[__haproxy_dualstack] Improve manpage

[__haproxy_dualstack] New type with PROXY protocol support
This is backwards compatible with what is already used internally @ungleich, but adds on top of that the ability to customise ports and, most importantly, it adds PROXY protocol support.
2021-10-30 12:49:00 +02:00 · 2021-10-30 12:34:14 +02:00
128 changed files with 1318 additions and 5547 deletions
--- a/type/__bird_bgp/manifest
+++ b/type/__bird_bgp/manifest
@ -89,6 +89,7 @@ ipv4_import=
 if [ -f "${__object:?}"/parameter/ipv4-import ];
 then
 	ipv4_import="$(cat "${__object:?}"/parameter/ipv4-import)"
 	echo "FOO" >&2
 fi
 export ipv4_import
--- a/type/__bird_ospf/man.rst
+++ b/type/__bird_ospf/man.rst
@ -24,6 +24,12 @@ import
 export
    The keyword or filter to decide what to export in the above channel.
 REQUIRED MULTIPLE PARAMETERS
 ----------------------------
 interface
    An interface to include in OSPF area 0.
 OPTIONAL PARAMETERS
 -------------------
 description
@ -33,19 +39,12 @@ instance-id
    An OSPF instance ID, allowing several OSPF instances to run on the same
    links.
 extra-area-configuration
    Configuration string added to the `area` section of the OSPF configuration.
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 stubnet
    Add an optionless stubnet definition to the configuration.
 interface
    An interface to include in OSPF area 0. Is required unless
    extra-area-configuration is set.
 SEE ALSO
 --------
 cdist-type__bird_core(7)
--- a/type/__bird_ospf/manifest
+++ b/type/__bird_ospf/manifest
@ -44,21 +44,6 @@ then
 	instance_id="$(cat "${__object:?}/parameter/instance-id")"
 fi
 extra_area_configuration=
 if [ -f "${__object:?}/parameter/extra-area-configuration" ];
 then
 	extra_area_configuration="$(cat "${__object:?}/parameter/extra-area-configuration")"
 	if [ "$extra_area_configuration" = "-" ]; then
 		extra_area_configuration=$(cat "$__object/stdin")
 	fi
 fi
 if [ ! -f "${__object:?}/parameter/interface" ] && [ -z "$extra_area_configuration" ]; then
 	echo "Either --interface or --extra-area-configuration must be set." >&2
 	exit 1
 fi
 __file "${confdir:?}/ospf-${__object_id:?}.conf" \
 	--mode 0640 --owner root --group bird \
 	--source - << EOF
@ -74,8 +59,6 @@ $([ -n "${instance_id?}" ] && printf "\tinstance id %s;\n" "${instance_id?}")
 	area 0 {
 $(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
 $(sed -e 's/^/\t\tsubnet /' -e 's/$/;/' "${__object:?}/parameter/subnet")
 		$extra_area_configuration
 	};
 }
 EOF
--- a/type/__bird_ospf/parameter/optional
+++ b/type/__bird_ospf/parameter/optional
@ -1,3 +1,2 @@
 description
 instance-id
 extra-area-configuration
--- a/type/__bird_ospf/parameter/optional_multiple
+++ b/type/__bird_ospf/parameter/optional_multiple
@ -1,2 +1 @@
 stubnet
 interface
--- a/type/__bird_ospf/parameter/required_multiple
+++ b/type/__bird_ospf/parameter/required_multiple
--- a/type/__bird_radv/man.rst
+++ b/type/__bird_radv/man.rst
@ -15,29 +15,12 @@ autoconfigure IPv6 hosts, this type is a rudimentary implementation to generate
 configuration for Bird to do so.
-REQUIRED PARAMETERS
+REQUIRED MULTIPLE PARAMETERS
-------------------
+----------------------------
 interface
  The interfaces to activate the protocol on. RAs will be sent using the
  prefixes configured on these interfaces.
 OPTIONAL PARAMETERS
 -------------------
 mtu
  An optional MTU setting to include in the router advertisements.
 default-preference
  This option specifies the Default Router Preference value to advertise to
  hosts. Default: medium.
 route-preference
  This option specifies the default value of advertised route preference for
  specific routes. Default: medium.
 default-lifetime
  This option specifies the time (in seconds) how long (since the receipt of RA)
  hosts may use the router as a default router. 0 means do not use as a default
  router. Default: 3.
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
@ -58,7 +41,6 @@ EXAMPLES
    __bird_radv datacenter \
        --interface eth1 \
        --mtu 9000 \
        --route ::/0 \
        --ns 2001:DB8:cafe::4 \
        --ns 2001:DB8:cafe::14 \
--- a/type/__bird_radv/manifest
+++ b/type/__bird_radv/manifest
@ -55,52 +55,23 @@ then
 	DNSSL=$(sed -e 's/^/\tdnssl "/' -e 's/$/";/' "${__object:?}/parameter/dnssl")
 fi
 MTU=
 if [ -f "${__object:?}/parameter/mtu" ];
 then
 	MTU="link mtu $(cat "${__object:?}/parameter/mtu");"
 fi
 DEFAULT_PREFERENCE=
 if [ -f "${__object:?}/parameter/default-preference" ];
 then
 	DEFAULT_PREFERENCE="default preference $(cat "${__object:?}/parameter/default-preference");"
 fi
 ROUTE_PREFERENCE=
 if [ -f "${__object:?}/parameter/route-preference" ];
 then
 	ROUTE_PREFERENCE="route preference $(cat "${__object:?}/parameter/route-preference");"
 fi
 DEFAULT_LIFETIME=
 if [ -f "${__object:?}/parameter/default-lifetime" ];
 then
 	DEFAULT_LIFETIME="default lifetime $(cat "${__object:?}/parameter/default-lifetime");"
 fi
 __file "${confdir:?}/radv-${__object_id:?}.conf" \
 	--mode 0640 --owner root --group bird \
 	--source - << EOF
-ipv6 table radv_routes_${__object_id};
+ipv6 table radv_routes;
 protocol static {
 	description "Routes advertised via RAs";
-	ipv6 { table radv_routes_${__object_id}; };
+	ipv6 { table radv_routes; };
 $(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
 }
 protocol radv ${__object_id:?} {
 	propagate routes ${have_routes:?};
-	ipv6 { table radv_routes_${__object_id}; export all; };
+	ipv6 { table radv_routes; export all; };
-	interface "$(cat "${__object:?}/parameter/interface")" {
+$(sed -e 's/^/\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
 	$MTU
 	$DEFAULT_LIFETIME
 	$DEFAULT_PREFERENCE
 	$ROUTE_PREFERENCE
 	};
 $RDNS
--- a/type/__bird_radv/parameter/optional
+++ b/type/__bird_radv/parameter/optional
@ -1,4 +0,0 @@
 mtu
 default-preference
 route-preference
 default-lifetime
--- a/type/__bird_radv/parameter/required_multiple
+++ b/type/__bird_radv/parameter/required_multiple
@ -0,0 +1 @@
 interface
--- a/type/__borg_repo/manifest
+++ b/type/__borg_repo/manifest
@ -3,7 +3,7 @@
 os="$(cat "${__global:?}"/explorer/os)"
 case "$os" in
-	"alpine"|"ubuntu")
+	"alpine")
 		borg_package=borgbackup
 		;;
 	*)
@ -17,4 +17,3 @@ if [ -f "${__object:?}/parameter/owner" ];
 then
 	__package sudo
 fi
--- a/type/__haproxy_dualstack/files/http
+++ b/type/__haproxy_dualstack/files/http
@ -0,0 +1,8 @@
 frontend http
 	bind	BIND@:80
 	mode	http
 	option	httplog
 	default_backend	http
 backend http
 	mode	http
--- a/type/__haproxy_dualstack/files/https
+++ b/type/__haproxy_dualstack/files/https
@ -0,0 +1,10 @@
 frontend https
 	bind	BIND@:443
 	mode	tcp
 	option	tcplog
 	tcp-request	inspect-delay 5s
 	tcp-request	content accept if { req_ssl_hello_type 1 }
 	default_backend	https
 backend https
 	mode	tcp
--- a/type/__haproxy_dualstack/files/imaps
+++ b/type/__haproxy_dualstack/files/imaps
@ -0,0 +1,12 @@
 frontend imaps
 	bind	BIND@:143
 	bind	BIND@:993
 	mode	tcp
 	option	tcplog
 	tcp-request	inspect-delay 5s
 	tcp-request	content accept if { req_ssl_hello_type 1 }
 	default_backend	imaps
 backend imaps
 	mode	tcp
--- a/type/__haproxy_dualstack/files/smtps
+++ b/type/__haproxy_dualstack/files/smtps
@ -0,0 +1,12 @@
 frontend smtps
 	bind	BIND@:25
 	bind	BIND@:465
 	mode	tcp
 	option	tcplog
 	tcp-request	inspect-delay 5s
 	tcp-request	content accept if { req_ssl_hello_type 1 }
 	default_backend	smtps
 backend smtps
 	mode	tcp
--- a/type/__haproxy_dualstack/man.rst
+++ b/type/__haproxy_dualstack/man.rst
@ -0,0 +1,121 @@
 cdist-type__haproxy_dualstack(7)
 ================================
 NAME
 ----
 cdist-type__haproxy_dualstack - Proxy services from a dual-stack server
 DESCRIPTION
 -----------
 This (singleton) type installs and configures haproxy to act as a dual-stack
 proxy for single-stack services.
 This can be useful to add IPv4 support to IPv6-only services while only using
 one IPv4 for many such services.
 By default this type uses the plain TCP proxy mode, which means that there is no
 need for TLS termination on this host when SNI is supported.
 This also means that proxied services will not receive the client's IP address,
 but will see the proxy's IP address instead (that of `$__target_host`).
 This can be solved by using the PROXY protocol, but do take into account that,
 e.g. nginx cannot serve both regular HTTP(S) and PROXY protocols on the same
 port, so you will need to use other ports for that.
 As a recommendation in this type: use TCP ports 8080 and 591 respectively to
 serve HTTP and HTTPS using the PROXY protocol.
 See the EXAMPLES for more details.
 OPTIONAL PARAMETERS
 -------------------
 v4proxy
    Proxy incoming IPv4 connections to the equivalent IPv6 endpoint.
    In its simplest use, it must be a NAME with an `AAAA` DNS entry, which is
    the IP address actually providing the proxied services.
    The full format of this argument is:
    `[proxy:]NAME[[:PROTOCOL_1=PORT_1]...[:PROTOCOL_N=PORT_N]]`
    Where starting with `proxy:` determines that the PROXY protocol must be
    used and each `:PROTOCOL=PORT` (e.g. `:http=8080` or `:https=591`) is a PORT
    override for the given PROTOCOL (see `--protocol`), if not present the
    PROTOCOL's default port will be used.
 v6proxy
    Proxy incoming IPv6 connections to the equivalent IPv4 endpoint.
    In its simplest use, it must be a NAME with an `A` DNS entry, which is
    the IP address actually providing the proxied services.
    See `--v4proxy` for more options and details.
 protocol
    Can be passed multiple times or as a space-separated list of protocols.
    Currently supported protocols are: `http`, `https`, `imaps`, `smtps`.
    This defaults to: `http https imaps smtps`.
 EXAMPLES
 --------
 .. code-block:: sh
    # Proxy the IPv6-only services so IPv4-only clients can access them
    # This uses HAProxy's TCP mode for http, https, imaps and smtps
    __haproxy_dualstack \
        --v4proxy ipv6.chat \
        --v4proxy matrix.ungleich.ch
    # Proxy the IPv6-only HTTP(S) services so IPv4-only clients can access them
    # Note this means that the backend IPv6-only server will only see
    # the IPv6 address of the haproxy host managed by cdist, which can be
    # troublesome if this information is relevant for analytics/security/...
    # See the PROXY example below
    __haproxy_dualstack \
        --protocol http --protocol https \
        --v4proxy ipv6.chat \
        --v4proxy matrix.ungleich.ch
    # Use the PROXY protocol to proxy the IPv6-only HTTP(S) services enabling
    # IPv4-only clients to access them while maintaining the client's IP address
    __haproxy_dualstack \
        --protocol http --protocol https \
        --v4proxy proxy:ipv6.chat:http=8080:https=591 \
        --v4proxy proxy:matrix.ungleich.ch:http=8080:https=591
    # Note however that the PROXY protocol is not compatible with regular
    # HTTP(S) protocols, so your nginx will have to listen on different ports
    # with the PROXY settings.
    # Note that you will need to restrict access to the 8080 port to prevent
    # Client IP spoofing.
    # This can be something like:
    # server {
    #     # listen for regular HTTP connections
    #     listen [::]:80 default_server;
    #     listen 80 default_server;
    #     # listen for PROXY HTTP connections
    #     listen [::]:8080 proxy_protocol;
    #     # Accept the Client's IP from the PROXY protocol
    #     real_ip_header proxy_protocol;
    # }
 SEE ALSO
 --------
 - https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
 - https://www.haproxy.com/blog/haproxy/proxy-protocol/
 - https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
 AUTHORS
 -------
 ungleich <foss--@--ungleich.ch>
 Evilham <cvs--@--evilham.com>
 COPYING
 -------
 Copyright \(C) 2021 ungleich glarus ag. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/type/__haproxy_dualstack/manifest
+++ b/type/__haproxy_dualstack/manifest
@ -0,0 +1,155 @@
 #!/bin/sh -eu
 __package haproxy
 require="__package/haproxy" __start_on_boot haproxy
 tmpdir="$__object/files"
 mkdir "$tmpdir"
 configtmp="$__object/files/haproxy.cfg"
 os=$(cat "$__global/explorer/os")
 case $os in
 	freebsd)
 		CONFIG_FILE="/usr/local/etc/haproxy.conf"
 		cat <<EOF > "$configtmp"
 global
 	maxconn	4000
 	user	nobody
 	group	nogroup
 	daemon
 EOF
 		;;
 	*)
 		CONFIG_FILE="/etc/haproxy/haproxy.cfg"
 		cat <<EOF > "$configtmp"
 global
 	log	[::1] local2
 	chroot	/var/lib/haproxy
 	pidfile	/var/run/haproxy.pid
 	maxconn	4000
 	user	haproxy
 	group	haproxy
 	daemon
 	# turn on stats unix socket
 	stats socket	/var/lib/haproxy/stats
 EOF
 		;;
 esac
 cat <<EOF >> "$configtmp"
 defaults
 	retries	3
 	log	global
 	timeout http-request	10s
 	timeout queue		1m
 	timeout connect		10s
 	timeout client		1m
 	timeout server		1m
 	timeout http-keep-alive	10s
 	timeout check		10s
 EOF
 dig_cmd="$(command -v dig || true)"
 get_ip() {
 	# Usage: get_ip (ipv4|ipv6) NAME
 	# uses "dig" if available, else fallback to "host"
 	case $1 in
 		ipv4)
 			if [ -n "${dig_cmd}" ]; then
 				${dig_cmd} +short A "$2"
 			else
 				host -t A "$2" | cut -d ' ' -f 4 | grep -v 'found:'
 			fi
 			;;
 		ipv6)
 			if [ -n "${dig_cmd}" ]; then
 				${dig_cmd} +short AAAA "$2"
 			else
 				host -t AAAA "$2" | cut -d ' ' -f 5 | grep -v 'NXDOMAIN'
 			fi
 			;;
 	esac
 }
 PROTOCOLS="$(cat "$__object/parameter/protocol")"
 for proxy in v4proxy v6proxy; do
 	param=$__object/parameter/$proxy
 	# no backend? skip generating code
 	if [ ! -f "$param" ]; then
 		continue
 	fi
 	# turn backend name into bind parameter: v4backend -> ipv4@
 	bind=$(echo $proxy | sed -e 's/^/ip/' -e 's/proxy//')
 	case $bind in
 		ipv4)
 			backendproto=ipv6
 			;;
 		ipv6)
 			backendproto=ipv4
 			;;
 	esac
 	for proto in ${PROTOCOLS}; do
 		# Add protocol "header"
 		printf "\n# %s %s \n" "${bind}" "${proto}" >> "$configtmp"
 		sed -e "s/BIND/$bind/" \
 			-e "s/\(frontend[[:space:]].*\)/\1$bind/" \
 			-e "s/\(backend[[:space:]].*\)/\\1$bind/" \
 			"$__type/files/$proto" >> "$configtmp"
 		while read -r hostdefinition; do
 			if echo "$hostdefinition" | grep -qE '^proxy:'; then
 				# Proxy protocol was requested
 				host="$(echo "$hostdefinition" | sed -E 's/^proxy:([^:]+).*$/\1/')"
 				send_proxy=" send-proxy"
 			else
 				# Just use tcp proxy mode
 				host="$hostdefinition"
 				send_proxy=""
 			fi
 			if echo "$hostdefinition" | grep -qE ":${proto}="; then
 				# Use custom port definition if requested
 				port="$(echo "$hostdefinition" | sed -E "s/^(.*:)?${proto}=([0-9]+).*$/:\2/")"
 			else
 				# Else use the default
 				port=""
 			fi
 			servername=$host
 			res=$(get_ip "$bind" "$servername")
 			if [ -z "$res" ]; then
 				echo "$servername does not resolve - aborting config" >&2
 				exit 1
 			fi
 			# Treat protocols without TLS+SNI specially
 			if [ "$proto" = http ]; then
 				echo "	use-server $servername if { hdr(host) -i $host }" >> "$configtmp"
 			else
 				echo "	use-server $servername if { req_ssl_sni -i $host }" >> "$configtmp"
 			fi
 			# Create the "server" itself.
 			# Note that port and send_proxy will be empty unless
 			# they were requested by the type user
 			echo "	server $servername ${backendproto}@${host}${port}${send_proxy}" >> "$configtmp"
 		done < "$param"
 	done
 done
 # Create config file
 require="__package/haproxy" __file ${CONFIG_FILE} --source "$configtmp" --mode 0644
 require="__file${CONFIG_FILE}" __check_messages "haproxy_reload" \
 	--pattern "^__file${CONFIG_FILE}" \
 	--execute "service haproxy reload || service haproxy restart"
--- a/type/__haproxy_dualstack/parameter/default/protocol
+++ b/type/__haproxy_dualstack/parameter/default/protocol
@ -0,0 +1 @@
 http https imaps smtps
--- a/type/__haproxy_dualstack/parameter/optional_multiple
+++ b/type/__haproxy_dualstack/parameter/optional_multiple
@ -0,0 +1,3 @@
 protocol
 v4proxy
 v6proxy
--- a/type/__haproxy_dualstack/singleton
+++ b/type/__haproxy_dualstack/singleton
--- a/type/__jitsi_meet/explorer/configured-memory
+++ b/type/__jitsi_meet/explorer/configured-memory
@ -1,15 +0,0 @@
 #!/bin/sh -eu
 JICOFO="/usr/share/jicofo/jicofo.sh"
 VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc"
 if [ -f "${JICOFO:?}" ]; then
 	jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)"
 fi
 if [ -f "${VIDEOBRIDGE:?}" ]; then
 	vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)"
 fi
 cat <<EOF
 jicofo	${jicofo_memory:-n/a}
 videobridge	${vb_memory:-n/a}
 EOF
--- a/type/__jitsi_meet/explorer/jicofo-authpassword
+++ b/type/__jitsi_meet/explorer/jicofo-authpassword
@ -1,26 +0,0 @@
 #!/bin/sh -eu
 JICOFO_AUTHPASSWORD=""
 # We need this to properly configure jicofo
 # Default to reading debconf
 DEBCONF_PASS_FILE="/var/cache/debconf/passwords.dat"
 if [ -f "${DEBCONF_PASS_FILE}" ]; then
 	JICOFO_AUTHPASSWORD="$(grep -A1 'Template: jicofo/jicofo-authpassword' "${DEBCONF_PASS_FILE}" | tail -n 1 | cut -d ' ' -f 2-)"
 fi
 # Try jicofo.conf if necessary
 JICOFO_CONF_FILE="/etc/jitsi/jicofo/jicofo.conf"
 if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONF_FILE}" ]; then
 	JICOFO_AUTHPASSWORD="$(grep -E '^[[:space:]]*password:' "${JICOFO_CONF_FILE}" | sed -E 's!^[^:]*:[[:space:]]*"(.*)"$!\1!')"
 fi
 # And fallback to config file if necessary
 JICOFO_CONFIG_FILE="/etc/jitsi/jicofo/config"
 if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONFIG_FILE}" ]; then
 	JICOFO_AUTHPASSWORD="$(grep -E '^JICOFO_AUTH_PASSWORD=' "${JICOFO_CONFIG_FILE}" | cut -d '=' -f 2-)"
 fi
 # If we didn't find it, this is likely a new installation and we'll generate
 # the password on the manifest
 echo "${JICOFO_AUTHPASSWORD:-}"
--- a/type/__jitsi_meet/explorer/jitsi-status
+++ b/type/__jitsi_meet/explorer/jitsi-status
@ -1,6 +0,0 @@
 #!/bin/sh -eu
 if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
 	# TODO: detect curl / depend on it?
 	curl -s localhost:9888/metrics
 fi
--- a/type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version
+++ b/type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version
@ -0,0 +1,7 @@
 #!/bin/sh -e
 EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
 if [ -f "${EXPORTER_VERSION_FILE}" ]; then
 	cat "${EXPORTER_VERSION_FILE}"
 fi
--- a/type/__jitsi_meet/files/debconf_settings.sh
+++ b/type/__jitsi_meet/files/debconf_settings.sh
@ -5,6 +5,9 @@
 if false; then
 	# We are currently not using these, just here as documentation
 	DEBCONF_SETTINGS="$(cat <<EOF
 # Jicofo user password:
 jicofo	jicofo/jicofo-authpassword	password	STH
 jitsi-meet-prosody	jicofo/jicofo-authpassword	password	STH
 # The secret used to connect to xmpp server as component
 jitsi-meet-prosody	jitsi-videobridge/jvbsecret	password	STH
 jitsi-videobridge	jitsi-videobridge/jvbsecret	password	STH
@ -37,9 +40,6 @@ jitsi-videobridge	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
 jitsi-videobridge2	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
 # The hostname of the current installation:
 jitsi-meet-prosody	jitsi-meet-prosody/jvb-hostname string	${JITSI_HOST}
 # Jicofo user password:
 jicofo	jicofo/jicofo-authpassword	password	${JICOFO_AUTHPASSWORD}
 jitsi-meet-prosody	jicofo/jicofo-authpassword	password	${JICOFO_AUTHPASSWORD}
 # SSL certificate for the Jitsi Meet instance
 # Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
 jitsi-meet-web-config	jitsi-meet/cert-choice	select	Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)
--- a/type/__jitsi_meet/files/jicofo.conf.sh
+++ b/type/__jitsi_meet/files/jicofo.conf.sh
@ -1,38 +0,0 @@
 #!/bin/sh -eu
 # Start
 cat <<EOF
 # Managed remotely, changes will be lost
 # Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
 #available options, syntax, and default values.
 jicofo {
  xmpp: {
    client: {
      client-proxy: focus.${JITSI_HOST:?}
      xmpp-domain: "${JITSI_HOST:?}"
      domain: "auth.${JITSI_HOST:?}"
      username: "focus"
      password: "${JICOFO_AUTHPASSWORD:?}"
    }
    trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
  }
  bridge: {
    brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
  }
 EOF
 # Secured domains if needed
 if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
 cat <<EOF
  authentication: {
    enabled: true
    type: XMPP
    login-url: ${JITSI_HOST:?}
  }
 EOF
 fi
 # End
 echo '}'
--- a/type/__jitsi_meet/files/jitsi-version
+++ b/type/__jitsi_meet/files/jitsi-version
@ -1 +0,0 @@
 ../../__jitsi_meet_domain/files/jitsi-version
--- a/type/__jitsi_meet/files/prosody.cfg.lua.sh
+++ b/type/__jitsi_meet/files/prosody.cfg.lua.sh
@ -1 +0,0 @@
 ../../__jitsi_meet_domain/files/prosody.cfg.lua.sh
--- a/type/__jitsi_meet/gencode-remote
+++ b/type/__jitsi_meet/gencode-remote
@ -1,43 +1,11 @@
 #!/bin/sh -e
 memory="$(cat "${__global}/explorer/memory")"
 G="000000"  # Will totally eff up the zero-count otherwise
 # MAX_MEMORY will affect jicofo and videobridge
 #  As a rule of thumb, the machine's RAM should be more than 2.5 * MAX_MEMORY
 if [ "${memory}" -lt "3${G}" ]; then
 	# If you use this, let us know how it works!
 	MAX_MEMORY="768m"
 elif [ "${memory}" -lt "5${G}" ]; then
 	MAX_MEMORY="1024m"
 elif [ "${memory}" -lt "8${G}" ]; then
 	MAX_MEMORY="2048m"
 else
 	# Jitsi recommends running on 8G RAM and these are the defaults
 	MAX_MEMORY="3072m"
 fi
 if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}$"; then
 	# At least one service has different memory settings
 	RESTART_SERVICES="YES"
 	cat <<-EOF
 	sed -i.tmp -E \
 		-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
 		/usr/share/jitsi-videobridge/lib/videobridge.rc
 	sed -i.tmp -E \
 		-e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \
 		/usr/share/jicofo/jicofo.sh
 	EOF
 fi
 if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 	echo "service nginx reload"
 fi
-if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then
+JITSI_HOST="${__object_id}"
-	RESTART_SERVICES="YES"
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
 fi
 if [ -n "${RESTART_SERVICES}" ]; then
  echo "systemctl restart prosody"
  echo "systemctl restart jicofo"
  echo "systemctl restart jitsi-videobridge2"
--- a/type/__jitsi_meet/man.rst
+++ b/type/__jitsi_meet/man.rst
@ -21,24 +21,13 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up
 the web frontend (including TLS certificates) and its settings.
 You may want to use the `files/ufw` example manifest for a `__ufw`-based
-firewall compatible with this type that allows all ports needed by Jitsi-Meet.
+firewall compatible with this type.
-Note however that this will not deal with rules for SSH or for TCP port 9888,
+This file does not include rules for TCP port 9888, which exposes the
-which exposes the prometheus exporter if not disabled.
+prometheus exporter if not disabled.
-Remember to apply your own rules here, particularly regarding SSH.
+You should apply your own rules here.
 This type only works on De{bi,vu}an systems.
 It is very important for this type to stay up to date with the software, as
 otherwise new deployments or maintenance of existing instances might be
 negatively affected.
 If you can, please contribute updates to `__jitsi_meet` and
 `__jitsi_meet_domain` promptly and regularly.
 Alternatively, you can help finance that work; get in touch with the type
 authors for that (see below).
 This type takes care of adapting the maximum memory used by jicofo and
 videobridge in function of the hosts installed memory.
 NOTE: This type currently does not deal with setting up coturn.
      For that, you might want to check `__coturn` in
      https://code.ungleich.ch/ungleich-public/cdist-contrib
@ -47,14 +36,6 @@ NOTE: This type currently does not deal with setting up coturn.
 OPTIONAL PARAMETERS
 -------------------
 abort-conference-count
    Only has an effect if the prometheus exporter is enabled and if it is not
    empty (default).
    If at least this many conferences are active on the server, the type will
    bail out before making any changes.
    This is useful if you want to avoid service disruptions due to e.g. an SLA.
 turn-secret
    The shared secret for the TURN server.
@ -62,6 +43,11 @@ turn-server
    The hostname of the TURN server.
    This will assume that it is listening with TLS on port 443.
 jitsi-version
    The jitsi-meet version of the Debian package to be installed.
    While this can be specified, only the default value is known to work
    properly with this type.
 BOOLEAN PARAMETERS
 ------------------
@ -84,11 +70,9 @@ EXAMPLES
 .. code-block:: sh
-    # Setup the firewall for Jitsi-Meet
+    # Setup the firewall 
    . "${__global}/type/__jitsi_meet/files/ufw"
    export require="__ufw"
    # Setup firewall SSH rules as necessary
    __ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
    # Setup Jitsi on this host
    __jitsi_meet \
      --turn-server "turn.exo.cat" \
@ -108,4 +92,4 @@ Evilham <contact@evilham.com>
 COPYING
 -------
-Copyright \(C) 2022 Evilham.
+Copyright \(C) 2021 Evilham.
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@ -1,6 +1,7 @@
 #!/bin/sh -e
 os="$(cat "${__global}/explorer/os")"
 init="$(cat "${__global}/explorer/init")"
 case "${os}" in
 	devuan|debian)
 	;;
@ -10,37 +11,10 @@ case "${os}" in
 	;;
 esac
 current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
 JICOFO_AUTHPASSWORD="$(cat "${__object}/explorer/jicofo-authpassword")"
 if [ -z "${JICOFO_AUTHPASSWORD}" ]; then
 	# This is probably a first time installation, we'll generate the
 	# password which will be set in debconf by this type
 	# https://github.com/jitsi/jicofo/blob/aafb61b5363a1c4abdbf08e1444a6276b807993e/debian/postinst#L43
 	JICOFO_AUTHPASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)"
 fi
 ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
 if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
 	[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
 	cat <<-EOF
 Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
 There are currently ${current_conferences} active conferences.
 Try again at a later time or remove or increase --abort-conference-count
 	EOF
 	exit 1
 fi
 JITSI_HOST="${__target_host}"
-if [ -f "${__object}/parameter/jitsi-version" ]; then
+# Currently unused, see below
-	# This has been deprecated and will be removed 'soon'
+# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
 	JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
 else
 	# Note this won't be a parameter anymore, we won't let users stay behind
 	JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
 fi
 TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
 TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
@ -48,6 +22,8 @@ if [ -z "${TURN_SERVER}" ]; then
 	TURN_SERVER="${JITSI_HOST}"
 fi
 PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")"
 # The rest is loosely based on Jitsi's documentation
 # https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
@ -75,16 +51,17 @@ export require="${require} __apt_source/jitsi_meet __apt_update_index"
 # Pre-feed debconf settings, so Jitsi's installation has a good config
 # shellcheck source=type/__jitsi_meet/files/debconf_settings.sh
 . "${__type}/files/debconf_settings.sh"  # This defines DEBCONF_SETTINGS
-__debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
+__debconf_set_selections jitsi_meet --file - <<EOF
 ${DEBCONF_SETTINGS}
 EOF
 export require="${require} __debconf_set_selections/jitsi_meet"
 # Install and upgrade packages as needed
-#   NOTE: we are doing version pinning again, but it breaks sometimes when
+__package_apt jitsi-meet
-#         the version is not the latest.
+# We are not doing version pinning anymore because it breaks when
-#         This happens because dependencies might not be properly resolved.
+# the version is not the latest.
-#         To avoid this, this type must be maintained up to date.
+# This happens because dependencies cannot be properly resolved.
-#         If we don't use this, keeping Jitsi's up to date is very difficult.
+# --version "${JITSI_VERSION}"
 __package_apt jitsi-meet --version "${JITSI_VERSION}"
 # Proceed only after installation/upgrade has finished
 export require="__package_apt/jitsi-meet"
@ -148,11 +125,7 @@ require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-ava
 server_names_hash_bucket_size 64;
-types {
+# nginx server configuration for:
 # nginx's default mime.types doesn't include a mapping for wasm or wav.
    application/wasm     wasm;
    audio/wav            wav;
 }
 server {
@ -175,157 +148,95 @@ server {
 }
 EOF
 # Starting from 2.0.7210, jitsi defines following nginx upstreams
 __directory "${NGINX_ETC}/conf.d" --state present
 require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \
  --mode 644 \
  --source - << EOF
 upstream prosody {
    zone upstreams 64K;
    server 127.0.0.1:5280;
    keepalive 2;
 }
 EOF
 require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \
  --mode 644 \
  --source - << EOF
 upstream jvb1 {
    zone upstreams 64K;
    server 127.0.0.1:9090;
    keepalive 2;
 }
 EOF
 require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jicofo.conf" \
  --mode 644 \
  --source - << EOF
 upstream jicofo {
    zone upstreams 64K;
    server 127.0.0.1:8888;
    keepalive 2;
 }
 EOF
 if [ -f "${__object}/parameter/secured-domains" ]; then
  SECURED_DOMAINS_STATE='present'
  SECURED_DOMAINS_STATE_JICOFO='replace'
 else
  SECURED_DOMAINS_STATE='absent'
  SECURED_DOMAINS_STATE_JICOFO='absent'
 fi
-# This is the main host config
+__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
-PROSODY_MAIN_CONFIG="YES"
+  --owner prosody --group prosody --mode 0440 \
-# Prosody settings for common components (jvb, focus, ...)
+  --state ${SECURED_DOMAINS_STATE} \
-# shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
+  --source - <<EOF
-. "${__type}/files/prosody.cfg.lua.sh"  # This defines PROSODY_CONFIG
+VirtualHost "${JITSI_HOST}"
-__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
+    authentication = "internal_plain"
-	--group prosody \
+
-	--mode 0440 \
+VirtualHost "guest.${JITSI_HOST}"
-	--source - <<EOF
+    authentication = "anonymous"
-${PROSODY_CONFIG}
+    c2s_require_encryption = false
 EOF
-# Clean up zauth.cfg.lua file, which we don't use now
+__block jitsi_jicofo_secured_domains \
-__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
+  --prefix "// begin cdist: jicofo_secured_domains" \
-  --state absent
+  --suffix "// end   cdist: jicofo_secured_domains" \
-
+  --file /etc/jitsi/jicofo/jicofo.conf \
-export SECURED_DOMAINS_STATE
+  --state "${SECURED_DOMAINS_STATE_JICOFO}" \
-export JITSI_HOST
+  --text '-' <<EOF
-export JICOFO_AUTHPASSWORD
+  authentication: {
-"${__type}/files/jicofo.conf.sh" | \
+    enabled: true
-	__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
+    type: XMPP
-
+    login-url: ${JITSI_HOST}
-# Enable the private colibri REST API end point for better stats
+  }
 __file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' <<EOFJVB
 videobridge {
    http-servers {
        public {
            port = 9090
        }
        private {
            port = 8080
        }
    }
    websockets {
        enabled = true
        domain = "${JITSI_HOST}:443"
        tls = true
    }
    apis {
        rest {
            enabled = true
        }
    }
    cc {
        trust-bwe = false
    }
 }
 EOFJVB
 # Enable simple per-domain body customisation
 __file "/usr/share/jitsi-meet/body.html" \
 	--mode 0644 \
 	--source '-' <<EOF
 <!--#include virtual="body-\${host}.html" -->
 EOF
 # These two should be changed on new release
-EXPORTER_VERSION="1.2.1"
+PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
-EXPORTER_CHECKSUM="sha256:46d4b8475b72fd7632a5203f1cc3c7067bed4629902b7780a1da85e4e06c2129"
+PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
-EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
+PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64"
-if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
+PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
-	EXPORTER_STATE="absent"
+if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
-else
+	case "${init}" in
-	EXPORTER_STATE="present"
+		init|sysvinit)
-fi
+			__runit
-__single_binary_service prometheus-jitsi-meet-exporter \
+			require="__runit" __runit_service \
-	--state "${EXPORTER_STATE}" \
+				prometheus-jitsi-meet-exporter --log --source - <<EOF
-	--do-not-manage-user \
+			#!/bin/sh -e
-	--user "nobody" \
+			cd /tmp
-	--group "nogroup" \
+			exec chpst -u "nobody:nogroup" env HOME="/tmp" \\
-	--version "${EXPORTER_VERSION}" \
+			     prometheus-jitsi-meet-exporter \\
-	--checksum "${EXPORTER_CHECKSUM}" \
+				-videobridge-url 'http://localhost:8888/stats' \\
-	--url "${EXPORTER_URL}" \
+				-web.listen-address ':9888' 2>&1
 	--unpack \
 	--service-args "-videobridge-url 'http://localhost:8080/colibri/stats' -web.listen-address ':9888'"
 #
 # Setup interpreter assets if requested
 # See: https://gitlab.com/mfmt/jsi/
 #
 jsi_updated_on="2022-04-21"
 __link "/usr/share/jitsi-meet/interpreters.html" \
 	--type symbolic \
 	--source "/opt/jsi/static/index.html.sample"
 __directory /opt/jsi --mode 0755
 export require="__directory/opt/jsi"
 __download /opt/jsi/jsi.tar.gz \
 	--url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \
 	--sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53"
 export require="__download/opt/jsi/jsi.tar.gz"
 __unpack /opt/jsi/jsi.tar.gz \
 	--preserve-archive \
 	--tar-strip 1 \
 	--destination /opt/jsi/static \
 	--onchange "$(cat <<EOF
 # Patch style.css to be served on /i/
 sed -i.tmp -E \
 	-e 's!url[(]/img/welcome-background.png[)]!url(/i/img/welcome-background.png)!' \
 	/opt/jsi/static/style.css
 # Patch jsi.js to be served on /i/
 #   and so it always uses the domain it's served from
 #   and so it uses /i/ROOM for the form
 sed -i.tmp -E \
 	-e 's!substr[(][0-9]+[)]!substr(3)!' \
 	-e 's!config[.]jitsimeet_url!url.host!' \
 	-e 's!(window[.]location[.]href)[[:space:]]*=[[:space:]]*"/"!\1 = "/i/"!' \
 	/opt/jsi/static/jsi.js
 # Patch the sample index.html, so it loads external_api.js from same host
 #   and to easen up on the branding
 #   and to enable browser cache
 sed -i.tmp -E \
 	-e "s!src=[^>]*(/external_api.js).!src='\1'!" \
 	-e "s!<h1>[^<]*</h1>!<h1>Jitsi Meetings with interpreter</h1>!" \
 	-e "s!https://meet.mayfirst.org!/!" \
 	-e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \
 	/opt/jsi/static/index.html.sample
 EOF
-)"
+
 			export require="__runit_service/prometheus-jitsi-meet-exporter"
 			JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter"
 		;;
 		systemd)
 			__systemd_unit prometheus-jitsi-meet-exporter.service \
 				--source "-" \
 				--enablement-state "enabled" <<EOF
 [Unit]
 Description=Metrics Exporter for Jitsi Meet
 After=network.target
 [Service]
 Type=simple
 DynamicUser=yes
 ExecStart=/usr/local/bin/prometheus-jitsi-meet-exporter -videobridge-url 'http://localhost:8888/stats' -web.listen-address ':9888'
 Restart=always
 [Install]
 WantedBy=multi-user.target
 EOF
 			export require="__systemd_unit/prometheus-jitsi-meet-exporter.service"
 			JITSI_MEET_EXPORTER_SERVICE="service prometheus-jitsi-meet-exporter %s"
 		;;
 	esac
 	if [ "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" != \
 		"${PROMETHEUS_JITSI_EXPORTER_IS_VERSION}" ]; then
 		# shellcheck disable=SC2059
 		__download \
 			/tmp/prometheus-jitsi-meet-exporter \
 			--url "${PROMETHEUS_JITSI_EXPORTER_URL}" \
 			--download remote \
 			--sum "${PROMETHEUS_JITSI_EXPORTER_CHECKSUM}" \
 			--onchange "$(printf "${JITSI_MEET_EXPORTER_SERVICE}" "stop") || true; chmod 555 /tmp/prometheus-jitsi-meet-exporter && mv /tmp/prometheus-jitsi-meet-exporter /usr/local/bin/prometheus-jitsi-meet-exporter && $(printf "${JITSI_MEET_EXPORTER_SERVICE}" "restart")"
 		printf "%s" "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" | \
 			require="${require} __download/tmp/prometheus-jitsi-meet-exporter" __file \
 			"${PROMETHEUS_JITSI_EXPORTER_VERSION_FILE}" \
 			--source "-"
 	fi
 fi
 # TODO: disable the exporter if it is deployed and then admin changes their mind
--- a/type/__jitsi_meet/parameter/default/abort-conference-count
+++ b/type/__jitsi_meet/parameter/default/abort-conference-count
--- a/type/__jitsi_meet/parameter/default/jitsi-version
+++ b/type/__jitsi_meet/parameter/default/jitsi-version
@ -0,0 +1 @@
 2.0.5765-1
--- a/type/__jitsi_meet/parameter/deprecated/jitsi-version
+++ b/type/__jitsi_meet/parameter/deprecated/jitsi-version
@ -1,4 +0,0 @@
 Supporting different versions lead to strange issues in the life-time of a
 Jitsi instance. Chiefly: difficulties upgrading.
 If you are specifying this for a valid reason, please get in touch.
--- a/type/__jitsi_meet/parameter/optional
+++ b/type/__jitsi_meet/parameter/optional
@ -1,4 +1,3 @@
 abort-conference-count
 jitsi-version
 turn-secret
 turn-server
--- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
+++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
@ -1,35 +0,0 @@
 #!/bin/sh -eu
 # This is a helper to update the '.sh.orig' files for jitsi's
 # configuration files.
 # Then the changes must be propagated to their corresponding .sh
 # files by the type maintainer or a contributor
 # We could automate this, but are using it as an indicator for the
 # latest branch with which we conciliated changes.
 BRANCH="jitsi-meet_9457"
 REPO="https://github.com/jitsi/jitsi-meet"
 get_url() {
 	file="${1}"
 	printf "%s/raw/stable/%s/%s" "${REPO}" "${BRANCH}" "${file}"
 }
 download_file() {
 	file="${1}"
 	destination="${2:-${file}.sh.orig}"
 	url="$(get_url "${file}")"
 	echo "Downloading ${destination}"
 	curl -L "${url}" > "${destination}"
 	echo
 }
 download_file config.js
 download_file interface_config.js
 download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
 download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
 # Change the version file, maintainers should check that it matches
 # the deb version
 printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
--- a/type/__jitsi_meet_domain/files/config.js.sh.orig
+++ b/type/__jitsi_meet_domain/files/config.js.sh.orig
--- a/type/__jitsi_meet_domain/files/interface_config.js.sh
+++ b/type/__jitsi_meet_domain/files/interface_config.js.sh
@ -20,7 +20,7 @@ JITSI_INTERFACE_CONFIG_JS="$(cat <<EOF
 */
 var interfaceConfig = {
-    APP_NAME: '${BRANDING_APP_NAME}',
+    APP_NAME: 'Jitsi Meet',
    AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
    AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
@ -36,12 +36,42 @@ var interfaceConfig = {
    BRAND_WATERMARK_LINK: '',
    CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
    /**
     * Whether the connection indicator icon should hide itself based on
     * connection strength. If true, the connection indicator will remain
     * displayed while the participant has a weak connection and will hide
     * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
     * strong.
     *
     * @type {boolean}
     */
    CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
-    DEFAULT_BACKGROUND: '#040404',
+    /**
     * How long the connection indicator should remain displayed before hiding.
     * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
     *
     * @type {number}
     */
    CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
    /**
     * If true, hides the connection indicators completely.
     *
     * @type {boolean}
     */
    CONNECTION_INDICATOR_DISABLED: false,
    DEFAULT_BACKGROUND: '#474747',
    DEFAULT_LOCAL_DISPLAY_NAME: 'me',
    DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
    DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
    DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
    DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
    DISABLE_FOCUS_INDICATOR: false,
    /**
     * If true, notifications regarding joining/leaving are no longer displayed.
     */
@ -81,21 +111,27 @@ var interfaceConfig = {
    ENABLE_DIAL_OUT: true,
-    // DEPRECATED. Animation no longer supported.
+    ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
    // ENABLE_FEEDBACK_ANIMATION: false,
    FILM_STRIP_MAX_HEIGHT: 120,
    GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
    /**
     * Hide the logo on the deep linking pages.
     */
    HIDE_DEEP_LINKING_LOGO: false,
    /**
     * Hide the invite prompt in the header when alone in the meeting.
     */
    HIDE_INVITE_MORE_HEADER: false,
    INITIAL_TOOLBAR_TIMEOUT: 20000,
    JITSI_WATERMARK_LINK: 'https://jitsi.org',
    LANG_DETECTION: true, // Allow i18n to detect the system language
    LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
    LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
    /**
@ -115,11 +151,28 @@ var interfaceConfig = {
     */
    MOBILE_APP_PROMO: true,
    /**
     * Specify custom URL for downloading android mobile app.
     */
    MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
    /**
     * Specify custom URL for downloading f droid app.
     */
    MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
    /**
     * Specify URL for downloading ios mobile app.
     */
    MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
    NATIVE_APP_NAME: 'Jitsi Meet',
    // Names of browsers which should show a warning stating the current browser
    // has a suboptimal experience. Browsers which are not listed as optimal or
    // unsupported are considered suboptimal. Valid values are:
-    // chrome, chromium, electron, firefox , safari, webkit
+    // chrome, chromium, edge, electron, firefox, nwjs, opera, safari
-    OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ],
+    OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
    POLICY_LOGO: null,
    PROVIDER_NAME: 'Jitsi',
@ -132,7 +185,7 @@ var interfaceConfig = {
    RECENT_LIST_ENABLED: true,
    REMOTE_THUMBNAIL_RATIO: 1, // 1:1
-    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
    /**
     * Specify which sharing features should be displayed. If the value is not set
@ -143,12 +196,13 @@ var interfaceConfig = {
    SHOW_BRAND_WATERMARK: false,
    /**
-     * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
+    * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
-     * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
+    * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
-     * being already installed is done before rendering.
+    * being already installed is done before rendering.
-     */
+    */
    SHOW_CHROME_EXTENSION_BANNER: false,
    SHOW_DEEP_LINKING_IMAGE: false,
    SHOW_JITSI_WATERMARK: true,
    SHOW_POWERED_BY: false,
    SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@ -159,6 +213,16 @@ var interfaceConfig = {
     */
    SUPPORT_URL: 'https://community.jitsi.org/',
    TOOLBAR_ALWAYS_VISIBLE: false,
    /**
     * DEPRECATED!
     * This config was moved to config.js as \`toolbarButtons\`.
     */
    // TOOLBAR_BUTTONS: [],
    TOOLBAR_TIMEOUT: 4000,
    // Browsers, in addition to those which do not fully support WebRTC, that
    // are not supported and should show the unsupported browser page.
    UNSUPPORTED_BROWSERS: [],
@ -189,31 +253,6 @@ var interfaceConfig = {
     */
    // TILE_VIEW_MAX_COLUMNS: 5,
    // List of undocumented settings
    /**
     INDICATOR_FONT_SIZES
     PHONE_NUMBER_REGEX
    */
    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
    /**
     * Specify URL for downloading ios mobile app.
     */
    // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
    /**
     * Specify custom URL for downloading android mobile app.
     */
    // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
    /**
     * Specify mobile app scheme for opening the app from the mobile browser.
     */
    // APP_SCHEME: 'org.jitsi.meet',
    // NATIVE_APP_NAME: 'Jitsi Meet',
    /**
     * Specify Firebase dynamic link properties for the mobile apps.
     */
@ -226,9 +265,9 @@ var interfaceConfig = {
    // },
    /**
-     * Hide the logo on the deep linking pages.
+     * Specify mobile app scheme for opening the app from the mobile browser.
     */
-    // HIDE_DEEP_LINKING_LOGO: false,
+    // APP_SCHEME: 'org.jitsi.meet',
    /**
     * Specify the Android app package name.
@ -236,42 +275,17 @@ var interfaceConfig = {
    // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
    /**
-     * Specify custom URL for downloading f droid app.
+     * Override the behavior of some notifications to remain displayed until
     * explicitly dismissed through a user action. The value is how long, in
     * milliseconds, those notifications should remain displayed.
     */
-    // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
+    // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
-    // Connection indicators (
+    // List of undocumented settings
-    // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
+    /**
-    // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
+     INDICATOR_FONT_SIZES
-    // CONNECTION_INDICATOR_DISABLED) got moved to config.js.
+     PHONE_NUMBER_REGEX
-
+    */
    // Please use disableModeratorIndicator from config.js
    // DISABLE_FOCUS_INDICATOR: false,
    // Please use defaultLocalDisplayName from config.js
    // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
    // Please use defaultLogoUrl from config.js
    DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
    // Please use defaultRemoteDisplayName from config.js
    // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
    // Moved to config.js as \`toolbarConfig.initialTimeout\`.
    // INITIAL_TOOLBAR_TIMEOUT: 20000,
    // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
    // Documentation reference for the live streaming feature.
    // LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
    // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
    // TOOLBAR_ALWAYS_VISIBLE: false,
    // This config was moved to config.js as \`toolbarButtons\`.
    // TOOLBAR_BUTTONS: [],
    // Moved to config.js as \`toolbarConfig.timeout\`.
    // TOOLBAR_TIMEOUT: 4000,
    // Allow all above example options to include a trailing comma and
    // prevent fear when commenting out the last value.
--- a/type/__jitsi_meet_domain/files/interface_config.js.sh.orig
+++ b/type/__jitsi_meet_domain/files/interface_config.js.sh.orig
@ -25,12 +25,42 @@ var interfaceConfig = {
    BRAND_WATERMARK_LINK: '',
    CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
    /**
     * Whether the connection indicator icon should hide itself based on
     * connection strength. If true, the connection indicator will remain
     * displayed while the participant has a weak connection and will hide
     * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
     * strong.
     *
     * @type {boolean}
     */
    CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
-    DEFAULT_BACKGROUND: '#040404',
+    /**
     * How long the connection indicator should remain displayed before hiding.
     * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
     *
     * @type {number}
     */
    CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
    /**
     * If true, hides the connection indicators completely.
     *
     * @type {boolean}
     */
    CONNECTION_INDICATOR_DISABLED: false,
    DEFAULT_BACKGROUND: '#474747',
    DEFAULT_LOCAL_DISPLAY_NAME: 'me',
    DEFAULT_LOGO_URL: 'images/watermark.svg',
    DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
    DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
    DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
    DISABLE_FOCUS_INDICATOR: false,
    /**
     * If true, notifications regarding joining/leaving are no longer displayed.
     */
@ -70,21 +100,27 @@ var interfaceConfig = {
    ENABLE_DIAL_OUT: true,
-    // DEPRECATED. Animation no longer supported.
+    ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
    // ENABLE_FEEDBACK_ANIMATION: false,
    FILM_STRIP_MAX_HEIGHT: 120,
    GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
    /**
     * Hide the logo on the deep linking pages.
     */
    HIDE_DEEP_LINKING_LOGO: false,
    /**
     * Hide the invite prompt in the header when alone in the meeting.
     */
    HIDE_INVITE_MORE_HEADER: false,
    INITIAL_TOOLBAR_TIMEOUT: 20000,
    JITSI_WATERMARK_LINK: 'https://jitsi.org',
    LANG_DETECTION: true, // Allow i18n to detect the system language
    LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
    LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
    /**
@ -104,11 +140,28 @@ var interfaceConfig = {
     */
    MOBILE_APP_PROMO: true,
    /**
     * Specify custom URL for downloading android mobile app.
     */
    MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
    /**
     * Specify custom URL for downloading f droid app.
     */
    MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
    /**
     * Specify URL for downloading ios mobile app.
     */
    MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
    NATIVE_APP_NAME: 'Jitsi Meet',
    // Names of browsers which should show a warning stating the current browser
    // has a suboptimal experience. Browsers which are not listed as optimal or
    // unsupported are considered suboptimal. Valid values are:
-    // chrome, chromium, electron, firefox , safari, webkit
+    // chrome, chromium, edge, electron, firefox, nwjs, opera, safari
-    OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ],
+    OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
    POLICY_LOGO: null,
    PROVIDER_NAME: 'Jitsi',
@ -121,7 +174,7 @@ var interfaceConfig = {
    RECENT_LIST_ENABLED: true,
    REMOTE_THUMBNAIL_RATIO: 1, // 1:1
-    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
    /**
     * Specify which sharing features should be displayed. If the value is not set
@ -132,12 +185,13 @@ var interfaceConfig = {
    SHOW_BRAND_WATERMARK: false,
    /**
-     * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
+    * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
-     * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
+    * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
-     * being already installed is done before rendering.
+    * being already installed is done before rendering.
-     */
+    */
    SHOW_CHROME_EXTENSION_BANNER: false,
    SHOW_DEEP_LINKING_IMAGE: false,
    SHOW_JITSI_WATERMARK: true,
    SHOW_POWERED_BY: false,
    SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@ -148,6 +202,16 @@ var interfaceConfig = {
     */
    SUPPORT_URL: 'https://community.jitsi.org/',
    TOOLBAR_ALWAYS_VISIBLE: false,
    /**
     * DEPRECATED!
     * This config was moved to config.js as `toolbarButtons`.
     */
    // TOOLBAR_BUTTONS: [],
    TOOLBAR_TIMEOUT: 4000,
    // Browsers, in addition to those which do not fully support WebRTC, that
    // are not supported and should show the unsupported browser page.
    UNSUPPORTED_BROWSERS: [],
@ -178,31 +242,6 @@ var interfaceConfig = {
     */
    // TILE_VIEW_MAX_COLUMNS: 5,
    // List of undocumented settings
    /**
     INDICATOR_FONT_SIZES
     PHONE_NUMBER_REGEX
    */
    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
    /**
     * Specify URL for downloading ios mobile app.
     */
    // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
    /**
     * Specify custom URL for downloading android mobile app.
     */
    // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
    /**
     * Specify mobile app scheme for opening the app from the mobile browser.
     */
    // APP_SCHEME: 'org.jitsi.meet',
    // NATIVE_APP_NAME: 'Jitsi Meet',
    /**
     * Specify Firebase dynamic link properties for the mobile apps.
     */
@ -215,9 +254,9 @@ var interfaceConfig = {
    // },
    /**
-     * Hide the logo on the deep linking pages.
+     * Specify mobile app scheme for opening the app from the mobile browser.
     */
-    // HIDE_DEEP_LINKING_LOGO: false,
+    // APP_SCHEME: 'org.jitsi.meet',
    /**
     * Specify the Android app package name.
@ -225,42 +264,17 @@ var interfaceConfig = {
    // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
    /**
-     * Specify custom URL for downloading f droid app.
+     * Override the behavior of some notifications to remain displayed until
     * explicitly dismissed through a user action. The value is how long, in
     * milliseconds, those notifications should remain displayed.
     */
-    // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
+    // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
-    // Connection indicators (
+    // List of undocumented settings
-    // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
+    /**
-    // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
+     INDICATOR_FONT_SIZES
-    // CONNECTION_INDICATOR_DISABLED) got moved to config.js.
+     PHONE_NUMBER_REGEX
-
+    */
    // Please use disableModeratorIndicator from config.js
    // DISABLE_FOCUS_INDICATOR: false,
    // Please use defaultLocalDisplayName from config.js
    // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
    // Please use defaultLogoUrl from config.js
    // DEFAULT_LOGO_URL: 'images/watermark.svg',
    // Please use defaultRemoteDisplayName from config.js
    // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
    // Moved to config.js as `toolbarConfig.initialTimeout`.
    // INITIAL_TOOLBAR_TIMEOUT: 20000,
    // Please use `liveStreaming.helpLink` from config.js
    // Documentation reference for the live streaming feature.
    // LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
    // Moved to config.js as `toolbarConfig.alwaysVisible`.
    // TOOLBAR_ALWAYS_VISIBLE: false,
    // This config was moved to config.js as `toolbarButtons`.
    // TOOLBAR_BUTTONS: [],
    // Moved to config.js as `toolbarConfig.timeout`.
    // TOOLBAR_TIMEOUT: 4000,
    // Allow all above example options to include a trailing comma and
    // prevent fear when commenting out the last value.
--- a/type/__jitsi_meet_domain/files/jitsi-version
+++ b/type/__jitsi_meet_domain/files/jitsi-version
@ -1 +0,0 @@
 2.0.9457-1
--- a/type/__jitsi_meet_domain/files/nginx.sh
+++ b/type/__jitsi_meet_domain/files/nginx.sh
@ -2,42 +2,6 @@
 # shellcheck disable=SC2034  # This is intended to be included
 JITSI_NGINX_CONFIG="$(cat <<EOF
 # Jitsi uses following lines by default, in our cdist types they must be commented
 # out as we already set it with __jitsi_meet in the default server config.
 #server_names_hash_bucket_size 64;
 #
 #types {
 ## nginx's default mime.types doesn't include a mapping for wasm or wav.
 #    application/wasm     wasm;
 #    audio/wav            wav;
 #}
 # These upstreams are managed by __jitsi_meet
 #upstream jicofo {
 #    zone upstreams 64K;
 #    server 127.0.0.1:8888;
 #    keepalive 2;
 #}
 #upstream prosody {
 #    zone upstreams 64K;
 #    server 127.0.0.1:5280;
 #    keepalive 2;
 #}
 #upstream jvb1 {
 #    zone upstreams 64K;
 #    server 127.0.0.1:9090;
 #    keepalive 2;
 #}
 #map \$arg_vnode \$prosody_node {
 #    default prosody;
 #    v1 v1;
 #    v2 v2;
 #    v3 v3;
 #    v4 v4;
 #    v5 v5;
 #    v6 v6;
 #    v7 v7;
 #    v8 v8;
 #}
 server {
    listen 80;
    listen [::]:80;
@ -46,17 +10,17 @@ server {
    include snippets/acme-challenge.conf;
    location / {
-        return 301 https://\$host\$request_uri;
+       return 301 https://\$host\$request_uri;
    }
 }
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
    server_name ${DOMAIN};
    include snippets/acme-challenge.conf;
-    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
@ -66,11 +30,6 @@ server {
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    set \$prefix "";
    # Try the custom page for this domain, fallback to default page
    set \$custom_index "index-${DOMAIN}.html";
    # We expect this domain to be properly configured, the file should exist
    set \$config_js_location "/etc/jitsi/meet/${DOMAIN}-config.js";
    ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
@ -82,7 +41,7 @@ server {
    ssi_types application/x-javascript application/javascript;
    # Try the custom page for this domain, fallback to default page
-    index \$custom_index index.html index.htm;
+    index index-${DOMAIN}.html index.html index.htm;
    error_page 404 /static/404.html;
    gzip on;
@ -91,10 +50,9 @@ server {
    gzip_proxied no-cache no-store private expired auth;
    gzip_min_length 512;
-    # include /etc/jitsi/meet/jaas/*.conf;
+    # We expect this domain to be properly configured, the file should exist
    location = /config.js {
-        alias \$config_js_location;
+        alias /etc/jitsi/meet/${DOMAIN}-config.js;
    }
    # We expect this domain to be properly configured, the file should exist
    location = /interface_config.js {
@ -113,120 +71,70 @@ server {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }
-    location = /_api/room-info {
+    #ensure all static content can always be found first
-        proxy_pass http://prosody/room-info?prefix=\$prefix&\$args;
+    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header Host \$http_host;
    }
    location ~ ^/_api/public/(.*)\$ {
        autoindex off;
        alias /etc/jitsi/meet/public/\$1;
    }
    # ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)\$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/\$1/\$2;
        # cache all versioned files
        if (\$arg_v) {
-            expires 1y;
+          expires 1y;
        }
    }
    # Paths for jsi / interpreters
    location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /opt/jsi/static/\$1;
        # cache all versioned files
        if (\$arg_v) {
            expires 1y;
        }
    }
    location ~ ^/i/
    {
        try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;
    }
    # BOSH
    location = /http-bind {
-        proxy_pass http://prosody/http-bind?prefix=\$prefix&\$args;
+        proxy_pass      http://localhost:5280/http-bind;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For \$remote_addr;
 	# Prevision for 'multi-domain' jitsi instances
 	# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
-        proxy_set_header Host ${DOMAIN};
+        proxy_set_header Host ${JITSI_HOST};
        proxy_set_header Connection "";
    }
    # xmpp websockets
    location = /xmpp-websocket {
-        proxy_pass http://prosody/xmpp-websocket?prefix=\$prefix&\$args;
+        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
 	# Prevision for 'multi-domain' jitsi instances
 	# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
-        proxy_set_header Host ${DOMAIN};
+        proxy_set_header Host ${JITSI_HOST};
        tcp_nodelay on;
    }
    # colibri (JVB) websockets for jvb1
    location ~ ^/colibri-ws/default-id/(.*) {
-        proxy_pass http://jvb1/colibri-ws/default-id/\$1\$is_args\$args;
+       proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args;
-        proxy_http_version 1.1;
+       proxy_http_version 1.1;
-        proxy_set_header Upgrade \$http_upgrade;
+       proxy_set_header Upgrade \$http_upgrade;
-        proxy_set_header Connection "upgrade";
+       proxy_set_header Connection "upgrade";
-        tcp_nodelay on;
+       tcp_nodelay on;
    }
    # load test minimal client, uncomment when used
    #location ~ ^/_load-test/([^/?&:'"]+)\$ {
    #    rewrite ^/_load-test/(.*)\$ /load-test/index.html break;
    #}
    #location ~ ^/_load-test/libs/(.*)\$ {
    #    add_header 'Access-Control-Allow-Origin' '*';
    #    alias /usr/share/jitsi-meet/load-test/libs/\$1;
    #}
    location ~ ^/conference-request/v1([/].*)?\$ {
        proxy_pass http://jicofo/conference-request/v1\$1;
        add_header "Cache-Control" "no-cache, no-store";
        add_header 'Access-Control-Allow-Origin' '*';
    }
    location ~ ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ {
        rewrite ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ /conference-request/v1\$2;
    }
    location ~ ^/([^/?&:'"]+)\$ {
        set \$roomname "\$1";
        try_files \$uri @root_path;
    }
    location @root_path {
        # rewrite ^/(.*)\$ /\$custom_index break;
        rewrite ^/(.*)\$ / break;
    }
    location ~ ^/([^/?&:'"]+)/config.js\$
    {
-        set \$subdomain "\$1.";
+       set \$subdomain "\$1.";
-        set \$subdir "\$1/";
+       set \$subdir "\$1/";
-        alias \$config_js_location;
+       alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
    }
-    ## Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
+    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
-    #location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ {
+    location ~ ^/([^/?&:'"]+)/(.*)\$ {
-    #    set \$subdomain "\$1.";
+        set \$subdomain "\$1.";
-    #    set \$subdir "\$1/";
+        set \$subdir "\$1/";
-    #    rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ /\$2;
+        rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
-    #}
+    }
    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
@ -245,21 +153,6 @@ server {
        rewrite ^/(.*)\$ /xmpp-websocket;
    }
    location ~ ^/([^/?&:'"]+)/_api/room-info {
        set \$subdomain "\$1.";
        set \$subdir "\$1/";
        set \$prefix "\$1";
        rewrite ^/(.*)\$ /_api/room-info;
    }
    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)\$ {
        set \$subdomain "\$1.";
        set \$subdir "\$1/";
        rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
    }
 }
 EOF
 )"
--- a/type/__jitsi_meet_domain/files/nginx.sh.orig
+++ b/type/__jitsi_meet_domain/files/nginx.sh.orig
@ -1,53 +1,27 @@
 server_names_hash_bucket_size 64;
 types {
 # nginx's default mime.types doesn't include a mapping for wasm or wav.
    application/wasm     wasm;
    audio/wav            wav;
 }
 upstream prosody {
    zone upstreams 64K;
    server 127.0.0.1:5280;
    keepalive 2;
 }
 upstream jvb1 {
    zone upstreams 64K;
    server 127.0.0.1:9090;
    keepalive 2;
 }
 map $arg_vnode $prosody_node {
    default prosody;
    v1 v1;
    v2 v2;
    v3 v3;
    v4 v4;
    v5 v5;
    v6 v6;
    v7 v7;
    v8 v8;
 }
 server {
    listen 80;
    listen [::]:80;
    server_name jitsi-meet.example.com;
    location ^~ /.well-known/acme-challenge/ {
-        default_type "text/plain";
+       default_type "text/plain";
-        root         /usr/share/jitsi-meet;
+       root         /usr/share/jitsi-meet;
    }
    location = /.well-known/acme-challenge/ {
-        return 404;
+       return 404;
    }
    location / {
-        return 301 https://$host$request_uri;
+       return 301 https://$host$request_uri;
    }
 }
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
    server_name jitsi-meet.example.com;
-    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
@ -57,9 +31,6 @@ server {
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    set $prefix "";
    set $custom_index "";
    set $config_js_location /etc/jitsi/meet/jitsi-meet.example.com-config.js;
    ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
    ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
@ -79,52 +50,36 @@ server {
    gzip_proxied no-cache no-store private expired auth;
    gzip_min_length 512;
    include /etc/jitsi/meet/jaas/*.conf;
    location = /config.js {
-        alias $config_js_location;
+        alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
    }
    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }
-    location = /_api/room-info {
+    #ensure all static content can always be found first
-        proxy_pass http://prosody/room-info?prefix=$prefix&$args;
+    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }
    location ~ ^/_api/public/(.*)$ {
        autoindex off;
        alias /etc/jitsi/meet/public/$1;
    }
    # ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;
        # cache all versioned files
        if ($arg_v) {
-            expires 1y;
+          expires 1y;
        }
    }
    # BOSH
    location = /http-bind {
-        proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args;
+        proxy_pass      http://localhost:5280/http-bind;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header Connection "";
    }
    # xmpp websockets
    location = /xmpp-websocket {
-        proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args;
+        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
@ -134,53 +89,34 @@ server {
    # colibri (JVB) websockets for jvb1
    location ~ ^/colibri-ws/default-id/(.*) {
-        proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
+       proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
-        proxy_http_version 1.1;
+       proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
+       proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
+       proxy_set_header Connection "upgrade";
-        tcp_nodelay on;
+       tcp_nodelay on;
    }
    # load test minimal client, uncomment when used
    #location ~ ^/_load-test/([^/?&:'"]+)$ {
    #    rewrite ^/_load-test/(.*)$ /load-test/index.html break;
    #}
    #location ~ ^/_load-test/libs/(.*)$ {
    #    add_header 'Access-Control-Allow-Origin' '*';
    #    alias /usr/share/jitsi-meet/load-test/libs/$1;
    #}
    location ~ ^/conference-request/v1(\/.*)?$ {
        proxy_pass http://127.0.0.1:8888/conference-request/v1$1;
        add_header "Cache-Control" "no-cache, no-store";
        add_header 'Access-Control-Allow-Origin' '*';
    }
    location ~ ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ {
        rewrite ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ /conference-request/v1$2;
    }
    location ~ ^/([^/?&:'"]+)$ {
        set $roomname "$1";
        try_files $uri @root_path;
    }
    location @root_path {
-        rewrite ^/(.*)$ /$custom_index break;
+        rewrite ^/(.*)$ / break;
    }
    location ~ ^/([^/?&:'"]+)/config.js$
    {
-        set $subdomain "$1.";
+       set $subdomain "$1.";
-        set $subdir "$1/";
+       set $subdir "$1/";
-        alias $config_js_location;
+       alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
    }
-    # Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
+    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
-    location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
+    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
-        rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
+        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }
    # BOSH for subdomains
@ -200,19 +136,4 @@ server {
        rewrite ^/(.*)$ /xmpp-websocket;
    }
    location ~ ^/([^/?&:'"]+)/_api/room-info {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";
        rewrite ^/(.*)$ /_api/room-info;
    }
    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }
 }
--- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
@ -1,223 +0,0 @@
 #!/bin/sh -eu
 # Source:
 # https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
 FOCUS_USER="focus"
 JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
 # PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
 PROSODY_SECUREDOMAIN_START="--[["
 PROSODY_SECUREDOMAIN_END="--]]"
 if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
 	PROSODY_MAIN_START=""
 	PROSODY_MAIN_END=""
 	PROSODY_DOMAIN_START="--[["
 	PROSODY_DOMAIN_END="--]]"
 else
 	PROSODY_MAIN_START="--[["
 	PROSODY_MAIN_END="--]]"
 	PROSODY_DOMAIN_START=""
 	PROSODY_DOMAIN_END=""
 	if [ -n "${SECURED_DOMAINS}" ]; then
 		PROSODY_SECUREDOMAIN_START=""
 		PROSODY_SECUREDOMAIN_END=""
 	fi
 fi
 # Websockets haven't been fully tested in this type and don't work reliably
 PROSODY_WEBSOCKET="-- "
 # shellcheck disable=SC2034  # This is intended to be included
 PROSODY_CONFIG="$(cat <<EOFPROSODY
 -- Managed remotely, changes will be lost
 ${PROSODY_MAIN_START}
 -- This will be managed by __jitsi_meet
 plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
 -- domain mapper options, must at least have domain base set to use the mapper
 muc_mapper_domain_base = "${JITSI_HOST:?}";
 external_service_secret = "${TURN_SECRET:-TurnSecret}";
 external_services = {
     { type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
     { type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
 };
 cross_domain_bosh = false;
 consider_bosh_secure = true;
 -- Use websockets
 -- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
 ${PROSODY_WEBSOCKET}consider_websocket_secure = true;
 -- https_ports = { }; -- Remove this line to prevent listening on port 5284
 -- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
 --http_cors_override = {
 --    bosh = {
 --        enabled = false;
 --    };
 --    websocket = {
 --        enabled = false;
 --    };
 --}
 -- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
 ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 }
 unlimited_jids = {
    "${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
    "jvb@auth.${JITSI_HOST:?}"
 }
 ${PROSODY_MAIN_END}
 ${PROSODY_DOMAIN_START}
 -- This will be managed by __jitsi_meet_domain
 VirtualHost "${JITSI_DOMAIN:?}"
    authentication = "jitsi-anonymous" -- do not delete me
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
        certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
    }
    av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
    speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
    end_conference_component = "endconference.${JITSI_DOMAIN:?}"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "end_conference";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
        "room_metadata";
 ${PROSODY_WEBSOCKET}        "websocket";
 ${PROSODY_WEBSOCKET}        "smacks";
    }
    smacks_max_unacked_stanzas = 5;
    smacks_hibernation_time = 60;
    smacks_max_hibernated_sessions = 1;
    smacks_max_old_sessions = 1;
    c2s_require_encryption = false
    lobby_muc = "lobby.${JITSI_DOMAIN:?}"
    breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
    room_metadata_component = "metadata.${JITSI_DOMAIN:?}"
    main_muc = "conference.${JITSI_DOMAIN:?}"
    -- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
 Component "conference.${JITSI_DOMAIN:?}" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_hide_all";
        "muc_meeting_id";
        "muc_domain_mapper";
        "polls";
        --"token_verification";
        "muc_rate_limit";
        "muc_password_whitelist";
    }
    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
    muc_password_whitelist = {
        "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
    }
    muc_room_locking = false
    muc_room_default_public_jids = true
 Component "breakout.${JITSI_DOMAIN:?}" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_hide_all";
        "muc_meeting_id";
        "muc_domain_mapper";
        "muc_rate_limit";
        "polls";
    }
    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
    muc_room_locking = false
    muc_room_default_public_jids = true
 -- internal muc component
 Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_hide_all";
        "ping";
    }
    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
    muc_room_locking = false
    muc_room_default_public_jids = true
    -- https://prosody.im/doc/modules/mod_muc
    muc_room_cache_size = 1000
 ${PROSODY_DOMAIN_END}
 ${PROSODY_MAIN_START}
 -- This will be managed by __jitsi_meet
 VirtualHost "auth.${JITSI_DOMAIN:?}"
    ssl = {
       key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
       certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
    }
    modules_enabled = {
        "limits_exception";
    }
    authentication = "internal_hashed"
 ${PROSODY_MAIN_END}
 ${PROSODY_DOMAIN_START}
 -- This will be managed by __jitsi_meet_domain
 -- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
 Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
    -- Single focus user for the whole instance
    target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
 Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
    muc_component = "conference.${JITSI_DOMAIN:?}"
 Component "endconference.${JITSI_DOMAIN:?}" "end_conference"
    muc_component = "conference.${JITSI_DOMAIN:?}"
 Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
    muc_component = "conference.${JITSI_DOMAIN:?}"
 Component "lobby.${JITSI_DOMAIN:?}" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
    modules_enabled = {
        "muc_hide_all";
        "muc_rate_limit";
        "polls";
    }
 Component "metadata.${JITSI_DOMAIN:?}" "room_metadata_component"
    muc_component = "conference.${JITSI_DOMAIN:?}"
    breakout_rooms_component = "breakout.${JITSI_DOMAIN:?}"
 ${PROSODY_DOMAIN_END}
 ${PROSODY_SECUREDOMAIN_START}
 -- Only used on secured domains
 VirtualHost "${JITSI_DOMAIN}"
    authentication = "internal_plain"
 VirtualHost "guest.${JITSI_DOMAIN}"
    authentication = "anonymous"
    c2s_require_encryption = false
 ${PROSODY_SECUREDOMAIN_END}
 EOFPROSODY
 )"
--- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
@ -1,151 +0,0 @@
 plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
 -- domain mapper options, must at least have domain base set to use the mapper
 muc_mapper_domain_base = "jitmeet.example.com";
 external_service_secret = "__turnSecret__";
 external_services = {
     { type = "stun", host = "jitmeet.example.com", port = 3478 },
     { type = "turn", host = "jitmeet.example.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "jitmeet.example.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
 };
 cross_domain_bosh = false;
 consider_bosh_secure = true;
 -- https_ports = { }; -- Remove this line to prevent listening on port 5284
 -- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
 --http_cors_override = {
 --    bosh = {
 --        enabled = false;
 --    };
 --    websocket = {
 --        enabled = false;
 --    };
 --}
 -- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
 ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 }
 unlimited_jids = {
    "focusUser@auth.jitmeet.example.com",
    "jvb@auth.jitmeet.example.com"
 }
 VirtualHost "jitmeet.example.com"
    authentication = "jitsi-anonymous" -- do not delete me
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/jitmeet.example.com.key";
        certificate = "/etc/prosody/certs/jitmeet.example.com.crt";
    }
    av_moderation_component = "avmoderation.jitmeet.example.com"
    speakerstats_component = "speakerstats.jitmeet.example.com"
    end_conference_component = "endconference.jitmeet.example.com"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "end_conference";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
        "room_metadata";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.jitmeet.example.com"
    breakout_rooms_muc = "breakout.jitmeet.example.com"
    room_metadata_component = "metadata.jitmeet.example.com"
    main_muc = "conference.jitmeet.example.com"
    -- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
 Component "conference.jitmeet.example.com" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_hide_all";
        "muc_meeting_id";
        "muc_domain_mapper";
        "polls";
        --"token_verification";
        "muc_rate_limit";
        "muc_password_whitelist";
    }
    admins = { "focusUser@auth.jitmeet.example.com" }
    muc_password_whitelist = {
        "focusUser@auth.jitmeet.example.com"
    }
    muc_room_locking = false
    muc_room_default_public_jids = true
 Component "breakout.jitmeet.example.com" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_hide_all";
        "muc_meeting_id";
        "muc_domain_mapper";
        "muc_rate_limit";
        "polls";
    }
    admins = { "focusUser@auth.jitmeet.example.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true
 -- internal muc component
 Component "internal.auth.jitmeet.example.com" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_hide_all";
        "ping";
    }
    admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true
 VirtualHost "auth.jitmeet.example.com"
    modules_enabled = {
        "limits_exception";
    }
    authentication = "internal_hashed"
 -- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
 Component "focus.jitmeet.example.com" "client_proxy"
    target_address = "focusUser@auth.jitmeet.example.com"
 Component "speakerstats.jitmeet.example.com" "speakerstats_component"
    muc_component = "conference.jitmeet.example.com"
 Component "endconference.jitmeet.example.com" "end_conference"
    muc_component = "conference.jitmeet.example.com"
 Component "avmoderation.jitmeet.example.com" "av_moderation_component"
    muc_component = "conference.jitmeet.example.com"
 Component "lobby.jitmeet.example.com" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
    modules_enabled = {
        "muc_hide_all";
        "muc_rate_limit";
        "polls";
    }
 Component "metadata.jitmeet.example.com" "room_metadata_component"
    muc_component = "conference.jitmeet.example.com"
    breakout_rooms_component = "breakout.jitmeet.example.com"
--- a/type/__jitsi_meet_domain/man.rst
+++ b/type/__jitsi_meet_domain/man.rst
@ -11,24 +11,14 @@ DESCRIPTION
 -----------
 This type installs and configures the frontend for Jitsi-Meet.
-Additionally to regular Jitsi-Meet, users can load `DOMAIN/i/` and
+This supports "multi-domain" installations, notice that in such a setup, all
-`DOMAIN/i/ROOM` for an interpreter-enabled interface; this is done with a
+rooms are shared across the different URLs, e.g.
 patched version of Jitsi Simultaneous Interpretation (jsi; see references).
 At least a user with `interpreter` in their name must be present.
 This type supports "multi-domain" installations.
 New in April 2022: rooms are independent for each domain, that is:
 https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
-different rooms.
+equivalent.
 Note however, that right now if using secured domains, users are still shared
 across any domains hosted in the same instance.
 One way to work around that could be to run multiple jicofos, but we do not
 want to bloat the servers.
 A better way is to patch jicofo, get in touch with the type authors if you want
 the gory details.
 This is due to the underlying XMPP and signaling rooms being common.
 There might be a way to perform tricks on the Nginx-side to avoid this, but
 time is lacking :-).
 This assumes `__jitsi_meet` has already been ran on the target host, and,
 amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain.
@ -51,11 +41,6 @@ admin-email
 OPTIONAL PARAMETERS
 -------------------
 analytics-settings
    This goes inside the `analytics` part of `config.js`.
    Defaults to: `disabled: true`.
    See: https://github.com/jitsi/jitsi-meet/blob/master/config.js
 channel-last-n
    Default value for the "last N" attribute.
    Defaults to 20. Set to -1 for unlimited.
@ -75,10 +60,6 @@ start-video-muted
    Defaults to 10.
 state
    Whether the domain is 'present' or 'absent', defaults to 'present'.
 turn-server
    The TURN server to be used.
    Defaults to `__target_host`.
@ -93,15 +74,6 @@ video-constraints
    It must not have a trailing comma, see `constraints` in
    `__jitsi_meet_domain/files/config.js.sh`.
 branding-app-name
    This will change `Jitsi Meet` in many places to the brand you desire.
    Defaults to `Jitsi Meet`.
 branding-extra-body
    This must be valid HTML, it will be included server-side and delivered to
    clients alongside the default `index.html`.
    This is useful if you would rather not replace the whole `index`, but
    still want the chance to do some heavier branding / add instructions / etc.
 branding-json
    Path to a JSON file that will be served as the `dynamicBrandingUrl`.
@ -109,12 +81,14 @@ branding-json
    `__jitsi_meet_domain/files/config.js.sh`.
    If not set, no branding will be set up.
 branding-index
    Path to an HTML file that will be served instead of Jitsi-Meet's default
    one.
    If not set, the default index file will be used.
    If set to `-`, the type's standard input will be used.
 branding-watermark
    Path to a png file that will be served instead of Jitsi-Meet's default
    one.
@ -169,7 +143,6 @@ SEE ALSO
 --------
 - `__jitsi_meet(7)`
 - `__jitsi_meet_user(7)`
 - Jitsi Meet Simultaneous Interpretation: https://gitlab.com/mfmt/jsi
 AUTHORS
--- a/type/__jitsi_meet_domain/manifest
+++ b/type/__jitsi_meet_domain/manifest
@ -18,12 +18,9 @@ NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")"
 START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
 TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
 VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
 ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")"
 BRANDING_APP_NAME="$(cat "${__object}/parameter/branding-app-name")"
 BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
 BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
 BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
 STATE="$(cat "${__object}/parameter/state")"
 if [ "${BRANDING_INDEX}" = "-" ]; then
 	BRANDING_INDEX="${__object}/stdin"
@ -50,31 +47,11 @@ if [ -n "${BRANDING_JSON}" ]; then
 	DYNAMIC_BRANDING_URL="/branding.json"
 fi
 case "${STATE}" in
 	present)
 		# When adding the domain, Let's Encrypt must come before nginx
 		le_require=""
 		nginx_require="__letsencrypt_cert/${DOMAIN}"
 		;;
 	absent)
 		# When removing, nginx must come before Let's Encrypt
 		le_require="__file/etc/nginx/sites-enabled/${DOMAIN}.conf"
 		nginx_require=""
 		;;
 	*)
 		cat >> /dev/stderr <<-EOM
 		Unsupported state '${STATE}', must be 'present' or 'absent'.
 		EOM
 		exit 1
 		;;
 esac
 #
 # Deal with certbot
 #
 # use object id as domain
-require="${le_require}" __letsencrypt_cert "${DOMAIN}" \
+__letsencrypt_cert "${DOMAIN}" \
 	--state "${STATE}" \
 	--admin-email "${ADMIN_EMAIL}" \
 	--deploy-hook "service nginx reload" \
 	--webroot /usr/share/jitsi-meet
@ -82,9 +59,8 @@ require="${le_require}" __letsencrypt_cert "${DOMAIN}" \
 # Create virtualhost for nginx
 # shellcheck source=type/__jitsi_meet_domain/files/nginx.sh
 . "${__type}/files/nginx.sh"  # This defines JITSI_NGINX_CONFIG
-require="${nginx_require}" __file \
+require="__letsencrypt_cert/${DOMAIN}" __file \
 	"/etc/nginx/sites-enabled/${DOMAIN}.conf" \
 	--state "${STATE}" \
 	--mode 0644 --source "-" <<EOF
 ${JITSI_NGINX_CONFIG}
 EOF
@ -93,7 +69,6 @@ EOF
 # shellcheck source=type/__jitsi_meet_domain/files/config.js.sh
 . "${__type}/files/config.js.sh"  # This defines JITSI_CONFIG_JS
 __file "/etc/jitsi/meet/${DOMAIN}-config.js" \
 	--state "${STATE}" \
 	--mode 0644 --source "-" <<EOF
 ${JITSI_CONFIG_JS}
 EOF
@ -102,7 +77,6 @@ EOF
 # shellcheck source=type/__jitsi_meet_domain/files/interface_config.js.sh
 . "${__type}/files/interface_config.js.sh"  # This defines JITSI_CONFIG_JS
 __file "/etc/jitsi/meet/${DOMAIN}-interface_config.js" \
 	--state "${STATE}" \
 	--mode 0644 --source "-" <<EOF
 ${JITSI_INTERFACE_CONFIG_JS}
 EOF
@ -113,7 +87,7 @@ EOF
 #
 # Helper function to manage the state of the target branding file
 _var_state() {
-	if [ "${STATE}" = "present" ] && [ -n "${1}" ]; then
+	if [ -n "${1}" ]; then
 		echo "present"
 	else
 		echo "absent"
@ -132,43 +106,3 @@ __file "/usr/share/jitsi-meet/images/watermark-${DOMAIN}.png" \
 	--mode 0644 \
 	--state "$(_var_state "${BRANDING_WATERMARK}")" \
 	--source "${BRANDING_WATERMARK}"
 # Simple body customisation
 __file "/usr/share/jitsi-meet/body-${DOMAIN}.html" \
 	--mode 0644 \
 	--state "$(_var_state "${STATE}")" \
 	--source "${__object}/parameter/branding-extra-body"
 #
 # Take care of prosody settings for the domain
 #
 JITSI_DOMAIN="${DOMAIN}"
 # Prosody settings for common components (jvb, focus, ...)
 # shellcheck source=type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
 . "${__type}/files/prosody.cfg.lua.sh"  # This defines PROSODY_CONFIG
 __file "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
 	--group prosody \
 	--mode 0440 \
 	--state "${STATE}" \
 	--source '-' <<EOF
 ${PROSODY_CONFIG}
 EOF
 __link "/etc/prosody/conf.d/${DOMAIN}.cfg.lua" \
 	--source "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
 	--state "${STATE}" \
 	--type symbolic
 if [ "${STATE}" = "present" ]; then
 	export require="${require} __file/etc/prosody/conf.avail/${DOMAIN}.cfg.lua __link/etc/prosody/conf.d/${DOMAIN}.cfg.lua"
 	__check_messages "prosody/${DOMAIN}" \
 		--pattern '^(__file|__link)/etc/prosody/conf[.](avail|d)/' \
 		--execute "$(cat <<EOF
 if [ ! -f "/var/lib/prosody/${DOMAIN}.crt" ]; then
 	echo | prosodyctl cert generate '${DOMAIN}';
 	ln -sf '/var/lib/prosody/${DOMAIN}.key' '/etc/prosody/certs/${DOMAIN}.key'
 	ln -sf '/var/lib/prosody/${DOMAIN}.crt' '/etc/prosody/certs/${DOMAIN}.crt'
 fi
 # Surprisingly, a reload is not enough
 service prosody restart
 EOF
 )"
 fi
--- a/type/__jitsi_meet_domain/parameter/default/analytics-settings
+++ b/type/__jitsi_meet_domain/parameter/default/analytics-settings
@ -1 +0,0 @@
        disabled: true
--- a/type/__jitsi_meet_domain/parameter/default/branding-app-name
+++ b/type/__jitsi_meet_domain/parameter/default/branding-app-name
@ -1 +0,0 @@
 Jitsi Meet
--- a/type/__jitsi_meet_domain/parameter/default/branding-extra-body
+++ b/type/__jitsi_meet_domain/parameter/default/branding-extra-body
--- a/type/__jitsi_meet_domain/parameter/default/state
+++ b/type/__jitsi_meet_domain/parameter/default/state
@ -1 +0,0 @@
 present
--- a/type/__jitsi_meet_domain/parameter/optional
+++ b/type/__jitsi_meet_domain/parameter/optional
@ -1,13 +1,9 @@
 analytics-settings
 channel-last-n
 default-language
 notice-message
 start-video-muted
 turn-server
 video-constraints
 branding-app-name
 branding-json
 branding-index
 branding-extra-body
 branding-watermark
 state
--- a/type/__matrix_element/files/config.json.sh
+++ b/type/__matrix_element/files/config.json.sh
@ -34,12 +34,12 @@ EOF
    if [ "$BRANDING_AUTH_FOOTER_LINKS" != "" ]; then
        cat << EOF
-        "authFooterLinks": $BRANDING_AUTH_FOOTER_LINKS,
+        "authFooterLinks": "$BRANDING_AUTH_FOOTER_LINKS",
 EOF
    fi
    cat << EOF
-    "welcomeBackgroundUrl": "$BRANDING_WELCOME_BACKGROUND_URL"
+    "welcomeBackgroundUrl": "themes/element/img/backgrounds/lake.jpg"
 EOF
    echo '},'
 }
@ -52,7 +52,7 @@ cat << EOF
            "server_name": "$DEFAULT_SERVER_NAME"
        },
        "m.identity_server": {
-            "base_url": "$IDENTITY_SERVER_URL"
+            "base_url": "https://vector.im"
        }
    },
    "brand": "$BRAND",
@ -85,10 +85,6 @@ cat << EOF
            "url": "$COOKIE_POLICY_URL",
            "text": "Cookie Policy"
        }
-    ],
+    ]
   "embeddedPages": {
        "welcomeUrl": "$WELCOME_PAGE_URL",
        "homeUrl": "$HOME_PAGE_URL"
    }
 }
 EOF
--- a/type/__matrix_element/man.rst
+++ b/type/__matrix_element/man.rst
@ -27,28 +27,12 @@ default_server_name
 default_server_url
  URL of matrix homeserver to connect to, defaults to 'https://matrix-client.matrix.org'.
 identity_server_url
  URL of matrix identity server to connect to, defaults to 'https://vector.im'.
  See element documentation
  `<https://github.com/vector-im/element-web/blob/develop/docs/config.md#identity-servers>_`
  for details.
 owner
  Owner of the deployed files, passed to `chown`. Defaults to 'root'.
 brand
  Web UI branding, defaults to 'Element'.
 branding_auth_header_logo_url
  A logo image that is shown in the header during authentication flows.
 branding_welcome_background_url
  An image to use as a wallpaper outside the app during authentication flows. If an array is passed, an image is chosen randomly for each visit.
 branding_auth_footer_links
  a list of links to show in the authentication page footer: `[{"text": "Link
  text", "url": "https://link.target"}, {"text": "Other link", ...}]`
 default_country_code
  ISO 3166 alpha2 country code to use when showing country selectors, such as
  phone number inputs. Defaults to GB.
--- a/type/__matrix_element/manifest
+++ b/type/__matrix_element/manifest
@ -25,13 +25,11 @@ INSTALL_DIR=$(cat "$__object/parameter/install_dir")
 export DEFAULT_SERVER_NAME=$(cat "$__object/parameter/default_server_name")
 export DEFAULT_SERVER_URL=$(cat "$__object/parameter/default_server_url")
 export IDENTITY_SERVER_URL=$(cat "$__object/parameter/identity_server_url")
 export BRAND=$(cat "$__object/parameter/brand")
 export DEFAULT_COUNTRY_CODE=$(cat "$__object/parameter/default_country_code")
 export ROOM_DIRECTORY_SERVERS=$(cat "$__object/parameter/room_directory_servers")
 export PRIVACY_POLICY_URL=$(cat "$__object/parameter/privacy_policy_url")
 export COOKIE_POLICY_URL=$(cat "$__object/parameter/cookie_policy_url")
 export BRANDING_WELCOME_BACKGROUND_URL=$(cat "$__object/parameter/branding_welcome_background_url")
 if [ -f "$__object/parameter/jitsi_domain" ]; then
    export JITSI_DOMAIN=$(cat "$__object/parameter/jitsi_domain")
@ -46,24 +44,14 @@ if [ -f "$__object/parameter/branding_auth_footer_links" ]; then
 fi
 if [ -f "$__object/parameter/homepage" ]; then
    export EMBED_HOMEPAGE=1
    homepage=$(cat "$__object/parameter/homepage")
    if [ -f "$homepage" ]; then
      upload_homepage=1
    else
      export HOME_PAGE_URL=$homepage
    fi
 fi
 WELCOME_PAGE_URL="welcome.html"
 if [ -f "$__object/parameter/welcomepage" ]; then
    export EMBED_WELCOMEPAGE=1
    welcomepage=$(cat "$__object/parameter/welcomepage")
    if [ -f welcomepage ]; then
      export UPLOAD_WELCOMEPAGE=1
    else
      WELCOME_PAGE_URL=$welcomepage
    fi
 fi
 export WELCOME_PAGE_URL
 if [ -f "$__object/parameter/custom_asset" ]; then
   "$__object/parameter/custom_asset" | while IFS= read -r file; do
@ -103,14 +91,14 @@ require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/config.json"
  --mode 0664 \
  --state present
-if [ $upload_homepage ]; then
+if [ $EMBED_HOMEPAGE ]; then
    require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/home.html" \
      --source "$homepage" \
      --mode 0664 \
      --state present
 fi
-if [ $upload_welcomepage ]; then
+if [ $EMBED_WELCOMEPAGE ]; then
    require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/welcome.html" \
      --source "$welcomepage" \
      --mode 0664 \
--- a/type/__matrix_element/parameter/default/branding_welcome_background_url
+++ b/type/__matrix_element/parameter/default/branding_welcome_background_url
@ -1 +0,0 @@
 themes/element/img/backgrounds/lake.jpg
--- a/type/__matrix_element/parameter/default/identity_server
+++ b/type/__matrix_element/parameter/default/identity_server
--- a/type/__matrix_element/parameter/optional
+++ b/type/__matrix_element/parameter/optional
@ -1,6 +1,5 @@
 default_server_url
 default_server_name
 identity_server_url
 brand
 default_country_code
 privacy_policy_url
@ -12,4 +11,3 @@ welcomepage
 jitsi_domain
 branding_auth_header_logo_url
 branding_auth_footer_links
 branding_welcome_background_url
--- a/type/__matrix_synapse/files/homeserver.yaml.sh
+++ b/type/__matrix_synapse/files/homeserver.yaml.sh
@ -448,7 +448,7 @@ retention:
  # matter much because Synapse doesn't take it into account yet.
  #
  default_policy:
-    min_lifetime: ${MESSAGE_RETENTION_POLICY_MIN_LIFETIME:?}
+    min_lifetime: 1d
    max_lifetime: ${MESSAGE_RETENTION_POLICY_MAX_LIFETIME:?}
  # Retention policy limits. If set, and the state of a room contains a
@ -1175,26 +1175,14 @@ fi
 cat << EOF
 # The shared secret used to compute passwords for the TURN server
 #
-EOF
+turn_shared_secret: "$TURN_SHARED_SECRET"
 if [ -n "$TURN_SHARED_SECRET" ]; then
 	echo "turn_shared_secret: \"$TURN_SHARED_SECRET\""
 fi
 cat << EOF
 # The Username and password if the TURN server needs them and
 # does not use a token
 #
-EOF
+#turn_username: "TURNSERVER_USERNAME"
 #turn_password: "TURNSERVER_PASSWORD"
 if [ -n "$TURN_USERNAME" ] || [ "$TURN_PASSWORD" ]; then
 	cat <<- EOF
 	turn_username: "$TURN_USERNAME"
 	turn_password: "$TURN_PASSWORD"
 	EOF
 fi
 cat << EOF
 # How long generated TURN credentials last
 #
 turn_user_lifetime: ${TURN_USER_LIFETIME:?}
@ -1334,7 +1322,7 @@ fi
 cat << EOF
 # Enable 3PIDs lookup requests to identity servers from this server.
 #
-enable_3pid_lookup: ${ENABLE_3PID_LOOKUPS:?}
+#enable_3pid_lookup: true
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
@ -1342,12 +1330,9 @@ EOF
 if [ -n "$REGISTRATION_SHARED_SECRET" ]; then
 	echo "registration_shared_secret: '$REGISTRATION_SHARED_SECRET'"
 else
 	echo "# registration_shared_secret: 'secret'"
 fi
 cat << EOF
 # Set the number of bcrypt rounds used to generate password hash.
 # Larger numbers increase the work factor needed to generate the hash.
 # The default number is 12 (which equates to 2^12 rounds).
@ -1368,13 +1353,7 @@ allow_guest_access: ${ALLOW_GUEST_ACCESS:?}
 # (By default, no suggestion is made, so it is left up to the client.)
 #
 #default_identity_server: https://matrix.org
 EOF
 if [ -n "$DEFAULT_IDENTITY_SERVER" ]; then
 	echo "default_identity_server: \"$DEFAULT_IDENTITY_SERVER\""
 fi
 cat << EOF
 # Handle threepid (email/phone etc) registration and password resets through a set of
 # *trusted* identity servers. Note that this allows the configured identity server to
 # reset passwords for accounts!
@ -1406,7 +1385,7 @@ account_threepid_delegates:
 #
 # Does not apply to server administrators. Defaults to 'true'
 #
-enable_set_displayname: ${ENABLE_SET_DISPLAYNAME:?}
+#enable_set_displayname: false
 # Whether users are allowed to change their avatar after it has been
 # initially set. Useful when provisioning users based on the contents
@ -1421,7 +1400,7 @@ enable_set_displayname: ${ENABLE_SET_DISPLAYNAME:?}
 #
 # Defaults to 'true'
 #
-enable_3pid_changes: ${ENABLE_3PID_CHANGES:?}
+#enable_3pid_changes: false
 # Users who register on this homeserver will automatically be joined
 # to these rooms.
@ -1717,24 +1696,7 @@ saml2_config:
    #  local: ["saml2/idp.xml"]
    #  remote:
    #    - url: https://our_idp/metadata.xml
 EOF
 if [ -n "$SAML2_IDP_METADATA_URL" ]; then
 	cat << EOF
    metadata:
      remote:
        - url: "$SAML2_IDP_METADATA_URL"
 EOF
 fi
 if [ -n "$SAML2_SP_CERT" ] || [ -n "$SAML2_SP_KEY" ]; then
 	cat << EOF
    key_file: "$SAML2_SP_KEY"
    cert_file: "$SAML2_SP_CERT"
 EOF
 fi
 cat << EOF
    # Allowed clock difference in seconds between the homeserver and IdP.
    #
    # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
@ -1808,15 +1770,7 @@ cat << EOF
    # The custom module's class. Uncomment to use a custom module.
    #
    #module: mapping_provider.SamlMappingProvider
 EOF
 if [ -n "$SAML2_MAPPING_PROVIDER_MODULE" ]; then
 	cat << EOF
    module: "$SAML2_MAPPING_PROVIDER_MODULE"
 EOF
 fi
 cat << EOF
    # Custom configuration values for the module. Below options are
    # intended for the built-in provider, they should be changed if
    # using a custom module. This section will be passed as a Python
@ -1846,17 +1800,6 @@ cat << EOF
      # value will be used instead.
      #
      #mxid_mapping: dotreplace
 EOF
 if [ -n "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" ]; then
 	echo "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" | while IFS= read -r entry; do
 		cat << EOF
      $entry
 EOF
 	done
 fi
 cat << EOF
  # In previous versions of synapse, the mapping from SAML attribute to
  # MXID was always calculated dynamically rather than stored in a
@ -2191,7 +2134,7 @@ sso:
    # You can see the default templates at:
    # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
    #
-    template_dir: "${SSO_TEMPLATE_DIR:?}"
+    #template_dir: "res/templates"
 # JSON web token integration. The following settings can be used to make
--- a/type/__matrix_synapse/gencode-remote
+++ b/type/__matrix_synapse/gencode-remote
@ -8,7 +8,7 @@ case "$os" in
 		synapse_conf_dir=/etc/synapse
 		synapse_service=synapse
 		;;
-	debian|ubuntu)
+	debian)
 		synapse_conf_dir=/etc/matrix-synapse
 		synapse_service=matrix-synapse
 		;;
--- a/type/__matrix_synapse/man.rst
+++ b/type/__matrix_synapse/man.rst
@ -1,5 +1,5 @@
 cdist-type__matrix_synapse(7)
-=============================
+======================
 NAME
 ----
@ -8,7 +8,7 @@ cdist-type__matrix_synapse - Install and configure Synapse, a Matrix homeserver
 DESCRIPTION
 -----------
-This type installs and configures the Synapse Matrix homeserver. This is a
+This type install and configure the Synapse Matrix homeserver. This is a
 signleton type.
@ -52,13 +52,13 @@ ldap-base-dn
  Base DN of your LDAP tree.
 ldap-uid-attribute
-  LDAP attribute mapping to Synapse's uid field, default to uid.
+  LDAP attriute mapping to Synapse's uid field, default to uid.
 ldap-mail-attribute
-  LDAP attribute mapping to Synapse's mail field, default to mail.
+  LDAP attriute mapping to Synapse's mail field, default to mail.
 ldap-name-attribute
-  LDAP attribute mapping to Synapse's name field, default to givenName.
+  LDAP attriute mapping to Synapse's name field, default to givenName.
 ldap-bind-dn
  User used to authenticate against your LDAP server in 'search' mode.
@ -81,7 +81,7 @@ smtp-host
  The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
 smtp-port
-  The port on the mail server for outgoing SMTP. Defaults to 25.
+  # The port on the mail server for outgoing SMTP. Defaults to 25.
 smtp-user
  Username for authentication to the SMTP server. By
@ -133,14 +133,6 @@ turn-uri
 turn-shared-secret
  Shared secret used to access the TURN REST API.
 turn-username
  Username used to authenticate against the TURN server if needed / a shared
  secret token is not used.
 turn-password
  Password used to authenticate against the TURN server if needed / a shared
  secret token is not used.
 turn-user-lifetime
  Lifetime of TURN credentials. Defaults to 1h.
@ -162,12 +154,6 @@ rc-login-burst
 registration-allows-email-pattern
    Only allow email addresses matching specified filter. Can be specified multiple times. A pattern must look like `.*@vector\.im`.
 disable-displayname-changes
  Whether users are allowed to change their displayname after it has been initially set.
 disable-3pid-changes
  Whether users can change the 3PIDs associated with their accounts (email address and msisdn).
 auto-join-room
  Room where newly-registered users are automatically added. Can be specified multiple times.
@ -195,25 +181,6 @@ bind-address
  Address used to bind the synapse listeners. Can be specified multiple times.
  Defaults to '::1' and '127.0.0.1'.
 saml2-idp-metadata-url
  HTTP(S) url to SAML2 Identity Provider (IdP), used for Single Sign On (SSO) logic.
 saml2-sp-key
  Path to PEM-formatted key file for use by PySAML2.
 saml2-sp-cert
  Path to PEM-formatted cert file for use by PySAML2.
 saml2-mapping-provider-module
  Name of custom Python module used to map SAML2 attributes to synapse internals.
 saml2-mapping-provider-extra-settings
  Extra YAML-formatted key/pair values provided as configuration to the SAML2
  mapping provider module (e.g. 'key: value'). Can be specified multiple times.
 sso-template-dir
  Directory used to source SSO-related HTML templates.
 extra-setting
  Arbitrary string to be added to the configuration file. Can be specified multiple times.
@ -255,9 +222,6 @@ allow-public-rooms-without-auth
 enable-server-notices
  Enable the server notices room.
 enable-3pid-lookups
  Enable 3PIDs lookup requests to identity servers from this server.
 allow-guest-access
  Allows users to register as guests without a password/email/etc, and
  participate in rooms hosted on this server which have been made accessible
--- a/type/__matrix_synapse/manifest
+++ b/type/__matrix_synapse/manifest
@ -20,24 +20,41 @@
 # OS-specific configuration.
 os=$(cat "$__global/explorer/os")
 distribution=$(cat "$__global/explorer/lsb_codename")
 case "$os" in
-	debian|ubuntu)
+	debian)
 		synapse_user=matrix-synapse
-		synapse_pkg=matrix-synapse-py3
+		synapse_pkg=matrix-synapse
 		synapse_service=matrix-synapse
 		ldap_auth_provider_pkg=matrix-synapse-ldap3
 		synapse_conf_dir='/etc/matrix-synapse'
 		synapse_data_dir='/var/lib/matrix-synapse'
-		__apt_key matrix-org \
+		# See https://packages.debian.org/bullseye/matrix-synapse for state of
-			--uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
+		# synapse packaging in debian.
-
+		case "$distribution" in
-		require="__apt_key/matrix-org" __apt_source matrix-org \
+			stretch)
-			--uri https://packages.matrix.org/debian/ \
+				echo "The matrix-synapse package in debian stretch is outdated and unusable." >&2
-			--component main
+				exit 1
-		package_req="__apt_source/matrix-org"
+				;;
-	;;
+			buster)
 				# Enable debian-backports for debian Buster, as the 'stable'
 				# matrix-synapse package is ways too old (< 1.0).
 				apt_target_release=buster-backports
 				__apt_backports
 				;;
 				bullseye|sid)
 					# As of writting (2021-02), the default matrix-synapse of those
 					# release is perfectly usable.
 					:
 				;;
 				*)
 					echo "Unknown debian release '$distribution'. Exiting" >&2
 					exit 1
 				;;
 		esac
 		;;
 	alpine)
 		synapse_user=synapse
 		synapse_pkg=synapse
@ -96,7 +113,7 @@ export SERVER_NAME BASE_URL REPORT_STATS MAX_UPLOAD_SIZE EXPOSE_METRICS \
 	WEB_CLIENT_URL ROOM_ENCRYPTION_POLICY BIND_ADDRESSES
 if [ -f "$__object/parameter/enable-server-notices" ]; then
-	export ENABLE_SERVER_NOTICES=1
+    export ENABLE_SERVER_NOTICES=1
 fi
 # TLS.
@ -172,88 +189,25 @@ ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations')
 USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
 export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
-if [ -f "$__object/parameter/registration-shared-secret" ]; then
+if [ -f "$__object/parameter/registration-shared-token" ]; then
 	REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret")
 	export REGISTRATION_SHARED_SECRET
 fi
 if [ -f "$__object/parameter/registration-requires-email" ]; then
-	export REGISTRATION_REQUIRES_EMAIL=1
+    export REGISTRATION_REQUIRES_EMAIL=1
 fi
 ENABLE_SET_DISPLAYNAME='true'
 if [ -f "$__object/parameter/disable-displayname-changes" ]; then
 	ENABLE_SET_DISPLAYNAME='false'
 fi
 export ENABLE_SET_DISPLAYNAME
 ENABLE_3PID_CHANGES='true'
 if [ -f "$__object/parameter/disable-3pid-changes" ]; then
 	ENABLE_3PID_CHANGES='false'
 fi
 export ENABLE_3PID_CHANGES
 if [ -f "$__object/parameter/auto-join-room" ]; then
-	AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")"
+    AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")"
-	export AUTO_JOIN_ROOMS
+    export AUTO_JOIN_ROOMS
 fi
 if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then
-	RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern")
+    RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern")
-	export RESGISTRATION_ALLOWS_EMAIL_PATTERN
+    export RESGISTRATION_ALLOWS_EMAIL_PATTERN
 fi
 if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then
 	# Synapse fails to start while trying to parse IDP metadata if this package
 	# is not installed.
 	__package xmlsec1
 	SAML2_IDP_METADATA_URL=$(cat "$__object/parameter/saml2-idp-metadata-url")
 	export SAML2_IDP_METADATA_URL
 fi
 if [ -f "$__object/parameter/saml2-sp-key" ]; then
 	SAML2_SP_KEY=$(cat "$__object/parameter/saml2-sp-key")
 	export SAML2_SP_KEY
 fi
 if [ -f "$__object/parameter/saml2-sp-cert" ]; then
 	SAML2_SP_CERT=$(cat "$__object/parameter/saml2-sp-cert")
 	export SAML2_SP_CERT
 fi
 if [ -f "$__object/parameter/saml2-mapping-provider-module" ]; then
 	SAML2_MAPPING_PROVIDER_MODULE=$(cat "$__object/parameter/saml2-mapping-provider-module")
 	export SAML2_MAPPING_PROVIDER_MODULE
 fi
 if [ -f "$__object/parameter/saml2-mapping-provider-extra-config" ]; then
 	SAML2_MAPPING_PROVIDER_EXTRA_CONFIG=$(cat "$__object/parameter/saml2-mapping-provider-extra-config")
 	export SAML2_MAPPING_PROVIDER_EXTRA_CONFIG
 fi
 SSO_TEMPLATE_DIR=$(cat "$__object/parameter/sso-template-dir")
 export SSO_TEMPLATE_DIR
 if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then
 	echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2
 	exit 1
 elif [ -n "$SAML2_SP_CERT" ] && [ -z "$SAML2_SP_KEY" ]; then
 	echo "--saml2-sp-key must be set if --saml2-sp-cert is provided." >&2
 	exit 1
 fi
 if [ -f "$__object/parameter/default-identity-server" ]; then
 	DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server")
 	export DEFAULT_IDENTITY_SERVER
 fi
 ENABLE_3PID_LOOKUPS='false'
 if [ -f "$__object/parameter/enable-3pid-lookups" ]; then
 	ENABLE_3PID_LOOKUPS='true'
 fi
 export ENABLE_3PID_LOOKUPS
 # Federation.
 ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')
 ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth')
@ -269,8 +223,7 @@ fi
 # Message retention.
 ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
 MESSAGE_RETENTION_POLICY_MAX_LIFETIME=$(cat "$__object/parameter/message-max-lifetime")
-MESSAGE_RETENTION_POLICY_MIN_LIFETIME=$MESSAGE_RETENTION_POLICY_MAX_LIFETIME
+export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME
 export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME MESSAGE_RETENTION_POLICY_MIN_LIFETIME
 # Previews.
 ENABLE_URL_PREVIEW=$(get_boolean_for 'enable-url-preview')
@ -310,16 +263,6 @@ if [ -f "$__object/parameter/turn-uri" ]; then
 	export TURN_URIS
 fi
 if [ -f "$__object/parameter/turn-username" ]; then
 	TURN_USERNAME=$(cat "$__object/parameter/turn-username")
 	export TURN_USERNAME
 fi
 if [ -f "$__object/parameter/turn-password" ]; then
 	TURN_PASSWORD=$(cat "$__object/parameter/turn-password")
 	export TURN_PASSWORD
 fi
 # Worker-mode configuration.
 export MAIN_LISTENER_PORT=8008
 export ENABLE_MEDIA_REPO='true'
@ -353,25 +296,38 @@ export ENABLE_REPLICATION ENABLE_REDIS_SUPPORT WORKER_REPLICATION_SECRET \
 case "$DATABASE_ENGINE" in
 	sqlite3)
 		:
-		;;
+	;;
 	psycopg2)
 		when='database engine is psycopg2'
 		is_required_when "$DATABASE_HOST" '--database-host' "$when"
 		is_required_when "$DATABASE_USER" '--database-user' "$when"
-		;;
+	;;
 	*)
 		echo "Invalid database engine: $DATABASE_ENGINE." >&2
 		exit 1
-		;;
+	;;
 esac
-# Install OS packages.
+# Install OS packages. We have a bit of boilerplate to handle the debian
-require="$package_req" __package "$synapse_pkg"
+# backports situation.
-synapse_req="__package/$synapse_pkg"
+synapse_req=
 if [ -n "$apt_target_release" ]; then
 	require="__apt_backports" __package_apt "$synapse_pkg" \
 		--target-release "$apt_target_release"
 	synapse_req="__package_apt/$synapse_pkg"
 else
 	__package "$synapse_pkg"
 	synapse_req="__package/$synapse_pkg"
 fi
 if [ -n "$ENABLE_LDAP_AUTH" ]; then
-	require="$package_req" __package "$ldap_auth_provider_pkg"
+	if [ -n "$apt_target_release" ]; then
 		require="__package_apt/$synapse_pkg" __package_apt "$ldap_auth_provider_pkg" \
 			--target-release "$apt_target_release"
 		else
 			__package "$ldap_auth_provider_pkg"
 	fi
 fi
 # Generate and deploy configuration files.
@ -380,13 +336,13 @@ mkdir -p "$__object/files"
 "$__type/files/log.config.sh" > "$__object/files/log.config"
 require="$synapse_req" __file "$synapse_conf_dir/homeserver.yaml" \
-	--owner $synapse_user \
+  --owner $synapse_user \
-	--mode 600 \
+  --mode 600 \
-	--source "$__object/files/homeserver.yaml"
+  --source "$__object/files/homeserver.yaml"
 require="$synapse_req" __file "$LOG_CONFIG_PATH" \
-	--owner $synapse_user \
+  --owner $synapse_user \
-	--mode 600 \
+  --mode 600 \
-	--source "$__object/files/log.config"
+  --source "$__object/files/log.config"
 for directory in $DATA_DIR $LOG_DIR; do
 	require="$synapse_req" __directory $directory \
@ -394,8 +350,8 @@ for directory in $DATA_DIR $LOG_DIR; do
 		--owner $synapse_user
 done
-# Make dpkg-reconfigure happy on debian-based systems.
+# Make dpkg-reconfigure happy on debian systems.
-if [ "$os" = "debian" ] || [ "$os" = "ubuntu" ]; then
+if [ "$os" = "debian" ]; then
 	require="$synapse_req" __file "$synapse_conf_dir/conf.d/server_name.yaml" \
 		--owner $synapse_user \
 		--source - <<- EOF
--- a/type/__matrix_synapse/parameter/boolean
+++ b/type/__matrix_synapse/parameter/boolean
@ -17,6 +17,3 @@ user-directory-search-all-users
 enable-message-retention-policy
 worker-mode
 enable-url-preview
 enable-3pid-lookups
 disable-3pid-changes
 disable-displayname-changes
--- a/type/__matrix_synapse/parameter/default/sso-template-dir
+++ b/type/__matrix_synapse/parameter/default/sso-template-dir
@ -1 +0,0 @@
 res/template
--- a/type/__matrix_synapse/parameter/optional
+++ b/type/__matrix_synapse/parameter/optional
@ -13,8 +13,6 @@ ldap-bind-password
 ldap-filter
 turn-shared-secret
 turn-user-lifetime
 turn-username
 turn-password
 max-upload-size
 smtp-host
 smtp-port
@ -36,9 +34,3 @@ background-tasks-worker
 tls-cert
 tls-private-key
 registration-shared-secret
 saml2-idp-metadata-url
 saml2-sp-key
 saml2-sp-cert
 default-identity-server
 saml2-mapping-provider-module
 sso-template-dir
--- a/type/__matrix_synapse/parameter/optional_multiple
+++ b/type/__matrix_synapse/parameter/optional_multiple
@ -5,4 +5,3 @@ app-service-config-file
 extra-setting
 bind-address
 outbound-federation-worker
 saml2-mapping-provider-extra-config
--- a/type/__matrix_synapse_worker/files/matrix-synapse-worker@.service
+++ b/type/__matrix_synapse_worker/files/matrix-synapse-worker@.service
@ -15,7 +15,7 @@ NotifyAccess=main
 User=matrix-synapse
 WorkingDirectory=/var/lib/matrix-synapse
 EnvironmentFile=/etc/default/matrix-synapse
-ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml
+ExecStart=/usr/bin/python3 -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure
 RestartSec=3
--- a/type/__matterbridge/manifest
+++ b/type/__matterbridge/manifest
@ -20,7 +20,7 @@
 os=$(cat "$__global/explorer/os")
 case "$os" in
-   debian|ubuntu)
+   debian)
     # This type assume systemd for service installation.
   ;;
   *)
@ -31,13 +31,11 @@ case "$os" in
 esac
 # Required parameters.
-version=$(cat "$__object/parameter/version")
+VERSION=$(cat "$__object/parameter/version")
 if [ -f "$__object/parameter/config" ]; then
-    config="$(cat "$__object/parameter/config")"
+    CONFIG="$(cat "$__object/parameter/config")"
-    if [ "$config" = "-" ]; then
+    if [ "$CONFIG" = "-" ]; then
-        mkdir -p "$__object/files"
+        CONFIG=$(cat "$__object/stdin")
        config="$__object/files/matterbridge.toml"
        cat "$__object/stdin" > "$config"
    fi
 fi
@ -48,11 +46,11 @@ export USER=matterbridge
 export GROUP=$USER
 # Internal variables.
-artefact="matterbridge-$version-linux-64bit"
+artefact="matterbridge-$VERSION-linux-64bit"
 checksum_file="checksums.txt"
 release_download_url=https://github.com/42wim/matterbridge/releases/download
-binary_url="$release_download_url/v$version/$artefact"
+binary_url="$release_download_url/v$VERSION/$artefact"
-checksum_file_url="$release_download_url/v$version/$checksum_file"
+checksum_file_url="$release_download_url/v$VERSION/$checksum_file"
 config_dir=$(dirname $CONFIG_PATH)
 systemd_unit_path='/etc/systemd/system/matterbridge.service'
@ -90,7 +88,7 @@ require="__user/$USER" __directory "$config_dir" \
 require="__directory/$config_dir" __file "$CONFIG_PATH" \
  --owner "$USER" \
  --mode 0640 \
-  --source "$config"
+  --source "$CONFIG"
 __file "$systemd_unit_path" \
  --source "$__object/files/matterbridge.service"
--- a/type/__nginx/man.rst
+++ b/type/__nginx/man.rst
@ -28,16 +28,6 @@ uacme-hookscript
  Custom hook passed to the __uacme_obtain type: useful to integrate the
  dns-01 challenge with third-party DNS providers.
 acme-url
  ACMEv2 server directory object URL. Lets'Encrypt is used by default.
 acme-eab-credentials
  Specify RFC8555 External Account Binding credentials according to
  https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
  ACME account with an existing account in a non-ACME system such as a CA
  customer database. KEYID must be an ASCII string. KEY must be
  base64url-encoded.
 EXAMPLES
 --------
--- a/type/__nginx/manifest
+++ b/type/__nginx/manifest
@ -36,20 +36,6 @@ then
 	set_custom_uacme_hookscript="--hookscript $uacme_hookscript"
 fi
 set_custom_acme_url=
 if [ -f "${__object:?}/parameter/acme-url" ];
 then
 	custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
 	set_custom_acme_url="--acme-url $custom_acme_url"
 fi
 set_acme_eab_credentials=
 if [ -f "${__object:?}/parameter/acme-eab-credentials" ];
 then
 	acme_eab_credentials=$(cat "${__object:?}/parameter/acme-eab-credentials")
 	set_acme_eab_credentials="--eab-credentials $acme_eab_credentials"
 fi
 # Deploy simple HTTP vhost, allowing to serve ACME challenges.
 __nginx_vhost "301-to-https-$domain" \
 	--domain "$domain" --altdomains "$altdomains" --to-https
@ -60,18 +46,12 @@ if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then
 	cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to")
 fi
-# shellcheck disable=SC2086
+__uacme_account
 __uacme_account \
 	$set_custom_acme_url \
 	$set_acme_eab_credentials \
 # shellcheck disable=SC2086
 require="__nginx_vhost/301-to-https-$domain __uacme_account" \
 	__uacme_obtain "$domain" \
 		--altdomains "$altdomains" \
 		$set_custom_uacme_hookscript \
 		$set_custom_acme_url \
 		$set_acme_eab_credentials \
 		--owner "$cert_ownership" \
 		--install-key-to "$nginx_certdir/$domain/privkey.pem" \
 		--install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \
--- a/type/__nginx/parameter/optional
+++ b/type/__nginx/parameter/optional
@ -2,6 +2,4 @@ config
 domain
 altdomains
 uacme-hookscript
 acme-url
 acme-eab-credentials
 force-cert-ownership-to
--- a/type/__nginx_vhost/manifest
+++ b/type/__nginx_vhost/manifest
@ -32,7 +32,7 @@ case "$os" in
 		require="$install_reqs" __start_on_boot nginx
-		export NGINX_SITEDIR="$nginx_confdir/http.d"
+		export NGINX_SITEDIR="$nginx_confdir/conf.d"
 		export NGINX_CERTDIR="$nginx_confdir/ssl"
 		export NGINX_SNIPPETSDIR="$nginx_confdir/snippets"
 		export NGINX_WEBROOT="/var/www"
@ -158,7 +158,6 @@ for snippet in hsts 301-to-https; do
 done
 # Install vhost.
-require="$install_reqs" __directory "$NGINX_SITEDIR"
+require="$install_reqs" __file "$NGINX_SITEDIR/$__object_id.conf" \
 require="__directory/$NGINX_SITEDIR" __file "$NGINX_SITEDIR/$__object_id.conf" \
 	--source "$vhost_conf" \
 	--mode 0644
--- a/type/__opendkim/files/opendkim.conf.sh
+++ b/type/__opendkim/files/opendkim.conf.sh
@ -1,7 +1,6 @@
 #!/bin/sh -e
 # Generate an opendkim.conf(5) file for opendkim(8).
 echo "# Managed remotely, manual changes will be lost."
 # Optional chdir(2)
 if [ "$BASEDIR" ];
@ -34,8 +33,8 @@ then
 fi
 # Key and Domain tables
-echo "KeyTable ${CFG_DIR}/KeyTable"
+echo 'KeyTable /etc/opendkim/KeyTable'
-echo "SigningTable ${CFG_DIR}/SigningTable"
+echo 'SigningTable /etc/opendkim/SigningTable'
 # Required socket to listen on
 printf "Socket %s\n" "${SOCKET:?}"
--- a/type/__opendkim/man.rst
+++ b/type/__opendkim/man.rst
@ -14,8 +14,8 @@ installation and basic configuration of an instance of OpenDKIM.
 Note that this type does not generate or ensure that a key is present: use
 `cdist-type__opendkim-genkey(7)` for that.
-Note that this type is currently only implemented for Alpine Linux and FreeBSD.
+Note that this type is currently only implemented for Alpine Linux. Please
-Please contribute an implementation if you can.
+contribute an implementation if you can.
 REQUIRED PARAMETERS
@ -41,25 +41,20 @@ subdomains
 umask
  Set the umask for the socket and PID file.
 userid
  Change the user the opendkim program is to run as. By default, Alpine Linux's
  OpenRC service will set this to `opendkim` on the command-line.
 custom-config
  The string following this parameter is appended as-is in the configuration, to
  enable more complex configurations.
 BOOLEAN PARAMETERS
 ------------------
 syslog
  Log to syslog.
 DEPRECATED PARAMETERS
 ---------------------
 userid
  Change the user the opendkim program is to run as.
  By default, Alpine Linux's OpenRC service will set this to `opendkim` on the
  command-line and FreeBSD's rc will set it to `mailnull`.
 EXAMPLES
 --------
@ -91,12 +86,11 @@ SEE ALSO
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
 Evilham <contact@evilham.com>
 COPYING
 -------
-Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/type/__opendkim/manifest
+++ b/type/__opendkim/manifest
@ -20,24 +20,16 @@
 os=$(cat "${__global:?}/explorer/os")
 CFG_DIR="/etc/opendkim"
 service="opendkim"
 case "$os" in
 'alpine')
 	:
 	;;
 'freebsd')
 	CFG_DIR="/usr/local/etc/mail"
 	service="milter-opendkim"
 	start_service="milteropendkim"
 	;;
 *)
 	printf "__opendkim does not yet support %s.\n" "$os" >&2
 	printf "Please contribute an implementation if you can.\n" >&2
 	exit 1
 	;;
 esac
 export CFG_DIR
 __package opendkim
@ -76,7 +68,7 @@ fi
 # Generate and deploy configuration file.
 source_file="${__object:?}/files/opendkim.conf"
-target_file="${CFG_DIR}/opendkim.conf"
+target_file="/etc/opendkim/opendkim.conf"
 mkdir -p "${__object:?}/files"
@ -91,26 +83,9 @@ fi
 require="__package/opendkim" __file "$target_file" \
 	--source "$source_file" --mode 0644
-# Due to the way rc.conf works on *BSD, we find ourselves in the awkward
+require="__package/opendkim" __start_on_boot opendkim
 # situation, where a service's name can contain a '-' symbol, but the
 # rc.conf setting to enable a service at boot cannot.
 # Unless start_service has been defined before, these two match.
 require="__package/opendkim" __start_on_boot "${start_service:-${service}}"
-# Ensure Key and Signing tables exist and have proper permissions
+require="__file${target_file}" \
 key_table="${CFG_DIR}/KeyTable"
 signing_table="${CFG_DIR}/SigningTable"
 require="__package/opendkim" \
 	__file "${key_table}" \
 	--mode 444
 require="__package/opendkim" \
 	__file "${signing_table}" \
 	--mode 444
 require="__file${target_file} __file${key_table}
 		__file${signing_table} __start_on_boot/${start_service:-${service}}" \
 	__check_messages opendkim \
 		--pattern "^__file${target_file}" \
-		--execute "service ${service} restart"
+		--execute "service opendkim restart"
--- a/type/__opendkim/parameter/deprecated/userid
+++ b/type/__opendkim/parameter/deprecated/userid
@ -1,2 +0,0 @@
 This can cause inconsistencies with permissions and will stop being supported.
 If you still need this, you can use --custom-config 'UserId $USERID'.
--- a/type/__opendkim_genkey/explorer/key-state
+++ b/type/__opendkim_genkey/explorer/key-state
@ -1,32 +0,0 @@
 #!/bin/sh -e
 DIRECTORY="/var/db/dkim/"
 if [ -f "${__object:?}/parameter/directory" ];
 then
 	# Be forgiving about a lack of trailing slash
 	DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
 fi
 KEY_ID="$(echo "${__object_id:?)}" | tr '/' '_')"
 DEFAULT_PATH="${DIRECTORY:?}${KEY_ID:?}.private"
 if [ -s "${DEFAULT_PATH}" ]; then
 	# This is the main location for the key
 	FOUND_PATH="${DEFAULT_PATH}"
 else
 	# This is a backwards-compatible location for the key
 	# Keys generated post March 2022 should not land here
 	if [ -f "${__object:?}/parameter/selector" ]; then
 		SELECTOR="$(cat "${__object:?}/parameter/selector")"
 		if [ -s "${DIRECTORY}${SELECTOR:?}.private" ]; then
 			FOUND_PATH="${DIRECTORY}${SELECTOR:?}.private"
 		fi
 	fi
 fi
 if [ -n "${FOUND_PATH}" ]; then
 	printf "present\t%s" "${FOUND_PATH}"
 else
 	# We didn't find the key
 	# We pass the default path here, to easen logic in the rest of the type
 	printf "absent\t%s" "${DEFAULT_PATH}"
 fi
--- a/type/__opendkim_genkey/gencode-remote
+++ b/type/__opendkim_genkey/gencode-remote
@ -19,8 +19,8 @@
 #
 # Required parameters
-DOMAIN="$(cat "${__object:?}/domain")"
+DOMAIN="$(cat "${__object:?}/parameter/domain")"
-SELECTOR="$(cat "${__object:?}/selector")"
+SELECTOR="$(cat "${__object:?}/parameter/selector")"
 # Optional parameters
 BITS=
@ -28,6 +28,11 @@ if [ -f "${__object:?}/parameter/bits" ]; then
 	BITS="-b $(cat "${__object:?}/parameter/bits")"
 fi
 DIRECTORY="/var/db/dkim/"
 if [ -f "${__object:?}/parameter/directory" ]; then
 	DIRECTORY="$(cat "${__object:?}/parameter/directory")"
 fi
 # Boolean parameters
 SUBDOMAINS=
 if [ -f "${__object:?}/parameter/no-subdomains" ]; then
@ -39,27 +44,7 @@ if [ -f "${__object:?}/parameters/unrestricted" ]; then
 	RESTRICTED=
 fi
-user="$(cat "${__object:?}/user")"
+if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then
-group="$(cat "${__object:?}/group")"
+	echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS"
-
+	echo "chown opendkim:opendkim ${DIRECTORY}${SELECTOR}.private"
 KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")"
 KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")"
 if [ "${KEY_STATE:?}" = "absent" ]; then
 	# opendkim-genkey(8) does not allow specifying the file name.
 	# To err on the safe side (and avoid potentially killing other keys)
 	# we operate on a temporary directory first, then move the resulting key
 	cat <<-EOF
 	tmp_dir="\$(mktemp -d cdist-dkim.XXXXXXXXXXX)"
 	opendkim-genkey $BITS --domain=${DOMAIN:?} --directory=\${tmp_dir:?} $RESTRICTED --selector=${SELECTOR:?} $SUBDOMAINS
 	# Relocate and ensure permissions
 	mv "\${tmp_dir:?}/${SELECTOR:?}.private" '${KEY_LOCATION:?}'
 	chown ${user}:${group} '${KEY_LOCATION}'
 	chmod 0600 '${KEY_LOCATION}'
 	# This is usually generated, if it weren't we do not want to fail
 	mv "\${tmp_dir:?}/${SELECTOR:?}.txt" '${KEY_LOCATION%.private}.txt' || true
 	chown ${user}:${group} '${KEY_LOCATION%.private}.txt' || true
 	# Cleanup after ourselves
 	rmdir "\${tmp_dir:?}" || true
 	EOF
 fi
--- a/type/__opendkim_genkey/man.rst
+++ b/type/__opendkim_genkey/man.rst
@ -10,27 +10,23 @@ DESCRIPTION
 -----------
 This type uses the `opendkim-genkey(8)` to generate signing keys suitable for
-usage by `opendkim(8)` to sign outgoing emails.
+usage by `opendkim(8)` to sign outgoing emails. Then, a line with the domain,
 selector and keyname in the `$selector._domainkey.$domain` format will be added
 to the OpenDKIM key table located at `/etc/opendkim/KeyTable`. Finally, a line
 will be added to the OpenDKIM signing table, using either the domain or the
 provided key for the `domain:selector:keyfile` value in the table. An existing
 key will not be overwritten.
-It also manages the key, identified by its `$__object_id` in OpenDKIM's
+Currently, this type is only implemented for Alpine Linux. Please contribute an
-KeyTable and sets its `s=` and `d=` parameters (see: `--selector` and
+implementation if you can.
 `--sigdomain` respectively).
-This type will also manage the entries in the OpenDKIM's SigningTable by
+REQUIRED PARAMETERS
-associating any given `sigkey` values to this key.
+-------------------
 domain
  The domain to generate the key for.
-Take into account that if you use this type without the `--domain` and
+selector
-`--selector` parameters, the `$__object_id` must be in form `$domain/$selector`.
+  The DKIM selector to generate the key for.
 Currently, this type is only implemented for Alpine Linux and FreeBSD.
 Please contribute an implementation if you can.
 NOTE: the name of the key file under `--directory` will default to
 `$__object_id.private`, but if that fails and `--selector` is used,
 `SELECTOR.private` will be considered.
 Take care when using unrelated keys that might collide this way.
 For more information see:
 https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20
 OPTIONAL PARAMETERS
@ -42,36 +38,10 @@ bits
 directory
  The directory in which to generate the key, `/var/db/dkim/` by default.
 domain
  The domain to generate the key for.
  If omitted, `--selector` must be omitted as well and `$__object_id` must be
  in form: `$domain/$selector`.
 selector
  The DKIM selector to generate the key for.
  If omitted, `--domain` must be omitted as well and `$__object_id` must be
  in form: `$domain/$selector`.
 sigdomain
  Specified in the KeyTable, the domain to use in the signature's "d=" value.
  Defaults to the specified domain. If `%`, it will be replaced by the apparent
  domain of the sender when generating a signature.
  Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
  See `KeyTable` in `opendkim.conf(5)` for more information.
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 sigkey
-  The key used in the `SigningTable` for this signing key. Defaults to the
+  The key used in the SigningTable for this signing key. Defaults to the
  specified domain. If `%`, OpenDKIM will replace it with the domain found
  in the `From:` header. See `opendkim.conf(5)` for more options.
  Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
  This can be passed multiple times, resulting in multiple lines in the
  SigningTable, which can be used to support signing of subdomains or multiple
  domains with the same key; in that case, you probably want to set
  `--sigdomain` to `%`, else the domains will not be aligned.
 BOOLEAN PARAMETERS
 ------------------
@ -87,7 +57,6 @@ EXAMPLES
 .. code-block:: sh
    # Setup the OpenDKIM service
    __opendkim \
        --socket inet:8891@localhost \
        --basedir /var/lib/opendkim \
@ -96,24 +65,14 @@ EXAMPLES
        --umask 002 \
        --syslog
-    # Continue only after the service has been set up
+    require='__opendkim' \
-    export require="__opendkim"
+        __opendkim_genkey default \
                --domain example.com \
                --selector default
-    # Generate a key for 'example.com' with selector 'default'
+        __opendkim_genkey myfoo \
-    __opendkim_genkey default \
+                --domain foo.com \
-        --domain example.com \
+                --selector backup
        --selector default
    # Generate a key for 'foo.com' with selector 'backup'
    __opendkim_genkey 'foo.com/backup'
    # Generate a key for 'example.org' with selector 'main'
    # that can also sign 'cdi.st' and subdomains of 'example.org'
    __opendkim_genkey 'example.org/main' \
        --sigdomain '%' \
        --sigkey 'example.org' \
        --sigkey '.example.org' \
        --sigkey 'cdi.st'
 SEE ALSO
@ -126,12 +85,11 @@ SEE ALSO
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
 Evilham <contact@evilham.com>
 COPYING
 -------
-Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/type/__opendkim_genkey/manifest
+++ b/type/__opendkim_genkey/manifest
@ -21,68 +21,25 @@
 os=$(cat "${__global:?}/explorer/os")
 CFG_DIR="/etc/opendkim"
 user="opendkim"
 group="opendkim"
 case "$os" in
 'alpine')
 	:
 ;;
 'freebsd')
 	CFG_DIR="/usr/local/etc/mail"
 	user="mailnull"
 	group="mailnull"
 ;;
 *)
 	cat <<- EOF >&2
-	__opendkim_genkey currently only supports Alpine Linux and FreeBSD.
+	__opendkim_genkey currently only supports Alpine Linux. Please
-	Please contribute an implementation for $os if you can.
+	contribute an implementation for $os if you can.
 	EOF
 	exit 1
 ;;
 esac
-# Logic to simplify the type as documented in
+SELECTOR="$(cat "${__object:?}/parameter/selector")"
-# https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20#issuecomment-14711
+DOMAIN="$(cat "${__object:?}/parameter/domain")"
 DOMAIN="$(cat "${__object:?}/parameter/domain" 2>/dev/null || true)"
 SELECTOR="$(cat "${__object:?}/parameter/selector" 2>/dev/null || true)"
 if [ -z "${DOMAIN}${SELECTOR}" ]; then
 	# Neither SELECTOR nor DOMAIN were passed, try to use __object_id
 	if echo "${__object_id:?}" | \
 			grep -qE '^[^/[:space:]]+/[^/[:space:]]+$'; then
 		# __object_id matches, let's get the data
 		DOMAIN="$(echo "${__object_id:?}" | cut -d '/' -f 1)"
 		SELECTOR="$(echo "${__object_id:?}" | cut -d '/' -f 2)"
 	else
 		# It doesn't match the pattern, this is sad
 		cat <<- EOF >&2
 		The arguments --domain and --selector were not used.
 		So __object_id must match DOMAIN/SELECTOR.
 		But instead the type got: ${__object_id:?}
 		EOF
 		exit 1
 	fi
 elif [ -z "${DOMAIN}" ] || [ -z "${SELECTOR}" ]; then
 	# Only one was passed, this is sad :-(
 	cat <<- EOF >&2
 	You must pass either both --selector and --domain or none of them.
 	If these arguments are absent, __object_id must match: DOMAIN/SELECTOR.
 	EOF
 	exit 1
 # else: both were passed
 fi
 # Persist data for gencode-remote
 printf '%s' "${user:?}" > "${__object:?}/user"
 printf '%s' "${group:?}" > "${__object:?}/group"
 printf '%s' "${DOMAIN:?}" > "${__object:?}/domain"
 printf '%s' "${SELECTOR:?}" > "${__object:?}/selector"
 DIRECTORY="/var/db/dkim/"
 if [ -f "${__object:?}/parameter/directory" ];
 then
-	# Be forgiving about a lack of trailing slash
+	DIRECTORY="$(cat "${__object:?}/parameter/directory")"
 	DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
 fi
 SIGKEY="${DOMAIN:?}"
@ -90,50 +47,20 @@ if [ -f "${__object:?}/parameter/sigkey" ];
 then
 	SIGKEY="$(cat "${__object:?}/parameter/sigkey")"
 fi
 SIGDOMAIN="${DOMAIN:?}"
 if [ -f "${__object:?}/parameter/sigdomain" ];
 then
 	SIGDOMAIN="$(cat "${__object:?}/parameter/sigdomain")"
 fi
-# Ensure the key-container directory exists with the proper permissions
+__package opendkim-utils
 __directory "${DIRECTORY}" \
 	--mode 0750 \
 	--owner "${user}" --group "${group}"
-# OS-specific code
+require='__package/opendkim-utils' \
-case "$os" in
+	__file /etc/opendkim/KeyTable
-'alpine')
+require='__package/opendkim-utils' \
-	# This is needed for opendkim-genkey
+	__file /etc/opendkim/SigningTable
 	__package opendkim-utils
 ;;
 esac
-key_table="${CFG_DIR}/KeyTable"
+require='__file/etc/opendkim/KeyTable' \
-signing_table="${CFG_DIR}/SigningTable"
+	__line "line-key-${__object_id:?}" \
 		--file /etc/opendkim/KeyTable \
 		--line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
-KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")"
+require='__file/etc/opendkim/SigningTable' \
-KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")"
+	__line "line-sig-${__object_id:?}" \
-
+		--file /etc/opendkim/SigningTable \
-__line "__opendkim_genkey/${__object_id:?}" \
+		--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"
 	--file "${key_table}" \
 	--line "${__object_id:?} ${SIGDOMAIN:?}:${SELECTOR:?}:${KEY_LOCATION:?}" \
 	--regex "^${__object_id:?}[[:space:]]" \
 	--state 'replace'
 sigtable_block() {
 	for sigkey in ${SIGKEY:?}; do
 		echo "${sigkey:?} ${__object_id:?}"
 	done
 }
 __block "__opendkim_genkey/${__object_id:?}" \
 	--file "${signing_table}" \
 	--text "$(sigtable_block)"
 if [ "${KEY_STATE:?}" = "present" ]; then
 	# Ensure proper permissions for the key file
 	__file "${KEY_LOCATION}" \
 		--owner "${user}" \
 		--group "${group}" \
 		--mode 0600
 fi
--- a/type/__opendkim_genkey/parameter/optional
+++ b/type/__opendkim_genkey/parameter/optional
@ -1,6 +1,4 @@
 bits
 directory
 domain
 unrestricted
-selector
+sigkey
 sigdomain
--- a/type/__opendkim_genkey/parameter/optional_multiple
+++ b/type/__opendkim_genkey/parameter/optional_multiple
@ -1 +0,0 @@
 sigkey
--- a/type/__opendkim_genkey/parameter/required
+++ b/type/__opendkim_genkey/parameter/required
@ -0,0 +1,2 @@
 domain
 selector
--- a/type/__php_fpm/files/php.ini.sh
+++ b/type/__php_fpm/files/php.ini.sh
@ -1,45 +0,0 @@
 #!/bin/sh
 cat <<EOF
 ; This file is managed by cdist, and has been shortened for readability.
 ; The fine manual is at http://php.net/configuration.file.
 [PHP]
 ; Production recommended defaults
 display_errors = Off
 display_startup_errors = Off
 enable_dl = Off
 error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
 log_errors = On
 output_buffering = 4096
 register_argc_argv = Off
 request_order = "GP"
 short_open_tag = Off
 variables_order = "GPCS"
 zend.assertions = -1
 ; Local custom variations
 include_path = ".:${PHP_INCLUDEDIR}"
 memory_limit = ${MEMORY_LIMIT:?}
 post_max_size = ${UPLOAD_MAX_FILESIZE:?}
 upload_max_filesize = ${UPLOAD_MAX_FILESIZE:?}
 EOF
 if [ -f "${__object:?}/parameter/enable-opcache" ]; then
 	cat <<-EOF
 		; opcache enabled by type flag
 		opcache.enable=1
 		opcache.enable_cli=1
 	EOF
 fi
 if [ -f "${__object:?}/parameter/enable-apcu" ]; then
 	cat <<-EOF
 		; acpu enabled by type flag
 		apc.enabled=1
 		apc.enable_cli=1
 		apc.shm_size=512M
 	EOF
 fi
--- a/type/__php_fpm/man.rst
+++ b/type/__php_fpm/man.rst
@ -1,74 +0,0 @@
 cdist-type__php_fpm(7)
 ======================
 NAME
 ----
 cdist-type__php_fpm - Setup and configure PHP-FPM
 DESCRIPTION
 -----------
 This type installs and configures PHP-FPM for a given version of PHP. It is
 expected to be used in combination with cdist-type__php_fpm_pool, which
 configures specific pools.
 This type supports Debian, Ubuntu and Alpine Linux.
 REQUIRED PARAMETERS
 -------------------
 php-version
        The PHP version for which the type is working. Will impact installed
        packages, configuration files, &c
 OPTIONAL PARAMETERS
 -------------------
 memory-limit
        The system-wide memory limit for PHP-FPM. Can be overriden per-pool.
        Default is 512M.
 upload-max-filesize
        The maximum filesize accepted by PHP-FPM for file uploads. Default is
        2M.
 BOOLEAN PARAMETERS
 ------------------
 enable-opcache
        Enable PHP opcache.
 enable-apcu
        Enable PHP APCu.
 EXAMPLES
 --------
 .. code-block:: sh
    # Dead simple setup
    __php_fpm --php-version 8.1
    # Custom setup
    __php_fpm \
        --php-version 8.1 \
        --memory-limit 768M \
        --upload-max-filesize 200M \
        --enable-opcache \
        --enable-apcu
 SEE ALSO
 --------
 cdist-type__php_fpm_pool(7)
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
 COPYING
 -------
 Copyright \(C) 2022 Joachim Desroches. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/type/__php_fpm/manifest
+++ b/type/__php_fpm/manifest
@ -1,68 +0,0 @@
 #!/bin/sh
 os=$(cat "${__global:?}/explorer/os")
 PHPVER=$(cat "${__object:?}/parameter/php-version")
 export PHPVER
 case "$os" in
 	'alpine')
 		# Alpine packages looks like php81-fpm - we make sure to remove dots from user
 		# input.
 		PHPVER=$(echo "$PHPVER" | tr -d '.')
 		package="php${PHPVER}-fpm"
 		opcache_package="php${PHPVER}-opcache"
 		apcu_package="php${PHPVER}-pecl-apcu"
 		service="php-fpm${PHPVER}"
 		php_confdir="/etc/php${PHPVER}"
 		php_ini="${php_confdir:?}/php.ini"
 		PHP_INCLUDEDIR="/usr/share/php${PHPVER:?}"
 		export PHP_INCLUDEDIR
 	;;
 	'debian'|'ubuntu')
 		package="php${PHPVER}-fpm"
 		opcache_package="php${PHPVER}-opcache"
 		apcu_package="php${PHPVER}-apcu"
 		service="php${PHPVER}-fpm"
 		php_confdir="/etc/php/${PHPVER}"
 		php_ini="${php_confdir:?}/fpm/php.ini"
 		PHP_INCLUDEDIR="/usr/share/php/${PHPVER:?}"
 		export PHP_INCLUDEDIR
 	;;
 	*)
 		printf "Your operating system is currently not supported by this type\n" >&2
 		printf "Please contribute an implementation for it if you can.\n" >&2
 		exit 1
 		;;
 esac
 __package "$package"
 require="__package/$package" __start_on_boot "$service"
 if [ -f "${__object:?}/parameter/enable-opcache" ]; then
 	__package "$opcache_package"
 fi
 if [ -f "${__object:?}/parameter/enable-apcu" ]; then
 	__package "$apcu_package"
 fi
 MEMORY_LIMIT=$(cat "${__object:?}/parameter/memory-limit")
 export MEMORY_LIMIT
 UPLOAD_MAX_FILESIZE=$(cat "${__object:?}/parameter/upload-max-filesize")
 export UPLOAD_MAX_FILESIZE
 mkdir -p "${__object:?}/files"
 "${__type:?}/files/php.ini.sh" >"${__object:?}/files/php.ini"
 require="__package/$package" __file "${php_ini:?}" \
 	--mode 644 --source "${__object:?}/files/php.ini" \
 	--onchange "service $service restart"
 require="__file/${php_ini:?}" __service "$service" --action start
--- a/type/__php_fpm/parameter/boolean
+++ b/type/__php_fpm/parameter/boolean
@ -1,2 +0,0 @@
 enable-opcache
 enable-apcu
--- a/type/__php_fpm/parameter/default/memory-limit
+++ b/type/__php_fpm/parameter/default/memory-limit
@ -1 +0,0 @@
 512M
--- a/type/__php_fpm/parameter/default/upload-max-filesize
+++ b/type/__php_fpm/parameter/default/upload-max-filesize
@ -1 +0,0 @@
 2M
--- a/type/__php_fpm/parameter/optional
+++ b/type/__php_fpm/parameter/optional
@ -1,2 +0,0 @@
 upload-max-filesize
 memory-limit
--- a/type/__php_fpm/parameter/required
+++ b/type/__php_fpm/parameter/required
@ -1 +0,0 @@
 php-version
--- a/type/__php_fpm_pool/files/www.conf.sh
+++ b/type/__php_fpm_pool/files/www.conf.sh
@ -1,34 +0,0 @@
 #!/bin/sh
 cat <<EOF
 ; PHP-FPM configuration file for $POOL_NAME, PHP version $PHPVER.
 ; This file is managed by cdist, do not edit by hand!
 [$POOL_NAME]
 ; Local non-default configuration
 user = $POOL_USER
 group = $POOL_GROUP
 listen = $POOL_LISTEN_ADDR
 listen.owner = $POOL_LISTEN_OWNER
 ; Mandatory configuration options with default production values
 pm = dynamic
 pm.max_children = 10
 pm.min_spare_servers = 1
 pm.max_spare_servers = 3
 env[HOSTNAME] = \$HOSTNAME
 env[PATH] = /usr/local/bin:/usr/bin:/bin
 env[TMP] = /tmp
 env[TMPDIR] = /tmp
 env[TEMP] = /tmp
 EOF
 if [ -f "${__object:?}/parameter/memory-limit" ]; then
 	echo "php_admin_value[memory_limit] = $(cat "$__object/parameter/memory-limit")"
 fi
 if [ -f "${__object:?}/parameter/open-basedir" ]; then
 	echo "php_admin_value[open_basedir] = $(cat "${__object:?}/parameter/open-basedir")"
 fi
--- a/type/__php_fpm_pool/man.rst
+++ b/type/__php_fpm_pool/man.rst
@ -1,79 +0,0 @@
 cdist-type__php_fpm_pool(7)
 ===========================
 NAME
 ----
 cdist-type__php_fpm_pool - Setup and configure a PHP-FPM pool
 DESCRIPTION
 -----------
 This type configures a pool named after the `__object_id` for a specified PHP
 version. Note that this types expects a same-version cdist-type__php_fpm type
 to have been run first: the user is responsible for doing so.
 This type supports Debian, Ubuntu and Alpine Linux.
 REQUIRED PARAMETERS
 -------------------
 php-version
        The PHP version for which the type is working. Will impact installed
        packages, configuration files, &c
 pool-user
        The local user under which the pool processes should run.
 pool-group
        The local group under which the pool processes should run.
 pool-listen-addr
        The socket or address to which the pool should bind for listening.
 pool-listen-owner
        The owner of the socket if a socket is used.
 OPTIONAL PARAMETERS
 -------------------
 memory-limit
        The pool memory limit for PHP-FPM. Will default to the setting in the
        system-wide php.ini file.
 openbasedir
        Limit the files that can be accessed by PHP to the specified
        directory-tree, including the file itself.
 EXAMPLES
 --------
 .. code-block:: sh
    # Setup PHP-FPM
    __php_fpm --php-version 8
    # Setup the pool
    __php_fpm_pool www \
        --php-version 8 \
        --pool-user nextcloud \
        --pool-group www-data \
        --pool-listen-addr "/run/php8/php-fpm.sock" \
        --pool-listen-owner nginx \
        --memory-limit 1G
 SEE ALSO
 --------
 cdist-type__php_fpm(7)
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
 COPYING
 -------
 Copyright \(C) 2022 Joachim Desroches. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/type/__php_fpm_pool/manifest
+++ b/type/__php_fpm_pool/manifest
@ -1,40 +0,0 @@
 #!/bin/sh
 os=$(cat "${__global:?}/explorer/os")
 name=${__object_id:?}
 PHPVER=$(cat "${__object:?}/parameter/php-version")
 export PHPVER
 case "$os" in
 	'alpine')
 		PHPVER=$(echo "$PHP_VERSION" | tr -d '.')
 		service="php-fpm${PHPVER}"
 		php_confdir="/etc/php${PHPVER}"
 		php_pooldir="${php_confdir:?}/php-fpm.d"
 	;;
 	'debian'|'ubuntu')
 		service="php${PHPVER}-fpm"
 		php_confdir="/etc/php/${PHPVER}"
 		php_pooldir="${php_confdir:?}/fpm/pool.d"
 	;;
 	*)
 		printf "Your operating system is currently not supported by this type\n" >&2
 		printf "Please contribute an implementation for it if you can.\n" >&2
 		exit 1
 		;;
 esac
 POOL_NAME="$name"
 POOL_USER=$(cat "${__object:?}/parameter/pool-user")
 POOL_GROUP=$(cat "${__object:?}/parameter/pool-group")
 POOL_LISTEN_ADDR=$(cat "${__object:?}/parameter/pool-listen-addr")
 POOL_LISTEN_OWNER=$(cat "${__object:?}/parameter/pool-listen-owner")
 export POOL_USER POOL_GROUP POOL_LISTEN_ADDR POOL_LISTEN_OWNER POOL_NAME
 mkdir -p "${__object:?}/files"
 "${__type:?}/files/www.conf.sh" >"${__object:?}/files/www.conf"
 __file "${php_pooldir:?}/${name}.conf" \
 	--mode 644 --source "${__object:?}/files/www.conf" \
 	--onchange "service $service reload"
--- a/type/__php_fpm_pool/parameter/optional
+++ b/type/__php_fpm_pool/parameter/optional
@ -1,2 +0,0 @@
 memory-limit
 open-basedir
--- a/type/__php_fpm_pool/parameter/required
+++ b/type/__php_fpm_pool/parameter/required
@ -1,5 +0,0 @@
 php-version
 pool-user
 pool-group
 pool-listen-addr
 pool-listen-owner
--- a/type/__runit/manifest
+++ b/type/__runit/manifest
@ -6,14 +6,7 @@ os="$(cat "${__global}/explorer/os")"
 case "${os}" in
 	debian|devuan)
 		# zero-config sysvinit and systemd compatibility
-		os_version="$(cat "${__global}/explorer/os_version")"
+		__package runit-run
 		debian_package="runit-run"
 		case "${os_version}" in
 			beowulf)
 				debian_package="runit"
 			;;
 		esac
 		__package "${debian_package}"
 	;;
 	freebsd)
 		__key_value \
--- a/type/__runit_service/manifest
+++ b/type/__runit_service/manifest
@ -33,25 +33,18 @@ if [ "${state}" != "present" ]; then
 	exit
 fi
 # Setup run file
 __file --state "${state}" --mode 0550 --source "${source}" \
 	--onchange "sv restart '${sv}' || true" \
 	"${run_file}"
 export require="${require} __file${run_file}"
 if [ -f "${__object}/parameter/log" ]; then
 	# Setup logger if requested
-	logdir="/var/log/runit"
+	__directory --parents "${svdir}/${sv}/log/main"
-	__directory --parents "${svdir}/${sv}/log"
+	export require="${require} __directory${svdir}/${sv}/log/main"
 	__directory --state absent "${svdir}/${sv}/log/main"  # Remove lingering old fashioned log
 	__directory --parents "${logdir}/${sv}"
 	export require="${require} __directory${svdir}/${sv}/log __directory${logdir}/${sv}"
 	__file "${svdir}/${sv}/log/run" \
 		--state "${state}" \
 		--mode 0755 \
 		--onchange "sv restart '${sv}/log' || true" \
 		--source "-" <<EOF
 #!/bin/sh
-exec svlogd -tt '${logdir}/${sv}'
+exec svlogd -tt ./main
 EOF
 fi
 # Setup run file
 __file --state "${state}" --mode 0755 --source "${source}" "${run_file}"
--- a/type/__single_binary_service/explorer/explorer-version
+++ b/type/__single_binary_service/explorer/explorer-version
@ -1,10 +0,0 @@
 #!/bin/sh -e
 BIN_PREFIX="/usr/local/bin"
 SERVICE_NAME="${__object_id}"
 VERSION_FILE="${BIN_PREFIX}/.${SERVICE_NAME}.cdist.version"
 if [ -f "${VERSION_FILE}" ]; then
 	cat "${VERSION_FILE}"
 fi
--- a/type/__single_binary_service/man.rst
+++ b/type/__single_binary_service/man.rst
@ -1,195 +0,0 @@
 cdist-type__single_binary_service(7)
 ====================================
 NAME
 ----
 cdist-type__single_binary_service - Setup a single-binary service
 DESCRIPTION
 -----------
 This type is designed to easily deploy and configure a single-binary service
 named `${__object_id}`.
 A good example of this are Prometheus exporters.
 This type makes certain assumptions that might not be correct on your system.
 If you need more flexibility, please get in touch and provide a use-case
 (and hopefully a backwards-compatible patch).
 This type will place the downloaded binary and, if requested, other extra
 binaries in `/usr/local/bin`.
 If a `--config-file-source` is provided, it will be placed under:
 `/etc/${__object_id}.conf`.
 This type supports services managed by `__runit(7)` when `systemd` is not
 the init system being used.
 REQUIRED PARAMETERS
 -------------------
 checksum
    This will be passed verbatim to `__download(7)`.
    Use something like `sha256:...`.
 url
    This will be passed verbatim to `__download(7)`.
 version
    This type will use a thumbstone file with a "version" number to track
    whether or not a service must be updated.
    This thumbstone file is placed under
    `/usr/local/bin/.${__object_id}.cdist.version`.
 BOOLEAN PARAMETERS
 ------------------
 unpack
    If present, the contents of `--url` will be treated as an archive to be
    unpacked with `__unpack(7)`.
    See also `--unpack-args` and `--extra-binary`.
 do-not-manage-user
    Always considered present when `--user` is `root`.
    If present, the user in `--user` will not be managed by this type with
    `__user`, this means it *must* exist beforehand when installing the service
    and it will not be removed by this type.
 OPTIONAL PARAMETERS
 -------------------
 config-file-source
    If present, this file's contents will be placed under
    `/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to
    `--user` and `--group`.
    If `-` is passed, this type's `stdin` will be used.
 user
    The user under which the service will run. Defaults to `root`.
    If this user is not `root` and `--do-not-manage-user` is not present,
    this user will be created or removed as per the `--state` parameter.
 user-home-dir
    Does not have an effect if `--do-not-manage-user` is used or `--user` is
    `root`.
    The home directory of the service user. It will be created.
    Defaults to `/nonexistent`, in this case the home directory will not be
    created.
 group
    The group under which the service will run. Defaults to `--user`.
 state
    Whether the service is to be `present` (default) or `absent`.
    When `absent`, this type will clean any binaries listed in `--extra-binary`
    and also the config file as described in `--config-file-source`.
 binary
    This will be the binary name. Defaults to `${__object_id}`.
    If `--unpack` is used, a binary with this name must be unpacked.
    Otherwise, the contents of `--url` will be placed under this binary name.
 env
    An `env` file consiting of `ENVIRONMENT_VARIABLE=VALUE`, one variable per
    line.
    Empty lines and those starting with `#` are ignored.
 service-args
    Any extra arguments to pass along with `--service-exec`. Beware that any
    service-args having the format `--config=/etc/foo.cfg` should be
    represented in the following way `--service-exec='--config=/etc/foo.cfg'`
 service-exec
    The executable to use for this service.
    Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the
    resulting value of `--binary`.
 service-definition
    The service definition to be used as an override.
    Note that this type decides dinammically between runit and systemd, and
    you can currently only define either a systemd unit or a runit script here.
    Use this parameter only for testing and get in touch to discuss how your
    particular use-case can be supported by the type.
 service-description
    The service description to be used in, e.g. the systemd unit file.
    Defaults to `cdist-managed '${__object_id}' service`.
 unpack-args
    Only has an effect if `--unpack` is used.
    These arguments will be passed verbatim to `__unpack(7)`.
    Very useful as this type assumes the archive does not have the binaries in
    subdirectories; that can be worked around with
    `--unpack-args '--tar-strip 1'`.
 unpack-extension
    Only has an effect if `--unpack` is used.
    The file extension of the file to unpack, defaults to `.tar.gz`.
 working-directory
    If set, the working directory with which the service will be started.
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 extra-binary
    Only useful with `--unpack`.
    If passed, these binaries will also be installed when `--state` is `present`
    and removed when `--state` is `absent`.
    Handle with care :-).
 EXAMPLES
 --------
 .. code-block:: sh
 	# Install and enable the ipmi_exporter service
 	#   The variables are defined in the manifest previously
 	__single_binary_service ipmi_exporter \
 		--user "${USER}" \
 		--service-args ' --config.file=/etc/ipmi_exporter.conf' \
 		--version "${SHOULD_VERSION}" \
 		--checksum "${CHECKSUM}" \
 		--url "${DOWNLOAD_URL}" \
 		--state "present" \
 		--unpack \
 		--unpack-args "--tar-strip 1" \
 		--config-file-source '-' <<-EOF
 	# Remotely managed, changes will be lost
 	# [...] config contents goes here
 	EOF
 	# Remove the ipmi_exporter service along with the user and its config
 	__single_binary_service ipmi_exporter \
 		--user "${USER}" \
 		--version "${SHOULD_VERSION}" \
 		--checksum "${CHECKSUM}" \
 		--url "${DOWNLOAD_URL}" \
 		--state "absent"
 	# Same, but the service was using my user! Let's not delete that!
 	__single_binary_service ipmi_exporter \
 		--user "evilham" \
 		--do-not-manage-user \
 		--version "${SHOULD_VERSION}" \
 		--checksum "${CHECKSUM}" \
 		--url "${DOWNLOAD_URL}" \
 		--state "absent"
 SEE ALSO
 --------
 - `__download(7)`
 - `__unpack(7)`
 AUTHORS
 -------
 Evilham <contact@evilham.com>
 COPYING
 -------
 Copyright \(C) 2022 Evilham.
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Evilham	f9515def92	[__haproxy_dualstack] Improve manpage	2021-10-30 12:49:00 +02:00
Evilham	1d867f4778	[__haproxy_dualstack] New type with PROXY protocol support This is backwards compatible with what is already used internally @ungleich, but adds on top of that the ability to customise ports and, most importantly, it adds PROXY protocol support.	2021-10-30 12:34:14 +02:00
		`@ -1 +0,0 @@`
			`../../__jitsi_meet_domain/files/jitsi-version`
		`@ -1 +0,0 @@`
			`../../__jitsi_meet_domain/files/prosody.cfg.lua.sh`
		`@ -1,2 +0,0 @@`
			`This can cause inconsistencies with permissions and will stop being supported.`
			`If you still need this, you can use --custom-config 'UserId $USERID'.`