100 changed files with 818 additions and 4384 deletions
--- a/type/__bird_bgp/manifest
+++ b/type/__bird_bgp/manifest
@ -89,6 +89,7 @@ ipv4_import=
 if [ -f "${__object:?}"/parameter/ipv4-import ];
 then
 	ipv4_import="$(cat "${__object:?}"/parameter/ipv4-import)"
 	echo "FOO" >&2
 fi
 export ipv4_import
--- a/type/__bird_ospf/man.rst
+++ b/type/__bird_ospf/man.rst
@ -24,6 +24,12 @@ import
 export
    The keyword or filter to decide what to export in the above channel.
 REQUIRED MULTIPLE PARAMETERS
 ----------------------------
 interface
    An interface to include in OSPF area 0.
 OPTIONAL PARAMETERS
 -------------------
 description
@ -33,19 +39,12 @@ instance-id
    An OSPF instance ID, allowing several OSPF instances to run on the same
    links.
 extra-area-configuration
    Configuration string added to the `area` section of the OSPF configuration.
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 stubnet
    Add an optionless stubnet definition to the configuration.
 interface
    An interface to include in OSPF area 0. Is required unless
    extra-area-configuration is set.
 SEE ALSO
 --------
 cdist-type__bird_core(7)
--- a/type/__bird_ospf/manifest
+++ b/type/__bird_ospf/manifest
@ -44,21 +44,6 @@ then
 	instance_id="$(cat "${__object:?}/parameter/instance-id")"
 fi
 extra_area_configuration=
 if [ -f "${__object:?}/parameter/extra-area-configuration" ];
 then
 	extra_area_configuration="$(cat "${__object:?}/parameter/extra-area-configuration")"
 	if [ "$extra_area_configuration" = "-" ]; then
 		extra_area_configuration=$(cat "$__object/stdin")
 	fi
 fi
 if [ ! -f "${__object:?}/parameter/interface" ] && [ -z "$extra_area_configuration" ]; then
 	echo "Either --interface or --extra-area-configuration must be set." >&2
 	exit 1
 fi
 __file "${confdir:?}/ospf-${__object_id:?}.conf" \
 	--mode 0640 --owner root --group bird \
 	--source - << EOF
@ -74,8 +59,6 @@ $([ -n "${instance_id?}" ] && printf "\tinstance id %s;\n" "${instance_id?}")
 	area 0 {
 $(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
 $(sed -e 's/^/\t\tsubnet /' -e 's/$/;/' "${__object:?}/parameter/subnet")
 		$extra_area_configuration
 	};
 }
 EOF
--- a/type/__bird_ospf/parameter/optional
+++ b/type/__bird_ospf/parameter/optional
@ -1,3 +1,2 @@
 description
 instance-id
 extra-area-configuration
--- a/type/__bird_ospf/parameter/optional_multiple
+++ b/type/__bird_ospf/parameter/optional_multiple
@ -1,2 +1 @@
 stubnet
 interface
--- a/type/__bird_ospf/parameter/required_multiple
+++ b/type/__bird_ospf/parameter/required_multiple
--- a/type/__bird_radv/man.rst
+++ b/type/__bird_radv/man.rst
@ -15,29 +15,12 @@ autoconfigure IPv6 hosts, this type is a rudimentary implementation to generate
 configuration for Bird to do so.
-REQUIRED PARAMETERS
+REQUIRED MULTIPLE PARAMETERS
-------------------
+----------------------------
 interface
  The interfaces to activate the protocol on. RAs will be sent using the
  prefixes configured on these interfaces.
 OPTIONAL PARAMETERS
 -------------------
 mtu
  An optional MTU setting to include in the router advertisements.
 default-preference
  This option specifies the Default Router Preference value to advertise to
  hosts. Default: medium.
 route-preference
  This option specifies the default value of advertised route preference for
  specific routes. Default: medium.
 default-lifetime
  This option specifies the time (in seconds) how long (since the receipt of RA)
  hosts may use the router as a default router. 0 means do not use as a default
  router. Default: 3.
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
@ -58,7 +41,6 @@ EXAMPLES
    __bird_radv datacenter \
        --interface eth1 \
        --mtu 9000 \
        --route ::/0 \
        --ns 2001:DB8:cafe::4 \
        --ns 2001:DB8:cafe::14 \
--- a/type/__bird_radv/manifest
+++ b/type/__bird_radv/manifest
@ -55,52 +55,23 @@ then
 	DNSSL=$(sed -e 's/^/\tdnssl "/' -e 's/$/";/' "${__object:?}/parameter/dnssl")
 fi
 MTU=
 if [ -f "${__object:?}/parameter/mtu" ];
 then
 	MTU="link mtu $(cat "${__object:?}/parameter/mtu");"
 fi
 DEFAULT_PREFERENCE=
 if [ -f "${__object:?}/parameter/default-preference" ];
 then
 	DEFAULT_PREFERENCE="default preference $(cat "${__object:?}/parameter/default-preference");"
 fi
 ROUTE_PREFERENCE=
 if [ -f "${__object:?}/parameter/route-preference" ];
 then
 	ROUTE_PREFERENCE="route preference $(cat "${__object:?}/parameter/route-preference");"
 fi
 DEFAULT_LIFETIME=
 if [ -f "${__object:?}/parameter/default-lifetime" ];
 then
 	DEFAULT_LIFETIME="default lifetime $(cat "${__object:?}/parameter/default-lifetime");"
 fi
 __file "${confdir:?}/radv-${__object_id:?}.conf" \
 	--mode 0640 --owner root --group bird \
 	--source - << EOF
-ipv6 table radv_routes_${__object_id};
+ipv6 table radv_routes;
 protocol static {
 	description "Routes advertised via RAs";
-	ipv6 { table radv_routes_${__object_id}; };
+	ipv6 { table radv_routes; };
 $(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
 }
 protocol radv ${__object_id:?} {
 	propagate routes ${have_routes:?};
-	ipv6 { table radv_routes_${__object_id}; export all; };
+	ipv6 { table radv_routes; export all; };
-	interface "$(cat "${__object:?}/parameter/interface")" {
+$(sed -e 's/^/\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
 	$MTU
 	$DEFAULT_LIFETIME
 	$DEFAULT_PREFERENCE
 	$ROUTE_PREFERENCE
 	};
 $RDNS
--- a/type/__bird_radv/parameter/optional
+++ b/type/__bird_radv/parameter/optional
@ -1,4 +0,0 @@
 mtu
 default-preference
 route-preference
 default-lifetime
--- a/type/__bird_radv/parameter/required_multiple
+++ b/type/__bird_radv/parameter/required_multiple
@ -0,0 +1 @@
 interface
--- a/type/__borg_repo/manifest
+++ b/type/__borg_repo/manifest
@ -3,7 +3,7 @@
 os="$(cat "${__global:?}"/explorer/os)"
 case "$os" in
-	"alpine"|"ubuntu")
+	"alpine")
 		borg_package=borgbackup
 		;;
 	*)
@ -17,4 +17,3 @@ if [ -f "${__object:?}/parameter/owner" ];
 then
 	__package sudo
 fi
--- a/type/__jitsi_meet/explorer/configured-memory
+++ b/type/__jitsi_meet/explorer/configured-memory
@ -1,15 +0,0 @@
 #!/bin/sh -eu
 JICOFO="/usr/share/jicofo/jicofo.sh"
 VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc"
 if [ -f "${JICOFO:?}" ]; then
 	jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)"
 fi
 if [ -f "${VIDEOBRIDGE:?}" ]; then
 	vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)"
 fi
 cat <<EOF
 jicofo	${jicofo_memory:-n/a}
 videobridge	${vb_memory:-n/a}
 EOF
--- a/type/__jitsi_meet/explorer/jicofo-authpassword
+++ b/type/__jitsi_meet/explorer/jicofo-authpassword
@ -1,26 +0,0 @@
 #!/bin/sh -eu
 JICOFO_AUTHPASSWORD=""
 # We need this to properly configure jicofo
 # Default to reading debconf
 DEBCONF_PASS_FILE="/var/cache/debconf/passwords.dat"
 if [ -f "${DEBCONF_PASS_FILE}" ]; then
 	JICOFO_AUTHPASSWORD="$(grep -A1 'Template: jicofo/jicofo-authpassword' "${DEBCONF_PASS_FILE}" | tail -n 1 | cut -d ' ' -f 2-)"
 fi
 # Try jicofo.conf if necessary
 JICOFO_CONF_FILE="/etc/jitsi/jicofo/jicofo.conf"
 if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONF_FILE}" ]; then
 	JICOFO_AUTHPASSWORD="$(grep -E '^[[:space:]]*password:' "${JICOFO_CONF_FILE}" | sed -E 's!^[^:]*:[[:space:]]*"(.*)"$!\1!')"
 fi
 # And fallback to config file if necessary
 JICOFO_CONFIG_FILE="/etc/jitsi/jicofo/config"
 if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONFIG_FILE}" ]; then
 	JICOFO_AUTHPASSWORD="$(grep -E '^JICOFO_AUTH_PASSWORD=' "${JICOFO_CONFIG_FILE}" | cut -d '=' -f 2-)"
 fi
 # If we didn't find it, this is likely a new installation and we'll generate
 # the password on the manifest
 echo "${JICOFO_AUTHPASSWORD:-}"
--- a/type/__jitsi_meet/explorer/jitsi-status
+++ b/type/__jitsi_meet/explorer/jitsi-status
@ -1,6 +0,0 @@
 #!/bin/sh -eu
 if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
 	# TODO: detect curl / depend on it?
 	curl -s localhost:9888/metrics
 fi
--- a/type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version
+++ b/type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version
@ -0,0 +1,7 @@
 #!/bin/sh -e
 EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
 if [ -f "${EXPORTER_VERSION_FILE}" ]; then
 	cat "${EXPORTER_VERSION_FILE}"
 fi
--- a/type/__jitsi_meet/files/debconf_settings.sh
+++ b/type/__jitsi_meet/files/debconf_settings.sh
@ -5,6 +5,9 @@
 if false; then
 	# We are currently not using these, just here as documentation
 	DEBCONF_SETTINGS="$(cat <<EOF
 # Jicofo user password:
 jicofo	jicofo/jicofo-authpassword	password	STH
 jitsi-meet-prosody	jicofo/jicofo-authpassword	password	STH
 # The secret used to connect to xmpp server as component
 jitsi-meet-prosody	jitsi-videobridge/jvbsecret	password	STH
 jitsi-videobridge	jitsi-videobridge/jvbsecret	password	STH
@ -37,9 +40,6 @@ jitsi-videobridge	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
 jitsi-videobridge2	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
 # The hostname of the current installation:
 jitsi-meet-prosody	jitsi-meet-prosody/jvb-hostname string	${JITSI_HOST}
 # Jicofo user password:
 jicofo	jicofo/jicofo-authpassword	password	${JICOFO_AUTHPASSWORD}
 jitsi-meet-prosody	jicofo/jicofo-authpassword	password	${JICOFO_AUTHPASSWORD}
 # SSL certificate for the Jitsi Meet instance
 # Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
 jitsi-meet-web-config	jitsi-meet/cert-choice	select	Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)
--- a/type/__jitsi_meet/files/jicofo.conf.sh
+++ b/type/__jitsi_meet/files/jicofo.conf.sh
@ -1,38 +0,0 @@
 #!/bin/sh -eu
 # Start
 cat <<EOF
 # Managed remotely, changes will be lost
 # Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
 #available options, syntax, and default values.
 jicofo {
  xmpp: {
    client: {
      client-proxy: focus.${JITSI_HOST:?}
      xmpp-domain: "${JITSI_HOST:?}"
      domain: "auth.${JITSI_HOST:?}"
      username: "focus"
      password: "${JICOFO_AUTHPASSWORD:?}"
    }
    trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
  }
  bridge: {
    brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
  }
 EOF
 # Secured domains if needed
 if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
 cat <<EOF
  authentication: {
    enabled: true
    type: XMPP
    login-url: ${JITSI_HOST:?}
  }
 EOF
 fi
 # End
 echo '}'
--- a/type/__jitsi_meet/files/jitsi-version
+++ b/type/__jitsi_meet/files/jitsi-version
@ -1 +0,0 @@
 ../../__jitsi_meet_domain/files/jitsi-version
--- a/type/__jitsi_meet/files/prosody.cfg.lua.sh
+++ b/type/__jitsi_meet/files/prosody.cfg.lua.sh
@ -1 +0,0 @@
 ../../__jitsi_meet_domain/files/prosody.cfg.lua.sh
--- a/type/__jitsi_meet/gencode-remote
+++ b/type/__jitsi_meet/gencode-remote
@ -1,43 +1,11 @@
 #!/bin/sh -e
 memory="$(cat "${__global}/explorer/memory")"
 G="000000"  # Will totally eff up the zero-count otherwise
 # MAX_MEMORY will affect jicofo and videobridge
 #  As a rule of thumb, the machine's RAM should be more than 2.5 * MAX_MEMORY
 if [ "${memory}" -lt "3${G}" ]; then
 	# If you use this, let us know how it works!
 	MAX_MEMORY="768m"
 elif [ "${memory}" -lt "5${G}" ]; then
 	MAX_MEMORY="1024m"
 elif [ "${memory}" -lt "8${G}" ]; then
 	MAX_MEMORY="2048m"
 else
 	# Jitsi recommends running on 8G RAM and these are the defaults
 	MAX_MEMORY="3072m"
 fi
 if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}$"; then
 	# At least one service has different memory settings
 	RESTART_SERVICES="YES"
 	cat <<-EOF
 	sed -i.tmp -E \
 		-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
 		/usr/share/jitsi-videobridge/lib/videobridge.rc
 	sed -i.tmp -E \
 		-e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \
 		/usr/share/jicofo/jicofo.sh
 	EOF
 fi
 if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 	echo "service nginx reload"
 fi
-if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then
+JITSI_HOST="${__object_id}"
-	RESTART_SERVICES="YES"
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
 fi
 if [ -n "${RESTART_SERVICES}" ]; then
  echo "systemctl restart prosody"
  echo "systemctl restart jicofo"
  echo "systemctl restart jitsi-videobridge2"
--- a/type/__jitsi_meet/man.rst
+++ b/type/__jitsi_meet/man.rst
@ -21,24 +21,13 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up
 the web frontend (including TLS certificates) and its settings.
 You may want to use the `files/ufw` example manifest for a `__ufw`-based
-firewall compatible with this type that allows all ports needed by Jitsi-Meet.
+firewall compatible with this type.
-Note however that this will not deal with rules for SSH or for TCP port 9888,
+This file does not include rules for TCP port 9888, which exposes the
-which exposes the prometheus exporter if not disabled.
+prometheus exporter if not disabled.
-Remember to apply your own rules here, particularly regarding SSH.
+You should apply your own rules here.
 This type only works on De{bi,vu}an systems.
 It is very important for this type to stay up to date with the software, as
 otherwise new deployments or maintenance of existing instances might be
 negatively affected.
 If you can, please contribute updates to `__jitsi_meet` and
 `__jitsi_meet_domain` promptly and regularly.
 Alternatively, you can help finance that work; get in touch with the type
 authors for that (see below).
 This type takes care of adapting the maximum memory used by jicofo and
 videobridge in function of the hosts installed memory.
 NOTE: This type currently does not deal with setting up coturn.
      For that, you might want to check `__coturn` in
      https://code.ungleich.ch/ungleich-public/cdist-contrib
@ -47,14 +36,6 @@ NOTE: This type currently does not deal with setting up coturn.
 OPTIONAL PARAMETERS
 -------------------
 abort-conference-count
    Only has an effect if the prometheus exporter is enabled and if it is not
    empty (default).
    If at least this many conferences are active on the server, the type will
    bail out before making any changes.
    This is useful if you want to avoid service disruptions due to e.g. an SLA.
 turn-secret
    The shared secret for the TURN server.
@ -62,6 +43,11 @@ turn-server
    The hostname of the TURN server.
    This will assume that it is listening with TLS on port 443.
 jitsi-version
    The jitsi-meet version of the Debian package to be installed.
    While this can be specified, only the default value is known to work
    properly with this type.
 BOOLEAN PARAMETERS
 ------------------
@ -84,11 +70,9 @@ EXAMPLES
 .. code-block:: sh
-    # Setup the firewall for Jitsi-Meet
+    # Setup the firewall 
    . "${__global}/type/__jitsi_meet/files/ufw"
    export require="__ufw"
    # Setup firewall SSH rules as necessary
    __ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
    # Setup Jitsi on this host
    __jitsi_meet \
      --turn-server "turn.exo.cat" \
@ -108,4 +92,4 @@ Evilham <contact@evilham.com>
 COPYING
 -------
-Copyright \(C) 2022 Evilham.
+Copyright \(C) 2021 Evilham.
--- a/type/__jitsi_meet/manifest
+++ b/type/__jitsi_meet/manifest
@ -1,6 +1,7 @@
 #!/bin/sh -e
 os="$(cat "${__global}/explorer/os")"
 init="$(cat "${__global}/explorer/init")"
 case "${os}" in
 	devuan|debian)
 	;;
@ -10,37 +11,10 @@ case "${os}" in
 	;;
 esac
 current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
 JICOFO_AUTHPASSWORD="$(cat "${__object}/explorer/jicofo-authpassword")"
 if [ -z "${JICOFO_AUTHPASSWORD}" ]; then
 	# This is probably a first time installation, we'll generate the
 	# password which will be set in debconf by this type
 	# https://github.com/jitsi/jicofo/blob/aafb61b5363a1c4abdbf08e1444a6276b807993e/debian/postinst#L43
 	JICOFO_AUTHPASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)"
 fi
 ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
 if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
 	[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
 	cat <<-EOF
 Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
 There are currently ${current_conferences} active conferences.
 Try again at a later time or remove or increase --abort-conference-count
 	EOF
 	exit 1
 fi
 JITSI_HOST="${__target_host}"
-if [ -f "${__object}/parameter/jitsi-version" ]; then
+# Currently unused, see below
-	# This has been deprecated and will be removed 'soon'
+# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
 	JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
 else
 	# Note this won't be a parameter anymore, we won't let users stay behind
 	JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
 fi
 TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
 TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
@ -48,6 +22,8 @@ if [ -z "${TURN_SERVER}" ]; then
 	TURN_SERVER="${JITSI_HOST}"
 fi
 PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")"
 # The rest is loosely based on Jitsi's documentation
 # https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
@ -75,16 +51,17 @@ export require="${require} __apt_source/jitsi_meet __apt_update_index"
 # Pre-feed debconf settings, so Jitsi's installation has a good config
 # shellcheck source=type/__jitsi_meet/files/debconf_settings.sh
 . "${__type}/files/debconf_settings.sh"  # This defines DEBCONF_SETTINGS
-__debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
+__debconf_set_selections jitsi_meet --file - <<EOF
 ${DEBCONF_SETTINGS}
 EOF
 export require="${require} __debconf_set_selections/jitsi_meet"
 # Install and upgrade packages as needed
-#   NOTE: we are doing version pinning again, but it breaks sometimes when
+__package_apt jitsi-meet
-#         the version is not the latest.
+# We are not doing version pinning anymore because it breaks when
-#         This happens because dependencies might not be properly resolved.
+# the version is not the latest.
-#         To avoid this, this type must be maintained up to date.
+# This happens because dependencies cannot be properly resolved.
-#         If we don't use this, keeping Jitsi's up to date is very difficult.
+# --version "${JITSI_VERSION}"
 __package_apt jitsi-meet --version "${JITSI_VERSION}"
 # Proceed only after installation/upgrade has finished
 export require="__package_apt/jitsi-meet"
@ -148,11 +125,7 @@ require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-ava
 server_names_hash_bucket_size 64;
-types {
+# nginx server configuration for:
 # nginx's default mime.types doesn't include a mapping for wasm or wav.
    application/wasm     wasm;
    audio/wav            wav;
 }
 server {
@ -175,145 +148,95 @@ server {
 }
 EOF
 # Starting from 2.0.7210, jitsi defines following nginx upstreams
 __directory "${NGINX_ETC}/conf.d" --state present
 require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \
  --mode 644 \
  --source - << EOF
 upstream prosody {
    zone upstreams 64K;
    server 127.0.0.1:5280;
    keepalive 2;
 }
 EOF
 require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \
  --mode 644 \
  --source - << EOF
 upstream jvb1 {
    zone upstreams 64K;
    server 127.0.0.1:9090;
    keepalive 2;
 }
 EOF
 if [ -f "${__object}/parameter/secured-domains" ]; then
  SECURED_DOMAINS_STATE='present'
  SECURED_DOMAINS_STATE_JICOFO='replace'
 else
  SECURED_DOMAINS_STATE='absent'
  SECURED_DOMAINS_STATE_JICOFO='absent'
 fi
-# This is the main host config
+__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
-PROSODY_MAIN_CONFIG="YES"
+  --owner prosody --group prosody --mode 0440 \
-# Prosody settings for common components (jvb, focus, ...)
+  --state ${SECURED_DOMAINS_STATE} \
-# shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
+  --source - <<EOF
-. "${__type}/files/prosody.cfg.lua.sh"  # This defines PROSODY_CONFIG
+VirtualHost "${JITSI_HOST}"
-__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
+    authentication = "internal_plain"
-	--group prosody \
+
-	--mode 0440 \
+VirtualHost "guest.${JITSI_HOST}"
-	--source - <<EOF
+    authentication = "anonymous"
-${PROSODY_CONFIG}
+    c2s_require_encryption = false
 EOF
-# Clean up zauth.cfg.lua file, which we don't use now
+__block jitsi_jicofo_secured_domains \
-__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
+  --prefix "// begin cdist: jicofo_secured_domains" \
-  --state absent
+  --suffix "// end   cdist: jicofo_secured_domains" \
-
+  --file /etc/jitsi/jicofo/jicofo.conf \
-export SECURED_DOMAINS_STATE
+  --state "${SECURED_DOMAINS_STATE_JICOFO}" \
-export JITSI_HOST
+  --text '-' <<EOF
-export JICOFO_AUTHPASSWORD
+  authentication: {
-"${__type}/files/jicofo.conf.sh" | \
+    enabled: true
-	__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
+    type: XMPP
-
+    login-url: ${JITSI_HOST}
-# Enable the private colibri REST API end point for better stats
+  }
 __file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' <<EOFJVB
 videobridge {
    http-servers {
        public {
            port = 9090
        }
        private {
            port = 8080
        }
    }
    websockets {
        enabled = true
        domain = "${JITSI_HOST}:443"
        tls = true
    }
    apis {
        rest {
            enabled = true
        }
    }
 }
 EOFJVB
 # Enable simple per-domain body customisation
 __file "/usr/share/jitsi-meet/body.html" \
 	--mode 0644 \
 	--source '-' <<EOF
 <!--#include virtual="body-\${host}.html" -->
 EOF
 # These two should be changed on new release
-EXPORTER_VERSION="1.2.1"
+PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
-EXPORTER_CHECKSUM="sha256:46d4b8475b72fd7632a5203f1cc3c7067bed4629902b7780a1da85e4e06c2129"
+PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
-EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
+PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64"
-if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
+PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
-	EXPORTER_STATE="absent"
+if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
-else
+	case "${init}" in
-	EXPORTER_STATE="present"
+		init|sysvinit)
-fi
+			__runit
-__evilham_single_binary_service prometheus-jitsi-meet-exporter \
+			require="__runit" __runit_service \
-	--state "${EXPORTER_STATE}" \
+				prometheus-jitsi-meet-exporter --log --source - <<EOF
-	--do-not-manage-user \
+			#!/bin/sh -e
-	--user "nobody" \
+			cd /tmp
-	--group "nogroup" \
+			exec chpst -u "nobody:nogroup" env HOME="/tmp" \\
-	--version "${EXPORTER_VERSION}" \
+			     prometheus-jitsi-meet-exporter \\
-	--checksum "${EXPORTER_CHECKSUM}" \
+				-videobridge-url 'http://localhost:8888/stats' \\
-	--url "${EXPORTER_URL}" \
+				-web.listen-address ':9888' 2>&1
 	--unpack \
 	--service-args "-videobridge-url 'http://localhost:8080/colibri/stats' -web.listen-address ':9888'"
 #
 # Setup interpreter assets if requested
 # See: https://gitlab.com/mfmt/jsi/
 #
 jsi_updated_on="2022-04-21"
 __link "/usr/share/jitsi-meet/interpreters.html" \
 	--type symbolic \
 	--source "/opt/jsi/static/index.html.sample"
 __directory /opt/jsi --mode 0755
 export require="__directory/opt/jsi"
 __download /opt/jsi/jsi.tar.gz \
 	--url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \
 	--sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53"
 export require="__download/opt/jsi/jsi.tar.gz"
 __unpack /opt/jsi/jsi.tar.gz \
 	--preserve-archive \
 	--tar-strip 1 \
 	--destination /opt/jsi/static \
 	--onchange "$(cat <<EOF
 # Patch style.css to be served on /i/
 sed -i.tmp -E \
 	-e 's!url[(]/img/welcome-background.png[)]!url(/i/img/welcome-background.png)!' \
 	/opt/jsi/static/style.css
 # Patch jsi.js to be served on /i/
 #   and so it always uses the domain it's served from
 #   and so it uses /i/ROOM for the form
 sed -i.tmp -E \
 	-e 's!substr[(][0-9]+[)]!substr(3)!' \
 	-e 's!config[.]jitsimeet_url!url.host!' \
 	-e 's!(window[.]location[.]href)[[:space:]]*=[[:space:]]*"/"!\1 = "/i/"!' \
 	/opt/jsi/static/jsi.js
 # Patch the sample index.html, so it loads external_api.js from same host
 #   and to easen up on the branding
 #   and to enable browser cache
 sed -i.tmp -E \
 	-e "s!src=[^>]*(/external_api.js).!src='\1'!" \
 	-e "s!<h1>[^<]*</h1>!<h1>Jitsi Meetings with interpreter</h1>!" \
 	-e "s!https://meet.mayfirst.org!/!" \
 	-e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \
 	/opt/jsi/static/index.html.sample
 EOF
-)"
+
 			export require="__runit_service/prometheus-jitsi-meet-exporter"
 			JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter"
 		;;
 		systemd)
 			__systemd_unit prometheus-jitsi-meet-exporter.service \
 				--source "-" \
 				--enablement-state "enabled" <<EOF
 [Unit]
 Description=Metrics Exporter for Jitsi Meet
 After=network.target
 [Service]
 Type=simple
 DynamicUser=yes
 ExecStart=/usr/local/bin/prometheus-jitsi-meet-exporter -videobridge-url 'http://localhost:8888/stats' -web.listen-address ':9888'
 Restart=always
 [Install]
 WantedBy=multi-user.target
 EOF
 			export require="__systemd_unit/prometheus-jitsi-meet-exporter.service"
 			JITSI_MEET_EXPORTER_SERVICE="service prometheus-jitsi-meet-exporter %s"
 		;;
 	esac
 	if [ "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" != \
 		"${PROMETHEUS_JITSI_EXPORTER_IS_VERSION}" ]; then
 		# shellcheck disable=SC2059
 		__download \
 			/tmp/prometheus-jitsi-meet-exporter \
 			--url "${PROMETHEUS_JITSI_EXPORTER_URL}" \
 			--download remote \
 			--sum "${PROMETHEUS_JITSI_EXPORTER_CHECKSUM}" \
 			--onchange "$(printf "${JITSI_MEET_EXPORTER_SERVICE}" "stop") || true; chmod 555 /tmp/prometheus-jitsi-meet-exporter && mv /tmp/prometheus-jitsi-meet-exporter /usr/local/bin/prometheus-jitsi-meet-exporter && $(printf "${JITSI_MEET_EXPORTER_SERVICE}" "restart")"
 		printf "%s" "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" | \
 			require="${require} __download/tmp/prometheus-jitsi-meet-exporter" __file \
 			"${PROMETHEUS_JITSI_EXPORTER_VERSION_FILE}" \
 			--source "-"
 	fi
 fi
 # TODO: disable the exporter if it is deployed and then admin changes their mind
--- a/type/__jitsi_meet/parameter/default/abort-conference-count
+++ b/type/__jitsi_meet/parameter/default/abort-conference-count
--- a/type/__jitsi_meet/parameter/default/jitsi-version
+++ b/type/__jitsi_meet/parameter/default/jitsi-version
@ -0,0 +1 @@
 2.0.5765-1
--- a/type/__jitsi_meet/parameter/deprecated/jitsi-version
+++ b/type/__jitsi_meet/parameter/deprecated/jitsi-version
@ -1,4 +0,0 @@
 Supporting different versions lead to strange issues in the life-time of a
 Jitsi instance. Chiefly: difficulties upgrading.
 If you are specifying this for a valid reason, please get in touch.
--- a/type/__jitsi_meet/parameter/optional
+++ b/type/__jitsi_meet/parameter/optional
@ -1,4 +1,3 @@
 abort-conference-count
 jitsi-version
 turn-secret
 turn-server
--- a/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
+++ b/type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh
@ -1,35 +0,0 @@
 #!/bin/sh -eu
 # This is a helper to update the '.sh.orig' files for jitsi's
 # configuration files.
 # Then the changes must be propagated to their corresponding .sh
 # files by the type maintainer or a contributor
 # We could automate this, but are using it as an indicator for the
 # latest branch with which we conciliated changes.
 BRANCH="jitsi-meet_8319"
 REPO="https://github.com/jitsi/jitsi-meet"
 get_url() {
 	file="${1}"
 	printf "%s/raw/stable/%s/%s" "${REPO}" "${BRANCH}" "${file}"
 }
 download_file() {
 	file="${1}"
 	destination="${2:-${file}.sh.orig}"
 	url="$(get_url "${file}")"
 	echo "Downloading ${destination}"
 	curl -L "${url}" > "${destination}"
 	echo
 }
 download_file config.js
 download_file interface_config.js
 download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
 download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
 # Change the version file, maintainers should check that it matches
 # the deb version
 printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version
--- a/type/__jitsi_meet_domain/files/config.js.sh
+++ b/type/__jitsi_meet_domain/files/config.js.sh
--- a/type/__jitsi_meet_domain/files/config.js.sh.orig
+++ b/type/__jitsi_meet_domain/files/config.js.sh.orig
--- a/type/__jitsi_meet_domain/files/interface_config.js.sh
+++ b/type/__jitsi_meet_domain/files/interface_config.js.sh
@ -20,7 +20,7 @@ JITSI_INTERFACE_CONFIG_JS="$(cat <<EOF
 */
 var interfaceConfig = {
-    APP_NAME: '${BRANDING_APP_NAME}',
+    APP_NAME: 'Jitsi Meet',
    AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
    AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
@ -36,12 +36,42 @@ var interfaceConfig = {
    BRAND_WATERMARK_LINK: '',
    CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
    /**
     * Whether the connection indicator icon should hide itself based on
     * connection strength. If true, the connection indicator will remain
     * displayed while the participant has a weak connection and will hide
     * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
     * strong.
     *
     * @type {boolean}
     */
    CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
-    DEFAULT_BACKGROUND: '#040404',
+    /**
     * How long the connection indicator should remain displayed before hiding.
     * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
     *
     * @type {number}
     */
    CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
    /**
     * If true, hides the connection indicators completely.
     *
     * @type {boolean}
     */
    CONNECTION_INDICATOR_DISABLED: false,
    DEFAULT_BACKGROUND: '#474747',
    DEFAULT_LOCAL_DISPLAY_NAME: 'me',
    DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
    DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
    DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
    DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
    DISABLE_FOCUS_INDICATOR: false,
    /**
     * If true, notifications regarding joining/leaving are no longer displayed.
     */
@ -87,14 +117,21 @@ var interfaceConfig = {
    GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
    /**
     * Hide the logo on the deep linking pages.
     */
    HIDE_DEEP_LINKING_LOGO: false,
    /**
     * Hide the invite prompt in the header when alone in the meeting.
     */
    HIDE_INVITE_MORE_HEADER: false,
    INITIAL_TOOLBAR_TIMEOUT: 20000,
    JITSI_WATERMARK_LINK: 'https://jitsi.org',
    LANG_DETECTION: true, // Allow i18n to detect the system language
    LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
    LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
    /**
@ -114,6 +151,23 @@ var interfaceConfig = {
     */
    MOBILE_APP_PROMO: true,
    /**
     * Specify custom URL for downloading android mobile app.
     */
    MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
    /**
     * Specify custom URL for downloading f droid app.
     */
    MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
    /**
     * Specify URL for downloading ios mobile app.
     */
    MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
    NATIVE_APP_NAME: 'Jitsi Meet',
    // Names of browsers which should show a warning stating the current browser
    // has a suboptimal experience. Browsers which are not listed as optimal or
    // unsupported are considered suboptimal. Valid values are:
@ -131,7 +185,7 @@ var interfaceConfig = {
    RECENT_LIST_ENABLED: true,
    REMOTE_THUMBNAIL_RATIO: 1, // 1:1
-    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
    /**
     * Specify which sharing features should be displayed. If the value is not set
@ -142,12 +196,13 @@ var interfaceConfig = {
    SHOW_BRAND_WATERMARK: false,
    /**
-     * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
+    * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
-     * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
+    * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
-     * being already installed is done before rendering.
+    * being already installed is done before rendering.
-     */
+    */
    SHOW_CHROME_EXTENSION_BANNER: false,
    SHOW_DEEP_LINKING_IMAGE: false,
    SHOW_JITSI_WATERMARK: true,
    SHOW_POWERED_BY: false,
    SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@ -158,6 +213,16 @@ var interfaceConfig = {
     */
    SUPPORT_URL: 'https://community.jitsi.org/',
    TOOLBAR_ALWAYS_VISIBLE: false,
    /**
     * DEPRECATED!
     * This config was moved to config.js as \`toolbarButtons\`.
     */
    // TOOLBAR_BUTTONS: [],
    TOOLBAR_TIMEOUT: 4000,
    // Browsers, in addition to those which do not fully support WebRTC, that
    // are not supported and should show the unsupported browser page.
    UNSUPPORTED_BROWSERS: [],
@ -188,31 +253,6 @@ var interfaceConfig = {
     */
    // TILE_VIEW_MAX_COLUMNS: 5,
    // List of undocumented settings
    /**
     INDICATOR_FONT_SIZES
     PHONE_NUMBER_REGEX
    */
    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
    /**
     * Specify URL for downloading ios mobile app.
     */
    // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
    /**
     * Specify custom URL for downloading android mobile app.
     */
    // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
    /**
     * Specify mobile app scheme for opening the app from the mobile browser.
     */
    // APP_SCHEME: 'org.jitsi.meet',
    // NATIVE_APP_NAME: 'Jitsi Meet',
    /**
     * Specify Firebase dynamic link properties for the mobile apps.
     */
@ -225,9 +265,9 @@ var interfaceConfig = {
    // },
    /**
-     * Hide the logo on the deep linking pages.
+     * Specify mobile app scheme for opening the app from the mobile browser.
     */
-    // HIDE_DEEP_LINKING_LOGO: false,
+    // APP_SCHEME: 'org.jitsi.meet',
    /**
     * Specify the Android app package name.
@ -235,42 +275,17 @@ var interfaceConfig = {
    // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
    /**
-     * Specify custom URL for downloading f droid app.
+     * Override the behavior of some notifications to remain displayed until
     * explicitly dismissed through a user action. The value is how long, in
     * milliseconds, those notifications should remain displayed.
     */
-    // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
+    // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
-    // Connection indicators (
+    // List of undocumented settings
-    // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
+    /**
-    // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
+     INDICATOR_FONT_SIZES
-    // CONNECTION_INDICATOR_DISABLED) got moved to config.js.
+     PHONE_NUMBER_REGEX
-
+    */
    // Please use disableModeratorIndicator from config.js
    // DISABLE_FOCUS_INDICATOR: false,
    // Please use defaultLocalDisplayName from config.js
    // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
    // Please use defaultLogoUrl from config.js
    DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
    // Please use defaultRemoteDisplayName from config.js
    // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
    // Moved to config.js as \`toolbarConfig.initialTimeout\`.
    // INITIAL_TOOLBAR_TIMEOUT: 20000,
    // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
    // Documentation reference for the live streaming feature.
    // LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
    // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
    // TOOLBAR_ALWAYS_VISIBLE: false,
    // This config was moved to config.js as \`toolbarButtons\`.
    // TOOLBAR_BUTTONS: [],
    // Moved to config.js as \`toolbarConfig.timeout\`.
    // TOOLBAR_TIMEOUT: 4000,
    // Allow all above example options to include a trailing comma and
    // prevent fear when commenting out the last value.
--- a/type/__jitsi_meet_domain/files/interface_config.js.sh.orig
+++ b/type/__jitsi_meet_domain/files/interface_config.js.sh.orig
@ -25,12 +25,42 @@ var interfaceConfig = {
    BRAND_WATERMARK_LINK: '',
    CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
    /**
     * Whether the connection indicator icon should hide itself based on
     * connection strength. If true, the connection indicator will remain
     * displayed while the participant has a weak connection and will hide
     * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
     * strong.
     *
     * @type {boolean}
     */
    CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
-    DEFAULT_BACKGROUND: '#040404',
+    /**
     * How long the connection indicator should remain displayed before hiding.
     * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
     *
     * @type {number}
     */
    CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
    /**
     * If true, hides the connection indicators completely.
     *
     * @type {boolean}
     */
    CONNECTION_INDICATOR_DISABLED: false,
    DEFAULT_BACKGROUND: '#474747',
    DEFAULT_LOCAL_DISPLAY_NAME: 'me',
    DEFAULT_LOGO_URL: 'images/watermark.svg',
    DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
    DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
    DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
    DISABLE_FOCUS_INDICATOR: false,
    /**
     * If true, notifications regarding joining/leaving are no longer displayed.
     */
@ -76,14 +106,21 @@ var interfaceConfig = {
    GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
    /**
     * Hide the logo on the deep linking pages.
     */
    HIDE_DEEP_LINKING_LOGO: false,
    /**
     * Hide the invite prompt in the header when alone in the meeting.
     */
    HIDE_INVITE_MORE_HEADER: false,
    INITIAL_TOOLBAR_TIMEOUT: 20000,
    JITSI_WATERMARK_LINK: 'https://jitsi.org',
    LANG_DETECTION: true, // Allow i18n to detect the system language
    LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
    LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
    /**
@ -103,6 +140,23 @@ var interfaceConfig = {
     */
    MOBILE_APP_PROMO: true,
    /**
     * Specify custom URL for downloading android mobile app.
     */
    MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
    /**
     * Specify custom URL for downloading f droid app.
     */
    MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
    /**
     * Specify URL for downloading ios mobile app.
     */
    MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
    NATIVE_APP_NAME: 'Jitsi Meet',
    // Names of browsers which should show a warning stating the current browser
    // has a suboptimal experience. Browsers which are not listed as optimal or
    // unsupported are considered suboptimal. Valid values are:
@ -120,7 +174,7 @@ var interfaceConfig = {
    RECENT_LIST_ENABLED: true,
    REMOTE_THUMBNAIL_RATIO: 1, // 1:1
-    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
    /**
     * Specify which sharing features should be displayed. If the value is not set
@ -131,12 +185,13 @@ var interfaceConfig = {
    SHOW_BRAND_WATERMARK: false,
    /**
-     * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
+    * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
-     * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
+    * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
-     * being already installed is done before rendering.
+    * being already installed is done before rendering.
-     */
+    */
    SHOW_CHROME_EXTENSION_BANNER: false,
    SHOW_DEEP_LINKING_IMAGE: false,
    SHOW_JITSI_WATERMARK: true,
    SHOW_POWERED_BY: false,
    SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@ -147,6 +202,16 @@ var interfaceConfig = {
     */
    SUPPORT_URL: 'https://community.jitsi.org/',
    TOOLBAR_ALWAYS_VISIBLE: false,
    /**
     * DEPRECATED!
     * This config was moved to config.js as `toolbarButtons`.
     */
    // TOOLBAR_BUTTONS: [],
    TOOLBAR_TIMEOUT: 4000,
    // Browsers, in addition to those which do not fully support WebRTC, that
    // are not supported and should show the unsupported browser page.
    UNSUPPORTED_BROWSERS: [],
@ -177,31 +242,6 @@ var interfaceConfig = {
     */
    // TILE_VIEW_MAX_COLUMNS: 5,
    // List of undocumented settings
    /**
     INDICATOR_FONT_SIZES
     PHONE_NUMBER_REGEX
    */
    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
    /**
     * Specify URL for downloading ios mobile app.
     */
    // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
    /**
     * Specify custom URL for downloading android mobile app.
     */
    // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
    /**
     * Specify mobile app scheme for opening the app from the mobile browser.
     */
    // APP_SCHEME: 'org.jitsi.meet',
    // NATIVE_APP_NAME: 'Jitsi Meet',
    /**
     * Specify Firebase dynamic link properties for the mobile apps.
     */
@ -214,9 +254,9 @@ var interfaceConfig = {
    // },
    /**
-     * Hide the logo on the deep linking pages.
+     * Specify mobile app scheme for opening the app from the mobile browser.
     */
-    // HIDE_DEEP_LINKING_LOGO: false,
+    // APP_SCHEME: 'org.jitsi.meet',
    /**
     * Specify the Android app package name.
@ -224,42 +264,17 @@ var interfaceConfig = {
    // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
    /**
-     * Specify custom URL for downloading f droid app.
+     * Override the behavior of some notifications to remain displayed until
     * explicitly dismissed through a user action. The value is how long, in
     * milliseconds, those notifications should remain displayed.
     */
-    // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
+    // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
-    // Connection indicators (
+    // List of undocumented settings
-    // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
+    /**
-    // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
+     INDICATOR_FONT_SIZES
-    // CONNECTION_INDICATOR_DISABLED) got moved to config.js.
+     PHONE_NUMBER_REGEX
-
+    */
    // Please use disableModeratorIndicator from config.js
    // DISABLE_FOCUS_INDICATOR: false,
    // Please use defaultLocalDisplayName from config.js
    // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
    // Please use defaultLogoUrl from config.js
    // DEFAULT_LOGO_URL: 'images/watermark.svg',
    // Please use defaultRemoteDisplayName from config.js
    // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
    // Moved to config.js as `toolbarConfig.initialTimeout`.
    // INITIAL_TOOLBAR_TIMEOUT: 20000,
    // Please use `liveStreaming.helpLink` from config.js
    // Documentation reference for the live streaming feature.
    // LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
    // Moved to config.js as `toolbarConfig.alwaysVisible`.
    // TOOLBAR_ALWAYS_VISIBLE: false,
    // This config was moved to config.js as `toolbarButtons`.
    // TOOLBAR_BUTTONS: [],
    // Moved to config.js as `toolbarConfig.timeout`.
    // TOOLBAR_TIMEOUT: 4000,
    // Allow all above example options to include a trailing comma and
    // prevent fear when commenting out the last value.
--- a/type/__jitsi_meet_domain/files/jitsi-version
+++ b/type/__jitsi_meet_domain/files/jitsi-version
@ -1 +0,0 @@
 2.0.8319-1
--- a/type/__jitsi_meet_domain/files/nginx.sh
+++ b/type/__jitsi_meet_domain/files/nginx.sh
@ -2,37 +2,6 @@
 # shellcheck disable=SC2034  # This is intended to be included
 JITSI_NGINX_CONFIG="$(cat <<EOF
 # Jitsi uses following lines by default, in our cdist types they must be commented
 # out as we already set it with __jitsi_meet in the default server config.
 #server_names_hash_bucket_size 64;
 #
 #types {
 ## nginx's default mime.types doesn't include a mapping for wasm or wav.
 #    application/wasm     wasm;
 #    audio/wav            wav;
 #}
 # These upstreams are managed by __jitsi_meet
 #upstream prosody {
 #    zone upstreams 64K;
 #    server 127.0.0.1:5280;
 #    keepalive 2;
 #}
 #upstream jvb1 {
 #    zone upstreams 64K;
 #    server 127.0.0.1:9090;
 #    keepalive 2;
 #}
 #map \$arg_vnode \$prosody_node {
 #    default prosody;
 #    v1 v1;
 #    v2 v2;
 #    v3 v3;
 #    v4 v4;
 #    v5 v5;
 #    v6 v6;
 #    v7 v7;
 #    v8 v8;
 #}
 server {
    listen 80;
    listen [::]:80;
@ -41,7 +10,7 @@ server {
    include snippets/acme-challenge.conf;
    location / {
-        return 301 https://\$host\$request_uri;
+       return 301 https://\$host\$request_uri;
    }
 }
 server {
@ -51,7 +20,7 @@ server {
    include snippets/acme-challenge.conf;
-    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
@ -61,7 +30,6 @@ server {
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    set \$prefix "";
    ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
@ -103,14 +71,7 @@ server {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }
-    location = /_api/room-info {
+    #ensure all static content can always be found first
        proxy_pass http://prosody/room-info?prefix=\$prefix&\$args;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header Host \$http_host;
    }
    # ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
    {
        add_header 'Access-Control-Allow-Origin' '*';
@ -118,67 +79,40 @@ server {
        # cache all versioned files
        if (\$arg_v) {
-            expires 1y;
+          expires 1y;
        }
    }
    # Paths for jsi / interpreters
    location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /opt/jsi/static/\$1;
        # cache all versioned files
        if (\$arg_v) {
            expires 1y;
        }
    }
    location ~ ^/i/
    {
        try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;
    }
    # BOSH
    location = /http-bind {
-        proxy_pass http://prosody/http-bind?prefix=\$prefix&\$args;
+        proxy_pass      http://localhost:5280/http-bind;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For \$remote_addr;
 	# Prevision for 'multi-domain' jitsi instances
 	# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
-        proxy_set_header Host ${DOMAIN};
+        proxy_set_header Host ${JITSI_HOST};
        proxy_set_header Connection "";
    }
    # xmpp websockets
    location = /xmpp-websocket {
-        proxy_pass http://prosody/xmpp-websocket?prefix=\$prefix&\$args;
+        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
 	# Prevision for 'multi-domain' jitsi instances
 	# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
-        proxy_set_header Host ${DOMAIN};
+        proxy_set_header Host ${JITSI_HOST};
        tcp_nodelay on;
    }
    # colibri (JVB) websockets for jvb1
    location ~ ^/colibri-ws/default-id/(.*) {
-        proxy_pass http://jvb1/colibri-ws/default-id/\$1\$is_args\$args;
+       proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args;
-        proxy_http_version 1.1;
+       proxy_http_version 1.1;
-        proxy_set_header Upgrade \$http_upgrade;
+       proxy_set_header Upgrade \$http_upgrade;
-        proxy_set_header Connection "upgrade";
+       proxy_set_header Connection "upgrade";
-        tcp_nodelay on;
+       tcp_nodelay on;
    }
    # load test minimal client, uncomment when used
    #location ~ ^/_load-test/([^/?&:'"]+)\$ {
    #    rewrite ^/_load-test/(.*)\$ /load-test/index.html break;
    #}
    #location ~ ^/_load-test/libs/(.*)\$ {
    #    add_header 'Access-Control-Allow-Origin' '*';
    #    alias /usr/share/jitsi-meet/load-test/libs/\$1;
    #}
    location ~ ^/([^/?&:'"]+)\$ {
        try_files \$uri @root_path;
    }
@ -189,10 +123,17 @@ server {
    location ~ ^/([^/?&:'"]+)/config.js\$
    {
       set \$subdomain "\$1.";
       set \$subdir "\$1/";
       alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
    }
    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)\$ {
        set \$subdomain "\$1.";
        set \$subdir "\$1/";
-
+        rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
        alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
    }
    # BOSH for subdomains
@ -212,21 +153,6 @@ server {
        rewrite ^/(.*)\$ /xmpp-websocket;
    }
    location ~ ^/([^/?&:'"]+)/_api/room-info {
        set \$subdomain "\$1.";
        set \$subdir "\$1/";
        set \$prefix "\$1";
        rewrite ^/(.*)\$ /_api/room-info;
    }
    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)\$ {
        set \$subdomain "\$1.";
        set \$subdir "\$1/";
        rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
    }
 }
 EOF
 )"
--- a/type/__jitsi_meet_domain/files/nginx.sh.orig
+++ b/type/__jitsi_meet_domain/files/nginx.sh.orig
@ -1,45 +1,19 @@
 server_names_hash_bucket_size 64;
 types {
 # nginx's default mime.types doesn't include a mapping for wasm or wav.
    application/wasm     wasm;
    audio/wav            wav;
 }
 upstream prosody {
    zone upstreams 64K;
    server 127.0.0.1:5280;
    keepalive 2;
 }
 upstream jvb1 {
    zone upstreams 64K;
    server 127.0.0.1:9090;
    keepalive 2;
 }
 map $arg_vnode $prosody_node {
    default prosody;
    v1 v1;
    v2 v2;
    v3 v3;
    v4 v4;
    v5 v5;
    v6 v6;
    v7 v7;
    v8 v8;
 }
 server {
    listen 80;
    listen [::]:80;
    server_name jitsi-meet.example.com;
    location ^~ /.well-known/acme-challenge/ {
-        default_type "text/plain";
+       default_type "text/plain";
-        root         /usr/share/jitsi-meet;
+       root         /usr/share/jitsi-meet;
    }
    location = /.well-known/acme-challenge/ {
-        return 404;
+       return 404;
    }
    location / {
-        return 301 https://$host$request_uri;
+       return 301 https://$host$request_uri;
    }
 }
 server {
@ -47,7 +21,7 @@ server {
    listen [::]:443 ssl;
    server_name jitsi-meet.example.com;
-    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
@ -57,7 +31,6 @@ server {
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    set $prefix "";
    ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
    ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
@ -85,14 +58,7 @@ server {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }
-    location = /_api/room-info {
+    #ensure all static content can always be found first
        proxy_pass http://prosody/room-info?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }
    # ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
@ -100,22 +66,20 @@ server {
        # cache all versioned files
        if ($arg_v) {
-            expires 1y;
+          expires 1y;
        }
    }
    # BOSH
    location = /http-bind {
-        proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args;
+        proxy_pass      http://localhost:5280/http-bind;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header Connection "";
    }
    # xmpp websockets
    location = /xmpp-websocket {
-        proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args;
+        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
@ -125,22 +89,13 @@ server {
    # colibri (JVB) websockets for jvb1
    location ~ ^/colibri-ws/default-id/(.*) {
-        proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
+       proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
-        proxy_http_version 1.1;
+       proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
+       proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
+       proxy_set_header Connection "upgrade";
-        tcp_nodelay on;
+       tcp_nodelay on;
    }
    # load test minimal client, uncomment when used
    #location ~ ^/_load-test/([^/?&:'"]+)$ {
    #    rewrite ^/_load-test/(.*)$ /load-test/index.html break;
    #}
    #location ~ ^/_load-test/libs/(.*)$ {
    #    add_header 'Access-Control-Allow-Origin' '*';
    #    alias /usr/share/jitsi-meet/load-test/libs/$1;
    #}
    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }
@ -151,10 +106,17 @@ server {
    location ~ ^/([^/?&:'"]+)/config.js$
    {
       set $subdomain "$1.";
       set $subdir "$1/";
       alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
    }
    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
-
+        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
        alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
    }
    # BOSH for subdomains
@ -174,19 +136,4 @@ server {
        rewrite ^/(.*)$ /xmpp-websocket;
    }
    location ~ ^/([^/?&:'"]+)/_api/room-info {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";
        rewrite ^/(.*)$ /_api/room-info;
    }
    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }
 }
--- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
@ -1,220 +0,0 @@
 #!/bin/sh -eu
 # Source:
 # https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
 FOCUS_USER="focus"
 JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
 # PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
 PROSODY_SECUREDOMAIN_START="--[["
 PROSODY_SECUREDOMAIN_END="--]]"
 if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
 	PROSODY_MAIN_START=""
 	PROSODY_MAIN_END=""
 	PROSODY_DOMAIN_START="--[["
 	PROSODY_DOMAIN_END="--]]"
 else
 	PROSODY_MAIN_START="--[["
 	PROSODY_MAIN_END="--]]"
 	PROSODY_DOMAIN_START=""
 	PROSODY_DOMAIN_END=""
 	if [ -n "${SECURED_DOMAINS}" ]; then
 		PROSODY_SECUREDOMAIN_START=""
 		PROSODY_SECUREDOMAIN_END=""
 	fi
 fi
 # Websockets haven't been fully tested in this type and don't work reliably
 PROSODY_WEBSOCKET="-- "
 # shellcheck disable=SC2034  # This is intended to be included
 PROSODY_CONFIG="$(cat <<EOFPROSODY
 -- Managed remotely, changes will be lost
 ${PROSODY_MAIN_START}
 -- This will be managed by __jitsi_meet
 plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
 -- domain mapper options, must at least have domain base set to use the mapper
 muc_mapper_domain_base = "${JITSI_HOST:?}";
 external_service_secret = "${TURN_SECRET:-TurnSecret}";
 external_services = {
     { type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
     { type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
 };
 cross_domain_bosh = false;
 consider_bosh_secure = true;
 -- Use websockets
 -- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
 ${PROSODY_WEBSOCKET}consider_websocket_secure = true;
 -- https_ports = { }; -- Remove this line to prevent listening on port 5284
 -- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
 --http_cors_override = {
 --    bosh = {
 --        enabled = false;
 --    };
 --    websocket = {
 --        enabled = false;
 --    };
 --}
 -- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
 ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 }
 unlimited_jids = {
    "${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
    "jvb@auth.${JITSI_HOST:?}"
 }
 ${PROSODY_MAIN_END}
 ${PROSODY_DOMAIN_START}
 -- This will be managed by __jitsi_meet_domain
 VirtualHost "${JITSI_DOMAIN:?}"
    authentication = "jitsi-anonymous" -- do not delete me
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
        certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
    }
    av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
    speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
    conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
    end_conference_component = "endconference.${JITSI_DOMAIN:?}"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "end_conference";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
        "room_metadata";
 ${PROSODY_WEBSOCKET}        "websocket";
 ${PROSODY_WEBSOCKET}        "smacks";
    }
    smacks_max_unacked_stanzas = 5;
    smacks_hibernation_time = 60;
    smacks_max_hibernated_sessions = 1;
    smacks_max_old_sessions = 1;
    c2s_require_encryption = false
    lobby_muc = "lobby.${JITSI_DOMAIN:?}"
    breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
    room_metadata_component = "metadata.${JITSI_DOMAIN:?}"
    main_muc = "conference.${JITSI_DOMAIN:?}"
    -- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
 Component "conference.${JITSI_DOMAIN:?}" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "polls";
        --"token_verification";
        "muc_rate_limit";
    }
    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
    muc_room_locking = false
    muc_room_default_public_jids = true
 Component "breakout.${JITSI_DOMAIN:?}" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "muc_rate_limit";
        "polls";
    }
    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
    muc_room_locking = false
    muc_room_default_public_jids = true
 -- internal muc component
 Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
    muc_room_locking = false
    muc_room_default_public_jids = true
    -- https://prosody.im/doc/modules/mod_muc
    muc_room_cache_size = 1000
 ${PROSODY_DOMAIN_END}
 ${PROSODY_MAIN_START}
 -- This will be managed by __jitsi_meet
 VirtualHost "auth.${JITSI_DOMAIN:?}"
    ssl = {
       key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
       certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
    }
    modules_enabled = {
        "limits_exception";
    }
    authentication = "internal_hashed"
 ${PROSODY_MAIN_END}
 ${PROSODY_DOMAIN_START}
 -- This will be managed by __jitsi_meet_domain
 -- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
 Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
    -- Single focus user for the whole instance
    target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
 Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
    muc_component = "conference.${JITSI_DOMAIN:?}"
 Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
    muc_component = "conference.${JITSI_DOMAIN:?}"
 Component "endconference.${JITSI_DOMAIN:?}" "end_conference"
    muc_component = "conference.${JITSI_DOMAIN:?}"
 Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
    muc_component = "conference.${JITSI_DOMAIN:?}"
 Component "lobby.${JITSI_DOMAIN:?}" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
    modules_enabled = {
        "muc_rate_limit";
        "polls";
    }
 Component "metadata.${JITSI_DOMAIN:?}" "room_metadata_component"
    muc_component = "conference.${JITSI_DOMAIN:?}"
    breakout_rooms_component = "breakout.${JITSI_DOMAIN:?}"
 ${PROSODY_DOMAIN_END}
 ${PROSODY_SECUREDOMAIN_START}
 -- Only used on secured domains
 VirtualHost "${JITSI_DOMAIN}"
    authentication = "internal_plain"
 VirtualHost "guest.${JITSI_DOMAIN}"
    authentication = "anonymous"
    c2s_require_encryption = false
 ${PROSODY_SECUREDOMAIN_END}
 EOFPROSODY
 )"
--- a/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
+++ b/type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig
@ -1,148 +0,0 @@
 plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
 -- domain mapper options, must at least have domain base set to use the mapper
 muc_mapper_domain_base = "jitmeet.example.com";
 external_service_secret = "__turnSecret__";
 external_services = {
     { type = "stun", host = "jitmeet.example.com", port = 3478 },
     { type = "turn", host = "jitmeet.example.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "jitmeet.example.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
 };
 cross_domain_bosh = false;
 consider_bosh_secure = true;
 -- https_ports = { }; -- Remove this line to prevent listening on port 5284
 -- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
 --http_cors_override = {
 --    bosh = {
 --        enabled = false;
 --    };
 --    websocket = {
 --        enabled = false;
 --    };
 --}
 -- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
 ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 }
 unlimited_jids = {
    "focusUser@auth.jitmeet.example.com",
    "jvb@auth.jitmeet.example.com"
 }
 VirtualHost "jitmeet.example.com"
    authentication = "jitsi-anonymous" -- do not delete me
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/jitmeet.example.com.key";
        certificate = "/etc/prosody/certs/jitmeet.example.com.crt";
    }
    av_moderation_component = "avmoderation.jitmeet.example.com"
    speakerstats_component = "speakerstats.jitmeet.example.com"
    conference_duration_component = "conferenceduration.jitmeet.example.com"
    end_conference_component = "endconference.jitmeet.example.com"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "end_conference";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
        "room_metadata";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.jitmeet.example.com"
    breakout_rooms_muc = "breakout.jitmeet.example.com"
    room_metadata_component = "metadata.jitmeet.example.com"
    main_muc = "conference.jitmeet.example.com"
    -- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
 Component "conference.jitmeet.example.com" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "polls";
        --"token_verification";
        "muc_rate_limit";
    }
    admins = { "focusUser@auth.jitmeet.example.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true
 Component "breakout.jitmeet.example.com" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "muc_rate_limit";
        "polls";
    }
    admins = { "focusUser@auth.jitmeet.example.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true
 -- internal muc component
 Component "internal.auth.jitmeet.example.com" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true
 VirtualHost "auth.jitmeet.example.com"
    modules_enabled = {
        "limits_exception";
    }
    authentication = "internal_hashed"
 -- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
 Component "focus.jitmeet.example.com" "client_proxy"
    target_address = "focusUser@auth.jitmeet.example.com"
 Component "speakerstats.jitmeet.example.com" "speakerstats_component"
    muc_component = "conference.jitmeet.example.com"
 Component "conferenceduration.jitmeet.example.com" "conference_duration_component"
    muc_component = "conference.jitmeet.example.com"
 Component "endconference.jitmeet.example.com" "end_conference"
    muc_component = "conference.jitmeet.example.com"
 Component "avmoderation.jitmeet.example.com" "av_moderation_component"
    muc_component = "conference.jitmeet.example.com"
 Component "lobby.jitmeet.example.com" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
    modules_enabled = {
        "muc_rate_limit";
        "polls";
    }
 Component "metadata.jitmeet.example.com" "room_metadata_component"
    muc_component = "conference.jitmeet.example.com"
    breakout_rooms_component = "breakout.jitmeet.example.com"
--- a/type/__jitsi_meet_domain/man.rst
+++ b/type/__jitsi_meet_domain/man.rst
@ -11,24 +11,14 @@ DESCRIPTION
 -----------
 This type installs and configures the frontend for Jitsi-Meet.
-Additionally to regular Jitsi-Meet, users can load `DOMAIN/i/` and
+This supports "multi-domain" installations, notice that in such a setup, all
-`DOMAIN/i/ROOM` for an interpreter-enabled interface; this is done with a
+rooms are shared across the different URLs, e.g.
 patched version of Jitsi Simultaneous Interpretation (jsi; see references).
 At least a user with `interpreter` in their name must be present.
 This type supports "multi-domain" installations.
 New in April 2022: rooms are independent for each domain, that is:
 https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
-different rooms.
+equivalent.
 Note however, that right now if using secured domains, users are still shared
 across any domains hosted in the same instance.
 One way to work around that could be to run multiple jicofos, but we do not
 want to bloat the servers.
 A better way is to patch jicofo, get in touch with the type authors if you want
 the gory details.
 This is due to the underlying XMPP and signaling rooms being common.
 There might be a way to perform tricks on the Nginx-side to avoid this, but
 time is lacking :-).
 This assumes `__jitsi_meet` has already been ran on the target host, and,
 amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain.
@ -51,11 +41,6 @@ admin-email
 OPTIONAL PARAMETERS
 -------------------
 analytics-settings
    This goes inside the `analytics` part of `config.js`.
    Defaults to: `disabled: true`.
    See: https://github.com/jitsi/jitsi-meet/blob/master/config.js
 channel-last-n
    Default value for the "last N" attribute.
    Defaults to 20. Set to -1 for unlimited.
@ -75,10 +60,6 @@ start-video-muted
    Defaults to 10.
 state
    Whether the domain is 'present' or 'absent', defaults to 'present'.
 turn-server
    The TURN server to be used.
    Defaults to `__target_host`.
@ -93,15 +74,6 @@ video-constraints
    It must not have a trailing comma, see `constraints` in
    `__jitsi_meet_domain/files/config.js.sh`.
 branding-app-name
    This will change `Jitsi Meet` in many places to the brand you desire.
    Defaults to `Jitsi Meet`.
 branding-extra-body
    This must be valid HTML, it will be included server-side and delivered to
    clients alongside the default `index.html`.
    This is useful if you would rather not replace the whole `index`, but
    still want the chance to do some heavier branding / add instructions / etc.
 branding-json
    Path to a JSON file that will be served as the `dynamicBrandingUrl`.
@ -109,12 +81,14 @@ branding-json
    `__jitsi_meet_domain/files/config.js.sh`.
    If not set, no branding will be set up.
 branding-index
    Path to an HTML file that will be served instead of Jitsi-Meet's default
    one.
    If not set, the default index file will be used.
    If set to `-`, the type's standard input will be used.
 branding-watermark
    Path to a png file that will be served instead of Jitsi-Meet's default
    one.
@ -169,7 +143,6 @@ SEE ALSO
 --------
 - `__jitsi_meet(7)`
 - `__jitsi_meet_user(7)`
 - Jitsi Meet Simultaneous Interpretation: https://gitlab.com/mfmt/jsi
 AUTHORS
--- a/type/__jitsi_meet_domain/manifest
+++ b/type/__jitsi_meet_domain/manifest
@ -18,12 +18,9 @@ NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")"
 START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
 TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
 VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
 ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")"
 BRANDING_APP_NAME="$(cat "${__object}/parameter/branding-app-name")"
 BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
 BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
 BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
 STATE="$(cat "${__object}/parameter/state")"
 if [ "${BRANDING_INDEX}" = "-" ]; then
 	BRANDING_INDEX="${__object}/stdin"
@ -50,31 +47,11 @@ if [ -n "${BRANDING_JSON}" ]; then
 	DYNAMIC_BRANDING_URL="/branding.json"
 fi
 case "${STATE}" in
 	present)
 		# When adding the domain, Let's Encrypt must come before nginx
 		le_require=""
 		nginx_require="__letsencrypt_cert/${DOMAIN}"
 		;;
 	absent)
 		# When removing, nginx must come before Let's Encrypt
 		le_require="__file/etc/nginx/sites-enabled/${DOMAIN}.conf"
 		nginx_require=""
 		;;
 	*)
 		cat >> /dev/stderr <<-EOM
 		Unsupported state '${STATE}', must be 'present' or 'absent'.
 		EOM
 		exit 1
 		;;
 esac
 #
 # Deal with certbot
 #
 # use object id as domain
-require="${le_require}" __letsencrypt_cert "${DOMAIN}" \
+__letsencrypt_cert "${DOMAIN}" \
 	--state "${STATE}" \
 	--admin-email "${ADMIN_EMAIL}" \
 	--deploy-hook "service nginx reload" \
 	--webroot /usr/share/jitsi-meet
@ -82,9 +59,8 @@ require="${le_require}" __letsencrypt_cert "${DOMAIN}" \
 # Create virtualhost for nginx
 # shellcheck source=type/__jitsi_meet_domain/files/nginx.sh
 . "${__type}/files/nginx.sh"  # This defines JITSI_NGINX_CONFIG
-require="${nginx_require}" __file \
+require="__letsencrypt_cert/${DOMAIN}" __file \
 	"/etc/nginx/sites-enabled/${DOMAIN}.conf" \
 	--state "${STATE}" \
 	--mode 0644 --source "-" <<EOF
 ${JITSI_NGINX_CONFIG}
 EOF
@ -93,7 +69,6 @@ EOF
 # shellcheck source=type/__jitsi_meet_domain/files/config.js.sh
 . "${__type}/files/config.js.sh"  # This defines JITSI_CONFIG_JS
 __file "/etc/jitsi/meet/${DOMAIN}-config.js" \
 	--state "${STATE}" \
 	--mode 0644 --source "-" <<EOF
 ${JITSI_CONFIG_JS}
 EOF
@ -102,7 +77,6 @@ EOF
 # shellcheck source=type/__jitsi_meet_domain/files/interface_config.js.sh
 . "${__type}/files/interface_config.js.sh"  # This defines JITSI_CONFIG_JS
 __file "/etc/jitsi/meet/${DOMAIN}-interface_config.js" \
 	--state "${STATE}" \
 	--mode 0644 --source "-" <<EOF
 ${JITSI_INTERFACE_CONFIG_JS}
 EOF
@ -113,7 +87,7 @@ EOF
 #
 # Helper function to manage the state of the target branding file
 _var_state() {
-	if [ "${STATE}" = "present" ] && [ -n "${1}" ]; then
+	if [ -n "${1}" ]; then
 		echo "present"
 	else
 		echo "absent"
@ -132,43 +106,3 @@ __file "/usr/share/jitsi-meet/images/watermark-${DOMAIN}.png" \
 	--mode 0644 \
 	--state "$(_var_state "${BRANDING_WATERMARK}")" \
 	--source "${BRANDING_WATERMARK}"
 # Simple body customisation
 __file "/usr/share/jitsi-meet/body-${DOMAIN}.html" \
 	--mode 0644 \
 	--state "$(_var_state "${STATE}")" \
 	--source "${__object}/parameter/branding-extra-body"
 #
 # Take care of prosody settings for the domain
 #
 JITSI_DOMAIN="${DOMAIN}"
 # Prosody settings for common components (jvb, focus, ...)
 # shellcheck source=type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
 . "${__type}/files/prosody.cfg.lua.sh"  # This defines PROSODY_CONFIG
 __file "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
 	--group prosody \
 	--mode 0440 \
 	--state "${STATE}" \
 	--source '-' <<EOF
 ${PROSODY_CONFIG}
 EOF
 __link "/etc/prosody/conf.d/${DOMAIN}.cfg.lua" \
 	--source "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
 	--state "${STATE}" \
 	--type symbolic
 if [ "${STATE}" = "present" ]; then
 	export require="${require} __file/etc/prosody/conf.avail/${DOMAIN}.cfg.lua __link/etc/prosody/conf.d/${DOMAIN}.cfg.lua"
 	__check_messages "prosody/${DOMAIN}" \
 		--pattern '^(__file|__link)/etc/prosody/conf[.](avail|d)/' \
 		--execute "$(cat <<EOF
 if [ ! -f "/var/lib/prosody/${DOMAIN}.crt" ]; then
 	echo | prosodyctl cert generate '${DOMAIN}';
 	ln -sf '/var/lib/prosody/${DOMAIN}.key' '/etc/prosody/certs/${DOMAIN}.key'
 	ln -sf '/var/lib/prosody/${DOMAIN}.crt' '/etc/prosody/certs/${DOMAIN}.crt'
 fi
 # Surprisingly, a reload is not enough
 service prosody restart
 EOF
 )"
 fi
--- a/type/__jitsi_meet_domain/parameter/default/analytics-settings
+++ b/type/__jitsi_meet_domain/parameter/default/analytics-settings
@ -1 +0,0 @@
        disabled: true
--- a/type/__jitsi_meet_domain/parameter/default/branding-app-name
+++ b/type/__jitsi_meet_domain/parameter/default/branding-app-name
@ -1 +0,0 @@
 Jitsi Meet
--- a/type/__jitsi_meet_domain/parameter/default/branding-extra-body
+++ b/type/__jitsi_meet_domain/parameter/default/branding-extra-body
--- a/type/__jitsi_meet_domain/parameter/default/state
+++ b/type/__jitsi_meet_domain/parameter/default/state
@ -1 +0,0 @@
 present
--- a/type/__jitsi_meet_domain/parameter/optional
+++ b/type/__jitsi_meet_domain/parameter/optional
@ -1,13 +1,9 @@
 analytics-settings
 channel-last-n
 default-language
 notice-message
 start-video-muted
 turn-server
 video-constraints
 branding-app-name
 branding-json
 branding-index
 branding-extra-body
 branding-watermark
 state
--- a/type/__matrix_element/files/config.json.sh
+++ b/type/__matrix_element/files/config.json.sh
@ -34,12 +34,12 @@ EOF
    if [ "$BRANDING_AUTH_FOOTER_LINKS" != "" ]; then
        cat << EOF
-        "authFooterLinks": $BRANDING_AUTH_FOOTER_LINKS,
+        "authFooterLinks": "$BRANDING_AUTH_FOOTER_LINKS",
 EOF
    fi
    cat << EOF
-    "welcomeBackgroundUrl": "$BRANDING_WELCOME_BACKGROUND_URL"
+    "welcomeBackgroundUrl": "themes/element/img/backgrounds/lake.jpg"
 EOF
    echo '},'
 }
@ -52,7 +52,7 @@ cat << EOF
            "server_name": "$DEFAULT_SERVER_NAME"
        },
        "m.identity_server": {
-            "base_url": "$IDENTITY_SERVER_URL"
+            "base_url": "https://vector.im"
        }
    },
    "brand": "$BRAND",
@ -85,10 +85,6 @@ cat << EOF
            "url": "$COOKIE_POLICY_URL",
            "text": "Cookie Policy"
        }
-    ],
+    ]
   "embeddedPages": {
        "welcomeUrl": "$WELCOME_PAGE_URL",
        "homeUrl": "$HOME_PAGE_URL"
    }
 }
 EOF
--- a/type/__matrix_element/man.rst
+++ b/type/__matrix_element/man.rst
@ -27,28 +27,12 @@ default_server_name
 default_server_url
  URL of matrix homeserver to connect to, defaults to 'https://matrix-client.matrix.org'.
 identity_server_url
  URL of matrix identity server to connect to, defaults to 'https://vector.im'.
  See element documentation
  `<https://github.com/vector-im/element-web/blob/develop/docs/config.md#identity-servers>_`
  for details.
 owner
  Owner of the deployed files, passed to `chown`. Defaults to 'root'.
 brand
  Web UI branding, defaults to 'Element'.
 branding_auth_header_logo_url
  A logo image that is shown in the header during authentication flows.
 branding_welcome_background_url
  An image to use as a wallpaper outside the app during authentication flows. If an array is passed, an image is chosen randomly for each visit.
 branding_auth_footer_links
  a list of links to show in the authentication page footer: `[{"text": "Link
  text", "url": "https://link.target"}, {"text": "Other link", ...}]`
 default_country_code
  ISO 3166 alpha2 country code to use when showing country selectors, such as
  phone number inputs. Defaults to GB.
--- a/type/__matrix_element/manifest
+++ b/type/__matrix_element/manifest
@ -25,13 +25,11 @@ INSTALL_DIR=$(cat "$__object/parameter/install_dir")
 export DEFAULT_SERVER_NAME=$(cat "$__object/parameter/default_server_name")
 export DEFAULT_SERVER_URL=$(cat "$__object/parameter/default_server_url")
 export IDENTITY_SERVER_URL=$(cat "$__object/parameter/identity_server_url")
 export BRAND=$(cat "$__object/parameter/brand")
 export DEFAULT_COUNTRY_CODE=$(cat "$__object/parameter/default_country_code")
 export ROOM_DIRECTORY_SERVERS=$(cat "$__object/parameter/room_directory_servers")
 export PRIVACY_POLICY_URL=$(cat "$__object/parameter/privacy_policy_url")
 export COOKIE_POLICY_URL=$(cat "$__object/parameter/cookie_policy_url")
 export BRANDING_WELCOME_BACKGROUND_URL=$(cat "$__object/parameter/branding_welcome_background_url")
 if [ -f "$__object/parameter/jitsi_domain" ]; then
    export JITSI_DOMAIN=$(cat "$__object/parameter/jitsi_domain")
@ -46,24 +44,14 @@ if [ -f "$__object/parameter/branding_auth_footer_links" ]; then
 fi
 if [ -f "$__object/parameter/homepage" ]; then
    export EMBED_HOMEPAGE=1
    homepage=$(cat "$__object/parameter/homepage")
    if [ -f "$homepage" ]; then
      upload_homepage=1
    else
      export HOME_PAGE_URL=$homepage
    fi
 fi
 WELCOME_PAGE_URL="welcome.html"
 if [ -f "$__object/parameter/welcomepage" ]; then
    export EMBED_WELCOMEPAGE=1
    welcomepage=$(cat "$__object/parameter/welcomepage")
    if [ -f welcomepage ]; then
      export UPLOAD_WELCOMEPAGE=1
    else
      WELCOME_PAGE_URL=$welcomepage
    fi
 fi
 export WELCOME_PAGE_URL
 if [ -f "$__object/parameter/custom_asset" ]; then
   "$__object/parameter/custom_asset" | while IFS= read -r file; do
@ -103,14 +91,14 @@ require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/config.json"
  --mode 0664 \
  --state present
-if [ $upload_homepage ]; then
+if [ $EMBED_HOMEPAGE ]; then
    require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/home.html" \
      --source "$homepage" \
      --mode 0664 \
      --state present
 fi
-if [ $upload_welcomepage ]; then
+if [ $EMBED_WELCOMEPAGE ]; then
    require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/welcome.html" \
      --source "$welcomepage" \
      --mode 0664 \
--- a/type/__matrix_element/parameter/default/branding_welcome_background_url
+++ b/type/__matrix_element/parameter/default/branding_welcome_background_url
@ -1 +0,0 @@
 themes/element/img/backgrounds/lake.jpg
--- a/type/__matrix_element/parameter/default/identity_server
+++ b/type/__matrix_element/parameter/default/identity_server
--- a/type/__matrix_element/parameter/optional
+++ b/type/__matrix_element/parameter/optional
@ -1,6 +1,5 @@
 default_server_url
 default_server_name
 identity_server_url
 brand
 default_country_code
 privacy_policy_url
@ -12,4 +11,3 @@ welcomepage
 jitsi_domain
 branding_auth_header_logo_url
 branding_auth_footer_links
 branding_welcome_background_url
--- a/type/__matrix_synapse/files/homeserver.yaml.sh
+++ b/type/__matrix_synapse/files/homeserver.yaml.sh
@ -448,7 +448,7 @@ retention:
  # matter much because Synapse doesn't take it into account yet.
  #
  default_policy:
-    min_lifetime: ${MESSAGE_RETENTION_POLICY_MIN_LIFETIME:?}
+    min_lifetime: 1d
    max_lifetime: ${MESSAGE_RETENTION_POLICY_MAX_LIFETIME:?}
  # Retention policy limits. If set, and the state of a room contains a
@ -1175,26 +1175,14 @@ fi
 cat << EOF
 # The shared secret used to compute passwords for the TURN server
 #
-EOF
+turn_shared_secret: "$TURN_SHARED_SECRET"
 if [ -n "$TURN_SHARED_SECRET" ]; then
 	echo "turn_shared_secret: \"$TURN_SHARED_SECRET\""
 fi
 cat << EOF
 # The Username and password if the TURN server needs them and
 # does not use a token
 #
-EOF
+#turn_username: "TURNSERVER_USERNAME"
 #turn_password: "TURNSERVER_PASSWORD"
 if [ -n "$TURN_USERNAME" ] || [ "$TURN_PASSWORD" ]; then
 	cat <<- EOF
 	turn_username: "$TURN_USERNAME"
 	turn_password: "$TURN_PASSWORD"
 	EOF
 fi
 cat << EOF
 # How long generated TURN credentials last
 #
 turn_user_lifetime: ${TURN_USER_LIFETIME:?}
@ -1334,7 +1322,7 @@ fi
 cat << EOF
 # Enable 3PIDs lookup requests to identity servers from this server.
 #
-enable_3pid_lookup: ${ENABLE_3PID_LOOKUPS:?}
+#enable_3pid_lookup: true
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
@ -1342,12 +1330,9 @@ EOF
 if [ -n "$REGISTRATION_SHARED_SECRET" ]; then
 	echo "registration_shared_secret: '$REGISTRATION_SHARED_SECRET'"
 else
 	echo "# registration_shared_secret: 'secret'"
 fi
 cat << EOF
 # Set the number of bcrypt rounds used to generate password hash.
 # Larger numbers increase the work factor needed to generate the hash.
 # The default number is 12 (which equates to 2^12 rounds).
@ -1368,13 +1353,7 @@ allow_guest_access: ${ALLOW_GUEST_ACCESS:?}
 # (By default, no suggestion is made, so it is left up to the client.)
 #
 #default_identity_server: https://matrix.org
 EOF
 if [ -n "$DEFAULT_IDENTITY_SERVER" ]; then
 	echo "default_identity_server: \"$DEFAULT_IDENTITY_SERVER\""
 fi
 cat << EOF
 # Handle threepid (email/phone etc) registration and password resets through a set of
 # *trusted* identity servers. Note that this allows the configured identity server to
 # reset passwords for accounts!
@ -1406,7 +1385,7 @@ account_threepid_delegates:
 #
 # Does not apply to server administrators. Defaults to 'true'
 #
-enable_set_displayname: ${ENABLE_SET_DISPLAYNAME:?}
+#enable_set_displayname: false
 # Whether users are allowed to change their avatar after it has been
 # initially set. Useful when provisioning users based on the contents
@ -1421,7 +1400,7 @@ enable_set_displayname: ${ENABLE_SET_DISPLAYNAME:?}
 #
 # Defaults to 'true'
 #
-enable_3pid_changes: ${ENABLE_3PID_CHANGES:?}
+#enable_3pid_changes: false
 # Users who register on this homeserver will automatically be joined
 # to these rooms.
@ -1717,24 +1696,7 @@ saml2_config:
    #  local: ["saml2/idp.xml"]
    #  remote:
    #    - url: https://our_idp/metadata.xml
 EOF
 if [ -n "$SAML2_IDP_METADATA_URL" ]; then
 	cat << EOF
    metadata:
      remote:
        - url: "$SAML2_IDP_METADATA_URL"
 EOF
 fi
 if [ -n "$SAML2_SP_CERT" ] || [ -n "$SAML2_SP_KEY" ]; then
 	cat << EOF
    key_file: "$SAML2_SP_KEY"
    cert_file: "$SAML2_SP_CERT"
 EOF
 fi
 cat << EOF
    # Allowed clock difference in seconds between the homeserver and IdP.
    #
    # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
@ -1808,15 +1770,7 @@ cat << EOF
    # The custom module's class. Uncomment to use a custom module.
    #
    #module: mapping_provider.SamlMappingProvider
 EOF
 if [ -n "$SAML2_MAPPING_PROVIDER_MODULE" ]; then
 	cat << EOF
    module: "$SAML2_MAPPING_PROVIDER_MODULE"
 EOF
 fi
 cat << EOF
    # Custom configuration values for the module. Below options are
    # intended for the built-in provider, they should be changed if
    # using a custom module. This section will be passed as a Python
@ -1846,17 +1800,6 @@ cat << EOF
      # value will be used instead.
      #
      #mxid_mapping: dotreplace
 EOF
 if [ -n "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" ]; then
 	echo "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" | while IFS= read -r entry; do
 		cat << EOF
      $entry
 EOF
 	done
 fi
 cat << EOF
  # In previous versions of synapse, the mapping from SAML attribute to
  # MXID was always calculated dynamically rather than stored in a
@ -2191,7 +2134,7 @@ sso:
    # You can see the default templates at:
    # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
    #
-    template_dir: "${SSO_TEMPLATE_DIR:?}"
+    #template_dir: "res/templates"
 # JSON web token integration. The following settings can be used to make
--- a/type/__matrix_synapse/gencode-remote
+++ b/type/__matrix_synapse/gencode-remote
@ -8,7 +8,7 @@ case "$os" in
 		synapse_conf_dir=/etc/synapse
 		synapse_service=synapse
 		;;
-	debian|ubuntu)
+	debian)
 		synapse_conf_dir=/etc/matrix-synapse
 		synapse_service=matrix-synapse
 		;;
--- a/type/__matrix_synapse/man.rst
+++ b/type/__matrix_synapse/man.rst
@ -1,5 +1,5 @@
 cdist-type__matrix_synapse(7)
-=============================
+======================
 NAME
 ----
@ -8,7 +8,7 @@ cdist-type__matrix_synapse - Install and configure Synapse, a Matrix homeserver
 DESCRIPTION
 -----------
-This type installs and configures the Synapse Matrix homeserver. This is a
+This type install and configure the Synapse Matrix homeserver. This is a
 signleton type.
@ -52,13 +52,13 @@ ldap-base-dn
  Base DN of your LDAP tree.
 ldap-uid-attribute
-  LDAP attribute mapping to Synapse's uid field, default to uid.
+  LDAP attriute mapping to Synapse's uid field, default to uid.
 ldap-mail-attribute
-  LDAP attribute mapping to Synapse's mail field, default to mail.
+  LDAP attriute mapping to Synapse's mail field, default to mail.
 ldap-name-attribute
-  LDAP attribute mapping to Synapse's name field, default to givenName.
+  LDAP attriute mapping to Synapse's name field, default to givenName.
 ldap-bind-dn
  User used to authenticate against your LDAP server in 'search' mode.
@ -81,7 +81,7 @@ smtp-host
  The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
 smtp-port
-  The port on the mail server for outgoing SMTP. Defaults to 25.
+  # The port on the mail server for outgoing SMTP. Defaults to 25.
 smtp-user
  Username for authentication to the SMTP server. By
@ -133,14 +133,6 @@ turn-uri
 turn-shared-secret
  Shared secret used to access the TURN REST API.
 turn-username
  Username used to authenticate against the TURN server if needed / a shared
  secret token is not used.
 turn-password
  Password used to authenticate against the TURN server if needed / a shared
  secret token is not used.
 turn-user-lifetime
  Lifetime of TURN credentials. Defaults to 1h.
@ -162,12 +154,6 @@ rc-login-burst
 registration-allows-email-pattern
    Only allow email addresses matching specified filter. Can be specified multiple times. A pattern must look like `.*@vector\.im`.
 disable-displayname-changes
  Whether users are allowed to change their displayname after it has been initially set.
 disable-3pid-changes
  Whether users can change the 3PIDs associated with their accounts (email address and msisdn).
 auto-join-room
  Room where newly-registered users are automatically added. Can be specified multiple times.
@ -195,25 +181,6 @@ bind-address
  Address used to bind the synapse listeners. Can be specified multiple times.
  Defaults to '::1' and '127.0.0.1'.
 saml2-idp-metadata-url
  HTTP(S) url to SAML2 Identity Provider (IdP), used for Single Sign On (SSO) logic.
 saml2-sp-key
  Path to PEM-formatted key file for use by PySAML2.
 saml2-sp-cert
  Path to PEM-formatted cert file for use by PySAML2.
 saml2-mapping-provider-module
  Name of custom Python module used to map SAML2 attributes to synapse internals.
 saml2-mapping-provider-extra-settings
  Extra YAML-formatted key/pair values provided as configuration to the SAML2
  mapping provider module (e.g. 'key: value'). Can be specified multiple times.
 sso-template-dir
  Directory used to source SSO-related HTML templates.
 extra-setting
  Arbitrary string to be added to the configuration file. Can be specified multiple times.
@ -255,9 +222,6 @@ allow-public-rooms-without-auth
 enable-server-notices
  Enable the server notices room.
 enable-3pid-lookups
  Enable 3PIDs lookup requests to identity servers from this server.
 allow-guest-access
  Allows users to register as guests without a password/email/etc, and
  participate in rooms hosted on this server which have been made accessible
--- a/type/__matrix_synapse/manifest
+++ b/type/__matrix_synapse/manifest
@ -20,9 +20,10 @@
 # OS-specific configuration.
 os=$(cat "$__global/explorer/os")
 distribution=$(cat "$__global/explorer/lsb_codename")
 case "$os" in
-	debian|ubuntu)
+	debian)
 		synapse_user=matrix-synapse
 		synapse_pkg=matrix-synapse-py3
 		synapse_service=matrix-synapse
@ -30,14 +31,23 @@ case "$os" in
 		synapse_conf_dir='/etc/matrix-synapse'
 		synapse_data_dir='/var/lib/matrix-synapse'
-		__apt_key matrix-org \
+		# We use upstream's APT repository in order to stay up-to-date: upstream
-			--uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
+		# moves fast and downstream debian package is necessarily delayed.
-
+		case "$distribution" in
-		require="__apt_key/matrix-org" __apt_source matrix-org \
+			buster|bulleye|bookworm|sid)
-			--uri https://packages.matrix.org/debian/ \
+				__apt_key matrix-org \
-			--component main
+					--uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
-		package_req="__apt_source/matrix-org"
+				require="__apt_key/matrix-org" __apt_source matrix-org \
-	;;
+					--uri https://packages.matrix.org/debian/ \
 					--component main
 				package_req="__apt_source/matrix-org"
 				;;
 				*)
 					echo "Unknown debian release '$distribution'. Exiting" >&2
 					exit 1
 				;;
 		esac
 		;;
 	alpine)
 		synapse_user=synapse
 		synapse_pkg=synapse
@ -96,7 +106,7 @@ export SERVER_NAME BASE_URL REPORT_STATS MAX_UPLOAD_SIZE EXPOSE_METRICS \
 	WEB_CLIENT_URL ROOM_ENCRYPTION_POLICY BIND_ADDRESSES
 if [ -f "$__object/parameter/enable-server-notices" ]; then
-	export ENABLE_SERVER_NOTICES=1
+    export ENABLE_SERVER_NOTICES=1
 fi
 # TLS.
@ -172,88 +182,25 @@ ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations')
 USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
 export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
-if [ -f "$__object/parameter/registration-shared-secret" ]; then
+if [ -f "$__object/parameter/registration-shared-token" ]; then
 	REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret")
 	export REGISTRATION_SHARED_SECRET
 fi
 if [ -f "$__object/parameter/registration-requires-email" ]; then
-	export REGISTRATION_REQUIRES_EMAIL=1
+    export REGISTRATION_REQUIRES_EMAIL=1
 fi
 ENABLE_SET_DISPLAYNAME='true'
 if [ -f "$__object/parameter/disable-displayname-changes" ]; then
 	ENABLE_SET_DISPLAYNAME='false'
 fi
 export ENABLE_SET_DISPLAYNAME
 ENABLE_3PID_CHANGES='true'
 if [ -f "$__object/parameter/disable-3pid-changes" ]; then
 	ENABLE_3PID_CHANGES='false'
 fi
 export ENABLE_3PID_CHANGES
 if [ -f "$__object/parameter/auto-join-room" ]; then
-	AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")"
+    AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")"
-	export AUTO_JOIN_ROOMS
+    export AUTO_JOIN_ROOMS
 fi
 if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then
-	RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern")
+    RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern")
-	export RESGISTRATION_ALLOWS_EMAIL_PATTERN
+    export RESGISTRATION_ALLOWS_EMAIL_PATTERN
 fi
 if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then
 	# Synapse fails to start while trying to parse IDP metadata if this package
 	# is not installed.
 	__package xmlsec1
 	SAML2_IDP_METADATA_URL=$(cat "$__object/parameter/saml2-idp-metadata-url")
 	export SAML2_IDP_METADATA_URL
 fi
 if [ -f "$__object/parameter/saml2-sp-key" ]; then
 	SAML2_SP_KEY=$(cat "$__object/parameter/saml2-sp-key")
 	export SAML2_SP_KEY
 fi
 if [ -f "$__object/parameter/saml2-sp-cert" ]; then
 	SAML2_SP_CERT=$(cat "$__object/parameter/saml2-sp-cert")
 	export SAML2_SP_CERT
 fi
 if [ -f "$__object/parameter/saml2-mapping-provider-module" ]; then
 	SAML2_MAPPING_PROVIDER_MODULE=$(cat "$__object/parameter/saml2-mapping-provider-module")
 	export SAML2_MAPPING_PROVIDER_MODULE
 fi
 if [ -f "$__object/parameter/saml2-mapping-provider-extra-config" ]; then
 	SAML2_MAPPING_PROVIDER_EXTRA_CONFIG=$(cat "$__object/parameter/saml2-mapping-provider-extra-config")
 	export SAML2_MAPPING_PROVIDER_EXTRA_CONFIG
 fi
 SSO_TEMPLATE_DIR=$(cat "$__object/parameter/sso-template-dir")
 export SSO_TEMPLATE_DIR
 if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then
 	echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2
 	exit 1
 elif [ -n "$SAML2_SP_CERT" ] && [ -z "$SAML2_SP_KEY" ]; then
 	echo "--saml2-sp-key must be set if --saml2-sp-cert is provided." >&2
 	exit 1
 fi
 if [ -f "$__object/parameter/default-identity-server" ]; then
 	DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server")
 	export DEFAULT_IDENTITY_SERVER
 fi
 ENABLE_3PID_LOOKUPS='false'
 if [ -f "$__object/parameter/enable-3pid-lookups" ]; then
 	ENABLE_3PID_LOOKUPS='true'
 fi
 export ENABLE_3PID_LOOKUPS
 # Federation.
 ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')
 ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth')
@ -269,8 +216,7 @@ fi
 # Message retention.
 ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
 MESSAGE_RETENTION_POLICY_MAX_LIFETIME=$(cat "$__object/parameter/message-max-lifetime")
-MESSAGE_RETENTION_POLICY_MIN_LIFETIME=$MESSAGE_RETENTION_POLICY_MAX_LIFETIME
+export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME
 export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME MESSAGE_RETENTION_POLICY_MIN_LIFETIME
 # Previews.
 ENABLE_URL_PREVIEW=$(get_boolean_for 'enable-url-preview')
@ -310,16 +256,6 @@ if [ -f "$__object/parameter/turn-uri" ]; then
 	export TURN_URIS
 fi
 if [ -f "$__object/parameter/turn-username" ]; then
 	TURN_USERNAME=$(cat "$__object/parameter/turn-username")
 	export TURN_USERNAME
 fi
 if [ -f "$__object/parameter/turn-password" ]; then
 	TURN_PASSWORD=$(cat "$__object/parameter/turn-password")
 	export TURN_PASSWORD
 fi
 # Worker-mode configuration.
 export MAIN_LISTENER_PORT=8008
 export ENABLE_MEDIA_REPO='true'
@ -353,16 +289,16 @@ export ENABLE_REPLICATION ENABLE_REDIS_SUPPORT WORKER_REPLICATION_SECRET \
 case "$DATABASE_ENGINE" in
 	sqlite3)
 		:
-		;;
+	;;
 	psycopg2)
 		when='database engine is psycopg2'
 		is_required_when "$DATABASE_HOST" '--database-host' "$when"
 		is_required_when "$DATABASE_USER" '--database-user' "$when"
-		;;
+	;;
 	*)
 		echo "Invalid database engine: $DATABASE_ENGINE." >&2
 		exit 1
-		;;
+	;;
 esac
@ -380,13 +316,13 @@ mkdir -p "$__object/files"
 "$__type/files/log.config.sh" > "$__object/files/log.config"
 require="$synapse_req" __file "$synapse_conf_dir/homeserver.yaml" \
-	--owner $synapse_user \
+  --owner $synapse_user \
-	--mode 600 \
+  --mode 600 \
-	--source "$__object/files/homeserver.yaml"
+  --source "$__object/files/homeserver.yaml"
 require="$synapse_req" __file "$LOG_CONFIG_PATH" \
-	--owner $synapse_user \
+  --owner $synapse_user \
-	--mode 600 \
+  --mode 600 \
-	--source "$__object/files/log.config"
+  --source "$__object/files/log.config"
 for directory in $DATA_DIR $LOG_DIR; do
 	require="$synapse_req" __directory $directory \
@ -394,8 +330,8 @@ for directory in $DATA_DIR $LOG_DIR; do
 		--owner $synapse_user
 done
-# Make dpkg-reconfigure happy on debian-based systems.
+# Make dpkg-reconfigure happy on debian systems.
-if [ "$os" = "debian" ] || [ "$os" = "ubuntu" ]; then
+if [ "$os" = "debian" ]; then
 	require="$synapse_req" __file "$synapse_conf_dir/conf.d/server_name.yaml" \
 		--owner $synapse_user \
 		--source - <<- EOF
--- a/type/__matrix_synapse/parameter/boolean
+++ b/type/__matrix_synapse/parameter/boolean
@ -17,6 +17,3 @@ user-directory-search-all-users
 enable-message-retention-policy
 worker-mode
 enable-url-preview
 enable-3pid-lookups
 disable-3pid-changes
 disable-displayname-changes
--- a/type/__matrix_synapse/parameter/default/sso-template-dir
+++ b/type/__matrix_synapse/parameter/default/sso-template-dir
@ -1 +0,0 @@
 res/template
--- a/type/__matrix_synapse/parameter/optional
+++ b/type/__matrix_synapse/parameter/optional
@ -13,8 +13,6 @@ ldap-bind-password
 ldap-filter
 turn-shared-secret
 turn-user-lifetime
 turn-username
 turn-password
 max-upload-size
 smtp-host
 smtp-port
@ -36,9 +34,3 @@ background-tasks-worker
 tls-cert
 tls-private-key
 registration-shared-secret
 saml2-idp-metadata-url
 saml2-sp-key
 saml2-sp-cert
 default-identity-server
 saml2-mapping-provider-module
 sso-template-dir
--- a/type/__matrix_synapse/parameter/optional_multiple
+++ b/type/__matrix_synapse/parameter/optional_multiple
@ -5,4 +5,3 @@ app-service-config-file
 extra-setting
 bind-address
 outbound-federation-worker
 saml2-mapping-provider-extra-config
--- a/type/__matterbridge/manifest
+++ b/type/__matterbridge/manifest
@ -20,7 +20,7 @@
 os=$(cat "$__global/explorer/os")
 case "$os" in
-   debian|ubuntu)
+   debian)
     # This type assume systemd for service installation.
   ;;
   *)
@ -31,13 +31,11 @@ case "$os" in
 esac
 # Required parameters.
-version=$(cat "$__object/parameter/version")
+VERSION=$(cat "$__object/parameter/version")
 if [ -f "$__object/parameter/config" ]; then
-    config="$(cat "$__object/parameter/config")"
+    CONFIG="$(cat "$__object/parameter/config")"
-    if [ "$config" = "-" ]; then
+    if [ "$CONFIG" = "-" ]; then
-        mkdir -p "$__object/files"
+        CONFIG=$(cat "$__object/stdin")
        config="$__object/files/matterbridge.toml"
        cat "$__object/stdin" > "$config"
    fi
 fi
@ -48,11 +46,11 @@ export USER=matterbridge
 export GROUP=$USER
 # Internal variables.
-artefact="matterbridge-$version-linux-64bit"
+artefact="matterbridge-$VERSION-linux-64bit"
 checksum_file="checksums.txt"
 release_download_url=https://github.com/42wim/matterbridge/releases/download
-binary_url="$release_download_url/v$version/$artefact"
+binary_url="$release_download_url/v$VERSION/$artefact"
-checksum_file_url="$release_download_url/v$version/$checksum_file"
+checksum_file_url="$release_download_url/v$VERSION/$checksum_file"
 config_dir=$(dirname $CONFIG_PATH)
 systemd_unit_path='/etc/systemd/system/matterbridge.service'
@ -90,7 +88,7 @@ require="__user/$USER" __directory "$config_dir" \
 require="__directory/$config_dir" __file "$CONFIG_PATH" \
  --owner "$USER" \
  --mode 0640 \
-  --source "$config"
+  --source "$CONFIG"
 __file "$systemd_unit_path" \
  --source "$__object/files/matterbridge.service"
--- a/type/__nginx/man.rst
+++ b/type/__nginx/man.rst
@ -28,16 +28,6 @@ uacme-hookscript
  Custom hook passed to the __uacme_obtain type: useful to integrate the
  dns-01 challenge with third-party DNS providers.
 acme-url
  ACMEv2 server directory object URL. Lets'Encrypt is used by default.
 acme-eab-credentials
  Specify RFC8555 External Account Binding credentials according to
  https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
  ACME account with an existing account in a non-ACME system such as a CA
  customer database. KEYID must be an ASCII string. KEY must be
  base64url-encoded.
 EXAMPLES
 --------
--- a/type/__nginx/manifest
+++ b/type/__nginx/manifest
@ -36,20 +36,6 @@ then
 	set_custom_uacme_hookscript="--hookscript $uacme_hookscript"
 fi
 set_custom_acme_url=
 if [ -f "${__object:?}/parameter/acme-url" ];
 then
 	custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
 	set_custom_acme_url="--acme-url $custom_acme_url"
 fi
 set_acme_eab_credentials=
 if [ -f "${__object:?}/parameter/acme-eab-credentials" ];
 then
 	acme_eab_credentials=$(cat "${__object:?}/parameter/acme-eab-credentials")
 	set_acme_eab_credentials="--eab-credentials $acme_eab_credentials"
 fi
 # Deploy simple HTTP vhost, allowing to serve ACME challenges.
 __nginx_vhost "301-to-https-$domain" \
 	--domain "$domain" --altdomains "$altdomains" --to-https
@ -60,18 +46,12 @@ if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then
 	cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to")
 fi
-# shellcheck disable=SC2086
+__uacme_account
 __uacme_account \
 	$set_custom_acme_url \
 	$set_acme_eab_credentials \
 # shellcheck disable=SC2086
 require="__nginx_vhost/301-to-https-$domain __uacme_account" \
 	__uacme_obtain "$domain" \
 		--altdomains "$altdomains" \
 		$set_custom_uacme_hookscript \
 		$set_custom_acme_url \
 		$set_acme_eab_credentials \
 		--owner "$cert_ownership" \
 		--install-key-to "$nginx_certdir/$domain/privkey.pem" \
 		--install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \
--- a/type/__nginx/parameter/optional
+++ b/type/__nginx/parameter/optional
@ -2,6 +2,4 @@ config
 domain
 altdomains
 uacme-hookscript
 acme-url
 acme-eab-credentials
 force-cert-ownership-to
--- a/type/__nginx_vhost/manifest
+++ b/type/__nginx_vhost/manifest
@ -32,7 +32,7 @@ case "$os" in
 		require="$install_reqs" __start_on_boot nginx
-		export NGINX_SITEDIR="$nginx_confdir/http.d"
+		export NGINX_SITEDIR="$nginx_confdir/conf.d"
 		export NGINX_CERTDIR="$nginx_confdir/ssl"
 		export NGINX_SNIPPETSDIR="$nginx_confdir/snippets"
 		export NGINX_WEBROOT="/var/www"
@ -158,7 +158,6 @@ for snippet in hsts 301-to-https; do
 done
 # Install vhost.
-require="$install_reqs" __directory "$NGINX_SITEDIR"
+require="$install_reqs" __file "$NGINX_SITEDIR/$__object_id.conf" \
 require="__directory/$NGINX_SITEDIR" __file "$NGINX_SITEDIR/$__object_id.conf" \
 	--source "$vhost_conf" \
 	--mode 0644
--- a/type/__opendkim/files/opendkim.conf.sh
+++ b/type/__opendkim/files/opendkim.conf.sh
@ -1,7 +1,6 @@
 #!/bin/sh -e
 # Generate an opendkim.conf(5) file for opendkim(8).
 echo "# Managed remotely, manual changes will be lost."
 # Optional chdir(2)
 if [ "$BASEDIR" ];
@ -34,8 +33,8 @@ then
 fi
 # Key and Domain tables
-echo "KeyTable ${CFG_DIR}/KeyTable"
+echo 'KeyTable /etc/opendkim/KeyTable'
-echo "SigningTable ${CFG_DIR}/SigningTable"
+echo 'SigningTable /etc/opendkim/SigningTable'
 # Required socket to listen on
 printf "Socket %s\n" "${SOCKET:?}"
--- a/type/__opendkim/man.rst
+++ b/type/__opendkim/man.rst
@ -14,8 +14,8 @@ installation and basic configuration of an instance of OpenDKIM.
 Note that this type does not generate or ensure that a key is present: use
 `cdist-type__opendkim-genkey(7)` for that.
-Note that this type is currently only implemented for Alpine Linux and FreeBSD.
+Note that this type is currently only implemented for Alpine Linux. Please
-Please contribute an implementation if you can.
+contribute an implementation if you can.
 REQUIRED PARAMETERS
@ -42,9 +42,8 @@ umask
  Set the umask for the socket and PID file.
 userid
-  Change the user the opendkim program is to run as.
+  Change the user the opendkim program is to run as. By default, Alpine Linux's
-  By default, Alpine Linux's OpenRC service will set this to `opendkim` on the
+  OpenRC service will set this to `opendkim` on the command-line.
  command-line and FreeBSD's rc will set it to `mailnull`.
 custom-config
  The string following this parameter is appended as-is in the configuration, to
@ -87,12 +86,11 @@ SEE ALSO
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
 Evilham <contact@evilham.com>
 COPYING
 -------
-Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/type/__opendkim/manifest
+++ b/type/__opendkim/manifest
@ -20,23 +20,16 @@
 os=$(cat "${__global:?}/explorer/os")
 CFG_DIR="/etc/opendkim"
 service="opendkim"
 case "$os" in
 'alpine')
 	:
 	;;
 'freebsd')
 	CFG_DIR="/usr/local/etc/mail"
 	service="milter-opendkim"
 	;;
 *)
 	printf "__opendkim does not yet support %s.\n" "$os" >&2
 	printf "Please contribute an implementation if you can.\n" >&2
 	exit 1
 	;;
 esac
 export CFG_DIR
 __package opendkim
@ -75,7 +68,7 @@ fi
 # Generate and deploy configuration file.
 source_file="${__object:?}/files/opendkim.conf"
-target_file="${CFG_DIR}/opendkim.conf"
+target_file="/etc/opendkim/opendkim.conf"
 mkdir -p "${__object:?}/files"
@ -90,22 +83,9 @@ fi
 require="__package/opendkim" __file "$target_file" \
 	--source "$source_file" --mode 0644
-require="__package/opendkim" __start_on_boot "${service}"
+require="__package/opendkim" __start_on_boot opendkim
-# Ensure Key and Signing tables exist and have proper permissions
+require="__file${target_file}" \
 key_table="${CFG_DIR}/KeyTable"
 signing_table="${CFG_DIR}/SigningTable"
 require="__package/opendkim" \
 	__file "${key_table}" \
 	--mode 444
 require="__package/opendkim" \
 	__file "${signing_table}" \
 	--mode 444
 require="__file${target_file} __file${key_table}
 		__file${signing_table} __start_on_boot/${service}" \
 	__check_messages opendkim \
 		--pattern "^__file${target_file}" \
-		--execute "service ${service} restart"
+		--execute "service opendkim restart"
--- a/type/__opendkim_genkey/gencode-remote
+++ b/type/__opendkim_genkey/gencode-remote
@ -30,8 +30,7 @@ fi
 DIRECTORY="/var/db/dkim/"
 if [ -f "${__object:?}/parameter/directory" ]; then
-	# Be forgiving about a lack of trailing slash
+	DIRECTORY="$(cat "${__object:?}/parameter/directory")"
 	DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
 fi
 # Boolean parameters
@ -45,12 +44,7 @@ if [ -f "${__object:?}/parameters/unrestricted" ]; then
 	RESTRICTED=
 fi
 user="$(cat "${__object:?}/user")"
 group="$(cat "${__object:?}/group")"
 if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then
 	echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS"
-	echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.private"
+	echo "chown opendkim:opendkim ${DIRECTORY}${SELECTOR}.private"
 	# This is usually generated, if it weren't we do not want to fail
 	echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.txt || true"
 fi
--- a/type/__opendkim_genkey/man.rst
+++ b/type/__opendkim_genkey/man.rst
@ -17,8 +17,8 @@ will be added to the OpenDKIM signing table, using either the domain or the
 provided key for the `domain:selector:keyfile` value in the table. An existing
 key will not be overwritten.
-Currently, this type is only implemented for Alpine Linux and FreeBSD.
+Currently, this type is only implemented for Alpine Linux. Please contribute an
-Please contribute an implementation if you can.
+implementation if you can.
 REQUIRED PARAMETERS
 -------------------
@ -85,12 +85,11 @@ SEE ALSO
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
 Evilham <contact@evilham.com>
 COPYING
 -------
-Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/type/__opendkim_genkey/manifest
+++ b/type/__opendkim_genkey/manifest
@ -21,18 +21,10 @@
 os=$(cat "${__global:?}/explorer/os")
 CFG_DIR="/etc/opendkim"
 user="opendkim"
 group="opendkim"
 case "$os" in
 'alpine')
 	:
 ;;
 'freebsd')
 	CFG_DIR="/usr/local/etc/mail"
 	user="mailnull"
 	group="mailnull"
 ;;
 *)
 	cat <<- EOF >&2
 	__opendkim_genkey currently only supports Alpine Linux. Please
@ -40,9 +32,6 @@ case "$os" in
 	EOF
 ;;
 esac
 # Persist user and group for gencode-remote
 printf '%s' "${user}" > "${__object:?}/user"
 printf '%s' "${group}" > "${__object:?}/group"
 SELECTOR="$(cat "${__object:?}/parameter/selector")"
 DOMAIN="$(cat "${__object:?}/parameter/domain")"
@ -50,8 +39,7 @@ DOMAIN="$(cat "${__object:?}/parameter/domain")"
 DIRECTORY="/var/db/dkim/"
 if [ -f "${__object:?}/parameter/directory" ];
 then
-	# Be forgiving about a lack of trailing slash
+	DIRECTORY="$(cat "${__object:?}/parameter/directory")"
 	DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
 fi
 SIGKEY="${DOMAIN:?}"
@ -60,26 +48,19 @@ then
 	SIGKEY="$(cat "${__object:?}/parameter/sigkey")"
 fi
-# Ensure the key-container directory exists with the proper permissions
+__package opendkim-utils
 __directory "${DIRECTORY}" \
 	--mode 0750 \
 	--owner "${user}" --group "${group}"
-# OS-specific code
+require='__package/opendkim-utils' \
-case "$os" in
+	__file /etc/opendkim/KeyTable
-'alpine')
+require='__package/opendkim-utils' \
-	# This is needed for opendkim-genkey
+	__file /etc/opendkim/SigningTable
 	__package opendkim-utils
 ;;
 esac
-key_table="${CFG_DIR}/KeyTable"
+require='__file/etc/opendkim/KeyTable' \
-signing_table="${CFG_DIR}/SigningTable"
+	__line "line-key-${__object_id:?}" \
 		--file /etc/opendkim/KeyTable \
 		--line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
-__line "line-key-${__object_id:?}" \
+require='__file/etc/opendkim/SigningTable' \
-	--file "${key_table}" \
+	__line "line-sig-${__object_id:?}" \
-	--line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
+		--file /etc/opendkim/SigningTable \
-
+		--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"
 __line "line-sig-${__object_id:?}" \
 	--file "${signing_table}" \
 	--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"
--- a/type/__runit/manifest
+++ b/type/__runit/manifest
@ -6,14 +6,7 @@ os="$(cat "${__global}/explorer/os")"
 case "${os}" in
 	debian|devuan)
 		# zero-config sysvinit and systemd compatibility
-		os_version="$(cat "${__global}/explorer/os_version")"
+		__package runit-run
 		debian_package="runit-run"
 		case "${os_version}" in
 			beowulf)
 				debian_package="runit"
 			;;
 		esac
 		__package "${debian_package}"
 	;;
 	freebsd)
 		__key_value \
--- a/type/__runit_service/manifest
+++ b/type/__runit_service/manifest
@ -33,25 +33,18 @@ if [ "${state}" != "present" ]; then
 	exit
 fi
 # Setup run file
 __file --state "${state}" --mode 0550 --source "${source}" \
 	--onchange "sv restart '${sv}' || true" \
 	"${run_file}"
 export require="${require} __file${run_file}"
 if [ -f "${__object}/parameter/log" ]; then
 	# Setup logger if requested
-	logdir="/var/log/runit"
+	__directory --parents "${svdir}/${sv}/log/main"
-	__directory --parents "${svdir}/${sv}/log"
+	export require="${require} __directory${svdir}/${sv}/log/main"
 	__directory --state absent "${svdir}/${sv}/log/main"  # Remove lingering old fashioned log
 	__directory --parents "${logdir}/${sv}"
 	export require="${require} __directory${svdir}/${sv}/log __directory${logdir}/${sv}"
 	__file "${svdir}/${sv}/log/run" \
 		--state "${state}" \
 		--mode 0755 \
 		--onchange "sv restart '${sv}/log' || true" \
 		--source "-" <<EOF
 #!/bin/sh
-exec svlogd -tt '${logdir}/${sv}'
+exec svlogd -tt ./main
 EOF
 fi
 # Setup run file
 __file --state "${state}" --mode 0755 --source "${source}" "${run_file}"
--- a/type/__single_binary_service/explorer/explorer-version
+++ b/type/__single_binary_service/explorer/explorer-version
@ -1,10 +0,0 @@
 #!/bin/sh -e
 BIN_PREFIX="/usr/local/bin"
 SERVICE_NAME="${__object_id}"
 VERSION_FILE="${BIN_PREFIX}/.${SERVICE_NAME}.cdist.version"
 if [ -f "${VERSION_FILE}" ]; then
 	cat "${VERSION_FILE}"
 fi
--- a/type/__single_binary_service/man.rst
+++ b/type/__single_binary_service/man.rst
@ -1,195 +0,0 @@
 cdist-type__single_binary_service(7)
 ====================================
 NAME
 ----
 cdist-type__single_binary_service - Setup a single-binary service
 DESCRIPTION
 -----------
 This type is designed to easily deploy and configure a single-binary service
 named `${__object_id}`.
 A good example of this are Prometheus exporters.
 This type makes certain assumptions that might not be correct on your system.
 If you need more flexibility, please get in touch and provide a use-case
 (and hopefully a backwards-compatible patch).
 This type will place the downloaded binary and, if requested, other extra
 binaries in `/usr/local/bin`.
 If a `--config-file-source` is provided, it will be placed under:
 `/etc/${__object_id}.conf`.
 This type supports services managed by `__runit(7)` when `systemd` is not
 the init system being used.
 REQUIRED PARAMETERS
 -------------------
 checksum
    This will be passed verbatim to `__download(7)`.
    Use something like `sha256:...`.
 url
    This will be passed verbatim to `__download(7)`.
 version
    This type will use a thumbstone file with a "version" number to track
    whether or not a service must be updated.
    This thumbstone file is placed under
    `/usr/local/bin/.${__object_id}.cdist.version`.
 BOOLEAN PARAMETERS
 ------------------
 unpack
    If present, the contents of `--url` will be treated as an archive to be
    unpacked with `__unpack(7)`.
    See also `--unpack-args` and `--extra-binary`.
 do-not-manage-user
    Always considered present when `--user` is `root`.
    If present, the user in `--user` will not be managed by this type with
    `__user`, this means it *must* exist beforehand when installing the service
    and it will not be removed by this type.
 OPTIONAL PARAMETERS
 -------------------
 config-file-source
    If present, this file's contents will be placed under
    `/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to
    `--user` and `--group`.
    If `-` is passed, this type's `stdin` will be used.
 user
    The user under which the service will run. Defaults to `root`.
    If this user is not `root` and `--do-not-manage-user` is not present,
    this user will be created or removed as per the `--state` parameter.
 user-home-dir
    Does not have an effect if `--do-not-manage-user` is used or `--user` is
    `root`.
    The home directory of the service user. It will be created.
    Defaults to `/nonexistent`, in this case the home directory will not be
    created.
 group
    The group under which the service will run. Defaults to `--user`.
 state
    Whether the service is to be `present` (default) or `absent`.
    When `absent`, this type will clean any binaries listed in `--extra-binary`
    and also the config file as described in `--config-file-source`.
 binary
    This will be the binary name. Defaults to `${__object_id}`.
    If `--unpack` is used, a binary with this name must be unpacked.
    Otherwise, the contents of `--url` will be placed under this binary name.
 env
    An `env` file consiting of `ENVIRONMENT_VARIABLE=VALUE`, one variable per
    line.
    Empty lines and those starting with `#` are ignored.
 service-args
    Any extra arguments to pass along with `--service-exec`. Beware that any
    service-args having the format `--config=/etc/foo.cfg` should be
    represented in the following way `--service-exec='--config=/etc/foo.cfg'`
 service-exec
    The executable to use for this service.
    Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the
    resulting value of `--binary`.
 service-definition
    The service definition to be used as an override.
    Note that this type decides dinammically between runit and systemd, and
    you can currently only define either a systemd unit or a runit script here.
    Use this parameter only for testing and get in touch to discuss how your
    particular use-case can be supported by the type.
 service-description
    The service description to be used in, e.g. the systemd unit file.
    Defaults to `cdist-managed '${__object_id}' service`.
 unpack-args
    Only has an effect if `--unpack` is used.
    These arguments will be passed verbatim to `__unpack(7)`.
    Very useful as this type assumes the archive does not have the binaries in
    subdirectories; that can be worked around with
    `--unpack-args '--tar-strip 1'`.
 unpack-extension
    Only has an effect if `--unpack` is used.
    The file extension of the file to unpack, defaults to `.tar.gz`.
 working-directory
    If set, the working directory with which the service will be started.
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 extra-binary
    Only useful with `--unpack`.
    If passed, these binaries will also be installed when `--state` is `present`
    and removed when `--state` is `absent`.
    Handle with care :-).
 EXAMPLES
 --------
 .. code-block:: sh
 	# Install and enable the ipmi_exporter service
 	#   The variables are defined in the manifest previously
 	__single_binary_service ipmi_exporter \
 		--user "${USER}" \
 		--service-args ' --config.file=/etc/ipmi_exporter.conf' \
 		--version "${SHOULD_VERSION}" \
 		--checksum "${CHECKSUM}" \
 		--url "${DOWNLOAD_URL}" \
 		--state "present" \
 		--unpack \
 		--unpack-args "--tar-strip 1" \
 		--config-file-source '-' <<-EOF
 	# Remotely managed, changes will be lost
 	# [...] config contents goes here
 	EOF
 	# Remove the ipmi_exporter service along with the user and its config
 	__single_binary_service ipmi_exporter \
 		--user "${USER}" \
 		--version "${SHOULD_VERSION}" \
 		--checksum "${CHECKSUM}" \
 		--url "${DOWNLOAD_URL}" \
 		--state "absent"
 	# Same, but the service was using my user! Let's not delete that!
 	__single_binary_service ipmi_exporter \
 		--user "evilham" \
 		--do-not-manage-user \
 		--version "${SHOULD_VERSION}" \
 		--checksum "${CHECKSUM}" \
 		--url "${DOWNLOAD_URL}" \
 		--state "absent"
 SEE ALSO
 --------
 - `__download(7)`
 - `__unpack(7)`
 AUTHORS
 -------
 Evilham <contact@evilham.com>
 COPYING
 -------
 Copyright \(C) 2022 Evilham.
--- a/type/__single_binary_service/manifest
+++ b/type/__single_binary_service/manifest
@ -1,305 +0,0 @@
 #!/bin/sh -e
 SERVICE_NAME="${__object_id}"
 OS="$(cat "${__global}/explorer/os")"
 case "${OS}" in
 	debian|devuan)
 		SUPER_USER_GROUP=root
 		ETC_DIR="/etc"
 	;;
 	*bsd)
 		SUPER_USER_GROUP=wheel
 		ETC_DIR="/usr/local/etc"
 	;;
 	*)
 		echo "Your OS '${OS}' is currently not supported." >&2
 		exit 1
 	;;
 esac
 INIT="$(cat "${__global}/explorer/init")"
 case "${INIT}" in
 	systemd)
 		service_definition_require="__systemd_unit/${SERVICE_NAME}.service"
 		service_command="service ${SERVICE_NAME} %s"
 	;;
 	runit|sysvinit)
 		# We will use runit to manage these services
 		__runit
 		export require="__runit"
 		service_definition_require="__runit_service/${SERVICE_NAME}"
 		service_command="sv %s ${SERVICE_NAME}"
 	;;
 	*)
 		echo "Init system ${INIT}' is currently not supported." >&2
 		exit 1
 	;;
 esac
 BIN_DIR="/usr/local/bin"
 # Ensure the target bin dir exists
 #   Care, we never want to remove it :-D
 __directory "${BIN_DIR}" \
 	--state "exists" \
 	--mode 0755
 export require="${require} __directory${BIN_DIR}"
 STATE="$(cat "${__object}/parameter/state")"
 USER="$(cat "${__object}/parameter/user")"
 GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)"
 if [ -z "${GROUP}" ]; then
 	if [ "${USER}" != "root" ]; then
 		GROUP="${USER}"
 	else
 		GROUP="${SUPER_USER_GROUP}"
 	fi
 fi
 BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)"
 if [ -z "${BINARY}" ]; then
 	BINARY="${SERVICE_NAME}"
 fi
 EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)"
 # This only makes sense for file archives
 if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then
 	cat >&2 <<-EOF
 	You cannot specify extra binaries without the --unpack argument.
 	Make sure that the --url argument points to a file archive.
 EOF
 fi
 SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)"
 if [ -z "${SERVICE_EXEC}" ]; then
 	SERVICE_EXEC="${BIN_DIR}/${BINARY}"
 fi
 SERVICE_ARGS="$(cat "${__object}/parameter/service-args")"
 SERVICE_EXEC="${SERVICE_EXEC} ${SERVICE_ARGS}"
 SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \
 	2>/dev/null || true)"
 if [ -z "${SERVICE_DESCRIPTION}" ]; then
 	SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service"
 fi
 SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)"
 WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)"
 if [ -n "${WORKING_DIRECTORY_PATH}" ]; then
 	WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}"
 	WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"
 fi
 DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
 CHECKSUM="$(cat "${__object}/parameter/checksum")"
 SHOULD_VERSION="$(cat "${__object}/parameter/version")"
 # Create a user for the service if it is not root
 USER_HOME_DIR="/root"
 if [ "${USER}" != "root" ] && \
 		[ ! -f "${__object}/parameter/do-not-manage-user" ]; then
 	if [ "${STATE}" = "absent" ]; then
 		# When removing, ensure user is not being used
 		user_require="${service_definition_require}"
 	fi
 	USER_HOME_DIR="$(cat "${__object}/parameter/user-home-dir")"
 	if [ "${USER_HOME_DIR}" != "/nonexistent" ]; then
 		USER_CREATE_HOME="--create-home"
 	fi
 	require="${require} ${user_require}" __user "${USER}" \
 		--system \
 		--state "${STATE}" \
 		--home "${USER_HOME_DIR}" \
 		--comment "cdist-managed service user" \
 		${USER_CREATE_HOME}
 	# Track dependencies
 	service_require="${service_require} __user/${USER}"
 fi
 # Place config file if necessary
 CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
 CONFIG_FILE_SOURCE="$(cat "${__object}/parameter/config-file-source" 2>/dev/null || true)"
 if [ "${CONFIG_FILE_SOURCE}" = "-" ]; then
 	CONFIG_FILE_SOURCE="${__object}/stdin"
 fi
 if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then
 	require="${require} __user/${USER}" __file \
 		"${CONFIG_FILE_DEST}" \
 		--owner "${USER}" \
 		--group "${GROUP}" \
 		--mode "0440" \
 		--source "${CONFIG_FILE_SOURCE}"
 	service_require="${service_require} __file${CONFIG_FILE_DEST}"
 fi
 # These messages will trigger a service restart (overridden for systemd)
 service_config_reload_pattern="^__file${CONFIG_FILE_DEST}"
 # This should setup the object in $service_definition_require
 # See above.
 case "${INIT}" in
 	systemd)
 		if [ -z "${SERVICE_DEFINITION}" ]; then
 			SYSTEMD_ENV_FILE="/etc/systemd/system/${SERVICE_NAME}.env"
 			__file "${SYSTEMD_ENV_FILE}" \
 				--mode 0400 \
 				--source "${__object}/parameter/env"
 			# We need to take into account the envionment file for systemd too
 			service_config_reload_pattern="(${service_config_reload_pattern}|^__file${SYSTEMD_ENV_FILE})"
 			SERVICE_DEFINITION="$(cat <<EOF
 [Unit]
 Description=${SERVICE_DESCRIPTION}
 After=network.target
 [Service]
 Type=simple
 User=${USER}
 Group=${GROUP}
 ExecStart=${SERVICE_EXEC}
 Restart=always
 EnvironmentFile=${SYSTEMD_ENV_FILE}
 ${WORKING_DIRECTORY_SYSTEMD}
 [Install]
 WantedBy=multi-user.target
 EOF
 )"
 		fi
 		__systemd_unit "${SERVICE_NAME}.service" \
 			--source "-" \
 			--state "${STATE}" \
 			--enablement-state "enabled" <<EOF
 ${SERVICE_DEFINITION}
 EOF
 	;;
 	runit|sysvinit)
 		if [ -z "${SERVICE_DEFINITION}" ]; then
 			RUNIT_ENV="$(sed -Ee 's!^([[:alnum:]_]+)=(.*)$!export \1=\2!' "${__object}/parameter/env")"
 			SERVICE_DEFINITION="$(cat <<EOF
 #!/bin/sh -e
 ${WORKING_DIRECTORY_RUNIT}
 # User-provided environment
 ${RUNIT_ENV}
 # System vars
 export HOME="\$(getent passwd '${USER}' | cut -d: -f6)"
 export USER="${USER}"
 export GROUP="${GROUP}"
 exec 2>&1
 exec chpst -u "${USER}:${GROUP}" ${SERVICE_EXEC}
 EOF
 )"
 		fi
 		__runit_service "${SERVICE_NAME}" \
 			--state "${STATE}" \
 			--log \
 			--source - <<EOF
 ${SERVICE_DEFINITION}
 EOF
 	;;
 esac
 service_require="${service_require} ${service_definition_require}"
 # Proceed after user and service description have been prepared
 export require="${require} ${service_require}"
 VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
 IS_VERSION="$(cat "${__object}/explorer/explorer-version")"
 if [ "${STATE}" = "absent" ]; then
 	# Perform cleanup of generated files
 	for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
 		__file "${BIN_DIR}/${bin_file}" --state "absent"
 	done
 	__file "${VERSION_FILE}" --state "absent"
 	__file "${CONFIG_FILE_DEST}" --state "absent"
 fi
 if [ "${STATE}" != "present" ]; then
 	exit
 fi
 sv_cmd() {
 	# This is intentional
 	# shellcheck disable=SC2059
 	printf "${service_command}" "$1"
 }
 if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ]; then
 	# We are installing the service and there has been a version change
 	# (or it is first-time install)
 	TMP_PATH="/tmp/${SERVICE_NAME}-${SHOULD_VERSION}"
 	# This is what will stop the service, replace the binaries and
 	# start the service again
 	perform_service_upgrade="$(cat <<EOF
 $(sv_cmd stop) || true
 if [ -f '${TMP_PATH}' ]; then
 	chown root:${SUPER_USER_GROUP} '${TMP_PATH}'
 	chmod 0555 '${TMP_PATH}'
 	cp -af '${TMP_PATH}' '${BIN_DIR}/${BINARY}'
 else
 	for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
 		bin_path="${TMP_PATH}/\${bin_file}"
 		chown root:${SUPER_USER_GROUP} "\${bin_path}"
 		chmod 0555 "\${bin_path}"
 		cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}"
 	done
 fi
 $(sv_cmd start) || true
 EOF
 )"
 	if [ -f "${__object}/parameter/unpack" ]; then
 		UNPACK_EXTENSION="$(cat "${__object}/parameter/unpack-extension")"
 		UNPACK_ARGS="$(cat "${__object}/parameter/unpack-args" \
 			2>/dev/null || true)"
 		# Download packed file
 		__download "${TMP_PATH}${UNPACK_EXTENSION}" \
 			--url "${DOWNLOAD_URL}" \
 			--download remote \
 			--sum "${CHECKSUM}"
 		# Unpack file and also perform service upgrade
 		# shellcheck disable=SC2086
 		require="__download${TMP_PATH}${UNPACK_EXTENSION}" \
 			__unpack "${TMP_PATH}${UNPACK_EXTENSION}" \
 			${UNPACK_ARGS} \
 			--destination "${TMP_PATH}"
 		version_bump_require="__unpack${TMP_PATH}${UNPACK_EXTENSION}"
 	else
 		# Create temp directory
 		__directory "${TMP_PATH}"
 		# Download binary directoy to the temp directory with the
 		# specified binary name
 		require="__directory${TMP_PATH}" __download \
 			"${TMP_PATH}/${BINARY}" \
 			--url "${DOWNLOAD_URL}" \
 			--download remote \
 			--sum "${CHECKSUM}"
 		version_bump_require="__download${TMP_PATH}/${BINARY}"
 	fi
 	# Perform update of cdist-managed version file
 	# And also perform service upgrade
 	# This is a bug if service_upgrade fails >,<
 	printf "%s" "${SHOULD_VERSION}" | \
 		require="${version_bump_require}" __file \
 			"${VERSION_FILE}" \
 			--onchange "${perform_service_upgrade}" \
 			--source "-"
 else
 	# We only restart here if there was a config or env change
 	# but there was not a version change
 	require="${service_require}" __check_messages \
 		"single_binary_service_${__object_id}" \
 		--pattern "${service_config_reload_pattern}" \
 		--execute "$(sv_cmd restart)"
 fi
--- a/type/__single_binary_service/parameter/boolean
+++ b/type/__single_binary_service/parameter/boolean
@ -1,2 +0,0 @@
 do-not-manage-user
 unpack
--- a/type/__single_binary_service/parameter/default/env
+++ b/type/__single_binary_service/parameter/default/env
--- a/type/__single_binary_service/parameter/default/service-args
+++ b/type/__single_binary_service/parameter/default/service-args
--- a/type/__single_binary_service/parameter/default/state
+++ b/type/__single_binary_service/parameter/default/state
@ -1 +0,0 @@
 present
--- a/type/__single_binary_service/parameter/default/unpack-extension
+++ b/type/__single_binary_service/parameter/default/unpack-extension
@ -1 +0,0 @@
 .tar.gz
--- a/type/__single_binary_service/parameter/default/user
+++ b/type/__single_binary_service/parameter/default/user
@ -1 +0,0 @@
 root
--- a/type/__single_binary_service/parameter/default/user-home-dir
+++ b/type/__single_binary_service/parameter/default/user-home-dir
@ -1 +0,0 @@
 /nonexistent
--- a/type/__single_binary_service/parameter/optional
+++ b/type/__single_binary_service/parameter/optional
@ -1,14 +0,0 @@
 config-file-source
 env
 user
 group
 state
 binary
 service-args
 service-exec
 service-description
 service-definition
 unpack-extension
 unpack-args
 user-home-dir
 working-directory
--- a/type/__single_binary_service/parameter/optional_multiple
+++ b/type/__single_binary_service/parameter/optional_multiple
@ -1 +0,0 @@
 extra-binary
--- a/type/__single_binary_service/parameter/required
+++ b/type/__single_binary_service/parameter/required
@ -1,3 +0,0 @@
 url
 checksum
 version
--- a/type/__systemd_network/gencode-remote
+++ b/type/__systemd_network/gencode-remote
@ -1,20 +0,0 @@
 #!/bin/sh -e
 #
 # 2022 Joachim Desroches (joachim.desroches@epfl.ch)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 echo "systemctl enable systemd-networkd"
--- a/type/__systemd_network/man.rst
+++ b/type/__systemd_network/man.rst
@ -1,68 +0,0 @@
 cdist-type__systemd-network(7)
 ==============================
 NAME
 ----
 cdist-type__systemd-network - Configure systemd.network(5) file.
 DESCRIPTION
 -----------
 This type allows you to configure network interfaces by generating a
 systemd.network(5) file. It will enable systemd-networkd, so be sure to remove
 any conflicting network configuration tool if appropriate!
 Note that the systemd.network(5) system is very complete, and this type does
 not aim at providing every possible option. Are currently available only the
 most common options: feel free to add anything you need to this type which
 hopefully will grow over time.
 REQUIRED PARAMETERS
 -------------------
 None.
 OPTIONAL PARAMETERS
 -------------------
 description
  A text field used when displaying details about this network.
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 match-name
  A text field that will be set in the `Name` option of the `[Match]` section.
 BOOLEAN PARAMETERS
 ------------------
 ipv6ra-usedomains
  Set the `UseDomains` option of the `[IPv6AcceptRA]` section to `True`.
 EXAMPLES
 --------
 .. code-block:: sh
    # TODO
    __systemd-network
 SEE ALSO
 --------
 `cdist-type_systemd-resolved`\ (7)
 `systemd.network`\ (5)
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
 COPYING
 -------
 Copyright \(C) 2022 Joachim Desroches. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/type/__systemd_network/manifest
+++ b/type/__systemd_network/manifest
@ -1,86 +0,0 @@
 #!/bin/sh -e
 #
 # 2022 Joachim Desroches (joachim.desroches@epfl.ch)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 os=$(cat "${__global:?}/explorer/os")
 case "$os" in
 'debian' | 'ubuntu' | 'archlinux')
 	:
 	;;
 *)
 	printf "Your operating system (%s) is currently not supported by systemd-network\n" "$os" >&2
 	printf "Please contribute an implementation for it if you can.\n" >&2
 	exit 1
 	;;
 esac
 # XXX: Please keep the option parsing organized in order per-section, with
 # sections in the same order as they are in the manpage. This will make hacking
 # and maintaining this type much easier.
 mkdir "${__object:?}/files"
 output_file="${__object:?}/files/${__object_id:?}.network"
 cat << EOF > "$output_file"
 # This file is managed by cdist. Do not edit by hand!
 EOF
 # Match section
 # Ensure section is needed, OR existence of optional params.
 if [ -f "${__object:?}/parameter/match-name" ];
 then
 	printf "\n[Match]\n" >> "$output_file"
 	if [ -f "${__object:?}/parameter/match-name" ];
 	then
 		sed -e 's/^/Name=/' \
 			"${__object:?}/parameter/match-name" >> "$output_file"
 	fi
 fi
 # Network section
 # Ensure section is needed, OR existence of optional params.
 if [ -f "${__object:?}/parameter/description" ];
 then
 	printf "\n[Network]\n" >> "$output_file"
 	if [ -f "${__object:?}/parameter/description" ];
 	then
 		sed -e 's/^/Description=/' \
 			"${__object:?}/parameter/description" >> "$output_file"
 	fi
 fi
 # IPv6AcceptRA section
 # Ensure section is needed, OR existence of optional params.
 if [ -f "${__object:?}/parameter/ipv6ra-usedomains" ];
 then
 	printf "\n[IPv6AcceptRA]\n" >> "$output_file"
 	if [ -f "${__object:?}/parameter/ipv6ra-usedomains" ];
 	then
 		printf "UseDomains=True\n" >> "$output_file"
 	fi
 fi
 __file "/etc/systemd/network/${__object_id:?}.network" \
 	--source "$output_file" \
 	--mode 0644
--- a/type/__systemd_network/parameter/boolean
+++ b/type/__systemd_network/parameter/boolean
@ -1 +0,0 @@
 ipv6ra-usedomains
--- a/type/__systemd_network/parameter/optional
+++ b/type/__systemd_network/parameter/optional
@ -1 +0,0 @@
 description
--- a/type/__systemd_network/parameter/optional_multiple
+++ b/type/__systemd_network/parameter/optional_multiple
@ -1 +0,0 @@
 match-name
--- a/type/__systemd_resolved/gencode-remote
+++ b/type/__systemd_resolved/gencode-remote
@ -1,21 +0,0 @@
 #!/bin/sh -e
 #
 # 2022 Joachim Desroches (joachim.desroches@epfl.ch)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 echo "systemctl enable systemd-resolved"
--- a/type/__systemd_resolved/man.rst
+++ b/type/__systemd_resolved/man.rst
@ -1,47 +0,0 @@
 cdist-type__systemd_resolved(7)
 ===============================
 NAME
 ----
 cdist-type__systemd_resolved - Configure system to use systemd-resolved.
 DESCRIPTION
 -----------
 *systemd-resolved* is a systemd service that provides network name resolution
 to local applications via a D-Bus interface, the resolve NSS service
 (nss-resolve(8)), and a local DNS stub listener on 127.0.0.53.
 This type enables and starts this type, and helps with some minimal
 configuration. In particular, systemd-resolved has four modes of handling the
 `/etc/resolv.conf` file: stub, static, uplink and foreign. See the
 systemd-resolved(8) manpage for details. By default, this type uses stub mode:
 if you need another one, please provide an implementation in this type!
 EXAMPLES
 --------
 .. code-block:: sh
    __systemd_resolved
 SEE ALSO
 --------
 `systemd.network`\ (5)
 `systemd-resolved`\ (8)
 `nss-resolve`\ (8)
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
 COPYING
 -------
 Copyright \(C) 2022 Joachim Desroches. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/type/__systemd_resolved/manifest
+++ b/type/__systemd_resolved/manifest
@ -1,42 +0,0 @@
 #!/bin/sh -e
 #
 # 2022 Joachim Desroches (joachim.desroches@epfl.ch)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 os=$(cat "${__global:?}/explorer/os")
 case "$os" in
 'debian')
 	:
 	;;
 *)
 	printf "Your operating system (%s) is currently not supported by __systemd_resolved\n" "$os" >&2
 	printf "Please contribute an implementation for it if you can.\n" >&2
 	exit 1
 	;;
 esac
 __link /etc/resolv.conf \
 	--type symbolic \
 	--source ../run/systemd/resolve/stub-resolv.conf
 require=__link/etc/resolv.conf \
 	__systemd_service systemd-resolved \
 		--state running \
 		--action restart \
 		--if-required
--- a/type/__systemd_resolved/singleton
+++ b/type/__systemd_resolved/singleton
--- a/type/__uacme_account/gencode-remote
+++ b/type/__uacme_account/gencode-remote
@ -18,21 +18,6 @@ then
 	admin_mail="$(cat "${__object:?}/parameter/admin-mail")";
 fi
 # Autoaccept ACME server terms (if any) upon new account creation.
 uacme_opts="--yes"
 # Non-default ACMEv2 server directory object URL.
 if [ -f "${__object:?}/parameter/acme-url" ]; then
 	custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
 	uacme_opts="$uacme_opts --acme-url $custom_acme_url"
 fi
 # Specify RFC8555 External Account Binding credentials.
 if [ -f "${__object:?}/parameter/eab-credentials" ]; then
 	eab_credentials=$(cat "${__object:?}/parameter/eab-credentials")
 	uacme_opts="$uacme_opts --eab $eab_credentials"
 fi
 confdir="${default_confdir:?}"
 if [ -f "${__object:?}/parameter/confdir" ];
 then
@ -42,6 +27,6 @@ fi
 cat << EOF
 if ! [ -f "${confdir}/private/key.pem" ];
 then
-	uacme $uacme_opts new ${admin_mail}
+	uacme -y new ${admin_mail}
 fi
 EOF
--- a/type/__uacme_account/man.rst
+++ b/type/__uacme_account/man.rst
@ -23,16 +23,6 @@ confdir
 admin-mail
    Administrative contact email to register the account with.
 acme-url
   ACMEv2 server directory object URL. Lets'Encrypt is used by default.
 eab-credentials
   Specify RFC8555 External Account Binding credentials according to
   https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
   ACME account with an existing account in a non-ACME system such as a CA
   customer database. KEYID must be an ASCII string. KEY must be
   base64url-encoded. This is parameter is not supported by uacme < 1.6.
 EXAMPLES
 --------
@ -53,7 +43,6 @@ SEE ALSO
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
 Timothée Floure <timothee.floure@posteo.net>
 COPYING
 -------
--- a/type/__uacme_account/parameter/optional
+++ b/type/__uacme_account/parameter/optional
@ -1,4 +1,2 @@
 confdir
 admin-mail
 acme-url
 eab-credentials
--- a/type/__uacme_obtain/files/renew.sh.sh
+++ b/type/__uacme_obtain/files/renew.sh.sh
@ -7,8 +7,8 @@ UACME_CHALLENGE_PATH=${CHALLENGEDIR:?}
 export UACME_CHALLENGE_PATH
 # Issue certificate.
-uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${ACME_URL?} \\
+uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${MUST_STAPLE?} ${KEYTYPE?} \\
-	${EAB_CREDENTIALS?} ${MUST_STAPLE?} ${KEYTYPE?} issue -- ${DOMAIN:?}
+	issue -- ${DOMAIN:?}
 # Note: exit code 0 means that certificate was issued.
 # Note: exit code 1 means that certificate was still valid, hence not renewed.
--- a/type/__uacme_obtain/man.rst
+++ b/type/__uacme_obtain/man.rst
@ -38,8 +38,7 @@ install-key-to
  Installation path of the certificate's private key.
 renew-hook
-  Renew hook executed on certificate renewal (e.g. `service nginx reload`, `-`
+  Renew hook executed on certificate renewal (e.g. `service nginx reload`).
  for the standard input).
 force-cert-ownership-to
  Override default ownership for TLS certificate, passed as argument to chown.
--- a/type/__uacme_obtain/manifest
+++ b/type/__uacme_obtain/manifest
@ -69,22 +69,6 @@ then
 fi
 export MUST_STAPLE
 # Non-default ACMEv2 server directory object URL.
 ACME_URL=
 if [ -f "${__object:?}/parameter/acme-url" ]; then
 	custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
 	ACME_URL="--acme-url $custom_acme_url"
 fi
 export ACME_URL
 # Specify RFC8555 External Account Binding credentials.
 EAB_CREDENTIALS=
 if [ -f "${__object:?}/parameter/eab-credentials" ]; then
 	eab_credentials_param=$(cat "${__object:?}/parameter/eab-credentials")
 	EAB_CREDENTIALS="--eab $eab_credentials_param"
 fi
 export EAB_CREDENTIALS
 OWNER=root
 if [ -f "${__object:?}/parameter/owner" ];
 then
@ -109,11 +93,7 @@ export CERT_TARGET
 RENEW_HOOK=
 if [ -f "${__object:?}/parameter/renew-hook" ];
 then
-	if [ "$(cat "${__object:?}/parameter/renew-hook")" = "-" ]; then
+	RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
 		RENEW_HOOK="$(cat ${__object:?}/stdin)"
 	else
 		RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
 	fi
 fi
 export RENEW_HOOK
--- a/type/__uacme_obtain/parameter/optional
+++ b/type/__uacme_obtain/parameter/optional
@ -5,5 +5,3 @@ owner
 install-cert-to
 install-key-to
 renew-hook
 acme-url
 eab-credentials
		`@ -1 +0,0 @@`
			`../../__jitsi_meet_domain/files/jitsi-version`
		`@ -1 +0,0 @@`
			`../../__jitsi_meet_domain/files/prosody.cfg.lua.sh`