Merge branch 'wikijs' into 'master'

Add a type for wikijs.

See merge request ungleich-public/cdist-contrib!15

.gitlab-ci.yml

@@ -1,14 +1,29 @@
 stages:
     - test
+    - doc
 
-image: code.ungleich.ch:5050/ungleich-public/cdist/cdist-ci:latest
+image: code.ungleich.ch:5050/ungleich-public/cdist-contrib/ci-container:latest
 
 shellcheck:
     stage: test
     script:
-        - ./scripts/run-shellcheck.sh
+        - make lint
 
 manpages:
     stage: test
     script:
-      - ./scripts/run-manpage-checks.sh
+      - make check-manpages
+
+docs:
+    stage: doc
+    only:
+      - master
+    before_script:
+      - eval $(ssh-agent -s)
+      - echo "$CD_SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
+      - mkdir -p ~/.ssh
+      - echo "$CD_SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts
+      - chmod 644 ~/.ssh/known_hosts
+    script:
+      - make html
+      - sftp fnux@staticwebhosting.ungleich.ch:public_html/cdist-contrib <<< "put -r docs/dist/html/*"

CHANGELOG.md

@@ -1,4 +0,0 @@
-# cdist-contrib changes
-
-* 2020-06-03: New type: __unbound (Timothée Floure)
-* 2020-04-28: New type: __find_exec (Ander Punnar)

Makefile

@@ -0,0 +1,70 @@
+.PHONY: help
+help:
+	@echo "Please use \`make <target>' where <target> is one of"
+	@echo "man             build only man user documentation"
+	@echo "html            build only html user documentation"
+	@echo "docs            build both man and html user documentation"
+	@echo "check-manpages  check for manpage in types"
+	@echo "lint            run shellcheck on types"
+	@echo "check           run both type manpage checks and linting"
+	@echo "clean           clean"
+
+DOCS_SRC_DIR=./docs/src
+TYPEDIR=./type
+
+SPHINXM=make -C $(DOCS_SRC_DIR) man
+SPHINXH=make -C $(DOCS_SRC_DIR) html
+SPHINXC=make -C $(DOCS_SRC_DIR) clean
+
+################################################################################
+# Manpages
+#
+MAN7DSTDIR=$(DOCS_SRC_DIR)/man7
+
+# Use shell / ls to get complete list - $(TYPEDIR)/*/man.rst does not work
+# Using ls does not work if no file with given pattern exist, so use wildcard
+MANTYPESRC=$(wildcard $(TYPEDIR)/*/man.rst)
+MANTYPEPREFIX=$(subst $(TYPEDIR)/,$(MAN7DSTDIR)/cdist-type,$(MANTYPESRC))
+MANTYPES=$(subst /man.rst,.rst,$(MANTYPEPREFIX))
+
+# Link manpage: do not create man.html but correct named file
+$(MAN7DSTDIR)/cdist-type%.rst: $(TYPEDIR)/%/man.rst
+	mkdir -p $(MAN7DSTDIR)
+	ln -sf "../../../$^" $@
+
+DOCSINDEX=$(MAN7DSTDIR)/index.rst
+DOCSINDEXH=$(DOCS_SRC_DIR)/index.rst.sh
+
+$(DOCSINDEX): $(DOCSINDEXH)
+	$(DOCSINDEXH)
+
+# Manpages: .cdist Types
+DOT_CDIST_PATH=${HOME}/.cdist
+DOTMAN7DSTDIR=$(MAN7DSTDIR)
+DOTTYPEDIR=$(DOT_CDIST_PATH)/type
+
+# Link manpage: do not create man.html but correct named file
+$(DOTMAN7DSTDIR)/cdist-type%.rst: $(DOTTYPEDIR)/%/man.rst
+	ln -sf "$^" $@
+
+man: $(MANTYPES) $(DOCSINDEX)
+	$(SPHINXM)
+
+html: $(MANTYPES) $(DOCSINDEX)
+	$(SPHINXH)
+
+docs: man html
+
+check-manpages:
+	./scripts/run-manpage-checks.sh
+
+lint:
+	./scripts/run-shellcheck.sh
+
+check: check-manpages lint
+
+clean:
+	$(SPHINXC)
+	rm -f docs/src/index.rst
+	rm -rf docs/src/man7/
+	rm -rf docs/src/__pycache__/

README.md

@@ -5,8 +5,9 @@ tool with community-maitained types which are either too specific to fit/be
 maintained in cdist itself or were not accepted in code cdist but could still
 be useful.
 
-This project does not have releases and is continously updated: see
-`CHANGELOG.md` for details.
+This project does not have releases and is continously updated: see git history
+for change log. You will find HTML documentation at
+[contrib.cdi.st](https://contrib.cdi.st).
 
 ## Using cdist-contrib
 
@@ -32,14 +33,11 @@ And you would run [cdist][cdist] from the same directory as follows:
 
 ## Participating in the [cdist][cdist] community
 
-Join us on [#cdist:ungleich.ch][cdistmatrix] on matrix or on
-[#cdist over mattermost][cdistmattermost].
-
+Join us on [#cdist:ungleich.ch][cdistmatrix] on matrix!
 
 [cdist]: https://www.cdi.st/
 [cdistconfig]: https://www.cdi.st/manual/latest/cdist-configuration.html
 [cdistmatrix]: https://matrix.to/#/#cdist:ungleich.ch
-[cdistmattermost]: https://chat.ungleich.ch/ungleich/channels/cdist
 
 ## Contributing
 
@@ -53,3 +51,11 @@ Every type in cdist-contrib must:
 
   * Have a `man.rst` documentation page.
   * Pass [shellcheck](http://shellcheck.net/) without errors.
+
+## Other resources
+
+Some people/organizations are known to keep some cdist types that might be of
+interest to others:
+
+* [cdist-evilham](https://git.sr.ht/~evilham/cdist-evilham): Evilham's cdist-types
+* [cdist-recycledcloud](https://code.recycled.cloud/e-Durable/cdist-recycledcloud): e-Durable SA / Recycled Cloud public types

docs/src/Makefile

@@ -0,0 +1,235 @@
+# Makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS   ?=
+SPHINXBUILD  ?= sphinx-build
+PAPER        ?=
+BUILDDIR     ?= ../dist
+# for cache, etc.
+_BUILDDIR     = _build
+
+# User-friendly check for sphinx-build
+ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
+    $(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don\'t have Sphinx installed, grab it from http://sphinx-doc.org/)
+endif
+
+# Internal variables.
+PAPEROPT_a4     = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS   = -d $(_BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+# the i18n builder cannot share the environment and doctrees with the others
+I18NSPHINXOPTS  = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+
+.PHONY: help
+help:
+	@echo "Please use \`make <target>' where <target> is one of"
+	@echo "  html       to make standalone HTML files"
+	@echo "  dirhtml    to make HTML files named index.html in directories"
+	@echo "  singlehtml to make a single large HTML file"
+	@echo "  pickle     to make pickle files"
+	@echo "  json       to make JSON files"
+	@echo "  htmlhelp   to make HTML files and a HTML help project"
+	@echo "  qthelp     to make HTML files and a qthelp project"
+	@echo "  applehelp  to make an Apple Help Book"
+	@echo "  devhelp    to make HTML files and a Devhelp project"
+	@echo "  epub       to make an epub"
+	@echo "  epub3      to make an epub3"
+	@echo "  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+	@echo "  latexpdf   to make LaTeX files and run them through pdflatex"
+	@echo "  latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
+	@echo "  text       to make text files"
+	@echo "  man        to make manual pages"
+	@echo "  texinfo    to make Texinfo files"
+	@echo "  info       to make Texinfo files and run them through makeinfo"
+	@echo "  gettext    to make PO message catalogs"
+	@echo "  changes    to make an overview of all changed/added/deprecated items"
+	@echo "  xml        to make Docutils-native XML files"
+	@echo "  pseudoxml  to make pseudoxml-XML files for display purposes"
+	@echo "  linkcheck  to check all external links for integrity"
+	@echo "  doctest    to run all doctests embedded in the documentation (if enabled)"
+	@echo "  coverage   to run coverage check of the documentation (if enabled)"
+	@echo "  dummy      to check syntax errors of document sources"
+
+.PHONY: clean
+clean:
+	rm -rf $(BUILDDIR)/*
+	rm -rf $(_BUILDDIR)/*
+
+.PHONY: html
+html:
+	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+.PHONY: dirhtml
+dirhtml:
+	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+.PHONY: singlehtml
+singlehtml:
+	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+	@echo
+	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+.PHONY: pickle
+pickle:
+	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+	@echo
+	@echo "Build finished; now you can process the pickle files."
+
+.PHONY: json
+json:
+	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+	@echo
+	@echo "Build finished; now you can process the JSON files."
+
+.PHONY: htmlhelp
+htmlhelp:
+	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+	@echo
+	@echo "Build finished; now you can run HTML Help Workshop with the" \
+	      ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+.PHONY: qthelp
+qthelp:
+	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+	@echo
+	@echo "Build finished; now you can run "qcollectiongenerator" with the" \
+	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/cdist-docs.qhcp"
+	@echo "To view the help file:"
+	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/cdist-docs.qhc"
+
+.PHONY: applehelp
+applehelp:
+	$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
+	@echo
+	@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
+	@echo "N.B. You won't be able to view it unless you put it in" \
+	      "~/Library/Documentation/Help or install it in your application" \
+	      "bundle."
+
+.PHONY: devhelp
+devhelp:
+	$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+	@echo
+	@echo "Build finished."
+	@echo "To view the help file:"
+	@echo "# mkdir -p $$HOME/.local/share/devhelp/cdist-docs"
+	@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/cdist-docs"
+	@echo "# devhelp"
+
+.PHONY: epub
+epub:
+	$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+	@echo
+	@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+.PHONY: epub3
+epub3:
+	$(SPHINXBUILD) -b epub3 $(ALLSPHINXOPTS) $(BUILDDIR)/epub3
+	@echo
+	@echo "Build finished. The epub3 file is in $(BUILDDIR)/epub3."
+
+.PHONY: latex
+latex:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo
+	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+	@echo "Run \`make' in that directory to run these through (pdf)latex" \
+	      "(use \`make latexpdf' here to do that automatically)."
+
+.PHONY: latexpdf
+latexpdf:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo "Running LaTeX files through pdflatex..."
+	$(MAKE) -C $(BUILDDIR)/latex all-pdf
+	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+.PHONY: latexpdfja
+latexpdfja:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo "Running LaTeX files through platex and dvipdfmx..."
+	$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
+	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+.PHONY: text
+text:
+	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+	@echo
+	@echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+.PHONY: man
+man:
+	$(SPHINXBUILD) -b cman $(ALLSPHINXOPTS) $(BUILDDIR)/man
+	mkdir -p $(BUILDDIR)/man/man7
+	mv -f $(BUILDDIR)/man/*.7 $(BUILDDIR)/man/man7/
+	@echo
+	@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+.PHONY: texinfo
+texinfo:
+	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+	@echo
+	@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
+	@echo "Run \`make' in that directory to run these through makeinfo" \
+	      "(use \`make info' here to do that automatically)."
+
+.PHONY: info
+info:
+	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+	@echo "Running Texinfo files through makeinfo..."
+	make -C $(BUILDDIR)/texinfo info
+	@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
+
+.PHONY: gettext
+gettext:
+	$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
+	@echo
+	@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
+
+.PHONY: changes
+changes:
+	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+	@echo
+	@echo "The overview file is in $(BUILDDIR)/changes."
+
+.PHONY: linkcheck
+linkcheck:
+	$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+	@echo
+	@echo "Link check complete; look for any errors in the above output " \
+	      "or in $(BUILDDIR)/linkcheck/output.txt."
+
+.PHONY: doctest
+doctest:
+	$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+	@echo "Testing of doctests in the sources finished, look at the " \
+	      "results in $(BUILDDIR)/doctest/output.txt."
+
+.PHONY: coverage
+coverage:
+	$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
+	@echo "Testing of coverage in the sources finished, look at the " \
+	      "results in $(BUILDDIR)/coverage/python.txt."
+
+.PHONY: xml
+xml:
+	$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
+	@echo
+	@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
+
+.PHONY: pseudoxml
+pseudoxml:
+	$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
+	@echo
+	@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
+
+.PHONY: dummy
+dummy:
+	$(SPHINXBUILD) -b dummy $(ALLSPHINXOPTS) $(BUILDDIR)/dummy
+	@echo
+	@echo "Build finished. Dummy builder generates no files."

docs/src/conf.py

@@ -0,0 +1,101 @@
+#!/usr/bin/env python3
+
+import sys
+import os
+import sphinx_rtd_theme
+
+from datetime import date
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+# sys.path.insert(0, os.path.abspath('.'))
+sys.path.insert(0, os.path.abspath(os.path.join(
+    os.path.dirname(os.path.realpath(__file__)), "..", "..")))
+
+# -- General configuration ------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+    'docs.src.manpage',
+    'sphinx.ext.extlinks',
+]
+
+# The suffix(es) of source filenames.
+# You can specify multiple suffix as a list of string:
+source_suffix = ['.rst']
+
+# The encoding of source files.
+# source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = 'cdist-contrib'
+copyright = 'cdist-contrib contributors'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+
+version = str(date.today())
+release = os.popen('git rev-parse HEAD').read()
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# If true, `todo` and `todoList` produce output, else they produce nothing.
+todo_include_todos = False
+
+# -- Options for HTML output ----------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+html_theme = 'sphinx_rtd_theme'
+html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'cdistcontribdoc'
+
+# -- Options for manual page output ---------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+root_mandir = os.path.dirname(os.path.realpath(__file__))
+mandirs = []
+for mansubdir in ('man7',):
+    mandirs.append((os.path.join(root_mandir, mansubdir), mansubdir[-1]))
+man_pages = []
+for mandir, section in mandirs:
+    for root, dirs, files in os.walk(mandir):
+        for fname in files:
+            froot, fext = os.path.splitext(fname)
+            if fext == '.rst':
+                man_page = (os.path.join('man' + str(section), froot),
+                            froot, '', [], section)
+                man_pages.append(man_page)
+
+# man_pages = [
+#    ('cdist-type', 'cdist-type', 'cdist-type documentation',
+#         [author], 1),
+#    ('man7/cdist-type__file', 'cdist-type__file',
+#        '', [], 1),
+#    ('cdist-type__directory', 'cdist-type__directory',
+#        'cdist-type__directory documentation', [author], 1),
+# ]
+
+# If true, show URL addresses after external links.
+# man_show_urls = False

docs/src/index.rst.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+__cdist_pwd="$(pwd -P)"
+__cdist_mydir="${0%/*}";
+__cdist_abs_mydir="$(cd "$__cdist_mydir" && pwd -P)"
+__cdist_myname=${0##*/};
+__cdist_abs_myname="$__cdist_abs_mydir/$__cdist_myname"
+
+filename="${__cdist_myname%.sh}"
+dest="$__cdist_abs_mydir/$filename"
+
+if ! command -v pandoc > /dev/null; then
+	echo "Pandoc is required to generate HTML index from README." >&2
+	exit 1
+fi
+
+cd "$__cdist_abs_mydir"
+
+exec > "$dest"
+
+pandoc -f markdown -t rst ../../README.md
+
+cat << EOF
+
+.. toctree::
+   :hidden:
+
+EOF
+
+# If there is no such file then ls prints error to stderr,
+# so redirect stderr to /dev/null.
+for type in $(ls man7/cdist-type__*.rst 2>/dev/null | LC_ALL=C sort); do
+    no_dir="${type#man7/}";
+    no_type="${no_dir#cdist-type}";
+    name="${no_type%.rst}";
+    manref="${no_dir%.rst}"
+    man="${manref}(7)"
+
+    echo "      $name" "<man7/${manref}>"
+done

docs/src/manpage.py

@@ -0,0 +1,87 @@
+import sphinx.builders.manpage
+import sphinx.writers.manpage
+from docutils.frontend import OptionParser
+from sphinx.util.console import bold, darkgreen
+from six import string_types
+from docutils.io import FileOutput
+from os import path
+from sphinx.util.nodes import inline_all_toctrees
+from sphinx import addnodes
+from sphinx.util import logging
+
+"""
+    Extension based on sphinx builtin manpage.
+    It does not write its own .SH NAME based on config,
+    but leaves everything to actual reStructuredText file content.
+"""
+
+
+logger = logging.getLogger(__name__)
+
+
+class ManualPageTranslator(sphinx.writers.manpage.ManualPageTranslator):
+
+    def header(self):
+        tmpl = (".TH \"%(title_upper)s\" \"%(manual_section)s\""
+                " \"%(date)s\" \"%(version)s\" \"%(manual_group)s\"\n")
+        return tmpl % self._docinfo
+
+
+class ManualPageWriter(sphinx.writers.manpage.ManualPageWriter):
+
+    def __init__(self, builder):
+        super().__init__(builder)
+        self.translator_class = (
+            self.builder.get_translator_class() or ManualPageTranslator)
+
+
+class ManualPageBuilder(sphinx.builders.manpage.ManualPageBuilder):
+
+    name = 'cman'
+    default_translator_class = ManualPageTranslator
+
+    def write(self, *ignored):
+        docwriter = ManualPageWriter(self)
+        docsettings = OptionParser(
+            defaults=self.env.settings,
+            components=(docwriter,),
+            read_config_files=True).get_default_values()
+
+        logger.info(bold('writing... '), nonl=True)
+
+        for info in self.config.man_pages:
+            docname, name, description, authors, section = info
+            if isinstance(authors, string_types):
+                if authors:
+                    authors = [authors]
+                else:
+                    authors = []
+
+            targetname = '%s.%s' % (name, section)
+            logger.info(darkgreen(targetname) + ' { ', nonl=True)
+            destination = FileOutput(
+                destination_path=path.join(self.outdir, targetname),
+                encoding='utf-8')
+
+            tree = self.env.get_doctree(docname)
+            docnames = set()
+            largetree = inline_all_toctrees(self, docnames, docname, tree,
+                                            darkgreen, [docname])
+            logger.info('} ', nonl=True)
+            self.env.resolve_references(largetree, docname, self)
+            # remove pending_xref nodes
+            for pendingnode in largetree.traverse(addnodes.pending_xref):
+                pendingnode.replace_self(pendingnode.children)
+
+            largetree.settings = docsettings
+            largetree.settings.title = name
+            largetree.settings.subtitle = description
+            largetree.settings.authors = authors
+            largetree.settings.section = section
+
+            docwriter.write(largetree, destination)
+        logger.info("")
+
+
+def setup(app):
+    app.add_builder(ManualPageBuilder)

scripts/ci-container/Dockerfile

@@ -0,0 +1,7 @@
+# This image is used in the cdist-contrib CI for linting and generating the
+# documentation.
+FROM fedora:latest
+MAINTAINER Timothée Floure <fnux@ungleich.ch>
+
+RUN dnf install -y git findutils make python3-sphinx python3-sphinx_rtd_theme \
+			ShellCheck openssh-clients pandoc

scripts/run-shellcheck.sh

@@ -1,21 +1,29 @@
-#!/bin/sh
+#!/bin/sh -eu
 
-SHELLCHECKCMD="shellcheck -s sh -f gcc -x"
+SHELLCHECKCMD='shellcheck -s sh -f gcc -x'
 # Skip SC2154 for variables starting with __ since such variables are cdist
 # environment variables.
 SHELLCHECK_SKIP=': __.*is referenced but not assigned.*\[SC2154\]'
-SHELLCHECKTMP=".shellcheck.tmp"
+SHELLCHECKTMP='.shellcheck.tmp'
 
 # Move to top-level cdist-contrib directory.
-cd $(dirname $0)/..
+cd "$(dirname $0)"/..
 
-check () {
-	find type/ -type f $1 $2 -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}"  > "${SHELLCHECKTMP}"
-	test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
+check() {
+	find type/ -type f "$@" -exec ${SHELLCHECKCMD} {} + \
+	| grep -v "${SHELLCHECK_SKIP}" >>"${SHELLCHECKTMP}" || true
 }
 
-check -path "*/explorer/*"
-check -path "*/files/*"
+rm -f "${SHELLCHECKTMP}"
+
+check -path '*/explorer/*'
+check -path '*/files/*' -name '*.sh'
 check -name manifest
 check -name gencode-local
 check -name gencode-remote
+
+if test -s "${SHELLCHECKTMP}"
+then
+	cat "${SHELLCHECKTMP}" >&2
+	exit 1
+fi

type/__borg_repo/gencode-remote

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+passphrase=
+appendonly=
+
+case "$(cat "${__object:?}/parameter/encryption")" in
+	none)
+		enc=none
+		;;
+	repokey)
+		enc=repokey
+		if [ -f "${__object:?}/parameter/passphrase" ];
+		then
+			passphrase="$(cat "${__object:?}/parameter/passphrase")"
+		else
+			echo "__borg_repo cannot use repokey encryption with no passphrase. Aborting." >&2;
+			exit 1;
+		fi
+		;;
+	*)
+		echo "$enc is not a known encryption mode for __borg_repo. Aborting." >&2
+		exit 1;
+esac
+
+if [ -f "${__object:?}/parameter/append-only" ];
+then
+	appendonly='--append-only'
+fi
+
+cat <<- EOF
+	if ! borg check --repository-only 1>&2 2>/dev/null "/${__object_id:?}";
+	then
+		BORG_NEW_PASSPHRASE=$passphrase borg init -e ${enc:?} $appendonly /${__object_id:?}
+	fi
+EOF
+

type/__borg_repo/man.rst

@@ -0,0 +1,43 @@
+cdist-type__borg_repo(7)
+========================
+
+NAME
+----
+cdist-type__borg_repo - Configure a borg repository on host
+
+
+DESCRIPTION
+-----------
+
+Initializes a borg repository at the location specified in the
+`${__object_id}`. Nothing is done if the repository already exists.
+
+Currently, only `none` and `repokey` are supported as encryption modes;
+`repokey` requires the `passphrase` argument to be given. The default is
+`none`.
+
+REQUIRED PARAMETERS
+-------------------
+encryption
+  The encryption to use.
+
+OPTIONAL PARAMETERS
+-------------------
+passphrase
+  The passphrase to encrypt the keyfile with.
+
+BOOLEAN PARAMETERS
+------------------
+append-only
+  If the repository is append-only
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+COPYING
+-------
+Copyright \(C) 2020 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__borg_repo/manifest

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+os="$(cat "${__global:?}"/explorer/os)"
+
+case "$os" in
+	"alpine")
+		borg_package=borgbackup
+		;;
+	*)
+		echo "__borg_repo is not yet implemented for os $os. Aborting." >&2;
+		exit 1;
+esac
+
+__package "$borg_package"

type/__borg_repo/parameter/boolean

@@ -0,0 +1 @@
+append-only

type/__borg_repo/parameter/default/encryption

@@ -0,0 +1 @@
+none

type/__borg_repo/parameter/optional

@@ -0,0 +1 @@
+passphrase

type/__borg_repo/parameter/required

@@ -0,0 +1 @@
+encryption

type/__dma/explorer/auth_conf

@@ -0,0 +1,49 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+# This explorer determines the path of dma's auth.conf file
+
+# No dma.conf -> use default
+test -f /etc/dma/dma.conf || {
+	echo /etc/dma/auth.conf
+	exit 0
+}
+test -r /etc/dma/dma.conf || {
+	echo 'Cannot read /etc/dma/dma.conf' >&2
+	exit 1
+}
+
+# Get AUTHPATH from dma.conf
+awk -F'[ \t]' '
+{
+	sub(/#.*$/, "", $0)  # remove comments
+	if (!$0) next  # ignore empty lines
+}
+$1 == "AUTHPATH" {
+	# Store authpath. In dma conf parsing last wins.
+	if ($2) authpath = substr($0, index($0, " ") + 1)
+}
+END {
+	if (authpath) {
+		print authpath
+		exit 0
+	} else exit 1
+}
+' /etc/dma/dma.conf \
+|| echo /etc/dma/auth.conf  # default

type/__dma/explorer/conf

@@ -0,0 +1,34 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+# This explorer returns a sorted list of "active" (= non-commented) lines
+# in the dma.conf file.
+# "Trailing" line comments are stripped off.
+#
+# NOTE: This explorer assumes that the sort(1) utility supports the non-POXIX
+#       -s (stable sort) option.
+
+CONF_PATH=/etc/dma  # set in Makefile
+dma_conf="${CONF_PATH:?}/dma.conf"
+
+test -f "${dma_conf}" || exit 0
+
+grep -v -e '^[ \t]*#\|^$' "${dma_conf}" \
+| sed -e 's/[ \t]*#.*$//' \
+| sort -s -k 1,1

type/__dma/files/update_dma_conf.awk

@@ -0,0 +1,178 @@
+#!/usr/bin/awk -f
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+
+function comment_line(line) {
+	# returns the position in line at which the comment's text starts
+	# (0 if the line is not a comment)
+	match(line, /^[ \t]*\#+[ \t]*/)
+	return RSTART ? (RLENGTH + 1) : 0
+}
+function empty_line(line) { return line ~ /^[ \t]*$/ }
+function is_word(s) { return s ~ /^[A-Z_]+$/ }  # "looks like a plausible word"
+
+function first(line, sep_re) {
+	# returns the part of the line until sep is found
+	# (or the whole line if sep is not found)
+	if (!sep_re) sep_re = "[" SUBSEP "]"
+	match(line, sep_re)
+	return RSTART ? substr(line, 1, RSTART - 1) : line
+}
+
+function rest(line, sep_re) {
+	# returns the part of the line after the first occurrence of sep is found.
+	# (or nothing if sep is not found)
+	if (!sep_re) sep_re = "[" SUBSEP "]"
+	if (match(line, sep_re))
+		return substr(line, RSTART + RLENGTH)
+}
+
+function conf_pop(word, value) {
+	# returns the next value for the config `word` and delete it from the list.
+	# if value is set, this function will only return value if it is the first
+	# option in the list, otherwise it returns 0.
+
+	if (!(word in conf)) return 0
+	if (!value) {
+		if (index(conf[word], SUBSEP))  # more than one element?
+			value = substr(conf[word], 1, index(conf[word], SUBSEP) - 1)
+		else
+			value = conf[word]
+	}
+
+	if (index(conf[word], SUBSEP)) {
+		if (index(conf[word], value SUBSEP) != 1) return 0
+		conf[word] = substr(conf[word], length(value) + 2)
+	} else {
+		if (conf[word] != value) return 0
+		delete conf[word]
+	}
+	return value
+}
+
+function print_conf(word, value) {
+	# print a config line with the given parameters
+	printf "%s", word
+	if (value) printf " %s", value
+	printf "\n"
+}
+
+function print_confs(word,    value) {
+	# print config lines for all values stored in conf[word].
+	if (!(word in conf)) return
+	if (conf[word]) {
+		while (value = conf_pop(word))
+			print_conf(word, value)
+	} else {
+		print_conf(word)
+		delete conf[word]
+	}
+}
+
+BEGIN {
+	FS = "\n"
+	EQS = "[ \t]"  # copied from dma/conf.c
+
+	if (ARGV[2]) exit (e=1)
+
+	# Loop over file twice!
+	ARGV[2] = ARGV[1]
+	ARGC++
+
+	# read the "should" state into the `conf` array.
+	while (getline < "/dev/stdin") {
+		word = first($0, EQS)
+		if ((word in conf))
+			conf[word] = conf[word] SUBSEP rest($0, EQS)
+		else
+			conf[word] = rest($0, EQS)
+	}
+}
+
+# first pass, gather information about where which information is stored in the
+# current config file. This information will be used in the second pass.
+NR == FNR {
+	if (comment_line($0)) {
+		# comment line
+		word = first(substr($0, comment_line($0)), " ")
+		if (is_word(word)) last_occ["#" word] = FNR
+	} else {
+		word = first($0, EQS)
+		if (is_word(word)) last_occ[word] = FNR
+	}
+}
+
+# before second pass prepare hashes containing location information to be used
+# in the second pass.
+NR > FNR && FNR == 1 {
+	# First we drop the locations of commented-out options if a non-commented
+	# option is available. If a non-commented option is available, we will
+	# append new config options there to have them all at one place.
+	for (k in last_occ)
+		if (k ~ /^\#/ && (substr(k, 2) in last_occ))
+			delete last_occ[k]
+
+	# Reverse the option => line mapping. The line_map allows for easier lookups
+	# in the second pass.
+	for (k in last_occ) line_map[last_occ[k]] = k
+}
+
+# second pass, generate and output new config
+NR > FNR {
+	if (comment_line($0) || empty_line($0)) {
+		# comment or empty line
+		print
+
+		if ((FNR in line_map)) {
+			if (line_map[FNR] ~ /^\#/) {
+				# This line contains a commented config option. If the conf hash
+				# contains options to be set, we output them here because this
+				# option is not used in the current config.
+				k = substr(line_map[FNR], 2)
+				if ((k in conf)) print_confs(k)
+			}
+
+			if (("INSECURE" in conf) && line_map[FNR] ~ /^\#?SECURE$/) {
+				# INSECURE goes where SECURE comment is.
+				print_confs("INSECURE")
+			}
+		}
+	} else {
+		word = first($0, EQS)
+		value = rest($0, EQS)
+		sub(/[ \t]*\#.*$/, "", value)  # ignore comments in value
+
+		if ((word in conf) && value == first(conf[word])) {
+			# keep config options we want
+			conf_pop(word)
+			print
+		}
+
+		if ((FNR in line_map) && line_map[FNR] == word) {
+			# rest of config options should be here
+			print_confs(word)
+		}
+	}
+}
+
+END {
+	if (e) exit
+
+	# print rest of config options (
+	for (word in conf) print_confs(word)
+}

type/__dma/gencode-remote

@@ -0,0 +1,177 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
+drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
+
+CONF_PATH=/etc/dma  # set in Makefile
+
+# Determine mailname
+if test -f "${__object:?}/parameter/mailname"
+then
+	mailname=$(cat "${__object:?}/parameter/mailname")
+else
+	case $(cat "${__global:?}/explorer/os")
+	in
+		(debian|devuan|ubuntu)
+			# On Debian-like systems use /etc/mailname unless --mailname is used
+			mailname='/etc/mailname'
+			;;
+		(*)
+			mailname=${__target_fqdn:?}
+			;;
+	esac
+fi
+
+
+# Generate "should" values for config
+conf_should=$(
+	if test -s "${__object:?}/parameter/smarthost"
+	then
+		printf 'SMARTHOST %s\n' "$(cat "${__object:?}/parameter/smarthost")"
+	fi
+
+	printf 'MAILNAME %s\n' "${mailname}"
+
+	if test -s "${__object:?}/explorer/auth_conf"
+	then
+		printf "AUTHPATH %s\n" "$(cat "${__object:?}/explorer/auth_conf")"
+	fi
+
+	case $(cat "${__object:?}/parameter/security")
+	in
+		(ssl|tls)
+			default_smtp_port=465
+			echo 'SECURETRANSFER'
+			;;
+		(starttls)
+			default_smtp_port=587
+			echo 'SECURETRANSFER'
+			echo 'STARTTLS'
+			;;
+		(opportunistic)
+			default_smtp_port=25
+			echo 'SECURETRANSFER'
+			echo 'STARTTLS'
+			echo 'OPPORTUNISTIC_TLS'
+			;;
+		(insecure)
+			default_smtp_port=25
+			echo 'INSECURE'
+			;;
+	esac
+
+	if test -s "${__object:?}/parameter/port"
+	then
+		printf 'PORT %u\n' "$(cat "${__object:?}/parameter/port")"
+	elif test "${default_smtp_port}" -ne 25  # DMA uses port 25 by default
+	then
+		printf 'PORT %u\n' "${default_smtp_port}"
+	fi
+
+	if test -f "${__object:?}/parameter/masquerade"
+	then
+		while read -r line
+		do
+			printf 'MASQUERADE %s\n' "${line}"
+		done <"${__object:?}/parameter/masquerade"
+	fi
+
+	if test -f "${__object:?}/parameter/defer"
+	then
+		echo 'DEFER'
+	fi
+
+	if test -f "${__object:?}/parameter/fullbounce"
+	then
+		echo 'FULLBOUNCE'
+	fi
+
+	if test -f "${__object:?}/parameter/nullclient"
+	then
+		test -s "${__object:?}/parameter/smarthost" || {
+			echo '--nullclient requires a --smarthost to be defined' >&2
+			exit 1
+		}
+
+		echo 'NULLCLIENT'
+	fi
+)
+# Sort conf_should to compare against "conf_is"
+conf_should=$(echo "${conf_should}" | sort -s -k 1,1)
+
+config_updated=false
+if ! echo "${conf_should}" | cmp -s "${__object:?}/explorer/conf" -
+then
+	# config needs to be updated
+	dma_conf="${CONF_PATH:?}/dma.conf"
+
+	# The following AWK script will output the new config file to be stored on
+	# disk. To do so it reads the current dma.conf file and the config options
+	# that should be set (from stdin).
+	# Note that the path to the current dma.conf is passed to AWK twice, because
+	# the new file cannot be generated in one pass.
+
+	# The logic tries to place options at a sensible location, that is:
+	# a) if the option is already used in the config file:
+	#    group all similar options (e.g. MASQUERADE) at one place in the order
+	#    they are listed in stdin.
+	# b) if it is a new option and a "default comment" (e.g. "#PORT 25") exists:
+	#    place options grouped directly after the comment (the comment is left
+	#    alone)
+	# c) otherwise:
+	#    options are grouped by word (the first word in the line) and appended
+	#    at the end of the file.
+
+	cat <<-CODE
+	awk $(drop_awk_comments "${__type:?}/files/update_dma_conf.awk") $(quote "${dma_conf}") <<'EOF' >$(quote "${dma_conf}.tmp") \
+	&& cat $(quote "${dma_conf}.tmp") >$(quote "${dma_conf}")
+	${conf_should}
+	EOF
+	rm $(quote "${dma_conf}.tmp")
+	CODE
+
+	config_updated=true
+	echo 'config updated' >>"${__messages_out:?}"
+fi
+
+
+# Send a test email if enabled and necessary (=configuration changed)
+if test -f "${__object:?}/parameter/send-test-mail"
+then
+	if grep -q '^__mail_alias/root:' "${__messages_in:?}" \
+	|| grep -q '^__dma_auth/' "${__messages_in:?}" \
+	|| ${config_updated}
+	then
+		cat <<-CODE
+		sendmail root <<'EOF'
+		Subject: [cdist] Test mail from '${__target_fqdn:?}'
+
+		Hi,
+
+		you can ignore this message.
+		Its sole purpose is to notify you that root mail on ${__target_fqdn:?}
+		will be redirected to you.
+
+		Enjoy!
+		EOF
+		CODE
+	fi
+fi

type/__dma/man.rst

@@ -0,0 +1,112 @@
+cdist-type__dma(7)
+============================
+
+NAME
+----
+cdist-type__dma - Setup the DragonFly Mail Agent as the MTA.
+
+
+DESCRIPTION
+-----------
+This (singleton) type uses DMA, a small Mail Transport Agent (MTA), to accept
+mails from locally installed Mail User Agents (MUA) and either deliver the mails
+to a remote smart host for delivery or communicate with remote SMTP servers
+directly.
+
+
+REQUIRED PARAMETERS
+-------------------
+None.
+
+
+BOOLEAN PARAMETERS
+------------------
+defer
+    If enabled, mail will not be sent immediately, but stored in a queue.
+    To flush the queue and send the mails, ```dma -q`` has to be run
+    periodically (e.g. using a cron job.)
+    This type does not manage such a cron job, but some operating systems ship
+    such a cron job with the package.
+fullbounce
+    Enable if bounce messages should include the complete original message,
+    not just the headers.
+nullclient
+    Enable to bypass aliases and local delivery, and instead forward all mails
+    to the defined ``--smarthost``.
+send-test-mail
+    If set, this type will send a test email to root after setup, to check if
+    the configured settings work.
+
+
+OPTIONAL PARAMETERS
+-------------------
+mailname
+    If present, this will be the hostname used to identify this host and the
+    remote part of the sender addresses.
+    If not defined, it defaults to ``/etc/mailname`` on Debian derivatives and
+    to ``__target_fqdn`` otherwise.
+    See `dma(8)` for more information.
+
+    Note: on Debian derivatives the ``/etc/mailname`` file should be updated
+    instead of using this parameter.
+masquerade
+    Masquerade the envelope-from addresses with this address/hostname.
+    Use this setting if mails are not accepted by destination mail servers
+    because your sender domain is invalid.
+    This option can be used multiple times.
+    For more information see the `dma(8)` man page.
+port
+    The port on which to deliver email.
+    If not provided, a sensible default port will be used based on the
+    ``--security`` argument.
+security
+    Configures whether and how DMA should use secure connections.
+
+    ssl/tls
+        Enable TLS/SSL secured transfer.
+    starttls
+        Use STARTTLS to establish a secure connection.
+    opportunistic (default)
+        Will try to establish a secure connection using STARTTLS, but allow
+        unencrypted transfer if STARTTLS fails.
+        Most useful when dma is used without a smarthost, delivering remote
+        messages directly to the outside mail exchangers.
+    insecure
+        allow plain text SMTP login over an insecure connection.
+        Should really *not* be used anymore!
+smarthost
+    The mail server used to send email.
+    It must be configured to act as a relay for the host being configured by
+    this type so that mail can be sent to users non-local to the smarthost.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Install DMA and use the smarthost mx1.domain.tld to send mail.
+    __dma --smarthost mx1.domain.tld --send-test-mail
+
+    # Install DMA in a default configuration.
+    __dma
+
+
+SEE ALSO
+--------
+- `DragonFly Mail Agent <https://github.com/corecode/dma>`_
+- `DragonFly Handbook MTA <https://www.dragonflybsd.org/handbook/mta/>`_
+
+
+AUTHORS
+-------
+Evilham <contact@evilham.com>
+Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2020 Evilham and Dennis Camera. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__dma/manifest

@@ -0,0 +1,66 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+os=$(cat "${__global:?}/explorer/os")
+
+# Install DMA
+case ${os}
+in
+	(alpine)
+		__package dma --state present
+		export require='__package/dma'
+		;;
+	(debian|devuan|ubuntu)
+		__package dma --state present
+		export require='__package/dma'
+		;;
+	(freebsd)
+		# Stop sendmail if necessary
+		__process 'sendmail' --name 'sendmail.*' --state absent \
+			--stop '/etc/rc.d/sendmail onestop'
+
+		# ... and disable it
+		__key_value 'rcconf-sendmail-enable' --file '/etc/rc.conf' \
+			--key 'sendmail_enable' --delimiter '=' --value '"NONE"' \
+			--exact_delimiter
+
+		# Setup mailwrapper accordingly
+		__file '/etc/mail/mailer.conf' --mode 0644 --source - <<-'EOF'
+			#
+			# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
+			#
+			sendmail	/usr/libexec/dma
+			send-mail	/usr/libexec/dma
+			mailq		/usr/libexec/dma
+			newaliases	/usr/libexec/dma
+			rmail		/usr/libexec/dma
+		EOF
+		;;
+	(*)
+		cat <<EOF >&2
+Your OS (${os}) is not supported yet.
+
+Maybe adding support is as simple as adapting the packages or allowing it,
+we highly encourage you to open a PR with the necessary changes.
+See: https://code.ungleich.ch/ungleich-public/cdist-contrib/
+EOF
+		exit 1
+		;;
+esac

type/__dma/parameter/boolean

@@ -0,0 +1,4 @@
+defer
+fullbounce
+nullclient
+send-test-mail

type/__dma/parameter/default/security

@@ -0,0 +1 @@
+opportunistic

type/__dma/parameter/optional

@@ -0,0 +1,4 @@
+mailname
+port
+security
+smarthost

type/__dma/parameter/optional_multiple

@@ -0,0 +1 @@
+masquerade

type/__dma_auth/explorer/auth_conf

@@ -0,0 +1 @@
+../../__dma/explorer/auth_conf

type/__dma_auth/explorer/state

@@ -0,0 +1,91 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+# This explorer looks for a line matching the server parameter
+# in dma's auth.conf and reports:
+#   present:            a line matching login + host + password exists
+#   absent:             no line matching login + host exists
+#   different_login:    a line exists but with a different login user
+#   different_password: a line exists but with a different password
+#   multiple:           multiple lines matching host exist (should not happen)
+
+auth_conf=$("${__type_explorer:?}/auth_conf")
+test -r "${auth_conf}" || exit 0
+
+awk -F'\n' '
+function getvalue(path) {
+	# Reads the first line of the file located at path and returns it.
+	getline < path
+	close(path)
+	return $0
+}
+
+BEGIN {
+	DP = "[: \t]"  # copied from dma/conf.c
+
+	parameter_dir = ENVIRON["__object"] "/parameter/"
+
+	# Read the parameters of this object
+	host_param = ENVIRON["__object_id"]
+	login_param = getvalue(parameter_dir "login")
+	passwd_param = getvalue(parameter_dir "password")
+
+	state = "absent"
+}
+
+/^#/ || /^$/ {
+	# skip comments and empty lines
+	next
+}
+
+{
+	# parse line
+
+	login = substr($0, 1, index($0, "|") - 1)
+	if (!login) { login = $0 }  # if no "|" found
+
+	host = substr($0, length(login) + 2)
+
+	if (match(host, DP)) {
+		passwd = substr(host, RSTART + 1)
+		host = substr(host, 1, RSTART - 1)
+	} else {
+		passwd = ""
+	}
+}
+
+host == host_param {
+	# a match…
+	if (state == "absent") {
+		if (login != login_param)
+			state = "different_login"
+		else if (passwd != passwd_param)
+			state = "different_password"
+		else
+			state = "present"
+	} else {
+		# report "multiple" to that the type can remove the duplicates.
+		state = "multiple"
+	}
+}
+
+END {
+	print state
+}
+' "${auth_conf}"

type/__dma_auth/files/update_dma_auth.awk

@@ -0,0 +1,93 @@
+#!/usr/bin/awk -f
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+function getvalue(path) {
+	# Reads the first line of the file located at path and returns it.
+	getline < path
+	close(path)
+	return $0
+}
+
+function print_should() {
+	printf "%s|%s:%s\n", login_param, host_param, passwd_param
+}
+
+BEGIN {
+	FS = "\n"
+	DP = "[: \t]"  # copied from dma/conf.c
+
+	parameter_dir = ENVIRON["__object"] "/parameter/"
+
+	mode = (getvalue(parameter_dir "state") != "absent")
+
+	host_param = ENVIRON["__object_id"]
+	login_param = getvalue(parameter_dir "login")
+	passwd_param = getvalue(parameter_dir "password")
+}
+
+# skip comments and empty lines
+/^#/ || /^$/ {
+	print
+	next
+}
+
+{
+	# parse line (like dma/conf.c would)
+
+	login = substr($0, 1, index($0, "|") - 1)
+	if (!login) { login = $0 }  # if no "|" found
+
+	host = substr($0, length(login) + 2)
+
+	if (match(host, DP)) {
+		passwd = substr(host, RSTART + 1)
+		host = substr(host, 1, RSTART - 1)
+	} else {
+		passwd = ""
+	}
+}
+
+host == host_param {
+	if (mode) {
+		# state_should == present
+		if (!written) {
+			# replace first line if host matches (but only if no line has
+			# been written already -> no duplicates)
+			print_should()
+			written = 1
+		}
+		next
+	} else {
+		# state_should == absent
+		next
+	}
+}
+
+# leave other lines alone
+{
+	print
+}
+
+END {
+	if (mode && !written) {
+		# append line if no match to replace was found
+		print_should()
+	}
+}

type/__dma_auth/gencode-remote

@@ -0,0 +1,72 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
+drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
+
+state_is=$(cat "${__object:?}/explorer/state")
+state_should=$(cat "${__object:?}/parameter/state")
+
+server=${__object_id:?}
+login=$(cat "${__object:?}/parameter/login")
+
+
+auth_conf=$(cat "${__object:?}/explorer/auth_conf")
+test -n "${auth_conf}" || {
+	echo 'Cannot determine path of dma auth.conf' >&2
+	exit 1
+}
+
+if test "${state_is}" = "${state_should}"
+then
+	# state is as it should
+	exit 0
+fi
+
+case ${state_should}
+in
+	(present)
+		test -n "${login}" || { echo '--login must be non-empty' >&2; exit 1; }
+
+		if test "${state_is}" = 'absent'
+		then
+			printf 'add authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
+		else
+			printf 'set authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
+		fi
+		;;
+	(absent)
+		printf 'delete authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
+		;;
+	(*)
+		printf 'Invalid --state: %s.\n' "${state_should}" >&2
+		printf 'Acceptable values are: present, absent.\n' >&2
+		exit 1
+		;;
+esac
+
+
+cat <<EOF
+test -f $(quote "${auth_conf}") || touch $(quote "${auth_conf}")
+
+awk $(drop_awk_comments "${__type:?}/files/update_dma_auth.awk") <$(quote "${auth_conf}") >$(quote "${auth_conf}.tmp") \
+&& cat $(quote "${auth_conf}.tmp") >$(quote "${auth_conf}")
+rm -f $(quote "${auth_conf}.tmp")
+EOF

type/__dma_auth/man.rst

@@ -0,0 +1,66 @@
+cdist-type__dma_auth(7)
+=======================
+
+NAME
+----
+cdist-type__dma_auth - Configure SMTP logins for the DragonFly Mail Agent MTA.
+
+
+DESCRIPTION
+-----------
+This cdist type allows you to set up credentials to log in to remote SMTP
+servers.
+
+NB: dma currently (v0.13) does not differentiate between users on a host.
+    It will use whatever user it finds in the ``auth.conf`` first.
+    Thus, this type will use the ``__object_id`` as the host specifier.
+
+
+REQUIRED PARAMETERS
+-------------------
+login
+    The user's LOGIN name on the SMTP server.
+password
+    The user's password (in plain text.)
+
+
+OPTIONAL PARAMETERS
+-------------------
+state
+    Either ``present`` or ``absent``. Defaults to ``present``.
+
+BOOLEAN PARAMETERS
+------------------
+None.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Set the password for smarthost
+    __dma_auth smarthost.example.com --login joe --password hunter2
+
+    # Set credentials for user at an external provider
+    __dma_auth mail.provider.com --login paul@example.com --password letmein
+
+    # Delete credentials for example.com (for all users)
+    __dma_auth example.com --login '' --password '' --state absent
+
+SEE ALSO
+--------
+:strong:`cdist-type__dma`\ (7), :strong:`dma`\ (8)
+
+
+AUTHORS
+-------
+Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2020 Dennis Camera. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__dma_auth/parameter/default/state

@@ -0,0 +1 @@
+present

type/__dma_auth/parameter/optional

@@ -0,0 +1 @@
+state

type/__dma_auth/parameter/required

@@ -0,0 +1,2 @@
+login
+password

type/__mail_alias/explorer/aliases

@@ -0,0 +1,73 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+# Find aliases for a given user name and print the aliases (each one on a
+# separate line)
+
+aliases_file=$("${__type_explorer:?}/aliases_file")
+test -r "${aliases_file}" || exit 0
+
+: "${__object_id:?}"  # assert __object_id is set, because it is used in AWK
+
+awk -F ':[ \t]*' '
+function print_aliases(aliases,    matches) {
+	# prints comma-separated aliases (one per line)
+	split(aliases, matches, /,[ \t]*/)
+	for (i in matches) {
+		gsub(/^[ \t]*|[ \t]*$/, "", matches[i])
+		if (matches[i]) print matches[i]
+	}
+}
+
+/^#/ {
+	# comment line (ignore)
+	select = 0; cont = 0  # comments terminate alias lists and continuations
+	next
+}
+
+{
+	# is this line a continuation line?
+	# (the prev. line ended in a backslash or the line starts with whitespace)
+	is_cont = /^[ \t]/ || cont
+
+	# detect if the line is a line to be continued (ends with a backslash)
+	cont = /\\$/
+
+	# if it is, we drop the backslash from the line
+	if (cont) sub(/[ \t]*\\$/, "", $0)
+}
+
+is_cont {
+	# if in the alias list of the "target" user, we also print these aliases.
+	if (select) print_aliases($0)
+	next
+}
+
+$1 == ENVIRON["__object_id"] {
+	# "target" user -> print alias list
+	select = 1
+	print_aliases($2)
+	next
+}
+
+{
+	# other user
+	select = 0
+}
+' "${aliases_file}"

type/__mail_alias/explorer/aliases_file

@@ -0,0 +1,52 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+# This explorer finds the aliases file to modify.
+
+found() { echo "$*"; exit 0; }
+
+check_file() {
+	if test -f "$1"
+	then
+		found "$1"
+	fi
+}
+
+case $("${__explorer:?}/os")
+in
+	(freebsd|openbsd|solaris)
+		check_file /etc/mail/aliases
+
+		# default
+		found /etc/mail/aliases
+		;;
+	(alpine|debian|devuan|ubuntu)
+		check_file /etc/aliases
+
+		# default
+		found /etc/aliases
+		;;
+	(*)
+		check_file /etc/mail/aliases
+		check_file /etc/aliases
+
+		# default
+		found /etc/aliases
+		;;
+esac

type/__mail_alias/files/update_aliases.awk

@@ -0,0 +1,96 @@
+#!/usr/bin/awk -f
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+function getvalue(path,    line) {
+	# Reads the first line of the file located at path and returns it.
+	getline line < path
+	close(path)
+	return line
+}
+
+function sepafter(f, def,    _) {
+	# finds the separator between field $f and $(f+1)
+	_ = substr($0, length($f)+1, index(substr($0, length($f)+1), $(f+1))-1)
+	return _ ? _ : def
+}
+
+function write_aliases(    line) {
+	if (aliases_written) return
+
+	# print aliases line
+	printf "%s%s", ENVIRON["__object_id"], sepafter(1, ": ")
+	while ((getline line < aliases_should_file) > 0) {
+		if (aliases_written) printf ", "
+		printf "%s", line
+		aliases_written = 1
+	}
+	printf "\n"
+	close(aliases_should_file)
+}
+
+BEGIN {
+	FS = ":[ \t]*"
+
+	parameter_dir = ENVIRON["__object"] "/parameter/"
+
+	mode = (getvalue(parameter_dir "state") != "absent")
+	aliases_should_file = (parameter_dir "/alias")
+}
+
+/^[ \t]*\#/ {
+	# comment line (leave alone)
+	select = 0; cont = 0  # comments terminate alias lists and continuations
+	print
+	next
+}
+
+{
+	# is this line a continuation line?
+	# (the prev. line ended in a backslash or the line starts with whitespace)
+	is_cont = /^[ \t]/ || cont
+
+	# detect if the line is a line to be continued (ends with a backslash)
+	cont = /\\$/
+}
+
+is_cont {
+	# we only print the line if it has not been rewritten (select)
+	if (!select) print
+	next
+}
+
+$1 == ENVIRON["__object_id"] {
+	# "target" user -> rewrite aliases list
+	select = 1
+	if (mode) write_aliases()
+	next
+}
+
+{
+	# other user
+	select = 0
+	print
+}
+
+END {
+	# if the last line was an alias, the separator will be reused (looks better)
+	if (mode && !aliases_written)
+		write_aliases()
+}

type/__mail_alias/gencode-remote

@@ -0,0 +1,87 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
+drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
+
+aliases_file=$(cat "${__object:?}/explorer/aliases_file")
+
+test -n "${aliases_file}" || {
+	echo 'Could not determine aliases file path.' >&2
+	exit 1
+}
+
+
+state_should=$(cat "${__object:?}/parameter/state")
+
+case ${state_should}
+in
+	(present)
+		if cmp -s "${__object:?}/explorer/aliases" "${__object:?}/parameter/alias"
+		then
+			# all good!
+			exit 0
+		fi
+
+		test -s "${__object:?}/parameter/alias" || {
+			printf 'The --alias parameter is required if --state present.\n' >&2
+			printf 'Use --state absent to remove all aliases.\n' >&2
+			exit 1
+		}
+
+		if test -s "${__object:?}/explorer/aliases"
+		then
+			echo "update aliases" >>"${__messages_out:?}"
+		else
+			echo "add aliases" >>"${__messages_out:?}"
+		fi
+		;;
+	(absent)
+		# nothing to do if no aliases found.
+		test -s "${__object:?}/explorer/aliases" || exit 0
+
+		echo "delete aliases" >>"${__messages_out:?}"
+		;;
+	(*)
+		printf 'Invalid --state: %s.\n' "${state_should}" >&2
+		printf 'Acceptable values are: present, absent.\n' >&2
+		exit 1
+esac
+
+cat <<EOF
+test -f $(quote "${aliases_file}") || touch $(quote "${aliases_file}")
+
+awk $(drop_awk_comments "${__type:?}/files/update_aliases.awk") <$(quote "${aliases_file}") >$(quote "${aliases_file}.tmp") \
+|| {
+	rm -f $(quote "${aliases_file}.tmp")
+	echo 'Generating new aliases file failed!' >&2
+	exit 1
+}
+
+if ! cmp -s $(quote "${aliases_file}") $(quote "${aliases_file}.tmp")
+then
+	# aliases file was modified, replace:
+	cat $(quote "${aliases_file}.tmp") >$(quote "${aliases_file}")
+
+	# then, run newaliases if present ("missing" on Alpine Linux because of typo)
+	command -v newaliases >/dev/null 2>&1 && newaliases || true
+fi
+rm -f $(quote "${aliases_file}.tmp")
+EOF

type/__mail_alias/man.rst

@@ -0,0 +1,76 @@
+cdist-type__mail_alias(7)
+=========================
+
+NAME
+----
+cdist-type__mail_alias - Manage mail aliases.
+
+
+DESCRIPTION
+-----------
+This cdist type allows you to configure mail aliases (/etc/aliases).
+
+
+REQUIRED PARAMETERS
+-------------------
+None.
+
+
+OPTIONAL PARAMETERS
+-------------------
+state
+    'present' or 'absent', defaults to 'present'
+alias
+    an alias, i.e. a mail address where mail for the user should be redirected
+    to.
+    This parameter can be specified multiple times to redirect to multiple
+    recipients.
+    If ``--state`` is ``present`` this parameter is required.
+    See `aliases(5)` for the different forms this parameter can take.
+
+
+BOOLEAN PARAMETERS
+------------------
+None.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Redirect root mail to a "real" email address
+    __mail_alias root --alias admin@example.com
+
+    # Disable redirection of mail for joe
+    __mail_alias joe --state absent
+
+
+BUGS
+----
+- Quoted strings are not parsed by this type. As a result, aliases
+  containing ``,`` (commas) are treated incorrectly (they are treated as
+  separate aliases.)
+  Make sure that email addresses, file names, and pipe commands do not contain
+  commas.
+- ``:include:`` directives in the aliases file are not evaluated by this type.
+  They are treated like a regular alias, the values of the included file are
+  not expanded.
+
+
+SEE ALSO
+--------
+:strong:`aliases`\ (5)
+
+
+AUTHORS
+-------
+Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2020 Dennis Camera. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__mail_alias/parameter/default/state

@@ -0,0 +1 @@
+present

type/__mail_alias/parameter/optional

@@ -0,0 +1 @@
+state

type/__mail_alias/parameter/optional_multiple

@@ -0,0 +1 @@
+alias

type/__matrix_element/files/config.json.sh

@@ -0,0 +1,90 @@
+#!/bin/sh
+#
+# Upstream configuration guide/documentation:
+#   https://github.com/vector-im/riot-web/blob/develop/docs/config.md
+
+generate_embedded_pages () {
+    if [ "$EMBED_HOMEPAGE" != "" ]; then
+        cat << EOF
+    "embeddedPages": {
+        "homeUrl": "home.html"
+    },
+EOF
+    fi
+}
+
+generate_jitsi_config () {
+    if [ "$JITSI_DOMAIN" != "" ]; then
+        cat << EOF
+    "jitsi": {
+        "preferredDomain": "$JITSI_DOMAIN"
+     },
+EOF
+    fi
+}
+
+generate_branding () {
+    echo '"branding": {'
+
+    if [ "$BRANDING_AUTH_HEADER_LOGO_URL" != "" ]; then
+        cat << EOF
+        "authHeaderLogoUrl": "$BRANDING_AUTH_HEADER_LOGO_URL",
+EOF
+    fi
+
+    if [ "$BRANDING_AUTH_FOOTER_LINKS" != "" ]; then
+        cat << EOF
+        "authFooterLinks": "$BRANDING_AUTH_FOOTER_LINKS",
+EOF
+    fi
+
+    cat << EOF
+    "welcomeBackgroundUrl": "themes/element/img/backgrounds/lake.jpg"
+EOF
+    echo '},'
+}
+
+cat << EOF
+{
+    "default_server_config": {
+        "m.homeserver": {
+            "base_url": "$DEFAULT_SERVER_URL",
+            "server_name": "$DEFAULT_SERVER_NAME"
+        },
+        "m.identity_server": {
+            "base_url": "https://vector.im"
+        }
+    },
+    "brand": "$BRAND",
+    $(generate_branding)
+    "defaultCountryCode": "$DEFAULT_COUNTRY_CODE",
+    "integrations_ui_url": "https://scalar.vector.im/",
+    "integrations_rest_url": "https://scalar.vector.im/api",
+    "integrations_widgets_urls": [
+        "https://scalar.vector.im/_matrix/integrations/v1",
+        "https://scalar.vector.im/api",
+        "https://scalar-staging.vector.im/_matrix/integrations/v1",
+        "https://scalar-staging.vector.im/api",
+        "https://scalar-staging.riot.im/scalar/api"
+    ],
+    "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
+    "roomDirectory": {
+        "servers": [
+            $ROOM_DIRECTORY_SERVERS
+        ]
+    },
+    "disable_custom_urls": "$DISABLE_CUSTOM_URLS",
+    $(generate_embedded_pages)
+    $(generate_jitsi_config)
+    "terms_and_conditions_links": [
+        {
+            "url": "$PRIVACY_POLICY_URL",
+            "text": "Privacy Policy"
+        },
+        {
+            "url": "$COOKIE_POLICY_URL",
+            "text": "Cookie Policy"
+        }
+    ]
+}
+EOF

type/__matrix_element/gencode-remote

@@ -0,0 +1,69 @@
+#!/bin/sh -e
+#
+# 2019 Timothée Floure (timothee.floure@ungleich.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+VERSION=$(cat "$__object/parameter/version")
+INSTALL_DIR=$(cat "$__object/parameter/install_dir")
+OWNER=$(cat "$__object/parameter/owner")
+
+src="riot-v$VERSION"
+archive="$src.tar.gz"
+url="https://github.com/vector-im/riot-web/releases/download/v$VERSION/$archive"
+
+# tar and curl are installed by the __matrix-riot manifest. mktemp is usually
+# provided by coreutils and assumed installed.
+cat << EOF
+set -e
+
+# Ensure that coreutils is installed.
+if [ ! -x \$(which mktemp) ]; then
+  echo "mktemp is not available on the remote host." >&2
+  exit 1
+fi
+
+# Create temporary working directory.
+tmpdir=\$(mktemp -d)
+custom_files_dir="\$tmpdir/custom_files"
+cd \$tmpdir
+
+# Download and extract sources.
+curl -L '$url' > $archive
+tar xf $archive
+
+# Backup files deployed by __matrix_element.
+mkdir -p \$custom_files_dir
+for file in $INSTALL_DIR/cdist/*; do
+  cp "\$file" "\$custom_files_dir"
+done
+
+# Deploy sources and restore configuration.
+rm -r '$INSTALL_DIR'
+mv '$src' '$INSTALL_DIR'
+
+for file in \$custom_files_dir/*; do
+    cp "\$file" '$INSTALL_DIR'
+done
+
+# Chown deployed files to requested owner.
+chown -R '$OWNER' '$INSTALL_DIR'
+
+# Remove temporary working directory.
+cd /
+rm -r \$tmpdir
+EOF

type/__matrix_element/man.rst

@@ -0,0 +1,87 @@
+cdist-type__matrix_element(7)
+=============================
+
+NAME
+----
+cdist-type__matrix_element - Install and configure Element, a web Matrix client.
+
+
+DESCRIPTION
+-----------
+This type install and configure the Element web client.
+
+
+REQUIRED PARAMETERS
+-------------------
+install_dir
+  Root directory of Element's static files.
+
+version
+  Release of Element to install.
+
+OPTIONAL PARAMETERS
+-------------------
+default_server_name
+  Name of matrix homeserver to connect to, defaults to 'matrix.org'.
+
+default_server_url
+  URL of matrix homeserver to connect to, defaults to 'https://matrix-client.matrix.org'.
+
+owner
+  Owner of the deployed files, passed to `chown`. Defaults to 'root'.
+
+brand
+  Web UI branding, defaults to 'Element'.
+
+default_country_code
+  ISO 3166 alpha2 country code to use when showing country selectors, such as
+  phone number inputs. Defaults to GB.
+
+privacy_policy_url
+  Defaults to 'https://element.io/privacy'.
+
+cookie_policy_url
+  Defaults to 'https://matrix.org/docs/guides/element_im_cookie_policy'.
+
+jitsi_domain
+  Domain name of preferred Jitsi instance (default is jitsi.element.im). This is
+  used whenever a user clicks on the voice/video call buttons.
+
+homepage
+  Path to custom homepage, displayed once logged in.
+
+welcomepage
+  Path to custom welcome (= login) page.
+
+custom_asset
+  Serve a file a the top-level directory (e.g. /my-custom-logo.svg). Can be specified multiple times.
+
+BOOLEAN PARAMETERS
+-------------------
+disable_custom_urls
+  Disallow the user to change the default homeserver when signing up or logging in.
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __matrix_element my-element --install_dir /var/www/element-web --version 1.5.6
+
+
+SEE ALSO
+--------
+- `cdist-type__matrix_synapse(7) <cdist-type__matrix_synapse.html>`_
+
+
+AUTHORS
+-------
+Timothée Floure <timothee.floure@ungleich.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2019 Timothée Floure. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__matrix_element/manifest

@@ -0,0 +1,106 @@
+#!/bin/sh -e
+#
+# 2019 Timothée Floure (timothee.floure@ungleich.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+
+# Ignore "Declare and assign separately to avoid masking return values. [SC2155]"
+# => not relevant for the type arguments.
+# shellcheck disable=SC2155
+
+INSTALL_DIR=$(cat "$__object/parameter/install_dir")
+
+export DEFAULT_SERVER_NAME=$(cat "$__object/parameter/default_server_name")
+export DEFAULT_SERVER_URL=$(cat "$__object/parameter/default_server_url")
+export BRAND=$(cat "$__object/parameter/brand")
+export DEFAULT_COUNTRY_CODE=$(cat "$__object/parameter/default_country_code")
+export ROOM_DIRECTORY_SERVERS=$(cat "$__object/parameter/room_directory_servers")
+export PRIVACY_POLICY_URL=$(cat "$__object/parameter/privacy_policy_url")
+export COOKIE_POLICY_URL=$(cat "$__object/parameter/cookie_policy_url")
+
+if [ -f "$__object/parameter/jitsi_domain" ]; then
+    export JITSI_DOMAIN=$(cat "$__object/parameter/jitsi_domain")
+fi
+
+if [ -f "$__object/parameter/branding_auth_header_logo_url" ]; then
+    export BRANDING_AUTH_HEADER_LOGO_URL=$(cat "$__object/parameter/branding_auth_header_logo_url")
+fi
+
+if [ -f "$__object/parameter/branding_auth_footer_links" ]; then
+    export BRANDING_AUTH_FOOTER_LINKS=$(cat "$__object/parameter/branding_auth_footer_links")
+fi
+
+if [ -f "$__object/parameter/homepage" ]; then
+    export EMBED_HOMEPAGE=1
+    homepage=$(cat "$__object/parameter/homepage")
+fi
+
+if [ -f "$__object/parameter/welcomepage" ]; then
+    export EMBED_WELCOMEPAGE=1
+    welcomepage=$(cat "$__object/parameter/welcomepage")
+fi
+
+if [ -f "$__object/parameter/custom_asset" ]; then
+   "$__object/parameter/custom_asset" | while IFS= read -r file; do
+       require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/$(basename "$file")" \
+           --source "$file" \
+           --mode 0664 \
+           --state present
+   done
+fi
+
+if [ -f "$__object/parameter/disable_custom_urls" ]; then
+    export DISABLE_CUSTOM_URLS='true'
+else
+    export DISABLE_CUSTOM_URLS='false'
+fi
+
+# Owner of the uploaded files.
+owner=$(cat "$__object/parameter/owner")
+
+# Ensure that curl and tar are installed, as they will be required by the
+# gencode-remote script.
+__package curl --state present
+__package tar --state present
+
+# Generate and deploy configuration file.
+mkdir -p "$__object/files"
+"$__type/files/config.json.sh" > "$__object/files/config.json"
+
+# Install the config.json configuration file. The application's sources are
+# downloaded and deployed by gencode-remote.
+__directory "$INSTALL_DIR/cdist" \
+    --owner "$owner" --mode 0755 --parents \
+    --state present
+
+require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/config.json" \
+  --source "$__object/files/config.json" \
+  --mode 0664 \
+  --state present
+
+if [ $EMBED_HOMEPAGE ]; then
+    require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/home.html" \
+      --source "$homepage" \
+      --mode 0664 \
+      --state present
+fi
+
+if [ $EMBED_WELCOMEPAGE ]; then
+    require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/welcome.html" \
+      --source "$welcomepage" \
+      --mode 0664 \
+      --state present
+fi

type/__matrix_element/parameter/boolean

@@ -0,0 +1 @@
+disable_custom_urls

type/__matrix_element/parameter/default/brand

@@ -0,0 +1 @@
+Element

type/__matrix_element/parameter/default/cookie_policy_url

@@ -0,0 +1 @@
+https://matrix.org/docs/guides/riot_im_cookie_policy

type/__matrix_element/parameter/default/default_country_code

@@ -0,0 +1 @@
+GB

type/__matrix_element/parameter/default/default_server_name

@@ -0,0 +1 @@
+matrix.org

type/__matrix_element/parameter/default/default_server_url

@@ -0,0 +1 @@
+https://matrix-client.matrix.org

type/__matrix_element/parameter/default/owner

@@ -0,0 +1 @@
+root

type/__matrix_element/parameter/default/privacy_policy_url

@@ -0,0 +1 @@
+https://element.io/privacy

type/__matrix_element/parameter/default/room_directory_servers

@@ -0,0 +1 @@
+"matrix.org"

type/__matrix_element/parameter/optional

@@ -0,0 +1,13 @@
+default_server_url
+default_server_name
+brand
+default_country_code
+privacy_policy_url
+cookie_policy_url
+room_directory_servers
+owner
+homepage
+welcomepage
+jitsi_domain
+branding_auth_header_logo_url
+branding_auth_footer_links

type/__matrix_element/parameter/optional_multiple

@@ -0,0 +1 @@
+custom_asset

type/__matrix_element/parameter/required

@@ -0,0 +1,2 @@
+version
+install_dir

type/__matrix_synapse/files/environment.sh

@@ -1,6 +0,0 @@
-#!/bin/sh
-
-cat << EOF
-# Specify environment variables used when running Synapse
-SYNAPSE_CACHE_FACTOR=$CACHE_FACTOR
-EOF

type/__matrix_synapse/files/log.config.sh

@@ -1,60 +0,0 @@
-#!/bin/sh
-
-cat << EOF
-
-version: 1
-
-formatters:
-  precise:
-   format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
-  journal_fmt:
-   format: '%(name)s: [%(request)s] %(message)s'
-
-filters:
-  context:
-    (): synapse.util.logcontext.LoggingContextFilter
-    request: ""
-
-handlers:
-  file:
-    class: logging.handlers.WatchedFileHandler
-    formatter: precise
-    filename: $LOG_DIR/homeserver.log
-    filters: [context]
-    level: DEBUG
-    encoding: utf8
-  console:
-    class: logging.StreamHandler
-    formatter: precise
-    level: WARN
-  journal:
-    class: systemd.journal.JournalHandler
-    formatter: journal_fmt
-    filters: [context]
-    SYSLOG_IDENTIFIER: synapse
-
-loggers:
-    twisted:
-        level: WARN
-
-    synapse:
-        level: INFO
-
-    # the following levels are more verbose than most users want
-    # set them to INFO if you need more logging
-    synapse.metrics:
-        level: WARN
-
-    synapse.http.federation.well_known_resolver:
-        level: WARN
-
-    synapse.storage.TIME:
-        level: WARN
-
-    synapse.http.matrixfederationclient:
-        level: WARN
-
-root:
-    level: INFO
-    handlers: [file, journal]
-EOF

type/__matrix_synapse/man.rst

@@ -1,180 +0,0 @@
-cdist-type__matrix_synapse(7)
-======================
-
-NAME
-----
-cdist-type__matrix_synapse - Install and configure Synapse, a Matrix homeserver
-
-
-DESCRIPTION
------------
-This type install and configure the Synapse Matrix homeserver. This is a
-signleton type.
-
-
-REQUIRED PARAMETERS
--------------------
-server_name
-  Name of your homeserver (e.g. ungleich.ch) used as part of your MXIDs. This
-  value cannot be changed without meddling with the database once the server is
-  being used.
-
-base_url
-  Public URL of your homeserver (e.g. http://matrix.ungleich.ch).
-
-database_engine
-  'sqlite3' or 'postgresql'
-
-database_name
-  Path to the database if SQLite3 is used or database name if PostgresSQL is
-  used.
-
-OPTIONAL PARAMETERS
--------------------
-database_host
-  Database node address, only used with PostgresSQL.
-
-database_user
-  Database user, only used with PostgresSQL.
-
-database_password
-  Database password, only used with PostgresSQL.
-
-ldap_uri
-  Address of your LDAP server.
-
-ldap_base_dn
-  Base DN of your LDAP tree.
-
-ldap_uid_attribute
-  LDAP attriute mapping to Synapse's uid field, default to uid.
-
-ldap_mail_attribute
-  LDAP attriute mapping to Synapse's mail field, default to mail.
-
-ldap_name_attribute
-  LDAP attriute mapping to Synapse's name field, default to givenName.
-
-ldap_bind_dn
-  User used to authenticate against your LDAP server in 'search' mode.
-
-ldap_bind_password
-  Password used to authenticate against your LDAP server in 'search' mode.
-
-ldap_filter
-  LDAP user filter, defaulting to `(objectClass=posixAccount)`.
-
-turn_uri
-  URI to TURN server, can be provided multiple times if there is more than one
-  server.
-
-turn_shared_secret
-  Shared secret used to access the TURN REST API.
-
-turn_user_lifetime
-  Lifetime of TURN credentials. Defaults to 1h.
-
-max_upload_size
-  Maximum size for user-uploaded files. Defaults to 10M.
-
-rc_message_per_second
-  Message rate-limiting (per second). Defaults to 0.17.
-
-rc_message_burst
-  Message rate-limiting (burst). Defaults to 3.
-
-rc_login_per_second
-  Login rate-limiting (per-second). Defaults to 0.17.
-
-rc_login_burst
-  Login rate-limiting (burst). Defaults to 3.
-
-branding_auth_header_logo_url
-  A logo that is shown in the header during authentication flows.
-
-branding_auth_footer_links
-  A list of links to show in the authentication page footer: `[{"text": "Link text", "url": "https://link.target"}, {"text": "Other link", ...}]`
-
-registration_allows_email_pattern
-    Only allow email addresses matching specified filter. Can be specified multiple times. A pattern must look like `.*@vector\.im`.
-
-auto_join_room
-  Room where newly-registered users are automatically added. Can be specified multiple times.
-
-app_service_config_file
-  Path (on remote) of an application service configuration file to load. Can be specified multiple times.
-
-extra_setting
-  Arbitrary string to be added to the configuration file. Can be specified multiple times.
-
-BOOLEAN PARAMETERS
-------------------
-allow_registration
-  Enables user registration on the homeserver.
-
-enable_ldap_auth
-  Enables ldap-backed authentication.
-
-ldap_search_mode
-  Enables 'search' mode for LDAP auth backend.
-
-report_stats
-  Whether or not to report anonymized homeserver usage statistics.
-
-expose_metrics
-  Expose metrics endpoint for Prometheus.
-
-disable_federation
-  Disable federation to the broader matrix network.
-
-registration_require_email
-  Make email a required field on registration.
-
-allow_public_rooms_over_federation
-  Allow other homeservers to fetch this server's public room directory.
-
-allow_public_rooms_without_auth
-  If set to 'false', requires authentication to access the server's public rooms directory through the client API.
-
-enable_server_notices
-  Enable the server notices room.
-
-global_cache_factor
-  Controls the global cache factor, which is the default cache factor
-  for all caches if a specific factor for that cache is not otherwise
-  set. Defaults to 0.5.
-
-event_cache_size
-  Number of events to cache in memory. Defaults to 10K.
-
-allow_guest_access
-  Allows users to register as guests without a password/email/etc, and
-  participate in rooms hosted on this server which have been made accessible to
-  anonymous users.
-
-EXAMPLES
---------
-
-.. code-block:: sh
-
-    __matrix_synapse --server_name ungleich.ch \
-      --base_url https://matrix.ungleich.ch \
-      --database_engine sqlite3 \
-      --database_name /var/lib/matrix-syanpse/homeserver.db
-
-SEE ALSO
---------
-- `cdist-type__matrix_riot(7) <cdist-type__matrix_riot.html>`_
-
-
-AUTHORS
--------
-Timothée Floure <timothee.floure@ungleich.ch>
-
-
-COPYING
--------
-Copyright \(C) 2019 Timothée Floure. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.

type/__matrix_synapse/manifest

@@ -1,320 +0,0 @@
-#!/bin/sh -e
-#
-# 2019 Timothée Floure (timothee.floure@ungleich.ch)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-# OS-specific configuration.
-os=$(cat "$__global/explorer/os")
-distribution=$(cat "$__global/explorer/lsb_codename")
-
-case "$os" in
-   debian)
-     synapse_user=matrix-synapse
-     synapse_pkg=matrix-synapse
-     synapse_service=matrix-synapse
-     ldap_auth_provider_pkg=matrix-synapse-ldap3
-     psycopg2_pkg=python3-psycopg2
-     synapse_conf_dir='/etc/matrix-synapse'
-     synapse_data_dir='/var/lib/matrix-synapse'
-
-     if [ ! -f "$__global/explorer/lsb_codename" ]; then
-       ls "$__global/explorer" >&2
-       echo "Could not determine Debian release, ensure that lsb-release is installed on the target." >&2
-       exit 1
-     fi
-     ;;
-   fedora)
-     synapse_user=synapse
-     synapse_pkg=matrix-synapse
-     synapse_service=synapse
-     ldap_auth_provider_pkg=python-matrix-synapse-ldap3
-     synapse_conf_dir='/etc/synapse'
-     synapse_data_dir='/var/lib/synapse'
-     ;;
-   freebsd)
-     synapse_user=synapse
-     synapse_pkg=py36-matrix-synapse
-     synapse_service=synapse
-     ldap_auth_provider_pkg=py36-matrix-synapse-ldap3
-     synapse_conf_dir='/usr/local/etc/matrix-synapse'
-     synapse_data_dir='/var/matrix-synapse'
-     ;;
-   alpine)
-     echo "As of 2019-12-19  matrix-synapse is not in alpine stable. Exiting."
-     exit 1
-     ;;
-   *)
-      printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
-      printf "Please contribute an implementation for it if you can.\n" >&2
-      exit 1
-   ;;
-esac
-
-# Required parameters:
-SERVER_NAME=$(cat "$__object/parameter/server_name")
-export SERVER_NAME
-BASE_URL=$(cat "$__object/parameter/base_url")
-export BASE_URL
-
-export DATA_DIR=$synapse_data_dir
-export LOG_DIR='/var/log/matrix-synapse'
-export PIDFILE='/var/run/matrix/homeserver.pid'
-export LOG_CONFIG_PATH="$synapse_conf_dir/log.yaml"
-export SIGNING_KEY_PATH="$synapse_conf_dir/signin.key"
-
-DATABASE_ENGINE=$(cat "$__object/parameter/database_engine")
-export DATABASE_ENGINE
-DATABASE_NAME=$(cat "$__object/parameter/database_name")
-export DATABASE_NAME
-
-# Optional parameters:
-DATABASE_HOST=$(cat "$__object/parameter/database_host")
-export DATABASE_HOST
-DATABASE_USER=$(cat "$__object/parameter/database_user")
-export DATABASE_USER
-DATABASE_PASSWORD=$(cat "$__object/parameter/database_password")
-export DATABASE_PASSWORD
-
-GLOBAL_CACHE_FACTOR=$(cat "$__object/parameter/global_cache_factor")
-export GLOBAL_CACHE_FACTOR
-EVENT_CACHE_SIZE=$(cat "$__object/parameter/event_cache_size")
-export EVENT_CACHE_SIZE
-
-LDAP_FILTER=$(cat "$__object/parameter/ldap_filter")
-export LDAP_FILTER
-LDAP_UID_ATTRIBUTE=$(cat "$__object/parameter/ldap_uid_attribute")
-export LDAP_UID_ATTRIBUTE
-LDAP_MAIL_ATTRIBUTE=$(cat "$__object/parameter/ldap_mail_attribute")
-export LDAP_MAIL_ATTRIBUTE
-LDAP_NAME_ATTRIBUTE=$(cat "$__object/parameter/ldap_name_attribute")
-export LDAP_NAME_ATTRIBUTE
-LDAP_URI=$(cat "$__object/parameter/ldap_uri")
-export LDAP_URI
-LDAP_BASE_DN=$(cat "$__object/parameter/ldap_base_dn")
-export LDAP_BASE_DN
-LDAP_BIND_DN=$(cat "$__object/parameter/ldap_bind_dn")
-export LDAP_BIND_DN
-LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap_bind_password")
-export LDAP_BIND_PASSWORD
-
-TURN_USER_LIFETIME=$(cat "$__object/parameter/turn_user_lifetime")
-export TURN_USER_LIFETIME
-if [ -f "$__object/parameter/turn_shared_secret" ]; then
-    TURN_SHARED_SECRET=$(cat "$__object/parameter/turn_shared_secret")
-    export TURN_SHARED_SECRET
-fi
-if [ -f "$__object/parameter/turn_uri" ]; then
-    uris=$(tr "\n" "," < "$__object/parameter/turn_uri" | sed 's/,$//')
-    export TURN_URIS="[$uris]"
-fi
-
-if [ -f "$__object/parameter/registration_allows_email_pattern" ]; then
-    RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration_allows_email_pattern")
-    export RESGISTRATION_ALLOWS_EMAIL_PATTERN
-fi
-
-if [ -f "$__object/parameter/auto_join_room" ]; then
-    AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto_join_room")"
-    export AUTO_JOIN_ROOMS
-fi
-
-if [ -f "$__object/parameter/app_service_config_file" ]; then
-    APP_SERVICE_CONFIG_FILES=$(cat "$__object/parameter/app_service_config_file")
-    export APP_SERVICE_CONFIG_FILES
-fi
-
-MAX_UPLOAD_SIZE=$(cat "$__object/parameter/max_upload_size")
-export MAX_UPLOAD_SIZE
-RIOT_BASE_URL=$(cat "$__object/parameter/riot_base_url")
-export RIOT_BASE_URL
-
-SMTP_HOST=$(cat "$__object/parameter/smtp_host")
-export SMTP_HOST
-SMTP_PORT=$(cat "$__object/parameter/smtp_port")
-export SMTP_PORT
-SMTP_USER=$(cat "$__object/parameter/smtp_user")
-export SMTP_USER
-SMTP_PASS=$(cat "$__object/parameter/smtp_pass")
-export SMTP_PASS
-
-RC_MESSAGE_PER_SECOND=$(cat "$__object/parameter/rc_message_per_second")
-export RC_MESSAGE_PER_SECOND
-RC_MESSAGE_BURST=$(cat "$__object/parameter/rc_message_burst")
-export RC_MESSAGE_BURST
-RC_LOGIN_PER_SECOND=$(cat "$__object/parameter/rc_login_per_second")
-export RC_LOGIN_PER_SECOND
-RC_LOGIN_BURST=$(cat "$__object/parameter/rc_login_burst")
-export RC_LOGIN_BURST
-
-if [ -f "$__object/parameter/extra_setting" ]; then
-    EXTRA_SETTINGS=$(cat "$__object/parameter/extra_setting")
-    export EXTRA_SETTINGS
-fi
-
-# Boolean parameters:
-if [ -f "$__object/parameter/report_stats" ]; then
-    export REPORT_STATS='true'
-else
-    export REPORT_STATS='false'
-fi
-if [ -f "$__object/parameter/allow_registration" ]; then
-    export ALLOW_REGISTRATION='true'
-else
-    export ALLOW_REGISTRATION='false'
-fi
-if [ -f "$__object/parameter/enable_ldap_auth" ]; then
-    export ENABLE_LDAP_AUTH='true'
-else
-    export ENABLE_LDAP_AUTH='false'
-fi
-if [ -f "$__object/parameter/ldap_search_mode" ]; then
-    export LDAP_SEARCH_MODE=1
-fi
-if [ -f "$__object/parameter/expose_metrics" ]; then
-    export EXPOSE_METRICS='true'
-else
-    export EXPOSE_METRICS='false'
-fi
-if [ -f "$__object/parameter/enable_notifications" ]; then
-    export ENABLE_NOTIFICATIONS='true'
-else
-    export ENABLE_NOTIFICATIONS='false'
-fi
-if [ -f "$__object/parameter/enable_notifications_by_default" ]; then
-    export ENABLE_NOTIFICATIONS_BY_DEFAULT='true'
-else
-    export ENABLE_NOTIFICATIONS_BY_DEFAULT='false'
-fi
-if [ -f "$__object/parameter/smtp_requires_tls" ]; then
-    export SMTP_TLS='true'
-else
-    export SMTP_TLS='false'
-fi
-if [ -f "$__object/parameter/disable_federation" ]; then
-    export DISABLE_FEDERATION='true'
-else
-    export DISABLE_FEDERATION='false'
-fi
-if [ -f "$__object/parameter/allow_guest_access" ]; then
-    export ALLOW_GUEST_ACCESS='true'
-else
-    export ALLOW_GUEST_ACCESS='false'
-fi
-if [ -f "$__object/parameter/registration_requires_email" ]; then
-    export REGISTRATION_REQUIRES_EMAIL=1
-fi
-if [ -f "$__object/parameter/allow_public_rooms_over_federation" ]; then
-    export ALLOW_PUBLIC_ROOMS_OVER_FEDERATION='true'
-else
-    export ALLOW_PUBLIC_ROOMS_OVER_FEDERATION='false'
-fi
-if [ -f "$__object/parameter/allow_public_rooms_without_auth" ]; then
-    export ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH='true'
-else
-    export ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH='false'
-fi
-if [ -f "$__object/parameter/enable_server_notices" ]; then
-    export ENABLE_SERVER_NOTICES=1
-fi
-
-# Specific case for debian-buster, boilerplate but there's not much I can do
-# about it.
-
-installation_reqs=""
-if [ "$os" = "debian" ] && [ "$distribution" = "buster" ]; then
-  # Enable debian-backports for debian Buster, as the 'stable'
-  # matrix-synapse package is ways too old (< 1.0).
-  __apt_source debian-backports \
-    --uri http://deb.debian.org/debian/ \
-    --distribution "$distribution-backports" \
-    --component main
-   require="__apt_source/debian-backports" __apt_update_index
-
-  # Install base matrix-synapse package.
-  require="__apt_update_index" __package_apt $synapse_pkg \
-    --state present \
-    --target-release "$distribution-backports"
-
-  # Install LdapAuthProvider module if LDAP auth is enabled.
-  if [ "$ENABLE_LDAP_AUTH" = "true" ]; then
-    require="__package_apt/$synapse_pkg" __package_apt $ldap_auth_provider_pkg \
-      --state present \
-      --target-release "$distribution-backports"
-    installation_reqs="$installation_reqs __package_apt/$ldap_auth_provider_pkg"
-  fi
-
-  # For some reason, psycopg2 is not considered a dependency of
-  # matrix-synapse in matrix.org's APT repository.
-  if [ "$DATABASE_ENGINE" = "psycopg2" ]; then
-    require="__package_apt/$synapse_pkg" __package_apt $psycopg2_pkg \
-      --state present
-      installation_reqs="$installation_reqs __package_apt/$psycopg2_pkg"
-  fi
-
-  # Used for dependency order resolution.
-  installation_reqs="$installation_reqs __package_apt/$synapse_pkg"
-else
-  # Install base matrix-synapse package.
-  __package $synapse_pkg --state present
-
-  # Install LdapAuthProvider module if LDAP auth is enabled.
-  if [ "$ENABLE_LDAP_AUTH" = "true" ]; then
-    require="__package/$synapse_pkg" __package $ldap_auth_provider_pkg \
-      --state present
-  fi
-
-  # Used for dependency order resolution.
-  installation_reqs="__package/$synapse_pkg"
-fi
-
-# Generate and deploy configuration files.
-mkdir -p "$__object/files"
-"$__type/files/homeserver.yaml.sh" > "$__object/files/homeserver.yaml"
-"$__type/files/log.config.sh" > "$__object/files/log.config"
-
-require="$installation_reqs" __file "$synapse_conf_dir/homeserver.yaml" \
-  --state present \
-  --owner $synapse_user \
-  --mode 600 \
-  --source "$__object/files/homeserver.yaml"
-require="$installation_reqs" __file "$LOG_CONFIG_PATH" \
-  --state present \
-  --owner $synapse_user \
-  --mode 600 \
-  --source "$__object/files/log.config"
-require="$installation_reqs" __directory $DATA_DIR --state present --owner $synapse_user
-require="$installation_reqs" __directory $LOG_DIR --state present --owner $synapse_user
-
-# Work around dpkg-reconfigure for Debian package.
-RESTART_REQUIRES="__file/$synapse_conf_dir/homeserver.yaml"
-if [ "$os" = "debian" ]; then
-  require="$installation_reqs" __file "$synapse_conf_dir/conf.d/server_name.yaml" \
-    --state present --owner $synapse_user --source - << EOF
-server_name: "$SERVER_NAME"
-EOF
-  require="$installation_reqs" __file "$synapse_conf_dir/conf.d/report_stats.yaml" \
-    --state present --owner $synapse_user --source - << EOF
-report_stats: $REPORT_STATS
-EOF
-
-  RESTART_REQUIRES="$RESTART_REQUIRES __file/$synapse_conf_dir/conf.d/server_name.yaml \
-      __file/$synapse_conf_dir/conf.d/report_stats.yaml"
-fi
-
-# Restart synapse homeserver to reload configuration.
-require="$RESTART_REQUIRES" __service $synapse_service --action restart

type/__matrix_synapse/parameter/boolean

@@ -1,14 +0,0 @@
-allow_registration
-enable_ldap_auth
-ldap_search_mode
-report_stats
-expose_metrics
-enable_notifications
-enable_notifications_by_default
-smtp_requires_tls
-disable_federation
-registration_requires_email
-allow_public_rooms_over_federation
-enable_server_notices
-allow_guest_access
-allow_public_rooms_without_auth

type/__matrix_synapse/parameter/default/event_cache_size

@@ -1 +0,0 @@
-10K

type/__matrix_synapse/parameter/default/global_cache_factor

@@ -1 +0,0 @@
-0.5

type/__matrix_synapse/parameter/default/ldap_filter

@@ -1 +0,0 @@
-(objectClass=posixAccount)

type/__matrix_synapse/parameter/default/ldap_mail_attribute

@@ -1 +0,0 @@
-mail

type/__matrix_synapse/parameter/default/ldap_name_attribute

@@ -1 +0,0 @@
-givenName

type/__matrix_synapse/parameter/default/ldap_uid_attribute

@@ -1 +0,0 @@
-uid

type/__matrix_synapse/parameter/default/max_upload_size

@@ -1 +0,0 @@
-10M

type/__matrix_synapse/parameter/default/rc_login_burst

@@ -1 +0,0 @@
-3

type/__matrix_synapse/parameter/default/rc_login_per_second

@@ -1 +0,0 @@
-0.17

type/__matrix_synapse/parameter/default/rc_message_burst

@@ -1 +0,0 @@
-3

type/__matrix_synapse/parameter/default/rc_message_per_second

@@ -1 +0,0 @@
-0.17

type/__matrix_synapse/parameter/default/turn_user_lifetime

@@ -1 +0,0 @@
-1h

type/__matrix_synapse/parameter/optional

@@ -1,25 +0,0 @@
-database_host
-database_user
-database_password
-ldap_uri
-ldap_base_dn
-ldap_uid_attribute
-ldap_mail_attribute
-ldap_name_attribute
-ldap_bind_dn
-ldap_bind_password
-ldap_filter
-turn_shared_secret
-turn_user_lifetime
-max_upload_size
-smtp_host
-smtp_port
-smtp_user
-smtp_pass
-riot_base_url
-rc_message_per_second
-rc_message_burst
-rc_login_per_second
-rc_login_burst
-global_cache_factor
-event_cache_size

type/__matrix_synapse/parameter/optional_multiple

@@ -1,5 +0,0 @@
-turn_uri
-registration_allows_email_pattern
-auto_join_room
-app_service_config_file
-extra_setting

type/__matrix_synapse/parameter/required

@@ -1,4 +0,0 @@
-server_name
-base_url
-database_engine
-database_name

type/__matterbridge/files/matterbridge.service.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+cat <<EOF
+[Unit]
+Description=IM bridging daemon
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=$USER
+Group=$GROUP
+Type=simple
+Restart=on-failure
+ExecStart=$BINARY_PATH -conf=/etc/matterbridge/matterbridge.toml
+
+[Install]
+WantedBy=multi-user.target
+EOF

type/__matterbridge/man.rst

@@ -0,0 +1,56 @@
+cdist-type__matterbridge(7)
+===========================
+
+NAME
+----
+cdist-type__matterbridge - Install matterbridge from upstream binary
+
+
+DESCRIPTION
+-----------
+This singleton type install a matterbridge service from binary.
+
+REQUIRED PARAMETERS
+-------------------
+version
+  Release (git tag) to fetch from the project github's page.
+
+config
+  Matterbridge configuration (TOML).
+
+OPTIONAL PARAMETERS
+-------------------
+None.
+
+
+BOOLEAN PARAMETERS
+------------------
+None.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __matterbridge --version 1.16.3 --config - <<- EOF
+    [...]
+    EOF
+
+
+SEE ALSO
+--------
+- `Matterbridge github repository <https://github.com/42wim/matterbridge>`_
+
+
+AUTHORS
+-------
+Timothée Floure <timothee.floure@ungleich.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2020 Timothée Floure. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__matterbridge/manifest

@@ -0,0 +1,98 @@
+#!/bin/sh -e
+#
+# 2020 Timothée Floure (timothee.floure@ungleich.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+os=$(cat "$__global/explorer/os")
+case "$os" in
+   debian)
+     # This type assume systemd for service installation.
+   ;;
+   *)
+      printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
+      printf "Please contribute an implementation for it if you can.\n" >&2
+      exit 1
+   ;;
+esac
+
+# Required parameters.
+VERSION=$(cat "$__object/parameter/version")
+if [ -f "$__object/parameter/config" ]; then
+    CONFIG="$(cat "$__object/parameter/config")"
+    if [ "$CONFIG" = "-" ]; then
+        CONFIG=$(cat "$__object/stdin")
+    fi
+fi
+
+# Hardcoded values used in templates.
+export BINARY_PATH=/usr/local/bin/matterbridge
+export CONFIG_PATH=/etc/matterbridge/matterbridge.toml
+export USER=matterbridge
+export GROUP=$USER
+
+# Internal variables.
+artefact="matterbridge-$VERSION-linux-64bit"
+checksum_file="checksums.txt"
+release_download_url=https://github.com/42wim/matterbridge/releases/download
+binary_url="$release_download_url/v$VERSION/$artefact"
+checksum_file_url="$release_download_url/v$VERSION/$checksum_file"
+config_dir=$(dirname $CONFIG_PATH)
+systemd_unit_path='/etc/systemd/system/matterbridge.service'
+
+# Check if curl is available.
+if ! command -v curl; then
+     echo "curl is required for this type, but could not be found. Exiting." >&2
+     exit 1
+fi
+
+# Initialize working directory.
+mkdir -p "$__object/files"
+
+# Download and check matterbridge binary.
+curl -L "$binary_url" -o "$__object/files/$artefact"
+curl -Ls "$checksum_file_url" | grep "$artefact" > "$__object/files/$checksum_file"
+if ! (cd "$__object/files"; sha256sum --check $checksum_file); then
+    echo "Matterbridge binary checksum failed." >&2
+    exit 1
+fi
+
+# Create service user.
+__user $USER --home "/var/lib/$USER"
+
+# Deploy matterbridge binary.
+require="__user/$USER" __file "$BINARY_PATH" \
+  --source "$__object/files/$artefact" \
+  --owner "$USER" --mode 755
+
+# Generate and deploy configuration file.
+"$__type/files/matterbridge.service.sh" > "$__object/files/matterbridge.service"
+
+require="__user/$USER" __directory "$config_dir" \
+  --owner "$USER" --mode 0755 --parents \
+
+require="__directory/$config_dir" __file "$CONFIG_PATH" \
+  --owner "$USER" \
+  --mode 0640 \
+  --source "$CONFIG"
+
+__file "$systemd_unit_path" \
+  --source "$__object/files/matterbridge.service"
+
+# Deal with init system.
+require="__file/$systemd_unit_path" __start_on_boot matterbridge
+require="__file/$BINARY_PATH __file/$CONFIG_PATH __file/$systemd_unit_path" __service matterbridge --action restart

type/__matterbridge/parameter/required

@@ -0,0 +1,2 @@
+version
+config

type/__netbox/explorer/secretkey

@@ -0,0 +1,8 @@
+#!/bin/sh -e
+
+# Explorer will output the key if he exists.
+
+secretkey="/opt/netbox/cdist/secretkey"
+if [ -f "$secretkey" ]; then
+    cat "$secretkey"
+fi

type/__netbox/explorer/version

@@ -0,0 +1,5 @@
+#!/bin/sh -e
+
+# output version if exist
+version_path="/opt/netbox/cdist/version"
+if [ -f "$version_path" ]; then cat "$version_path"; fi

type/__netbox/files/configuration.py.sh

@@ -0,0 +1,319 @@
+#!/bin/sh
+
+cat << EOF
+#########################
+#                       #
+#   Required settings   #
+#                       #
+#########################
+
+# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
+# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
+#
+# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
+ALLOWED_HOSTS = [$ALLOWED_HOSTS ]
+
+# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
+#   https://docs.djangoproject.com/en/stable/ref/settings/#databases
+DATABASE = {
+    'NAME': '$DATABASE_NAME', # Database name
+    'USER': '$DATABASE_USER', # PostgreSQL username
+    'PASSWORD': '$DATABASE_PASSWORD', # PostgreSQL password
+    'HOST': '$DATABASE_HOST', # Database server
+    'PORT': '$DATABASE_PORT', # Database port (leave blank for default)
+    'CONN_MAX_AGE': 300,      # Max database connection age
+}
+
+# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
+# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
+# to use two separate database IDs.
+REDIS = {
+    'tasks': {
+        'HOST': '$REDIS_HOST',
+        'PORT': $REDIS_PORT,
+        # Comment out \`HOST\` and \`PORT\` lines and uncomment the following if using Redis Sentinel
+        # 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
+        # 'SENTINEL_SERVICE': 'netbox',
+        'PASSWORD': '$REDIS_PASSWORD',
+        'DATABASE': $((REDIS_DBID_OFFSET + 0)),
+        'SSL': $REDIS_SSL,
+    },
+    'caching': {
+        'HOST': '$REDIS_HOST',
+        'PORT': $REDIS_PORT,
+        # Comment out \`HOST\` and \`PORT\` lines and uncomment the following if using Redis Sentinel
+        # 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
+        # 'SENTINEL_SERVICE': 'netbox',
+        'PASSWORD': '$REDIS_PASSWORD',
+        'DATABASE': $((REDIS_DBID_OFFSET + 1)),
+        'SSL': $REDIS_SSL,
+    }
+}
+RQ_DEFAULT_TIMEOUT = 300
+
+# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
+# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
+# symbols. NetBox will not run without this defined. For more information, see
+# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
+SECRET_KEY = '$SECRET_KEY'
+
+
+#########################
+#                       #
+#   Optional settings   #
+#                       #
+#########################
+
+# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
+# application errors (assuming correct email settings are provided).
+ADMINS = [
+    # ['John Doe', 'jdoe@example.com'],
+]
+
+# URL schemes that are allowed within links in NetBox
+ALLOWED_URL_SCHEMES = (
+    'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
+)
+
+# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
+# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
+BANNER_TOP = ''
+BANNER_BOTTOM = ''
+
+# Text to include on the login page above the login form. HTML is allowed.
+BANNER_LOGIN = ''
+
+# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
+# BASE_PATH = 'netbox/'
+BASE_PATH = '$BASEPATH'
+
+# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes)
+CACHE_TIMEOUT = 900
+
+# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
+CHANGELOG_RETENTION = 90
+
+# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
+# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
+# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
+CORS_ORIGIN_ALLOW_ALL = False
+CORS_ORIGIN_WHITELIST = [
+    # 'https://hostname.example.com',
+]
+CORS_ORIGIN_REGEX_WHITELIST = [
+    # r'^(https?://)?(\w+\.)?example\.com$',
+]
+
+# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
+# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
+# on a production system.
+DEBUG = False
+
+# Email settings
+EMAIL = {
+    'SERVER': '$SMTP_HOST',
+    'PORT': $SMTP_PORT,
+    'USERNAME': '$SMTP_USER',
+    'PASSWORD': '$SMTP_PASSWORD',
+    'USE_SSL': $SMTP_USE_SSL,
+    'USE_TLS': $SMTP_USE_TLS,
+    'TIMEOUT': 10,  # seconds
+    'FROM_EMAIL': '$SMTP_FROM_EMAIL',
+}
+
+# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
+# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
+ENFORCE_GLOBAL_UNIQUE = False
+
+# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
+# by anonymous users. List models in the form \`<app>.<model>\`. Add '*' to this list to exempt all models.
+EXEMPT_VIEW_PERMISSIONS = [
+    # 'dcim.site',
+    # 'dcim.region',
+    # 'ipam.prefix',
+]
+
+EOF
+
+if [ "$HTTP_PROXY" != "" ] || [ "$HTTPS_PROXY" != "" ]; then
+    cat << EOF
+# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
+HTTP_PROXIES = {
+EOF
+    if [ "$HTTP_PROXY" != "" ]; then
+        cat << EOF
+    'http': '$HTTP_PROXY',
+EOF
+    fi
+    if [ "$HTTPS_PROXY" != "" ]; then
+        cat << EOF
+    'https': '$HTTPS_PROXY',
+EOF
+    fi
+    cat << EOF
+}
+EOF
+fi
+
+cat << EOF
+# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
+# NetBox from an internal IP.
+INTERNAL_IPS = ('127.0.0.1', '::1')
+
+# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
+#   https://docs.djangoproject.com/en/stable/topics/logging/
+LOGGING = {}
+
+# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
+# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
+LOGIN_REQUIRED = $LOGIN_REQUIRED
+
+# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
+# re-authenticate. (Default: 1209600 [14 days])
+LOGIN_TIMEOUT = None
+
+# Setting this to True will display a "maintenance mode" banner at the top of every page.
+MAINTENANCE_MODE = False
+
+# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
+# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
+# all objects by specifying "?limit=0".
+MAX_PAGE_SIZE = 1000
+
+EOF
+
+if [ "$MEDIA_ROOT" != "" ]; then
+    cat << EOF
+# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
+# the default value of this setting is derived from the installed location.
+MEDIA_ROOT = '$MEDIA_ROOT'
+
+EOF
+fi
+
+cat << EOF
+# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
+# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
+# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
+# STORAGE_CONFIG = {
+#     'AWS_ACCESS_KEY_ID': 'Key ID',
+#     'AWS_SECRET_ACCESS_KEY': 'Secret',
+#     'AWS_STORAGE_BUCKET_NAME': 'netbox',
+#     'AWS_S3_REGION_NAME': 'eu-west-1',
+# }
+
+# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
+METRICS_ENABLED = False
+
+# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
+NAPALM_USERNAME = ''
+NAPALM_PASSWORD = ''
+
+# NAPALM timeout (in seconds). (Default: 30)
+NAPALM_TIMEOUT = 30
+
+# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
+# be provided as a dictionary.
+NAPALM_ARGS = {}
+
+# Determine how many objects to display per page within a list. (Default: 50)
+PAGINATE_COUNT = 50
+
+# Enable installed plugins. Add the name of each plugin to the list.
+PLUGINS = []
+
+# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
+# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
+# PLUGINS_CONFIG = {
+#     'my_plugin': {
+#         'foo': 'bar',
+#         'buzz': 'bazz'
+#     }
+# }
+
+# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
+# prefer IPv4 instead.
+PREFER_IPV4 = False
+
+# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
+RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
+RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
+
+EOF
+
+if [ "$USE_LDAP" ]; then
+    cat << EOF
+# Remote authentication support with ldap
+REMOTE_AUTH_ENABLED = True
+REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'
+EOF
+else
+    cat << EOF
+# Remote authentication support
+REMOTE_AUTH_ENABLED = False
+REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
+EOF
+fi
+
+cat << EOF
+REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
+REMOTE_AUTH_AUTO_CREATE_USER = True
+REMOTE_AUTH_DEFAULT_GROUPS = []
+REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
+
+# This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour.
+RELEASE_CHECK_TIMEOUT = 24 * 3600
+
+# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
+# version check or use the URL below to check for release in the official NetBox repository.
+
+EOF
+
+if [ "$UPDATE_CHECK" != "" ]; then
+    cat << EOF
+RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'
+
+EOF
+else
+    cat << EOF
+RELEASE_CHECK_URL = None
+
+EOF
+fi
+
+if [ "$REPORTS_ROOT" != "" ]; then
+    cat << EOF
+# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+REPORTS_ROOT = '$REPORTS_ROOT'
+
+EOF
+fi
+
+if [ "$SCRIPTS_ROOT" != "" ]; then
+    cat << EOF
+# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+SCRIPTS_ROOT = '$SCRIPTS_ROOT'
+
+EOF
+fi
+
+cat << EOF
+# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
+# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
+# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
+SESSION_FILE_PATH = None
+
+# Time zone (default: UTC)
+TIME_ZONE = 'UTC'
+
+# Date/time formatting. See the following link for supported formats:
+# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
+DATE_FORMAT = 'N j, Y'
+SHORT_DATE_FORMAT = 'Y-m-d'
+TIME_FORMAT = 'g:i a'
+SHORT_TIME_FORMAT = 'H:i:s'
+DATETIME_FORMAT = 'N j, Y g:i a'
+SHORT_DATETIME_FORMAT = 'Y-m-d H:i'
+EOF

type/__netbox/files/ldap_config.py.sh

@@ -0,0 +1,82 @@
+#!/bin/sh
+
+# no configuration if there are no ldap parameters
+if [ -z "$USE_LDAP" ]; then
+    # skip
+    cat << EOF
+##############################
+# LDAP-backed authentication #
+##############################
+
+# no options set
+EOF
+    exit 0
+fi
+
+
+cat << EOF
+##############################
+# LDAP-backed authentication #
+##############################
+
+import ldap
+from django_auth_ldap.config import LDAPSearch, PosixGroupType
+
+# Server URI
+AUTH_LDAP_SERVER_URI = "$LDAP_SERVER"
+
+# Set the DN and password for the NetBox service account.
+AUTH_LDAP_BIND_DN = "$LDAP_BIND_DN"
+AUTH_LDAP_BIND_PASSWORD = "$LDAP_BIND_PASSWORD"
+
+# Search for user entry.
+AUTH_LDAP_USER_SEARCH = LDAPSearch("$LDAP_USER_BASE",
+                                    ldap.SCOPE_SUBTREE,
+                                    "(uid=%(user)s)")
+
+# You can map user attributes to Django attributes as so.
+AUTH_LDAP_USER_ATTR_MAP = {
+    "first_name": "givenName",
+    "last_name": "sn",
+    "email": "mail"
+}
+EOF
+
+if [ "$LDAP_GROUP_BASE" != "" ]; then
+    cat << EOF
+
+# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
+# hierarchy.
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch("$LDAP_GROUP_BASE", ldap.SCOPE_SUBTREE,
+                                    "(objectClass=posixGroup)")
+AUTH_LDAP_GROUP_TYPE = PosixGroupType()
+
+# Mirror LDAP group assignments.
+AUTH_LDAP_MIRROR_GROUPS = True
+# For more granular permissions, map LDAP groups to Django groups.
+AUTH_LDAP_FIND_GROUP_PERMS = True
+EOF
+
+    if [ "$LDAP_REQUIRE_GROUP" != "" ]; then
+        cat << EOF
+
+# Define a group required to login.
+AUTH_LDAP_REQUIRE_GROUP = "$LDAP_REQUIRE_GROUP"
+EOF
+    fi
+
+    cat << EOF
+
+# Define special user types using groups. Exercise great caution when assigning superuser status.
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+EOF
+    # superuser
+    if [ "$LDAP_SUPERUSER_GROUP" != "" ]; then
+        echo "    \"is_superuser\": \"$LDAP_SUPERUSER_GROUP\","
+    fi
+    # staff user
+    if [ "$LDAP_STAFF_GROUP" != "" ]; then
+        echo "    \"is_staff\": \"$LDAP_STAFF_GROUP\","
+    fi
+    echo "}"
+fi

type/__netbox/files/netbox-rq.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=NetBox Request Queue Worker
+Documentation=https://netbox.readthedocs.io/en/stable/
+PartOf=netbox.service
+Wants=network.target
+After=netbox.service
+After=network.target
+After=redis-server.service postgresql.service
+
+[Service]
+Type=simple
+
+User=netbox
+Group=netbox
+WorkingDirectory=/opt/netbox
+
+ExecStart=/opt/netbox/venv/bin/python3 /opt/netbox/netbox/manage.py rqworker
+
+Restart=on-failure
+RestartSec=30
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

type/__netbox/files/netbox.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=NetBox Service Wrapper
+Documentation=https://netbox.readthedocs.io/en/stable/
+Wants=network.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+
+[Install]
+WantedBy=multi-user.target

type/__netbox/files/netbox.socket.sh

@@ -0,0 +1,33 @@
+#!/bin/sh -e
+# __netbox/files/netbox.socket.sh
+
+# This is shared between all WSGI-server types.
+
+# Arguments:
+#  1: File which list all sockets to listen on (sepearated by \n)
+
+if [ $# -ne 1 ]; then
+    printf "netbox.socket.sh: argument \$1 missing or too much given!\n" >&2
+    exit 1
+fi
+
+
+cat << UNIT
+[Unit]
+Description=Socket for NetBox via $TYPE
+
+[Socket]
+UNIT
+
+# read all sockets to listen to
+while read -r line; do
+    printf "ListenStream=%s\n" "$line"
+done < "$1"
+
+cat << UNIT
+SocketUser=netbox
+SocketGroup=www-data
+
+[Install]
+WantedBy=sockets.target
+UNIT

type/__netbox/gencode-remote

@@ -0,0 +1,120 @@
+#!/bin/sh -e
+
+old_version="$(cat "$__object/explorer/version")"
+VERSION=$(cat "$__object/parameter/version")
+
+src="netbox-$VERSION"
+archive="v$VERSION.tar.gz"
+url="https://github.com/netbox-community/netbox/archive/$archive"
+install_dir=/opt/netbox/netbox
+
+if [ "$VERSION" != "$old_version" ]; then
+    cat << EOF
+# Ensure that coreutils is installed.
+if [ ! -x \$(which mktemp) ]; then
+  echo "mktemp is not available on the remote host." >&2
+  exit 1
+fi
+
+# Create temporary working directory.
+tmpdir=\$(mktemp -d)
+cd "\$tmpdir"
+
+# Download and extract sources.
+curl -sS -L '$url' > '$archive'
+tar xf '$archive'
+
+
+# virtualenv is given already by __pyvenv, just using it
+
+# backup requirement files
+if [ -f /opt/netbox/requirements.txt ]; then
+    mv /opt/netbox/requirements.txt /opt/netbox/old-requirements.txt
+else
+    # preseve file-not-found errors and warnings
+    touch /opt/netbox/old-requirements.txt
+fi
+cp '$src/requirements.txt' /opt/netbox/
+
+# Uninstall packages not required anymore
+# if versions not be shortend, they will be ignored by pip, but not by comm
+# all of this could be done with grep, too, but it's still must be shortend with awk
+awk -F== '{print \$1}' '/opt/netbox/requirements.txt' | sort > "\$tmpdir/curr-reqs.txt"
+awk -F== '{print \$1}' '/opt/netbox/old-requirements.txt' | sort > "\$tmpdir/old-reqs.txt"
+comm -23 "\$tmpdir/old-reqs.txt" "\$tmpdir/curr-reqs.txt" > "\$tmpdir/pip-uninstall.txt"
+
+# only uninstall if something is available (to avoid errors cause of this)
+if [ -s "\$tmpdir/pip-uninstall.txt" ]; then
+    /opt/netbox/venv/bin/pip3 uninstall -qy -r "\$tmpdir/pip-uninstall.txt"
+fi
+
+# Install python dependencies.
+#  avoid gunicorn, because it will be done in an other type
+grep -v "^gunicorn==" "\$tmpdir/$src/requirements.txt" \
+    | xargs /opt/netbox/venv/bin/pip3 install -q
+EOF
+
+    if [ -f "$__object/parameter/ldap-server" ]; then
+        echo "/opt/netbox/venv/bin/pip3 install -q django-auth-ldap"
+    else
+        echo "/opt/netbox/venv/bin/pip3 uninstall -qy django-auth-ldap"
+    fi
+
+    cat << EOF
+
+# Deploy sources and restore configuration.
+rm -rf '$install_dir'
+cp -r '$src/netbox' '$install_dir'
+# force links to the cdist directory
+ln -fs /opt/netbox/cdist/configuration.py '$install_dir/netbox/configuration.py'
+ln -fs /opt/netbox/cdist/ldap_config.py '$install_dir/netbox/ldap_config.py'
+
+# Set final permissions.
+chown -R netbox /opt/netbox
+
+
+# NetBox manage scripts
+# Run database migrations.
+sudo -u netbox /opt/netbox/venv/bin/python3 /opt/netbox/netbox/manage.py migrate
+# Generate static assets.
+sudo -u netbox /opt/netbox/venv/bin/python3 /opt/netbox/netbox/manage.py collectstatic --no-input
+# Delete any stale content types
+sudo -u netbox /opt/netbox/venv/bin/python3 /opt/netbox/netbox/manage.py remove_stale_contenttypes --no-input
+# Delete any expired user sessions
+sudo -u netbox /opt/netbox/venv/bin/python3 /opt/netbox/netbox/manage.py clearsessions
+# Clear all cached data
+sudo -u netbox /opt/netbox/venv/bin/python3 /opt/netbox/netbox/manage.py invalidate all
+
+# Remove temporary working directory.
+cd /
+rm -rf "\$tmpdir"
+
+# Save version after successful installation
+printf "%s\\n" "$VERSION" > /opt/netbox/cdist/version
+
+EOF
+
+    # meta
+    printf "installed %s\n" "$VERSION" >> "$__messages_out"
+    changes=yes
+fi
+
+# check if configuration changed
+if grep -q "^__file/opt/netbox/" "$__messages_in"; then
+    # meta
+    printf "configured\n" >> "$__messages_out"
+    changes=yes
+fi
+
+
+# Check for changes
+if [ "$changes" = "yes" ]; then
+    # After the upstream upgrade.sh script, it's ok to migrate while the
+    # application is running ;)
+
+    # restarting after changes
+    cat << EOF
+# Restart service. All required services are included with netbox.service.
+systemctl restart netbox
+EOF
+fi

type/__netbox/man.rst

@@ -0,0 +1,274 @@
+cdist-type__netbox(7)
+=====================
+
+NAME
+----
+cdist-type__netbox - Install and configure NetBox
+
+
+DESCRIPTION
+-----------
+This (singleton) type installs and configures a NetBox instance, a web
+application to help manage and document computer networks.
+
+It installs it with the user ``netbox`` at ``/opt/netbox`` with `python-venv`.
+It setup systemd unit files for the services `netbox` and `netbox-rq`. The
+`netbox` service only wrap all netbox related services, e.g. restarting and
+so one will be delegated to all related services.
+
+The application is still not accessable because a WSGI server is required. To
+access the application through WSGI, uWSGI or Gunicorn can be used. The setup
+can be done via there own types `__netbox_gunicorn` and `__netbox_uwsgi`.
+
+The Gunicorn setup is recommended from the NetBox documentation. Consult each
+manual page to decide. The types must be called after the `__netbox` type.
+
+
+REQUIRED PARAMETERS
+-------------------
+version
+    NetBox version to be installed. You can find the correct and newest version
+    on GitHub at the NetBox project page under
+    "`Releases <https://github.com/netbox-community/netbox/releases>`_".
+
+database
+    PostgreSQL database name.
+
+database-user
+    PostgreSQL database user.
+
+database-password
+    PostgreSQL database password.
+
+host
+    Hostname (domain or IP address) on which the application is served.
+    Multiple hostnames are possible; given as multiple arguments.
+
+
+OPTIONAL PARAMETERS
+-------------------
+secret-key
+    Random secret key of at least 50 alphanumeric characters and symbols. This
+    key must be unique to this installation and must not be shared outside the
+    local system. If no secret key is given, the type generates an own 50 chars
+    long key and saves it on the remote host to remember it for the next run.
+
+    The secret, random string is used to assist in the creation new
+    cryptographic hashes for passwords and HTTP cookies. It is not directly
+    used for hasing user passwords or for encrpted storage. It can be changed
+    at any time, but will invalidate all existing sessions.
+
+database-host
+    PostgreSQL database hostname. Defaults to ``localhost``.
+
+database-port
+    PostgreSQL database port. Defaults to empty (uses the default port).
+
+ldap-server
+    LDAP server URI. Enables LDAP-backed authentication if specified.
+
+ldap-bind-dn
+    DN for the NetBox service account. Required for LDAP authentication.
+
+ldap-bind-password
+    Password for the NetBox service account. Required for LDAP authentication.
+
+ldap-user-base
+    Base used for searching user entries. Required for LDAP authentication.
+
+ldap-group-base
+    Base used for searching group entries.
+
+ldap-require-group
+    Group required to login.
+
+ldap-staff-group
+    Make members of this group to "staff". This gives the users "Admin Access",
+    which means access to the "NetBox Administration" site.
+
+ldap-superuser-group
+    Make members of this groups superusers.
+
+redis-host
+    Redis database hostname. Defaults to ``localhost``.
+
+redis-port
+    Redis database port. Defaults to ``6379``.
+
+redis-password
+    Redis password. Defaults to empty password.
+
+redis-dbid-offset
+    Offset to set the redis database id's. The `tasks` database id is
+    `offset + 0` and `caching` is `offset + 1`. The offset defaults to ``0``.
+
+smtp-host
+    Host of the SMTP email server. Defaults to ``localhost``.
+
+smtp-port
+    Port of the SMTP email server. Defaults to ``25``.
+
+smtp-user
+    Username to access the SMTP email server. Defaults to empty.
+
+smtp-password
+    Password to access the SMTP email server. Defaults to empty.
+
+smtp-from-email
+    Email from which NetBox will be sent of. Defaults to empty.
+
+basepath
+    Base URL path if accessing netbox within a directory instead of directly the
+    webroot ``/``. For example, if installed at https://example.com/netbox/, set
+    the value ``netbox/``.
+
+https-proxy
+    Proxy which will be used with any HTTP request like webhooks.
+
+data-root
+    This parameter set's the media, reports and scripts root to subdirectories
+    of the given directory. Values can be overwritten by special parameters like
+    `--media-root` for example. Use this option if you want to store persistant
+    data of netbox on an other partition. A trailing slash is not needed.
+
+    The data directories have following predefined sub-directory names:
+
+    media root:
+        ``$data_root/media``
+    reports root:
+        ``$data_root/reports``
+    scripts root:
+        ``$data_root/scripts``
+
+    To preserve all data from installation upgrades - which just replace the
+    installation directory - the data will be kept in the netbox home directory
+    rather than the installation directory by default (``/opt/netbox/data/``).
+    This way, no data will be deleted after the installation directory
+    replacement because it remains outside of the installation directory.
+
+media-root
+    The file path to where media files (like image attachments) are stored.
+    Change this path if you require to store data on an other partiotion.
+    A trailing slash is not needed. Defaults to ``$data_root/media``.
+
+reports-root
+    The file path of where custom reports are kept. Change this path if you
+    require to store data on an other partition. A trailing slash is not
+    needed. Defaults to ``$data_root/reports``.
+
+scripts-root
+    The file path of where custom scripts are kept. Change this path if you
+    require to store data on an other partition. A trailing slash is not
+    needed. Defaults to ``$data_root/scripts``.
+
+
+BOOLEAN PARAMETERS
+------------------
+redis-ssl
+    Enables a secure TLS/SSL connection to the redis database. By default, ssl
+    is disabled.
+
+smtp-use-tls
+    Uses TLS to connect to the SMTP email server. `See documentation
+    <https://docs.djangoproject.com/en/3.1/ref/settings/#email-use-tls>`__
+    for more information.
+
+smtp-use-ssl
+    Uses implicit TLS with the SMTP email server. `See documentation
+    <https://docs.djangoproject.com/en/3.1/ref/settings/#email-use-ssl>`__
+    for more information.
+
+login-required
+    Sets if a login is required to access all sites. By default, anonymous
+    users can see most data (excluding secrets) but not make any changes.
+
+update-notify
+    Enables the NetBox version check for new upstream updates. It checks every
+    24 hours for new releases and notify the admin users in the gui if any.
+
+
+MESSAGES
+--------
+installed $VERSION
+    Netbox was fresh installed or updated. The new version number is appended.
+
+configured
+    Some configuration files got updated and therefore the service was
+    restarted. This message will not be echoed if configuration got updated due
+    a standard installation.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+  __netbox --version 2.8.7 --database netbox \
+                --database-password "secretsecretsecret" \
+                --secret-key "secretsecretsecret" \
+                --host "${__target_host:?}" \
+                --host "cool-netbox.xyz" \
+                --ldap-server "ldaps://ldap.domain.tld" \
+                --ldap-bind-dn "uid=netbox,ou=services,dc=domain,dc=tld" \
+                --ldap-bind-password "secretsecretsecret" \
+                --ldap-user-base "ou=users,dc=domain,dc=tld" \
+                --ldap-group-base "ou=groups,dc=domain,dc=tld" \
+                --ldap-require-group "cn=netbox-login,ou=groups,dc=domain,dc=tld" \
+                --ldap-superuser-group "cn=netbox-admin,ou=groups,dc=domain,dc=tld"
+  # using recommended gunicorn setup
+  require="__netbox" __netbox_gunicorn
+
+
+NOTES
+-----
+The configuration of NetBox contains more optional settings than that what can
+be set with this type. If you think an important setting is missing or there
+is a more good way to inject python code for dynamic configuration variables,
+you are welcome to contribute!
+
+- `Possible optional settings
+  <https://netbox.readthedocs.io/en/stable/configuration/optional-settings/>`_
+
+If you not setup ldap authentification, you may be interested into how to
+`setting up a super user
+<https://netbox.readthedocs.io/en/stable/installation/3-netbox/#create-a-super-user>`_
+directly on the machine to be able to access and use NetBox.
+
+You may also be interested of writing a own type which handles the creation of
+the super user. To do this non-interactivly, see the ansible role as `reference
+<https://github.com/lae/ansible-role-netbox/blob/18f46a3345f100936c5116abe716c480e1886676/vars/main.yml#L15>`_.
+
+If you change the secret key while the netbox instance is running, there is a
+time frame where the access to the application corrupts the whole database.
+Then, you need to restore a backup or wipe the database.
+
+Currently, the cause is not clear, but it should work if you do not touch
+netbox while the configuration is done (do not shut it down, too). It only
+applies for changes of the secret key, which not happen normally.
+
+Maybe the `--restart` flag for the `__systemd_unit` types is not the best idea,
+but avoids that the changes will not be applied. It could be solved if the type
+would send messages from his actions.
+
+
+SEE ALSO
+--------
+`NetBox documentation <https://netbox.readthedocs.io/en/stable/>`_
+
+:strong:`cdist-type__netbox_gunicorn`\ (7)
+:strong:`cdist-type__netbox_uwsgi`\ (7)
+
+
+AUTHORS
+-------
+Timothée Floure <t.floure@e-durable.ch>
+Matthias Stecher <matthiasstecher@gmx.de>
+
+
+COPYING
+-------
+Copyright \(C) 2020 Timothée Floure.
+Copyright \(C) 2020 Matthias Stecher.
+You can redistribute it and/or modify it under the terms of the GNU
+General Public License as published by the Free Software Foundation,
+either version 3 of the License, or (at your option) any later version.

type/__netbox/manifest

@@ -0,0 +1,226 @@
+#!/bin/sh -e
+
+os=$(cat "$__global/explorer/os")
+
+case "$os" in
+    debian|ubuntu)
+        # Install netbox dependencies.
+        for pkg in python3-pip python3-venv python3-dev build-essential libxml2-dev \
+                   libxslt1-dev libffi-dev libpq-dev libssl-dev zlib1g-dev curl sudo; do
+            __package $pkg
+        done
+
+        if [ -f "$__object/parameter/ldap-server" ]; then
+            for pkg in libldap2-dev libsasl2-dev libssl-dev; do
+                __package $pkg
+            done
+        fi
+        ;;
+    *)
+        printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
+        printf "Please contribute an implementation for it if you can.\n" >&2
+        exit 1
+        ;;
+esac
+
+
+DATABASE_NAME=$(cat "$__object/parameter/database")
+export DATABASE_NAME
+DATABASE_USER="$(cat "$__object/parameter/database-user")"
+export DATABASE_USER
+DATABASE_PASSWORD=$(cat "$__object/parameter/database-password")
+export DATABASE_PASSWORD
+DATABASE_HOST="$(cat "$__object/parameter/database-host")"
+export DATABASE_HOST
+DATABASE_PORT="$(cat "$__object/parameter/database-port")"
+export DATABASE_PORT
+
+# list of hosts
+ALLOWED_HOSTS=""
+while read -r hostname; do
+    # shellcheck disable=SC2089
+    ALLOWED_HOSTS="$ALLOWED_HOSTS '$hostname',"
+done < "$__object/parameter/host"
+# shellcheck disable=SC2090
+export ALLOWED_HOSTS
+
+if [ -f "$__object/parameter/secret-key" ]; then
+    SECRET_KEY=$(cat "$__object/parameter/secret-key")
+elif [ -s "$__object/explorer/secretkey" ]; then
+    # take the key that is already used
+    SECRET_KEY="$(cat "$__object/explorer/secretkey")"
+else
+    # Can be done over netbox/generate_secret_key.py too, but it can't be
+    # generated right now where it's required (only if it's preloaded for
+    # this type to execute it now).
+    # Generates a 50-character long key with the same character set like
+    # the helper script. Must escape the '-' to be no character range.
+    SECRET_KEY="$(tr -cd '!@#$%^&*(\-_=+)[:alnum:]' < /dev/urandom | head -c50)"
+fi
+export SECRET_KEY
+
+if [ -f "$__object/parameter/ldap-server" ]; then
+    LDAP_SERVER=$(cat "$__object/parameter/ldap-server")
+    USE_LDAP=yes
+    export LDAP_SERVER
+fi
+if [ -f "$__object/parameter/ldap-bind-dn" ]; then
+    LDAP_BIND_DN=$(cat "$__object/parameter/ldap-bind-dn")
+    USE_LDAP=yes
+    export LDAP_BIND_DN
+fi
+if [ -f "$__object/parameter/ldap-bind-password" ]; then
+    LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password")
+    USE_LDAP=yes
+    export LDAP_BIND_PASSWORD
+fi
+if [ -f "$__object/parameter/ldap-user-base" ]; then
+    LDAP_USER_BASE=$(cat "$__object/parameter/ldap-user-base")
+    USE_LDAP=yes
+    export LDAP_USER_BASE
+fi
+if [ -f "$__object/parameter/ldap-group-base" ]; then
+    LDAP_GROUP_BASE=$(cat "$__object/parameter/ldap-group-base")
+    export LDAP_GROUP_BASE
+fi
+if [ -f "$__object/parameter/ldap-require-group" ]; then
+    LDAP_REQUIRE_GROUP=$(cat "$__object/parameter/ldap-require-group")
+    export LDAP_REQUIRE_GROUP
+fi
+if [ -f "$__object/parameter/ldap-superuser-group" ]; then
+    LDAP_SUPERUSER_GROUP=$(cat "$__object/parameter/ldap-superuser-group")
+    export LDAP_SUPERUSER_GROUP
+fi
+if [ -f "$__object/parameter/ldap-staff-group" ]; then
+    LDAP_STAFF_GROUP="$(cat "$__object/parameter/ldap-staff-group")"
+    export LDAP_STAFF_GROUP
+fi
+# export if base ldap parameters are used
+export USE_LDAP
+
+# have default values
+REDIS_HOST="$(cat "$__object/parameter/redis-host")"
+export REDIS_HOST
+REDIS_PORT="$(cat "$__object/parameter/redis-port")"
+export REDIS_PORT
+REDIS_PASSWORD="$(cat "$__object/parameter/redis-password")"
+export REDIS_PASSWORD
+REDIS_DBID_OFFSET="$(cat "$__object/parameter/redis-dbid-offset")"
+export REDIS_DBID_OFFSET
+if [ -f "$__object/parameter/redis-ssl" ]; then
+    REDIS_SSL="True"
+else
+    REDIS_SSL="False"
+fi
+export REDIS_SSL
+
+SMTP_HOST="$(cat "$__object/parameter/smtp-host")"
+export SMTP_HOST
+SMTP_PORT="$(cat "$__object/parameter/smtp-port")"
+export SMTP_PORT
+SMTP_USER="$(cat "$__object/parameter/smtp-user")"
+export SMTP_USER
+SMTP_PASSWORD="$(cat "$__object/parameter/smtp-password")"
+export SMTP_PASSWORD
+SMTP_FROM_EMAIL="$(cat "$__object/parameter/smtp-from-email")"
+export SMTP_FROM_EMAIL
+
+if [ -f "$__object/parameter/smtp-use-ssl" ]; then
+    SMTP_USE_SSL="True"
+else
+    SMTP_USE_SSL="False"
+fi
+export SMTP_USE_SSL
+if [ -f "$__object/parameter/smtp-use-tls" ]; then
+    if [ "$SMTP_USE_SSL" = "True" ]; then
+        echo "options --smtp-use-ssl and --smtp-use-tls are not compatible" >&2
+        exit 2
+    fi
+    SMTP_USE_TLS="True"
+else
+    SMTP_USE_TLS="False"
+fi
+export SMTP_USE_TLS
+
+BASEPATH="$(cat "$__object/parameter/basepath")"
+export BASEPATH
+
+if [ -f "$__object/parameter/http-proxy" ]; then
+    HTTP_PROXY=$(cat "$__object/parameter/http-proxy")
+    export HTTP_PROXY
+fi
+if [ -f "$__object/parameter/https-proxy" ]; then
+    HTTPS_PROXY=$(cat "$__object/parameter/https-proxy")
+    export HTTPS_PROXY
+fi
+
+if [ -f "$__object/parameter/login-required" ]; then
+    LOGIN_REQUIRED="True"
+else
+    LOGIN_REQUIRED="False"
+fi
+export LOGIN_REQUIRED
+
+data_root="$(cat "$__object/parameter/data-root")"
+MEDIA_ROOT="$data_root/media"
+REPORTS_ROOT="$data_root/reports"
+SCRIPTS_ROOT="$data_root/scripts"
+
+if [ -f "$__object/parameter/media-root" ]; then
+    MEDIA_ROOT="$(cat "$__object/parameter/media-root")"
+fi
+export MEDIA_ROOT
+if [ -f "$__object/parameter/reports-root" ]; then
+    REPORTS_ROOT="$(cat "$__object/parameter/reports-root")"
+fi
+export REPORTS_ROOT
+if [ -f "$__object/parameter/scripts-root" ]; then
+    SCRIPTS_ROOT="$(cat "$__object/parameter/scripts-root")"
+fi
+export SCRIPTS_ROOT
+
+if [ -f "$__object/parameter/update-notify" ]; then
+    UPDATE_CHECK="yes"
+    export UPDATE_CHECK
+fi
+
+
+# Create system user used to run netbox.
+__user netbox --system --home /opt/netbox --create-home
+# Generate python environment (user will be set by gencode-remote)
+require="__user/netbox" __pyvenv /opt/netbox/venv/
+
+# Generate and upload netbox configuration.
+mkdir -p "$__object/files"
+"$__type/files/configuration.py.sh" > "$__object/files/configuration.py"
+"$__type/files/ldap_config.py.sh" > "$__object/files/ldap_config.py"
+
+require="__user/netbox" __directory /opt/netbox/cdist
+require="__directory/opt/netbox/cdist" __file \
+    /opt/netbox/cdist/configuration.py --mode 640 --owner netbox \
+    --source "$__object/files/configuration.py"
+
+if [ -f "$__object/parameter/ldap-server" ]; then
+    require="__directory/opt/netbox/cdist" __file \
+        /opt/netbox/cdist/ldap_config.py --mode 640 --owner netbox \
+        --source "$__object/files/ldap_config.py"
+else
+    require="__directory/opt/netbox/cdist" __file \
+        /opt/netbox/cdist/ldap_config.py --state absent
+fi
+
+# save secret
+require="__directory/opt/netbox/cdist" __file /opt/netbox/cdist/secretkey \
+    --mode 400 --owner netbox --source - << SECRET
+$SECRET_KEY
+SECRET
+
+
+# Upload systemd unit for worker and wsgi service
+# does not restart netbox on change cause it only restart all other services
+__systemd_unit netbox.service \
+    --source "$__type/files/netbox.service" \
+    --enablement-state enabled
+__systemd_unit netbox-rq.service \
+    --source "$__type/files/netbox-rq.service" \
+    --enablement-state enabled --restart

type/__netbox/parameter/boolean

@@ -0,0 +1,5 @@
+redis-ssl
+smtp-use-ssl
+smtp-use-tls
+login-required
+update-notify