__jitsi_meet: upgrade to 2.0.10655

We were requiring too many arguments

.gitlab-ci.yml

@@ -1,14 +1,29 @@
 stages:
     - test
+    - doc
 
-image: code.ungleich.ch:5050/ungleich-public/cdist/cdist-ci:latest
+image: code.ungleich.ch:5050/ungleich-public/cdist-contrib/ci-container:latest
 
 shellcheck:
     stage: test
     script:
-        - ./scripts/run-shellcheck.sh
+        - make lint
 
 manpages:
     stage: test
     script:
-      - ./scripts/run-manpage-checks.sh
+      - make check-manpages
+
+docs:
+    stage: doc
+    only:
+      - master@ungleich-public/cdist-contrib
+    before_script:
+      - eval $(ssh-agent -s)
+      - echo "$CD_SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
+      - mkdir -p ~/.ssh
+      - echo "$CD_SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts
+      - chmod 644 ~/.ssh/known_hosts
+    script:
+      - make html
+      - sftp fnux@staticwebhosting.ungleich.ch:public_html/cdist-contrib <<< "put -r docs/dist/html/*"

CHANGELOG.md

@@ -1,3 +0,0 @@
-# cdist-contrib changes
-
-* 2020-04-28: New type: __find_exec (Ander Punnar)

Makefile

@@ -0,0 +1,70 @@
+.PHONY: help
+help:
+	@echo "Please use \`make <target>' where <target> is one of"
+	@echo "man             build only man user documentation"
+	@echo "html            build only html user documentation"
+	@echo "docs            build both man and html user documentation"
+	@echo "check-manpages  check for manpage in types"
+	@echo "lint            run shellcheck on types"
+	@echo "check           run both type manpage checks and linting"
+	@echo "clean           clean"
+
+DOCS_SRC_DIR=./docs/src
+TYPEDIR=./type
+
+SPHINXM=make -C $(DOCS_SRC_DIR) man
+SPHINXH=make -C $(DOCS_SRC_DIR) html
+SPHINXC=make -C $(DOCS_SRC_DIR) clean
+
+################################################################################
+# Manpages
+#
+MAN7DSTDIR=$(DOCS_SRC_DIR)/man7
+
+# Use shell / ls to get complete list - $(TYPEDIR)/*/man.rst does not work
+# Using ls does not work if no file with given pattern exist, so use wildcard
+MANTYPESRC=$(wildcard $(TYPEDIR)/*/man.rst)
+MANTYPEPREFIX=$(subst $(TYPEDIR)/,$(MAN7DSTDIR)/cdist-type,$(MANTYPESRC))
+MANTYPES=$(subst /man.rst,.rst,$(MANTYPEPREFIX))
+
+# Link manpage: do not create man.html but correct named file
+$(MAN7DSTDIR)/cdist-type%.rst: $(TYPEDIR)/%/man.rst
+	mkdir -p $(MAN7DSTDIR)
+	ln -sf "../../../$^" $@
+
+DOCSINDEX=$(MAN7DSTDIR)/index.rst
+DOCSINDEXH=$(DOCS_SRC_DIR)/index.rst.sh
+
+$(DOCSINDEX): $(DOCSINDEXH)
+	$(DOCSINDEXH)
+
+# Manpages: .cdist Types
+DOT_CDIST_PATH=${HOME}/.cdist
+DOTMAN7DSTDIR=$(MAN7DSTDIR)
+DOTTYPEDIR=$(DOT_CDIST_PATH)/type
+
+# Link manpage: do not create man.html but correct named file
+$(DOTMAN7DSTDIR)/cdist-type%.rst: $(DOTTYPEDIR)/%/man.rst
+	ln -sf "$^" $@
+
+man: $(MANTYPES) $(DOCSINDEX)
+	$(SPHINXM)
+
+html: $(MANTYPES) $(DOCSINDEX)
+	$(SPHINXH)
+
+docs: man html
+
+check-manpages:
+	./scripts/run-manpage-checks.sh
+
+lint:
+	./scripts/run-shellcheck.sh
+
+check: check-manpages lint
+
+clean:
+	$(SPHINXC)
+	rm -f docs/src/index.rst
+	rm -rf docs/src/man7/
+	rm -rf docs/src/__pycache__/

README.md

@@ -5,8 +5,9 @@ tool with community-maitained types which are either too specific to fit/be
 maintained in cdist itself or were not accepted in code cdist but could still
 be useful.
 
-This project does not have releases and is continously updated: see
-`CHANGELOG.md` for details.
+This project does not have releases and is continously updated: see git history
+for change log. You will find HTML documentation at
+[contrib.cdi.st](https://contrib.cdi.st).
 
 ## Using cdist-contrib
 
@@ -32,14 +33,11 @@ And you would run [cdist][cdist] from the same directory as follows:
 
 ## Participating in the [cdist][cdist] community
 
-Join us on [#cdist:ungleich.ch][cdistmatrix] on matrix or on
-[#cdist over mattermost][cdistmattermost].
-
+Join us on [#cdist:ungleich.ch][cdistmatrix] on matrix!
 
 [cdist]: https://www.cdi.st/
 [cdistconfig]: https://www.cdi.st/manual/latest/cdist-configuration.html
 [cdistmatrix]: https://matrix.to/#/#cdist:ungleich.ch
-[cdistmattermost]: https://chat.ungleich.ch/ungleich/channels/cdist
 
 ## Contributing
 
@@ -53,3 +51,12 @@ Every type in cdist-contrib must:
 
   * Have a `man.rst` documentation page.
   * Pass [shellcheck](http://shellcheck.net/) without errors.
+
+## Other resources
+
+Some people/organizations are known to keep some cdist types that might be of
+interest to others:
+
+* [cdist-evilham](https://git.sr.ht/~evilham/cdist-evilham): Evilham's cdist-types
+* [cdist-recycledcloud](https://code.recycled.cloud/RecycledCloud/cdist-recycledcloud): e-Durable SA / Recycled Cloud public types
+* [cdist-ungleich](https://code.ungleich.ch/ungleich-public/cdist-ungleich): ungleich public types

docs/src/Makefile

@@ -0,0 +1,235 @@
+# Makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS   ?=
+SPHINXBUILD  ?= sphinx-build
+PAPER        ?=
+BUILDDIR     ?= ../dist
+# for cache, etc.
+_BUILDDIR     = _build
+
+# User-friendly check for sphinx-build
+ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
+    $(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don\'t have Sphinx installed, grab it from http://sphinx-doc.org/)
+endif
+
+# Internal variables.
+PAPEROPT_a4     = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS   = -d $(_BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+# the i18n builder cannot share the environment and doctrees with the others
+I18NSPHINXOPTS  = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+
+.PHONY: help
+help:
+	@echo "Please use \`make <target>' where <target> is one of"
+	@echo "  html       to make standalone HTML files"
+	@echo "  dirhtml    to make HTML files named index.html in directories"
+	@echo "  singlehtml to make a single large HTML file"
+	@echo "  pickle     to make pickle files"
+	@echo "  json       to make JSON files"
+	@echo "  htmlhelp   to make HTML files and a HTML help project"
+	@echo "  qthelp     to make HTML files and a qthelp project"
+	@echo "  applehelp  to make an Apple Help Book"
+	@echo "  devhelp    to make HTML files and a Devhelp project"
+	@echo "  epub       to make an epub"
+	@echo "  epub3      to make an epub3"
+	@echo "  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+	@echo "  latexpdf   to make LaTeX files and run them through pdflatex"
+	@echo "  latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
+	@echo "  text       to make text files"
+	@echo "  man        to make manual pages"
+	@echo "  texinfo    to make Texinfo files"
+	@echo "  info       to make Texinfo files and run them through makeinfo"
+	@echo "  gettext    to make PO message catalogs"
+	@echo "  changes    to make an overview of all changed/added/deprecated items"
+	@echo "  xml        to make Docutils-native XML files"
+	@echo "  pseudoxml  to make pseudoxml-XML files for display purposes"
+	@echo "  linkcheck  to check all external links for integrity"
+	@echo "  doctest    to run all doctests embedded in the documentation (if enabled)"
+	@echo "  coverage   to run coverage check of the documentation (if enabled)"
+	@echo "  dummy      to check syntax errors of document sources"
+
+.PHONY: clean
+clean:
+	rm -rf $(BUILDDIR)/*
+	rm -rf $(_BUILDDIR)/*
+
+.PHONY: html
+html:
+	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+.PHONY: dirhtml
+dirhtml:
+	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+.PHONY: singlehtml
+singlehtml:
+	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+	@echo
+	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+.PHONY: pickle
+pickle:
+	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+	@echo
+	@echo "Build finished; now you can process the pickle files."
+
+.PHONY: json
+json:
+	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+	@echo
+	@echo "Build finished; now you can process the JSON files."
+
+.PHONY: htmlhelp
+htmlhelp:
+	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+	@echo
+	@echo "Build finished; now you can run HTML Help Workshop with the" \
+	      ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+.PHONY: qthelp
+qthelp:
+	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+	@echo
+	@echo "Build finished; now you can run "qcollectiongenerator" with the" \
+	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/cdist-docs.qhcp"
+	@echo "To view the help file:"
+	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/cdist-docs.qhc"
+
+.PHONY: applehelp
+applehelp:
+	$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
+	@echo
+	@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
+	@echo "N.B. You won't be able to view it unless you put it in" \
+	      "~/Library/Documentation/Help or install it in your application" \
+	      "bundle."
+
+.PHONY: devhelp
+devhelp:
+	$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+	@echo
+	@echo "Build finished."
+	@echo "To view the help file:"
+	@echo "# mkdir -p $$HOME/.local/share/devhelp/cdist-docs"
+	@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/cdist-docs"
+	@echo "# devhelp"
+
+.PHONY: epub
+epub:
+	$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+	@echo
+	@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+.PHONY: epub3
+epub3:
+	$(SPHINXBUILD) -b epub3 $(ALLSPHINXOPTS) $(BUILDDIR)/epub3
+	@echo
+	@echo "Build finished. The epub3 file is in $(BUILDDIR)/epub3."
+
+.PHONY: latex
+latex:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo
+	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+	@echo "Run \`make' in that directory to run these through (pdf)latex" \
+	      "(use \`make latexpdf' here to do that automatically)."
+
+.PHONY: latexpdf
+latexpdf:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo "Running LaTeX files through pdflatex..."
+	$(MAKE) -C $(BUILDDIR)/latex all-pdf
+	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+.PHONY: latexpdfja
+latexpdfja:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo "Running LaTeX files through platex and dvipdfmx..."
+	$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
+	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+.PHONY: text
+text:
+	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+	@echo
+	@echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+.PHONY: man
+man:
+	$(SPHINXBUILD) -b cman $(ALLSPHINXOPTS) $(BUILDDIR)/man
+	mkdir -p $(BUILDDIR)/man/man7
+	mv -f $(BUILDDIR)/man/*.7 $(BUILDDIR)/man/man7/
+	@echo
+	@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+.PHONY: texinfo
+texinfo:
+	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+	@echo
+	@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
+	@echo "Run \`make' in that directory to run these through makeinfo" \
+	      "(use \`make info' here to do that automatically)."
+
+.PHONY: info
+info:
+	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+	@echo "Running Texinfo files through makeinfo..."
+	make -C $(BUILDDIR)/texinfo info
+	@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
+
+.PHONY: gettext
+gettext:
+	$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
+	@echo
+	@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
+
+.PHONY: changes
+changes:
+	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+	@echo
+	@echo "The overview file is in $(BUILDDIR)/changes."
+
+.PHONY: linkcheck
+linkcheck:
+	$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+	@echo
+	@echo "Link check complete; look for any errors in the above output " \
+	      "or in $(BUILDDIR)/linkcheck/output.txt."
+
+.PHONY: doctest
+doctest:
+	$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+	@echo "Testing of doctests in the sources finished, look at the " \
+	      "results in $(BUILDDIR)/doctest/output.txt."
+
+.PHONY: coverage
+coverage:
+	$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
+	@echo "Testing of coverage in the sources finished, look at the " \
+	      "results in $(BUILDDIR)/coverage/python.txt."
+
+.PHONY: xml
+xml:
+	$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
+	@echo
+	@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
+
+.PHONY: pseudoxml
+pseudoxml:
+	$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
+	@echo
+	@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
+
+.PHONY: dummy
+dummy:
+	$(SPHINXBUILD) -b dummy $(ALLSPHINXOPTS) $(BUILDDIR)/dummy
+	@echo
+	@echo "Build finished. Dummy builder generates no files."

docs/src/conf.py

@@ -0,0 +1,101 @@
+#!/usr/bin/env python3
+
+import sys
+import os
+import sphinx_rtd_theme
+
+from datetime import date
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+# sys.path.insert(0, os.path.abspath('.'))
+sys.path.insert(0, os.path.abspath(os.path.join(
+    os.path.dirname(os.path.realpath(__file__)), "..", "..")))
+
+# -- General configuration ------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+    'docs.src.manpage',
+    'sphinx.ext.extlinks',
+]
+
+# The suffix(es) of source filenames.
+# You can specify multiple suffix as a list of string:
+source_suffix = ['.rst']
+
+# The encoding of source files.
+# source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = 'cdist-contrib'
+copyright = 'cdist-contrib contributors'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+
+version = str(date.today())
+release = os.popen('git rev-parse HEAD').read()
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# If true, `todo` and `todoList` produce output, else they produce nothing.
+todo_include_todos = False
+
+# -- Options for HTML output ----------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+html_theme = 'sphinx_rtd_theme'
+html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'cdistcontribdoc'
+
+# -- Options for manual page output ---------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+root_mandir = os.path.dirname(os.path.realpath(__file__))
+mandirs = []
+for mansubdir in ('man7',):
+    mandirs.append((os.path.join(root_mandir, mansubdir), mansubdir[-1]))
+man_pages = []
+for mandir, section in mandirs:
+    for root, dirs, files in os.walk(mandir):
+        for fname in files:
+            froot, fext = os.path.splitext(fname)
+            if fext == '.rst':
+                man_page = (os.path.join('man' + str(section), froot),
+                            froot, '', [], section)
+                man_pages.append(man_page)
+
+# man_pages = [
+#    ('cdist-type', 'cdist-type', 'cdist-type documentation',
+#         [author], 1),
+#    ('man7/cdist-type__file', 'cdist-type__file',
+#        '', [], 1),
+#    ('cdist-type__directory', 'cdist-type__directory',
+#        'cdist-type__directory documentation', [author], 1),
+# ]
+
+# If true, show URL addresses after external links.
+# man_show_urls = False

docs/src/index.rst.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+__cdist_pwd="$(pwd -P)"
+__cdist_mydir="${0%/*}";
+__cdist_abs_mydir="$(cd "$__cdist_mydir" && pwd -P)"
+__cdist_myname=${0##*/};
+__cdist_abs_myname="$__cdist_abs_mydir/$__cdist_myname"
+
+filename="${__cdist_myname%.sh}"
+dest="$__cdist_abs_mydir/$filename"
+
+if ! command -v pandoc > /dev/null; then
+	echo "Pandoc is required to generate HTML index from README." >&2
+	exit 1
+fi
+
+cd "$__cdist_abs_mydir"
+
+exec > "$dest"
+
+pandoc -f markdown -t rst ../../README.md
+
+cat << EOF
+
+.. toctree::
+   :hidden:
+
+EOF
+
+# If there is no such file then ls prints error to stderr,
+# so redirect stderr to /dev/null.
+for type in $(ls man7/cdist-type__*.rst 2>/dev/null | LC_ALL=C sort); do
+    no_dir="${type#man7/}";
+    no_type="${no_dir#cdist-type}";
+    name="${no_type%.rst}";
+    manref="${no_dir%.rst}"
+    man="${manref}(7)"
+
+    echo "      $name" "<man7/${manref}>"
+done

docs/src/manpage.py

@@ -0,0 +1,87 @@
+import sphinx.builders.manpage
+import sphinx.writers.manpage
+from docutils.frontend import OptionParser
+from sphinx.util.console import bold, darkgreen
+from six import string_types
+from docutils.io import FileOutput
+from os import path
+from sphinx.util.nodes import inline_all_toctrees
+from sphinx import addnodes
+from sphinx.util import logging
+
+"""
+    Extension based on sphinx builtin manpage.
+    It does not write its own .SH NAME based on config,
+    but leaves everything to actual reStructuredText file content.
+"""
+
+
+logger = logging.getLogger(__name__)
+
+
+class ManualPageTranslator(sphinx.writers.manpage.ManualPageTranslator):
+
+    def header(self):
+        tmpl = (".TH \"%(title_upper)s\" \"%(manual_section)s\""
+                " \"%(date)s\" \"%(version)s\" \"%(manual_group)s\"\n")
+        return tmpl % self._docinfo
+
+
+class ManualPageWriter(sphinx.writers.manpage.ManualPageWriter):
+
+    def __init__(self, builder):
+        super().__init__(builder)
+        self.translator_class = (
+            self.builder.get_translator_class() or ManualPageTranslator)
+
+
+class ManualPageBuilder(sphinx.builders.manpage.ManualPageBuilder):
+
+    name = 'cman'
+    default_translator_class = ManualPageTranslator
+
+    def write(self, *ignored):
+        docwriter = ManualPageWriter(self)
+        docsettings = OptionParser(
+            defaults=self.env.settings,
+            components=(docwriter,),
+            read_config_files=True).get_default_values()
+
+        logger.info(bold('writing... '), nonl=True)
+
+        for info in self.config.man_pages:
+            docname, name, description, authors, section = info
+            if isinstance(authors, string_types):
+                if authors:
+                    authors = [authors]
+                else:
+                    authors = []
+
+            targetname = '%s.%s' % (name, section)
+            logger.info(darkgreen(targetname) + ' { ', nonl=True)
+            destination = FileOutput(
+                destination_path=path.join(self.outdir, targetname),
+                encoding='utf-8')
+
+            tree = self.env.get_doctree(docname)
+            docnames = set()
+            largetree = inline_all_toctrees(self, docnames, docname, tree,
+                                            darkgreen, [docname])
+            logger.info('} ', nonl=True)
+            self.env.resolve_references(largetree, docname, self)
+            # remove pending_xref nodes
+            for pendingnode in largetree.traverse(addnodes.pending_xref):
+                pendingnode.replace_self(pendingnode.children)
+
+            largetree.settings = docsettings
+            largetree.settings.title = name
+            largetree.settings.subtitle = description
+            largetree.settings.authors = authors
+            largetree.settings.section = section
+
+            docwriter.write(largetree, destination)
+        logger.info("")
+
+
+def setup(app):
+    app.add_builder(ManualPageBuilder)

scripts/ci-container/Dockerfile

@@ -0,0 +1,7 @@
+# This image is used in the cdist-contrib CI for linting and generating the
+# documentation.
+FROM fedora:latest
+MAINTAINER Timothée Floure <fnux@ungleich.ch>
+
+RUN dnf install -y git findutils make python3-sphinx python3-sphinx_rtd_theme \
+			ShellCheck openssh-clients pandoc

scripts/run-shellcheck.sh

@@ -1,21 +1,29 @@
-#!/bin/sh
+#!/bin/sh -eu
 
-SHELLCHECKCMD="shellcheck -s sh -f gcc -x"
+SHELLCHECKCMD='shellcheck -s sh -f gcc -x'
 # Skip SC2154 for variables starting with __ since such variables are cdist
 # environment variables.
 SHELLCHECK_SKIP=': __.*is referenced but not assigned.*\[SC2154\]'
-SHELLCHECKTMP=".shellcheck.tmp"
+SHELLCHECKTMP='.shellcheck.tmp'
 
 # Move to top-level cdist-contrib directory.
-cd $(dirname $0)/..
+cd "$(dirname $0)"/..
 
-check () {
-	find type/ -type f $1 $2 -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}"  > "${SHELLCHECKTMP}"
-	test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
+check() {
+	find type/ -type f "$@" -exec ${SHELLCHECKCMD} {} + \
+	| grep -v "${SHELLCHECK_SKIP}" >>"${SHELLCHECKTMP}" || true
 }
 
-check -path "*/explorer/*"
-check -path "*/files/*"
+rm -f "${SHELLCHECKTMP}"
+
+check -path '*/explorer/*'
+check -path '*/files/*' -name '*.sh'
 check -name manifest
 check -name gencode-local
 check -name gencode-remote
+
+if test -s "${SHELLCHECKTMP}"
+then
+	cat "${SHELLCHECKTMP}" >&2
+	exit 1
+fi

type/__bird_bgp/files/template.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+# Template to generate a bgp protocol configuration file for bird(1).
+# Required non-empty variables:
+# __object_id, local_{ip,as}, neighbor_{ip,as}
+#
+# Required defined variables:
+# description, password, ipv{4,6}_{import,export}
+
+# Header
+echo "protocol bgp ${__object_id:?} {"
+
+# Optional description
+[ -n "${description?}" ] && printf "\tdescription \"%s\";\n" "${description?}"
+
+# Mandatory session information
+cat << EOF
+	local ${local_ip?} as ${local_as:?};
+	neighbor ${neighbor_ip:?} as ${neighbor_as:?};
+EOF
+
+# Direct connection ?
+[ -n "${direct?}" ] && printf "\tdirect;\n"
+
+# Password-protected session ?
+[ -n "${password?}" ] && printf "\tpassword \"%s\";\n" "${password?}"
+
+if [ -n "${ipv4_import?}" ] || [ -n "${ipv4_export?}" ] || "${ipv4_extended_next_hop?}";
+then
+	printf "\tipv4 {\n"
+	[ -n "${ipv4_import?}" ] && printf "\t\timport %s;\n" "${ipv4_import:?}"
+	[ -n "${ipv4_export?}" ] && printf "\t\texport %s;\n" "${ipv4_export:?}"
+	[ -n "${ipv4_extended_next_hop?}" ] && printf "\t\textended next hop;\n"
+	printf "\t};\n"
+fi
+if [ -n "${ipv6_import?}" ] || [ -n "${ipv6_export?}" ] || "${ipv6_extended_next_hop?}";
+then
+	printf "\tipv6 {\n"
+	[ -n "${ipv6_import?}" ] && printf "\t\timport %s;\n" "${ipv6_import:?}"
+	[ -n "${ipv6_export?}" ] && printf "\t\texport %s;\n" "${ipv6_export:?}"
+	[ -n "${ipv6_extended_next_hop?}" ] && printf "\t\textended next hop;\n"
+	printf "\t};\n"
+fi
+
+# Header close
+echo "}"

type/__bird_bgp/man.rst

@@ -0,0 +1,105 @@
+cdist-type__bird_bgp(7)
+=======================
+
+NAME
+----
+cdist-type__bird_bgp - configure an instance of the BGP protocol.
+
+
+DESCRIPTION
+-----------
+This type writes the configuration for an instance of the BGP protocol to be
+ran by the bird internet routing daemon. It **expects** to depend on the
+`cdist-type__bird_core(7)` type.
+
+
+REQUIRED PARAMETERS
+-------------------
+local-as
+    The number for the AS in which the daemon is running.
+
+neighbor-as
+    The number of the AS with which we are peering.
+
+neighbor-ip
+    The IP address of the peer we are opening a session with.
+
+
+OPTIONAL PARAMETERS
+-------------------
+description
+    An instance desciption to be printed when `birdc show protocols` is called.
+
+local-ip
+    The IP address used as a source address for the BGP session.
+
+password
+    A password for the BGP session.
+
+ipv4-import
+    A string suitable for the bird `import` directive. Usually `all`, `none` or
+    a filter definition.
+
+ipv4-export
+    See ipv4-import.
+
+ipv4-extended-next-hop
+    Allow IPv6 next hop in IPv4 NLRI.
+
+ipv6-import
+    See ipv4-import.
+
+ipv6-export
+    See ipv4-import.
+
+ipv6-extended-next-hop
+    Allow IPv4 next hop in IPv6 NLRI.
+
+
+BOOLEAN PARAMETERS
+------------------
+direct
+    Specify that the two routers are directly connected.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup bird and open a BGP session.
+    __bird_core --router-id 198.51.100.4
+
+    require='__bird_core' __bird_bgp bgp4 \
+        --description "a test IPv4 BGP instance" \
+        --ipv4-export all \
+        --ipv4-import all \
+        --ipv6-export none \
+        --ipv6-import none \
+        --local-as 1234 \
+        --local-ip 198.51.100.4 \
+        --neighbor-as 4321 \
+        --neighbor-ip 198.51.100.3 \
+        --password hunter01
+
+
+SEE ALSO
+--------
+cdist-type__bird_core(7)
+cdist-type__bird_filter(7)
+cdist-type__bird_kernel(7)
+cdist-type__bird_ospf(7)
+cdist-type__bird_static(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_bgp/manifest

@@ -0,0 +1,122 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+	"alpine"|"debian"|"ubuntu")
+		confdir="/etc/bird.d"
+	;;
+	*)
+		printf "Your operating system (%s) is currently not supported by __bird_bgp\n" "$os" >&2
+		printf "Please contribute an implementation for it if you can.\n" >&2
+		exit 1
+	;;
+esac
+
+# Required parameters
+local_as="$(cat "${__object:?}"/parameter/local-as)"
+export local_as
+
+neighbor_as="$(cat "${__object:?}"/parameter/neighbor-as)"
+export neighbor_as
+
+neighbor_ip="$(cat "${__object:?}"/parameter/neighbor-ip)"
+export neighbor_ip
+
+# Optional parameters
+description=
+if [ -f "${__object:?}"/parameter/description ];
+then
+	description="$(cat "${__object:?}"/parameter/description)"
+fi
+export description
+
+direct=
+if [ -f "${__object:?}"/parameter/direct ];
+then
+	direct="true"
+fi
+export direct
+
+ipv4_extended_next_hop=
+if [ -f "${__object:?}"/parameter/ipv4-extended-next-hop ];
+then
+	ipv4_extended_next_hop="true"
+fi
+export ipv4_extended_next_hop
+
+ipv6_extended_next_hop=
+if [ -f "${__object:?}"/parameter/ipv6-extended-next-hop ];
+then
+	ipv6_extended_next_hop="true"
+fi
+export ipv6_extended_next_hop
+
+local_ip=
+if [ -f "${__object:?}"/parameter/local-ip ];
+then
+	local_ip="$(cat "${__object:?}"/parameter/local-ip)"
+fi
+export local_ip
+
+password=
+if [ -f "${__object:?}"/parameter/password ];
+then
+	password="$(cat "${__object:?}"/parameter/password)"
+fi
+export password
+
+ipv4_import=
+if [ -f "${__object:?}"/parameter/ipv4-import ];
+then
+	ipv4_import="$(cat "${__object:?}"/parameter/ipv4-import)"
+fi
+export ipv4_import
+
+ipv4_export=
+if [ -f "${__object:?}"/parameter/ipv4-export ];
+then
+	ipv4_export="$(cat "${__object:?}"/parameter/ipv4-export)"
+fi
+export ipv4_export
+
+ipv6_import=
+if [ -f "${__object:?}"/parameter/ipv6-import ];
+then
+	ipv6_import="$(cat "${__object:?}"/parameter/ipv6-import)"
+fi
+export ipv6_import
+
+ipv6_export=
+if [ -f "${__object:?}"/parameter/ipv6-export ];
+then
+	ipv6_export="$(cat "${__object:?}"/parameter/ipv6-export)"
+fi
+export ipv6_export
+
+# Run template
+"${__type:?}"/files/template.sh > "${__files:?}/bgp-${__object_id:?}.conf"
+
+# Install resulting configuration
+__file "${confdir:?}"/bgp-"${__object_id:?}".conf \
+	--mode 0640 --owner root --group bird \
+	--source "${__files:?}/bgp-${__object_id:?}.conf"

type/__bird_bgp/parameter/boolean

@@ -0,0 +1,3 @@
+direct
+ipv4-extended-next-hop
+ipv6-extended-next-hop

type/__bird_bgp/parameter/optional

@@ -0,0 +1,7 @@
+description
+ipv4-export
+ipv4-import
+ipv6-export
+ipv6-import
+local-ip
+password

type/__bird_bgp/parameter/required

@@ -0,0 +1,3 @@
+local-as
+neighbor-as
+neighbor-ip

type/__bird_core/man.rst

@@ -0,0 +1,65 @@
+cdist-type__bird-core(7)
+========================
+
+NAME
+----
+cdist-type__bird-core - setup a skeleton bird configuration.
+
+
+DESCRIPTION
+-----------
+The `bird`_ daemon is an internet routing daemon, running protocols such as
+OSPF and BGP. This type creates a skeleton configuration file suitable for
+running a no-op bird. It is then intended to be combined - and depended on - by
+types specific to the instances of the various protocols that bird should run.
+
+.. _bird: https://bird.network.cz/
+
+OPTIONAL PARAMETERS
+-------------------
+router-id
+    This parameter follows the format of an IPv4 address, and will be used by
+    bird as its router id. See `the documentation for router id`_.
+
+.. _the documentation for router id: https://bird.network.cz/?get_doc&v=20&f=bird-3.html#opt-router-id
+
+log-params
+
+    This parameter expects a string suitable to follow the `log` bird
+    configuration key. If this parameter is not include, the value `syslog all`
+    is used. See `the documentation for log`_.
+
+.. _the documentation for log: https://bird.network.cz/?get_doc&v=20&f=bird-3.html#opt-log
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __bird-core --router-id 198.51.100.4
+
+    require='__bird-core' __bird_bgp <...>
+    require='__bird-core' __bird_ospf <...>
+
+
+SEE ALSO
+--------
+cdist-type__bird_bgp(7)
+cdist-type__bird_filter(7)
+cdist-type__bird_kernel(7)
+cdist-type__bird_ospf(7)
+cdist-type__bird_static(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_core/manifest

@@ -0,0 +1,72 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+package=
+conffile=
+confdir=
+case "$os" in
+	"alpine")
+		package=bird
+		conffile=/etc/bird.conf
+		confdir=/etc/bird.d
+	;;
+	*)
+		printf "Your operating system (%s) is currently not supported by __bird_core\n" "$os" >&2
+		printf "Please contribute an implementation for it if you can.\n" >&2
+		exit 1
+	;;
+esac
+
+router_id=
+if [ -f "${__object:?}/parameter/router-id" ];
+then
+	router_id="router id $(cat "${__object:?}"/parameter/router-id);"
+fi
+
+log_params="syslog all"
+if [ -f "${__object:?}/parameter/log-params" ];
+then
+	log_params="$(cat "${__object:?}"/parameter/log-params)"
+fi
+
+__package "$package"
+
+export require="__package/$package"
+__directory "$confdir"
+__file "$conffile" \
+	--mode 0640 --owner root --group bird \
+	--source - << EOF
+# $conffile - bird(1) configuration file.
+# Managed by cdist. Do not edit by hand.
+
+${router_id}
+log ${log_params};
+
+# Always include this "protocol": all it does is expose the available
+# interfaces to bird.
+protocol device {
+	description "Obtain a list of device interfaces.";
+}
+
+include "$confdir/*.conf";
+EOF

type/__bird_core/parameter/optional

@@ -0,0 +1 @@
+log-params

type/__bird_core/parameter/required

@@ -0,0 +1 @@
+router-id

type/__bird_filter/man.rst

@@ -0,0 +1,63 @@
+cdist-type__bird_filter(7)
+==========================
+
+NAME
+----
+cdist-type__bird_filter - Create a named filter to use in configuring bird.
+
+
+DESCRIPTION
+-----------
+This type writes a configuration file defining a filter named `__object_id` for
+the bird internet routing daemon. It is guaranteed that all filters defined
+through this type will be loaded before any other protocol defined using the
+cdist __bird_xxx types, except functions. However, note that if two filters
+have a dependency, they will be loaded in alphabetical order, so some care may
+need to be taken in the naming.
+
+This type takes it's input through stdin, expecting valid filter statements as
+per the bird configuration file syntax. The standard input will be printed out
+between a `filter __object_id {\n ... \n}`, so only the inner statements are
+needed.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup bird, a filter and open a BGP session.
+    __bird_core --router-id 198.51.100.4
+
+    require='__bird_core' __bird_filter bgp_export <<- EOF
+        if (source = RTS_DEVICE) then accept;
+        reject;
+    EOF
+
+    require='__bird_core' __bird_bgp bgp4 \
+        --description "a test IPv4 BGP instance" \
+        --ipv4-export "filter bgp_export" \
+        --[...]
+
+
+SEE ALSO
+--------
+cdist-type__bird_core(7)
+cdist-type__bird_bgp(7)
+cdist-type__bird_function(7)
+cdist-type__bird_kernel(7)
+cdist-type__bird_ospf(7)
+cdist-type__bird_static(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_filter/manifest

@@ -0,0 +1,44 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+'alpine'|'debian'|'ubuntu')
+	confdir=/etc/bird.d
+	;;
+*)
+	printf "Your operating system (%s) is currently not supported by __bird_filter\n" "$os" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+	;;
+esac
+
+# Filters start with 1 because bird loads the config in alphanumerical order
+# and we need them to be defined to be used in the rest of the stuff, but after
+# functions.
+__file "$confdir/1-filter-${__object_id:?}.conf" \
+	--owner root --group bird --mode 0640 \
+	--source - << EOF
+filter ${__object_id:?} {
+$(cat "${__object:?}"/stdin)
+}
+EOF

type/__bird_function/man.rst

@@ -0,0 +1,58 @@
+cdist-type__bird_function(7)
+============================
+
+NAME
+----
+cdist-type__bird_function - Create a named function to use in configuring bird.
+
+
+DESCRIPTION
+-----------
+
+This type writes a configuration file for the bird internet routing daemon. It
+is guaranteed that all functions defined through this type will be loaded
+before any other protocol defined using the cdist __bird_xxx types. However,
+note that if two functions have a dependency, they will be loaded in
+alphabetical order, so some care may need to be taken in the naming.
+
+This type takes it's input through stdin, expecting a valid function definition
+as per the bird configuration file syntax.
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup bird, a function and open a BGP session.
+    __bird_core --router-id 198.51.100.4
+
+    require='__bird_core' __bird_function is_device <<- EOF
+        function is_device (enum source)
+        {
+        if (source = RTS_DEVICE) then return true;
+        return false;
+        }
+    EOF
+
+
+SEE ALSO
+--------
+cdist-type__bird_core(7)
+cdist-type__bird_bgp(7)
+cdist-type__bird_filter(7)
+cdist-type__bird_kernel(7)
+cdist-type__bird_ospf(7)
+cdist-type__bird_static(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_function/manifest

@@ -0,0 +1,41 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+'alpine'|'debian'|'ubuntu')
+	confdir=/etc/bird.d
+	;;
+*)
+	printf "Your operating system (%s) is currently not supported by __bird_filter\n" "$os" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+	;;
+esac
+
+# Functions start with 0 because bird loads the config in alphanumerical order
+# and we need them to be defined to be used in the rest of the stuff.
+__file "$confdir/0-function-${__object_id:?}.conf" \
+	--owner root --group bird --mode 0640 \
+	--source - << EOF
+$(cat "${__object:?}"/stdin)
+EOF

type/__bird_kernel/man.rst

@@ -0,0 +1,73 @@
+cdist-type__bird_kernel(7)
+==========================
+
+NAME
+----
+cdist-type__bird_kernel - configure syncing of routes with the kernel.
+
+
+DESCRIPTION
+-----------
+
+This type writes the configuration for an instance of the kernel protocol to be
+ran by the bird internet routing daemon. It **expects** to depend on the
+`cdist-type__bird_core(7)` type.
+
+OPTIONAL PARAMETERS
+-------------------
+description
+    An instance desciption to be printed when `birdc show protocols` is called.
+
+persist
+    Instruct bird to leave routes in kernel table after exiting. See the bird
+    `persist` keyword.
+
+learn
+    Learn routes added externally to the kernel routing table. See the bird
+    `learn` keyword.
+
+channel
+    The channel to connect the protocol to. Usually `ipv4` or `ipv6`.
+
+import
+    A string suitable for the bird `import` directive. Usually `all`, `none` or
+    a filter definition.
+
+export
+    See import.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup bird and open a BGP session.
+    __bird_core --router-id 198.51.100.4
+
+    require='__bird_core' __bird_kernel k4 \
+        --learn --persist --channel ipv4 \
+        --import all \
+        --export all
+
+
+SEE ALSO
+--------
+cdist-type__bird_bgp(7)
+cdist-type__bird_core(7)
+cdist-type__bird_filter(7)
+cdist-type__bird_ospf(7)
+cdist-type__bird_static(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_kernel/manifest

@@ -0,0 +1,83 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+	"alpine"|"debian"|"ubuntu")
+		confdir="/etc/bird.d"
+	;;
+	*)
+		printf "Your operating system (%s) is currently not supported by __bird_kernel\n" "$os" >&2
+		printf "Please contribute an implementation for it if you can.\n" >&2
+		exit 1
+	;;
+esac
+
+# Required parameters
+channel="$(cat "${__object:?}/parameter/channel")"
+
+# Boolean switches
+persist=
+if [ -f "${__object:?}"/parameter/persist ];
+then
+	persist=true
+fi
+
+learn=
+if [ -f "${__object:?}"/parameter/learn ];
+then
+	learn=true
+fi
+
+# Optional parameters
+description=
+if [ -f "${__object:?}"/parameter/description ];
+then
+	description="$(cat "${__object:?}/parameter/description")"
+fi
+
+import=
+if [ -f "${__object:?}"/parameter/import ];
+then
+	import="$(cat "${__object:?}/parameter/import")"
+fi
+
+_export=
+if [ -f "${__object:?}"/parameter/export ];
+then
+	_export="$(cat "${__object:?}/parameter/export")"
+fi
+
+# Install resulting configuration
+__file "${confdir:?}"/kernel-"${__object_id:?}".conf \
+	--mode 0640 --owner root --group bird \
+	--source - << EOF
+protocol kernel ${__object_id:?} {
+$([ -n "${description?}" ] && printf "\tdescription \"%s\";\n" "${description?}")
+$([ -n "${persist?}" ] && printf "\tpersist;\n")
+$([ -n "${learn?}" ] && printf "\tlearn;\n")
+	${channel:?} {
+		import ${import:?};
+		export ${_export:?};
+	};
+}
+EOF

type/__bird_kernel/parameter/boolean

@@ -0,0 +1,2 @@
+learn
+persist

type/__bird_kernel/parameter/optional

@@ -0,0 +1 @@
+description

type/__bird_kernel/parameter/required

@@ -0,0 +1,3 @@
+channel
+import
+export

type/__bird_ospf/man.rst

@@ -0,0 +1,63 @@
+cdist-type__bird-ospf(7)
+========================
+
+NAME
+----
+cdist-type__bird-ospf - Configure an instance of the OSPF protocol
+
+
+DESCRIPTION
+-----------
+
+This type is an *extremely rudimentary* method to configure a simple OSPF
+protocol instance for bird, the internet routing daemon. Even this manpage is
+pretty crude and will be fixed and expanded.
+
+REQUIRED PARAMETERS
+-------------------
+channel
+    The channel the protocol should connect to. Usually `ipv4` or `ipv6`.
+
+import
+    The keyword or filter to decide what to import in the above channel.
+
+export
+    The keyword or filter to decide what to export in the above channel.
+
+OPTIONAL PARAMETERS
+-------------------
+description
+    A description given with `show protocol all`
+
+instance-id
+    An OSPF instance ID, allowing several OSPF instances to run on the same
+    links.
+
+extra-area-configuration
+    Configuration string added to the `area` section of the OSPF configuration.
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
+
+stubnet
+    Add an optionless stubnet definition to the configuration.
+
+interface
+    An interface to include in OSPF area 0. Is required unless
+    extra-area-configuration is set.
+
+SEE ALSO
+--------
+cdist-type__bird_core(7)
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_ospf/manifest

@@ -0,0 +1,81 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+'alpine'|'debian'|'ubuntu')
+	confdir='/etc/bird.d'
+;;
+*)
+	printf "Your operating system (%s) is currently not supported by this __bird_ospf\n" "$os" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+;;
+esac
+
+description=
+if [ -f "${__object:?}/parameter/description" ];
+then
+	description="$(cat "${__object:?}/parameter/description")"
+fi
+
+instance_id=
+if [ -f "${__object:?}/parameter/instance-id" ];
+then
+	instance_id="$(cat "${__object:?}/parameter/instance-id")"
+fi
+
+extra_area_configuration=
+if [ -f "${__object:?}/parameter/extra-area-configuration" ];
+then
+	extra_area_configuration="$(cat "${__object:?}/parameter/extra-area-configuration")"
+
+	if [ "$extra_area_configuration" = "-" ]; then
+		extra_area_configuration=$(cat "$__object/stdin")
+	fi
+fi
+
+if [ ! -f "${__object:?}/parameter/interface" ] && [ -z "$extra_area_configuration" ]; then
+	echo "Either --interface or --extra-area-configuration must be set." >&2
+	exit 1
+fi
+
+__file "${confdir:?}/ospf-${__object_id:?}.conf" \
+	--mode 0640 --owner root --group bird \
+	--source - << EOF
+protocol ospf v3 ${__object_id:?} {
+$([ -n "${description?}" ] && printf "\tdescription \"%s\";\n" "${description?}")
+$([ -n "${instance_id?}" ] && printf "\tinstance id %s;\n" "${instance_id?}")
+
+	$(cat "${__object:?}/parameter/channel") {
+		import $(cat "${__object:?}/parameter/import");
+		export $(cat "${__object:?}/parameter/export");
+	};
+
+	area 0 {
+$(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
+$(sed -e 's/^/\t\tsubnet /' -e 's/$/;/' "${__object:?}/parameter/subnet")
+
+		$extra_area_configuration
+	};
+}
+EOF

type/__bird_ospf/parameter/optional

@@ -0,0 +1,3 @@
+description
+instance-id
+extra-area-configuration

type/__bird_ospf/parameter/optional_multiple

@@ -0,0 +1,2 @@
+stubnet
+interface

type/__bird_ospf/parameter/required

@@ -0,0 +1,3 @@
+channel
+import
+export

type/__bird_radv/man.rst

@@ -0,0 +1,83 @@
+cdist-type__bird_radv(7)
+========================
+
+NAME
+----
+cdist-type__bird_radv - Configure the Bird Internet Router Daemon to send RAdvs.
+
+
+DESCRIPTION
+-----------
+
+The Bird Internet Router Daemon knows about a bunch of internet routing
+protocols. In particular, it can send Router Advertisements to help
+autoconfigure IPv6 hosts, this type is a rudimentary implementation to generate
+configuration for Bird to do so.
+
+
+REQUIRED PARAMETERS
+-------------------
+interface
+  The interfaces to activate the protocol on. RAs will be sent using the
+  prefixes configured on these interfaces.
+
+OPTIONAL PARAMETERS
+-------------------
+mtu
+  An optional MTU setting to include in the router advertisements.
+
+default-preference
+  This option specifies the Default Router Preference value to advertise to
+  hosts. Default: medium.
+
+route-preference
+  This option specifies the default value of advertised route preference for
+  specific routes. Default: medium.
+
+default-lifetime
+  This option specifies the time (in seconds) how long (since the receipt of RA)
+  hosts may use the router as a default router. 0 means do not use as a default
+  router. Default: 3.
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
+route
+  Routes to be added to the RA for hosts.
+
+ns
+  Recursive DNS servers given to the hosts through RAs.
+
+dnssl
+  Search domain to be given to the hosts through RAs.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __bird_radv datacenter \
+        --interface eth1 \
+        --mtu 9000 \
+        --route ::/0 \
+        --ns 2001:DB8:cafe::4 \
+        --ns 2001:DB8:cafe::14 \
+        --dnssl "example.com"
+
+
+SEE ALSO
+--------
+`__bird_core(7)`
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_radv/manifest

@@ -0,0 +1,110 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+'alpine'|'debian'|'ubuntu')
+	confdir='/etc/bird.d'
+;;
+*)
+	printf "Your operating system (%s) is currently not supported by __bird_radv\n" "$os" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+;;
+esac
+
+have_routes=no
+if [ -f "${__object:?}/parameter/route" ];
+then
+	have_routes=yes
+fi
+
+RDNS=
+if [ -f "${__object:?}/parameter/ns" ];
+then
+	RDNS=$(cat << EOF
+	rdnss {
+$(sed -e 's/^/\t\tns /' -e 's/$/;/' "${__object:?}/parameter/ns")
+	};
+
+EOF
+)
+fi
+
+DNSSL=
+if [ -f "${__object:?}/parameter/dnssl" ];
+then
+	DNSSL=$(sed -e 's/^/\tdnssl "/' -e 's/$/";/' "${__object:?}/parameter/dnssl")
+fi
+
+MTU=
+if [ -f "${__object:?}/parameter/mtu" ];
+then
+	MTU="link mtu $(cat "${__object:?}/parameter/mtu");"
+fi
+
+DEFAULT_PREFERENCE=
+if [ -f "${__object:?}/parameter/default-preference" ];
+then
+	DEFAULT_PREFERENCE="default preference $(cat "${__object:?}/parameter/default-preference");"
+fi
+
+ROUTE_PREFERENCE=
+if [ -f "${__object:?}/parameter/route-preference" ];
+then
+	ROUTE_PREFERENCE="route preference $(cat "${__object:?}/parameter/route-preference");"
+fi
+
+DEFAULT_LIFETIME=
+if [ -f "${__object:?}/parameter/default-lifetime" ];
+then
+	DEFAULT_LIFETIME="default lifetime $(cat "${__object:?}/parameter/default-lifetime");"
+fi
+
+__file "${confdir:?}/radv-${__object_id:?}.conf" \
+	--mode 0640 --owner root --group bird \
+	--source - << EOF
+ipv6 table radv_routes_${__object_id};
+
+protocol static {
+	description "Routes advertised via RAs";
+	ipv6 { table radv_routes_${__object_id}; };
+
+$(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
+}
+
+protocol radv ${__object_id:?} {
+	propagate routes ${have_routes:?};
+	ipv6 { table radv_routes_${__object_id}; export all; };
+
+	interface "$(cat "${__object:?}/parameter/interface")" {
+	$MTU
+	$DEFAULT_LIFETIME
+	$DEFAULT_PREFERENCE
+	$ROUTE_PREFERENCE
+	};
+
+$RDNS
+
+$DNSSL
+
+}
+EOF

type/__bird_radv/parameter/optional

@@ -0,0 +1,4 @@
+mtu
+default-preference
+route-preference
+default-lifetime

type/__bird_radv/parameter/optional_multiple

@@ -0,0 +1,3 @@
+dnssl
+ns
+route

type/__bird_radv/parameter/required

@@ -0,0 +1 @@
+interface

type/__bird_static/files/template.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+# Template to generate a static protocol configuration file for bird(1).
+# Required non-empty variables:
+# __object_id, object
+#
+# Required defined variables:
+# description
+
+# Header
+printf "protocol static %s {\n" "${__object_id:?}"
+
+# Optional description
+[ -n "${description?}" ] && printf "\tdescription \"%s\";\n" "${description:?}"
+
+# Channel choice
+printf "\t%s;\n" "$(cat "${__object:?}/parameter/channel")"
+
+# Routes
+while read -r route
+do
+	printf "\troute %s;\n" "${route?}"
+done < "${__object:?}/parameter/route"
+
+# Header close
+printf "}\n"

type/__bird_static/man.rst

@@ -0,0 +1,69 @@
+cdist-type__bird_static(7)
+==========================
+
+NAME
+----
+cdist-type__bird_static - configure an instance of the bird static protocol.
+
+
+DESCRIPTION
+-----------
+This type write the configuration file for an instance of the static protocl to
+be ran bu the bird internet routing daemon, allowing an administrator to inject
+static routes into the daemon's routing tables. This protocol allows for only
+one of two channels to be used, either `ipv4` or `ipv6`, by default `ipv6` is
+used unless the `ipv4` flag is passed. This type **expects** to depend on the
+`cdist-type__bird_core(7)` type.
+
+
+REQUIRED PARAMETERS
+-------------------
+channel
+   The channel to use between the protocol and the table.
+
+REQUIRED MULTIPLE PARAMETERS
+----------------------------
+route
+    This flag expects a valid route to be inserted between the bird `route`
+    keyword and the end of line. It may be specified as many times as necessary.
+
+
+OPTIONAL PARAMETERS
+-------------------
+description
+    An instance desciption to be printed when `birdc show protocols` is called.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup bird and open a BGP session.
+    __bird_core --router-id 198.51.100.4
+
+    require='__bird_core' __bird_static static4 \
+        --description "static ipv4 routes plugged into bird" \
+        --route "198.51.0.0/16 via 192.51.100.1" \
+        --route "192.52.0.0/16 via 192.51.100.1"
+
+
+SEE ALSO
+--------
+cdist-type__bird_core(7)
+cdist-type__bird_bgp(7)
+cdist-type__bird_kernel(7)
+cdist-type__bird_ospf(7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__bird_static/manifest

@@ -0,0 +1,51 @@
+#!/bin/sh -e
+#
+# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+	'alpine'|'debian'|'ubuntu')
+		confdir=/etc/bird.d
+	;;
+	*)
+		printf "Your operating system (%s) is currently not supported by __bird_static\n" "$os" >&2
+		printf "Please contribute an implementation for it if you can.\n" >&2
+		exit 1
+	;;
+esac
+
+# Required parameter route is directly accessed in template.
+# Boolean  parameter ipv4  is directly accessed in template.
+# Optional parameter description
+description=
+if [ -f "${__object:?}/parameter/description" ];
+then
+	description="$(cat "${__object:?}/parameter/description")"
+fi
+export description
+
+# Run template
+"${__type:?}"/files/template.sh > "${__files:?}/static-${__object_id:?}.conf"
+
+# Install resulting configuration
+__file "${confdir:?}"/static-"${__object_id:?}".conf \
+	--mode 0640 --owner root --group bird \
+	--source "${__files:?}/static-${__object_id:?}.conf"

type/__bird_static/parameter/optional

@@ -0,0 +1 @@
+description

type/__bird_static/parameter/required

@@ -0,0 +1 @@
+channel

type/__bird_static/parameter/required_multiple

@@ -0,0 +1 @@
+route

type/__borg_repo/gencode-remote

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+passphrase=
+appendonly=
+
+case "$(cat "${__object:?}/parameter/encryption")" in
+	none)
+		enc=none
+		;;
+	repokey)
+		enc=repokey
+		if [ -f "${__object:?}/parameter/passphrase" ];
+		then
+			passphrase="$(cat "${__object:?}/parameter/passphrase")"
+		else
+			echo "__borg_repo cannot use repokey encryption with no passphrase. Aborting." >&2;
+			exit 1;
+		fi
+		;;
+	*)
+		echo "$enc is not a known encryption mode for __borg_repo. Aborting." >&2
+		exit 1;
+esac
+
+if [ -f "${__object:?}/parameter/append-only" ];
+then
+	appendonly='--append-only'
+fi
+
+if [ -f "${__object:?}/parameter/owner" ];
+then
+	doas="sudo -u '$(cat "${__object:?}/parameter/owner")'"
+fi
+
+cat <<- EOF
+	set -x
+	if [ ! -d "/${__object_id:?}" ]; then
+		$doas BORG_NEW_PASSPHRASE=$passphrase borg init -e ${enc:?} $appendonly /${__object_id:?}
+	fi
+EOF
+

type/__borg_repo/man.rst

@@ -0,0 +1,46 @@
+cdist-type__borg_repo(7)
+========================
+
+NAME
+----
+cdist-type__borg_repo - Configure a borg repository on host
+
+
+DESCRIPTION
+-----------
+
+Initializes a borg repository at the location specified in the
+`${__object_id}`. Nothing is done if the repository already exists.
+
+Currently, only `none` and `repokey` are supported as encryption modes;
+`repokey` requires the `passphrase` argument to be given. The default is
+`none`.
+
+REQUIRED PARAMETERS
+-------------------
+encryption
+  The encryption to use.
+
+OPTIONAL PARAMETERS
+-------------------
+passphrase
+  The passphrase to encrypt the keyfile with.
+
+owner
+  Remote user owning the repository.
+
+BOOLEAN PARAMETERS
+------------------
+append-only
+  If the repository is append-only
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+COPYING
+-------
+Copyright \(C) 2020 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__borg_repo/manifest

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+os="$(cat "${__global:?}"/explorer/os)"
+
+case "$os" in
+	"alpine"|"ubuntu")
+		borg_package=borgbackup
+		;;
+	*)
+		echo "__borg_repo is not yet implemented for os $os. Aborting." >&2;
+		exit 1;
+esac
+
+__package "$borg_package"
+
+if [ -f "${__object:?}/parameter/owner" ];
+then
+	__package sudo
+fi
+

type/__borg_repo/parameter/boolean

@@ -0,0 +1 @@
+append-only

type/__borg_repo/parameter/default/encryption

@@ -0,0 +1 @@
+none

type/__borg_repo/parameter/optional

@@ -0,0 +1,2 @@
+passphrase
+owner

type/__borg_repo/parameter/required

@@ -0,0 +1 @@
+encryption

type/__dma/explorer/auth_conf

@@ -0,0 +1,49 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+# This explorer determines the path of dma's auth.conf file
+
+# No dma.conf -> use default
+test -f /etc/dma/dma.conf || {
+	echo /etc/dma/auth.conf
+	exit 0
+}
+test -r /etc/dma/dma.conf || {
+	echo 'Cannot read /etc/dma/dma.conf' >&2
+	exit 1
+}
+
+# Get AUTHPATH from dma.conf
+awk -F'[ \t]' '
+{
+	sub(/#.*$/, "", $0)  # remove comments
+	if (!$0) next  # ignore empty lines
+}
+$1 == "AUTHPATH" {
+	# Store authpath. In dma conf parsing last wins.
+	if ($2) authpath = substr($0, index($0, " ") + 1)
+}
+END {
+	if (authpath) {
+		print authpath
+		exit 0
+	} else exit 1
+}
+' /etc/dma/dma.conf \
+|| echo /etc/dma/auth.conf  # default

type/__dma/explorer/conf

@@ -0,0 +1,34 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+# This explorer returns a sorted list of "active" (= non-commented) lines
+# in the dma.conf file.
+# "Trailing" line comments are stripped off.
+#
+# NOTE: This explorer assumes that the sort(1) utility supports the non-POXIX
+#       -s (stable sort) option.
+
+CONF_PATH=/etc/dma  # set in Makefile
+dma_conf="${CONF_PATH:?}/dma.conf"
+
+test -f "${dma_conf}" || exit 0
+
+grep -v -e '^[ \t]*#\|^$' "${dma_conf}" \
+| sed -e 's/[ \t]*#.*$//' \
+| sort -s -k 1,1

type/__dma/files/update_dma_conf.awk

@@ -0,0 +1,178 @@
+#!/usr/bin/awk -f
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+
+function comment_line(line) {
+	# returns the position in line at which the comment's text starts
+	# (0 if the line is not a comment)
+	match(line, /^[ \t]*\#+[ \t]*/)
+	return RSTART ? (RLENGTH + 1) : 0
+}
+function empty_line(line) { return line ~ /^[ \t]*$/ }
+function is_word(s) { return s ~ /^[A-Z_]+$/ }  # "looks like a plausible word"
+
+function first(line, sep_re) {
+	# returns the part of the line until sep is found
+	# (or the whole line if sep is not found)
+	if (!sep_re) sep_re = "[" SUBSEP "]"
+	match(line, sep_re)
+	return RSTART ? substr(line, 1, RSTART - 1) : line
+}
+
+function rest(line, sep_re) {
+	# returns the part of the line after the first occurrence of sep is found.
+	# (or nothing if sep is not found)
+	if (!sep_re) sep_re = "[" SUBSEP "]"
+	if (match(line, sep_re))
+		return substr(line, RSTART + RLENGTH)
+}
+
+function conf_pop(word, value) {
+	# returns the next value for the config `word` and delete it from the list.
+	# if value is set, this function will only return value if it is the first
+	# option in the list, otherwise it returns 0.
+
+	if (!(word in conf)) return 0
+	if (!value) {
+		if (index(conf[word], SUBSEP))  # more than one element?
+			value = substr(conf[word], 1, index(conf[word], SUBSEP) - 1)
+		else
+			value = conf[word]
+	}
+
+	if (index(conf[word], SUBSEP)) {
+		if (index(conf[word], value SUBSEP) != 1) return 0
+		conf[word] = substr(conf[word], length(value) + 2)
+	} else {
+		if (conf[word] != value) return 0
+		delete conf[word]
+	}
+	return value
+}
+
+function print_conf(word, value) {
+	# print a config line with the given parameters
+	printf "%s", word
+	if (value) printf " %s", value
+	printf "\n"
+}
+
+function print_confs(word,    value) {
+	# print config lines for all values stored in conf[word].
+	if (!(word in conf)) return
+	if (conf[word]) {
+		while (value = conf_pop(word))
+			print_conf(word, value)
+	} else {
+		print_conf(word)
+		delete conf[word]
+	}
+}
+
+BEGIN {
+	FS = "\n"
+	EQS = "[ \t]"  # copied from dma/conf.c
+
+	if (ARGV[2]) exit (e=1)
+
+	# Loop over file twice!
+	ARGV[2] = ARGV[1]
+	ARGC++
+
+	# read the "should" state into the `conf` array.
+	while (getline < "/dev/stdin") {
+		word = first($0, EQS)
+		if ((word in conf))
+			conf[word] = conf[word] SUBSEP rest($0, EQS)
+		else
+			conf[word] = rest($0, EQS)
+	}
+}
+
+# first pass, gather information about where which information is stored in the
+# current config file. This information will be used in the second pass.
+NR == FNR {
+	if (comment_line($0)) {
+		# comment line
+		word = first(substr($0, comment_line($0)), " ")
+		if (is_word(word)) last_occ["#" word] = FNR
+	} else {
+		word = first($0, EQS)
+		if (is_word(word)) last_occ[word] = FNR
+	}
+}
+
+# before second pass prepare hashes containing location information to be used
+# in the second pass.
+NR > FNR && FNR == 1 {
+	# First we drop the locations of commented-out options if a non-commented
+	# option is available. If a non-commented option is available, we will
+	# append new config options there to have them all at one place.
+	for (k in last_occ)
+		if (k ~ /^\#/ && (substr(k, 2) in last_occ))
+			delete last_occ[k]
+
+	# Reverse the option => line mapping. The line_map allows for easier lookups
+	# in the second pass.
+	for (k in last_occ) line_map[last_occ[k]] = k
+}
+
+# second pass, generate and output new config
+NR > FNR {
+	if (comment_line($0) || empty_line($0)) {
+		# comment or empty line
+		print
+
+		if ((FNR in line_map)) {
+			if (line_map[FNR] ~ /^\#/) {
+				# This line contains a commented config option. If the conf hash
+				# contains options to be set, we output them here because this
+				# option is not used in the current config.
+				k = substr(line_map[FNR], 2)
+				if ((k in conf)) print_confs(k)
+			}
+
+			if (("INSECURE" in conf) && line_map[FNR] ~ /^\#?SECURE$/) {
+				# INSECURE goes where SECURE comment is.
+				print_confs("INSECURE")
+			}
+		}
+	} else {
+		word = first($0, EQS)
+		value = rest($0, EQS)
+		sub(/[ \t]*\#.*$/, "", value)  # ignore comments in value
+
+		if ((word in conf) && value == first(conf[word])) {
+			# keep config options we want
+			conf_pop(word)
+			print
+		}
+
+		if ((FNR in line_map) && line_map[FNR] == word) {
+			# rest of config options should be here
+			print_confs(word)
+		}
+	}
+}
+
+END {
+	if (e) exit
+
+	# print rest of config options (
+	for (word in conf) print_confs(word)
+}

type/__dma/gencode-remote

@@ -0,0 +1,177 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
+drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
+
+CONF_PATH=/etc/dma  # set in Makefile
+
+# Determine mailname
+if test -f "${__object:?}/parameter/mailname"
+then
+	mailname=$(cat "${__object:?}/parameter/mailname")
+else
+	case $(cat "${__global:?}/explorer/os")
+	in
+		(debian|devuan|ubuntu)
+			# On Debian-like systems use /etc/mailname unless --mailname is used
+			mailname='/etc/mailname'
+			;;
+		(*)
+			mailname=${__target_fqdn:?}
+			;;
+	esac
+fi
+
+
+# Generate "should" values for config
+conf_should=$(
+	if test -s "${__object:?}/parameter/smarthost"
+	then
+		printf 'SMARTHOST %s\n' "$(cat "${__object:?}/parameter/smarthost")"
+	fi
+
+	printf 'MAILNAME %s\n' "${mailname}"
+
+	if test -s "${__object:?}/explorer/auth_conf"
+	then
+		printf "AUTHPATH %s\n" "$(cat "${__object:?}/explorer/auth_conf")"
+	fi
+
+	case $(cat "${__object:?}/parameter/security")
+	in
+		(ssl|tls)
+			default_smtp_port=465
+			echo 'SECURETRANSFER'
+			;;
+		(starttls)
+			default_smtp_port=587
+			echo 'SECURETRANSFER'
+			echo 'STARTTLS'
+			;;
+		(opportunistic)
+			default_smtp_port=25
+			echo 'SECURETRANSFER'
+			echo 'STARTTLS'
+			echo 'OPPORTUNISTIC_TLS'
+			;;
+		(insecure)
+			default_smtp_port=25
+			echo 'INSECURE'
+			;;
+	esac
+
+	if test -s "${__object:?}/parameter/port"
+	then
+		printf 'PORT %u\n' "$(cat "${__object:?}/parameter/port")"
+	elif test "${default_smtp_port}" -ne 25  # DMA uses port 25 by default
+	then
+		printf 'PORT %u\n' "${default_smtp_port}"
+	fi
+
+	if test -f "${__object:?}/parameter/masquerade"
+	then
+		while read -r line
+		do
+			printf 'MASQUERADE %s\n' "${line}"
+		done <"${__object:?}/parameter/masquerade"
+	fi
+
+	if test -f "${__object:?}/parameter/defer"
+	then
+		echo 'DEFER'
+	fi
+
+	if test -f "${__object:?}/parameter/fullbounce"
+	then
+		echo 'FULLBOUNCE'
+	fi
+
+	if test -f "${__object:?}/parameter/nullclient"
+	then
+		test -s "${__object:?}/parameter/smarthost" || {
+			echo '--nullclient requires a --smarthost to be defined' >&2
+			exit 1
+		}
+
+		echo 'NULLCLIENT'
+	fi
+)
+# Sort conf_should to compare against "conf_is"
+conf_should=$(echo "${conf_should}" | sort -s -k 1,1)
+
+config_updated=false
+if ! echo "${conf_should}" | cmp -s "${__object:?}/explorer/conf" -
+then
+	# config needs to be updated
+	dma_conf="${CONF_PATH:?}/dma.conf"
+
+	# The following AWK script will output the new config file to be stored on
+	# disk. To do so it reads the current dma.conf file and the config options
+	# that should be set (from stdin).
+	# Note that the path to the current dma.conf is passed to AWK twice, because
+	# the new file cannot be generated in one pass.
+
+	# The logic tries to place options at a sensible location, that is:
+	# a) if the option is already used in the config file:
+	#    group all similar options (e.g. MASQUERADE) at one place in the order
+	#    they are listed in stdin.
+	# b) if it is a new option and a "default comment" (e.g. "#PORT 25") exists:
+	#    place options grouped directly after the comment (the comment is left
+	#    alone)
+	# c) otherwise:
+	#    options are grouped by word (the first word in the line) and appended
+	#    at the end of the file.
+
+	cat <<-CODE
+	awk $(drop_awk_comments "${__type:?}/files/update_dma_conf.awk") $(quote "${dma_conf}") <<'EOF' >$(quote "${dma_conf}.tmp") \
+	&& cat $(quote "${dma_conf}.tmp") >$(quote "${dma_conf}")
+	${conf_should}
+	EOF
+	rm $(quote "${dma_conf}.tmp")
+	CODE
+
+	config_updated=true
+	echo 'config updated' >>"${__messages_out:?}"
+fi
+
+
+# Send a test email if enabled and necessary (=configuration changed)
+if test -f "${__object:?}/parameter/send-test-mail"
+then
+	if grep -q '^__mail_alias/root:' "${__messages_in:?}" \
+	|| grep -q '^__dma_auth/' "${__messages_in:?}" \
+	|| ${config_updated}
+	then
+		cat <<-CODE
+		sendmail root <<'EOF'
+		Subject: [cdist] Test mail from '${__target_fqdn:?}'
+
+		Hi,
+
+		you can ignore this message.
+		Its sole purpose is to notify you that root mail on ${__target_fqdn:?}
+		will be redirected to you.
+
+		Enjoy!
+		EOF
+		CODE
+	fi
+fi

type/__dma/man.rst

@@ -0,0 +1,112 @@
+cdist-type__dma(7)
+============================
+
+NAME
+----
+cdist-type__dma - Setup the DragonFly Mail Agent as the MTA.
+
+
+DESCRIPTION
+-----------
+This (singleton) type uses DMA, a small Mail Transport Agent (MTA), to accept
+mails from locally installed Mail User Agents (MUA) and either deliver the mails
+to a remote smart host for delivery or communicate with remote SMTP servers
+directly.
+
+
+REQUIRED PARAMETERS
+-------------------
+None.
+
+
+BOOLEAN PARAMETERS
+------------------
+defer
+    If enabled, mail will not be sent immediately, but stored in a queue.
+    To flush the queue and send the mails, ```dma -q`` has to be run
+    periodically (e.g. using a cron job.)
+    This type does not manage such a cron job, but some operating systems ship
+    such a cron job with the package.
+fullbounce
+    Enable if bounce messages should include the complete original message,
+    not just the headers.
+nullclient
+    Enable to bypass aliases and local delivery, and instead forward all mails
+    to the defined ``--smarthost``.
+send-test-mail
+    If set, this type will send a test email to root after setup, to check if
+    the configured settings work.
+
+
+OPTIONAL PARAMETERS
+-------------------
+mailname
+    If present, this will be the hostname used to identify this host and the
+    remote part of the sender addresses.
+    If not defined, it defaults to ``/etc/mailname`` on Debian derivatives and
+    to ``__target_fqdn`` otherwise.
+    See `dma(8)` for more information.
+
+    Note: on Debian derivatives the ``/etc/mailname`` file should be updated
+    instead of using this parameter.
+masquerade
+    Masquerade the envelope-from addresses with this address/hostname.
+    Use this setting if mails are not accepted by destination mail servers
+    because your sender domain is invalid.
+    This option can be used multiple times.
+    For more information see the `dma(8)` man page.
+port
+    The port on which to deliver email.
+    If not provided, a sensible default port will be used based on the
+    ``--security`` argument.
+security
+    Configures whether and how DMA should use secure connections.
+
+    ssl/tls
+        Enable TLS/SSL secured transfer.
+    starttls
+        Use STARTTLS to establish a secure connection.
+    opportunistic (default)
+        Will try to establish a secure connection using STARTTLS, but allow
+        unencrypted transfer if STARTTLS fails.
+        Most useful when dma is used without a smarthost, delivering remote
+        messages directly to the outside mail exchangers.
+    insecure
+        allow plain text SMTP login over an insecure connection.
+        Should really *not* be used anymore!
+smarthost
+    The mail server used to send email.
+    It must be configured to act as a relay for the host being configured by
+    this type so that mail can be sent to users non-local to the smarthost.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Install DMA and use the smarthost mx1.domain.tld to send mail.
+    __dma --smarthost mx1.domain.tld --send-test-mail
+
+    # Install DMA in a default configuration.
+    __dma
+
+
+SEE ALSO
+--------
+- `DragonFly Mail Agent <https://github.com/corecode/dma>`_
+- `DragonFly Handbook MTA <https://www.dragonflybsd.org/handbook/mta/>`_
+
+
+AUTHORS
+-------
+Evilham <contact@evilham.com>
+Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2020 Evilham and Dennis Camera. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__dma/manifest

@@ -0,0 +1,66 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+os=$(cat "${__global:?}/explorer/os")
+
+# Install DMA
+case ${os}
+in
+	(alpine)
+		__package dma --state present
+		export require='__package/dma'
+		;;
+	(debian|devuan|ubuntu)
+		__package dma --state present
+		export require='__package/dma'
+		;;
+	(freebsd)
+		# Stop sendmail if necessary
+		__process 'sendmail' --name 'sendmail.*' --state absent \
+			--stop '/etc/rc.d/sendmail onestop'
+
+		# ... and disable it
+		__key_value 'rcconf-sendmail-enable' --file '/etc/rc.conf' \
+			--key 'sendmail_enable' --delimiter '=' --value '"NONE"' \
+			--exact_delimiter
+
+		# Setup mailwrapper accordingly
+		__file '/etc/mail/mailer.conf' --mode 0644 --source - <<-'EOF'
+			#
+			# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
+			#
+			sendmail	/usr/libexec/dma
+			send-mail	/usr/libexec/dma
+			mailq		/usr/libexec/dma
+			newaliases	/usr/libexec/dma
+			rmail		/usr/libexec/dma
+		EOF
+		;;
+	(*)
+		cat <<EOF >&2
+Your OS (${os}) is not supported yet.
+
+Maybe adding support is as simple as adapting the packages or allowing it,
+we highly encourage you to open a PR with the necessary changes.
+See: https://code.ungleich.ch/ungleich-public/cdist-contrib/
+EOF
+		exit 1
+		;;
+esac

type/__dma/parameter/boolean

@@ -0,0 +1,4 @@
+defer
+fullbounce
+nullclient
+send-test-mail

type/__dma/parameter/default/security

@@ -0,0 +1 @@
+opportunistic

type/__dma/parameter/optional

@@ -0,0 +1,4 @@
+mailname
+port
+security
+smarthost

type/__dma/parameter/optional_multiple

@@ -0,0 +1 @@
+masquerade

type/__dma_auth/explorer/auth_conf

@@ -0,0 +1 @@
+../../__dma/explorer/auth_conf

type/__dma_auth/explorer/state

@@ -0,0 +1,91 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+# This explorer looks for a line matching the server parameter
+# in dma's auth.conf and reports:
+#   present:            a line matching login + host + password exists
+#   absent:             no line matching login + host exists
+#   different_login:    a line exists but with a different login user
+#   different_password: a line exists but with a different password
+#   multiple:           multiple lines matching host exist (should not happen)
+
+auth_conf=$("${__type_explorer:?}/auth_conf")
+test -r "${auth_conf}" || exit 0
+
+awk -F'\n' '
+function getvalue(path) {
+	# Reads the first line of the file located at path and returns it.
+	getline < path
+	close(path)
+	return $0
+}
+
+BEGIN {
+	DP = "[: \t]"  # copied from dma/conf.c
+
+	parameter_dir = ENVIRON["__object"] "/parameter/"
+
+	# Read the parameters of this object
+	host_param = ENVIRON["__object_id"]
+	login_param = getvalue(parameter_dir "login")
+	passwd_param = getvalue(parameter_dir "password")
+
+	state = "absent"
+}
+
+/^#/ || /^$/ {
+	# skip comments and empty lines
+	next
+}
+
+{
+	# parse line
+
+	login = substr($0, 1, index($0, "|") - 1)
+	if (!login) { login = $0 }  # if no "|" found
+
+	host = substr($0, length(login) + 2)
+
+	if (match(host, DP)) {
+		passwd = substr(host, RSTART + 1)
+		host = substr(host, 1, RSTART - 1)
+	} else {
+		passwd = ""
+	}
+}
+
+host == host_param {
+	# a match…
+	if (state == "absent") {
+		if (login != login_param)
+			state = "different_login"
+		else if (passwd != passwd_param)
+			state = "different_password"
+		else
+			state = "present"
+	} else {
+		# report "multiple" to that the type can remove the duplicates.
+		state = "multiple"
+	}
+}
+
+END {
+	print state
+}
+' "${auth_conf}"

type/__dma_auth/files/update_dma_auth.awk

@@ -0,0 +1,93 @@
+#!/usr/bin/awk -f
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+function getvalue(path) {
+	# Reads the first line of the file located at path and returns it.
+	getline < path
+	close(path)
+	return $0
+}
+
+function print_should() {
+	printf "%s|%s:%s\n", login_param, host_param, passwd_param
+}
+
+BEGIN {
+	FS = "\n"
+	DP = "[: \t]"  # copied from dma/conf.c
+
+	parameter_dir = ENVIRON["__object"] "/parameter/"
+
+	mode = (getvalue(parameter_dir "state") != "absent")
+
+	host_param = ENVIRON["__object_id"]
+	login_param = getvalue(parameter_dir "login")
+	passwd_param = getvalue(parameter_dir "password")
+}
+
+# skip comments and empty lines
+/^#/ || /^$/ {
+	print
+	next
+}
+
+{
+	# parse line (like dma/conf.c would)
+
+	login = substr($0, 1, index($0, "|") - 1)
+	if (!login) { login = $0 }  # if no "|" found
+
+	host = substr($0, length(login) + 2)
+
+	if (match(host, DP)) {
+		passwd = substr(host, RSTART + 1)
+		host = substr(host, 1, RSTART - 1)
+	} else {
+		passwd = ""
+	}
+}
+
+host == host_param {
+	if (mode) {
+		# state_should == present
+		if (!written) {
+			# replace first line if host matches (but only if no line has
+			# been written already -> no duplicates)
+			print_should()
+			written = 1
+		}
+		next
+	} else {
+		# state_should == absent
+		next
+	}
+}
+
+# leave other lines alone
+{
+	print
+}
+
+END {
+	if (mode && !written) {
+		# append line if no match to replace was found
+		print_should()
+	}
+}

type/__dma_auth/gencode-remote

@@ -0,0 +1,72 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
+drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
+
+state_is=$(cat "${__object:?}/explorer/state")
+state_should=$(cat "${__object:?}/parameter/state")
+
+server=${__object_id:?}
+login=$(cat "${__object:?}/parameter/login")
+
+
+auth_conf=$(cat "${__object:?}/explorer/auth_conf")
+test -n "${auth_conf}" || {
+	echo 'Cannot determine path of dma auth.conf' >&2
+	exit 1
+}
+
+if test "${state_is}" = "${state_should}"
+then
+	# state is as it should
+	exit 0
+fi
+
+case ${state_should}
+in
+	(present)
+		test -n "${login}" || { echo '--login must be non-empty' >&2; exit 1; }
+
+		if test "${state_is}" = 'absent'
+		then
+			printf 'add authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
+		else
+			printf 'set authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
+		fi
+		;;
+	(absent)
+		printf 'delete authuser %s on %s\n' "${login}" "${server}" >>"${__messages_out:?}"
+		;;
+	(*)
+		printf 'Invalid --state: %s.\n' "${state_should}" >&2
+		printf 'Acceptable values are: present, absent.\n' >&2
+		exit 1
+		;;
+esac
+
+
+cat <<EOF
+test -f $(quote "${auth_conf}") || touch $(quote "${auth_conf}")
+
+awk $(drop_awk_comments "${__type:?}/files/update_dma_auth.awk") <$(quote "${auth_conf}") >$(quote "${auth_conf}.tmp") \
+&& cat $(quote "${auth_conf}.tmp") >$(quote "${auth_conf}")
+rm -f $(quote "${auth_conf}.tmp")
+EOF

type/__dma_auth/man.rst

@@ -0,0 +1,66 @@
+cdist-type__dma_auth(7)
+=======================
+
+NAME
+----
+cdist-type__dma_auth - Configure SMTP logins for the DragonFly Mail Agent MTA.
+
+
+DESCRIPTION
+-----------
+This cdist type allows you to set up credentials to log in to remote SMTP
+servers.
+
+NB: dma currently (v0.13) does not differentiate between users on a host.
+    It will use whatever user it finds in the ``auth.conf`` first.
+    Thus, this type will use the ``__object_id`` as the host specifier.
+
+
+REQUIRED PARAMETERS
+-------------------
+login
+    The user's LOGIN name on the SMTP server.
+password
+    The user's password (in plain text.)
+
+
+OPTIONAL PARAMETERS
+-------------------
+state
+    Either ``present`` or ``absent``. Defaults to ``present``.
+
+BOOLEAN PARAMETERS
+------------------
+None.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Set the password for smarthost
+    __dma_auth smarthost.example.com --login joe --password hunter2
+
+    # Set credentials for user at an external provider
+    __dma_auth mail.provider.com --login paul@example.com --password letmein
+
+    # Delete credentials for example.com (for all users)
+    __dma_auth example.com --login '' --password '' --state absent
+
+SEE ALSO
+--------
+:strong:`cdist-type__dma`\ (7), :strong:`dma`\ (8)
+
+
+AUTHORS
+-------
+Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2020 Dennis Camera. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__dma_auth/parameter/default/state

@@ -0,0 +1 @@
+present

type/__dma_auth/parameter/optional

@@ -0,0 +1 @@
+state

type/__dma_auth/parameter/required

@@ -0,0 +1,2 @@
+login
+password

type/__jitsi_meet/explorer/configured-memory

@@ -0,0 +1,15 @@
+#!/bin/sh -eu
+
+JICOFO="/usr/share/jicofo/jicofo.sh"
+VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc"
+
+if [ -f "${JICOFO:?}" ]; then
+	jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)"
+fi
+if [ -f "${VIDEOBRIDGE:?}" ]; then
+	vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)"
+fi
+cat <<EOF
+jicofo	${jicofo_memory:-n/a}
+videobridge	${vb_memory:-n/a}
+EOF

type/__jitsi_meet/explorer/jicofo-authpassword

@@ -0,0 +1,26 @@
+#!/bin/sh -eu
+
+JICOFO_AUTHPASSWORD=""
+# We need this to properly configure jicofo
+
+# Default to reading debconf
+DEBCONF_PASS_FILE="/var/cache/debconf/passwords.dat"
+if [ -f "${DEBCONF_PASS_FILE}" ]; then
+	JICOFO_AUTHPASSWORD="$(grep -A1 'Template: jicofo/jicofo-authpassword' "${DEBCONF_PASS_FILE}" | tail -n 1 | cut -d ' ' -f 2-)"
+fi
+
+# Try jicofo.conf if necessary
+JICOFO_CONF_FILE="/etc/jitsi/jicofo/jicofo.conf"
+if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONF_FILE}" ]; then
+	JICOFO_AUTHPASSWORD="$(grep -E '^[[:space:]]*password:' "${JICOFO_CONF_FILE}" | sed -E 's!^[^:]*:[[:space:]]*"(.*)"$!\1!')"
+fi
+
+# And fallback to config file if necessary
+JICOFO_CONFIG_FILE="/etc/jitsi/jicofo/config"
+if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONFIG_FILE}" ]; then
+	JICOFO_AUTHPASSWORD="$(grep -E '^JICOFO_AUTH_PASSWORD=' "${JICOFO_CONFIG_FILE}" | cut -d '=' -f 2-)"
+fi
+
+# If we didn't find it, this is likely a new installation and we'll generate
+# the password on the manifest
+echo "${JICOFO_AUTHPASSWORD:-}"

type/__jitsi_meet/explorer/jitsi-status

@@ -0,0 +1,6 @@
+#!/bin/sh -eu
+
+if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
+	# TODO: detect curl / depend on it?
+	curl -s localhost:9888/metrics
+fi

type/__jitsi_meet/files/apt_2021.gpg

@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGB4bEkBEADffHELs6RBZEEgme2L6KXyO5XThI5ROFCMZ+4X1mZTKPyihuMX
+u1IQeaLQhUKEw60NZH1HyvH11L33LYcimlyLDG7N6s/MjWtLAI+wkgb6iYY2mArM
+3TqPTzVgZUcJl5Strft2U8QNq9N2qslbF7hm3g35M78r5CJmlVQYO298rz6ybovO
+9TTB/C3KbDMHohEXIdVlAIKAtu+/5dWQtP7NR3RZHpfMoOvf65NiZRsudZ5SZcd1
+8G7n0nv6NF5Ul+cuLsOMh7r2KiPjpHuQwobwEJpc8Nags6xTqQ8riyJsv8KXJNZh
+51OQWYyQhMz/O3mVSbfdfmS4u4HUb3pheUmjq2Lx4vTlSzyCRniRC4VIhViRawTL
+QyIpdw85CN7iJPN+2ZYOU4knZgSv9CDmuKFqxGSd/j4QHtL/K4e3wFE/kwD+4SWL
++xAsCZQPnZu9RNdmTfaSfsPqSwQFErTGWyuGJBzN0EFGRFIMI3m3AJSC6OOFycDV
+4KPJHBQKcTH4oVF3opAJj3X45oa6886TAjwAsPG1R5FapqhWRzWsq8Cn3rr6EKJ/
+8xf9Ep/KIMNJtZoout7f2AEmP/oQTNft+wWEejprd0aJMX4O6NOSG4UNxRbm32gf
+rBEajiLUA0cJW+se40ACZXri36Ea8HnKnYsCaXZba9FMy9Te0OkySJpQYwARAQAB
+tBVKaXRzaSA8ZGV2QGppdHNpLm9yZz6JAk4EEwEIADgWIQT/1loNor6963PUTIu0
+0tIW8f14BgUCYHhsSQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC00tIW
+8f14Bt8eEADPmi1X9ycjevFR82sGo0qTUEgndu9tWiGQzS3E7SG1wIkRqiwSk7X2
+J1Mrxa5kIEkl0KctpYQjhEJWV8TfATOekKhoxtanZef9q9EvpNLBJGifXAHt9b2o
+Dzk7437cytW71jlByrbjUe7tVQtaEJZuOczjZGnHw70Yv6H0DUQuRDlJmocHzzU3
+AgpXJ+XoS1p8gI64OgIzXVOhvyZVyNqbn0PyqeroRbxC0DPwGsTA8MYgf3ujowAI
+ntVtSv0kzbZP0xU/3zpmuD+Lw0Msq4idnE0e+nApfThF28w+MAF4EikXovwr+FEh
+6Czt3KGrUuoCUY1YmLqSpLQaHYvF1oRsnZIVEecXBY/sRxxOvLk4HsJtIV6jJ3qS
+XAGPsxAJJBlsT0nvPC+x46wvOxBYv2WgmVRrnrz7vpp1C8yRYAaab10lUq+PufYr
+S4wQXvbTKAelpOZhR00qJ1Ati7y1TFv3xFhlhEjg/r2TUc2oFEYdlIPpfkiCPeCz
+kcTXB6iwuUn59Qm6ksGCL/ITo3sWZSDbOQIG63hb0FRZkF8mWnmPcGoPmR5kmvr7
+QzHKmfomaORyLofXqrXf3zfhDpe5kSxfLbTsRnHCx46XJWXMFh70T19j4ILnWaGj
+bnA9OWWtEyMCp9GeJPtmWKsBhP8ywt0jbbfHzczBfWRO06n47/BLSLkCDQRgeGxJ
+ARAA1pi0AZ0kcW1aW9sKZNYJ2JXjsefqnqtUUDI0xOSSl5+Lzjtj1lPA1Xr2L9V4
+FyUGG6N8BeQcyfl7ZAFp6EWS/RATaOze/rKxImArHdY0L48rEQNBCg6lDsvvPJYd
+cMFuNFm9e+2vggKU+o0zpDiV0WIjar/I5aVyObQ77EBOJlEPDSjz2essTbZZ5Bpr
+w6pRSQ8CjpOpSrNwoDDhNfHPEcokkccmPlE8xdmXn1oM5Zj/LKOEKBqJUh1Ucykh
+EE9g/Mch6GV6AnuFrtAeWYzx5kfNlBvz1Y7w3TXnboQP8b9IeQwNyZTWaMMstn8z
+nt8RKnrTA2eOGO61ySgtMU3fEJSN0mqH3cjpAzPX9rcdipMLe3ZDGYlixFAXpctc
+dhKvEqxd+bxtvFTQlSsSSQe9DvXQOfb9pp+6SjejhTvsWhWwhPzWIOLX4IBiX13q
+D5ct/IxsLwhk23+r9zpk74xwRplX4FTc3o1m+NpoWXRRAekcKd5AgnlAhY9O7Tv+
+31ORR6X/hCYcs1vnxbHJgWrzv01Gx8mcOj/+7aCctsQ32oQWM6FQY/vcpSxTjJsb
+npiS3ZIUYNXf32UnAuZUyCaqrpLAVAwNGBxmpwQb1SUx7HBA8e2lHbEqKW/qnUQG
+bnRv0g/oSkkimADazkwojNcVdgkrF91zkUtzIya+NOiGO7cAEQEAAYkCNgQYAQgA
+IBYhBP/WWg2ivr3rc9RMi7TS0hbx/XgGBQJgeGxJAhsMAAoJELTS0hbx/XgGEyQQ
+ALAHIiRoFkhypGpFt3+bt3ZLQf6OD+H0ZiOcy43DlBAUz7PbNlW4bDvINkgTaGRa
++cIMwdW5lWO9fsChsEoDVnjl9rcNcTJcN5Fc/L+XnW6k9RzW1nK+mj3NiGfR7OI1
+V6eNM346+EpA2ZnqVTfr14+Vu49TV7vSsfnZg6brl+t1qNzJLHcsnVxxACw95OOK
+joGu56ozuxEWjsGwnvvkH7dR/HLGtk+XP0NWSBOoEpHj7bF+6h81MpcMcj4BYoaZ
+AJfQyfx8rP2JQC/HNrY0bAW0ahN2x+fE9Vd6iPkrPGSGibWRv6Db/KLk1R8/8W4B
+YKti313EXV8g0gc0TdwqbhLWOinCjtLW+anXsqxmVFNG1cS1CvsFi2WDRtjHP3eY
+aEdnXHcnPL4gKPTeXlHf3HGDCeboGOWFeim2bHwOzbzg9Kp+lGYyi/qJW496n+Yp
+wBWDVHgVlS51Y8hS7xB4FY71S4OY4W9S8XX0KUQihqoh3E44eow+Z8OE1g0CosPz
+2cRioAiEeVPNra0IgD2iD7LKuEVd6zJ7RbxzWCWko+sOgCm0lqz87R5IQibEFbRV
+ATvmI/B3DPYHjk7toPT5+jgcgY0QPq9JYSORbgXvoWG0f83TFIfFV6yGgmaG1DMX
+YPNx6EOVTWjMMoXNbskDkw3HdcVdVz41ZnW/1lJZejvW
+=uIZN
+-----END PGP PUBLIC KEY BLOCK-----

type/__jitsi_meet/files/debconf_settings.sh

@@ -0,0 +1,56 @@
+#!/bin/sh -e
+
+# This can be obtained with debconf-get-selections on a host with jitsi
+# (and also analysing the deb-src)
+if false; then
+	# We are currently not using these, just here as documentation
+	DEBCONF_SETTINGS="$(cat <<EOF
+# The secret used to connect to xmpp server as component
+jitsi-meet-prosody	jitsi-videobridge/jvbsecret	password	STH
+jitsi-videobridge	jitsi-videobridge/jvbsecret	password	STH
+jitsi-videobridge2	jitsi-videobridge/jvbsecret	password	STH
+# Jicofo Component secret:
+jicofo	jicofo/jicofosecret	password	STH
+jitsi-meet-prosody	jicofo/jicofosecret	password	STH
+# Jicofo username:
+jicofo jicofo/jicofo-authuser	string	focus
+jitsi-meet-prosody	jicofo/jicofo-authuser	string	focus
+# The hostname of the current installation:
+jitsi-meet-turnserver	jitsi-meet-turnserver/jvb-hostname	string	${JITSI_HOST}
+# Full local server path to the SSL certificate file:
+jitsi-meet-web-config	jitsi-meet/cert-path-crt	string
+# Full local server path to the SSL key file:
+jitsi-meet-web-config	jitsi-meet/cert-path-key	string
+EOF
+)"
+fi
+
+DEBCONF_SETTINGS="$(cat <<EOF
+# The hostname of the current installation:
+jitsi-meet-web-config	jitsi-meet/jvb-hostname	string	${JITSI_HOST}
+# Hostname:
+jicofo	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
+jitsi-meet-prosody	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
+jitsi-meet-turnserver	jitsi-videobridge/jvb-hostname	string	${TURN_SERVER}
+jitsi-meet-web-config	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
+jitsi-videobridge	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
+jitsi-videobridge2	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
+# The hostname of the current installation:
+jitsi-meet-prosody	jitsi-meet-prosody/jvb-hostname string	${JITSI_HOST}
+# Jicofo user password:
+jicofo	jicofo/jicofo-authpassword	password	${JICOFO_AUTHPASSWORD}
+jitsi-meet-prosody	jicofo/jicofo-authpassword	password	${JICOFO_AUTHPASSWORD}
+# SSL certificate for the Jitsi Meet instance
+# Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
+jitsi-meet-web-config	jitsi-meet/cert-choice	select	Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)
+EOF
+)"
+
+if [ -n "${TURN_SECRET}" ]; then
+	DEBCONF_SETTINGS="$(cat <<EOF
+${DEBCONF_SETTINGS}
+# The turn server secret
+jitsi-meet-prosody	jitsi-meet-prosody/turn-secret	string	${TURN_SECRET}
+EOF
+)"
+fi

type/__jitsi_meet/files/jicofo.conf.sh

@@ -0,0 +1,38 @@
+#!/bin/sh -eu
+
+# Start
+cat <<EOF
+# Managed remotely, changes will be lost
+
+# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
+#available options, syntax, and default values.
+jicofo {
+  xmpp: {
+    client: {
+      client-proxy: focus.${JITSI_HOST:?}
+      xmpp-domain: "${JITSI_HOST:?}"
+      domain: "auth.${JITSI_HOST:?}"
+      username: "focus"
+      password: "${JICOFO_AUTHPASSWORD:?}"
+    }
+    trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
+  }
+  bridge: {
+    brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
+  }
+EOF
+
+# Secured domains if needed
+if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
+cat <<EOF
+
+  authentication: {
+    enabled: true
+    type: XMPP
+    login-url: ${JITSI_HOST:?}
+  }
+EOF
+fi
+
+# End
+echo '}'

type/__jitsi_meet/files/jitsi-version

@@ -0,0 +1 @@
+../../__jitsi_meet_domain/files/jitsi-version

type/__jitsi_meet/files/prosody.cfg.lua.sh

@@ -0,0 +1 @@
+../../__jitsi_meet_domain/files/prosody.cfg.lua.sh

type/__jitsi_meet/files/ufw

@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+# Setup firewall
+__ufw
+# Allow jitsi ports
+require="__ufw" __ufw_rule http --rule 'allow 80/tcp'
+require="__ufw" __ufw_rule https --rule 'allow 443/tcp'
+require="__ufw" __ufw_rule jitsi_prom --rule 'allow 9888/tcp'
+require="__ufw" __ufw_rule avfallback --rule 'allow 4443/tcp'
+require="__ufw" __ufw_rule avdefault --rule 'allow 10000/udp'

type/__jitsi_meet/gencode-remote

@@ -0,0 +1,44 @@
+#!/bin/sh -e
+
+memory="$(cat "${__global}/explorer/memory")"
+G="000000"  # Will totally eff up the zero-count otherwise
+# MAX_MEMORY will affect jicofo and videobridge
+#  As a rule of thumb, the machine's RAM should be more than 2.5 * MAX_MEMORY
+if [ "${memory}" -lt "3${G}" ]; then
+	# If you use this, let us know how it works!
+	MAX_MEMORY="768m"
+elif [ "${memory}" -lt "5${G}" ]; then
+	MAX_MEMORY="1024m"
+elif [ "${memory}" -lt "8${G}" ]; then
+	MAX_MEMORY="2048m"
+else
+	# Jitsi recommends running on 8G RAM and these are the defaults
+	MAX_MEMORY="3072m"
+fi
+
+if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}$"; then
+	# At least one service has different memory settings
+	RESTART_SERVICES="YES"
+	cat <<-EOF
+	sed -i.tmp -E \
+		-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
+		/usr/share/jitsi-videobridge/lib/videobridge.rc
+	sed -i.tmp -E \
+		-e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \
+		/usr/share/jicofo/jicofo.sh
+	EOF
+fi
+
+if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
+	echo "service nginx reload"
+fi
+
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then
+	RESTART_SERVICES="YES"
+fi
+
+if [ -n "${RESTART_SERVICES}" ]; then
+  echo "systemctl restart prosody"
+  echo "systemctl restart jicofo"
+  echo "systemctl restart jitsi-videobridge2"
+fi

type/__jitsi_meet/man.rst

@@ -0,0 +1,111 @@
+cdist-type__jitsi_meet(7)
+=========================
+
+
+NAME
+----
+cdist-type__jitsi_meet - Setup the server-side of Jitsi-Meet.
+
+
+DESCRIPTION
+-----------
+This (singleton) type installs and configures jitsi-meet automatically.
+
+It does so by following loosely the official quick-install instructions and
+eXO's notes for installing and managing Jitsi Meet instances.
+
+This type also sets up nginx in a way that is compatible with
+`__letsencrypt_cert` and assumes that it will only serve Jitsi instances.
+
+You will also need the `__jitsi_meet_domain` type in order to finish setting up
+the web frontend (including TLS certificates) and its settings.
+
+You may want to use the `files/ufw` example manifest for a `__ufw`-based
+firewall compatible with this type that allows all ports needed by Jitsi-Meet.
+Note however that this will not deal with rules for SSH or for TCP port 9888,
+which exposes the prometheus exporter if not disabled.
+Remember to apply your own rules here, particularly regarding SSH.
+
+This type only works on De{bi,vu}an systems.
+
+It is very important for this type to stay up to date with the software, as
+otherwise new deployments or maintenance of existing instances might be
+negatively affected.
+If you can, please contribute updates to `__jitsi_meet` and
+`__jitsi_meet_domain` promptly and regularly.
+Alternatively, you can help finance that work; get in touch with the type
+authors for that (see below).
+
+This type takes care of adapting the maximum memory used by jicofo and
+videobridge in function of the hosts installed memory.
+
+NOTE: This type currently does not deal with setting up coturn.
+      For that, you might want to check `__coturn` in
+      https://code.ungleich.ch/ungleich-public/cdist-contrib
+      In that case, this type should run *after* `__coturn`.
+
+
+OPTIONAL PARAMETERS
+-------------------
+abort-conference-count
+    Only has an effect if the prometheus exporter is enabled and if it is not
+    empty (default).
+    If at least this many conferences are active on the server, the type will
+    bail out before making any changes.
+    This is useful if you want to avoid service disruptions due to e.g. an SLA.
+
+
+turn-secret
+    The shared secret for the TURN server.
+
+turn-server
+    The hostname of the TURN server.
+    This will assume that it is listening with TLS on port 443.
+
+
+BOOLEAN PARAMETERS
+------------------
+disable-prometheus-exporter
+    This type enables a prometheus exporter for jitsi by default, if you would
+    rather not have that, pass this parameter.
+    The explorer is based on:
+    https://github.com/systemli/prometheus-jitsi-meet-exporter
+
+secured-domains
+    If this flag is present, all domains that use this Jitsi instance will
+    require that an authenticated user starts a meeting.
+    For information on how this is achieved, see
+    https://jitsi.github.io/handbook/docs/devops-guide/secure-domain .
+    You will need to create the users with `__jitsi_meet_user(7)`.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup the firewall for Jitsi-Meet
+    . "${__global}/type/__jitsi_meet/files/ufw"
+    export require="__ufw"
+    # Setup firewall SSH rules as necessary
+    __ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
+    # Setup Jitsi on this host
+    __jitsi_meet \
+      --turn-server "turn.exo.cat" \
+      --turn-secret "WeNeedGoodSecurity"
+
+
+SEE ALSO
+--------
+- `__jitsi_meet_domain(7)`
+- `__jitsi_meet_user(7)`
+
+
+AUTHORS
+-------
+Evilham <contact@evilham.com>
+
+
+COPYING
+-------
+Copyright \(C) 2022 Evilham.

type/__jitsi_meet/manifest

@@ -0,0 +1,331 @@
+#!/bin/sh -e
+
+os="$(cat "${__global}/explorer/os")"
+case "${os}" in
+	devuan|debian)
+	;;
+	*)
+		echo "Your OS '${os}' is currently not supported." > /dev/stderr
+		exit 1
+	;;
+esac
+
+current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
+
+JICOFO_AUTHPASSWORD="$(cat "${__object}/explorer/jicofo-authpassword")"
+if [ -z "${JICOFO_AUTHPASSWORD}" ]; then
+	# This is probably a first time installation, we'll generate the
+	# password which will be set in debconf by this type
+	# https://github.com/jitsi/jicofo/blob/aafb61b5363a1c4abdbf08e1444a6276b807993e/debian/postinst#L43
+	JICOFO_AUTHPASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)"
+fi
+
+ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
+
+if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
+	[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
+	cat <<-EOF
+Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
+There are currently ${current_conferences} active conferences.
+
+Try again at a later time or remove or increase --abort-conference-count
+	EOF
+	exit 1
+fi
+
+JITSI_HOST="${__target_host}"
+if [ -f "${__object}/parameter/jitsi-version" ]; then
+	# This has been deprecated and will be removed 'soon'
+	JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
+else
+	# Note this won't be a parameter anymore, we won't let users stay behind
+	JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
+fi
+TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
+TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
+
+if [ -z "${TURN_SERVER}" ]; then
+	TURN_SERVER="${JITSI_HOST}"
+fi
+
+# The rest is loosely based on Jitsi's documentation
+# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
+
+# Setup repositories
+## First the signing keys
+### Remove old signing key
+__apt_key "jitsi_meet_2016" \
+	--keyid "66A9 CD05 95D6 AFA2 4729  0D3B EF8B 479E 2DC1 389C" \
+	--use-deprecated-apt-key \
+	--state "absent"
+### Add new signing key
+require="__apt_key/jitsi_meet_2016" __apt_key jitsi_meet_2021 \
+	--source "${__type}/files/apt_2021.gpg" \
+	--state "present"
+## Now the repositories (they are a tad weird, so distribution is 'stable/')
+require="__apt_key/jitsi_meet_2021" __apt_source jitsi_meet \
+	--uri 'https://download.jitsi.org' \
+	--distribution 'stable/' \
+	--state present
+## Ensure apt cache is up-to-date
+require="__apt_source/jitsi_meet" __apt_update_index
+
+export require="${require} __apt_source/jitsi_meet __apt_update_index"
+
+# Pre-feed debconf settings, so Jitsi's installation has a good config
+# shellcheck source=type/__jitsi_meet/files/debconf_settings.sh
+. "${__type}/files/debconf_settings.sh"  # This defines DEBCONF_SETTINGS
+__debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
+export require="${require} __debconf_set_selections/jitsi_meet"
+
+# Install and upgrade packages as needed
+#   NOTE: we are doing version pinning again, but it breaks sometimes when
+#         the version is not the latest.
+#         This happens because dependencies might not be properly resolved.
+#         To avoid this, this type must be maintained up to date.
+#         If we don't use this, keeping Jitsi's up to date is very difficult.
+__package_apt jitsi-meet --version "${JITSI_VERSION}"
+
+# Proceed only after installation/upgrade has finished
+export require="__package_apt/jitsi-meet"
+
+# TODO: generalise and move out
+# Prep nginx for acme settings
+
+NGINX_ETC="/etc/nginx"
+
+#
+# Setup the acme-challenge snippet
+#
+__directory "${NGINX_ETC}/snippets" --state present
+require="__directory${NGINX_ETC}/snippets" __file "${NGINX_ETC}/snippets/acme-challenge.conf" \
+  --mode 644 \
+  --source - << EOF
+# This file is managed remotely, all changes will be lost
+
+# This was heavily inspired by debops.org.
+
+# Automatic Certificate Management Environment (ACME) support.
+# https://tools.ietf.org/html/draft-ietf-acme-acme-01
+# https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
+
+
+# Return the ACME challenge present in the server public root.
+# If not found, switch to global web server root.
+location ^~ /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        try_files \$uri @well-known-acme-challenge;
+}
+
+# Return the ACME challenge present in the global server public root.
+# If not present, redirect request to a specified domain.
+location @well-known-acme-challenge {
+        root /usr/share/jitsi-meet;
+        default_type "text/plain";
+        try_files \$uri @redirect-acme-challenge;
+}
+
+# Redirect the ACME challenge to a different host. If a redirect loop is
+# detected, return 404.
+location @redirect-acme-challenge {
+        if (\$arg_redirect) {
+                return 404;
+        }
+        return 307 \$scheme://${ACME_DOMAIN}\$request_uri?redirect=yes;
+}
+
+# Return 404 if ACME challenge well known path is accessed directly.
+location = /.well-known/acme-challenge/ {
+    return 404;
+}
+EOF
+
+__directory "${NGINX_ETC}/sites-available" --state present
+require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-available/default" \
+  --mode 644 \
+  --source - << EOF
+# This file is managed remotely, all changes will be lost
+
+server_names_hash_bucket_size 64;
+
+types {
+# nginx's default mime.types doesn't include a mapping for wasm or wav.
+    application/wasm     wasm;
+    audio/wav            wav;
+}
+
+server {
+
+        # Listen on IPv4
+        listen 80;
+        # Note: there is an ipv6only=off flag, but it is Linux-only
+        #       incidentally, that defaults to "on", which is what causes
+        #       not having the double listen to listen on IPv6-only
+        listen [::]:80;
+
+        server_name welcome;
+
+        root /srv/www/sites/welcome/public;
+
+        include snippets/acme-challenge.conf;
+
+        location / {
+                return 301 https://\$host\$request_uri;
+        }
+}
+EOF
+
+# Starting from 2.0.7210, jitsi defines following nginx upstreams
+__directory "${NGINX_ETC}/conf.d" --state present
+require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \
+  --mode 644 \
+  --source - << EOF
+upstream prosody {
+    zone upstreams 64K;
+    server 127.0.0.1:5280;
+    keepalive 2;
+}
+EOF
+require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \
+  --mode 644 \
+  --source - << EOF
+upstream jvb1 {
+    zone upstreams 64K;
+    server 127.0.0.1:9090;
+    keepalive 2;
+}
+EOF
+require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jicofo.conf" \
+  --mode 644 \
+  --source - << EOF
+upstream jicofo {
+    zone upstreams 64K;
+    server 127.0.0.1:8888;
+    keepalive 2;
+}
+EOF
+
+if [ -f "${__object}/parameter/secured-domains" ]; then
+  SECURED_DOMAINS_STATE='present'
+else
+  SECURED_DOMAINS_STATE='absent'
+fi
+
+# This is the main host config
+PROSODY_MAIN_CONFIG="YES"
+# Prosody settings for common components (jvb, focus, ...)
+# shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
+. "${__type}/files/prosody.cfg.lua.sh"  # This defines PROSODY_CONFIG
+__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
+	--group prosody \
+	--mode 0440 \
+	--source - <<EOF
+${PROSODY_CONFIG}
+EOF
+
+# Clean up zauth.cfg.lua file, which we don't use now
+__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
+  --state absent
+
+export SECURED_DOMAINS_STATE
+export JITSI_HOST
+export JICOFO_AUTHPASSWORD
+"${__type}/files/jicofo.conf.sh" | \
+	__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
+
+# Enable the private colibri REST API end point for better stats
+__file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' <<EOFJVB
+videobridge {
+    http-servers {
+        public {
+            port = 9090
+        }
+        private {
+            port = 8080
+        }
+    }
+    websockets {
+        enabled = true
+        domain = "${JITSI_HOST}:443"
+        tls = true
+    }
+    apis {
+        rest {
+            enabled = true
+        }
+    }
+    cc {
+        trust-bwe = false
+    }
+}
+EOFJVB
+
+# Enable simple per-domain body customisation
+__file "/usr/share/jitsi-meet/body.html" \
+	--mode 0644 \
+	--source '-' <<EOF
+<!--#include virtual="body-\${host}.html" -->
+EOF
+
+# These two should be changed on new release
+EXPORTER_VERSION="1.2.1"
+EXPORTER_CHECKSUM="sha256:46d4b8475b72fd7632a5203f1cc3c7067bed4629902b7780a1da85e4e06c2129"
+EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
+if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
+	EXPORTER_STATE="absent"
+else
+	EXPORTER_STATE="present"
+fi
+__single_binary_service prometheus-jitsi-meet-exporter \
+	--state "${EXPORTER_STATE}" \
+	--do-not-manage-user \
+	--user "nobody" \
+	--group "nogroup" \
+	--version "${EXPORTER_VERSION}" \
+	--checksum "${EXPORTER_CHECKSUM}" \
+	--url "${EXPORTER_URL}" \
+	--unpack \
+	--service-args "-videobridge-url 'http://localhost:8080/colibri/stats' -web.listen-address ':9888'"
+
+#
+# Setup interpreter assets if requested
+# See: https://gitlab.com/mfmt/jsi/
+#
+jsi_updated_on="2022-04-21"
+__link "/usr/share/jitsi-meet/interpreters.html" \
+	--type symbolic \
+	--source "/opt/jsi/static/index.html.sample"
+__directory /opt/jsi --mode 0755
+export require="__directory/opt/jsi"
+__download /opt/jsi/jsi.tar.gz \
+	--url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \
+	--sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53"
+export require="__download/opt/jsi/jsi.tar.gz"
+__unpack /opt/jsi/jsi.tar.gz \
+	--preserve-archive \
+	--tar-strip 1 \
+	--destination /opt/jsi/static \
+	--onchange "$(cat <<EOF
+# Patch style.css to be served on /i/
+sed -i.tmp -E \
+	-e 's!url[(]/img/welcome-background.png[)]!url(/i/img/welcome-background.png)!' \
+	/opt/jsi/static/style.css
+# Patch jsi.js to be served on /i/
+#   and so it always uses the domain it's served from
+#   and so it uses /i/ROOM for the form
+sed -i.tmp -E \
+	-e 's!substr[(][0-9]+[)]!substr(3)!' \
+	-e 's!config[.]jitsimeet_url!url.host!' \
+	-e 's!(window[.]location[.]href)[[:space:]]*=[[:space:]]*"/"!\1 = "/i/"!' \
+	/opt/jsi/static/jsi.js
+# Patch the sample index.html, so it loads external_api.js from same host
+#   and to easen up on the branding
+#   and to enable browser cache
+sed -i.tmp -E \
+	-e "s!src=[^>]*(/external_api.js).!src='\1'!" \
+	-e "s!<h1>[^<]*</h1>!<h1>Jitsi Meetings with interpreter</h1>!" \
+	-e "s!https://meet.mayfirst.org!/!" \
+	-e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \
+	/opt/jsi/static/index.html.sample
+EOF
+)"

type/__jitsi_meet/parameter/boolean

@@ -0,0 +1,2 @@
+disable-prometheus-exporter
+secured-domains

type/__jitsi_meet/parameter/deprecated/jitsi-version

@@ -0,0 +1,4 @@
+Supporting different versions lead to strange issues in the life-time of a
+Jitsi instance. Chiefly: difficulties upgrading.
+
+If you are specifying this for a valid reason, please get in touch.

type/__jitsi_meet/parameter/optional

@@ -0,0 +1,4 @@
+abort-conference-count
+jitsi-version
+turn-secret
+turn-server

type/__jitsi_meet_domain/boolean

@@ -0,0 +1 @@
+secured-domains

type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh

@@ -0,0 +1,35 @@
+#!/bin/sh -eu
+
+# This is a helper to update the '.sh.orig' files for jitsi's
+# configuration files.
+# Then the changes must be propagated to their corresponding .sh
+# files by the type maintainer or a contributor
+
+# We could automate this, but are using it as an indicator for the
+# latest branch with which we conciliated changes.
+BRANCH="jitsi-meet_10655"
+REPO="https://github.com/jitsi/jitsi-meet"
+
+get_url() {
+	file="${1}"
+	printf "%s/raw/stable/%s/%s" "${REPO}" "${BRANCH}" "${file}"
+
+}
+
+download_file() {
+	file="${1}"
+	destination="${2:-${file}.sh.orig}"
+	url="$(get_url "${file}")"
+	echo "Downloading ${destination}"
+	curl -L "${url}" > "${destination}"
+	echo
+}
+
+download_file config.js
+download_file interface_config.js
+download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
+download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
+
+# Change the version file, maintainers should check that it matches
+# the deb version
+printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version

type/__jitsi_meet_domain/files/interface_config.js.sh

@@ -0,0 +1,264 @@
+#!/bin/sh -e
+
+# default jitsi logo in svg
+BRANDING_WATERMARK_PATH='images/watermark.svg'
+# overrides default jitsi logo with the provided custom png logo
+if [ -n "${BRANDING_WATERMARK}" ]; then
+  BRANDING_WATERMARK_PATH='images/watermark.png'
+fi
+
+# shellcheck disable=SC2034  # This is intended to be included
+JITSI_INTERFACE_CONFIG_JS="$(cat <<EOF
+/* eslint-disable no-unused-vars, no-var, max-len */
+/* eslint sort-keys: ["error", "asc", {"caseSensitive": false}] */
+
+/**
+ * !!!IMPORTANT!!!
+ *
+ * This file is considered deprecated. All options will eventually be moved to
+ * config.js, and no new options should be added here.
+ */
+
+var interfaceConfig = {
+    APP_NAME: '${BRANDING_APP_NAME}',
+    AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
+    AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
+
+    /**
+     * A UX mode where the last screen share participant is automatically
+     * pinned. Valid values are the string "remote-only" so remote participants
+     * get pinned but not local, otherwise any truthy value for all participants,
+     * and any falsy value to disable the feature.
+     *
+     * Note: this mode is experimental and subject to breakage.
+     */
+    AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only',
+    BRAND_WATERMARK_LINK: '',
+
+    CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
+
+    DEFAULT_BACKGROUND: '#040404',
+    DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
+
+    DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
+
+    /**
+     * If true, notifications regarding joining/leaving are no longer displayed.
+     */
+    DISABLE_JOIN_LEAVE_NOTIFICATIONS: false,
+
+    /**
+     * If true, presence status: busy, calling, connected etc. is not displayed.
+     */
+    DISABLE_PRESENCE_STATUS: false,
+
+    /**
+     * Whether the speech to text transcription subtitles panel is disabled.
+     * If {@code undefined}, defaults to {@code false}.
+     *
+     * @type {boolean}
+     */
+    DISABLE_TRANSCRIPTION_SUBTITLES: false,
+
+    /**
+     * Whether or not the blurred video background for large video should be
+     * displayed on browsers that can support it.
+     */
+    DISABLE_VIDEO_BACKGROUND: false,
+
+    DISPLAY_WELCOME_FOOTER: true,
+    DISPLAY_WELCOME_PAGE_ADDITIONAL_CARD: false,
+    DISPLAY_WELCOME_PAGE_CONTENT: false,
+    DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false,
+
+    ENABLE_DIAL_OUT: true,
+
+    FILM_STRIP_MAX_HEIGHT: 120,
+
+    GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
+
+    /**
+     * Hide the invite prompt in the header when alone in the meeting.
+     */
+    HIDE_INVITE_MORE_HEADER: false,
+
+    JITSI_WATERMARK_LINK: 'https://jitsi.org',
+
+    LANG_DETECTION: true, // Allow i18n to detect the system language
+    LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
+
+    /**
+     * Maximum coefficient of the ratio of the large video to the visible area
+     * after the large video is scaled to fit the window.
+     *
+     * @type {number}
+     */
+    MAXIMUM_ZOOMING_COEFFICIENT: 1.3,
+
+    /**
+     * Whether the mobile app Jitsi Meet is to be promoted to participants
+     * attempting to join a conference in a mobile Web browser. If
+     * {@code undefined}, defaults to {@code true}.
+     *
+     * @type {boolean}
+     */
+    MOBILE_APP_PROMO: true,
+
+    // Names of browsers which should show a warning stating the current browser
+    // has a suboptimal experience. Browsers which are not listed as optimal or
+    // unsupported are considered suboptimal. Valid values are:
+    // chrome, chromium, electron, firefox , safari, webkit
+    OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ],
+
+    POLICY_LOGO: null,
+    PROVIDER_NAME: 'Jitsi',
+
+    /**
+     * If true, will display recent list
+     *
+     * @type {boolean}
+     */
+    RECENT_LIST_ENABLED: true,
+    REMOTE_THUMBNAIL_RATIO: 1, // 1:1
+
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
+
+    /**
+     * Specify which sharing features should be displayed. If the value is not set
+     * all sharing features will be shown. You can set [] to disable all.
+     */
+    // SHARING_FEATURES: ['email', 'url', 'dial-in', 'embed'],
+
+    SHOW_BRAND_WATERMARK: false,
+
+    /**
+     * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
+     * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
+     * being already installed is done before rendering.
+     */
+    SHOW_CHROME_EXTENSION_BANNER: false,
+
+    SHOW_JITSI_WATERMARK: true,
+    SHOW_POWERED_BY: false,
+    SHOW_PROMOTIONAL_CLOSE_PAGE: false,
+
+    /*
+     * If indicated some of the error dialogs may point to the support URL for
+     * help.
+     */
+    SUPPORT_URL: 'https://community.jitsi.org/',
+
+    // Browsers, in addition to those which do not fully support WebRTC, that
+    // are not supported and should show the unsupported browser page.
+    UNSUPPORTED_BROWSERS: [],
+
+    /**
+     * Whether to show thumbnails in filmstrip as a column instead of as a row.
+     */
+    VERTICAL_FILMSTRIP: true,
+
+    // Determines how the video would fit the screen. 'both' would fit the whole
+    // screen, 'height' would fit the original video height to the height of the
+    // screen, 'width' would fit the original video width to the width of the
+    // screen respecting ratio, 'nocrop' would make the video as large as
+    // possible and preserve aspect ratio without cropping.
+    VIDEO_LAYOUT_FIT: 'both',
+
+    /**
+     * If true, hides the video quality label indicating the resolution status
+     * of the current large video.
+     *
+     * @type {boolean}
+     */
+    VIDEO_QUALITY_LABEL_DISABLED: false,
+
+    /**
+     * How many columns the tile view can expand to. The respected range is
+     * between 1 and 5.
+     */
+    // TILE_VIEW_MAX_COLUMNS: 5,
+
+    // List of undocumented settings
+    /**
+     INDICATOR_FONT_SIZES
+     PHONE_NUMBER_REGEX
+    */
+
+    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+
+    /**
+     * Specify URL for downloading ios mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
+
+    /**
+     * Specify custom URL for downloading android mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
+
+    /**
+     * Specify mobile app scheme for opening the app from the mobile browser.
+     */
+    // APP_SCHEME: 'org.jitsi.meet',
+
+    // NATIVE_APP_NAME: 'Jitsi Meet',
+
+    /**
+     * Hide the logo on the deep linking pages.
+     */
+    // HIDE_DEEP_LINKING_LOGO: false,
+
+    /**
+     * Specify the Android app package name.
+     */
+    // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
+
+    /**
+     * Specify custom URL for downloading f droid app.
+     */
+    // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/packages/org.jitsi.meet/',
+
+    // Connection indicators (
+    // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
+    // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
+    // CONNECTION_INDICATOR_DISABLED) got moved to config.js.
+
+    // Please use disableModeratorIndicator from config.js
+    // DISABLE_FOCUS_INDICATOR: false,
+
+    // Please use defaultLocalDisplayName from config.js
+    // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
+
+    // Please use defaultLogoUrl from config.js
+    DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
+
+    // Please use defaultRemoteDisplayName from config.js
+    // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
+
+    // Moved to config.js as \`toolbarConfig.initialTimeout\`.
+    // INITIAL_TOOLBAR_TIMEOUT: 20000,
+
+    // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
+    // Documentation reference for the live streaming feature.
+    // LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
+
+    // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
+    // TOOLBAR_ALWAYS_VISIBLE: false,
+
+    // This config was moved to config.js as \`toolbarButtons\`.
+    // TOOLBAR_BUTTONS: [],
+
+    // Moved to config.js as \`toolbarConfig.timeout\`.
+    // TOOLBAR_TIMEOUT: 4000,
+
+    // Allow all above example options to include a trailing comma and
+    // prevent fear when commenting out the last value.
+    // eslint-disable-next-line sort-keys
+    makeJsonParserHappy: 'even if last key had a trailing comma'
+
+    // No configuration value should follow this line.
+};
+
+/* eslint-enable no-unused-vars, no-var, max-len */
+EOF
+)"

type/__jitsi_meet_domain/files/interface_config.js.sh.orig

@@ -0,0 +1,251 @@
+/* eslint-disable no-unused-vars, no-var, max-len */
+/* eslint sort-keys: ["error", "asc", {"caseSensitive": false}] */
+
+/**
+ * !!!IMPORTANT!!!
+ *
+ * This file is considered deprecated. All options will eventually be moved to
+ * config.js, and no new options should be added here.
+ */
+
+var interfaceConfig = {
+    APP_NAME: 'Jitsi Meet',
+    AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
+    AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
+
+    /**
+     * A UX mode where the last screen share participant is automatically
+     * pinned. Valid values are the string "remote-only" so remote participants
+     * get pinned but not local, otherwise any truthy value for all participants,
+     * and any falsy value to disable the feature.
+     *
+     * Note: this mode is experimental and subject to breakage.
+     */
+    AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only',
+    BRAND_WATERMARK_LINK: '',
+
+    CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
+
+    DEFAULT_BACKGROUND: '#040404',
+    DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
+
+    DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
+
+    /**
+     * If true, notifications regarding joining/leaving are no longer displayed.
+     */
+    DISABLE_JOIN_LEAVE_NOTIFICATIONS: false,
+
+    /**
+     * If true, presence status: busy, calling, connected etc. is not displayed.
+     */
+    DISABLE_PRESENCE_STATUS: false,
+
+    /**
+     * Whether the speech to text transcription subtitles panel is disabled.
+     * If {@code undefined}, defaults to {@code false}.
+     *
+     * @type {boolean}
+     */
+    DISABLE_TRANSCRIPTION_SUBTITLES: false,
+
+    /**
+     * Whether or not the blurred video background for large video should be
+     * displayed on browsers that can support it.
+     */
+    DISABLE_VIDEO_BACKGROUND: false,
+
+    DISPLAY_WELCOME_FOOTER: true,
+    DISPLAY_WELCOME_PAGE_ADDITIONAL_CARD: false,
+    DISPLAY_WELCOME_PAGE_CONTENT: false,
+    DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false,
+
+    ENABLE_DIAL_OUT: true,
+
+    FILM_STRIP_MAX_HEIGHT: 120,
+
+    GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
+
+    /**
+     * Hide the invite prompt in the header when alone in the meeting.
+     */
+    HIDE_INVITE_MORE_HEADER: false,
+
+    JITSI_WATERMARK_LINK: 'https://jitsi.org',
+
+    LANG_DETECTION: true, // Allow i18n to detect the system language
+    LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
+
+    /**
+     * Maximum coefficient of the ratio of the large video to the visible area
+     * after the large video is scaled to fit the window.
+     *
+     * @type {number}
+     */
+    MAXIMUM_ZOOMING_COEFFICIENT: 1.3,
+
+    /**
+     * Whether the mobile app Jitsi Meet is to be promoted to participants
+     * attempting to join a conference in a mobile Web browser. If
+     * {@code undefined}, defaults to {@code true}.
+     *
+     * @type {boolean}
+     */
+    MOBILE_APP_PROMO: true,
+
+    // Names of browsers which should show a warning stating the current browser
+    // has a suboptimal experience. Browsers which are not listed as optimal or
+    // unsupported are considered suboptimal. Valid values are:
+    // chrome, chromium, electron, firefox , safari, webkit
+    OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ],
+
+    POLICY_LOGO: null,
+    PROVIDER_NAME: 'Jitsi',
+
+    /**
+     * If true, will display recent list
+     *
+     * @type {boolean}
+     */
+    RECENT_LIST_ENABLED: true,
+    REMOTE_THUMBNAIL_RATIO: 1, // 1:1
+
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
+
+    /**
+     * Specify which sharing features should be displayed. If the value is not set
+     * all sharing features will be shown. You can set [] to disable all.
+     */
+    // SHARING_FEATURES: ['email', 'url', 'dial-in', 'embed'],
+
+    SHOW_BRAND_WATERMARK: false,
+
+    /**
+     * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
+     * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
+     * being already installed is done before rendering.
+     */
+    SHOW_CHROME_EXTENSION_BANNER: false,
+
+    SHOW_JITSI_WATERMARK: true,
+    SHOW_POWERED_BY: false,
+    SHOW_PROMOTIONAL_CLOSE_PAGE: false,
+
+    /*
+     * If indicated some of the error dialogs may point to the support URL for
+     * help.
+     */
+    SUPPORT_URL: 'https://community.jitsi.org/',
+
+    // Browsers, in addition to those which do not fully support WebRTC, that
+    // are not supported and should show the unsupported browser page.
+    UNSUPPORTED_BROWSERS: [],
+
+    /**
+     * Whether to show thumbnails in filmstrip as a column instead of as a row.
+     */
+    VERTICAL_FILMSTRIP: true,
+
+    // Determines how the video would fit the screen. 'both' would fit the whole
+    // screen, 'height' would fit the original video height to the height of the
+    // screen, 'width' would fit the original video width to the width of the
+    // screen respecting ratio, 'nocrop' would make the video as large as
+    // possible and preserve aspect ratio without cropping.
+    VIDEO_LAYOUT_FIT: 'both',
+
+    /**
+     * If true, hides the video quality label indicating the resolution status
+     * of the current large video.
+     *
+     * @type {boolean}
+     */
+    VIDEO_QUALITY_LABEL_DISABLED: false,
+
+    /**
+     * How many columns the tile view can expand to. The respected range is
+     * between 1 and 5.
+     */
+    // TILE_VIEW_MAX_COLUMNS: 5,
+
+    // List of undocumented settings
+    /**
+     INDICATOR_FONT_SIZES
+     PHONE_NUMBER_REGEX
+    */
+
+    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+
+    /**
+     * Specify URL for downloading ios mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
+
+    /**
+     * Specify custom URL for downloading android mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
+
+    /**
+     * Specify mobile app scheme for opening the app from the mobile browser.
+     */
+    // APP_SCHEME: 'org.jitsi.meet',
+
+    // NATIVE_APP_NAME: 'Jitsi Meet',
+
+    /**
+     * Hide the logo on the deep linking pages.
+     */
+    // HIDE_DEEP_LINKING_LOGO: false,
+
+    /**
+     * Specify the Android app package name.
+     */
+    // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
+
+    /**
+     * Specify custom URL for downloading f droid app.
+     */
+    // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/packages/org.jitsi.meet/',
+
+    // Connection indicators (
+    // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
+    // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
+    // CONNECTION_INDICATOR_DISABLED) got moved to config.js.
+
+    // Please use disableModeratorIndicator from config.js
+    // DISABLE_FOCUS_INDICATOR: false,
+
+    // Please use defaultLocalDisplayName from config.js
+    // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
+
+    // Please use defaultLogoUrl from config.js
+    // DEFAULT_LOGO_URL: 'images/watermark.svg',
+
+    // Please use defaultRemoteDisplayName from config.js
+    // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
+
+    // Moved to config.js as `toolbarConfig.initialTimeout`.
+    // INITIAL_TOOLBAR_TIMEOUT: 20000,
+
+    // Please use `liveStreaming.helpLink` from config.js
+    // Documentation reference for the live streaming feature.
+    // LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
+
+    // Moved to config.js as `toolbarConfig.alwaysVisible`.
+    // TOOLBAR_ALWAYS_VISIBLE: false,
+
+    // This config was moved to config.js as `toolbarButtons`.
+    // TOOLBAR_BUTTONS: [],
+
+    // Moved to config.js as `toolbarConfig.timeout`.
+    // TOOLBAR_TIMEOUT: 4000,
+
+    // Allow all above example options to include a trailing comma and
+    // prevent fear when commenting out the last value.
+    // eslint-disable-next-line sort-keys
+    makeJsonParserHappy: 'even if last key had a trailing comma'
+
+    // No configuration value should follow this line.
+};
+
+/* eslint-enable no-unused-vars, no-var, max-len */

type/__jitsi_meet_domain/files/jitsi-version

@@ -0,0 +1 @@
+2.0.10655-1

type/__jitsi_meet_domain/files/nginx.sh

@@ -0,0 +1,273 @@
+#!/bin/sh -e
+
+# shellcheck disable=SC2034  # This is intended to be included
+JITSI_NGINX_CONFIG="$(cat <<EOF
+# Jitsi uses following lines by default, in our cdist types they must be commented
+# out as we already set it with __jitsi_meet in the default server config.
+#server_names_hash_bucket_size 64;
+#
+#types {
+## nginx's default mime.types doesn't include a mapping for wasm or wav.
+#    application/wasm     wasm;
+#    audio/wav            wav;
+#}
+# These upstreams are managed by __jitsi_meet
+#upstream jicofo {
+#    zone upstreams 64K;
+#    server 127.0.0.1:8888;
+#    keepalive 2;
+#}
+#upstream prosody {
+#    zone upstreams 64K;
+#    server 127.0.0.1:5280;
+#    keepalive 2;
+#}
+#upstream jvb1 {
+#    zone upstreams 64K;
+#    server 127.0.0.1:9090;
+#    keepalive 2;
+#}
+#map \$arg_vnode \$prosody_node {
+#    default prosody;
+#    v1 v1;
+#    v2 v2;
+#    v3 v3;
+#    v4 v4;
+#    v5 v5;
+#    v6 v6;
+#    v7 v7;
+#    v8 v8;
+#}
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ${DOMAIN};
+
+    include snippets/acme-challenge.conf;
+
+    location / {
+        return 301 https://\$host\$request_uri;
+    }
+}
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name ${DOMAIN};
+
+    include snippets/acme-challenge.conf;
+
+    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    set \$prefix "";
+    # Try the custom page for this domain, fallback to default page
+    set \$custom_index "index-${DOMAIN}.html";
+    # We expect this domain to be properly configured, the file should exist
+    set \$config_js_location "/etc/jitsi/meet/${DOMAIN}-config.js";
+
+    ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
+
+    root /usr/share/jitsi-meet;
+
+    # ssi on with javascript for multidomain variables in config.js
+    ssi on;
+    ssi_types application/x-javascript application/javascript;
+
+    # Try the custom page for this domain, fallback to default page
+    index \$custom_index index.html index.htm;
+    error_page 404 /static/404.html;
+
+    gzip on;
+    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
+    gzip_vary on;
+    gzip_proxied no-cache no-store private expired auth;
+    gzip_min_length 512;
+
+    # include /etc/jitsi/meet/jaas/*.conf;
+
+    location = /config.js {
+        alias \$config_js_location;
+    }
+    # We expect this domain to be properly configured, the file should exist
+    location = /interface_config.js {
+        alias /etc/jitsi/meet/${DOMAIN}-interface_config.js;
+    }
+    # This may or may not exist; it will be set up in config.js if needed
+    location = /branding.json {
+        alias /etc/jitsi/meet/${DOMAIN}-branding.json;
+    }
+    # Try custom image and fallback to default
+    location = /images/watermark.png {
+        try_files /images/watermark-${DOMAIN}.png \$uri;
+    }
+
+    location = /external_api.js {
+        alias /usr/share/jitsi-meet/libs/external_api.min.js;
+    }
+
+    location = /_api/room-info {
+        proxy_pass http://prosody/room-info?prefix=\$prefix&\$args;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For \$remote_addr;
+        proxy_set_header Host \$http_host;
+    }
+
+    location ~ ^/_api/public/(.*)\$ {
+        autoindex off;
+        alias /etc/jitsi/meet/public/\$1;
+    }
+
+    # ensure all static content can always be found first
+    location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)\$
+    {
+        add_header 'Access-Control-Allow-Origin' '*';
+        alias /usr/share/jitsi-meet/\$1/\$2;
+
+        # cache all versioned files
+        if (\$arg_v) {
+            expires 1y;
+        }
+    }
+
+    # Paths for jsi / interpreters
+    location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
+    {
+        add_header 'Access-Control-Allow-Origin' '*';
+        alias /opt/jsi/static/\$1;
+
+        # cache all versioned files
+        if (\$arg_v) {
+            expires 1y;
+        }
+    }
+    location ~ ^/i/
+    {
+        try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;
+    }
+
+    # BOSH
+    location = /http-bind {
+        proxy_pass http://prosody/http-bind?prefix=\$prefix&\$args;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For \$remote_addr;
+	# Prevision for 'multi-domain' jitsi instances
+	# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
+        proxy_set_header Host ${DOMAIN};
+        proxy_set_header Connection "";
+    }
+
+    # xmpp websockets
+    location = /xmpp-websocket {
+        proxy_pass http://prosody/xmpp-websocket?prefix=\$prefix&\$args;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+	# Prevision for 'multi-domain' jitsi instances
+	# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
+        proxy_set_header Host ${DOMAIN};
+        tcp_nodelay on;
+    }
+
+    # colibri (JVB) websockets for jvb1
+    location ~ ^/colibri-ws/default-id/(.*) {
+        proxy_pass http://jvb1/colibri-ws/default-id/\$1\$is_args\$args;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+        tcp_nodelay on;
+    }
+
+    # load test minimal client, uncomment when used
+    #location ~ ^/_load-test/([^/?&:'"]+)\$ {
+    #    rewrite ^/_load-test/(.*)\$ /load-test/index.html break;
+    #}
+    #location ~ ^/_load-test/libs/(.*)\$ {
+    #    add_header 'Access-Control-Allow-Origin' '*';
+    #    alias /usr/share/jitsi-meet/load-test/libs/\$1;
+    #}
+
+    location = /_unlock {
+        add_header 'Access-Control-Allow-Origin' '*';
+        add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains';
+        add_header "Cache-Control" "no-cache, no-store";
+    }
+
+    location ~ ^/conference-request/v1([/].*)?\$ {
+        proxy_pass http://jicofo/conference-request/v1\$1;
+        add_header "Cache-Control" "no-cache, no-store";
+        add_header 'Access-Control-Allow-Origin' '*';
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Content-Type';
+    }
+    location ~ ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ {
+        rewrite ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ /conference-request/v1\$2;
+    }
+
+    location ~ ^/([^/?&:'"]+)\$ {
+        set \$roomname "\$1";
+        try_files \$uri @root_path;
+    }
+
+    location @root_path {
+        # rewrite ^/(.*)\$ /\$custom_index break;
+        rewrite ^/(.*)\$ / break;
+    }
+
+    location ~ ^/([^/?&:'"]+)/config.js\$
+    {
+        set \$subdomain "\$1.";
+        set \$subdir "\$1/";
+
+        alias \$config_js_location;
+    }
+
+    ## Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
+    #location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ {
+    #    set \$subdomain "\$1.";
+    #    set \$subdir "\$1/";
+    #    rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ /\$2;
+    #}
+
+    # BOSH for subdomains
+    location ~ ^/([^/?&:'"]+)/http-bind {
+        set \$subdomain "\$1.";
+        set \$subdir "\$1/";
+        set \$prefix "\$1";
+
+        rewrite ^/(.*)\$ /http-bind;
+    }
+
+    # websockets for subdomains
+    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
+        set \$subdomain "\$1.";
+        set \$subdir "\$1/";
+        set \$prefix "\$1";
+
+        rewrite ^/(.*)\$ /xmpp-websocket;
+    }
+
+    location ~ ^/([^/?&:'"]+)/_api/room-info {
+        set \$subdomain "\$1.";
+        set \$subdir "\$1/";
+        set \$prefix "\$1";
+
+        rewrite ^/(.*)\$ /_api/room-info;
+    }
+
+    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+    location ~ ^/([^/?&:'"]+)/(.*)\$ {
+        set \$subdomain "\$1.";
+        set \$subdir "\$1/";
+        rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
+    }
+}
+EOF
+)"

type/__jitsi_meet_domain/files/nginx.sh.orig

@@ -0,0 +1,226 @@
+server_names_hash_bucket_size 64;
+
+types {
+# nginx's default mime.types doesn't include a mapping for wasm or wav.
+    application/wasm     wasm;
+    audio/wav            wav;
+}
+upstream prosody {
+    zone upstreams 64K;
+    server 127.0.0.1:5280;
+    keepalive 2;
+}
+upstream jvb1 {
+    zone upstreams 64K;
+    server 127.0.0.1:9090;
+    keepalive 2;
+}
+map $arg_vnode $prosody_node {
+    default prosody;
+    v1 v1;
+    v2 v2;
+    v3 v3;
+    v4 v4;
+    v5 v5;
+    v6 v6;
+    v7 v7;
+    v8 v8;
+}
+server {
+    listen 80;
+    listen [::]:80;
+    server_name jitsi-meet.example.com;
+
+    location ^~ /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        root         /usr/share/jitsi-meet;
+    }
+    location = /.well-known/acme-challenge/ {
+        return 404;
+    }
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name jitsi-meet.example.com;
+
+    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    set $prefix "";
+    set $custom_index "";
+    set $config_js_location /etc/jitsi/meet/jitsi-meet.example.com-config.js;
+
+    ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
+    ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
+
+    root /usr/share/jitsi-meet;
+
+    # ssi on with javascript for multidomain variables in config.js
+    ssi on;
+    ssi_types application/x-javascript application/javascript;
+
+    index index.html index.htm;
+    error_page 404 /static/404.html;
+
+    gzip on;
+    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
+    gzip_vary on;
+    gzip_proxied no-cache no-store private expired auth;
+    gzip_min_length 512;
+
+    include /etc/jitsi/meet/jaas/*.conf;
+
+    location = /config.js {
+        alias $config_js_location;
+    }
+
+    location = /external_api.js {
+        alias /usr/share/jitsi-meet/libs/external_api.min.js;
+    }
+
+    location = /_api/room-info {
+        proxy_pass http://prosody/room-info?prefix=$prefix&$args;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $http_host;
+    }
+
+    location ~ ^/_api/public/(.*)$ {
+        autoindex off;
+        alias /etc/jitsi/meet/public/$1;
+    }
+
+    # ensure all static content can always be found first
+    location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$
+    {
+        add_header 'Access-Control-Allow-Origin' '*';
+        alias /usr/share/jitsi-meet/$1/$2;
+
+        # cache all versioned files
+        if ($arg_v) {
+            expires 1y;
+        }
+    }
+
+    # BOSH
+    location = /http-bind {
+        proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $http_host;
+        proxy_set_header Connection "";
+    }
+
+    # xmpp websockets
+    location = /xmpp-websocket {
+        proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $http_host;
+        tcp_nodelay on;
+    }
+
+    # colibri (JVB) websockets for jvb1
+    location ~ ^/colibri-ws/default-id/(.*) {
+        proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        tcp_nodelay on;
+    }
+
+    # load test minimal client, uncomment when used
+    #location ~ ^/_load-test/([^/?&:'"]+)$ {
+    #    rewrite ^/_load-test/(.*)$ /load-test/index.html break;
+    #}
+    #location ~ ^/_load-test/libs/(.*)$ {
+    #    add_header 'Access-Control-Allow-Origin' '*';
+    #    alias /usr/share/jitsi-meet/load-test/libs/$1;
+    #}
+
+    location = /_unlock {
+        add_header 'Access-Control-Allow-Origin' '*';
+        add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains';
+        add_header "Cache-Control" "no-cache, no-store";
+    }
+
+    location ~ ^/conference-request/v1(\/.*)?$ {
+        proxy_pass http://127.0.0.1:8888/conference-request/v1$1;
+        add_header "Cache-Control" "no-cache, no-store";
+        add_header 'Access-Control-Allow-Origin' '*';
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Content-Type';
+    }
+    location ~ ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ {
+        rewrite ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ /conference-request/v1$2;
+    }
+
+    location ~ ^/([^/?&:'"]+)$ {
+        set $roomname "$1";
+        try_files $uri @root_path;
+    }
+
+    location @root_path {
+        rewrite ^/(.*)$ /$custom_index break;
+    }
+
+    location ~ ^/([^/?&:'"]+)/config.js$
+    {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+
+        alias $config_js_location;
+    }
+
+    # Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
+    location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
+    }
+
+    # BOSH for subdomains
+    location ~ ^/([^/?&:'"]+)/http-bind {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+        rewrite ^/(.*)$ /http-bind;
+    }
+
+    # websockets for subdomains
+    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+        rewrite ^/(.*)$ /xmpp-websocket;
+    }
+
+    location ~ ^/([^/?&:'"]+)/_api/room-info {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+        rewrite ^/(.*)$ /_api/room-info;
+    }
+
+    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+    location ~ ^/([^/?&:'"]+)/(.*)$ {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
+    }
+}