain
 post-hook
 pre-hook
 renew-hook
--- a/cdist/conf/type/__package_apt/gencode-remote
+++ b/cdist/conf/type/__package_apt/gencode-remote
@ -81,24 +81,12 @@ aptget="DEBIAN_FRONTEND=noninteractive apt-get --quiet --yes -o Dpkg::Options::=
 case "$state_should" in
    present)
        # There are special arguments to apt(8) to prevent aborts if apt woudn't been
        # updated after the 19th April 2021 till the bullseye release. The additional
        # arguments acknoledge the happend suite change (the apt(8) update does the
        # same by itself).
        #
        # Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
        # allows backward compatablility to pre-buster Debian versions.
        #
        # See more: ticket #861
        # https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
        apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
        # following is bit ugly, but important hack.
        # due to how cdist config run works, there isn't
        # currently better way to do it :(
        cat << EOF
 if [ ! -f /var/cache/apt/pkgcache.bin ] || [ "\$( stat --format %Y /var/cache/apt/pkgcache.bin )" -lt "\$( date +%s -d '-1 day' )" ]
-then echo apt-get $apt_opts update > /dev/null 2>&1 || true
+then echo apt-get update > /dev/null 2>&1 || true
 fi
 EOF
        if [ -n "$version" ]; then
--- a/cdist/conf/type/__package_pip/explorer/distinfo-dir
+++ b/cdist/conf/type/__package_pip/explorer/distinfo-dir
@ -1,45 +0,0 @@
 #!/bin/sh
 #
 # 2021 Matthias Stecher (matthiasstecher at gmx.de)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 nameparam="$__object/parameter/name"
 if [ -f "$nameparam" ]; then
    name=$(cat "$nameparam")
 else
    name="$__object_id"
 fi
 pipparam="$__object/parameter/pip"
 if [ -f "$pipparam" ]; then
    pip=$(cat "$pipparam")
 else
    pip="$( "$__type_explorer/pip" )"
 fi
 if command -v "$pip" >/dev/null 2>&1; then
    # assemble the path where pip stores all pip package info
    "$pip" show "$name" \
        | awk -F': ' '
            $1 == "Name" {name=$2; gsub(/-/,"_",name); next}
            $1 == "Version" {version=$2; next}
            $1 == "Location" {location=$2; next}
            END {if (version != "") printf "%s/%s-%s.dist-info", location, name, version}'
 fi
--- a/cdist/conf/type/__package_pip/explorer/extras
+++ b/cdist/conf/type/__package_pip/explorer/extras
@ -1,66 +0,0 @@
 #!/bin/sh
 #
 # 2021 Matthias Stecher (matthiasstecher at gmx.de)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
 # Checks if the given extras are really installed or not. It will be
 # done by querring all dependencies for that extra and return it as
 # "to be installed" if no dependency was found.
 #
 distinfo_dir="$("$__type_explorer/distinfo-dir")"
 # check if we have something to check
 if [ "$distinfo_dir" ] && [ -s "$__object/parameter/extra" ]
 then
    # save cause freezing is slow
    mkdir "$__object/files"
    pip_freeze="$__object/files/pip-freeze.tmp"
    pip3 freeze > "$pip_freeze"
    # If all is set, it searches all available extras to separatly check them.
    # It would work with just 'all' (cause dependencies are specified for
    # 'all'), but will not update if one extra is already present. Side effect
    # is that it will not use [all] but instead name all extras seperatly.
    for extra in $(if grep -qFx all "$__object/parameter/extra";
        then awk -F': ' '$1 == "Provides-Extra" && $2 != "all"{print $2}' "$distinfo_dir/METADATA";
        else tr ',' '\n' < "$__object/parameter/extra";
        fi)
    do
        # create a grep BRE pattern to search all packages
        # maybe a file full of patterns for -F could be written
        grep_pattern="$(
            awk -F'(: | ; )' -v check="$extra" '
                $1 == "Requires-Dist" {
                    split($2, r, " ");
                    sub("extra == ", "", $3); gsub("'"'"'", "", $3);
                    if($3 == check) print r[1]
                }' "$distinfo_dir/METADATA" \
                | sed ':a; $!N; s/\n/\\|/; ta'
        )"
        # echo the extra if no packages where found for it
        # if there is no pattern, we don't need to search ;-)
        # pip matches packages case-insensetive, we need to do that, too
        if [ "$grep_pattern" ] && ! grep -qi "$grep_pattern" "$pip_freeze"
        then
            echo "$extra"
        fi
    done
 fi
--- a/cdist/conf/type/__package_pip/explorer/state
+++ b/cdist/conf/type/__package_pip/explorer/state
--- a/cdist/conf/type/__package_pip/gencode-remote
+++ b/cdist/conf/type/__package_pip/gencode-remote
@ -2,7 +2,6 @@
 #
 # 2012 Nico Schottelius (nico-cdist at schottelius.org)
 # 2016 Darko Poljak (darko.poljak at gmail.com)
 # 2021 Matthias Stecher (matthiasstecher at gmx.de)
 #
 # This file is part of cdist.
 #
@ -26,10 +25,7 @@
 state_is=$(cat "$__object/explorer/state")
 state_should="$(cat "$__object/parameter/state")"
-# short circuit if state is the same and no extras to install
+[ "$state_is" = "$state_should" ] && exit 0
 [ "$state_is" = "$state_should" ] && ! [ -s "$__object/explorer/extras" ] \
    && exit 0
 nameparam="$__object/parameter/name"
 if [ -f "$nameparam" ]; then
@ -60,14 +56,6 @@ fi
 case "$state_should" in
    present)
        if [ -s "$__object/explorer/extras" ]
        then
            # all extras are passed to pip in a comma-separated list in the name
            # sed loops through all input lines and add commas between them
            extras="$(sed ':a; $!N; s/\n/,/; ta' "$__object/explorer/extras")"
            name="${name}[${extras}]"
        fi
        if [ "$runas" ]
        then
            echo "su -c '$pip install -q $name' $runas"
--- a/cdist/conf/type/__package_pip/man.rst
+++ b/cdist/conf/type/__package_pip/man.rst
@ -22,16 +22,6 @@ OPTIONAL PARAMETERS
 name
    If supplied, use the name and not the object id as the package name.
 extra
    Extra optional dependencies which should be installed along the selected
    package. Can be specified multiple times. Multiple extras can be passed
    in one `--extra` as a comma-separated list.
    Extra optional dependencies will be installed even when the base package
    is already installed. Notice that the type will not remove installed extras
    that are not explicitly named for the type because pip does not offer a
    management for orphaned packages and they may be used by other packages.
 pip
    Instead of using pip from PATH, use the specific pip path.
@ -56,14 +46,6 @@ EXAMPLES
    # Use pip in a virtualenv located at /foo/shinken_virtualenv as user foo
    __package_pip pyro --state present --pip /foo/shinken_virtualenv/bin/pip --runas foo
    # Install package with optional dependencies
    __package_pip mautrix-telegram --extra speedups --extra webp_convert --extra hq_thumbnails
    # the extras can also be specified comma-separated
    __package_pip mautrix-telegram --extra speedups,webp_convert,hq_thumbnails --extra postgres
    # or take all extras
    __package_pip mautrix-telegram --extra all
 SEE ALSO
 --------
@ -72,13 +54,12 @@ SEE ALSO
 AUTHORS
 -------
-| Nico Schottelius <nico-cdist--@--schottelius.org>
+Nico Schottelius <nico-cdist--@--schottelius.org>
 | Matthias Stecher <matthiasstecher--@--gmx.de>
 COPYING
 -------
-Copyright \(C) 2012 Nico Schottelius, 2021 Matthias Stecher. You can
+Copyright \(C) 2012 Nico Schottelius. You can redistribute it
-redistribute it and/or modify it under the terms of the GNU General
+and/or modify it under the terms of the GNU General Public License as
-Public License as published by the Free Software Foundation, either
+published by the Free Software Foundation, either version 3 of the
-version 3 of the License, or (at your option) any later version.
+License, or (at your option) any later version.
--- a/cdist/conf/type/__package_pip/parameter/optional_multiple
+++ b/cdist/conf/type/__package_pip/parameter/optional_multiple
@ -1 +0,0 @@
 extra
--- a/cdist/conf/type/__package_pkg_freebsd/gencode-remote
+++ b/cdist/conf/type/__package_pkg_freebsd/gencode-remote
@ -37,7 +37,6 @@ assert ()                 #  If condition false,
 	then
 		echo "Assertion failed:  \"$1\""
 		# shellcheck disable=SC2039
 		# shellcheck disable=SC3044
 		echo "File \"$0\", line $lineno, called by $(caller 0)"
 		exit $E_ASSERT_FAILED
 	fi
--- a/cdist/conf/type/__package_update_index/gencode-remote
+++ b/cdist/conf/type/__package_update_index/gencode-remote
@ -41,19 +41,7 @@ fi
 case "$type" in
    yum) ;;
    apt)
-        # There are special arguments to apt(8) to prevent aborts if apt woudn't been
+        echo "apt-get --quiet update"
        # updated after the 19th April 2021 till the bullseye release. The additional
        # arguments acknoledge the happend suite change (the apt(8) update does the
        # same by itself).
        #
        # Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
        # allows backward compatablility to pre-buster Debian versions.
        #
        # See more: ticket #861
        # https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
        apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
        echo "apt-get --quiet $apt_opts update"
        echo "apt-cache updated (age was: $currage)" >> "$__messages_out"
        ;;
    pacman)
--- a/cdist/conf/type/__package_upgrade_all/gencode-remote
+++ b/cdist/conf/type/__package_upgrade_all/gencode-remote
@ -28,10 +28,6 @@ apt_clean="$__object/parameter/apt-clean"
 apt_dist_upgrade="$__object/parameter/apt-dist-upgrade"
 if [ -f "$__object/parameter/apt-with-new-pkgs" ]; then
 	apt_with_new_pkgs="--with-new-pkgs"
 fi
 if [ -f "$type" ]; then
    type="$(cat "$type")"
 else
@ -58,7 +54,7 @@ case "$type" in
    apt)
        if [ -f "$apt_dist_upgrade" ]
        then echo "$aptget dist-upgrade"
-        else echo "$aptget $apt_with_new_pkgs upgrade"
+        else echo "$aptget upgrade"
        fi
        if [ -f "$apt_clean" ]
--- a/cdist/conf/type/__package_upgrade_all/man.rst
+++ b/cdist/conf/type/__package_upgrade_all/man.rst
@ -33,14 +33,6 @@ BOOLEAN PARAMETERS
 apt-dist-upgrade
    Do dist-upgrade instead of upgrade.
 apt-with-new-pkg
    Allow installing new packages when used in conjunction with
    upgrade. This is useful if the update of an installed package
    requires new dependencies to be installed. Instead of holding the
    package back upgrade will upgrade the package and install the new
    dependencies. Note that upgrade with this option will never remove
    packages, only allow adding new ones.
 apt-clean
    Clean out the local repository of retrieved package files.
--- a/cdist/conf/type/__package_upgrade_all/parameter/boolean
+++ b/cdist/conf/type/__package_upgrade_all/parameter/boolean
@ -1,3 +1,2 @@
 apt-clean
 apt-dist-upgrade
 apt-with-new-pkgs
--- a/cdist/conf/type/__postgres_conf/explorer/postgres_user
+++ b/cdist/conf/type/__postgres_conf/explorer/postgres_user
@ -1,64 +0,0 @@
 #!/bin/sh -e
 # -*- mode: sh; indent-tabs-mode: t -*-
 #
 # 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 os=$("${__explorer:?}/os")
 case ${os}
 in
 	(alpine)
 		echo 'postgres'
 		;;
 	(centos|rhel|scientific)
 		echo 'postgres'
 		;;
 	(debian|devuan|ubuntu)
 		echo 'postgres'
 		;;
 	(freebsd)
 		test -x /usr/local/etc/rc.d/postgresql || {
 			printf 'could not find postgresql rc script./n' >&2
 			exit 1
 		}
 		pg_status=$(/usr/local/etc/rc.d/postgresql onestatus) || {
 			printf 'postgresql daemon is not running.\n' >&2
 			exit 1
 		}
 		pg_pid=$(printf '%s\n' "${pg_status}" \
 			| sed -n 's/^pg_ctl:.*(PID: *\([0-9]*\))$/\1/p')
 		# PostgreSQL < 9.6: pgsql
 		# PostgreSQL >= 9.6: postgres
 		ps -o user -p "${pg_pid}" | sed -n '2p'
 		;;
 	(netbsd)
 		echo 'pgsql'
 		;;
 	(openbsd)
 		echo '_postgresql'
 		;;
 	(suse)
 		echo 'postgres'
 		;;
 	(*)
 		echo "Unsupported OS: ${os}" >&2
 		exit 1
 		;;
 esac
--- a/cdist/conf/type/__postgres_conf/explorer/state
+++ b/cdist/conf/type/__postgres_conf/explorer/state
@ -1,223 +0,0 @@
 #!/bin/sh -e
 # -*- mode: sh; indent-tabs-mode: t -*-
 #
 # 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 postgres_user=$("${__type_explorer:?}/postgres_user")
 conf_name=${__object_id:?}
 tolower() { printf '%s' "$*" | tr '[:upper:]' '[:lower:]'; }
 tobytes() {
 	# NOTE: This function treats everything as base 2.
 	#       It is not compatible with SI units.
 	awk 'BEGIN { FS = "\n" }
 	/TB$/ { $0 = ($0 * 1024) "GB" }
 	/GB$/ { $0 = ($0 * 1024) "MB" }
 	/MB$/ { $0 = ($0 * 1024) "kB" }
 	/kB$/ { $0 = ($0 * 1024) "B" }
 	 /B?$/ { sub(/ *B?$/, "") }
 	($0*1) == $0  # is number
 	' <<-EOF
 	$1
 	EOF
 }
 tomillisecs() {
 	awk 'BEGIN { FS = "\n" }
 	    /d$/ { $0 = ($0 * 24) "h" }
 	    /h$/ { $0 = ($0 * 60) "min" }
 	  /min$/ { $0 = ($0 * 60) "s" }
 	/[^m]s$/ { $0 = ($0 * 1000) "ms" }
 	   /ms$/ { $0 *= 1 }
 	($0*1) == $0  # is number
 	' <<-EOF
 	$1
 	EOF
 }
 tobool() {
 	# prints either 'on' or 'off'
 	case $(tolower "$1")
 	in
 		(t|true|y|yes|on|1)
 			echo 'on' ;;
 		(f|false|n|no|off|0)
 			echo 'off' ;;
 		(*)
 			printf 'Inavlid bool value: %s\n' "$2" >&2
 			return 1
 			;;
 	esac
 	return 0
 }
 quote() { printf '%s\n' "$*" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/"; }
 psql_exec() {
 	su - "${postgres_user}" -c "psql postgres -twAc $(quote "$*")"
 }
 psql_conf_source() {
 	# NOTE: SHOW/SET are case-insentitive, so this command should also be.
 	psql_exec "SELECT CASE WHEN source = 'default' OR setting = boot_val THEN 'default' ELSE source END FROM pg_settings WHERE lower(name) = lower('$1')"
 }
 psql_conf_cmp() (
 	IFS='|' read -r lower_name vartype setting unit <<-EOF
 	$(psql_exec "SELECT lower(name), vartype, setting, unit FROM pg_settings WHERE lower(name) = lower('$1')")
 	EOF
 	should_value=$2
 	is_value=${setting}
 	# The following case contains special cases for special settings.
 	case ${lower_name}
 	in
 		(archive_command)
 			if test "${setting}" = '(disabled)'
 			then
 				# DAFUQ PostgreSQL?!
 				# PostgreSQL returns (disabled) if the feature is inactive.
 				# We cannot compare the values unless it is enabled, first.
 				return 0
 			fi
 			;;
 		(archive_mode|backslash_quote|constraint_exclusion|force_parallel_mode|huge_pages|synchronous_commit)
 			# Although only 'on', 'off' are documented, PostgreSQL accepts all
 			# the "likely" variants of "on" and "off".
 			case $(tolower "${should_value}")
 			in
 				(on|off|true|false|yes|no|1|0)
 					should_value=$(tobool "${should_value}")
 					;;
 			esac
 			;;
 	esac
 	case ${vartype}
 	in
 		(bool)
 			test -z "${unit}" || {
 				# please fix the explorer if this error occurs.
 				printf 'units are not supported for vartype: %s\n' "${vartype}" >&2
 				exit 1
 			}
 			should_value=$(tobool "${should_value}")
 			test "${is_value}" = "${should_value}"
 			;;
 		(enum)
 			test -z "${unit}" || {
 				# please fix the explorer if this error occurs.
 				printf 'units are not supported with vartype: %s\n' "${vartype}" >&2
 				exit 1
 			}
 			# NOTE: All enums that are currently defined are lower case, but
 			#       PostgreSQL also accepts upper case spelling.
 			should_value=$(tolower "$2")
 			test "${is_value}" = "${should_value}"
 			;;
 		(integer)
 			# split multiples from unit, first (e.g. 8kB -> 8, kB)
 			case ${unit}
 			in
 				([0-9]*)
 					multiple=${unit%%[!0-9]*}
 					unit=${unit##*[0-9 ]}
 					;;
 				(*) multiple=1 ;;
 			esac
 			is_value=$((setting * multiple))${unit}
 			if expr "${should_value}" : '-\{0,1\}[0-9]*$' >/dev/null
 			then
 				# default unit
 				should_value=$((should_value * multiple))${unit}
 			fi
 			# then, do conversion
 			# NOTE: these conversions work for integers only!
 			case ${unit}
 			in
 				(B|[kMGT]B)
 					# bytes
 					is_bytes=$(tobytes "${is_value}")
 					should_bytes=$(tobytes "${should_value}")
 					test $((is_bytes)) -eq $((should_bytes))
 					;;
 				(ms|s|min|h|d)
 					# seconds
 					is_ms=$(tomillisecs "${is_value}")
 					should_ms=$(tomillisecs "${should_value}")
 					test $((is_ms)) -eq $((should_ms))
 					;;
 				('')
 					# no unit
 					is_int=${is_value}
 					should_int=${should_value}
 					test $((is_int)) -eq $((should_int))
 					;;
 			esac
 			;;
 		(real|string)
 			# NOTE: reals could possibly have units, but currently there none.
 			test -z "${unit}" || {
 				# please fix the explorer if this error occurs.
 				printf 'units are not supported with vartype: %s\n' "${vartype}" >&2
 				exit 1
 			}
 			test "${is_value}" = "${should_value}"
 			;;
 	esac
 )
 psql_exec 'SELECT 1' >/dev/null || {
 	echo 'Connection to PostgreSQL server failed' >&2
 	exit 1
 }
 case $(psql_conf_source "${conf_name}")
 in
 	('')
 		printf 'Invalid configuration parameter: %s\n' "${conf_name}" >&2
 		exit 1
 		;;
 	(default)
 		echo absent
 		;;
 	(*)
 		if ! test -f "${__object:?}/parameter/value"
 		then
 			echo present
 		elif psql_conf_cmp "${conf_name}" "$(cat "${__object:?}/parameter/value")"
 		then
 			echo present
 		else
 			echo different
 		fi
 		;;
 esac
--- a/Show more
+++ b/Show more
		`@ -1 +0,0 @@`
			`Please migrate to using __apt_key key_id --uri URI.`
		`@ -1 +0,0 @@`
			`'file' has been deprecated in favour of 'line' in order to provide idempotency.`
		`@ -0,0 +1,3 @@`
							`#!/bin/sh -e`

							`command -v certbot 2>/dev/null \|\| true`
		`@ -1,2 +0,0 @@`
			`Deprecated in favour of consistent behaviour. It has no effect, see:`
			`https://code.ungleich.ch/ungleich-public/cdist/-/issues/853`
		`@ -1,2 +0,0 @@`
			`This parameter has been deprecated in favour of --deploy-hook.`
			`See: https://code.ungleich.ch/ungleich-public/cdist/-/issues/853`