[__jitsi_meet] Add --abort-conference-count parameter

Only has an effect if the prometheus exporter is enabled and if it is not
empty (default).
If at least this many conferences are active on the server, the type will
bail out before making any changes.
This is useful if you want to avoid service disruptions due to e.g. an SLA.

Sponsored by:	camilion.eu

.gitlab-ci.yml

@@ -1,14 +1,29 @@
 stages:
     - test
+    - doc
 
-image: code.ungleich.ch:5050/ungleich-public/cdist/cdist-ci:latest
+image: code.ungleich.ch:5050/ungleich-public/cdist-contrib/ci-container:latest
 
 shellcheck:
     stage: test
     script:
-        - ./scripts/run-shellcheck.sh
+        - make lint
 
 manpages:
     stage: test
     script:
-      - ./scripts/run-manpage-checks.sh
+      - make check-manpages
+
+docs:
+    stage: doc
+    only:
+      - master@ungleich-public/cdist-contrib
+    before_script:
+      - eval $(ssh-agent -s)
+      - echo "$CD_SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
+      - mkdir -p ~/.ssh
+      - echo "$CD_SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts
+      - chmod 644 ~/.ssh/known_hosts
+    script:
+      - make html
+      - sftp fnux@staticwebhosting.ungleich.ch:public_html/cdist-contrib <<< "put -r docs/dist/html/*"

CHANGELOG.md

@@ -1,4 +0,0 @@
-# cdist-contrib changes
-
-* 2020-06-03: New type: __unbound (Timothée Floure)
-* 2020-04-28: New type: __find_exec (Ander Punnar)

Makefile

@@ -0,0 +1,70 @@
+.PHONY: help
+help:
+	@echo "Please use \`make <target>' where <target> is one of"
+	@echo "man             build only man user documentation"
+	@echo "html            build only html user documentation"
+	@echo "docs            build both man and html user documentation"
+	@echo "check-manpages  check for manpage in types"
+	@echo "lint            run shellcheck on types"
+	@echo "check           run both type manpage checks and linting"
+	@echo "clean           clean"
+
+DOCS_SRC_DIR=./docs/src
+TYPEDIR=./type
+
+SPHINXM=make -C $(DOCS_SRC_DIR) man
+SPHINXH=make -C $(DOCS_SRC_DIR) html
+SPHINXC=make -C $(DOCS_SRC_DIR) clean
+
+################################################################################
+# Manpages
+#
+MAN7DSTDIR=$(DOCS_SRC_DIR)/man7
+
+# Use shell / ls to get complete list - $(TYPEDIR)/*/man.rst does not work
+# Using ls does not work if no file with given pattern exist, so use wildcard
+MANTYPESRC=$(wildcard $(TYPEDIR)/*/man.rst)
+MANTYPEPREFIX=$(subst $(TYPEDIR)/,$(MAN7DSTDIR)/cdist-type,$(MANTYPESRC))
+MANTYPES=$(subst /man.rst,.rst,$(MANTYPEPREFIX))
+
+# Link manpage: do not create man.html but correct named file
+$(MAN7DSTDIR)/cdist-type%.rst: $(TYPEDIR)/%/man.rst
+	mkdir -p $(MAN7DSTDIR)
+	ln -sf "../../../$^" $@
+
+DOCSINDEX=$(MAN7DSTDIR)/index.rst
+DOCSINDEXH=$(DOCS_SRC_DIR)/index.rst.sh
+
+$(DOCSINDEX): $(DOCSINDEXH)
+	$(DOCSINDEXH)
+
+# Manpages: .cdist Types
+DOT_CDIST_PATH=${HOME}/.cdist
+DOTMAN7DSTDIR=$(MAN7DSTDIR)
+DOTTYPEDIR=$(DOT_CDIST_PATH)/type
+
+# Link manpage: do not create man.html but correct named file
+$(DOTMAN7DSTDIR)/cdist-type%.rst: $(DOTTYPEDIR)/%/man.rst
+	ln -sf "$^" $@
+
+man: $(MANTYPES) $(DOCSINDEX)
+	$(SPHINXM)
+
+html: $(MANTYPES) $(DOCSINDEX)
+	$(SPHINXH)
+
+docs: man html
+
+check-manpages:
+	./scripts/run-manpage-checks.sh
+
+lint:
+	./scripts/run-shellcheck.sh
+
+check: check-manpages lint
+
+clean:
+	$(SPHINXC)
+	rm -f docs/src/index.rst
+	rm -rf docs/src/man7/
+	rm -rf docs/src/__pycache__/

README.md

@@ -5,8 +5,9 @@ tool with community-maitained types which are either too specific to fit/be
 maintained in cdist itself or were not accepted in code cdist but could still
 be useful.
 
-This project does not have releases and is continously updated: see
-`CHANGELOG.md` for details.
+This project does not have releases and is continously updated: see git history
+for change log. You will find HTML documentation at
+[contrib.cdi.st](https://contrib.cdi.st).
 
 ## Using cdist-contrib
 
@@ -32,14 +33,11 @@ And you would run [cdist][cdist] from the same directory as follows:
 
 ## Participating in the [cdist][cdist] community
 
-Join us on [#cdist:ungleich.ch][cdistmatrix] on matrix or on
-[#cdist over mattermost][cdistmattermost].
-
+Join us on [#cdist:ungleich.ch][cdistmatrix] on matrix!
 
 [cdist]: https://www.cdi.st/
 [cdistconfig]: https://www.cdi.st/manual/latest/cdist-configuration.html
 [cdistmatrix]: https://matrix.to/#/#cdist:ungleich.ch
-[cdistmattermost]: https://chat.ungleich.ch/ungleich/channels/cdist
 
 ## Contributing
 
@@ -53,3 +51,12 @@ Every type in cdist-contrib must:
 
   * Have a `man.rst` documentation page.
   * Pass [shellcheck](http://shellcheck.net/) without errors.
+
+## Other resources
+
+Some people/organizations are known to keep some cdist types that might be of
+interest to others:
+
+* [cdist-evilham](https://git.sr.ht/~evilham/cdist-evilham): Evilham's cdist-types
+* [cdist-recycledcloud](https://code.recycled.cloud/RecycledCloud/cdist-recycledcloud): e-Durable SA / Recycled Cloud public types
+* [cdist-ungleich](https://code.ungleich.ch/ungleich-public/cdist-ungleich): ungleich public types

docs/src/Makefile

@@ -0,0 +1,235 @@
+# Makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS   ?=
+SPHINXBUILD  ?= sphinx-build
+PAPER        ?=
+BUILDDIR     ?= ../dist
+# for cache, etc.
+_BUILDDIR     = _build
+
+# User-friendly check for sphinx-build
+ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
+    $(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don\'t have Sphinx installed, grab it from http://sphinx-doc.org/)
+endif
+
+# Internal variables.
+PAPEROPT_a4     = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS   = -d $(_BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+# the i18n builder cannot share the environment and doctrees with the others
+I18NSPHINXOPTS  = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+
+.PHONY: help
+help:
+	@echo "Please use \`make <target>' where <target> is one of"
+	@echo "  html       to make standalone HTML files"
+	@echo "  dirhtml    to make HTML files named index.html in directories"
+	@echo "  singlehtml to make a single large HTML file"
+	@echo "  pickle     to make pickle files"
+	@echo "  json       to make JSON files"
+	@echo "  htmlhelp   to make HTML files and a HTML help project"
+	@echo "  qthelp     to make HTML files and a qthelp project"
+	@echo "  applehelp  to make an Apple Help Book"
+	@echo "  devhelp    to make HTML files and a Devhelp project"
+	@echo "  epub       to make an epub"
+	@echo "  epub3      to make an epub3"
+	@echo "  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+	@echo "  latexpdf   to make LaTeX files and run them through pdflatex"
+	@echo "  latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
+	@echo "  text       to make text files"
+	@echo "  man        to make manual pages"
+	@echo "  texinfo    to make Texinfo files"
+	@echo "  info       to make Texinfo files and run them through makeinfo"
+	@echo "  gettext    to make PO message catalogs"
+	@echo "  changes    to make an overview of all changed/added/deprecated items"
+	@echo "  xml        to make Docutils-native XML files"
+	@echo "  pseudoxml  to make pseudoxml-XML files for display purposes"
+	@echo "  linkcheck  to check all external links for integrity"
+	@echo "  doctest    to run all doctests embedded in the documentation (if enabled)"
+	@echo "  coverage   to run coverage check of the documentation (if enabled)"
+	@echo "  dummy      to check syntax errors of document sources"
+
+.PHONY: clean
+clean:
+	rm -rf $(BUILDDIR)/*
+	rm -rf $(_BUILDDIR)/*
+
+.PHONY: html
+html:
+	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+.PHONY: dirhtml
+dirhtml:
+	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+.PHONY: singlehtml
+singlehtml:
+	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+	@echo
+	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+.PHONY: pickle
+pickle:
+	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+	@echo
+	@echo "Build finished; now you can process the pickle files."
+
+.PHONY: json
+json:
+	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+	@echo
+	@echo "Build finished; now you can process the JSON files."
+
+.PHONY: htmlhelp
+htmlhelp:
+	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+	@echo
+	@echo "Build finished; now you can run HTML Help Workshop with the" \
+	      ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+.PHONY: qthelp
+qthelp:
+	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+	@echo
+	@echo "Build finished; now you can run "qcollectiongenerator" with the" \
+	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/cdist-docs.qhcp"
+	@echo "To view the help file:"
+	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/cdist-docs.qhc"
+
+.PHONY: applehelp
+applehelp:
+	$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
+	@echo
+	@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
+	@echo "N.B. You won't be able to view it unless you put it in" \
+	      "~/Library/Documentation/Help or install it in your application" \
+	      "bundle."
+
+.PHONY: devhelp
+devhelp:
+	$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+	@echo
+	@echo "Build finished."
+	@echo "To view the help file:"
+	@echo "# mkdir -p $$HOME/.local/share/devhelp/cdist-docs"
+	@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/cdist-docs"
+	@echo "# devhelp"
+
+.PHONY: epub
+epub:
+	$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+	@echo
+	@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+.PHONY: epub3
+epub3:
+	$(SPHINXBUILD) -b epub3 $(ALLSPHINXOPTS) $(BUILDDIR)/epub3
+	@echo
+	@echo "Build finished. The epub3 file is in $(BUILDDIR)/epub3."
+
+.PHONY: latex
+latex:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo
+	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+	@echo "Run \`make' in that directory to run these through (pdf)latex" \
+	      "(use \`make latexpdf' here to do that automatically)."
+
+.PHONY: latexpdf
+latexpdf:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo "Running LaTeX files through pdflatex..."
+	$(MAKE) -C $(BUILDDIR)/latex all-pdf
+	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+.PHONY: latexpdfja
+latexpdfja:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo "Running LaTeX files through platex and dvipdfmx..."
+	$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
+	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+.PHONY: text
+text:
+	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+	@echo
+	@echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+.PHONY: man
+man:
+	$(SPHINXBUILD) -b cman $(ALLSPHINXOPTS) $(BUILDDIR)/man
+	mkdir -p $(BUILDDIR)/man/man7
+	mv -f $(BUILDDIR)/man/*.7 $(BUILDDIR)/man/man7/
+	@echo
+	@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+.PHONY: texinfo
+texinfo:
+	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+	@echo
+	@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
+	@echo "Run \`make' in that directory to run these through makeinfo" \
+	      "(use \`make info' here to do that automatically)."
+
+.PHONY: info
+info:
+	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+	@echo "Running Texinfo files through makeinfo..."
+	make -C $(BUILDDIR)/texinfo info
+	@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
+
+.PHONY: gettext
+gettext:
+	$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
+	@echo
+	@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
+
+.PHONY: changes
+changes:
+	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+	@echo
+	@echo "The overview file is in $(BUILDDIR)/changes."
+
+.PHONY: linkcheck
+linkcheck:
+	$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+	@echo
+	@echo "Link check complete; look for any errors in the above output " \
+	      "or in $(BUILDDIR)/linkcheck/output.txt."
+
+.PHONY: doctest
+doctest:
+	$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+	@echo "Testing of doctests in the sources finished, look at the " \
+	      "results in $(BUILDDIR)/doctest/output.txt."
+
+.PHONY: coverage
+coverage:
+	$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
+	@echo "Testing of coverage in the sources finished, look at the " \
+	      "results in $(BUILDDIR)/coverage/python.txt."
+
+.PHONY: xml
+xml:
+	$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
+	@echo
+	@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
+
+.PHONY: pseudoxml
+pseudoxml:
+	$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
+	@echo
+	@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
+
+.PHONY: dummy
+dummy:
+	$(SPHINXBUILD) -b dummy $(ALLSPHINXOPTS) $(BUILDDIR)/dummy
+	@echo
+	@echo "Build finished. Dummy builder generates no files."

docs/src/conf.py

@@ -0,0 +1,101 @@
+#!/usr/bin/env python3
+
+import sys
+import os
+import sphinx_rtd_theme
+
+from datetime import date
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+# sys.path.insert(0, os.path.abspath('.'))
+sys.path.insert(0, os.path.abspath(os.path.join(
+    os.path.dirname(os.path.realpath(__file__)), "..", "..")))
+
+# -- General configuration ------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+    'docs.src.manpage',
+    'sphinx.ext.extlinks',
+]
+
+# The suffix(es) of source filenames.
+# You can specify multiple suffix as a list of string:
+source_suffix = ['.rst']
+
+# The encoding of source files.
+# source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = 'cdist-contrib'
+copyright = 'cdist-contrib contributors'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+
+version = str(date.today())
+release = os.popen('git rev-parse HEAD').read()
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# If true, `todo` and `todoList` produce output, else they produce nothing.
+todo_include_todos = False
+
+# -- Options for HTML output ----------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+html_theme = 'sphinx_rtd_theme'
+html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'cdistcontribdoc'
+
+# -- Options for manual page output ---------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+root_mandir = os.path.dirname(os.path.realpath(__file__))
+mandirs = []
+for mansubdir in ('man7',):
+    mandirs.append((os.path.join(root_mandir, mansubdir), mansubdir[-1]))
+man_pages = []
+for mandir, section in mandirs:
+    for root, dirs, files in os.walk(mandir):
+        for fname in files:
+            froot, fext = os.path.splitext(fname)
+            if fext == '.rst':
+                man_page = (os.path.join('man' + str(section), froot),
+                            froot, '', [], section)
+                man_pages.append(man_page)
+
+# man_pages = [
+#    ('cdist-type', 'cdist-type', 'cdist-type documentation',
+#         [author], 1),
+#    ('man7/cdist-type__file', 'cdist-type__file',
+#        '', [], 1),
+#    ('cdist-type__directory', 'cdist-type__directory',
+#        'cdist-type__directory documentation', [author], 1),
+# ]
+
+# If true, show URL addresses after external links.
+# man_show_urls = False

docs/src/index.rst.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+__cdist_pwd="$(pwd -P)"
+__cdist_mydir="${0%/*}";
+__cdist_abs_mydir="$(cd "$__cdist_mydir" && pwd -P)"
+__cdist_myname=${0##*/};
+__cdist_abs_myname="$__cdist_abs_mydir/$__cdist_myname"
+
+filename="${__cdist_myname%.sh}"
+dest="$__cdist_abs_mydir/$filename"
+
+if ! command -v pandoc > /dev/null; then
+	echo "Pandoc is required to generate HTML index from README." >&2
+	exit 1
+fi
+
+cd "$__cdist_abs_mydir"
+
+exec > "$dest"
+
+pandoc -f markdown -t rst ../../README.md
+
+cat << EOF
+
+.. toctree::
+   :hidden:
+
+EOF
+
+# If there is no such file then ls prints error to stderr,
+# so redirect stderr to /dev/null.
+for type in $(ls man7/cdist-type__*.rst 2>/dev/null | LC_ALL=C sort); do
+    no_dir="${type#man7/}";
+    no_type="${no_dir#cdist-type}";
+    name="${no_type%.rst}";
+    manref="${no_dir%.rst}"
+    man="${manref}(7)"
+
+    echo "      $name" "<man7/${manref}>"
+done

docs/src/manpage.py

@@ -0,0 +1,87 @@
+import sphinx.builders.manpage
+import sphinx.writers.manpage
+from docutils.frontend import OptionParser
+from sphinx.util.console import bold, darkgreen
+from six import string_types
+from docutils.io import FileOutput
+from os import path
+from sphinx.util.nodes import inline_all_toctrees
+from sphinx import addnodes
+from sphinx.util import logging
+
+"""
+    Extension based on sphinx builtin manpage.
+    It does not write its own .SH NAME based on config,
+    but leaves everything to actual reStructuredText file content.
+"""
+
+
+logger = logging.getLogger(__name__)
+
+
+class ManualPageTranslator(sphinx.writers.manpage.ManualPageTranslator):
+
+    def header(self):
+        tmpl = (".TH \"%(title_upper)s\" \"%(manual_section)s\""
+                " \"%(date)s\" \"%(version)s\" \"%(manual_group)s\"\n")
+        return tmpl % self._docinfo
+
+
+class ManualPageWriter(sphinx.writers.manpage.ManualPageWriter):
+
+    def __init__(self, builder):
+        super().__init__(builder)
+        self.translator_class = (
+            self.builder.get_translator_class() or ManualPageTranslator)
+
+
+class ManualPageBuilder(sphinx.builders.manpage.ManualPageBuilder):
+
+    name = 'cman'
+    default_translator_class = ManualPageTranslator
+
+    def write(self, *ignored):
+        docwriter = ManualPageWriter(self)
+        docsettings = OptionParser(
+            defaults=self.env.settings,
+            components=(docwriter,),
+            read_config_files=True).get_default_values()
+
+        logger.info(bold('writing... '), nonl=True)
+
+        for info in self.config.man_pages:
+            docname, name, description, authors, section = info
+            if isinstance(authors, string_types):
+                if authors:
+                    authors = [authors]
+                else:
+                    authors = []
+
+            targetname = '%s.%s' % (name, section)
+            logger.info(darkgreen(targetname) + ' { ', nonl=True)
+            destination = FileOutput(
+                destination_path=path.join(self.outdir, targetname),
+                encoding='utf-8')
+
+            tree = self.env.get_doctree(docname)
+            docnames = set()
+            largetree = inline_all_toctrees(self, docnames, docname, tree,
+                                            darkgreen, [docname])
+            logger.info('} ', nonl=True)
+            self.env.resolve_references(largetree, docname, self)
+            # remove pending_xref nodes
+            for pendingnode in largetree.traverse(addnodes.pending_xref):
+                pendingnode.replace_self(pendingnode.children)
+
+            largetree.settings = docsettings
+            largetree.settings.title = name
+            largetree.settings.subtitle = description
+            largetree.settings.authors = authors
+            largetree.settings.section = section
+
+            docwriter.write(largetree, destination)
+        logger.info("")
+
+
+def setup(app):
+    app.add_builder(ManualPageBuilder)

scripts/ci-container/Dockerfile

@@ -0,0 +1,7 @@
+# This image is used in the cdist-contrib CI for linting and generating the
+# documentation.
+FROM fedora:latest
+MAINTAINER Timothée Floure <fnux@ungleich.ch>
+
+RUN dnf install -y git findutils make python3-sphinx python3-sphinx_rtd_theme \
+			ShellCheck openssh-clients pandoc

scripts/run-shellcheck.sh

@@ -1,21 +1,29 @@
-#!/bin/sh
+#!/bin/sh -eu
 
-SHELLCHECKCMD="shellcheck -s sh -f gcc -x"
+SHELLCHECKCMD='shellcheck -s sh -f gcc -x'
 # Skip SC2154 for variables starting with __ since such variables are cdist
 # environment variables.
 SHELLCHECK_SKIP=': __.*is referenced but not assigned.*\[SC2154\]'
-SHELLCHECKTMP=".shellcheck.tmp"
+SHELLCHECKTMP='.shellcheck.tmp'
 
 # Move to top-level cdist-contrib directory.
-cd $(dirname $0)/..
+cd "$(dirname $0)"/..
 
-check () {
-	find type/ -type f $1 $2 -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}"  > "${SHELLCHECKTMP}"
-	test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
+check() {
+	find type/ -type f "$@" -exec ${SHELLCHECKCMD} {} + \
+	| grep -v "${SHELLCHECK_SKIP}" >>"${SHELLCHECKTMP}" || true
 }
 
-check -path "*/explorer/*"
-check -path "*/files/*"
+rm -f "${SHELLCHECKTMP}"
+
+check -path '*/explorer/*'
+check -path '*/files/*' -name '*.sh'
 check -name manifest
 check -name gencode-local
 check -name gencode-remote
+
+if test -s "${SHELLCHECKTMP}"
+then
+	cat "${SHELLCHECKTMP}" >&2
+	exit 1
+fi

type/__bird_bgp/files/template.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+# Template to generate a bgp protocol configuration file for bird(1).
+# Required non-empty variables:
+# __object_id, local_{ip,as}, neighbor_{ip,as}
+#
+# Required defined variables:
+# description, password, ipv{4,6}_{import,export}
+
+# Header
+echo "protocol bgp ${__object_id:?} {"
+
+# Optional description
+[ -n "${description?}" ] && printf "\tdescription \"%s\";\n" "${description?}"
+
+# Mandatory session information
+cat << EOF
+	local ${local_ip?} as ${local_as:?};
+	neighbor ${neighbor_ip:?} as ${neighbor_as:?};
+EOF
+
+# Direct connection ?
+[ -n "${direct?}" ] && printf "\tdirect;\n"
+
+# Password-protected session ?
+[ -n "${password?}" ] && printf "\tpassword \"%s\";\n" "${password?}"
+
+if [ -n "${ipv4_import?}" ] || [ -n "${ipv4_export?}" ] || "${ipv4_extended_next_hop?}";
+then
+	printf "\tipv4 {\n"
+	[ -n "${ipv4_import?}" ] && printf "\t\timport %s;\n" "${ipv4_import:?}"
+	[ -n "${ipv4_export?}" ] && printf "\t\texport %s;\n" "${ipv4_export:?}"
+	[ -n "${ipv4_extended_next_hop?}" ] && printf "\t\textended next hop;\n"
+	printf "\t};\n"
+fi
+if [ -n "${ipv6_import?}" ] || [ -n "${ipv6_export?}" ] || "${ipv6_extended_next_hop?}";
+then
+	printf "\tipv6 {\n"
+	[ -n "${ipv6_import?}" ] && printf "\t\timport %s;\n" "${ipv6_import:?}"
+	[ -n "${ipv6_export?}" ] && printf "\t\texport %s;\n" "${ipv6_export:?}"
+	[ -n "${ipv6_extended_next_hop?}" ] && printf "\t\textended next hop;\n"
+	printf "\t};\n"
+fi
+
+# Header close
+echo "}"

type/__bird_bgp/man.rst

@@ -0,0 +1,105 @@
+cdist-type__bird_bgp(7)
+=======================
+
+NAME
+----
+cdist-type__bird_bgp - configure an instance of the BGP protocol.
+
+
+DESCRIPTION
+-----------
+This type writes the configuration for an instance of the BGP protocol to be
+ran by the bird internet routing daemon. It **expects** to depend on the
+`cdist-type__bird_core(7)` type.
+
+
+REQUIRED PARAMETERS
+-------------------
+local-as
+    The number for the AS in which the daemon is running.
+
+neighbor-as
+    The number of the AS with which we are peering.
+
+neighbor-ip
+    The IP address of the peer we are opening a session with.
+
+
+OPTIONAL PARAMETERS
+-------------------
+description
+    An instance desciption to be printed when `birdc show protocols` is called.
+
+local-ip
+    The IP address used as a source address for the BGP session.
+
+password
+    A password for the BGP session.
+
+ipv4-import
+    A string suitable for the bird `import` directive. Usually `all`, `none` or
+    a filter definition.
+
+ipv4-export
+    See ipv4-import.
+
+ipv4-extended-next-hop
+    Allow IPv6 next hop in IPv4 NLRI.
+
+ipv6-import
+    See ipv4-import.
+
+ipv6-export
+    See ipv4-import.
+
+ipv6-extended-next-hop
+    Allow IPv4 next hop in IPv6 NLRI.
+
+
+BOOLEAN PARAMETERS
+------------------
+direct
+    Specify that the two routers are directly connected.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup bird and open a BGP session.
+    __bird_core --router-id 198.51.100.4
+
+    require='__bird_core' __bird_bgp bgp4 \
+        --description "a test IPv4 BGP instance" \
+        --ipv4-export all \
+        --ipv4-import all \
+        --ipv6-export none \
+        --ipv6-import none \
+        --local-as 1234 \
+        --local-ip 198.51.100.4 \
+        --neighbor-as 4321 \
+        --neighbor-ip 198.51.100.3 \
+        --password hunter01
+
+
+SEE ALSO
+--------
+cdist-type__bird_core(7)
+cdist-type__bird_filter(7)
+cdist-type__bird_kernel(7)
+cdist-type__bird_ospf(7)
+cdist-type__bird_static(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_bgp/manifest

@@ -0,0 +1,122 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+	"alpine"|"debian"|"ubuntu")
+		confdir="/etc/bird.d"
+	;;
+	*)
+		printf "Your operating system (%s) is currently not supported by __bird_bgp\n" "$os" >&2
+		printf "Please contribute an implementation for it if you can.\n" >&2
+		exit 1
+	;;
+esac
+
+# Required parameters
+local_as="$(cat "${__object:?}"/parameter/local-as)"
+export local_as
+
+neighbor_as="$(cat "${__object:?}"/parameter/neighbor-as)"
+export neighbor_as
+
+neighbor_ip="$(cat "${__object:?}"/parameter/neighbor-ip)"
+export neighbor_ip
+
+# Optional parameters
+description=
+if [ -f "${__object:?}"/parameter/description ];
+then
+	description="$(cat "${__object:?}"/parameter/description)"
+fi
+export description
+
+direct=
+if [ -f "${__object:?}"/parameter/direct ];
+then
+	direct="true"
+fi
+export direct
+
+ipv4_extended_next_hop=
+if [ -f "${__object:?}"/parameter/ipv4-extended-next-hop ];
+then
+	ipv4_extended_next_hop="true"
+fi
+export ipv4_extended_next_hop
+
+ipv6_extended_next_hop=
+if [ -f "${__object:?}"/parameter/ipv6-extended-next-hop ];
+then
+	ipv6_extended_next_hop="true"
+fi
+export ipv6_extended_next_hop
+
+local_ip=
+if [ -f "${__object:?}"/parameter/local-ip ];
+then
+	local_ip="$(cat "${__object:?}"/parameter/local-ip)"
+fi
+export local_ip
+
+password=
+if [ -f "${__object:?}"/parameter/password ];
+then
+	password="$(cat "${__object:?}"/parameter/password)"
+fi
+export password
+
+ipv4_import=
+if [ -f "${__object:?}"/parameter/ipv4-import ];
+then
+	ipv4_import="$(cat "${__object:?}"/parameter/ipv4-import)"
+fi
+export ipv4_import
+
+ipv4_export=
+if [ -f "${__object:?}"/parameter/ipv4-export ];
+then
+	ipv4_export="$(cat "${__object:?}"/parameter/ipv4-export)"
+fi
+export ipv4_export
+
+ipv6_import=
+if [ -f "${__object:?}"/parameter/ipv6-import ];
+then
+	ipv6_import="$(cat "${__object:?}"/parameter/ipv6-import)"
+fi
+export ipv6_import
+
+ipv6_export=
+if [ -f "${__object:?}"/parameter/ipv6-export ];
+then
+	ipv6_export="$(cat "${__object:?}"/parameter/ipv6-export)"
+fi
+export ipv6_export
+
+# Run template
+"${__type:?}"/files/template.sh > "${__files:?}/bgp-${__object_id:?}.conf"
+
+# Install resulting configuration
+__file "${confdir:?}"/bgp-"${__object_id:?}".conf \
+	--mode 0640 --owner root --group bird \
+	--source "${__files:?}/bgp-${__object_id:?}.conf"

type/__bird_bgp/parameter/boolean

@@ -0,0 +1,3 @@
+direct
+ipv4-extended-next-hop
+ipv6-extended-next-hop

type/__bird_bgp/parameter/optional

@@ -0,0 +1,7 @@
+description
+ipv4-export
+ipv4-import
+ipv6-export
+ipv6-import
+local-ip
+password

type/__bird_bgp/parameter/required

@@ -0,0 +1,3 @@
+local-as
+neighbor-as
+neighbor-ip

type/__bird_core/man.rst

@@ -0,0 +1,65 @@
+cdist-type__bird-core(7)
+========================
+
+NAME
+----
+cdist-type__bird-core - setup a skeleton bird configuration.
+
+
+DESCRIPTION
+-----------
+The `bird`_ daemon is an internet routing daemon, running protocols such as
+OSPF and BGP. This type creates a skeleton configuration file suitable for
+running a no-op bird. It is then intended to be combined - and depended on - by
+types specific to the instances of the various protocols that bird should run.
+
+.. _bird: https://bird.network.cz/
+
+OPTIONAL PARAMETERS
+-------------------
+router-id
+    This parameter follows the format of an IPv4 address, and will be used by
+    bird as its router id. See `the documentation for router id`_.
+
+.. _the documentation for router id: https://bird.network.cz/?get_doc&v=20&f=bird-3.html#opt-router-id
+
+log-params
+
+    This parameter expects a string suitable to follow the `log` bird
+    configuration key. If this parameter is not include, the value `syslog all`
+    is used. See `the documentation for log`_.
+
+.. _the documentation for log: https://bird.network.cz/?get_doc&v=20&f=bird-3.html#opt-log
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __bird-core --router-id 198.51.100.4
+
+    require='__bird-core' __bird_bgp <...>
+    require='__bird-core' __bird_ospf <...>
+
+
+SEE ALSO
+--------
+cdist-type__bird_bgp(7)
+cdist-type__bird_filter(7)
+cdist-type__bird_kernel(7)
+cdist-type__bird_ospf(7)
+cdist-type__bird_static(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_core/manifest

@@ -0,0 +1,72 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+package=
+conffile=
+confdir=
+case "$os" in
+	"alpine")
+		package=bird
+		conffile=/etc/bird.conf
+		confdir=/etc/bird.d
+	;;
+	*)
+		printf "Your operating system (%s) is currently not supported by __bird_core\n" "$os" >&2
+		printf "Please contribute an implementation for it if you can.\n" >&2
+		exit 1
+	;;
+esac
+
+router_id=
+if [ -f "${__object:?}/parameter/router-id" ];
+then
+	router_id="router id $(cat "${__object:?}"/parameter/router-id);"
+fi
+
+log_params="syslog all"
+if [ -f "${__object:?}/parameter/log-params" ];
+then
+	log_params="$(cat "${__object:?}"/parameter/log-params)"
+fi
+
+__package "$package"
+
+export require="__package/$package"
+__directory "$confdir"
+__file "$conffile" \
+	--mode 0640 --owner root --group bird \
+	--source - << EOF
+# $conffile - bird(1) configuration file.
+# Managed by cdist. Do not edit by hand.
+
+${router_id}
+log ${log_params};
+
+# Always include this "protocol": all it does is expose the available
+# interfaces to bird.
+protocol device {
+	description "Obtain a list of device interfaces.";
+}
+
+include "$confdir/*.conf";
+EOF

type/__bird_core/parameter/optional

@@ -0,0 +1 @@
+log-params

type/__bird_core/parameter/required

@@ -0,0 +1 @@
+router-id

type/__bird_filter/man.rst

@@ -0,0 +1,63 @@
+cdist-type__bird_filter(7)
+==========================
+
+NAME
+----
+cdist-type__bird_filter - Create a named filter to use in configuring bird.
+
+
+DESCRIPTION
+-----------
+This type writes a configuration file defining a filter named `__object_id` for
+the bird internet routing daemon. It is guaranteed that all filters defined
+through this type will be loaded before any other protocol defined using the
+cdist __bird_xxx types, except functions. However, note that if two filters
+have a dependency, they will be loaded in alphabetical order, so some care may
+need to be taken in the naming.
+
+This type takes it's input through stdin, expecting valid filter statements as
+per the bird configuration file syntax. The standard input will be printed out
+between a `filter __object_id {\n ... \n}`, so only the inner statements are
+needed.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup bird, a filter and open a BGP session.
+    __bird_core --router-id 198.51.100.4
+
+    require='__bird_core' __bird_filter bgp_export <<- EOF
+        if (source = RTS_DEVICE) then accept;
+        reject;
+    EOF
+
+    require='__bird_core' __bird_bgp bgp4 \
+        --description "a test IPv4 BGP instance" \
+        --ipv4-export "filter bgp_export" \
+        --[...]
+
+
+SEE ALSO
+--------
+cdist-type__bird_core(7)
+cdist-type__bird_bgp(7)
+cdist-type__bird_function(7)
+cdist-type__bird_kernel(7)
+cdist-type__bird_ospf(7)
+cdist-type__bird_static(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_filter/manifest

@@ -0,0 +1,44 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+'alpine'|'debian'|'ubuntu')
+	confdir=/etc/bird.d
+	;;
+*)
+	printf "Your operating system (%s) is currently not supported by __bird_filter\n" "$os" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+	;;
+esac
+
+# Filters start with 1 because bird loads the config in alphanumerical order
+# and we need them to be defined to be used in the rest of the stuff, but after
+# functions.
+__file "$confdir/1-filter-${__object_id:?}.conf" \
+	--owner root --group bird --mode 0640 \
+	--source - << EOF
+filter ${__object_id:?} {
+$(cat "${__object:?}"/stdin)
+}
+EOF

type/__bird_function/man.rst

@@ -0,0 +1,58 @@
+cdist-type__bird_function(7)
+============================
+
+NAME
+----
+cdist-type__bird_function - Create a named function to use in configuring bird.
+
+
+DESCRIPTION
+-----------
+
+This type writes a configuration file for the bird internet routing daemon. It
+is guaranteed that all functions defined through this type will be loaded
+before any other protocol defined using the cdist __bird_xxx types. However,
+note that if two functions have a dependency, they will be loaded in
+alphabetical order, so some care may need to be taken in the naming.
+
+This type takes it's input through stdin, expecting a valid function definition
+as per the bird configuration file syntax.
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup bird, a function and open a BGP session.
+    __bird_core --router-id 198.51.100.4
+
+    require='__bird_core' __bird_function is_device <<- EOF
+        function is_device (enum source)
+        {
+        if (source = RTS_DEVICE) then return true;
+        return false;
+        }
+    EOF
+
+
+SEE ALSO
+--------
+cdist-type__bird_core(7)
+cdist-type__bird_bgp(7)
+cdist-type__bird_filter(7)
+cdist-type__bird_kernel(7)
+cdist-type__bird_ospf(7)
+cdist-type__bird_static(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_function/manifest

@@ -0,0 +1,41 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+'alpine'|'debian'|'ubuntu')
+	confdir=/etc/bird.d
+	;;
+*)
+	printf "Your operating system (%s) is currently not supported by __bird_filter\n" "$os" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+	;;
+esac
+
+# Functions start with 0 because bird loads the config in alphanumerical order
+# and we need them to be defined to be used in the rest of the stuff.
+__file "$confdir/0-function-${__object_id:?}.conf" \
+	--owner root --group bird --mode 0640 \
+	--source - << EOF
+$(cat "${__object:?}"/stdin)
+EOF

type/__bird_kernel/man.rst

@@ -0,0 +1,73 @@
+cdist-type__bird_kernel(7)
+==========================
+
+NAME
+----
+cdist-type__bird_kernel - configure syncing of routes with the kernel.
+
+
+DESCRIPTION
+-----------
+
+This type writes the configuration for an instance of the kernel protocol to be
+ran by the bird internet routing daemon. It **expects** to depend on the
+`cdist-type__bird_core(7)` type.
+
+OPTIONAL PARAMETERS
+-------------------
+description
+    An instance desciption to be printed when `birdc show protocols` is called.
+
+persist
+    Instruct bird to leave routes in kernel table after exiting. See the bird
+    `persist` keyword.
+
+learn
+    Learn routes added externally to the kernel routing table. See the bird
+    `learn` keyword.
+
+channel
+    The channel to connect the protocol to. Usually `ipv4` or `ipv6`.
+
+import
+    A string suitable for the bird `import` directive. Usually `all`, `none` or
+    a filter definition.
+
+export
+    See import.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup bird and open a BGP session.
+    __bird_core --router-id 198.51.100.4
+
+    require='__bird_core' __bird_kernel k4 \
+        --learn --persist --channel ipv4 \
+        --import all \
+        --export all
+
+
+SEE ALSO
+--------
+cdist-type__bird_bgp(7)
+cdist-type__bird_core(7)
+cdist-type__bird_filter(7)
+cdist-type__bird_ospf(7)
+cdist-type__bird_static(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_kernel/manifest

@@ -0,0 +1,83 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+	"alpine"|"debian"|"ubuntu")
+		confdir="/etc/bird.d"
+	;;
+	*)
+		printf "Your operating system (%s) is currently not supported by __bird_kernel\n" "$os" >&2
+		printf "Please contribute an implementation for it if you can.\n" >&2
+		exit 1
+	;;
+esac
+
+# Required parameters
+channel="$(cat "${__object:?}/parameter/channel")"
+
+# Boolean switches
+persist=
+if [ -f "${__object:?}"/parameter/persist ];
+then
+	persist=true
+fi
+
+learn=
+if [ -f "${__object:?}"/parameter/learn ];
+then
+	learn=true
+fi
+
+# Optional parameters
+description=
+if [ -f "${__object:?}"/parameter/description ];
+then
+	description="$(cat "${__object:?}/parameter/description")"
+fi
+
+import=
+if [ -f "${__object:?}"/parameter/import ];
+then
+	import="$(cat "${__object:?}/parameter/import")"
+fi
+
+_export=
+if [ -f "${__object:?}"/parameter/export ];
+then
+	_export="$(cat "${__object:?}/parameter/export")"
+fi
+
+# Install resulting configuration
+__file "${confdir:?}"/kernel-"${__object_id:?}".conf \
+	--mode 0640 --owner root --group bird \
+	--source - << EOF
+protocol kernel ${__object_id:?} {
+$([ -n "${description?}" ] && printf "\tdescription \"%s\";\n" "${description?}")
+$([ -n "${persist?}" ] && printf "\tpersist;\n")
+$([ -n "${learn?}" ] && printf "\tlearn;\n")
+	${channel:?} {
+		import ${import:?};
+		export ${_export:?};
+	};
+}
+EOF

type/__bird_kernel/parameter/boolean

@@ -0,0 +1,2 @@
+learn
+persist

type/__bird_kernel/parameter/optional

@@ -0,0 +1 @@
+description

type/__bird_kernel/parameter/required

@@ -0,0 +1,3 @@
+channel
+import
+export

type/__bird_ospf/man.rst

@@ -0,0 +1,63 @@
+cdist-type__bird-ospf(7)
+========================
+
+NAME
+----
+cdist-type__bird-ospf - Configure an instance of the OSPF protocol
+
+
+DESCRIPTION
+-----------
+
+This type is an *extremely rudimentary* method to configure a simple OSPF
+protocol instance for bird, the internet routing daemon. Even this manpage is
+pretty crude and will be fixed and expanded.
+
+REQUIRED PARAMETERS
+-------------------
+channel
+    The channel the protocol should connect to. Usually `ipv4` or `ipv6`.
+
+import
+    The keyword or filter to decide what to import in the above channel.
+
+export
+    The keyword or filter to decide what to export in the above channel.
+
+OPTIONAL PARAMETERS
+-------------------
+description
+    A description given with `show protocol all`
+
+instance-id
+    An OSPF instance ID, allowing several OSPF instances to run on the same
+    links.
+
+extra-area-configuration
+    Configuration string added to the `area` section of the OSPF configuration.
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
+
+stubnet
+    Add an optionless stubnet definition to the configuration.
+
+interface
+    An interface to include in OSPF area 0. Is required unless
+    extra-area-configuration is set.
+
+SEE ALSO
+--------
+cdist-type__bird_core(7)
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_ospf/manifest

@@ -0,0 +1,81 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+'alpine'|'debian'|'ubuntu')
+	confdir='/etc/bird.d'
+;;
+*)
+	printf "Your operating system (%s) is currently not supported by this __bird_ospf\n" "$os" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+;;
+esac
+
+description=
+if [ -f "${__object:?}/parameter/description" ];
+then
+	description="$(cat "${__object:?}/parameter/description")"
+fi
+
+instance_id=
+if [ -f "${__object:?}/parameter/instance-id" ];
+then
+	instance_id="$(cat "${__object:?}/parameter/instance-id")"
+fi
+
+extra_area_configuration=
+if [ -f "${__object:?}/parameter/extra-area-configuration" ];
+then
+	extra_area_configuration="$(cat "${__object:?}/parameter/extra-area-configuration")"
+
+	if [ "$extra_area_configuration" = "-" ]; then
+		extra_area_configuration=$(cat "$__object/stdin")
+	fi
+fi
+
+if [ ! -f "${__object:?}/parameter/interface" ] && [ -z "$extra_area_configuration" ]; then
+	echo "Either --interface or --extra-area-configuration must be set." >&2
+	exit 1
+fi
+
+__file "${confdir:?}/ospf-${__object_id:?}.conf" \
+	--mode 0640 --owner root --group bird \
+	--source - << EOF
+protocol ospf v3 ${__object_id:?} {
+$([ -n "${description?}" ] && printf "\tdescription \"%s\";\n" "${description?}")
+$([ -n "${instance_id?}" ] && printf "\tinstance id %s;\n" "${instance_id?}")
+
+	$(cat "${__object:?}/parameter/channel") {
+		import $(cat "${__object:?}/parameter/import");
+		export $(cat "${__object:?}/parameter/export");
+	};
+
+	area 0 {
+$(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
+$(sed -e 's/^/\t\tsubnet /' -e 's/$/;/' "${__object:?}/parameter/subnet")
+
+		$extra_area_configuration
+	};
+}
+EOF

type/__bird_ospf/parameter/optional

@@ -0,0 +1,3 @@
+description
+instance-id
+extra-area-configuration

type/__bird_ospf/parameter/optional_multiple

@@ -0,0 +1,2 @@
+stubnet
+interface

type/__bird_ospf/parameter/required

@@ -0,0 +1,3 @@
+channel
+import
+export

type/__bird_radv/man.rst

@@ -0,0 +1,71 @@
+cdist-type__bird_radv(7)
+========================
+
+NAME
+----
+cdist-type__bird_radv - Configure the Bird Internet Router Daemon to send RAdvs.
+
+
+DESCRIPTION
+-----------
+
+The Bird Internet Router Daemon knows about a bunch of internet routing
+protocols. In particular, it can send Router Advertisements to help
+autoconfigure IPv6 hosts, this type is a rudimentary implementation to generate
+configuration for Bird to do so.
+
+
+REQUIRED PARAMETERS
+-------------------
+interface
+  The interfaces to activate the protocol on. RAs will be sent using the
+  prefixes configured on these interfaces.
+
+OPTIONAL PARAMETERS
+-------------------
+mtu
+  An optional MTU setting to include in the router advertisements.
+
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
+route
+  Routes to be added to the RA for hosts.
+
+ns
+  Recursive DNS servers given to the hosts through RAs.
+
+dnssl
+  Search domain to be given to the hosts through RAs.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __bird_radv datacenter \
+        --interface eth1 \
+        --mtu 9000 \
+        --route ::/0 \
+        --ns 2001:DB8:cafe::4 \
+        --ns 2001:DB8:cafe::14 \
+        --dnssl "example.com"
+
+
+SEE ALSO
+--------
+`__bird_core(7)`
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_radv/manifest

@@ -0,0 +1,89 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+'alpine'|'debian'|'ubuntu')
+	confdir='/etc/bird.d'
+;;
+*)
+	printf "Your operating system (%s) is currently not supported by __bird_radv\n" "$os" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+;;
+esac
+
+have_routes=no
+if [ -f "${__object:?}/parameter/route" ];
+then
+	have_routes=yes
+fi
+
+RDNS=
+if [ -f "${__object:?}/parameter/ns" ];
+then
+	RDNS=$(cat << EOF
+	rdnss {
+$(sed -e 's/^/\t\tns /' -e 's/$/;/' "${__object:?}/parameter/ns")
+	};
+
+EOF
+)
+fi
+
+DNSSL=
+if [ -f "${__object:?}/parameter/dnssl" ];
+then
+	DNSSL=$(sed -e 's/^/\tdnssl "/' -e 's/$/";/' "${__object:?}/parameter/dnssl")
+fi
+
+MTU=
+if [ -f "${__object:?}/parameter/mtu" ];
+then
+	MTU="link mtu $(cat "${__object:?}/parameter/mtu")"
+fi
+
+__file "${confdir:?}/radv-${__object_id:?}.conf" \
+	--mode 0640 --owner root --group bird \
+	--source - << EOF
+ipv6 table radv_routes;
+
+protocol static {
+	description "Routes advertised via RAs";
+	ipv6 { table radv_routes; };
+
+$(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
+}
+
+protocol radv ${__object_id:?} {
+	propagate routes ${have_routes:?};
+	ipv6 { table radv_routes; export all; };
+
+	interface "$(cat "${__object:?}/parameter/interface")" {
+	$MTU
+	};
+
+$RDNS
+
+$DNSSL
+
+}
+EOF

type/__bird_radv/parameter/optional

@@ -0,0 +1 @@
+mtu

type/__bird_radv/parameter/optional_multiple

@@ -0,0 +1,3 @@
+dnssl
+ns
+route

type/__bird_radv/parameter/required

@@ -0,0 +1 @@
+interface

type/__bird_static/files/template.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+# Template to generate a static protocol configuration file for bird(1).
+# Required non-empty variables:
+# __object_id, object
+#
+# Required defined variables:
+# description
+
+# Header
+printf "protocol static %s {\n" "${__object_id:?}"
+
+# Optional description
+[ -n "${description?}" ] && printf "\tdescription \"%s\";\n" "${description:?}"
+
+# Channel choice
+printf "\t%s;\n" "$(cat "${__object:?}/parameter/channel")"
+
+# Routes
+while read -r route
+do
+	printf "\troute %s;\n" "${route?}"
+done < "${__object:?}/parameter/route"
+
+# Header close
+printf "}\n"

type/__bird_static/man.rst

@@ -0,0 +1,69 @@
+cdist-type__bird_static(7)
+==========================
+
+NAME
+----
+cdist-type__bird_static - configure an instance of the bird static protocol.
+
+
+DESCRIPTION
+-----------
+This type write the configuration file for an instance of the static protocl to
+be ran bu the bird internet routing daemon, allowing an administrator to inject
+static routes into the daemon's routing tables. This protocol allows for only
+one of two channels to be used, either `ipv4` or `ipv6`, by default `ipv6` is
+used unless the `ipv4` flag is passed. This type **expects** to depend on the
+`cdist-type__bird_core(7)` type.
+
+
+REQUIRED PARAMETERS
+-------------------
+channel
+   The channel to use between the protocol and the table.
+
+REQUIRED MULTIPLE PARAMETERS
+----------------------------
+route
+    This flag expects a valid route to be inserted between the bird `route`
+    keyword and the end of line. It may be specified as many times as necessary.
+
+
+OPTIONAL PARAMETERS
+-------------------
+description
+    An instance desciption to be printed when `birdc show protocols` is called.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup bird and open a BGP session.
+    __bird_core --router-id 198.51.100.4
+
+    require='__bird_core' __bird_static static4 \
+        --description "static ipv4 routes plugged into bird" \
+        --route "198.51.0.0/16 via 192.51.100.1" \
+        --route "192.52.0.0/16 via 192.51.100.1"
+
+
+SEE ALSO
+--------
+cdist-type__bird_core(7)
+cdist-type__bird_bgp(7)
+cdist-type__bird_kernel(7)
+cdist-type__bird_ospf(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_static/manifest

@@ -0,0 +1,51 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+	'alpine'|'debian'|'ubuntu')
+		confdir=/etc/bird.d
+	;;
+	*)
+		printf "Your operating system (%s) is currently not supported by __bird_static\n" "$os" >&2
+		printf "Please contribute an implementation for it if you can.\n" >&2
+		exit 1
+	;;
+esac
+
+# Required parameter route is directly accessed in template.
+# Boolean  parameter ipv4  is directly accessed in template.
+# Optional parameter description
+description=
+if [ -f "${__object:?}/parameter/description" ];
+then
+	description="$(cat "${__object:?}/parameter/description")"
+fi
+export description
+
+# Run template
+"${__type:?}"/files/template.sh > "${__files:?}/static-${__object_id:?}.conf"
+
+# Install resulting configuration
+__file "${confdir:?}"/static-"${__object_id:?}".conf \
+	--mode 0640 --owner root --group bird \
+	--source "${__files:?}/static-${__object_id:?}.conf"

type/__bird_static/parameter/optional

@@ -0,0 +1 @@
+description

type/__bird_static/parameter/required

@@ -0,0 +1 @@
+channel

type/__bird_static/parameter/required_multiple

@@ -0,0 +1 @@
+route

type/__borg_repo/gencode-remote

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+passphrase=
+appendonly=
+
+case "$(cat "${__object:?}/parameter/encryption")" in
+	none)
+		enc=none
+		;;
+	repokey)
+		enc=repokey
+		if [ -f "${__object:?}/parameter/passphrase" ];
+		then
+			passphrase="$(cat "${__object:?}/parameter/passphrase")"
+		else
+			echo "__borg_repo cannot use repokey encryption with no passphrase. Aborting." >&2;
+			exit 1;
+		fi
+		;;
+	*)
+		echo "$enc is not a known encryption mode for __borg_repo. Aborting." >&2
+		exit 1;
+esac
+
+if [ -f "${__object:?}/parameter/append-only" ];
+then
+	appendonly='--append-only'
+fi
+
+if [ -f "${__object:?}/parameter/owner" ];
+then
+	doas="sudo -u '$(cat "${__object:?}/parameter/owner")'"
+fi
+
+cat <<- EOF
+	set -x
+	if [ ! -d "/${__object_id:?}" ]; then
+		$doas BORG_NEW_PASSPHRASE=$passphrase borg init -e ${enc:?} $appendonly /${__object_id:?}
+	fi
+EOF
+

type/__borg_repo/man.rst

@@ -0,0 +1,46 @@
+cdist-type__borg_repo(7)
+========================
+
+NAME
+----
+cdist-type__borg_repo - Configure a borg repository on host
+
+
+DESCRIPTION
+-----------
+
+Initializes a borg repository at the location specified in the
+`${__object_id}`. Nothing is done if the repository already exists.
+
+Currently, only `none` and `repokey` are supported as encryption modes;
+`repokey` requires the `passphrase` argument to be given. The default is
+`none`.
+
+REQUIRED PARAMETERS
+-------------------
+encryption
+  The encryption to use.
+
+OPTIONAL PARAMETERS
+-------------------
+passphrase
+  The passphrase to encrypt the keyfile with.
+
+owner
+  Remote user owning the repository.
+
+BOOLEAN PARAMETERS
+------------------
+append-only
+  If the repository is append-only
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+COPYING
+-------
+Copyright \(C) 2020 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__borg_repo/manifest

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+os="$(cat "${__global:?}"/explorer/os)"
+
+case "$os" in
+	"alpine"|"ubuntu")
+		borg_package=borgbackup
+		;;
+	*)
+		echo "__borg_repo is not yet implemented for os $os. Aborting." >&2;
+		exit 1;
+esac
+
+__package "$borg_package"
+
+if [ -f "${__object:?}/parameter/owner" ];
+then
+	__package sudo
+fi
+

type/__borg_repo/parameter/boolean

@@ -0,0 +1 @@
+append-only

type/__borg_repo/parameter/default/encryption

@@ -0,0 +1 @@
+none

type/__borg_repo/parameter/optional

@@ -0,0 +1,2 @@
+passphrase
+owner

type/__borg_repo/parameter/required

@@ -0,0 +1 @@
+encryption

type/__dma/explorer/auth_conf

@@ -0,0 +1,49 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+# This explorer determines the path of dma's auth.conf file
+
+# No dma.conf -> use default
+test -f /etc/dma/dma.conf || {
+	echo /etc/dma/auth.conf
+	exit 0
+}
+test -r /etc/dma/dma.conf || {
+	echo 'Cannot read /etc/dma/dma.conf' >&2
+	exit 1
+}
+
+# Get AUTHPATH from dma.conf
+awk -F'[ \t]' '
+{
+	sub(/#.*$/, "", $0)  # remove comments
+	if (!$0) next  # ignore empty lines
+}
+$1 == "AUTHPATH" {
+	# Store authpath. In dma conf parsing last wins.
+	if ($2) authpath = substr($0, index($0, " ") + 1)
+}
+END {
+	if (authpath) {
+		print authpath
+		exit 0
+	} else exit 1
+}
+' /etc/dma/dma.conf \
+|| echo /etc/dma/auth.conf  # default

type/__dma/explorer/conf

@@ -0,0 +1,34 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+# This explorer returns a sorted list of "active" (= non-commented) lines
+# in the dma.conf file.
+# "Trailing" line comments are stripped off.
+#
+# NOTE: This explorer assumes that the sort(1) utility supports the non-POXIX
+#       -s (stable sort) option.
+
+CONF_PATH=/etc/dma  # set in Makefile
+dma_conf="${CONF_PATH:?}/dma.conf"
+
+test -f "${dma_conf}" || exit 0
+
+grep -v -e '^[ \t]*#\|^$' "${dma_conf}" \
+| sed -e 's/[ \t]*#.*$//' \
+| sort -s -k 1,1

type/__dma/files/update_dma_conf.awk

@@ -0,0 +1,178 @@
+#!/usr/bin/awk -f
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+
+function comment_line(line) {
+	# returns the position in line at which the comment's text starts
+	# (0 if the line is not a comment)
+	match(line, /^[ \t]*\#+[ \t]*/)
+	return RSTART ? (RLENGTH + 1) : 0
+}
+function empty_line(line) { return line ~ /^[ \t]*$/ }
+function is_word(s) { return s ~ /^[A-Z_]+$/ }  # "looks like a plausible word"
+
+function first(line, sep_re) {
+	# returns the part of the line until sep is found
+	# (or the whole line if sep is not found)
+	if (!sep_re) sep_re = "[" SUBSEP "]"
+	match(line, sep_re)
+	return RSTART ? substr(line, 1, RSTART - 1) : line
+}
+
+function rest(line, sep_re) {
+	# returns the part of the line after the first occurrence of sep is found.
+	# (or nothing if sep is not found)
+	if (!sep_re) sep_re = "[" SUBSEP "]"
+	if (match(line, sep_re))
+		return substr(line, RSTART + RLENGTH)
+}
+
+function conf_pop(word, value) {
+	# returns the next value for the config `word` and delete it from the list.
+	# if value is set, this function will only return value if it is the first
+	# option in the list, otherwise it returns 0.
+
+	if (!(word in conf)) return 0
+	if (!value) {
+		if (index(conf[word], SUBSEP))  # more than one element?
+			value = substr(conf[word], 1, index(conf[word], SUBSEP) - 1)
+		else
+			value = conf[word]
+	}
+
+	if (index(conf[word], SUBSEP)) {
+		if (index(conf[word], value SUBSEP) != 1) return 0
+		conf[word] = substr(conf[word], length(value) + 2)
+	} else {
+		if (conf[word] != value) return 0
+		delete conf[word]
+	}
+	return value
+}
+
+function print_conf(word, value) {
+	# print a config line with the given parameters
+	printf "%s", word
+	if (value) printf " %s", value
+	printf "\n"
+}
+
+function print_confs(word,    value) {
+	# print config lines for all values stored in conf[word].
+	if (!(word in conf)) return
+	if (conf[word]) {
+		while (value = conf_pop(word))
+			print_conf(word, value)
+	} else {
+		print_conf(word)
+		delete conf[word]
+	}
+}
+
+BEGIN {
+	FS = "\n"
+	EQS = "[ \t]"  # copied from dma/conf.c
+
+	if (ARGV[2]) exit (e=1)
+
+	# Loop over file twice!
+	ARGV[2] = ARGV[1]
+	ARGC++
+
+	# read the "should" state into the `conf` array.
+	while (getline < "/dev/stdin") {
+		word = first($0, EQS)
+		if ((word in conf))
+			conf[word] = conf[word] SUBSEP rest($0, EQS)
+		else
+			conf[word] = rest($0, EQS)
+	}
+}
+
+# first pass, gather information about where which information is stored in the
+# current config file. This information will be used in the second pass.
+NR == FNR {
+	if (comment_line($0)) {
+		# comment line
+		word = first(substr($0, comment_line($0)), " ")
+		if (is_word(word)) last_occ["#" word] = FNR
+	} else {
+		word = first($0, EQS)
+		if (is_word(word)) last_occ[word] = FNR
+	}
+}
+
+# before second pass prepare hashes containing location information to be used
+# in the second pass.
+NR > FNR && FNR == 1 {
+	# First we drop the locations of commented-out options if a non-commented
+	# option is available. If a non-commented option is available, we will
+	# append new config options there to have them all at one place.
+	for (k in last_occ)
+		if (k ~ /^\#/ && (substr(k, 2) in last_occ))
+			delete last_occ[k]
+
+	# Reverse the option => line mapping. The line_map allows for easier lookups
+	# in the second pass.
+	for (k in last_occ) line_map[last_occ[k]] = k
+}
+
+# second pass, generate and output new config
+NR > FNR {
+	if (comment_line($0) || empty_line($0)) {
+		# comment or empty line
+		print
+
+		if ((FNR in line_map)) {
+			if (line_map[FNR] ~ /^\#/) {
+				# This line contains a commented config option. If the conf hash
+				# contains options to be set, we output them here because this
+				# option is not used in the current config.
+				k = substr(line_map[FNR], 2)
+				if ((k in conf)) print_confs(k)
+			}
+
+			if (("INSECURE" in conf) && line_map[FNR] ~ /^\#?SECURE$/) {
+				# INSECURE goes where SECURE comment is.
+				print_confs("INSECURE")
+			}
+		}
+	} else {
+		word = first($0, EQS)
+		value = rest($0, EQS)
+		sub(/[ \t]*\#.*$/, "", value)  # ignore comments in value
+
+		if ((word in conf) && value == first(conf[word])) {
+			# keep config options we want
+			conf_pop(word)
+			print
+		}
+
+		if ((FNR in line_map) && line_map[FNR] == word) {
+			# rest of config options should be here
+			print_confs(word)
+		}
+	}
+}
+
+END {
+	if (e) exit
+
+	# print rest of config options (
+	for (word in conf) print_confs(word)
+}

type/__dma/gencode-remote

@@ -0,0 +1,177 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
+drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
+
+CONF_PATH=/etc/dma  # set in Makefile
+
+# Determine mailname
+if test -f "${__object:?}/parameter/mailname"
+then
+	mailname=$(cat "${__object:?}/parameter/mailname")
+else
+	case $(cat "${__global:?}/explorer/os")
+	in
+		(debian|devuan|ubuntu)
+			# On Debian-like systems use /etc/mailname unless --mailname is used
+			mailname='/etc/mailname'
+			;;
+		(*)
+			mailname=${__target_fqdn:?}
+			;;
+	esac
+fi
+
+
+# Generate "should" values for config
+conf_should=$(
+	if test -s "${__object:?}/parameter/smarthost"
+	then
+		printf 'SMARTHOST %s\n' "$(cat "${__object:?}/parameter/smarthost")"
+	fi
+
+	printf 'MAILNAME %s\n' "${mailname}"
+
+	if test -s "${__object:?}/explorer/auth_conf"
+	then
+		printf "AUTHPATH %s\n" "$(cat "${__object:?}/explorer/auth_conf")"
+	fi
+
+	case $(cat "${__object:?}/parameter/security")
+	in
+		(ssl|tls)
+			default_smtp_port=465
+			echo 'SECURETRANSFER'
+			;;
+		(starttls)
+			default_smtp_port=587
+			echo 'SECURETRANSFER'
+			echo 'STARTTLS'
+			;;
+		(opportunistic)
+			default_smtp_port=25
+			echo 'SECURETRANSFER'
+			echo 'STARTTLS'
+			echo 'OPPORTUNISTIC_TLS'
+			;;
+		(insecure)
+			default_smtp_port=25
+			echo 'INSECURE'
+			;;
+	esac
+
+	if test -s "${__object:?}/parameter/port"
+	then
+		printf 'PORT %u\n' "$(cat "${__object:?}/parameter/port")"
+	elif test "${default_smtp_port}" -ne 25  # DMA uses port 25 by default
+	then
+		printf 'PORT %u\n' "${default_smtp_port}"
+	fi
+
+	if test -f "${__object:?}/parameter/masquerade"
+	then
+		while read -r line
+		do
+			printf 'MASQUERADE %s\n' "${line}"
+		done <"${__object:?}/parameter/masquerade"
+	fi
+
+	if test -f "${__object:?}/parameter/defer"
+	then
+		echo 'DEFER'
+	fi
+
+	if test -f "${__object:?}/parameter/fullbounce"
+	then
+		echo 'FULLBOUNCE'
+	fi
+
+	if test -f "${__object:?}/parameter/nullclient"
+	then
+		test -s "${__object:?}/parameter/smarthost" || {
+			echo '--nullclient requires a --smarthost to be defined' >&2
+			exit 1
+		}
+
+		echo 'NULLCLIENT'
+	fi
+)
+# Sort conf_should to compare against "conf_is"
+conf_should=$(echo "${conf_should}" | sort -s -k 1,1)
+
+config_updated=false
+if ! echo "${conf_should}" | cmp -s "${__object:?}/explorer/conf" -
+then
+	# config needs to be updated
+	dma_conf="${CONF_PATH:?}/dma.conf"
+
+	# The following AWK script will output the new config file to be stored on
+	# disk. To do so it reads the current dma.conf file and the config options
+	# that should be set (from stdin).
+	# Note that the path to the current dma.conf is passed to AWK twice, because
+	# the new file cannot be generated in one pass.
+
+	# The logic tries to place options at a sensible location, that is:
+	# a) if the option is already used in the config file:
+	#    group all similar options (e.g. MASQUERADE) at one place in the order
+	#    they are listed in stdin.
+	# b) if it is a new option and a "default comment" (e.g. "#PORT 25") exists:
+	#    place options grouped directly after the comment (the comment is left
+	#    alone)
+	# c) otherwise:
+	#    options are grouped by word (the first word in the line) and appended
+	#    at the end of the file.
+
+	cat <<-CODE
+	awk $(drop_awk_comments "${__type:?}/files/update_dma_conf.awk") $(quote "${dma_conf}") <<'EOF' >$(quote "${dma_conf}.tmp") \
+	&& cat $(quote "${dma_conf}.tmp") >$(quote "${dma_conf}")
+	${conf_should}
+	EOF
+	rm $(quote "${dma_conf}.tmp")
+	CODE
+
+	config_updated=true
+	echo 'config updated' >>"${__messages_out:?}"
+fi
+
+
+# Send a test email if enabled and necessary (=configuration changed)
+if test -f "${__object:?}/parameter/send-test-mail"
+then
+	if grep -q '^__mail_alias/root:' "${__messages_in:?}" \
+	|| grep -q '^__dma_auth/' "${__messages_in:?}" \
+	|| ${config_updated}
+	then
+		cat <<-CODE
+		sendmail root <<'EOF'
+		Subject: [cdist] Test mail from '${__target_fqdn:?}'
+
+		Hi,
+
+		you can ignore this message.
+		Its sole purpose is to notify you that root mail on ${__target_fqdn:?}
+		will be redirected to you.
+
+		Enjoy!
+		EOF
+		CODE
+	fi
+fi

type/__dma/man.rst

@@ -0,0 +1,112 @@
+cdist-type__dma(7)
+============================
+
+NAME
+----
+cdist-type__dma - Setup the DragonFly Mail Agent as the MTA.
+
+
+DESCRIPTION
+-----------
+This (singleton) type uses DMA, a small Mail Transport Agent (MTA), to accept
+mails from locally installed Mail User Agents (MUA) and either deliver the mails
+to a remote smart host for delivery or communicate with remote SMTP servers
+directly.
+
+
+REQUIRED PARAMETERS
+-------------------
+None.
+
+
+BOOLEAN PARAMETERS
+------------------
+defer
+    If enabled, mail will not be sent immediately, but stored in a queue.
+    To flush the queue and send the mails, ```dma -q`` has to be run
+    periodically (e.g. using a cron job.)
+    This type does not manage such a cron job, but some operating systems ship
+    such a cron job with the package.
+fullbounce
+    Enable if bounce messages should include the complete original message,
+    not just the headers.
+nullclient
+    Enable to bypass aliases and local delivery, and instead forward all mails
+    to the defined ``--smarthost``.
+send-test-mail
+    If set, this type will send a test email to root after setup, to check if
+    the configured settings work.
+
+
+OPTIONAL PARAMETERS
+-------------------
+mailname
+    If present, this will be the hostname used to identify this host and the
+    remote part of the sender addresses.
+    If not defined, it defaults to ``/etc/mailname`` on Debian derivatives and
+    to ``__target_fqdn`` otherwise.
+    See `dma(8)` for more information.
+
+    Note: on Debian derivatives the ``/etc/mailname`` file should be updated
+    instead of using this parameter.
+masquerade
+    Masquerade the envelope-from addresses with this address/hostname.
+    Use this setting if mails are not accepted by destination mail servers
+    because your sender domain is invalid.
+    This option can be used multiple times.
+    For more information see the `dma(8)` man page.
+port
+    The port on which to deliver email.
+    If not provided, a sensible default port will be used based on the
+    ``--security`` argument.
+security
+    Configures whether and how DMA should use secure connections.
+
+    ssl/tls
+        Enable TLS/SSL secured transfer.
+    starttls
+        Use STARTTLS to establish a secure connection.
+    opportunistic (default)
+        Will try to establish a secure connection using STARTTLS, but allow
+        unencrypted transfer if STARTTLS fails.
+        Most useful when dma is used without a smarthost, delivering remote
+        messages directly to the outside mail exchangers.
+    insecure
+        allow plain text SMTP login over an insecure connection.
+        Should really *not* be used anymore!
+smarthost
+    The mail server used to send email.
+    It must be configured to act as a relay for the host being configured by
+    this type so that mail can be sent to users non-local to the smarthost.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Install DMA and use the smarthost mx1.domain.tld to send mail.
+    __dma --smarthost mx1.domain.tld --send-test-mail
+
+    # Install DMA in a default configuration.
+    __dma
+
+
+SEE ALSO
+--------
+- `DragonFly Mail Agent <https://github.com/corecode/dma>`_
+- `DragonFly Handbook MTA <https://www.dragonflybsd.org/handbook/mta/>`_
+
+
+AUTHORS
+-------
+Evilham <contact@evilham.com>
+Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2020 Evilham and Dennis Camera. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__dma/manifest

@@ -0,0 +1,66 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+os=$(cat "${__global:?}/explorer/os")
+
+# Install DMA
+case ${os}
+in
+	(alpine)
+		__package dma --state present
+		export require='__package/dma'
+		;;
+	(debian|devuan|ubuntu)
+		__package dma --state present
+		export require='__package/dma'
+		;;
+	(freebsd)
+		# Stop sendmail if necessary
+		__process 'sendmail' --name 'sendmail.*' --state absent \
+			--stop '/etc/rc.d/sendmail onestop'
+
+		# ... and disable it
+		__key_value 'rcconf-sendmail-enable' --file '/etc/rc.conf' \
+			--key 'sendmail_enable' --delimiter '=' --value '"NONE"' \
+			--exact_delimiter
+
+		# Setup mailwrapper accordingly
+		__file '/etc/mail/mailer.conf' --mode 0644 --source - <<-'EOF'
+			#
+			# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
+			#
+			sendmail	/usr/libexec/dma
+			send-mail	/usr/libexec/dma
+			mailq		/usr/libexec/dma
+			newaliases	/usr/libexec/dma
+			rmail		/usr/libexec/dma
+		EOF
+		;;
+	(*)
+		cat <<EOF >&2
+Your OS (${os}) is not supported yet.
+
+Maybe adding support is as simple as adapting the packages or allowing it,
+we highly encourage you to open a PR with the necessary changes.
+See: https://code.ungleich.ch/ungleich-public/cdist-contrib/
+EOF
+		exit 1
+		;;
+esac

type/__dma/parameter/boolean

@@ -0,0 +1,4 @@
+defer
+fullbounce
+nullclient
+send-test-mail

type/__dma/parameter/default/security

@@ -0,0 +1 @@
+opportunistic

type/__dma/parameter/optional

@@ -0,0 +1,4 @@
+mailname
+port
+security
+smarthost

type/__dma/parameter/optional_multiple

@@ -0,0 +1 @@
+masquerade

type/__dma_auth/explorer/auth_conf

@@ -0,0 +1 @@
+../../__dma/explorer/auth_conf

type/__dma_auth/explorer/state

@@ -0,0 +1,91 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+# This explorer looks for a line matching the server parameter
+# in dma's auth.conf and reports:
+#   present:            a line matching login + host + password exists
+#   absent:             no line matching login + host exists
+#   different_login:    a line exists but with a different login user
+#   different_password: a line exists but with a different password
+#   multiple:           multiple lines matching host exist (should not happen)
+
+auth_conf=$("${__type_explorer:?}/auth_conf")
+test -r "${auth_conf}" || exit 0
+
+awk -F'\n' '
+function getvalue(path) {
+	# Reads the first line of the file located at path and returns it.
+	getline < path
+	close(path)
+	return $0
+}
+
+BEGIN {
+	DP = "[: \t]"  # copied from dma/conf.c
+
+	parameter_dir = ENVIRON["__object"] "/parameter/"
+
+	# Read the parameters of this object
+	host_param = ENVIRON["__object_id"]
+	login_param = getvalue(parameter_dir "login")
+	passwd_param = getvalue(parameter_dir "password")
+
+	state = "absent"
+}
+
+/^#/ || /^$/ {
+	# skip comments and empty lines
+	next
+}
+
+{
+	# parse line
+
+	login = substr($0, 1, index($0, "|") - 1)
+	if (!login) { login = $0 }  # if no "|" found
+
+	host = substr($0, length(login) + 2)
+
+	if (match(host, DP)) {
+		passwd = substr(host, RSTART + 1)
+		host = substr(host, 1, RSTART - 1)
+	} else {
+		passwd = ""
+	}
+}
+
+host == host_param {
+	# a match…
+	if (state == "absent") {
+		if (login != login_param)
+			state = "different_login"
+		else if (passwd != passwd_param)
+			state = "different_password"
+		else
+			state = "present"
+	} else {
+		# report "multiple" to that the type can remove the duplicates.
+		state = "multiple"
+	}
+}
+
+END {
+	print state
+}
+' "${auth_conf}"

type/__dma_auth/files/update_dma_auth.awk

@@ -0,0 +1,93 @@
+#!/usr/bin/awk -f
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+function getvalue(path) {
+	# Reads the first line of the file located at path and returns it.
+	getline < path
+	close(path)
+	return $0
+}
+
+function print_should() {
+	printf "%s|%s:%s\n", login_param, host_param, passwd_param
+}
+
+BEGIN {
+	FS = "\n"
+	DP = "[: \t]"  # copied from dma/conf.c
+
+	parameter_dir = ENVIRON["__object"] "/parameter/"
+
+	mode = (getvalue(parameter_dir "state") != "absent")
+
+	host_param = ENVIRON["__object_id"]
+	login_param = getvalue(parameter_dir "login")
+	passwd_param = getvalue(parameter_dir "password")
+}
+
+# skip comments and empty lines
+/^#/ || /^$/ {
+	print
+	next
+}
+
+{
+	# parse line (like dma/conf.c would)
+
+	login = substr($0, 1, index($0, "|") - 1)
+	if (!login) { login = $0 }  # if no "|" found
+
+	host = substr($0, length(login) + 2)
+
+	if (match(host, DP)) {
+		passwd = substr(host, RSTART + 1)
+		host = substr(host, 1, RSTART - 1)
+	} else {
+		passwd = ""
+	}
+}
+
+host == host_param {
+	if (mode) {
+		# state_should == present
+		if (!written) {
+			# replace first line if host matches (but only if no line has
+			# been written already -> no duplicates)
+			print_should()
+			written = 1
+		}
+		next
+	} else {
+		# state_should == absent
+		next
+	}
+}
+
+# leave other lines alone
+{
+	print
+}
+
+END {
+	if (mode && !written) {
+		# append line if no match to replace was found
+		print_should()
+	}
+}

type/__dma_auth/gencode-remote

@@ -0,0 +1,72 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
+drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
+
+state_is=$(cat "${__object:?}/explorer/state")
+state_should=$(cat "${__object:?}/parameter/state")
+
+server=${__object_id:?}
+login=$(cat "${__object:?}/parameter/login")
+
+
+auth_conf=$(cat "${__object:?}/explorer/auth_conf")
+test -n "${auth_conf}" || {
+	echo 'Cannot determine path of dma auth.conf' >&2
+	exit 1
+}
+
+if test "${state_is}" = "${state_should}"
+then
+	# state is as it should
+	exit 0
+fi
+
+case ${state_should}
+in
+	(present)
+		test -n "${login}" || { echo '--login must be non-empty' >&2; exit 1; }
+
+		if test "${state_is}" = 'absent'
+		then
+			printf 'add authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
+		else
+			printf 'set authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
+		fi
+		;;
+	(absent)
+		printf 'delete authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
+		;;
+	(*)
+		printf 'Invalid --state: %s.\n' "${state_should}" >&2
+		printf 'Acceptable values are: present, absent.\n' >&2
+		exit 1
+		;;
+esac
+
+
+cat <<EOF
+test -f $(quote "${auth_conf}") || touch $(quote "${auth_conf}")
+
+awk $(drop_awk_comments "${__type:?}/files/update_dma_auth.awk") <$(quote "${auth_conf}") >$(quote "${auth_conf}.tmp") \
+&& cat $(quote "${auth_conf}.tmp") >$(quote "${auth_conf}")
+rm -f $(quote "${auth_conf}.tmp")
+EOF

type/__dma_auth/man.rst

@@ -0,0 +1,66 @@
+cdist-type__dma_auth(7)
+=======================
+
+NAME
+----
+cdist-type__dma_auth - Configure SMTP logins for the DragonFly Mail Agent MTA.
+
+
+DESCRIPTION
+-----------
+This cdist type allows you to set up credentials to log in to remote SMTP
+servers.
+
+NB: dma currently (v0.13) does not differentiate between users on a host.
+    It will use whatever user it finds in the ``auth.conf`` first.
+    Thus, this type will use the ``__object_id`` as the host specifier.
+
+
+REQUIRED PARAMETERS
+-------------------
+login
+    The user's LOGIN name on the SMTP server.
+password
+    The user's password (in plain text.)
+
+
+OPTIONAL PARAMETERS
+-------------------
+state
+    Either ``present`` or ``absent``. Defaults to ``present``.
+
+BOOLEAN PARAMETERS
+------------------
+None.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Set the password for smarthost
+    __dma_auth smarthost.example.com --login joe --password hunter2
+
+    # Set credentials for user at an external provider
+    __dma_auth mail.provider.com --login paul@example.com --password letmein
+
+    # Delete credentials for example.com (for all users)
+    __dma_auth example.com --login '' --password '' --state absent
+
+SEE ALSO
+--------
+:strong:`cdist-type__dma`\ (7), :strong:`dma`\ (8)
+
+
+AUTHORS
+-------
+Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2020 Dennis Camera. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__dma_auth/parameter/default/state

@@ -0,0 +1 @@
+present

type/__dma_auth/parameter/optional

@@ -0,0 +1 @@
+state

type/__dma_auth/parameter/required

@@ -0,0 +1,2 @@
+login
+password

type/__jitsi_meet/explorer/configured-memory

@@ -0,0 +1,15 @@
+#!/bin/sh -eu
+
+JICOFO="/usr/share/jicofo/jicofo.sh"
+VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc"
+
+if [ -f "${JICOFO:?}" ]; then
+	jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)"
+fi
+if [ -f "${VIDEOBRIDGE:?}" ]; then
+	vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)"
+fi
+cat <<EOF
+jicofo	${jicofo_memory:-n/a}
+videobridge	${vb_memory:-n/a}
+EOF

type/__jitsi_meet/explorer/jitsi-status

@@ -0,0 +1,6 @@
+#!/bin/sh -eu
+
+if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
+	# TODO: detect curl / depend on it?
+	curl -s localhost:9888/metrics
+fi

type/__jitsi_meet/files/apt_2021.gpg

@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGB4bEkBEADffHELs6RBZEEgme2L6KXyO5XThI5ROFCMZ+4X1mZTKPyihuMX
+u1IQeaLQhUKEw60NZH1HyvH11L33LYcimlyLDG7N6s/MjWtLAI+wkgb6iYY2mArM
+3TqPTzVgZUcJl5Strft2U8QNq9N2qslbF7hm3g35M78r5CJmlVQYO298rz6ybovO
+9TTB/C3KbDMHohEXIdVlAIKAtu+/5dWQtP7NR3RZHpfMoOvf65NiZRsudZ5SZcd1
+8G7n0nv6NF5Ul+cuLsOMh7r2KiPjpHuQwobwEJpc8Nags6xTqQ8riyJsv8KXJNZh
+51OQWYyQhMz/O3mVSbfdfmS4u4HUb3pheUmjq2Lx4vTlSzyCRniRC4VIhViRawTL
+QyIpdw85CN7iJPN+2ZYOU4knZgSv9CDmuKFqxGSd/j4QHtL/K4e3wFE/kwD+4SWL
++xAsCZQPnZu9RNdmTfaSfsPqSwQFErTGWyuGJBzN0EFGRFIMI3m3AJSC6OOFycDV
+4KPJHBQKcTH4oVF3opAJj3X45oa6886TAjwAsPG1R5FapqhWRzWsq8Cn3rr6EKJ/
+8xf9Ep/KIMNJtZoout7f2AEmP/oQTNft+wWEejprd0aJMX4O6NOSG4UNxRbm32gf
+rBEajiLUA0cJW+se40ACZXri36Ea8HnKnYsCaXZba9FMy9Te0OkySJpQYwARAQAB
+tBVKaXRzaSA8ZGV2QGppdHNpLm9yZz6JAk4EEwEIADgWIQT/1loNor6963PUTIu0
+0tIW8f14BgUCYHhsSQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC00tIW
+8f14Bt8eEADPmi1X9ycjevFR82sGo0qTUEgndu9tWiGQzS3E7SG1wIkRqiwSk7X2
+J1Mrxa5kIEkl0KctpYQjhEJWV8TfATOekKhoxtanZef9q9EvpNLBJGifXAHt9b2o
+Dzk7437cytW71jlByrbjUe7tVQtaEJZuOczjZGnHw70Yv6H0DUQuRDlJmocHzzU3
+AgpXJ+XoS1p8gI64OgIzXVOhvyZVyNqbn0PyqeroRbxC0DPwGsTA8MYgf3ujowAI
+ntVtSv0kzbZP0xU/3zpmuD+Lw0Msq4idnE0e+nApfThF28w+MAF4EikXovwr+FEh
+6Czt3KGrUuoCUY1YmLqSpLQaHYvF1oRsnZIVEecXBY/sRxxOvLk4HsJtIV6jJ3qS
+XAGPsxAJJBlsT0nvPC+x46wvOxBYv2WgmVRrnrz7vpp1C8yRYAaab10lUq+PufYr
+S4wQXvbTKAelpOZhR00qJ1Ati7y1TFv3xFhlhEjg/r2TUc2oFEYdlIPpfkiCPeCz
+kcTXB6iwuUn59Qm6ksGCL/ITo3sWZSDbOQIG63hb0FRZkF8mWnmPcGoPmR5kmvr7
+QzHKmfomaORyLofXqrXf3zfhDpe5kSxfLbTsRnHCx46XJWXMFh70T19j4ILnWaGj
+bnA9OWWtEyMCp9GeJPtmWKsBhP8ywt0jbbfHzczBfWRO06n47/BLSLkCDQRgeGxJ
+ARAA1pi0AZ0kcW1aW9sKZNYJ2JXjsefqnqtUUDI0xOSSl5+Lzjtj1lPA1Xr2L9V4
+FyUGG6N8BeQcyfl7ZAFp6EWS/RATaOze/rKxImArHdY0L48rEQNBCg6lDsvvPJYd
+cMFuNFm9e+2vggKU+o0zpDiV0WIjar/I5aVyObQ77EBOJlEPDSjz2essTbZZ5Bpr
+w6pRSQ8CjpOpSrNwoDDhNfHPEcokkccmPlE8xdmXn1oM5Zj/LKOEKBqJUh1Ucykh
+EE9g/Mch6GV6AnuFrtAeWYzx5kfNlBvz1Y7w3TXnboQP8b9IeQwNyZTWaMMstn8z
+nt8RKnrTA2eOGO61ySgtMU3fEJSN0mqH3cjpAzPX9rcdipMLe3ZDGYlixFAXpctc
+dhKvEqxd+bxtvFTQlSsSSQe9DvXQOfb9pp+6SjejhTvsWhWwhPzWIOLX4IBiX13q
+D5ct/IxsLwhk23+r9zpk74xwRplX4FTc3o1m+NpoWXRRAekcKd5AgnlAhY9O7Tv+
+31ORR6X/hCYcs1vnxbHJgWrzv01Gx8mcOj/+7aCctsQ32oQWM6FQY/vcpSxTjJsb
+npiS3ZIUYNXf32UnAuZUyCaqrpLAVAwNGBxmpwQb1SUx7HBA8e2lHbEqKW/qnUQG
+bnRv0g/oSkkimADazkwojNcVdgkrF91zkUtzIya+NOiGO7cAEQEAAYkCNgQYAQgA
+IBYhBP/WWg2ivr3rc9RMi7TS0hbx/XgGBQJgeGxJAhsMAAoJELTS0hbx/XgGEyQQ
+ALAHIiRoFkhypGpFt3+bt3ZLQf6OD+H0ZiOcy43DlBAUz7PbNlW4bDvINkgTaGRa
++cIMwdW5lWO9fsChsEoDVnjl9rcNcTJcN5Fc/L+XnW6k9RzW1nK+mj3NiGfR7OI1
+V6eNM346+EpA2ZnqVTfr14+Vu49TV7vSsfnZg6brl+t1qNzJLHcsnVxxACw95OOK
+joGu56ozuxEWjsGwnvvkH7dR/HLGtk+XP0NWSBOoEpHj7bF+6h81MpcMcj4BYoaZ
+AJfQyfx8rP2JQC/HNrY0bAW0ahN2x+fE9Vd6iPkrPGSGibWRv6Db/KLk1R8/8W4B
+YKti313EXV8g0gc0TdwqbhLWOinCjtLW+anXsqxmVFNG1cS1CvsFi2WDRtjHP3eY
+aEdnXHcnPL4gKPTeXlHf3HGDCeboGOWFeim2bHwOzbzg9Kp+lGYyi/qJW496n+Yp
+wBWDVHgVlS51Y8hS7xB4FY71S4OY4W9S8XX0KUQihqoh3E44eow+Z8OE1g0CosPz
+2cRioAiEeVPNra0IgD2iD7LKuEVd6zJ7RbxzWCWko+sOgCm0lqz87R5IQibEFbRV
+ATvmI/B3DPYHjk7toPT5+jgcgY0QPq9JYSORbgXvoWG0f83TFIfFV6yGgmaG1DMX
+YPNx6EOVTWjMMoXNbskDkw3HdcVdVz41ZnW/1lJZejvW
+=uIZN
+-----END PGP PUBLIC KEY BLOCK-----

type/__jitsi_meet/files/debconf_settings.sh

@@ -0,0 +1,56 @@
+#!/bin/sh -e
+
+# This can be obtained with debconf-get-selections on a host with jitsi
+# (and also analysing the deb-src)
+if false; then
+	# We are currently not using these, just here as documentation
+	DEBCONF_SETTINGS="$(cat <<EOF
+# Jicofo user password:
+jicofo	jicofo/jicofo-authpassword	password	STH
+jitsi-meet-prosody	jicofo/jicofo-authpassword	password	STH
+# The secret used to connect to xmpp server as component
+jitsi-meet-prosody	jitsi-videobridge/jvbsecret	password	STH
+jitsi-videobridge	jitsi-videobridge/jvbsecret	password	STH
+jitsi-videobridge2	jitsi-videobridge/jvbsecret	password	STH
+# Jicofo Component secret:
+jicofo	jicofo/jicofosecret	password	STH
+jitsi-meet-prosody	jicofo/jicofosecret	password	STH
+# Jicofo username:
+jicofo jicofo/jicofo-authuser	string	focus
+jitsi-meet-prosody	jicofo/jicofo-authuser	string	focus
+# The hostname of the current installation:
+jitsi-meet-turnserver	jitsi-meet-turnserver/jvb-hostname	string	${JITSI_HOST}
+# Full local server path to the SSL certificate file:
+jitsi-meet-web-config	jitsi-meet/cert-path-crt	string
+# Full local server path to the SSL key file:
+jitsi-meet-web-config	jitsi-meet/cert-path-key	string
+EOF
+)"
+fi
+
+DEBCONF_SETTINGS="$(cat <<EOF
+# The hostname of the current installation:
+jitsi-meet-web-config	jitsi-meet/jvb-hostname	string	${JITSI_HOST}
+# Hostname:
+jicofo	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
+jitsi-meet-prosody	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
+jitsi-meet-turnserver	jitsi-videobridge/jvb-hostname	string	${TURN_SERVER}
+jitsi-meet-web-config	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
+jitsi-videobridge	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
+jitsi-videobridge2	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
+# The hostname of the current installation:
+jitsi-meet-prosody	jitsi-meet-prosody/jvb-hostname string	${JITSI_HOST}
+# SSL certificate for the Jitsi Meet instance
+# Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
+jitsi-meet-web-config	jitsi-meet/cert-choice	select	Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)
+EOF
+)"
+
+if [ -n "${TURN_SECRET}" ]; then
+	DEBCONF_SETTINGS="$(cat <<EOF
+${DEBCONF_SETTINGS}
+# The turn server secret
+jitsi-meet-prosody	jitsi-meet-prosody/turn-secret	string	${TURN_SECRET}
+EOF
+)"
+fi

type/__jitsi_meet/files/jicofo.conf.sh

@@ -0,0 +1,34 @@
+#!/bin/sh -eu
+
+# Start
+cat <<EOF
+# Managed remotely, changes will be lost
+
+# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
+#available options, syntax, and default values.
+jicofo {
+  xmpp: {
+    client: {
+      client-proxy: focus.${JITSI_HOST:?}
+    }
+    trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
+  }
+  bridge: {
+    brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
+  }
+EOF
+
+# Secured domains if needed
+if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
+cat <<EOF
+
+  authentication: {
+    enabled: true
+    type: XMPP
+    login-url: ${JITSI_HOST:?}
+  }
+EOF
+fi
+
+# End
+echo '}'

type/__jitsi_meet/files/jitsi-version

@@ -0,0 +1 @@
+../../__jitsi_meet_domain/files/jitsi-version

type/__jitsi_meet/files/prosody.cfg.lua.sh

@@ -0,0 +1 @@
+../../__jitsi_meet_domain/files/prosody.cfg.lua.sh

type/__jitsi_meet/files/ufw

@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+# Setup firewall
+__ufw
+# Allow jitsi ports
+require="__ufw" __ufw_rule http --rule 'allow 80/tcp'
+require="__ufw" __ufw_rule https --rule 'allow 443/tcp'
+require="__ufw" __ufw_rule jitsi_prom --rule 'allow 9888/tcp'
+require="__ufw" __ufw_rule avfallback --rule 'allow 4443/tcp'
+require="__ufw" __ufw_rule avdefault --rule 'allow 10000/udp'

type/__jitsi_meet/gencode-remote

@@ -0,0 +1,44 @@
+#!/bin/sh -e
+
+memory="$(cat "${__global}/explorer/memory")"
+G="000000"  # Will totally eff up the zero-count otherwise
+# MAX_MEMORY will affect jicofo and videobridge
+#  As a rule of thumb, the machine's RAM should be more than 2.5 * MAX_MEMORY
+if [ "${memory}" -lt "3${G}" ]; then
+	# If you use this, let us know how it works!
+	MAX_MEMORY="768m"
+elif [ "${memory}" -lt "5${G}" ]; then
+	MAX_MEMORY="1024m"
+elif [ "${memory}" -lt "8${G}" ]; then
+	MAX_MEMORY="2048m"
+else
+	# Jitsi recommends running on 8G RAM and these are the defaults
+	MAX_MEMORY="3072m"
+fi
+
+if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}$"; then
+	# At least one service has different memory settings
+	RESTART_SERVICES="YES"
+	cat <<-EOF
+	sed -i.tmp -E \
+		-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
+		/usr/share/jitsi-videobridge/lib/videobridge.rc
+	sed -i.tmp -E \
+		-e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \
+		/usr/share/jicofo/jicofo.sh
+	EOF
+fi
+
+if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
+	echo "service nginx reload"
+fi
+
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then
+	RESTART_SERVICES="YES"
+fi
+
+if [ -n "${RESTART_SERVICES}" ]; then
+  echo "systemctl restart prosody"
+  echo "systemctl restart jicofo"
+  echo "systemctl restart jitsi-videobridge2"
+fi

type/__jitsi_meet/man.rst

@@ -0,0 +1,111 @@
+cdist-type__jitsi_meet(7)
+=========================
+
+
+NAME
+----
+cdist-type__jitsi_meet - Setup the server-side of Jitsi-Meet.
+
+
+DESCRIPTION
+-----------
+This (singleton) type installs and configures jitsi-meet automatically.
+
+It does so by following loosely the official quick-install instructions and
+eXO's notes for installing and managing Jitsi Meet instances.
+
+This type also sets up nginx in a way that is compatible with
+`__letsencrypt_cert` and assumes that it will only serve Jitsi instances.
+
+You will also need the `__jitsi_meet_domain` type in order to finish setting up
+the web frontend (including TLS certificates) and its settings.
+
+You may want to use the `files/ufw` example manifest for a `__ufw`-based
+firewall compatible with this type that allows all ports needed by Jitsi-Meet.
+Note however that this will not deal with rules for SSH or for TCP port 9888,
+which exposes the prometheus exporter if not disabled.
+Remember to apply your own rules here, particularly regarding SSH.
+
+This type only works on De{bi,vu}an systems.
+
+It is very important for this type to stay up to date with the software, as
+otherwise new deployments or maintenance of existing instances might be
+negatively affected.
+If you can, please contribute updates to `__jitsi_meet` and
+`__jitsi_meet_domain` promptly and regularly.
+Alternatively, you can help finance that work; get in touch with the type
+authors for that (see below).
+
+This type takes care of adapting the maximum memory used by jicofo and
+videobridge in function of the hosts installed memory.
+
+NOTE: This type currently does not deal with setting up coturn.
+      For that, you might want to check `__coturn` in
+      https://code.ungleich.ch/ungleich-public/cdist-contrib
+      In that case, this type should run *after* `__coturn`.
+
+
+OPTIONAL PARAMETERS
+-------------------
+abort-conference-count
+    Only has an effect if the prometheus exporter is enabled and if it is not
+    empty (default).
+    If at least this many conferences are active on the server, the type will
+    bail out before making any changes.
+    This is useful if you want to avoid service disruptions due to e.g. an SLA.
+
+
+turn-secret
+    The shared secret for the TURN server.
+
+turn-server
+    The hostname of the TURN server.
+    This will assume that it is listening with TLS on port 443.
+
+
+BOOLEAN PARAMETERS
+------------------
+disable-prometheus-exporter
+    This type enables a prometheus exporter for jitsi by default, if you would
+    rather not have that, pass this parameter.
+    The explorer is based on:
+    https://github.com/systemli/prometheus-jitsi-meet-exporter
+
+secured-domains
+    If this flag is present, all domains that use this Jitsi instance will
+    require that an authenticated user starts a meeting.
+    For information on how this is achieved, see
+    https://jitsi.github.io/handbook/docs/devops-guide/secure-domain .
+    You will need to create the users with `__jitsi_meet_user(7)`.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup the firewall for Jitsi-Meet
+    . "${__global}/type/__jitsi_meet/files/ufw"
+    export require="__ufw"
+    # Setup firewall SSH rules as necessary
+    __ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
+    # Setup Jitsi on this host
+    __jitsi_meet \
+      --turn-server "turn.exo.cat" \
+      --turn-secret "WeNeedGoodSecurity"
+
+
+SEE ALSO
+--------
+- `__jitsi_meet_domain(7)`
+- `__jitsi_meet_user(7)`
+
+
+AUTHORS
+-------
+Evilham <contact@evilham.com>
+
+
+COPYING
+-------
+Copyright \(C) 2022 Evilham.

type/__jitsi_meet/manifest

@@ -0,0 +1,309 @@
+#!/bin/sh -e
+
+os="$(cat "${__global}/explorer/os")"
+case "${os}" in
+	devuan|debian)
+	;;
+	*)
+		echo "Your OS '${os}' is currently not supported." > /dev/stderr
+		exit 1
+	;;
+esac
+
+current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
+
+ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
+
+if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
+	[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
+	cat <<-EOF
+Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
+There are currently ${current_conferences} active conferences.
+
+Try again at a later time or remove or increase --abort-conference-count
+	EOF
+	exit 1
+fi
+
+JITSI_HOST="${__target_host}"
+if [ -f "${__object}/parameter/jitsi-version" ]; then
+	# This has been deprecated and will be removed 'soon'
+	JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
+else
+	# Note this won't be a parameter anymore, we won't let users stay behind
+	JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
+fi
+TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
+TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
+
+if [ -z "${TURN_SERVER}" ]; then
+	TURN_SERVER="${JITSI_HOST}"
+fi
+
+# The rest is loosely based on Jitsi's documentation
+# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
+
+# Setup repositories
+## First the signing keys
+### Remove old signing key
+__apt_key "jitsi_meet_2016" \
+	--keyid "66A9 CD05 95D6 AFA2 4729  0D3B EF8B 479E 2DC1 389C" \
+	--use-deprecated-apt-key \
+	--state "absent"
+### Add new signing key
+require="__apt_key/jitsi_meet_2016" __apt_key jitsi_meet_2021 \
+	--source "${__type}/files/apt_2021.gpg" \
+	--state "present"
+## Now the repositories (they are a tad weird, so distribution is 'stable/')
+require="__apt_key/jitsi_meet_2021" __apt_source jitsi_meet \
+	--uri 'https://download.jitsi.org' \
+	--distribution 'stable/' \
+	--state present
+## Ensure apt cache is up-to-date
+require="__apt_source/jitsi_meet" __apt_update_index
+
+export require="${require} __apt_source/jitsi_meet __apt_update_index"
+
+# Pre-feed debconf settings, so Jitsi's installation has a good config
+# shellcheck source=type/__jitsi_meet/files/debconf_settings.sh
+. "${__type}/files/debconf_settings.sh"  # This defines DEBCONF_SETTINGS
+__debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
+export require="${require} __debconf_set_selections/jitsi_meet"
+
+# Install and upgrade packages as needed
+#   NOTE: we are doing version pinning again, but it breaks sometimes when
+#         the version is not the latest.
+#         This happens because dependencies might not be properly resolved.
+#         To avoid this, this type must be maintained up to date.
+#         If we don't use this, keeping Jitsi's up to date is very difficult.
+__package_apt jitsi-meet --version "${JITSI_VERSION}"
+
+# Proceed only after installation/upgrade has finished
+export require="__package_apt/jitsi-meet"
+
+# TODO: generalise and move out
+# Prep nginx for acme settings
+
+NGINX_ETC="/etc/nginx"
+
+#
+# Setup the acme-challenge snippet
+#
+__directory "${NGINX_ETC}/snippets" --state present
+require="__directory${NGINX_ETC}/snippets" __file "${NGINX_ETC}/snippets/acme-challenge.conf" \
+  --mode 644 \
+  --source - << EOF
+# This file is managed remotely, all changes will be lost
+
+# This was heavily inspired by debops.org.
+
+# Automatic Certificate Management Environment (ACME) support.
+# https://tools.ietf.org/html/draft-ietf-acme-acme-01
+# https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
+
+
+# Return the ACME challenge present in the server public root.
+# If not found, switch to global web server root.
+location ^~ /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        try_files \$uri @well-known-acme-challenge;
+}
+
+# Return the ACME challenge present in the global server public root.
+# If not present, redirect request to a specified domain.
+location @well-known-acme-challenge {
+        root /usr/share/jitsi-meet;
+        default_type "text/plain";
+        try_files \$uri @redirect-acme-challenge;
+}
+
+# Redirect the ACME challenge to a different host. If a redirect loop is
+# detected, return 404.
+location @redirect-acme-challenge {
+        if (\$arg_redirect) {
+                return 404;
+        }
+        return 307 \$scheme://${ACME_DOMAIN}\$request_uri?redirect=yes;
+}
+
+# Return 404 if ACME challenge well known path is accessed directly.
+location = /.well-known/acme-challenge/ {
+    return 404;
+}
+EOF
+
+__directory "${NGINX_ETC}/sites-available" --state present
+require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-available/default" \
+  --mode 644 \
+  --source - << EOF
+# This file is managed remotely, all changes will be lost
+
+server_names_hash_bucket_size 64;
+
+types {
+# nginx's default mime.types doesn't include a mapping for wasm
+    application/wasm     wasm;
+}
+
+server {
+
+        # Listen on IPv4
+        listen 80;
+        # Note: there is an ipv6only=off flag, but it is Linux-only
+        #       incidentally, that defaults to "on", which is what causes
+        #       not having the double listen to listen on IPv6-only
+        listen [::]:80;
+
+        server_name welcome;
+
+        root /srv/www/sites/welcome/public;
+
+        include snippets/acme-challenge.conf;
+
+        location / {
+                return 301 https://\$host\$request_uri;
+        }
+}
+EOF
+
+# Starting from 2.0.7210, jitsi defines following nginx upstreams
+__directory "${NGINX_ETC}/conf.d" --state present
+require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \
+  --mode 644 \
+  --source - << EOF
+upstream prosody {
+    zone upstreams 64K;
+    server 127.0.0.1:5280;
+    keepalive 2;
+}
+EOF
+require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \
+  --mode 644 \
+  --source - << EOF
+upstream jvb1 {
+    zone upstreams 64K;
+    server 127.0.0.1:9090;
+    keepalive 2;
+}
+EOF
+
+if [ -f "${__object}/parameter/secured-domains" ]; then
+  SECURED_DOMAINS_STATE='present'
+else
+  SECURED_DOMAINS_STATE='absent'
+fi
+
+# This is the main host config
+PROSODY_MAIN_CONFIG="YES"
+# Prosody settings for common components (jvb, focus, ...)
+# shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
+. "${__type}/files/prosody.cfg.lua.sh"  # This defines PROSODY_CONFIG
+__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
+	--group prosody \
+	--mode 0440 \
+	--source - <<EOF
+${PROSODY_CONFIG}
+EOF
+
+# Clean up zauth.cfg.lua file, which we don't use now
+__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
+  --state absent
+
+export SECURED_DOMAINS_STATE
+export JITSI_HOST
+"${__type}/files/jicofo.conf.sh" | \
+	__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
+
+# Enable the private colibri REST API end point for better stats
+__file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' <<EOFJVB
+videobridge {
+    http-servers {
+        public {
+            port = 9090
+        }
+        private {
+            port = 8080
+        }
+    }
+    websockets {
+        enabled = true
+        domain = "${JITSI_HOST}:443"
+        tls = true
+    }
+    apis {
+        rest {
+            enabled = true
+        }
+    }
+}
+EOFJVB
+
+# Enable simple per-domain body customisation
+__file "/usr/share/jitsi-meet/body.html" \
+	--mode 0644 \
+	--source '-' <<EOF
+<!--#include virtual="body-\${host}.html" -->
+EOF
+
+# These two should be changed on new release
+EXPORTER_VERSION="1.2.0"
+EXPORTER_CHECKSUM="sha256:6377ffa7be0c7deb66545616add7245da96f8b7746d6712f41cfa9fe72c935ce"
+EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
+if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
+	EXPORTER_STATE="absent"
+else
+	EXPORTER_STATE="present"
+fi
+__evilham_single_binary_service prometheus-jitsi-meet-exporter \
+	--state "${EXPORTER_STATE}" \
+	--do-not-manage-user \
+	--user "nobody" \
+	--group "nogroup" \
+	--version "${EXPORTER_VERSION}" \
+	--checksum "${EXPORTER_CHECKSUM}" \
+	--url "${EXPORTER_URL}" \
+	--unpack \
+	--service-args "-videobridge-url 'http://localhost:8080/colibri/stats' -web.listen-address ':9888'"
+
+#
+# Setup interpreter assets if requested
+# See: https://gitlab.com/mfmt/jsi/
+#
+jsi_updated_on="2022-04-21"
+__link "/usr/share/jitsi-meet/interpreters.html" \
+	--type symbolic \
+	--source "/opt/jsi/static/index.html.sample"
+__directory /opt/jsi --mode 0755
+export require="__directory/opt/jsi"
+__download /opt/jsi/jsi.tar.gz \
+	--url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \
+	--sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53"
+export require="__download/opt/jsi/jsi.tar.gz"
+__unpack /opt/jsi/jsi.tar.gz \
+	--preserve-archive \
+	--tar-strip 1 \
+	--destination /opt/jsi/static \
+	--onchange "$(cat <<EOF
+# Patch style.css to be served on /i/
+sed -i.tmp -E \
+	-e 's!url[(]/img/welcome-background.png[)]!url(/i/img/welcome-background.png)!' \
+	/opt/jsi/static/style.css
+# Patch jsi.js to be served on /i/
+#   and so it always uses the domain it's served from
+#   and so it uses /i/ROOM for the form
+sed -i.tmp -E \
+	-e 's!substr[(][0-9]+[)]!substr(3)!' \
+	-e 's!config[.]jitsimeet_url!url.host!' \
+	-e 's!(window[.]location[.]href)[[:space:]]*=[[:space:]]*"/"!\1 = "/i/"!' \
+	/opt/jsi/static/jsi.js
+# Patch the sample index.html, so it loads external_api.js from same host
+#   and to easen up on the branding
+#   and to enable browser cache
+sed -i.tmp -E \
+	-e "s!src=[^>]*(/external_api.js).!src='\1'!" \
+	-e "s!<h1>[^<]*</h1>!<h1>Jitsi Meetings with interpreter</h1>!" \
+	-e "s!https://meet.mayfirst.org!/!" \
+	-e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \
+	/opt/jsi/static/index.html.sample
+EOF
+)"

type/__jitsi_meet/parameter/boolean

@@ -0,0 +1,2 @@
+disable-prometheus-exporter
+secured-domains

type/__jitsi_meet/parameter/deprecated/jitsi-version

@@ -0,0 +1,4 @@
+Supporting different versions lead to strange issues in the life-time of a
+Jitsi instance. Chiefly: difficulties upgrading.
+
+If you are specifying this for a valid reason, please get in touch.

type/__jitsi_meet/parameter/optional

@@ -0,0 +1,4 @@
+abort-conference-count
+jitsi-version
+turn-secret
+turn-server

type/__jitsi_meet_domain/boolean

@@ -0,0 +1 @@
+secured-domains

type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh

@@ -0,0 +1,35 @@
+#!/bin/sh -eu
+
+# This is a helper to update the '.sh.orig' files for jitsi's
+# configuration files.
+# Then the changes must be propagated to their corresponding .sh
+# files by the type maintainer or a contributor
+
+# We could automate this, but are using it as an indicator for the
+# latest branch with which we conciliated changes.
+BRANCH="jitsi-meet_7439"
+REPO="https://github.com/jitsi/jitsi-meet"
+
+get_url() {
+	file="${1}"
+	printf "%s/raw/stable/%s/%s" "${REPO}" "${BRANCH}" "${file}"
+
+}
+
+download_file() {
+	file="${1}"
+	destination="${2:-${file}.sh.orig}"
+	url="$(get_url "${file}")"
+	echo "Downloading ${destination}"
+	curl -L "${url}" > "${destination}"
+	echo
+}
+
+download_file config.js
+download_file interface_config.js
+download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
+download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
+
+# Change the version file, maintainers should check that it matches
+# the deb version
+printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version

type/__jitsi_meet_domain/files/interface_config.js.sh

@@ -0,0 +1,281 @@
+#!/bin/sh -e
+
+# default jitsi logo in svg
+BRANDING_WATERMARK_PATH='images/watermark.svg'
+# overrides default jitsi logo with the provided custom png logo
+if [ -n "${BRANDING_WATERMARK}" ]; then
+  BRANDING_WATERMARK_PATH='images/watermark.png'
+fi
+
+# shellcheck disable=SC2034  # This is intended to be included
+JITSI_INTERFACE_CONFIG_JS="$(cat <<EOF
+/* eslint-disable no-unused-vars, no-var, max-len */
+/* eslint sort-keys: ["error", "asc", {"caseSensitive": false}] */
+
+/**
+ * !!!IMPORTANT!!!
+ *
+ * This file is considered deprecated. All options will eventually be moved to
+ * config.js, and no new options should be added here.
+ */
+
+var interfaceConfig = {
+    APP_NAME: '${BRANDING_APP_NAME}',
+    AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
+    AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
+
+    /**
+     * A UX mode where the last screen share participant is automatically
+     * pinned. Valid values are the string "remote-only" so remote participants
+     * get pinned but not local, otherwise any truthy value for all participants,
+     * and any falsy value to disable the feature.
+     *
+     * Note: this mode is experimental and subject to breakage.
+     */
+    AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only',
+    BRAND_WATERMARK_LINK: '',
+
+    CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
+
+    DEFAULT_BACKGROUND: '#040404',
+    DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
+    DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
+
+    DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
+
+    /**
+     * If true, notifications regarding joining/leaving are no longer displayed.
+     */
+    DISABLE_JOIN_LEAVE_NOTIFICATIONS: false,
+
+    /**
+     * If true, presence status: busy, calling, connected etc. is not displayed.
+     */
+    DISABLE_PRESENCE_STATUS: false,
+
+    /**
+     * Whether the ringing sound in the call/ring overlay is disabled. If
+     * {@code undefined}, defaults to {@code false}.
+     *
+     * @type {boolean}
+     */
+    DISABLE_RINGING: false,
+
+    /**
+     * Whether the speech to text transcription subtitles panel is disabled.
+     * If {@code undefined}, defaults to {@code false}.
+     *
+     * @type {boolean}
+     */
+    DISABLE_TRANSCRIPTION_SUBTITLES: false,
+
+    /**
+     * Whether or not the blurred video background for large video should be
+     * displayed on browsers that can support it.
+     */
+    DISABLE_VIDEO_BACKGROUND: false,
+
+    DISPLAY_WELCOME_FOOTER: true,
+    DISPLAY_WELCOME_PAGE_ADDITIONAL_CARD: false,
+    DISPLAY_WELCOME_PAGE_CONTENT: false,
+    DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false,
+
+    ENABLE_DIAL_OUT: true,
+
+    ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
+
+    FILM_STRIP_MAX_HEIGHT: 120,
+
+    GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
+
+    /**
+     * Hide the logo on the deep linking pages.
+     */
+    HIDE_DEEP_LINKING_LOGO: false,
+
+    /**
+     * Hide the invite prompt in the header when alone in the meeting.
+     */
+    HIDE_INVITE_MORE_HEADER: false,
+
+    JITSI_WATERMARK_LINK: 'https://jitsi.org',
+
+    LANG_DETECTION: true, // Allow i18n to detect the system language
+    LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
+    LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
+
+    /**
+     * Maximum coefficient of the ratio of the large video to the visible area
+     * after the large video is scaled to fit the window.
+     *
+     * @type {number}
+     */
+    MAXIMUM_ZOOMING_COEFFICIENT: 1.3,
+
+    /**
+     * Whether the mobile app Jitsi Meet is to be promoted to participants
+     * attempting to join a conference in a mobile Web browser. If
+     * {@code undefined}, defaults to {@code true}.
+     *
+     * @type {boolean}
+     */
+    MOBILE_APP_PROMO: true,
+
+    /**
+     * Specify custom URL for downloading android mobile app.
+     */
+    MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
+
+    /**
+     * Specify custom URL for downloading f droid app.
+     */
+    MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
+
+    /**
+     * Specify URL for downloading ios mobile app.
+     */
+    MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
+
+    NATIVE_APP_NAME: 'Jitsi Meet',
+
+    // Names of browsers which should show a warning stating the current browser
+    // has a suboptimal experience. Browsers which are not listed as optimal or
+    // unsupported are considered suboptimal. Valid values are:
+    // chrome, chromium, edge, electron, firefox, nwjs, opera, safari
+    OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
+
+    POLICY_LOGO: null,
+    PROVIDER_NAME: 'Jitsi',
+
+    /**
+     * If true, will display recent list
+     *
+     * @type {boolean}
+     */
+    RECENT_LIST_ENABLED: true,
+    REMOTE_THUMBNAIL_RATIO: 1, // 1:1
+
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
+
+    /**
+     * Specify which sharing features should be displayed. If the value is not set
+     * all sharing features will be shown. You can set [] to disable all.
+     */
+    // SHARING_FEATURES: ['email', 'url', 'dial-in', 'embed'],
+
+    SHOW_BRAND_WATERMARK: false,
+
+    /**
+     * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
+     * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
+     * being already installed is done before rendering.
+     */
+    SHOW_CHROME_EXTENSION_BANNER: false,
+
+    SHOW_DEEP_LINKING_IMAGE: false,
+    SHOW_JITSI_WATERMARK: true,
+    SHOW_POWERED_BY: false,
+    SHOW_PROMOTIONAL_CLOSE_PAGE: false,
+
+    /*
+     * If indicated some of the error dialogs may point to the support URL for
+     * help.
+     */
+    SUPPORT_URL: 'https://community.jitsi.org/',
+
+    // Browsers, in addition to those which do not fully support WebRTC, that
+    // are not supported and should show the unsupported browser page.
+    UNSUPPORTED_BROWSERS: [],
+
+    /**
+     * Whether to show thumbnails in filmstrip as a column instead of as a row.
+     */
+    VERTICAL_FILMSTRIP: true,
+
+    // Determines how the video would fit the screen. 'both' would fit the whole
+    // screen, 'height' would fit the original video height to the height of the
+    // screen, 'width' would fit the original video width to the width of the
+    // screen respecting ratio, 'nocrop' would make the video as large as
+    // possible and preserve aspect ratio without cropping.
+    VIDEO_LAYOUT_FIT: 'both',
+
+    /**
+     * If true, hides the video quality label indicating the resolution status
+     * of the current large video.
+     *
+     * @type {boolean}
+     */
+    VIDEO_QUALITY_LABEL_DISABLED: false,
+
+    /**
+     * How many columns the tile view can expand to. The respected range is
+     * between 1 and 5.
+     */
+    // TILE_VIEW_MAX_COLUMNS: 5,
+
+    /**
+     * Specify Firebase dynamic link properties for the mobile apps.
+     */
+    // MOBILE_DYNAMIC_LINK: {
+    //    APN: 'org.jitsi.meet',
+    //    APP_CODE: 'w2atb',
+    //    CUSTOM_DOMAIN: undefined,
+    //    IBI: 'com.atlassian.JitsiMeet.ios',
+    //    ISI: '1165103905'
+    // },
+
+    /**
+     * Specify mobile app scheme for opening the app from the mobile browser.
+     */
+    // APP_SCHEME: 'org.jitsi.meet',
+
+    /**
+     * Specify the Android app package name.
+     */
+    // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
+
+    // List of undocumented settings
+    /**
+     INDICATOR_FONT_SIZES
+     PHONE_NUMBER_REGEX
+    */
+
+    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+
+    // Connection indicators (
+    // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
+    // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
+    // CONNECTION_INDICATOR_DISABLED) got moved to config.js.
+
+    // Please use disableModeratorIndicator from config.js
+    // DISABLE_FOCUS_INDICATOR: false,
+
+    // Please use defaultLocalDisplayName from config.js
+    // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
+
+    // Please use defaultRemoteDisplayName from config.js
+    // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
+
+    // Moved to config.js as \`toolbarConfig.initialTimeout\`.
+    // INITIAL_TOOLBAR_TIMEOUT: 20000,
+
+    // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
+    // TOOLBAR_ALWAYS_VISIBLE: false,
+
+    // This config was moved to config.js as \`toolbarButtons\`.
+    // TOOLBAR_BUTTONS: [],
+
+    // Moved to config.js as \`toolbarConfig.timeout\`.
+    // TOOLBAR_TIMEOUT: 4000,
+
+    // Allow all above example options to include a trailing comma and
+    // prevent fear when commenting out the last value.
+    // eslint-disable-next-line sort-keys
+    makeJsonParserHappy: 'even if last key had a trailing comma'
+
+    // No configuration value should follow this line.
+};
+
+/* eslint-enable no-unused-vars, no-var, max-len */
+EOF
+)"

type/__jitsi_meet_domain/files/interface_config.js.sh.orig

@@ -0,0 +1,268 @@
+/* eslint-disable no-unused-vars, no-var, max-len */
+/* eslint sort-keys: ["error", "asc", {"caseSensitive": false}] */
+
+/**
+ * !!!IMPORTANT!!!
+ *
+ * This file is considered deprecated. All options will eventually be moved to
+ * config.js, and no new options should be added here.
+ */
+
+var interfaceConfig = {
+    APP_NAME: 'Jitsi Meet',
+    AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
+    AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
+
+    /**
+     * A UX mode where the last screen share participant is automatically
+     * pinned. Valid values are the string "remote-only" so remote participants
+     * get pinned but not local, otherwise any truthy value for all participants,
+     * and any falsy value to disable the feature.
+     *
+     * Note: this mode is experimental and subject to breakage.
+     */
+    AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only',
+    BRAND_WATERMARK_LINK: '',
+
+    CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
+
+    DEFAULT_BACKGROUND: '#040404',
+    DEFAULT_LOGO_URL: 'images/watermark.svg',
+    DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
+
+    DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
+
+    /**
+     * If true, notifications regarding joining/leaving are no longer displayed.
+     */
+    DISABLE_JOIN_LEAVE_NOTIFICATIONS: false,
+
+    /**
+     * If true, presence status: busy, calling, connected etc. is not displayed.
+     */
+    DISABLE_PRESENCE_STATUS: false,
+
+    /**
+     * Whether the ringing sound in the call/ring overlay is disabled. If
+     * {@code undefined}, defaults to {@code false}.
+     *
+     * @type {boolean}
+     */
+    DISABLE_RINGING: false,
+
+    /**
+     * Whether the speech to text transcription subtitles panel is disabled.
+     * If {@code undefined}, defaults to {@code false}.
+     *
+     * @type {boolean}
+     */
+    DISABLE_TRANSCRIPTION_SUBTITLES: false,
+
+    /**
+     * Whether or not the blurred video background for large video should be
+     * displayed on browsers that can support it.
+     */
+    DISABLE_VIDEO_BACKGROUND: false,
+
+    DISPLAY_WELCOME_FOOTER: true,
+    DISPLAY_WELCOME_PAGE_ADDITIONAL_CARD: false,
+    DISPLAY_WELCOME_PAGE_CONTENT: false,
+    DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false,
+
+    ENABLE_DIAL_OUT: true,
+
+    ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
+
+    FILM_STRIP_MAX_HEIGHT: 120,
+
+    GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
+
+    /**
+     * Hide the logo on the deep linking pages.
+     */
+    HIDE_DEEP_LINKING_LOGO: false,
+
+    /**
+     * Hide the invite prompt in the header when alone in the meeting.
+     */
+    HIDE_INVITE_MORE_HEADER: false,
+
+    JITSI_WATERMARK_LINK: 'https://jitsi.org',
+
+    LANG_DETECTION: true, // Allow i18n to detect the system language
+    LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
+    LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
+
+    /**
+     * Maximum coefficient of the ratio of the large video to the visible area
+     * after the large video is scaled to fit the window.
+     *
+     * @type {number}
+     */
+    MAXIMUM_ZOOMING_COEFFICIENT: 1.3,
+
+    /**
+     * Whether the mobile app Jitsi Meet is to be promoted to participants
+     * attempting to join a conference in a mobile Web browser. If
+     * {@code undefined}, defaults to {@code true}.
+     *
+     * @type {boolean}
+     */
+    MOBILE_APP_PROMO: true,
+
+    /**
+     * Specify custom URL for downloading android mobile app.
+     */
+    MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
+
+    /**
+     * Specify custom URL for downloading f droid app.
+     */
+    MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
+
+    /**
+     * Specify URL for downloading ios mobile app.
+     */
+    MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
+
+    NATIVE_APP_NAME: 'Jitsi Meet',
+
+    // Names of browsers which should show a warning stating the current browser
+    // has a suboptimal experience. Browsers which are not listed as optimal or
+    // unsupported are considered suboptimal. Valid values are:
+    // chrome, chromium, edge, electron, firefox, nwjs, opera, safari
+    OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
+
+    POLICY_LOGO: null,
+    PROVIDER_NAME: 'Jitsi',
+
+    /**
+     * If true, will display recent list
+     *
+     * @type {boolean}
+     */
+    RECENT_LIST_ENABLED: true,
+    REMOTE_THUMBNAIL_RATIO: 1, // 1:1
+
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
+
+    /**
+     * Specify which sharing features should be displayed. If the value is not set
+     * all sharing features will be shown. You can set [] to disable all.
+     */
+    // SHARING_FEATURES: ['email', 'url', 'dial-in', 'embed'],
+
+    SHOW_BRAND_WATERMARK: false,
+
+    /**
+     * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
+     * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
+     * being already installed is done before rendering.
+     */
+    SHOW_CHROME_EXTENSION_BANNER: false,
+
+    SHOW_DEEP_LINKING_IMAGE: false,
+    SHOW_JITSI_WATERMARK: true,
+    SHOW_POWERED_BY: false,
+    SHOW_PROMOTIONAL_CLOSE_PAGE: false,
+
+    /*
+     * If indicated some of the error dialogs may point to the support URL for
+     * help.
+     */
+    SUPPORT_URL: 'https://community.jitsi.org/',
+
+    // Browsers, in addition to those which do not fully support WebRTC, that
+    // are not supported and should show the unsupported browser page.
+    UNSUPPORTED_BROWSERS: [],
+
+    /**
+     * Whether to show thumbnails in filmstrip as a column instead of as a row.
+     */
+    VERTICAL_FILMSTRIP: true,
+
+    // Determines how the video would fit the screen. 'both' would fit the whole
+    // screen, 'height' would fit the original video height to the height of the
+    // screen, 'width' would fit the original video width to the width of the
+    // screen respecting ratio, 'nocrop' would make the video as large as
+    // possible and preserve aspect ratio without cropping.
+    VIDEO_LAYOUT_FIT: 'both',
+
+    /**
+     * If true, hides the video quality label indicating the resolution status
+     * of the current large video.
+     *
+     * @type {boolean}
+     */
+    VIDEO_QUALITY_LABEL_DISABLED: false,
+
+    /**
+     * How many columns the tile view can expand to. The respected range is
+     * between 1 and 5.
+     */
+    // TILE_VIEW_MAX_COLUMNS: 5,
+
+    /**
+     * Specify Firebase dynamic link properties for the mobile apps.
+     */
+    // MOBILE_DYNAMIC_LINK: {
+    //    APN: 'org.jitsi.meet',
+    //    APP_CODE: 'w2atb',
+    //    CUSTOM_DOMAIN: undefined,
+    //    IBI: 'com.atlassian.JitsiMeet.ios',
+    //    ISI: '1165103905'
+    // },
+
+    /**
+     * Specify mobile app scheme for opening the app from the mobile browser.
+     */
+    // APP_SCHEME: 'org.jitsi.meet',
+
+    /**
+     * Specify the Android app package name.
+     */
+    // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
+
+    // List of undocumented settings
+    /**
+     INDICATOR_FONT_SIZES
+     PHONE_NUMBER_REGEX
+    */
+
+    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+
+    // Connection indicators (
+    // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
+    // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
+    // CONNECTION_INDICATOR_DISABLED) got moved to config.js.
+
+    // Please use disableModeratorIndicator from config.js
+    // DISABLE_FOCUS_INDICATOR: false,
+
+    // Please use defaultLocalDisplayName from config.js
+    // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
+
+    // Please use defaultRemoteDisplayName from config.js
+    // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
+
+    // Moved to config.js as `toolbarConfig.initialTimeout`.
+    // INITIAL_TOOLBAR_TIMEOUT: 20000,
+
+    // Moved to config.js as `toolbarConfig.alwaysVisible`.
+    // TOOLBAR_ALWAYS_VISIBLE: false,
+
+    // This config was moved to config.js as `toolbarButtons`.
+    // TOOLBAR_BUTTONS: [],
+
+    // Moved to config.js as `toolbarConfig.timeout`.
+    // TOOLBAR_TIMEOUT: 4000,
+
+    // Allow all above example options to include a trailing comma and
+    // prevent fear when commenting out the last value.
+    // eslint-disable-next-line sort-keys
+    makeJsonParserHappy: 'even if last key had a trailing comma'
+
+    // No configuration value should follow this line.
+};
+
+/* eslint-enable no-unused-vars, no-var, max-len */

type/__jitsi_meet_domain/files/jitsi-version

@@ -0,0 +1 @@
+2.0.7439-1

type/__jitsi_meet_domain/files/nginx.sh

@@ -0,0 +1,204 @@
+#!/bin/sh -e
+
+# shellcheck disable=SC2034  # This is intended to be included
+JITSI_NGINX_CONFIG="$(cat <<EOF
+# Jitsi uses following lines by default, in our cdist types they must be commented
+# out as we already set it with __jitsi_meet in the default server config.
+#server_names_hash_bucket_size 64;
+#
+#types {
+## nginx's default mime.types doesn't include a mapping for wasm
+#    application/wasm     wasm;
+#}
+# These upstreams are managed by __jitsi_meet
+#upstream prosody {
+#    zone upstreams 64K;
+#    server 127.0.0.1:5280;
+#    keepalive 2;
+#}
+#upstream jvb1 {
+#    zone upstreams 64K;
+#    server 127.0.0.1:9090;
+#    keepalive 2;
+#}
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ${DOMAIN};
+
+    include snippets/acme-challenge.conf;
+
+    location / {
+        return 301 https://\$host\$request_uri;
+    }
+}
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name ${DOMAIN};
+
+    include snippets/acme-challenge.conf;
+
+    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    set \$prefix "";
+
+    ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
+
+    root /usr/share/jitsi-meet;
+
+    # ssi on with javascript for multidomain variables in config.js
+    ssi on;
+    ssi_types application/x-javascript application/javascript;
+
+    # Try the custom page for this domain, fallback to default page
+    index index-${DOMAIN}.html index.html index.htm;
+    error_page 404 /static/404.html;
+
+    gzip on;
+    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
+    gzip_vary on;
+    gzip_proxied no-cache no-store private expired auth;
+    gzip_min_length 512;
+
+    # We expect this domain to be properly configured, the file should exist
+    location = /config.js {
+        alias /etc/jitsi/meet/${DOMAIN}-config.js;
+    }
+    # We expect this domain to be properly configured, the file should exist
+    location = /interface_config.js {
+        alias /etc/jitsi/meet/${DOMAIN}-interface_config.js;
+    }
+    # This may or may not exist; it will be set up in config.js if needed
+    location = /branding.json {
+        alias /etc/jitsi/meet/${DOMAIN}-branding.json;
+    }
+    # Try custom image and fallback to default
+    location = /images/watermark.png {
+        try_files /images/watermark-${DOMAIN}.png \$uri;
+    }
+
+    location = /external_api.js {
+        alias /usr/share/jitsi-meet/libs/external_api.min.js;
+    }
+
+    # ensure all static content can always be found first
+    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
+    {
+        add_header 'Access-Control-Allow-Origin' '*';
+        alias /usr/share/jitsi-meet/\$1/\$2;
+
+        # cache all versioned files
+        if (\$arg_v) {
+            expires 1y;
+        }
+    }
+    # Paths for jsi / interpreters
+    location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
+    {
+        add_header 'Access-Control-Allow-Origin' '*';
+        alias /opt/jsi/static/\$1;
+
+        # cache all versioned files
+        if (\$arg_v) {
+            expires 1y;
+        }
+    }
+    location ~ ^/i/
+    {
+        try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;
+    }
+
+    # BOSH
+    location = /http-bind {
+        proxy_pass http://prosody/http-bind?prefix=\$prefix&\$args;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For \$remote_addr;
+	# Prevision for 'multi-domain' jitsi instances
+	# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
+        proxy_set_header Host ${DOMAIN};
+        proxy_set_header Connection "";
+    }
+
+    # xmpp websockets
+    location = /xmpp-websocket {
+        proxy_pass http://prosody/xmpp-websocket?prefix=\$prefix&\$args;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+	# Prevision for 'multi-domain' jitsi instances
+	# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
+        proxy_set_header Host ${DOMAIN};
+        tcp_nodelay on;
+    }
+
+    # colibri (JVB) websockets for jvb1
+    location ~ ^/colibri-ws/default-id/(.*) {
+        proxy_pass http://jvb1/colibri-ws/default-id/\$1\$is_args\$args;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+        tcp_nodelay on;
+    }
+
+    # load test minimal client, uncomment when used
+    #location ~ ^/_load-test/([^/?&:'"]+)\$ {
+    #    rewrite ^/_load-test/(.*)\$ /load-test/index.html break;
+    #}
+    #location ~ ^/_load-test/libs/(.*)\$ {
+    #    add_header 'Access-Control-Allow-Origin' '*';
+    #    alias /usr/share/jitsi-meet/load-test/libs/\$1;
+    #}
+
+    location ~ ^/([^/?&:'"]+)\$ {
+        try_files \$uri @root_path;
+    }
+
+    location @root_path {
+        rewrite ^/(.*)\$ / break;
+    }
+
+    location ~ ^/([^/?&:'"]+)/config.js\$
+    {
+        set \$subdomain "\$1.";
+        set \$subdir "\$1/";
+
+        alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
+    }
+
+    # BOSH for subdomains
+    location ~ ^/([^/?&:'"]+)/http-bind {
+        set \$subdomain "\$1.";
+        set \$subdir "\$1/";
+        set \$prefix "\$1";
+
+        rewrite ^/(.*)\$ /http-bind;
+    }
+
+    # websockets for subdomains
+    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
+        set \$subdomain "\$1.";
+        set \$subdir "\$1/";
+        set \$prefix "\$1";
+
+        rewrite ^/(.*)\$ /xmpp-websocket;
+    }
+
+    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+    location ~ ^/([^/?&:'"]+)/(.*)\$ {
+        set \$subdomain "\$1.";
+        set \$subdir "\$1/";
+        rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
+    }
+}
+EOF
+)"

type/__jitsi_meet_domain/files/nginx.sh.orig

@@ -0,0 +1,165 @@
+server_names_hash_bucket_size 64;
+
+types {
+# nginx's default mime.types doesn't include a mapping for wasm
+    application/wasm     wasm;
+}
+upstream prosody {
+    zone upstreams 64K;
+    server 127.0.0.1:5280;
+    keepalive 2;
+}
+upstream jvb1 {
+    zone upstreams 64K;
+    server 127.0.0.1:9090;
+    keepalive 2;
+}
+server {
+    listen 80;
+    listen [::]:80;
+    server_name jitsi-meet.example.com;
+
+    location ^~ /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        root         /usr/share/jitsi-meet;
+    }
+    location = /.well-known/acme-challenge/ {
+        return 404;
+    }
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name jitsi-meet.example.com;
+
+    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    set $prefix "";
+
+    ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
+    ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
+
+    root /usr/share/jitsi-meet;
+
+    # ssi on with javascript for multidomain variables in config.js
+    ssi on;
+    ssi_types application/x-javascript application/javascript;
+
+    index index.html index.htm;
+    error_page 404 /static/404.html;
+
+    gzip on;
+    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
+    gzip_vary on;
+    gzip_proxied no-cache no-store private expired auth;
+    gzip_min_length 512;
+
+    location = /config.js {
+        alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
+    }
+
+    location = /external_api.js {
+        alias /usr/share/jitsi-meet/libs/external_api.min.js;
+    }
+
+    # ensure all static content can always be found first
+    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
+    {
+        add_header 'Access-Control-Allow-Origin' '*';
+        alias /usr/share/jitsi-meet/$1/$2;
+
+        # cache all versioned files
+        if ($arg_v) {
+            expires 1y;
+        }
+    }
+
+    # BOSH
+    location = /http-bind {
+        proxy_pass http://prosody/http-bind?prefix=$prefix&$args;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $http_host;
+        proxy_set_header Connection "";
+    }
+
+    # xmpp websockets
+    location = /xmpp-websocket {
+        proxy_pass http://prosody/xmpp-websocket?prefix=$prefix&$args;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $http_host;
+        tcp_nodelay on;
+    }
+
+    # colibri (JVB) websockets for jvb1
+    location ~ ^/colibri-ws/default-id/(.*) {
+        proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        tcp_nodelay on;
+    }
+
+    # load test minimal client, uncomment when used
+    #location ~ ^/_load-test/([^/?&:'"]+)$ {
+    #    rewrite ^/_load-test/(.*)$ /load-test/index.html break;
+    #}
+    #location ~ ^/_load-test/libs/(.*)$ {
+    #    add_header 'Access-Control-Allow-Origin' '*';
+    #    alias /usr/share/jitsi-meet/load-test/libs/$1;
+    #}
+
+    location ~ ^/([^/?&:'"]+)$ {
+        try_files $uri @root_path;
+    }
+
+    location @root_path {
+        rewrite ^/(.*)$ / break;
+    }
+
+    location ~ ^/([^/?&:'"]+)/config.js$
+    {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+
+        alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
+    }
+
+    # BOSH for subdomains
+    location ~ ^/([^/?&:'"]+)/http-bind {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+        rewrite ^/(.*)$ /http-bind;
+    }
+
+    # websockets for subdomains
+    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+        rewrite ^/(.*)$ /xmpp-websocket;
+    }
+
+    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+    location ~ ^/([^/?&:'"]+)/(.*)$ {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
+    }
+}

type/__jitsi_meet_domain/files/prosody.cfg.lua.sh

@@ -0,0 +1,228 @@
+#!/bin/sh -eu
+
+# Source:
+# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
+FOCUS_USER="focus"
+JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
+# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
+PROSODY_SECUREDOMAIN_START="--[["
+PROSODY_SECUREDOMAIN_END="--]]"
+if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
+	PROSODY_MAIN_START=""
+	PROSODY_MAIN_END=""
+	PROSODY_DOMAIN_START="--[["
+	PROSODY_DOMAIN_END="--]]"
+else
+	PROSODY_MAIN_START="--[["
+	PROSODY_MAIN_END="--]]"
+	PROSODY_DOMAIN_START=""
+	PROSODY_DOMAIN_END=""
+	if [ -n "${SECURED_DOMAINS}" ]; then
+		PROSODY_SECUREDOMAIN_START=""
+		PROSODY_SECUREDOMAIN_END=""
+	fi
+fi
+# Websockets haven't been fully tested in this type and don't work reliably
+PROSODY_WEBSOCKET="-- "
+
+# shellcheck disable=SC2034  # This is intended to be included
+PROSODY_CONFIG="$(cat <<EOFPROSODY
+-- Managed remotely, changes will be lost
+${PROSODY_MAIN_START}
+-- This will be managed by __jitsi_meet
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
+
+-- domain mapper options, must at least have domain base set to use the mapper
+muc_mapper_domain_base = "${JITSI_HOST:?}";
+
+external_service_secret = "${TURN_SECRET:-TurnSecret}";
+external_services = {
+     { type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
+     { type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
+     { type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
+};
+
+cross_domain_bosh = false;
+consider_bosh_secure = true;
+-- Use websockets
+-- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
+${PROSODY_WEBSOCKET}consider_websocket_secure = true;
+
+-- https_ports = { }; -- Remove this line to prevent listening on port 5284
+
+-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
+--http_cors_override = {
+--    bosh = {
+--        enabled = false;
+--    };
+--    websocket = {
+--        enabled = false;
+--    };
+--}
+
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+ssl = {
+    protocol = "tlsv1_2+";
+    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+}
+
+unlimited_jids = {
+    "${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
+    "jvb@auth.${JITSI_HOST:?}"
+}
+${PROSODY_MAIN_END}
+
+${PROSODY_DOMAIN_START}
+-- This will be managed by __jitsi_meet_domain
+VirtualHost "${JITSI_DOMAIN:?}"
+    -- enabled = false -- Remove this line to enable this host
+    authentication = "anonymous"
+    -- Properties below are modified by jitsi-meet-tokens package config
+    -- and authentication above is switched to "token"
+    --app_id="example_app_id"
+    --app_secret="example_app_secret"
+    -- Assign this host a certificate for TLS, otherwise it would use the one
+    -- set in the global section (if any).
+    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+    -- use the global one.
+    ssl = {
+        key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
+        certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
+    }
+    av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
+    speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
+    conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
+    -- we need bosh
+    modules_enabled = {
+        "bosh";
+        "pubsub";
+        "ping"; -- Enable mod_ping
+        "speakerstats";
+        "external_services";
+        "conference_duration";
+        "muc_lobby_rooms";
+        "muc_breakout_rooms";
+        "av_moderation";
+${PROSODY_WEBSOCKET}        "websocket";
+${PROSODY_WEBSOCKET}        "smacks";
+    }
+    smacks_max_unacked_stanzas = 5;
+    smacks_hibernation_time = 60;
+    smacks_max_hibernated_sessions = 1;
+    smacks_max_old_sessions = 1;
+    c2s_require_encryption = false
+    lobby_muc = "lobby.${JITSI_DOMAIN:?}"
+    breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
+    main_muc = "conference.${JITSI_DOMAIN:?}"
+    -- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
+
+Component "conference.${JITSI_DOMAIN:?}" "muc"
+    restrict_room_creation = true
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        "polls";
+        --"token_verification";
+        "muc_rate_limit";
+    }
+    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+Component "breakout.${JITSI_DOMAIN:?}" "muc"
+    restrict_room_creation = true
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        --"token_verification";
+        "muc_rate_limit";
+        "polls";
+    }
+    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+-- internal muc component
+Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
+    storage = "memory"
+    modules_enabled = {
+        "ping";
+    }
+    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+    -- https://prosody.im/doc/modules/mod_muc
+    muc_room_cache_size = 1000
+${PROSODY_DOMAIN_END}
+${PROSODY_MAIN_START}
+-- This will be managed by __jitsi_meet
+
+VirtualHost "auth.${JITSI_DOMAIN:?}"
+    ssl = {
+       key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
+       certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
+    }
+
+    modules_enabled = {
+        "limits_exception";
+    }
+    authentication = "internal_hashed"
+${PROSODY_MAIN_END}
+${PROSODY_DOMAIN_START}
+-- This will be managed by __jitsi_meet_domain
+
+-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
+Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
+    -- Single focus user for the whole instance
+    target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
+
+Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+
+Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+
+Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+
+Component "lobby.${JITSI_DOMAIN:?}" "muc"
+    storage = "memory"
+    restrict_room_creation = true
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+    modules_enabled = {
+        "muc_rate_limit";
+        "polls";
+    }
+${PROSODY_DOMAIN_END}
+
+--[[
+-- Enables dial-in for Jitsi meet components customers
+-- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
+-- and execute $ sudo luarocks install luajwtjitsi 3.0-0
+VirtualHost "jigasi.meet.jitsi"
+    enabled = false -- Jitsi meet components customers remove this line
+    modules_enabled = {
+      "ping";
+      "bosh";
+    }
+    authentication = "token"
+    app_id = "jitsi";
+    asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
+    asap_accepted_issuers = { "jaas-components" }
+    asap_accepted_audiences = { "jigasi.jitmeet.example.com" }
+--]]
+
+${PROSODY_SECUREDOMAIN_START}
+-- Only used on secured domains
+VirtualHost "${JITSI_DOMAIN}"
+    authentication = "internal_plain"
+
+VirtualHost "guest.${JITSI_DOMAIN}"
+    authentication = "anonymous"
+    c2s_require_encryption = false
+${PROSODY_SECUREDOMAIN_END}
+EOFPROSODY
+)"