Merge branch 'master' of github.com:ungleich/cdist

Signed-off-by: Nico Schottelius <nico@nico-notebook.schottelius.org>

.gitattributes

@@ -0,0 +1,6 @@
+.gitignore export-ignore
+.gitattributes export-ignore
+.gitkeep export-ignore
+docs/speeches export-ignore
+docs/video export-ignore
+docs/src/man7 export-ignore

Makefile

@@ -39,6 +39,11 @@ PYTHON_VERSION=cdist/version.py
 SPHINXM=make -C $(DOCS_SRC_DIR) man
 SPHINXH=make -C $(DOCS_SRC_DIR) html
 SPHINXC=make -C $(DOCS_SRC_DIR) clean
+
+SHELLCHECKCMD=shellcheck -s sh -f gcc -x
+# Skip SC2154 for variables starting with __ since such variables are cdist
+# environment variables.
+SHELLCHECK_SKIP=grep -v ': __.*is referenced but not assigned.*\[SC2154\]'
 ################################################################################
 # Manpages
 #
@@ -54,6 +59,7 @@ MANTYPES=$(subst /man.rst,.rst,$(MANTYPEPREFIX))
 
 # Link manpage: do not create man.html but correct named file
 $(MAN7DSTDIR)/cdist-type%.rst: $(TYPEDIR)/%/man.rst
+	mkdir -p $(MAN7DSTDIR)
 	ln -sf "../../../$^" $@
 
 # Manpages #2: reference
@@ -247,5 +253,34 @@ pub:
 test:
 	$(helper) $@
 
+test-remote:
+	$(helper) $@
+
 pep8:
 	$(helper) $@
+
+shellcheck-global-explorers:
+	@find cdist/conf/explorer -type f -exec $(SHELLCHECKCMD) {} + | $(SHELLCHECK_SKIP) || exit 0
+
+shellcheck-type-explorers:
+	@find cdist/conf/type -type f -path "*/explorer/*" -exec $(SHELLCHECKCMD) {} + | $(SHELLCHECK_SKIP) || exit 0
+
+shellcheck-manifests:
+	@find cdist/conf/type -type f -name manifest -exec $(SHELLCHECKCMD) {} + | $(SHELLCHECK_SKIP) || exit 0
+
+shellcheck-local-gencodes:
+	@find cdist/conf/type -type f -name gencode-local -exec $(SHELLCHECKCMD) {} + | $(SHELLCHECK_SKIP) || exit 0
+
+shellcheck-remote-gencodes:
+	@find cdist/conf/type -type f -name gencode-remote -exec $(SHELLCHECKCMD) {} + | $(SHELLCHECK_SKIP) || exit 0
+
+shellcheck-gencodes: shellcheck-local-gencodes shellcheck-remote-gencodes
+
+shellcheck-types: shellcheck-type-explorers shellcheck-manifests shellcheck-gencodes
+
+shellcheck: shellcheck-global-explorers shellcheck-types
+
+shellcheck-type-files:
+	@find cdist/conf/type -type f -path "*/files/*" -exec $(SHELLCHECKCMD) {} + | $(SHELLCHECK_SKIP) || exit 0
+
+shellcheck-with-files: shellcheck shellcheck-type-files

bin/build-helper

@@ -250,6 +250,7 @@ eof
         "$0" check-date
         "$0" check-unittest
         "$0" check-pep8
+        "$0" shellcheck
 
         # Generate version file to be included in packaging
         "$0" target-version
@@ -359,13 +360,40 @@ eof
         fi
     ;;
 
+    test-remote)
+        export PYTHONPATH="$(pwd -P)"
+        python3 -m cdist.test.exec.remote
+    ;;
+
     pep8)
         pep8 "${basedir}" "${basedir}/scripts/cdist" | less
     ;;
 
     check-pep8)
         "$0" pep8
-        echo "Please review pep8 report."
+        printf "\\nPlease review pep8 report.\\n"
+        while true
+        do
+            echo "Continue (yes/no)?"
+            any=
+            read any
+            case "$any" in
+                yes)
+                    break
+                ;;
+                no)
+                    exit 1
+                ;;
+                *)
+                    echo "Please answer with 'yes' or 'no' explicitly."
+                ;;
+        esac
+        done
+    ;;
+
+    shellcheck)
+        make helper=${helper} WEBDIR=${WEBDIR} shellcheck
+        printf "\\nPlease review shellcheck report.\\n"
         while true
         do
             echo "Continue (yes/no)?"

bin/build-helper.freebsd

@@ -285,6 +285,7 @@ eof
         "$0" check-date
         "$0" check-unittest
         "$0" check-pep8
+        "$0" shellcheck
 
         # Generate version file to be included in packaging
         "$0" target-version
@@ -421,13 +422,40 @@ eof
         fi
     ;;
 
+    test-remote)
+        export PYTHONPATH="$(pwd -P)"
+        python3 -m cdist.test.exec.remote
+    ;;
+
     pep8)
         pep8 "${basedir}" "${basedir}/scripts/cdist" | less
     ;;
 
     check-pep8)
         "$0" pep8
-        echo "Please review pep8 report."
+        printf "\\nPlease review pep8 report.\\n"
+        while true
+        do
+            echo "Continue (yes/no)?"
+            any=
+            read any
+            case "$any" in
+                yes)
+                    break
+                ;;
+                no)
+                    exit 1
+                ;;
+                *)
+                    echo "Please answer with 'yes' or 'no' explicitly."
+                ;;
+        esac
+        done
+    ;;
+
+    shellcheck)
+        make helper=${helper} WEBDIR=${WEBDIR} shellcheck
+        printf "\\nPlease review shellcheck report.\\n"
         while true
         do
             echo "Continue (yes/no)?"

cdist/__init__.py

@@ -83,41 +83,78 @@ class CdistBetaRequired(cdist.Error):
 
 class CdistEntityError(Error):
     """Something went wrong while executing cdist entity"""
-    def __init__(self, entity_name, entity_params, stderr_paths, subject=''):
+    def __init__(self, entity_name, entity_params, stdout_paths,
+                 stderr_paths, subject=''):
         self.entity_name = entity_name
         self.entity_params = entity_params
         self.stderr_paths = stderr_paths
+        self.stdout_paths = stdout_paths
         if isinstance(subject, Error):
             self.original_error = subject
         else:
             self.original_error = None
         self.message = str(subject)
 
+    def _stdpath(self, stdpaths, header_name):
+        result = {}
+        for name, path in stdpaths:
+            if name not in result:
+                result[name] = []
+            try:
+                if os.path.exists(path) and os.path.getsize(path) > 0:
+                    output = []
+                    label_begin = name + ":" + header_name
+                    output.append(label_begin)
+                    output.append('\n')
+                    output.append('-' * len(label_begin))
+                    output.append('\n')
+                    with open(path, 'r') as fd:
+                        output.append(fd.read())
+                    output.append('\n')
+                    result[name].append(''.join(output))
+            except UnicodeError as ue:
+                result[name].append(('Cannot output {}:{} due to: {}.\n'
+                                     'You can try to read the error file "{}"'
+                                     ' yourself.').format(
+                                         name, header_name, ue, path))
+        return result
+
+    def _stderr(self):
+        return self._stdpath(self.stderr_paths, 'stderr')
+
+    def _stdout(self):
+        return self._stdpath(self.stdout_paths, 'stdout')
+
+    def _update_dict_list(self, target, source):
+        for x in source:
+            if x not in target:
+                target[x] = []
+            target[x].extend(source[x])
+
     @property
-    def stderr(self):
+    def std_streams(self):
-        output = []
+        std_dict = {}
-        for stderr_name, stderr_path in self.stderr_paths:
+        self._update_dict_list(std_dict, self._stdout())
-            if (os.path.exists(stderr_path) and
+        self._update_dict_list(std_dict, self._stderr())
-                    os.path.getsize(stderr_path) > 0):
+        return std_dict
-                label_begin = '---- BEGIN ' + stderr_name + ':stderr ----'
-                label_end = '---- END ' + stderr_name + ':stderr ----'
-                output.append('\n' + label_begin)
-                with open(stderr_path, 'r') as fd:
-                    output.append(fd.read())
-                output.append(label_end)
-        return '\n'.join(output)
 
     def __str__(self):
         output = []
         output.append(self.message)
-        header = "\nError processing " + self.entity_name
+        output.append('\n\n')
+        header = "Error processing " + self.entity_name
         under_header = '=' * len(header)
         output.append(header)
+        output.append('\n')
         output.append(under_header)
+        output.append('\n')
         for param_name, param_value in self.entity_params:
             output.append(param_name + ': ' + str(param_value))
-        output.append(self.stderr + '\n')
+            output.append('\n')
-        return '\n'.join(output)
+        output.append('\n')
+        for x in self.std_streams:
+            output.append(''.join(self.std_streams[x]))
+        return ''.join(output)
 
 
 class CdistObjectError(CdistEntityError):
@@ -127,28 +164,39 @@ class CdistObjectError(CdistEntityError):
             ('name', cdist_object.name, ),
             ('path', cdist_object.absolute_path, ),
             ('source', " ".join(cdist_object.source), ),
-            ('type', cdist_object.cdist_type.absolute_path, ),
+            ('type', os.path.realpath(
+                cdist_object.cdist_type.absolute_path), ),
         ]
         stderr_paths = []
         for stderr_name in os.listdir(cdist_object.stderr_path):
             stderr_path = os.path.join(cdist_object.stderr_path,
                                        stderr_name)
             stderr_paths.append((stderr_name, stderr_path, ))
+        stdout_paths = []
+        for stdout_name in os.listdir(cdist_object.stdout_path):
+            stdout_path = os.path.join(cdist_object.stdout_path,
+                                       stdout_name)
+            stdout_paths.append((stdout_name, stdout_path, ))
         super().__init__("object '{}'".format(cdist_object.name),
-                         params, stderr_paths, subject)
+                         params, stdout_paths, stderr_paths, subject)
 
 
 class InitialManifestError(CdistEntityError):
     """Something went wrong while executing initial manifest"""
-    def __init__(self, initial_manifest, stderr_path, subject=''):
+    def __init__(self, initial_manifest, stdout_path, stderr_path, subject=''):
         params = [
             ('path', initial_manifest, ),
         ]
+        stdout_paths = []
+        stdout_paths = [
+            ('init', stdout_path, ),
+        ]
         stderr_paths = []
         stderr_paths = [
             ('init', stderr_path, ),
         ]
-        super().__init__('initial manifest', params, stderr_paths, subject)
+        super().__init__('initial manifest', params, stdout_paths,
+                         stderr_paths, subject)
 
 
 def file_to_list(filename):

cdist/argparse.py

@@ -251,6 +251,11 @@ def get_parsers():
                   'line). If no host or host file is specified then, by '
                   'default, read hosts from stdin.'),
             dest='hostfile', required=False)
+    parser['config_args'].add_argument(
+           '-P', '--timestamp',
+           help=('Timestamp log messages with the current local date and time '
+                 'in the format: YYYYMMDDHHMMSS.us.'),
+           action='store_true', dest='timestamp')
     parser['config_args'].add_argument(
            '-p', '--parallel', nargs='?', metavar='HOST_MAX',
            type=functools.partial(check_lower_bounded_int, lower_bound=1,
@@ -434,7 +439,7 @@ def get_parsers():
 
 
 def handle_loglevel(args):
-    if args.quiet:
+    if hasattr(args, 'quiet') and args.quiet:
         args.verbose = _verbosity_level_off
 
     logging.root.setLevel(_verbosity_level[args.verbose])

cdist/conf/explorer/cpu_cores

@@ -25,13 +25,13 @@
 os=$("$__explorer/os")
 case "$os" in
     "macosx")
-        echo "$(sysctl -n hw.physicalcpu)"
+        sysctl -n hw.physicalcpu
     ;;
 
     *)
         if [ -r /proc/cpuinfo ]; then
             cores="$(grep "core id" /proc/cpuinfo | sort | uniq | wc -l)"
-            if [ ${cores} -eq 0 ]; then
+            if [ "${cores}" -eq 0 ]; then
                 cores="1"
             fi
             echo "$cores"

cdist/conf/explorer/cpu_sockets

@@ -25,14 +25,14 @@
 os=$("$__explorer/os")
 case "$os" in
     "macosx")
-        echo "$(system_profiler SPHardwareDataType | grep "Number of Processors" | awk -F': ' '{print $2}')"
+        system_profiler SPHardwareDataType | grep "Number of Processors" | awk -F': ' '{print $2}'
     ;;
 
     *)
     if [ -r /proc/cpuinfo ]; then
-        sockets="$(grep "physical id" /proc/cpuinfo | sort | uniq | wc -l)"
+        sockets="$(grep "physical id" /proc/cpuinfo | sort -u | wc -l)"
-        if [ ${sockets} -eq 0 ]; then
+        if [ "${sockets}" -eq 0 ]; then
-            sockets="$(cat /proc/cpuinfo | grep "processor" | wc -l)"
+            sockets="$(grep -c "processor" /proc/cpuinfo)"
         fi
         echo "${sockets}"
     fi

cdist/conf/explorer/disks

@@ -1,2 +1,3 @@
-cd /dev
+#!/bin/sh
+cd /dev || exit 0
 echo sd? hd? vd?

cdist/conf/explorer/is-freebsd-jail

@@ -0,0 +1,2 @@
+#!/bin/sh
+sysctl -n security.jail.jailed 2>/dev/null | grep "1" || true

cdist/conf/explorer/kernel_name

@@ -1 +1,2 @@
+#!/bin/sh
 uname -s

cdist/conf/explorer/lsb_codename

@@ -20,8 +20,9 @@
 #
 
 set +e
-case "$($__explorer/os)" in
+case "$("$__explorer/os")" in
    openwrt)
+      # shellcheck disable=SC1091
       (. /etc/openwrt_release && echo "$DISTRIB_CODENAME")
    ;;
    *)

cdist/conf/explorer/lsb_description

@@ -20,8 +20,9 @@
 #
 
 set +e
-case "$($__explorer/os)" in
+case "$("$__explorer/os")" in
    openwrt)
+      # shellcheck disable=SC1091
       (. /etc/openwrt_release && echo "$DISTRIB_DESCRIPTION")
    ;;
    *)

cdist/conf/explorer/lsb_id

@@ -20,8 +20,9 @@
 #
 
 set +e
-case "$($__explorer/os)" in
+case "$("$__explorer/os")" in
    openwrt)
+      # shellcheck disable=SC1091
       (. /etc/openwrt_release && echo "$DISTRIB_ID")
    ;;
    *)

cdist/conf/explorer/lsb_release

@@ -20,8 +20,9 @@
 #
 
 set +e
-case "$($__explorer/os)" in
+case "$("$__explorer/os")" in
    openwrt)
+      # shellcheck disable=SC1091
       (. /etc/openwrt_release && echo "$DISTRIB_RELEASE")
    ;;
    *)

cdist/conf/explorer/machine

@@ -22,6 +22,6 @@
 #
 #
 
-if command -v uname 2>&1 >/dev/null; then
+if command -v uname >/dev/null 2>&1 ; then
    uname -m
 fi

cdist/conf/explorer/machine_type

@@ -22,13 +22,13 @@
 
 # FIXME: other system types (not linux ...)
 
-if [ -d "/proc/vz" -a ! -d "/proc/bc" ]; then
+if [ -d "/proc/vz" ] && [ ! -d "/proc/bc" ]; then
     echo openvz
     exit
 fi
 
 if [ -e "/proc/1/environ" ] &&
-    cat "/proc/1/environ" | tr '\000' '\n' | grep -Eiq '^container='; then
+    tr '\000' '\n' < "/proc/1/environ" | grep -Eiq '^container='; then
     echo lxc
     exit
 fi

cdist/conf/explorer/os_release

@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# 2018 Adam Dej (dejko.a at gmail.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+# See os-release(5) and http://0pointer.de/blog/projects/os-release
+
+set +e
+
+cat /etc/os-release || cat /usr/lib/os-release || true

cdist/conf/explorer/os_version

@@ -22,7 +22,7 @@
 #
 #
 
-case "$($__explorer/os)" in
+case "$("$__explorer/os")" in
    amazon)
       cat /etc/system-release
    ;;

cdist/conf/type/__acl/explorer/acl_is

@@ -1,6 +1,6 @@
 #!/bin/sh -e
 #
-# 2011 Steven Armstrong (steven-cdist at armstrong.cc)
+# 2018 Ander Punnar (ander-at-kvlt-dot-ee)
 #
 # This file is part of cdist.
 #
@@ -18,6 +18,6 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-# set defaults
+if [ -e "/$__object_id" ]
-options="$(cat "$__object/parameter/options" 2>/dev/null \
+then getfacl "/$__object_id" | grep -E '^((default:|)(user|group)):[a-z]' || true
-   || echo "" | tee "$__object/parameter/options")"
+fi

cdist/conf/type/__acl/gencode-remote

@@ -0,0 +1,81 @@
+#!/bin/sh -e
+#
+# 2018 Ander Punnar (ander-at-kvlt-dot-ee)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+os="$( cat "$__global/explorer/os" )"
+
+acl_path="/$__object_id"
+
+acl_is="$( cat "$__object/explorer/acl_is" )"
+
+acl_should="$( for parameter in user group
+do
+    if [ ! -f "$__object/parameter/$parameter" ]
+    then continue
+    fi
+    while read -r l
+    do
+        echo "$parameter:$l"
+
+        if [ -f "$__object/parameter/default" ]
+        then echo "default:$parameter:$l"
+        fi
+    done < "$__object/parameter/$parameter"
+done )"
+
+setfacl_exec='setfacl'
+
+if [ -f "$__object/parameter/recursive" ]
+then
+    if echo "$os" | grep -E 'macosx|netbsd|freebsd|openbsd'
+    then
+        echo "$os setfacl do not support recursive operations" >&2
+    else
+        setfacl_exec="$setfacl_exec -R"
+    fi
+fi
+
+if [ -f "$__object/parameter/remove" ]
+then
+    if echo "$os" | grep 'solaris'
+    then
+        # Solaris setfacl behaves differently.
+        # We will not support Solaris for now, because no way to test it.
+        # But adding support should be easy (use -s instead of -m on modify).
+        echo "$os setfacl do not support -x flag for ACL remove" >&2
+    else
+        echo "$acl_is" | while read -r acl
+        do
+            if echo "$acl_should" | grep -Fq "$acl"
+            then continue
+            fi
+
+            no_bits="$( echo "$acl" | sed -r 's/:[rwx-]+$//' )"
+
+            echo "$setfacl_exec -x \"$no_bits\" \"$acl_path\""
+        done
+    fi
+fi
+
+for acl in $acl_should
+do
+    if ! echo "$acl_is" | grep -Eq "^$acl"
+    then echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
+    fi
+done

cdist/conf/type/__acl/man.rst

@@ -0,0 +1,62 @@
+cdist-type__acl(7)
+==================
+
+NAME
+----
+cdist-type__acl - Basic wrapper around `setfacl`
+
+
+DESCRIPTION
+-----------
+ACL must be defined as 3-symbol combination, using `r`, `w`, `x` and `-`.
+
+See setfacl(1) and acl(5) for more details.
+
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
+user
+   Add user ACL entry.
+
+group
+   Add group ACL entry.
+
+
+BOOLEAN PARAMETERS
+------------------
+recursive
+   Operate recursively (Linux only).
+
+default
+   Add default ACL entries.
+
+remove
+   Remove undefined ACL entries (Solaris not supported).
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __acl /srv/project \
+        --recursive \
+        --default \
+        --remove \
+        --user alice:rwx \
+        --user bob:r-x \
+        --group project-group:rwx \
+        --group some-other-group:r-x
+
+
+AUTHORS
+-------
+Ander Punnar <ander-at-kvlt-dot-ee>
+
+
+COPYING
+-------
+Copyright \(C) 2018 Ander Punnar. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__acl/parameter/boolean

@@ -0,0 +1,3 @@
+recursive
+default
+remove

cdist/conf/type/__acl/parameter/optional_multiple

@@ -0,0 +1,2 @@
+user
+group

cdist/conf/type/__apt_ppa/explorer/state

@@ -23,10 +23,11 @@
 
 name="$__object_id"
 
+# shellcheck disable=SC1091
 . /etc/lsb-release
 
 repo_name="${name#ppa:}"
-repo_file_name="$(echo "$repo_name" | sed -e "s|[/:]|-|" -e "s|\.|_|")-${DISTRIB_CODENAME}.list"
+repo_file_name="$(echo "$repo_name" | sed -e 's|[/:]|-|' -e 's|\.|_|')-${DISTRIB_CODENAME}.list"
 
 [ -s "/etc/apt/sources.list.d/${repo_file_name}" ] \
    && echo present || echo absent

cdist/conf/type/__apt_ppa/gencode-remote

@@ -29,9 +29,9 @@ fi
 
 case "$state_should" in
    present)
-      echo add-apt-repository \"$name\"
+      echo "add-apt-repository '$name'"
    ;;
    absent)
-      echo remove-apt-repository \"$name\"
+      echo "remove-apt-repository '$name'"
    ;;
 esac

cdist/conf/type/__apt_ppa/manifest

@@ -18,8 +18,6 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-name="$__object_id"
-
 __package software-properties-common
 
 require="__package/software-properties-common" \

cdist/conf/type/__block/manifest

@@ -18,8 +18,6 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-
-file="$(cat "$__object/parameter/file" 2>/dev/null || echo "/$__object_id")"
 prefix=$(cat "$__object/parameter/prefix" 2>/dev/null || echo "#cdist:__block/$__object_id")
 suffix=$(cat "$__object/parameter/suffix" 2>/dev/null || echo "#/cdist:__block/$__object_id")
 text=$(cat "$__object/parameter/text")

cdist/conf/type/__ccollect_source/gencode-remote

@@ -42,21 +42,20 @@ get_current_value() {
 }
 
 set_group() {
-    echo chgrp \"$1\" \"$destination\"
+    echo "chgrp '$1' '$destination'"
-    echo chgrp $1 >> "$__messages_out"
+    echo "chgrp '$1'" >> "$__messages_out"
 }
 
 set_owner() {
-    echo chown \"$1\" \"$destination\"
+    echo "chown '$1' '$destination'"
-    echo chown $1 >> "$__messages_out"
+    echo "chown '$1'" >> "$__messages_out"
 }
 
 set_mode() {
-   echo chmod \"$1\" \"$destination\"
+   echo "chmod '$1' '$destination'"
-   echo chmod $1 >> "$__messages_out"
+   echo "chmod '$1'" >> "$__messages_out"
 }
 
-set_attributes=
 case "$state_should" in
     present|exists)
     # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
@@ -67,11 +66,11 @@ case "$state_should" in
 
             # change 0xxx format to xxx format => same as stat returns
             if [ "$attribute" = mode ]; then
-                value_should="$(echo $value_should | sed 's/^0\(...\)/\1/')"
+                value_should="$(echo "$value_should" | sed 's/^0\(...\)/\1/')"
             fi
             
             value_is="$(get_current_value "$attribute" "$value_should")"
-            if [ -f "$__object/files/set-attributes" -o "$value_should" != "$value_is" ]; then
+            if [ -f "$__object/files/set-attributes" ] || [ "$value_should" != "$value_is" ]; then
                 "set_$attribute" "$value_should"
             fi
         fi
@@ -81,7 +80,7 @@ case "$state_should" in
 
     absent)
         if [ "$type" = "file" ]; then
-            echo rm -f \"$destination\"
+            echo "rm -f '$destination'"
             echo remove >> "$__messages_out"
         fi
     ;;

cdist/conf/type/__ccollect_source/manifest

@@ -22,7 +22,7 @@ name="$__object_id"
 state="$(cat "$__object/parameter/state")"
 source="$(cat "$__object/parameter/source")"
 destination="$(cat "$__object/parameter/destination")"
-ccollectconf="$(cat "$__object/parameter/ccollectconf" | sed 's,/$,,')"
+ccollectconf="$(sed 's,/$,,' "$__object/parameter/ccollectconf")"
 
 sourcedir="$ccollectconf/sources"
 basedir="$sourcedir/$name"
@@ -55,5 +55,5 @@ if [ -f "$__object/parameter/exclude" ]; then
 fi
 
 if [ -f "$__object/parameter/create-destination" ]; then
-    __directory "${destination}" --parents --state ${state}
+    __directory "${destination}" --parents --state "${state}"
 fi

cdist/conf/type/__config_file/manifest

@@ -19,7 +19,8 @@
 #
 
 set -- "/${__object_id}"
-for param in $(ls "$__object/parameter/"); do
+cd "$__object/parameter/"
+for param in *; do
    case "$param" in
       source)
          source="$(cat "$__object/parameter/source")"

cdist/conf/type/__consul/gencode-remote

@@ -39,7 +39,7 @@ version_dir="$versions_dir/$version"
 
 source=$(cat "$version_dir/source")
 source_file_name="${source##*/}"
-cksum_should=$(cat "$version_dir/cksum" | cut -d' ' -f1,2)
+cksum_should=$(cut -d' ' -f1,2 "$version_dir/cksum")
 
 cat << eof
     tmpdir=\$(mktemp -d --tmpdir="/tmp" "${__type##*/}.XXXXXXXXXX")

cdist/conf/type/__consul/man.rst

@@ -40,9 +40,11 @@ MESSAGES
 If consul binary is created using __staged_file then underlaying __file type messages are emitted.
 
 If consul binary is created by direct method then the following messages are emitted:
+
 /usr/local/bin/consul created
     consul binary was created
 
+
 EXAMPLES
 --------
 

cdist/conf/type/__consul_agent/files/consul.sysv-debian

@@ -20,14 +20,14 @@
 #
 ### BEGIN INIT INFO
 # Provides:          consul
-# Required-Start:    $remote_fs
+# Required-Start:    $network $local_fs $remote_fs
-# Required-Stop:     $remote_fs
+# Required-Stop:     $local_fs
-# Should-Start:      $all
+# Should-Start:
-# Should-Stop:       $all
+# Should-Stop:
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
 # Short-Description: consul
 # Description:       consul agent
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
 ### END INIT INFO
 
 if [ -f "/etc/default/consul" ]; then

cdist/conf/type/__consul_agent/manifest

@@ -66,7 +66,7 @@ require="__directory/etc/consul" \
    __directory "$conf_dir" \
       --owner root --group "$group" --mode 750 --state "$state"
 
-if [ -f "$__object/parameter/ca-file-source" -o -f "$__object/parameter/cert-file-source" -o -f "$__object/parameter/key-file-source" ]; then
+if [ -f "$__object/parameter/ca-file-source" ] || [ -f "$__object/parameter/cert-file-source" ] || [ -f "$__object/parameter/key-file-source" ]; then
    # create directory for ssl certs
    require="__directory/etc/consul" \
       __directory /etc/consul/ssl \
@@ -84,7 +84,8 @@ echo "{"
 # parameters we define ourself
 printf '   "data_dir": "%s"\n' "$data_dir"
 
-for param in $(ls "$__object/parameter/"); do
+cd "$__object/parameter/"
+for param in *; do
    case "$param" in
       state|user|group|json-config) continue ;;
       ca-file-source|cert-file-source|key-file-source)

cdist/conf/type/__consul_check/manifest

@@ -40,7 +40,7 @@ if [ ! -f "$__object/parameter/interval" ]; then
       fi
    done
 fi
-if [ -f "$__object/parameter/docker-container-id" -a ! -f "$__object/parameter/script" ]; then
+if [ -f "$__object/parameter/docker-container-id" ] && [ ! -f "$__object/parameter/script" ]; then
    echo "When using --docker-container-id you must also define --script." >&2
    exit 1
 fi
@@ -50,7 +50,8 @@ fi
 echo "{"
 printf '   "check": {\n'
 printf '      "name": "%s"\n' "$name"
-for param in $(ls "$__object/parameter/"); do
+cd "$__object/parameter/"
+for param in *; do
    case "$param" in
       state|name) continue ;;
       *)

cdist/conf/type/__consul_service/manifest

@@ -24,15 +24,15 @@ conf_file="service_${name}.json"
 state="$(cat "$__object/parameter/state")"
 
 # Sanity checks
-if [ -f "$__object/parameter/check-script" -a -f "$__object/parameter/check-ttl" ]; then
+if [ -f "$__object/parameter/check-script" ] && [ -f "$__object/parameter/check-ttl" ]; then
    echo "Use either --check-script together with --check-interval OR --check-ttl, but not both" >&2
    exit 1
 fi
-if [ -f "$__object/parameter/check-script" -a ! -f "$__object/parameter/check-interval" ]; then
+if [ -f "$__object/parameter/check-script" ] && [ ! -f "$__object/parameter/check-interval" ]; then
    echo "When using --check-script you must also define --check-interval" >&2
    exit 1
 fi
-if [ -f "$__object/parameter/check-http" -a ! -f "$__object/parameter/check-interval" ]; then
+if [ -f "$__object/parameter/check-http" ] && [ ! -f "$__object/parameter/check-interval" ]; then
    echo "When using --check-http you must also define --check-interval" >&2
    exit 1
 fi
@@ -42,7 +42,8 @@ fi
 echo "{"
 printf '   "service": {\n'
 printf '      "name": "%s"\n' "$name"
-for param in $(ls "$__object/parameter/"); do
+cd "$__object/parameter/"
+for param in *; do
    case "$param" in
       state|name|check-interval) continue ;;
       check-script)

cdist/conf/type/__consul_template/manifest

@@ -75,7 +75,8 @@ require="__directory/etc/consul-template" \
 
 # Generate hcl config file
 (
-for param in $(ls "$__object/parameter/"); do
+cd "$__object/parameter/"
+for param in *; do
    case "$param" in
       auth-password|state|ssl-*|syslog-*|version|vault-token|vault-ssl*) continue ;;
       auth-username)

cdist/conf/type/__consul_template_template/manifest

@@ -26,32 +26,36 @@ template_dir="/etc/consul-template/template"
 require=""
 
 # Sanity checks
-if [ -f "$__object/parameter/source" -a -f "$__object/parameter/source-file" ]; then
+if [ -f "$__object/parameter/source" ] && [ -f "$__object/parameter/source-file" ]; then
    echo "Use either --source OR --source-file, but not both." >&2
    exit 1
 fi
-if [ ! -f "$__object/parameter/source" -a ! -f "$__object/parameter/source-file" ]; then
+if [ ! -f "$__object/parameter/source" ] && [ ! -f "$__object/parameter/source-file" ]; then
    echo "Either --source OR --source-file must be given." >&2
    exit 1
 fi
 
+if [ -f "$__object/parameter/source-file" ]; then
+    destination="${template_dir}/${name}"
+    require="__file${destination}"
+fi
+
 # Generate hcl config file
-(
+{
 printf 'template {\n'
-for param in $(ls "$__object/parameter/"); do
+cd "$__object/parameter/"
+for param in *; do
    case "$param" in
       source-file)
          source="$(cat "$__object/parameter/$param")"
          if [ "$source" = "-" ]; then
             source="$__object/stdin"
          fi
-         destination="${template_dir}/${name}"
          require="__directory${template_dir}" \
             __file "$destination" \
                --owner root --group root --mode 640 \
                --source "$source" \
                --state "$state"
-         export require="__file${destination}"
          printf '   source = "%s"\n' "$destination"
 
       ;;
@@ -65,7 +69,7 @@ for param in $(ls "$__object/parameter/"); do
    esac
 done
 printf '}\n'
-) | \
+} | \
 require="$require __directory${conf_dir}" \
    __config_file "${conf_dir}/${conf_file}" \
       --owner root --group root --mode 640 \

cdist/conf/type/__consul_watch_checks/manifest

@@ -25,7 +25,7 @@ conf_file="watch_${watch_type}_${__object_id}.json"
 state="$(cat "$__object/parameter/state")"
 
 # Sanity checks
-if [ -f "$__object/parameter/filter-service" -a -f "$__object/parameter/filter-state" ]; then
+if [ -f "$__object/parameter/filter-service" ] && [ -f "$__object/parameter/filter-state" ]; then
    echo "Use either --filter-service or --filter-state but not both." >&2
    exit 1
 fi
@@ -35,7 +35,8 @@ fi
 echo "{"
 printf '   "watches": [{\n'
 printf '      "type": "%s"\n' "$watch_type"
-for param in $(ls "$__object/parameter/"); do
+cd "$__object/parameter/"
+for param in *; do
    case "$param" in
       state) continue ;;
       filter-*)

cdist/conf/type/__consul_watch_event/manifest

@@ -29,7 +29,8 @@ state="$(cat "$__object/parameter/state")"
 echo "{"
 printf '   "watches": [{\n'
 printf '      "type": "%s"\n' "$watch_type"
-for param in $(ls "$__object/parameter/"); do
+cd "$__object/parameter/"
+for param in *; do
    case "$param" in
       state) continue ;;
       *)

cdist/conf/type/__consul_watch_key/manifest

@@ -29,7 +29,8 @@ state="$(cat "$__object/parameter/state")"
 echo "{"
 printf '   "watches": [{\n'
 printf '      "type": "%s"\n' "$watch_type"
-for param in $(ls "$__object/parameter/"); do
+cd "$__object/parameter/"
+for param in *; do
    case "$param" in
       state) continue ;;
       *)

cdist/conf/type/__consul_watch_keyprefix/manifest

@@ -29,7 +29,8 @@ state="$(cat "$__object/parameter/state")"
 echo "{"
 printf '   "watches": [{\n'
 printf '      "type": "%s"\n' "$watch_type"
-for param in $(ls "$__object/parameter/"); do
+cd "$__object/parameter/"
+for param in *; do
    case "$param" in
       state) continue ;;
       *)

cdist/conf/type/__consul_watch_nodes/manifest

@@ -29,7 +29,8 @@ state="$(cat "$__object/parameter/state")"
 echo "{"
 printf '   "watches": [{\n'
 printf '      "type": "%s"\n' "$watch_type"
-for param in $(ls "$__object/parameter/"); do
+cd "$__object/parameter/"
+for param in *; do
    case "$param" in
       state) continue ;;
       *)

cdist/conf/type/__consul_watch_service/manifest

@@ -29,7 +29,8 @@ state="$(cat "$__object/parameter/state")"
 echo "{"
 printf '   "watches": [{\n'
 printf '      "type": "%s"\n' "$watch_type"
-for param in $(ls "$__object/parameter/"); do
+cd "$__object/parameter/"
+for param in *; do
    case "$param" in
       state) continue ;;
       passingonly)

cdist/conf/type/__consul_watch_services/manifest

@@ -29,7 +29,8 @@ state="$(cat "$__object/parameter/state")"
 echo "{"
 printf '   "watches": [{\n'
 printf '      "type": "%s"\n' "$watch_type"
-for param in $(ls "$__object/parameter/"); do
+cd "$__object/parameter/"
+for param in *; do
    case "$param" in
       state) continue ;;
       *)

cdist/conf/type/__cron/explorer/entry

@@ -24,7 +24,7 @@ user="$(cat "$__object/parameter/user")"
 
 if [ -f "$__object/parameter/raw_command" ]; then
     command="$(cat "$__object/parameter/command")"
-    crontab -u $user -l 2>/dev/null | grep "^$command\$" || true
+    crontab -u "$user" -l 2>/dev/null | grep "^$command\$" || true
 else
-    crontab -u $user -l 2>/dev/null | grep "# $name\$" || true
+    crontab -u "$user" -l 2>/dev/null | grep "# $name\$" || true
 fi

cdist/conf/type/__cron/gencode-remote

@@ -58,7 +58,7 @@ state_should="$(cat "$__object/parameter/state" 2>/dev/null || echo "present")"
 # These are the old markers
 prefix="#cdist:__cron/$__object_id"
 suffix="#/cdist:__cron/$__object_id"
-filter="^# DO NOT EDIT THIS FILE|^# \(.* installed on |^# \(Cron version V|^# \(Cronie version .\..\)$"
+filter='^# DO NOT EDIT THIS FILE|^# \(.* installed on |^# \(Cron version V|^# \(Cronie version .\..\)$'
 cat << DONE
 crontab -u $user -l 2>/dev/null | grep -v -E "$filter" | awk -v prefix="$prefix" -v suffix="$suffix" '
 {

cdist/conf/type/__daemontools/manifest

@@ -3,12 +3,13 @@
 pkg=$(cat "$__object/parameter/from-package")
 servicedir=$(cat "$__object/parameter/servicedir")
 
-__package $pkg
+__package "$pkg"
-__directory $servicedir --mode 700
+__directory "$servicedir" --mode 700
 
 os=$(cat "$__global/explorer/os")
 init=$(cat "$__global/explorer/init")
 
+require=""
 case $os in
 	freebsd)
 		# TODO change to __start_on_boot once it supports freebsd

cdist/conf/type/__daemontools_service/explorer/svc

@@ -1 +1,2 @@
+#!/bin/sh
 command -v svc || true

cdist/conf/type/__daemontools_service/manifest

@@ -25,14 +25,14 @@ badusage() {
 [ -z "$run$runfile" ] && badusage
 [ -n "$run" ] && [ -n "$runfile" ] && badusage
 
-__directory $servicedir/$name/log/main --parents
+__directory "$servicedir/$name/log/main" --parents
 
 echo "$RUN_PREFIX$run" | require="__directory/$servicedir/$name/log/main" __config_file "$servicedir/$name/run" \
 	--onchange "svc -t '$servicedir/$name' 2>/dev/null" \
 	--mode 755 \
 	--source "${runfile:--}"
 
-echo "$RUN_PREFIX$logrun" | require="__directory/$servicedir/$name/log/main" __config_file $servicedir/$name/log/run \
+echo "$RUN_PREFIX$logrun" | require="__directory/$servicedir/$name/log/main" __config_file "$servicedir/$name/log/run" \
 	--onchange "svc -t '$servicedir/$name/log' 2>/dev/null" \
 	--mode 755 \
 	--source "-"

cdist/conf/type/__directory/gencode-remote

@@ -57,18 +57,18 @@ get_current_value() {
 }
 
 set_group() {
-    echo chgrp $recursive \"$1\" \"$destination\"
+    echo "chgrp $recursive '$1' '$destination'"
-    echo chgrp $recursive $1 >> "$__messages_out"
+    echo "chgrp $recursive '$1'" >> "$__messages_out"
 }
 
 set_owner() {
-    echo chown $recursive \"$1\" \"$destination\"
+    echo "chown $recursive '$1' '$destination'"
-    echo chown $recursive $1 >> "$__messages_out"
+    echo "chown $recursive '$1'" >> "$__messages_out"
 }
 
 set_mode() {
-    echo chmod $recursive \"$1\" \"$destination\"
+    echo "chmod $recursive '$1' '$destination'"
-    echo chmod $recursive $1 >> "$__messages_out"
+    echo "chmod $recursive '$1'" >> "$__messages_out"
 }
 
 case "$state_should" in
@@ -78,10 +78,10 @@ case "$state_should" in
          if [ "$type" != "none" ]; then
             # our destination is not a directory, remove whatever is there
             # and then create our directory and set all attributes
-            echo rm -f "\"$destination\""
+            echo "rm -f '$destination'"
             echo "remove non directory" >> "$__messages_out"
          fi
-         echo "mkdir $mkdiropt \"$destination\""
+         echo "mkdir $mkdiropt '$destination'"
          echo "create" >> "$__messages_out"
       fi
 
@@ -94,7 +94,7 @@ case "$state_should" in
 
             # change 0xxx format to xxx format => same as stat returns
             if [ "$attribute" = mode ]; then
-                value_should="$(echo $value_should | sed 's/^0\(...\)/\1/')"
+                value_should="$(echo "$value_should" | sed 's/^0\(...\)/\1/')"
             fi
 
             if [ "$set_attributes" = 1 ] || [ "$value_should" != "$value_is" ]; then
@@ -105,7 +105,7 @@ case "$state_should" in
    ;;
    absent)
         if [ "$type" = "directory" ]; then
-            echo rm -rf \"$destination\"
+            echo "rm -rf '$destination'"
             echo remove >> "$__messages_out"
         fi
    ;;

cdist/conf/type/__docker/man.rst

@@ -3,12 +3,12 @@ cdist-type__docker(7)
 
 NAME
 ----
-cdist-type__docker - install docker-engine
+cdist-type__docker - install Docker CE
 
 
 DESCRIPTION
 -----------
-Installs latest docker-engine package from dockerproject.org.
+Installs latest Docker Community Edition package.
 
 
 REQUIRED PARAMETERS
@@ -18,16 +18,13 @@ None.
 
 OPTIONAL PARAMETERS
 -------------------
-None.
+state
+   'present' or 'absent', defaults to 'present'
 
 
 BOOLEAN PARAMETERS
 ------------------
-experimental
+None.
-   Install the experimental docker-engine package instead of the latest stable release.
-
-state
-   'present' or 'absent', defaults to 'present'
 
 
 EXAMPLES
@@ -38,9 +35,6 @@ EXAMPLES
     # Install docker
     __docker
 
-    # Install experimental
-    __docker --experimental
-
     # Remove docker
     __docker --state absent
 

cdist/conf/type/__docker/manifest

@@ -24,57 +24,38 @@ state=$(cat "$__object/parameter/state")
 
 case "$os" in
     centos)
-        component="main"
+        # shellcheck source=/dev/null
-        if [ -f "$__object/parameter/experimental" ]; then
+        if (. "$__global/explorer/os_release" && [ "${VERSION_ID}" = "7" ]); then
-          component="experimental"
+          __yum_repo docker-ce-stable \
+            --name 'Docker CE Stable' \
+            --baseurl "https://download.docker.com/linux/centos/7/\$basearch/stable" \
+            --enabled \
+            --gpgcheck 1 \
+            --gpgkey 'https://download.docker.com/linux/centos/gpg' \
+            --state "${state}"
+          require="__yum_repo/docker-ce-stable" __package docker-ce --state "${state}"
+        else
+          echo "CentOS version 7 is required!" >&2
+          exit 1
         fi
-        __yum_repo docker \
-          --name 'Docker Repository' \
-          --baseurl "https://yum.dockerproject.org/repo/$component/centos/\$releasever/" \
-          --enabled \
-          --gpgcheck 1 \
-          --gpgkey 'https://yum.dockerproject.org/gpg' \
-          --state ${state} 
-        require="__yum_repo/docker" __package docker-engine --state ${state}
     ;;
-    ubuntu)
+    ubuntu|debian)
-        component="main"
+      if [ "${state}" = "present" ]; then
-      if [ -f "$__object/parameter/experimental" ]; then
+        __package apt-transport-https
-         component="experimental"
+        __package ca-certificates
+        __package gnupg2
       fi
-      __package apparmor --state ${state}
+      __apt_key_uri docker --name "Docker Release (CE deb) <docker@docker.com>" \
-      __package ca-certificates --state ${state}
+        --uri "https://download.docker.com/linux/${os}/gpg" --state "${state}"
-      __package apt-transport-https --state ${state}
-      __apt_key docker --keyid 58118E89F3A912897C070ADBF76221572C52609D --state ${state}
       export CDIST_ORDER_DEPENDENCY=on
       __apt_source docker \
-         --uri https://apt.dockerproject.org/repo \
+         --uri "https://download.docker.com/linux/${os}" \
-         --distribution "ubuntu-$(cat "$__global/explorer/lsb_codename")" \
+         --distribution "$(cat "$__global/explorer/lsb_codename")" \
-         --state ${state} \
+         --state "${state}" \
-         --component "$component"
+         --component "stable"
-      __package docker-engine --state ${state}
+      __package docker-ce --state "${state}"
       unset CDIST_ORDER_DEPENDENCY
    ;;
-   debian)
-       component="main"
-      if [ -f "$__object/parameter/experimental" ]; then
-         component="experimental"
-      fi
-
-      __package apt-transport-https --state ${state}
-      __package ca-certificates --state ${state}
-      __package gnupg2 --state ${state}
-      __apt_key docker --keyid 58118E89F3A912897C070ADBF76221572C52609D --state ${state}
-      export CDIST_ORDER_DEPENDENCY=on
-      __apt_source docker \
-          --uri https://apt.dockerproject.org/repo \
-          --distribution "debian-$(cat "$__global/explorer/lsb_codename")" \
-          --state ${state} \
-          --component "$component"
-      __package docker-engine --state ${state}
-      unset CDIST_ORDER_DEPENDENCY
-
-   ;;
    *)
       echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
       echo "Please contribute an implementation for it if you can." >&2

cdist/conf/type/__docker/parameter/boolean

@@ -1 +0,0 @@
-experimental

cdist/conf/type/__docker_compose/gencode-remote

@@ -22,10 +22,11 @@
 version="$(cat "$__object/parameter/version")"
 state="$(cat "$__object/parameter/state")"
 
-if [ ${state} = "present" ]; then
+if [ "${state}" = "present" ]; then
     # Download docker-compose file
-        echo 'curl -L "https://github.com/docker/compose/releases/download/'${version}'/docker-compose-$(uname -s)-$(uname -m)" -o /tmp/docker-compose'
+    #shellcheck disable=SC2016
-        echo 'mv /tmp/docker-compose /usr/local/bin/docker-compose'
+    echo 'curl -L "https://github.com/docker/compose/releases/download/'"${version}"'/docker-compose-$(uname -s)-$(uname -m)" -o /tmp/docker-compose'
+    echo 'mv /tmp/docker-compose /usr/local/bin/docker-compose'
     # Change permissions
     echo 'chmod +x /usr/local/bin/docker-compose'
 fi

cdist/conf/type/__docker_compose/manifest

@@ -22,10 +22,10 @@
 state="$(cat "$__object/parameter/state")"
 
 # Needed packages
-if [ ${state} = "present" ]; then
+if [ "${state}" = "present" ]; then
     __docker
     __package curl
-elif [ ${state} = "absent" ]; then
+elif [ "${state}" = "absent" ]; then
     __file /usr/local/bin/docker-compose --state absent
 else
     echo "Unknown state: ${state}" >&2

cdist/conf/type/__docker_config/explorer/config-data

@@ -1,6 +1,6 @@
 #!/bin/sh -e
 #
-# 2011 Steven Armstrong (steven-cdist at armstrong.cc)
+# 2018 Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
 #
 # This file is part of cdist.
 #
@@ -18,6 +18,5 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-# set defaults
+docker config inspect "${__object_id:?}" --format '{{json .Spec.Data}}' \
-target="$(cat "$__object/parameter/target" 2>/dev/null \
+	2>/dev/null | tr -d '"' | base64 -d
-   || echo "/target" | tee "$__object/parameter/target")"

cdist/conf/type/__docker_config/explorer/config-exists

@@ -0,0 +1,25 @@
+#!/bin/sh -e
+#
+# 2018 Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+if docker config ls | grep -q " ${__object_id:?} "; then
+	echo yes
+else
+	echo no
+fi

cdist/conf/type/__docker_config/gencode-remote

@@ -0,0 +1,69 @@
+#!/bin/sh -e
+#
+# 2018 Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+config="${__object_id:?}"
+config_exists=$(cat "${__object:?}/explorer/config-exists")
+state=$(cat "${__object:?}/parameter/state")
+
+case "${state}" in
+	absent)
+		if [ "${config_exists}" != "yes" ]; then
+			exit 0
+		fi
+
+		echo "docker config rm \"${config}\""
+	;;
+	present)
+		source=$(cat "${__object}/parameter/source")
+
+		if [ -z "${source}" ]; then
+			exit 0
+		fi
+
+		if [ "${source}" = "-" ]; then
+			source="${__object}/stdin"
+		fi
+
+		if [ "${config_exists}" = "yes" ]; then
+			if cmp -s "${source}" "${__object}/explorer/config-data"; then
+				exit 0
+			else
+				echo "docker config rm \"${config}\""
+			fi
+		fi
+
+		cat <<-EOF
+		source_file="\$(mktemp cdist.XXXXXXXXXX)"
+
+		base64 -d > "\${source_file}" << eof
+		$(base64 "${source}")
+		eof
+
+		docker config create "${config}" "\${source_file}"
+
+		rm "\${source_file}"
+		EOF
+	;;
+	*)
+		echo "Unsupported state: ${state}" >&2
+
+		exit 1
+	;;
+esac

cdist/conf/type/__docker_config/man.rst

@@ -0,0 +1,55 @@
+cdist-type__docker_config(7)
+============================
+
+NAME
+----
+
+cdist-type__docker_config - Manage Docker configs
+
+DESCRIPTION
+-----------
+
+This type manages Docker configs.
+
+OPTIONAL PARAMETERS
+-------------------
+
+source
+    Path to the source file. If it is '-' (dash), read standard input.
+
+state
+    'present' or 'absent', defaults to 'present' where:
+
+    present
+        if the config does not exist, it is created
+    absent
+        the config is removed
+
+CAVEATS
+-------
+
+Since Docker configs cannot be updated once created, this type tries removing
+and recreating the config if it changes. If the config is used by a service at
+the time of removing, then this type will fail.
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Creates "foo" config from "bar" source file
+    __docker_config foo --source bar
+
+
+AUTHORS
+-------
+
+Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
+
+COPYING
+-------
+
+Copyright \(C) 2018 Ľubomír Kučera. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__docker_config/parameter/default/state

@@ -0,0 +1 @@
+present

cdist/conf/type/__docker_config/parameter/optional

@@ -0,0 +1,2 @@
+source
+state

cdist/conf/type/__docker_secret/explorer/secret-exists

@@ -0,0 +1,25 @@
+#!/bin/sh -e
+#
+# 2018 Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+if docker secret ls | grep -q " ${__object_id:?} "; then
+	echo yes
+else
+	echo no
+fi

cdist/conf/type/__docker_secret/gencode-remote

@@ -0,0 +1,65 @@
+#!/bin/sh -e
+#
+# 2018 Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+secret="${__object_id:?}"
+secret_exists=$(cat "${__object:?}/explorer/secret-exists")
+state=$(cat "${__object:?}/parameter/state")
+
+case "${state}" in
+	absent)
+		if [ "${secret_exists}" != "yes" ]; then
+			exit 0
+		fi
+
+		echo "docker secret rm ${secret}"
+	;;
+	present)
+		if [ "${secret_exists}" = "yes" ]; then
+			exit 0
+		fi
+
+		source=$(cat "${__object}/parameter/source")
+
+		if [ -z "${source}" ]; then
+			exit 0
+		fi
+
+		if [ "${source}" = "-" ]; then
+			source="${__object}/stdin"
+		fi
+
+		cat <<-EOF
+		source_file="\$(mktemp cdist.XXXXXXXXXX)"
+
+		base64 -d > "\${source_file}" << eof
+		$(base64 "${source}")
+		eof
+
+		docker secret create "${secret}" "\${source_file}"
+
+		rm "\${source_file}"
+		EOF
+	;;
+	*)
+		echo "Unsupported state: ${state}" >&2
+
+		exit 1
+	;;
+esac

cdist/conf/type/__docker_secret/man.rst

@@ -0,0 +1,54 @@
+cdist-type__docker_secret(7)
+============================
+
+NAME
+----
+
+cdist-type__docker_secret - Manage Docker secrets
+
+DESCRIPTION
+-----------
+
+This type manages Docker secrets.
+
+OPTIONAL PARAMETERS
+-------------------
+
+source
+    Path to the source file. If it is '-' (dash), read standard input.
+
+state
+    'present' or 'absent', defaults to 'present' where:
+
+    present
+        if the secret does not exist, it is created
+    absent
+        the secret is removed
+
+CAVEATS
+-------
+
+Since Docker secrets cannot be updated once created, this type takes no action
+if the specified secret already exists.
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Creates "foo" secret from "bar" source file
+    __docker_secret foo --source bar
+
+
+AUTHORS
+-------
+
+Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
+
+COPYING
+-------
+
+Copyright \(C) 2018 Ľubomír Kučera. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__docker_secret/parameter/default/state

@@ -0,0 +1 @@
+present

cdist/conf/type/__docker_secret/parameter/optional

@@ -0,0 +1,2 @@
+source
+state

cdist/conf/type/__docker_stack/explorer/stack-exists

@@ -0,0 +1,25 @@
+#!/bin/sh -e
+#
+# 2018 Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+if docker stack ls | grep -q "^${__object_id:?} "; then
+	echo 1
+else
+	echo 0
+fi

cdist/conf/type/__docker_stack/gencode-remote

@@ -0,0 +1,63 @@
+#!/bin/sh -e
+#
+# 2018 Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+stack="${__object_id:?}"
+state=$(cat "${__object:?}/parameter/state")
+
+case "${state}" in
+	absent)
+		stack_exists=$(cat "${__object:?}/explorer/stack-exists")
+
+		if [ "${stack_exists}" -ne 1 ]; then
+			exit 0
+		fi
+
+		echo "docker stack rm ${stack}"
+	;;
+	present)
+		compose_file=$(cat "${__object}/parameter/compose-file")
+
+		if [ -z "${compose_file}" ]; then
+			exit 0
+		fi
+
+		if [ "${compose_file}" = "-" ]; then
+			compose_file="${__object}/stdin"
+		fi
+
+		cat <<-EOF
+		compose_file="\$(mktemp cdist.XXXXXXXXXX)"
+
+		base64 -d > "\${compose_file}" << eof
+		$(base64 "${compose_file}")
+		eof
+
+		docker stack deploy --compose-file "\${compose_file}" \
+			--prune --with-registry-auth ${stack}
+
+		rm "\${compose_file}"
+		EOF
+	;;
+	*)
+		echo "Unsupported state: ${state}" >&2
+
+		exit 1
+	;;
+esac

cdist/conf/type/__docker_stack/man.rst

@@ -0,0 +1,54 @@
+cdist-type__docker_stack(7)
+===========================
+
+NAME
+----
+
+cdist-type__docker_stack - Manage Docker stacks
+
+DESCRIPTION
+-----------
+
+This type manages service stacks.
+
+.. note::
+    Since there is no easy way to tell whether a stack needs to be updated,
+    `docker stack deploy` is being run every time this type is invoked.
+    However, it does not mean this type is not idempotent. If Docker does not
+    detect changes, the existing stack will not be updated.
+
+OPTIONAL PARAMETERS
+-------------------
+
+compose-file
+    Path to the compose file. If it is '-' (dash), read standard input.
+
+state
+    'present' or 'absent', defaults to 'present' where:
+
+    present
+        the stack is deployed
+    absent
+        the stack is removed
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Deploys 'foo' stack defined in 'docker-compose.yml' compose file
+    __docker_stack foo --compose-file docker-compose.yml
+
+
+AUTHORS
+-------
+
+Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
+
+COPYING
+-------
+
+Copyright \(C) 2018 Ľubomír Kučera. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__docker_stack/parameter/default/state

@@ -0,0 +1 @@
+present

cdist/conf/type/__docker_stack/parameter/optional

@@ -0,0 +1,2 @@
+compose-file
+state

cdist/conf/type/__docker_swarm/explorer/swarm-state

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+#
+# 2018 Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+docker info 2>/dev/null | grep "^Swarm: " | cut -d " " -f 2-

cdist/conf/type/__docker_swarm/gencode-remote

@@ -0,0 +1,46 @@
+#!/bin/sh -e
+#
+# 2018 Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+state=$(cat "${__object:?}/parameter/state")
+swarm_state="$(cat "${__object}/explorer/swarm-state")"
+
+if [ -z "${swarm_state}" ]; then
+    echo "Unable to determine Swarm state. Is compatible version of Docker installed?" >&2
+
+    exit 1
+fi
+
+case "${state}" in
+    absent)
+        if [ "${swarm_state}" = "active" ]; then
+            echo "docker swarm leave --force"
+        fi
+    ;;
+    present)
+        if [ "${swarm_state}" = "inactive" ]; then
+            echo "docker swarm init"
+        fi
+    ;;
+    *)
+        echo "Unsupported state: ${state}" >&2
+
+        exit 1
+    ;;
+esac

cdist/conf/type/__docker_swarm/man.rst

@@ -0,0 +1,49 @@
+cdist-type__docker_swarm(7)
+===========================
+
+NAME
+----
+
+cdist-type__docker_swarm - Manage Swarm
+
+DESCRIPTION
+-----------
+
+This type can initialize Docker swarm mode. For more information about swarm
+mode, see `Swarm mode overview <https://docs.docker.com/engine/swarm/>`_.
+
+OPTIONAL PARAMETERS
+-------------------
+
+state
+    'present' or 'absent', defaults to 'present' where:
+
+    present
+        Swarm is initialized
+    absent
+        Swarm is left
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Initializes a swarm
+    __docker_swarm
+
+    # Leaves a swarm
+    __docker_swarm --state absent
+
+
+AUTHORS
+-------
+
+Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
+
+COPYING
+-------
+
+Copyright \(C) 2018 Ľubomír Kučera. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__docker_swarm/parameter/default/state

@@ -0,0 +1 @@
+present

cdist/conf/type/__docker_swarm/parameter/optional

@@ -0,0 +1 @@
+state

cdist/conf/type/__dot_file/explorer/home

@@ -19,7 +19,7 @@ set -eu
 
 user="$(cat "${__object}/parameter/user")"
 
-if which getent >/dev/null 2>&1; then
+if command -v getent >/dev/null 2>&1; then
 	line=$(getent passwd "${user}")
 else
 	line=$(grep "^${user}:" /etc/passwd)

cdist/conf/type/__file/gencode-local

@@ -23,7 +23,7 @@ destination="/$__object_id"
 state_should="$(cat "$__object/parameter/state")"
 type="$(cat "$__object/explorer/type")"
 
-[ "$state_should" = "exists" -a "$type" = "file" ] && exit 0 # nothing to do
+[ "$state_should" = "exists" ] && [ "$type" = "file" ] && exit 0 # nothing to do
 
 if [ "$state_should" = "pre-exists" ]; then
    if [ -f "$__object/parameter/source" ]; then
@@ -41,7 +41,7 @@ fi
 
 upload_file=
 create_file=
-if [ "$state_should" = "present" -o "$state_should" = "exists" ]; then
+if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
    if [ ! -f "$__object/parameter/source" ]; then
       remote_stat="$(cat "$__object/explorer/stat")"
       if [ -z "$remote_stat" ]; then
@@ -70,7 +70,7 @@ if [ "$state_should" = "present" -o "$state_should" = "exists" ]; then
          fi
       fi
    fi
-   if [ "$create_file" -o "$upload_file" ]; then
+   if [ "$create_file" ] || [ "$upload_file" ]; then
       # tell gencode-remote that we created or uploaded a file and that it must
       # set all attributes no matter what the explorer retreived
       mkdir "$__object/files"
@@ -84,7 +84,7 @@ DONE
       if [ "$upload_file" ]; then
          echo upload >> "$__messages_out"
          # IPv6 fix
-         if $(echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$')
+         if echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$'
          then
              my_target_host="[${__target_host}]"
          else

cdist/conf/type/__file/gencode-remote

@@ -43,21 +43,20 @@ get_current_value() {
 }
 
 set_group() {
-    echo chgrp \"$1\" \"$destination\"
+    echo "chgrp '$1' '$destination'"
-    echo chgrp $1 >> "$__messages_out"
+    echo "chgrp '$1'" >> "$__messages_out"
 }
 
 set_owner() {
-    echo chown \"$1\" \"$destination\"
+    echo "chown '$1' '$destination'"
-    echo chown $1 >> "$__messages_out"
+    echo "chown '$1'" >> "$__messages_out"
 }
 
 set_mode() {
-   echo chmod \"$1\" \"$destination\"
+   echo "chmod '$1' '$destination'"
-   echo chmod $1 >> "$__messages_out"
+   echo "chmod '$1'" >> "$__messages_out"
 }
 
-set_attributes=
 case "$state_should" in
     present|exists|pre-exists)
     # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
@@ -68,11 +67,11 @@ case "$state_should" in
 
             # change 0xxx format to xxx format => same as stat returns
             if [ "$attribute" = mode ]; then
-                value_should="$(echo $value_should | sed 's/^0\(...\)/\1/')"
+                value_should="$(echo "$value_should" | sed 's/^0\(...\)/\1/')"
             fi
             
             value_is="$(get_current_value "$attribute" "$value_should")"
-            if [ -f "$__object/files/set-attributes" -o "$value_should" != "$value_is" ]; then
+            if [ -f "$__object/files/set-attributes" ] || [ "$value_should" != "$value_is" ]; then
                 "set_$attribute" "$value_should"
             fi
         fi
@@ -82,7 +81,7 @@ case "$state_should" in
 
     absent)
         if [ "$type" = "file" ]; then
-            echo rm -f \"$destination\"
+            echo "rm -f '$destination'"
             echo remove >> "$__messages_out"
         fi
     ;;

cdist/conf/type/__firewalld_rule/explorer/rule

@@ -25,7 +25,7 @@ chain="$(cat "$__object/parameter/chain")"
 priority="$(cat "$__object/parameter/priority")"
 rule="$(cat "$__object/parameter/rule")"
 
-if firewall-cmd --permanent --direct --query-rule "$protocol" "$table" "$chain" "$priority" $rule >/dev/null; then
+if firewall-cmd --permanent --direct --query-rule "$protocol" "$table" "$chain" "$priority" "$rule" >/dev/null; then
     echo present
 else
     echo absent

cdist/conf/type/__firewalld_rule/gencode-remote

@@ -19,7 +19,6 @@
 #
 #
 
-name="$__object_id"
 state_should="$(cat "$__object/parameter/state")"
 state_is="$(cat "$__object/explorer/rule")"
 
@@ -33,13 +32,13 @@ rule="$(cat "$__object/parameter/rule")"
 
 case "$state_should" in
     present)
-        echo firewall-cmd --quiet --permanent --direct --add-rule \"$protocol\" \"$table\" \"$chain\" \"$priority\" $rule
+        echo "firewall-cmd --quiet --permanent --direct --add-rule '$protocol' '$table' '$chain' '$priority' $rule"
-        echo firewall-cmd --quiet --direct --add-rule \"$protocol\" \"$table\" \"$chain\" \"$priority\" $rule
+        echo "firewall-cmd --quiet --direct --add-rule '$protocol' '$table' '$chain' '$priority' $rule"
     ;;
 
     absent)
-        echo firewall-cmd --quiet --permanent --direct --remove-rule \"$protocol\" \"$table\" \"$chain\" \"$priority\" $rule
+        echo "firewall-cmd --quiet --permanent --direct --remove-rule '$protocol' '$table' '$chain' '$priority' $rule"
-        echo firewall-cmd --quiet --direct --remove-rule \"$protocol\" \"$table\" \"$chain\" \"$priority\" $rule
+        echo "firewall-cmd --quiet --direct --remove-rule '$protocol' '$table' '$chain' '$priority' $rule"
     ;;
     *)
         echo "Unknown state $state_should" >&2

cdist/conf/type/__git/explorer/group

@@ -2,4 +2,4 @@
 
 destination="/$__object_id/.git"
 
-stat --print "%G" ${destination} 2>/dev/null || exit 0
+stat --print "%G" "${destination}" 2>/dev/null || exit 0

cdist/conf/type/__git/explorer/owner

@@ -2,4 +2,4 @@
 
 destination="/$__object_id/.git"
 
-stat --print "%U" ${destination} 2>/dev/null || exit 0
+stat --print "%U" "${destination}" 2>/dev/null || exit 0

cdist/conf/type/__git/gencode-remote

@@ -35,10 +35,10 @@ owner="$(cat "$__object/parameter/owner")"
 group="$(cat "$__object/parameter/group")"
 mode="$(cat "$__object/parameter/mode")"
 
-[  "$state_should" = "$state_is" -a \
+[  "$state_should" = "$state_is" ] && \
-   "$owner" = "$owner_is" -a \
+[  "$owner" = "$owner_is" ] && \
-   "$group" = "$group_is" -a \
+[  "$group" = "$group_is" ] && \
-   -n "$mode" ] && exit 0
+[  -n "$mode" ] && exit 0
 
 case $state_should in
     present)
@@ -46,8 +46,8 @@ case $state_should in
         if [ "$state_should" != "$state_is" ]; then
             echo git clone --quiet --branch "$branch" "$source" "$destination"
         fi
-        if [ \( -n "$owner" -a "$owner_is" != "$owner" \) -o \
+        if { [ -n "$owner" ] && [ "$owner_is" != "$owner" ]; } || \
-             \( -n "$group" -a "$group_is" != "$group" \) ]; then
+           { [ -n "$group" ] && [ "$group_is" != "$group" ]; }; then
             echo chown -R "${owner}:${group}" "$destination"
         fi
         if [ -n "$mode" ]; then

cdist/conf/type/__go_get/explorer/go-executable

@@ -1,3 +1,6 @@
+#!/bin/sh
+# shellcheck disable=SC1091
 [ -f /etc/environment ] && . /etc/environment
+# shellcheck disable=SC1091
 [ -f /etc/profile     ] && . /etc/profile
 go version 2>/dev/null || true

cdist/conf/type/__golang_from_vendor/gencode-remote

@@ -2,7 +2,7 @@
 
 version=$(cat "$__object/parameter/version")
 
-kernel_name=$(cat "$__global/explorer/kernel_name" | tr '[:upper:]' '[:lower:]')
+kernel_name=$(tr '[:upper:]' '[:lower:]' < "$__global/explorer/kernel_name")
 machine=$(cat "$__global/explorer/machine")
 case $machine in
 	x86_64|amd64)

cdist/conf/type/__golang_from_vendor/manifest

@@ -1,3 +1,4 @@
 #!/bin/sh -e
 
+# shellcheck disable=SC2016
 __line go_in_path --line 'export PATH=/usr/local/go/bin:$PATH' --file /etc/profile

cdist/conf/type/__grafana_dashboard/manifest

@@ -1,50 +1,41 @@
 #!/bin/sh -e
 
-os=$(cat $__global/explorer/os)
+os=$(cat "$__global/explorer/os")
-os_version=$(cat $__global/explorer/os_version)
+os_version=$(cat "$__global/explorer/os_version")
 
+require=""
 case $os in
     debian|devuan)
         case $os_version in
             8*|jessie)
-                __apt_key_uri grafana \
+                apt_source_distribution=jessie
-                   --name 'Grafana Release Signing Key' \
-                   --uri https://packagecloud.io/gpg.key
-
-                require="__apt_key_uri/grafana" __apt_source grafana \
-                   --uri https://packagecloud.io/grafana/stable/debian/ \
-                   --distribution jessie \
-                   --component main
-
-                __package apt-transport-https
-
-                require="__apt_source/grafana __package/apt-transport-https" __package grafana
-                require="__package/grafana" __start_on_boot grafana-server
                 ;;
-            9*|ascii/ceres)
+            9*|ascii/ceres|ascii)
-                __apt_key_uri grafana \
+                apt_source_distribution=stretch
-                   --name 'Grafana Release Signing Key' \
-                   --uri https://packagecloud.io/gpg.key
-
-                require="__apt_key_uri/grafana" __apt_source grafana \
-                   --uri https://packagecloud.io/grafana/stable/debian/ \
-                   --distribution stretch \
-                   --component main
-
-                __package apt-transport-https
-
-                require="__apt_source/grafana __package/apt-transport-https" __package grafana
-                require="__package/grafana" __start_on_boot grafana-server
                 ;;
-
             *)
-                echo "Don't know how to install Grafana on $os $os_version. Send us a pull request!"
+                echo "Don't know how to install Grafana on $os $os_version. Send us a pull request!" >&2
                 exit 1
-            ;;
+                ;;
         esac
-    ;;
+
+        __apt_key_uri grafana \
+            --name 'Grafana Release Signing Key' \
+            --uri https://packagecloud.io/gpg.key
+
+        require="$require __apt_key_uri/grafana" __apt_source grafana \
+                    --uri https://packagecloud.io/grafana/stable/debian/ \
+                    --distribution $apt_source_distribution \
+                    --component main
+
+        __package apt-transport-https
+
+        require="$require __apt_source/grafana __package/apt-transport-https" __package grafana
+        require="$require __package/grafana" __start_on_boot grafana-server
+        require="$require __start_on_boot/grafana-server" __process grafana-server --start "service grafana-server start"
+        ;;
     *)
-        echo "Don't know how to install Grafana on $os. Send us a pull request!"
+        echo "Don't know how to install Grafana on $os. Send us a pull request!" >&2
         exit 1
-    ;;
+        ;;
 esac

cdist/conf/type/__group/explorer/gshadow

@@ -22,7 +22,7 @@
 #
 
 name=$__object_id
-os="$($__explorer/os)"
+os="$("$__explorer/os")"
 
 case "$os" in
     "freebsd"|"netbsd")

cdist/conf/type/__group/gencode-remote

@@ -30,9 +30,9 @@ state="$(cat "$__object/parameter/state")"
 # Use short option names for portability
 shorten_property() {
    case "$1" in
-      gid) echo "-g";;
+      gid) echo -- "-g";;
-      password) echo "-p";;
+      password) echo -- "-p";;
-      system) echo "-r";;
+      system) echo -- "-r";;
    esac
 }
 
@@ -40,11 +40,9 @@ shorten_property() {
 if [ "$state" = "present" ]; then
    case "$os" in
       freebsd)
-         supported_add_properties="gid"
          supported_change_properties="gid"
       ;;
       *)
-         supported_add_properties="gid password system"
          supported_change_properties="gid password"
       ;;
    esac
@@ -63,8 +61,8 @@ if [ "$state" = "present" ]; then
                ;;
             esac
             if [ "$new_value" != "$current_value" ]; then
-               set -- "$@" "$(shorten_property $property)" \'$new_value\'
+               set -- "$@" "$(shorten_property "$property")" \'"$new_value"\'
-               echo change $property $new_value $current_value >> "$__messages_out"
+               echo "change $property $new_value $current_value" >> "$__messages_out"
             fi
          fi
       done
@@ -83,9 +81,9 @@ if [ "$state" = "present" ]; then
             new_value="$(cat "$__object/parameter/$property")"
             if [ -z "$new_value" ]; then
                # Boolean parameters have no value
-               set -- "$@" "$(shorten_property $property)"
+               set -- "$@" "$(shorten_property "$property")"
             else
-               set -- "$@" "$(shorten_property $property)" \'$new_value\'
+               set -- "$@" "$(shorten_property "$property")" \'"$new_value"\'
             fi
          fi
       done

cdist/conf/type/__hostname/gencode-remote

@@ -22,7 +22,7 @@
 if [ -f "$__object/parameter/name" ]; then
     name_should="$(cat "$__object/parameter/name")"
 else
-    name_should="$(echo "${__target_host%%.*}")"
+    name_should="${__target_host%%.*}"
 fi
 
 os=$(cat "$__global/explorer/os")
@@ -36,12 +36,12 @@ has_hostnamectl=$(cat "$__object/explorer/has_hostnamectl")
 #
 case "$os" in
     archlinux|debian|suse|ubuntu|devuan|coreos)
-        if [ "$name_config" = "$name_should" -a "$name_running" = "$name_should" ]; then
+        if [ "$name_config" = "$name_should" ] && [ "$name_running" = "$name_should" ]; then
             exit 0
         fi
     ;;
-    scientific|centos|openbsd)
+    scientific|centos|freebsd|openbsd)
-        if [ "$name_sysconfig" = "$name_should" -a "$name_running" = "$name_should" ]; then
+        if [ "$name_sysconfig" = "$name_should" ] && [ "$name_running" = "$name_should" ]; then
             exit 0
         fi
     ;;
@@ -59,15 +59,15 @@ echo changed >> "$__messages_out"
 # Use the good old way to set the hostname even on machines running systemd.
 case "$os" in
     archlinux|debian|ubuntu|devuan|centos|coreos)
-        echo "printf '%s\n' '$name_should' > /etc/hostname"
+        printf "printf '%s\\n' '$name_should' > /etc/hostname\\n"
         echo "hostname -F /etc/hostname"
     ;;
-    openbsd)
+    freebsd|openbsd)
         echo "hostname '$name_should'"
     ;;
     suse)
         echo "hostname '$name_should'"
-        echo "printf '%s\n' '$name_should' > /etc/HOSTNAME"
+        printf "printf '%s\\n' '$name_should' > /etc/HOSTNAME\\n"
     ;;
 esac
 

cdist/conf/type/__hostname/manifest

@@ -25,10 +25,10 @@ if [ -f "$__object/parameter/name" ]; then
 else
     case "$os" in
     openbsd)
-        name_should="$(echo "${__target_host}")"
+        name_should="${__target_host}"
     ;;
     *)
-        name_should="$(echo "${__target_host%%.*}")"
+        name_should="${__target_host%%.*}"
     ;;
     esac
 fi
@@ -52,6 +52,13 @@ case "$os" in
             --key HOSTNAME \
             --value "$name_should" --exact_delimiter
     ;;
+    freebsd)
+        __key_value rcconf-hostname \
+            --file /etc/rc.conf \
+            --delimiter '=' \
+            --key 'hostname' \
+            --value "$name_should"
+    ;;
     openbsd)
         echo "$name_should" | __file /etc/myname --source -
     ;;

cdist/conf/type/__install_bootloader_grub/gencode-remote

@@ -28,7 +28,7 @@ install_script="$__object/files/install_script"
 # Link file descriptor #6 with stdout
 exec 6>&1
 # Link stdout with $install_script
-exec > $install_script
+exec > "$install_script"
 
 # Generate script to install bootloader on distro
 printf '#!/bin/sh -l\n'