Support Added for Debian 10* in __letsencrypt_cert

++changelog
Merge branch 'unquote-os-release' into 'master'
2019-10-04 14:13:10 +05:00 · 2019-10-03 20:36:25 +02:00 · 2019-10-03 20:32:28 +02:00 · 2019-10-03 18:30:52 +02:00 · 2019-10-03 07:56:36 +02:00 · 2019-10-03 07:55:14 +02:00
242 changed files with 13170 additions and 1751 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -4,3 +4,5 @@
 docs/speeches export-ignore
 docs/video export-ignore
 docs/src/man7 export-ignore
 bin/build-helper export-ignore
 README-maintainers export-ignore
--- a/.gitignore
+++ b/.gitignore
@ -12,6 +12,7 @@ Session.vim
 # Temporary
 .netrwhist
 *~
 *.tmp
 # Auto-generated tag files
 tags
 # Persistent undo
@ -43,6 +44,7 @@ _build/
 docs/dist
 # Ignore temp files used for signing
 cdist-*.tar
 cdist-*.tar.gz
 cdist-*.tar.gz.asc
--- a/216
+++ b/216
@ -18,36 +18,30 @@
 #
 #
-helper=./bin/build-helper
+.PHONY: help
 help:
 	@echo "Please use \`make <target>' where <target> is one of"
 	@echo "man             build only man user documentation"
 	@echo "html            build only html user documentation"
 	@echo "docs            build both man and html user documentation"
 	@echo "dotman          build man pages for types in your ~/.cdist directory"
 	@echo "speeches        build speeches pdf files"
 	@echo "install         install in the system site-packages directory"
 	@echo "install-user    install in the user site-packages directory"
 	@echo "docs-clean      clean documentation"
 	@echo "clean           clean"
-DOCS_SRC_DIR=docs/src
+DOCS_SRC_DIR=./docs/src
-SPEECHDIR=docs/speeches
+SPEECHDIR=./docs/speeches
-TYPEDIR=cdist/conf/type
+TYPEDIR=./cdist/conf/type
 WEBSRCDIR=docs/web
 WEBDIR=$$HOME/vcs/www.nico.schottelius.org
 WEBBLOG=$(WEBDIR)/blog
 WEBBASE=$(WEBDIR)/software/cdist
 WEBPAGE=$(WEBBASE).mdwn
 CHANGELOG_VERSION=$(shell $(helper) changelog-version)
 CHANGELOG_FILE=docs/changelog
 PYTHON_VERSION=cdist/version.py
 SPHINXM=make -C $(DOCS_SRC_DIR) man
 SPHINXH=make -C $(DOCS_SRC_DIR) html
 SPHINXC=make -C $(DOCS_SRC_DIR) clean
 SHELLCHECKCMD=shellcheck -s sh -f gcc -x
 # Skip SC2154 for variables starting with __ since such variables are cdist
 # environment variables.
 SHELLCHECK_SKIP=grep -v ': __.*is referenced but not assigned.*\[SC2154\]'
 ################################################################################
 # Manpages
 #
 MAN1DSTDIR=$(DOCS_SRC_DIR)/man1
 MAN7DSTDIR=$(DOCS_SRC_DIR)/man7
 # Manpages #1: Types
@ -69,11 +63,16 @@ DOCSREFSH=$(DOCS_SRC_DIR)/cdist-reference.rst.sh
 $(DOCSREF): $(DOCSREFSH)
 	$(DOCSREFSH)
 version:
 	@[ -f "cdist/version.py" ] || { \
 		printf "Missing 'cdist/version.py', please generate it first.\n" && exit 1; \
 	}
 # Manpages #3: generic part
-man: $(MANTYPES) $(DOCSREF) $(PYTHON_VERSION)
+man: version $(MANTYPES) $(DOCSREF)
 	$(SPHINXM)
-html: $(MANTYPES) $(DOCSREF) $(PYTHON_VERSION)
+html: version $(MANTYPES) $(DOCSREF)
 	$(SPHINXH)
 docs: man html
@ -81,24 +80,6 @@ docs: man html
 docs-clean:
 	$(SPHINXC)
 # Manpages #5: release part
 MANWEBDIR=$(WEBBASE)/man/$(CHANGELOG_VERSION)
 HTMLBUILDDIR=docs/dist/html
 docs-dist: html
 	rm -rf "${MANWEBDIR}"
 	mkdir -p "${MANWEBDIR}"
 	# mkdir -p "${MANWEBDIR}/man1" "${MANWEBDIR}/man7"
 	# cp ${MAN1DSTDIR}/*.html ${MAN1DSTDIR}/*.css ${MANWEBDIR}/man1
 	# cp ${MAN7DSTDIR}/*.html ${MAN7DSTDIR}/*.css ${MANWEBDIR}/man7
 	cp -R ${HTMLBUILDDIR}/* ${MANWEBDIR}
 	cd ${MANWEBDIR} && git add . && git commit -m "cdist manpages update: $(CHANGELOG_VERSION)" || true
 man-latest-link: web-pub
 	# Fix ikiwiki, which does not like symlinks for pseudo security
 	ssh staticweb.ungleich.ch \
 		"cd /home/services/www/nico/nico.schottelius.org/www/software/cdist/man/ && rm -f latest && ln -sf "$(CHANGELOG_VERSION)" latest"
 # Manpages: .cdist Types
 DOT_CDIST_PATH=${HOME}/.cdist
 DOTMAN7DSTDIR=$(MAN7DSTDIR)
@ -111,8 +92,7 @@ DOTMANTYPES=$(subst /man.rst,.rst,$(DOTMANTYPEPREFIX))
 $(DOTMAN7DSTDIR)/cdist-type%.rst: $(DOTTYPEDIR)/%/man.rst
 	ln -sf "$^" $@
-# Manpages #3: generic part
+dotman: version $(DOTMANTYPES)
 dotman: $(DOTMANTYPES)
 	$(SPHINXM)
 ################################################################################
@ -120,7 +100,6 @@ dotman: $(DOTMANTYPES)
 #
 SPEECHESOURCES=$(SPEECHDIR)/*.tex
 SPEECHES=$(SPEECHESOURCES:.tex=.pdf)
 SPEECHESWEBDIR=$(WEBBASE)/speeches
 # Create speeches and ensure Toc is up-to-date
 $(SPEECHDIR)/%.pdf: $(SPEECHDIR)/%.tex
@ -130,157 +109,26 @@ $(SPEECHDIR)/%.pdf: $(SPEECHDIR)/%.tex
 speeches: $(SPEECHES)
 speeches-dist: speeches
 	rm -rf "${SPEECHESWEBDIR}"
 	mkdir -p "${SPEECHESWEBDIR}"
 	cp ${SPEECHES} "${SPEECHESWEBDIR}"
 	cd ${SPEECHESWEBDIR} && git add . && git commit -m "cdist speeches updated" || true
 ################################################################################
-# Website
+# Misc
 #
-
+clean: docs-clean
 BLOGFILE=$(WEBBLOG)/cdist-$(CHANGELOG_VERSION)-released.mdwn
 $(BLOGFILE): $(CHANGELOG_FILE)
 	$(helper) blog $(CHANGELOG_VERSION) $(BLOGFILE)
 web-blog: $(BLOGFILE)
 web-doc:
 	# Go to top level, because of cdist.mdwn
 	rsync -av "$(WEBSRCDIR)/" "${WEBBASE}/.."
 	cd "${WEBBASE}/.." && git add cdist* && git commit -m "cdist doc update" cdist* || true
 web-dist: web-blog web-doc
 web-pub: web-dist docs-dist speeches-dist
 	cd "${WEBDIR}" && make pub
 web-release-all: man-latest-link
 web-release-all-no-latest: web-pub
 ################################################################################
 # Release: Mailinglist
 #
 ML_FILE=.lock-ml
 # Only send mail once - lock until new changelog things happened
 $(ML_FILE): $(CHANGELOG_FILE)
 	$(helper) ml-release $(CHANGELOG_VERSION)
 	touch $@
 ml-release: $(ML_FILE)
 ################################################################################
 # pypi
 #
 PYPI_FILE=.pypi-release
 $(PYPI_FILE): man $(PYTHON_VERSION)
 	python3 setup.py sdist upload
 	touch $@
 pypi-release: $(PYPI_FILE)
 ################################################################################
 # archlinux
 #
 ARCHLINUX_FILE=.lock-archlinux
 ARCHLINUXTAR=cdist-$(CHANGELOG_VERSION)-1.src.tar.gz
 $(ARCHLINUXTAR): PKGBUILD
 	umask 022; mkaurball
 PKGBUILD: PKGBUILD.in $(PYTHON_VERSION)
 	./PKGBUILD.in $(CHANGELOG_VERSION)
 $(ARCHLINUX_FILE): $(ARCHLINUXTAR) $(PYTHON_VERSION)
 	burp -c system $(ARCHLINUXTAR)
 	touch $@
 archlinux-release: $(ARCHLINUX_FILE)
 ################################################################################
 # Release
 #
 $(PYTHON_VERSION) version: .git/refs/heads/master
 	$(helper) version
 # Code that is better handled in a shell script
 check-%:
 	$(helper) $@
 release:
 	$(helper) $@
 ################################################################################
 # Cleanup
 #
 clean:
 	rm -f $(DOCS_SRC_DIR)/cdist-reference.rst
 	find "$(DOCS_SRC_DIR)" -mindepth 2 -type l \
 	| xargs rm -f
 	make -C $(DOCS_SRC_DIR) clean
 	find * -name __pycache__  | xargs rm -rf
-	# Archlinux
+	# distutils
-	rm -f cdist-*.pkg.tar.xz cdist-*.tar.gz
+	rm -rf ./build
 	rm -rf pkg/ src/
 	rm -f MANIFEST PKGBUILD
 	rm -rf dist/
 	# Signed release
 	rm -f cdist-*.tar.gz
 	rm -f cdist-*.tar.gz.asc
 distclean: clean
 	rm -f cdist/version.py
 ################################################################################
-# Misc
+# install
 #
-# The pub is Nico's "push to all git remotes" way ("make pub")
+install:
-pub:
+	python3 setup.py install
 	git push --mirror
-test:
+install-user:
-	$(helper) $@
+	python3 setup.py install --user
 test-remote:
 	$(helper) $@
 pycodestyle pep8:
 	$(helper) $@
 shellcheck-global-explorers:
 	@find cdist/conf/explorer -type f -exec $(SHELLCHECKCMD) {} + | $(SHELLCHECK_SKIP) || exit 0
 shellcheck-type-explorers:
 	@find cdist/conf/type -type f -path "*/explorer/*" -exec $(SHELLCHECKCMD) {} + | $(SHELLCHECK_SKIP) || exit 0
 shellcheck-manifests:
 	@find cdist/conf/type -type f -name manifest -exec $(SHELLCHECKCMD) {} + | $(SHELLCHECK_SKIP) || exit 0
 shellcheck-local-gencodes:
 	@find cdist/conf/type -type f -name gencode-local -exec $(SHELLCHECKCMD) {} + | $(SHELLCHECK_SKIP) || exit 0
 shellcheck-remote-gencodes:
 	@find cdist/conf/type -type f -name gencode-remote -exec $(SHELLCHECKCMD) {} + | $(SHELLCHECK_SKIP) || exit 0
 shellcheck-gencodes: shellcheck-local-gencodes shellcheck-remote-gencodes
 shellcheck-types: shellcheck-type-explorers shellcheck-manifests shellcheck-gencodes
 shellcheck: shellcheck-global-explorers shellcheck-types
 shellcheck-type-files:
 	@find cdist/conf/type -type f -path "*/files/*" -exec $(SHELLCHECKCMD) {} + | $(SHELLCHECK_SKIP) || exit 0
 shellcheck-with-files: shellcheck shellcheck-type-files
--- a/PKGBUILD.in
+++ b/PKGBUILD.in
@ -9,7 +9,7 @@ pkgver=$version
 pkgrel=1
 pkgdesc='A Usable Configuration Management System"'
 arch=('any')
-url='http://www.nico.schottelius.org/software/cdist/'
+url='https://www.cdi.st/'
 license=('GPL3')
 depends=('python>=3.2.0')
 source=("http://pypi.python.org/packages/source/c/cdist/cdist-\${pkgver}.tar.gz")
--- a/3
+++ b/3
@ -3,4 +3,5 @@ cdist
 cdist is a usable configuration management system.
-For the web documentation have a look at docs/web/.
+For the web documentation have a look at https://www.cdi.st/
 or at docs/src for reStructuredText manual.
--- a/4
+++ b/4
@ -0,0 +1,4 @@
 Maintainers should use ./bin/build-helper script.
 Makefile is intended for end users. It can be used for non-maintaining
 targets that can be run from pure source (without git repository).
--- a/bin/build-helper
+++ b/bin/build-helper
@ -1,6 +1,7 @@
 #!/bin/sh
 #
 # 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
 # 2016-2019 Darko Poljak (darko.poljak at gmail.com)
 #
 # This file is part of cdist.
 #
@ -18,17 +19,66 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
-# This file contains the heavy lifting found usually in the Makefile
+# This file contains the heavy lifting found usually in the Makefile.
 #
-basedir=${0%/*}/../
+usage() {
-# Change to checkout directory
+    printf "usage: %s TARGET [TARGET-ARGS...]
-cd "$basedir"
+    Available targets:
        changelog-changes
        changelog-version
        check-date
        check-unittest
        ml-release
        archlinux-release
        pypi-release
        release-git-tag
        sign-git-release
        release
        test
        test-remote
        pycodestyle
        pep8
        check-pycodestyle
        shellcheck-global-explorers
        shellcheck-type-explorers
        shellcheck-manifests
        shellcheck-local-gencodes
        shellcheck-remote-gencodes
        shellcheck-scripts
        shellcheck-gencodes
        shellcheck-types
        shellcheck
        shellcheck-type-files
        shellcheck-with-files
        shellcheck-build-helper
        check-shellcheck
        version-branch
        version
        target-version
        clean
        distclean\n" "$1"
 }
-version=$(git describe)
+basename="${0##*/}"
 if [ $# -lt 1 ]
 then
    usage "${basename}"
    exit 1
 fi
 option=$1; shift
 SHELLCHECKCMD="shellcheck -s sh -f gcc -x"
 # Skip SC2154 for variables starting with __ since such variables are cdist
 # environment variables.
 SHELLCHECK_SKIP=': __.*is referenced but not assigned.*\[SC2154\]'
 # Change to checkout directory
 basedir="${0%/*}/../"
 cd "$basedir"
 case "$option" in
    changelog-changes)
        if [ "$#" -eq 1 ]; then
@ -66,8 +116,8 @@ case "$option" in
        date_changelog=$(grep '^[[:digit:]]' "$basedir/docs/changelog" | head -n1 | sed 's/.*: //')
        if [ "$date_today" != "$date_changelog" ]; then
-            echo "Date in changelog is not today"
+            printf "Date in changelog is not today\n"
-            echo "Changelog: $date_changelog"
+            printf "Changelog date: %s\n" "${date_changelog}"
            exit 1
        fi
    ;;
@ -76,54 +126,17 @@ case "$option" in
        "$0" test
    ;;
    blog)
        version=$1; shift
        blogfile=$1; shift
        dir=${blogfile%/*}
        file=${blogfile##*/}
        cat << eof > "$blogfile"
 [[!meta title="Cdist $version released"]]
 Here's a short overview about the changes found in version ${version}:
 eof
        $0 changelog-changes "$version" >> "$blogfile"
        cat << eof >> "$blogfile"
 For more information visit the [[cdist homepage|software/cdist]].
 [[!tag cdist config unix]]
 eof
        cd "$dir"
        git add "$file"
        # Allow git commit to fail if there are no changes
        git commit -m "cdist blog update: $version" "$blogfile" || true
    ;;
    ml-release)
        if [ $# -ne 1 ]; then
-            echo "$0 ml-release version" >&2
+            printf "%s ml-release version\n" "$0" >&2
            exit 1
        fi
        version=$1; shift
        to_a=cdist
        to_d=l.schottelius.org
        to=${to_a}@${to_d}
        from_a=nico-cdist
        from_d=schottelius.org
        from=${from_a}@${from_d}
        ( 
        cat << eof
-From: Nico -telmich- Schottelius <$from>
+Subject: cdist $version has been released
 To: cdist mailing list <$to>
 Subject: cdist $version released
 Hello .*,
@ -134,25 +147,41 @@ eof
        "$0" changelog-changes "$version"
        cat << eof
 Cheers,
 Nico
 -- 
 Automatisation at its best level. With cdist.
 eof
-        ) | /usr/sbin/sendmail -f "$from" "$to"
+        ) > mailinglist.tmp
    ;;
    archlinux-release)
        if [ $# -ne 1 ]; then
            printf "%s archlinux-release version\n" "$0" >&2
            exit 1
        fi
        version=$1; shift
        ARCHLINUXTAR="cdist-${version}-1.src.tar.gz"
        ./PKGBUILD.in "${version}"
        umask 022
        mkaurball
        burp -c system "${ARCHLINUXTAR}"
    ;;
    pypi-release)
        # Ensure that pypi release has the right version
        "$0" version
        make docs-clean
        make docs
        python3 setup.py sdist upload
    ;;
    release-git-tag)
        target_version=$($0 changelog-version)
-        if git rev-parse --verify refs/tags/$target_version 2>/dev/null; then
+        if git rev-parse --verify "refs/tags/${target_version}" 2>/dev/null; then
-            echo "Tag for $target_version exists, aborting"
+            printf "Tag for %s exists, aborting\n" "${target_version}"
            exit 1
        fi
-        printf "Enter tag description for ${target_version}: "
+        printf "Enter tag description for %s: " "${target_version}"
-        read tagmessage
+        read -r tagmessage
        # setup for signed tags:
        # gpg --fulL-gen-key
@ -170,7 +199,8 @@ eof
        # gpg --verify <asc-file> <file>
        # gpg --no-default-keyring --keyring <pubkey.gpg> --verify <asc-file> <file>
        # Ensure gpg-agent is running.
-        export GPG_TTY=$(tty)
+        GPG_TTY=$(tty)
        export GPG_TTY
        gpg-agent
        git tag -s "$target_version" -m "$tagmessage"
@ -180,14 +210,14 @@ eof
    sign-git-release)
        if [ $# -lt 2 ]
        then
-            printf "usage: $0 sign-git-release TAG TOKEN [ARCHIVE]\n"
+            printf "usage: %s sign-git-release TAG TOKEN [ARCHIVE]\n" "$0"
            printf "    if ARCHIVE is not specified then it is created\n"
            exit 1
        fi
        tag="$1"
        if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1
        then
-            printf "Tag \"${tag}\" not found.\n"
+            printf "Tag \"%s\" not found.\n" "${tag}"
            exit 1
        fi
        token="$2"
@ -195,40 +225,49 @@ eof
        then
            archivename="$3"
        else
-            archivename="cdist-${tag}.tar.gz"
+            archivename="cdist-${tag}.tar"
            git archive --prefix="cdist-${tag}/" -o "${archivename}" "${tag}" \
                || exit 1
            # make sure target version is generated
            "$0" target-version
            tar -x -f "${archivename}" || exit 1
            cp cdist/version.py "cdist-${tag}/cdist/version.py" || exit 1
            tar -c -f "${archivename}" "cdist-${tag}/" || exit 1
            rm -r -f "cdist-${tag}/"
            gzip "${archivename}" || exit 1
            archivename="${archivename}.gz"
        fi
        gpg --armor --detach-sign "${archivename}" || exit 1
-        # make github release
+        project="ungleich-public%2Fcdist"
-        curl -H "Authorization: token ${token}" \
+        sed_cmd='s/^.*"markdown":"\([^"]*\)".*$/\1/'
            --request POST \
            --data "{ \"tag_name\":\"${tag}\", \
                      \"target_commitish\":\"master\", \
                      \"name\": \"${tag}\", \
                      \"body\":\"${tag}\", \
                      \"draft\":false, \
                      \"prerelease\": false}" \
            "https://api.github.com/repos/ungleich/cdist/releases" || exit 1
-        # get release ID
+        # upload archive
-        repoid=$(curl "https://api.github.com/repos/ungleich/cdist/releases/tags/${tag}" \
+        response_archive=$(curl -f -X POST \
-            | python3 -c 'import json; import sys; print(json.loads(sys.stdin.read())["id"])') \
+             --http1.1 \
-            || exit 1
+             -H "PRIVATE-TOKEN: ${token}" \
             -F "file=@${archivename}" \
             "https://code.ungleich.ch/api/v4/projects/${project}/uploads" \
             | sed "${sed_cmd}") || exit 1
-        # upload archive and then signature
+        # upload archive signature
-        curl -H "Authorization: token ${token}" \
+        response_archive_sig=$(curl -f -X POST \
-             -H "Accept: application/vnd.github.manifold-preview" \
+             --http1.1 \
-             -H "Content-Type: application/x-gtar" \
+             -H "PRIVATE-TOKEN: ${token}" \
-             --data-binary @${archivename} \
+             -F "file=@${archivename}.asc" \
-            "https://uploads.github.com/repos/ungleich/cdist/releases/${repoid}/assets?name=${archivename}" \
+            "https://code.ungleich.ch/api/v4/projects/${project}/uploads" \
-            || exit 1
+             | sed "${sed_cmd}") || exit 1
-        curl -H "Authorization: token ${token}" \
+
-             -H "Accept: application/vnd.github.manifold-preview" \
+        # make release
-             -H "Content-Type: application/pgp-signature" \
+        changelog=$("$0" changelog-changes "$1" | sed 's/^[[:space:]]*//')
-             --data-binary @${archivename}.asc \
+        release_notes=$(
-            "https://uploads.github.com/repos/ungleich/cdist/releases/${repoid}/assets?name=${archivename}.asc" \
+            printf "%s\n\n%s\n\n**Changelog**\n\n%s\n" \
                "${response_archive}" "${response_archive_sig}" "${changelog}"
        )
        curl -f -X POST \
             -H "PRIVATE-TOKEN: ${token}" \
             -F "description=${release_notes}" \
            "https://code.ungleich.ch/api/v4/projects/${project}/repository/tags/${tag}/release" \
            || exit 1
        # remove generated files (archive and asc)
@ -244,30 +283,30 @@ eof
        target_version=$($0 changelog-version)
        target_branch=$($0 version-branch)
-        echo "Beginning release process for $target_version"
+        printf "Beginning release process for %s\n" "${target_version}"
        # First check everything is sane
        "$0" check-date
        "$0" check-unittest
        "$0" check-pycodestyle
-        "$0" shellcheck
+        "$0" check-shellcheck
        # Generate version file to be included in packaging
        "$0" target-version
        # Ensure the git status is clean, else abort
        if ! git diff-index --name-only --exit-code HEAD ; then
-            echo "Unclean tree, see files above, aborting"
+            printf "Unclean tree, see files above, aborting.\n"
            exit 1
        fi
        # Ensure we are on the master branch
        masterbranch=yes
        if [ "$(git rev-parse --abbrev-ref HEAD)" != "master" ]; then
-            echo "Releases are happening from the master branch, aborting"
+            printf "Releases are happening from the master branch, aborting.\n"
-            echo "Enter the magic word to release anyway"
+            printf "Enter the magic word to release anyway:"
-            read magicword
+            read -r magicword
            if [ "$magicword" = "iknowwhatido" ]; then
                masterbranch=no
@ -278,7 +317,7 @@ eof
        if [ "$masterbranch" = yes ]; then
            # Ensure version branch exists
-            if ! git rev-parse --verify refs/heads/$target_branch 2>/dev/null; then
+            if ! git rev-parse --verify "refs/heads/${target_branch}" 2>/dev/null; then
                git branch "$target_branch"
            fi
@ -296,20 +335,12 @@ eof
        make docs-clean
        make docs
        # Generate speeches (indirect check if they build)
        make speeches
        ############################################################# 
        # Everything green, let's do the release
        # Tag the current commit
        "$0" release-git-tag
        # sign git tag
        printf "Enter github authentication token: "
        read token
        "$0" sign-git-release "${target_version}" "${token}"
        # Also merge back the version branch
        if [ "$masterbranch" = yes ]; then
            git checkout master
@ -317,41 +348,41 @@ eof
        fi
        # Publish git changes
-        make pub
+        # if you want to have mirror locally then uncomment this and comment below
-
+        #     git push --mirror
-        # publish man, speeches, website
+            git push
-        if [ "$masterbranch" = yes ]; then
+            # push also new branch and set up tracking
-            make web-release-all
+            git push -u origin "${target_branch}"
-        else
+        # fi
            make web-release-all-no-latest
        fi
        # Ensure that pypi release has the right version
        "$0" version
        # Create and publish package for pypi
-        make pypi-release
+        "$0" pypi-release
-        # Archlinux release is based on pypi
+        # sign git tag
-        make archlinux-release
+        printf "Enter upstream repository authentication token: "
        read -r token
        "$0" sign-git-release "${target_version}" "${token}"
        # Announce change on ML
-        make ml-release
+        "$0" ml-release "${target_version}"
        cat << eof
 Manual steps post release:
-
+    - cdist-web
-    - linkedin
+    - send mail body generated in mailinglist.tmp and inform Dmitry for deb
    - hackernews
    - reddit
    - twitter
 eof
    ;;
    test)
-        export PYTHONPATH="$(pwd -P)"
+        if [ ! -f "cdist/version.py" ]
        then
            printf "cdist/version.py is missing, generate it first.\n"
            exit 1
        fi
        PYTHONPATH="$(pwd -P)"
        export PYTHONPATH
        if [ $# -lt 1 ]; then
            python3 -m cdist.test
@ -361,7 +392,15 @@ eof
    ;;
    test-remote)
-        export PYTHONPATH="$(pwd -P)"
+        if [ ! -f "cdist/version.py" ]
        then
            printf "cdist/version.py is missing, generate it first.\n"
            exit 1
        fi
        PYTHONPATH="$(pwd -P)"
        export PYTHONPATH
        python3 -m cdist.test.exec.remote
    ;;
@ -374,9 +413,9 @@ eof
        printf "\\nPlease review pycodestyle report.\\n"
        while true
        do
-            echo "Continue (yes/no)?"
+            printf "Continue (yes/no)?\n"
            any=
-            read any
+            read -r any
            case "$any" in
                yes)
                    break
@ -385,20 +424,74 @@ eof
                    exit 1
                ;;
                *)
-                    echo "Please answer with 'yes' or 'no' explicitly."
+                    printf "Please answer with 'yes' or 'no' explicitly.\n"
                ;;
        esac
        done
    ;;
    shellcheck-global-explorers)
        find cdist/conf/explorer -type f -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" || exit 0
    ;;
    shellcheck-type-explorers)
        find cdist/conf/type -type f -path "*/explorer/*" -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" || exit 0
    ;;
    shellcheck-manifests)
        find cdist/conf/type -type f -name manifest -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" || exit 0
    ;;
    shellcheck-local-gencodes)
        find cdist/conf/type -type f -name gencode-local -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" || exit 0
    ;;
    shellcheck-remote-gencodes)
        find cdist/conf/type -type f -name gencode-remote -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" || exit 0
    ;;
    shellcheck-scripts)
        ${SHELLCHECKCMD} scripts/cdist-dump scripts/cdist-new-type || exit 0
    ;;
    shellcheck-gencodes)
        "$0" shellcheck-local-gencodes
        "$0" shellcheck-remote-gencodes
    ;;
    shellcheck-types)
        "$0" shellcheck-type-explorers
        "$0" shellcheck-manifests
        "$0" shellcheck-gencodes
    ;;
    shellcheck)
-        make helper=${helper} WEBDIR=${WEBDIR} shellcheck
+        "$0" shellcheck-global-explorers
        "$0" shellcheck-types
        "$0" shellcheck-scripts
    ;;
    shellcheck-type-files)
        find cdist/conf/type -type f -path "*/files/*" -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" || exit 0
    ;;
    shellcheck-with-files)
        "$0" shellcheck
        "$0" shellcheck-type-files
    ;;
    shellcheck-build-helper)
        ${SHELLCHECKCMD} ./bin/build-helper
    ;;
    check-shellcheck)
        "$0" shellcheck
        printf "\\nPlease review shellcheck report.\\n"
        while true
        do
-            echo "Continue (yes/no)?"
+            printf "Continue (yes/no)?\n"
            any=
-            read any
+            read -r any
            case "$any" in
                yes)
                    break
@ -407,7 +500,7 @@ eof
                    exit 1
                ;;
                *)
-                    echo "Please answer with 'yes' or 'no' explicitly."
+                    printf "Please answer with 'yes' or 'no' explicitly.\n"
                ;;
        esac
        done
@ -418,16 +511,39 @@ eof
    ;;
    version)
-        echo "VERSION = \"$(git describe)\"" > cdist/version.py
+        printf "VERSION = \"%s\"\n" "$(git describe)" > cdist/version.py
    ;;
    target-version)
        target_version=$($0 changelog-version)
-        echo "VERSION = \"${target_version}\"" > cdist/version.py
+        printf "VERSION = \"%s\"\n" "${target_version}" > cdist/version.py
    ;;
    clean)
        make clean
        # Archlinux
        rm -f cdist-*.pkg.tar.xz cdist-*.tar.gz
        rm -rf pkg/ src/
        rm -f MANIFEST PKGBUILD
        rm -rf dist/
        # Signed release
        rm -f cdist-*.tar.gz
        rm -f cdist-*.tar.gz.asc
        # Temp files
        rm -f ./*.tmp
    ;;
    distclean)
        "$0" clean
        rm -f cdist/version.py
    ;;
    *)
-        echo "Unknown helper target $@ - aborting"
+        printf "Unknown target: '%s'.\n" "${option}" >&2
        usage "${basename}"
        exit 1
    ;;
--- a/bin/build-helper.freebsd
+++ b/bin/build-helper.freebsd
@ -1,496 +0,0 @@
 #!/bin/sh
 #
 # 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
 # 2016 Darko Poljak (darko.poljak at gmail.com)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
 # This file contains the heavy lifting found usually in the Makefile
 #
 # vars for make
 helper=$0
 basedir=${0%/*}/../
 # run_as is used to check how the script is called (by $0 value)
 # currently supported sufixes for $0 are:
 # .freebsd - run as freebsd
 basename=${0##*/}
 run_as=${basename#*.}
 case "$run_as" in
    freebsd)
        to_a=cdist-configuration-management
        to_d=googlegroups.com
        from_a=darko.poljak
        from_d=gmail.com
        ml_name="Darko Poljak"
        ml_sig_name="Darko"
        # vars for make
        WEBDIR=../vcs/www.nico.schottelius.org
    ;;
    *)
        to_a=cdist
        to_d=l.schottelius.org
        from_a=nico-cdist
        from_d=schottelius.org
        ml_name="Nico -telmich- Schottelius"
        ml_sig_name="Nico"
        # vars for make
        WEBDIR=$$HOME/vcs/www.nico.schottelius.org
    ;;
 esac
 # Change to checkout directory
 cd "$basedir"
 version=$(git describe)
 option=$1; shift
 case "$option" in
    print-make-vars)
        printf "helper: ${helper}\n"
        printf "WEBDIR: ${WEBDIR}\n"
    ;;
    print-runas)
        printf "run_as: $run_as\n"
    ;;
    changelog-changes)
        if [ "$#" -eq 1 ]; then
            start=$1
        else
            start="[[:digit:]]"
        fi
        end="[[:digit:]]"
        awk -F: "BEGIN { start=0 }
            {
                if(start == 0) {
                    if (\$0 ~ /^$start/) {
                        start = 1
                    }
                } else {
                    if (\$0 ~ /^$end/) {
                        exit
                    } else {
                        print \$0 
                    }
                }
            }" "$basedir/docs/changelog"
    ;;
    changelog-version)
        # get version from changelog
        grep '^[[:digit:]]' "$basedir/docs/changelog" | head -n1 | sed 's/:.*//'
    ;;
    check-date)
        # verify date in changelog is today
        date_today="$(date +%Y-%m-%d)"
        date_changelog=$(grep '^[[:digit:]]' "$basedir/docs/changelog" | head -n1 | sed 's/.*: //')
        if [ "$date_today" != "$date_changelog" ]; then
            echo "Date in changelog is not today"
            echo "Changelog: $date_changelog"
            exit 1
        fi
    ;;
    check-unittest)
        "$0" test
    ;;
    blog)
        version=$1; shift
        blogfile=$1; shift
        dir=${blogfile%/*}
        file=${blogfile##*/}
        cat << eof > "$blogfile"
 [[!meta title="Cdist $version released"]]
 Here's a short overview about the changes found in version ${version}:
 eof
        $0 changelog-changes "$version" >> "$blogfile"
        cat << eof >> "$blogfile"
 For more information visit the [[cdist homepage|software/cdist]].
 [[!tag cdist config unix]]
 eof
        cd "$dir"
        git add "$file"
        # Allow git commit to fail if there are no changes
        git commit -m "cdist blog update: $version" "$blogfile" || true
    ;;
    ml-release)
        if [ $# -ne 1 ]; then
            echo "$0 ml-release version" >&2
            exit 1
        fi
        version=$1; shift
        to=${to_a}@${to_d}
        from=${from_a}@${from_d}
        ( 
        cat << eof
 From: ${ml_name} <$from>
 To: cdist mailing list <$to>
 Subject: cdist $version released
 Hello .*,
 cdist $version has been released with the following changes:
 eof
        "$0" changelog-changes "$version"
        cat << eof
 Cheers,
 ${ml_sig_name}
 -- 
 Automatisation at its best level. With cdist.
 eof
        ) | /usr/sbin/sendmail -f "$from" "$to"
    ;;
    release-git-tag)
        target_version=$($0 changelog-version)
        if git rev-parse --verify refs/tags/$target_version 2>/dev/null; then
            echo "Tag for $target_version exists, aborting"
            exit 1
        fi
        printf "Enter tag description for ${target_version}: "
        read tagmessage
        # setup for signed tags:
        # gpg --fulL-gen-key
        # gpg --list-secret-keys --keyid-format LONG
        # git config --local user.signingkey <id>
        # for exporting pub key:
        #     gpg --armor --export <id> > pubkey.asc
        #     gpg --output pubkey.gpg --export <id>
        # show tag with signature
        # git show <tag>
        # verify tag signature
        # git tag -v <tag>
        #
        # gpg verify signature
        # gpg --verify <asc-file> <file>
        # gpg --no-default-keyring --keyring <pubkey.gpg> --verify <asc-file> <file>
        # Ensure gpg-agent is running.
        export GPG_TTY=$(tty)
        gpg-agent
        git tag -s "$target_version" -m "$tagmessage"
        git push --tags
    ;;
    sign-git-release)
        if [ $# -lt 2 ]
        then
            printf "usage: $0 sign-git-release TAG TOKEN [ARCHIVE]\n"
            printf "    if ARCHIVE is not specified then it is created\n"
            exit 1
        fi
        tag="$1"
        if ! git rev-parse -q --verify "${tag}" >/dev/null 2>&1
        then
            printf "Tag \"${tag}\" not found.\n"
            exit 1
        fi
        token="$2"
        if [ $# -gt 2 ]
        then
            archivename="$3"
        else
            archivename="cdist-${tag}.tar.gz"
            git archive --prefix="cdist-${tag}/" -o "${archivename}" "${tag}" \
                || exit 1
        fi
        gpg --armor --detach-sign "${archivename}" || exit 1
        # make github release
        curl -H "Authorization: token ${token}" \
            --request POST \
            --data "{ \"tag_name\":\"${tag}\", \
                      \"target_commitish\":\"master\", \
                      \"name\": \"${tag}\", \
                      \"body\":\"${tag}\", \
                      \"draft\":false, \
                      \"prerelease\": false}" \
            "https://api.github.com/repos/ungleich/cdist/releases" || exit 1
        # get release ID
        repoid=$(curl "https://api.github.com/repos/ungleich/cdist/releases/tags/${tag}" \
            | python3 -c 'import json; import sys; print(json.loads(sys.stdin.read())["id"])') \
            || exit 1
        # upload archive and then signature
        curl -H "Authorization: token ${token}" \
             -H "Accept: application/vnd.github.manifold-preview" \
             -H "Content-Type: application/x-gtar" \
             --data-binary @${archivename} \
            "https://uploads.github.com/repos/ungleich/cdist/releases/${repoid}/assets?name=${archivename}" \
            || exit 1
        curl -H "Authorization: token ${token}" \
             -H "Accept: application/vnd.github.manifold-preview" \
             -H "Content-Type: application/pgp-signature" \
             --data-binary @${archivename}.asc \
            "https://uploads.github.com/repos/ungleich/cdist/releases/${repoid}/assets?name=${archivename}.asc" \
            || exit 1
        # remove generated files (archive and asc)
        if [ $# -eq 2]
        then
            rm -f "${archivename}"
        fi
        rm -f "${archivename}.asc"
    ;;
    release)
        set -e
        target_version=$($0 changelog-version)
        target_branch=$($0 version-branch)
        echo "Beginning release process for $target_version"
        # First check everything is sane
        "$0" check-date
        "$0" check-unittest
        "$0" check-pycodestyle
        "$0" shellcheck
        # Generate version file to be included in packaging
        "$0" target-version
        # Ensure the git status is clean, else abort
        if ! git diff-index --name-only --exit-code HEAD ; then
            echo "Unclean tree, see files above, aborting"
            exit 1
        fi
        # Ensure we are on the master branch
        masterbranch=yes
        if [ "$(git rev-parse --abbrev-ref HEAD)" != "master" ]; then
            echo "Releases are happening from the master branch, aborting"
            echo "Enter the magic word to release anyway"
            read magicword
            if [ "$magicword" = "iknowwhatido" ]; then
                masterbranch=no
            else
                exit 1
            fi
        fi
        if [ "$masterbranch" = yes ]; then
            # Ensure version branch exists
            if ! git rev-parse --verify refs/heads/$target_branch 2>/dev/null; then
                git branch "$target_branch"
            fi
            # Merge master branch into version branch
            git checkout "$target_branch"
            git merge master
        fi
        # Verify that after the merge everything works
        "$0" check-date
        "$0" check-unittest
        # Generate documentation (man and html)
        # First, clean old generated docs
        make helper=${helper} WEBDIR=${WEBDIR} docs-clean
        make helper=${helper} WEBDIR=${WEBDIR} docs
        # Generate speeches (indirect check if they build)
        make helper=${helper} WEBDIR=${WEBDIR} speeches
        ############################################################# 
        # Everything green, let's do the release
        # Tag the current commit
        "$0" release-git-tag
        # sign git tag
        printf "Enter github authentication token: "
        read token
        "$0" sign-git-release "${target_version}" "${token}"
        # Also merge back the version branch
        if [ "$masterbranch" = yes ]; then
            git checkout master
            git merge "$target_branch"
        fi
        # Publish git changes
        case "$run_as" in
            freebsd)
                # if we are not Nico :) then just push, no mirror
                git push
                # push also new branch and set up tracking
                git push -u origin "${target_branch}"
            ;;
            *)
                make helper=${helper} WEBDIR=${WEBDIR} pub
            ;;
        esac
        # publish man, speeches, website
        if [ "$masterbranch" = yes ]; then
            make helper=${helper} WEBDIR=${WEBDIR} web-release-all
        else
            make helper=${helper} WEBDIR=${WEBDIR} web-release-all-no-latest
        fi
        # Ensure that pypi release has the right version
        "$0" version
        # Create and publish package for pypi
        make helper=${helper} WEBDIR=${WEBDIR} pypi-release
        case "$run_as" in
            freebsd)
            ;;
            *)
                # Archlinux release is based on pypi
                make archlinux-release
            ;;
        esac
        # Announce change on ML
        make helper=${helper} WEBDIR=${WEBDIR} ml-release
        cat << eof
 Manual steps post release:
    - linkedin
    - hackernews
    - reddit
    - twitter
 eof
        case "$run_as" in
            freebsd)
                cat <<eof
 Additional steps post release:
    - archlinux release
 eof
            ;;
            *)
            ;;
        esac
    ;;
    test)
        export PYTHONPATH="$(pwd -P)"
        if [ $# -lt 1 ]; then
            python3 -m cdist.test
        else
            python3 -m unittest "$@"
        fi
    ;;
    test-remote)
        export PYTHONPATH="$(pwd -P)"
        python3 -m cdist.test.exec.remote
    ;;
    pycodestyle|pep8)
        pycodestyle "${basedir}" "${basedir}/scripts/cdist" | less
    ;;
    check-pycodestyle)
        "$0" pycodestyle
        printf "\\nPlease review pycodestyle report.\\n"
        while true
        do
            echo "Continue (yes/no)?"
            any=
            read any
            case "$any" in
                yes)
                    break
                ;;
                no)
                    exit 1
                ;;
                *)
                    echo "Please answer with 'yes' or 'no' explicitly."
                ;;
        esac
        done
    ;;
    shellcheck)
        make helper=${helper} WEBDIR=${WEBDIR} shellcheck
        printf "\\nPlease review shellcheck report.\\n"
        while true
        do
            echo "Continue (yes/no)?"
            any=
            read any
            case "$any" in
                yes)
                    break
                ;;
                no)
                    exit 1
                ;;
                *)
                    echo "Please answer with 'yes' or 'no' explicitly."
                ;;
        esac
        done
    ;;
    version-branch)
        "$0" changelog-version | cut -d. -f '1,2'
    ;;
    version)
        echo "VERSION = \"$(git describe)\"" > cdist/version.py
    ;;
    target-version)
        target_version=$($0 changelog-version)
        echo "VERSION = \"${target_version}\"" > cdist/version.py
    ;;
    *)
        echo "Unknown helper target $@ - aborting"
        exit 1
    ;;
 esac
--- a/cdist/init.py
+++ b/cdist/init.py
@ -181,17 +181,40 @@ class CdistObjectError(CdistEntityError):
                         params, stdout_paths, stderr_paths, subject)
 class CdistObjectExplorerError(CdistEntityError):
    """
    Something went wrong while working on a specific
    cdist object explorer
    """
    def __init__(self, cdist_object, explorer_name, explorer_path,
                 stderr_path, subject=''):
        params = [
            ('object name', cdist_object.name, ),
            ('object path', cdist_object.absolute_path, ),
            ('object source', " ".join(cdist_object.source), ),
            ('object type', os.path.realpath(
                cdist_object.cdist_type.absolute_path), ),
            ('explorer name', explorer_name, ),
            ('explorer path', explorer_path, ),
        ]
        stdout_paths = []
        stderr_paths = [
            ('remote', stderr_path, ),
        ]
        super().__init__("explorer '{}' of object '{}'".format(
            explorer_name, cdist_object.name), params, stdout_paths,
            stderr_paths, subject)
 class InitialManifestError(CdistEntityError):
    """Something went wrong while executing initial manifest"""
    def __init__(self, initial_manifest, stdout_path, stderr_path, subject=''):
        params = [
            ('path', initial_manifest, ),
        ]
        stdout_paths = []
        stdout_paths = [
            ('init', stdout_path, ),
        ]
        stderr_paths = []
        stderr_paths = [
            ('init', stderr_path, ),
        ]
@ -199,6 +222,20 @@ class InitialManifestError(CdistEntityError):
                         stderr_paths, subject)
 class GlobalExplorerError(CdistEntityError):
    """Something went wrong while executing global explorer"""
    def __init__(self, name, path, stderr_path, subject=''):
        params = [
            ('name', name, ),
            ('path', path, ),
        ]
        stderr_paths = [
            ('remote', stderr_path, ),
        ]
        super().__init__("global explorer '{}'".format(name),
                         params, [], stderr_paths, subject)
 def file_to_list(filename):
    """Return list from \n seperated file"""
    if os.path.isfile(filename):
--- a/cdist/argparse.py
+++ b/cdist/argparse.py
@ -5,21 +5,23 @@ import logging
 import collections
 import functools
 import cdist.configuration
 import cdist.preos
 # set of beta sub-commands
 BETA_COMMANDS = set(('install', 'inventory', ))
 # set of beta arguments for sub-commands
 BETA_ARGS = {
-    'config': set(('jobs', 'tag', 'all_tagged_hosts', 'use_archiving', )),
+    'config': set(('tag', 'all_tagged_hosts', 'use_archiving', )),
 }
-EPILOG = "Get cdist at http://www.nico.schottelius.org/software/cdist/"
+EPILOG = "Get cdist at https://code.ungleich.ch/ungleich-public/cdist"
 # Parser others can reuse
 parser = None
 _verbosity_level_off = -2
 _verbosity_level = {
    None: logging.WARNING,
    _verbosity_level_off: logging.OFF,
    -1: logging.ERROR,
    0: logging.WARNING,
@ -191,8 +193,7 @@ def get_parsers():
                                  name="positive int"),
           help=('Operate in parallel in specified maximum number of jobs. '
                 'Global explorers, object prepare and object run are '
-                 'supported. Without argument CPU count is used by default. '
+                 'supported. Without argument CPU count is used by default. '),
                 'Currently in beta.'),
           action='store', dest='jobs',
           const=multiprocessing.cpu_count())
    parser['config_main'].add_argument(
@ -423,6 +424,9 @@ def get_parsers():
    parser['inventory'].set_defaults(
            func=cdist.inventory.Inventory.commandline)
    # PreOs
    parser['preos'] = parser['sub'].add_parser('preos', add_help=False)
    # Shell
    parser['shell'] = parser['sub'].add_parser(
            'shell', parents=[parser['loglevel']])
--- a/cdist/conf/explorer/disks
+++ b/cdist/conf/explorer/disks
@ -1,16 +1,27 @@
-#!/bin/sh -e
+#!/bin/sh
-os=$("$__explorer/os")
+uname_s="$(uname -s)"
-case "$os" in
+
-    openbsd)
+case "${uname_s}" in
-        IFS=',' disks=$(sysctl -n hw.disknames)
+    FreeBSD)
-        for d in $disks; do
+        sysctl -n kern.disks
-            echo "${d%%:*}"
+    ;;
-        done | sed -n '/^[sw]d[0-9][0-9]*/p'
+    OpenBSD|NetBSD)
        sysctl -n hw.disknames | grep -Eo '[lsw]d[0-9]+' | xargs
    ;;
    Linux)
        if command -v lsblk > /dev/null
        then
            # exclude ram disks, floppies and cdroms
            # https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
            lsblk -e 1,2,11 -dno name | xargs
        else
            printf "Don't know how to list disks for %s operating system without lsblk, if you can please submit a patch\n" "${uname_s}" >&2
        fi
    ;;
    *)
-        cd /dev || exit 0
+        printf "Don't know how to list disks for %s operating system, if you can please submit a patch\n" "${uname_s}" >&2
        echo sd? hd? vd?
    ;;
 esac
 exit 0
--- a/cdist/conf/explorer/init
+++ b/cdist/conf/explorer/init
@ -29,7 +29,7 @@ case "$uname_s" in
    Linux)
        (pgrep -P0 -l | awk '/^1[ \t]/ {print $2;}') || true
    ;;
-    FreeBSD)
+    FreeBSD|OpenBSD)
        ps -o comm= -p 1 || true
    ;;
    *)
--- a/cdist/conf/explorer/interfaces
+++ b/cdist/conf/explorer/interfaces
@ -1,6 +1,6 @@
-#!/bin/sh
+#!/bin/sh -e
 #
-# 2012 Sébastien Gross <seb•ɑƬ•chezwam•ɖɵʈ•org>
+# 2019 Ander Punnar (ander-at-kvlt-dot-ee)
 #
 # This file is part of cdist.
 #
@ -17,35 +17,12 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
 # List all network interfaces in explorer/ifaces. One interface per line.
 #
 # If your OS is not supported please provide a ifconfig output
 #
-# Use ip, if available
+if command -v ip >/dev/null
-if command -v ip >/dev/null; then
+then
 	ip -o link show | sed -n 's/^[0-9]\+: \(.\+\): <.*/\1/p'
-    exit 0
+elif command -v ifconfig >/dev/null
-fi
+then
-
+	ifconfig -a | sed -n -E 's/^(.*)(:[[:space:]]*flags=|Link encap).*/\1/p'
-if ! command -v ifconfig >/dev/null; then
+fi \
-   # no ifconfig, nothing we could do
+ | sort -u
   exit 0
 fi
 uname_s="$(uname -s)"
 REGEXP='s/^(.*)(:[[:space:]]*flags=|Link encap).*/\1/p'
 case "$uname_s" in
    Darwin)
 	ifconfig -a | sed -n -E "$REGEXP"
 	;;
    Linux|*BSD)
 	ifconfig -a | sed -n -r "$REGEXP"
 	;;
    *)
 	echo "Unsupported ifconfig output for $uname_s" >&2
 	exit 1
 	;;
 esac
--- a/cdist/conf/explorer/os
+++ b/cdist/conf/explorer/os
@ -145,7 +145,7 @@ esac
 if [ -f /etc/os-release ]; then
   # already lowercase, according to:
   # https://www.freedesktop.org/software/systemd/man/os-release.html
-   awk -F= '/^ID=/ {print $2;}' /etc/os-release
+   awk -F= '/^ID=/ { if ($2 ~ /^'"'"'(.*)'"'"'$/ || $2 ~ /^"(.*)"$/) { print substr($2, 2, length($2) - 2) } else { print $2 } }' /etc/os-release
   exit 0
 fi
--- a/cdist/conf/type/__acl/explorer/acl_is
+++ b/cdist/conf/type/__acl/explorer/acl_is
@ -18,6 +18,14 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
-if [ -e "/$__object_id" ]
+[ ! -e "/$__object_id" ] && exit 0
-then getfacl "/$__object_id" | grep -E '^((default:|)(user|group)):[a-z]' || true
+
 if ! command -v getfacl > /dev/null
 then
    echo 'getfacl not available' >&2
    exit 1
 fi
 getfacl "/$__object_id" 2>/dev/null \
    | grep -Eo '^(default:)?(user|group|(mask|other):):[^:][[:graph:]]+' \
    || true
--- a/cdist/conf/type/__acl/explorer/checks
+++ b/cdist/conf/type/__acl/explorer/checks
@ -0,0 +1,39 @@
 #!/bin/sh -e
 #
 # 2019 Ander Punnar (ander-at-kvlt-dot-ee)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 # TODO check if filesystem has ACL turned on etc
 if [ -f "$__object/parameter/acl" ]
 then
    grep -E '^(default:)?(user|group):' "$__object/parameter/acl" \
    | while read -r acl
    do
        param="$( echo "$acl" | awk -F: '{print $(NF-2)}' )"
        check="$( echo "$acl" | awk -F: '{print $(NF-1)}' )"
        [ "$param" = 'user' ] && db=passwd || db="$param"
        if ! getent "$db" "$check" > /dev/null
        then
            echo "missing $param '$check'" >&2
            exit 1
        fi
    done
 fi
--- a/cdist/conf/type/__acl/explorer/file_is
+++ b/cdist/conf/type/__acl/explorer/file_is
@ -0,0 +1,31 @@
 #!/bin/sh -e
 #
 # 2018 Ander Punnar (ander-at-kvlt-dot-ee)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 if [ -e "/$__object_id" ]
 then
    if [ -d "/$__object_id" ]
    then echo directory
    elif [ -f "/$__object_id" ]
    then echo regular
    else echo other
    fi
 else
    echo missing
 fi
--- a/cdist/conf/type/__acl/gencode-remote
+++ b/cdist/conf/type/__acl/gencode-remote
@ -18,32 +18,67 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 file_is="$( cat "$__object/explorer/file_is" )"
 [ "$file_is" = 'missing' ] && [ -z "$__cdist_dry_run" ] && exit 0
 os="$( cat "$__global/explorer/os" )"
 acl_path="/$__object_id"
 acl_is="$( cat "$__object/explorer/acl_is" )"
-acl_should="$( for parameter in user group
+if [ -f "$__object/parameter/acl" ]
 then
    acl_should="$( cat "$__object/parameter/acl" )"
 elif
    [ -f "$__object/parameter/user" ] \
        || [ -f "$__object/parameter/group" ] \
        || [ -f "$__object/parameter/mask" ] \
        || [ -f "$__object/parameter/other" ]
 then
    acl_should="$( for param in user group mask other
    do
-    if [ ! -f "$__object/parameter/$parameter" ]
+        [ ! -f "$__object/parameter/$param" ] && continue
-    then continue
+
        echo "$param" | grep -Eq 'mask|other' && sep=:: || sep=:
        echo "$param$sep$( cat "$__object/parameter/$param" )"
    done )"
 else
    echo 'no parameters set' >&2
    exit 1
 fi
    while read -r l
    do
        echo "$parameter:$l"
 if [ -f "$__object/parameter/default" ]
-        then echo "default:$parameter:$l"
+then
    acl_should="$( echo "$acl_should" \
        | sed 's/^default://' \
        | sort -u \
        | sed 's/\(.*\)/default:\1\n\1/' )"
 fi
 if [ "$file_is" = 'regular' ] \
    && echo "$acl_should" | grep -Eq '^default:'
 then
    # only directories can have default ACLs,
    # but instead of error,
    # let's just remove default entries
    acl_should="$( echo "$acl_should" | grep -Ev '^default:' )"
 fi
 if echo "$acl_should" | awk -F: '{ print $NF }' | grep -Fq 'X'
 then
    [ "$file_is" = 'directory' ] && rep=x || rep=-
    acl_should="$( echo "$acl_should" | sed "s/\\(.*\\)X/\\1$rep/" )"
 fi
    done < "$__object/parameter/$parameter"
 done )"
 setfacl_exec='setfacl'
 if [ -f "$__object/parameter/recursive" ]
 then
-    if echo "$os" | grep -E 'macosx|netbsd|freebsd|openbsd'
+    if echo "$os" | grep -Fq 'freebsd'
    then
        echo "$os setfacl do not support recursive operations" >&2
    else
@ -53,29 +88,39 @@ fi
 if [ -f "$__object/parameter/remove" ]
 then
    if echo "$os" | grep 'solaris'
    then
        # Solaris setfacl behaves differently.
        # We will not support Solaris for now, because no way to test it.
        # But adding support should be easy (use -s instead of -m on modify).
        echo "$os setfacl do not support -x flag for ACL remove" >&2
    else
    echo "$acl_is" | while read -r acl
    do
-            if echo "$acl_should" | grep -Fq "$acl"
+        # skip wanted ACL entries which already exist
        # and skip mask and other entries, because we
        # can't actually remove them, but only change.
        if echo "$acl_should" | grep -Eq "^$acl" \
            || echo "$acl" | grep -Eq '^(default:)?(mask|other)'
        then continue
        fi
-            no_bits="$( echo "$acl" | sed -r 's/:[rwx-]+$//' )"
+        if echo "$os" | grep -Fq 'freebsd'
-
+        then
-            echo "$setfacl_exec -x \"$no_bits\" \"$acl_path\""
+            remove="$acl"
-        done
+        else
            remove="$( echo "$acl" | sed 's/:...$//' )"
        fi
        echo "$setfacl_exec -x \"$remove\" \"$acl_path\""
        echo "removed '$remove'" >> "$__messages_out"
    done
 fi
 for acl in $acl_should
 do
    if ! echo "$acl_is" | grep -Eq "^$acl"
-    then echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
+    then
        if echo "$os" | grep -Fq 'freebsd' \
            && echo "$acl" | grep -Eq '^default:'
        then
            echo "setting default ACL in $os is currently not supported" >&2
        else
            echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
            echo "added '$acl'" >> "$__messages_out"
        fi
    fi
 done
--- a/cdist/conf/type/__acl/man.rst
+++ b/cdist/conf/type/__acl/man.rst
@ -3,35 +3,41 @@ cdist-type__acl(7)
 NAME
 ----
-cdist-type__acl - Basic wrapper around `setfacl`
+cdist-type__acl - Set ACL entries
 DESCRIPTION
 -----------
-ACL must be defined as 3-symbol combination, using `r`, `w`, `x` and `-`.
+Fully supported and tested on Linux (ext4 filesystem), partial support for FreeBSD.
-See setfacl(1) and acl(5) for more details.
+See ``setfacl`` and ``acl`` manpages for more details.
-OPTIONAL MULTIPLE PARAMETERS
+REQUIRED MULTIPLE PARAMETERS
 ----------------------------
-user
+acl
-   Add user ACL entry.
+   Set ACL entry following ``getfacl`` output syntax.
 group
   Add group ACL entry.
 BOOLEAN PARAMETERS
 ------------------
 recursive
   Operate recursively (Linux only).
 default
-   Add default ACL entries.
+   Set all ACL entries as default too.
   Only directories can have default ACLs.
   Setting default ACL in FreeBSD is currently not supported.
 recursive
   Make ``setfacl`` recursive (Linux only), but not ``getfacl`` in explorer.
 remove
-   Remove undefined ACL entries (Solaris not supported).
+   Remove undefined ACL entries.
   ``mask`` and ``other`` entries can't be removed, but only changed.
 DEPRECATED PARAMETERS
 ---------------------
 Parameters ``user``, ``group``, ``mask`` and ``other`` are deprecated and they
 will be removed in future versions. Please use ``acl`` parameter instead.
 EXAMPLES
@ -40,13 +46,30 @@ EXAMPLES
 .. code-block:: sh
    __acl /srv/project \
        --default \
        --recursive \
        --remove \
        --acl user:alice:rwx \
        --acl user:bob:r-x \
        --acl group:project-group:rwx \
        --acl group:some-other-group:r-x \
        --acl mask::r-x \
        --acl other::r-x
    # give Alice read-only access to subdir,
    # but don't allow her to see parent content.
    __acl /srv/project2 \
        --remove \
        --acl default:group:secret-project:rwx \
        --acl group:secret-project:rwx \
        --acl user:alice:--x
    __acl /srv/project2/subdir \
        --default \
        --remove \
-        --user alice:rwx \
+        --acl group:secret-project:rwx \
-        --user bob:r-x \
+        --acl user:alice:r-x
        --group project-group:rwx \
        --group some-other-group:r-x
 AUTHORS
--- a/cdist/conf/type/__acl/parameter/deprecated/group
+++ b/cdist/conf/type/__acl/parameter/deprecated/group
@ -0,0 +1 @@
 see manual for details
--- a/cdist/conf/type/__acl/parameter/deprecated/mask
+++ b/cdist/conf/type/__acl/parameter/deprecated/mask
@ -0,0 +1 @@
 see manual for details
--- a/cdist/conf/type/__acl/parameter/deprecated/other
+++ b/cdist/conf/type/__acl/parameter/deprecated/other
@ -0,0 +1 @@
 see manual for details
--- a/cdist/conf/type/__acl/parameter/deprecated/user
+++ b/cdist/conf/type/__acl/parameter/deprecated/user
@ -0,0 +1 @@
 see manual for details
--- a/cdist/conf/type/__acl/parameter/optional
+++ b/cdist/conf/type/__acl/parameter/optional
@ -0,0 +1,2 @@
 mask
 other
--- a/cdist/conf/type/__acl/parameter/optional_multiple
+++ b/cdist/conf/type/__acl/parameter/optional_multiple
@ -1,2 +1,3 @@
 acl
 user
 group
--- a/cdist/conf/type/__apt_key/explorer/state
+++ b/cdist/conf/type/__apt_key/explorer/state
@ -27,6 +27,18 @@ else
   keyid="$__object_id"
 fi
 keydir="$(cat "$__object/parameter/keydir")"
 keyfile="$keydir/$__object_id.gpg"
 if [ -d "$keydir" ]
 then
   if [ -f "$keyfile" ]
   then echo present
   else echo absent
   fi
 else
   # fallback to deprecated apt-key
   apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
      && echo present \
      || echo absent
 fi
--- a/cdist/conf/type/__apt_key/gencode-remote
+++ b/cdist/conf/type/__apt_key/gencode-remote
@ -31,12 +31,84 @@ if [ "$state_should" = "$state_is" ]; then
   exit 0
 fi
 keydir="$(cat "$__object/parameter/keydir")"
 keyfile="$keydir/$__object_id.gpg"
 case "$state_should" in
   present)
      keyserver="$(cat "$__object/parameter/keyserver")"
      if [ -f "$__object/parameter/uri" ]; then
         uri="$(cat "$__object/parameter/uri")"
         if [ -d "$keydir" ]; then
            cat << EOF
 curl -s -L \\
    -o "$keyfile" \\
    "$uri"
 key="\$( cat "$keyfile" )"
 if echo "\$key" | grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK'
 then
    echo "\$key" | gpg --dearmor > "$keyfile"
 fi
 EOF
         else
            # fallback to deprecated apt-key
            echo "curl -s -L '$uri' | apt-key add -"
         fi
      elif [ -d "$keydir" ]; then
         tmp='/tmp/cdist_apt_key_tmp'
         # we need to kill gpg after 30 seconds, because gpg
         # can get stuck if keyserver is not responding.
         # exporting env var and not exit 1,
         # because we need to clean up and kill dirmngr.
         cat << EOF
 mkdir -m 700 -p "$tmp"
 if timeout 30s \\
    gpg --homedir "$tmp" \\
        --keyserver "$keyserver" \\
        --recv-keys "$keyid"
 then
    gpg --homedir "$tmp" \\
        --export "$keyid" \\
        > "$keyfile"
 else
    export GPG_GOT_STUCK=1
 fi
 GNUPGHOME="$tmp" gpgconf --kill dirmngr
 rm -rf "$tmp"
 if [ -n "\$GPG_GOT_STUCK" ]
 then
    echo "GPG GOT STUCK - no response from keyserver after 30 seconds" >&2
    exit 1
 fi
 EOF
      else
         # fallback to deprecated apt-key
         echo "apt-key adv --keyserver \"$keyserver\" --recv-keys \"$keyid\""
      fi
      echo "added '$keyid'" >> "$__messages_out"
   ;;
   absent)
      if [ -f "$keyfile" ]; then
         echo "rm '$keyfile'"
      else
         # fallback to deprecated apt-key
         echo "apt-key del \"$keyid\""
      fi
      echo "removed '$keyid'" >> "$__messages_out"
   ;;
 esac
--- a/cdist/conf/type/__apt_key/man.rst
+++ b/cdist/conf/type/__apt_key/man.rst
@ -28,6 +28,12 @@ keyserver
   the keyserver from which to fetch the key. If omitted the default set
   in ./parameter/default/keyserver is used.
 keydir
   key save location, defaults to ``/etc/apt/trusted.pgp.d``
 uri
   the URI from which to download the key
 EXAMPLES
 --------
@ -47,15 +53,20 @@ EXAMPLES
    # same thing with other keyserver
    __apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
    # download key from the internet
    __apt_key rabbitmq \
       --uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
 AUTHORS
 -------
 Steven Armstrong <steven-cdist--@--armstrong.cc>
 Ander Punnar <ander-at-kvlt-dot-ee>
 COPYING
 -------
-Copyright \(C) 2011-2014 Steven Armstrong. You can redistribute it
+Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
-and/or modify it under the terms of the GNU General Public License as
+redistribute it and/or modify it under the terms of the GNU General Public
-published by the Free Software Foundation, either version 3 of the
+License as published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__apt_key/manifest
+++ b/cdist/conf/type/__apt_key/manifest
@ -0,0 +1,8 @@
 #!/bin/sh -e
 __package gnupg
 if [ -f "$__object/parameter/uri" ]
 then __package curl
 else __package dirmngr
 fi
--- a/cdist/conf/type/__apt_key/parameter/default/keydir
+++ b/cdist/conf/type/__apt_key/parameter/default/keydir
@ -0,0 +1 @@
 /etc/apt/trusted.gpg.d
--- a/cdist/conf/type/__apt_key/parameter/optional
+++ b/cdist/conf/type/__apt_key/parameter/optional
@ -1,3 +1,5 @@
 state
 keyid
 keyserver
 keydir
 uri
--- a/cdist/conf/type/__block/gencode-remote
+++ b/cdist/conf/type/__block/gencode-remote
@ -18,6 +18,11 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 # quote function from http://www.etalabs.net/sh_tricks.html
 quote() {
   printf '%s\n' "$1" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/"
 }
 file="$(cat "$__object/parameter/file" 2>/dev/null || echo "/$__object_id")"
 state_should=$(cat "$__object/parameter/state")
 prefix=$(cat "$__object/parameter/prefix" 2>/dev/null || echo "#cdist:__block/$__object_id")
@ -46,7 +51,7 @@ tmpfile=\$(mktemp ${file}.cdist.XXXXXXXXXX)
 if [ -f "$file" ]; then
   cp -p "$file" "\$tmpfile"
 fi
-awk -v prefix="^$prefix\$" -v suffix="^$suffix\$" '
+awk -v prefix=^$(quote "$prefix")\$ -v suffix=^$(quote "$suffix")\$ '
 {
   if (match(\$0,prefix)) {
      triggered=1
--- a/cdist/conf/type/__cdist/man.rst
+++ b/cdist/conf/type/__cdist/man.rst
@ -30,7 +30,7 @@ username
 source
    Select the source from which to clone cdist from.
-    Defaults to "git://github.com/ungleich/cdist.git".
+    Defaults to "git@code.ungleich.ch:ungleich-public/cdist.git".
 branch
@ -47,7 +47,7 @@ EXAMPLES
    __cdist /home/cdist/cdist
    # Use alternative source
-    __cdist --source "git://github.com/ungleich/cdist" /home/cdist/cdist
+    __cdist --source "git@code.ungleich.ch:ungleich-public/cdist.git" /home/cdist/cdist
 AUTHORS
--- a/cdist/conf/type/__cdist/parameter/default/source
+++ b/cdist/conf/type/__cdist/parameter/default/source
@ -1 +1 @@
-git://github.com/ungleich/cdist.git
+git@code.ungleich.ch:ungleich-public/cdist.git
--- a/cdist/conf/type/__check_messages/gencode-remote
+++ b/cdist/conf/type/__check_messages/gencode-remote
@ -0,0 +1,26 @@
 #!/bin/sh -e
 #
 # 2019 Ander Punnar (ander-at-kvlt-dot-ee)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 if grep -Eq \
    "$( cat "$__object/parameter/pattern" )" \
    "$__messages_in"
 then
    tee "$__messages_out" < "$__object/parameter/execute"
 fi
--- a/cdist/conf/type/__check_messages/man.rst
+++ b/cdist/conf/type/__check_messages/man.rst
@ -0,0 +1,52 @@
 cdist-type__check_messages(7)
 =============================
 NAME
 ----
 cdist-type__check_messages - Check messages for pattern and execute command on match.
 DESCRIPTION
 -----------
 Check messages for pattern and execute command on match.
 This type is useful if you chain together multiple related types using
 dependencies and want to restart service if at least one type changes
 something.
 For more information about messages see `cdist messaging <cdist-messaging.html>`_.
 For more information about dependencies and execution order see
 `cdist manifest <cdist-manifest.html#dependencies>`_ documentation.
 REQUIRED PARAMETERS
 -------------------
 pattern
   Extended regular expression pattern for search (passed to ``grep -E``).
 execute
   Command to execute on pattern match.
 EXAMPLES
 --------
 .. code-block:: sh
    __check_messages munin \
        --pattern '^__(file|link|line)/etc/munin/' \
        --execute 'service munin-node restart'
 AUTHORS
 -------
 Ander Punnar <ander-at-kvlt-dot-ee>
 COPYING
 -------
 Copyright \(C) 2019 Ander Punnar. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__check_messages/parameter/required
+++ b/cdist/conf/type/__check_messages/parameter/required
@ -0,0 +1,2 @@
 pattern
 execute
--- a/cdist/conf/type/__clean_path/explorer/list
+++ b/cdist/conf/type/__clean_path/explorer/list
@ -20,11 +20,7 @@
 path="/$__object_id"
-if [ ! -d "$path" ]
+[ ! -d "$path" ] && exit 0
 then
    echo "$path is not a directory" >&2
    exit 1
 fi
 pattern="$( cat "$__object/parameter/pattern" )"
--- a/cdist/conf/type/__consul/files/versions/1.5.0/cksum
+++ b/cdist/conf/type/__consul/files/versions/1.5.0/cksum
@ -0,0 +1 @@
 886614099 103959898 consul
--- a/cdist/conf/type/__consul/files/versions/1.5.0/source
+++ b/cdist/conf/type/__consul/files/versions/1.5.0/source
@ -0,0 +1 @@
 https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
--- a/cdist/conf/type/__consul/gencode-remote
+++ b/cdist/conf/type/__consul/gencode-remote
@ -42,7 +42,7 @@ source_file_name="${source##*/}"
 cksum_should=$(cut -d' ' -f1,2 "$version_dir/cksum")
 cat << eof
-    tmpdir=\$(mktemp -d --tmpdir="/tmp" "${__type##*/}.XXXXXXXXXX")
+    tmpdir=\$(mktemp -d -p /tmp "${__type##*/}.XXXXXXXXXX")
    curl -s -L "$source" > "\$tmpdir/$source_file_name"
    unzip -p "\$tmpdir/$source_file_name" > "${destination}.tmp"
    rm -rf "\$tmpdir"
--- a/cdist/conf/type/__consul/manifest
+++ b/cdist/conf/type/__consul/manifest
@ -24,7 +24,7 @@
 os=$(cat "$__global/explorer/os")
 case "$os" in
-   scientific|centos|redhat|ubuntu|debian|devuan|archlinux|gentoo)
+   alpine|scientific|centos|redhat|ubuntu|debian|devuan|archlinux|gentoo)
      # any linux should work
      :
   ;;
@ -47,6 +47,7 @@ fi
 if [ -f "$__object/parameter/direct" ]; then
    __package unzip
    __package curl
 else
    __staged_file /usr/local/bin/consul \
       --source "$(cat "$version_dir/source")" \
--- a/cdist/conf/type/__consul_agent/files/consul.sys-openrc
+++ b/cdist/conf/type/__consul_agent/files/consul.sys-openrc
@ -0,0 +1,38 @@
 #!/sbin/openrc-run
 # 2019 Nico Schottelius (nico-cdist at schottelius.org)
 description="consul agent"
 pidfile="${CONSUL_PIDFILE:-"/var/run/$RC_SVCNAME/pidfile"}"
 command="${CONSUL_BINARY:-"/usr/local/bin/consul"}"
 checkconfig() {
 	if [ ! -d /var/run/consul ] ; then
 		mkdir -p /var/run/consul || return 1
        chown consul:consul /var/run/$NAME || return 1
        chmod 2770 /var/run/$NAME || return 1
 	fi
 }
 start() {
    need net
    start-stop-daemon --start --quiet --oknodo \
            --pidfile "$pidfile" --background \
            --exec $command -- agent -pid-file="$pidfile" -config-dir /etc/consul/conf.d
 }
 start_pre() {
 	checkconfig
 }
 stop() {
 	if [ "${RC_CMD}" = "restart" ] ; then
 		checkconfig || return 1
 	fi
 	ebegin "Stopping $RC_SVCNAME"
 	start-stop-daemon --stop --exec "$command" \
 		--pidfile "$pidfile" --quiet
 	eend $?
 }
--- a/cdist/conf/type/__consul_agent/manifest
+++ b/cdist/conf/type/__consul_agent/manifest
@ -1,7 +1,7 @@
 #!/bin/sh -e
 #
 # 2015 Steven Armstrong (steven-cdist at armstrong.cc)
-# 2015 Nico Schottelius (nico-cdist at schottelius.org)
+# 2015-2019 Nico Schottelius (nico-cdist at schottelius.org)
 #
 # This file is part of cdist.
 #
@ -23,7 +23,7 @@
 os=$(cat "$__global/explorer/os")
 case "$os" in
-   scientific|centos|debian|devuan|redhat|ubuntu)
+   alpine|scientific|centos|debian|devuan|redhat|ubuntu)
      # whitelist safeguard
      :
   ;;
@ -181,6 +181,9 @@ init_upstart()
 # Install init script to start on boot
 case "$os" in
    alpine|devuan)
        init_sysvinit debian
        ;;
    centos|redhat)
        os_version="$(sed 's/[^0-9.]//g' "$__global/explorer/os_version")"
        major_version="${os_version%%.*}"
@ -216,10 +219,6 @@ case "$os" in
        esac
        ;;
    devuan)
        init_sysvinit debian
    ;;
    ubuntu)
        init_upstart
        ;;
--- a/cdist/conf/type/__directory/explorer/stat
+++ b/cdist/conf/type/__directory/explorer/stat
@ -25,21 +25,49 @@ destination="/$__object_id"
 os=$("$__explorer/os")
 case "$os" in
-   "freebsd"|"netbsd"|"openbsd")
+   "freebsd"|"netbsd"|"openbsd"|"macosx")
      # FIXME: should be something like this based on man page, but can not test
      stat -f "type: %ST
 owner: %Du %Su
 group: %Dg %Sg
 mode: %Op %Sp
 " "$destination"
   ;;
    "macosx")
      stat -f "type: %HT
 owner: %Du %Su
 group: %Dg %Sg
 mode: %Lp %Sp
 " "$destination" | awk '/^type/ { print tolower($0); next; } { print; }'
      ;;
   alpine)
      stat -c "type: %F
 owner: %u %U
 group: %g %G
 mode: %a %A
 " "$destination"
      ;;
    solaris)
        ls1="$( ls -ld "$destination" )"
        ls2="$( ls -ldn "$destination" )"
        if [ -f "$__object/parameter/mode" ]
        then mode_should="$( cat "$__object/parameter/mode" )"
        fi
        # yes, it is ugly hack, but if you know better way...
        if [ -z "$( find "$destination" -perm "$mode_should" )" ]
        then octets=888
        else octets="$( echo "$mode_should" | sed 's/^0//' )"
        fi
        case "$( echo "$ls1" | cut -c1-1 )" in
            -) echo 'type: regular file' ;;
            d) echo 'type: directory' ;;
        esac
        echo "owner: $( echo "$ls2" \
            | awk '{print $3}' ) $( echo "$ls1" \
                | awk '{print $3}' )"
        echo "group: $( echo "$ls2" \
            | awk '{print $4}' ) $( echo "$ls1" \
                | awk '{print $4}' )"
        echo "mode: $octets $( echo "$ls1" | awk '{print $1}' )"
    ;;
   *)
       stat --printf="type: %F
 owner: %u %U
--- a/cdist/conf/type/__docker/manifest
+++ b/cdist/conf/type/__docker/manifest
@ -64,6 +64,43 @@ case "$os" in
        require="__apt_source/docker" __package docker-ce --state "${state}"
      fi
   ;;
   devuan)
      os_version="$(cat "$__global/explorer/os_version")"
      case "$os_version" in
        ascii)
          distribution="stretch"
        ;;
        jessie)
          distribution="jessie"
        ;;
        *)
          echo "Your devuan release ($os_version) is currently not supported by this type (${__type##*/}).">&2
          echo "Please contribute an implementation for it if you can." >&2
          exit 1
        ;;
      esac
      if [ "${state}" = "present" ]; then
        __package apt-transport-https
        __package ca-certificates
        __package gnupg2
      fi
      __apt_key_uri docker --name "Docker Release (CE deb) <docker@docker.com>" \
        --uri "https://download.docker.com/linux/${os}/gpg" --state "${state}"
      require="__apt_key_uri/docker" __apt_source docker \
         --uri "https://download.docker.com/linux/${os}" \
         --distribution "${distribution}" \
         --state "${state}" \
         --component "stable"
      if [ "$version" != "latest" ]; then
        require="__apt_source/docker" __package docker-ce --version "${version}" --state "${state}"
      else
        require="__apt_source/docker" __package docker-ce --state "${state}"
      fi
   ;;
   *)
      echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
      echo "Please contribute an implementation for it if you can." >&2
--- a/cdist/conf/type/__docker_swarm/explorer/swarm-state
+++ b/cdist/conf/type/__docker_swarm/explorer/swarm-state
@ -18,4 +18,4 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
-docker info 2>/dev/null | grep "^Swarm: " | cut -d " " -f 2-
+docker info 2>/dev/null | grep '^ *Swarm: ' | awk '{print $2}'
--- a/cdist/conf/type/__file/explorer/stat
+++ b/cdist/conf/type/__file/explorer/stat
@ -1,6 +1,7 @@
 #!/bin/sh
 #
 # 2013 Steven Armstrong (steven-cdist armstrong.cc)
 # 2019 Nico Schottelius (nico-cdist at schottelius.org)
 #
 # This file is part of cdist.
 #
@ -25,25 +26,56 @@ destination="/$__object_id"
 os=$("$__explorer/os")
 case "$os" in
-   "freebsd"|"netbsd"|"openbsd")
+   "freebsd"|"netbsd"|"openbsd"|"macosx")
      # FIXME: should be something like this based on man page, but can not test
      stat -f "type: %ST
 owner: %Du %Su
 group: %Dg %Sg
 mode: %Op %Sp
 size: %Dz
 links: %Dl
 " "$destination"
   ;;
   "macosx")
      stat -f "type: %HT
 owner: %Du %Su
 group: %Dg %Sg
 mode: %Lp %Sp
 size: %Dz
 links: %Dl
 " "$destination" | awk '/^type/ { print tolower($0); next; } { print; }'
      ;;
   alpine)
       # busybox stat
      stat -c "type: %F
 owner: %u %U
 group: %g %G
 mode: %a %A
 size: %s
 links: %h
 " "$destination"
      ;;
    solaris)
        ls1="$( ls -ld "$destination" )"
        ls2="$( ls -ldn "$destination" )"
        if [ -f "$__object/parameter/mode" ]
        then mode_should="$( cat "$__object/parameter/mode" )"
        fi
        # yes, it is ugly hack, but if you know better way...
        if [ -z "$( find "$destination" -perm "$mode_should" )" ]
        then octets=888
        else octets="$( echo "$mode_should" | sed 's/^0//' )"
        fi
        case "$( echo "$ls1" | cut -c1-1 )" in
            -) echo 'type: regular file' ;;
            d) echo 'type: directory' ;;
        esac
        echo "owner: $( echo "$ls2" \
            | awk '{print $3}' ) $( echo "$ls1" \
                | awk '{print $3}' )"
        echo "group: $( echo "$ls2" \
            | awk '{print $4}' ) $( echo "$ls1" \
                | awk '{print $4}' )"
        echo "mode: $octets $( echo "$ls1" | awk '{print $1}' )"
        echo "size: $( echo "$ls1" | awk '{print $5}' )"
        echo "links: $( echo "$ls1" | awk '{print $2}' )"
    ;;
   *)
      stat --printf="type: %F
 owner: %u %U
--- a/cdist/conf/type/__file/gencode-remote
+++ b/cdist/conf/type/__file/gencode-remote
@ -79,6 +79,10 @@ case "$state_should" in
            fi
        fi
    done
    if [ -f "$__object/files/set-attributes" ]; then
        # set-attributes is created if file is created or uploaded in gencode-local
        fire_onchange=1
    fi
    ;;
--- a/cdist/conf/type/__git/gencode-remote
+++ b/cdist/conf/type/__git/gencode-remote
@ -19,32 +19,33 @@
 #
 #
-state_is="$(cat "$__object/explorer/state")"
+state_is=$(cat "$__object/explorer/state")
-owner_is="$(cat "$__object/explorer/owner")"
+owner_is=$(cat "$__object/explorer/owner")
-group_is="$(cat "$__object/explorer/group")"
+group_is=$(cat "$__object/explorer/group")
-state_should="$(cat "$__object/parameter/state")"
+state_should=$(cat "$__object/parameter/state")
-branch="$(cat "$__object/parameter/branch")"
+branch=$(cat "$__object/parameter/branch")
-source="$(cat "$__object/parameter/source")"
+source=$(cat "$__object/parameter/source")
 destination="/$__object_id"
-owner="$(cat "$__object/parameter/owner")"
+owner=$(cat "$__object/parameter/owner")
-group="$(cat "$__object/parameter/group")"
+group=$(cat "$__object/parameter/group")
-mode="$(cat "$__object/parameter/mode")"
+mode=$(cat "$__object/parameter/mode")
-[  "$state_should" = "$state_is" ] && \
+[ -f "$__object/parameter/recursive" ] && recursive='--recursive' || recursive=''
-[  "$owner" = "$owner_is" ] && \
+
-[  "$group" = "$group_is" ] && \
+[ "$state_should" = "$state_is" ] \
-[  -n "$mode" ] && exit 0
+ && [ "$owner" = "$owner_is" ] \
 && [ "$group" = "$group_is" ] \
 && [ -n "$mode" ] && exit 0
 case $state_should in
    present)
        if [ "$state_should" != "$state_is" ]; then
-            echo git clone --quiet --branch "$branch" "$source" "$destination"
+            echo git clone --quiet "$recursive" --branch "$branch" "$source" "$destination"
        fi
        if { [ -n "$owner" ] && [ "$owner_is" != "$owner" ]; } || \
           { [ -n "$group" ] && [ "$group_is" != "$group" ]; }; then
@ -54,8 +55,9 @@ case $state_should in
            echo chmod -R "$mode" "$destination"
        fi
    ;;
-    # Handled in manifest
+
    absent)
        # Handled in manifest
    ;;
    *)
--- a/cdist/conf/type/__git/man.rst
+++ b/cdist/conf/type/__git/man.rst
@ -35,6 +35,8 @@ mode
 owner
   User to chown to.
 recursive
   Passes the --recursive flag to git when cloning the repository.
 EXAMPLES
 --------
@ -44,7 +46,7 @@ EXAMPLES
    __git /home/services/dokuwiki --source git://github.com/splitbrain/dokuwiki.git
    # Checkout cdist, stay on branch 2.1
-    __git /home/nico/cdist --source git://github.com/ungleich/cdist.git --branch 2.1
+    __git /home/nico/cdist --source git@code.ungleich.ch:ungleich-public/cdist.git --branch 2.1
 AUTHORS
--- a/cdist/conf/type/__git/parameter/boolean
+++ b/cdist/conf/type/__git/parameter/boolean
@ -0,0 +1 @@
 recursive
--- a/cdist/conf/type/__grafana_dashboard/manifest
+++ b/cdist/conf/type/__grafana_dashboard/manifest
@ -8,10 +8,12 @@ case $os in
    debian|devuan)
        case $os_version in
            8*|jessie)
-                apt_source_distribution=jessie
+                # Differntation not needed anymore
                apt_source_distribution=stable
                ;;
            9*|ascii/ceres|ascii)
-                apt_source_distribution=stretch
+                # Differntation not needed anymore
                apt_source_distribution=stable
                ;;
            *)
                echo "Don't know how to install Grafana on $os $os_version. Send us a pull request!" >&2
@ -21,10 +23,10 @@ case $os in
        __apt_key_uri grafana \
            --name 'Grafana Release Signing Key' \
-            --uri https://packagecloud.io/gpg.key
+            --uri https://packages.grafana.com/gpg.key
        require="$require __apt_key_uri/grafana" __apt_source grafana \
-                    --uri https://packagecloud.io/grafana/stable/debian/ \
+                    --uri https://packages.grafana.com/oss/deb \
                    --distribution $apt_source_distribution \
                    --component main
--- a/cdist/conf/type/__group/explorer/group
+++ b/cdist/conf/type/__group/explorer/group
@ -1,6 +1,7 @@
 #!/bin/sh
 #
 # 2011-2015 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2019 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -21,7 +22,21 @@
 # Get an existing groups group entry.
 #
 not_supported() {
 	echo "Your operating system ($("$__explorer/os")) is currently not supported." >&2
 	echo "Cannot extract group information." >&2
 	echo "Please contribute an implementation for it if you can." >&2
 	exit 1
 }
 name=$__object_id
 if command -v getent >/dev/null
 then
 	getent group "$name" || true
-
+elif [ -f /etc/group ]
 then
 	grep "^${name}:" /etc/group || true
 else
 	not_supported
 fi
--- a/cdist/conf/type/__group/explorer/gshadow
+++ b/cdist/conf/type/__group/explorer/gshadow
@ -1,6 +1,7 @@
 #!/bin/sh
 #
 # 2011-2015 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2019 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -22,13 +23,28 @@
 #
 name=$__object_id
-os="$("$__explorer/os")"
+os=$("$__explorer/os")
-case "$os" in
+not_supported() {
 	echo "Your operating system ($os) is currently not supported." >&2
 	echo "Cannot extract group information." >&2
 	echo "Please contribute an implementation for it if you can." >&2
 	exit 1
 }
 case $os in
 	"freebsd"|"netbsd")
-	echo "$os does not have getent gshadow"
+		echo "$os does not have getent gshadow" >&2
 		exit 0
 	;;
 esac
 if command -v getent >/dev/null
 then
 	getent gshadow "$name" || true
 elif [ -f /etc/gshadow ]
 then
 	grep "^${name}:" /etc/gshadow || true
 else
 	not_supported
 fi
--- a/cdist/conf/type/__hostname/gencode-remote
+++ b/cdist/conf/type/__hostname/gencode-remote
@ -35,7 +35,7 @@ has_hostnamectl=$(cat "$__object/explorer/has_hostnamectl")
 # If everything is ok -> exit
 #
 case "$os" in
-    archlinux|debian|suse|ubuntu|devuan|coreos)
+    archlinux|debian|suse|ubuntu|devuan|coreos|alpine)
        if [ "$name_config" = "$name_should" ] && [ "$name_running" = "$name_should" ]; then
            exit 0
        fi
@ -58,7 +58,7 @@ echo changed >> "$__messages_out"
 # Use the good old way to set the hostname even on machines running systemd.
 case "$os" in
-    archlinux|debian|ubuntu|devuan|centos|coreos)
+    archlinux|debian|ubuntu|devuan|centos|coreos|alpine)
        printf "printf '%%s\\\\n' '$name_should' > /etc/hostname\\n"
        echo "hostname -F /etc/hostname"
    ;;
--- a/cdist/conf/type/__hostname/manifest
+++ b/cdist/conf/type/__hostname/manifest
@ -41,7 +41,7 @@ not_supported() {
 }
 case "$os" in
-    archlinux|debian|suse|ubuntu|devuan|coreos)
+    archlinux|debian|suse|ubuntu|devuan|coreos|alpine)
        # handled in gencode-remote
        :
    ;;
--- a/cdist/conf/type/__letsencrypt_cert/manifest
+++ b/cdist/conf/type/__letsencrypt_cert/manifest
@ -33,6 +33,9 @@ if [ -z "${certbot_fullpath}" ]; then
 					require="__apt_source/stretch-backports" __package_apt certbot \
 						--target-release stretch-backports
 				;;
 				10*)
 					__package_apt certbot
 				;;
 				*)
 					echo "Unsupported OS version: $os_version" >&2
 					exit 1
@ -62,11 +65,12 @@ if [ -z "${certbot_fullpath}" ]; then
 								 --distribution ascii-backports \
 								 --component main
 					require="__apt_source/ascii-backports" __package_apt python-certbot \
 						--target-release ascii-backports
 					require="__apt_source/ascii-backports" __package_apt certbot \
 						--target-release ascii-backports
 				;;
 				beowulf*)
 					__package_apt certbot
 				;;
 				*)
 					echo "Unsupported OS version: $os_version" >&2
 					exit 1
--- a/cdist/conf/type/__link/gencode-remote
+++ b/cdist/conf/type/__link/gencode-remote
@ -48,21 +48,25 @@ case "$state_should" in
        if [ "$file_type" = "directory" ]; then
            # our destination is currently a directory, delete it
            printf 'rm -rf "%s" &&\n' "$destination"
            echo "removed '$destination' (directory)" >> "$__messages_out"
        else
           if [ "$state_is" = "wrongsource" ]; then
               # our destination is a symlink but points to the wrong source,
               # delete it
               printf 'rm -f "%s" &&\n' "$destination"
               echo "removed '$destination' (wrongsource)" >> "$__messages_out"
           fi
        fi
        # create our link
        printf 'ln %s -f "%s" "%s"\n' "$lnopt" "$source" "$destination"
        echo "created '$destination'" >> "$__messages_out"
    ;;
    absent)
        # only delete if it is a sym/hard link
        if [ "$file_type" = "symlink" ] || [ "$file_type" = "hardlink" ]; then
            printf 'rm -f "%s"\n' "$destination"
            echo "removed '$destination'" >> "$__messages_out"
        fi
    ;;
    *)
--- a/cdist/conf/type/__link/man.rst
+++ b/cdist/conf/type/__link/man.rst
@ -27,6 +27,22 @@ state
   'present' or 'absent', defaults to 'present'
 MESSAGES
 --------
 created <destination>
   Link to destination was created.
 removed <destination>
   Link to destination was removed.
 removed <destination> (directory)
   Destination was removed because state is ``present`` and destination was directory.
 removed <destination> (wrongsource)
   Destination was removed because state is ``present`` and destination link source was wrong.
 EXAMPLES
 --------
--- a/cdist/conf/type/__locale/gencode-remote
+++ b/cdist/conf/type/__locale/gencode-remote
@ -1,6 +1,6 @@
 #!/bin/sh -e
 #
-# 2013 Nico Schottelius (nico-cdist at schottelius.org)
+# 2013-2019 Nico Schottelius (nico-cdist at schottelius.org)
 #
 # This file is part of cdist.
 #
@ -37,6 +37,15 @@ locale_remove=$(echo "$locale" | sed 's/UTF-8/utf8/')
 state=$(cat "$__object/parameter/state")
 os=$(cat "$__global/explorer/os")
 # Nothing to be done on alpine
 case "$os" in
    alpine)
        exit 0
        ;;
 esac
 case "$state" in
    present)
        echo localedef -A "$alias" -f "$charmap" -i "$input" "$locale"
--- a/cdist/conf/type/__locale/man.rst
+++ b/cdist/conf/type/__locale/man.rst
@ -8,7 +8,8 @@ cdist-type__locale - Configure locales
 DESCRIPTION
 -----------
-This cdist type allows you to setup locales.
+This cdist type allows you to setup locales. On systems that don't
 support locale setting like alpine/musl libc, it is a no-op.
 OPTIONAL PARAMETERS
@ -44,6 +45,6 @@ Nico Schottelius <nico-cdist--@--schottelius.org>
 COPYING
 -------
-Copyright \(C) 2013-2016 Nico Schottelius. Free use of this software is
+Copyright \(C) 2013-2019 Nico Schottelius. Free use of this software is
 granted under the terms of the GNU General Public License version 3 or
 later (GPLv3+).
--- a/cdist/conf/type/__locale/manifest
+++ b/cdist/conf/type/__locale/manifest
@ -1,6 +1,6 @@
 #!/bin/sh -e
 #
-# 2013-2015 Nico Schottelius (nico-cdist at schottelius.org)
+# 2013-2019 Nico Schottelius (nico-cdist at schottelius.org)
 # 2015 David Hürlimann (david at ungleich.ch)
 #
 # This file is part of cdist.
@ -30,7 +30,7 @@ case "$os" in
        # Debian needs a seperate package
        __package locales --state present
    ;;
-    archlinux|suse|ubuntu|scientific|centos)
+    archlinux|suse|ubuntu|scientific|centos|alpine)
        :
    ;;
    *)
--- a/cdist/conf/type/__package/manifest
+++ b/cdist/conf/type/__package/manifest
@ -1,6 +1,7 @@
 #!/bin/sh -e
 #
 # 2011-2013 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2019 Nico Schottelius (nico-cdist at schottelius.org)
 #
 # This file is part of cdist.
 #
@ -44,6 +45,7 @@ else
         suse) type="zypper" ;;
         openwrt) type="opkg" ;;
         openbsd) type="pkg_openbsd" ;;
         alpine) type="apk" ;;
         *)
            echo "Don't know how to manage packages on: $os" >&2
            exit 1
--- a/cdist/conf/type/__package_apk/explorer/state
+++ b/cdist/conf/type/__package_apk/explorer/state
@ -0,0 +1,38 @@
 #!/bin/sh
 #
 # 2019 Nico Schottelius (nico-cdist at schottelius.org)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
 # Retrieve the status of a package - parsed apk output
 #
 if [ -f "$__object/parameter/name" ]; then
   name="$(cat "$__object/parameter/name")"
 else
   name="$__object_id"
 fi
 # Remove the @.. repo tag for finding out whether it is installed
 # f.i. pass@testing => pass
 name="$(echo "$name" | sed 's/@.*//')"
 if [ "$(apk list -I "$name")" ]; then
    echo present
 else
    echo absent
 fi
--- a/cdist/conf/type/__package_apk/gencode-remote
+++ b/cdist/conf/type/__package_apk/gencode-remote
@ -0,0 +1,49 @@
 #!/bin/sh -e
 #
 # 2019 Nico Schottelius (nico-cdist at schottelius.org)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
 # Manage packages on Debian and co.
 #
 if [ -f "$__object/parameter/name" ]; then
   name="$(cat "$__object/parameter/name")"
 else
   name="$__object_id"
 fi
 state_should="$(cat "$__object/parameter/state")"
 state_is="$(cat "$__object/explorer/state")"
 # Nothing to be done
 [ "$state_is" = "$state_should" ] && exit 0
 case "$state_should" in
    present)
        echo "apk add -q '$name'"
        echo "installed" >> "$__messages_out"
    ;;
    absent)
        echo "apk del -q '$name'"
        echo "removed" >> "$__messages_out"
    ;;
    *)
        echo "Unknown state: $state_should" >&2
        exit 1
    ;;
 esac
--- a/cdist/conf/type/__package_apk/man.rst
+++ b/cdist/conf/type/__package_apk/man.rst
@ -0,0 +1,55 @@
 cdist-type__package_akp(7)
 ==========================
 NAME
 ----
 cdist-type__package_akp - Manage packages with akp
 DESCRIPTION
 -----------
 apk is usually used on Alpine to manage packages.
 REQUIRED PARAMETERS
 -------------------
 None
 OPTIONAL PARAMETERS
 -------------------
 name
   If supplied, use the name and not the object id as the package name.
 state
    Either "present" or "absent", defaults to "present"
 EXAMPLES
 --------
 .. code-block:: sh
    # Ensure zsh in installed
    __package_apk zsh --state present
    # Remove package
    __package_apk apache2 --state absent
 SEE ALSO
 --------
 :strong:`cdist-type__package`\ (7)
 AUTHORS
 -------
 Nico Schottelius <nico-cdist--@--schottelius.org>
 COPYING
 -------
 Copyright \(C) 2019 Nico Schottelius. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__package_apk/nonparallel
+++ b/cdist/conf/type/__package_apk/nonparallel
--- a/cdist/conf/type/__package_apk/parameter/default/state
+++ b/cdist/conf/type/__package_apk/parameter/default/state
@ -0,0 +1 @@
 present
--- a/cdist/conf/type/__package_apk/parameter/optional
+++ b/cdist/conf/type/__package_apk/parameter/optional
@ -0,0 +1,2 @@
 name
 state
--- a/cdist/conf/type/__postfix/manifest
+++ b/cdist/conf/type/__postfix/manifest
@ -1,6 +1,7 @@
 #!/bin/sh -e
 #
 # 2012-2014 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2019 Nico Schottelius (nico-cdist at schottelius.org)
 #
 # This file is part of cdist.
 #
@ -22,7 +23,7 @@
 os=$(cat "$__global/explorer/os")
 case "$os" in
-   ubuntu|debian|archlinux|suse|scientific|centos|devuan)
+   alpine|ubuntu|debian|archlinux|suse|scientific|centos|devuan)
      __package postfix --state present
   ;;
   *)
--- a/cdist/conf/type/__postfix_postconf/explorer/value
+++ b/cdist/conf/type/__postfix_postconf/explorer/value
@ -22,7 +22,7 @@
 os=$("$__explorer/os")
 case "$os" in
-   ubuntu|debian|archlinux|suse|scientific|centos|devuan)
+   alpine|ubuntu|debian|archlinux|suse|scientific|centos|devuan)
      :
   ;;
   *)
--- a/cdist/conf/type/__postfix_postconf/gencode-remote
+++ b/cdist/conf/type/__postfix_postconf/gencode-remote
@ -1,6 +1,7 @@
 #!/bin/sh -e
 #
 # 2012-2014 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2019 Nico Schottelius (nico-cdist at schottelius.org)
 #
 # This file is part of cdist.
 #
@ -21,7 +22,7 @@
 os=$(cat "$__global/explorer/os")
 case "$os" in
-   ubuntu|debian|archlinux|suse|scientific|centos|devuan)
+   alpine|archlinux|centos|debian|devuan|suse|scientific|ubuntu)
      :
   ;;
   *)
--- a/cdist/conf/type/__postgres_database/explorer/state
+++ b/cdist/conf/type/__postgres_database/explorer/state
@ -34,7 +34,7 @@ esac
 name="$__object_id"
-if test -n "$(su - "$postgres_user" -c "psql postgres -tAc \"SELECT 1 FROM pg_database WHERE datname='$name'\"")"
+if test -n "$(su - "$postgres_user" -c "psql postgres -twAc \"SELECT 1 FROM pg_database WHERE datname='$name'\"")"
 then
    echo 'present'
 else
--- a/cdist/conf/type/__postgres_role/explorer/state
+++ b/cdist/conf/type/__postgres_role/explorer/state
@ -34,7 +34,7 @@ esac
 name="$__object_id"
-if test -n "$(su - "$postgres_user" -c "psql postgres -tAc \"SELECT 1 FROM pg_roles WHERE rolname='$name'\"")"
+if test -n "$(su - "$postgres_user" -c "psql postgres -twAc \"SELECT 1 FROM pg_roles WHERE rolname='$name'\"")"
 then
    echo 'present'
 else
--- a/cdist/conf/type/__postgres_role/gencode-remote
+++ b/cdist/conf/type/__postgres_role/gencode-remote
@ -55,7 +55,7 @@ case "$state_should" in
        [ -n "$password" ] && password="PASSWORD '$password'"
        cmd="CREATE ROLE $name WITH $password $booleans"
-        echo "su - '$postgres_user' -c \"psql postgres -c \\\"$cmd\\\"\""
+        echo "su - '$postgres_user' -c \"psql postgres -wc \\\"$cmd\\\"\""
    ;;
    absent)
        echo "su - '$postgres_user' -c \"dropuser \\\"$name\\\"\""
--- a/cdist/conf/type/__ssh_authorized_keys/explorer/file
+++ b/cdist/conf/type/__ssh_authorized_keys/explorer/file
@ -1,6 +1,7 @@
 #!/bin/sh
 #
 # 2014 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2019 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -21,7 +22,40 @@
 if [ -f "$__object/parameter/file" ]; then
 	cat "$__object/parameter/file"
 else
-   owner="$(cat "$__object/parameter/owner" 2>/dev/null || echo "$__object_id")"
+	if [ -s "$__object/parameter/owner" ]
-   home=$(getent passwd "$owner" | cut -d':' -f 6)
+	then
-   echo "$home/.ssh/authorized_keys"
+		owner=$(cat "$__object/parameter/owner")
 	else
 		owner="$__object_id"
 	fi
 	if command -v getent >/dev/null
 	then
 		owner_line=$(getent passwd "$owner")
 	elif [ -f /etc/passwd ]
 	then
 		case $owner
 		in
 			[0-9][0-9]*)
 				owner_line=$(awk -F: "\$3 == \"${owner}\" { print }" /etc/passwd)
 				;;
 			*)
 				owner_line=$(awk -F: "\$1 == \"${owner}\" { print }" /etc/passwd)
 				;;
 		esac
 	fi
 	if [ "$owner_line" ]
 	then
 		home=$(echo "$owner_line" | cut -d':' -f6)
 	fi
 	if [ ! -d "$home" ]
 	then
 		# Don't know how to determine user's home directory, fall back to ~
 		home="~$owner"
 		command -v realpath >/dev/null && home=$(realpath "$home")
 	fi
 	[ -d "$home" ] && echo "$home/.ssh/authorized_keys"
 fi
--- a/cdist/conf/type/__ssh_authorized_keys/explorer/group
+++ b/cdist/conf/type/__ssh_authorized_keys/explorer/group
@ -1,6 +1,7 @@
 #!/bin/sh
 #
 # 2014 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2019 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -18,6 +19,28 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
-owner="$(cat "$__object/parameter/owner" 2>/dev/null || echo "$__object_id")"
+if [ -s "$__object/parameter/owner" ]
-gid="$(getent passwd "$owner" | cut -d':' -f 4)"
+then
 	owner=$(cat "$__object/parameter/owner")
 else
 	owner="$__object_id"
 fi
 if command -v getent >/dev/null
 then
 	gid=$(getent passwd "$owner" | cut -d':' -f4)
 	getent group "$gid" || true
 else
 	# Fallback to local file scanning
 	case $owner
 	in
 		[0-9][0-9]*)
 			gid=$(awk -F: "\$3 == \"${owner}\" { print \$4 }" /etc/passwd)
 			;;
 		*)
 			gid=$(awk -F: "\$1 == \"${owner}\" { print \$4 }" /etc/passwd)
 			;;
 	esac
 	awk -F: "\$3 == \"$gid\" { print }" /etc/group
 fi
--- a/cdist/conf/type/__ssh_authorized_keys/manifest
+++ b/cdist/conf/type/__ssh_authorized_keys/manifest
@ -23,6 +23,12 @@ owner="$(cat "$__object/parameter/owner" 2>/dev/null || echo "$__object_id")"
 state="$(cat "$__object/parameter/state" 2>/dev/null)"
 file="$(cat "$__object/explorer/file")"
 if [ ! -f "$__object/parameter/nofile" ] && [ -z "$file" ]
 then
 	echo "Cannot determine path of authorized_keys file" >&2
 	exit 1
 fi
 if [ ! -f "$__object/parameter/noparent" ] || [ ! -f "$__object/parameter/nofile" ]; then
   group="$(cut -d':' -f 1 "$__object/explorer/group")"
   if [ -z "$group" ]; then
@ -45,18 +51,6 @@ if [ ! -f "$__object/parameter/noparent" ] || [ ! -f "$__object/parameter/nofile
   fi
 fi
 # Remove legacy blocks created by old versions of this type
 # FIXME: remove me in 3.2+
 __block "$__object_name" \
   --file "$file" \
   --prefix "#cdist:$__object_name" \
   --suffix "#/cdist:$__object_name" \
   --state 'absent' \
   --text - << DONE
 remove legacy block
 DONE
 export require="__block/$__object_name"
 _cksum() {
   echo "$1" | cksum | cut -d' ' -f 1
 }
@ -69,7 +63,8 @@ while read -r key; do
   set -- "$@" --key "$key"
   set -- "$@" --state "$state"
   if [ -f "$__object/parameter/option" ]; then
-      set -- "$@" --option "$(cat "$__object/parameter/option")"
+      # shellcheck disable=SC2046
      set -- "$@" $(printf -- '--option %s ' $(cat "$__object/parameter/option"))
   fi
   if [ -f "$__object/parameter/comment" ]; then
      set -- "$@" --comment "$(cat "$__object/parameter/comment")"
--- a/cdist/conf/type/__ssh_dot_ssh/explorer/group
+++ b/cdist/conf/type/__ssh_dot_ssh/explorer/group
@ -1,6 +1,7 @@
 #!/bin/sh
 #
 # 2014 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2019 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -18,5 +19,11 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
-gid="$("$__type_explorer/passwd" | cut -d':' -f 4)"
+gid=$("$__type_explorer/passwd" | cut -d':' -f4)
 if command -v getent >/dev/null
 then
 	getent group "$gid" || true
 else
 	awk -F: "\$3 == \"$gid\" { print }" /etc/group
 fi
--- a/cdist/conf/type/__ssh_dot_ssh/explorer/passwd
+++ b/cdist/conf/type/__ssh_dot_ssh/explorer/passwd
@ -2,6 +2,7 @@
 #
 # 2012 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2014 Nico Schottelius (nico-cdist at schottelius.org)
 # 2019 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@ -21,4 +22,16 @@
 owner="$__object_id"
 if command -v getent >/dev/null
 then
    getent passwd "$owner" || true
 else
    case $owner in
        [0-9][0-9]*)
            awk -F: "\$3 == \"$owner\" { print }" /etc/passwd
            ;;
        *)
            grep "^$owner:" /etc/passwd || true
            ;;
    esac
 fi
--- a/cdist/conf/type/__start_on_boot/explorer/state
+++ b/cdist/conf/type/__start_on_boot/explorer/state
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# 2012-2015 Nico Schottelius (nico-cdist at schottelius.org)
+# 2012-2019 Nico Schottelius (nico-cdist at schottelius.org)
 # 2013 Daniel Heule (hda at sfs.biz)
 #
 # This file is part of cdist.
@ -75,9 +75,14 @@ else
            state=$(chkconfig --check "$name" "$runlevel" || echo absent)
            [ "$state" ] || state="present"
        ;;
-        gentoo)
+        gentoo|alpine)
            state="absent"
            for d in /etc/runlevels/*; do
                if [ -f "/etc/runlevels/${d}/${name}" ];then
                    state="present"
-            [ -f "/etc/runlevels/${target_runlevel}/${name}" ] || state="absent"
+                    break
                fi
            done
        ;;
        freebsd)
            state="absent"
@ -88,6 +93,7 @@ else
            # OpenBSD 5.7 and higher
            rcctl ls on | grep "^${name}$" && state='present'
        ;;
        *)
           echo "Unsupported os: $os" >&2
           exit 1
--- a/cdist/conf/type/__start_on_boot/gencode-remote
+++ b/cdist/conf/type/__start_on_boot/gencode-remote
@ -58,7 +58,7 @@ case "$state_should" in
                    echo "update-rc.d '$name' defaults >/dev/null"
                ;;
-                gentoo)
+                alpine|gentoo)
                    echo "rc-update add '$name' '$target_runlevel'"
                ;;
@ -106,7 +106,7 @@ case "$state_should" in
                    echo "update-rc.d -f '$name' remove"
                ;;
-                gentoo)
+                alpine|gentoo)
                    echo "rc-update del '$name' '$target_runlevel'"
                ;;
--- a/cdist/conf/type/__start_on_boot/man.rst
+++ b/cdist/conf/type/__start_on_boot/man.rst
@ -55,7 +55,7 @@ Nico Schottelius <nico-cdist--@--schottelius.org>
 COPYING
 -------
-Copyright \(C) 2012 Nico Schottelius. You can redistribute it
+Copyright \(C) 2012-2019 Nico Schottelius. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__sysctl/manifest
+++ b/cdist/conf/type/__sysctl/manifest
@ -2,6 +2,7 @@
 #
 # 2014 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2018 Takashi Yoshi (takashi at yoshi.email)
 # 2019 Nico Schottelius (nico-cdist at schottelius.org)
 #
 # This file is part of cdist.
 #
@ -24,7 +25,7 @@ os=$(cat "$__global/explorer/os")
 case "$os" in
   # Linux
-   redhat|centos|ubuntu|debian|devuan|archlinux|coreos)
+   alpine|redhat|centos|ubuntu|debian|devuan|archlinux|coreos)
      :
   ;;
   # BSD
--- a/cdist/conf/type/__timezone/gencode-remote
+++ b/cdist/conf/type/__timezone/gencode-remote
@ -1,6 +1,7 @@
 #!/bin/sh -e
 #
 # 2012 Steven Armstrong (steven-cdist at armstrong.cc)
 # 2019 Nico Schottelius (nico-cdist at schottelius.org)
 #
 # This file is part of cdist.
 #
@ -29,7 +30,7 @@ if [ "$timezone_is" = "$timezone_should" ]; then
 fi
 case "$os" in
-   ubuntu|debian|devuan|coreos)
+   ubuntu|debian|devuan|coreos|alpine)
      echo "echo \"$timezone_should\" > /etc/timezone"
   ;;
 esac
--- a/cdist/conf/type/__timezone/manifest
+++ b/cdist/conf/type/__timezone/manifest
@ -2,7 +2,7 @@
 #
 # 2011 Ramon Salvadó (rsalvado at gnuine dot com)
 # 2012-2015 Steven Armstrong (steven-cdist at armstrong.cc)
-# 2012 Nico Schottelius (nico-cdist at schottelius.org)
+# 2012-2019 Nico Schottelius (nico-cdist at schottelius.org)
 #
 # This file is part of cdist.
 #
@ -26,7 +26,7 @@ timezone="$__object_id"
 os=$(cat "$__global/explorer/os")
 case "$os" in
-    archlinux|debian|ubuntu|devuan)
+    archlinux|debian|ubuntu|devuan|alpine)
        __package tzdata
        export require="__package/tzdata"
    ;;
--- a/cdist/conf/type/__ufw/gencode-remote
+++ b/cdist/conf/type/__ufw/gencode-remote
@ -0,0 +1,62 @@
 #!/bin/sh -e
 #
 # 2019 Mark Polyakov (mark--@--markasoftware.com)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 state="$(cat "$__object/parameter/state")"
 case "$state" in
    enabled)
        echo 'ufw --force enable'
        ;;
    present)
        echo 'ufw --force disable'
        ;;
    # absent will be uninstalled in manifest
 esac
 if [ "$state" != absent ]; then
    if [ -f "$__object/parameter/logging" ]; then
        logging="$(cat "$__object/parameter/logging")"
        case "$logging" in
            off|low|medium|high|full)
                echo "ufw --force logging $logging"
                ;;
            *)
                echo 'Logging parameter must be off, low, medium, high, or full!' >&2
                exit 1
                ;;
        esac
    fi
    for direction in incoming outgoing routed; do
        if [ -f "$__object/parameter/default_$direction" ]; then
            treatment="$(cat "$__object/parameter/default_$direction")"
            case "$treatment" in
                allow|deny|reject)
                    echo "ufw --force default $treatment $direction"
                    ;;
                *)
                    echo 'UFW default policies must be either "allow", "deny", or "reject".' >&2
                    exit 1
                    ;;
            esac
        fi
    done
 fi
--- a/cdist/conf/type/__ufw/man.rst
+++ b/cdist/conf/type/__ufw/man.rst
@ -0,0 +1,59 @@
 cdist-type__ufw(7)
 ==================
 NAME
 ----
 cdist-type__ufw - Install the Uncomplicated FireWall
 DESCRIPTION
 -----------
 Installs the Uncomplicated FireWall. Most modern distributions carry UFW in their main repositories, but on CentOS this type will automatically enable the EPEL repository.
 Some global configuration can also be set with this type.
 OPTIONAL PARAMETERS
 -------------------
 state
    Either "enabled", "running", "present", or "absent". Defaults to "enabled", which registers UFW to start on boot.
 logging
    Either "off", "low", "medium", "high", or "full". Will be passed to `ufw logging`. If not specified, logging level is not modified.
 default_incoming
    Either "allow", "deny", or "reject". The default policy for dealing with ingress packets.
 default_outgoing
    Either "allow", "deny", or "reject". The default policy for dealing with egress packets.
 default_routed
    Either "allow", "deny", or "reject". The default policy for dealing with routed packets (passing through this machine).
 EXAMPLES
 --------
 .. code-block:: sh
    # Install UFW
    __ufw
    # Setup UFW with maximum logging and no restrictions on routed packets.
    __ufw --logging full --default_routed allow
 SEE ALSO
 --------
 :strong:`ufw`\ (8)
 AUTHORS
 -------
 Mark Polyakov <mark@markasoftware.com>
 COPYING
 -------
 Copyright \(C) 2019 Mark Polyakov. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__ufw/manifest
+++ b/cdist/conf/type/__ufw/manifest
@ -0,0 +1,67 @@
 #!/bin/sh -e
 #
 # 2019 Mark Polyakov (mark--@--markasoftware.com)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 state="$(cat "$__object/parameter/state")"
 case "$state" in
    present|enabled)
        os="$(cat "$__global/explorer/os")"
        case "$os" in
            centos)
                # shellcheck source=/dev/null
                if (. "$__global/explorer/os_release" && [ "${VERSION_ID}" = "7" ]); then
                    __package epel-release
                    require='__package/epel-release' __package ufw
                else
                    echo 'CentOS version 7 is required!'
                    exit 1
                fi
                ;;
            *)
                __package ufw
                ;;
        esac
        # ufw expects to always be enabled, then uses a switch in /etc to
        # determine whether to "actually start" after the init system calls it.
        # So, we have to both enable on bootup through init and run `ufw enable`
        # operators ae left-associative, so if !enabled it will never run
        if [ "$(cat "$__global/explorer/os")" != ubuntu ] || \
           [ "$(cat "$__global/explorer/init")" != init ] && \
           [ "$state" = enabled ]; then
            # Why don't we disable start_on_boot when state=present|absent?
            # Because UFW should always be enabled at boot -- /etc/ufw/ufw.conf
            # will stop it from "really" starting
            require='__package/ufw' __start_on_boot ufw
        fi
        ;;
    absent)
        __package ufw --state absent
        ;;
    *)
        echo 'State must be "enabled", "present", or "absent".'
        exit 1
        ;;
 esac
--- a/cdist/conf/type/__ufw/parameter/default/state
+++ b/cdist/conf/type/__ufw/parameter/default/state
@ -0,0 +1 @@
 enabled
--- a/cdist/conf/type/__ufw/parameter/optional
+++ b/cdist/conf/type/__ufw/parameter/optional
@ -0,0 +1,5 @@
 state
 logging
 default_incoming
 default_outgoing
 default_routed
--- a/cdist/conf/type/__ufw/singleton
+++ b/cdist/conf/type/__ufw/singleton
--- a/cdist/conf/type/__ufw_rule/gencode-remote
+++ b/cdist/conf/type/__ufw_rule/gencode-remote
@ -0,0 +1,45 @@
 #!/bin/sh -e
 #
 # 2019 Mark Polyakov (mark@markasoftware.com)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 # This type does not bother with checking the current state of the rules.
 # While it is possible to retrieve the list of rules in a consistent format from
 # `ufw status`, it is a completely different format than the one used on the
 # command line. I also do not suspect it is any faster.
 ufw='ufw --force rule'
 case "$(cat "$__object/parameter/state")" in
    present) ;;
    absent)
        ufw="$ufw delete"
        ;;
    *)
        echo 'State must be "present" or "absent".' >&2
        exit 1
        ;;
 esac
 if [ -f "$__object/parameter/rule" ]; then
    ufw="$ufw $(cat "$__object/parameter/rule")"
 else
    ufw="$ufw allow $__object_id"
 fi
 echo "$ufw"
--- a/cdist/conf/type/__ufw_rule/man.rst
+++ b/cdist/conf/type/__ufw_rule/man.rst
@ -0,0 +1,53 @@
 cdist-type__ufw_rule(7)
 =======================
 NAME
 ----
 cdist-type__ufw_rule - A single UFW rule
 DESCRIPTION
 -----------
 Adds or removes a single UFW rule. This type supports adding and deleting rules for port ranges or applications.
 Understanding what is "to" and what is "from" can be confusing. If the rule is ingress (default), then "from" is the remote machine and "to" is the local one. The opposite is true for egress traffic (--out).
 OPTIONAL PARAMETERS
 -------------------
 state
    Either "present" or "absent". Defaults to "present". If "absent", only removes rules that exactly match the rule expected.
 rule
    A firewall rule in UFW syntax. This is what you would usually write after `ufw` on the command line. Defaults to "allow" followed by the object ID. You can use either the short syntax (just allow|deny|reject|limit followed by a port or application name) or the full syntax. Do not include `delete` in your command. Set `--state absent` instead.
 EXAMPLES
 --------
 .. code-block:: sh
    # open port 80 (ufw allow 80)
    __ufw_rule 80
    # Allow mosh application (if installed)
    __ufw_rule mosh
    # Allow all traffic from local network (ufw allow from 10.0.0.0/24)
    __ufw_rule local --rule 'allow from 10.0.0.0/24'
    # Block egress traffic from port 25 to 111.55.55.55 on interface eth0
    __ufw_rule block_smtp --rule 'deny out on eth0 from any port 25 to 111.55.55.55'
 SEE ALSO
 --------
 :strong:`ufw`\ (8)
 AUTHORS
 -------
 Mark Polyakov <mark@markasoftware.com>
 COPYING
 -------
 Copyright \(C) 2019 Mark Polyakov. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/cdist/conf/type/__ufw_rule/parameter/default/state
+++ b/cdist/conf/type/__ufw_rule/parameter/default/state
@ -0,0 +1 @@
 present
--- a/cdist/conf/type/__ufw_rule/parameter/optional
+++ b/cdist/conf/type/__ufw_rule/parameter/optional
@ -0,0 +1,2 @@
 state
 rule
--- a/cdist/conf/type/__user/explorer/group
+++ b/cdist/conf/type/__user/explorer/group
@ -23,11 +23,9 @@
 if [ -f "$__object/parameter/gid" ]; then
   gid=$(cat "$__object/parameter/gid")
-   getent=$(command -v getent)
+   if command -v getent >/dev/null; then
-   if [ X != X"${getent}" ]; then
+      getent group "$gid" || true
      "${getent}" group "$gid" || true
   elif [ -f /etc/group ]; then
      grep -E "^(${gid}|([^:]+:){2}${gid}):" /etc/group || true
   fi
 fi
--- a/cdist/conf/type/__user/explorer/passwd
+++ b/cdist/conf/type/__user/explorer/passwd
@ -23,9 +23,8 @@
 name=$__object_id
-getent=$(command -v getent)
+if command -v getent >/dev/null; then
-if [ X != X"${getent}" ]; then
+  getent passwd "$name" || true
  "${getent}" passwd "$name" || true
 elif [ -f /etc/passwd ]; then
  grep "^${name}:" /etc/passwd || true
 fi
--- a/cdist/conf/type/__user/explorer/shadow
+++ b/cdist/conf/type/__user/explorer/shadow
@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -e
 #
 # 2011 Steven Armstrong (steven-cdist at armstrong.cc)
 #
@ -22,18 +22,19 @@
 #
 name=$__object_id
 os="$("$__explorer/os")"
 # Default to using shadow passwords
 database="shadow"
-case "$os" in
+case $("$__explorer/os") in
-  "freebsd"|"netbsd"|"openbsd")  database="passwd";;
+  'freebsd'|'netbsd'|'openbsd')
    database='passwd'
    ;;
  # Default to using shadow passwords
  *)
    database='shadow'
    ;;
 esac
-
+if command -v getent >/dev/null; then
-getent=$(command -v getent)
+  getent "$database" "$name" || true
 if [ X != X"${getent}" ]; then
  "${getent}" "$database" "$name" || true
 elif [ -f /etc/shadow ]; then
  grep "^${name}:" /etc/shadow || true
 fi
--- a/Show more
+++ b/Show more
`@ -1 +1 @@`
	`git://github.com/ungleich/cdist.git`	`git@code.ungleich.ch:ungleich-public/cdist.git`
		`@ -0,0 +1 @@`
							`https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip`