files = {
    '/usr/local/share/icinga/plugins/check_vm_status': {
        'mode': '0755',
    },
}

if node.has_bundle('nftables') and node.has_bundle('apt'):
    # libvirt on debian depends on either iptables or firewalld. Since
    # we're managing firewall rules using bundlewrap, we don't want either
    # of those to interfere. So we install firewalld, then ensure it is
    # never running. After that, we ensure the bundlewrap managed rules
    # are active.
    svc_systemd['firewalld'] = {
        'running': False,
        'enabled': False,
        'masked': True,
        'needs': {
            'pkg_apt:firewalld',
        },
        'needed_by': {
            'svc_systemd:nftables',
        },
        'triggers': {
            'svc_systemd:nftables:reload',
        },
    }

if node.has_bundle('pacman'):
    svc_systemd['libvirtd'] = {
        'running': None, # triggered via .socket
    }
    svc_systemd['virtlogd'] = {
        'running': None, # triggered via .socket
        'enabled': None, # triggered via .socket
    }