.gitattributes

@@ -4,5 +4,5 @@
 docs/speeches export-ignore
 docs/video export-ignore
 docs/src/man7 export-ignore
-bin/cdist-build-helper export-ignore
+bin/build-helper export-ignore
 README-maintainers export-ignore

.gitlab-ci.yml

@@ -1,23 +1,20 @@
----
-image: code.ungleich.ch:5050/ungleich-public/cdist/cdist-ci:latest
-
 stages:
     - test
 
-before_script:
-    - ./bin/cdist-build-helper version
-
-shellcheck:
-    stage: test
-    script:
-        - ./bin/cdist-build-helper shellcheck
-
-pycodestyle:
-    stage: test
-    script:
-        - ./bin/cdist-build-helper pycodestyle
+image: code.ungleich.ch:5050/ungleich-public/cdist/cdist-ci:latest
 
 unit_tests:
     stage: test
     script:
-        - ./bin/cdist-build-helper test
+        - ./bin/build-helper version
+        - ./bin/build-helper test
+
+pycodestyle:
+    stage: test
+    script:
+        - ./bin/build-helper pycodestyle
+
+shellcheck:
+    stage: test
+    script:
+        - ./bin/build-helper shellcheck

Makefile

@@ -35,9 +35,9 @@ DOCS_SRC_DIR=./docs/src
 SPEECHDIR=./docs/speeches
 TYPEDIR=./cdist/conf/type
 
-SPHINXM=$(MAKE) -C $(DOCS_SRC_DIR) man
-SPHINXH=$(MAKE) -C $(DOCS_SRC_DIR) html
-SPHINXC=$(MAKE) -C $(DOCS_SRC_DIR) clean
+SPHINXM=make -C $(DOCS_SRC_DIR) man
+SPHINXH=make -C $(DOCS_SRC_DIR) html
+SPHINXC=make -C $(DOCS_SRC_DIR) clean
 
 ################################################################################
 # Manpages

README-maintainers

@@ -1,4 +1,4 @@
-Maintainers should use ./bin/cdist-build-helper script.
+Maintainers should use ./bin/build-helper script.
 
 Makefile is intended for end users. It can be used for non-maintaining
 targets that can be run from pure source (without git repository).

README.md

@@ -24,8 +24,8 @@ For community-maintained types there is
 
 ## Participating
 
-IRC: ``#cdist`` @ [libera](https://libera.chat)
+IRC: ``#cdist`` @ freenode
 
 Matrix: ``#cdist:ungleich.ch``
 
-Matrix and IRC are bridged.
+Mattermost: https://chat.ungleich.ch/ungleich/channels/cdist

bin/build-helper

@@ -45,7 +45,7 @@ usage() {
         shellcheck-manifests
         shellcheck-local-gencodes
         shellcheck-remote-gencodes
-        shellcheck-bin
+        shellcheck-scripts
         shellcheck-gencodes
         shellcheck-types
         shellcheck
@@ -100,7 +100,7 @@ case "$option" in
                     if (\$0 ~ /^$end/) {
                         exit
                     } else {
-                        print \$0
+                        print \$0 
                     }
                 }
             }" "$basedir/docs/changelog"
@@ -135,7 +135,7 @@ case "$option" in
 
         version=$1; shift
 
-        (
+        ( 
         cat << eof
 Subject: cdist $version has been released
 
@@ -336,7 +336,7 @@ eof
         make docs-clean
         make docs
 
-        #############################################################
+        ############################################################# 
         # Everything green, let's do the release
 
         # Tag the current commit
@@ -405,7 +405,7 @@ eof
     ;;
 
     pycodestyle|pep8)
-        pycodestyle "${basedir}" "${basedir}/bin/cdist"
+        pycodestyle "${basedir}" "${basedir}/scripts/cdist"
     ;;
 
     check-pycodestyle)
@@ -460,34 +460,27 @@ eof
         test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
     ;;
 
-    # NOTE: shellcheck-scripts is kept for compatibility
-    shellcheck-bin|shellcheck-scripts)
+    shellcheck-scripts)
         # shellcheck disable=SC2086
-        ${SHELLCHECKCMD} bin/cdist-dump bin/cdist-new-type > "${SHELLCHECKTMP}"
+        ${SHELLCHECKCMD} scripts/cdist-dump scripts/cdist-new-type > "${SHELLCHECKTMP}"
         test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
     ;;
 
     shellcheck-gencodes)
-        errors=false
-        "$0" shellcheck-local-gencodes || errors=true
-        "$0" shellcheck-remote-gencodes || errors=true
-        ! $errors || exit 1
+        "$0" shellcheck-local-gencodes || exit 1
+        "$0" shellcheck-remote-gencodes || exit 1
     ;;
 
     shellcheck-types)
-        errors=false
-        "$0" shellcheck-type-explorers || errors=true
-        "$0" shellcheck-manifests || errors=true
-        "$0" shellcheck-gencodes || errors=true
-        ! $errors || exit 1
+        "$0" shellcheck-type-explorers || exit 1
+        "$0" shellcheck-manifests || exit 1
+        "$0" shellcheck-gencodes || exit 1
     ;;
 
     shellcheck)
-        errors=false
-        "$0" shellcheck-global-explorers || errors=true
-        "$0" shellcheck-types || errors=true
-        "$0" shellcheck-bin || errors=true
-        ! $errors || exit 1
+        "$0" shellcheck-global-explorers || exit 1
+        "$0" shellcheck-types || exit 1
+        "$0" shellcheck-scripts || exit 1
     ;;
 
     shellcheck-type-files)
@@ -497,14 +490,12 @@ eof
     ;;
 
     shellcheck-with-files)
-        errors=false
-        "$0" shellcheck || errors=true
-        "$0" shellcheck-type-files || errors=true
-        ! $errors || exit 1
+        "$0" shellcheck || exit 1
+        "$0" shellcheck-type-files || exit 1
     ;;
 
     shellcheck-build-helper)
-        ${SHELLCHECKCMD} ./bin/cdist-build-helper
+        ${SHELLCHECKCMD} ./bin/build-helper
     ;;
 
     check-shellcheck)

bin/cdist

@@ -1,8 +1,7 @@
-#!/usr/bin/env python3
+#!/bin/sh
 # -*- coding: utf-8 -*-
 #
-# 2010-2016 Nico Schottelius (nico-cdist at schottelius.org)
-# 2016 Darko Poljak (darko.poljak at gmail.com)
+# 2012 Nico Schottelius (nico-cdist at schottelius.org)
 #
 # This file is part of cdist.
 #
@@ -21,83 +20,14 @@
 #
 #
 
-import logging
-import os
-import sys
+# Wrapper for real script to allow execution from checkout
+dir=${0%/*}
 
-# See if this file's parent is cdist module
-# and if so add it to module search path.
-cdist_dir = os.path.realpath(
-    os.path.join(
-        os.path.dirname(os.path.realpath(__file__)),
-        os.pardir))
-cdist_init_dir = os.path.join(cdist_dir, 'cdist', '__init__.py')
-if os.path.exists(cdist_init_dir):
-    sys.path.insert(0, cdist_dir)
+# Ensure version is present - the bundled/shipped version contains a static version,
+# the git version contains a dynamic version
+"$dir/build-helper" version
 
-import cdist            # noqa 402
-import cdist.argparse   # noqa 402
-import cdist.banner     # noqa 402
-import cdist.config     # noqa 402
-import cdist.install    # noqa 402
-import cdist.shell      # noqa 402
-import cdist.inventory  # noqa 402
+libdir=$(cd "${dir}/../" && pwd -P)
+export PYTHONPATH="${libdir}"
 
-
-def commandline():
-    """Parse command line"""
-
-    # preos subcommand hack
-    if len(sys.argv) > 1 and sys.argv[1] == 'preos':
-        return cdist.preos.PreOS.commandline(sys.argv[1:])
-    parser, cfg = cdist.argparse.parse_and_configure(sys.argv[1:])
-    args = cfg.get_args()
-
-    # Work around python 3.3 bug:
-    # http://bugs.python.org/issue16308
-    # http://bugs.python.org/issue9253
-
-    # FIXME: catching AttributeError also hides
-    # real problems.. try a different way
-
-    # FIXME: we always print main help, not
-    # the help of the actual parser being used!
-    try:
-        getattr(args, "func")
-    except AttributeError:
-        parser['main'].print_help()
-        sys.exit(0)
-
-    args.func(args)
-
-
-if __name__ == "__main__":
-    if sys.version_info[:3] < cdist.MIN_SUPPORTED_PYTHON_VERSION:
-        print(
-            'Python >= {} is required on the source host.'.format(
-                ".".join(map(str, cdist.MIN_SUPPORTED_PYTHON_VERSION))),
-            file=sys.stderr)
-        sys.exit(1)
-
-    exit_code = 0
-
-    try:
-        import re
-        import os
-
-        if re.match("__", os.path.basename(sys.argv[0])):
-            import cdist.emulator
-            emulator = cdist.emulator.Emulator(sys.argv)
-            emulator.run()
-        else:
-            commandline()
-
-    except KeyboardInterrupt:
-        exit_code = 2
-
-    except cdist.Error as e:
-        log = logging.getLogger("cdist")
-        log.error(e)
-        exit_code = 1
-
-    sys.exit(exit_code)
+"$dir/../scripts/cdist" "$@"

cdist/__init__.py

@@ -22,27 +22,12 @@
 
 import os
 import hashlib
-import subprocess
 
 import cdist.log
+import cdist.version
 
 
-VERSION = 'unknown version'
-
-try:
-    import cdist.version
-    VERSION = cdist.version.VERSION
-except ModuleNotFoundError:
-    cdist_dir = os.path.abspath(
-        os.path.join(os.path.dirname(__file__), os.pardir))
-    if os.path.isdir(os.path.join(cdist_dir, '.git')):
-        try:
-            VERSION = subprocess.check_output(
-                ['git', 'describe', '--always'],
-                cwd=cdist_dir,
-                universal_newlines=True)
-        except Exception:
-            pass
+VERSION = cdist.version.VERSION
 
 BANNER = """
              ..          .       .x+=:.        s
@@ -64,7 +49,7 @@ REMOTE_EXEC = "ssh -o User=root"
 REMOTE_CMDS_CLEANUP_PATTERN = "ssh -o User=root -O exit -S {}"
 
 
-MIN_SUPPORTED_PYTHON_VERSION = (3, 5)
+MIN_SUPPORTED_PYTHON_VERSION = '3.5'
 
 
 class Error(Exception):

cdist/argparse.py

@@ -485,31 +485,19 @@ def get_parsers():
     parser['scan'].add_argument(
         '-m', '--mode', help='Which modes should run',
         action='append', default=[],
-        choices=['scan', 'trigger', 'config'])
-    parser['scan'].add_argument(
-        '--list',
-        action='store_true',
-        help='List the known hosts and exit')
+        choices=['scan', 'trigger'])
     parser['scan'].add_argument(
         '--config',
         action='store_true',
         help='Try to configure detected hosts')
     parser['scan'].add_argument(
-        '-I', '--interface',
-        action='append',  default=[], required=True,
+        '-I', '--interfaces',
+        action='append',  default=[],
         help='On which interfaces to scan/trigger')
     parser['scan'].add_argument(
-        '--name-mapper',
-        action='store',  default=None,
-        help='Map addresses to names, required for config mode')
-    parser['scan'].add_argument(
-        '-d', '--config-delay',
-        action='store',  default=3600, type=int,
-        help='How long (seconds) to wait before reconfiguring after last try')
-    parser['scan'].add_argument(
-        '-t', '--trigger-delay',
-        action='store',  default=5, type=int,
-        help='How long (seconds) to wait between ICMPv6 echo requests')
+        '-d', '--delay',
+        action='store',  default=3600,
+        help='How long to wait before reconfiguring after last try')
     parser['scan'].set_defaults(func=cdist.scan.commandline.commandline)
 
     for p in parser:
@@ -545,10 +533,10 @@ def parse_and_configure(argv, singleton=True):
 
     log = logging.getLogger("cdist")
 
-    log.verbose("version %s", cdist.VERSION)
-    log.trace('command line args: %s', cfg.command_line_args)
-    log.trace('configuration: %s', cfg.get_config())
-    log.trace('configured args: %s', args)
+    log.verbose("version %s" % cdist.VERSION)
+    log.trace('command line args: {}'.format(cfg.command_line_args))
+    log.trace('configuration: {}'.format(cfg.get_config()))
+    log.trace('configured args: {}'.format(args))
 
     check_beta(vars(args))
 

cdist/conf/explorer/memory

@@ -1,9 +1,8 @@
-#!/bin/sh -e
+#!/bin/sh
 #
 # 2014 Daniel Heule  (hda at sfs.biz)
 # 2014 Thomas Oettli (otho at sfs.biz)
 # Copyright 2017, Philippe Gregoire <pg@pgregoire.xyz>
-# 2020 Dennis Camera <dennis.camera at ssrq-sds-fds.ch>
 #
 # This file is part of cdist.
 #
@@ -20,73 +19,24 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
-# Returns the amount of memory physically installed in the system, or if that
-# cannot be determined the amount available to the operating system kernel,
-# in kibibytes (kiB).
+#
 
-str2bytes() {
-	awk -F' ' '
-	$2 ==   "B" || !$2 { print $1 }
-	$2 ==  "kB" { printf "%.f\n", ($1 * 1000) }
-	$2 ==  "MB" { printf "%.f\n", ($1 * 1000 * 1000) }
-	$2 ==  "GB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000) }
-	$2 ==  "TB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000 * 1000) }
-	$2 == "kiB" { printf "%.f\n", ($1 * 1024) }
-	$2 == "MiB" { printf "%.f\n", ($1 * 1024 * 1024) }
-	$2 == "GiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024) }
-	$2 == "TiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024 * 1024) }'
-}
+# FIXME: other system types (not linux ...)
 
-bytes2kib() {
-	awk '$0 > 0 { printf "%.f\n", ($0 / 1024) }'
-}
+os=$("$__explorer/os")
+case "$os" in
+    "macosx")
+        echo "$(sysctl -n hw.memsize)/1024" | bc
+    ;;
 
+    *"bsd")
+        PATH=$(getconf PATH)
+        echo "$(sysctl -n hw.physmem) / 1048576" | bc
+    ;;
 
-case $(uname -s)
-in
-	(Darwin)
-		sysctl -n hw.memsize | bytes2kib
-		;;
-	(FreeBSD)
-		sysctl -n hw.realmem | bytes2kib
-		;;
-	(NetBSD|OpenBSD)
-		# NOTE: This reports "usable" memory, not physically installed memory.
-		command -p sysctl -n hw.physmem | bytes2kib
-		;;
-	(SunOS)
-		# Make sure that awk from xpg4 is used for the scripts to work
-		export PATH="/usr/xpg4/bin:${PATH}"
-		prtconf \
-		| awk -F ': ' '
-		  $1 == "Memory size" { sub(/Megabytes/, "MiB", $2); print $2 }
-		  /^$/ { exit }' \
-		| str2bytes \
-		| bytes2kib
-		;;
-	(Linux)
-		if test -d /sys/devices/system/memory
-		then
-			# Use memory blocks if the architecture (e.g. x86, PPC64, s390)
-			# supports them (they denote physical memory)
-			num_mem_blocks=$(cat /sys/devices/system/memory/memory[0-9]*/state | grep -cxF online)
-			mem_block_size=$(cat /sys/devices/system/memory/block_size_bytes)
-
-			echo $((num_mem_blocks * 0x$mem_block_size)) | bytes2kib && exit
-		fi
-		if test -r /proc/meminfo
-		then
-			# Fall back to meminfo file on other architectures (e.g. ARM, MIPS,
-			# PowerPC)
-			# NOTE: This is "usable" memory, not physically installed memory.
-			awk -F ': +' '$1 == "MemTotal" { sub(/B$/, "iB", $2); print $2 }' /proc/meminfo \
-			| str2bytes \
-			| bytes2kib
-		fi
-		;;
-	(*)
-		printf "Your kernel (%s) is currently not supported by the memory explorer\n" "$(uname -s)" >&2
-		printf "Please contribute an implementation for it if you can.\n" >&2
-		exit 1
-		;;
+    *)
+    if [ -r /proc/meminfo ]; then
+        grep "MemTotal:" /proc/meminfo | awk '{print $2}'
+    fi
+    ;;
 esac

cdist/conf/explorer/os_version

@@ -1,7 +1,6 @@
-#!/bin/sh -e
+#!/bin/sh
 #
 # 2010-2011 Nico Schottelius (nico-cdist at schottelius.org)
-# 2020-2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@@ -18,22 +17,12 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
+#
 # All os variables are lower case
 #
+#
 
-rc_getvar() {
-   awk -F= -v varname="$2" '
-      function unquote(s) {
-         if (s ~ /^".*"$/ || s ~ /^'\''.*'\''$/)
-            return substr(s, 2, length(s) - 2)
-         else
-            return s
-      }
-      $1 == varname { print unquote(substr($0, index($0, "=") + 1)) }' "$1"
-}
-
-case $("${__explorer:?}/os")
-in
+case "$("$__explorer/os")" in
    amazon)
       cat /etc/system-release
    ;;
@@ -54,8 +43,6 @@ in
               # sid versions don't have a number, so we decode by codename:
               case $(expr "$debian_version" : '\([a-z]\{1,\}\)/')
               in
-                  trixie) echo 12.99 ;;
-                  bookworm) echo 11.99 ;;
                   bullseye) echo 10.99 ;;
                   buster) echo 9.99 ;;
                   stretch) echo 8.99 ;;
@@ -63,7 +50,7 @@ in
                   wheezy) echo 6.99 ;;
                   squeeze) echo 5.99 ;;
                   lenny) echo 4.99 ;;
-                  *) echo 99.99 ;;
+                  *) exit 1
               esac
               ;;
           *)
@@ -72,23 +59,7 @@ in
       esac
    ;;
    devuan)
-      devuan_version=$(cat /etc/devuan_version)
-      case ${devuan_version}
-      in
-         (*/ceres)
-            # ceres versions don't have a number, so we decode by codename:
-            case ${devuan_version}
-            in
-               (chimaera/ceres) echo 3.99 ;;
-               (beowulf/ceres) echo 2.99 ;;
-               (ascii/ceres) echo 1.99 ;;
-               (*) exit 1
-            esac
-            ;;
-         (*)
-            echo "${devuan_version}"
-            ;;
-      esac
+      cat /etc/devuan_version
    ;;
    fedora)
       cat /etc/fedora-release
@@ -97,20 +68,7 @@ in
       cat /etc/gentoo-release
    ;;
    macosx)
-      # NOTE: Legacy versions (< 10.3) do not support options
-      sw_vers | awk -F ':[ \t]+' '$1 == "ProductVersion" { print $2 }'
-   ;;
-   freebsd)
-      # Apparently uname -r is not a reliable way to get the patch level.
-      # See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
-      if command -v freebsd-version >/dev/null 2>&1
-      then
-         # get userland version
-         freebsd-version -u
-      else
-         # fallback to kernel release for FreeBSD < 10.0
-         uname -r
-      fi
+      sw_vers -productVersion
    ;;
    *bsd|solaris)
       uname -r
@@ -135,20 +93,7 @@ in
       fi
    ;;
    ubuntu)
-      if command -v lsb_release >/dev/null 2>&1
-      then
-         lsb_release -sr
-      elif test -r /usr/lib/os-release
-      then
-         # fallback to /usr/lib/os-release if lsb_release is not present (like
-         # on minimized Ubuntu installations)
-         rc_getvar /usr/lib/os-release VERSION_ID
-      elif test -r /etc/lsb-release
-      then
-         # extract DISTRIB_RELEASE= variable from /etc/lsb-release on old
-         # versions without /usr/lib/os-release.
-         rc_getvar /etc/lsb-release DISTRIB_RELEASE
-      fi
+      lsb_release -sr
    ;;
    alpine)
        cat /etc/alpine-release

cdist/conf/type/__apt_backports/man.rst

@@ -1,104 +0,0 @@
-cdist-type__debian_backports(7)
-===============================
-
-NAME
-----
-cdist-type__apt_backports - Install backports
-
-
-DESCRIPTION
------------
-This singleton type installs backports for the current OS release.
-It aborts if backports are not supported for the specified OS or
-no version codename could be fetched (like Debian unstable).
-
-The package index will be automatically updated if required.
-
-It supports backports from following OSes:
-
-- Debian
-- Devuan
-- Ubuntu
-
-
-REQUIRED PARAMETERS
--------------------
-None.
-
-
-OPTIONAL PARAMETERS
--------------------
-state
-    Represents the state of the backports repository. ``present`` or
-    ``absent``, defaults to ``present``.
-
-    Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
-
-mirror
-    The mirror to fetch the backports from. Will defaults to the generic
-    mirror of the current OS.
-
-    Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
-
-
-BOOLEAN PARAMETERS
-------------------
-None.
-
-
-MESSAGES
---------
-None.
-
-
-EXAMPLES
---------
-
-.. code-block:: sh
-
-   # setup the backports
-   __apt_backports
-   __apt_backports --state absent
-   __apt_backports --state present --mirror "http://ftp.de.debian.org/debian/"
-
-   # install a backports package
-   # currently for the buster release backports
-   require="__apt_backports" __package_apt wireguard \
-        --target-release buster-backports
-
-
-ABORTS
-------
-Aborts if the detected os is not Debian.
-
-Aborts if no distribuition codename could be detected. This is common for the
-unstable distribution, but there is no backports repository for it already.
-
-
-CAVEATS
--------
-For Ubuntu, it setup all componenents for the backports repository: ``main``,
-``restricted``, ``universe`` and ``multiverse``. The user may not want to
-install proprietary packages, which will only be installed if the user
-explicitly uses the backports target-release. The user may change this behavior
-to install backports packages without the need of explicitly select it.
-
-
-SEE ALSO
---------
-`Official Debian Backports site <https://backports.debian.org/>`_
-
-:strong:`cdist-type__apt_source`\ (7)
-
-
-AUTHORS
--------
-Matthias Stecher <matthiasstecher at gmx.de>
-
-
-COPYING
--------
-Copyright \(C) 2020 Matthias Stecher. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.

cdist/conf/type/__apt_backports/manifest

@@ -1,82 +0,0 @@
-#!/bin/sh -e
-# __apt_backports/manifest
-#
-# 2020 Matthias Stecher (matthiasstecher at gmx.de)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-#
-# Enables/disables backports repository. Utilises __apt_source for it.
-#
-
-
-# Get the distribution codename by /etc/os-release.
-#  is already executed in a subshell by string substitution
-#  lsb_release may not be given in all installations
-codename_os_release() {
-    # shellcheck disable=SC1090
-    # shellcheck disable=SC1091
-    . "$__global/explorer/os_release"
-    printf "%s" "$VERSION_CODENAME"
-}
-
-# detect backport distribution
-os="$(cat "$__global/explorer/os")"
-case "$os" in
-    debian)
-        dist="$( codename_os_release )"
-        components="main"
-        mirror="http://deb.debian.org/debian/"
-        ;;
-    devuan)
-        dist="$( codename_os_release )"
-        components="main"
-        mirror="http://deb.devuan.org/merged"
-        ;;
-    ubuntu)
-        dist="$( codename_os_release )"
-        components="main restricted universe multiverse"
-        mirror="http://archive.ubuntu.com/ubuntu"
-        ;;
-
-    *)
-        printf "Backports for %s are not supported!\n" "$os" >&2
-        exit 1
-        ;;
-esac
-
-# error if no codename given (e.g. on Debian unstable)
-if [ -z "$dist" ]; then
-    printf "No backports for unkown version of distribution %s!\n" "$os" >&2
-    exit 1
-fi
-
-
-# parameters
-state="$(cat "$__object/parameter/state")"
-
-# mirror already set for the os, only override user-values
-if [ -f "$__object/parameter/mirror" ]; then
-    mirror="$(cat "$__object/parameter/mirror")"
-fi
-
-
-# install the given backports repository
-__apt_source "${dist}-backports" \
-    --state "$state" \
-    --distribution "${dist}-backports" \
-    --component "$components" \
-    --uri "$mirror"

cdist/conf/type/__apt_backports/parameter/default/state

@@ -1 +0,0 @@
-present

cdist/conf/type/__apt_backports/parameter/optional

@@ -1,2 +0,0 @@
-state
-mirror

cdist/conf/type/__apt_key/explorer/state

@@ -27,25 +27,18 @@ else
    keyid="$__object_id"
 fi
 
-# From apt-key(8):
-#   Use of apt-key is deprecated, except for the use of apt-key del in
-#   maintainer scripts to remove existing keys from the main keyring.
-#   If such usage of apt-key is desired the additional installation of
-#   the GNU Privacy Guard suite (packaged in gnupg) is required.
-if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
-   if apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK"
-      then echo present
-      else echo absent
-   fi
-   exit
-fi
-
 keydir="$(cat "$__object/parameter/keydir")"
 keyfile="$keydir/$__object_id.gpg"
 
-if [ -f "$keyfile" ]
+if [ -d "$keydir" ]
 then
-   echo present
-   exit
+   if [ -f "$keyfile" ]
+   then echo present
+   else echo absent
+   fi
+else
+   # fallback to deprecated apt-key
+   apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
+      && echo present \
+      || echo absent
 fi
-echo absent

cdist/conf/type/__apt_key/gencode-remote

@@ -25,7 +25,11 @@ else
 fi
 state_should="$(cat "$__object/parameter/state")"
 state_is="$(cat "$__object/explorer/state")"
-method="$(cat "$__object/key_method")"
+
+if [ "$state_should" = "$state_is" ]; then
+   # nothing to do
+   exit 0
+fi
 
 keydir="$(cat "$__object/parameter/keydir")"
 keyfile="$keydir/$__object_id.gpg"
@@ -33,18 +37,30 @@ keyfile="$keydir/$__object_id.gpg"
 case "$state_should" in
    present)
       keyserver="$(cat "$__object/parameter/keyserver")"
-      # Using __download or __file as key source
-      # Propagate messages if needed
-      if [ "${method}" = "uri" ] || [ "${method}" = "source" ]; then
-         if grep -Eq "^__(file|download)$keyfile" "$__messages_in"; then
-            echo "added '$keyid'" >> "$__messages_out"
+
+      if [ -f "$__object/parameter/uri" ]; then
+         uri="$(cat "$__object/parameter/uri")"
+
+         if [ -d "$keydir" ]; then
+            cat << EOF
+
+curl -s -L \\
+    -o "$keyfile" \\
+    "$uri"
+
+key="\$( cat "$keyfile" )"
+
+if echo "\$key" | grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK'
+then
+    echo "\$key" | gpg --dearmor > "$keyfile"
+fi
+
+EOF
+         else
+            # fallback to deprecated apt-key
+            echo "curl -s -L '$uri' | apt-key add -"
          fi
-         exit 0
-      elif [ "${state_is}" = "present" ]; then
-         exit 0
-      fi
-      # Using key servers to fetch the key
-      if [ ! -f "$__object/parameter/use-deprecated-apt-key" ]; then
+      elif [ -d "$keydir" ]; then
          # we need to kill gpg after 30 seconds, because gpg
          # can get stuck if keyserver is not responding.
          # exporting env var and not exit 1,
@@ -84,16 +100,13 @@ EOF
       echo "added '$keyid'" >> "$__messages_out"
    ;;
    absent)
-      # Removal for keys added from a keyserver without this flag
-      # is done in the manifest
-      if [ "$state_is" != "absent" ] && \
-            [ -f "$__object/parameter/use-deprecated-apt-key" ]; then
+      if [ -f "$keyfile" ]; then
+         echo "rm '$keyfile'"
+      else
          # fallback to deprecated apt-key
          echo "apt-key del \"$keyid\""
-         echo "removed '$keyid'" >> "$__messages_out"
-      # Propagate messages if needed
-      elif grep -Eq "^__file$keyfile" "$__messages_in"; then
-         echo "removed '$keyid'" >> "$__messages_out"
       fi
+
+      echo "removed '$keyid'" >> "$__messages_out"
    ;;
 esac

cdist/conf/type/__apt_key/man.rst

@@ -10,14 +10,6 @@ DESCRIPTION
 -----------
 Manages the list of keys used by apt to authenticate packages.
 
-This is done by placing the requested key in a file named
-``$__object_id.gpg`` in the ``keydir`` directory.
-
-This is supported by modern releases of Debian-based distributions.
-
-In order of preference, exactly one of: ``source``, ``uri`` or ``keyid``
-must be specified.
-
 
 REQUIRED PARAMETERS
 -------------------
@@ -26,49 +18,21 @@ None.
 
 OPTIONAL PARAMETERS
 -------------------
-keydir
-   keyring directory, defaults to ``/etc/apt/trusted.pgp.d``, which is
-   enabled system-wide by default.
-
-source
-   path to a file containing the GPG key of the repository.
-   Using this is recommended as it ensures that the manifest/type manintainer
-   has validated the key.
-   If ``-``, the GPG key is read from the type's stdin.
-
 state
    'present' or 'absent'. Defaults to 'present'
 
-uri
-   the URI from which to download the key.
-   It is highly recommended that you only use protocols with TLS like HTTPS.
-   This uses ``__download`` but does not use checksums, if you want to ensure
-   that the key doesn't change, you are better off downloading it and using
-   ``--source``.
-
-
-DEPRECATED OPTIONAL PARAMETERS
-------------------------------
 keyid
-   the id of the key to download from the ``keyserver``.
-   This is to be used in absence of ``--source`` and ``--uri`` or together
-   with ``--use-deprecated-apt-key`` for key removal.
-   Defaults to ``$__object_id``.
+   the id of the key to add. Defaults to __object_id
 
 keyserver
-   the keyserver from which to fetch the key.
-   Defaults to ``pool.sks-keyservers.net``.
+   the keyserver from which to fetch the key. If omitted the default set
+   in ./parameter/default/keyserver is used.
 
+keydir
+   key save location, defaults to ``/etc/apt/trusted.pgp.d``
 
-DEPRECATED BOOLEAN PARAMETERS
------------------------------
-use-deprecated-apt-key
-   ``apt-key(8)`` will last be available in Debian 11 and Ubuntu 22.04.
-   You can use this parameter to force usage of ``apt-key(8)``.
-   Please only use this parameter to *remove* keys from the keyring,
-   in order to prepare for removal of ``apt-key``.
-   Adding keys should be done without this parameter.
-   This parameter will be removed when Debian 11 stops being supported.
+uri
+   the URI from which to download the key
 
 
 EXAMPLES
@@ -76,39 +40,33 @@ EXAMPLES
 
 .. code-block:: sh
 
-    # add a key that has been verified by a type maintainer
-    __apt_key jitsi_meet_2021 \
-       --source cdist-contrib/type/__jitsi_meet/files/apt_2021.gpg
+    # Add Ubuntu Archive Automatic Signing Key
+    __apt_key 437D05B5
+    # Same thing
+    __apt_key 437D05B5 --state present
+    # Get rid of it
+    __apt_key 437D05B5 --state absent
 
-    # remove an old, deprecated or expired key
-    __apt_key jitsi_meet_2016 --state absent
+    # same thing with human readable name and explicit keyid
+    __apt_key UbuntuArchiveKey --keyid 437D05B5
 
-    # Get rid of a key that might have been added to
-    # /etc/apt/trusted.gpg with apt-key
-    __apt_key 0x40976EAF437D05B5 --use-deprecated-apt-key --state absent
+    # same thing with other keyserver
+    __apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
 
-    # add a key that we define in-line
-    __apt_key jitsi_meet_2021 --source '-' <<EOF
-    -----BEGIN PGP PUBLIC KEY BLOCK-----
-    [...]
-    -----END PGP PUBLIC KEY BLOCK-----
-    EOF
-
-    # download or update key from the internet
-    __apt_key rabbitmq_2007 \
-       --uri https://www.rabbitmq.com/rabbitmq-signing-key-public.asc
+    # download key from the internet
+    __apt_key rabbitmq \
+       --uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
 
 
 AUTHORS
 -------
 Steven Armstrong <steven-cdist--@--armstrong.cc>
 Ander Punnar <ander-at-kvlt-dot-ee>
-Evilham <contact~~@~~evilham.com>
 
 
 COPYING
 -------
-Copyright \(C) 2011-2021 Steven Armstrong, Ander Punnar and Evilham. You can
+Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
 redistribute it and/or modify it under the terms of the GNU General Public
 License as published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.

cdist/conf/type/__apt_key/manifest

@@ -2,105 +2,7 @@
 
 __package gnupg
 
-state_should="$(cat "${__object}/parameter/state")"
-
-incompatible_args()
-{
-	cat >> /dev/stderr <<-EOF
-	This type does not support --${1} and --${method} simultaneously.
-	EOF
-	exit 1
-}
-
-if [ -f "${__object}/parameter/source" ]; then
-	method="source"
-	src="$(cat "${__object}/parameter/source")"
-	if [ "${src}" = "-" ]; then
-		src="${__object}/stdin"
-	fi
-fi
-if [ -f "${__object}/parameter/uri" ]; then
-	if [ -n "${method}" ]; then
-		incompatible_args uri
-	fi
-	method="uri"
-	src="$(cat "${__object}/parameter/uri")"
-fi
-if [ -f "${__object}/parameter/keyid" ]; then
-	if [ -n "${method}" ]; then
-		incompatible_args keyid
-	fi
-	method="keyid"
-fi
-# Keep old default
-if [ -z "${method}" ]; then
-	method="keyid"
-fi
-# Save this for later in gencode-remote
-echo "${method}" > "${__object}/key_method"
-
-# Required remotely (most likely already installed)
-__package dirmngr
-# We need this in case a key has to be dearmor'd
-__package gnupg
-export require="__package/gnupg"
-
-if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
-	# This is required if apt-key(8) is to be used
-	if [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
-		incompatible_args use-deprecated-apt-key
-	fi
-else
-	if [ "${state_should}" = "absent" ] && \
-			[ -f "${__object}/parameter/keyid" ]; then
-		cat >> /dev/stderr <<EOF
-You can't reliably remove by keyid without --use-deprecated-apt-key.
-This would very likely do something you do not intend.
-EOF
-		exit 1
-	fi
-fi
-
-keydir="$(cat "${__object}/parameter/keydir")"
-keyfile="${keydir}/${__object_id}.gpg"
-keyfilecdist="${keyfile}.cdist"
-if [ "${state_should}" != "absent" ]; then
-	# Ensure keydir exists
-	__directory "${keydir}" --state exists --mode 0755
-fi
-
-if [ "${state_should}" = "absent" ]; then
-	__file "${keyfile}" --state "absent"
-	__file "${keyfilecdist}" --state "absent"
-elif [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
-	dearmor="$(cat <<-EOF
-	if [ '${state_should}' = 'present' ]; then
-		# Dearmor if necessary
-		if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' '${keyfilecdist}'; then
-			gpg --dearmor < '${keyfilecdist}' > '${keyfile}'
-		else
-			cp '${keyfilecdist}' '${keyfile}'
-		fi
-		# Ensure permissions
-		chown root '${keyfile}'
-		chmod 0444 '${keyfile}'
-	fi
-	EOF
-	)"
-
-	if [ "${method}" = "uri" ]; then
-		__download "${keyfilecdist}" \
-			--url "${src}" \
-			--onchange "${dearmor}"
-		require="__download${keyfilecdist}" \
-			__file "${keyfile}" \
-				--owner root \
-				--mode 0444 \
-				--state pre-exists
-	else
-		__file "${keyfilecdist}" --state "${state_should}" \
-			--mode 0444 \
-			--source "${src}" \
-			--onchange "${dearmor}"
-	fi
+if [ -f "$__object/parameter/uri" ]
+then __package curl
+else __package dirmngr
 fi

cdist/conf/type/__apt_key/parameter/boolean

@@ -1 +0,0 @@
-use-deprecated-apt-key

cdist/conf/type/__apt_key/parameter/deprecated/use-deprecated-apt-key

@@ -1,3 +0,0 @@
-apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
-Use this flag *only* to migrate to placing a keyring directly in the
-/etc/apt/trusted.gpg.d/ directory with a descriptive name.

cdist/conf/type/__apt_key/parameter/optional

@@ -1,6 +1,5 @@
-keydir
+state
 keyid
 keyserver
-source
-state
+keydir
 uri

cdist/conf/type/__apt_key_uri/deprecated

@@ -1 +0,0 @@
-Please migrate to using __apt_key key_id --uri URI.

cdist/conf/type/__apt_pin/man.rst

@@ -1,79 +0,0 @@
-cdist-type__apt_pin(7)
-======================
-
-NAME
-----
-cdist-type__apt_pin - Manage apt pinning rules
-
-
-DESCRIPTION
------------
-Adds/removes/edits rules to pin some packages to a specific distribution. Useful if using multiple debian repositories at the same time. (Useful, if one wants to use a few specific packages from backports or perhaps Debain testing... or even sid.)
-
-
-REQUIRED PARAMETERS
--------------------
-distribution
-   Specifies what distribution the package should be pinned to. Accepts both codenames (buster/bullseye/sid) and suite names (stable/testing/...).
-
-
-OPTIONAL PARAMETERS
--------------------
-package
-   Package name, glob or regular expression to match (multiple) packages. If not specified `__object_id` is used.
-
-priority
-   The priority value to assign to matching packages. Deafults to 500. (To match the default target distro's priority)
-
-state
-   Will be passed to underlying `__file` type; see there for valid values and defaults.
-
-
-
-BOOLEAN PARAMETERS
-------------------
-None.
-
-
-EXAMPLES
---------
-
-.. code-block:: sh
-
-   # Add the bullseye repo to buster, but do not install any packages by default,
-   # only if explicitely asked for (-1 means "never" for apt)
-    __apt_pin bullseye-default \
-       --package "*" \
-       --distribution bullseye \
-       --priority -1
-
-    require="__apt_pin/bullseye-default" __apt_source bullseye \
-       --uri http://deb.debian.org/debian/ \
-       --distribution bullseye \
-       --component main
-
-    __apt_pin foo --package "foo foo-*" --distribution bullseye
-
-    __foo # Assuming, this installs the `foo` package internally
-
-    __package foo-plugin-extras # Assuming we also need some extra stuff
-
-
-SEE ALSO
---------
-:strong:`apt_preferences`\ (5)
-:strong:`cdist-type__apt_source`\ (7)
-:strong:`cdist-type__apt_backports`\ (7)
-:strong:`cdist-type__file`\ (7)
-
-AUTHORS
--------
-Daniel Fancsali <fancsali@gmail.com>
-
-
-COPYING
--------
-Copyright \(C) 2021 Daniel Fancsali. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.

cdist/conf/type/__apt_pin/manifest

@@ -1,68 +0,0 @@
-#!/bin/sh -e
-#
-# 2021 Daniel Fancsali (fancsali@gmail.com)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-
-name="$__object_id"
-
-os=$(cat "$__global/explorer/os")
-state="$(cat "$__object/parameter/state")"
-
-if [ -f "$__object/parameter/package" ]; then
-    package="$(cat "$__object/parameter/package")"
-else
-    package=$name
-fi
-
-distribution="$(cat "$__object/parameter/distribution")"
-priority="$(cat "$__object/parameter/priority")"
-
-
-case "$os" in
-   debian|ubuntu|devuan)
-   ;;
-   *)
-      printf "This type is specific to Debian and it's derivatives" >&2
-      exit 1
-   ;;
-esac
-
-case $distribution in
-    stable|testing|unstable|experimental)
-        pin="release a=$distribution"
-        ;;
-    *)
-        pin="release n=$distribution"
-        ;;
-esac
-
-
-__file "/etc/apt/preferences.d/$name" \
-    --owner root --group root --mode 0644 \
-    --state "$state" \
-    --source - << EOF
-# Created by cdist ${__type##*/}
-# Do not change. Changes will be overwritten.
-#
-
-# $name
-Package: $package
-Pin: $pin
-Pin-Priority: $priority
-EOF

cdist/conf/type/__apt_pin/parameter/default/priority

@@ -1 +0,0 @@
-500

cdist/conf/type/__apt_pin/parameter/default/state

@@ -1 +0,0 @@
-present

cdist/conf/type/__apt_pin/parameter/optional

@@ -1,3 +0,0 @@
-state
-package
-priority

cdist/conf/type/__apt_pin/parameter/required

@@ -1 +0,0 @@
-distribution

cdist/conf/type/__apt_source/gencode-remote

@@ -22,21 +22,7 @@
 name="$__object_id"
 destination="/etc/apt/sources.list.d/${name}.list"
 
-# There are special arguments to apt(8) to prevent aborts if apt woudn't been
-# updated after the 19th April 2021 till the bullseye release. The additional
-# arguments acknoledge the happend suite change (the apt(8) update does the
-# same by itself).
-#
-# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
-# allows backward compatablility to pre-buster Debian versions.
-#
-# See more: ticket #861
-# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
-apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
-
-# run 'apt-get update' only if something changed with our sources.list file
-#   it will be run a second time on error as a redundancy messure to success
 if grep -q "^__file${destination}" "$__messages_in"; then
-   printf 'apt-get %s update || apt-get %s update\n' "$apt_opts" "$apt_opts"
+   printf 'apt-get update || apt-get update\n'
 fi
 

cdist/conf/type/__apt_update_index/gencode-remote

@@ -18,23 +18,9 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-
-# There are special arguments to apt(8) to prevent aborts if apt woudn't been
-# updated after the 19th April 2021 till the bullseye release. The additional
-# arguments acknoledge the happend suite change (the apt(8) update does the
-# same by itself).
-#
-# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
-# allows backward compatablility to pre-buster Debian versions.
-#
-# See more: ticket #861
-# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
-apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
-
 # run 'apt-get update' if anything in /etc/apt is newer then /var/lib/apt/lists
-#   it will be run a second time on error as a redundancy messure to success
 cat << DONE
 if find /etc/apt -mindepth 1 -cnewer /var/lib/apt/lists | grep . > /dev/null; then
-   apt-get $apt_opts update || apt-get $apt_opts update
+   apt-get update || apt-get update
 fi
 DONE

cdist/conf/type/__block/gencode-remote

@@ -46,29 +46,28 @@ fi
 
 remove_block() {
    cat << DONE
-tmpfile=\$(mktemp ${quoted_file}.cdist.XXXXXXXXXX)
+tmpfile=\$(mktemp ${file}.cdist.XXXXXXXXXX)
 # preserve ownership and permissions of existing file
-if [ -f $quoted_file ]; then
-   cp -p $quoted_file "\$tmpfile"
+if [ -f "$file" ]; then
+   cp -p "$file" "\$tmpfile"
 fi
-awk -v prefix=$(quote "$prefix") -v suffix=$(quote "$suffix") '
+awk -v prefix=^$(quote "$prefix")\$ -v suffix=^$(quote "$suffix")\$ '
 {
-   if (\$0 == prefix) {
+   if (match(\$0,prefix)) {
       triggered=1
    }
    if (triggered) {
-      if (\$0 == suffix) {
+      if (match(\$0,suffix)) {
          triggered=0
       }
    } else {
       print
    }
-}' $quoted_file > "\$tmpfile"
-mv -f "\$tmpfile" $quoted_file
+}' "$file" > "\$tmpfile"
+mv -f "\$tmpfile" "$file"
 DONE
 }
 
-quoted_file="$(quote "$file")"
 case "$state_should" in
    present)
       if [ "$state_is" = "changed" ]; then
@@ -78,7 +77,7 @@ case "$state_should" in
          echo add >> "$__messages_out"
       fi
       cat << DONE
-cat >> $quoted_file << '${__type##*/}_DONE'
+cat >> "$file" << ${__type##*/}_DONE
 $(cat "$block")
 ${__type##*/}_DONE
 DONE

cdist/conf/type/__debconf_set_selections/explorer/state

@@ -1,142 +0,0 @@
-#!/bin/sh -e
-#
-# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-# Determine current debconf selections' state.
-# Prints one of:
-#   present: all selections are already set as they should.
-#   different: one or more of the selections have a different value.
-#   absent: one or more of the selections are not (currently) defined.
-#
-
-test -x /usr/bin/perl || {
-	# cannot find perl (no perl ~ no debconf)
-	echo 'absent'
-	exit 0
-}
-
-linesfile="${__object:?}/parameter/line"
-test -s "${linesfile}" || {
-	if test -s "${__object:?}/parameter/file"
-	then
-		echo absent
-	else
-		echo present
-	fi
-	exit 0
-}
-
-# assert __type_explorer is set (because it is used by the Perl script)
-: "${__type_explorer:?}"
-
-/usr/bin/perl -- - "${linesfile}" <<'EOF'
-use strict;
-use warnings "all";
-
-use Fcntl qw(:DEFAULT :flock);
-
-use Debconf::Db;
-use Debconf::Question;
-
-# Extract @known... arrays from debconf-set-selections
-# These values are required to distinguish flags and values in the given lines.
-# DC: I couldn't think of a more ugly solution to the problem…
-my @knownflags;
-my @knowntypes;
-my $debconf_set_selections = '/usr/bin/debconf-set-selections';
-if (-e $debconf_set_selections) {
-	my $sed_known = 's/^my \(@known\(flags\|types\) = qw([a-z ]*);\).*$/\1/p';
-	eval `sed -n '$sed_known' '$debconf_set_selections'`;
-}
-
-sub mungeline ($) {
-	my $line = shift;
-	chomp $line;
-	$line =~ s/\r$//;
-	return $line;
-}
-
-sub fatal { printf STDERR @_; exit 1; }
-
-my $state = 'present';
-
-sub state {
-	my $new = shift;
-	if ($state eq 'present'
-	    or ($state eq 'different' and $new eq 'absent')) {
-		$state = $new;
-	}
-}
-
-
-# Load Debconf DB but manually lock on the state explorer script,
-# because Debconf aborts immediately if executed concurrently.
-# This is not really an ideal solution because the Debconf DB could be locked by
-# another process (e.g. apt-get), but no way to achieve this could be found.
-# If you know how to, please provide a patch.
-my $lockfile = "%ENV{'__type_explorer'}/state";
-if (open my $lock_fh, '+<', $lockfile) {
-   flock $lock_fh, LOCK_EX or die "Cannot lock $lockfile";
-}
-{
-	Debconf::Db->load(readonly => 'true');
-}
-
-
-while (<>) {
-	# Read and process lines (taken from debconf-set-selections)
-	$_ = mungeline($_);
-	while (/\\$/ && ! eof) {
-		s/\\$//;
-		$_ .= mungeline(<>);
-	}
-	next if /^\s*$/ || /^\s*\#/;
-
-	my ($owner, $label, $type, $content) = /^\s*(\S+)\s+(\S+)\s+(\S+)(?:\s(.*))?/
-		or fatal "invalid line: %s\n", $_;
-	$content = '' unless defined $content;
-
-
-	# Compare is and should state
-	my $q = Debconf::Question->get($label);
-
-	unless (defined $q) {
-		# probably a preseed
-		state 'absent';
-		next;
-	}
-
-	if (grep { $_ eq $q->type } @knownflags) {
-		# This line wants to set a flag, presumably.
-		if ($q->flag($q->type) ne $content) {
-			state 'different';
-		}
-	} else {
-		# Otherwise, it's probably a value…
-		if ($q->value ne $content) {
-			state 'different';
-		}
-
-		unless (grep { $_ eq $owner } (split /, /, $q->owners)) {
-			state 'different';
-		}
-	}
-}
-
-printf "%s\n", $state;
-EOF

cdist/conf/type/__debconf_set_selections/gencode-remote

@@ -1,7 +1,6 @@
 #!/bin/sh -e
 #
 # 2011-2014 Nico Schottelius (nico-cdist at schottelius.org)
-# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
 #
 # This file is part of cdist.
 #
@@ -18,37 +17,16 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
+#
+# Setup selections
+#
 
-if test -f "${__object:?}/parameter/line"
-then
-	filename="${__object:?}/parameter/line"
-elif test -s "${__object:?}/parameter/file"
-then
-	filename=$(cat "${__object:?}/parameter/file")
-	if test "${filename}" = '-'
-	then
-		filename="${__object:?}/stdin"
-	fi
-else
-	printf 'Neither --line nor --file set.\n' >&2
-	exit 1
+filename="$(cat "$__object/parameter/file")"
+
+if [ "$filename" = "-" ]; then
+    filename="$__object/stdin"
 fi
 
-# setting no lines makes no sense
-test -s "${filename}" || exit 0
-
-state_is=$(cat "${__object:?}/explorer/state")
-
-if test "${state_is}" != 'present'
-then
-	cat <<-CODE
-	debconf-set-selections <<'EOF'
-	$(cat "${filename}")
-	EOF
-	CODE
-
-	awk '
-		{
-			printf "set %s %s %s %s\n", $1, $2, $3, $4
-		}' "${filename}" >>"${__messages_out:?}"
-fi
+echo "debconf-set-selections << __file-eof"
+cat "$filename"
+echo "__file-eof"

cdist/conf/type/__debconf_set_selections/man.rst

@@ -8,33 +8,15 @@ cdist-type__debconf_set_selections - Setup debconf selections
 
 DESCRIPTION
 -----------
-On Debian and alike systems :strong:`debconf-set-selections`\ (1) can be used
+On Debian and alike systems debconf-set-selections(1) can be used
 to setup configuration parameters.
 
 
 REQUIRED PARAMETERS
 -------------------
-cf. ``--line``.
-
-
-OPTIONAL PARAMETERS
--------------------
 file
-   Use the given filename as input for :strong:`debconf-set-selections`\ (1)
-   If filename is ``-``, read from stdin.
-
-   **This parameter is deprecated, because it doesn't work with state detection.**
-line
-   A line in :strong:`debconf-set-selections`\ (1) compatible format.
-   This parameter can be used multiple times to set multiple options.
-
-   (This parameter is actually required, but marked optional because the
-   deprecated ``--file`` is still accepted.)
-
-
-BOOLEAN PARAMETERS
-------------------
-None.
+   Use the given filename as input for debconf-set-selections(1)
+   If filename is "-", read from stdin.
 
 
 EXAMPLES
@@ -42,29 +24,30 @@ EXAMPLES
 
 .. code-block:: sh
 
-    # Setup gitolite's gituser
-    __debconf_set_selections nslcd --line 'gitolite gitolite/gituser string git'
+    # Setup configuration for nslcd
+    __debconf_set_selections nslcd --file /path/to/file
 
-    # Setup configuration for nslcd from a file.
-    # NB: Multiple lines can be passed to --line, although this can be considered a hack.
-    __debconf_set_selections nslcd --line "$(cat "${__files:?}/preseed/nslcd.debconf")"
+    # Setup configuration for nslcd from another type
+    __debconf_set_selections nslcd --file "$__type/files/preseed/nslcd"
+
+    __debconf_set_selections nslcd --file - << eof
+    gitolite gitolite/gituser string git
+    eof
 
 
 SEE ALSO
 --------
-- :strong:`cdist-type__update_alternatives`\ (7)
-- :strong:`debconf-set-selections`\ (1)
+:strong:`debconf-set-selections`\ (1), :strong:`cdist-type__update_alternatives`\ (7)
 
 
 AUTHORS
 -------
-| Nico Schottelius <nico-cdist--@--schottelius.org>
-| Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
+Nico Schottelius <nico-cdist--@--schottelius.org>
 
 
 COPYING
 -------
-Copyright \(C) 2011-2014 Nico Schottelius, 2021 Dennis Camera.
-You can redistribute it and/or modify it under the terms of the GNU General
-Public License as published by the Free Software Foundation, either version 3 of
-the License, or (at your option) any later version.
+Copyright \(C) 2011-2014 Nico Schottelius. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__debconf_set_selections/manifest

@@ -1,21 +0,0 @@
-#!/bin/sh -e
-#
-# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-__package_apt debconf

cdist/conf/type/__debconf_set_selections/parameter/deprecated/file

@@ -1 +0,0 @@
-'file' has been deprecated in favour of 'line' in order to provide idempotency.

cdist/conf/type/__debconf_set_selections/parameter/optional_multiple

@@ -1 +0,0 @@
-line

cdist/conf/type/__dot_file/man.rst

@@ -25,9 +25,6 @@ user
 OPTIONAL PARAMETERS
 -------------------
 
-dirmode
-    forwarded to :strong:`__directory` type as mode
-
 mode
     forwarded to :strong:`__file` type
 

cdist/conf/type/__dot_file/manifest

@@ -19,7 +19,6 @@ set -eu
 user="$(cat "${__object}/parameter/user")"
 home="$(cat "${__object}/explorer/home")"
 primary_group="$(cat "${__object}/explorer/primary_group")"
-dirmode="$(cat "${__object}/parameter/dirmode")"
 
 # Create parent directory. Type __directory has flag 'parents', but it
 # will leave us with root-owned directory in user home, which is not
@@ -37,7 +36,6 @@ export CDIST_ORDER_DEPENDENCY
 for dir ; do
 	__directory "${home}/${dir}"   \
 	    --group "${primary_group}" \
-            --mode "${dirmode}" \
 	    --owner "${user}"
 done
 

cdist/conf/type/__dot_file/parameter/default/dirmode

@@ -1 +0,0 @@
-0700

cdist/conf/type/__dot_file/parameter/optional

@@ -1,4 +1,3 @@
 state
 mode
 source
-dirmode

cdist/conf/type/__download/explorer/remote_cmd

@@ -0,0 +1,19 @@
+#!/bin/sh -e
+
+if [ -f "$__object/parameter/cmd-get" ]
+then
+    cmd="$( cat "$__object/parameter/cmd-get" )"
+
+elif command -v curl > /dev/null
+then
+    cmd="curl -L -o - '%s'"
+
+elif command -v fetch > /dev/null
+then
+    cmd="fetch -o - '%s'"
+
+else
+    cmd="wget -O - '%s'"
+fi
+
+echo "$cmd"

cdist/conf/type/__download/explorer/remote_cmd_get

@@ -1,16 +0,0 @@
-#!/bin/sh -e
-
-if [ -f "$__object/parameter/cmd-get" ]
-then
-    cat "$__object/parameter/cmd-get"
-elif
-    command -v curl > /dev/null
-then
-    echo "curl -sSL -o - '%s'"
-elif
-    command -v fetch > /dev/null
-then
-    echo "fetch -o - '%s'"
-else
-    echo "wget -O - '%s'"
-fi

cdist/conf/type/__download/explorer/remote_cmd_sum

@@ -1,82 +0,0 @@
-#!/bin/sh -e
-
-if [ ! -f "$__object/parameter/sum" ]
-then
-    exit 0
-fi
-
-if [ -f "$__object/parameter/cmd-sum" ]
-then
-    cat "$__object/parameter/cmd-sum"
-    exit 0
-fi
-
-sum_should="$( cat "$__object/parameter/sum" )"
-
-if echo "$sum_should" | grep -Fq ':'
-then
-    sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
-else
-    if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
-    then
-        sum_hash='cksum'
-    elif
-        echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
-    then
-        sum_hash='md5'
-    elif
-        echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
-    then
-        sum_hash='sha1'
-    elif
-        echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
-    then
-        sum_hash='sha256'
-    else
-        echo 'hash format detection failed' >&2
-        exit 1
-    fi
-fi
-
-os="$( "$__explorer/os" )"
-
-case "$sum_hash" in
-    cksum)
-        echo "cksum %s | awk '{print \$1\" \"\$2}'"
-    ;;
-    md5)
-        case "$os" in
-            freebsd)
-                echo "md5 -q %s"
-            ;;
-            *)
-                echo "md5sum %s | awk '{print \$1}'"
-            ;;
-        esac
-    ;;
-    sha1)
-        case "$os" in
-            freebsd)
-                echo "sha1 -q %s"
-            ;;
-            *)
-                echo "sha1sum %s | awk '{print \$1}'"
-            ;;
-        esac
-    ;;
-    sha256)
-        case "$os" in
-            freebsd)
-                echo "sha256 -q %s"
-            ;;
-            *)
-                echo "sha256sum %s | awk '{print \$1}'"
-            ;;
-        esac
-    ;;
-    *)
-        # we arrive here only if --sum is given with unknown format prefix
-        echo "unknown hash format: $sum_hash" >&2
-        exit 1
-    ;;
-esac

cdist/conf/type/__download/explorer/state

@@ -1,11 +1,6 @@
 #!/bin/sh -e
 
-if [ -f "$__object/parameter/destination" ]
-then
-    dst="$( cat "$__object/parameter/destination" )"
-else
-    dst="/$__object_id"
-fi
+dst="/$__object_id"
 
 if [ ! -f "$dst" ]
 then
@@ -13,27 +8,59 @@ then
     exit 0
 fi
 
-if [ ! -f "$__object/parameter/sum" ]
-then
-    echo 'present'
-    exit 0
-fi
-
 sum_should="$( cat "$__object/parameter/sum" )"
 
-if echo "$sum_should" | grep -Fq ':'
+if [ -f "$__object/parameter/cmd-sum" ]
 then
-    sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
+    # shellcheck disable=SC2059
+    sum_is="$( eval "$( printf \
+        "$( cat "$__object/parameter/cmd-sum" )" \
+        "$dst" )" )"
+else
+    os="$( "$__explorer/os" )"
+
+    if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
+    then
+        sum_is="$( cksum "$dst" | awk '{print $1" "$2}' )"
+
+    elif echo "$sum_should" | grep -Eiq '^md5:[a-f0-9]{32}$'
+    then
+        case "$os" in
+            freebsd)
+                sum_is="md5:$( md5 -q "$dst" )"
+            ;;
+            *)
+                sum_is="md5:$( md5sum "$dst" | awk '{print $1}' )"
+            ;;
+        esac
+
+    elif echo "$sum_should" | grep -Eiq '^sha1:[a-f0-9]{40}$'
+    then
+        case "$os" in
+            freebsd)
+                sum_is="sha1:$( sha1 -q "$dst" )"
+            ;;
+            *)
+                sum_is="sha1:$( sha1sum "$dst" | awk '{print $1}' )"
+            ;;
+        esac
+
+    elif echo "$sum_should" | grep -Eiq '^sha256:[a-f0-9]{64}$'
+    then
+        case "$os" in
+            freebsd)
+                sum_is="sha256:$( sha256 -q "$dst" )"
+            ;;
+            *)
+                sum_is="sha256:$( sha256sum "$dst" | awk '{print $1}' )"
+            ;;
+        esac
+    fi
 fi
 
-sum_cmd="$( "$__type_explorer/remote_cmd_sum" )"
-
-# shellcheck disable=SC2059
-sum_is="$( eval "$( printf "$sum_cmd" "'$dst'" )" )"
-
 if [ -z "$sum_is" ]
 then
-    echo 'existing destination checksum failed' >&2
+    echo 'no checksum from target' >&2
     exit 1
 fi
 

cdist/conf/type/__download/gencode-local

@@ -11,133 +11,34 @@ fi
 
 url="$( cat "$__object/parameter/url" )"
 
-if [ -f "$__object/parameter/destination" ]
-then
-    dst="$( cat "$__object/parameter/destination" )"
-else
-    dst="/$__object_id"
-fi
+tmp="$( mktemp )"
+
+dst="/$__object_id"
 
 if [ -f "$__object/parameter/cmd-get" ]
 then
     cmd="$( cat "$__object/parameter/cmd-get" )"
 
+elif command -v wget > /dev/null
+then
+    cmd="wget -O - '%s'"
+
 elif command -v curl > /dev/null
 then
-    cmd="curl -sSL -o - '%s'"
+    cmd="curl -L -o - '%s'"
 
 elif command -v fetch > /dev/null
 then
     cmd="fetch -o - '%s'"
 
-elif command -v wget > /dev/null
-then
-    cmd="wget -O - '%s'"
-
 else
-    echo 'local download failed, no usable utility' >&2
+    echo 'no usable locally installed utility for downloading' >&2
     exit 1
 fi
 
-echo "download_tmp=\"\$( mktemp )\""
-
-# shellcheck disable=SC2059
-printf "$cmd > \"\$download_tmp\"\n" "$url"
-
-if [ -f "$__object/parameter/sum" ]
-then
-    sum_should="$( cat "$__object/parameter/sum" )"
-
-    if [ -f "$__object/parameter/cmd-sum" ]
-    then
-        local_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
-    else
-        if echo "$sum_should" | grep -Fq ':'
-        then
-            sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
-
-            sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
-        else
-            if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
-            then
-                sum_hash='cksum'
-            elif
-                echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
-            then
-                sum_hash='md5'
-            elif
-                echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
-            then
-                sum_hash='sha1'
-            elif
-                echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
-            then
-                sum_hash='sha256'
-            else
-                echo 'hash format detection failed' >&2
-                exit 1
-            fi
-        fi
-
-        case "$sum_hash" in
-            cksum)
-                local_cmd_sum="cksum %s | awk '{print \$1\" \"\$2}'"
-            ;;
-            md5)
-                if command -v md5 > /dev/null
-                then
-                    local_cmd_sum="md5 -q %s"
-                elif
-                    command -v md5sum > /dev/null
-                then
-                    local_cmd_sum="md5sum %s | awk '{print \$1}'"
-                fi
-            ;;
-            sha1)
-                if command -v sha1 > /dev/null
-                then
-                    local_cmd_sum="sha1 -q %s"
-                elif
-                    command -v sha1sum > /dev/null
-                then
-                    local_cmd_sum="sha1sum %s | awk '{print \$1}'"
-                fi
-            ;;
-            sha256)
-                if command -v sha256 > /dev/null
-                then
-                    local_cmd_sum="sha256 -q %s"
-                elif
-                    command -v sha256sum > /dev/null
-                then
-                    local_cmd_sum="sha256sum %s | awk '{print \$1}'"
-                fi
-            ;;
-            *)
-                # we arrive here only if --sum is given with unknown format prefix
-                echo "unknown hash format: $sum_hash" >&2
-                exit 1
-            ;;
-        esac
-
-        if [ -z "$local_cmd_sum" ]
-        then
-            echo 'local checksum verification failed, no usable utility' >&2
-            exit 1
-        fi
-    fi
-
-    # shellcheck disable=SC2059
-    echo "sum_is=\"\$( $( printf "$local_cmd_sum" "\"\$download_tmp\"" ) )\""
-
-    echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
-
-    echo "echo 'local download checksum mismatch' >&2"
-
-    echo "rm -f \"\$download_tmp\""
-
-    echo 'exit 1; fi'
-fi
+printf "$cmd > %s\n" \
+    "$url" \
+    "$tmp"
 
 if echo "$__target_host" | grep -Eq '^[0-9a-fA-F:]+$'
 then
@@ -146,10 +47,12 @@ else
     target_host="$__target_host"
 fi
 
-# shellcheck disable=SC2016
-printf '%s "$download_tmp" %s:%s\n' \
+printf '%s %s %s:%s\n' \
     "$__remote_copy" \
+    "$tmp" \
     "$target_host" \
     "$dst"
 
-echo "rm -f \"\$download_tmp\""
+echo "rm -f '$tmp'"
+
+echo 'downloaded' > "$__messages_out"

cdist/conf/type/__download/gencode-remote

@@ -6,51 +6,17 @@ state_is="$( cat "$__object/explorer/state" )"
 
 if [ "$download" = 'remote' ] && [ "$state_is" != 'present' ]
 then
-    cmd_get="$( cat "$__object/explorer/remote_cmd_get" )"
+    cmd="$( cat "$__object/explorer/remote_cmd" )"
 
     url="$( cat "$__object/parameter/url" )"
 
-    if [ -f "$__object/parameter/destination" ]
-    then
-        dst="$( cat "$__object/parameter/destination" )"
-    else
-        dst="/$__object_id"
-    fi
+    dst="/$__object_id"
 
-    echo "download_tmp=\"\$( mktemp )\""
+    printf "$cmd > %s\n" \
+        "$url" \
+        "$dst"
 
-    # shellcheck disable=SC2059
-    printf "$cmd_get > \"\$download_tmp\"\n" "$url"
-
-    if [ -f "$__object/parameter/sum" ]
-    then
-        sum_should="$( cat "$__object/parameter/sum" )"
-
-        if [ -f "$__object/parameter/cmd-sum" ]
-        then
-            remote_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
-        else
-            remote_cmd_sum="$( cat "$__object/explorer/remote_cmd_sum" )"
-
-            if echo "$sum_should" | grep -Fq ':'
-            then
-                sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
-            fi
-        fi
-
-        # shellcheck disable=SC2059
-        echo "sum_is=\"\$( $( printf "$remote_cmd_sum" "\"\$download_tmp\"" ) )\""
-
-        echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
-
-        echo "echo 'remote download checksum mismatch' >&2"
-
-        echo "rm -f \"\$download_tmp\""
-
-        echo 'exit 1; fi'
-    fi
-
-    echo "mv \"\$download_tmp\" '$dst'"
+    echo 'downloaded' > "$__messages_out"
 fi
 
 if [ -f "$__object/parameter/onchange" ] && [ "$state_is" != "present" ]

cdist/conf/type/__download/man.rst

@@ -8,7 +8,10 @@ cdist-type__download - Download a file
 
 DESCRIPTION
 -----------
-By default type will try to use ``curl``, ``fetch`` or ``wget``.
+Destination (``$__object_id``) in target host must be persistent storage
+in order to calculate checksum and decide if file must be (re-)downloaded.
+
+By default type will try to use ``wget``, ``curl`` or ``fetch``.
 If download happens in target (see ``--download``) then type will
 fallback to (and install) ``wget``.
 
@@ -16,40 +19,23 @@ If download happens in local machine, then environment variables like
 ``{http,https,ftp}_proxy`` etc can be used on cdist execution
 (``http_proxy=foo cdist config ...``).
 
-To change downloaded file's owner, group or permissions, use ``require='__download/path/to/file' __file ...``.
-
 
 REQUIRED PARAMETERS
 -------------------
 url
    File's URL.
 
+sum
+   Checksum of file going to be downloaded.
+   By default output of ``cksum`` without filename is expected.
+   Other hash formats supported with prefixes: ``md5:``, ``sha1:`` and ``sha256:``.
+
 
 OPTIONAL PARAMETERS
 -------------------
-destination
-   Downloaded file's destination in target. If unset, ``$__object_id`` is used.
-
-sum
-   Supported formats: ``cksum`` output without file name, MD5, SHA1 and SHA256.
-
-   Type tries to detect hash format with regexes, but prefixes
-   ``cksum:``, ``md5:``, ``sha1:`` and ``sha256:`` are also supported.
-
-   Checksum have two purposes - state check and post-download verification.
-   In state check, if destination checksum mismatches, then content of URL
-   will be downloaded to temporary file. If downloaded temporary file's
-   checksum matches, then it will be moved to destination (overwritten).
-
-   For local downloads it is expected that usable utilities for checksum
-   calculation exist in the system.
-
 download
-   If ``local`` (default), then file is downloaded to local storage and copied
-   to target host. If ``remote``, then download happens in target.
-
-   For local downloads it is expected that usable utilities for downloading
-   exist in the system. Type will try to use ``curl``, ``fetch`` or ``wget``.
+   If ``local`` (default), then download file to local storage and copy
+   it to target host. If ``remote``, then download happens in target.
 
 cmd-get
    Command used for downloading.
@@ -79,7 +65,7 @@ EXAMPLES
     require='__directory/opt/cpma' \
         __download /opt/cpma/cnq3.zip \
             --url https://cdn.playmorepromode.com/files/cnq3/cnq3-1.51.zip \
-            --sum 46da3021ca9eace277115ec9106c5b46
+            --sum md5:46da3021ca9eace277115ec9106c5b46
 
     require='__download/opt/cpma/cnq3.zip' \
         __unpack /opt/cpma/cnq3.zip \
@@ -95,7 +81,7 @@ Ander Punnar <ander-at-kvlt-dot-ee>
 
 COPYING
 -------
-Copyright \(C) 2021 Ander Punnar. You can redistribute it
+Copyright \(C) 2020 Ander Punnar. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.

cdist/conf/type/__download/manifest

@@ -1,6 +1,6 @@
 #!/bin/sh -e
 
-if grep -Eq '^wget' "$__object/explorer/remote_cmd_get"
+if grep -Eq '^wget' "$__object/explorer/remote_cmd"
 then
     __package wget
 fi

cdist/conf/type/__download/parameter/optional

@@ -1,6 +1,4 @@
 cmd-get
 cmd-sum
-destination
 download
 onchange
-sum

cdist/conf/type/__download/parameter/required

@@ -1 +1,2 @@
 url
+sum

cdist/conf/type/__filesystem/explorer/lsblk

@@ -27,7 +27,7 @@ else
 fi
 
 case "$os" in
-    alpine|centos|fedora|gentoo|redhat|suse|ubuntu)
+    alpine|centos|fedora|redhat|suse|gentoo)
         if [ ! -x "$(command -v lsblk)" ]; then
             echo "lsblk is required for __filesystem type" >&2
             exit 1

cdist/conf/type/__git/explorer/group

@@ -1,24 +1,5 @@
-#!/bin/sh -e
+#!/bin/sh
 
-destination="/${__object_id:?}/.git"
+destination="/$__object_id/.git"
 
-# shellcheck disable=SC2012
-group_gid=$(ls -ldn "${destination}" | awk '{ print $4 }')
-
-# NOTE: +1 because $((notanum)) prints 0.
-if test $((group_gid + 1)) -ge 0
-then
-	group_should=$(cat "${__object:?}/parameter/group")
-
-	if expr "${group_should}" : '[0-9]*$' >/dev/null
-	then
-		printf '%u\n' "${group_gid}"
-	else
-		if command -v getent > /dev/null
-		then
-			getent group "${group_gid}" | cut -d : -f 1
-		else
-			awk -F: -v gid="${group_gid}" '$3 == gid { print $1 }' /etc/group
-		fi
-	fi
-fi
+stat --print "%G" "${destination}" 2>/dev/null || exit 0

cdist/conf/type/__git/explorer/owner

@@ -1,19 +1,5 @@
-#!/bin/sh -e
+#!/bin/sh
 
-destination="/${__object_id:?}/.git"
+destination="/$__object_id/.git"
 
-# shellcheck disable=SC2012
-owner_uid=$(ls -ldn "${destination}" | awk '{ print $3 }')
-
-# NOTE: +1 because $((notanum)) prints 0.
-if test $((owner_uid + 1)) -ge 0
-then
-	owner_should=$(cat "${__object:?}/parameter/owner")
-
-	if expr "${owner_should}" : '[0-9]*$' >/dev/null
-	then
-		printf '%u\n' "${owner_uid}"
-	else
-		printf '%s\n' "$(id -u -n "${owner_uid}")"
-	fi
-fi
+stat --print "%U" "${destination}" 2>/dev/null || exit 0

cdist/conf/type/__grafana_dashboard/manifest

@@ -15,7 +15,7 @@ case $os in
                 # Differntation not needed anymore
                 apt_source_distribution=stable
                 ;;
-            10*|11*)
+            10*)
                 # Differntation not needed anymore
                 apt_source_distribution=stable
                 ;;

cdist/conf/type/__haproxy_dualstack/files/http

@@ -1,8 +0,0 @@
-frontend http
-	bind	BIND@:80
-	mode	http
-	option	httplog
-	default_backend	http
-
-backend http
-	mode	http

cdist/conf/type/__haproxy_dualstack/files/https

@@ -1,10 +0,0 @@
-frontend https
-	bind	BIND@:443
-	mode	tcp
-	option	tcplog
-	tcp-request	inspect-delay 5s
-	tcp-request	content accept if { req_ssl_hello_type 1 }
-	default_backend	https
-
-backend https
-	mode	tcp

cdist/conf/type/__haproxy_dualstack/files/imaps

@@ -1,12 +0,0 @@
-frontend imaps
-	bind	BIND@:143
-	bind	BIND@:993
-
-	mode	tcp
-	option	tcplog
-	tcp-request	inspect-delay 5s
-	tcp-request	content accept if { req_ssl_hello_type 1 }
-	default_backend	imaps
-
-backend imaps
-	mode	tcp

cdist/conf/type/__haproxy_dualstack/files/smtps

@@ -1,12 +0,0 @@
-frontend smtps
-	bind	BIND@:25
-	bind	BIND@:465
-
-	mode	tcp
-	option	tcplog
-	tcp-request	inspect-delay 5s
-	tcp-request	content accept if { req_ssl_hello_type 1 }
-	default_backend	smtps
-
-backend smtps
-	mode	tcp

cdist/conf/type/__haproxy_dualstack/man.rst

@@ -1,121 +0,0 @@
-cdist-type__haproxy_dualstack(7)
-================================
-
-
-NAME
-----
-cdist-type__haproxy_dualstack - Proxy services from a dual-stack server
-
-
-DESCRIPTION
------------
-This (singleton) type installs and configures haproxy to act as a dual-stack
-proxy for single-stack services.
-
-This can be useful to add IPv4 support to IPv6-only services while only using
-one IPv4 for many such services.
-
-By default this type uses the plain TCP proxy mode, which means that there is no
-need for TLS termination on this host when SNI is supported.
-This also means that proxied services will not receive the client's IP address,
-but will see the proxy's IP address instead (that of `$__target_host`).
-
-This can be solved by using the PROXY protocol, but do take into account that,
-e.g. nginx cannot serve both regular HTTP(S) and PROXY protocols on the same
-port, so you will need to use other ports for that.
-
-As a recommendation in this type: use TCP ports 8080 and 591 respectively to
-serve HTTP and HTTPS using the PROXY protocol.
-
-See the EXAMPLES for more details.
-
-
-OPTIONAL PARAMETERS
--------------------
-v4proxy
-    Proxy incoming IPv4 connections to the equivalent IPv6 endpoint.
-    In its simplest use, it must be a NAME with an `AAAA` DNS entry, which is
-    the IP address actually providing the proxied services.
-    The full format of this argument is:
-    `[proxy:]NAME[[:PROTOCOL_1=PORT_1]...[:PROTOCOL_N=PORT_N]]`
-    Where starting with `proxy:` determines that the PROXY protocol must be
-    used and each `:PROTOCOL=PORT` (e.g. `:http=8080` or `:https=591`) is a PORT
-    override for the given PROTOCOL (see `--protocol`), if not present the
-    PROTOCOL's default port will be used.
-
-
-v6proxy
-    Proxy incoming IPv6 connections to the equivalent IPv4 endpoint.
-    In its simplest use, it must be a NAME with an `A` DNS entry, which is
-    the IP address actually providing the proxied services.
-    See `--v4proxy` for more options and details.
-
-protocol
-    Can be passed multiple times or as a space-separated list of protocols.
-    Currently supported protocols are: `http`, `https`, `imaps`, `smtps`.
-    This defaults to: `http https imaps smtps`.
-
-
-EXAMPLES
---------
-
-.. code-block:: sh
-
-    # Proxy the IPv6-only services so IPv4-only clients can access them
-    # This uses HAProxy's TCP mode for http, https, imaps and smtps
-    __haproxy_dualstack \
-        --v4proxy ipv6.chat \
-        --v4proxy matrix.ungleich.ch
-
-    # Proxy the IPv6-only HTTP(S) services so IPv4-only clients can access them
-    # Note this means that the backend IPv6-only server will only see
-    # the IPv6 address of the haproxy host managed by cdist, which can be
-    # troublesome if this information is relevant for analytics/security/...
-    # See the PROXY example below
-    __haproxy_dualstack \
-        --protocol http --protocol https \
-        --v4proxy ipv6.chat \
-        --v4proxy matrix.ungleich.ch
-
-    # Use the PROXY protocol to proxy the IPv6-only HTTP(S) services enabling
-    # IPv4-only clients to access them while maintaining the client's IP address
-    __haproxy_dualstack \
-        --protocol http --protocol https \
-        --v4proxy proxy:ipv6.chat:http=8080:https=591 \
-        --v4proxy proxy:matrix.ungleich.ch:http=8080:https=591
-    # Note however that the PROXY protocol is not compatible with regular
-    # HTTP(S) protocols, so your nginx will have to listen on different ports
-    # with the PROXY settings.
-    # Note that you will need to restrict access to the 8080 port to prevent
-    # Client IP spoofing.
-    # This can be something like:
-    # server {
-    #     # listen for regular HTTP connections
-    #     listen [::]:80 default_server;
-    #     listen 80 default_server;
-    #     # listen for PROXY HTTP connections
-    #     listen [::]:8080 proxy_protocol;
-    #     # Accept the Client's IP from the PROXY protocol
-    #     real_ip_header proxy_protocol;
-    # }
-
-
-SEE ALSO
---------
-- https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
-- https://www.haproxy.com/blog/haproxy/proxy-protocol/
-- https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
-
-
-AUTHORS
--------
-ungleich <foss--@--ungleich.ch>
-Evilham <cvs--@--evilham.com>
-
-
-COPYING
--------
-Copyright \(C) 2021 ungleich glarus ag. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.

cdist/conf/type/__haproxy_dualstack/manifest

@@ -1,155 +0,0 @@
-#!/bin/sh -eu
-
-__package haproxy
-require="__package/haproxy" __start_on_boot haproxy
-
-tmpdir="$__object/files"
-mkdir "$tmpdir"
-configtmp="$__object/files/haproxy.cfg"
-
-os=$(cat "$__global/explorer/os")
-case $os in
-	freebsd)
-		CONFIG_FILE="/usr/local/etc/haproxy.conf"
-		cat <<EOF > "$configtmp"
-global
-	maxconn	4000
-	user	nobody
-	group	nogroup
-	daemon
-
-EOF
-
-		;;
-	*)
-		CONFIG_FILE="/etc/haproxy/haproxy.cfg"
-		cat <<EOF > "$configtmp"
-global
-	log	[::1] local2
-	chroot	/var/lib/haproxy
-	pidfile	/var/run/haproxy.pid
-	maxconn	4000
-	user	haproxy
-	group	haproxy
-	daemon
-
-	# turn on stats unix socket
-	stats socket	/var/lib/haproxy/stats
-
-EOF
-		;;
-esac
-
-cat <<EOF >> "$configtmp"
-defaults
-	retries	3
-	log	global
-	timeout http-request	10s
-	timeout queue		1m
-	timeout connect		10s
-	timeout client		1m
-	timeout server		1m
-	timeout http-keep-alive	10s
-	timeout check		10s
-EOF
-
-dig_cmd="$(command -v dig || true)"
-get_ip() {
-	# Usage: get_ip (ipv4|ipv6) NAME
-	# uses "dig" if available, else fallback to "host"
-	case $1 in
-		ipv4)
-			if [ -n "${dig_cmd}" ]; then
-				${dig_cmd} +short A "$2"
-			else
-				host -t A "$2" | cut -d ' ' -f 4 | grep -v 'found:'
-			fi
-			;;
-		ipv6)
-			if [ -n "${dig_cmd}" ]; then
-				${dig_cmd} +short AAAA "$2"
-			else
-				host -t AAAA "$2" | cut -d ' ' -f 5 | grep -v 'NXDOMAIN'
-			fi
-			;;
-	esac
-}
-
-PROTOCOLS="$(cat "$__object/parameter/protocol")"
-
-for proxy in v4proxy v6proxy; do
-	param=$__object/parameter/$proxy
-	# no backend? skip generating code
-	if [ ! -f "$param" ]; then
-		continue
-	fi
-
-	# turn backend name into bind parameter: v4backend -> ipv4@
-	bind=$(echo $proxy | sed -e 's/^/ip/' -e 's/proxy//')
-
-	case $bind in
-		ipv4)
-			backendproto=ipv6
-			;;
-		ipv6)
-			backendproto=ipv4
-			;;
-	esac
-
-	for proto in ${PROTOCOLS}; do
-		# Add protocol "header"
-		printf "\n# %s %s \n" "${bind}" "${proto}" >> "$configtmp"
-
-		sed -e "s/BIND/$bind/" \
-			-e "s/\(frontend[[:space:]].*\)/\1$bind/" \
-			-e "s/\(backend[[:space:]].*\)/\\1$bind/" \
-			"$__type/files/$proto" >> "$configtmp"
-
-		while read -r hostdefinition; do
-			if echo "$hostdefinition" | grep -qE '^proxy:'; then
-				# Proxy protocol was requested
-				host="$(echo "$hostdefinition" | sed -E 's/^proxy:([^:]+).*$/\1/')"
-				send_proxy=" send-proxy"
-			else
-				# Just use tcp proxy mode
-				host="$hostdefinition"
-				send_proxy=""
-			fi
-			if echo "$hostdefinition" | grep -qE ":${proto}="; then
-				# Use custom port definition if requested
-				port="$(echo "$hostdefinition" | sed -E "s/^(.*:)?${proto}=([0-9]+).*$/:\2/")"
-			else
-				# Else use the default
-				port=""
-			fi
-			servername=$host
-
-			res=$(get_ip "$bind" "$servername")
-
-			if [ -z "$res" ]; then
-				echo "$servername does not resolve - aborting config" >&2
-				exit 1
-			fi
-
-			# Treat protocols without TLS+SNI specially
-			if [ "$proto" = http ]; then
-				echo "	use-server $servername if { hdr(host) -i $host }" >> "$configtmp"
-			else
-				echo "	use-server $servername if { req_ssl_sni -i $host }" >> "$configtmp"
-			fi
-
-			# Create the "server" itself.
-			# Note that port and send_proxy will be empty unless
-			# they were requested by the type user
-			echo "	server $servername ${backendproto}@${host}${port}${send_proxy}" >> "$configtmp"
-
-		done < "$param"
-	done
-done
-
-# Create config file
-require="__package/haproxy" __file ${CONFIG_FILE} --source "$configtmp" --mode 0644
-
-require="__file${CONFIG_FILE}" __check_messages "haproxy_reload" \
-	--pattern "^__file${CONFIG_FILE}" \
-	--execute "service haproxy reload || service haproxy restart"

cdist/conf/type/__haproxy_dualstack/parameter/default/protocol

@@ -1 +0,0 @@
-http https imaps smtps

cdist/conf/type/__haproxy_dualstack/parameter/optional_multiple

@@ -1,3 +0,0 @@
-protocol
-v4proxy
-v6proxy

cdist/conf/type/__hostname/gencode-remote

@@ -20,27 +20,26 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
-os=$(cat "${__global:?}/explorer/os")
-name_running=$(cat "${__global:?}/explorer/hostname")
-has_hostnamectl=$(cat "${__object:?}/explorer/has_hostnamectl")
+os=$(cat "$__global/explorer/os")
+name_running=$(cat "$__global/explorer/hostname")
+has_hostnamectl=$(cat "$__object/explorer/has_hostnamectl")
 
 
-if test -s "${__object:?}/parameter/name"
+if test -s "$__object/parameter/name"
 then
-    name_should=$(cat "${__object:?}/parameter/name")
+    name_should=$(cat "$__object/parameter/name")
 else
-    case ${os}
+    case $os
     in
         # RedHat-derivatives and BSDs
-        (centos|fedora|redhat|scientific|freebsd|macosx|netbsd|openbsd)
+        centos|fedora|redhat|scientific|freebsd|macosx|netbsd|openbsd)
             # Hostname is FQDN
-            name_should=${__target_host:?}
-            ;;
-        (*)
+            name_should="${__target_host}"
+        ;;
+        *)
             # Hostname is only first component of FQDN
-            name_should=${__target_host:?}
-            name_should=${name_should%%.*}
-            ;;
+            name_should="${__target_host%%.*}"
+        ;;
     esac
 fi
 
@@ -48,46 +47,46 @@ fi
 ################################################################################
 # Check if the (running) hostname is already correct
 #
-test "${name_running}" != "${name_should}" || exit 0
+test "$name_running" != "$name_should" || exit 0
 
 
 ################################################################################
 # Setup hostname
 #
-echo 'changed' >>"${__messages_out:?}"
+echo 'changed' >>"$__messages_out"
 
 # Use the good old way to set the hostname.
-case ${os}
+case $os
 in
-    (alpine|debian|devuan|ubuntu)
+    alpine|debian|devuan|ubuntu)
         echo 'hostname -F /etc/hostname'
-        ;;
-    (archlinux)
+    ;;
+    archlinux)
         echo 'command -v hostnamectl >/dev/null 2>&1' \
-            "&& hostnamectl set-hostname '${name_should}'" \
-            "|| hostname '${name_should}'"
-        ;;
-    (centos|fedora|redhat|scientific|freebsd|netbsd|openbsd|gentoo|void)
-        echo "hostname '${name_should}'"
-        ;;
-    (openwrt)
-        echo "echo '${name_should}' >/proc/sys/kernel/hostname"
-        ;;
-    (macosx)
-        echo "scutil --set HostName '${name_should}'"
-        ;;
-    (solaris)
-        echo "uname -S '${name_should}'"
-        ;;
-    (slackware|suse)
+            "&& hostnamectl set-hostname '$name_should'" \
+            "|| hostname '$name_should'"
+    ;;
+    centos|fedora|redhat|scientific|freebsd|netbsd|openbsd|gentoo|void)
+        echo "hostname '$name_should'"
+    ;;
+    openwrt)
+        echo "echo '$name_should' >/proc/sys/kernel/hostname"
+    ;;
+    macosx)
+        echo "scutil --set HostName '$name_should'"
+    ;;
+    solaris)
+        echo "uname -S '$name_should'"
+    ;;
+    slackware|suse|opensuse-leap)
         # We do not read from /etc/HOSTNAME, because the running
         # hostname is the first component only while the file contains
         # the FQDN.
-        echo "hostname '${name_should}'"
-        ;;
-    (*)
+        echo "hostname '$name_should'"
+    ;;
+    *)
         # Fall back to set the hostname using hostnamectl, if available.
-        if test -n "${has_hostnamectl}"
+        if test -n "$has_hostnamectl"
         then
             # Don't use hostnamectl as the primary means to set the hostname for
             # systemd systems, because it cannot be trusted to work reliably and
@@ -98,8 +97,7 @@ in
             echo "test \"\$(hostname)\" = \"\$(cat /etc/hostname)\"" \
                  " || hostname -F /etc/hostname"
         else
-            printf "echo 'Unsupported OS: %s' >&2\n" "${os}"
-            printf 'exit 1\n'
+            printf "echo 'Unsupported OS: %s' >&2\nexit 1\n" "$os"
         fi
-        ;;
+    ;;
 esac

cdist/conf/type/__hostname/manifest

@@ -20,49 +20,69 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 
+not_supported() {
+    echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
+    echo "Please contribute an implementation for it if you can." >&2
+    exit 1
+}
+
 set_hostname_systemd() {
     echo "$1" | __file /etc/hostname --source -
 }
 
-os=$(cat "${__global:?}/explorer/os")
+os=$(cat "$__global/explorer/os")
+os_version=$(cat "$__global/explorer/os_version")
+os_major=$(echo "$os_version" | grep -o '^[0-9][0-9]*' || true)
 
-max_len=$(cat "${__object:?}/explorer/max_len")
-has_hostnamectl=$(cat "${__object:?}/explorer/has_hostnamectl")
+max_len=$(cat "$__object/explorer/max_len")
+has_hostnamectl=$(cat "$__object/explorer/has_hostnamectl")
 
-if test -s "${__object:?}/parameter/name"
+if test -s "$__object/parameter/name"
 then
-    name_should=$(cat "${__object:?}/parameter/name")
+    name_should=$(cat "$__object/parameter/name")
 else
-    case ${os}
+    case $os
     in
         # RedHat-derivatives and BSDs
-        (centos|fedora|redhat|scientific|freebsd|netbsd|openbsd|slackware|suse)
+        centos|fedora|redhat|scientific|freebsd|netbsd|openbsd|slackware)
             # Hostname is FQDN
-            name_should=${__target_host:?}
-            ;;
+            name_should="${__target_host}"
+        ;;
+        suse|opensuse-leap)
+            # Classic SuSE stores the FQDN in /etc/HOSTNAME, while
+            # systemd does not. The running hostname is the first
+            # component in both cases.
+            # In versions before 15.x, the FQDN is stored in /etc/hostname.
+            if test -n "$has_hostnamectl" && test "$os_major" -ge 15 \
+                    && test "$os_major" -ne 42
+            then
+                name_should="${__target_host%%.*}"
+            else
+                name_should="${__target_host}"
+            fi
+        ;;
         *)
             # Hostname is only first component of FQDN on all other systems.
-            name_should=${__target_host:?}
-            name_should=${name_should%%.*}
-            ;;
+            name_should="${__target_host%%.*}"
+        ;;
     esac
 fi
 
-if test -n "${max_len}" && test "$(printf '%s' "${name_should}" | wc -c)" -gt "${max_len}"
+if test -n "$max_len" && test "$(printf '%s' "$name_should" | wc -c)" -gt "$max_len"
 then
     printf "Host name too long. Up to %u characters allowed.\n" "${max_len}" >&2
     exit 1
 fi
 
-case ${os}
+case $os
 in
-    (alpine|debian|devuan|ubuntu|void)
-        echo "${name_should}" | __file /etc/hostname --source -
-        ;;
-    (archlinux)
-        if test -n "${has_hostnamectl}"
+    alpine|debian|devuan|ubuntu|void)
+        echo "$name_should" | __file /etc/hostname --source -
+    ;;
+    archlinux)
+        if test -n "$has_hostnamectl"
         then
-            set_hostname_systemd "${name_should}"
+            set_hostname_systemd "$name_should"
         else
             echo 'Ancient ArchLinux variants without hostnamectl are not supported.' >&2
             exit 1
@@ -77,8 +97,8 @@ in
             #     --value "\"$name_should\""
         fi
         ;;
-    (centos|fedora|redhat|scientific)
-        if test -z "${has_hostnamectl}"
+    centos|fedora|redhat|scientific)
+        if test -z "$has_hostnamectl"
         then
             # Only write to /etc/sysconfig/network on non-systemd versions.
             # On systemd-based versions this entry is ignored.
@@ -86,83 +106,63 @@ in
                 --file /etc/sysconfig/network \
                 --delimiter '=' --exact_delimiter \
                 --key HOSTNAME \
-                --value "\"${name_should}\""
+                --value "\"$name_should\""
         else
-            set_hostname_systemd "${name_should}"
+            set_hostname_systemd "$name_should"
         fi
-        ;;
-    (gentoo)
+    ;;
+    gentoo)
         # Only write to /etc/conf.d/hostname on OpenRC-based installations.
         # On systemd use hostnamectl(1) in gencode-remote.
-        if test -z "${has_hostnamectl}"
+        if test -z "$has_hostnamectl"
         then
             __key_value '/etc/conf.d/hostname:hostname' \
                 --file /etc/conf.d/hostname \
                 --delimiter '=' --exact_delimiter \
                 --key 'hostname' \
-                --value "\"${name_should}\""
+                --value "\"$name_should\""
         else
             set_hostname_systemd "$name_should"
         fi
-        ;;
-    (freebsd)
+    ;;
+    freebsd)
         __key_value '/etc/rc.conf:hostname' \
             --file /etc/rc.conf \
             --delimiter '=' --exact_delimiter \
             --key 'hostname' \
-            --value "\"${name_should}\""
-        ;;
-    (macosx)
+            --value "\"$name_should\""
+    ;;
+    macosx)
         # handled in gencode-remote
-        ;;
-    (netbsd)
+        :
+    ;;
+    netbsd)
         __key_value '/etc/rc.conf:hostname' \
             --file /etc/rc.conf \
             --delimiter '=' --exact_delimiter \
             --key 'hostname' \
-            --value "\"${name_should}\""
+            --value "\"$name_should\""
 
         # To avoid confusion, ensure that the hostname is only stored once.
         __file /etc/myname --state absent
-        ;;
-    (openbsd)
-        echo "${name_should}" | __file /etc/myname --source -
-        ;;
-    (openwrt)
-        __uci system.@system[0].hostname --value "${name_should}"
+    ;;
+    openbsd)
+        echo "$name_should" | __file /etc/myname --source -
+    ;;
+    openwrt)
+        __uci system.@system[0].hostname --value "$name_should"
             # --transaction hostname
-        ;;
-    (slackware)
+    ;;
+    slackware)
         # We write the FQDN into /etc/HOSTNAME.  But /etc/rc.d/rc.M will only
         # read the first component from this file and set it as the running
         # hostname on boot.
-        echo "${name_should}" | __file /etc/HOSTNAME --source -
-        ;;
-    (solaris)
-        echo "${name_should}" | __file /etc/nodename --source -
-        ;;
-    (suse)
-        if test -s "${__global:?}/explorer/os_release"
-        then
-            # shellcheck source=/dev/null
-            os_version=$(. "${__global:?}/explorer/os_release" && echo "${VERSION}")
-        else
-            os_version=$(sed -n 's/^VERSION\ *=\ *//p' "${__global:?}/explorer/os_version")
-        fi
-        os_major=$(expr "${os_version}" : '\([0-9]\{1,\}\)')
-
-        # Classic SuSE stores the FQDN in /etc/HOSTNAME, while
-        # systemd does not. The running hostname is the first
-        # component in both cases.
-        # In versions before 15.x, the FQDN is stored in /etc/hostname.
-        if test -n "${has_hostnamectl}" \
-                && test "${os_major}" -ge 15 \
-                && test "${os_major}" -ne 42
-        then
-            # strip away everything but the first part from $name_should
-            name_should=${name_should%%.*}
-        fi
-
+        echo "$name_should" | __file /etc/HOSTNAME --source -
+    ;;
+    solaris)
+        echo "$name_should" | __file /etc/nodename --source -
+    ;;
+    suse|opensuse-leap)
         # Modern SuSE provides /etc/HOSTNAME as a symlink for
         # backwards-compatibility. Unfortunately it cannot be used
         # here as __file does not follow the symlink.
@@ -171,25 +171,23 @@ in
         # not work correctly on openSUSE 12.x which provides
         # hostnamectl but not /etc/hostname.
 
-        if test -n "${has_hostnamectl}" -a "${os_major}" -gt 12
+        if test -n "$has_hostnamectl" -a "$os_major" -gt 12
         then
-            hostname_file=/etc/hostname
+            hostname_file='/etc/hostname'
         else
-            hostname_file=/etc/HOSTNAME
+            hostname_file='/etc/HOSTNAME'
         fi
 
-        echo "${name_should}" | __file "${hostname_file}" --source -
-        ;;
-    (*)
+        echo "$name_should" | __file "$hostname_file" --source -
+    ;;
+    *)
         # On other operating systems we fall back to systemd's
         # hostnamectl if available…
-        if test -n "${has_hostnamectl}"
+        if test -n "$has_hostnamectl"
         then
-            set_hostname_systemd "${name_should}"
+            set_hostname_systemd "$name_should"
         else
-            echo "Your operating system (${os}) is currently not supported by this type (${__type##*/})." >&2
-            echo "Please contribute an implementation for it if you can." >&2
-            exit 1
+            not_supported
         fi
-        ;;
+    ;;
 esac

cdist/conf/type/__hwclock/explorer/adjtime_mode

@@ -1,28 +0,0 @@
-#!/bin/sh -e
-#
-# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-# Prints the clock mode read from the /etc/adjtime file, if present.
-#
-
-# not all operating systems use an adjfile
-test -f /etc/adjtime || exit 0
-
-# 3rd line is clock mode
-# adjtime(5) https://man7.org/linux/man-pages/man5/adjtime.5.html
-sed -n 3p /etc/adjtime

cdist/conf/type/__hwclock/explorer/timedatectl_localrtc

@@ -1,27 +0,0 @@
-#!/bin/sh -e
-#
-# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-# Prints the LocalRTC property using timedatectl on systemd-based systems.
-#
-
-command -v timedatectl >/dev/null 2>&1 || exit 0
-
-# NOTE: Older versions of timedatectl do not support `timedatectl show'
-timedatectl --no-pager status \
-| awk -F': ' '$1 ~ "RTC in local TZ$" { sub(/[ \t]*$/, "", $2); print $2 }'

cdist/conf/type/__hwclock/gencode-remote

@@ -1,62 +0,0 @@
-#!/bin/sh -e
-#
-# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-mode=$(cat "${__object:?}/parameter/mode")
-
-timedatectl_localrtc=$(cat "${__object:?}/explorer/timedatectl_localrtc")
-adjtime_mode=$(cat "${__object:?}/explorer/adjtime_mode")
-
-
-case ${mode}
-in
-	(localtime)
-		adjtime_str=LOCAL
-		local_rtc_str=yes
-		;;
-	(UTC|utc)
-		adjtime_str=UTC
-		local_rtc_str=no
-		;;
-	(*)
-		printf 'Invalid value for --mode: %s\n' "${mode}" >&2
-		printf 'Acceptable values are: localtime, utc.\n' >&2
-		exit 1
-esac
-
-
-if test -n "${timedatectl_localrtc}"
-then
-	# systemd
-	timedatectl_should=${local_rtc_str}
-	if test "${timedatectl_localrtc}" != "${timedatectl_should}"
-	then
-		printf 'timedatectl set-local-rtc %s\n' "${timedatectl_should}"
-	fi
-elif test -n "${adjtime_mode}"
-then
-	# others (update /etc/adjtime if present)
-	if test "${adjtime_mode}" != "${adjtime_str}"
-	then
-		# Update /etc/adjtime (3rd line is clock mode)
-		# adjtime(5) https://man7.org/linux/man-pages/man5/adjtime.5.html
-		# FIXME: Should maybe add third line if adjfile only contains two lines
-		printf "sed -i '3c\\\\\\n%s\\n' /etc/adjtime\\n" "${adjtime_str}"
-	fi
-fi

cdist/conf/type/__hwclock/man.rst

@@ -1,63 +0,0 @@
-cdist-type__hwclock(7)
-======================
-
-NAME
-----
-cdist-type__hwclock - Manage the hardware real time clock.
-
-
-DESCRIPTION
------------
-This type can be used to control how the hardware clock is used by the operating
-system.
-
-
-REQUIRED PARAMETERS
--------------------
-mode
-    What mode the hardware clock is in.
-
-    Acceptable values:
-
-    localtime
-        The hardware clock is set to local time (common for systems also running
-        Windows.)
-    UTC
-        The hardware clock is set to UTC (common on UNIX systems.)
-
-
-OPTIONAL PARAMETERS
--------------------
-None.
-
-
-BOOLEAN PARAMETERS
-------------------
-None.
-
-
-EXAMPLES
---------
-
-.. code-block:: sh
-
-    # Make the operating system treat the time read from the hwclock as UTC.
-    __hwclock --mode UTC
-
-
-SEE ALSO
---------
-:strong:`hwclock`\ (8)
-
-
-AUTHORS
--------
-Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
-
-
-COPYING
--------
-Copyright \(C) 2020 Dennis Camera. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.

cdist/conf/type/__hwclock/manifest

@@ -1,222 +0,0 @@
-#!/bin/sh -e
-#
-# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-
-# TODO: Consider supporting BADYEAR
-
-os=$(cat "${__global:?}/explorer/os")
-mode=$(cat "${__object:?}/parameter/mode")
-
-has_systemd_timedatectl=$(test -s "${__object:?}/explorer/timedatectl_localrtc" && echo true || echo false)
-
-
-case ${mode}
-in
-	(localtime)
-		local_clock=true
-		;;
-	(UTC|utc)
-		local_clock=false
-		;;
-	(*)
-		printf 'Invalid value for --mode: %s\n' "${mode}" >&2
-		printf 'Acceptable values are: UTC, localtime.\n' >&2
-		exit 1
-esac
-
-
-case ${os}
-in
-	(alpine|gentoo)
-		if ! $has_systemd_timedatectl
-		then
-			# NOTE: Gentoo also supports systemd, in which case /etc/conf.d is
-			#       not used. So we check for systemd presence here and only
-			#       update /etc/conf.d if systemd is not installed.
-			# https://wiki.gentoo.org/wiki/System_time#Hardware_clock
-
-			export CDIST_ORDER_DEPENDENCY=true
-			__file /etc/conf.d/hwclock --state present \
-				--owner root --group root --mode 0644
-			__key_value /etc/conf.d/hwclock:clock \
-				--file /etc/conf.d/hwclock \
-				--key clock \
-				--delimiter '=' --exact_delimiter \
-				--value "\"$($local_clock && echo local || echo UTC)\""
-			unset CDIST_ORDER_DEPENDENCY
-		fi
-		;;
-	(centos|fedora|redhat|scientific)
-		os_version=$(cat "${__global:?}/explorer/os_version")
-		os_major=$(expr "${os_version}" : '.* release \([0-9]*\)')
-		case ${os}
-		in
-			(centos|scientific)
-				update_sysconfig=$(test "${os_major}" -lt 6 && echo true || echo false)
-				;;
-			(fedora)
-				update_sysconfig=$(test "${os_major}" -lt 10 && echo true || echo false)
-				;;
-			(redhat|*)
-				case ${os_version}
-				in
-					('Red Hat Enterprise Linux'*)
-						update_sysconfig=$(test "${os_major}" -lt 6 && echo true || echo false)
-						;;
-					('Red Hat Linux'*)
-						update_sysconfig=true
-						;;
-					(*)
-						printf 'Could not determine Red Hat distribution.\n' >&2
-						printf "Please contribute an implementation for it if you can.\n" >&2
-						exit 1
-						;;
-				esac
-				;;
-		esac
-
-		if ${update_sysconfig:?}
-		then
-			export CDIST_ORDER_DEPENDENCY=true
-			__file /etc/sysconfig/clock --state present \
-				--owner root --group root --mode 0644
-			__key_value /etc/sysconfig/clock:UTC \
-				--file /etc/sysconfig/clock \
-				--key UTC \
-				--delimiter '=' --exact_delimiter \
-				--value "$($local_clock && echo false || echo true)"
-			unset CDIST_ORDER_DEPENDENCY
-		fi
-		;;
-	(debian|devuan|ubuntu)
-		os_major=$(sed 's/[^0-9].*$//' "${__global:?}/explorer/os_version")
-
-		case ${os}
-		in
-			(debian)
-				if test "${os_major}" -ge 7
-				then
-					update_rcS=false
-				elif test "${os_major}" -ge 3
-				then
-					update_rcS=true
-				else
-					# Debian 2.2 should be supportable using rcS.
-					# Debian 2.1 uses the ancient GMT key.
-					# Debian 1.3 does not have rcS.
-					printf "Your operating system (Debian %s) is currently not supported by this type (%s)\n" \
-						"$(cat "${__global:?}/explorer/os_version")" "${__type##*/}" >&2
-					printf "Please contribute an implementation for it if you can.\n" >&2
-					exit 1
-				fi
-				;;
-			(devuan)
-				update_rcS=false
-				;;
-			(ubuntu)
-				update_rcS=$(test "${os_major}" -lt 16 && echo true || echo false)
-				;;
-		esac
-
-		if ${update_rcS}
-		then
-			export CDIST_ORDER_DEPENDENCY=true
-			__file /etc/default/rcS --state present \
-				--owner root --group root --mode 0644
-			__key_value /etc/default/rcS:UTC \
-				--file /etc/default/rcS \
-				--key UTC \
-				--delimiter '=' --exact_delimiter \
-				--value "$($local_clock && echo no || echo yes)"
-			unset CDIST_ORDER_DEPENDENCY
-		fi		  
-		;;
-	(freebsd)
-		# cf. adjkerntz(8)
-		__file /etc/wall_cmos_clock \
-			--state "$($local_clock && echo present || echo absent)" \
-			--owner root --group wheel --mode 0444
-		;;
-	(netbsd)
-		# https://wiki.netbsd.org/guide/boot/#index9h2
-		__key_value /etc/rc.conf:rtclocaltime \
-			--file /etc/rc.conf \
-			--key rtclocaltime \
-			--delimiter '=' --exact_delimiter \
-			--value "$($local_clock && echo YES || echo NO)"
-		;;
-	(slackware)
-		__file /etc/hardwareclock --owner root --group root --mode 0644 \
-			--source - <<-EOF
-		# /etc/hardwareclock
-		#
-		# Tells how the hardware clock time is stored.
-		# This file is managed by cdist.
-
-		$($local_clock && echo localtime || echo UTC)
-		EOF
-		;;
-	(suse)
-		if test -s "${__global:?}/explorer/os_release"
-		then
-			# shellcheck source=/dev/null
-			os_version=$(. "${__global:?}/explorer/os_release" && echo "${VERSION}")
-		else
-			os_version=$(sed -n 's/^VERSION\ *=\ *//p' "${__global:?}/explorer/os_version")
-		fi
-		os_major=$(expr "${os_version}" : '\([0-9]\{1,\}\)')
-
-		# TODO: Consider using `yast2 timezone set hwclock' instead
-		if expr "${os_major}" \< 12
-		then
-			# Starting with SuSE 12 (first systemd-based version)
-			# /etc/sysconfig/clock does not contain the HWCLOCK line
-			# anymore.
-			# With SuSE 13, it has been reduced to TIMEZONE configuration.
-			__key_value /etc/sysconfig/clock:HWCLOCK \
-				--file /etc/sysconfig/clock \
-				--delimiter '=' --exact_delimiter \
-				--key HWCLOCK \
-				--value "$($local_clock && echo '"--localtime"' || echo '"-u"')"
-		fi
-		;;
-	(void)
-		export CDIST_ORDER_DEPENDENCY=true
-		__file /etc/rc.conf \
-			--owner root --group root --mode 0644 \
-			--state present
-		__key_value /etc/rc.conf:HARDWARECLOCK \
-			--file /etc/rc.conf \
-			--delimiter '=' --exact_delimiter \
-			--key HARDWARECLOCK \
-			--value "\"$($local_clock && echo localtime || echo UTC)\""
-		unset CDIST_ORDER_DEPENDENCY
-		;;
-	(*)
-		if ! $has_systemd_timedatectl
-		then
-			printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
-			printf "Please contribute an implementation for it if you can.\n" >&2
-			exit 1
-		fi
-		;;
-esac
-
-# NOTE: timedatectl set-local-rtc for systemd is in gencode-remote
-# NOTE: /etc/adjtime is also updated in gencode-remote

cdist/conf/type/__hwclock/parameter/required

@@ -1 +0,0 @@
-mode

cdist/conf/type/__iptables_apply/files/init-script

@@ -1,4 +1,7 @@
 #!/bin/sh
+# Nico Schottelius
+# Zürisee, Mon Sep  2 18:38:27 CEST 2013
+#
 ### BEGIN INIT INFO
 # Provides:          iptables
 # Required-Start:    $local_fs $remote_fs
@@ -11,72 +14,34 @@
 #                    and saves/restores previous status
 ### END INIT INFO
 
-# Originally written by:
-#   Nico Schottelius
-#   Zürisee, Mon Sep  2 18:38:27 CEST 2013
-#
-# 2013 Nico Schottelius (nico-cdist at schottelius.org)
-# 2020 Matthias Stecher (matthiasstecher at gmx.de)
-#
-# This file is distributed with cdist and licenced under the
-# GNU GPLv3+ WITHOUT ANY WARRANTY.
-
-
-# Read files and execute the content with the given commands
-#
-# Arguments:
-#  1:    Directory
-#  2..n: Commands which should be used to execute the file content
-gothrough() {
-    cd "$1" || return
-    shift
-
-    # iterate through all rules and continue if it's not a file
-    for rule in *; do
-        [ -f "$rule" ] || continue
-        echo "Appling iptables rule $rule ..."
-
-        # execute it with all commands specificed
-        ruleparam="$(cat "$rule")"
-        for cmd in "$@"; do
-            # Command and Rule should be split.
-            # shellcheck disable=SC2046
-            command $cmd $ruleparam
-        done
-    done
-}
-
-# Shortcut for iptables command to do IPv4 and v6
-# only applies to the "reset" target
-iptables() {
-    command iptables "$@"
-    command ip6tables "$@"
-}
 
 basedir=/etc/iptables.d
-status4="${basedir}/.pre-start"
-status6="${basedir}/.pre-start6"
+status="${basedir}/.pre-start"
 
 case $1 in
     start)
         # Save status
-        iptables-save > "$status4"
-        ip6tables-save > "$status6"
+        iptables-save > "$status"
 
         # Apply our ruleset
-        gothrough "$basedir"     iptables
-        #gothrough "$basedir/v4"  iptables  # conflicts with $basedir
-        gothrough "$basedir/v6"  ip6tables
-        gothrough "$basedir/all" iptables  ip6tables
+        cd "$basedir" || exit
+        count="$(find . ! -name . -prune | wc -l)"
+
+        # Only do something if there are rules
+        if [ "$count" -ge 1 ]; then
+            for rule in *; do
+                echo "Applying iptables rule $rule ..."
+                # Rule should be split.
+                # shellcheck disable=SC2046
+                iptables $(cat "$rule")
+            done
+        fi
     ;;
 
     stop)
         # Restore from status before, if there is something to restore
-        if [ -f "$status4" ]; then
-            iptables-restore < "$status4"
-        fi
-        if [ -f "$status6" ]; then
-            ip6tables-restore < "$status6"
+        if [ -f "$status" ]; then
+            iptables-restore < "$status"
         fi
     ;;
     restart)

cdist/conf/type/__iptables_apply/man.rst

@@ -10,24 +10,7 @@ DESCRIPTION
 -----------
 This cdist type deploys an init script that triggers
 the configured rules and also re-applies them on
-configuration. Rules are written from __iptables_rule
-into the folder ``/etc/iptables.d/``.
-
-It reads all rules from the base folder as rules for IPv4.
-Rules in the subfolder ``v6/`` are IPv6 rules. Rules in
-the subfolder ``all/`` are applied to both rule tables. All
-files contain the arguments for a single ``iptables`` and/or
-``ip6tables`` command.
-
-Rules are applied in the following order:
-1. All IPv4 rules
-2. All IPv6 rules
-2. All rules that should be applied to both tables
-
-The order of the rules that will be applied are definite
-from the result the shell glob returns, which should be
-alphabetical. If rules must be applied in a special order,
-prefix them with a number like ``02-some-rule``.
+configuration.
 
 
 REQUIRED PARAMETERS
@@ -41,7 +24,7 @@ None
 EXAMPLES
 --------
 
-None (__iptables_apply is used by __iptables_rule automatically)
+None (__iptables_apply is used by __iptables_rule)
 
 
 SEE ALSO
@@ -52,13 +35,11 @@ SEE ALSO
 AUTHORS
 -------
 Nico Schottelius <nico-cdist--@--schottelius.org>
-Matthias Stecher <matthiasstecher--@--gmx.de>
 
 
 COPYING
 -------
-Copyright \(C) 2013 Nico Schottelius.
-Copyright \(C) 2020 Matthias Stecher.
-You can redistribute it and/or modify it under the terms of the GNU
-General Public License as published by the Free Software Foundation,
-either version 3 of the License, or (at your option) any later version.
+Copyright \(C) 2013 Nico Schottelius. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__iptables_rule/man.rst

@@ -11,10 +11,6 @@ DESCRIPTION
 This cdist type allows you to manage iptable rules
 in a distribution independent manner.
 
-See :strong:`cdist-type__iptables_apply`\ (7) for the
-execution order of these rules. It will be executed
-automaticly to apply all rules non-volaite.
-
 
 REQUIRED PARAMETERS
 -------------------
@@ -29,24 +25,6 @@ state
    'present' or 'absent', defaults to 'present'
 
 
-BOOLEAN PARAMETERS
-------------------
-All rules without any of these parameters will be treated like ``--v4`` because
-of backward compatibility.
-
-v4
-    Explicitly set it as rule for IPv4. If IPv6 is set, too, it will be
-    threaten like ``--all``. Will be the default if nothing else is set.
-
-v6
-    Explicitly set it as rule for IPv6. If IPv4 is set, too, it will be
-    threaten like ``--all``.
-
-all
-    Set the rule for both IPv4 and IPv6. It will be saved separately from the
-    other rules.
-
-
 EXAMPLES
 --------
 
@@ -70,16 +48,6 @@ EXAMPLES
         --state absent
 
 
-    # IPv4-only rule for ICMPv4
-    __iptables_rule icmp-v4 --v4 --rule "-A INPUT -p icmp -j ACCEPT"
-    # IPv6-only rule for ICMPv6
-    __iptables_rule icmp-v6 --v6 --rule "-A INPUT -p icmpv6 -j ACCEPT"
-
-    # doing something for the dual stack
-    __iptables_rule fwd-eth0-eth1 --v4 --v6 --rule "-A INPUT -i eth0 -o eth1 -j ACCEPT"
-    __iptables_rule fwd-eth1-eth0 --all --rule "-A -o eth1 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
-
-
 SEE ALSO
 --------
 :strong:`cdist-type__iptables_apply`\ (7), :strong:`iptables`\ (8)
@@ -88,13 +56,11 @@ SEE ALSO
 AUTHORS
 -------
 Nico Schottelius <nico-cdist--@--schottelius.org>
-Matthias Stecher <matthiasstecher--@--gmx.de>
 
 
 COPYING
 -------
-Copyright \(C) 2013 Nico Schottelius.
-Copyright \(C) 2020 Matthias Stecher.
-You can redistribute it and/or modify it under the terms of the GNU
-General Public License as published by the Free Software Foundation,
-either version 3 of the License, or (at your option) any later version.
+Copyright \(C) 2013 Nico Schottelius. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__iptables_rule/manifest

@@ -1,7 +1,6 @@
 #!/bin/sh -e
 #
 # 2013 Nico Schottelius (nico-cdist at schottelius.org)
-# 2020 Matthias Stecher (matthiasstecher at gmx.de)
 #
 # This file is part of cdist.
 #
@@ -25,36 +24,12 @@ base_dir=/etc/iptables.d
 name="$__object_id"
 state="$(cat "$__object/parameter/state")"
 
-if [ -f "$__object/parameter/v4" ]; then
-    only_v4="yes"
-    # $specific_dir is $base_dir
-fi
-if [ -f "$__object/parameter/v6" ]; then
-    only_v6="yes"
-    specific_dir="$base_dir/v6"
-fi
-# If rules should be set for both protocols
-if { [ "$only_v4" = "yes" ] && [ "$only_v6" = "yes" ]; } ||
-    [ -f "$__object/parameter/all" ]; then
-
-    # all to a specific directory
-    specific_dir="$base_dir/all"
-fi
-
-# set rule directory based on if it's the base or subdirectory
-rule_dir="${specific_dir:-$base_dir}"
-
 ################################################################################
 # Basic setup
 #
 
 __directory "$base_dir" --state present
 
-# sub-directory if required
-if [ "$specific_dir" ]; then
-    require="__directory/$base_dir" __directory "$specific_dir" --state present
-fi
-
 # Have apply do the real job
 require="$__object_name" __iptables_apply
 
@@ -62,15 +37,6 @@ require="$__object_name" __iptables_apply
 # The rule
 #
 
-for dir in "$base_dir" "$base_dir/v6" "$base_dir/all"; do
-    # defaults to absent except the directory that should contain the file
-    if [ "$rule_dir" = "$dir" ]; then
-        curr_state="$state"
-    else
-        curr_state="absent"
-    fi
-
-    require="__directory/$rule_dir" __file "$dir/$name" \
-        --source "$__object/parameter/rule" \
-        --state "$curr_state"
-done
+require="__directory/$base_dir" __file "$base_dir/${name}" \
+    --source "$__object/parameter/rule" \
+    --state "$state"

cdist/conf/type/__iptables_rule/parameter/boolean

@@ -1,3 +0,0 @@
-all
-v4
-v6

cdist/conf/type/__letsencrypt_cert/explorer/certbot-path

@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+command -v certbot 2>/dev/null || true

cdist/conf/type/__letsencrypt_cert/explorer/certificate-data

@@ -1,78 +0,0 @@
-#!/bin/sh -e
-certbot_path="$(command -v certbot 2>/dev/null || true)"
-# Defaults
-certificate_exists="no"
-certificate_is_test="no"
-
-if [ -n "${certbot_path}" ]; then
-	# Find python executable that has access to certbot's module
-	python_path=$(sed -n '1s/^#! *//p' "${certbot_path}")
-
-	# Use a lock for cdist due to certbot not exiting with failure
-	# or having any flags for concurrent use.
-	_certbot() {
-		${python_path} - 2>/dev/null <<EOF
-from certbot.main import main
-import fcntl
-lock_file = "/tmp/certbot.cdist.lock"
-timeout=60
-with open(lock_file, 'w') as fd:
-    for i in range(timeout):
-        try:
-            # Get exclusive lock
-            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
-            break
-        except:
-            # Wait if that fails
-            import time
-            time.sleep(1)
-    else:
-        # Timed out, exit with failure
-        import sys
-        sys.exit(1)
-    # Do list certificates
-    main(["certificates", "--cert-name", "${__object_id:?}"])
-EOF
-	}
-
-
-	_certificate_exists() {
-		if grep -q "  Certificate Name: ${__object_id:?}$"; then
-			echo yes
-		else
-			echo no
-		fi
-	}
-
-	_certificate_is_test() {
-		if grep -q 'INVALID: TEST_CERT'; then
-			echo yes
-		else
-			echo no
-		fi
-	}
-
-	_certificate_domains() {
-		grep '    Domains: ' | cut -d ' ' -f 6- | tr ' ' '\n'
-	}
-
-	# Get data about all available certificates
-	certificates="$(_certbot)"
-
-	# Check whether or not the certificate exists
-	certificate_exists="$(echo "${certificates}" | _certificate_exists)"
-
-	# Check whether or not the certificate is for testing
-	certificate_is_test="$(echo "${certificates}" | _certificate_is_test)"
-
-	# Get domains for certificate
-	certificate_domains="$(echo "${certificates}" | _certificate_domains)"
-fi
-
-# Return received data
-cat <<EOF
-certbot_path:${certbot_path}
-certificate_exists:${certificate_exists}
-certificate_is_test:${certificate_is_test}
-${certificate_domains}
-EOF

cdist/conf/type/__letsencrypt_cert/explorer/certificate-domains

@@ -0,0 +1,8 @@
+#!/bin/sh -e
+
+certbot_path=$("${__type_explorer}/certbot-path")
+if [ -n "${certbot_path}" ]
+then
+	certbot certificates --cert-name "${__object_id:?}" | grep '    Domains: ' | \
+		cut -d ' ' -f 6- | tr ' ' '\n'
+fi

cdist/conf/type/__letsencrypt_cert/explorer/certificate-exists

@@ -0,0 +1,13 @@
+#!/bin/sh -e
+
+certbot_path=$("${__type_explorer}/certbot-path")
+if [ -n "${certbot_path}" ]
+then
+	if certbot certificates | grep -q "  Certificate Name: ${__object_id:?}$"; then
+		echo yes
+	else
+		echo no
+	fi
+else
+	echo no
+fi

cdist/conf/type/__letsencrypt_cert/explorer/certificate-is-test

@@ -0,0 +1,14 @@
+#!/bin/sh -e
+
+certbot_path=$("${__type_explorer}/certbot-path")
+if [ -n "${certbot_path}" ]
+then
+	if certbot certificates --cert-name "${__object_id:?}" | \
+		grep -q 'INVALID: TEST_CERT'; then
+		echo yes
+	else
+		echo no
+	fi
+else
+	echo no
+fi

cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh

@@ -1,84 +0,0 @@
-#!/bin/sh -e
-
-# It is expected that this defines hook_contents
-
-# Reasonable defaults
-hook_source="${__object}/parameter/${hook}-hook"
-hook_state="absent"
-hook_contents_head="#!/bin/sh -e"
-hook_contents_logic=""
-hook_contents_tail=""
-
-# Backwards compatibility
-# Remove this when renew-hook is removed
-# Falling back to renew-hook if deploy-hook is not passed
-if [ "${hook}" = "deploy" ] && [ ! -f "${hook_source}" ]; then
-	hook_source="${__object}/parameter/renew-hook"
-fi
-if [ "${state}" = "present" ] && \
-	[ -f "${hook_source}" ]; then
-	# This hook is to be installed, let's generate it with some
-	# safety boilerplate
-	# Since certbot runs all hooks for all renewal processes
-	# (at each state for deploy, pre, post), it is up to us to
-	# differentiate whether or not the hook must run
-	hook_state="present"
-	hook_contents_head="$(cat <<EOF
-#!/bin/sh -e
-#
-# Managed remotely with https://cdi.st
-#
-# Domains for which this hook is supposed to apply
-lineage="${LE_DIR}/live/${__object_id}"
-domains="\$(cat <<eof
-${domains}
-eof
-)"
-EOF
-)"
-	case "${hook}" in
-		pre|post)
-			# Certbot is kind of terrible, we have
-			# no way of knowing what domain/lineage the
-			# hook is running for
-			hook_contents_logic="$(cat <<EOF
-# pre/post-hooks apply always due to a certbot limitation
-APPLY_HOOK="YES"
-EOF
-)"
-		;;
-		deploy)
-			hook_contents_logic="$(cat <<EOF
-# certbot defines these environment variables:
-# RENEWED_DOMAINS="DOMAIN1 DOMAIN2"
-# RENEWED_LINEAGE="/etc/letsencrypt/live/__object_id"
-# It feels more stable to use RENEWED_LINEAGE
-if [ "\${lineage}" = "\${RENEWED_LINEAGE}" ]; then
-	APPLY_HOOK="YES"
-fi
-EOF
-)"
-		;;
-		*)
-			echo "Unknown hook '${hook}'" >> /dev/stderr
-			exit 1
-		;;
-	esac
-
-	hook_contents_tail="$(cat <<EOF
-if [ -n "\${APPLY_HOOK}" ]; then
-	# Messing with indentation can eff up the users' scripts, let's not
-$(cat "${hook_source}")
-fi
-EOF
-)"
-fi
-
-hook_contents="$(cat <<EOF
-${hook_contents_head}
-
-${hook_contents_logic}
-
-${hook_contents_tail}
-EOF
-)"

cdist/conf/type/__letsencrypt_cert/gencode-remote

@@ -1,10 +1,6 @@
 #!/bin/sh -e
 
-_explorer_var() {
-	grep "^$1:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-
-}
-
-certificate_exists="$(_explorer_var certificate_exists)"
+certificate_exists=$(cat "${__object:?}/explorer/certificate-exists")
 name="${__object_id:?}"
 state=$(cat "${__object}/parameter/state")
 
@@ -33,9 +29,8 @@ case "${state}" in
 		fi
 
 		if [ "${certificate_exists}" = "yes" ]; then
-			existing_domains=$(mktemp "${TMPDIR:-/tmp}/existing_domains.cdist.XXXXXXXXXX")
-			tail -n +4 "${__object:?}/explorer/certificate-data" | grep -v '^$' > "${existing_domains}"
-			certificate_is_test="$(_explorer_var certificate_is_test)"
+			existing_domains="${__object}/explorer/certificate-domains"
+			certificate_is_test=$(cat "${__object}/explorer/certificate-is-test")
 
 			sort -uo "${requested_domains}" "${requested_domains}"
 			sort -uo "${existing_domains}" "${existing_domains}"

cdist/conf/type/__letsencrypt_cert/man.rst

@@ -1,33 +1,16 @@
 cdist-type__letsencrypt_cert(7)
 ===============================
 
-
 NAME
 ----
 
 cdist-type__letsencrypt_cert - Get an SSL certificate from Let's Encrypt
 
-
 DESCRIPTION
 -----------
 
 Automatically obtain a Let's Encrypt SSL certificate using Certbot.
 
-This type attempts to setup automatic renewals always. In many Linux
-distributions, that is the case out of the box, see:
-https://certbot.eff.org/docs/using.html#automated-renewals
-
-For Alpine Linux and Arch Linux, we setup a system-wide cronjob that
-attempts to renew certificates daily.
-
-If you are using FreeBSD, we configure periodic(8) as recommended by
-the port mantainer, so there will be a weekly attempt at renewal.
-
-If your OS is not mentioned here or on Certbot's docs as having
-support for automated renewals, please make sure you check your OS
-and possibly patch this type so the system-wide cronjob is installed.
-
-
 REQUIRED PARAMETERS
 -------------------
 
@@ -38,7 +21,6 @@ object id
 admin-email
     Where to send Let's Encrypt emails like "certificate needs renewal".
 
-
 OPTIONAL PARAMETERS
 -------------------
 
@@ -54,68 +36,25 @@ webroot
     The path to your webroot, as set up in your webserver config. If this
     parameter is not present, Certbot will be run in standalone mode.
 
-
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 
+renew-hook
+    Renew hook command directly passed to Certbot in cron job.
+
 domain
     Domains to be included in the certificate. When specified then object id
     is not used as a domain.
 
-deploy-hook
-    Command to be executed only when the certificate associated with this
-    ``$__object_id`` is issued or renewed.
-    You can specify it multiple times, but any failure will prevent further
-    commands from being executed.
-
-    For this command, the
-    shell variable ``$RENEWED_LINEAGE`` will point to the
-    config live subdirectory (for example,
-    ``/etc/letsencrypt/live/${__object_id}``) containing the
-    new certificates and keys; the shell variable
-    ``$RENEWED_DOMAINS`` will contain a space-delimited list
-    of renewed certificate domains (for example,
-    ``example.com www.example.com``)
-
-pre-hook
-    Command to be run in a shell before obtaining any
-    certificates.
-    You can specify it multiple times, but any failure will prevent further
-    commands from being executed.
-
-    Note these run regardless of which certificate is attempted, you may want to
-    manage these system-wide hooks with ``__file`` in
-    ``/etc/letsencrypt/renewal-hooks/pre/``.
-
-    Intended primarily for renewal, where it
-    can be used to temporarily shut down a webserver that
-    might conflict with the standalone plugin. This will
-    only be called if a certificate is actually to be
-    obtained/renewed.
-
-post-hook
-    Command to be run in a shell after attempting to
-    obtain/renew certificates.
-    You can specify it multiple times, but any failure will prevent further
-    commands from being executed.
-
-    Note these run regardless of which certificate was attempted, you may want to
-    manage these system-wide hooks with ``__file`` in
-    ``/etc/letsencrypt/renewal-hooks/post/``.
-
-    Can be used to deploy
-    renewed certificates, or to restart any servers that
-    were stopped by --pre-hook. This is only run if an
-    attempt was made to obtain/renew a certificate.
-
-
 BOOLEAN PARAMETERS
 ------------------
 
+automatic-renewal
+    Install a cron job, which attempts to renew certificates daily.
+
 staging
     Obtain a test certificate from a staging server.
 
-
 MESSAGES
 --------
 
@@ -128,7 +67,6 @@ create
 remove
     Certificate was removed.
 
-
 EXAMPLES
 --------
 
@@ -137,7 +75,8 @@ EXAMPLES
     # use object id as domain
     __letsencrypt_cert example.com \
         --admin-email root@example.com \
-        --deploy-hook "service nginx reload" \
+        --automatic-renewal \
+        --renew-hook "service nginx reload" \
         --webroot /data/letsencrypt/root
 
 .. code-block:: sh
@@ -146,10 +85,11 @@ EXAMPLES
     # and example.com needs to be included again with domain parameter
     __letsencrypt_cert example.com \
         --admin-email root@example.com \
+        --automatic-renewal \
         --domain example.com \
         --domain foo.example.com \
         --domain bar.example.com \
-        --deploy-hook "service nginx reload" \
+        --renew-hook "service nginx reload" \
         --webroot /data/letsencrypt/root
 
 AUTHORS
@@ -159,13 +99,11 @@ AUTHORS
 | Kamila Součková <kamila--@--ksp.sk>
 | Darko Poljak <darko.poljak--@--gmail.com>
 | Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
-| Evilham <contact@evilham.com>
-
 
 COPYING
 -------
 
-Copyright \(C) 2017-2021 Nico Schottelius, Kamila Součková, Darko Poljak and
+Copyright \(C) 2017-2018 Nico Schottelius, Kamila Součková, Darko Poljak and
 Ľubomír Kučera. You can redistribute it and/or modify it under the terms of
 the GNU General Public License as published by the Free Software Foundation,
 either version 3 of the License, or (at your option) any later version.

cdist/conf/type/__letsencrypt_cert/manifest

@@ -1,20 +1,18 @@
 #!/bin/sh
 
-certbot_fullpath="$(grep "^certbot_path:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-)"
-state=$(cat "${__object}/parameter/state")
-os="$(cat "${__global:?}/explorer/os")"
+certbot_fullpath="$(cat "${__object:?}/explorer/certbot-path")"
 
 if [ -z "${certbot_fullpath}" ]; then
+	os="$(cat "${__global:?}/explorer/os")"
 	os_version="$(cat "${__global}/explorer/os_version")"
-	# Use this, very common value, as a default. It is OS-dependent
-	certbot_fullpath="/usr/bin/certbot"
+
 	case "$os" in
-		archlinux)
-			__package certbot
-		;;
-		alpine)
-			__package certbot
-		;;
+        archlinux)
+            __package certbot
+            ;;
+        alpine)
+            __package certbot
+            ;;
 		debian)
 			case "$os_version" in
 				8*)
@@ -41,7 +39,7 @@ if [ -z "${certbot_fullpath}" ]; then
 					require="__apt_source/stretch-backports" __package_apt certbot \
 						--target-release stretch-backports
 				;;
-				10*|11*)
+				10*)
 					__package_apt certbot
 				;;
 
@@ -50,7 +48,9 @@ if [ -z "${certbot_fullpath}" ]; then
 					exit 1
 				;;
 			esac
-		;;
+
+			certbot_fullpath=/usr/bin/certbot
+			;;
 		devuan)
 			case "$os_version" in
 				jessie)
@@ -83,14 +83,17 @@ if [ -z "${certbot_fullpath}" ]; then
 					exit 1
 				;;
 			esac
+
+			certbot_fullpath=/usr/bin/certbot
 		;;
 		freebsd)
-			__package py37-certbot
-			certbot_fullpath="/usr/local/bin/certbot"
+			__package py27-certbot
+
+			certbot_fullpath=/usr/local/bin/certbot
 		;;
 		ubuntu)
-			__package certbot
-		;;
+            __package certbot
+            ;;
 		*)
 			echo "Unsupported os: $os" >&2
 			exit 1
@@ -98,61 +101,18 @@ if [ -z "${certbot_fullpath}" ]; then
 	esac
 fi
 
-# Other OS-dependent values that we want to set every time
-LE_DIR="/etc/letsencrypt"
-certbot_cronjob_state="absent"
-case "$os" in
-	archlinux|alpine)
-		certbot_cronjob_state="present"
-	;;
-	freebsd)
-		LE_DIR="/usr/local/etc/letsencrypt"
-		# FreeBSD uses periodic(8) instead of crontabs for this
-		__line "periodic.conf_weekly_certbot" \
-			--file "/etc/periodic.conf" \
-			--regex "^(#[[:space:]]*)?weekly_certbot_enable=.*" \
-			--state "replace" \
-			--line 'weekly_certbot_enable="YES"'
-	;;
-	*)
-	;;
-esac
+if [ -f "${__object}/parameter/automatic-renewal" ]; then
+	renew_hook_param="${__object}/parameter/renew-hook"
+	renew_hook=""
+	if [ -f "${renew_hook_param}" ]; then
+		while read -r hook; do
+			renew_hook="${renew_hook} --renew-hook \"${hook}\""
+		done < "${renew_hook_param}"
+	fi
 
-# This is only necessary in certain OS
-__cron letsencrypt-certbot \
-	--user root \
-	--command "${certbot_fullpath} renew -q" \
-	--hour 0 \
-	--minute 47 \
-	--state "${certbot_cronjob_state}"
-
-# Ensure hook directories
-HOOKS_DIR="${LE_DIR}/renewal-hooks"
-__directory "${LE_DIR}" --mode 0755
-require="__directory/${LE_DIR}" __directory "${HOOKS_DIR}" --mode 0755
-
-if [ -f "${__object}/parameter/domain" ]; then
-	domains="$(sort "${__object}/parameter/domain")"
-else
-	domains="${__object_id}"
+	__cron letsencrypt-certbot  \
+		--user root \
+		--command "${certbot_fullpath} renew -q ${renew_hook}" \
+		--hour 0 \
+		--minute 47
 fi
-
-# Install hooks as needed
-for hook in deploy pre post; do
-	# Using something unique and specific to this object
-	hook_file="${HOOKS_DIR}/${hook}/${__object_id}.cdist.sh"
-
-	# This defines hook_contents
-	# shellcheck source=cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh
-	. "${__type}/files/gen_hook.sh"
-
-	# Ensure hook directory exists
-	require="__directory/${HOOKS_DIR}" __directory "${HOOKS_DIR}/${hook}" \
-		--mode 0755
-	require="__directory/${HOOKS_DIR}/${hook}" __file "${hook_file}" \
-		--mode 0555 \
-		--source '-' \
-		--state "${hook_state}" <<EOF
-${hook_contents}
-EOF
-done

cdist/conf/type/__letsencrypt_cert/parameter/deprecated/automatic-renewal

@@ -1,2 +0,0 @@
-Deprecated in favour of consistent behaviour. It has no effect, see:
-https://code.ungleich.ch/ungleich-public/cdist/-/issues/853

cdist/conf/type/__letsencrypt_cert/parameter/deprecated/renew-hook

@@ -1,2 +0,0 @@
-This parameter has been deprecated in favour of --deploy-hook.
-See: https://code.ungleich.ch/ungleich-public/cdist/-/issues/853

cdist/conf/type/__letsencrypt_cert/parameter/optional_multiple

@@ -1,5 +1,2 @@
-deploy-hook
 domain
-post-hook
-pre-hook
 renew-hook

cdist/conf/type/__locale/deprecated

@@ -1 +0,0 @@
-This type is deprecated. Please use __localedef instead.

cdist/conf/type/__locale/gencode-remote

@@ -23,15 +23,6 @@
 
 locale="$__object_id"
 
-state_is=$(cat "$__object/explorer/state")
-state_should=$(cat "$__object/parameter/state")
-
-# short circuit if there is nothing to do
-if [ "$state_is" = "$state_should" ]; then
-    exit 0
-fi
-
-
 # Hardcoded, create a pull request with
 # branching on $os in case it is at another location
 alias=/usr/share/locale/locale.alias
@@ -44,6 +35,8 @@ charmap=$(echo "$locale" | cut -d . -f 2)
 # W-T-F!
 locale_remove=$(echo "$locale" | sed 's/UTF-8/utf8/')
 
+state=$(cat "$__object/parameter/state")
+
 os=$(cat "$__global/explorer/os")
 
 # Nothing to be done on alpine
@@ -53,7 +46,7 @@ case "$os" in
         ;;
 esac
 
-case "$state_should" in
+case "$state" in
     present)
         echo localedef -A "$alias" -f "$charmap" -i "$input" "$locale"
     ;;
@@ -61,7 +54,7 @@ case "$state_should" in
         echo localedef --delete-from-archive "$locale_remove"
     ;;
     *)
-        echo "Unsupported state: $state_should" >&2
+        echo "Unsupported state: $state" >&2
         exit 1
     ;;
 esac

cdist/conf/type/__localedef/explorer/state

@@ -1,100 +0,0 @@
-#!/bin/sh -e
-#
-# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-# This explorer determines if the locale is defined on the target system.
-# Will print nothing on error.
-#
-# Possible output:
-#  present:
-#    the main locale (and possibly aliases) is present
-#  absent:
-#    neither the main locale nor any aliases are present
-#  alias-present:
-#    the main locale is absent, but at least one of its aliases is present
-#
-
-# Hardcoded, create a pull request in case it is at another location for
-# some other distro. (cf. gencode-remote)
-aliasfile='/usr/share/locale/locale.alias'
-
-command -v locale >/dev/null 2>&1 || exit 0
-
-locales=$(locale -a)
-
-parse_locale() {
-	# This function will split locales into their parts. Locale strings are
-	# usually of the form: [language[_territory][.codeset][@modifier]]
-	# For simplicity, language and territory are not separated by this function.
-	# Old Linux systems were also using "english" or "german" as locale strings.
-	# Usage: parse_locale locale_str lang_var codeset_var modifier_var
-	eval "${2:?}"="$(expr "$1" : '\([^.@]*\)')"
-	eval "${3:?}"="$(expr "$1" : '[^.]*\.\([^@]*\)')"
-	eval "${4:?}"="$(expr "$1" : '.*@\(.*\)$')"
-}
-
-format_locale() {
-	# Usage: format_locale language codeset modifier
-	printf '%s' "$1"
-	test -z "$2" || printf '.%s' "$2"
-	test -z "$3" || printf '@%s' "$3"
-	printf '\n'
-}
-
-gnu_normalize_codeset() {
-	# reimplementation of glibc/locale/programs/localedef.c normalize_codeset()
-	echo "$*" | tr '[:upper:]' '[:lower:]' | tr -cd '[:alnum:]'
-}
-
-locale_available() (
-	echo "${locales}" | grep -qxF "$1" || {
-		# glibc uses "normalized" locale names in archives.
-		# If a locale is stored in an archive, the normalized name will be
-		# printed by locale, so that needs to be checked, too.
-		localename=$(
-			parse_locale "$1" _lang _codeset _modifier \
-			&& format_locale "${_lang:?}" "$(gnu_normalize_codeset "${_codeset?}")" \
-			   "${_modifier?}")
-		echo "${locales}" | grep -qxF "${localename}"
-	}
-)
-
-if locale_available "${__object_id:?}"
-then
-	echo present
-else
-	# NOTE: locale.alias can be symlinked.
-	if test -e "${aliasfile}"
-	then
-		# Check if one of the aliases of the locale is defined
-		baselocale=$(
-			parse_locale "${__object_id:?}" _lang _codeset _modifiers \
-			&& format_locale "${_lang}" "${_codeset}")
-		while read -r _alias _localename
-		do
-			if test "${_localename}" = "${baselocale}" \
-				&& echo "${locales}" | grep -qxF "${_alias}"
-			then
-				echo alias-present
-				exit 0
-			fi
-		done <"${aliasfile}"
-	fi
-
-	echo absent
-fi

cdist/conf/type/__localedef/files/lib/glibc.sh

@@ -1,5 +0,0 @@
-# -*- mode: sh; indent-tabs-mode: t -*-
-
-gnu_normalize_codeset() {
-	echo "$*" | tr -cd '[:alnum:]' | tr '[:upper:]' '[:lower:]'
-}