__opendkim: fix start_on_boot on FreeBSD

There was a bit of an oddity with this, it is implemented in a way
that should not be an issue for other systems.

Reviewed at:	ungleich-public/cdist-contrib#31

type/__bird_radv/man.rst

@@ -26,6 +26,18 @@ OPTIONAL PARAMETERS
 mtu
   An optional MTU setting to include in the router advertisements.
 
+default-preference
+  This option specifies the Default Router Preference value to advertise to
+  hosts. Default: medium.
+
+route-preference
+  This option specifies the default value of advertised route preference for
+  specific routes. Default: medium.
+
+default-lifetime
+  This option specifies the time (in seconds) how long (since the receipt of RA)
+  hosts may use the router as a default router. 0 means do not use as a default
+  router. Default: 3.
 
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------

type/__bird_radv/manifest

@@ -58,27 +58,48 @@ fi
 MTU=
 if [ -f "${__object:?}/parameter/mtu" ];
 then
-	MTU="link mtu $(cat "${__object:?}/parameter/mtu")"
+	MTU="link mtu $(cat "${__object:?}/parameter/mtu");"
+fi
+
+DEFAULT_PREFERENCE=
+if [ -f "${__object:?}/parameter/default-preference" ];
+then
+	DEFAULT_PREFERENCE="default preference $(cat "${__object:?}/parameter/default-preference");"
+fi
+
+ROUTE_PREFERENCE=
+if [ -f "${__object:?}/parameter/route-preference" ];
+then
+	ROUTE_PREFERENCE="route preference $(cat "${__object:?}/parameter/route-preference");"
+fi
+
+DEFAULT_LIFETIME=
+if [ -f "${__object:?}/parameter/default-lifetime" ];
+then
+	DEFAULT_LIFETIME="default lifetime $(cat "${__object:?}/parameter/default-lifetime");"
 fi
 
 __file "${confdir:?}/radv-${__object_id:?}.conf" \
 	--mode 0640 --owner root --group bird \
 	--source - << EOF
-ipv6 table radv_routes;
+ipv6 table radv_routes_${__object_id};
 
 protocol static {
 	description "Routes advertised via RAs";
-	ipv6 { table radv_routes; };
+	ipv6 { table radv_routes_${__object_id}; };
 
 $(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
 }
 
 protocol radv ${__object_id:?} {
 	propagate routes ${have_routes:?};
-	ipv6 { table radv_routes; export all; };
+	ipv6 { table radv_routes_${__object_id}; export all; };
 
 	interface "$(cat "${__object:?}/parameter/interface")" {
 	$MTU
+	$DEFAULT_LIFETIME
+	$DEFAULT_PREFERENCE
+	$ROUTE_PREFERENCE
 	};
 
 $RDNS

type/__bird_radv/parameter/optional

@@ -1 +1,4 @@
 mtu
+default-preference
+route-preference
+default-lifetime

type/__jitsi_meet/explorer/jicofo-authpassword

@@ -0,0 +1,26 @@
+#!/bin/sh -eu
+
+JICOFO_AUTHPASSWORD=""
+# We need this to properly configure jicofo
+
+# Default to reading debconf
+DEBCONF_PASS_FILE="/var/cache/debconf/passwords.dat"
+if [ -f "${DEBCONF_PASS_FILE}" ]; then
+	JICOFO_AUTHPASSWORD="$(grep -A1 'Template: jicofo/jicofo-authpassword' "${DEBCONF_PASS_FILE}" | tail -n 1 | cut -d ' ' -f 2-)"
+fi
+
+# Try jicofo.conf if necessary
+JICOFO_CONF_FILE="/etc/jitsi/jicofo/jicofo.conf"
+if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONF_FILE}" ]; then
+	JICOFO_AUTHPASSWORD="$(grep -E '^[[:space:]]*password:' "${JICOFO_CONF_FILE}" | sed -E 's!^[^:]*:[[:space:]]*"(.*)"$!\1!')"
+fi
+
+# And fallback to config file if necessary
+JICOFO_CONFIG_FILE="/etc/jitsi/jicofo/config"
+if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONFIG_FILE}" ]; then
+	JICOFO_AUTHPASSWORD="$(grep -E '^JICOFO_AUTH_PASSWORD=' "${JICOFO_CONFIG_FILE}" | cut -d '=' -f 2-)"
+fi
+
+# If we didn't find it, this is likely a new installation and we'll generate
+# the password on the manifest
+echo "${JICOFO_AUTHPASSWORD:-}"

type/__jitsi_meet/explorer/jitsi-status

@@ -0,0 +1,6 @@
+#!/bin/sh -eu
+
+if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
+	# TODO: detect curl / depend on it?
+	curl -s localhost:9888/metrics
+fi

type/__jitsi_meet/files/debconf_settings.sh

@@ -5,9 +5,6 @@
 if false; then
 	# We are currently not using these, just here as documentation
 	DEBCONF_SETTINGS="$(cat <<EOF
-# Jicofo user password:
-jicofo	jicofo/jicofo-authpassword	password	STH
-jitsi-meet-prosody	jicofo/jicofo-authpassword	password	STH
 # The secret used to connect to xmpp server as component
 jitsi-meet-prosody	jitsi-videobridge/jvbsecret	password	STH
 jitsi-videobridge	jitsi-videobridge/jvbsecret	password	STH
@@ -40,6 +37,9 @@ jitsi-videobridge	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
 jitsi-videobridge2	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
 # The hostname of the current installation:
 jitsi-meet-prosody	jitsi-meet-prosody/jvb-hostname string	${JITSI_HOST}
+# Jicofo user password:
+jicofo	jicofo/jicofo-authpassword	password	${JICOFO_AUTHPASSWORD}
+jitsi-meet-prosody	jicofo/jicofo-authpassword	password	${JICOFO_AUTHPASSWORD}
 # SSL certificate for the Jitsi Meet instance
 # Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
 jitsi-meet-web-config	jitsi-meet/cert-choice	select	Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)

type/__jitsi_meet/files/jicofo.conf.sh

@@ -10,6 +10,10 @@ jicofo {
   xmpp: {
     client: {
       client-proxy: focus.${JITSI_HOST:?}
+      xmpp-domain: "${JITSI_HOST:?}"
+      domain: "auth.${JITSI_HOST:?}"
+      username: "focus"
+      password: "${JICOFO_AUTHPASSWORD:?}"
     }
     trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
   }

type/__jitsi_meet/man.rst

@@ -21,10 +21,10 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up
 the web frontend (including TLS certificates) and its settings.
 
 You may want to use the `files/ufw` example manifest for a `__ufw`-based
-firewall compatible with this type.
-This file does not include rules for TCP port 9888, which exposes the
-prometheus exporter if not disabled.
-You should apply your own rules here.
+firewall compatible with this type that allows all ports needed by Jitsi-Meet.
+Note however that this will not deal with rules for SSH or for TCP port 9888,
+which exposes the prometheus exporter if not disabled.
+Remember to apply your own rules here, particularly regarding SSH.
 
 This type only works on De{bi,vu}an systems.
 
@@ -47,6 +47,14 @@ NOTE: This type currently does not deal with setting up coturn.
 
 OPTIONAL PARAMETERS
 -------------------
+abort-conference-count
+    Only has an effect if the prometheus exporter is enabled and if it is not
+    empty (default).
+    If at least this many conferences are active on the server, the type will
+    bail out before making any changes.
+    This is useful if you want to avoid service disruptions due to e.g. an SLA.
+
+
 turn-secret
     The shared secret for the TURN server.
 
@@ -76,9 +84,11 @@ EXAMPLES
 
 .. code-block:: sh
 
-    # Setup the firewall
+    # Setup the firewall for Jitsi-Meet
     . "${__global}/type/__jitsi_meet/files/ufw"
     export require="__ufw"
+    # Setup firewall SSH rules as necessary
+    __ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
     # Setup Jitsi on this host
     __jitsi_meet \
       --turn-server "turn.exo.cat" \

type/__jitsi_meet/manifest

@@ -10,6 +10,28 @@ case "${os}" in
 	;;
 esac
 
+current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
+
+JICOFO_AUTHPASSWORD="$(cat "${__object}/explorer/jicofo-authpassword")"
+if [ -z "${JICOFO_AUTHPASSWORD}" ]; then
+	# This is probably a first time installation, we'll generate the
+	# password which will be set in debconf by this type
+	# https://github.com/jitsi/jicofo/blob/aafb61b5363a1c4abdbf08e1444a6276b807993e/debian/postinst#L43
+	JICOFO_AUTHPASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)"
+fi
+
+ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
+
+if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
+	[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
+	cat <<-EOF
+Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
+There are currently ${current_conferences} active conferences.
+
+Try again at a later time or remove or increase --abort-conference-count
+	EOF
+	exit 1
+fi
 
 JITSI_HOST="${__target_host}"
 if [ -f "${__object}/parameter/jitsi-version" ]; then
@@ -127,8 +149,9 @@ require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-ava
 server_names_hash_bucket_size 64;
 
 types {
-# nginx's default mime.types doesn't include a mapping for wasm
+# nginx's default mime.types doesn't include a mapping for wasm or wav.
     application/wasm     wasm;
+    audio/wav            wav;
 }
 
 server {
@@ -172,6 +195,15 @@ upstream jvb1 {
     keepalive 2;
 }
 EOF
+require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jicofo.conf" \
+  --mode 644 \
+  --source - << EOF
+upstream jicofo {
+    zone upstreams 64K;
+    server 127.0.0.1:8888;
+    keepalive 2;
+}
+EOF
 
 if [ -f "${__object}/parameter/secured-domains" ]; then
   SECURED_DOMAINS_STATE='present'
@@ -197,6 +229,7 @@ __file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
 
 export SECURED_DOMAINS_STATE
 export JITSI_HOST
+export JICOFO_AUTHPASSWORD
 "${__type}/files/jicofo.conf.sh" | \
 	__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
 
@@ -221,6 +254,9 @@ videobridge {
             enabled = true
         }
     }
+    cc {
+        trust-bwe = false
+    }
 }
 EOFJVB
 
@@ -232,15 +268,15 @@ __file "/usr/share/jitsi-meet/body.html" \
 EOF
 
 # These two should be changed on new release
-EXPORTER_VERSION="1.2.0"
-EXPORTER_CHECKSUM="sha256:6377ffa7be0c7deb66545616add7245da96f8b7746d6712f41cfa9fe72c935ce"
+EXPORTER_VERSION="1.2.1"
+EXPORTER_CHECKSUM="sha256:46d4b8475b72fd7632a5203f1cc3c7067bed4629902b7780a1da85e4e06c2129"
 EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
 if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
 	EXPORTER_STATE="absent"
 else
 	EXPORTER_STATE="present"
 fi
-__evilham_single_binary_service prometheus-jitsi-meet-exporter \
+__single_binary_service prometheus-jitsi-meet-exporter \
 	--state "${EXPORTER_STATE}" \
 	--do-not-manage-user \
 	--user "nobody" \

type/__jitsi_meet/parameter/optional

@@ -1,3 +1,4 @@
+abort-conference-count
 jitsi-version
 turn-secret
 turn-server

type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh

@@ -7,7 +7,7 @@
 
 # We could automate this, but are using it as an indicator for the
 # latest branch with which we conciliated changes.
-BRANCH="jitsi-meet_7210"
+BRANCH="jitsi-meet_9457"
 REPO="https://github.com/jitsi/jitsi-meet"
 
 get_url() {

type/__jitsi_meet_domain/files/interface_config.js.sh

@@ -38,7 +38,6 @@ var interfaceConfig = {
     CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
 
     DEFAULT_BACKGROUND: '#040404',
-    DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
     DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
 
     DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
@@ -82,17 +81,13 @@ var interfaceConfig = {
 
     ENABLE_DIAL_OUT: true,
 
-    ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
+    // DEPRECATED. Animation no longer supported.
+    // ENABLE_FEEDBACK_ANIMATION: false,
 
     FILM_STRIP_MAX_HEIGHT: 120,
 
     GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
 
-    /**
-     * Hide the logo on the deep linking pages.
-     */
-    HIDE_DEEP_LINKING_LOGO: false,
-
     /**
      * Hide the invite prompt in the header when alone in the meeting.
      */
@@ -101,7 +96,6 @@ var interfaceConfig = {
     JITSI_WATERMARK_LINK: 'https://jitsi.org',
 
     LANG_DETECTION: true, // Allow i18n to detect the system language
-    LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
     LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
 
     /**
@@ -121,28 +115,11 @@ var interfaceConfig = {
      */
     MOBILE_APP_PROMO: true,
 
-    /**
-     * Specify custom URL for downloading android mobile app.
-     */
-    MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
-
-    /**
-     * Specify custom URL for downloading f droid app.
-     */
-    MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
-
-    /**
-     * Specify URL for downloading ios mobile app.
-     */
-    MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
-
-    NATIVE_APP_NAME: 'Jitsi Meet',
-
     // Names of browsers which should show a warning stating the current browser
     // has a suboptimal experience. Browsers which are not listed as optimal or
     // unsupported are considered suboptimal. Valid values are:
-    // chrome, chromium, edge, electron, firefox, nwjs, opera, safari
-    OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
+    // chrome, chromium, electron, firefox , safari, webkit
+    OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ],
 
     POLICY_LOGO: null,
     PROVIDER_NAME: 'Jitsi',
@@ -155,7 +132,7 @@ var interfaceConfig = {
     RECENT_LIST_ENABLED: true,
     REMOTE_THUMBNAIL_RATIO: 1, // 1:1
 
-    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
 
     /**
      * Specify which sharing features should be displayed. If the value is not set
@@ -172,7 +149,6 @@ var interfaceConfig = {
      */
     SHOW_CHROME_EXTENSION_BANNER: false,
 
-    SHOW_DEEP_LINKING_IMAGE: false,
     SHOW_JITSI_WATERMARK: true,
     SHOW_POWERED_BY: false,
     SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@@ -213,6 +189,31 @@ var interfaceConfig = {
      */
     // TILE_VIEW_MAX_COLUMNS: 5,
 
+    // List of undocumented settings
+    /**
+     INDICATOR_FONT_SIZES
+     PHONE_NUMBER_REGEX
+    */
+
+    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+
+    /**
+     * Specify URL for downloading ios mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
+
+    /**
+     * Specify custom URL for downloading android mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
+
+    /**
+     * Specify mobile app scheme for opening the app from the mobile browser.
+     */
+    // APP_SCHEME: 'org.jitsi.meet',
+
+    // NATIVE_APP_NAME: 'Jitsi Meet',
+
     /**
      * Specify Firebase dynamic link properties for the mobile apps.
      */
@@ -225,22 +226,19 @@ var interfaceConfig = {
     // },
 
     /**
-     * Specify mobile app scheme for opening the app from the mobile browser.
+     * Hide the logo on the deep linking pages.
      */
-    // APP_SCHEME: 'org.jitsi.meet',
+    // HIDE_DEEP_LINKING_LOGO: false,
 
     /**
      * Specify the Android app package name.
      */
     // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
 
-    // List of undocumented settings
     /**
-     INDICATOR_FONT_SIZES
-     PHONE_NUMBER_REGEX
-    */
-
-    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+     * Specify custom URL for downloading f droid app.
+     */
+    // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
 
     // Connection indicators (
     // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
@@ -253,12 +251,19 @@ var interfaceConfig = {
     // Please use defaultLocalDisplayName from config.js
     // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
 
+    // Please use defaultLogoUrl from config.js
+    DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
+
     // Please use defaultRemoteDisplayName from config.js
     // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
 
     // Moved to config.js as \`toolbarConfig.initialTimeout\`.
     // INITIAL_TOOLBAR_TIMEOUT: 20000,
 
+    // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
+    // Documentation reference for the live streaming feature.
+    // LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
+
     // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
     // TOOLBAR_ALWAYS_VISIBLE: false,
 

type/__jitsi_meet_domain/files/interface_config.js.sh.orig

@@ -27,7 +27,6 @@ var interfaceConfig = {
     CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
 
     DEFAULT_BACKGROUND: '#040404',
-    DEFAULT_LOGO_URL: 'images/watermark.svg',
     DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
 
     DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
@@ -71,17 +70,13 @@ var interfaceConfig = {
 
     ENABLE_DIAL_OUT: true,
 
-    ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
+    // DEPRECATED. Animation no longer supported.
+    // ENABLE_FEEDBACK_ANIMATION: false,
 
     FILM_STRIP_MAX_HEIGHT: 120,
 
     GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
 
-    /**
-     * Hide the logo on the deep linking pages.
-     */
-    HIDE_DEEP_LINKING_LOGO: false,
-
     /**
      * Hide the invite prompt in the header when alone in the meeting.
      */
@@ -90,7 +85,6 @@ var interfaceConfig = {
     JITSI_WATERMARK_LINK: 'https://jitsi.org',
 
     LANG_DETECTION: true, // Allow i18n to detect the system language
-    LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
     LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
 
     /**
@@ -110,28 +104,11 @@ var interfaceConfig = {
      */
     MOBILE_APP_PROMO: true,
 
-    /**
-     * Specify custom URL for downloading android mobile app.
-     */
-    MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
-
-    /**
-     * Specify custom URL for downloading f droid app.
-     */
-    MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
-
-    /**
-     * Specify URL for downloading ios mobile app.
-     */
-    MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
-
-    NATIVE_APP_NAME: 'Jitsi Meet',
-
     // Names of browsers which should show a warning stating the current browser
     // has a suboptimal experience. Browsers which are not listed as optimal or
     // unsupported are considered suboptimal. Valid values are:
-    // chrome, chromium, edge, electron, firefox, nwjs, opera, safari
-    OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
+    // chrome, chromium, electron, firefox , safari, webkit
+    OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ],
 
     POLICY_LOGO: null,
     PROVIDER_NAME: 'Jitsi',
@@ -144,7 +121,7 @@ var interfaceConfig = {
     RECENT_LIST_ENABLED: true,
     REMOTE_THUMBNAIL_RATIO: 1, // 1:1
 
-    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
 
     /**
      * Specify which sharing features should be displayed. If the value is not set
@@ -161,7 +138,6 @@ var interfaceConfig = {
      */
     SHOW_CHROME_EXTENSION_BANNER: false,
 
-    SHOW_DEEP_LINKING_IMAGE: false,
     SHOW_JITSI_WATERMARK: true,
     SHOW_POWERED_BY: false,
     SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@@ -202,6 +178,31 @@ var interfaceConfig = {
      */
     // TILE_VIEW_MAX_COLUMNS: 5,
 
+    // List of undocumented settings
+    /**
+     INDICATOR_FONT_SIZES
+     PHONE_NUMBER_REGEX
+    */
+
+    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+
+    /**
+     * Specify URL for downloading ios mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
+
+    /**
+     * Specify custom URL for downloading android mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
+
+    /**
+     * Specify mobile app scheme for opening the app from the mobile browser.
+     */
+    // APP_SCHEME: 'org.jitsi.meet',
+
+    // NATIVE_APP_NAME: 'Jitsi Meet',
+
     /**
      * Specify Firebase dynamic link properties for the mobile apps.
      */
@@ -214,22 +215,19 @@ var interfaceConfig = {
     // },
 
     /**
-     * Specify mobile app scheme for opening the app from the mobile browser.
+     * Hide the logo on the deep linking pages.
      */
-    // APP_SCHEME: 'org.jitsi.meet',
+    // HIDE_DEEP_LINKING_LOGO: false,
 
     /**
      * Specify the Android app package name.
      */
     // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
 
-    // List of undocumented settings
     /**
-     INDICATOR_FONT_SIZES
-     PHONE_NUMBER_REGEX
-    */
-
-    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+     * Specify custom URL for downloading f droid app.
+     */
+    // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
 
     // Connection indicators (
     // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
@@ -242,12 +240,19 @@ var interfaceConfig = {
     // Please use defaultLocalDisplayName from config.js
     // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
 
+    // Please use defaultLogoUrl from config.js
+    // DEFAULT_LOGO_URL: 'images/watermark.svg',
+
     // Please use defaultRemoteDisplayName from config.js
     // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
 
     // Moved to config.js as `toolbarConfig.initialTimeout`.
     // INITIAL_TOOLBAR_TIMEOUT: 20000,
 
+    // Please use `liveStreaming.helpLink` from config.js
+    // Documentation reference for the live streaming feature.
+    // LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
+
     // Moved to config.js as `toolbarConfig.alwaysVisible`.
     // TOOLBAR_ALWAYS_VISIBLE: false,
 

type/__jitsi_meet_domain/files/jitsi-version

@@ -1 +1 @@
-2.0.7210-1
+2.0.9457-1

type/__jitsi_meet_domain/files/nginx.sh

@@ -7,10 +7,16 @@ JITSI_NGINX_CONFIG="$(cat <<EOF
 #server_names_hash_bucket_size 64;
 #
 #types {
-## nginx's default mime.types doesn't include a mapping for wasm
+## nginx's default mime.types doesn't include a mapping for wasm or wav.
 #    application/wasm     wasm;
+#    audio/wav            wav;
 #}
 # These upstreams are managed by __jitsi_meet
+#upstream jicofo {
+#    zone upstreams 64K;
+#    server 127.0.0.1:8888;
+#    keepalive 2;
+#}
 #upstream prosody {
 #    zone upstreams 64K;
 #    server 127.0.0.1:5280;
@@ -21,6 +27,17 @@ JITSI_NGINX_CONFIG="$(cat <<EOF
 #    server 127.0.0.1:9090;
 #    keepalive 2;
 #}
+#map \$arg_vnode \$prosody_node {
+#    default prosody;
+#    v1 v1;
+#    v2 v2;
+#    v3 v3;
+#    v4 v4;
+#    v5 v5;
+#    v6 v6;
+#    v7 v7;
+#    v8 v8;
+#}
 server {
     listen 80;
     listen [::]:80;
@@ -33,8 +50,8 @@ server {
     }
 }
 server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name ${DOMAIN};
 
     include snippets/acme-challenge.conf;
@@ -50,6 +67,10 @@ server {
 
     add_header Strict-Transport-Security "max-age=63072000" always;
     set \$prefix "";
+    # Try the custom page for this domain, fallback to default page
+    set \$custom_index "index-${DOMAIN}.html";
+    # We expect this domain to be properly configured, the file should exist
+    set \$config_js_location "/etc/jitsi/meet/${DOMAIN}-config.js";
 
     ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
@@ -61,7 +82,7 @@ server {
     ssi_types application/x-javascript application/javascript;
 
     # Try the custom page for this domain, fallback to default page
-    index index-${DOMAIN}.html index.html index.htm;
+    index \$custom_index index.html index.htm;
     error_page 404 /static/404.html;
 
     gzip on;
@@ -70,9 +91,10 @@ server {
     gzip_proxied no-cache no-store private expired auth;
     gzip_min_length 512;
 
-    # We expect this domain to be properly configured, the file should exist
+    # include /etc/jitsi/meet/jaas/*.conf;
+
     location = /config.js {
-        alias /etc/jitsi/meet/${DOMAIN}-config.js;
+        alias \$config_js_location;
     }
     # We expect this domain to be properly configured, the file should exist
     location = /interface_config.js {
@@ -91,8 +113,20 @@ server {
         alias /usr/share/jitsi-meet/libs/external_api.min.js;
     }
 
+    location = /_api/room-info {
+        proxy_pass http://prosody/room-info?prefix=\$prefix&\$args;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For \$remote_addr;
+        proxy_set_header Host \$http_host;
+    }
+
+    location ~ ^/_api/public/(.*)\$ {
+        autoindex off;
+        alias /etc/jitsi/meet/public/\$1;
+    }
+
     # ensure all static content can always be found first
-    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
+    location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)\$
     {
         add_header 'Access-Control-Allow-Origin' '*';
         alias /usr/share/jitsi-meet/\$1/\$2;
@@ -102,6 +136,7 @@ server {
             expires 1y;
         }
     }
+
     # Paths for jsi / interpreters
     location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
     {
@@ -159,11 +194,22 @@ server {
     #    alias /usr/share/jitsi-meet/load-test/libs/\$1;
     #}
 
+    location ~ ^/conference-request/v1([/].*)?\$ {
+        proxy_pass http://jicofo/conference-request/v1\$1;
+        add_header "Cache-Control" "no-cache, no-store";
+        add_header 'Access-Control-Allow-Origin' '*';
+    }
+    location ~ ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ {
+        rewrite ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ /conference-request/v1\$2;
+    }
+
     location ~ ^/([^/?&:'"]+)\$ {
+        set \$roomname "\$1";
         try_files \$uri @root_path;
     }
 
     location @root_path {
+        # rewrite ^/(.*)\$ /\$custom_index break;
         rewrite ^/(.*)\$ / break;
     }
 
@@ -172,9 +218,16 @@ server {
         set \$subdomain "\$1.";
         set \$subdir "\$1/";
 
-        alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
+        alias \$config_js_location;
     }
 
+    ## Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
+    #location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ {
+    #    set \$subdomain "\$1.";
+    #    set \$subdir "\$1/";
+    #    rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ /\$2;
+    #}
+
     # BOSH for subdomains
     location ~ ^/([^/?&:'"]+)/http-bind {
         set \$subdomain "\$1.";
@@ -193,6 +246,14 @@ server {
         rewrite ^/(.*)\$ /xmpp-websocket;
     }
 
+    location ~ ^/([^/?&:'"]+)/_api/room-info {
+        set \$subdomain "\$1.";
+        set \$subdir "\$1/";
+        set \$prefix "\$1";
+
+        rewrite ^/(.*)\$ /_api/room-info;
+    }
+
     # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
     location ~ ^/([^/?&:'"]+)/(.*)\$ {
         set \$subdomain "\$1.";

type/__jitsi_meet_domain/files/nginx.sh.orig

@@ -1,8 +1,9 @@
 server_names_hash_bucket_size 64;
 
 types {
-# nginx's default mime.types doesn't include a mapping for wasm
+# nginx's default mime.types doesn't include a mapping for wasm or wav.
     application/wasm     wasm;
+    audio/wav            wav;
 }
 upstream prosody {
     zone upstreams 64K;
@@ -14,6 +15,17 @@ upstream jvb1 {
     server 127.0.0.1:9090;
     keepalive 2;
 }
+map $arg_vnode $prosody_node {
+    default prosody;
+    v1 v1;
+    v2 v2;
+    v3 v3;
+    v4 v4;
+    v5 v5;
+    v6 v6;
+    v7 v7;
+    v8 v8;
+}
 server {
     listen 80;
     listen [::]:80;
@@ -31,8 +43,8 @@ server {
     }
 }
 server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name jitsi-meet.example.com;
 
     # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
@@ -46,6 +58,8 @@ server {
 
     add_header Strict-Transport-Security "max-age=63072000" always;
     set $prefix "";
+    set $custom_index "";
+    set $config_js_location /etc/jitsi/meet/jitsi-meet.example.com-config.js;
 
     ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
     ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
@@ -65,16 +79,30 @@ server {
     gzip_proxied no-cache no-store private expired auth;
     gzip_min_length 512;
 
+    include /etc/jitsi/meet/jaas/*.conf;
+
     location = /config.js {
-        alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
+        alias $config_js_location;
     }
 
     location = /external_api.js {
         alias /usr/share/jitsi-meet/libs/external_api.min.js;
     }
 
+    location = /_api/room-info {
+        proxy_pass http://prosody/room-info?prefix=$prefix&$args;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $http_host;
+    }
+
+    location ~ ^/_api/public/(.*)$ {
+        autoindex off;
+        alias /etc/jitsi/meet/public/$1;
+    }
+
     # ensure all static content can always be found first
-    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
+    location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$
     {
         add_header 'Access-Control-Allow-Origin' '*';
         alias /usr/share/jitsi-meet/$1/$2;
@@ -87,7 +115,7 @@ server {
 
     # BOSH
     location = /http-bind {
-        proxy_pass http://prosody/http-bind?prefix=$prefix&$args;
+        proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args;
         proxy_http_version 1.1;
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header Host $http_host;
@@ -96,7 +124,7 @@ server {
 
     # xmpp websockets
     location = /xmpp-websocket {
-        proxy_pass http://prosody/xmpp-websocket?prefix=$prefix&$args;
+        proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
@@ -122,12 +150,22 @@ server {
     #    alias /usr/share/jitsi-meet/load-test/libs/$1;
     #}
 
+    location ~ ^/conference-request/v1(\/.*)?$ {
+        proxy_pass http://127.0.0.1:8888/conference-request/v1$1;
+        add_header "Cache-Control" "no-cache, no-store";
+        add_header 'Access-Control-Allow-Origin' '*';
+    }
+    location ~ ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ {
+        rewrite ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ /conference-request/v1$2;
+    }
+
     location ~ ^/([^/?&:'"]+)$ {
+        set $roomname "$1";
         try_files $uri @root_path;
     }
 
     location @root_path {
-        rewrite ^/(.*)$ / break;
+        rewrite ^/(.*)$ /$custom_index break;
     }
 
     location ~ ^/([^/?&:'"]+)/config.js$
@@ -135,7 +173,14 @@ server {
         set $subdomain "$1.";
         set $subdir "$1/";
 
-        alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
+        alias $config_js_location;
+    }
+
+    # Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
+    location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
     }
 
     # BOSH for subdomains
@@ -156,6 +201,14 @@ server {
         rewrite ^/(.*)$ /xmpp-websocket;
     }
 
+    location ~ ^/([^/?&:'"]+)/_api/room-info {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+        rewrite ^/(.*)$ /_api/room-info;
+    }
+
     # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
     location ~ ^/([^/?&:'"]+)/(.*)$ {
         set $subdomain "$1.";

type/__jitsi_meet_domain/files/prosody.cfg.lua.sh

@@ -75,8 +75,7 @@ ${PROSODY_MAIN_END}
 ${PROSODY_DOMAIN_START}
 -- This will be managed by __jitsi_meet_domain
 VirtualHost "${JITSI_DOMAIN:?}"
-    -- enabled = false -- Remove this line to enable this host
-    authentication = "anonymous"
+    authentication = "jitsi-anonymous" -- do not delete me
     -- Properties below are modified by jitsi-meet-tokens package config
     -- and authentication above is switched to "token"
     --app_id="example_app_id"
@@ -91,18 +90,19 @@ VirtualHost "${JITSI_DOMAIN:?}"
     }
     av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
     speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
-    conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
+    end_conference_component = "endconference.${JITSI_DOMAIN:?}"
     -- we need bosh
     modules_enabled = {
         "bosh";
-        "pubsub";
         "ping"; -- Enable mod_ping
         "speakerstats";
         "external_services";
         "conference_duration";
+        "end_conference";
         "muc_lobby_rooms";
         "muc_breakout_rooms";
         "av_moderation";
+        "room_metadata";
 ${PROSODY_WEBSOCKET}        "websocket";
 ${PROSODY_WEBSOCKET}        "smacks";
     }
@@ -113,6 +113,7 @@ ${PROSODY_WEBSOCKET}        "smacks";
     c2s_require_encryption = false
     lobby_muc = "lobby.${JITSI_DOMAIN:?}"
     breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
+    room_metadata_component = "metadata.${JITSI_DOMAIN:?}"
     main_muc = "conference.${JITSI_DOMAIN:?}"
     -- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
 
@@ -120,13 +121,18 @@ Component "conference.${JITSI_DOMAIN:?}" "muc"
     restrict_room_creation = true
     storage = "memory"
     modules_enabled = {
+        "muc_hide_all";
         "muc_meeting_id";
         "muc_domain_mapper";
         "polls";
         --"token_verification";
         "muc_rate_limit";
+        "muc_password_whitelist";
     }
     admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
+    muc_password_whitelist = {
+        "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
+    }
     muc_room_locking = false
     muc_room_default_public_jids = true
 
@@ -134,9 +140,9 @@ Component "breakout.${JITSI_DOMAIN:?}" "muc"
     restrict_room_creation = true
     storage = "memory"
     modules_enabled = {
+        "muc_hide_all";
         "muc_meeting_id";
         "muc_domain_mapper";
-        --"token_verification";
         "muc_rate_limit";
         "polls";
     }
@@ -148,6 +154,7 @@ Component "breakout.${JITSI_DOMAIN:?}" "muc"
 Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
     storage = "memory"
     modules_enabled = {
+        "muc_hide_all";
         "ping";
     }
     admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
@@ -181,7 +188,7 @@ Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
 Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
     muc_component = "conference.${JITSI_DOMAIN:?}"
 
-Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
+Component "endconference.${JITSI_DOMAIN:?}" "end_conference"
     muc_component = "conference.${JITSI_DOMAIN:?}"
 
 Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
@@ -193,9 +200,14 @@ Component "lobby.${JITSI_DOMAIN:?}" "muc"
     muc_room_locking = false
     muc_room_default_public_jids = true
     modules_enabled = {
+        "muc_hide_all";
         "muc_rate_limit";
         "polls";
     }
+
+Component "metadata.${JITSI_DOMAIN:?}" "room_metadata_component"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+    breakout_rooms_component = "breakout.${JITSI_DOMAIN:?}"
 ${PROSODY_DOMAIN_END}
 
 ${PROSODY_SECUREDOMAIN_START}

type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig

@@ -36,8 +36,7 @@ unlimited_jids = {
 }
 
 VirtualHost "jitmeet.example.com"
-    -- enabled = false -- Remove this line to enable this host
-    authentication = "anonymous"
+    authentication = "jitsi-anonymous" -- do not delete me
     -- Properties below are modified by jitsi-meet-tokens package config
     -- and authentication above is switched to "token"
     --app_id="example_app_id"
@@ -52,22 +51,24 @@ VirtualHost "jitmeet.example.com"
     }
     av_moderation_component = "avmoderation.jitmeet.example.com"
     speakerstats_component = "speakerstats.jitmeet.example.com"
-    conference_duration_component = "conferenceduration.jitmeet.example.com"
+    end_conference_component = "endconference.jitmeet.example.com"
     -- we need bosh
     modules_enabled = {
         "bosh";
-        "pubsub";
         "ping"; -- Enable mod_ping
         "speakerstats";
         "external_services";
         "conference_duration";
+        "end_conference";
         "muc_lobby_rooms";
         "muc_breakout_rooms";
         "av_moderation";
+        "room_metadata";
     }
     c2s_require_encryption = false
     lobby_muc = "lobby.jitmeet.example.com"
     breakout_rooms_muc = "breakout.jitmeet.example.com"
+    room_metadata_component = "metadata.jitmeet.example.com"
     main_muc = "conference.jitmeet.example.com"
     -- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
 
@@ -75,13 +76,18 @@ Component "conference.jitmeet.example.com" "muc"
     restrict_room_creation = true
     storage = "memory"
     modules_enabled = {
+        "muc_hide_all";
         "muc_meeting_id";
         "muc_domain_mapper";
         "polls";
         --"token_verification";
         "muc_rate_limit";
+        "muc_password_whitelist";
     }
     admins = { "focusUser@auth.jitmeet.example.com" }
+    muc_password_whitelist = {
+        "focusUser@auth.jitmeet.example.com"
+    }
     muc_room_locking = false
     muc_room_default_public_jids = true
 
@@ -89,9 +95,9 @@ Component "breakout.jitmeet.example.com" "muc"
     restrict_room_creation = true
     storage = "memory"
     modules_enabled = {
+        "muc_hide_all";
         "muc_meeting_id";
         "muc_domain_mapper";
-        --"token_verification";
         "muc_rate_limit";
         "polls";
     }
@@ -103,6 +109,7 @@ Component "breakout.jitmeet.example.com" "muc"
 Component "internal.auth.jitmeet.example.com" "muc"
     storage = "memory"
     modules_enabled = {
+        "muc_hide_all";
         "ping";
     }
     admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
@@ -122,7 +129,7 @@ Component "focus.jitmeet.example.com" "client_proxy"
 Component "speakerstats.jitmeet.example.com" "speakerstats_component"
     muc_component = "conference.jitmeet.example.com"
 
-Component "conferenceduration.jitmeet.example.com" "conference_duration_component"
+Component "endconference.jitmeet.example.com" "end_conference"
     muc_component = "conference.jitmeet.example.com"
 
 Component "avmoderation.jitmeet.example.com" "av_moderation_component"
@@ -134,6 +141,11 @@ Component "lobby.jitmeet.example.com" "muc"
     muc_room_locking = false
     muc_room_default_public_jids = true
     modules_enabled = {
+        "muc_hide_all";
         "muc_rate_limit";
         "polls";
     }
+
+Component "metadata.jitmeet.example.com" "room_metadata_component"
+    muc_component = "conference.jitmeet.example.com"
+    breakout_rooms_component = "breakout.jitmeet.example.com"

type/__opendkim/man.rst

@@ -41,21 +41,25 @@ subdomains
 umask
   Set the umask for the socket and PID file.
 
-userid
-  Change the user the opendkim program is to run as.
-  By default, Alpine Linux's OpenRC service will set this to `opendkim` on the
-  command-line and FreeBSD's rc will set it to `mailnull`.
-
 custom-config
   The string following this parameter is appended as-is in the configuration, to
   enable more complex configurations.
 
+
 BOOLEAN PARAMETERS
 ------------------
 syslog
   Log to syslog.
 
 
+DEPRECATED PARAMETERS
+---------------------
+userid
+  Change the user the opendkim program is to run as.
+  By default, Alpine Linux's OpenRC service will set this to `opendkim` on the
+  command-line and FreeBSD's rc will set it to `mailnull`.
+
+
 EXAMPLES
 --------
 

type/__opendkim/manifest

@@ -29,6 +29,7 @@ case "$os" in
 'freebsd')
 	CFG_DIR="/usr/local/etc/mail"
 	service="milter-opendkim"
+	start_service="milteropendkim"
 	;;
 *)
 	printf "__opendkim does not yet support %s.\n" "$os" >&2
@@ -90,7 +91,11 @@ fi
 require="__package/opendkim" __file "$target_file" \
 	--source "$source_file" --mode 0644
 
-require="__package/opendkim" __start_on_boot "${service}"
+# Due to the way rc.conf works on *BSD, we find ourselves in the awkward
+# situation, where a service's name can contain a '-' symbol, but the
+# rc.conf setting to enable a service at boot cannot.
+# Unless start_service has been defined before, these two match.
+require="__package/opendkim" __start_on_boot "${start_service:-${service}}"
 
 # Ensure Key and Signing tables exist and have proper permissions
 key_table="${CFG_DIR}/KeyTable"
@@ -105,7 +110,7 @@ require="__package/opendkim" \
 	--mode 444
 
 require="__file${target_file} __file${key_table}
-		__file${signing_table} __start_on_boot/${service}" \
+		__file${signing_table} __start_on_boot/${start_service:-${service}}" \
 	__check_messages opendkim \
 		--pattern "^__file${target_file}" \
 		--execute "service ${service} restart"

type/__opendkim/parameter/deprecated/userid

@@ -0,0 +1,2 @@
+This can cause inconsistencies with permissions and will stop being supported.
+If you still need this, you can use --custom-config 'UserId $USERID'.

type/__opendkim_genkey/explorer/key-state

@@ -0,0 +1,32 @@
+#!/bin/sh -e
+DIRECTORY="/var/db/dkim/"
+if [ -f "${__object:?}/parameter/directory" ];
+then
+	# Be forgiving about a lack of trailing slash
+	DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
+fi
+
+
+KEY_ID="$(echo "${__object_id:?)}" | tr '/' '_')"
+DEFAULT_PATH="${DIRECTORY:?}${KEY_ID:?}.private"
+if [ -s "${DEFAULT_PATH}" ]; then
+	# This is the main location for the key
+	FOUND_PATH="${DEFAULT_PATH}"
+else
+	# This is a backwards-compatible location for the key
+	# Keys generated post March 2022 should not land here
+	if [ -f "${__object:?}/parameter/selector" ]; then
+		SELECTOR="$(cat "${__object:?}/parameter/selector")"
+		if [ -s "${DIRECTORY}${SELECTOR:?}.private" ]; then
+			FOUND_PATH="${DIRECTORY}${SELECTOR:?}.private"
+		fi
+	fi
+fi
+
+if [ -n "${FOUND_PATH}" ]; then
+	printf "present\t%s" "${FOUND_PATH}"
+else
+	# We didn't find the key
+	# We pass the default path here, to easen logic in the rest of the type
+	printf "absent\t%s" "${DEFAULT_PATH}"
+fi

type/__opendkim_genkey/gencode-remote

@@ -19,8 +19,8 @@
 #
 
 # Required parameters
-DOMAIN="$(cat "${__object:?}/parameter/domain")"
-SELECTOR="$(cat "${__object:?}/parameter/selector")"
+DOMAIN="$(cat "${__object:?}/domain")"
+SELECTOR="$(cat "${__object:?}/selector")"
 
 # Optional parameters
 BITS=
@@ -28,12 +28,6 @@ if [ -f "${__object:?}/parameter/bits" ]; then
 	BITS="-b $(cat "${__object:?}/parameter/bits")"
 fi
 
-DIRECTORY="/var/db/dkim/"
-if [ -f "${__object:?}/parameter/directory" ]; then
-	# Be forgiving about a lack of trailing slash
-	DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
-fi
-
 # Boolean parameters
 SUBDOMAINS=
 if [ -f "${__object:?}/parameter/no-subdomains" ]; then
@@ -48,9 +42,24 @@ fi
 user="$(cat "${__object:?}/user")"
 group="$(cat "${__object:?}/group")"
 
-if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then
-	echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS"
-	echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.private"
+KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")"
+KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")"
+
+if [ "${KEY_STATE:?}" = "absent" ]; then
+	# opendkim-genkey(8) does not allow specifying the file name.
+	# To err on the safe side (and avoid potentially killing other keys)
+	# we operate on a temporary directory first, then move the resulting key
+	cat <<-EOF
+	tmp_dir="\$(mktemp -d cdist-dkim.XXXXXXXXXXX)"
+	opendkim-genkey $BITS --domain=${DOMAIN:?} --directory=\${tmp_dir:?} $RESTRICTED --selector=${SELECTOR:?} $SUBDOMAINS
+	# Relocate and ensure permissions
+	mv "\${tmp_dir:?}/${SELECTOR:?}.private" '${KEY_LOCATION:?}'
+	chown ${user}:${group} '${KEY_LOCATION}'
+	chmod 0600 '${KEY_LOCATION}'
 	# This is usually generated, if it weren't we do not want to fail
-	echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.txt || true"
+	mv "\${tmp_dir:?}/${SELECTOR:?}.txt" '${KEY_LOCATION%.private}.txt' || true
+	chown ${user}:${group} '${KEY_LOCATION%.private}.txt' || true
+	# Cleanup after ourselves
+	rmdir "\${tmp_dir:?}" || true
+	EOF
 fi

type/__opendkim_genkey/man.rst

@@ -10,23 +10,27 @@ DESCRIPTION
 -----------
 
 This type uses the `opendkim-genkey(8)` to generate signing keys suitable for
-usage by `opendkim(8)` to sign outgoing emails. Then, a line with the domain,
-selector and keyname in the `$selector._domainkey.$domain` format will be added
-to the OpenDKIM key table located at `/etc/opendkim/KeyTable`. Finally, a line
-will be added to the OpenDKIM signing table, using either the domain or the
-provided key for the `domain:selector:keyfile` value in the table. An existing
-key will not be overwritten.
+usage by `opendkim(8)` to sign outgoing emails.
+
+It also manages the key, identified by its `$__object_id` in OpenDKIM's
+KeyTable and sets its `s=` and `d=` parameters (see: `--selector` and
+`--sigdomain` respectively).
+
+This type will also manage the entries in the OpenDKIM's SigningTable by
+associating any given `sigkey` values to this key.
+
+Take into account that if you use this type without the `--domain` and
+`--selector` parameters, the `$__object_id` must be in form `$domain/$selector`.
 
 Currently, this type is only implemented for Alpine Linux and FreeBSD.
 Please contribute an implementation if you can.
 
-REQUIRED PARAMETERS
--------------------
-domain
-  The domain to generate the key for.
-
-selector
-  The DKIM selector to generate the key for.
+NOTE: the name of the key file under `--directory` will default to
+`$__object_id.private`, but if that fails and `--selector` is used,
+`SELECTOR.private` will be considered.
+Take care when using unrelated keys that might collide this way.
+For more information see:
+https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20
 
 
 OPTIONAL PARAMETERS
@@ -38,10 +42,36 @@ bits
 directory
   The directory in which to generate the key, `/var/db/dkim/` by default.
 
+domain
+  The domain to generate the key for.
+  If omitted, `--selector` must be omitted as well and `$__object_id` must be
+  in form: `$domain/$selector`.
+
+selector
+  The DKIM selector to generate the key for.
+  If omitted, `--domain` must be omitted as well and `$__object_id` must be
+  in form: `$domain/$selector`.
+
+sigdomain
+  Specified in the KeyTable, the domain to use in the signature's "d=" value.
+  Defaults to the specified domain. If `%`, it will be replaced by the apparent
+  domain of the sender when generating a signature.
+  Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
+  See `KeyTable` in `opendkim.conf(5)` for more information.
+
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
 sigkey
-  The key used in the SigningTable for this signing key. Defaults to the
+  The key used in the `SigningTable` for this signing key. Defaults to the
   specified domain. If `%`, OpenDKIM will replace it with the domain found
   in the `From:` header. See `opendkim.conf(5)` for more options.
+  Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
+  This can be passed multiple times, resulting in multiple lines in the
+  SigningTable, which can be used to support signing of subdomains or multiple
+  domains with the same key; in that case, you probably want to set
+  `--sigdomain` to `%`, else the domains will not be aligned.
+
 
 BOOLEAN PARAMETERS
 ------------------
@@ -57,6 +87,7 @@ EXAMPLES
 
 .. code-block:: sh
 
+    # Setup the OpenDKIM service
     __opendkim \
         --socket inet:8891@localhost \
         --basedir /var/lib/opendkim \
@@ -65,14 +96,24 @@ EXAMPLES
         --umask 002 \
         --syslog
 
-    require='__opendkim' \
-        __opendkim_genkey default \
-                --domain example.com \
-                --selector default
+    # Continue only after the service has been set up
+    export require="__opendkim"
 
-        __opendkim_genkey myfoo \
-                --domain foo.com \
-                --selector backup
+    # Generate a key for 'example.com' with selector 'default'
+    __opendkim_genkey default \
+        --domain example.com \
+        --selector default
+
+    # Generate a key for 'foo.com' with selector 'backup'
+    __opendkim_genkey 'foo.com/backup'
+
+    # Generate a key for 'example.org' with selector 'main'
+    # that can also sign 'cdi.st' and subdomains of 'example.org'
+    __opendkim_genkey 'example.org/main' \
+        --sigdomain '%' \
+        --sigkey 'example.org' \
+        --sigkey '.example.org' \
+        --sigkey 'cdi.st'
 
 
 SEE ALSO

type/__opendkim_genkey/manifest

@@ -35,17 +35,48 @@ case "$os" in
 ;;
 *)
 	cat <<- EOF >&2
-	__opendkim_genkey currently only supports Alpine Linux. Please
-	contribute an implementation for $os if you can.
+	__opendkim_genkey currently only supports Alpine Linux and FreeBSD.
+	Please contribute an implementation for $os if you can.
 	EOF
+	exit 1
 ;;
 esac
-# Persist user and group for gencode-remote
-printf '%s' "${user}" > "${__object:?}/user"
-printf '%s' "${group}" > "${__object:?}/group"
 
-SELECTOR="$(cat "${__object:?}/parameter/selector")"
-DOMAIN="$(cat "${__object:?}/parameter/domain")"
+# Logic to simplify the type as documented in
+# https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20#issuecomment-14711
+DOMAIN="$(cat "${__object:?}/parameter/domain" 2>/dev/null || true)"
+SELECTOR="$(cat "${__object:?}/parameter/selector" 2>/dev/null || true)"
+if [ -z "${DOMAIN}${SELECTOR}" ]; then
+	# Neither SELECTOR nor DOMAIN were passed, try to use __object_id
+	if echo "${__object_id:?}" | \
+			grep -qE '^[^/[:space:]]+/[^/[:space:]]+$'; then
+		# __object_id matches, let's get the data
+		DOMAIN="$(echo "${__object_id:?}" | cut -d '/' -f 1)"
+		SELECTOR="$(echo "${__object_id:?}" | cut -d '/' -f 2)"
+	else
+		# It doesn't match the pattern, this is sad
+		cat <<- EOF >&2
+		The arguments --domain and --selector were not used.
+		So __object_id must match DOMAIN/SELECTOR.
+		But instead the type got: ${__object_id:?}
+		EOF
+		exit 1
+	fi
+elif [ -z "${DOMAIN}" ] || [ -z "${SELECTOR}" ]; then
+	# Only one was passed, this is sad :-(
+	cat <<- EOF >&2
+	You must pass either both --selector and --domain or none of them.
+	If these arguments are absent, __object_id must match: DOMAIN/SELECTOR.
+	EOF
+	exit 1
+# else: both were passed
+fi
+
+# Persist data for gencode-remote
+printf '%s' "${user:?}" > "${__object:?}/user"
+printf '%s' "${group:?}" > "${__object:?}/group"
+printf '%s' "${DOMAIN:?}" > "${__object:?}/domain"
+printf '%s' "${SELECTOR:?}" > "${__object:?}/selector"
 
 DIRECTORY="/var/db/dkim/"
 if [ -f "${__object:?}/parameter/directory" ];
@@ -59,6 +90,11 @@ if [ -f "${__object:?}/parameter/sigkey" ];
 then
 	SIGKEY="$(cat "${__object:?}/parameter/sigkey")"
 fi
+SIGDOMAIN="${DOMAIN:?}"
+if [ -f "${__object:?}/parameter/sigdomain" ];
+then
+	SIGDOMAIN="$(cat "${__object:?}/parameter/sigdomain")"
+fi
 
 # Ensure the key-container directory exists with the proper permissions
 __directory "${DIRECTORY}" \
@@ -76,10 +112,28 @@ esac
 key_table="${CFG_DIR}/KeyTable"
 signing_table="${CFG_DIR}/SigningTable"
 
-__line "line-key-${__object_id:?}" \
-	--file "${key_table}" \
-	--line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
+KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")"
+KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")"
 
-__line "line-sig-${__object_id:?}" \
+__line "__opendkim_genkey/${__object_id:?}" \
+	--file "${key_table}" \
+	--line "${__object_id:?} ${SIGDOMAIN:?}:${SELECTOR:?}:${KEY_LOCATION:?}" \
+	--regex "^${__object_id:?}[[:space:]]" \
+	--state 'replace'
+
+sigtable_block() {
+	for sigkey in ${SIGKEY:?}; do
+		echo "${sigkey:?} ${__object_id:?}"
+	done
+}
+__block "__opendkim_genkey/${__object_id:?}" \
 	--file "${signing_table}" \
-	--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"
+	--text "$(sigtable_block)"
+
+if [ "${KEY_STATE:?}" = "present" ]; then
+	# Ensure proper permissions for the key file
+	__file "${KEY_LOCATION}" \
+		--owner "${user}" \
+		--group "${group}" \
+		--mode 0600
+fi

type/__opendkim_genkey/parameter/optional

@@ -1,4 +1,6 @@
 bits
 directory
+domain
 unrestricted
-sigkey
+selector
+sigdomain

type/__opendkim_genkey/parameter/optional_multiple

@@ -0,0 +1 @@
+sigkey

type/__opendkim_genkey/parameter/required

@@ -1,2 +0,0 @@
-domain
-selector

type/__php_fpm/files/php.ini.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+cat <<EOF
+; This file is managed by cdist, and has been shortened for readability.
+; The fine manual is at http://php.net/configuration.file.
+
+[PHP]
+
+; Production recommended defaults
+display_errors = Off
+display_startup_errors = Off
+enable_dl = Off
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+log_errors = On
+output_buffering = 4096
+register_argc_argv = Off
+request_order = "GP"
+short_open_tag = Off
+variables_order = "GPCS"
+zend.assertions = -1
+
+; Local custom variations
+include_path = ".:${PHP_INCLUDEDIR}"
+memory_limit = ${MEMORY_LIMIT:?}
+post_max_size = ${UPLOAD_MAX_FILESIZE:?}
+upload_max_filesize = ${UPLOAD_MAX_FILESIZE:?}
+
+EOF
+
+if [ -f "${__object:?}/parameter/enable-opcache" ]; then
+	cat <<-EOF
+		; opcache enabled by type flag
+		opcache.enable=1
+		opcache.enable_cli=1
+	EOF
+fi
+
+if [ -f "${__object:?}/parameter/enable-apcu" ]; then
+	cat <<-EOF
+		; acpu enabled by type flag
+		apc.enabled=1
+		apc.enable_cli=1
+		apc.shm_size=512M
+	EOF
+fi

type/__php_fpm/man.rst

@@ -0,0 +1,74 @@
+cdist-type__php_fpm(7)
+======================
+
+NAME
+----
+cdist-type__php_fpm - Setup and configure PHP-FPM
+
+
+DESCRIPTION
+-----------
+This type installs and configures PHP-FPM for a given version of PHP. It is
+expected to be used in combination with cdist-type__php_fpm_pool, which
+configures specific pools.
+
+This type supports Debian, Ubuntu and Alpine Linux.
+
+REQUIRED PARAMETERS
+-------------------
+php-version
+        The PHP version for which the type is working. Will impact installed
+        packages, configuration files, &c
+
+
+OPTIONAL PARAMETERS
+-------------------
+memory-limit
+        The system-wide memory limit for PHP-FPM. Can be overriden per-pool.
+        Default is 512M.
+
+upload-max-filesize
+        The maximum filesize accepted by PHP-FPM for file uploads. Default is
+        2M.
+
+BOOLEAN PARAMETERS
+------------------
+enable-opcache
+        Enable PHP opcache.
+
+enable-apcu
+        Enable PHP APCu.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Dead simple setup
+    __php_fpm --php-version 8.1
+
+    # Custom setup
+    __php_fpm \
+        --php-version 8.1 \
+        --memory-limit 768M \
+        --upload-max-filesize 200M \
+        --enable-opcache \
+        --enable-apcu
+
+SEE ALSO
+--------
+cdist-type__php_fpm_pool(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2022 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__php_fpm/manifest

@@ -0,0 +1,68 @@
+#!/bin/sh
+
+os=$(cat "${__global:?}/explorer/os")
+
+PHPVER=$(cat "${__object:?}/parameter/php-version")
+export PHPVER
+
+case "$os" in
+	'alpine')
+		# Alpine packages looks like php81-fpm - we make sure to remove dots from user
+		# input.
+		PHPVER=$(echo "$PHPVER" | tr -d '.')
+
+		package="php${PHPVER}-fpm"
+		opcache_package="php${PHPVER}-opcache"
+		apcu_package="php${PHPVER}-pecl-apcu"
+
+		service="php-fpm${PHPVER}"
+		php_confdir="/etc/php${PHPVER}"
+		php_ini="${php_confdir:?}/php.ini"
+
+		PHP_INCLUDEDIR="/usr/share/php${PHPVER:?}"
+		export PHP_INCLUDEDIR
+	;;
+	'debian'|'ubuntu')
+		package="php${PHPVER}-fpm"
+		opcache_package="php${PHPVER}-opcache"
+		apcu_package="php${PHPVER}-apcu"
+
+		service="php${PHPVER}-fpm"
+		php_confdir="/etc/php/${PHPVER}"
+		php_ini="${php_confdir:?}/fpm/php.ini"
+
+		PHP_INCLUDEDIR="/usr/share/php/${PHPVER:?}"
+		export PHP_INCLUDEDIR
+	;;
+	*)
+		printf "Your operating system is currently not supported by this type\n" >&2
+		printf "Please contribute an implementation for it if you can.\n" >&2
+		exit 1
+		;;
+esac
+
+__package "$package"
+require="__package/$package" __start_on_boot "$service"
+
+if [ -f "${__object:?}/parameter/enable-opcache" ]; then
+	__package "$opcache_package"
+fi
+
+if [ -f "${__object:?}/parameter/enable-apcu" ]; then
+	__package "$apcu_package"
+fi
+
+MEMORY_LIMIT=$(cat "${__object:?}/parameter/memory-limit")
+export MEMORY_LIMIT
+
+UPLOAD_MAX_FILESIZE=$(cat "${__object:?}/parameter/upload-max-filesize")
+export UPLOAD_MAX_FILESIZE
+
+mkdir -p "${__object:?}/files"
+"${__type:?}/files/php.ini.sh" >"${__object:?}/files/php.ini"
+
+require="__package/$package" __file "${php_ini:?}" \
+	--mode 644 --source "${__object:?}/files/php.ini" \
+	--onchange "service $service restart"
+
+require="__file/${php_ini:?}" __service "$service" --action start

type/__php_fpm/parameter/boolean

@@ -0,0 +1,2 @@
+enable-opcache
+enable-apcu

type/__php_fpm/parameter/default/memory-limit

@@ -0,0 +1 @@
+512M

type/__php_fpm/parameter/default/upload-max-filesize

@@ -0,0 +1 @@
+2M

type/__php_fpm/parameter/optional

@@ -0,0 +1,2 @@
+upload-max-filesize
+memory-limit

type/__php_fpm/parameter/required

@@ -0,0 +1 @@
+php-version

type/__php_fpm_pool/files/www.conf.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+
+cat <<EOF
+; PHP-FPM configuration file for $POOL_NAME, PHP version $PHPVER.
+; This file is managed by cdist, do not edit by hand!
+[$POOL_NAME]
+
+; Local non-default configuration
+user = $POOL_USER
+group = $POOL_GROUP
+listen = $POOL_LISTEN_ADDR
+listen.owner = $POOL_LISTEN_OWNER
+
+; Mandatory configuration options with default production values
+pm = dynamic
+pm.max_children = 10
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+env[HOSTNAME] = \$HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
+
+EOF
+
+if [ -f "${__object:?}/parameter/memory-limit" ]; then
+	echo "php_admin_value[memory_limit] = $(cat "$__object/parameter/memory-limit")"
+fi
+
+if [ -f "${__object:?}/parameter/open-basedir" ]; then
+	echo "php_admin_value[open_basedir] = $(cat "${__object:?}/parameter/open-basedir")"
+fi

type/__php_fpm_pool/man.rst

@@ -0,0 +1,79 @@
+cdist-type__php_fpm_pool(7)
+===========================
+
+NAME
+----
+cdist-type__php_fpm_pool - Setup and configure a PHP-FPM pool
+
+
+DESCRIPTION
+-----------
+
+This type configures a pool named after the `__object_id` for a specified PHP
+version. Note that this types expects a same-version cdist-type__php_fpm type
+to have been run first: the user is responsible for doing so.
+
+This type supports Debian, Ubuntu and Alpine Linux.
+
+
+REQUIRED PARAMETERS
+-------------------
+php-version
+        The PHP version for which the type is working. Will impact installed
+        packages, configuration files, &c
+
+pool-user
+        The local user under which the pool processes should run.
+
+pool-group
+        The local group under which the pool processes should run.
+
+pool-listen-addr
+        The socket or address to which the pool should bind for listening.
+
+pool-listen-owner
+        The owner of the socket if a socket is used.
+
+OPTIONAL PARAMETERS
+-------------------
+memory-limit
+        The pool memory limit for PHP-FPM. Will default to the setting in the
+        system-wide php.ini file.
+
+openbasedir
+        Limit the files that can be accessed by PHP to the specified
+        directory-tree, including the file itself.
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup PHP-FPM
+    __php_fpm --php-version 8
+
+    # Setup the pool
+    __php_fpm_pool www \
+        --php-version 8 \
+        --pool-user nextcloud \
+        --pool-group www-data \
+        --pool-listen-addr "/run/php8/php-fpm.sock" \
+        --pool-listen-owner nginx \
+        --memory-limit 1G
+
+SEE ALSO
+--------
+cdist-type__php_fpm(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2022 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__php_fpm_pool/manifest

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+os=$(cat "${__global:?}/explorer/os")
+name=${__object_id:?}
+
+PHPVER=$(cat "${__object:?}/parameter/php-version")
+export PHPVER
+
+case "$os" in
+	'alpine')
+		PHPVER=$(echo "$PHP_VERSION" | tr -d '.')
+		service="php-fpm${PHPVER}"
+		php_confdir="/etc/php${PHPVER}"
+		php_pooldir="${php_confdir:?}/php-fpm.d"
+	;;
+	'debian'|'ubuntu')
+		service="php${PHPVER}-fpm"
+		php_confdir="/etc/php/${PHPVER}"
+		php_pooldir="${php_confdir:?}/fpm/pool.d"
+	;;
+	*)
+		printf "Your operating system is currently not supported by this type\n" >&2
+		printf "Please contribute an implementation for it if you can.\n" >&2
+		exit 1
+		;;
+esac
+
+POOL_NAME="$name"
+POOL_USER=$(cat "${__object:?}/parameter/pool-user")
+POOL_GROUP=$(cat "${__object:?}/parameter/pool-group")
+POOL_LISTEN_ADDR=$(cat "${__object:?}/parameter/pool-listen-addr")
+POOL_LISTEN_OWNER=$(cat "${__object:?}/parameter/pool-listen-owner")
+export POOL_USER POOL_GROUP POOL_LISTEN_ADDR POOL_LISTEN_OWNER POOL_NAME
+
+mkdir -p "${__object:?}/files"
+"${__type:?}/files/www.conf.sh" >"${__object:?}/files/www.conf"
+
+__file "${php_pooldir:?}/${name}.conf" \
+	--mode 644 --source "${__object:?}/files/www.conf" \
+	--onchange "service $service reload"

type/__php_fpm_pool/parameter/optional

@@ -0,0 +1,2 @@
+memory-limit
+open-basedir

type/__php_fpm_pool/parameter/required

@@ -0,0 +1,5 @@
+php-version
+pool-user
+pool-group
+pool-listen-addr
+pool-listen-owner

type/__runit/manifest

@@ -6,7 +6,14 @@ os="$(cat "${__global}/explorer/os")"
 case "${os}" in
 	debian|devuan)
 		# zero-config sysvinit and systemd compatibility
-		__package runit-run
+		os_version="$(cat "${__global}/explorer/os_version")"
+		debian_package="runit-run"
+		case "${os_version}" in
+			beowulf)
+				debian_package="runit"
+			;;
+		esac
+		__package "${debian_package}"
 	;;
 	freebsd)
 		__key_value \

type/__runit_service/manifest

@@ -33,18 +33,25 @@ if [ "${state}" != "present" ]; then
 	exit
 fi
 
+# Setup run file
+__file --state "${state}" --mode 0550 --source "${source}" \
+	--onchange "sv restart '${sv}' || true" \
+	"${run_file}"
+export require="${require} __file${run_file}"
+
 if [ -f "${__object}/parameter/log" ]; then
 	# Setup logger if requested
-	__directory --parents "${svdir}/${sv}/log/main"
-	export require="${require} __directory${svdir}/${sv}/log/main"
+	logdir="/var/log/runit"
+	__directory --parents "${svdir}/${sv}/log"
+	__directory --state absent "${svdir}/${sv}/log/main"  # Remove lingering old fashioned log
+	__directory --parents "${logdir}/${sv}"
+	export require="${require} __directory${svdir}/${sv}/log __directory${logdir}/${sv}"
 	__file "${svdir}/${sv}/log/run" \
 		--state "${state}" \
 		--mode 0755 \
+		--onchange "sv restart '${sv}/log' || true" \
 		--source "-" <<EOF
 #!/bin/sh
-exec svlogd -tt ./main
+exec svlogd -tt '${logdir}/${sv}'
 EOF
 fi
-
-# Setup run file
-__file --state "${state}" --mode 0755 --source "${source}" "${run_file}"

type/__single_binary_service/man.rst

@@ -90,6 +90,11 @@ binary
     If `--unpack` is used, a binary with this name must be unpacked.
     Otherwise, the contents of `--url` will be placed under this binary name.
 
+env
+    An `env` file consiting of `ENVIRONMENT_VARIABLE=VALUE`, one variable per
+    line.
+    Empty lines and those starting with `#` are ignored.
+
 service-args
     Any extra arguments to pass along with `--service-exec`. Beware that any
     service-args having the format `--config=/etc/foo.cfg` should be

type/__single_binary_service/manifest

@@ -112,7 +112,7 @@ if [ "${USER}" != "root" ] && \
 		--system \
 		--state "${STATE}" \
 		--home "${USER_HOME_DIR}" \
-		--comment "cdist-managed ${SERVICE_NAME} user" \
+		--comment "cdist-managed service user" \
 		${USER_CREATE_HOME}
 	# Track dependencies
 	service_require="${service_require} __user/${USER}"
@@ -136,11 +136,21 @@ fi
 
 
 
+# These messages will trigger a service restart (overridden for systemd)
+service_config_reload_pattern="^__file${CONFIG_FILE_DEST}"
+
 # This should setup the object in $service_definition_require
 # See above.
 case "${INIT}" in
 	systemd)
 		if [ -z "${SERVICE_DEFINITION}" ]; then
+			SYSTEMD_ENV_FILE="/etc/systemd/system/${SERVICE_NAME}.env"
+			__file "${SYSTEMD_ENV_FILE}" \
+				--mode 0400 \
+				--source "${__object}/parameter/env"
+			# We need to take into account the envionment file for systemd too
+			service_config_reload_pattern="(${service_config_reload_pattern}|^__file${SYSTEMD_ENV_FILE})"
+
 			SERVICE_DEFINITION="$(cat <<EOF
 [Unit]
 Description=${SERVICE_DESCRIPTION}
@@ -153,6 +163,7 @@ User=${USER}
 Group=${GROUP}
 ExecStart=${SERVICE_EXEC}
 Restart=always
+EnvironmentFile=${SYSTEMD_ENV_FILE}
 ${WORKING_DIRECTORY_SYSTEMD}
 
 [Install]
@@ -169,12 +180,18 @@ EOF
 	;;
 	runit|sysvinit)
 		if [ -z "${SERVICE_DEFINITION}" ]; then
+			RUNIT_ENV="$(sed -Ee 's!^([[:alnum:]_]+)=(.*)$!export \1=\2!' "${__object}/parameter/env")"
 			SERVICE_DEFINITION="$(cat <<EOF
 #!/bin/sh -e
 ${WORKING_DIRECTORY_RUNIT}
+# User-provided environment
+${RUNIT_ENV}
+# System vars
 export HOME="\$(getent passwd '${USER}' | cut -d: -f6)"
 export USER="${USER}"
 export GROUP="${GROUP}"
+
+exec 2>&1
 exec chpst -u "${USER}:${GROUP}" ${SERVICE_EXEC}
 EOF
 )"
@@ -279,10 +296,10 @@ EOF
 			--onchange "${perform_service_upgrade}" \
 			--source "-"
 else
-	# We only restart here if there was a config change
+	# We only restart here if there was a config or env change
 	# but there was not a version change
 	require="${service_require}" __check_messages \
 		"single_binary_service_${__object_id}" \
-		--pattern "^__file${CONFIG_FILE_DEST}" \
+		--pattern "${service_config_reload_pattern}" \
 		--execute "$(sv_cmd restart)"
 fi

type/__single_binary_service/parameter/optional

@@ -1,4 +1,5 @@
 config-file-source
+env
 user
 group
 state