From b06532241b0e70341e67e5d0ea5256d949834e03 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann <hi@kunsmann.eu>
Date: Thu, 18 Feb 2021 18:12:25 +0100
Subject: [PATCH] bundles: use metastack syntax for metadata.get()

---
 bundles/apt/items.py                         | 6 +++---
 bundles/backup-client/items.py               | 6 +++---
 bundles/backup-server/items.py               | 2 +-
 bundles/basic/files/hosts                    | 2 +-
 bundles/c3voc-addons/items.py                | 6 +++---
 bundles/icinga2/files/icinga2/api-users.conf | 2 +-
 bundles/icinga2/files/icinga2/downtimes.conf | 2 +-
 bundles/icinga2/files/icinga2/hosts.conf     | 4 ++--
 bundles/icinga2/files/icinga2/users.conf     | 2 +-
 bundles/icinga2/items.py                     | 2 +-
 bundles/iptables/files/iptables-enforce      | 2 +-
 bundles/iptables/items.py                    | 2 +-
 bundles/letsencrypt/files/domains.txt        | 2 +-
 bundles/letsencrypt/files/hook.sh            | 4 ++--
 bundles/lldp/files/bundlewrap.conf           | 2 +-
 bundles/nfs-client/items.py                  | 2 +-
 bundles/nginx/items.py                       | 4 ++--
 bundles/octoprint/items.py                   | 2 +-
 bundles/openssh/items.py                     | 2 +-
 bundles/openvpn-client/items.py              | 2 +-
 bundles/pacman/items.py                      | 2 +-
 bundles/postfix/files/aliases                | 2 +-
 bundles/postfix/files/main.cf                | 4 ++--
 bundles/postfix/items.py                     | 2 +-
 bundles/postgresql/files/pg_hba.conf         | 2 +-
 bundles/postgresql/items.py                  | 6 +++---
 bundles/powerdns/items.py                    | 8 ++++----
 bundles/pppd/items.py                        | 2 +-
 bundles/radicale/items.py                    | 2 +-
 bundles/redis/files/redis.conf               | 4 ++--
 bundles/rspamd/files/ip_whitelist.map        | 2 +-
 bundles/smartd/files/smartd.conf             | 2 +-
 bundles/systemd-networkd/items.py            | 4 ++--
 bundles/systemd/items.py                     | 2 +-
 bundles/wireguard/files/pppd-ip-up           | 2 +-
 bundles/zfs/files/zfs-modprobe.conf          | 2 +-
 bundles/zfs/items.py                         | 6 +++---
 hooks/test_backup_metadata.py                | 4 ++--
 38 files changed, 58 insertions(+), 58 deletions(-)

diff --git a/bundles/apt/items.py b/bundles/apt/items.py
index 58319c9..d148891 100644
--- a/bundles/apt/items.py
+++ b/bundles/apt/items.py
@@ -31,7 +31,7 @@ files = {
         'content_type': 'mako',
         'mode': '0700',
         'context': {
-            'data': node.metadata.get('apt', {}).get('unattended-upgrades', {}),
+            'data': node.metadata.get('apt/unattended-upgrades', {}),
         }
     },
     '/etc/cloud': {
@@ -132,7 +132,7 @@ pkg_apt = {
 }
 
 
-for name, data in node.metadata.get('apt', {}).get('repos', {}).items():
+for name, data in node.metadata.get('apt/repos', {}).items():
     files['/etc/apt/sources.list.d/{}.list'.format(name)] = {
         'content_type': 'mako',
         'content': ("\n".join(sorted(data['items']))).format(
@@ -156,6 +156,6 @@ for name, data in node.metadata.get('apt', {}).get('repos', {}).items():
             },
         }
 
-if node.metadata.get('apt', {}).get('packages', {}):
+if node.metadata.get('apt/packages', {}):
     for package, options in node.metadata['apt']['packages'].items():
         pkg_apt[package] = options
diff --git a/bundles/backup-client/items.py b/bundles/backup-client/items.py
index e5144ce..baed1ad 100644
--- a/bundles/backup-client/items.py
+++ b/bundles/backup-client/items.py
@@ -1,6 +1,6 @@
 from os.path import join
 
-if node.metadata['backups'].get('exclude_from_backups', False):
+if node.metadata.get('backups/exclude_from_backups', False):
     files['/etc/backup.priv'] = {
         'delete': True,
     }
@@ -17,7 +17,7 @@ else:
             'username': node.metadata['backup-client']['user-name'],
             'server': server,
             'port': port,
-            'paths': node.metadata.get('backups', {}).get('paths', {}),
+            'paths': node.metadata.get('backups/paths', {}),
         },
         'mode': '0700',
     }
@@ -34,7 +34,7 @@ directories['/etc/backup-pre-hooks.d'] = {
     'purge': True,
 }
 
-for hname, hcontent in node.metadata['backup-client'].get('pre-hooks', {}).items():
+for hname, hcontent in node.metadata.get('backup-client/pre-hooks', {}).items():
     files[f'/etc/backup-pre-hooks.d/50-{hname}'] = {
         'content': '#!/bin/sh\n\n' + hcontent,
         'mode': '0700',
diff --git a/bundles/backup-server/items.py b/bundles/backup-server/items.py
index 0cbc9d0..c2c9d7f 100644
--- a/bundles/backup-server/items.py
+++ b/bundles/backup-server/items.py
@@ -2,7 +2,7 @@ assert node.has_bundle('zfs')
 
 from os.path import join
 
-for nodename, config in node.metadata.get('backup-server', {}).get('clients', {}).items():
+for nodename, config in node.metadata.get('backup-server/clients', {}).items():
     with open(join(repo.path, 'data', 'backup', 'keys', f'{nodename}.pub'), 'r') as f:
         pubkey = f.read().strip()
 
diff --git a/bundles/basic/files/hosts b/bundles/basic/files/hosts
index e14d8c5..2ecc921 100644
--- a/bundles/basic/files/hosts
+++ b/bundles/basic/files/hosts
@@ -7,6 +7,6 @@ ff02::1     ip6-allnodes
 ff02::2     ip6-allrouters
 ff02::3     ip6-allhosts
 
-% for ip, entries in sorted(node.metadata.get('hosts', {}).get('entries', {}).items()):
+% for ip, entries in sorted(node.metadata.get('hosts/entries', {}).items()):
 ${ip}       ${' '.join(sorted(entries))}
 % endfor
diff --git a/bundles/c3voc-addons/items.py b/bundles/c3voc-addons/items.py
index d692266..743d7f1 100644
--- a/bundles/c3voc-addons/items.py
+++ b/bundles/c3voc-addons/items.py
@@ -27,7 +27,7 @@ pkg_apt = {
     'wget': {},
 }
 
-if node.metadata.get('apt', {}).get('packages', {}):
+if node.metadata.get('apt/packages', {}):
     for package, options in node.metadata['apt']['packages'].items():
         pkg_apt[package] = options
 
@@ -62,7 +62,7 @@ files = {
         'content_type': 'mako',
         'mode': '0700',
         'context': {
-            'data': node.metadata.get('apt', {}).get('unattended-upgrades', {}),
+            'data': node.metadata.get('apt/unattended-upgrades', {}),
         }
     },
 }
@@ -76,7 +76,7 @@ for crontab, content in node.metadata.get('cron', {}).items():
         }
     }
 
-for vhost, config in node.metadata.get('nginx', {}).get('vhosts', {}).items():
+for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
     if not 'domain' in config:
         config['domain'] = vhost
 
diff --git a/bundles/icinga2/files/icinga2/api-users.conf b/bundles/icinga2/files/icinga2/api-users.conf
index 822b152..2d87ad7 100644
--- a/bundles/icinga2/files/icinga2/api-users.conf
+++ b/bundles/icinga2/files/icinga2/api-users.conf
@@ -1,4 +1,4 @@
-% for user, config in sorted(node.metadata.get('icinga2', {}).get('api_users', {}).items()):
+% for user, config in sorted(node.metadata.get('icinga2/api_users', {}).items()):
 object ApiUser "${user}" {
     password = "${config['password']}"
     permissions = [ "${'", "'.join(sorted(config['permissions']))}" ]
diff --git a/bundles/icinga2/files/icinga2/downtimes.conf b/bundles/icinga2/files/icinga2/downtimes.conf
index e78da7c..31195be 100644
--- a/bundles/icinga2/files/icinga2/downtimes.conf
+++ b/bundles/icinga2/files/icinga2/downtimes.conf
@@ -9,7 +9,7 @@ object ScheduledDowntime "unattended_upgrades" {
     fixed = true
 
     ranges = {
-        "${days[monitored_node.metadata.get('apt', {}).get('unattended_upgrades', {}).get('day', 5)]}" = "01:${monitored_node.magic_number%30}-01:${(monitored_node.magic_number%30)+30}"
+        "${days[monitored_node.metadata.get('apt/unattended_upgrades/day', 5)]}" = "01:${monitored_node.magic_number%30}-01:${(monitored_node.magic_number%30)+30}"
     }
 
     child_options = "DowntimeTriggeredChildren"
diff --git a/bundles/icinga2/files/icinga2/hosts.conf b/bundles/icinga2/files/icinga2/hosts.conf
index a115fe0..baedc57 100644
--- a/bundles/icinga2/files/icinga2/hosts.conf
+++ b/bundles/icinga2/files/icinga2/hosts.conf
@@ -2,14 +2,14 @@
 object Host "${monitored_node.name}" {
     import "generic-host"
 
-    address = "${monitored_node.metadata.get('icinga_options', {}).get('hostname', monitored_node.hostname)}"
+    address = "${monitored_node.metadata.get('icinga_options/hostname', monitored_node.hostname)}"
 
     vars.os = "${monitored_node.os}"
     vars.sla = "${monitored_node.metadata.get('sla', '24x7')}"
     vars.period = "${sla_info[monitored_node.metadata.get('sla', '24x7')]}"
     vars.location = "${monitored_node.metadata.get('location', 'unknown')}"
     vars.bw_groups = [ "${'", "'.join(sorted({group.name for group in monitored_node.groups}))}" ]
-    vars.notification.sms = ${str(monitored_node.metadata.get('icinga_options', {}).get('vars.notification.sms', True)).lower()}
+    vars.notification.sms = ${str(monitored_node.metadata.get('icinga_options/vars.notification.sms', True)).lower()}
     vars.notification.mail = true
 }
 % endfor
diff --git a/bundles/icinga2/files/icinga2/users.conf b/bundles/icinga2/files/icinga2/users.conf
index 8a918ae..0d279ee 100644
--- a/bundles/icinga2/files/icinga2/users.conf
+++ b/bundles/icinga2/files/icinga2/users.conf
@@ -2,7 +2,7 @@ object UserGroup "on-call_sms" {
     display_name = "On-Call Support (with SMS)"
 }
 
-% for username, config in sorted(node.metadata.get('icinga2', {}).get('icinga_users', {}).items()):
+% for username, config in sorted(node.metadata.get('icinga2/icinga_users', {}).items()):
 object User "${username}" {
     display_name = "${username}"
     enable_notifications = true
diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py
index ec55340..96a1c9a 100644
--- a/bundles/icinga2/items.py
+++ b/bundles/icinga2/items.py
@@ -290,7 +290,7 @@ svc_systemd = {
 monitored_nodes = repo.nodes
 
 for n in monitored_nodes[:]:
-    if n.metadata.get('icinga_options', {}).get('exclude_from_monitoring', False):
+    if n.metadata.get('icinga_options/exclude_from_monitoring', False):
         monitored_nodes.remove(n)
 
 bundle_metadata = {}
diff --git a/bundles/iptables/files/iptables-enforce b/bundles/iptables/files/iptables-enforce
index 1437601..ea7a206 100644
--- a/bundles/iptables/files/iptables-enforce
+++ b/bundles/iptables/files/iptables-enforce
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-% if not node.metadata.get('iptables', {}).get('enabled', True):
+% if not node.metadata.get('iptables/enabled', True):
 exit 0
 % endif
 
diff --git a/bundles/iptables/items.py b/bundles/iptables/items.py
index d8c1eb3..69fba15 100644
--- a/bundles/iptables/items.py
+++ b/bundles/iptables/items.py
@@ -28,7 +28,7 @@ files = {
     },
 }
 
-for bundle, rules in node.metadata.get('iptables', {}).get('bundle_rules', {}).items():
+for bundle, rules in node.metadata.get('iptables/bundle_rules', {}).items():
     files[f'/etc/iptables-rules.d/20-{bundle}'] = {
         # We must never use sorted() here. Bundles might rely on their order.
         'content': '\n'.join(rules) + '\n',
diff --git a/bundles/letsencrypt/files/domains.txt b/bundles/letsencrypt/files/domains.txt
index 467985d..d9d7824 100644
--- a/bundles/letsencrypt/files/domains.txt
+++ b/bundles/letsencrypt/files/domains.txt
@@ -1,5 +1,5 @@
 ${node.metadata['hostname']}
 
-% for domain, aliases in sorted(node.metadata.get('letsencrypt', {}).get('domains', {}).items()):
+% for domain, aliases in sorted(node.metadata.get('letsencrypt/domains', {}).items()):
 ${domain} ${' '.join(sorted(aliases))}
 % endfor
diff --git a/bundles/letsencrypt/files/hook.sh b/bundles/letsencrypt/files/hook.sh
index 2c3290f..4cdf79d 100644
--- a/bundles/letsencrypt/files/hook.sh
+++ b/bundles/letsencrypt/files/hook.sh
@@ -1,6 +1,6 @@
 deploy_cert() {<%text>
     local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"</%text>
-% for service, config in node.metadata.get('letsencrypt', {}).get('concat_and_deploy', {}).items():
+% for service, config in node.metadata.get('letsencrypt/concat_and_deploy', {}).items():
 
     # concat_and_deploy ${service}
     if [ "$DOMAIN" = "${config['match_domain']}" ]; then
@@ -25,7 +25,7 @@ deploy_cert() {<%text>
 exit_hook() {<%text>
     local ERROR="${1:-}"</%text>
 
-% for service in sorted(node.metadata.get('letsencrypt', {}).get('reload_after', set())):
+% for service in sorted(node.metadata.get('letsencrypt/reload_after', set())):
     systemctl reload-or-restart ${service}
 % endfor
 }
diff --git a/bundles/lldp/files/bundlewrap.conf b/bundles/lldp/files/bundlewrap.conf
index 3cebe1d..32b38fe 100644
--- a/bundles/lldp/files/bundlewrap.conf
+++ b/bundles/lldp/files/bundlewrap.conf
@@ -6,5 +6,5 @@
 #
 # --> Diese Datei wird von BundleWrap verwaltet! <--
 
-configure system hostname "${node.metadata.get('lldp', {}).get('hostname', node.name)}"
+configure system hostname "${node.metadata.get('lldp/hostname', node.name)}"
 configure system platform "${node.os}"
diff --git a/bundles/nfs-client/items.py b/bundles/nfs-client/items.py
index 30a6852..df06881 100644
--- a/bundles/nfs-client/items.py
+++ b/bundles/nfs-client/items.py
@@ -1,4 +1,4 @@
-for mount, data in node.metadata.get('nfs-client',{}).get('mounts',{}).items():
+for mount, data in node.metadata.get('nfs-client/mounts',{}).items():
     data['mount'] = mount
     data['mount_options'] = set(data.get('mount_options', set()))
 
diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py
index d39c3e3..c6d9d01 100644
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@@ -60,7 +60,7 @@ if node.metadata['nginx']['use_ssl_for_all_connections']:
         },
     }
 
-for vhost, config in node.metadata.get('nginx', {}).get('vhosts', {}).items():
+for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
     if not 'domain' in config:
         config['domain'] = vhost
 
@@ -69,7 +69,7 @@ for vhost, config in node.metadata.get('nginx', {}).get('vhosts', {}).items():
         'content_type': 'mako',
         'context': {
             'vhost': vhost,
-            'php_version': node.metadata.get('php', {}).get('version', ''),
+            'php_version': node.metadata.get('php/version', ''),
             **config,
         },
         'needs': set(),
diff --git a/bundles/octoprint/items.py b/bundles/octoprint/items.py
index 3cce0e8..fcfb6bb 100644
--- a/bundles/octoprint/items.py
+++ b/bundles/octoprint/items.py
@@ -39,7 +39,7 @@ files = {
         'mode': '0755',
         'content_type': 'mako',
         'context': {
-            'api_key': node.metadata.get('octoprint', {}).get('api_key', ''),
+            'api_key': node.metadata.get('octoprint/api_key', ''),
         },
     },
 }
diff --git a/bundles/openssh/items.py b/bundles/openssh/items.py
index 4636b1b..475c60f 100644
--- a/bundles/openssh/items.py
+++ b/bundles/openssh/items.py
@@ -1,5 +1,5 @@
 users_from_metadata = set()
-additional_users = node.metadata.get('openssh', {}).get('allowed_users', set())
+additional_users = node.metadata.get('openssh/allowed_users', set())
 
 for user, config in node.metadata.get('users', {}).items():
     if 'ssh_pubkey' in config and not config.get('delete', False):
diff --git a/bundles/openvpn-client/items.py b/bundles/openvpn-client/items.py
index 686632e..3ffa405 100644
--- a/bundles/openvpn-client/items.py
+++ b/bundles/openvpn-client/items.py
@@ -6,7 +6,7 @@ directories = {
     },
 }
 
-for config in node.metadata.get('openvpn-client', {}).get('configs', set()):
+for config in node.metadata.get('openvpn-client/configs', set()):
     files[f'/etc/openvpn/client/{config}.conf'] = {
         'content': repo.vault.decrypt_file(join('openvpn-client', f'{config}.conf.vault')),
         'triggers': {
diff --git a/bundles/pacman/items.py b/bundles/pacman/items.py
index 0e6f5e6..2975762 100644
--- a/bundles/pacman/items.py
+++ b/bundles/pacman/items.py
@@ -15,5 +15,5 @@ pkg_pacman = {
     'wpa_actiond': {},
 }
 
-for pkg, config in node.metadata.get('pacman', {}).get('packages', {}).items():
+for pkg, config in node.metadata.get('pacman/packages', {}).items():
     pkg_pacman[pkg] = config
diff --git a/bundles/postfix/files/aliases b/bundles/postfix/files/aliases
index d3989ba..128342b 100644
--- a/bundles/postfix/files/aliases
+++ b/bundles/postfix/files/aliases
@@ -1,6 +1,6 @@
 root: hostmaster@kunbox.net
 postmaster: hostmaster@kunbox.net
 
-% for source, target in node.metadata.get('postfix', {}).get('aliases', {}).items():
+% for source, target in node.metadata.get('postfix/aliases', {}).items():
 ${source}: ${', '.join(sorted(target))}
 % endfor
diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf
index 56de85e..ec16d2a 100644
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@@ -3,14 +3,14 @@ biff = no
 append_dot_mydomain = no
 readme_directory = no
 compatibility_level = 2
-myhostname = ${node.metadata.get('postfix', {}).get('myhostname', node.metadata['hostname'])}
+myhostname = ${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}
 myorigin = /etc/mailname
 mydestination = $myhostname, localhost
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_protocols = all
-message_size_limit = ${node.metadata.get('postfix', {}).get('message_size_limit_mb', 10)*1024*1024}
+message_size_limit = ${node.metadata.get('postfix/message_size_limit_mb', 10)*1024*1024}
 alias_database = hash:/etc/aliases
 alias_maps = hash:/etc/aliases
 
diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py
index dca77ee..69215dd 100644
--- a/bundles/postfix/items.py
+++ b/bundles/postfix/items.py
@@ -3,7 +3,7 @@ if node.has_bundle('postfixadmin'):
 
 files = {
     '/etc/mailname': {
-        'content': node.metadata.get('postfix', {}).get('myhostname', node.metadata['hostname']),
+        'content': node.metadata.get('postfix/myhostname', node.metadata['hostname']),
         'triggers': {
             'svc_systemd:postfix:restart',
         },
diff --git a/bundles/postgresql/files/pg_hba.conf b/bundles/postgresql/files/pg_hba.conf
index 36c863b..8aeee1c 100644
--- a/bundles/postgresql/files/pg_hba.conf
+++ b/bundles/postgresql/files/pg_hba.conf
@@ -1,4 +1,4 @@
-% for custom_rule in sorted(node.metadata.get('postgresql', {}).get('custom_rules', [])):
+% for custom_rule in sorted(node.metadata.get('postgresql/custom_rules', [])):
 ${custom_rule}
 % endfor
 local   all             postgres                                peer
diff --git a/bundles/postgresql/items.py b/bundles/postgresql/items.py
index 59a73e1..f1d2953 100644
--- a/bundles/postgresql/items.py
+++ b/bundles/postgresql/items.py
@@ -63,7 +63,7 @@ if node.has_bundle('backup-client'): # and not node.has_bundle('zfs'):
         'source': 'backup-pre-hook',
         'content_type': 'mako',
         'context': {
-            'databases': node.metadata.get('postgresql', {}).get('databases', {}).keys(),
+            'databases': node.metadata.get('postgresql/databases', {}).keys(),
         },
         'mode': '0700',
     }
@@ -89,7 +89,7 @@ svc_systemd = {
 
 postgres_dbs = {}
 
-for user, config in node.metadata.get('postgresql', {}).get('roles', {}).items():
+for user, config in node.metadata.get('postgresql/roles', {}).items():
     postgres_roles[user] = {
         'password': config['password'],
         'needs': {
@@ -97,7 +97,7 @@ for user, config in node.metadata.get('postgresql', {}).get('roles', {}).items()
         },
     }
 
-for database, config in node.metadata.get('postgresql', {}).get('databases', {}).items():
+for database, config in node.metadata.get('postgresql/databases', {}).items():
     postgres_dbs[database] = {
         'owner': config['owner'],
         'needs': {
diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py
index 1849c61..a4b0970 100644
--- a/bundles/powerdns/items.py
+++ b/bundles/powerdns/items.py
@@ -24,7 +24,7 @@ $TTL 60
     )
 """
 for rnode in sorted(repo.nodes_in_group('dns')):
-    ZONE_HEADER += '@       IN  NS {}.\n'.format(rnode.metadata.get('powerdns', {}).get('my_hostname', rnode.metadata['hostname']))
+    ZONE_HEADER += '@       IN  NS {}.\n'.format(rnode.metadata.get('powerdns/my_hostname', rnode.metadata['hostname']))
 
 directories = {
     '/etc/powerdns/pdns.d': {
@@ -85,7 +85,7 @@ actions = {
     },
 }
 
-if node.metadata['powerdns'].get('features', {}).get('bind', False):
+if node.metadata.get('powerdns/features/bind', False):
     primary_zones = set()
     for zone in listdir(zone_path):
         if not isfile(join(zone_path, zone)) or zone.startswith(".") or zone.startswith("_"):
@@ -103,7 +103,7 @@ if node.metadata['powerdns'].get('features', {}).get('bind', False):
             'content_type': 'mako',
             'context': {
                 'header': ZONE_HEADER.format(serial=serial),
-                'metadata_records': node.metadata.get('powerdns', {}).get('bind-zones', {}).get(zone, {}).get('records', []),
+                'metadata_records': node.metadata.get('powerdns/bind-zones/{}/records'.format(zone), []),
             },
             'source': 'bind-zones/{}'.format(zone),
             'triggers': {
@@ -142,7 +142,7 @@ if node.metadata['powerdns'].get('features', {}).get('bind', False):
         },
     }
 
-if node.metadata['powerdns'].get('features', {}).get('pgsql', False):
+if node.metadata.get('powerdns/features/pgsql', False):
     files['/etc/powerdns/pdns.d/pgsql.conf'] = {
         'content_type': 'mako',
         'context': {
diff --git a/bundles/pppd/items.py b/bundles/pppd/items.py
index 586c909..7e2cf6e 100644
--- a/bundles/pppd/items.py
+++ b/bundles/pppd/items.py
@@ -71,7 +71,7 @@ files = {
     '/etc/ppp/wait-until-stopped': {
         'content_type': 'mako',
         'context': {
-            'services': node.metadata.get('pppd', {}).get('wait-until-stopped', set()),
+            'services': node.metadata.get('pppd/wait-until-stopped', set()),
         },
         'mode': '0700',
     },
diff --git a/bundles/radicale/items.py b/bundles/radicale/items.py
index 7d6335a..c387765 100644
--- a/bundles/radicale/items.py
+++ b/bundles/radicale/items.py
@@ -27,7 +27,7 @@ files = {
     '/etc/radicale/htpasswd': {
         'content_type': 'mako',
         'context': {
-            'users': node.metadata.get('radicale', {}).get('users', {}),
+            'users': node.metadata.get('radicale/users', {}),
         },
         'triggers': {
             'svc_systemd:radicale:restart',
diff --git a/bundles/redis/files/redis.conf b/bundles/redis/files/redis.conf
index 0d16d71..f479be2 100644
--- a/bundles/redis/files/redis.conf
+++ b/bundles/redis/files/redis.conf
@@ -3,10 +3,10 @@ aof-load-truncated yes
 aof-rewrite-incremental-fsync yes
 appendfilename "appendonly.aof"
 appendfsync everysec
-appendonly ${node.metadata.get('redis', {}).get('appendonly', "no")}
+appendonly ${node.metadata.get('redis/appendonly', "no")}
 auto-aof-rewrite-min-size 64mb
 auto-aof-rewrite-percentage 100
-bind ${node.metadata.get('redis', {}).get('bind', "127.0.0.1")}
+bind ${node.metadata.get('redis/bind', '127.0.0.1')}
 client-output-buffer-limit normal 0 0 0
 client-output-buffer-limit pubsub 32mb 8mb 60
 client-output-buffer-limit slave 256mb 64mb 60
diff --git a/bundles/rspamd/files/ip_whitelist.map b/bundles/rspamd/files/ip_whitelist.map
index 416ea5f..74b0d95 100644
--- a/bundles/rspamd/files/ip_whitelist.map
+++ b/bundles/rspamd/files/ip_whitelist.map
@@ -1,3 +1,3 @@
-% for ip in sorted(node.metadata.get('rspamd', {}).get('ignore_spam_check_for_ips', set())):
+% for ip in sorted(node.metadata.get('rspamd/ignore_spam_check_for_ips', set())):
 ${ip}
 % endfor
diff --git a/bundles/smartd/files/smartd.conf b/bundles/smartd/files/smartd.conf
index dd75d69..491fa75 100644
--- a/bundles/smartd/files/smartd.conf
+++ b/bundles/smartd/files/smartd.conf
@@ -1,4 +1,4 @@
 DEFAULT -d auto -a -n standby,12
-% for disk in sorted(node.metadata.get('smartd', {}).get('disks', set())):
+% for disk in sorted(node.metadata.get('smartd/disks', set())):
 ${disk}
 % endfor
diff --git a/bundles/systemd-networkd/items.py b/bundles/systemd-networkd/items.py
index 8c026ed..6d068d4 100644
--- a/bundles/systemd-networkd/items.py
+++ b/bundles/systemd-networkd/items.py
@@ -73,7 +73,7 @@ for interface, config in node.metadata['interfaces'].items():
             },
         }
 
-for bond, config in node.metadata.get('systemd-networkd', {}).get('bonds', {}).items():
+for bond, config in node.metadata.get('systemd-networkd/bonds', {}).items():
     files['/etc/systemd/network/20-bond-{}.netdev'.format(bond)] = {
         'source': 'template-bond.netdev',
         'content_type': 'mako',
@@ -104,7 +104,7 @@ for bond, config in node.metadata.get('systemd-networkd', {}).get('bonds', {}).i
         },
     }
 
-for brname, config in node.metadata.get('systemd-networkd', {}).get('bridges', {}).items():
+for brname, config in node.metadata.get('systemd-networkd/bridges', {}).items():
     files['/etc/systemd/network/30-bridge-{}.netdev'.format(brname)] = {
         'source': 'template-bridge.netdev',
         'content_type': 'mako',
diff --git a/bundles/systemd/items.py b/bundles/systemd/items.py
index 6e587dc..6c8f671 100644
--- a/bundles/systemd/items.py
+++ b/bundles/systemd/items.py
@@ -31,7 +31,7 @@ files = {
     '/etc/systemd/journald.conf': {
         'content_type': 'mako',
         'context': {
-            'journal': node.metadata.get('systemd', {}).get('journal', {}),
+            'journal': node.metadata.get('systemd/journal', {}),
         },
         'triggers': {
             'svc_systemd:systemd-journald:restart',
diff --git a/bundles/wireguard/files/pppd-ip-up b/bundles/wireguard/files/pppd-ip-up
index d61343f..aaab096 100644
--- a/bundles/wireguard/files/pppd-ip-up
+++ b/bundles/wireguard/files/pppd-ip-up
@@ -4,7 +4,7 @@
 # it gets connected. Easiest way is to simply send some pings to the
 # other side.
 
-% for peer, config in node.metadata.get('wireguard', {}).get('peers', {}).items():
+% for peer, config in node.metadata.get('wireguard/peers', {}).items():
 %   for ip in sorted(config['ips']):
 # refresh connection to ${peer} ${ip}
 /usr/bin/ping -c 4 ${ip.split('/')[0] if '/' in ip else ip}
diff --git a/bundles/zfs/files/zfs-modprobe.conf b/bundles/zfs/files/zfs-modprobe.conf
index 08bc244..256c971 100644
--- a/bundles/zfs/files/zfs-modprobe.conf
+++ b/bundles/zfs/files/zfs-modprobe.conf
@@ -1,5 +1,5 @@
 <%
-    arc_max_mb = node.metadata.get('zfs', {}).get('module_options', {}).get('zfs_arc_max_mb', 1024)
+    arc_max_mb = node.metadata.get('zfs/module_options/zfs_arc_max_mb', 1024)
 %>\
 % if arc_max_mb != 0:
 options zfs zfs_arc_max=${arc_max_mb * 1024 * 1024}
diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py
index 002665c..ad09841 100644
--- a/bundles/zfs/items.py
+++ b/bundles/zfs/items.py
@@ -30,7 +30,7 @@ files = {
     },
     '/etc/zfs-snapshot-config.json': {
         'content': dumps(
-            node.metadata.get('zfs', {}).get('snapshots', {}),
+            node.metadata.get('zfs/snapshots', {}),
             cls=MetadataJSONEncoder,  # turns sets into sorted lists
             indent=4,
             sort_keys=True,
@@ -72,10 +72,10 @@ svc_systemd = {
     },
 }
 
-zfs_datasets = node.metadata.get('zfs', {}).get('datasets', {})
+zfs_datasets = node.metadata.get('zfs/datasets', {})
 zfs_pools = {}
 
-for name, attrs in node.metadata.get('zfs', {}).get('pools', {}).items():
+for name, attrs in node.metadata.get('zfs/pools', {}).items():
     zfs_pools[name] = attrs
 
     # Not yet supported on debian buster
diff --git a/hooks/test_backup_metadata.py b/hooks/test_backup_metadata.py
index 49b12c2..337121b 100644
--- a/hooks/test_backup_metadata.py
+++ b/hooks/test_backup_metadata.py
@@ -2,7 +2,7 @@ def test_node(repo, node, **kwargs):
     if not node.has_bundle('backup-client'):
         return
 
-    if node.metadata.get('backups', {}).get('exclude_from_backups', False):
+    if node.metadata.get('backups/exclude_from_backups', False):
         return
 
-    assert len(node.metadata.get('backups', {}).get('paths', set())) > 0, f'{node.name} has backups configured, but no backup paths defined!'
+    assert len(node.metadata.get('backups/paths', set())) > 0, f'{node.name} has backups configured, but no backup paths defined!'