Import __matterbridge type

.gitattributes

@@ -4,5 +4,5 @@
 docs/speeches export-ignore
 docs/video export-ignore
 docs/src/man7 export-ignore
-bin/cdist-build-helper export-ignore
+bin/build-helper export-ignore
 README-maintainers export-ignore

.gitlab-ci.yml

@@ -1,23 +1,18 @@
----
-image: code.ungleich.ch:5050/ungleich-public/cdist/cdist-ci:latest
-
 stages:
     - test
 
-before_script:
-    - ./bin/cdist-build-helper version
-
-shellcheck:
-    stage: test
-    script:
-        - ./bin/cdist-build-helper shellcheck
-
-pycodestyle:
-    stage: test
-    script:
-        - ./bin/cdist-build-helper pycodestyle
-
 unit_tests:
     stage: test
     script:
-        - ./bin/cdist-build-helper test
+        - ./bin/build-helper version
+        - ./bin/build-helper test
+
+pycodestyle:
+    stage: test
+    script:
+        - ./bin/build-helper pycodestyle
+
+shellcheck:
+    stage: test
+    script:
+        - ./bin/build-helper shellcheck

Makefile

@@ -35,9 +35,9 @@ DOCS_SRC_DIR=./docs/src
 SPEECHDIR=./docs/speeches
 TYPEDIR=./cdist/conf/type
 
-SPHINXM=$(MAKE) -C $(DOCS_SRC_DIR) man
-SPHINXH=$(MAKE) -C $(DOCS_SRC_DIR) html
-SPHINXC=$(MAKE) -C $(DOCS_SRC_DIR) clean
+SPHINXM=make -C $(DOCS_SRC_DIR) man
+SPHINXH=make -C $(DOCS_SRC_DIR) html
+SPHINXC=make -C $(DOCS_SRC_DIR) clean
 
 ################################################################################
 # Manpages
@@ -81,7 +81,7 @@ version:
 	}
 
 # Manpages #3: generic part
-man: version configskel $(MANTYPES) $(DOCSREF) $(DOCSTYPESREF)
+man: version $(MANTYPES) $(DOCSREF)
 	$(SPHINXM)
 
 html: version configskel $(MANTYPES) $(DOCSREF) $(DOCSTYPESREF)
@@ -104,7 +104,7 @@ DOTMANTYPES=$(subst /man.rst,.rst,$(DOTMANTYPEPREFIX))
 $(DOTMAN7DSTDIR)/cdist-type%.rst: $(DOTTYPEDIR)/%/man.rst
 	ln -sf "$^" $@
 
-dotman: version configskel $(DOTMANTYPES) $(DOCSREF) $(DOCSTYPESREF)
+dotman: version $(DOTMANTYPES)
 	$(SPHINXM)
 
 ################################################################################

README

@@ -0,0 +1,7 @@
+cdist
+-----
+
+cdist is a usable configuration management system.
+
+For the web documentation have a look at https://www.cdi.st/
+or at docs/src for reStructuredText manual.

README-maintainers

@@ -1,4 +1,4 @@
-Maintainers should use ./bin/cdist-build-helper script.
+Maintainers should use ./bin/build-helper script.
 
 Makefile is intended for end users. It can be used for non-maintaining
 targets that can be run from pure source (without git repository).

README.md

@@ -1,31 +0,0 @@
-# cdist
-
-**cdist** is a usable configuration management system.
-
-It adheres to the [**KISS principle**](https://en.wikipedia.org/wiki/KISS_principle)
-and is being used in small up to enterprise grade environments.
-
-For more information have a look at [**homepage**](https://cdi.st)
-or at **``docs/src``** for manual in **reStructuredText** format.
-
-## Contributing
-
-Merge/Pull requests can be made in both
-[upstream **GitLab**](https://code.ungleich.ch/ungleich-public/cdist/merge_requests)
-(managed by [**ungleich**](https://ungleich.ch))
-and [**GitHub** project](https://github.com/ungleich/cdist/pulls).
-
-Issues can be made and other project management activites happen
-[**only in GitLab**](https://code.ungleich.ch/ungleich-public/cdist)
-(needs [**ungleich** account](https://account.ungleich.ch)).
-
-For community-maintained types there is
-[**cdist-contrib** project](https://code.ungleich.ch/ungleich-public/cdist-contrib).
-
-## Participating
-
-IRC: ``#cdist`` @ [libera](https://libera.chat)
-
-Matrix: ``#cdist:ungleich.ch``
-
-Matrix and IRC are bridged.

bin/build-helper

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# 2011-2022 Nico Schottelius (nico-cdist at schottelius.org)
+# 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
 # 2016-2019 Darko Poljak (darko.poljak at gmail.com)
 #
 # This file is part of cdist.
@@ -45,7 +45,7 @@ usage() {
         shellcheck-manifests
         shellcheck-local-gencodes
         shellcheck-remote-gencodes
-        shellcheck-bin
+        shellcheck-scripts
         shellcheck-gencodes
         shellcheck-types
         shellcheck
@@ -100,7 +100,7 @@ case "$option" in
                     if (\$0 ~ /^$end/) {
                         exit
                     } else {
-                        print \$0
+                        print \$0 
                     }
                 }
             }" "$basedir/docs/changelog"
@@ -135,7 +135,7 @@ case "$option" in
 
         version=$1; shift
 
-        (
+        ( 
         cat << eof
 Subject: cdist $version has been released
 
@@ -336,7 +336,7 @@ eof
         make docs-clean
         make docs
 
-        #############################################################
+        ############################################################# 
         # Everything green, let's do the release
 
         # Tag the current commit
@@ -371,6 +371,7 @@ eof
 Manual steps post release:
     - cdist-web
     - send generated mailinglist.tmp mail
+    - twitter
 eof
     ;;
 
@@ -405,7 +406,7 @@ eof
     ;;
 
     pycodestyle|pep8)
-        pycodestyle "${basedir}" "${basedir}/bin/cdist"
+        pycodestyle "${basedir}" "${basedir}/scripts/cdist"
     ;;
 
     check-pycodestyle)
@@ -460,34 +461,27 @@ eof
         test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
     ;;
 
-    # NOTE: shellcheck-scripts is kept for compatibility
-    shellcheck-bin|shellcheck-scripts)
+    shellcheck-scripts)
         # shellcheck disable=SC2086
-        ${SHELLCHECKCMD} bin/cdist-dump bin/cdist-new-type > "${SHELLCHECKTMP}"
+        ${SHELLCHECKCMD} scripts/cdist-dump scripts/cdist-new-type > "${SHELLCHECKTMP}"
         test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
     ;;
 
     shellcheck-gencodes)
-        errors=false
-        "$0" shellcheck-local-gencodes || errors=true
-        "$0" shellcheck-remote-gencodes || errors=true
-        ! $errors || exit 1
+        "$0" shellcheck-local-gencodes || exit 1
+        "$0" shellcheck-remote-gencodes || exit 1
     ;;
 
     shellcheck-types)
-        errors=false
-        "$0" shellcheck-type-explorers || errors=true
-        "$0" shellcheck-manifests || errors=true
-        "$0" shellcheck-gencodes || errors=true
-        ! $errors || exit 1
+        "$0" shellcheck-type-explorers || exit 1
+        "$0" shellcheck-manifests || exit 1
+        "$0" shellcheck-gencodes || exit 1
     ;;
 
     shellcheck)
-        errors=false
-        "$0" shellcheck-global-explorers || errors=true
-        "$0" shellcheck-types || errors=true
-        "$0" shellcheck-bin || errors=true
-        ! $errors || exit 1
+        "$0" shellcheck-global-explorers || exit 1
+        "$0" shellcheck-types || exit 1
+        "$0" shellcheck-scripts || exit 1
     ;;
 
     shellcheck-type-files)
@@ -497,14 +491,12 @@ eof
     ;;
 
     shellcheck-with-files)
-        errors=false
-        "$0" shellcheck || errors=true
-        "$0" shellcheck-type-files || errors=true
-        ! $errors || exit 1
+        "$0" shellcheck || exit 1
+        "$0" shellcheck-type-files || exit 1
     ;;
 
     shellcheck-build-helper)
-        ${SHELLCHECKCMD} ./bin/cdist-build-helper
+        ${SHELLCHECKCMD} ./bin/build-helper
     ;;
 
     check-shellcheck)

bin/cdist

@@ -1,8 +1,7 @@
-#!/usr/bin/env python3
+#!/bin/sh
 # -*- coding: utf-8 -*-
 #
-# 2010-2016 Nico Schottelius (nico-cdist at schottelius.org)
-# 2016 Darko Poljak (darko.poljak at gmail.com)
+# 2012 Nico Schottelius (nico-cdist at schottelius.org)
 #
 # This file is part of cdist.
 #
@@ -21,83 +20,14 @@
 #
 #
 
-import logging
-import os
-import sys
+# Wrapper for real script to allow execution from checkout
+dir=${0%/*}
 
-# See if this file's parent is cdist module
-# and if so add it to module search path.
-cdist_dir = os.path.realpath(
-    os.path.join(
-        os.path.dirname(os.path.realpath(__file__)),
-        os.pardir))
-cdist_init_dir = os.path.join(cdist_dir, 'cdist', '__init__.py')
-if os.path.exists(cdist_init_dir):
-    sys.path.insert(0, cdist_dir)
+# Ensure version is present - the bundled/shipped version contains a static version,
+# the git version contains a dynamic version
+"$dir/build-helper" version
 
-import cdist            # noqa 402
-import cdist.argparse   # noqa 402
-import cdist.banner     # noqa 402
-import cdist.config     # noqa 402
-import cdist.install    # noqa 402
-import cdist.shell      # noqa 402
-import cdist.inventory  # noqa 402
+libdir=$(cd "${dir}/../" && pwd -P)
+export PYTHONPATH="${libdir}"
 
-
-def commandline():
-    """Parse command line"""
-
-    # preos subcommand hack
-    if len(sys.argv) > 1 and sys.argv[1] == 'preos':
-        return cdist.preos.PreOS.commandline(sys.argv[1:])
-    parser, cfg = cdist.argparse.parse_and_configure(sys.argv[1:])
-    args = cfg.get_args()
-
-    # Work around python 3.3 bug:
-    # http://bugs.python.org/issue16308
-    # http://bugs.python.org/issue9253
-
-    # FIXME: catching AttributeError also hides
-    # real problems.. try a different way
-
-    # FIXME: we always print main help, not
-    # the help of the actual parser being used!
-    try:
-        getattr(args, "func")
-    except AttributeError:
-        parser['main'].print_help()
-        sys.exit(0)
-
-    args.func(args)
-
-
-if __name__ == "__main__":
-    if sys.version_info[:3] < cdist.MIN_SUPPORTED_PYTHON_VERSION:
-        print(
-            'Python >= {} is required on the source host.'.format(
-                ".".join(map(str, cdist.MIN_SUPPORTED_PYTHON_VERSION))),
-            file=sys.stderr)
-        sys.exit(1)
-
-    exit_code = 0
-
-    try:
-        import re
-        import os
-
-        if re.match("__", os.path.basename(sys.argv[0])):
-            import cdist.emulator
-            emulator = cdist.emulator.Emulator(sys.argv)
-            emulator.run()
-        else:
-            commandline()
-
-    except KeyboardInterrupt:
-        exit_code = 2
-
-    except cdist.Error as e:
-        log = logging.getLogger("cdist")
-        log.error(e)
-        exit_code = 1
-
-    sys.exit(exit_code)
+"$dir/../scripts/cdist" "$@"

cdist/__init__.py

@@ -22,27 +22,11 @@
 
 import os
 import hashlib
-import subprocess
 
 import cdist.log
+import cdist.version
 
-
-VERSION = 'unknown version'
-
-try:
-    import cdist.version
-    VERSION = cdist.version.VERSION
-except ModuleNotFoundError:
-    cdist_dir = os.path.abspath(
-        os.path.join(os.path.dirname(__file__), os.pardir))
-    if os.path.isdir(os.path.join(cdist_dir, '.git')):
-        try:
-            VERSION = subprocess.check_output(
-                ['git', 'describe', '--always'],
-                cwd=cdist_dir,
-                universal_newlines=True)
-        except Exception:
-            pass
+VERSION = cdist.version.VERSION
 
 BANNER = """
              ..          .       .x+=:.        s
@@ -64,9 +48,6 @@ REMOTE_EXEC = "ssh -o User=root"
 REMOTE_CMDS_CLEANUP_PATTERN = "ssh -o User=root -O exit -S {}"
 
 
-MIN_SUPPORTED_PYTHON_VERSION = (3, 5)
-
-
 class Error(Exception):
     """Base exception class for this project"""
     pass

cdist/argparse.py

@@ -5,14 +5,12 @@ import logging
 import collections
 import functools
 import cdist.configuration
-import cdist.log
 import cdist.preos
 import cdist.info
-import cdist.scan.commandline
 
 
 # set of beta sub-commands
-BETA_COMMANDS = set(('install', 'inventory', 'scan', ))
+BETA_COMMANDS = set(('install', 'inventory', ))
 # set of beta arguments for sub-commands
 BETA_ARGS = {
     'config': set(('tag', 'all_tagged_hosts', 'use_archiving', )),
@@ -127,14 +125,6 @@ def get_parsers():
                   'value.'),
             action='count', default=None)
 
-    parser['colored_output'] = argparse.ArgumentParser(add_help=False)
-    parser['colored_output'].add_argument(
-            '--colors', metavar='WHEN',
-            help="Colorize cdist's output based on log level; "
-                 "WHEN is 'always', 'never', or 'auto'.",
-            action='store', dest='colored_output', required=False,
-            choices=cdist.configuration.ColoredOutputOption.CHOICES)
-
     parser['beta'] = argparse.ArgumentParser(add_help=False)
     parser['beta'].add_argument(
            '-b', '--beta',
@@ -207,13 +197,6 @@ def get_parsers():
                  'supported. Without argument CPU count is used by default. '),
            action='store', dest='jobs',
            const=multiprocessing.cpu_count())
-    parser['config_main'].add_argument(
-           '--log-server',
-           action='store_true',
-           help=('Start a log server for sub processes to use. '
-                 'This is mainly useful when running cdist nested '
-                 'from a code-local script. Log server is alwasy '
-                 'implicitly started for \'install\' command.'))
     parser['config_main'].add_argument(
            '-n', '--dry-run',
            help='Do not execute code.', action='store_true')
@@ -274,7 +257,8 @@ def get_parsers():
             '-f', '--file',
             help=('Read specified file for a list of additional hosts to '
                   'operate on or if \'-\' is given, read stdin (one host per '
-                  'line).'),
+                  'line). If no host or host file is specified then, by '
+                  'default, read hosts from stdin.'),
             dest='hostfile', required=False)
     parser['config_args'].add_argument(
            '-p', '--parallel', nargs='?', metavar='HOST_MAX',
@@ -299,7 +283,6 @@ def get_parsers():
             'host', nargs='*', help='Host(s) to operate on.')
     parser['config'] = parser['sub'].add_parser(
             'config', parents=[parser['loglevel'], parser['beta'],
-                               parser['colored_output'],
                                parser['common'],
                                parser['config_main'],
                                parser['inventory_common'],
@@ -318,7 +301,6 @@ def get_parsers():
 
     parser['add-host'] = parser['invsub'].add_parser(
             'add-host', parents=[parser['loglevel'], parser['beta'],
-                                 parser['colored_output'],
                                  parser['common'],
                                  parser['inventory_common']])
     parser['add-host'].add_argument(
@@ -326,12 +308,13 @@ def get_parsers():
     parser['add-host'].add_argument(
            '-f', '--file',
            help=('Read additional hosts to add from specified file '
-                 'or from stdin if \'-\' (each host on separate line). '),
+                 'or from stdin if \'-\' (each host on separate line). '
+                 'If no host or host file is specified then, by default, '
+                 'read from stdin.'),
            dest='hostfile', required=False)
 
     parser['add-tag'] = parser['invsub'].add_parser(
             'add-tag', parents=[parser['loglevel'], parser['beta'],
-                                parser['colored_output'],
                                 parser['common'],
                                 parser['inventory_common']])
     parser['add-tag'].add_argument(
@@ -340,12 +323,20 @@ def get_parsers():
     parser['add-tag'].add_argument(
            '-f', '--file',
            help=('Read additional hosts to add tags from specified file '
-                 'or from stdin if \'-\' (each host on separate line). '),
+                 'or from stdin if \'-\' (each host on separate line). '
+                 'If no host or host file is specified then, by default, '
+                 'read from stdin. If no tags/tagfile nor hosts/hostfile'
+                 ' are specified then tags are read from stdin and are'
+                 ' added to all hosts.'),
            dest='hostfile', required=False)
     parser['add-tag'].add_argument(
            '-T', '--tag-file',
            help=('Read additional tags to add from specified file '
-                 'or from stdin if \'-\' (each tag on separate line). '),
+                 'or from stdin if \'-\' (each tag on separate line). '
+                 'If no tag or tag file is specified then, by default, '
+                 'read from stdin. If no tags/tagfile nor hosts/hostfile'
+                 ' are specified then tags are read from stdin and are'
+                 ' added to all hosts.'),
            dest='tagfile', required=False)
     parser['add-tag'].add_argument(
            '-t', '--taglist',
@@ -355,7 +346,6 @@ def get_parsers():
 
     parser['del-host'] = parser['invsub'].add_parser(
             'del-host', parents=[parser['loglevel'], parser['beta'],
-                                 parser['colored_output'],
                                  parser['common'],
                                  parser['inventory_common']])
     parser['del-host'].add_argument(
@@ -366,12 +356,13 @@ def get_parsers():
     parser['del-host'].add_argument(
             '-f', '--file',
             help=('Read additional hosts to delete from specified file '
-                  'or from stdin if \'-\' (each host on separate line). '),
+                  'or from stdin if \'-\' (each host on separate line). '
+                  'If no host or host file is specified then, by default, '
+                  'read from stdin.'),
             dest='hostfile', required=False)
 
     parser['del-tag'] = parser['invsub'].add_parser(
             'del-tag', parents=[parser['loglevel'], parser['beta'],
-                                parser['colored_output'],
                                 parser['common'],
                                 parser['inventory_common']])
     parser['del-tag'].add_argument(
@@ -384,13 +375,20 @@ def get_parsers():
     parser['del-tag'].add_argument(
             '-f', '--file',
             help=('Read additional hosts to delete tags for from specified '
-                  'file or from stdin if \'-\' (each host on separate '
-                  'line). '),
+                  'file or from stdin if \'-\' (each host on separate line). '
+                  'If no host or host file is specified then, by default, '
+                  'read from stdin. If no tags/tagfile nor hosts/hostfile'
+                  ' are specified then tags are read from stdin and are'
+                  ' deleted from all hosts.'),
             dest='hostfile', required=False)
     parser['del-tag'].add_argument(
             '-T', '--tag-file',
             help=('Read additional tags from specified file '
-                  'or from stdin if \'-\' (each tag on separate line). '),
+                  'or from stdin if \'-\' (each tag on separate line). '
+                  'If no tag or tag file is specified then, by default, '
+                  'read from stdin. If no tags/tagfile nor'
+                  ' hosts/hostfile are specified then tags are read from'
+                  ' stdin and are added to all hosts.'),
             dest='tagfile', required=False)
     parser['del-tag'].add_argument(
             '-t', '--taglist',
@@ -400,7 +398,6 @@ def get_parsers():
 
     parser['list'] = parser['invsub'].add_parser(
             'list', parents=[parser['loglevel'], parser['beta'],
-                             parser['colored_output'],
                              parser['common'],
                              parser['inventory_common']])
     parser['list'].add_argument(
@@ -433,7 +430,7 @@ def get_parsers():
 
     # Shell
     parser['shell'] = parser['sub'].add_parser(
-            'shell', parents=[parser['loglevel'], parser['colored_output']])
+            'shell', parents=[parser['loglevel']])
     parser['shell'].add_argument(
             '-s', '--shell',
             help=('Select shell to use, defaults to current shell. Used shell'
@@ -471,44 +468,6 @@ def get_parsers():
             'pattern', nargs='?', help='Glob pattern.')
     parser['info'].set_defaults(func=cdist.info.Info.commandline)
 
-    # Scan = config + further
-    parser['scan'] = parser['sub'].add_parser(
-            'scan', parents=[parser['loglevel'],
-                             parser['beta'],
-                             parser['colored_output'],
-                             parser['common'],
-                             parser['config_main']])
-
-    parser['scan'].add_argument(
-        '-m', '--mode', help='Which modes should run',
-        action='append', default=[],
-        choices=['scan', 'trigger', 'config'])
-    parser['scan'].add_argument(
-        '--list',
-        action='store_true',
-        help='List the known hosts and exit')
-    parser['scan'].add_argument(
-        '--config',
-        action='store_true',
-        help='Try to configure detected hosts')
-    parser['scan'].add_argument(
-        '-I', '--interface',
-        action='append',  default=[], required=True,
-        help='On which interfaces to scan/trigger')
-    parser['scan'].add_argument(
-        '--name-mapper',
-        action='store',  default=None,
-        help='Map addresses to names, required for config mode')
-    parser['scan'].add_argument(
-        '-d', '--config-delay',
-        action='store',  default=3600, type=int,
-        help='How long (seconds) to wait before reconfiguring after last try')
-    parser['scan'].add_argument(
-        '-t', '--trigger-delay',
-        action='store',  default=5, type=int,
-        help='How long (seconds) to wait between ICMPv6 echo requests')
-    parser['scan'].set_defaults(func=cdist.scan.commandline.commandline)
-
     for p in parser:
         parser[p].epilog = EPILOG
 
@@ -519,12 +478,7 @@ def handle_loglevel(args):
     if hasattr(args, 'quiet') and args.quiet:
         args.verbose = _verbosity_level_off
 
-    logging.getLogger().setLevel(_verbosity_level[args.verbose])
-
-
-def handle_log_colors(args):
-    if cdist.configuration.ColoredOutputOption.translate(args.colored_output):
-        cdist.log.CdistFormatter.USE_COLORS = True
+    logging.root.setLevel(_verbosity_level[args.verbose])
 
 
 def parse_and_configure(argv, singleton=True):
@@ -538,14 +492,13 @@ def parse_and_configure(argv, singleton=True):
         raise cdist.Error(str(e))
     # Loglevels are handled globally in here
     handle_loglevel(args)
-    handle_log_colors(args)
 
     log = logging.getLogger("cdist")
 
-    log.verbose("version %s", cdist.VERSION)
-    log.trace('command line args: %s', cfg.command_line_args)
-    log.trace('configuration: %s', cfg.get_config())
-    log.trace('configured args: %s', args)
+    log.verbose("version %s" % cdist.VERSION)
+    log.trace('command line args: {}'.format(cfg.command_line_args))
+    log.trace('configuration: {}'.format(cfg.get_config()))
+    log.trace('configured args: {}'.format(args))
 
     check_beta(vars(args))
 

cdist/conf/explorer/cpu_cores

@@ -32,11 +32,6 @@ case "$os" in
         sysctl -n hw.ncpuonline
     ;;
 
-    "freebsd"|"netbsd")
-        PATH=$(getconf PATH)
-        sysctl -n hw.ncpu
-    ;;
-
     *)
         if [ -r /proc/cpuinfo ]; then
             cores="$(grep "core id" /proc/cpuinfo | sort | uniq | wc -l)"

cdist/conf/explorer/disks

@@ -1,66 +1,27 @@
-#!/bin/sh -e
-#
-# based on previous work by other people, modified by:
-# 2020 Dennis Camera <dennis.camera at ssrq-sds-fds.ch>
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-# Finds disks of the system (excl. ram disks, floppy, cdrom)
+#!/bin/sh
 
 uname_s="$(uname -s)"
 
-case $uname_s in
+case "${uname_s}" in
     FreeBSD)
         sysctl -n kern.disks
     ;;
-    OpenBSD)
-        sysctl -n hw.disknames | grep -Eo '[lsw]d[0-9]+'
-    ;;
-    NetBSD)
-        PATH=$(getconf PATH)
-        sysctl -n hw.disknames | awk -v RS=' ' '/^[lsw]d[0-9]+/'
+    OpenBSD|NetBSD)
+        sysctl -n hw.disknames | grep -Eo '[lsw]d[0-9]+' | xargs
     ;;
     Linux)
-        # list of major device numbers toexclude:
-        #  ram disks, floppies, cdroms
-        # https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
-        ign_majors='1 2 11'
-
-        if command -v lsblk >/dev/null 2>&1
+        if command -v lsblk > /dev/null
         then
-            lsblk -e "$(echo "$ign_majors" | tr ' ' ',')" -dno name
-        elif test -d /sys/block/
-        then
-            # shellcheck disable=SC2012
-            ls -1 /sys/block/ \
-            | awk -v ign_majors="$(echo "$ign_majors" | tr ' ' '|')" '
-                {
-                  devfile = "/sys/block/" $0 "/dev"
-                  getline devno < devfile
-                  close(devfile)
-                  if (devno !~ "^(" ign_majors "):") print
-                }'
+            # exclude ram disks, floppies and cdroms
+            # https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
+            lsblk -e 1,2,11 -dno name | xargs
         else
-            echo "Don't know how to list disks on Linux without lsblk and sysfs." >&2
-            echo 'If you can, please submit a patch.'>&2
+            printf "Don't know how to list disks for %s operating system without lsblk, if you can please submit a patch\n" "${uname_s}" >&2
         fi
     ;;
     *)
-        printf "Don't know how to list disks for %s operating system.\n" "${uname_s}" >&2
-        printf 'If you can please submit a patch\n' >&2
+        printf "Don't know how to list disks for %s operating system, if you can please submit a patch\n" "${uname_s}" >&2
     ;;
-esac \
-| xargs
+esac
+
+exit 0

cdist/conf/explorer/init

@@ -221,7 +221,6 @@ check_systemstarter() {
 
 check_sysvinit() (
 	init_path=${1:-/sbin/init}
-	test -x "${init_path}" || return 1
 	grep -q 'INIT_VERSION=sysvinit-[0-9.]*' "${init_path}" || return 1
 
 	# It is quite common to use SysVinit to stack other init systemd

cdist/conf/explorer/lsb_codename

@@ -21,9 +21,6 @@
 
 set +e
 case "$("$__explorer/os")" in
-   checkpoint)
-       awk '{printf("%s\n", $(NF-1))}' /etc/cp-release
-   ;;
    openwrt)
       # shellcheck disable=SC1091
       (. /etc/openwrt_release && echo "$DISTRIB_CODENAME")

cdist/conf/explorer/lsb_description

@@ -21,9 +21,6 @@
 
 set +e
 case "$("$__explorer/os")" in
-   checkpoint)
-       cat /etc/cp-release
-   ;;
    openwrt)
       # shellcheck disable=SC1091
       (. /etc/openwrt_release && echo "$DISTRIB_DESCRIPTION")

cdist/conf/explorer/lsb_id

@@ -21,9 +21,6 @@
 
 set +e
 case "$("$__explorer/os")" in
-   checkpoint)
-       echo "CheckPoint"
-   ;;
    openwrt)
       # shellcheck disable=SC1091
       (. /etc/openwrt_release && echo "$DISTRIB_ID")

cdist/conf/explorer/lsb_release

@@ -21,9 +21,6 @@
 
 set +e
 case "$("$__explorer/os")" in
-   checkpoint)
-       sed /etc/cp-release -e 's/.* R\([1-9][0-9]*\)\.[0-9]*$/\1/'
-   ;;
    openwrt)
       # shellcheck disable=SC1091
       (. /etc/openwrt_release && echo "$DISTRIB_RELEASE")

cdist/conf/explorer/memory

@@ -1,9 +1,8 @@
-#!/bin/sh -e
+#!/bin/sh
 #
 # 2014 Daniel Heule  (hda at sfs.biz)
 # 2014 Thomas Oettli (otho at sfs.biz)
 # Copyright 2017, Philippe Gregoire <pg@pgregoire.xyz>
-# 2020 Dennis Camera <dennis.camera at ssrq-sds-fds.ch>
 #
 # This file is part of cdist.
 #
@@ -20,73 +19,23 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
-# Returns the amount of memory physically installed in the system, or if that
-# cannot be determined the amount available to the operating system kernel,
-# in kibibytes (kiB).
+#
 
-str2bytes() {
-	awk -F' ' '
-	$2 ==   "B" || !$2 { print $1 }
-	$2 ==  "kB" { printf "%.f\n", ($1 * 1000) }
-	$2 ==  "MB" { printf "%.f\n", ($1 * 1000 * 1000) }
-	$2 ==  "GB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000) }
-	$2 ==  "TB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000 * 1000) }
-	$2 == "kiB" { printf "%.f\n", ($1 * 1024) }
-	$2 == "MiB" { printf "%.f\n", ($1 * 1024 * 1024) }
-	$2 == "GiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024) }
-	$2 == "TiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024 * 1024) }'
-}
+# FIXME: other system types (not linux ...)
 
-bytes2kib() {
-	awk '$0 > 0 { printf "%.f\n", ($0 / 1024) }'
-}
+os=$("$__explorer/os")
+case "$os" in
+    "macosx")
+        echo "$(sysctl -n hw.memsize)/1024" | bc
+    ;;
 
+    "openbsd")
+        echo "$(sysctl -n hw.physmem) / 1048576" | bc
+    ;;
 
-case $(uname -s)
-in
-	(Darwin)
-		sysctl -n hw.memsize | bytes2kib
-		;;
-	(FreeBSD)
-		sysctl -n hw.realmem | bytes2kib
-		;;
-	(NetBSD|OpenBSD)
-		# NOTE: This reports "usable" memory, not physically installed memory.
-		command -p sysctl -n hw.physmem | bytes2kib
-		;;
-	(SunOS)
-		# Make sure that awk from xpg4 is used for the scripts to work
-		export PATH="/usr/xpg4/bin:${PATH}"
-		prtconf \
-		| awk -F ': ' '
-		  $1 == "Memory size" { sub(/Megabytes/, "MiB", $2); print $2 }
-		  /^$/ { exit }' \
-		| str2bytes \
-		| bytes2kib
-		;;
-	(Linux)
-		if test -d /sys/devices/system/memory
-		then
-			# Use memory blocks if the architecture (e.g. x86, PPC64, s390)
-			# supports them (they denote physical memory)
-			num_mem_blocks=$(cat /sys/devices/system/memory/memory[0-9]*/state | grep -cxF online)
-			mem_block_size=$(cat /sys/devices/system/memory/block_size_bytes)
-
-			echo $((num_mem_blocks * 0x$mem_block_size)) | bytes2kib && exit
-		fi
-		if test -r /proc/meminfo
-		then
-			# Fall back to meminfo file on other architectures (e.g. ARM, MIPS,
-			# PowerPC)
-			# NOTE: This is "usable" memory, not physically installed memory.
-			awk -F ': +' '$1 == "MemTotal" { sub(/B$/, "iB", $2); print $2 }' /proc/meminfo \
-			| str2bytes \
-			| bytes2kib
-		fi
-		;;
-	(*)
-		printf "Your kernel (%s) is currently not supported by the memory explorer\n" "$(uname -s)" >&2
-		printf "Please contribute an implementation for it if you can.\n" >&2
-		exit 1
-		;;
+    *)
+    if [ -r /proc/meminfo ]; then
+        grep "MemTotal:" /proc/meminfo | awk '{print $2}'
+    fi
+    ;;
 esac

cdist/conf/explorer/os

@@ -116,13 +116,6 @@ if [ -f /etc/slackware-version ]; then
    exit 0
 fi
 
-# Appliances
-
-if grep -q '^Check Point Gaia' /etc/cp-release 2>/dev/null; then
-    echo checkpoint
-    exit 0
-fi
-
 uname_s="$(uname -s)"
 
 # Assume there is no tr on the client -> do lower case ourselves
@@ -150,13 +143,6 @@ case "$uname_s" in
 esac
 
 if [ -f /etc/os-release ]; then
-   # after sles15, suse don't provide an /etc/SuSE-release anymore, but there is almost no difference between sles and opensuse leap, so call it suse
-   # shellcheck disable=SC1091
-   if (. /etc/os-release && echo "${ID_LIKE}" | grep -q '\(^\|\ \)suse\($\|\ \)')
-   then
-      echo suse
-      exit 0
-   fi
    # already lowercase, according to:
    # https://www.freedesktop.org/software/systemd/man/os-release.html
    awk -F= '/^ID=/ { if ($2 ~ /^'"'"'(.*)'"'"'$/ || $2 ~ /^"(.*)"$/) { print substr($2, 2, length($2) - 2) } else { print $2 } }' /etc/os-release

cdist/conf/explorer/os_release

@@ -34,9 +34,5 @@ elif test -f /var/run/os-release
 then
 	# FreeBSD (created by os-release service)
 	cat /var/run/os-release
-elif test -f /etc/cp-release
-then
-        # Checkpoint firewall or management (actually linux based)
-        cat /etc/cp-release
 fi
 

cdist/conf/explorer/os_version

@@ -1,7 +1,6 @@
-#!/bin/sh -e
+#!/bin/sh
 #
 # 2010-2011 Nico Schottelius (nico-cdist at schottelius.org)
-# 2020-2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@@ -18,22 +17,12 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
+#
 # All os variables are lower case
 #
+#
 
-rc_getvar() {
-   awk -F= -v varname="$2" '
-      function unquote(s) {
-         if (s ~ /^".*"$/ || s ~ /^'\''.*'\''$/)
-            return substr(s, 2, length(s) - 2)
-         else
-            return s
-      }
-      $1 == varname { print unquote(substr($0, index($0, "=") + 1)) }' "$1"
-}
-
-case $("${__explorer:?}/os")
-in
+case "$("$__explorer/os")" in
    amazon)
       cat /etc/system-release
    ;;
@@ -41,58 +30,11 @@ in
       # empty, but well...
       cat /etc/arch-release
    ;;
-   checkpoint)
-       awk '{version=$NF; printf("%s\n", substr(version, 2))}' /etc/cp-release
-    ;;
    debian)
-      debian_version=$(cat /etc/debian_version)
-      case $debian_version
-      in
-          testing/unstable)
-              # previous to Debian 4.0 testing/unstable was used
-              # cf. https://metadata.ftp-master.debian.org/changelogs/main/b/base-files/base-files_11_changelog
-              echo 3.99
-              ;;
-          */sid)
-              # sid versions don't have a number, so we decode by codename:
-              case $(expr "$debian_version" : '\([a-z]\{1,\}\)/')
-              in
-                  trixie) echo 12.99 ;;
-                  bookworm) echo 11.99 ;;
-                  bullseye) echo 10.99 ;;
-                  buster) echo 9.99 ;;
-                  stretch) echo 8.99 ;;
-                  jessie) echo 7.99 ;;
-                  wheezy) echo 6.99 ;;
-                  squeeze) echo 5.99 ;;
-                  lenny) echo 4.99 ;;
-                  *) echo 99.99 ;;
-              esac
-              ;;
-          *)
-              echo "$debian_version"
-              ;;
-      esac
+      cat /etc/debian_version
    ;;
    devuan)
-      devuan_version=$(cat /etc/devuan_version)
-      case ${devuan_version}
-      in
-         (*/ceres)
-            # ceres versions don't have a number, so we decode by codename:
-            case ${devuan_version}
-            in
-               (daedalus/ceres) echo 4.99 ;;
-               (chimaera/ceres) echo 3.99 ;;
-               (beowulf/ceres) echo 2.99 ;;
-               (ascii/ceres) echo 1.99 ;;
-               (*) exit 1
-            esac
-            ;;
-         (*)
-            echo "${devuan_version}"
-            ;;
-      esac
+      cat /etc/devuan_version
    ;;
    fedora)
       cat /etc/fedora-release
@@ -101,20 +43,7 @@ in
       cat /etc/gentoo-release
    ;;
    macosx)
-      # NOTE: Legacy versions (< 10.3) do not support options
-      sw_vers | awk -F ':[ \t]+' '$1 == "ProductVersion" { print $2 }'
-   ;;
-   freebsd)
-      # Apparently uname -r is not a reliable way to get the patch level.
-      # See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
-      if command -v freebsd-version >/dev/null 2>&1
-      then
-         # get userland version
-         freebsd-version -u
-      else
-         # fallback to kernel release for FreeBSD < 10.0
-         uname -r
-      fi
+      sw_vers -productVersion
    ;;
    *bsd|solaris)
       uname -r
@@ -139,22 +68,9 @@ in
       fi
    ;;
    ubuntu)
-      if command -v lsb_release >/dev/null 2>&1
-      then
-         lsb_release -sr
-      elif test -r /usr/lib/os-release
-      then
-         # fallback to /usr/lib/os-release if lsb_release is not present (like
-         # on minimized Ubuntu installations)
-         rc_getvar /usr/lib/os-release VERSION_ID
-      elif test -r /etc/lsb-release
-      then
-         # extract DISTRIB_RELEASE= variable from /etc/lsb-release on old
-         # versions without /usr/lib/os-release.
-         rc_getvar /etc/lsb-release DISTRIB_RELEASE
-      fi
+      lsb_release -sr
    ;;
    alpine)
        cat /etc/alpine-release
    ;;
-esac
+esac

cdist/conf/type/__acl/explorer/checks

@@ -1,7 +1,6 @@
 #!/bin/sh -e
-# -*- mode: sh; indent-tabs-mode: t -*-
 #
-# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+# 2019 Ander Punnar (ander-at-kvlt-dot-ee)
 #
 # This file is part of cdist.
 #
@@ -18,24 +17,23 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
-# Prints "present" if the extension is currently installed.
-# "absent" otherwise.
 
-quote() { printf '%s\n' "$*" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/"; }
+# TODO check if filesystem has ACL turned on etc
 
-postgres_user=$("${__type_explorer:?}/postgres_user")
-
-IFS=: read -r dbname extname <<EOF
-${__object_id:?}
-EOF
-
-psql_exec() {
-	su - "${postgres_user}" -c "psql $(quote "$1") -twAc $(quote "$2")"
-}
-
-if psql_exec "${dbname}" 'SELECT extname FROM pg_extension' | grep -qFx "${extname}"
+if [ -f "$__object/parameter/acl" ]
 then
-	echo present
-else
-	echo absent
+    grep -E '^(default:)?(user|group):' "$__object/parameter/acl" \
+    | while read -r acl
+    do
+        param="$( echo "$acl" | awk -F: '{print $(NF-2)}' )"
+        check="$( echo "$acl" | awk -F: '{print $(NF-1)}' )"
+
+        [ "$param" = 'user' ] && db=passwd || db="$param"
+
+        if ! getent "$db" "$check" > /dev/null
+        then
+            echo "missing $param '$check'" >&2
+            exit 1
+        fi
+    done
 fi

cdist/conf/type/__acl/explorer/getent

@@ -1,4 +0,0 @@
-#!/bin/sh -e
-
-getent passwd | awk -F: '{print "user:"$1}'
-getent group | awk -F: '{print "group:"$1}'

cdist/conf/type/__acl/gencode-remote

@@ -22,8 +22,8 @@ file_is="$( cat "$__object/explorer/file_is" )"
 
 if [ "$file_is" = 'missing' ] \
     && [ -z "$__cdist_dry_run" ] \
-    && [ ! -f "$__object/parameter/file" ] \
-    && [ ! -f "$__object/parameter/directory" ]
+    && \( [ ! -f "$__object/parameter/file" ] \
+        || [ ! -f "$__object/parameter/directory" ] \)
 then
     exit 0
 fi
@@ -47,26 +47,28 @@ then
 elif [ -f "$__object/parameter/entry" ]
 then
     acl_should="$( cat "$__object/parameter/entry" )"
+elif [ -f "$__object/parameter/acl" ]
+then
+    acl_should="$( cat "$__object/parameter/acl" )"
+elif
+    [ -f "$__object/parameter/user" ] \
+        || [ -f "$__object/parameter/group" ] \
+        || [ -f "$__object/parameter/mask" ] \
+        || [ -f "$__object/parameter/other" ]
+then
+    acl_should="$( for param in user group mask other
+    do
+        [ ! -f "$__object/parameter/$param" ] && continue
+
+        echo "$param" | grep -Eq 'mask|other' && sep=:: || sep=:
+
+        echo "$param$sep$( cat "$__object/parameter/$param" )"
+    done )"
 else
     echo 'no parameters set' >&2
     exit 1
 fi
 
-# instead of setfacl's non-helpful message "Option -m: Invalid argument near character X"
-# let's check if target has necessary users and groups, since mistyped or missing
-# users/groups in target is most common reason.
-echo "$acl_should" \
-    | grep -Po '(user|group):[^:]+' \
-    | sort -u \
-    | while read -r l
-    do
-        if ! grep "$l" -Fxq "$__object/explorer/getent"
-        then
-            echo "no $l' in target" | sed "s/:/ '/" >&2
-            exit 1
-        fi
-    done
-
 if [ -f "$__object/parameter/default" ]
 then
     acl_should="$( echo "$acl_should" \

cdist/conf/type/__acl/man.rst

@@ -12,14 +12,11 @@ Fully supported and tested on Linux (ext4 filesystem), partial support for FreeB
 
 See ``setfacl`` and ``acl`` manpages for more details.
 
-One of ``--entry`` or ``--source`` must be used.
 
-
-OPTIONAL MULTIPLE PARAMETERS
+REQUIRED MULTIPLE PARAMETERS
 ----------------------------
 entry
    Set ACL entry following ``getfacl`` output syntax.
-   Must be used if ``--source`` is not used.
 
 
 OPTIONAL PARAMETERS
@@ -28,7 +25,6 @@ source
    Read ACL entries from stdin or file.
    Ordering of entries is not important.
    When reading from file, comments and empty lines are ignored.
-   Must be used if ``--entry`` is not used.
 
 file
    Create/change file with ``__file`` using ``user:group:mode`` pattern.
@@ -52,6 +48,12 @@ remove
    ``mask`` and ``other`` entries can't be removed, but only changed.
 
 
+DEPRECATED PARAMETERS
+---------------------
+Parameters ``acl``, ``user``, ``group``, ``mask`` and ``other`` are deprecated and they
+will be removed in future versions. Please use ``entry`` parameter instead.
+
+
 EXAMPLES
 --------
 

cdist/conf/type/__acl/parameter/deprecated/acl

@@ -0,0 +1 @@
+see manual for details

cdist/conf/type/__acl/parameter/deprecated/group

@@ -0,0 +1 @@
+see manual for details

cdist/conf/type/__acl/parameter/deprecated/mask

@@ -0,0 +1 @@
+see manual for details

cdist/conf/type/__acl/parameter/deprecated/other

@@ -0,0 +1 @@
+see manual for details

cdist/conf/type/__acl/parameter/deprecated/user

@@ -0,0 +1 @@
+see manual for details

cdist/conf/type/__acl/parameter/optional

@@ -1,3 +1,5 @@
+mask
+other
 source
 file
 directory

cdist/conf/type/__acl/parameter/optional_multiple

@@ -1 +1,4 @@
 entry
+acl
+user
+group

cdist/conf/type/__apt_backports/man.rst

@@ -1,104 +0,0 @@
-cdist-type__debian_backports(7)
-===============================
-
-NAME
-----
-cdist-type__apt_backports - Install backports
-
-
-DESCRIPTION
------------
-This singleton type installs backports for the current OS release.
-It aborts if backports are not supported for the specified OS or
-no version codename could be fetched (like Debian unstable).
-
-The package index will be automatically updated if required.
-
-It supports backports from following OSes:
-
-- Debian
-- Devuan
-- Ubuntu
-
-
-REQUIRED PARAMETERS
--------------------
-None.
-
-
-OPTIONAL PARAMETERS
--------------------
-state
-    Represents the state of the backports repository. ``present`` or
-    ``absent``, defaults to ``present``.
-
-    Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
-
-mirror
-    The mirror to fetch the backports from. Will defaults to the generic
-    mirror of the current OS.
-
-    Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
-
-
-BOOLEAN PARAMETERS
-------------------
-None.
-
-
-MESSAGES
---------
-None.
-
-
-EXAMPLES
---------
-
-.. code-block:: sh
-
-   # setup the backports
-   __apt_backports
-   __apt_backports --state absent
-   __apt_backports --state present --mirror "http://ftp.de.debian.org/debian/"
-
-   # install a backports package
-   # currently for the buster release backports
-   require="__apt_backports" __package_apt wireguard \
-        --target-release buster-backports
-
-
-ABORTS
-------
-Aborts if the detected os is not Debian.
-
-Aborts if no distribuition codename could be detected. This is common for the
-unstable distribution, but there is no backports repository for it already.
-
-
-CAVEATS
--------
-For Ubuntu, it setup all componenents for the backports repository: ``main``,
-``restricted``, ``universe`` and ``multiverse``. The user may not want to
-install proprietary packages, which will only be installed if the user
-explicitly uses the backports target-release. The user may change this behavior
-to install backports packages without the need of explicitly select it.
-
-
-SEE ALSO
---------
-`Official Debian Backports site <https://backports.debian.org/>`_
-
-:strong:`cdist-type__apt_source`\ (7)
-
-
-AUTHORS
--------
-Matthias Stecher <matthiasstecher at gmx.de>
-
-
-COPYING
--------
-Copyright \(C) 2020 Matthias Stecher. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.

cdist/conf/type/__apt_backports/manifest

@@ -1,82 +0,0 @@
-#!/bin/sh -e
-# __apt_backports/manifest
-#
-# 2020 Matthias Stecher (matthiasstecher at gmx.de)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-#
-# Enables/disables backports repository. Utilises __apt_source for it.
-#
-
-
-# Get the distribution codename by /etc/os-release.
-#  is already executed in a subshell by string substitution
-#  lsb_release may not be given in all installations
-codename_os_release() {
-    # shellcheck disable=SC1090
-    # shellcheck disable=SC1091
-    . "$__global/explorer/os_release"
-    printf "%s" "$VERSION_CODENAME"
-}
-
-# detect backport distribution
-os="$(cat "$__global/explorer/os")"
-case "$os" in
-    debian)
-        dist="$( codename_os_release )"
-        components="main"
-        mirror="http://deb.debian.org/debian/"
-        ;;
-    devuan)
-        dist="$( codename_os_release )"
-        components="main"
-        mirror="http://deb.devuan.org/merged"
-        ;;
-    ubuntu)
-        dist="$( codename_os_release )"
-        components="main restricted universe multiverse"
-        mirror="http://archive.ubuntu.com/ubuntu"
-        ;;
-
-    *)
-        printf "Backports for %s are not supported!\n" "$os" >&2
-        exit 1
-        ;;
-esac
-
-# error if no codename given (e.g. on Debian unstable)
-if [ -z "$dist" ]; then
-    printf "No backports for unkown version of distribution %s!\n" "$os" >&2
-    exit 1
-fi
-
-
-# parameters
-state="$(cat "$__object/parameter/state")"
-
-# mirror already set for the os, only override user-values
-if [ -f "$__object/parameter/mirror" ]; then
-    mirror="$(cat "$__object/parameter/mirror")"
-fi
-
-
-# install the given backports repository
-__apt_source "${dist}-backports" \
-    --state "$state" \
-    --distribution "${dist}-backports" \
-    --component "$components" \
-    --uri "$mirror"

cdist/conf/type/__apt_backports/parameter/default/state

@@ -1 +0,0 @@
-present

cdist/conf/type/__apt_backports/parameter/optional

@@ -1,2 +0,0 @@
-state
-mirror

cdist/conf/type/__apt_key/explorer/state

@@ -27,25 +27,18 @@ else
    keyid="$__object_id"
 fi
 
-# From apt-key(8):
-#   Use of apt-key is deprecated, except for the use of apt-key del in
-#   maintainer scripts to remove existing keys from the main keyring.
-#   If such usage of apt-key is desired the additional installation of
-#   the GNU Privacy Guard suite (packaged in gnupg) is required.
-if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
-   if apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK"
-      then echo present
-      else echo absent
-   fi
-   exit
-fi
-
 keydir="$(cat "$__object/parameter/keydir")"
 keyfile="$keydir/$__object_id.gpg"
 
-if [ -f "$keyfile" ]
+if [ -d "$keydir" ]
 then
-   echo present
-   exit
+   if [ -f "$keyfile" ]
+   then echo present
+   else echo absent
+   fi
+else
+   # fallback to deprecated apt-key
+   apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
+      && echo present \
+      || echo absent
 fi
-echo absent

cdist/conf/type/__apt_key/gencode-remote

@@ -25,7 +25,11 @@ else
 fi
 state_should="$(cat "$__object/parameter/state")"
 state_is="$(cat "$__object/explorer/state")"
-method="$(cat "$__object/key_method")"
+
+if [ "$state_should" = "$state_is" ]; then
+   # nothing to do
+   exit 0
+fi
 
 keydir="$(cat "$__object/parameter/keydir")"
 keyfile="$keydir/$__object_id.gpg"
@@ -33,18 +37,30 @@ keyfile="$keydir/$__object_id.gpg"
 case "$state_should" in
    present)
       keyserver="$(cat "$__object/parameter/keyserver")"
-      # Using __download or __file as key source
-      # Propagate messages if needed
-      if [ "${method}" = "uri" ] || [ "${method}" = "source" ]; then
-         if grep -Eq "^__(file|download)$keyfile" "$__messages_in"; then
-            echo "added '$keyid'" >> "$__messages_out"
+
+      if [ -f "$__object/parameter/uri" ]; then
+         uri="$(cat "$__object/parameter/uri")"
+
+         if [ -d "$keydir" ]; then
+            cat << EOF
+
+curl -s -L \\
+    -o "$keyfile" \\
+    "$uri"
+
+key="\$( cat "$keyfile" )"
+
+if echo "\$key" | grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK'
+then
+    echo "\$key" | gpg --dearmor > "$keyfile"
+fi
+
+EOF
+         else
+            # fallback to deprecated apt-key
+            echo "curl -s -L '$uri' | apt-key add -"
          fi
-         exit 0
-      elif [ "${state_is}" = "present" ]; then
-         exit 0
-      fi
-      # Using key servers to fetch the key
-      if [ ! -f "$__object/parameter/use-deprecated-apt-key" ]; then
+      elif [ -d "$keydir" ]; then
          # we need to kill gpg after 30 seconds, because gpg
          # can get stuck if keyserver is not responding.
          # exporting env var and not exit 1,
@@ -84,16 +100,13 @@ EOF
       echo "added '$keyid'" >> "$__messages_out"
    ;;
    absent)
-      # Removal for keys added from a keyserver without this flag
-      # is done in the manifest
-      if [ "$state_is" != "absent" ] && \
-            [ -f "$__object/parameter/use-deprecated-apt-key" ]; then
+      if [ -f "$keyfile" ]; then
+         echo "rm '$keyfile'"
+      else
          # fallback to deprecated apt-key
          echo "apt-key del \"$keyid\""
-         echo "removed '$keyid'" >> "$__messages_out"
-      # Propagate messages if needed
-      elif grep -Eq "^__file$keyfile" "$__messages_in"; then
-         echo "removed '$keyid'" >> "$__messages_out"
       fi
+
+      echo "removed '$keyid'" >> "$__messages_out"
    ;;
 esac

cdist/conf/type/__apt_key/man.rst

@@ -10,14 +10,6 @@ DESCRIPTION
 -----------
 Manages the list of keys used by apt to authenticate packages.
 
-This is done by placing the requested key in a file named
-``$__object_id.gpg`` in the ``keydir`` directory.
-
-This is supported by modern releases of Debian-based distributions.
-
-In order of preference, exactly one of: ``source``, ``uri`` or ``keyid``
-must be specified.
-
 
 REQUIRED PARAMETERS
 -------------------
@@ -26,49 +18,21 @@ None.
 
 OPTIONAL PARAMETERS
 -------------------
-keydir
-   keyring directory, defaults to ``/etc/apt/trusted.pgp.d``, which is
-   enabled system-wide by default.
-
-source
-   path to a file containing the GPG key of the repository.
-   Using this is recommended as it ensures that the manifest/type manintainer
-   has validated the key.
-   If ``-``, the GPG key is read from the type's stdin.
-
 state
    'present' or 'absent'. Defaults to 'present'
 
-uri
-   the URI from which to download the key.
-   It is highly recommended that you only use protocols with TLS like HTTPS.
-   This uses ``__download`` but does not use checksums, if you want to ensure
-   that the key doesn't change, you are better off downloading it and using
-   ``--source``.
-
-
-DEPRECATED OPTIONAL PARAMETERS
-------------------------------
 keyid
-   the id of the key to download from the ``keyserver``.
-   This is to be used in absence of ``--source`` and ``--uri`` or together
-   with ``--use-deprecated-apt-key`` for key removal.
-   Defaults to ``$__object_id``.
+   the id of the key to add. Defaults to __object_id
 
 keyserver
-   the keyserver from which to fetch the key.
-   Defaults to ``pool.sks-keyservers.net``.
+   the keyserver from which to fetch the key. If omitted the default set
+   in ./parameter/default/keyserver is used.
 
+keydir
+   key save location, defaults to ``/etc/apt/trusted.pgp.d``
 
-DEPRECATED BOOLEAN PARAMETERS
------------------------------
-use-deprecated-apt-key
-   ``apt-key(8)`` will last be available in Debian 11 and Ubuntu 22.04.
-   You can use this parameter to force usage of ``apt-key(8)``.
-   Please only use this parameter to *remove* keys from the keyring,
-   in order to prepare for removal of ``apt-key``.
-   Adding keys should be done without this parameter.
-   This parameter will be removed when Debian 11 stops being supported.
+uri
+   the URI from which to download the key
 
 
 EXAMPLES
@@ -76,39 +40,33 @@ EXAMPLES
 
 .. code-block:: sh
 
-    # add a key that has been verified by a type maintainer
-    __apt_key jitsi_meet_2021 \
-       --source cdist-contrib/type/__jitsi_meet/files/apt_2021.gpg
+    # Add Ubuntu Archive Automatic Signing Key
+    __apt_key 437D05B5
+    # Same thing
+    __apt_key 437D05B5 --state present
+    # Get rid of it
+    __apt_key 437D05B5 --state absent
 
-    # remove an old, deprecated or expired key
-    __apt_key jitsi_meet_2016 --state absent
+    # same thing with human readable name and explicit keyid
+    __apt_key UbuntuArchiveKey --keyid 437D05B5
 
-    # Get rid of a key that might have been added to
-    # /etc/apt/trusted.gpg with apt-key
-    __apt_key 0x40976EAF437D05B5 --use-deprecated-apt-key --state absent
+    # same thing with other keyserver
+    __apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
 
-    # add a key that we define in-line
-    __apt_key jitsi_meet_2021 --source '-' <<EOF
-    -----BEGIN PGP PUBLIC KEY BLOCK-----
-    [...]
-    -----END PGP PUBLIC KEY BLOCK-----
-    EOF
-
-    # download or update key from the internet
-    __apt_key rabbitmq_2007 \
-       --uri https://www.rabbitmq.com/rabbitmq-signing-key-public.asc
+    # download key from the internet
+    __apt_key rabbitmq \
+       --uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
 
 
 AUTHORS
 -------
 Steven Armstrong <steven-cdist--@--armstrong.cc>
 Ander Punnar <ander-at-kvlt-dot-ee>
-Evilham <contact~~@~~evilham.com>
 
 
 COPYING
 -------
-Copyright \(C) 2011-2021 Steven Armstrong, Ander Punnar and Evilham. You can
+Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
 redistribute it and/or modify it under the terms of the GNU General Public
 License as published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.

cdist/conf/type/__apt_key/manifest

@@ -2,105 +2,7 @@
 
 __package gnupg
 
-state_should="$(cat "${__object}/parameter/state")"
-
-incompatible_args()
-{
-	cat >> /dev/stderr <<-EOF
-	This type does not support --${1} and --${method} simultaneously.
-	EOF
-	exit 1
-}
-
-if [ -f "${__object}/parameter/source" ]; then
-	method="source"
-	src="$(cat "${__object}/parameter/source")"
-	if [ "${src}" = "-" ]; then
-		src="${__object}/stdin"
-	fi
-fi
-if [ -f "${__object}/parameter/uri" ]; then
-	if [ -n "${method}" ]; then
-		incompatible_args uri
-	fi
-	method="uri"
-	src="$(cat "${__object}/parameter/uri")"
-fi
-if [ -f "${__object}/parameter/keyid" ]; then
-	if [ -n "${method}" ]; then
-		incompatible_args keyid
-	fi
-	method="keyid"
-fi
-# Keep old default
-if [ -z "${method}" ]; then
-	method="keyid"
-fi
-# Save this for later in gencode-remote
-echo "${method}" > "${__object}/key_method"
-
-# Required remotely (most likely already installed)
-__package dirmngr
-# We need this in case a key has to be dearmor'd
-__package gnupg
-export require="__package/gnupg"
-
-if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
-	# This is required if apt-key(8) is to be used
-	if [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
-		incompatible_args use-deprecated-apt-key
-	fi
-else
-	if [ "${state_should}" = "absent" ] && \
-			[ -f "${__object}/parameter/keyid" ]; then
-		cat >> /dev/stderr <<EOF
-You can't reliably remove by keyid without --use-deprecated-apt-key.
-This would very likely do something you do not intend.
-EOF
-		exit 1
-	fi
-fi
-
-keydir="$(cat "${__object}/parameter/keydir")"
-keyfile="${keydir}/${__object_id}.gpg"
-keyfilecdist="${keyfile}.cdist"
-if [ "${state_should}" != "absent" ]; then
-	# Ensure keydir exists
-	__directory "${keydir}" --state exists --mode 0755
-fi
-
-if [ "${state_should}" = "absent" ]; then
-	__file "${keyfile}" --state "absent"
-	__file "${keyfilecdist}" --state "absent"
-elif [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
-	dearmor="$(cat <<-EOF
-	if [ '${state_should}' = 'present' ]; then
-		# Dearmor if necessary
-		if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' '${keyfilecdist}'; then
-			gpg --dearmor < '${keyfilecdist}' > '${keyfile}'
-		else
-			cp '${keyfilecdist}' '${keyfile}'
-		fi
-		# Ensure permissions
-		chown root '${keyfile}'
-		chmod 0444 '${keyfile}'
-	fi
-	EOF
-	)"
-
-	if [ "${method}" = "uri" ]; then
-		__download "${keyfilecdist}" \
-			--url "${src}" \
-			--onchange "${dearmor}"
-		require="__download${keyfilecdist}" \
-			__file "${keyfile}" \
-				--owner root \
-				--mode 0444 \
-				--state pre-exists
-	else
-		__file "${keyfilecdist}" --state "${state_should}" \
-			--mode 0444 \
-			--source "${src}" \
-			--onchange "${dearmor}"
-	fi
+if [ -f "$__object/parameter/uri" ]
+then __package curl
+else __package dirmngr
 fi

cdist/conf/type/__apt_key/parameter/boolean

@@ -1 +0,0 @@
-use-deprecated-apt-key

cdist/conf/type/__apt_key/parameter/deprecated/use-deprecated-apt-key

@@ -1,3 +0,0 @@
-apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
-Use this flag *only* to migrate to placing a keyring directly in the
-/etc/apt/trusted.gpg.d/ directory with a descriptive name.

cdist/conf/type/__apt_key/parameter/optional

@@ -1,6 +1,5 @@
-keydir
+state
 keyid
 keyserver
-source
-state
+keydir
 uri

cdist/conf/type/__apt_key_uri/deprecated

@@ -1 +0,0 @@
-Please migrate to using __apt_key key_id --uri URI.

cdist/conf/type/__apt_mark/explorer/state

@@ -24,4 +24,4 @@ else
     name="$__object_id"
 fi
 
-apt-mark showhold | grep -q "^${name}$" && echo hold || echo unhold
+apt-mark showhold | grep -Fq "$name" && echo hold || echo unhold

cdist/conf/type/__apt_norecommends/man.rst

@@ -32,12 +32,11 @@ EXAMPLES
 AUTHORS
 -------
 Steven Armstrong <steven-cdist--@--armstrong.cc>
-Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
 
 
 COPYING
 -------
-Copyright \(C) 2014 Steven Armstrong, 2020 Dennis Camera.
-You can redistribute it and/or modify it under the terms of the GNU General
-Public License as published by the Free Software Foundation, either version 3 of
-the License, or (at your option) any later version.
+Copyright \(C) 2014 Steven Armstrong. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__apt_norecommends/manifest

@@ -1,7 +1,6 @@
 #!/bin/sh -e
 #
 # 2014 Steven Armstrong (steven-cdist at armstrong.cc)
-# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@@ -20,28 +19,26 @@
 #
 
 
-os=$(cat "${__global:?}/explorer/os")
+os=$(cat "$__global/explorer/os")
 
-case ${os}
-in
-	(ubuntu|debian|devuan)
-		__file /etc/apt/apt.conf.d/00InstallRecommends --state present \
-			--owner root --group root --mode 0644 --source - <<-'EOF'
-		APT::Install-Recommends "false";
-		APT::Install-Suggests "false";
-		APT::AutoRemove::RecommendsImportant "false";
-		APT::AutoRemove::SuggestsImportant "false";
-		EOF
-
-		# TODO: Remove the following object after some time
-		require=__file/etc/apt/apt.conf.d/00InstallRecommends \
-		__file /etc/apt/apt.conf.d/99-no-recommends --state absent
-		;;
-	(*)
-		cat >&2 <<EOF
+case "$os" in
+   ubuntu|debian|devuan)
+      # No stinking recommends thank you very much.
+      # If I want something installed I will do so myself.
+      __file /etc/apt/apt.conf.d/99-no-recommends \
+         --owner root --group root --mode 644 \
+         --source - << DONE
+APT::Install-Recommends "0";
+APT::Install-Suggests "0";
+APT::AutoRemove::RecommendsImportant "0";
+APT::AutoRemove::SuggestsImportant "0";
+DONE
+   ;;
+   *)
+      cat >&2 << DONE
 The developer of this type (${__type##*/}) did not think your operating system
 ($os) would have any use for it. If you think otherwise please submit a patch.
-EOF
-		exit 1
-		;;
+DONE
+      exit 1
+   ;;
 esac

cdist/conf/type/__apt_pin/man.rst

@@ -1,79 +0,0 @@
-cdist-type__apt_pin(7)
-======================
-
-NAME
-----
-cdist-type__apt_pin - Manage apt pinning rules
-
-
-DESCRIPTION
------------
-Adds/removes/edits rules to pin some packages to a specific distribution. Useful if using multiple debian repositories at the same time. (Useful, if one wants to use a few specific packages from backports or perhaps Debain testing... or even sid.)
-
-
-REQUIRED PARAMETERS
--------------------
-distribution
-   Specifies what distribution the package should be pinned to. Accepts both codenames (buster/bullseye/sid) and suite names (stable/testing/...).
-
-
-OPTIONAL PARAMETERS
--------------------
-package
-   Package name, glob or regular expression to match (multiple) packages. If not specified `__object_id` is used.
-
-priority
-   The priority value to assign to matching packages. Deafults to 500. (To match the default target distro's priority)
-
-state
-   Will be passed to underlying `__file` type; see there for valid values and defaults.
-
-
-
-BOOLEAN PARAMETERS
-------------------
-None.
-
-
-EXAMPLES
---------
-
-.. code-block:: sh
-
-   # Add the bullseye repo to buster, but do not install any packages by default,
-   # only if explicitely asked for (-1 means "never" for apt)
-    __apt_pin bullseye-default \
-       --package "*" \
-       --distribution bullseye \
-       --priority -1
-
-    require="__apt_pin/bullseye-default" __apt_source bullseye \
-       --uri http://deb.debian.org/debian/ \
-       --distribution bullseye \
-       --component main
-
-    __apt_pin foo --package "foo foo-*" --distribution bullseye
-
-    __foo # Assuming, this installs the `foo` package internally
-
-    __package foo-plugin-extras # Assuming we also need some extra stuff
-
-
-SEE ALSO
---------
-:strong:`apt_preferences`\ (5)
-:strong:`cdist-type__apt_source`\ (7)
-:strong:`cdist-type__apt_backports`\ (7)
-:strong:`cdist-type__file`\ (7)
-
-AUTHORS
--------
-Daniel Fancsali <fancsali@gmail.com>
-
-
-COPYING
--------
-Copyright \(C) 2021 Daniel Fancsali. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.

cdist/conf/type/__apt_pin/manifest

@@ -1,68 +0,0 @@
-#!/bin/sh -e
-#
-# 2021 Daniel Fancsali (fancsali@gmail.com)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-
-name="$__object_id"
-
-os=$(cat "$__global/explorer/os")
-state="$(cat "$__object/parameter/state")"
-
-if [ -f "$__object/parameter/package" ]; then
-    package="$(cat "$__object/parameter/package")"
-else
-    package=$name
-fi
-
-distribution="$(cat "$__object/parameter/distribution")"
-priority="$(cat "$__object/parameter/priority")"
-
-
-case "$os" in
-   debian|ubuntu|devuan)
-   ;;
-   *)
-      printf "This type is specific to Debian and it's derivatives" >&2
-      exit 1
-   ;;
-esac
-
-case $distribution in
-    stable|testing|unstable|experimental)
-        pin="release a=$distribution"
-        ;;
-    *)
-        pin="release n=$distribution"
-        ;;
-esac
-
-
-__file "/etc/apt/preferences.d/$name" \
-    --owner root --group root --mode 0644 \
-    --state "$state" \
-    --source - << EOF
-# Created by cdist ${__type##*/}
-# Do not change. Changes will be overwritten.
-#
-
-# $name
-Package: $package
-Pin: $pin
-Pin-Priority: $priority
-EOF

cdist/conf/type/__apt_pin/parameter/default/priority

@@ -1 +0,0 @@
-500

cdist/conf/type/__apt_pin/parameter/default/state

@@ -1 +0,0 @@
-present

cdist/conf/type/__apt_pin/parameter/optional

@@ -1,3 +0,0 @@
-state
-package
-priority

cdist/conf/type/__apt_pin/parameter/required

@@ -1 +0,0 @@
-distribution

cdist/conf/type/__apt_ppa/files/remove-apt-repository

@@ -0,0 +1,55 @@
+#!/usr/bin/env python
+#
+# Remove the given apt repository.
+#
+# Exit with:
+#   0: if it worked
+#   1: if not
+#   2: on other error
+
+import os
+import sys
+from aptsources import distro, sourceslist
+from softwareproperties import ppa
+from softwareproperties.SoftwareProperties import SoftwareProperties
+
+
+def remove_if_empty(file_name):
+    with open(file_name, 'r') as f:
+        if f.read().strip():
+            return
+        os.unlink(file_name)
+
+def remove_repository(repository):
+    #print 'repository:', repository
+    codename = distro.get_distro().codename
+    #print 'codename:', codename
+    (line, file) = ppa.expand_ppa_line(repository.strip(), codename)
+    #print 'line:', line
+    #print 'file:', file
+    deb_source_entry = sourceslist.SourceEntry(line, file)
+    src_source_entry = sourceslist.SourceEntry('deb-src{}'.format(line[3:]), file)
+
+    try:
+        sp = SoftwareProperties()
+        sp.remove_source(deb_source_entry)
+        try:
+            # If there's a deb-src entry, remove that too
+            sp.remove_source(src_source_entry)
+        except:
+            pass
+        remove_if_empty(file)
+        return True
+    except ValueError:
+        print >> sys.stderr, "Error: '%s' doesn't exists in a sourcelist file" % line
+        return False
+
+if __name__ == '__main__':
+    if (len(sys.argv) != 2):
+        print >> sys.stderr, 'Error: need a repository as argument'
+        sys.exit(2)
+    repository = sys.argv[1]
+    if remove_repository(repository):
+        sys.exit(0)
+    else:
+        sys.exit(1)

cdist/conf/type/__apt_ppa/gencode-remote

@@ -29,9 +29,9 @@ fi
 
 case "$state_should" in
    present)
-      echo "add-apt-repository -y '$name'"
+      echo "add-apt-repository '$name'"
    ;;
    absent)
-      echo "add-apt-repository -r -y '$name'"
+      echo "remove-apt-repository '$name'"
    ;;
 esac

cdist/conf/type/__apt_ppa/manifest

@@ -20,4 +20,9 @@
 
 __package software-properties-common
 
+require="__package/software-properties-common" \
+   __file /usr/local/bin/remove-apt-repository \
+   --source "$__type/files/remove-apt-repository" \
+   --mode 0755
+
 require="$__object_name" __apt_update_index

cdist/conf/type/__apt_source/files/source.list.template

@@ -2,14 +2,13 @@
 set -u
 
 entry="$uri $distribution $component"
-
 cat << DONE
 # Created by cdist ${__type##*/}
 # Do not change. Changes will be overwritten.
 #
 
 # $name
-deb ${options} $entry
+deb ${forcedarch} $entry
 DONE
 if [ -f "$__object/parameter/include-src" ]; then
    echo "deb-src $entry"

cdist/conf/type/__apt_source/gencode-remote

@@ -22,21 +22,7 @@
 name="$__object_id"
 destination="/etc/apt/sources.list.d/${name}.list"
 
-# There are special arguments to apt(8) to prevent aborts if apt woudn't been
-# updated after the 19th April 2021 till the bullseye release. The additional
-# arguments acknoledge the happend suite change (the apt(8) update does the
-# same by itself).
-#
-# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
-# allows backward compatablility to pre-buster Debian versions.
-#
-# See more: ticket #861
-# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
-apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
-
-# run 'apt-get update' only if something changed with our sources.list file
-#   it will be run a second time on error as a redundancy messure to success
 if grep -q "^__file${destination}" "$__messages_in"; then
-   printf 'apt-get %s update || apt-get %s update\n' "$apt_opts" "$apt_opts"
+   printf 'apt-get update || apt-get update\n'
 fi
 

cdist/conf/type/__apt_source/man.rst

@@ -23,9 +23,6 @@ OPTIONAL PARAMETERS
 arch
    set this if you need to force and specific arch (ubuntu specific)
 
-signed-by
-   provide a GPG key fingerprint or keyring path for signature checks
-
 state
    'present' or 'absent', defaults to 'present'
 
@@ -59,11 +56,6 @@ EXAMPLES
        --uri http://archive.canonical.com/ \
        --component partner --state present
 
-    __apt_source goaccess \
-       --uri http://deb.goaccess.io/ \
-       --component main \
-       --signed-by C03B48887D5E56B046715D3297BD1A0133449C3D
-
 
 AUTHORS
 -------

cdist/conf/type/__apt_source/manifest

@@ -21,7 +21,6 @@
 name="$__object_id"
 state="$(cat "$__object/parameter/state")"
 uri="$(cat "$__object/parameter/uri")"
-options=""
 
 if [ -f "$__object/parameter/distribution" ]; then
    distribution="$(cat "$__object/parameter/distribution")"
@@ -32,15 +31,9 @@ fi
 component="$(cat "$__object/parameter/component")"
 
 if [ -f "$__object/parameter/arch" ]; then
-   options="arch=$(cat "$__object/parameter/arch")"
-fi
-
-if [ -f "$__object/parameter/signed-by" ]; then
-   options="$options signed-by=$(cat "$__object/parameter/signed-by")"
-fi
-
-if [ "$options" ]; then
-    options="[$options]"
+   forcedarch="[arch=$(cat "$__object/parameter/arch")]"
+else
+   forcedarch=""
 fi
 
 # export variables for use in template
@@ -48,7 +41,7 @@ export name
 export uri
 export distribution
 export component
-export options
+export forcedarch
 
 # generate file from template
 mkdir "$__object/files"

cdist/conf/type/__apt_source/parameter/optional

@@ -1,5 +1,4 @@
 state
 distribution
 component
-arch
-signed-by
+arch

cdist/conf/type/__apt_update_index/gencode-remote

@@ -18,23 +18,9 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-
-# There are special arguments to apt(8) to prevent aborts if apt woudn't been
-# updated after the 19th April 2021 till the bullseye release. The additional
-# arguments acknoledge the happend suite change (the apt(8) update does the
-# same by itself).
-#
-# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
-# allows backward compatablility to pre-buster Debian versions.
-#
-# See more: ticket #861
-# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
-apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
-
 # run 'apt-get update' if anything in /etc/apt is newer then /var/lib/apt/lists
-#   it will be run a second time on error as a redundancy messure to success
 cat << DONE
 if find /etc/apt -mindepth 1 -cnewer /var/lib/apt/lists | grep . > /dev/null; then
-   apt-get $apt_opts update || apt-get $apt_opts update
+   apt-get update || apt-get update
 fi
 DONE

cdist/conf/type/__block/gencode-remote

@@ -46,29 +46,28 @@ fi
 
 remove_block() {
    cat << DONE
-tmpfile=\$(mktemp ${quoted_file}.cdist.XXXXXXXXXX)
+tmpfile=\$(mktemp ${file}.cdist.XXXXXXXXXX)
 # preserve ownership and permissions of existing file
-if [ -f $quoted_file ]; then
-   cp -p $quoted_file "\$tmpfile"
+if [ -f "$file" ]; then
+   cp -p "$file" "\$tmpfile"
 fi
-awk -v prefix=$(quote "$prefix") -v suffix=$(quote "$suffix") '
+awk -v prefix=^$(quote "$prefix")\$ -v suffix=^$(quote "$suffix")\$ '
 {
-   if (\$0 == prefix) {
+   if (match(\$0,prefix)) {
       triggered=1
    }
    if (triggered) {
-      if (\$0 == suffix) {
+      if (match(\$0,suffix)) {
          triggered=0
       }
    } else {
       print
    }
-}' $quoted_file > "\$tmpfile"
-mv -f "\$tmpfile" $quoted_file
+}' "$file" > "\$tmpfile"
+mv -f "\$tmpfile" "$file"
 DONE
 }
 
-quoted_file="$(quote "$file")"
 case "$state_should" in
    present)
       if [ "$state_is" = "changed" ]; then
@@ -78,7 +77,7 @@ case "$state_should" in
          echo add >> "$__messages_out"
       fi
       cat << DONE
-cat >> $quoted_file << '${__type##*/}_DONE'
+cat >> "$file" << ${__type##*/}_DONE
 $(cat "$block")
 ${__type##*/}_DONE
 DONE

cdist/conf/type/__cdist/manifest

@@ -37,7 +37,6 @@ source="$(cat "$__object/parameter/source")"
 # out of it
 home=/home/$username
 
-# shellcheck disable=SC2086
 __user "$username" --home "$home" $shell
 
 require="__user/$username" __directory "$home" \

cdist/conf/type/__clean_path/explorer/list

@@ -18,12 +18,7 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-if [ -f "$__object/parameter/path" ]
-then
-    path="$( cat "$__object/parameter/path" )"
-else
-    path="/$__object_id"
-fi
+path="/$__object_id"
 
 [ ! -d "$path" ] && exit 0
 

cdist/conf/type/__clean_path/gencode-remote

@@ -20,12 +20,7 @@
 
 [ ! -s "$__object/explorer/list" ] && exit 0
 
-if [ -f "$__object/parameter/path" ]
-then
-    path="$( cat "$__object/parameter/path" )"
-else
-    path="/$__object_id"
-fi
+path="/$__object_id"
 
 pattern="$( cat "$__object/parameter/pattern" )"
 

cdist/conf/type/__clean_path/man.rst

@@ -10,7 +10,7 @@ DESCRIPTION
 -----------
 Remove files and directories which match the pattern.
 
-Provided path must be a directory.
+Provided path (as __object_id) must be a directory.
 
 Patterns are passed to ``find``'s ``-regex`` - see ``find(1)`` for more details.
 
@@ -29,9 +29,6 @@ pattern
 
 OPTIONAL PARAMETERS
 -------------------
-path
-   Path which will be cleaned. Defaults to ``$__object_id``.
-
 exclude
    Pattern of files which are excluded from removal.
 
@@ -49,11 +46,6 @@ EXAMPLES
         --exclude '.+\(charset\.conf\|security\.conf\)' \
         --onchange 'service apache2 restart'
 
-    __clean_path apache2-conf-enabled \
-        --path /etc/apache2/conf-enabled \
-        --pattern '.+' \
-        --exclude '.+\(charset\.conf\|security\.conf\)' \
-        --onchange 'service apache2 restart'
 
 AUTHORS
 -------

cdist/conf/type/__clean_path/parameter/optional

@@ -1,3 +1,2 @@
 exclude
 onchange
-path

cdist/conf/type/__consul_agent/manifest

@@ -1,7 +1,7 @@
 #!/bin/sh -e
 #
 # 2015 Steven Armstrong (steven-cdist at armstrong.cc)
-# 2015-2020 Nico Schottelius (nico-cdist at schottelius.org)
+# 2015-2019 Nico Schottelius (nico-cdist at schottelius.org)
 # 2019 Timothée Floure (timothee.floure at ungleich.ch)
 #
 # This file is part of cdist.
@@ -37,22 +37,10 @@ fi
 # Those are default that might be overriden by os-specific logic.
 
 data_dir="/var/lib/consul"
-
-
-
+conf_dir="/etc/consul/conf.d"
+conf_file="config.json"
 tls_dir="$conf_dir/tls"
 
-case "$os" in
-    alpine)
-        conf_dir="/etc/consul"
-        conf_file="server.json"
-        ;;
-    *)
-        conf_dir="/etc/consul/conf.d"
-        conf_file="config.json"
-        ;;
-esac
-
 ###
 # Sane deployment, based on distribution package when available.
 
@@ -232,7 +220,7 @@ if [ -f "$__object/parameter/ca-file-source" ] || \
    [ -f "$__object/parameter/cert-file-source" ] || \
    [ -f "$__object/parameter/key-file-source" ]; then
 
-   requires="$config_deployment_requires" __directory "$tls_dir" \
+   requires="$config_deployment_requires" __directory $tls_dir \
      --owner root --group "$group" --mode 750 --state "$state"
 
    # Append to service restart requirements.

cdist/conf/type/__coturn/files/turnserver.conf.sh

@@ -0,0 +1,744 @@
+#!/bin/sh
+
+generate_use_auth_secret () {
+  if [ $USE_AUTH_SECRET ]; then
+    echo 'use-auth-secret'
+  else
+    echo '#use-auth-secret'
+  fi
+}
+
+generate_static_auth_secret () {
+  if [ "$STATIC_AUTH_SECRET" $! "" ]; then
+    echo "static-auth-secret=$STATIC_AUTH_SECRET"
+  else
+    echo "#static-auth-secret=north"
+  fi
+}
+
+generate_realm () {
+  if [ "$REALM" != "" ]; then
+    echo "realm=$REALM"
+  else
+    echo "#realm=mycompany.org"
+  fi
+}
+
+generate_no_tcp_relay () {
+  if [ $NO_TCP_RELAY ]; then
+    echo 'no-tcp-releay'
+  else
+    echo '#no-tcp-relay'
+  fi
+}
+
+cat << EOF
+# Coturn TURN SERVER configuration file
+#
+# Boolean values note: where boolean value is supposed to be used,
+# you can use '0', 'off', 'no', 'false', 'f' as 'false,
+# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
+# If the value is missed, then it means 'true'.
+#
+
+# Listener interface device (optional, Linux only).
+# NOT RECOMMENDED.
+#
+#listening-device=eth0
+
+# TURN listener port for UDP and TCP (Default: 3478).
+# Note: actually, TLS & DTLS sessions can connect to the
+# "plain" TCP & UDP port(s), too - if allowed by configuration.
+#
+#listening-port=3478
+
+# TURN listener port for TLS (Default: 5349).
+# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
+# port(s), too - if allowed by configuration. The TURN server
+# "automatically" recognizes the type of traffic. Actually, two listening
+# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
+# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
+# For secure TCP connections, we currently support SSL version 3 and
+# TLS version 1.0, 1.1 and 1.2.
+# For secure UDP connections, we support DTLS version 1.
+#
+#tls-listening-port=5349
+
+# Alternative listening port for UDP and TCP listeners;
+# default (or zero) value means "listening port plus one".
+# This is needed for RFC 5780 support
+# (STUN extension specs, NAT behavior discovery). The TURN Server
+# supports RFC 5780 only if it is started with more than one
+# listening IP address of the same family (IPv4 or IPv6).
+# RFC 5780 is supported only by UDP protocol, other protocols
+# are listening to that endpoint only for "symmetry".
+#
+#alt-listening-port=0
+
+# Alternative listening port for TLS and DTLS protocols.
+# Default (or zero) value means "TLS listening port plus one".
+#
+#alt-tls-listening-port=0
+
+# Listener IP address of relay server. Multiple listeners can be specified.
+# If no IP(s) specified in the config file or in the command line options,
+# then all IPv4 and IPv6 system IPs will be used for listening.
+#
+#listening-ip=172.17.19.101
+#listening-ip=10.207.21.238
+#listening-ip=2607:f0d0:1002:51::4
+
+# Auxiliary STUN/TURN server listening endpoint.
+# Aux servers have almost full TURN and STUN functionality.
+# The (minor) limitations are:
+#
+# 1) Auxiliary servers do not have alternative ports and
+# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
+#
+# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
+#
+# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
+#
+# There may be multiple aux-server options, each will be used for listening
+# to client requests.
+#
+#aux-server=172.17.19.110:33478
+#aux-server=[2607:f0d0:1002:51::4]:33478
+
+# (recommended for older Linuxes only)
+# Automatically balance UDP traffic over auxiliary servers (if configured).
+# The load balancing is using the ALTERNATE-SERVER mechanism.
+# The TURN client must support 300 ALTERNATE-SERVER response for this
+# functionality.
+#
+#udp-self-balance
+
+# Relay interface device for relay sockets (optional, Linux only).
+# NOT RECOMMENDED.
+#
+#relay-device=eth1
+
+# Relay address (the local IP address that will be used to relay the
+# packets to the peer).
+# Multiple relay addresses may be used.
+# The same IP(s) can be used as both listening IP(s) and relay IP(s).
+#
+# If no relay IP(s) specified, then the turnserver will apply the default
+# policy: it will decide itself which relay addresses to be used, and it
+# will always be using the client socket IP address as the relay IP address
+# of the TURN session (if the requested relay address family is the same
+# as the family of the client socket).
+#
+#relay-ip=172.17.19.105
+#relay-ip=2607:f0d0:1002:51::5
+
+# For Amazon EC2 users:
+#
+# TURN Server public/private address mapping, if the server is behind NAT.
+# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
+# as relay IP address of all allocations. This scenario works only in a simple case
+# when one single relay address is be used, and no RFC5780 functionality is required.
+# That single relay address must be mapped by NAT to the 'external' IP.
+# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
+# For that 'external' IP, NAT must forward ports directly (relayed port 12345
+# must be always mapped to the same 'external' port 12345).
+#
+# In more complex case when more than one IP address is involved,
+# that option must be used several times, each entry must
+# have form "-X <public-ip/private-ip>", to map all involved addresses.
+# RFC5780 NAT discovery STUN functionality will work correctly,
+# if the addresses are mapped properly, even when the TURN server itself
+# is behind A NAT.
+#
+# By default, this value is empty, and no address mapping is used.
+#
+#external-ip=60.70.80.91
+#
+#OR:
+#
+#external-ip=60.70.80.91/172.17.19.101
+#external-ip=60.70.80.92/172.17.19.102
+
+
+# Number of the relay threads to handle the established connections
+# (in addition to authentication thread and the listener thread).
+# If explicitly set to 0 then application runs relay process in a
+# single thread, in the same thread with the listener process
+# (the authentication thread will still be a separate thread).
+#
+# If this parameter is not set, then the default OS-dependent
+# thread pattern algorithm will be employed. Usually the default
+# algorithm is the most optimal, so you have to change this option
+# only if you want to make some fine tweaks.
+#
+# In the older systems (Linux kernel before 3.9),
+# the number of UDP threads is always one thread per network listening
+# endpoint - including the auxiliary endpoints - unless 0 (zero) or
+# 1 (one) value is set.
+#
+#relay-threads=0
+
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+#min-port=49152
+#max-port=65535
+
+# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
+# By default the verbose mode is off.
+#verbose
+
+# Uncomment to run TURN server in 'extra' verbose mode.
+# This mode is very annoying and produces lots of output.
+# Not recommended under any normal circumstances.
+#
+#Verbose
+
+# Uncomment to use fingerprints in the TURN messages.
+# By default the fingerprints are off.
+#
+#fingerprint
+
+# Uncomment to use long-term credential mechanism.
+# By default no credentials mechanism is used (any user allowed).
+#
+#lt-cred-mech
+
+# This option is opposite to lt-cred-mech.
+# (TURN Server with no-auth option allows anonymous access).
+# If neither option is defined, and no users are defined,
+# then no-auth is default. If at least one user is defined,
+# in this file or in command line or in usersdb file, then
+# lt-cred-mech is default.
+#
+#no-auth
+
+# TURN REST API flag.
+# (Time Limited Long Term Credential)
+# Flag that sets a special authorization option that is based upon authentication secret.
+#
+# This feature's purpose is to support "TURN Server REST API", see
+# "TURN REST API" link in the project's page
+# https://github.com/coturn/coturn/
+#
+# This option is used with timestamp:
+#
+# usercombo -> "timestamp:userid"
+# turn user -> usercombo
+# turn password -> base64(hmac(secret key, usercombo))
+#
+# This allows TURN credentials to be accounted for a specific user id.
+# If you don't have a suitable id, the timestamp alone can be used.
+# This option is just turning on secret-based authentication.
+# The actual value of the secret is defined either by option static-auth-secret,
+# or can be found in the turn_secret table in the database (see below).
+#
+# Read more about it:
+#  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
+#  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
+#
+# Be aware that use-auth-secret overrides some part of lt-cred-mech.
+# Notice that this feature depends internally on lt-cred-mech, so if you set
+# use-auth-secret then it enables internally automatically lt-cred-mech option
+# like if you enable both.
+#
+# You can use only one of the to auth mechanisms in the same time because,
+# both mechanism use the username and password validation in different way.
+#
+# This way be aware that you can't use both auth mechnaism in the same time!
+# Use in config either the lt-cred-mech or the use-auth-secret
+# to avoid any confusion.
+#
+$(generate_use_auth_secret)
+
+# 'Static' authentication secret value (a string) for TURN REST API only.
+# If not set, then the turn server
+# will try to use the 'dynamic' value in turn_secret table
+# in user database (if present). The database-stored  value can be changed on-the-fly
+# by a separate program, so this is why that other mode is 'dynamic'.
+#
+$(generate_static_auth_secret)
+
+# Server name used for
+# the oAuth authentication purposes.
+# The default value is the realm name.
+#
+#server-name=blackdow.carleon.gov
+
+# Flag that allows oAuth authentication.
+#
+#oauth
+
+# 'Static' user accounts for long term credentials mechanism, only.
+# This option cannot be used with TURN REST API.
+# 'Static' user accounts are NOT dynamically checked by the turnserver process,
+# so that they can NOT be changed while the turnserver is running.
+#
+#user=username1:key1
+#user=username2:key2
+# OR:
+#user=username1:password1
+#user=username2:password2
+#
+# Keys must be generated by turnadmin utility. The key value depends
+# on user name, realm, and password:
+#
+# Example:
+# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
+# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
+# ('0x' in the beginning of the key is what differentiates the key from
+# password. If it has 0x then it is a key, otherwise it is a password).
+#
+# The corresponding user account entry in the config file will be:
+#
+#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
+# Or, equivalently, with open clear password (less secure):
+#user=ninefingers:youhavetoberealistic
+#
+
+# SQLite database file name.
+#
+# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
+# /var/lib/turn/turndb.
+#
+#userdb=/var/db/turndb
+
+# PostgreSQL database connection string in the case that we are using PostgreSQL
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN RESP API.
+# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
+# versions connection string format, see
+# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
+# for 9.x and newer connection string formats.
+#
+#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
+
+# MySQL database connection string in the case that we are using MySQL
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN RESP API.
+#
+# Optional connection string parameters for the secure communications (SSL):
+# ca, capath, cert, key, cipher
+# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
+# command options description).
+#
+# Use string format as below (space separated parameters, all optional):
+#
+#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
+
+# If you want to use in the MySQL connection string the password in encrypted format,
+# then set in this option the MySQL password encryption secret key file.
+#
+# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
+# If you want to use cleartext password then do not set this option!
+#
+# This is the file path which contain secret key of aes encryption while using password encryption.
+#
+#secret-key-file=/path/
+
+# MongoDB database connection string in the case that we are using MongoDB
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN RESP API.
+# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
+#
+#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
+
+# Redis database connection string in the case that we are using Redis
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN RESP API.
+# Use string format as below (space separated parameters, all optional):
+#
+#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
+
+# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
+# This database keeps allocations status information, and it can be also used for publishing
+# and delivering traffic and allocation event notifications.
+# The connection string has the same parameters as redis-userdb connection string.
+# Use string format as below (space separated parameters, all optional):
+#
+#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
+
+# The default realm to be used for the users when no explicit
+# origin/realm relationship was found in the database, or if the TURN
+# server is not using any database (just the commands-line settings
+# and the userdb file). Must be used with long-term credentials
+# mechanism or with TURN REST API.
+#
+# Note: If default realm is not specified at all, then realm falls back to the host domain name.
+#       If domain name is empty string, or '(None)', then it is initialized to am empty string.
+#
+$(generate_realm)
+
+# The flag that sets the origin consistency
+# check: across the session, all requests must have the same
+# main ORIGIN attribute value (if the ORIGIN was
+# initially used by the session).
+#
+#check-origin-consistency
+
+# Per-user allocation quota.
+# default value is 0 (no quota, unlimited number of sessions per user).
+# This option can also be set through the database, for a particular realm.
+#
+#user-quota=0
+
+# Total allocation quota.
+# default value is 0 (no quota).
+# This option can also be set through the database, for a particular realm.
+#
+#total-quota=0
+
+# Max bytes-per-second bandwidth a TURN session is allowed to handle
+# (input and output network streams are treated separately). Anything above
+# that limit will be dropped or temporary suppressed (within
+# the available buffer limits).
+# This option can also be set through the database, for a particular realm.
+#
+#max-bps=0
+
+#
+# Maximum server capacity.
+# Total bytes-per-second bandwidth the TURN server is allowed to allocate
+# for the sessions, combined (input and output network streams are treated separately).
+#
+# bps-capacity=0
+
+# Uncomment if no UDP client listener is desired.
+# By default UDP client listener is always started.
+#
+#no-udp
+
+# Uncomment if no TCP client listener is desired.
+# By default TCP client listener is always started.
+#
+#no-tcp
+
+# Uncomment if no TLS client listener is desired.
+# By default TLS client listener is always started.
+#
+#no-tls
+
+# Uncomment if no DTLS client listener is desired.
+# By default DTLS client listener is always started.
+#
+#no-dtls
+
+# Uncomment if no UDP relay endpoints are allowed.
+# By default UDP relay endpoints are enabled (like in RFC 5766).
+#
+#no-udp-relay
+
+# Uncomment if no TCP relay endpoints are allowed.
+# By default TCP relay endpoints are enabled (like in RFC 6062).
+#
+$(generate_no_tcp_relay)
+
+# Uncomment if extra security is desired,
+# with nonce value having limited lifetime.
+# By default, the nonce value is unique for a session,
+# and has unlimited lifetime.
+# Set this option to limit the nonce lifetime.
+# It defaults to 600 secs (10 min) if no value is provided. After that delay,
+# the client will get 438 error and will have to re-authenticate itself.
+#
+#stale-nonce=600
+
+# Uncomment if you want to set the maximum allocation
+# time before it has to be refreshed.
+# Default is 3600s.
+#
+#max-allocate-lifetime=3600
+
+
+# Uncomment to set the lifetime for the channel.
+# Default value is 600 secs (10 minutes).
+# This value MUST not be changed for production purposes.
+#
+#channel-lifetime=600
+
+# Uncomment to set the permission lifetime.
+# Default to 300 secs (5 minutes).
+# In production this value MUST not be changed,
+# however it can be useful for test purposes.
+#
+#permission-lifetime=300
+
+# Certificate file.
+# Use an absolute path or path relative to the
+# configuration file.
+#
+#cert=/usr/local/etc/turn_server_cert.pem
+
+# Private key file.
+# Use an absolute path or path relative to the
+# configuration file.
+# Use PEM file format.
+#
+#pkey=/usr/local/etc/turn_server_pkey.pem
+
+# Private key file password, if it is in encoded format.
+# This option has no default value.
+#
+#pkey-pwd=...
+
+# Allowed OpenSSL cipher list for TLS/DTLS connections.
+# Default value is "DEFAULT".
+#
+#cipher-list="DEFAULT"
+
+# CA file in OpenSSL format.
+# Forces TURN server to verify the client SSL certificates.
+# By default it is not set: there is no default value and the client
+# certificate is not checked.
+#
+# Example:
+#CA-file=/etc/ssh/id_rsa.cert
+
+# Curve name for EC ciphers, if supported by OpenSSL
+# library (TLS and DTLS). The default value is prime256v1,
+# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
+# an optimal curve will be automatically calculated, if not defined
+# by this option.
+#
+#ec-curve-name=prime256v1
+
+# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
+#
+#dh566
+
+# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
+#
+#dh2066
+
+# Use custom DH TLS key, stored in PEM format in the file.
+# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
+#
+#dh-file=<DH-PEM-file-name>
+
+# Flag to prevent stdout log messages.
+# By default, all log messages are going to both stdout and to
+# the configured log file. With this option everything will be
+# going to the configured log only (unless the log file itself is stdout).
+#
+#no-stdout-log
+
+# Option to set the log file name.
+# By default, the turnserver tries to open a log file in
+# /var/log, /var/tmp, /tmp and current directories directories
+# (which open operation succeeds first that file will be used).
+# With this option you can set the definite log file name.
+# The special names are "stdout" and "-" - they will force everything
+# to the stdout. Also, the "syslog" name will force everything to
+# the system log (syslog).
+# In the runtime, the logfile can be reset with the SIGHUP signal
+# to the turnserver process.
+#
+#log-file=/var/tmp/turn.log
+
+# Option to redirect all log output into system log (syslog).
+#
+syslog
+
+# This flag means that no log file rollover will be used, and the log file
+# name will be constructed as-is, without PID and date appendage.
+# This option can be used, for example, together with the logrotate tool.
+#
+#simple-log
+
+# Option to set the "redirection" mode. The value of this option
+# will be the address of the alternate server for UDP & TCP service in form of
+# <ip>[:<port>]. The server will send this value in the attribute
+# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
+# Client will receive only values with the same address family
+# as the client network endpoint address family.
+# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
+# The client must use the obtained value for subsequent TURN communications.
+# If more than one --alternate-server options are provided, then the functionality
+# can be more accurately described as "load-balancing" than a mere "redirection".
+# If the port number is omitted, then the default port
+# number 3478 for the UDP/TCP protocols will be used.
+# Colon (:) characters in IPv6 addresses may conflict with the syntax of
+# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
+# in square brackets in such resource identifiers, for example:
+# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
+# Multiple alternate servers can be set. They will be used in the
+# round-robin manner. All servers in the pool are considered of equal weight and
+# the load will be distributed equally. For example, if we have 4 alternate servers,
+# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
+# address can be used more than one time with the alternate-server option, so this
+# can emulate "weighting" of the servers.
+#
+# Examples:
+#alternate-server=1.2.3.4:5678
+#alternate-server=11.22.33.44:56789
+#alternate-server=5.6.7.8
+#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
+
+# Option to set alternative server for TLS & DTLS services in form of
+# <ip>:<port>. If the port number is omitted, then the default port
+# number 5349 for the TLS/DTLS protocols will be used. See the previous
+# option for the functionality description.
+#
+# Examples:
+#tls-alternate-server=1.2.3.4:5678
+#tls-alternate-server=11.22.33.44:56789
+#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
+
+# Option to suppress TURN functionality, only STUN requests will be processed.
+# Run as STUN server only, all TURN requests will be ignored.
+# By default, this option is NOT set.
+#
+#stun-only
+
+# Option to suppress STUN functionality, only TURN requests will be processed.
+# Run as TURN server only, all STUN requests will be ignored.
+# By default, this option is NOT set.
+#
+#no-stun
+
+# This is the timestamp/username separator symbol (character) in TURN REST API.
+# The default value is ':'.
+# rest-api-separator=:
+
+# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
+# This is an extra security measure.
+#
+# (To avoid any security issue that allowing loopback access may raise,
+# the no-loopback-peers option is replaced by allow-loopback-peers.)
+#
+# Allow it only for testing in a development environment!
+# In production it adds a possible security vulnerability, so for security reasons
+# it is not allowed using it together with empty cli-password.
+#
+#allow-loopback-peers
+
+# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
+# This is an extra security measure.
+#
+#no-multicast-peers
+
+# Option to set the max time, in seconds, allowed for full allocation establishment.
+# Default is 60 seconds.
+#
+#max-allocate-timeout=60
+
+# Option to allow or ban specific ip addresses or ranges of ip addresses.
+# If an ip address is specified as both allowed and denied, then the ip address is
+# considered to be allowed. This is useful when you wish to ban a range of ip
+# addresses, except for a few specific ips within that range.
+#
+# This can be used when you do not want users of the turn server to be able to access
+# machines reachable by the turn server, but would otherwise be unreachable from the
+# internet (e.g. when the turn server is sitting behind a NAT)
+#
+# Examples:
+# denied-peer-ip=83.166.64.0-83.166.95.255
+# allowed-peer-ip=83.166.68.45
+
+# File name to store the pid of the process.
+# Default is /var/run/turnserver.pid (if superuser account is used) or
+# /var/tmp/turnserver.pid .
+#
+#pidfile="/var/run/turnserver.pid"
+
+# Require authentication of the STUN Binding request.
+# By default, the clients are allowed anonymous access to the STUN Binding functionality.
+#
+#secure-stun
+
+# Mobility with ICE (MICE) specs support.
+#
+#mobility
+
+# Allocate Address Family according
+# If enabled then TURN server allocates address family according  the TURN
+# Client <=> Server communication address family.
+# (By default coTURN works according RFC 6156.)
+# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
+#
+#keep-address-family
+
+
+# User name to run the process. After the initialization, the turnserver process
+# will make an attempt to change the current user ID to that user.
+#
+#proc-user=<user-name>
+
+# Group name to run the process. After the initialization, the turnserver process
+# will make an attempt to change the current group ID to that group.
+#
+#proc-group=<group-name>
+
+# Turn OFF the CLI support.
+# By default it is always ON.
+# See also options cli-ip and cli-port.
+#
+#no-cli
+
+#Local system IP address to be used for CLI server endpoint. Default value
+# is 127.0.0.1.
+#
+#cli-ip=127.0.0.1
+
+# CLI server port. Default is 5766.
+#
+#cli-port=5766
+
+# CLI access password. Default is empty (no password).
+# For the security reasons, it is recommended to use the encrypted
+# for of the password (see the -P command in the turnadmin utility).
+#
+# Secure form for password 'qwerty':
+#
+#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
+#
+# Or unsecure form for the same password:
+#
+#cli-password=qwerty
+
+# Enable Web-admin support on https. By default it is Disabled.
+# If it is enabled it also enables a http a simple static banner page
+# with a small reminder that the admin page is available only on https.
+#
+#web-admin
+
+# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
+#
+#web-admin-ip=127.0.0.1
+
+# Web-admin server port. Default is 8080.
+#
+#web-admin-port=8080
+
+# Web-admin server listen on STUN/TURN worker threads
+# By default it is disabled for security resons! (Not recommended in any production environment!)
+#
+#web-admin-listen-on-workers
+
+# Server relay. NON-STANDARD AND DANGEROUS OPTION.
+# Only for those applications when we want to run
+# server applications on the relay endpoints.
+# This option eliminates the IP permissions check on
+# the packets incoming to the relay endpoints.
+#
+#server-relay
+
+# Maximum number of output sessions in ps CLI command.
+# This value can be changed on-the-fly in CLI. The default value is 256.
+#
+#cli-max-output-sessions
+
+# Set network engine type for the process (for internal purposes).
+#
+#ne=[1|2|3]
+
+# Do not allow an TLS/DTLS version of protocol
+#
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2
+EOF

cdist/conf/type/__coturn/man.rst

@@ -0,0 +1,61 @@
+cdist-type__coturn(7)
+=====================
+
+NAME
+----
+cdist-type__coturn - Install and configure a coturn TURN server
+
+
+DESCRIPTION
+-----------
+This (singleton) type install and configure a coturn TURN
+server.
+
+
+REQUIRED PARAMETERS
+-------------------
+None.
+
+
+OPTIONAL PARAMETERS
+-------------------
+static_auth_secret
+  Secret used to access the TURN REST API.
+
+realm
+  Defailt realm.
+
+BOOLEAN PARAMETERS
+------------------
+use_auth_secret
+  Allows TURN credentials to be accounted for a specific user id.
+
+no_tcp_relay
+  Disable TCP relay endpoints.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __coturn \
+      --realm turn.domain.tld \
+      --no_tcp_relay
+
+
+SEE ALSO
+--------
+- `coturn Github repository <https://github.com/coturn/coturn>`_
+
+AUTHORS
+-------
+Timothée Floure <timothee.floure@ungleich.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2020 Timothée Floure. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__coturn/manifest

@@ -0,0 +1,55 @@
+#!/bin/sh -e
+#
+# 2020 Timothée Floure (timothee.floure@ungleich.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+__package coturn
+
+# Optional parameters.
+if [ -f "$__object/parameter/use_auth_secret" ]; then
+    export USE_AUTH_SECRET=1
+fi
+
+if [ -f "$__object/parameter/static_auth_secret" ]; then
+    static_auth_secret=$(cat "$__object/parameter/static_auth_secret")
+    export STATIC_AUTH_SECRET=$static_auth_secret
+fi
+
+if [ -f "$__object/parameter/realm" ]; then
+    realm=$(cat "$__object/parameter/realm")
+    export REALM=$realm
+fi
+
+if [ -f "$__object/parameter/no_tcp_relay" ]; then
+    no_tcp_relay=$(cat "$__object/parameter/no_tcp_relay")
+    export NO_TCP_RELAY=$no_tcp_relay
+fi
+
+# Hardcoded.
+coturn_config='/etc/turnserver.conf'
+
+# Generate and deploy configuration file.
+mkdir -p "$__object/files"
+"$__type/files/turnserver.conf.sh" > "$__object/files/turnserver.conf"
+
+__file $coturn_config \
+  --source "$__object/files/turnserver.conf" \
+  --state present
+
+# Restart coturn server.
+require="__file/$coturn_config" __service coturn --action restart

cdist/conf/type/__coturn/parameter/boolean

@@ -0,0 +1,2 @@
+use_auth_secret
+no_tcp_relay

cdist/conf/type/__coturn/parameter/optional

@@ -0,0 +1,2 @@
+static_auth_secret
+realm

cdist/conf/type/__cron/man.rst

@@ -21,11 +21,6 @@ command
 
 OPTIONAL PARAMETERS
 -------------------
-**NOTE**: All time-related parameters (``--minute``, ``--hour``, ``--day_of_month``
-``--month`` and ``--day_of_week``) defaults to ``*``, which means to execute it
-**always**. If you set ``--hour 0`` to execute the cronjob only at midnight, it
-will execute **every** minute in the first hour of the morning all days.
-
 state
    Either present or absent. Defaults to present.
 minute

cdist/conf/type/__debconf_set_selections/explorer/state

@@ -1,142 +0,0 @@
-#!/bin/sh -e
-#
-# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-# Determine current debconf selections' state.
-# Prints one of:
-#   present: all selections are already set as they should.
-#   different: one or more of the selections have a different value.
-#   absent: one or more of the selections are not (currently) defined.
-#
-
-test -x /usr/bin/perl || {
-	# cannot find perl (no perl ~ no debconf)
-	echo 'absent'
-	exit 0
-}
-
-linesfile="${__object:?}/parameter/line"
-test -s "${linesfile}" || {
-	if test -s "${__object:?}/parameter/file"
-	then
-		echo absent
-	else
-		echo present
-	fi
-	exit 0
-}
-
-# assert __type_explorer is set (because it is used by the Perl script)
-: "${__type_explorer:?}"
-
-/usr/bin/perl -- - "${linesfile}" <<'EOF'
-use strict;
-use warnings "all";
-
-use Fcntl qw(:DEFAULT :flock);
-
-use Debconf::Db;
-use Debconf::Question;
-
-# Extract @known... arrays from debconf-set-selections
-# These values are required to distinguish flags and values in the given lines.
-# DC: I couldn't think of a more ugly solution to the problem…
-my @knownflags;
-my @knowntypes;
-my $debconf_set_selections = '/usr/bin/debconf-set-selections';
-if (-e $debconf_set_selections) {
-	my $sed_known = 's/^my \(@known\(flags\|types\) = qw([a-z ]*);\).*$/\1/p';
-	eval `sed -n '$sed_known' '$debconf_set_selections'`;
-}
-
-sub mungeline ($) {
-	my $line = shift;
-	chomp $line;
-	$line =~ s/\r$//;
-	return $line;
-}
-
-sub fatal { printf STDERR @_; exit 1; }
-
-my $state = 'present';
-
-sub state {
-	my $new = shift;
-	if ($state eq 'present'
-	    or ($state eq 'different' and $new eq 'absent')) {
-		$state = $new;
-	}
-}
-
-
-# Load Debconf DB but manually lock on the state explorer script,
-# because Debconf aborts immediately if executed concurrently.
-# This is not really an ideal solution because the Debconf DB could be locked by
-# another process (e.g. apt-get), but no way to achieve this could be found.
-# If you know how to, please provide a patch.
-my $lockfile = "%ENV{'__type_explorer'}/state";
-if (open my $lock_fh, '+<', $lockfile) {
-   flock $lock_fh, LOCK_EX or die "Cannot lock $lockfile";
-}
-{
-	Debconf::Db->load(readonly => 'true');
-}
-
-
-while (<>) {
-	# Read and process lines (taken from debconf-set-selections)
-	$_ = mungeline($_);
-	while (/\\$/ && ! eof) {
-		s/\\$//;
-		$_ .= mungeline(<>);
-	}
-	next if /^\s*$/ || /^\s*\#/;
-
-	my ($owner, $label, $type, $content) = /^\s*(\S+)\s+(\S+)\s+(\S+)(?:\s(.*))?/
-		or fatal "invalid line: %s\n", $_;
-	$content = '' unless defined $content;
-
-
-	# Compare is and should state
-	my $q = Debconf::Question->get($label);
-
-	unless (defined $q) {
-		# probably a preseed
-		state 'absent';
-		next;
-	}
-
-	if (grep { $_ eq $q->type } @knownflags) {
-		# This line wants to set a flag, presumably.
-		if ($q->flag($q->type) ne $content) {
-			state 'different';
-		}
-	} else {
-		# Otherwise, it's probably a value…
-		if ($q->value ne $content) {
-			state 'different';
-		}
-
-		unless (grep { $_ eq $owner } (split /, /, $q->owners)) {
-			state 'different';
-		}
-	}
-}
-
-printf "%s\n", $state;
-EOF

cdist/conf/type/__debconf_set_selections/gencode-remote

@@ -1,7 +1,6 @@
 #!/bin/sh -e
 #
 # 2011-2014 Nico Schottelius (nico-cdist at schottelius.org)
-# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@@ -18,37 +17,16 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
+#
+# Setup selections
+#
 
-if test -f "${__object:?}/parameter/line"
-then
-	filename="${__object:?}/parameter/line"
-elif test -s "${__object:?}/parameter/file"
-then
-	filename=$(cat "${__object:?}/parameter/file")
-	if test "${filename}" = '-'
-	then
-		filename="${__object:?}/stdin"
-	fi
-else
-	printf 'Neither --line nor --file set.\n' >&2
-	exit 1
+filename="$(cat "$__object/parameter/file")"
+
+if [ "$filename" = "-" ]; then
+    filename="$__object/stdin"
 fi
 
-# setting no lines makes no sense
-test -s "${filename}" || exit 0
-
-state_is=$(cat "${__object:?}/explorer/state")
-
-if test "${state_is}" != 'present'
-then
-	cat <<-CODE
-	debconf-set-selections <<'EOF'
-	$(cat "${filename}")
-	EOF
-	CODE
-
-	awk '
-		{
-			printf "set %s %s %s %s\n", $1, $2, $3, $4
-		}' "${filename}" >>"${__messages_out:?}"
-fi
+echo "debconf-set-selections << __file-eof"
+cat "$filename"
+echo "__file-eof"

cdist/conf/type/__debconf_set_selections/man.rst

@@ -8,33 +8,15 @@ cdist-type__debconf_set_selections - Setup debconf selections
 
 DESCRIPTION
 -----------
-On Debian and alike systems :strong:`debconf-set-selections`\ (1) can be used
+On Debian and alike systems debconf-set-selections(1) can be used
 to setup configuration parameters.
 
 
 REQUIRED PARAMETERS
 -------------------
-cf. ``--line``.
-
-
-OPTIONAL PARAMETERS
--------------------
 file
-   Use the given filename as input for :strong:`debconf-set-selections`\ (1)
-   If filename is ``-``, read from stdin.
-
-   **This parameter is deprecated, because it doesn't work with state detection.**
-line
-   A line in :strong:`debconf-set-selections`\ (1) compatible format.
-   This parameter can be used multiple times to set multiple options.
-
-   (This parameter is actually required, but marked optional because the
-   deprecated ``--file`` is still accepted.)
-
-
-BOOLEAN PARAMETERS
-------------------
-None.
+   Use the given filename as input for debconf-set-selections(1)
+   If filename is "-", read from stdin.
 
 
 EXAMPLES
@@ -42,29 +24,30 @@ EXAMPLES
 
 .. code-block:: sh
 
-    # Setup gitolite's gituser
-    __debconf_set_selections nslcd --line 'gitolite gitolite/gituser string git'
+    # Setup configuration for nslcd
+    __debconf_set_selections nslcd --file /path/to/file
 
-    # Setup configuration for nslcd from a file.
-    # NB: Multiple lines can be passed to --line, although this can be considered a hack.
-    __debconf_set_selections nslcd --line "$(cat "${__files:?}/preseed/nslcd.debconf")"
+    # Setup configuration for nslcd from another type
+    __debconf_set_selections nslcd --file "$__type/files/preseed/nslcd"
+
+    __debconf_set_selections nslcd --file - << eof
+    gitolite gitolite/gituser string git
+    eof
 
 
 SEE ALSO
 --------
-- :strong:`cdist-type__update_alternatives`\ (7)
-- :strong:`debconf-set-selections`\ (1)
+:strong:`debconf-set-selections`\ (1), :strong:`cdist-type__update_alternatives`\ (7)
 
 
 AUTHORS
 -------
-| Nico Schottelius <nico-cdist--@--schottelius.org>
-| Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
+Nico Schottelius <nico-cdist--@--schottelius.org>
 
 
 COPYING
 -------
-Copyright \(C) 2011-2014 Nico Schottelius, 2021 Dennis Camera.
-You can redistribute it and/or modify it under the terms of the GNU General
-Public License as published by the Free Software Foundation, either version 3 of
-the License, or (at your option) any later version.
+Copyright \(C) 2011-2014 Nico Schottelius. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__debconf_set_selections/manifest

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-#
-# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-__package_apt debconf

cdist/conf/type/__debconf_set_selections/parameter/deprecated/file

@@ -1 +0,0 @@
-'file' has been deprecated in favour of 'line' in order to provide idempotency.

cdist/conf/type/__debconf_set_selections/parameter/optional_multiple

@@ -1 +0,0 @@
-line

cdist/conf/type/__directory/explorer/stat

@@ -30,10 +30,10 @@ fallback() {
    gid=$(echo "$ls_line" | awk '{ print $4 }')
 
    owner=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/passwd)
-   group=$(awk -F: -v gid="$gid" '$3 == gid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
+   group=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
 
    mode_text=$(echo "$ls_line" | awk '{ print $1 }')
-   mode=$(echo "$mode_text" | awk '{for(i=8;i>=0;--i){c=substr($1,10-i,1);k+=((c~/[rwxst]/)*2^i);if(!(i%3))k+=(tolower(c)~/[lst]/)*2^(9+i/3)}printf("%04o",k)}')
+   mode=$(echo "$mode_text" | awk '{ k=0; for (i=0; i<=8; i++) k += ((substr($1, i+2, 1) ~ /[rwx]/) * 2^(8-i)); printf("%0o", k) }')
 
    printf 'type: %s\nowner: %d %s\ngroup: %d %s\nmode: %s %s\n' \
       "$("$__type_explorer/type")" \
@@ -45,27 +45,56 @@ fallback() {
 # nothing to work with, nothing we could do
 [ -e "$destination" ] || exit 0
 
-command -v stat >/dev/null 2>&1 || {
+if ! command -v stat >/dev/null
+then
    fallback
    exit
-}
+fi
 
-case $("$__explorer/os")
-in
-   freebsd|netbsd|openbsd|macosx)
-      stat -f 'type: %HT
+case $("$__explorer/os") in
+   "freebsd"|"netbsd"|"openbsd"|"macosx")
+      stat -f "type: %HT
 owner: %Du %Su
 group: %Dg %Sg
-mode: %Mp%03Lp %Sp
-' "$destination" | awk '/^type/ { print tolower($0); next } { print }'
+mode: %Lp %Sp
+" "$destination" | awk '/^type/ { print tolower($0); next } { print }'
       ;;
+    solaris)
+        ls1="$( ls -ld "$destination" )"
+        ls2="$( ls -ldn "$destination" )"
+
+        if [ -f "$__object/parameter/mode" ]
+        then mode_should="$( cat "$__object/parameter/mode" )"
+        fi
+
+        # yes, it is ugly hack, but if you know better way...
+        if [ -z "$( find "$destination" -perm "$mode_should" )" ]
+        then octets=888
+        else octets="$( echo "$mode_should" | sed 's/^0//' )"
+        fi
+
+        case "$( echo "$ls1" | cut -c1-1 )" in
+            -) echo 'type: regular file' ;;
+            d) echo 'type: directory' ;;
+        esac
+
+        echo "owner: $( echo "$ls2" \
+            | awk '{print $3}' ) $( echo "$ls1" \
+                | awk '{print $3}' )"
+
+        echo "group: $( echo "$ls2" \
+            | awk '{print $4}' ) $( echo "$ls1" \
+                | awk '{print $4}' )"
+
+        echo "mode: $octets $( echo "$ls1" | awk '{print $1}' )"
+    ;;
    *)
       # NOTE: Do not use --printf here as it is not supported by BusyBox stat.
       # NOTE: BusyBox's stat might not support the "-c" option, in which case
       #       we fall through to the shell fallback.
-      stat -c 'type: %F
+       stat -c "type: %F
 owner: %u %U
 group: %g %G
-mode: %04a %A' "$destination" 2>/dev/null || fallback
-      ;;
+mode: %a %A" "$destination" 2>/dev/null || fallback
+   ;;
 esac

cdist/conf/type/__directory/gencode-remote

@@ -3,7 +3,6 @@
 # 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
 # 2013 Steven Armstrong (steven-cdist armstrong.cc)
 # 2014 Daniel Heule (hda at sfs.biz)
-# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@@ -22,8 +21,8 @@
 #
 
 destination="/$__object_id"
-state_should=$(cat "$__object/parameter/state")
-type=$(cat "$__object/explorer/type")
+state_should="$(cat "$__object/parameter/state")"
+type="$(cat "$__object/explorer/type")"
 stat_file="$__object/explorer/stat"
 
 # variable to keep track if we have to set directory attributes
@@ -73,7 +72,7 @@ set_mode() {
 }
 
 case "$state_should" in
-   present|exists)
+   present)
       if [ "$type" != "directory" ]; then
          set_attributes=1
          if [ "$type" != "none" ]; then
@@ -84,10 +83,6 @@ case "$state_should" in
          fi
          echo "mkdir $mkdiropt '$destination'"
          echo "create" >> "$__messages_out"
-      elif [ "$state_should" = 'exists' ]; then
-         # The type is directory and --state exists. We are done and do not
-         # check or set the attributes.
-         exit 0
       fi
 
       # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
@@ -97,11 +92,9 @@ case "$state_should" in
             value_should="$(cat "$__object/parameter/$attribute")"
             value_is="$(get_current_value "$attribute" "$value_should")"
 
-            # format mode in four digits => same as stat returns
+            # change 0xxx format to xxx format => same as stat returns
             if [ "$attribute" = mode ]; then
-                # Convert to four-digit octal number (printf interprets
-                # strings with leading 0s as octal!)
-                value_should=$(printf '%04o' "0${value_should}")
+                value_should="$(echo "$value_should" | sed 's/^0\(...\)/\1/')"
             fi
 
             if [ "$set_attributes" = 1 ] || [ "$value_should" != "$value_is" ]; then
@@ -110,26 +103,6 @@ case "$state_should" in
          fi
       done
    ;;
-   pre-exists)
-      case $type in
-         directory)
-            # all good
-            exit 0
-         ;;
-         none)
-            printf 'Directory "%s" does not exist\n' "$destination" >&2
-            exit 1
-         ;;
-         file|symlink)
-            printf 'File "%s" exists and is a %s, but should be a directory\n' "$destination" "$type" >&2
-            exit 1
-         ;;
-         *)
-            printf 'File or directory "%s" is in an unknown state\n' "$destination" >&2
-            exit 1
-         ;;
-      esac
-   ;;
    absent)
         if [ "$type" = "directory" ]; then
             echo "rm -rf '$destination'"

cdist/conf/type/__directory/man.rst

@@ -19,18 +19,7 @@ None.
 OPTIONAL PARAMETERS
 -------------------
 state
-   'present', 'absent', 'exists' or 'pre-exists', defaults to 'present' where:
-
-   present
-      the directory exists and the given attributes are set.
-   absent
-      the directory does not exist.
-   exists
-      the directory exists, but its attributes are not altered if it already
-      existed.
-   pre-exists
-      check that the directory exists and is indeed a directory, but do not
-      create or modify it.
+   'present' or 'absent', defaults to 'present'
 
 group
    Group to chgrp to.
@@ -47,7 +36,7 @@ BOOLEAN PARAMETERS
 parents
    Whether to create parents as well (mkdir -p behaviour).
    Warning: all intermediate directory permissions default
-   to whatever mkdir -p does.
+   to whatever mkdir -p does. 
 
    Usually this means root:root, 0700.
 

cdist/conf/type/__dot_file/man.rst

@@ -25,9 +25,6 @@ user
 OPTIONAL PARAMETERS
 -------------------
 
-dirmode
-    forwarded to :strong:`__directory` type as mode
-
 mode
     forwarded to :strong:`__file` type
 
@@ -37,12 +34,6 @@ state
 source
     forwarded to :strong:`__file` type
 
-file
-    forwarded to :strong:`__file` type
-    This can be used if multiple users need to have a dotfile updated,
-    which will result in duplicate object id errors. When using the
-    file parameter the object id can be some unique value.
-
 MESSAGES
 --------
 
@@ -67,15 +58,6 @@ EXAMPLES
     # Install default xmonad config for user 'eve'. Parent directory is created automatically.
     __dot_file .xmonad/xmonad.hs --user eve --state exists --source "$__files/xmonad.hs"
 
-    # install .vimrc for root and some users
-    for user in root userx usery userz; do
-        __dot_file "${user}_dot_vimrc" \
-            --user $user \
-            --file .vimrc \
-            --state exists \
-            --source "$__files/$user/.vimrc"
-    done
-
 SEE ALSO
 --------
 

cdist/conf/type/__dot_file/manifest

@@ -19,20 +19,13 @@ set -eu
 user="$(cat "${__object}/parameter/user")"
 home="$(cat "${__object}/explorer/home")"
 primary_group="$(cat "${__object}/explorer/primary_group")"
-dirmode="$(cat "${__object}/parameter/dirmode")"
-if [ -f "${__object}/parameter/file" ]; then
-    file="$(cat "${__object}/parameter/file")"
-else
-    file="${__object_id}"
-fi
-
 
 # Create parent directory. Type __directory has flag 'parents', but it
 # will leave us with root-owned directory in user home, which is not
 # acceptable. So we create parent directories one-by-one. XXX: maybe
 # it should be fixed in '__directory'?
 set --
-subpath=${file}
+subpath=${__object_id}
 while subpath="$(dirname "${subpath}")" ; do
 	[ "${subpath}" = . ] && break
 	set -- "${subpath}" "$@"
@@ -43,7 +36,6 @@ export CDIST_ORDER_DEPENDENCY
 for dir ; do
 	__directory "${home}/${dir}"   \
 	    --group "${primary_group}" \
-            --mode "${dirmode}" \
 	    --owner "${user}"
 done
 
@@ -70,4 +62,4 @@ if [ "${source}" = "-" ] ; then
 fi
 unset source
 
-__file "${home}/${file}" --owner "$user" --group "$primary_group" "$@"
+__file "${home}/${__object_id}" --owner "$user" --group "$primary_group" "$@"

cdist/conf/type/__dot_file/parameter/default/dirmode

@@ -1 +0,0 @@
-0700

cdist/conf/type/__dot_file/parameter/optional

@@ -1,4 +1,3 @@
 state
 mode
 source
-dirmode

cdist/conf/type/__download/explorer/remote_cmd_get

@@ -1,16 +0,0 @@
-#!/bin/sh -e
-
-if [ -f "$__object/parameter/cmd-get" ]
-then
-    cat "$__object/parameter/cmd-get"
-elif
-    command -v curl > /dev/null
-then
-    echo "curl -sSL -o - '%s'"
-elif
-    command -v fetch > /dev/null
-then
-    echo "fetch -o - '%s'"
-else
-    echo "wget -O - '%s'"
-fi

cdist/conf/type/__download/explorer/remote_cmd_sum

@@ -1,82 +0,0 @@
-#!/bin/sh -e
-
-if [ ! -f "$__object/parameter/sum" ]
-then
-    exit 0
-fi
-
-if [ -f "$__object/parameter/cmd-sum" ]
-then
-    cat "$__object/parameter/cmd-sum"
-    exit 0
-fi
-
-sum_should="$( cat "$__object/parameter/sum" )"
-
-if echo "$sum_should" | grep -Fq ':'
-then
-    sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
-else
-    if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
-    then
-        sum_hash='cksum'
-    elif
-        echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
-    then
-        sum_hash='md5'
-    elif
-        echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
-    then
-        sum_hash='sha1'
-    elif
-        echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
-    then
-        sum_hash='sha256'
-    else
-        echo 'hash format detection failed' >&2
-        exit 1
-    fi
-fi
-
-os="$( "$__explorer/os" )"
-
-case "$sum_hash" in
-    cksum)
-        echo "cksum %s | awk '{print \$1\" \"\$2}'"
-    ;;
-    md5)
-        case "$os" in
-            freebsd)
-                echo "md5 -q %s"
-            ;;
-            *)
-                echo "md5sum %s | awk '{print \$1}'"
-            ;;
-        esac
-    ;;
-    sha1)
-        case "$os" in
-            freebsd)
-                echo "sha1 -q %s"
-            ;;
-            *)
-                echo "sha1sum %s | awk '{print \$1}'"
-            ;;
-        esac
-    ;;
-    sha256)
-        case "$os" in
-            freebsd)
-                echo "sha256 -q %s"
-            ;;
-            *)
-                echo "sha256sum %s | awk '{print \$1}'"
-            ;;
-        esac
-    ;;
-    *)
-        # we arrive here only if --sum is given with unknown format prefix
-        echo "unknown hash format: $sum_hash" >&2
-        exit 1
-    ;;
-esac

cdist/conf/type/__download/explorer/state

@@ -1,45 +0,0 @@
-#!/bin/sh -e
-
-if [ -f "$__object/parameter/destination" ]
-then
-    dst="$( cat "$__object/parameter/destination" )"
-else
-    dst="/$__object_id"
-fi
-
-if [ ! -f "$dst" ]
-then
-    echo 'absent'
-    exit 0
-fi
-
-if [ ! -f "$__object/parameter/sum" ]
-then
-    echo 'present'
-    exit 0
-fi
-
-sum_should="$( cat "$__object/parameter/sum" )"
-
-if echo "$sum_should" | grep -Fq ':'
-then
-    sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
-fi
-
-sum_cmd="$( "$__type_explorer/remote_cmd_sum" )"
-
-# shellcheck disable=SC2059
-sum_is="$( eval "$( printf "$sum_cmd" "'$dst'" )" )"
-
-if [ -z "$sum_is" ]
-then
-    echo 'existing destination checksum failed' >&2
-    exit 1
-fi
-
-if [ "$sum_is" = "$sum_should" ]
-then
-    echo 'present'
-else
-    echo 'mismatch'
-fi

cdist/conf/type/__download/gencode-local

@@ -1,155 +0,0 @@
-#!/bin/sh -e
-
-download="$( cat "$__object/parameter/download" )"
-
-state_is="$( cat "$__object/explorer/state" )"
-
-if [ "$download" != 'local' ] || [ "$state_is" = 'present' ]
-then
-    exit 0
-fi
-
-url="$( cat "$__object/parameter/url" )"
-
-if [ -f "$__object/parameter/destination" ]
-then
-    dst="$( cat "$__object/parameter/destination" )"
-else
-    dst="/$__object_id"
-fi
-
-if [ -f "$__object/parameter/cmd-get" ]
-then
-    cmd="$( cat "$__object/parameter/cmd-get" )"
-
-elif command -v curl > /dev/null
-then
-    cmd="curl -sSL -o - '%s'"
-
-elif command -v fetch > /dev/null
-then
-    cmd="fetch -o - '%s'"
-
-elif command -v wget > /dev/null
-then
-    cmd="wget -O - '%s'"
-
-else
-    echo 'local download failed, no usable utility' >&2
-    exit 1
-fi
-
-echo "download_tmp=\"\$( mktemp )\""
-
-# shellcheck disable=SC2059
-printf "$cmd > \"\$download_tmp\"\n" "$url"
-
-if [ -f "$__object/parameter/sum" ]
-then
-    sum_should="$( cat "$__object/parameter/sum" )"
-
-    if [ -f "$__object/parameter/cmd-sum" ]
-    then
-        local_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
-    else
-        if echo "$sum_should" | grep -Fq ':'
-        then
-            sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
-
-            sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
-        else
-            if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
-            then
-                sum_hash='cksum'
-            elif
-                echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
-            then
-                sum_hash='md5'
-            elif
-                echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
-            then
-                sum_hash='sha1'
-            elif
-                echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
-            then
-                sum_hash='sha256'
-            else
-                echo 'hash format detection failed' >&2
-                exit 1
-            fi
-        fi
-
-        case "$sum_hash" in
-            cksum)
-                local_cmd_sum="cksum %s | awk '{print \$1\" \"\$2}'"
-            ;;
-            md5)
-                if command -v md5 > /dev/null
-                then
-                    local_cmd_sum="md5 -q %s"
-                elif
-                    command -v md5sum > /dev/null
-                then
-                    local_cmd_sum="md5sum %s | awk '{print \$1}'"
-                fi
-            ;;
-            sha1)
-                if command -v sha1 > /dev/null
-                then
-                    local_cmd_sum="sha1 -q %s"
-                elif
-                    command -v sha1sum > /dev/null
-                then
-                    local_cmd_sum="sha1sum %s | awk '{print \$1}'"
-                fi
-            ;;
-            sha256)
-                if command -v sha256 > /dev/null
-                then
-                    local_cmd_sum="sha256 -q %s"
-                elif
-                    command -v sha256sum > /dev/null
-                then
-                    local_cmd_sum="sha256sum %s | awk '{print \$1}'"
-                fi
-            ;;
-            *)
-                # we arrive here only if --sum is given with unknown format prefix
-                echo "unknown hash format: $sum_hash" >&2
-                exit 1
-            ;;
-        esac
-
-        if [ -z "$local_cmd_sum" ]
-        then
-            echo 'local checksum verification failed, no usable utility' >&2
-            exit 1
-        fi
-    fi
-
-    # shellcheck disable=SC2059
-    echo "sum_is=\"\$( $( printf "$local_cmd_sum" "\"\$download_tmp\"" ) )\""
-
-    echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
-
-    echo "echo 'local download checksum mismatch' >&2"
-
-    echo "rm -f \"\$download_tmp\""
-
-    echo 'exit 1; fi'
-fi
-
-if echo "$__target_host" | grep -Eq '^[0-9a-fA-F:]+$'
-then
-    target_host="[$__target_host]"
-else
-    target_host="$__target_host"
-fi
-
-# shellcheck disable=SC2016
-printf '%s "$download_tmp" %s:%s\n' \
-    "$__remote_copy" \
-    "$target_host" \
-    "$dst"
-
-echo "rm -f \"\$download_tmp\""

cdist/conf/type/__download/gencode-remote

@@ -1,59 +0,0 @@
-#!/bin/sh -e
-
-download="$( cat "$__object/parameter/download" )"
-
-state_is="$( cat "$__object/explorer/state" )"
-
-if [ "$download" = 'remote' ] && [ "$state_is" != 'present' ]
-then
-    cmd_get="$( cat "$__object/explorer/remote_cmd_get" )"
-
-    url="$( cat "$__object/parameter/url" )"
-
-    if [ -f "$__object/parameter/destination" ]
-    then
-        dst="$( cat "$__object/parameter/destination" )"
-    else
-        dst="/$__object_id"
-    fi
-
-    echo "download_tmp=\"\$( mktemp )\""
-
-    # shellcheck disable=SC2059
-    printf "$cmd_get > \"\$download_tmp\"\n" "$url"
-
-    if [ -f "$__object/parameter/sum" ]
-    then
-        sum_should="$( cat "$__object/parameter/sum" )"
-
-        if [ -f "$__object/parameter/cmd-sum" ]
-        then
-            remote_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
-        else
-            remote_cmd_sum="$( cat "$__object/explorer/remote_cmd_sum" )"
-
-            if echo "$sum_should" | grep -Fq ':'
-            then
-                sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
-            fi
-        fi
-
-        # shellcheck disable=SC2059
-        echo "sum_is=\"\$( $( printf "$remote_cmd_sum" "\"\$download_tmp\"" ) )\""
-
-        echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
-
-        echo "echo 'remote download checksum mismatch' >&2"
-
-        echo "rm -f \"\$download_tmp\""
-
-        echo 'exit 1; fi'
-    fi
-
-    echo "mv \"\$download_tmp\" '$dst'"
-fi
-
-if [ -f "$__object/parameter/onchange" ] && [ "$state_is" != "present" ]
-then
-    cat "$__object/parameter/onchange"
-fi

cdist/conf/type/__download/man.rst

@@ -1,101 +0,0 @@
-cdist-type__download(7)
-=======================
-
-NAME
-----
-cdist-type__download - Download a file
-
-
-DESCRIPTION
------------
-By default type will try to use ``curl``, ``fetch`` or ``wget``.
-If download happens in target (see ``--download``) then type will
-fallback to (and install) ``wget``.
-
-If download happens in local machine, then environment variables like
-``{http,https,ftp}_proxy`` etc can be used on cdist execution
-(``http_proxy=foo cdist config ...``).
-
-To change downloaded file's owner, group or permissions, use ``require='__download/path/to/file' __file ...``.
-
-
-REQUIRED PARAMETERS
--------------------
-url
-   File's URL.
-
-
-OPTIONAL PARAMETERS
--------------------
-destination
-   Downloaded file's destination in target. If unset, ``$__object_id`` is used.
-
-sum
-   Supported formats: ``cksum`` output without file name, MD5, SHA1 and SHA256.
-
-   Type tries to detect hash format with regexes, but prefixes
-   ``cksum:``, ``md5:``, ``sha1:`` and ``sha256:`` are also supported.
-
-   Checksum have two purposes - state check and post-download verification.
-   In state check, if destination checksum mismatches, then content of URL
-   will be downloaded to temporary file. If downloaded temporary file's
-   checksum matches, then it will be moved to destination (overwritten).
-
-   For local downloads it is expected that usable utilities for checksum
-   calculation exist in the system.
-
-download
-   If ``local`` (default), then file is downloaded to local storage and copied
-   to target host. If ``remote``, then download happens in target.
-
-   For local downloads it is expected that usable utilities for downloading
-   exist in the system. Type will try to use ``curl``, ``fetch`` or ``wget``.
-
-cmd-get
-   Command used for downloading.
-   Command must output to ``stdout``.
-   Parameter will be used for ``printf`` and must include only one
-   format specification ``%s`` which will become URL.
-   For example: ``wget -O - '%s'``.
-
-cmd-sum
-   Command used for checksum calculation.
-   Command output and ``--sum`` parameter must match.
-   Parameter will be used for ``printf`` and must include only one
-   format specification ``%s`` which will become destination.
-   For example: ``md5sum '%s' | awk '{print $1}'``.
-
-onchange
-   Execute this command after download.
-
-
-EXAMPLES
---------
-
-.. code-block:: sh
-
-    __directory /opt/cpma
-
-    require='__directory/opt/cpma' \
-        __download /opt/cpma/cnq3.zip \
-            --url https://cdn.playmorepromode.com/files/cnq3/cnq3-1.51.zip \
-            --sum 46da3021ca9eace277115ec9106c5b46
-
-    require='__download/opt/cpma/cnq3.zip' \
-        __unpack /opt/cpma/cnq3.zip \
-            --backup-destination \
-            --preserve-archive \
-            --destination /opt/cpma/server
-
-
-AUTHORS
--------
-Ander Punnar <ander-at-kvlt-dot-ee>
-
-
-COPYING
--------
-Copyright \(C) 2021 Ander Punnar. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.

cdist/conf/type/__download/manifest

@@ -1,6 +0,0 @@
-#!/bin/sh -e
-
-if grep -Eq '^wget' "$__object/explorer/remote_cmd_get"
-then
-    __package wget
-fi

cdist/conf/type/__download/parameter/default/download

@@ -1 +0,0 @@
-local

cdist/conf/type/__download/parameter/optional

@@ -1,6 +0,0 @@
-cmd-get
-cmd-sum
-destination
-download
-onchange
-sum