[__bird_radv] add --default-lifetime parameter

Some systems use etckeeper and having the logs there was not a great
idea to begin with :-).

type/__bird_bgp/manifest

@@ -89,7 +89,6 @@ ipv4_import=
 if [ -f "${__object:?}"/parameter/ipv4-import ];
 then
 	ipv4_import="$(cat "${__object:?}"/parameter/ipv4-import)"
-	echo "FOO" >&2
 fi
 export ipv4_import
 

type/__bird_ospf/man.rst

@@ -24,12 +24,6 @@ import
 export
     The keyword or filter to decide what to export in the above channel.
 
-
-REQUIRED MULTIPLE PARAMETERS
-----------------------------
-interface
-    An interface to include in OSPF area 0.
-
 OPTIONAL PARAMETERS
 -------------------
 description
@@ -39,12 +33,19 @@ instance-id
     An OSPF instance ID, allowing several OSPF instances to run on the same
     links.
 
+extra-area-configuration
+    Configuration string added to the `area` section of the OSPF configuration.
+
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
 
 stubnet
     Add an optionless stubnet definition to the configuration.
 
+interface
+    An interface to include in OSPF area 0. Is required unless
+    extra-area-configuration is set.
+
 SEE ALSO
 --------
 cdist-type__bird_core(7)

type/__bird_ospf/manifest

@@ -44,6 +44,21 @@ then
 	instance_id="$(cat "${__object:?}/parameter/instance-id")"
 fi
 
+extra_area_configuration=
+if [ -f "${__object:?}/parameter/extra-area-configuration" ];
+then
+	extra_area_configuration="$(cat "${__object:?}/parameter/extra-area-configuration")"
+
+	if [ "$extra_area_configuration" = "-" ]; then
+		extra_area_configuration=$(cat "$__object/stdin")
+	fi
+fi
+
+if [ ! -f "${__object:?}/parameter/interface" ] && [ -z "$extra_area_configuration" ]; then
+	echo "Either --interface or --extra-area-configuration must be set." >&2
+	exit 1
+fi
+
 __file "${confdir:?}/ospf-${__object_id:?}.conf" \
 	--mode 0640 --owner root --group bird \
 	--source - << EOF
@@ -59,6 +74,8 @@ $([ -n "${instance_id?}" ] && printf "\tinstance id %s;\n" "${instance_id?}")
 	area 0 {
 $(sed -e 's/^/\t\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
 $(sed -e 's/^/\t\tsubnet /' -e 's/$/;/' "${__object:?}/parameter/subnet")
+
+		$extra_area_configuration
 	};
 }
 EOF

type/__bird_ospf/parameter/optional

@@ -1,2 +1,3 @@
 description
 instance-id
+extra-area-configuration

type/__bird_ospf/parameter/optional_multiple

@@ -1 +1,2 @@
 stubnet
+interface

type/__bird_radv/man.rst

@@ -15,12 +15,29 @@ autoconfigure IPv6 hosts, this type is a rudimentary implementation to generate
 configuration for Bird to do so.
 
 
-REQUIRED MULTIPLE PARAMETERS
-----------------------------
+REQUIRED PARAMETERS
+-------------------
 interface
   The interfaces to activate the protocol on. RAs will be sent using the
   prefixes configured on these interfaces.
 
+OPTIONAL PARAMETERS
+-------------------
+mtu
+  An optional MTU setting to include in the router advertisements.
+
+default-preference
+  This option specifies the Default Router Preference value to advertise to
+  hosts. Default: medium.
+
+route-preference
+  This option specifies the default value of advertised route preference for
+  specific routes. Default: medium.
+
+default-lifetime
+  This option specifies the time (in seconds) how long (since the receipt of RA)
+  hosts may use the router as a default router. 0 means do not use as a default
+  router. Default: 3.
 
 OPTIONAL MULTIPLE PARAMETERS
 ----------------------------
@@ -41,6 +58,7 @@ EXAMPLES
 
     __bird_radv datacenter \
         --interface eth1 \
+        --mtu 9000 \
         --route ::/0 \
         --ns 2001:DB8:cafe::4 \
         --ns 2001:DB8:cafe::14 \

type/__bird_radv/manifest

@@ -55,23 +55,52 @@ then
 	DNSSL=$(sed -e 's/^/\tdnssl "/' -e 's/$/";/' "${__object:?}/parameter/dnssl")
 fi
 
+MTU=
+if [ -f "${__object:?}/parameter/mtu" ];
+then
+	MTU="link mtu $(cat "${__object:?}/parameter/mtu");"
+fi
+
+DEFAULT_PREFERENCE=
+if [ -f "${__object:?}/parameter/default-preference" ];
+then
+	DEFAULT_PREFERENCE="default preference $(cat "${__object:?}/parameter/default-preference");"
+fi
+
+ROUTE_PREFERENCE=
+if [ -f "${__object:?}/parameter/route-preference" ];
+then
+	ROUTE_PREFERENCE="route preference $(cat "${__object:?}/parameter/route-preference");"
+fi
+
+DEFAULT_LIFETIME=
+if [ -f "${__object:?}/parameter/default-lifetime" ];
+then
+	DEFAULT_LIFETIME="default lifetime $(cat "${__object:?}/parameter/default-lifetime");"
+fi
+
 __file "${confdir:?}/radv-${__object_id:?}.conf" \
 	--mode 0640 --owner root --group bird \
 	--source - << EOF
-ipv6 table radv_routes;
+ipv6 table radv_routes_${__object_id};
 
 protocol static {
 	description "Routes advertised via RAs";
-	ipv6 { table radv_routes; };
+	ipv6 { table radv_routes_${__object_id}; };
 
 $(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
 }
 
 protocol radv ${__object_id:?} {
 	propagate routes ${have_routes:?};
-	ipv6 { table radv_routes; export all; };
+	ipv6 { table radv_routes_${__object_id}; export all; };
 
-$(sed -e 's/^/\tinterface "/' -e 's/$/";/' "${__object:?}/parameter/interface")
+	interface "$(cat "${__object:?}/parameter/interface")" {
+	$MTU
+	$DEFAULT_LIFETIME
+	$DEFAULT_PREFERENCE
+	$ROUTE_PREFERENCE
+	};
 
 $RDNS
 

type/__bird_radv/parameter/optional

@@ -0,0 +1,4 @@
+mtu
+default-preference
+route-preference
+default-lifetime

type/__bird_radv/parameter/required_multiple

@@ -1 +0,0 @@
-interface

type/__borg_repo/manifest

@@ -3,7 +3,7 @@
 os="$(cat "${__global:?}"/explorer/os)"
 
 case "$os" in
-	"alpine")
+	"alpine"|"ubuntu")
 		borg_package=borgbackup
 		;;
 	*)
@@ -17,3 +17,4 @@ if [ -f "${__object:?}/parameter/owner" ];
 then
 	__package sudo
 fi
+

type/__jitsi_meet/explorer/configured-memory

@@ -0,0 +1,15 @@
+#!/bin/sh -eu
+
+JICOFO="/usr/share/jicofo/jicofo.sh"
+VIDEOBRIDGE="/usr/share/jitsi-videobridge/lib/videobridge.rc"
+
+if [ -f "${JICOFO:?}" ]; then
+	jicofo_memory="$(grep JICOFO_MAX_MEMORY= "${JICOFO:?}" | cut -d= -f 2 | cut -d ";" -f 1)"
+fi
+if [ -f "${VIDEOBRIDGE:?}" ]; then
+	vb_memory="$(grep VIDEOBRIDGE_MAX_MEMORY= "${VIDEOBRIDGE:?}" | cut -d= -f 2)"
+fi
+cat <<EOF
+jicofo	${jicofo_memory:-n/a}
+videobridge	${vb_memory:-n/a}
+EOF

type/__jitsi_meet/explorer/jicofo-authpassword

@@ -0,0 +1,26 @@
+#!/bin/sh -eu
+
+JICOFO_AUTHPASSWORD=""
+# We need this to properly configure jicofo
+
+# Default to reading debconf
+DEBCONF_PASS_FILE="/var/cache/debconf/passwords.dat"
+if [ -f "${DEBCONF_PASS_FILE}" ]; then
+	JICOFO_AUTHPASSWORD="$(grep -A1 'Template: jicofo/jicofo-authpassword' "${DEBCONF_PASS_FILE}" | tail -n 1 | cut -d ' ' -f 2-)"
+fi
+
+# Try jicofo.conf if necessary
+JICOFO_CONF_FILE="/etc/jitsi/jicofo/jicofo.conf"
+if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONF_FILE}" ]; then
+	JICOFO_AUTHPASSWORD="$(grep -E '^[[:space:]]*password:' "${JICOFO_CONF_FILE}" | sed -E 's!^[^:]*:[[:space:]]*"(.*)"$!\1!')"
+fi
+
+# And fallback to config file if necessary
+JICOFO_CONFIG_FILE="/etc/jitsi/jicofo/config"
+if [ -z "${JICOFO_AUTHPASSWORD}" ] && [ -f "${JICOFO_CONFIG_FILE}" ]; then
+	JICOFO_AUTHPASSWORD="$(grep -E '^JICOFO_AUTH_PASSWORD=' "${JICOFO_CONFIG_FILE}" | cut -d '=' -f 2-)"
+fi
+
+# If we didn't find it, this is likely a new installation and we'll generate
+# the password on the manifest
+echo "${JICOFO_AUTHPASSWORD:-}"

type/__jitsi_meet/explorer/jitsi-status

@@ -0,0 +1,6 @@
+#!/bin/sh -eu
+
+if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
+	# TODO: detect curl / depend on it?
+	curl -s localhost:9888/metrics
+fi

type/__jitsi_meet/explorer/prometheus-jitsi-meet-explorer-version

@@ -1,7 +0,0 @@
-#!/bin/sh -e
-
-EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
-
-if [ -f "${EXPORTER_VERSION_FILE}" ]; then
-	cat "${EXPORTER_VERSION_FILE}"
-fi

type/__jitsi_meet/files/debconf_settings.sh

@@ -5,9 +5,6 @@
 if false; then
 	# We are currently not using these, just here as documentation
 	DEBCONF_SETTINGS="$(cat <<EOF
-# Jicofo user password:
-jicofo	jicofo/jicofo-authpassword	password	STH
-jitsi-meet-prosody	jicofo/jicofo-authpassword	password	STH
 # The secret used to connect to xmpp server as component
 jitsi-meet-prosody	jitsi-videobridge/jvbsecret	password	STH
 jitsi-videobridge	jitsi-videobridge/jvbsecret	password	STH
@@ -40,6 +37,9 @@ jitsi-videobridge	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
 jitsi-videobridge2	jitsi-videobridge/jvb-hostname	string	${JITSI_HOST}
 # The hostname of the current installation:
 jitsi-meet-prosody	jitsi-meet-prosody/jvb-hostname string	${JITSI_HOST}
+# Jicofo user password:
+jicofo	jicofo/jicofo-authpassword	password	${JICOFO_AUTHPASSWORD}
+jitsi-meet-prosody	jicofo/jicofo-authpassword	password	${JICOFO_AUTHPASSWORD}
 # SSL certificate for the Jitsi Meet instance
 # Choices: Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate), I want to use my own certificate
 jitsi-meet-web-config	jitsi-meet/cert-choice	select	Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)

type/__jitsi_meet/files/jicofo.conf.sh

@@ -0,0 +1,38 @@
+#!/bin/sh -eu
+
+# Start
+cat <<EOF
+# Managed remotely, changes will be lost
+
+# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
+#available options, syntax, and default values.
+jicofo {
+  xmpp: {
+    client: {
+      client-proxy: focus.${JITSI_HOST:?}
+      xmpp-domain: "${JITSI_HOST:?}"
+      domain: "auth.${JITSI_HOST:?}"
+      username: "focus"
+      password: "${JICOFO_AUTHPASSWORD:?}"
+    }
+    trusted-domains: [ "recorder.${JITSI_HOST:?}" ]
+  }
+  bridge: {
+    brewery-jid: "JvbBrewery@internal.auth.${JITSI_HOST:?}"
+  }
+EOF
+
+# Secured domains if needed
+if [ "${SECURED_DOMAINS_STATE:?}" = "present" ]; then
+cat <<EOF
+
+  authentication: {
+    enabled: true
+    type: XMPP
+    login-url: ${JITSI_HOST:?}
+  }
+EOF
+fi
+
+# End
+echo '}'

type/__jitsi_meet/files/jitsi-version

@@ -0,0 +1 @@
+../../__jitsi_meet_domain/files/jitsi-version

type/__jitsi_meet/files/prosody.cfg.lua.sh

@@ -0,0 +1 @@
+../../__jitsi_meet_domain/files/prosody.cfg.lua.sh

type/__jitsi_meet/gencode-remote

@@ -1,11 +1,43 @@
 #!/bin/sh -e
 
+memory="$(cat "${__global}/explorer/memory")"
+G="000000"  # Will totally eff up the zero-count otherwise
+# MAX_MEMORY will affect jicofo and videobridge
+#  As a rule of thumb, the machine's RAM should be more than 2.5 * MAX_MEMORY
+if [ "${memory}" -lt "3${G}" ]; then
+	# If you use this, let us know how it works!
+	MAX_MEMORY="768m"
+elif [ "${memory}" -lt "5${G}" ]; then
+	MAX_MEMORY="1024m"
+elif [ "${memory}" -lt "8${G}" ]; then
+	MAX_MEMORY="2048m"
+else
+	# Jitsi recommends running on 8G RAM and these are the defaults
+	MAX_MEMORY="3072m"
+fi
+
+if cut -f 2 "${__object}/explorer/configured-memory" | grep -qvE "^${MAX_MEMORY}$"; then
+	# At least one service has different memory settings
+	RESTART_SERVICES="YES"
+	cat <<-EOF
+	sed -i.tmp -E \
+		-e 's!^(#[[:space:]]*)?(VIDEOBRIDGE_MAX_MEMORY)=.*\$!\2=${MAX_MEMORY}!' \
+		/usr/share/jitsi-videobridge/lib/videobridge.rc
+	sed -i.tmp -E \
+		-e 's!(JICOFO_MAX_MEMORY)[^";]+;!\1=${MAX_MEMORY};!' \
+		/usr/share/jicofo/jicofo.sh
+	EOF
+fi
+
 if grep -qE "^__file/etc/nginx" "${__messages_in}"; then
 	echo "service nginx reload"
 fi
 
-JITSI_HOST="${__object_id}"
-if grep -qE "^(__line/jitsi_jicofo_secured_domains|__file/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua)" "${__messages_in}"; then
+if grep -qE "^(__line/jitsi_jicofo_secured_domains|(__file|__link)/etc/prosody/conf.d/|__file/etc/jitsi/(jicofo/jicofo.conf|videobridge/jvb.conf))" "${__messages_in}"; then
+	RESTART_SERVICES="YES"
+fi
+
+if [ -n "${RESTART_SERVICES}" ]; then
   echo "systemctl restart prosody"
   echo "systemctl restart jicofo"
   echo "systemctl restart jitsi-videobridge2"

type/__jitsi_meet/man.rst

@@ -21,13 +21,24 @@ You will also need the `__jitsi_meet_domain` type in order to finish setting up
 the web frontend (including TLS certificates) and its settings.
 
 You may want to use the `files/ufw` example manifest for a `__ufw`-based
-firewall compatible with this type.
-This file does not include rules for TCP port 9888, which exposes the
-prometheus exporter if not disabled.
-You should apply your own rules here.
+firewall compatible with this type that allows all ports needed by Jitsi-Meet.
+Note however that this will not deal with rules for SSH or for TCP port 9888,
+which exposes the prometheus exporter if not disabled.
+Remember to apply your own rules here, particularly regarding SSH.
 
 This type only works on De{bi,vu}an systems.
 
+It is very important for this type to stay up to date with the software, as
+otherwise new deployments or maintenance of existing instances might be
+negatively affected.
+If you can, please contribute updates to `__jitsi_meet` and
+`__jitsi_meet_domain` promptly and regularly.
+Alternatively, you can help finance that work; get in touch with the type
+authors for that (see below).
+
+This type takes care of adapting the maximum memory used by jicofo and
+videobridge in function of the hosts installed memory.
+
 NOTE: This type currently does not deal with setting up coturn.
       For that, you might want to check `__coturn` in
       https://code.ungleich.ch/ungleich-public/cdist-contrib
@@ -36,6 +47,14 @@ NOTE: This type currently does not deal with setting up coturn.
 
 OPTIONAL PARAMETERS
 -------------------
+abort-conference-count
+    Only has an effect if the prometheus exporter is enabled and if it is not
+    empty (default).
+    If at least this many conferences are active on the server, the type will
+    bail out before making any changes.
+    This is useful if you want to avoid service disruptions due to e.g. an SLA.
+
+
 turn-secret
     The shared secret for the TURN server.
 
@@ -43,11 +62,6 @@ turn-server
     The hostname of the TURN server.
     This will assume that it is listening with TLS on port 443.
 
-jitsi-version
-    The jitsi-meet version of the Debian package to be installed.
-    While this can be specified, only the default value is known to work
-    properly with this type.
-
 
 BOOLEAN PARAMETERS
 ------------------
@@ -70,9 +84,11 @@ EXAMPLES
 
 .. code-block:: sh
 
-    # Setup the firewall 
+    # Setup the firewall for Jitsi-Meet
     . "${__global}/type/__jitsi_meet/files/ufw"
     export require="__ufw"
+    # Setup firewall SSH rules as necessary
+    __ufw_rule ssh --rule 'allow 22/tcp from 10.0.0.0/24'
     # Setup Jitsi on this host
     __jitsi_meet \
       --turn-server "turn.exo.cat" \
@@ -92,4 +108,4 @@ Evilham <contact@evilham.com>
 
 COPYING
 -------
-Copyright \(C) 2021 Evilham.
+Copyright \(C) 2022 Evilham.

type/__jitsi_meet/manifest

@@ -1,7 +1,6 @@
 #!/bin/sh -e
 
 os="$(cat "${__global}/explorer/os")"
-init="$(cat "${__global}/explorer/init")"
 case "${os}" in
 	devuan|debian)
 	;;
@@ -11,10 +10,37 @@ case "${os}" in
 	;;
 esac
 
+current_conferences="$(cat "${__object}/explorer/jitsi-status" | grep -E "^jitsi_conferences[[:space:]]" | cut -d ' ' -f 2)"
+
+JICOFO_AUTHPASSWORD="$(cat "${__object}/explorer/jicofo-authpassword")"
+if [ -z "${JICOFO_AUTHPASSWORD}" ]; then
+	# This is probably a first time installation, we'll generate the
+	# password which will be set in debconf by this type
+	# https://github.com/jitsi/jicofo/blob/aafb61b5363a1c4abdbf08e1444a6276b807993e/debian/postinst#L43
+	JICOFO_AUTHPASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)"
+fi
+
+ABORT_CONFERENCE_COUNT="$(cat "${__object}/parameter/abort-conference-count")"
+
+if [ -n "${current_conferences}" ] && [ -n "${ABORT_CONFERENCE_COUNT}" ] && \
+	[ "${ABORT_CONFERENCE_COUNT}" -le "${current_conferences}" ]; then
+	cat <<-EOF
+Early bail out was requested when at least ${ABORT_CONFERENCE_COUNT} conferences are taking place.
+There are currently ${current_conferences} active conferences.
+
+Try again at a later time or remove or increase --abort-conference-count
+	EOF
+	exit 1
+fi
 
 JITSI_HOST="${__target_host}"
-# Currently unused, see below
-# JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
+if [ -f "${__object}/parameter/jitsi-version" ]; then
+	# This has been deprecated and will be removed 'soon'
+	JITSI_VERSION="$(cat "${__object}/parameter/jitsi-version")"
+else
+	# Note this won't be a parameter anymore, we won't let users stay behind
+	JITSI_VERSION="$(cat "${__type}/files/jitsi-version")"
+fi
 TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
 TURN_SECRET="$(cat "${__object}/parameter/turn-secret")"
 
@@ -22,8 +48,6 @@ if [ -z "${TURN_SERVER}" ]; then
 	TURN_SERVER="${JITSI_HOST}"
 fi
 
-PROMETHEUS_JITSI_EXPORTER_IS_VERSION="$(cat "${__object}/explorer/prometheus-jitsi-meet-explorer-version")"
-
 # The rest is loosely based on Jitsi's documentation
 # https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart
 
@@ -51,17 +75,16 @@ export require="${require} __apt_source/jitsi_meet __apt_update_index"
 # Pre-feed debconf settings, so Jitsi's installation has a good config
 # shellcheck source=type/__jitsi_meet/files/debconf_settings.sh
 . "${__type}/files/debconf_settings.sh"  # This defines DEBCONF_SETTINGS
-__debconf_set_selections jitsi_meet --file - <<EOF
-${DEBCONF_SETTINGS}
-EOF
+__debconf_set_selections jitsi_meet --line "${DEBCONF_SETTINGS}"
 export require="${require} __debconf_set_selections/jitsi_meet"
 
 # Install and upgrade packages as needed
-__package_apt jitsi-meet
-# We are not doing version pinning anymore because it breaks when
-# the version is not the latest.
-# This happens because dependencies cannot be properly resolved.
-# --version "${JITSI_VERSION}"
+#   NOTE: we are doing version pinning again, but it breaks sometimes when
+#         the version is not the latest.
+#         This happens because dependencies might not be properly resolved.
+#         To avoid this, this type must be maintained up to date.
+#         If we don't use this, keeping Jitsi's up to date is very difficult.
+__package_apt jitsi-meet --version "${JITSI_VERSION}"
 
 # Proceed only after installation/upgrade has finished
 export require="__package_apt/jitsi-meet"
@@ -125,7 +148,11 @@ require="__directory${NGINX_ETC}/sites-available" __file "${NGINX_ETC}/sites-ava
 
 server_names_hash_bucket_size 64;
 
-# nginx server configuration for:
+types {
+# nginx's default mime.types doesn't include a mapping for wasm or wav.
+    application/wasm     wasm;
+    audio/wav            wav;
+}
 
 server {
 
@@ -148,95 +175,145 @@ server {
 }
 EOF
 
-if [ -f "${__object}/parameter/secured-domains" ]; then
-  SECURED_DOMAINS_STATE='present'
-  SECURED_DOMAINS_STATE_JICOFO='replace'
-else
-  SECURED_DOMAINS_STATE='absent'
-  SECURED_DOMAINS_STATE_JICOFO='absent'
-fi
-
-__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
-  --owner prosody --group prosody --mode 0440 \
-  --state ${SECURED_DOMAINS_STATE} \
-  --source - <<EOF
-VirtualHost "${JITSI_HOST}"
-    authentication = "internal_plain"
-
-VirtualHost "guest.${JITSI_HOST}"
-    authentication = "anonymous"
-    c2s_require_encryption = false
+# Starting from 2.0.7210, jitsi defines following nginx upstreams
+__directory "${NGINX_ETC}/conf.d" --state present
+require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/prosody.conf" \
+  --mode 644 \
+  --source - << EOF
+upstream prosody {
+    zone upstreams 64K;
+    server 127.0.0.1:5280;
+    keepalive 2;
+}
+EOF
+require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jvb1.conf" \
+  --mode 644 \
+  --source - << EOF
+upstream jvb1 {
+    zone upstreams 64K;
+    server 127.0.0.1:9090;
+    keepalive 2;
+}
 EOF
 
-__block jitsi_jicofo_secured_domains \
-  --prefix "// begin cdist: jicofo_secured_domains" \
-  --suffix "// end   cdist: jicofo_secured_domains" \
-  --file /etc/jitsi/jicofo/jicofo.conf \
-  --state "${SECURED_DOMAINS_STATE_JICOFO}" \
-  --text '-' <<EOF
-  authentication: {
-    enabled: true
-    type: XMPP
-    login-url: ${JITSI_HOST}
-  }
+if [ -f "${__object}/parameter/secured-domains" ]; then
+  SECURED_DOMAINS_STATE='present'
+else
+  SECURED_DOMAINS_STATE='absent'
+fi
+
+# This is the main host config
+PROSODY_MAIN_CONFIG="YES"
+# Prosody settings for common components (jvb, focus, ...)
+# shellcheck source=type/__jitsi_meet/files/prosody.cfg.lua.sh
+. "${__type}/files/prosody.cfg.lua.sh"  # This defines PROSODY_CONFIG
+__file "/etc/prosody/conf.d/00_jitsi_base.cfg.lua" \
+	--group prosody \
+	--mode 0440 \
+	--source - <<EOF
+${PROSODY_CONFIG}
+EOF
+
+# Clean up zauth.cfg.lua file, which we don't use now
+__file "/etc/prosody/conf.d/${JITSI_HOST}.zauth.cfg.lua" \
+  --state absent
+
+export SECURED_DOMAINS_STATE
+export JITSI_HOST
+export JICOFO_AUTHPASSWORD
+"${__type}/files/jicofo.conf.sh" | \
+	__file /etc/jitsi/jicofo/jicofo.conf --mode 0444 --source '-'
+
+# Enable the private colibri REST API end point for better stats
+__file "/etc/jitsi/videobridge/jvb.conf" --mode 0444 --source '-' <<EOFJVB
+videobridge {
+    http-servers {
+        public {
+            port = 9090
+        }
+        private {
+            port = 8080
+        }
+    }
+    websockets {
+        enabled = true
+        domain = "${JITSI_HOST}:443"
+        tls = true
+    }
+    apis {
+        rest {
+            enabled = true
+        }
+    }
+}
+EOFJVB
+
+# Enable simple per-domain body customisation
+__file "/usr/share/jitsi-meet/body.html" \
+	--mode 0644 \
+	--source '-' <<EOF
+<!--#include virtual="body-\${host}.html" -->
 EOF
 
 # These two should be changed on new release
-PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION="1.1.5"
-PROMETHEUS_JITSI_EXPORTER_CHECKSUM="sha256:3ddf43a48d9a2f62be1bc6db9e7ba75d61994f9423e5c5b28be019f41f06f745"
-PROMETHEUS_JITSI_EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}/prometheus-jitsi-meet-exporter-linux-amd64"
-PROMETHEUS_JITSI_EXPORTER_VERSION_FILE="/usr/local/bin/.prometheus-jitsi-meet-exporter.cdist.version"
-if [ ! -f "${__object}/parameter/disable-prometheus-exporter" ]; then
-	case "${init}" in
-		init|sysvinit)
-			__runit
-			require="__runit" __runit_service \
-				prometheus-jitsi-meet-exporter --log --source - <<EOF
-			#!/bin/sh -e
-			cd /tmp
-			exec chpst -u "nobody:nogroup" env HOME="/tmp" \\
-			     prometheus-jitsi-meet-exporter \\
-				-videobridge-url 'http://localhost:8888/stats' \\
-				-web.listen-address ':9888' 2>&1
-EOF
-
-			export require="__runit_service/prometheus-jitsi-meet-exporter"
-			JITSI_MEET_EXPORTER_SERVICE="sv %s prometheus-jitsi-meet-exporter"
-		;;
-		systemd)
-			__systemd_unit prometheus-jitsi-meet-exporter.service \
-				--source "-" \
-				--enablement-state "enabled" <<EOF
-[Unit]
-Description=Metrics Exporter for Jitsi Meet
-After=network.target
-
-[Service]
-Type=simple
-DynamicUser=yes
-ExecStart=/usr/local/bin/prometheus-jitsi-meet-exporter -videobridge-url 'http://localhost:8888/stats' -web.listen-address ':9888'
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
-EOF
-			export require="__systemd_unit/prometheus-jitsi-meet-exporter.service"
-			JITSI_MEET_EXPORTER_SERVICE="service prometheus-jitsi-meet-exporter %s"
-		;;
-	esac
-	if [ "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" != \
-		"${PROMETHEUS_JITSI_EXPORTER_IS_VERSION}" ]; then
-		# shellcheck disable=SC2059
-		__download \
-			/tmp/prometheus-jitsi-meet-exporter \
-			--url "${PROMETHEUS_JITSI_EXPORTER_URL}" \
-			--download remote \
-			--sum "${PROMETHEUS_JITSI_EXPORTER_CHECKSUM}" \
-			--onchange "$(printf "${JITSI_MEET_EXPORTER_SERVICE}" "stop") || true; chmod 555 /tmp/prometheus-jitsi-meet-exporter && mv /tmp/prometheus-jitsi-meet-exporter /usr/local/bin/prometheus-jitsi-meet-exporter && $(printf "${JITSI_MEET_EXPORTER_SERVICE}" "restart")"
-		printf "%s" "${PROMETHEUS_JITSI_EXPORTER_SHOULD_VERSION}" | \
-			require="${require} __download/tmp/prometheus-jitsi-meet-exporter" __file \
-			"${PROMETHEUS_JITSI_EXPORTER_VERSION_FILE}" \
-			--source "-"
-	fi
+EXPORTER_VERSION="1.2.1"
+EXPORTER_CHECKSUM="sha256:46d4b8475b72fd7632a5203f1cc3c7067bed4629902b7780a1da85e4e06c2129"
+EXPORTER_URL="https://github.com/systemli/prometheus-jitsi-meet-exporter/releases/download/${EXPORTER_VERSION}/prometheus-jitsi-meet-exporter_${EXPORTER_VERSION}_linux_amd64.tar.gz"
+if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
+	EXPORTER_STATE="absent"
+else
+	EXPORTER_STATE="present"
 fi
-# TODO: disable the exporter if it is deployed and then admin changes their mind
+__evilham_single_binary_service prometheus-jitsi-meet-exporter \
+	--state "${EXPORTER_STATE}" \
+	--do-not-manage-user \
+	--user "nobody" \
+	--group "nogroup" \
+	--version "${EXPORTER_VERSION}" \
+	--checksum "${EXPORTER_CHECKSUM}" \
+	--url "${EXPORTER_URL}" \
+	--unpack \
+	--service-args "-videobridge-url 'http://localhost:8080/colibri/stats' -web.listen-address ':9888'"
+
+#
+# Setup interpreter assets if requested
+# See: https://gitlab.com/mfmt/jsi/
+#
+jsi_updated_on="2022-04-21"
+__link "/usr/share/jitsi-meet/interpreters.html" \
+	--type symbolic \
+	--source "/opt/jsi/static/index.html.sample"
+__directory /opt/jsi --mode 0755
+export require="__directory/opt/jsi"
+__download /opt/jsi/jsi.tar.gz \
+	--url 'https://gitlab.com/mfmt/jsi/-/archive/1d2cceaf615ee61c0bba80e5bddc61c5d1018303/jsi-1d2cceaf615ee61c0bba80e5bddc61c5d1018303.tar.gz' \
+	--sum "sha256:b020141093daa9937507b098f358d0be994834c3e23866a457fc5140415a0c53"
+export require="__download/opt/jsi/jsi.tar.gz"
+__unpack /opt/jsi/jsi.tar.gz \
+	--preserve-archive \
+	--tar-strip 1 \
+	--destination /opt/jsi/static \
+	--onchange "$(cat <<EOF
+# Patch style.css to be served on /i/
+sed -i.tmp -E \
+	-e 's!url[(]/img/welcome-background.png[)]!url(/i/img/welcome-background.png)!' \
+	/opt/jsi/static/style.css
+# Patch jsi.js to be served on /i/
+#   and so it always uses the domain it's served from
+#   and so it uses /i/ROOM for the form
+sed -i.tmp -E \
+	-e 's!substr[(][0-9]+[)]!substr(3)!' \
+	-e 's!config[.]jitsimeet_url!url.host!' \
+	-e 's!(window[.]location[.]href)[[:space:]]*=[[:space:]]*"/"!\1 = "/i/"!' \
+	/opt/jsi/static/jsi.js
+# Patch the sample index.html, so it loads external_api.js from same host
+#   and to easen up on the branding
+#   and to enable browser cache
+sed -i.tmp -E \
+	-e "s!src=[^>]*(/external_api.js).!src='\1'!" \
+	-e "s!<h1>[^<]*</h1>!<h1>Jitsi Meetings with interpreter</h1>!" \
+	-e "s!https://meet.mayfirst.org!/!" \
+	-e "s!(style.css|jsi.js)([^?])!\1?v=${jsi_updated_on:?}\2!" \
+	/opt/jsi/static/index.html.sample
+EOF
+)"

type/__jitsi_meet/parameter/default/jitsi-version

@@ -1 +0,0 @@
-2.0.5765-1

type/__jitsi_meet/parameter/deprecated/jitsi-version

@@ -0,0 +1,4 @@
+Supporting different versions lead to strange issues in the life-time of a
+Jitsi instance. Chiefly: difficulties upgrading.
+
+If you are specifying this for a valid reason, please get in touch.

type/__jitsi_meet/parameter/optional

@@ -1,3 +1,4 @@
+abort-conference-count
 jitsi-version
 turn-secret
 turn-server

type/__jitsi_meet_domain/files/_update_jitsi_configurations.sh

@@ -0,0 +1,35 @@
+#!/bin/sh -eu
+
+# This is a helper to update the '.sh.orig' files for jitsi's
+# configuration files.
+# Then the changes must be propagated to their corresponding .sh
+# files by the type maintainer or a contributor
+
+# We could automate this, but are using it as an indicator for the
+# latest branch with which we conciliated changes.
+BRANCH="jitsi-meet_8319"
+REPO="https://github.com/jitsi/jitsi-meet"
+
+get_url() {
+	file="${1}"
+	printf "%s/raw/stable/%s/%s" "${REPO}" "${BRANCH}" "${file}"
+
+}
+
+download_file() {
+	file="${1}"
+	destination="${2:-${file}.sh.orig}"
+	url="$(get_url "${file}")"
+	echo "Downloading ${destination}"
+	curl -L "${url}" > "${destination}"
+	echo
+}
+
+download_file config.js
+download_file interface_config.js
+download_file doc/debian/jitsi-meet/jitsi-meet.example nginx.sh.orig
+download_file doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example prosody.cfg.lua.sh.orig
+
+# Change the version file, maintainers should check that it matches
+# the deb version
+printf "2.0.%s-1" "${BRANCH#*_}" > jitsi-version

type/__jitsi_meet_domain/files/interface_config.js.sh

@@ -20,7 +20,7 @@ JITSI_INTERFACE_CONFIG_JS="$(cat <<EOF
  */
 
 var interfaceConfig = {
-    APP_NAME: 'Jitsi Meet',
+    APP_NAME: '${BRANDING_APP_NAME}',
     AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)',
     AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)',
 
@@ -36,42 +36,12 @@ var interfaceConfig = {
     BRAND_WATERMARK_LINK: '',
 
     CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
-    /**
-     * Whether the connection indicator icon should hide itself based on
-     * connection strength. If true, the connection indicator will remain
-     * displayed while the participant has a weak connection and will hide
-     * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
-     * strong.
-     *
-     * @type {boolean}
-     */
-    CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
 
-    /**
-     * How long the connection indicator should remain displayed before hiding.
-     * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
-     *
-     * @type {number}
-     */
-    CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
-
-    /**
-     * If true, hides the connection indicators completely.
-     *
-     * @type {boolean}
-     */
-    CONNECTION_INDICATOR_DISABLED: false,
-
-    DEFAULT_BACKGROUND: '#474747',
-    DEFAULT_LOCAL_DISPLAY_NAME: 'me',
-    DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
-    DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
+    DEFAULT_BACKGROUND: '#040404',
     DEFAULT_WELCOME_PAGE_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
 
     DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
 
-    DISABLE_FOCUS_INDICATOR: false,
-
     /**
      * If true, notifications regarding joining/leaving are no longer displayed.
      */
@@ -117,21 +87,14 @@ var interfaceConfig = {
 
     GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
 
-    /**
-     * Hide the logo on the deep linking pages.
-     */
-    HIDE_DEEP_LINKING_LOGO: false,
-
     /**
      * Hide the invite prompt in the header when alone in the meeting.
      */
     HIDE_INVITE_MORE_HEADER: false,
 
-    INITIAL_TOOLBAR_TIMEOUT: 20000,
     JITSI_WATERMARK_LINK: 'https://jitsi.org',
 
     LANG_DETECTION: true, // Allow i18n to detect the system language
-    LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
     LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
 
     /**
@@ -151,23 +114,6 @@ var interfaceConfig = {
      */
     MOBILE_APP_PROMO: true,
 
-    /**
-     * Specify custom URL for downloading android mobile app.
-     */
-    MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
-
-    /**
-     * Specify custom URL for downloading f droid app.
-     */
-    MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
-
-    /**
-     * Specify URL for downloading ios mobile app.
-     */
-    MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
-
-    NATIVE_APP_NAME: 'Jitsi Meet',
-
     // Names of browsers which should show a warning stating the current browser
     // has a suboptimal experience. Browsers which are not listed as optimal or
     // unsupported are considered suboptimal. Valid values are:
@@ -185,7 +131,7 @@ var interfaceConfig = {
     RECENT_LIST_ENABLED: true,
     REMOTE_THUMBNAIL_RATIO: 1, // 1:1
 
-    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
 
     /**
      * Specify which sharing features should be displayed. If the value is not set
@@ -196,13 +142,12 @@ var interfaceConfig = {
     SHOW_BRAND_WATERMARK: false,
 
     /**
-    * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
-    * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
-    * being already installed is done before rendering.
-    */
+     * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
+     * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
+     * being already installed is done before rendering.
+     */
     SHOW_CHROME_EXTENSION_BANNER: false,
 
-    SHOW_DEEP_LINKING_IMAGE: false,
     SHOW_JITSI_WATERMARK: true,
     SHOW_POWERED_BY: false,
     SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@@ -213,16 +158,6 @@ var interfaceConfig = {
      */
     SUPPORT_URL: 'https://community.jitsi.org/',
 
-    TOOLBAR_ALWAYS_VISIBLE: false,
-
-    /**
-     * DEPRECATED!
-     * This config was moved to config.js as \`toolbarButtons\`.
-     */
-    // TOOLBAR_BUTTONS: [],
-
-    TOOLBAR_TIMEOUT: 4000,
-
     // Browsers, in addition to those which do not fully support WebRTC, that
     // are not supported and should show the unsupported browser page.
     UNSUPPORTED_BROWSERS: [],
@@ -253,6 +188,31 @@ var interfaceConfig = {
      */
     // TILE_VIEW_MAX_COLUMNS: 5,
 
+    // List of undocumented settings
+    /**
+     INDICATOR_FONT_SIZES
+     PHONE_NUMBER_REGEX
+    */
+
+    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+
+    /**
+     * Specify URL for downloading ios mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
+
+    /**
+     * Specify custom URL for downloading android mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
+
+    /**
+     * Specify mobile app scheme for opening the app from the mobile browser.
+     */
+    // APP_SCHEME: 'org.jitsi.meet',
+
+    // NATIVE_APP_NAME: 'Jitsi Meet',
+
     /**
      * Specify Firebase dynamic link properties for the mobile apps.
      */
@@ -265,9 +225,9 @@ var interfaceConfig = {
     // },
 
     /**
-     * Specify mobile app scheme for opening the app from the mobile browser.
+     * Hide the logo on the deep linking pages.
      */
-    // APP_SCHEME: 'org.jitsi.meet',
+    // HIDE_DEEP_LINKING_LOGO: false,
 
     /**
      * Specify the Android app package name.
@@ -275,17 +235,42 @@ var interfaceConfig = {
     // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
 
     /**
-     * Override the behavior of some notifications to remain displayed until
-     * explicitly dismissed through a user action. The value is how long, in
-     * milliseconds, those notifications should remain displayed.
+     * Specify custom URL for downloading f droid app.
      */
-    // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
+    // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
 
-    // List of undocumented settings
-    /**
-     INDICATOR_FONT_SIZES
-     PHONE_NUMBER_REGEX
-    */
+    // Connection indicators (
+    // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
+    // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
+    // CONNECTION_INDICATOR_DISABLED) got moved to config.js.
+
+    // Please use disableModeratorIndicator from config.js
+    // DISABLE_FOCUS_INDICATOR: false,
+
+    // Please use defaultLocalDisplayName from config.js
+    // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
+
+    // Please use defaultLogoUrl from config.js
+    DEFAULT_LOGO_URL: '${BRANDING_WATERMARK_PATH}',
+
+    // Please use defaultRemoteDisplayName from config.js
+    // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
+
+    // Moved to config.js as \`toolbarConfig.initialTimeout\`.
+    // INITIAL_TOOLBAR_TIMEOUT: 20000,
+
+    // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
+    // Documentation reference for the live streaming feature.
+    // LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
+
+    // Moved to config.js as \`toolbarConfig.alwaysVisible\`.
+    // TOOLBAR_ALWAYS_VISIBLE: false,
+
+    // This config was moved to config.js as \`toolbarButtons\`.
+    // TOOLBAR_BUTTONS: [],
+
+    // Moved to config.js as \`toolbarConfig.timeout\`.
+    // TOOLBAR_TIMEOUT: 4000,
 
     // Allow all above example options to include a trailing comma and
     // prevent fear when commenting out the last value.

type/__jitsi_meet_domain/files/interface_config.js.sh.orig

@@ -25,42 +25,12 @@ var interfaceConfig = {
     BRAND_WATERMARK_LINK: '',
 
     CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it
-    /**
-     * Whether the connection indicator icon should hide itself based on
-     * connection strength. If true, the connection indicator will remain
-     * displayed while the participant has a weak connection and will hide
-     * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is
-     * strong.
-     *
-     * @type {boolean}
-     */
-    CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true,
 
-    /**
-     * How long the connection indicator should remain displayed before hiding.
-     * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED.
-     *
-     * @type {number}
-     */
-    CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000,
-
-    /**
-     * If true, hides the connection indicators completely.
-     *
-     * @type {boolean}
-     */
-    CONNECTION_INDICATOR_DISABLED: false,
-
-    DEFAULT_BACKGROUND: '#474747',
-    DEFAULT_LOCAL_DISPLAY_NAME: 'me',
-    DEFAULT_LOGO_URL: 'images/watermark.svg',
-    DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
+    DEFAULT_BACKGROUND: '#040404',
     DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg',
 
     DISABLE_DOMINANT_SPEAKER_INDICATOR: false,
 
-    DISABLE_FOCUS_INDICATOR: false,
-
     /**
      * If true, notifications regarding joining/leaving are no longer displayed.
      */
@@ -106,21 +76,14 @@ var interfaceConfig = {
 
     GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
 
-    /**
-     * Hide the logo on the deep linking pages.
-     */
-    HIDE_DEEP_LINKING_LOGO: false,
-
     /**
      * Hide the invite prompt in the header when alone in the meeting.
      */
     HIDE_INVITE_MORE_HEADER: false,
 
-    INITIAL_TOOLBAR_TIMEOUT: 20000,
     JITSI_WATERMARK_LINK: 'https://jitsi.org',
 
     LANG_DETECTION: true, // Allow i18n to detect the system language
-    LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature.
     LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9
 
     /**
@@ -140,23 +103,6 @@ var interfaceConfig = {
      */
     MOBILE_APP_PROMO: true,
 
-    /**
-     * Specify custom URL for downloading android mobile app.
-     */
-    MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
-
-    /**
-     * Specify custom URL for downloading f droid app.
-     */
-    MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
-
-    /**
-     * Specify URL for downloading ios mobile app.
-     */
-    MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
-
-    NATIVE_APP_NAME: 'Jitsi Meet',
-
     // Names of browsers which should show a warning stating the current browser
     // has a suboptimal experience. Browsers which are not listed as optimal or
     // unsupported are considered suboptimal. Valid values are:
@@ -174,7 +120,7 @@ var interfaceConfig = {
     RECENT_LIST_ENABLED: true,
     REMOTE_THUMBNAIL_RATIO: 1, // 1:1
 
-    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds' ],
+    SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar', 'sounds', 'more' ],
 
     /**
      * Specify which sharing features should be displayed. If the value is not set
@@ -185,13 +131,12 @@ var interfaceConfig = {
     SHOW_BRAND_WATERMARK: false,
 
     /**
-    * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
-    * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
-    * being already installed is done before rendering.
-    */
+     * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting.
+     * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s)
+     * being already installed is done before rendering.
+     */
     SHOW_CHROME_EXTENSION_BANNER: false,
 
-    SHOW_DEEP_LINKING_IMAGE: false,
     SHOW_JITSI_WATERMARK: true,
     SHOW_POWERED_BY: false,
     SHOW_PROMOTIONAL_CLOSE_PAGE: false,
@@ -202,16 +147,6 @@ var interfaceConfig = {
      */
     SUPPORT_URL: 'https://community.jitsi.org/',
 
-    TOOLBAR_ALWAYS_VISIBLE: false,
-
-    /**
-     * DEPRECATED!
-     * This config was moved to config.js as `toolbarButtons`.
-     */
-    // TOOLBAR_BUTTONS: [],
-
-    TOOLBAR_TIMEOUT: 4000,
-
     // Browsers, in addition to those which do not fully support WebRTC, that
     // are not supported and should show the unsupported browser page.
     UNSUPPORTED_BROWSERS: [],
@@ -242,6 +177,31 @@ var interfaceConfig = {
      */
     // TILE_VIEW_MAX_COLUMNS: 5,
 
+    // List of undocumented settings
+    /**
+     INDICATOR_FONT_SIZES
+     PHONE_NUMBER_REGEX
+    */
+
+    // -----------------DEPRECATED CONFIGS BELOW THIS LINE-----------------------------
+
+    /**
+     * Specify URL for downloading ios mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905',
+
+    /**
+     * Specify custom URL for downloading android mobile app.
+     */
+    // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet',
+
+    /**
+     * Specify mobile app scheme for opening the app from the mobile browser.
+     */
+    // APP_SCHEME: 'org.jitsi.meet',
+
+    // NATIVE_APP_NAME: 'Jitsi Meet',
+
     /**
      * Specify Firebase dynamic link properties for the mobile apps.
      */
@@ -254,9 +214,9 @@ var interfaceConfig = {
     // },
 
     /**
-     * Specify mobile app scheme for opening the app from the mobile browser.
+     * Hide the logo on the deep linking pages.
      */
-    // APP_SCHEME: 'org.jitsi.meet',
+    // HIDE_DEEP_LINKING_LOGO: false,
 
     /**
      * Specify the Android app package name.
@@ -264,17 +224,42 @@ var interfaceConfig = {
     // ANDROID_APP_PACKAGE: 'org.jitsi.meet',
 
     /**
-     * Override the behavior of some notifications to remain displayed until
-     * explicitly dismissed through a user action. The value is how long, in
-     * milliseconds, those notifications should remain displayed.
+     * Specify custom URL for downloading f droid app.
      */
-    // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
+    // MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
 
-    // List of undocumented settings
-    /**
-     INDICATOR_FONT_SIZES
-     PHONE_NUMBER_REGEX
-    */
+    // Connection indicators (
+    // CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,
+    // CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT,
+    // CONNECTION_INDICATOR_DISABLED) got moved to config.js.
+
+    // Please use disableModeratorIndicator from config.js
+    // DISABLE_FOCUS_INDICATOR: false,
+
+    // Please use defaultLocalDisplayName from config.js
+    // DEFAULT_LOCAL_DISPLAY_NAME: 'me',
+
+    // Please use defaultLogoUrl from config.js
+    // DEFAULT_LOGO_URL: 'images/watermark.svg',
+
+    // Please use defaultRemoteDisplayName from config.js
+    // DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
+
+    // Moved to config.js as `toolbarConfig.initialTimeout`.
+    // INITIAL_TOOLBAR_TIMEOUT: 20000,
+
+    // Please use `liveStreaming.helpLink` from config.js
+    // Documentation reference for the live streaming feature.
+    // LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live',
+
+    // Moved to config.js as `toolbarConfig.alwaysVisible`.
+    // TOOLBAR_ALWAYS_VISIBLE: false,
+
+    // This config was moved to config.js as `toolbarButtons`.
+    // TOOLBAR_BUTTONS: [],
+
+    // Moved to config.js as `toolbarConfig.timeout`.
+    // TOOLBAR_TIMEOUT: 4000,
 
     // Allow all above example options to include a trailing comma and
     // prevent fear when commenting out the last value.

type/__jitsi_meet_domain/files/jitsi-version

@@ -0,0 +1 @@
+2.0.8319-1

type/__jitsi_meet_domain/files/nginx.sh

@@ -2,6 +2,37 @@
 
 # shellcheck disable=SC2034  # This is intended to be included
 JITSI_NGINX_CONFIG="$(cat <<EOF
+# Jitsi uses following lines by default, in our cdist types they must be commented
+# out as we already set it with __jitsi_meet in the default server config.
+#server_names_hash_bucket_size 64;
+#
+#types {
+## nginx's default mime.types doesn't include a mapping for wasm or wav.
+#    application/wasm     wasm;
+#    audio/wav            wav;
+#}
+# These upstreams are managed by __jitsi_meet
+#upstream prosody {
+#    zone upstreams 64K;
+#    server 127.0.0.1:5280;
+#    keepalive 2;
+#}
+#upstream jvb1 {
+#    zone upstreams 64K;
+#    server 127.0.0.1:9090;
+#    keepalive 2;
+#}
+#map \$arg_vnode \$prosody_node {
+#    default prosody;
+#    v1 v1;
+#    v2 v2;
+#    v3 v3;
+#    v4 v4;
+#    v5 v5;
+#    v6 v6;
+#    v7 v7;
+#    v8 v8;
+#}
 server {
     listen 80;
     listen [::]:80;
@@ -10,7 +41,7 @@ server {
     include snippets/acme-challenge.conf;
 
     location / {
-       return 301 https://\$host\$request_uri;
+        return 301 https://\$host\$request_uri;
     }
 }
 server {
@@ -20,7 +51,7 @@ server {
 
     include snippets/acme-challenge.conf;
 
-# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
     ssl_prefer_server_ciphers off;
@@ -30,6 +61,7 @@ server {
     ssl_session_tickets off;
 
     add_header Strict-Transport-Security "max-age=63072000" always;
+    set \$prefix "";
 
     ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
@@ -71,7 +103,14 @@ server {
         alias /usr/share/jitsi-meet/libs/external_api.min.js;
     }
 
-    #ensure all static content can always be found first
+    location = /_api/room-info {
+        proxy_pass http://prosody/room-info?prefix=\$prefix&\$args;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For \$remote_addr;
+        proxy_set_header Host \$http_host;
+    }
+
+    # ensure all static content can always be found first
     location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
     {
         add_header 'Access-Control-Allow-Origin' '*';
@@ -79,40 +118,67 @@ server {
 
         # cache all versioned files
         if (\$arg_v) {
-          expires 1y;
+            expires 1y;
         }
     }
 
+    # Paths for jsi / interpreters
+    location ~ ^/i/(img/[^./]*.png|jsi.js|style.css)$
+    {
+        add_header 'Access-Control-Allow-Origin' '*';
+        alias /opt/jsi/static/\$1;
+
+        # cache all versioned files
+        if (\$arg_v) {
+            expires 1y;
+        }
+    }
+    location ~ ^/i/
+    {
+        try_files /${DOMAIN}-interpreters.html /interpreters.html \$uri;
+    }
+
     # BOSH
     location = /http-bind {
-        proxy_pass      http://localhost:5280/http-bind;
+        proxy_pass http://prosody/http-bind?prefix=\$prefix&\$args;
+        proxy_http_version 1.1;
         proxy_set_header X-Forwarded-For \$remote_addr;
 	# Prevision for 'multi-domain' jitsi instances
 	# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
-        proxy_set_header Host ${JITSI_HOST};
+        proxy_set_header Host ${DOMAIN};
+        proxy_set_header Connection "";
     }
 
     # xmpp websockets
     location = /xmpp-websocket {
-        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=\$prefix&\$args;
+        proxy_pass http://prosody/xmpp-websocket?prefix=\$prefix&\$args;
         proxy_http_version 1.1;
         proxy_set_header Upgrade \$http_upgrade;
         proxy_set_header Connection "upgrade";
 	# Prevision for 'multi-domain' jitsi instances
 	# https://community.jitsi.org/t/same-jitsi-meet-instance-with-multiple-domain-names/17391
-        proxy_set_header Host ${JITSI_HOST};
+        proxy_set_header Host ${DOMAIN};
         tcp_nodelay on;
     }
 
     # colibri (JVB) websockets for jvb1
     location ~ ^/colibri-ws/default-id/(.*) {
-       proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args;
-       proxy_http_version 1.1;
-       proxy_set_header Upgrade \$http_upgrade;
-       proxy_set_header Connection "upgrade";
-       tcp_nodelay on;
+        proxy_pass http://jvb1/colibri-ws/default-id/\$1\$is_args\$args;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+        tcp_nodelay on;
     }
 
+    # load test minimal client, uncomment when used
+    #location ~ ^/_load-test/([^/?&:'"]+)\$ {
+    #    rewrite ^/_load-test/(.*)\$ /load-test/index.html break;
+    #}
+    #location ~ ^/_load-test/libs/(.*)\$ {
+    #    add_header 'Access-Control-Allow-Origin' '*';
+    #    alias /usr/share/jitsi-meet/load-test/libs/\$1;
+    #}
+
     location ~ ^/([^/?&:'"]+)\$ {
         try_files \$uri @root_path;
     }
@@ -123,17 +189,10 @@ server {
 
     location ~ ^/([^/?&:'"]+)/config.js\$
     {
-       set \$subdomain "\$1.";
-       set \$subdir "\$1/";
-
-       alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
-    }
-
-    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
-    location ~ ^/([^/?&:'"]+)/(.*)\$ {
         set \$subdomain "\$1.";
         set \$subdir "\$1/";
-        rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
+
+        alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
     }
 
     # BOSH for subdomains
@@ -153,6 +212,21 @@ server {
 
         rewrite ^/(.*)\$ /xmpp-websocket;
     }
+
+    location ~ ^/([^/?&:'"]+)/_api/room-info {
+        set \$subdomain "\$1.";
+        set \$subdir "\$1/";
+        set \$prefix "\$1";
+
+        rewrite ^/(.*)\$ /_api/room-info;
+    }
+
+    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+    location ~ ^/([^/?&:'"]+)/(.*)\$ {
+        set \$subdomain "\$1.";
+        set \$subdir "\$1/";
+        rewrite ^/([^/?&:'"]+)/(.*)\$ /\$2;
+    }
 }
 EOF
 )"

type/__jitsi_meet_domain/files/nginx.sh.orig

@@ -1,19 +1,45 @@
 server_names_hash_bucket_size 64;
 
+types {
+# nginx's default mime.types doesn't include a mapping for wasm or wav.
+    application/wasm     wasm;
+    audio/wav            wav;
+}
+upstream prosody {
+    zone upstreams 64K;
+    server 127.0.0.1:5280;
+    keepalive 2;
+}
+upstream jvb1 {
+    zone upstreams 64K;
+    server 127.0.0.1:9090;
+    keepalive 2;
+}
+map $arg_vnode $prosody_node {
+    default prosody;
+    v1 v1;
+    v2 v2;
+    v3 v3;
+    v4 v4;
+    v5 v5;
+    v6 v6;
+    v7 v7;
+    v8 v8;
+}
 server {
     listen 80;
     listen [::]:80;
     server_name jitsi-meet.example.com;
 
     location ^~ /.well-known/acme-challenge/ {
-       default_type "text/plain";
-       root         /usr/share/jitsi-meet;
+        default_type "text/plain";
+        root         /usr/share/jitsi-meet;
     }
     location = /.well-known/acme-challenge/ {
-       return 404;
+        return 404;
     }
     location / {
-       return 301 https://$host$request_uri;
+        return 301 https://$host$request_uri;
     }
 }
 server {
@@ -21,7 +47,7 @@ server {
     listen [::]:443 ssl;
     server_name jitsi-meet.example.com;
 
-# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
     ssl_prefer_server_ciphers off;
@@ -31,6 +57,7 @@ server {
     ssl_session_tickets off;
 
     add_header Strict-Transport-Security "max-age=63072000" always;
+    set $prefix "";
 
     ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
     ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
@@ -58,7 +85,14 @@ server {
         alias /usr/share/jitsi-meet/libs/external_api.min.js;
     }
 
-    #ensure all static content can always be found first
+    location = /_api/room-info {
+        proxy_pass http://prosody/room-info?prefix=$prefix&$args;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $http_host;
+    }
+
+    # ensure all static content can always be found first
     location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
     {
         add_header 'Access-Control-Allow-Origin' '*';
@@ -66,20 +100,22 @@ server {
 
         # cache all versioned files
         if ($arg_v) {
-          expires 1y;
+            expires 1y;
         }
     }
 
     # BOSH
     location = /http-bind {
-        proxy_pass      http://localhost:5280/http-bind;
+        proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args;
+        proxy_http_version 1.1;
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header Host $http_host;
+        proxy_set_header Connection "";
     }
 
     # xmpp websockets
     location = /xmpp-websocket {
-        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
+        proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
@@ -89,13 +125,22 @@ server {
 
     # colibri (JVB) websockets for jvb1
     location ~ ^/colibri-ws/default-id/(.*) {
-       proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
-       proxy_http_version 1.1;
-       proxy_set_header Upgrade $http_upgrade;
-       proxy_set_header Connection "upgrade";
-       tcp_nodelay on;
+        proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        tcp_nodelay on;
     }
 
+    # load test minimal client, uncomment when used
+    #location ~ ^/_load-test/([^/?&:'"]+)$ {
+    #    rewrite ^/_load-test/(.*)$ /load-test/index.html break;
+    #}
+    #location ~ ^/_load-test/libs/(.*)$ {
+    #    add_header 'Access-Control-Allow-Origin' '*';
+    #    alias /usr/share/jitsi-meet/load-test/libs/$1;
+    #}
+
     location ~ ^/([^/?&:'"]+)$ {
         try_files $uri @root_path;
     }
@@ -106,17 +151,10 @@ server {
 
     location ~ ^/([^/?&:'"]+)/config.js$
     {
-       set $subdomain "$1.";
-       set $subdir "$1/";
-
-       alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
-    }
-
-    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
-    location ~ ^/([^/?&:'"]+)/(.*)$ {
         set $subdomain "$1.";
         set $subdir "$1/";
-        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
+
+        alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
     }
 
     # BOSH for subdomains
@@ -136,4 +174,19 @@ server {
 
         rewrite ^/(.*)$ /xmpp-websocket;
     }
+
+    location ~ ^/([^/?&:'"]+)/_api/room-info {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+        rewrite ^/(.*)$ /_api/room-info;
+    }
+
+    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+    location ~ ^/([^/?&:'"]+)/(.*)$ {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
+    }
 }

type/__jitsi_meet_domain/files/prosody.cfg.lua.sh

@@ -0,0 +1,220 @@
+#!/bin/sh -eu
+
+# Source:
+# https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example
+FOCUS_USER="focus"
+JITSI_DOMAIN="${JITSI_DOMAIN:-${JITSI_HOST:?}}"
+# PROSODY_MAIN_CONFIG: defined in __jitsi_meet, empty in __jitsi_meet_domain
+PROSODY_SECUREDOMAIN_START="--[["
+PROSODY_SECUREDOMAIN_END="--]]"
+if [ -n "${PROSODY_MAIN_CONFIG}" ]; then
+	PROSODY_MAIN_START=""
+	PROSODY_MAIN_END=""
+	PROSODY_DOMAIN_START="--[["
+	PROSODY_DOMAIN_END="--]]"
+else
+	PROSODY_MAIN_START="--[["
+	PROSODY_MAIN_END="--]]"
+	PROSODY_DOMAIN_START=""
+	PROSODY_DOMAIN_END=""
+	if [ -n "${SECURED_DOMAINS}" ]; then
+		PROSODY_SECUREDOMAIN_START=""
+		PROSODY_SECUREDOMAIN_END=""
+	fi
+fi
+# Websockets haven't been fully tested in this type and don't work reliably
+PROSODY_WEBSOCKET="-- "
+
+# shellcheck disable=SC2034  # This is intended to be included
+PROSODY_CONFIG="$(cat <<EOFPROSODY
+-- Managed remotely, changes will be lost
+${PROSODY_MAIN_START}
+-- This will be managed by __jitsi_meet
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
+
+-- domain mapper options, must at least have domain base set to use the mapper
+muc_mapper_domain_base = "${JITSI_HOST:?}";
+
+external_service_secret = "${TURN_SECRET:-TurnSecret}";
+external_services = {
+     { type = "stun", host = "${JITSI_HOST:?}", port = 3478 },
+     { type = "turn", host = "${JITSI_HOST:?}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
+     { type = "turns", host = "${JITSI_HOST:?}", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
+};
+
+cross_domain_bosh = false;
+consider_bosh_secure = true;
+-- Use websockets
+-- https://community.jitsi.org/t/how-to-how-to-enable-websockets-xmpp-websocket-and-smacks-for-prosody/87920
+${PROSODY_WEBSOCKET}consider_websocket_secure = true;
+
+-- https_ports = { }; -- Remove this line to prevent listening on port 5284
+
+-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
+--http_cors_override = {
+--    bosh = {
+--        enabled = false;
+--    };
+--    websocket = {
+--        enabled = false;
+--    };
+--}
+
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+ssl = {
+    protocol = "tlsv1_2+";
+    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+}
+
+unlimited_jids = {
+    "${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
+    "jvb@auth.${JITSI_HOST:?}"
+}
+${PROSODY_MAIN_END}
+
+${PROSODY_DOMAIN_START}
+-- This will be managed by __jitsi_meet_domain
+VirtualHost "${JITSI_DOMAIN:?}"
+    authentication = "jitsi-anonymous" -- do not delete me
+    -- Properties below are modified by jitsi-meet-tokens package config
+    -- and authentication above is switched to "token"
+    --app_id="example_app_id"
+    --app_secret="example_app_secret"
+    -- Assign this host a certificate for TLS, otherwise it would use the one
+    -- set in the global section (if any).
+    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+    -- use the global one.
+    ssl = {
+        key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
+        certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
+    }
+    av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
+    speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
+    conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
+    end_conference_component = "endconference.${JITSI_DOMAIN:?}"
+    -- we need bosh
+    modules_enabled = {
+        "bosh";
+        "pubsub";
+        "ping"; -- Enable mod_ping
+        "speakerstats";
+        "external_services";
+        "conference_duration";
+        "end_conference";
+        "muc_lobby_rooms";
+        "muc_breakout_rooms";
+        "av_moderation";
+        "room_metadata";
+${PROSODY_WEBSOCKET}        "websocket";
+${PROSODY_WEBSOCKET}        "smacks";
+    }
+    smacks_max_unacked_stanzas = 5;
+    smacks_hibernation_time = 60;
+    smacks_max_hibernated_sessions = 1;
+    smacks_max_old_sessions = 1;
+    c2s_require_encryption = false
+    lobby_muc = "lobby.${JITSI_DOMAIN:?}"
+    breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
+    room_metadata_component = "metadata.${JITSI_DOMAIN:?}"
+    main_muc = "conference.${JITSI_DOMAIN:?}"
+    -- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
+
+Component "conference.${JITSI_DOMAIN:?}" "muc"
+    restrict_room_creation = true
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        "polls";
+        --"token_verification";
+        "muc_rate_limit";
+    }
+    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+Component "breakout.${JITSI_DOMAIN:?}" "muc"
+    restrict_room_creation = true
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        "muc_rate_limit";
+        "polls";
+    }
+    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+-- internal muc component
+Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
+    storage = "memory"
+    modules_enabled = {
+        "ping";
+    }
+    admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+    -- https://prosody.im/doc/modules/mod_muc
+    muc_room_cache_size = 1000
+${PROSODY_DOMAIN_END}
+${PROSODY_MAIN_START}
+-- This will be managed by __jitsi_meet
+
+VirtualHost "auth.${JITSI_DOMAIN:?}"
+    ssl = {
+       key = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.key";
+       certificate = "/etc/prosody/certs/auth.${JITSI_DOMAIN:?}.crt";
+    }
+
+    modules_enabled = {
+        "limits_exception";
+    }
+    authentication = "internal_hashed"
+${PROSODY_MAIN_END}
+${PROSODY_DOMAIN_START}
+-- This will be managed by __jitsi_meet_domain
+
+-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
+Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
+    -- Single focus user for the whole instance
+    target_address = "${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
+
+Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+
+Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+
+Component "endconference.${JITSI_DOMAIN:?}" "end_conference"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+
+Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+
+Component "lobby.${JITSI_DOMAIN:?}" "muc"
+    storage = "memory"
+    restrict_room_creation = true
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+    modules_enabled = {
+        "muc_rate_limit";
+        "polls";
+    }
+
+Component "metadata.${JITSI_DOMAIN:?}" "room_metadata_component"
+    muc_component = "conference.${JITSI_DOMAIN:?}"
+    breakout_rooms_component = "breakout.${JITSI_DOMAIN:?}"
+${PROSODY_DOMAIN_END}
+
+${PROSODY_SECUREDOMAIN_START}
+-- Only used on secured domains
+VirtualHost "${JITSI_DOMAIN}"
+    authentication = "internal_plain"
+
+VirtualHost "guest.${JITSI_DOMAIN}"
+    authentication = "anonymous"
+    c2s_require_encryption = false
+${PROSODY_SECUREDOMAIN_END}
+EOFPROSODY
+)"

type/__jitsi_meet_domain/files/prosody.cfg.lua.sh.orig

@@ -0,0 +1,148 @@
+plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
+
+-- domain mapper options, must at least have domain base set to use the mapper
+muc_mapper_domain_base = "jitmeet.example.com";
+
+external_service_secret = "__turnSecret__";
+external_services = {
+     { type = "stun", host = "jitmeet.example.com", port = 3478 },
+     { type = "turn", host = "jitmeet.example.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
+     { type = "turns", host = "jitmeet.example.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
+};
+
+cross_domain_bosh = false;
+consider_bosh_secure = true;
+-- https_ports = { }; -- Remove this line to prevent listening on port 5284
+
+-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
+--http_cors_override = {
+--    bosh = {
+--        enabled = false;
+--    };
+--    websocket = {
+--        enabled = false;
+--    };
+--}
+
+-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+ssl = {
+    protocol = "tlsv1_2+";
+    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+}
+
+unlimited_jids = {
+    "focusUser@auth.jitmeet.example.com",
+    "jvb@auth.jitmeet.example.com"
+}
+
+VirtualHost "jitmeet.example.com"
+    authentication = "jitsi-anonymous" -- do not delete me
+    -- Properties below are modified by jitsi-meet-tokens package config
+    -- and authentication above is switched to "token"
+    --app_id="example_app_id"
+    --app_secret="example_app_secret"
+    -- Assign this host a certificate for TLS, otherwise it would use the one
+    -- set in the global section (if any).
+    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+    -- use the global one.
+    ssl = {
+        key = "/etc/prosody/certs/jitmeet.example.com.key";
+        certificate = "/etc/prosody/certs/jitmeet.example.com.crt";
+    }
+    av_moderation_component = "avmoderation.jitmeet.example.com"
+    speakerstats_component = "speakerstats.jitmeet.example.com"
+    conference_duration_component = "conferenceduration.jitmeet.example.com"
+    end_conference_component = "endconference.jitmeet.example.com"
+    -- we need bosh
+    modules_enabled = {
+        "bosh";
+        "pubsub";
+        "ping"; -- Enable mod_ping
+        "speakerstats";
+        "external_services";
+        "conference_duration";
+        "end_conference";
+        "muc_lobby_rooms";
+        "muc_breakout_rooms";
+        "av_moderation";
+        "room_metadata";
+    }
+    c2s_require_encryption = false
+    lobby_muc = "lobby.jitmeet.example.com"
+    breakout_rooms_muc = "breakout.jitmeet.example.com"
+    room_metadata_component = "metadata.jitmeet.example.com"
+    main_muc = "conference.jitmeet.example.com"
+    -- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
+
+Component "conference.jitmeet.example.com" "muc"
+    restrict_room_creation = true
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        "polls";
+        --"token_verification";
+        "muc_rate_limit";
+    }
+    admins = { "focusUser@auth.jitmeet.example.com" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+Component "breakout.jitmeet.example.com" "muc"
+    restrict_room_creation = true
+    storage = "memory"
+    modules_enabled = {
+        "muc_meeting_id";
+        "muc_domain_mapper";
+        "muc_rate_limit";
+        "polls";
+    }
+    admins = { "focusUser@auth.jitmeet.example.com" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+-- internal muc component
+Component "internal.auth.jitmeet.example.com" "muc"
+    storage = "memory"
+    modules_enabled = {
+        "ping";
+    }
+    admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+
+VirtualHost "auth.jitmeet.example.com"
+    modules_enabled = {
+        "limits_exception";
+    }
+    authentication = "internal_hashed"
+
+-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
+Component "focus.jitmeet.example.com" "client_proxy"
+    target_address = "focusUser@auth.jitmeet.example.com"
+
+Component "speakerstats.jitmeet.example.com" "speakerstats_component"
+    muc_component = "conference.jitmeet.example.com"
+
+Component "conferenceduration.jitmeet.example.com" "conference_duration_component"
+    muc_component = "conference.jitmeet.example.com"
+
+Component "endconference.jitmeet.example.com" "end_conference"
+    muc_component = "conference.jitmeet.example.com"
+
+Component "avmoderation.jitmeet.example.com" "av_moderation_component"
+    muc_component = "conference.jitmeet.example.com"
+
+Component "lobby.jitmeet.example.com" "muc"
+    storage = "memory"
+    restrict_room_creation = true
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+    modules_enabled = {
+        "muc_rate_limit";
+        "polls";
+    }
+
+Component "metadata.jitmeet.example.com" "room_metadata_component"
+    muc_component = "conference.jitmeet.example.com"
+    breakout_rooms_component = "breakout.jitmeet.example.com"

type/__jitsi_meet_domain/man.rst

@@ -11,14 +11,24 @@ DESCRIPTION
 -----------
 This type installs and configures the frontend for Jitsi-Meet.
 
-This supports "multi-domain" installations, notice that in such a setup, all
-rooms are shared across the different URLs, e.g.
-https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
-equivalent.
+Additionally to regular Jitsi-Meet, users can load `DOMAIN/i/` and
+`DOMAIN/i/ROOM` for an interpreter-enabled interface; this is done with a
+patched version of Jitsi Simultaneous Interpretation (jsi; see references).
+At least a user with `interpreter` in their name must be present.
+
+
+This type supports "multi-domain" installations.
+
+New in April 2022: rooms are independent for each domain, that is:
+https://jitsi1.example.org/room1 and https://jitsi2.example.org/room1 are
+different rooms.
+Note however, that right now if using secured domains, users are still shared
+across any domains hosted in the same instance.
+One way to work around that could be to run multiple jicofos, but we do not
+want to bloat the servers.
+A better way is to patch jicofo, get in touch with the type authors if you want
+the gory details.
 
-This is due to the underlying XMPP and signaling rooms being common.
-There might be a way to perform tricks on the Nginx-side to avoid this, but
-time is lacking :-).
 
 This assumes `__jitsi_meet` has already been ran on the target host, and,
 amongst others, that Jitsi was set up with `__target_host` as the Jitsi domain.
@@ -41,6 +51,11 @@ admin-email
 
 OPTIONAL PARAMETERS
 -------------------
+analytics-settings
+    This goes inside the `analytics` part of `config.js`.
+    Defaults to: `disabled: true`.
+    See: https://github.com/jitsi/jitsi-meet/blob/master/config.js
+
 channel-last-n
     Default value for the "last N" attribute.
     Defaults to 20. Set to -1 for unlimited.
@@ -60,6 +75,10 @@ start-video-muted
     Defaults to 10.
 
 
+state
+    Whether the domain is 'present' or 'absent', defaults to 'present'.
+
+
 turn-server
     The TURN server to be used.
     Defaults to `__target_host`.
@@ -74,6 +93,15 @@ video-constraints
     It must not have a trailing comma, see `constraints` in
     `__jitsi_meet_domain/files/config.js.sh`.
 
+branding-app-name
+    This will change `Jitsi Meet` in many places to the brand you desire.
+    Defaults to `Jitsi Meet`.
+
+branding-extra-body
+    This must be valid HTML, it will be included server-side and delivered to
+    clients alongside the default `index.html`.
+    This is useful if you would rather not replace the whole `index`, but
+    still want the chance to do some heavier branding / add instructions / etc.
 
 branding-json
     Path to a JSON file that will be served as the `dynamicBrandingUrl`.
@@ -81,14 +109,12 @@ branding-json
     `__jitsi_meet_domain/files/config.js.sh`.
     If not set, no branding will be set up.
 
-
 branding-index
     Path to an HTML file that will be served instead of Jitsi-Meet's default
     one.
     If not set, the default index file will be used.
     If set to `-`, the type's standard input will be used.
 
-
 branding-watermark
     Path to a png file that will be served instead of Jitsi-Meet's default
     one.
@@ -143,6 +169,7 @@ SEE ALSO
 --------
 - `__jitsi_meet(7)`
 - `__jitsi_meet_user(7)`
+- Jitsi Meet Simultaneous Interpretation: https://gitlab.com/mfmt/jsi
 
 
 AUTHORS

type/__jitsi_meet_domain/manifest

@@ -18,9 +18,12 @@ NOTICE_MESSAGE="$(cat "${__object}/parameter/notice-message")"
 START_VIDEO_MUTED="$(cat "${__object}/parameter/start-video-muted")"
 TURN_SERVER="$(cat "${__object}/parameter/turn-server")"
 VIDEO_CONSTRAINTS="$(cat "${__object}/parameter/video-constraints")"
+ANALYTICS_SETTINGS="$(cat "${__object}/parameter/analytics-settings")"
+BRANDING_APP_NAME="$(cat "${__object}/parameter/branding-app-name")"
 BRANDING_INDEX="$(cat "${__object}/parameter/branding-index")"
 BRANDING_JSON="$(cat "${__object}/parameter/branding-json")"
 BRANDING_WATERMARK="$(cat "${__object}/parameter/branding-watermark")"
+STATE="$(cat "${__object}/parameter/state")"
 
 if [ "${BRANDING_INDEX}" = "-" ]; then
 	BRANDING_INDEX="${__object}/stdin"
@@ -47,11 +50,31 @@ if [ -n "${BRANDING_JSON}" ]; then
 	DYNAMIC_BRANDING_URL="/branding.json"
 fi
 
+case "${STATE}" in
+	present)
+		# When adding the domain, Let's Encrypt must come before nginx
+		le_require=""
+		nginx_require="__letsencrypt_cert/${DOMAIN}"
+		;;
+	absent)
+		# When removing, nginx must come before Let's Encrypt
+		le_require="__file/etc/nginx/sites-enabled/${DOMAIN}.conf"
+		nginx_require=""
+		;;
+	*)
+		cat >> /dev/stderr <<-EOM
+		Unsupported state '${STATE}', must be 'present' or 'absent'.
+		EOM
+		exit 1
+		;;
+esac
+
 #
 # Deal with certbot
 #
 # use object id as domain
-__letsencrypt_cert "${DOMAIN}" \
+require="${le_require}" __letsencrypt_cert "${DOMAIN}" \
+	--state "${STATE}" \
 	--admin-email "${ADMIN_EMAIL}" \
 	--deploy-hook "service nginx reload" \
 	--webroot /usr/share/jitsi-meet
@@ -59,8 +82,9 @@ __letsencrypt_cert "${DOMAIN}" \
 # Create virtualhost for nginx
 # shellcheck source=type/__jitsi_meet_domain/files/nginx.sh
 . "${__type}/files/nginx.sh"  # This defines JITSI_NGINX_CONFIG
-require="__letsencrypt_cert/${DOMAIN}" __file \
+require="${nginx_require}" __file \
 	"/etc/nginx/sites-enabled/${DOMAIN}.conf" \
+	--state "${STATE}" \
 	--mode 0644 --source "-" <<EOF
 ${JITSI_NGINX_CONFIG}
 EOF
@@ -69,6 +93,7 @@ EOF
 # shellcheck source=type/__jitsi_meet_domain/files/config.js.sh
 . "${__type}/files/config.js.sh"  # This defines JITSI_CONFIG_JS
 __file "/etc/jitsi/meet/${DOMAIN}-config.js" \
+	--state "${STATE}" \
 	--mode 0644 --source "-" <<EOF
 ${JITSI_CONFIG_JS}
 EOF
@@ -77,6 +102,7 @@ EOF
 # shellcheck source=type/__jitsi_meet_domain/files/interface_config.js.sh
 . "${__type}/files/interface_config.js.sh"  # This defines JITSI_CONFIG_JS
 __file "/etc/jitsi/meet/${DOMAIN}-interface_config.js" \
+	--state "${STATE}" \
 	--mode 0644 --source "-" <<EOF
 ${JITSI_INTERFACE_CONFIG_JS}
 EOF
@@ -87,7 +113,7 @@ EOF
 #
 # Helper function to manage the state of the target branding file
 _var_state() {
-	if [ -n "${1}" ]; then
+	if [ "${STATE}" = "present" ] && [ -n "${1}" ]; then
 		echo "present"
 	else
 		echo "absent"
@@ -106,3 +132,43 @@ __file "/usr/share/jitsi-meet/images/watermark-${DOMAIN}.png" \
 	--mode 0644 \
 	--state "$(_var_state "${BRANDING_WATERMARK}")" \
 	--source "${BRANDING_WATERMARK}"
+# Simple body customisation
+__file "/usr/share/jitsi-meet/body-${DOMAIN}.html" \
+	--mode 0644 \
+	--state "$(_var_state "${STATE}")" \
+	--source "${__object}/parameter/branding-extra-body"
+
+#
+# Take care of prosody settings for the domain
+#
+JITSI_DOMAIN="${DOMAIN}"
+# Prosody settings for common components (jvb, focus, ...)
+# shellcheck source=type/__jitsi_meet_domain/files/prosody.cfg.lua.sh
+. "${__type}/files/prosody.cfg.lua.sh"  # This defines PROSODY_CONFIG
+__file "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
+	--group prosody \
+	--mode 0440 \
+	--state "${STATE}" \
+	--source '-' <<EOF
+${PROSODY_CONFIG}
+EOF
+__link "/etc/prosody/conf.d/${DOMAIN}.cfg.lua" \
+	--source "/etc/prosody/conf.avail/${DOMAIN}.cfg.lua" \
+	--state "${STATE}" \
+	--type symbolic
+
+if [ "${STATE}" = "present" ]; then
+	export require="${require} __file/etc/prosody/conf.avail/${DOMAIN}.cfg.lua __link/etc/prosody/conf.d/${DOMAIN}.cfg.lua"
+	__check_messages "prosody/${DOMAIN}" \
+		--pattern '^(__file|__link)/etc/prosody/conf[.](avail|d)/' \
+		--execute "$(cat <<EOF
+if [ ! -f "/var/lib/prosody/${DOMAIN}.crt" ]; then
+	echo | prosodyctl cert generate '${DOMAIN}';
+	ln -sf '/var/lib/prosody/${DOMAIN}.key' '/etc/prosody/certs/${DOMAIN}.key'
+	ln -sf '/var/lib/prosody/${DOMAIN}.crt' '/etc/prosody/certs/${DOMAIN}.crt'
+fi
+# Surprisingly, a reload is not enough
+service prosody restart
+EOF
+)"
+fi

type/__jitsi_meet_domain/parameter/default/analytics-settings

@@ -0,0 +1 @@
+        disabled: true

type/__jitsi_meet_domain/parameter/default/branding-app-name

@@ -0,0 +1 @@
+Jitsi Meet

type/__jitsi_meet_domain/parameter/default/state

@@ -0,0 +1 @@
+present

type/__jitsi_meet_domain/parameter/optional

@@ -1,9 +1,13 @@
+analytics-settings
 channel-last-n
 default-language
 notice-message
 start-video-muted
 turn-server
 video-constraints
+branding-app-name
 branding-json
 branding-index
+branding-extra-body
 branding-watermark
+state

type/__matrix_element/files/config.json.sh

@@ -34,12 +34,12 @@ EOF
 
     if [ "$BRANDING_AUTH_FOOTER_LINKS" != "" ]; then
         cat << EOF
-        "authFooterLinks": "$BRANDING_AUTH_FOOTER_LINKS",
+        "authFooterLinks": $BRANDING_AUTH_FOOTER_LINKS,
 EOF
     fi
 
     cat << EOF
-    "welcomeBackgroundUrl": "themes/element/img/backgrounds/lake.jpg"
+    "welcomeBackgroundUrl": "$BRANDING_WELCOME_BACKGROUND_URL"
 EOF
     echo '},'
 }
@@ -52,7 +52,7 @@ cat << EOF
             "server_name": "$DEFAULT_SERVER_NAME"
         },
         "m.identity_server": {
-            "base_url": "https://vector.im"
+            "base_url": "$IDENTITY_SERVER_URL"
         }
     },
     "brand": "$BRAND",
@@ -85,6 +85,10 @@ cat << EOF
             "url": "$COOKIE_POLICY_URL",
             "text": "Cookie Policy"
         }
-    ]
+    ],
+   "embeddedPages": {
+        "welcomeUrl": "$WELCOME_PAGE_URL",
+        "homeUrl": "$HOME_PAGE_URL"
+    }
 }
 EOF

type/__matrix_element/man.rst

@@ -27,12 +27,28 @@ default_server_name
 default_server_url
   URL of matrix homeserver to connect to, defaults to 'https://matrix-client.matrix.org'.
 
+identity_server_url
+  URL of matrix identity server to connect to, defaults to 'https://vector.im'.
+  See element documentation
+  `<https://github.com/vector-im/element-web/blob/develop/docs/config.md#identity-servers>_`
+  for details.
+
 owner
   Owner of the deployed files, passed to `chown`. Defaults to 'root'.
 
 brand
   Web UI branding, defaults to 'Element'.
 
+branding_auth_header_logo_url
+  A logo image that is shown in the header during authentication flows.
+
+branding_welcome_background_url
+  An image to use as a wallpaper outside the app during authentication flows. If an array is passed, an image is chosen randomly for each visit.
+
+branding_auth_footer_links
+  a list of links to show in the authentication page footer: `[{"text": "Link
+  text", "url": "https://link.target"}, {"text": "Other link", ...}]`
+
 default_country_code
   ISO 3166 alpha2 country code to use when showing country selectors, such as
   phone number inputs. Defaults to GB.

type/__matrix_element/manifest

@@ -25,11 +25,13 @@ INSTALL_DIR=$(cat "$__object/parameter/install_dir")
 
 export DEFAULT_SERVER_NAME=$(cat "$__object/parameter/default_server_name")
 export DEFAULT_SERVER_URL=$(cat "$__object/parameter/default_server_url")
+export IDENTITY_SERVER_URL=$(cat "$__object/parameter/identity_server_url")
 export BRAND=$(cat "$__object/parameter/brand")
 export DEFAULT_COUNTRY_CODE=$(cat "$__object/parameter/default_country_code")
 export ROOM_DIRECTORY_SERVERS=$(cat "$__object/parameter/room_directory_servers")
 export PRIVACY_POLICY_URL=$(cat "$__object/parameter/privacy_policy_url")
 export COOKIE_POLICY_URL=$(cat "$__object/parameter/cookie_policy_url")
+export BRANDING_WELCOME_BACKGROUND_URL=$(cat "$__object/parameter/branding_welcome_background_url")
 
 if [ -f "$__object/parameter/jitsi_domain" ]; then
     export JITSI_DOMAIN=$(cat "$__object/parameter/jitsi_domain")
@@ -44,14 +46,24 @@ if [ -f "$__object/parameter/branding_auth_footer_links" ]; then
 fi
 
 if [ -f "$__object/parameter/homepage" ]; then
-    export EMBED_HOMEPAGE=1
     homepage=$(cat "$__object/parameter/homepage")
+    if [ -f "$homepage" ]; then
+      upload_homepage=1
+    else
+      export HOME_PAGE_URL=$homepage
+    fi
 fi
 
+WELCOME_PAGE_URL="welcome.html"
 if [ -f "$__object/parameter/welcomepage" ]; then
-    export EMBED_WELCOMEPAGE=1
     welcomepage=$(cat "$__object/parameter/welcomepage")
+    if [ -f welcomepage ]; then
+      export UPLOAD_WELCOMEPAGE=1
+    else
+      WELCOME_PAGE_URL=$welcomepage
+    fi
 fi
+export WELCOME_PAGE_URL
 
 if [ -f "$__object/parameter/custom_asset" ]; then
    "$__object/parameter/custom_asset" | while IFS= read -r file; do
@@ -91,14 +103,14 @@ require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/config.json"
   --mode 0664 \
   --state present
 
-if [ $EMBED_HOMEPAGE ]; then
+if [ $upload_homepage ]; then
     require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/home.html" \
       --source "$homepage" \
       --mode 0664 \
       --state present
 fi
 
-if [ $EMBED_WELCOMEPAGE ]; then
+if [ $upload_welcomepage ]; then
     require="__directory/$INSTALL_DIR/cdist" __file "$INSTALL_DIR/cdist/welcome.html" \
       --source "$welcomepage" \
       --mode 0664 \

type/__matrix_element/parameter/default/branding_welcome_background_url

@@ -0,0 +1 @@
+themes/element/img/backgrounds/lake.jpg

type/__matrix_element/parameter/optional

@@ -1,5 +1,6 @@
 default_server_url
 default_server_name
+identity_server_url
 brand
 default_country_code
 privacy_policy_url
@@ -11,3 +12,4 @@ welcomepage
 jitsi_domain
 branding_auth_header_logo_url
 branding_auth_footer_links
+branding_welcome_background_url

type/__matrix_synapse/files/homeserver.yaml.sh

@@ -448,7 +448,7 @@ retention:
   # matter much because Synapse doesn't take it into account yet.
   #
   default_policy:
-    min_lifetime: 1d
+    min_lifetime: ${MESSAGE_RETENTION_POLICY_MIN_LIFETIME:?}
     max_lifetime: ${MESSAGE_RETENTION_POLICY_MAX_LIFETIME:?}
 
   # Retention policy limits. If set, and the state of a room contains a
@@ -1175,14 +1175,26 @@ fi
 cat << EOF
 # The shared secret used to compute passwords for the TURN server
 #
-turn_shared_secret: "$TURN_SHARED_SECRET"
+EOF
 
+if [ -n "$TURN_SHARED_SECRET" ]; then
+	echo "turn_shared_secret: \"$TURN_SHARED_SECRET\""
+fi
+
+cat << EOF
 # The Username and password if the TURN server needs them and
 # does not use a token
 #
-#turn_username: "TURNSERVER_USERNAME"
-#turn_password: "TURNSERVER_PASSWORD"
+EOF
 
+if [ -n "$TURN_USERNAME" ] || [ "$TURN_PASSWORD" ]; then
+	cat <<- EOF
+	turn_username: "$TURN_USERNAME"
+	turn_password: "$TURN_PASSWORD"
+	EOF
+fi
+
+cat << EOF
 # How long generated TURN credentials last
 #
 turn_user_lifetime: ${TURN_USER_LIFETIME:?}
@@ -1322,7 +1334,7 @@ fi
 cat << EOF
 # Enable 3PIDs lookup requests to identity servers from this server.
 #
-#enable_3pid_lookup: true
+enable_3pid_lookup: ${ENABLE_3PID_LOOKUPS:?}
 
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
@@ -1330,9 +1342,12 @@ EOF
 
 if [ -n "$REGISTRATION_SHARED_SECRET" ]; then
 	echo "registration_shared_secret: '$REGISTRATION_SHARED_SECRET'"
+else
+	echo "# registration_shared_secret: 'secret'"
 fi
 
 cat << EOF
+
 # Set the number of bcrypt rounds used to generate password hash.
 # Larger numbers increase the work factor needed to generate the hash.
 # The default number is 12 (which equates to 2^12 rounds).
@@ -1353,7 +1368,13 @@ allow_guest_access: ${ALLOW_GUEST_ACCESS:?}
 # (By default, no suggestion is made, so it is left up to the client.)
 #
 #default_identity_server: https://matrix.org
+EOF
 
+if [ -n "$DEFAULT_IDENTITY_SERVER" ]; then
+	echo "default_identity_server: \"$DEFAULT_IDENTITY_SERVER\""
+fi
+
+cat << EOF
 # Handle threepid (email/phone etc) registration and password resets through a set of
 # *trusted* identity servers. Note that this allows the configured identity server to
 # reset passwords for accounts!
@@ -1385,7 +1406,7 @@ account_threepid_delegates:
 #
 # Does not apply to server administrators. Defaults to 'true'
 #
-#enable_set_displayname: false
+enable_set_displayname: ${ENABLE_SET_DISPLAYNAME:?}
 
 # Whether users are allowed to change their avatar after it has been
 # initially set. Useful when provisioning users based on the contents
@@ -1400,7 +1421,7 @@ account_threepid_delegates:
 #
 # Defaults to 'true'
 #
-#enable_3pid_changes: false
+enable_3pid_changes: ${ENABLE_3PID_CHANGES:?}
 
 # Users who register on this homeserver will automatically be joined
 # to these rooms.
@@ -1696,7 +1717,24 @@ saml2_config:
     #  local: ["saml2/idp.xml"]
     #  remote:
     #    - url: https://our_idp/metadata.xml
+EOF
 
+if [ -n "$SAML2_IDP_METADATA_URL" ]; then
+	cat << EOF
+    metadata:
+      remote:
+        - url: "$SAML2_IDP_METADATA_URL"
+EOF
+fi
+
+if [ -n "$SAML2_SP_CERT" ] || [ -n "$SAML2_SP_KEY" ]; then
+	cat << EOF
+    key_file: "$SAML2_SP_KEY"
+    cert_file: "$SAML2_SP_CERT"
+EOF
+fi
+
+cat << EOF
     # Allowed clock difference in seconds between the homeserver and IdP.
     #
     # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
@@ -1770,7 +1808,15 @@ saml2_config:
     # The custom module's class. Uncomment to use a custom module.
     #
     #module: mapping_provider.SamlMappingProvider
+EOF
 
+if [ -n "$SAML2_MAPPING_PROVIDER_MODULE" ]; then
+	cat << EOF
+    module: "$SAML2_MAPPING_PROVIDER_MODULE"
+EOF
+fi
+
+cat << EOF
     # Custom configuration values for the module. Below options are
     # intended for the built-in provider, they should be changed if
     # using a custom module. This section will be passed as a Python
@@ -1800,6 +1846,17 @@ saml2_config:
       # value will be used instead.
       #
       #mxid_mapping: dotreplace
+EOF
+
+if [ -n "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" ]; then
+	echo "$SAML2_MAPPING_PROVIDER_EXTRA_CONFIG" | while IFS= read -r entry; do
+		cat << EOF
+      $entry
+EOF
+	done
+fi
+
+cat << EOF
 
   # In previous versions of synapse, the mapping from SAML attribute to
   # MXID was always calculated dynamically rather than stored in a
@@ -2134,7 +2191,7 @@ sso:
     # You can see the default templates at:
     # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
     #
-    #template_dir: "res/templates"
+    template_dir: "${SSO_TEMPLATE_DIR:?}"
 
 
 # JSON web token integration. The following settings can be used to make

type/__matrix_synapse/gencode-remote

@@ -8,7 +8,7 @@ case "$os" in
 		synapse_conf_dir=/etc/synapse
 		synapse_service=synapse
 		;;
-	debian)
+	debian|ubuntu)
 		synapse_conf_dir=/etc/matrix-synapse
 		synapse_service=matrix-synapse
 		;;

type/__matrix_synapse/man.rst

@@ -1,5 +1,5 @@
 cdist-type__matrix_synapse(7)
-======================
+=============================
 
 NAME
 ----
@@ -8,7 +8,7 @@ cdist-type__matrix_synapse - Install and configure Synapse, a Matrix homeserver
 
 DESCRIPTION
 -----------
-This type install and configure the Synapse Matrix homeserver. This is a
+This type installs and configures the Synapse Matrix homeserver. This is a
 signleton type.
 
 
@@ -52,13 +52,13 @@ ldap-base-dn
   Base DN of your LDAP tree.
 
 ldap-uid-attribute
-  LDAP attriute mapping to Synapse's uid field, default to uid.
+  LDAP attribute mapping to Synapse's uid field, default to uid.
 
 ldap-mail-attribute
-  LDAP attriute mapping to Synapse's mail field, default to mail.
+  LDAP attribute mapping to Synapse's mail field, default to mail.
 
 ldap-name-attribute
-  LDAP attriute mapping to Synapse's name field, default to givenName.
+  LDAP attribute mapping to Synapse's name field, default to givenName.
 
 ldap-bind-dn
   User used to authenticate against your LDAP server in 'search' mode.
@@ -81,7 +81,7 @@ smtp-host
   The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
 
 smtp-port
-  # The port on the mail server for outgoing SMTP. Defaults to 25.
+  The port on the mail server for outgoing SMTP. Defaults to 25.
 
 smtp-user
   Username for authentication to the SMTP server. By
@@ -133,6 +133,14 @@ turn-uri
 turn-shared-secret
   Shared secret used to access the TURN REST API.
 
+turn-username
+  Username used to authenticate against the TURN server if needed / a shared
+  secret token is not used.
+
+turn-password
+  Password used to authenticate against the TURN server if needed / a shared
+  secret token is not used.
+
 turn-user-lifetime
   Lifetime of TURN credentials. Defaults to 1h.
 
@@ -154,6 +162,12 @@ rc-login-burst
 registration-allows-email-pattern
     Only allow email addresses matching specified filter. Can be specified multiple times. A pattern must look like `.*@vector\.im`.
 
+disable-displayname-changes
+  Whether users are allowed to change their displayname after it has been initially set.
+
+disable-3pid-changes
+  Whether users can change the 3PIDs associated with their accounts (email address and msisdn).
+
 auto-join-room
   Room where newly-registered users are automatically added. Can be specified multiple times.
 
@@ -181,6 +195,25 @@ bind-address
   Address used to bind the synapse listeners. Can be specified multiple times.
   Defaults to '::1' and '127.0.0.1'.
 
+saml2-idp-metadata-url
+  HTTP(S) url to SAML2 Identity Provider (IdP), used for Single Sign On (SSO) logic.
+
+saml2-sp-key
+  Path to PEM-formatted key file for use by PySAML2.
+
+saml2-sp-cert
+  Path to PEM-formatted cert file for use by PySAML2.
+
+saml2-mapping-provider-module
+  Name of custom Python module used to map SAML2 attributes to synapse internals.
+
+saml2-mapping-provider-extra-settings
+  Extra YAML-formatted key/pair values provided as configuration to the SAML2
+  mapping provider module (e.g. 'key: value'). Can be specified multiple times.
+
+sso-template-dir
+  Directory used to source SSO-related HTML templates.
+
 extra-setting
   Arbitrary string to be added to the configuration file. Can be specified multiple times.
 
@@ -222,6 +255,9 @@ allow-public-rooms-without-auth
 enable-server-notices
   Enable the server notices room.
 
+enable-3pid-lookups
+  Enable 3PIDs lookup requests to identity servers from this server.
+
 allow-guest-access
   Allows users to register as guests without a password/email/etc, and
   participate in rooms hosted on this server which have been made accessible

type/__matrix_synapse/manifest

@@ -20,10 +20,9 @@
 
 # OS-specific configuration.
 os=$(cat "$__global/explorer/os")
-distribution=$(cat "$__global/explorer/lsb_codename")
 
 case "$os" in
-	debian)
+	debian|ubuntu)
 		synapse_user=matrix-synapse
 		synapse_pkg=matrix-synapse-py3
 		synapse_service=matrix-synapse
@@ -31,23 +30,14 @@ case "$os" in
 		synapse_conf_dir='/etc/matrix-synapse'
 		synapse_data_dir='/var/lib/matrix-synapse'
 
-		# We use upstream's APT repository in order to stay up-to-date: upstream
-		# moves fast and downstream debian package is necessarily delayed.
-		case "$distribution" in
-			buster|bulleye|bookworm|sid)
-				__apt_key matrix-org \
-					--uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
-				require="__apt_key/matrix-org" __apt_source matrix-org \
-					--uri https://packages.matrix.org/debian/ \
-					--component main
-				package_req="__apt_source/matrix-org"
-				;;
-				*)
-					echo "Unknown debian release '$distribution'. Exiting" >&2
-					exit 1
-				;;
-		esac
-		;;
+		__apt_key matrix-org \
+			--uri https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
+
+		require="__apt_key/matrix-org" __apt_source matrix-org \
+			--uri https://packages.matrix.org/debian/ \
+			--component main
+		package_req="__apt_source/matrix-org"
+	;;
 	alpine)
 		synapse_user=synapse
 		synapse_pkg=synapse
@@ -106,7 +96,7 @@ export SERVER_NAME BASE_URL REPORT_STATS MAX_UPLOAD_SIZE EXPOSE_METRICS \
 	WEB_CLIENT_URL ROOM_ENCRYPTION_POLICY BIND_ADDRESSES
 
 if [ -f "$__object/parameter/enable-server-notices" ]; then
-    export ENABLE_SERVER_NOTICES=1
+	export ENABLE_SERVER_NOTICES=1
 fi
 
 # TLS.
@@ -182,25 +172,88 @@ ENABLE_REGISTRATIONS=$(get_boolean_for 'enable-registrations')
 USER_DIRECTORY_SEARCH_ALL_USERS=$(get_boolean_for 'user-directory-search-all-users')
 export ALLOW_GUEST_ACCESS ENABLE_REGISTRATIONS USER_DIRECTORY_SEARCH_ALL_USERS
 
-if [ -f "$__object/parameter/registration-shared-token" ]; then
+if [ -f "$__object/parameter/registration-shared-secret" ]; then
 	REGISTRATION_SHARED_SECRET=$(cat "$__object/parameter/registration-shared-secret")
 	export REGISTRATION_SHARED_SECRET
 fi
 
 if [ -f "$__object/parameter/registration-requires-email" ]; then
-    export REGISTRATION_REQUIRES_EMAIL=1
+	export REGISTRATION_REQUIRES_EMAIL=1
 fi
 
+ENABLE_SET_DISPLAYNAME='true'
+if [ -f "$__object/parameter/disable-displayname-changes" ]; then
+	ENABLE_SET_DISPLAYNAME='false'
+fi
+export ENABLE_SET_DISPLAYNAME
+
+ENABLE_3PID_CHANGES='true'
+if [ -f "$__object/parameter/disable-3pid-changes" ]; then
+	ENABLE_3PID_CHANGES='false'
+fi
+export ENABLE_3PID_CHANGES
+
 if [ -f "$__object/parameter/auto-join-room" ]; then
-    AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")"
-    export AUTO_JOIN_ROOMS
+	AUTO_JOIN_ROOMS="$(cat "$__object/parameter/auto-join-room")"
+	export AUTO_JOIN_ROOMS
 fi
 
 if [ -f "$__object/parameter/registration-allows-email-pattern" ]; then
-    RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern")
-    export RESGISTRATION_ALLOWS_EMAIL_PATTERN
+	RESGISTRATION_ALLOWS_EMAIL_PATTERN=$(cat "$__object/parameter/registration-allows-email-pattern")
+	export RESGISTRATION_ALLOWS_EMAIL_PATTERN
 fi
 
+if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then
+	# Synapse fails to start while trying to parse IDP metadata if this package
+	# is not installed.
+	__package xmlsec1
+
+	SAML2_IDP_METADATA_URL=$(cat "$__object/parameter/saml2-idp-metadata-url")
+	export SAML2_IDP_METADATA_URL
+fi
+
+if [ -f "$__object/parameter/saml2-sp-key" ]; then
+	SAML2_SP_KEY=$(cat "$__object/parameter/saml2-sp-key")
+	export SAML2_SP_KEY
+fi
+
+if [ -f "$__object/parameter/saml2-sp-cert" ]; then
+	SAML2_SP_CERT=$(cat "$__object/parameter/saml2-sp-cert")
+	export SAML2_SP_CERT
+fi
+
+if [ -f "$__object/parameter/saml2-mapping-provider-module" ]; then
+	SAML2_MAPPING_PROVIDER_MODULE=$(cat "$__object/parameter/saml2-mapping-provider-module")
+	export SAML2_MAPPING_PROVIDER_MODULE
+fi
+
+if [ -f "$__object/parameter/saml2-mapping-provider-extra-config" ]; then
+	SAML2_MAPPING_PROVIDER_EXTRA_CONFIG=$(cat "$__object/parameter/saml2-mapping-provider-extra-config")
+	export SAML2_MAPPING_PROVIDER_EXTRA_CONFIG
+fi
+
+SSO_TEMPLATE_DIR=$(cat "$__object/parameter/sso-template-dir")
+export SSO_TEMPLATE_DIR
+
+if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then
+	echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2
+	exit 1
+elif [ -n "$SAML2_SP_CERT" ] && [ -z "$SAML2_SP_KEY" ]; then
+	echo "--saml2-sp-key must be set if --saml2-sp-cert is provided." >&2
+	exit 1
+fi
+
+if [ -f "$__object/parameter/default-identity-server" ]; then
+	DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server")
+	export DEFAULT_IDENTITY_SERVER
+fi
+
+ENABLE_3PID_LOOKUPS='false'
+if [ -f "$__object/parameter/enable-3pid-lookups" ]; then
+	ENABLE_3PID_LOOKUPS='true'
+fi
+export ENABLE_3PID_LOOKUPS
+
 # Federation.
 ALLOW_PUBLIC_ROOMS_OVER_FEDERATION=$(get_boolean_for 'allow-public-room-over-federation')
 ALLOW_PUBLIC_ROOMS_WITHOUT_AUTH=$(get_boolean_for 'allow-public-rooms-without-auth')
@@ -216,7 +269,8 @@ fi
 # Message retention.
 ENABLE_MESSAGE_RETENTION_POLICY=$(get_boolean_for 'enable-message-retention-policy')
 MESSAGE_RETENTION_POLICY_MAX_LIFETIME=$(cat "$__object/parameter/message-max-lifetime")
-export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME
+MESSAGE_RETENTION_POLICY_MIN_LIFETIME=$MESSAGE_RETENTION_POLICY_MAX_LIFETIME
+export ENABLE_MESSAGE_RETENTION_POLICY MESSAGE_RETENTION_POLICY_MAX_LIFETIME MESSAGE_RETENTION_POLICY_MIN_LIFETIME
 
 # Previews.
 ENABLE_URL_PREVIEW=$(get_boolean_for 'enable-url-preview')
@@ -256,6 +310,16 @@ if [ -f "$__object/parameter/turn-uri" ]; then
 	export TURN_URIS
 fi
 
+if [ -f "$__object/parameter/turn-username" ]; then
+	TURN_USERNAME=$(cat "$__object/parameter/turn-username")
+	export TURN_USERNAME
+fi
+
+if [ -f "$__object/parameter/turn-password" ]; then
+	TURN_PASSWORD=$(cat "$__object/parameter/turn-password")
+	export TURN_PASSWORD
+fi
+
 # Worker-mode configuration.
 export MAIN_LISTENER_PORT=8008
 export ENABLE_MEDIA_REPO='true'
@@ -289,16 +353,16 @@ export ENABLE_REPLICATION ENABLE_REDIS_SUPPORT WORKER_REPLICATION_SECRET \
 case "$DATABASE_ENGINE" in
 	sqlite3)
 		:
-	;;
+		;;
 	psycopg2)
 		when='database engine is psycopg2'
 		is_required_when "$DATABASE_HOST" '--database-host' "$when"
 		is_required_when "$DATABASE_USER" '--database-user' "$when"
-	;;
+		;;
 	*)
 		echo "Invalid database engine: $DATABASE_ENGINE." >&2
 		exit 1
-	;;
+		;;
 esac
 
 
@@ -316,13 +380,13 @@ mkdir -p "$__object/files"
 "$__type/files/log.config.sh" > "$__object/files/log.config"
 
 require="$synapse_req" __file "$synapse_conf_dir/homeserver.yaml" \
-  --owner $synapse_user \
-  --mode 600 \
-  --source "$__object/files/homeserver.yaml"
+	--owner $synapse_user \
+	--mode 600 \
+	--source "$__object/files/homeserver.yaml"
 require="$synapse_req" __file "$LOG_CONFIG_PATH" \
-  --owner $synapse_user \
-  --mode 600 \
-  --source "$__object/files/log.config"
+	--owner $synapse_user \
+	--mode 600 \
+	--source "$__object/files/log.config"
 
 for directory in $DATA_DIR $LOG_DIR; do
 	require="$synapse_req" __directory $directory \
@@ -330,8 +394,8 @@ for directory in $DATA_DIR $LOG_DIR; do
 		--owner $synapse_user
 done
 
-# Make dpkg-reconfigure happy on debian systems.
-if [ "$os" = "debian" ]; then
+# Make dpkg-reconfigure happy on debian-based systems.
+if [ "$os" = "debian" ] || [ "$os" = "ubuntu" ]; then
 	require="$synapse_req" __file "$synapse_conf_dir/conf.d/server_name.yaml" \
 		--owner $synapse_user \
 		--source - <<- EOF

type/__matrix_synapse/parameter/boolean

@@ -17,3 +17,6 @@ user-directory-search-all-users
 enable-message-retention-policy
 worker-mode
 enable-url-preview
+enable-3pid-lookups
+disable-3pid-changes
+disable-displayname-changes

type/__matrix_synapse/parameter/default/sso-template-dir

@@ -0,0 +1 @@
+res/template

type/__matrix_synapse/parameter/optional

@@ -13,6 +13,8 @@ ldap-bind-password
 ldap-filter
 turn-shared-secret
 turn-user-lifetime
+turn-username
+turn-password
 max-upload-size
 smtp-host
 smtp-port
@@ -34,3 +36,9 @@ background-tasks-worker
 tls-cert
 tls-private-key
 registration-shared-secret
+saml2-idp-metadata-url
+saml2-sp-key
+saml2-sp-cert
+default-identity-server
+saml2-mapping-provider-module
+sso-template-dir

type/__matrix_synapse/parameter/optional_multiple

@@ -5,3 +5,4 @@ app-service-config-file
 extra-setting
 bind-address
 outbound-federation-worker
+saml2-mapping-provider-extra-config

type/__matterbridge/manifest

@@ -20,7 +20,7 @@
 
 os=$(cat "$__global/explorer/os")
 case "$os" in
-   debian)
+   debian|ubuntu)
      # This type assume systemd for service installation.
    ;;
    *)
@@ -31,11 +31,13 @@ case "$os" in
 esac
 
 # Required parameters.
-VERSION=$(cat "$__object/parameter/version")
+version=$(cat "$__object/parameter/version")
 if [ -f "$__object/parameter/config" ]; then
-    CONFIG="$(cat "$__object/parameter/config")"
-    if [ "$CONFIG" = "-" ]; then
-        CONFIG=$(cat "$__object/stdin")
+    config="$(cat "$__object/parameter/config")"
+    if [ "$config" = "-" ]; then
+        mkdir -p "$__object/files"
+        config="$__object/files/matterbridge.toml"
+        cat "$__object/stdin" > "$config"
     fi
 fi
 
@@ -46,11 +48,11 @@ export USER=matterbridge
 export GROUP=$USER
 
 # Internal variables.
-artefact="matterbridge-$VERSION-linux-64bit"
+artefact="matterbridge-$version-linux-64bit"
 checksum_file="checksums.txt"
 release_download_url=https://github.com/42wim/matterbridge/releases/download
-binary_url="$release_download_url/v$VERSION/$artefact"
-checksum_file_url="$release_download_url/v$VERSION/$checksum_file"
+binary_url="$release_download_url/v$version/$artefact"
+checksum_file_url="$release_download_url/v$version/$checksum_file"
 config_dir=$(dirname $CONFIG_PATH)
 systemd_unit_path='/etc/systemd/system/matterbridge.service'
 
@@ -88,7 +90,7 @@ require="__user/$USER" __directory "$config_dir" \
 require="__directory/$config_dir" __file "$CONFIG_PATH" \
   --owner "$USER" \
   --mode 0640 \
-  --source "$CONFIG"
+  --source "$config"
 
 __file "$systemd_unit_path" \
   --source "$__object/files/matterbridge.service"

type/__nginx/man.rst

@@ -28,6 +28,16 @@ uacme-hookscript
   Custom hook passed to the __uacme_obtain type: useful to integrate the
   dns-01 challenge with third-party DNS providers.
 
+acme-url
+  ACMEv2 server directory object URL. Lets'Encrypt is used by default.
+
+acme-eab-credentials
+  Specify RFC8555 External Account Binding credentials according to
+  https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
+  ACME account with an existing account in a non-ACME system such as a CA
+  customer database. KEYID must be an ASCII string. KEY must be
+  base64url-encoded.
+
 EXAMPLES
 --------
 

type/__nginx/manifest

@@ -36,6 +36,20 @@ then
 	set_custom_uacme_hookscript="--hookscript $uacme_hookscript"
 fi
 
+set_custom_acme_url=
+if [ -f "${__object:?}/parameter/acme-url" ];
+then
+	custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
+	set_custom_acme_url="--acme-url $custom_acme_url"
+fi
+
+set_acme_eab_credentials=
+if [ -f "${__object:?}/parameter/acme-eab-credentials" ];
+then
+	acme_eab_credentials=$(cat "${__object:?}/parameter/acme-eab-credentials")
+	set_acme_eab_credentials="--eab-credentials $acme_eab_credentials"
+fi
+
 # Deploy simple HTTP vhost, allowing to serve ACME challenges.
 __nginx_vhost "301-to-https-$domain" \
 	--domain "$domain" --altdomains "$altdomains" --to-https
@@ -46,12 +60,18 @@ if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then
 	cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to")
 fi
 
-__uacme_account
+# shellcheck disable=SC2086
+__uacme_account \
+	$set_custom_acme_url \
+	$set_acme_eab_credentials \
+
 # shellcheck disable=SC2086
 require="__nginx_vhost/301-to-https-$domain __uacme_account" \
 	__uacme_obtain "$domain" \
 		--altdomains "$altdomains" \
 		$set_custom_uacme_hookscript \
+		$set_custom_acme_url \
+		$set_acme_eab_credentials \
 		--owner "$cert_ownership" \
 		--install-key-to "$nginx_certdir/$domain/privkey.pem" \
 		--install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \

type/__nginx/parameter/optional

@@ -2,4 +2,6 @@ config
 domain
 altdomains
 uacme-hookscript
+acme-url
+acme-eab-credentials
 force-cert-ownership-to

type/__nginx_vhost/manifest

@@ -32,7 +32,7 @@ case "$os" in
 
 		require="$install_reqs" __start_on_boot nginx
 
-		export NGINX_SITEDIR="$nginx_confdir/conf.d"
+		export NGINX_SITEDIR="$nginx_confdir/http.d"
 		export NGINX_CERTDIR="$nginx_confdir/ssl"
 		export NGINX_SNIPPETSDIR="$nginx_confdir/snippets"
 		export NGINX_WEBROOT="/var/www"
@@ -158,6 +158,7 @@ for snippet in hsts 301-to-https; do
 done
 
 # Install vhost.
-require="$install_reqs" __file "$NGINX_SITEDIR/$__object_id.conf" \
+require="$install_reqs" __directory "$NGINX_SITEDIR"
+require="__directory/$NGINX_SITEDIR" __file "$NGINX_SITEDIR/$__object_id.conf" \
 	--source "$vhost_conf" \
 	--mode 0644

type/__opendkim/files/opendkim.conf.sh

@@ -1,6 +1,7 @@
 #!/bin/sh -e
 # Generate an opendkim.conf(5) file for opendkim(8).
 
+echo "# Managed remotely, manual changes will be lost."
 
 # Optional chdir(2)
 if [ "$BASEDIR" ];
@@ -33,8 +34,8 @@ then
 fi
 
 # Key and Domain tables
-echo 'KeyTable /etc/opendkim/KeyTable'
-echo 'SigningTable /etc/opendkim/SigningTable'
+echo "KeyTable ${CFG_DIR}/KeyTable"
+echo "SigningTable ${CFG_DIR}/SigningTable"
 
 # Required socket to listen on
 printf "Socket %s\n" "${SOCKET:?}"

type/__opendkim/man.rst

@@ -14,8 +14,8 @@ installation and basic configuration of an instance of OpenDKIM.
 Note that this type does not generate or ensure that a key is present: use
 `cdist-type__opendkim-genkey(7)` for that.
 
-Note that this type is currently only implemented for Alpine Linux. Please
-contribute an implementation if you can.
+Note that this type is currently only implemented for Alpine Linux and FreeBSD.
+Please contribute an implementation if you can.
 
 
 REQUIRED PARAMETERS
@@ -42,8 +42,9 @@ umask
   Set the umask for the socket and PID file.
 
 userid
-  Change the user the opendkim program is to run as. By default, Alpine Linux's
-  OpenRC service will set this to `opendkim` on the command-line.
+  Change the user the opendkim program is to run as.
+  By default, Alpine Linux's OpenRC service will set this to `opendkim` on the
+  command-line and FreeBSD's rc will set it to `mailnull`.
 
 custom-config
   The string following this parameter is appended as-is in the configuration, to
@@ -86,11 +87,12 @@ SEE ALSO
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
+Evilham <contact@evilham.com>
 
 
 COPYING
 -------
-Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.

type/__opendkim/manifest

@@ -20,16 +20,23 @@
 
 os=$(cat "${__global:?}/explorer/os")
 
+CFG_DIR="/etc/opendkim"
+service="opendkim"
 case "$os" in
 'alpine')
 	:
 	;;
+'freebsd')
+	CFG_DIR="/usr/local/etc/mail"
+	service="milter-opendkim"
+	;;
 *)
 	printf "__opendkim does not yet support %s.\n" "$os" >&2
 	printf "Please contribute an implementation if you can.\n" >&2
 	exit 1
 	;;
 esac
+export CFG_DIR
 
 __package opendkim
 
@@ -68,7 +75,7 @@ fi
 
 # Generate and deploy configuration file.
 source_file="${__object:?}/files/opendkim.conf"
-target_file="/etc/opendkim/opendkim.conf"
+target_file="${CFG_DIR}/opendkim.conf"
 
 mkdir -p "${__object:?}/files"
 
@@ -83,9 +90,22 @@ fi
 require="__package/opendkim" __file "$target_file" \
 	--source "$source_file" --mode 0644
 
-require="__package/opendkim" __start_on_boot opendkim
+require="__package/opendkim" __start_on_boot "${service}"
 
-require="__file${target_file}" \
+# Ensure Key and Signing tables exist and have proper permissions
+key_table="${CFG_DIR}/KeyTable"
+signing_table="${CFG_DIR}/SigningTable"
+
+require="__package/opendkim" \
+	__file "${key_table}" \
+	--mode 444
+
+require="__package/opendkim" \
+	__file "${signing_table}" \
+	--mode 444
+
+require="__file${target_file} __file${key_table}
+		__file${signing_table} __start_on_boot/${service}" \
 	__check_messages opendkim \
 		--pattern "^__file${target_file}" \
-		--execute "service opendkim restart"
+		--execute "service ${service} restart"

type/__opendkim_genkey/gencode-remote

@@ -30,7 +30,8 @@ fi
 
 DIRECTORY="/var/db/dkim/"
 if [ -f "${__object:?}/parameter/directory" ]; then
-	DIRECTORY="$(cat "${__object:?}/parameter/directory")"
+	# Be forgiving about a lack of trailing slash
+	DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
 fi
 
 # Boolean parameters
@@ -44,7 +45,12 @@ if [ -f "${__object:?}/parameters/unrestricted" ]; then
 	RESTRICTED=
 fi
 
+user="$(cat "${__object:?}/user")"
+group="$(cat "${__object:?}/group")"
+
 if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then
 	echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS"
-	echo "chown opendkim:opendkim ${DIRECTORY}${SELECTOR}.private"
+	echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.private"
+	# This is usually generated, if it weren't we do not want to fail
+	echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.txt || true"
 fi

type/__opendkim_genkey/man.rst

@@ -17,8 +17,8 @@ will be added to the OpenDKIM signing table, using either the domain or the
 provided key for the `domain:selector:keyfile` value in the table. An existing
 key will not be overwritten.
 
-Currently, this type is only implemented for Alpine Linux. Please contribute an
-implementation if you can.
+Currently, this type is only implemented for Alpine Linux and FreeBSD.
+Please contribute an implementation if you can.
 
 REQUIRED PARAMETERS
 -------------------
@@ -85,11 +85,12 @@ SEE ALSO
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
+Evilham <contact@evilham.com>
 
 
 COPYING
 -------
-Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.

type/__opendkim_genkey/manifest

@@ -21,10 +21,18 @@
 
 os=$(cat "${__global:?}/explorer/os")
 
+CFG_DIR="/etc/opendkim"
+user="opendkim"
+group="opendkim"
 case "$os" in
 'alpine')
 	:
 ;;
+'freebsd')
+	CFG_DIR="/usr/local/etc/mail"
+	user="mailnull"
+	group="mailnull"
+;;
 *)
 	cat <<- EOF >&2
 	__opendkim_genkey currently only supports Alpine Linux. Please
@@ -32,6 +40,9 @@ case "$os" in
 	EOF
 ;;
 esac
+# Persist user and group for gencode-remote
+printf '%s' "${user}" > "${__object:?}/user"
+printf '%s' "${group}" > "${__object:?}/group"
 
 SELECTOR="$(cat "${__object:?}/parameter/selector")"
 DOMAIN="$(cat "${__object:?}/parameter/domain")"
@@ -39,7 +50,8 @@ DOMAIN="$(cat "${__object:?}/parameter/domain")"
 DIRECTORY="/var/db/dkim/"
 if [ -f "${__object:?}/parameter/directory" ];
 then
-	DIRECTORY="$(cat "${__object:?}/parameter/directory")"
+	# Be forgiving about a lack of trailing slash
+	DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
 fi
 
 SIGKEY="${DOMAIN:?}"
@@ -48,19 +60,26 @@ then
 	SIGKEY="$(cat "${__object:?}/parameter/sigkey")"
 fi
 
-__package opendkim-utils
+# Ensure the key-container directory exists with the proper permissions
+__directory "${DIRECTORY}" \
+	--mode 0750 \
+	--owner "${user}" --group "${group}"
 
-require='__package/opendkim-utils' \
-	__file /etc/opendkim/KeyTable
-require='__package/opendkim-utils' \
-	__file /etc/opendkim/SigningTable
+# OS-specific code
+case "$os" in
+'alpine')
+	# This is needed for opendkim-genkey
+	__package opendkim-utils
+;;
+esac
 
-require='__file/etc/opendkim/KeyTable' \
-	__line "line-key-${__object_id:?}" \
-		--file /etc/opendkim/KeyTable \
-		--line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
+key_table="${CFG_DIR}/KeyTable"
+signing_table="${CFG_DIR}/SigningTable"
 
-require='__file/etc/opendkim/SigningTable' \
-	__line "line-sig-${__object_id:?}" \
-		--file /etc/opendkim/SigningTable \
-		--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"
+__line "line-key-${__object_id:?}" \
+	--file "${key_table}" \
+	--line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
+
+__line "line-sig-${__object_id:?}" \
+	--file "${signing_table}" \
+	--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"

type/__runit/manifest

@@ -6,7 +6,14 @@ os="$(cat "${__global}/explorer/os")"
 case "${os}" in
 	debian|devuan)
 		# zero-config sysvinit and systemd compatibility
-		__package runit-run
+		os_version="$(cat "${__global}/explorer/os_version")"
+		debian_package="runit-run"
+		case "${os_version}" in
+			beowulf)
+				debian_package="runit"
+			;;
+		esac
+		__package "${debian_package}"
 	;;
 	freebsd)
 		__key_value \

type/__runit_service/manifest

@@ -33,18 +33,25 @@ if [ "${state}" != "present" ]; then
 	exit
 fi
 
+# Setup run file
+__file --state "${state}" --mode 0550 --source "${source}" \
+	--onchange "sv restart '${sv}' || true" \
+	"${run_file}"
+export require="${require} __file${run_file}"
+
 if [ -f "${__object}/parameter/log" ]; then
 	# Setup logger if requested
-	__directory --parents "${svdir}/${sv}/log/main"
-	export require="${require} __directory${svdir}/${sv}/log/main"
+	logdir="/var/log/runit"
+	__directory --parents "${svdir}/${sv}/log"
+	__directory --state absent "${svdir}/${sv}/log/main"  # Remove lingering old fashioned log
+	__directory --parents "${logdir}/${sv}"
+	export require="${require} __directory${svdir}/${sv}/log __directory${logdir}/${sv}"
 	__file "${svdir}/${sv}/log/run" \
 		--state "${state}" \
 		--mode 0755 \
+		--onchange "sv restart '${sv}/log' || true" \
 		--source "-" <<EOF
 #!/bin/sh
-exec svlogd -tt ./main
+exec svlogd -tt '${logdir}/${sv}'
 EOF
 fi
-
-# Setup run file
-__file --state "${state}" --mode 0755 --source "${source}" "${run_file}"

type/__single_binary_service/explorer/explorer-version

@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+BIN_PREFIX="/usr/local/bin"
+SERVICE_NAME="${__object_id}"
+
+VERSION_FILE="${BIN_PREFIX}/.${SERVICE_NAME}.cdist.version"
+
+if [ -f "${VERSION_FILE}" ]; then
+	cat "${VERSION_FILE}"
+fi

type/__single_binary_service/man.rst

@@ -0,0 +1,195 @@
+cdist-type__single_binary_service(7)
+====================================
+
+NAME
+----
+cdist-type__single_binary_service - Setup a single-binary service
+
+
+DESCRIPTION
+-----------
+This type is designed to easily deploy and configure a single-binary service
+named `${__object_id}`.
+
+A good example of this are Prometheus exporters.
+
+This type makes certain assumptions that might not be correct on your system.
+If you need more flexibility, please get in touch and provide a use-case
+(and hopefully a backwards-compatible patch).
+
+This type will place the downloaded binary and, if requested, other extra
+binaries in `/usr/local/bin`.
+
+If a `--config-file-source` is provided, it will be placed under:
+`/etc/${__object_id}.conf`.
+
+This type supports services managed by `__runit(7)` when `systemd` is not
+the init system being used.
+
+
+REQUIRED PARAMETERS
+-------------------
+checksum
+    This will be passed verbatim to `__download(7)`.
+    Use something like `sha256:...`.
+
+url
+    This will be passed verbatim to `__download(7)`.
+
+version
+    This type will use a thumbstone file with a "version" number to track
+    whether or not a service must be updated.
+    This thumbstone file is placed under
+    `/usr/local/bin/.${__object_id}.cdist.version`.
+
+
+BOOLEAN PARAMETERS
+------------------
+unpack
+    If present, the contents of `--url` will be treated as an archive to be
+    unpacked with `__unpack(7)`.
+    See also `--unpack-args` and `--extra-binary`.
+
+do-not-manage-user
+    Always considered present when `--user` is `root`.
+    If present, the user in `--user` will not be managed by this type with
+    `__user`, this means it *must* exist beforehand when installing the service
+    and it will not be removed by this type.
+
+
+OPTIONAL PARAMETERS
+-------------------
+config-file-source
+    If present, this file's contents will be placed under
+    `/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to
+    `--user` and `--group`.
+    If `-` is passed, this type's `stdin` will be used.
+
+user
+    The user under which the service will run. Defaults to `root`.
+    If this user is not `root` and `--do-not-manage-user` is not present,
+    this user will be created or removed as per the `--state` parameter.
+
+user-home-dir
+    Does not have an effect if `--do-not-manage-user` is used or `--user` is
+    `root`.
+    The home directory of the service user. It will be created.
+    Defaults to `/nonexistent`, in this case the home directory will not be
+    created.
+
+group
+    The group under which the service will run. Defaults to `--user`.
+
+state
+    Whether the service is to be `present` (default) or `absent`.
+    When `absent`, this type will clean any binaries listed in `--extra-binary`
+    and also the config file as described in `--config-file-source`.
+
+binary
+    This will be the binary name. Defaults to `${__object_id}`.
+    If `--unpack` is used, a binary with this name must be unpacked.
+    Otherwise, the contents of `--url` will be placed under this binary name.
+
+env
+    An `env` file consiting of `ENVIRONMENT_VARIABLE=VALUE`, one variable per
+    line.
+    Empty lines and those starting with `#` are ignored.
+
+service-args
+    Any extra arguments to pass along with `--service-exec`. Beware that any
+    service-args having the format `--config=/etc/foo.cfg` should be
+    represented in the following way `--service-exec='--config=/etc/foo.cfg'`
+
+service-exec
+    The executable to use for this service.
+    Defaults to `/usr/local/bin/BINARY_NAME` where `BINARY_NAME` is the
+    resulting value of `--binary`.
+
+service-definition
+    The service definition to be used as an override.
+    Note that this type decides dinammically between runit and systemd, and
+    you can currently only define either a systemd unit or a runit script here.
+    Use this parameter only for testing and get in touch to discuss how your
+    particular use-case can be supported by the type.
+
+service-description
+    The service description to be used in, e.g. the systemd unit file.
+    Defaults to `cdist-managed '${__object_id}' service`.
+
+unpack-args
+    Only has an effect if `--unpack` is used.
+    These arguments will be passed verbatim to `__unpack(7)`.
+    Very useful as this type assumes the archive does not have the binaries in
+    subdirectories; that can be worked around with
+    `--unpack-args '--tar-strip 1'`.
+
+unpack-extension
+    Only has an effect if `--unpack` is used.
+    The file extension of the file to unpack, defaults to `.tar.gz`.
+
+working-directory
+    If set, the working directory with which the service will be started.
+
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
+extra-binary
+    Only useful with `--unpack`.
+    If passed, these binaries will also be installed when `--state` is `present`
+    and removed when `--state` is `absent`.
+    Handle with care :-).
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+	# Install and enable the ipmi_exporter service
+	#   The variables are defined in the manifest previously
+	__single_binary_service ipmi_exporter \
+		--user "${USER}" \
+		--service-args ' --config.file=/etc/ipmi_exporter.conf' \
+		--version "${SHOULD_VERSION}" \
+		--checksum "${CHECKSUM}" \
+		--url "${DOWNLOAD_URL}" \
+		--state "present" \
+		--unpack \
+		--unpack-args "--tar-strip 1" \
+		--config-file-source '-' <<-EOF
+	# Remotely managed, changes will be lost
+	# [...] config contents goes here
+	EOF
+
+	# Remove the ipmi_exporter service along with the user and its config
+	__single_binary_service ipmi_exporter \
+		--user "${USER}" \
+		--version "${SHOULD_VERSION}" \
+		--checksum "${CHECKSUM}" \
+		--url "${DOWNLOAD_URL}" \
+		--state "absent"
+
+	# Same, but the service was using my user! Let's not delete that!
+	__single_binary_service ipmi_exporter \
+		--user "evilham" \
+		--do-not-manage-user \
+		--version "${SHOULD_VERSION}" \
+		--checksum "${CHECKSUM}" \
+		--url "${DOWNLOAD_URL}" \
+		--state "absent"
+
+
+SEE ALSO
+--------
+- `__download(7)`
+- `__unpack(7)`
+
+
+AUTHORS
+-------
+Evilham <contact@evilham.com>
+
+
+COPYING
+-------
+Copyright \(C) 2022 Evilham.

type/__single_binary_service/manifest

@@ -0,0 +1,305 @@
+#!/bin/sh -e
+SERVICE_NAME="${__object_id}"
+
+OS="$(cat "${__global}/explorer/os")"
+
+case "${OS}" in
+	debian|devuan)
+		SUPER_USER_GROUP=root
+		ETC_DIR="/etc"
+	;;
+	*bsd)
+		SUPER_USER_GROUP=wheel
+		ETC_DIR="/usr/local/etc"
+	;;
+	*)
+		echo "Your OS '${OS}' is currently not supported." >&2
+		exit 1
+	;;
+esac
+INIT="$(cat "${__global}/explorer/init")"
+
+case "${INIT}" in
+	systemd)
+		service_definition_require="__systemd_unit/${SERVICE_NAME}.service"
+		service_command="service ${SERVICE_NAME} %s"
+	;;
+	runit|sysvinit)
+		# We will use runit to manage these services
+		__runit
+		export require="__runit"
+		service_definition_require="__runit_service/${SERVICE_NAME}"
+		service_command="sv %s ${SERVICE_NAME}"
+	;;
+	*)
+		echo "Init system ${INIT}' is currently not supported." >&2
+		exit 1
+	;;
+esac
+
+BIN_DIR="/usr/local/bin"
+
+# Ensure the target bin dir exists
+#   Care, we never want to remove it :-D
+__directory "${BIN_DIR}" \
+	--state "exists" \
+	--mode 0755
+export require="${require} __directory${BIN_DIR}"
+
+STATE="$(cat "${__object}/parameter/state")"
+USER="$(cat "${__object}/parameter/user")"
+GROUP="$(cat "${__object}/parameter/group" 2>/dev/null || true)"
+if [ -z "${GROUP}" ]; then
+	if [ "${USER}" != "root" ]; then
+		GROUP="${USER}"
+	else
+		GROUP="${SUPER_USER_GROUP}"
+	fi
+fi
+
+
+BINARY="$(cat "${__object}/parameter/binary" 2>/dev/null || true)"
+if [ -z "${BINARY}" ]; then
+	BINARY="${SERVICE_NAME}"
+fi
+EXTRA_BINARIES="$(cat "${__object}/parameter/extra-binary" 2>/dev/null || true)"
+# This only makes sense for file archives
+if [ -n "${EXTRA_BINARIES}" ] && [ -f "${__object}/parameter/unpack" ]; then
+	cat >&2 <<-EOF
+	You cannot specify extra binaries without the --unpack argument.
+	Make sure that the --url argument points to a file archive.
+EOF
+fi
+
+SERVICE_EXEC="$(cat "${__object}/parameter/service-exec" 2>/dev/null || true)"
+if [ -z "${SERVICE_EXEC}" ]; then
+	SERVICE_EXEC="${BIN_DIR}/${BINARY}"
+fi
+SERVICE_ARGS="$(cat "${__object}/parameter/service-args")"
+SERVICE_EXEC="${SERVICE_EXEC} ${SERVICE_ARGS}"
+
+SERVICE_DESCRIPTION="$(cat "${__object}/parameter/service-description" \
+	2>/dev/null || true)"
+if [ -z "${SERVICE_DESCRIPTION}" ]; then
+	SERVICE_DESCRIPTION="cdist-managed '${SERVICE_NAME}' service"
+fi
+
+SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)"
+
+WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)"
+if [ -n "${WORKING_DIRECTORY_PATH}" ]; then
+	WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}"
+	WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"
+fi
+
+DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
+CHECKSUM="$(cat "${__object}/parameter/checksum")"
+SHOULD_VERSION="$(cat "${__object}/parameter/version")"
+
+# Create a user for the service if it is not root
+USER_HOME_DIR="/root"
+if [ "${USER}" != "root" ] && \
+		[ ! -f "${__object}/parameter/do-not-manage-user" ]; then
+	if [ "${STATE}" = "absent" ]; then
+		# When removing, ensure user is not being used
+		user_require="${service_definition_require}"
+	fi
+	USER_HOME_DIR="$(cat "${__object}/parameter/user-home-dir")"
+	if [ "${USER_HOME_DIR}" != "/nonexistent" ]; then
+		USER_CREATE_HOME="--create-home"
+	fi
+	require="${require} ${user_require}" __user "${USER}" \
+		--system \
+		--state "${STATE}" \
+		--home "${USER_HOME_DIR}" \
+		--comment "cdist-managed service user" \
+		${USER_CREATE_HOME}
+	# Track dependencies
+	service_require="${service_require} __user/${USER}"
+fi
+
+# Place config file if necessary
+CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
+CONFIG_FILE_SOURCE="$(cat "${__object}/parameter/config-file-source" 2>/dev/null || true)"
+if [ "${CONFIG_FILE_SOURCE}" = "-" ]; then
+	CONFIG_FILE_SOURCE="${__object}/stdin"
+fi
+if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then
+	require="${require} __user/${USER}" __file \
+		"${CONFIG_FILE_DEST}" \
+		--owner "${USER}" \
+		--group "${GROUP}" \
+		--mode "0440" \
+		--source "${CONFIG_FILE_SOURCE}"
+	service_require="${service_require} __file${CONFIG_FILE_DEST}"
+fi
+
+
+
+# These messages will trigger a service restart (overridden for systemd)
+service_config_reload_pattern="^__file${CONFIG_FILE_DEST}"
+
+# This should setup the object in $service_definition_require
+# See above.
+case "${INIT}" in
+	systemd)
+		if [ -z "${SERVICE_DEFINITION}" ]; then
+			SYSTEMD_ENV_FILE="/etc/systemd/system/${SERVICE_NAME}.env"
+			__file "${SYSTEMD_ENV_FILE}" \
+				--mode 0400 \
+				--source "${__object}/parameter/env"
+			# We need to take into account the envionment file for systemd too
+			service_config_reload_pattern="(${service_config_reload_pattern}|^__file${SYSTEMD_ENV_FILE})"
+
+			SERVICE_DEFINITION="$(cat <<EOF
+[Unit]
+Description=${SERVICE_DESCRIPTION}
+After=network.target
+
+[Service]
+Type=simple
+
+User=${USER}
+Group=${GROUP}
+ExecStart=${SERVICE_EXEC}
+Restart=always
+EnvironmentFile=${SYSTEMD_ENV_FILE}
+${WORKING_DIRECTORY_SYSTEMD}
+
+[Install]
+WantedBy=multi-user.target
+EOF
+)"
+		fi
+		__systemd_unit "${SERVICE_NAME}.service" \
+			--source "-" \
+			--state "${STATE}" \
+			--enablement-state "enabled" <<EOF
+${SERVICE_DEFINITION}
+EOF
+	;;
+	runit|sysvinit)
+		if [ -z "${SERVICE_DEFINITION}" ]; then
+			RUNIT_ENV="$(sed -Ee 's!^([[:alnum:]_]+)=(.*)$!export \1=\2!' "${__object}/parameter/env")"
+			SERVICE_DEFINITION="$(cat <<EOF
+#!/bin/sh -e
+${WORKING_DIRECTORY_RUNIT}
+# User-provided environment
+${RUNIT_ENV}
+# System vars
+export HOME="\$(getent passwd '${USER}' | cut -d: -f6)"
+export USER="${USER}"
+export GROUP="${GROUP}"
+
+exec 2>&1
+exec chpst -u "${USER}:${GROUP}" ${SERVICE_EXEC}
+EOF
+)"
+		fi
+		__runit_service "${SERVICE_NAME}" \
+			--state "${STATE}" \
+			--log \
+			--source - <<EOF
+${SERVICE_DEFINITION}
+EOF
+	;;
+esac
+service_require="${service_require} ${service_definition_require}"
+
+# Proceed after user and service description have been prepared
+export require="${require} ${service_require}"
+
+VERSION_FILE="${BIN_DIR}/.${SERVICE_NAME}.cdist.version"
+IS_VERSION="$(cat "${__object}/explorer/explorer-version")"
+
+
+if [ "${STATE}" = "absent" ]; then
+	# Perform cleanup of generated files
+	for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
+		__file "${BIN_DIR}/${bin_file}" --state "absent"
+	done
+	__file "${VERSION_FILE}" --state "absent"
+	__file "${CONFIG_FILE_DEST}" --state "absent"
+fi
+
+if [ "${STATE}" != "present" ]; then
+	exit
+fi
+
+sv_cmd() {
+	# This is intentional
+	# shellcheck disable=SC2059
+	printf "${service_command}" "$1"
+}
+
+if [ "${SHOULD_VERSION}" != "${IS_VERSION}" ]; then
+	# We are installing the service and there has been a version change
+	# (or it is first-time install)
+	TMP_PATH="/tmp/${SERVICE_NAME}-${SHOULD_VERSION}"
+
+	# This is what will stop the service, replace the binaries and
+	# start the service again
+	perform_service_upgrade="$(cat <<EOF
+$(sv_cmd stop) || true
+if [ -f '${TMP_PATH}' ]; then
+	chown root:${SUPER_USER_GROUP} '${TMP_PATH}'
+	chmod 0555 '${TMP_PATH}'
+	cp -af '${TMP_PATH}' '${BIN_DIR}/${BINARY}'
+else
+	for bin_file in ${BINARY} ${EXTRA_BINARIES}; do
+		bin_path="${TMP_PATH}/\${bin_file}"
+		chown root:${SUPER_USER_GROUP} "\${bin_path}"
+		chmod 0555 "\${bin_path}"
+		cp -af "\${bin_path}" "${BIN_DIR}/\${bin_file}"
+	done
+fi
+$(sv_cmd start) || true
+EOF
+)"
+
+	if [ -f "${__object}/parameter/unpack" ]; then
+		UNPACK_EXTENSION="$(cat "${__object}/parameter/unpack-extension")"
+		UNPACK_ARGS="$(cat "${__object}/parameter/unpack-args" \
+			2>/dev/null || true)"
+		# Download packed file
+		__download "${TMP_PATH}${UNPACK_EXTENSION}" \
+			--url "${DOWNLOAD_URL}" \
+			--download remote \
+			--sum "${CHECKSUM}"
+
+		# Unpack file and also perform service upgrade
+		# shellcheck disable=SC2086
+		require="__download${TMP_PATH}${UNPACK_EXTENSION}" \
+			__unpack "${TMP_PATH}${UNPACK_EXTENSION}" \
+			${UNPACK_ARGS} \
+			--destination "${TMP_PATH}"
+		version_bump_require="__unpack${TMP_PATH}${UNPACK_EXTENSION}"
+	else
+		# Create temp directory
+		__directory "${TMP_PATH}"
+		# Download binary directoy to the temp directory with the
+		# specified binary name
+		require="__directory${TMP_PATH}" __download \
+			"${TMP_PATH}/${BINARY}" \
+			--url "${DOWNLOAD_URL}" \
+			--download remote \
+			--sum "${CHECKSUM}"
+		version_bump_require="__download${TMP_PATH}/${BINARY}"
+	fi
+
+	# Perform update of cdist-managed version file
+	# And also perform service upgrade
+	# This is a bug if service_upgrade fails >,<
+	printf "%s" "${SHOULD_VERSION}" | \
+		require="${version_bump_require}" __file \
+			"${VERSION_FILE}" \
+			--onchange "${perform_service_upgrade}" \
+			--source "-"
+else
+	# We only restart here if there was a config or env change
+	# but there was not a version change
+	require="${service_require}" __check_messages \
+		"single_binary_service_${__object_id}" \
+		--pattern "${service_config_reload_pattern}" \
+		--execute "$(sv_cmd restart)"
+fi

type/__single_binary_service/parameter/boolean

@@ -0,0 +1,2 @@
+do-not-manage-user
+unpack

type/__single_binary_service/parameter/default/state

@@ -0,0 +1 @@
+present

type/__single_binary_service/parameter/default/unpack-extension

@@ -0,0 +1 @@
+.tar.gz

type/__single_binary_service/parameter/default/user

@@ -0,0 +1 @@
+root

type/__single_binary_service/parameter/default/user-home-dir

@@ -0,0 +1 @@
+/nonexistent

type/__single_binary_service/parameter/optional

@@ -0,0 +1,14 @@
+config-file-source
+env
+user
+group
+state
+binary
+service-args
+service-exec
+service-description
+service-definition
+unpack-extension
+unpack-args
+user-home-dir
+working-directory

type/__single_binary_service/parameter/optional_multiple

@@ -0,0 +1 @@
+extra-binary

type/__single_binary_service/parameter/required

@@ -0,0 +1,3 @@
+url
+checksum
+version

type/__systemd_network/gencode-remote

@@ -0,0 +1,20 @@
+#!/bin/sh -e
+#
+# 2022 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+
+echo "systemctl enable systemd-networkd"

type/__systemd_network/man.rst

@@ -0,0 +1,68 @@
+cdist-type__systemd-network(7)
+==============================
+
+NAME
+----
+cdist-type__systemd-network - Configure systemd.network(5) file.
+
+
+DESCRIPTION
+-----------
+
+This type allows you to configure network interfaces by generating a
+systemd.network(5) file. It will enable systemd-networkd, so be sure to remove
+any conflicting network configuration tool if appropriate!
+
+Note that the systemd.network(5) system is very complete, and this type does
+not aim at providing every possible option. Are currently available only the
+most common options: feel free to add anything you need to this type which
+hopefully will grow over time.
+
+
+REQUIRED PARAMETERS
+-------------------
+None.
+
+
+OPTIONAL PARAMETERS
+-------------------
+description
+  A text field used when displaying details about this network.
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
+match-name
+  A text field that will be set in the `Name` option of the `[Match]` section.
+
+
+BOOLEAN PARAMETERS
+------------------
+ipv6ra-usedomains
+  Set the `UseDomains` option of the `[IPv6AcceptRA]` section to `True`.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # TODO
+    __systemd-network
+
+
+SEE ALSO
+--------
+`cdist-type_systemd-resolved`\ (7)
+`systemd.network`\ (5)
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2022 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__systemd_network/manifest

@@ -0,0 +1,86 @@
+#!/bin/sh -e
+#
+# 2022 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+'debian' | 'ubuntu' | 'archlinux')
+	:
+	;;
+*)
+	printf "Your operating system (%s) is currently not supported by systemd-network\n" "$os" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+	;;
+esac
+
+# XXX: Please keep the option parsing organized in order per-section, with
+# sections in the same order as they are in the manpage. This will make hacking
+# and maintaining this type much easier.
+
+mkdir "${__object:?}/files"
+output_file="${__object:?}/files/${__object_id:?}.network"
+
+cat << EOF > "$output_file"
+# This file is managed by cdist. Do not edit by hand!
+EOF
+
+# Match section
+# Ensure section is needed, OR existence of optional params.
+if [ -f "${__object:?}/parameter/match-name" ];
+then
+	printf "\n[Match]\n" >> "$output_file"
+
+	if [ -f "${__object:?}/parameter/match-name" ];
+	then
+		sed -e 's/^/Name=/' \
+			"${__object:?}/parameter/match-name" >> "$output_file"
+	fi
+fi
+
+# Network section
+# Ensure section is needed, OR existence of optional params.
+if [ -f "${__object:?}/parameter/description" ];
+then
+	printf "\n[Network]\n" >> "$output_file"
+
+	if [ -f "${__object:?}/parameter/description" ];
+	then
+		sed -e 's/^/Description=/' \
+			"${__object:?}/parameter/description" >> "$output_file"
+	fi
+fi
+
+# IPv6AcceptRA section
+# Ensure section is needed, OR existence of optional params.
+if [ -f "${__object:?}/parameter/ipv6ra-usedomains" ];
+then
+	printf "\n[IPv6AcceptRA]\n" >> "$output_file"
+
+	if [ -f "${__object:?}/parameter/ipv6ra-usedomains" ];
+	then
+		printf "UseDomains=True\n" >> "$output_file"
+	fi
+	
+fi
+
+__file "/etc/systemd/network/${__object_id:?}.network" \
+	--source "$output_file" \
+	--mode 0644

type/__systemd_network/parameter/boolean

@@ -0,0 +1 @@
+ipv6ra-usedomains

type/__systemd_network/parameter/optional

@@ -0,0 +1 @@
+description

type/__systemd_network/parameter/optional_multiple

@@ -0,0 +1 @@
+match-name

type/__systemd_resolved/gencode-remote

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+#
+# 2022 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+echo "systemctl enable systemd-resolved"

type/__systemd_resolved/man.rst

@@ -0,0 +1,47 @@
+cdist-type__systemd_resolved(7)
+===============================
+
+NAME
+----
+cdist-type__systemd_resolved - Configure system to use systemd-resolved.
+
+
+DESCRIPTION
+-----------
+*systemd-resolved* is a systemd service that provides network name resolution
+to local applications via a D-Bus interface, the resolve NSS service
+(nss-resolve(8)), and a local DNS stub listener on 127.0.0.53.
+
+This type enables and starts this type, and helps with some minimal
+configuration. In particular, systemd-resolved has four modes of handling the
+`/etc/resolv.conf` file: stub, static, uplink and foreign. See the
+systemd-resolved(8) manpage for details. By default, this type uses stub mode:
+if you need another one, please provide an implementation in this type!
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __systemd_resolved
+
+
+SEE ALSO
+--------
+`systemd.network`\ (5)
+`systemd-resolved`\ (8)
+`nss-resolve`\ (8)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2022 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__systemd_resolved/manifest

@@ -0,0 +1,42 @@
+#!/bin/sh -e
+#
+# 2022 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+os=$(cat "${__global:?}/explorer/os")
+
+case "$os" in
+'debian')
+	:
+	;;
+*)
+	printf "Your operating system (%s) is currently not supported by __systemd_resolved\n" "$os" >&2
+	printf "Please contribute an implementation for it if you can.\n" >&2
+	exit 1
+	;;
+esac
+
+__link /etc/resolv.conf \
+	--type symbolic \
+	--source ../run/systemd/resolve/stub-resolv.conf
+
+require=__link/etc/resolv.conf \
+	__systemd_service systemd-resolved \
+		--state running \
+		--action restart \
+		--if-required

type/__uacme_account/gencode-remote

@@ -18,6 +18,21 @@ then
 	admin_mail="$(cat "${__object:?}/parameter/admin-mail")";
 fi
 
+# Autoaccept ACME server terms (if any) upon new account creation.
+uacme_opts="--yes"
+
+# Non-default ACMEv2 server directory object URL.
+if [ -f "${__object:?}/parameter/acme-url" ]; then
+	custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
+	uacme_opts="$uacme_opts --acme-url $custom_acme_url"
+fi
+
+# Specify RFC8555 External Account Binding credentials.
+if [ -f "${__object:?}/parameter/eab-credentials" ]; then
+	eab_credentials=$(cat "${__object:?}/parameter/eab-credentials")
+	uacme_opts="$uacme_opts --eab $eab_credentials"
+fi
+
 confdir="${default_confdir:?}"
 if [ -f "${__object:?}/parameter/confdir" ];
 then
@@ -27,6 +42,6 @@ fi
 cat << EOF
 if ! [ -f "${confdir}/private/key.pem" ];
 then
-	uacme -y new ${admin_mail}
+	uacme $uacme_opts new ${admin_mail}
 fi
 EOF

type/__uacme_account/man.rst

@@ -23,6 +23,16 @@ confdir
 admin-mail
     Administrative contact email to register the account with.
 
+acme-url
+   ACMEv2 server directory object URL. Lets'Encrypt is used by default.
+
+eab-credentials
+   Specify RFC8555 External Account Binding credentials according to
+   https://tools.ietf.org/html/rfc8555#section-7.3.4, in order to associate a new
+   ACME account with an existing account in a non-ACME system such as a CA
+   customer database. KEYID must be an ASCII string. KEY must be
+   base64url-encoded. This is parameter is not supported by uacme < 1.6.
+
 EXAMPLES
 --------
 
@@ -43,6 +53,7 @@ SEE ALSO
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
+Timothée Floure <timothee.floure@posteo.net>
 
 COPYING
 -------

type/__uacme_account/parameter/optional

@@ -1,2 +1,4 @@
 confdir
 admin-mail
+acme-url
+eab-credentials

type/__uacme_obtain/files/renew.sh.sh

@@ -7,8 +7,8 @@ UACME_CHALLENGE_PATH=${CHALLENGEDIR:?}
 export UACME_CHALLENGE_PATH
 
 # Issue certificate.
-uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${MUST_STAPLE?} ${KEYTYPE?} \\
-	issue -- ${DOMAIN:?}
+uacme -c ${CONFDIR:?} -h ${HOOKSCRIPT:?} ${DISABLE_OCSP?} ${ACME_URL?} \\
+	${EAB_CREDENTIALS?} ${MUST_STAPLE?} ${KEYTYPE?} issue -- ${DOMAIN:?}
 
 # Note: exit code 0 means that certificate was issued.
 # Note: exit code 1 means that certificate was still valid, hence not renewed.

type/__uacme_obtain/man.rst

@@ -38,7 +38,8 @@ install-key-to
   Installation path of the certificate's private key.
 
 renew-hook
-  Renew hook executed on certificate renewal (e.g. `service nginx reload`).
+  Renew hook executed on certificate renewal (e.g. `service nginx reload`, `-`
+  for the standard input).
 
 force-cert-ownership-to
   Override default ownership for TLS certificate, passed as argument to chown.

type/__uacme_obtain/manifest

@@ -69,6 +69,22 @@ then
 fi
 export MUST_STAPLE
 
+# Non-default ACMEv2 server directory object URL.
+ACME_URL=
+if [ -f "${__object:?}/parameter/acme-url" ]; then
+	custom_acme_url=$(cat "${__object:?}/parameter/acme-url")
+	ACME_URL="--acme-url $custom_acme_url"
+fi
+export ACME_URL
+
+# Specify RFC8555 External Account Binding credentials.
+EAB_CREDENTIALS=
+if [ -f "${__object:?}/parameter/eab-credentials" ]; then
+	eab_credentials_param=$(cat "${__object:?}/parameter/eab-credentials")
+	EAB_CREDENTIALS="--eab $eab_credentials_param"
+fi
+export EAB_CREDENTIALS
+
 OWNER=root
 if [ -f "${__object:?}/parameter/owner" ];
 then
@@ -93,7 +109,11 @@ export CERT_TARGET
 RENEW_HOOK=
 if [ -f "${__object:?}/parameter/renew-hook" ];
 then
-	RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
+	if [ "$(cat "${__object:?}/parameter/renew-hook")" = "-" ]; then
+		RENEW_HOOK="$(cat ${__object:?}/stdin)"
+	else
+		RENEW_HOOK="$(cat "${__object:?}/parameter/renew-hook")"
+	fi
 fi
 export RENEW_HOOK
 

type/__uacme_obtain/parameter/optional

@@ -5,3 +5,5 @@ owner
 install-cert-to
 install-key-to
 renew-hook
+acme-url
+eab-credentials