From 746c58906b291a1082a582116f3ae4601595676d Mon Sep 17 00:00:00 2001
From: Daniel Dehennin <daniel.dehennin@baby-gnu.org>
Date: Tue, 12 Jan 2021 10:31:29 +0100
Subject: [PATCH] feat(map): update to v5 `map.jinja`

BREAKING CHANGE: `map.jinja` now export a generic `mapdata` variable

BREAKING CHANGE: The parameters per grains are now under `openvpn/parameters/`
---
 docs/README.rst                               |   6 +
 docs/map.jinja.rst                            | 498 ++++++++++++++++++
 openvpn/_mapdata/init.sls                     |   4 +-
 openvpn/config.sls                            |   2 +-
 openvpn/dhparams.sls                          |   2 +-
 openvpn/general_config.sls                    |   2 +-
 openvpn/hardening.sls                         |   2 +-
 openvpn/ifconfig_pool_persist.sls             |   2 +-
 openvpn/install.sls                           |   2 +-
 openvpn/libmapstack.jinja                     | 300 +++++++++++
 openvpn/libmatchers.jinja                     | 222 ++++++++
 openvpn/libsaltcli.jinja                      |  16 +
 openvpn/map.jinja                             |  85 ++-
 .../files/connection.jinja                    |   2 +-
 openvpn/network_manager_networks/init.sls     |   2 +-
 openvpn/osfamilymap.yaml                      |  32 --
 openvpn/osfingermap.yaml                      |   5 -
 openvpn/osmap.yaml                            |  20 -
 openvpn/{ => parameters}/defaults.yaml        |   6 +-
 openvpn/parameters/map_jinja.yaml             |  17 +
 openvpn/parameters/os/Debian.yaml             |  17 +
 openvpn/parameters/os/Fedora.yaml             |  19 +
 openvpn/parameters/os/Ubuntu.yaml             |  17 +
 openvpn/parameters/os_family/Arch.yaml        |  16 +
 openvpn/parameters/os_family/Debian.yaml      |  21 +
 openvpn/parameters/os_family/FreeBSD.yaml     |  19 +
 openvpn/parameters/os_family/RedHat.yaml      |  16 +
 openvpn/parameters/os_family/Windows.yaml     |  17 +
 openvpn/parameters/osfinger/CentOS-6.yaml     |  14 +
 openvpn/repo.sls                              |   2 +-
 openvpn/service.sls                           |   2 +-
 .../default/files/_mapdata/amazonlinux-1.yaml |   8 +
 .../default/files/_mapdata/amazonlinux-2.yaml |   8 +
 .../files/_mapdata/arch-base-latest.yaml      |   8 +
 .../default/files/_mapdata/centos-6.yaml      |   8 +
 .../default/files/_mapdata/centos-7.yaml      |   8 +
 .../default/files/_mapdata/centos-8.yaml      |   8 +
 .../default/files/_mapdata/debian-10.yaml     |   8 +
 .../default/files/_mapdata/debian-9.yaml      |   8 +
 .../default/files/_mapdata/fedora-31.yaml     |   8 +
 .../default/files/_mapdata/fedora-32.yaml     |   8 +
 .../default/files/_mapdata/fedora-33.yaml     |   8 +
 .../default/files/_mapdata/gentoo-2-sysd.yaml |   8 +
 .../default/files/_mapdata/gentoo-2-sysv.yaml |   8 +
 .../default/files/_mapdata/opensuse-15.yaml   |   8 +
 .../default/files/_mapdata/oraclelinux-7.yaml |   8 +
 .../default/files/_mapdata/oraclelinux-8.yaml |   8 +
 .../default/files/_mapdata/ubuntu-16.yaml     |   8 +
 .../default/files/_mapdata/ubuntu-18.yaml     |   8 +
 .../default/files/_mapdata/ubuntu-20.yaml     |   8 +
 .../files/_mapdata/windows-2019-server.yaml   |   8 +
 .../default/files/_mapdata/windows-8.yaml     |   8 +
 52 files changed, 1460 insertions(+), 95 deletions(-)
 create mode 100644 docs/map.jinja.rst
 create mode 100644 openvpn/libmapstack.jinja
 create mode 100644 openvpn/libmatchers.jinja
 create mode 100644 openvpn/libsaltcli.jinja
 delete mode 100644 openvpn/osfamilymap.yaml
 delete mode 100644 openvpn/osfingermap.yaml
 delete mode 100644 openvpn/osmap.yaml
 rename openvpn/{ => parameters}/defaults.yaml (83%)
 create mode 100644 openvpn/parameters/map_jinja.yaml
 create mode 100644 openvpn/parameters/os/Debian.yaml
 create mode 100644 openvpn/parameters/os/Fedora.yaml
 create mode 100644 openvpn/parameters/os/Ubuntu.yaml
 create mode 100644 openvpn/parameters/os_family/Arch.yaml
 create mode 100644 openvpn/parameters/os_family/Debian.yaml
 create mode 100644 openvpn/parameters/os_family/FreeBSD.yaml
 create mode 100644 openvpn/parameters/os_family/RedHat.yaml
 create mode 100644 openvpn/parameters/os_family/Windows.yaml
 create mode 100644 openvpn/parameters/osfinger/CentOS-6.yaml

diff --git a/docs/README.rst b/docs/README.rst
index eb0d55f..a5cc91f 100644
--- a/docs/README.rst
+++ b/docs/README.rst
@@ -33,6 +33,12 @@ which contains the currently released version. This formula is versioned accordi
 
 See `Formula Versioning Section <https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#versioning>`_ for more details.
 
+If you need (non-default) configuration, please refer to:
+
+- `how to configure the formula with map.jinja <map.jinja.rst>`_
+- the ``pillar.example`` file
+
+
 Contributing to this repo
 -------------------------
 
diff --git a/docs/map.jinja.rst b/docs/map.jinja.rst
new file mode 100644
index 0000000..3a75e57
--- /dev/null
+++ b/docs/map.jinja.rst
@@ -0,0 +1,498 @@
+.. _map.jinja:
+
+``map.jinja``: gather formula configuration values
+==================================================
+
+The `documentation`_ explains the use of a ``map.jinja`` to gather parameters values for a formula.
+
+As `pillars`_ are rendered on the Salt master for every minion, this increases the load on the master as the pillar values and the number of minions grows.
+
+As a good practice, you should:
+
+- store non-secret data in YAML files distributed by the `fileserver`_
+- store secret data in:
+
+  - `pillars`_ (and look for the use of something like `pillar.vault`_)
+  - `SDB`_ (and look for the use of something like `sdb.vault`_)
+
+Current best practice is to let ``map.jinja`` handle parameters from all sources, to minimise the use of pillars, grains or configuration from ``sls`` files and templates directly.
+
+
+.. contents:: **Table of Contents**
+
+
+For formula users
+-----------------
+
+
+Quick start: configure per role and per DNS domain name values
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+We will see a quick setup to configure the ``TEMPLATE`` formula for different DNS domain name and several roles.
+
+For this example, I'll define 2 kinds of `fileserver`_ sources:
+
+1. formulas git repositories with hard-coded version reference to avoid breaking my setup randomly at upstream update. they are the last sources where files are looked up
+2. parameters of the formulas in the file backend `roots`_
+
+
+Configure the fileserver backends
+`````````````````````````````````
+
+I configure the `fileserver`_ backends to serve:
+
+1. files from `roots`_ first
+2. `gitfs`_ repositories last
+
+Create the file ``/etc/salt/master.d/fileserver.conf`` and restart the ``master``:
+
+.. code-block:: yaml
+
+    ---
+    ##
+    ## file server
+    ##
+    fileserver_backend:
+      # parameters values and override
+      - roots
+      # formulas
+      - gitfs
+
+    # The files in this directory will take precedence over git repositories
+    file_roots:
+      base:
+        - /srv/salt
+
+    # List of formulas I'm using
+    gitfs_remotes:
+      - https://github.com/saltstack-formulas/template-formula.git:
+        - base: v4.1.1
+      - https://github.com/saltstack-formulas/openssh-formula.git:
+        - base: v2.0.1
+    ...
+
+
+Create per DNS configuration for ``TEMPLATE`` formula
+`````````````````````````````````````````````````````
+
+Now, we can provides the per DNS domain name configuration files for the ``TEMPLATE`` formulas under ``/srv/salt/TEMPLATE/parameters/``.
+
+We create the directory for ``dns:domain`` grain and we add a symlink for the ``domain`` grain which is extracted from the minion ``id``:
+
+.. code-block:: console
+
+    mkdir -p /srv/salt/TEMPLATE/parameters/dns:domain/
+    ln -s dns:domain /srv/salt/TEMPLATE/parameters/domain
+
+We create a configuration for the DNS domain ``example.net`` in ``/srv/salt/TEMPLATE/parameters/dns:domain/example.net.yaml``:
+
+.. code-block:: yaml
+
+    ---
+    values:
+      config: /etc/template-formula-example-net.conf
+    ...
+
+We create another configuration for the DNS domain ``example.com`` in ``/srv/salt/TEMPLATE/parameters/dns:domain/example.com.yaml``:
+
+.. code-block:: yaml
+
+    ---
+    values:
+      config: /etc/template-formula-{{ grains['os_family'] }}.conf
+    ...
+
+
+Create per role configuration for ``TEMPLATE`` formula
+``````````````````````````````````````````````````````
+
+Now, we can provides the per role configuration files for the ``TEMPLATE`` formulas under ``/srv/salt/TEMPLATE/parameters/``.
+
+We create the directory for roles:
+
+.. code-block:: console
+
+    mkdir -p /srv/salt/TEMPLATE/parameters/roles
+
+We will define 2 roles:
+
+- ``TEMPLATE/server``
+- ``TEMPLATE/client``
+
+We create a configuration for the role ``TEMPLATE/server`` in ``/srv/salt/TEMPLATE/parameters/roles/TEMPLATE/server.yaml``:
+
+.. code-block:: yaml
+
+    ---
+    values:
+      config: /etc/template-formula-server.conf
+    ...
+
+We create another configuration for the role ``TEMPLATE/client`` in ``/srv/salt/TEMPLATE/parameters/roles/TEMPLATE/client.yaml``:
+
+.. code-block:: yaml
+
+    ---
+    values:
+      config: /etc/template-formula-client.conf
+    ...
+
+
+Enable roles and the ``dns:domain`` and ``domain`` grains for ``map.jinja``
+```````````````````````````````````````````````````````````````````````````
+
+We need to redefine the sources for ``map.jinja`` to load values from our new configuration files, we provide a global configuration for all our minions.
+
+We create the global parameters file ``/srv/salt/parameters/map_jinja.yaml``:
+
+.. code-block:: yaml
+
+    ---
+    values:
+      map_jinja:
+        sources:
+          # default values
+          - "Y:G@osarch"
+          - "Y:G@os_family"
+          - "Y:G@os"
+          - "Y:G@osfinger"
+          - "C@{{ tplroot ~ ':lookup' }}"
+          - "C@{{ tplroot }}"
+
+          # Roles activate/deactivate things
+          # then thing are configured depending on environment
+          # So roles comes before `dns:domain`, `domain` and `id`
+          - "Y:C@roles"
+
+          # DNS domain configured (DHCP or resolv.conf)
+          - "Y:G@dns:domain"
+
+          # Based on minion ID
+          - "Y:G@domain"
+
+          # default values
+          - "Y:G@id"
+    ...
+
+The syntax is explained later at `Sources of configuration values`_.
+
+
+Bind roles to minions
+`````````````````````
+
+We associate roles `grains`_ to minion using `grains.append`_.
+
+For the servers:
+
+.. code-block:: console
+
+    salt 'server-*' grains.append roles TEMPLATE/server
+
+For the clients:
+
+.. code-block:: console
+
+    salt 'client-*' grains.append roles TEMPLATE/client
+
+.. note::
+
+    Since we used ``Y:C@roles``, ``map.jinja`` will do a ``salt['config.get']('roles')`` to retrieve the roles so you could use any other method to bind roles to minions (`pillars`_ or `SDB`_) but `grains`_ seems to be the prefered method.
+
+Note for Microsoft Windows systems
+``````````````````````````````````
+
+If you have a minion running under windows, you can't use colon ``:`` as a delimiter for grain path query (see `bug 58726`_) in which case you should use an alternate delimiter:
+
+Modify ``/srv/salt/parameters/map_jinja.yaml`` to change the query for ``dns:domain`` to define the `alternate delimiter`_:
+
+.. code-block:: yaml
+
+    ---
+    values:
+      map_jinja:
+        sources:
+          # default values
+          - "Y:G@osarch"
+          - "Y:G@os_family"
+          - "Y:G@os"
+          - "Y:G@osfinger"
+          - "C@{{ tplroot ~ ':lookup' }}"
+          - "C@{{ tplroot }}"
+
+          # Roles activate/deactivate things
+          # then thing are configured depending on environment
+          # So roles comes before `dns:domain`, `domain` and `id`
+          - "Y:C@roles"
+
+          # DNS domain configured (DHCP or resolv.conf)
+          - "Y:G:!@dns!domain"
+
+          # Based on minion ID
+          - "Y:G@domain"
+
+          # default values
+          - "Y:G@id"
+    ...
+
+And then, rename the directory:
+
+.. code-block:: console
+
+    mv /srv/salt/TEMPLATE/parameters/dns:domain/  '/srv/salt/TEMPLATE/parameters/dns!domain/'
+
+
+Format of configuration YAML files
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+When you write a new YAML file, note that it must conform to the following layout:
+
+- a mandatory ``values`` key to store the configuration values
+- two optional keys to configure the use of `salt.slsutil.merge`_
+
+  - an optional ``strategy`` key to configure the merging strategy, for example ``strategy: 'recurse'``, the default is ``smart``
+  - an optional ``merge_lists`` key to configure if lists should be merged or overridden for the ``recurse`` and ``overwrite`` strategy, for example ``merge_lists: 'true'``
+
+Here is a valid example:
+
+.. code-block:: yaml
+
+    ---
+    strategy: 'recurse'
+    merge_lists: 'false'
+    values:
+      pkg:
+        name: 'some-package'
+      config: '/path/to/a/configuration/file'
+    ...
+
+You can use `Jinja`_ as with any SLS files:
+
+.. code-block:: yaml
+
+    ---
+    strategy: 'overwrite'
+    merge_lists: 'true'
+    values:
+      output_dir: /tmp/{{ grains['id'] }}
+    ...
+
+
+Sources of configuration values
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+
+Configuring ``map.jinja`` sources
+`````````````````````````````````
+
+The ``map.jinja`` file uses several sources where to lookup parameter values. The list of sources can be modified by two files:
+
+1. a global ``salt://parameters/map_jinja.yaml``
+2. a per formula ``salt://{{ tplroot }}/parameters/map_jinja.yaml``, it overrides the global configuration
+
+Each source definition has the form ``[<TYPE>[:<OPTION>[:<DELIMITER>]]@]<KEY>`` where ``<TYPE>`` can be one of:
+
+- ``Y`` to load values from YAML files from the `fileserver`_, this is the default when no type is defined
+- ``C`` to lookup values with `salt['config.get']`_
+- ``G`` to lookup values with `salt['grains.get']`_
+- ``I`` to lookup values with `salt['pillar.get']`_
+
+The YAML type option can define the query method to lookup the key value to build the file name:
+
+- ``C`` to query with `salt['config.get']`_, this is the default when no query method is defined
+- ``G`` to query with `salt['grains.get']`_
+- ``I`` to query with `salt['pillar.get']`_
+
+The ``C``, ``G`` or ``I`` types can define the ``SUB`` option to store values in the sub key ``mapdata.<KEY>`` instead of directly in ``mapdata``.
+
+All types can define the ``<DELIMITER>`` option to use an `alternate delimiter`_ of the ``<KEY>``, for example: on windows system you can't use colon ``:`` for YAML file path name and you should use something else like exclamation mark ``!``.
+
+Finally, the ``<KEY>`` describes what to lookup to either build the YAML filename or gather values using one of the query methods.
+
+.. note::
+
+    For the YAML type, if the ``<KEY>`` can't be looked up, then it's used a literal string path to a YAML file, for example: ``any/path/can/be/used/here.yaml`` will result in the loading of ``salt://{{ tplroot }}/parameters/any/path/can/be/used/here.yaml`` if it exists.
+
+The built-in ``map_jinja:sources`` is:
+
+.. code-block:: yaml
+
+    values:
+      map_jinja:
+        sources:
+          - "Y:G@osarch"
+          - "Y:G@os_family"
+          - "Y:G@os"
+          - "Y:G@osfinger"
+          - "C@{{ tplroot ~ ':lookup' }}"
+          - "C@{{ tplroot }}"
+          - "Y:G@id"
+
+This is strictly equivalent to the following ``map_jinja.yaml`` using `Jinja`_:
+
+.. code-block:: sls
+
+    values:
+      map_jinja:
+        sources:
+          - "parameters/osarch/{{ salt['grains.get']('osarch') }}.yaml"
+          - "parameters/os_family/{{ salt['grains.get']('os_family') }}.yaml"
+          - "parameters/os/{{ salt['grains.get']('os') }}.yaml"
+          - "parameters/osfinger/{{ salt['grains.get']('osfinger') }}.yaml"
+          - "C@{{ tplroot ~ ':lookup' }}"
+          - "C@{{ tplroot }}"
+          - "parameters/id/{{ salt['grains.get']('id') }}.yaml"
+
+
+Loading values from the configuration sources
+`````````````````````````````````````````````
+
+For each configuration source defined in ``map_jinja:sources``, ``map.jinja`` will:
+
+#. load values depending on the source type:
+
+   - for YAML file sources
+
+     - if the ``<KEY>`` can be looked up, load values from the YAML file named ``salt://{{ tplroot }}/paramaters/<KEY>/{{ salt['<QUERY_METHOD>']('<KEY>') }}.yaml`` if it exists
+     - otherwise, load the YAML file named ``salt://{{ tplroot }}/parameters/<KEY>.yaml`` if it exists
+
+   - for ``C``, ``G`` or ``I`` source type, lookup the value of ``salt['<QUERY_METHOD>']('<KEY>')``
+
+#. merge the loaded values with the previous ones using `salt.slsutil.merge`_
+
+There will be no error if a YAML file does not exists, they are all optional.
+
+
+Configuration values from ``salt['config.get']``
+````````````````````````````````````````````````
+
+For sources with of type ``C`` declared in ``map_jinja:sources``, you can configure the ``merge`` option of `salt['config.get']`_ by defining per formula ``strategy`` configuration key (retrieved with ``salt['config.get'](tplroot ~ ':strategy')`` with one of the following values:
+
+- ``recurse`` merge recursively dictionaries. Non dictionary values replace already defined values
+- ``overwrite`` new value completely replace old ones
+
+By default, no merging is done, the first value found is returned.
+
+
+Global view of the order of preferences
+```````````````````````````````````````
+
+To summarize, here is a complete example of the load order of formula configuration values for an ``AMD64`` ``Ubuntu 18.04`` minion named ``minion1.example.net`` for the ``libvirt`` formula:
+
+#. ``parameters/defaults.yaml``
+#. ``parameters/osarch/amd64.yaml``
+#. ``parameters/os_family/Debian.yaml``
+#. ``parameters/os/Ubuntu.yaml``
+#. ``parameters/osfinger/Ubuntu-18.04.yaml``
+#. ``salt['config.get']('libvirt:lookup')``
+#. ``salt['config.get']('libvirt')``
+#. ``parameters/id/minion1.example.net``
+
+Remember that the order is important, for example, the value of ``key1:subkey1`` loaded from ``parameters/os_family/Debian.yaml`` is overridden by a value loaded from ``parameters/id/minion1.example.net``.
+
+
+For formula authors and contributors
+------------------------------------
+
+Dependencies
+^^^^^^^^^^^^
+
+``map.jinja`` requires:
+
+- salt minion 2018.3.3 minimum to use the `traverse`_ jinja filter
+- to be located at the root of the formula named directory (e.g. ``libvirt-formula/libvirt/map.jinja``)
+- the ``libsaltcli.jinja`` library, stored in the same directory, to disable the ``merge`` option of `salt['config.get']`_ over `salt-ssh`_
+
+
+Use formula configuration values in ``sls``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The ``map.jinja`` exports a unique ``mapdata`` variable which could be renamed during import.
+
+Here is the best way to use it in an ``sls`` file:
+
+.. code-block:: sls
+
+    {#- Get the `tplroot` from `tpldir` #}
+    {%- set tplroot = tpldir.split("/")[0] %}
+    {%- from tplroot ~ "/map.jinja" import mapdata as TEMPLATE with context %}
+
+    test-does-nothing-but-display-TEMPLATE-as-json:
+      test.nop:
+        - name: {{ TEMPLATE | json }}
+
+
+Use formula configuration values in templates
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+When you need to process salt templates, you should avoid calling `salt['config.get']`_ (or `salt['pillar.get']`_ and `salt['grains.get']`_) directly from the template. All the needed values should be available within the ``mapdata`` variable exported by ``map.jinja``.
+
+Here is an example based on `template-formula/TEMPLATE/config/file.sls`_:
+
+.. code-block:: sls
+
+    # -*- coding: utf-8 -*-
+    # vim: ft=sls
+
+    {#- Get the `tplroot` from `tpldir` #}
+    {%- set tplroot = tpldir.split('/')[0] %}
+    {%- set sls_package_install = tplroot ~ '.package.install' %}
+    {%- from tplroot ~ "/map.jinja" import mapdata as TEMPLATE with context %}
+    {%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
+
+    include:
+      - {{ sls_package_install }}
+
+    TEMPLATE-config-file-file-managed:
+      file.managed:
+        - name: {{ TEMPLATE.config }}
+        - source: {{ files_switch(['example.tmpl'],
+                                  lookup='TEMPLATE-config-file-file-managed'
+                     )
+                  }}
+        - mode: 644
+        - user: root
+        - group: {{ TEMPLATE.rootgroup }}
+        - makedirs: True
+        - template: jinja
+        - require:
+          - sls: {{ sls_package_install }}
+        - context:
+            TEMPLATE: {{ TEMPLATE | json }}
+
+This ``sls`` file expose a ``TEMPLATE`` context variable to the jinja template which could be used like this:
+
+.. code-block:: jinja
+
+    ########################################################################
+    # File managed by Salt at <{{ source }}>.
+    # Your changes will be overwritten.
+    ########################################################################
+
+    This is another example file from SaltStack template-formula.
+
+    # This is here for testing purposes
+    {{ TEMPLATE | json }}
+
+    winner of the merge: {{ TEMPLATE['winner'] }}
+
+
+.. _documentation: https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#writing-formulas
+.. _fileserver: https://docs.saltstack.com/en/latest/ref/file_server
+.. _salt['config.get']: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.config.html#salt.modules.config.get
+.. _salt['grains.get']: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.grains.html#salt.modules.grains.get
+.. _salt['pillar.get']: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.pillar.html#salt.modules.pillar.get
+.. _alternate delimiter: https://docs.saltstack.com/en/latest/topics/targeting/compound.html#alternate-delimiters
+.. _pillar.vault: https://docs.saltstack.com/en/latest/ref/pillar/all/salt.pillar.vault.html
+.. _pillars: https://docs.saltstack.com/en/latest/topics/pillar/
+.. _grains: https://docs.saltstack.com/en/latest/topics/grains/
+.. _grains.append: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.grains.html#salt.modules.grains.append
+.. _SDB: https://docs.saltstack.com/en/latest/topics/sdb/index.html
+.. _sdb.vault: https://docs.saltstack.com/en/latest/ref/sdb/all/salt.sdb.vault.html
+.. _Jinja: https://docs.saltstack.com/en/latest/topics/jinja
+.. _roots: https://docs.saltstack.com/en/latest/ref/file_server/all/salt.fileserver.roots.html
+.. _gitfs: https://docs.saltstack.com/en/latest/topics/tutorials/gitfs.html
+.. _salt.slsutil.merge: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.slsutil.html
+.. _traverse: https://docs.saltstack.com/en/latest/topics/jinja/index.html#traverse
+.. _salt-ssh: https://docs.saltstack.com/en/latest/topics/ssh/
+.. _template-formula/TEMPLATE/config/file.sls: https://github.com/saltstack-formulas/template-formula/blob/master/TEMPLATE/config/file.sls
+.. _bug 58726: https://github.com/saltstack/salt/issues/58726
diff --git a/openvpn/_mapdata/init.sls b/openvpn/_mapdata/init.sls
index adfe9b4..3013d70 100644
--- a/openvpn/_mapdata/init.sls
+++ b/openvpn/_mapdata/init.sls
@@ -3,11 +3,11 @@
 ---
 {#- Get the `tplroot` from `tpldir` #}
 {%- set tplroot = tpldir.split("/")[0] %}
-{%- from tplroot ~ "/map.jinja" import map with context %}
+{%- from tplroot ~ "/map.jinja" import mapdata with context %}
 
 {%- set _mapdata = {
       "values": {
-        "map": map,
+        'map': mapdata
       }
     } %}
 {%- do salt["log.debug"]("### MAP.JINJA DUMP ###\n" ~ _mapdata | yaml(False)) %}
diff --git a/openvpn/config.sls b/openvpn/config.sls
index e9b0964..c2ca506 100644
--- a/openvpn/config.sls
+++ b/openvpn/config.sls
@@ -1,4 +1,4 @@
-{% from "openvpn/map.jinja" import map with context %}
+{%- from "openvpn/map.jinja" import mapdata as map with context %}
 {% from "openvpn/macros.jinja" import multipart_param with context %}
 
 include:
diff --git a/openvpn/dhparams.sls b/openvpn/dhparams.sls
index e82379d..54aa14c 100644
--- a/openvpn/dhparams.sls
+++ b/openvpn/dhparams.sls
@@ -1,4 +1,4 @@
-{%- from "openvpn/map.jinja" import map with context %}
+{%- from "openvpn/map.jinja" import mapdata as map with context %}
 
 # Generate diffie hellman files
 {% if salt['pillar.get']('openvpn:server', False) %}
diff --git a/openvpn/general_config.sls b/openvpn/general_config.sls
index d6a7a27..9b43c83 100644
--- a/openvpn/general_config.sls
+++ b/openvpn/general_config.sls
@@ -1,6 +1,6 @@
 {# This SLS serves only as a capsule to ease handling of dependencies. #}
 
-{% from "openvpn/map.jinja" import map with context %}
+{%- from "openvpn/map.jinja" import mapdata as map with context %}
 
 {%- if map.manage_group is sameas false or map.user in ['nobody', 'nogroup'] %}
 {%-   set manage_group = False %}
diff --git a/openvpn/hardening.sls b/openvpn/hardening.sls
index 639e696..1109a9c 100644
--- a/openvpn/hardening.sls
+++ b/openvpn/hardening.sls
@@ -1,4 +1,4 @@
-{% from "openvpn/map.jinja" import map with context %}
+{%- from "openvpn/map.jinja" import mapdata as map with context %}
 
 include:
     - openvpn.config
diff --git a/openvpn/ifconfig_pool_persist.sls b/openvpn/ifconfig_pool_persist.sls
index b6b43e7..ee7046d 100644
--- a/openvpn/ifconfig_pool_persist.sls
+++ b/openvpn/ifconfig_pool_persist.sls
@@ -1,4 +1,4 @@
-{% from "openvpn/map.jinja" import map with context %}
+{%- from "openvpn/map.jinja" import mapdata as map with context %}
 
 # deploy ifconfig_pool_persist files
 {%- for filename, config in  salt['pillar.get']('openvpn', {}).get('ifconfig_pool_persist', {}).items() %}
diff --git a/openvpn/install.sls b/openvpn/install.sls
index 5e6cc11..2a9e009 100644
--- a/openvpn/install.sls
+++ b/openvpn/install.sls
@@ -1,4 +1,4 @@
-{%- from "openvpn/map.jinja" import map with context %}
+{%- from "openvpn/map.jinja" import mapdata as map with context %}
 
 # Install openvpn packages
 openvpn_pkgs:
diff --git a/openvpn/libmapstack.jinja b/openvpn/libmapstack.jinja
new file mode 100644
index 0000000..7f9ab38
--- /dev/null
+++ b/openvpn/libmapstack.jinja
@@ -0,0 +1,300 @@
+{#- -*- coding: utf-8 -*- #}
+{#- vim: ft=jinja #}
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split("/")[0] %}
+{%- from tplroot ~ "/libmatchers.jinja" import parse_matchers, query_map %}
+
+{%- set _default_config_dirs = [
+      "parameters/",
+      tplroot ~ "/parameters"
+    ] %}
+
+{%- macro mapstack(
+      matchers,
+      defaults=None,
+      dirs=_default_config_dirs,
+      log_prefix="libmapstack: "
+    ) %}
+{#-
+    Load configuration in the order of `matchers` and merge
+    successively the values with `defaults`.
+
+    The `matchers` are processed using `libmatchers.jinja` to select
+    the configuration sources from where the values are loaded.
+
+    Parameters:
+
+      - `matchers`: list of matchers in the form
+        `[<TYPE>[:<OPTION>[:<DELIMITER>]]@]<QUERY>`
+
+      - `defaults`: dictionary of default values to start the merging,
+        they are considered built-ins. It must conform to the same
+        layout as the YAML files: a mandatory `values` key and two
+        optional `strategy` and `merge_lists` keys.
+
+      - `dirs`: list of directory where to look-up the configuration
+        file matching the matchers, by default a global `salt://parameters/`
+        and a per formula `salt://<tplroot>/parameters`
+
+      - `log_prefix`: prefix used in the log outputs, by default it is
+        `libmapstack: `
+
+    Example: On a Debian system with `roles=["nginx/server", "telegraf"]`
+
+      {%- set settings = mapstack(
+            matchers=[
+              "Y:G@os_family",
+              "I@" ~ tplroot,
+              "Y:C@roles",
+            ],
+            dirs=["defaults", tplroot ~ "/parameters"],
+          )
+          | load_yaml %}
+
+      This will merge the values:
+
+        - starting with the default empty dictionary `{}` (no
+          `defaults` parameter)
+
+        - from the YAML files
+
+          - `salt://defaults/os_family/Debian.yaml`
+
+          - `salt://{{ tplroot }}/parameters/os_family/Debian.yaml`
+
+        - from the pillar `salt["pillar.get"](tplroot)`
+
+        - from the `nginx/server` YAML files:
+
+          - `salt://defaults/roles/nginx/server.yaml`
+
+          - `salt://{{ tplroot }}/parameters/roles/nginx/server.yaml`
+
+        - from the `telegraf` YAML files:
+
+          - `salt://defaults/roles/telegraf.yaml`
+
+          - `salt://{{ tplroot }}/parameters/roles/telegraf.yaml`
+
+    Each YAML file and the `defaults` parameters must conform to the
+    following layout:
+
+      - a mandatory `values` key to store the configuration values
+
+      - two optional keys to configure the use of `salt.slsutil.merge`
+
+        - an optional `strategy` key to configure the merging
+          strategy, for example `strategy: 'recurse'`, the default is
+          `smart`
+
+        - an optional `merge_lists` key to configure if lists should
+          be merged or overridden for the `recurse` and `overwrite`
+          strategies, for example `merge_lists: 'true'`
+#}
+{%-   set stack = defaults | default({"values": {} }, boolean=True) %}
+
+{#-   Build configuration file names based on matchers #}
+{%-   set matchers = parse_matchers(
+        matchers,
+        log_prefix=log_prefix
+      )
+      | load_yaml %}
+
+{%-   do salt["log.debug"](
+        log_prefix
+        ~ "built-in configuration:\n"
+        ~ {"values": defaults | traverse("values")}
+        | yaml(False)
+      ) %}
+
+{%-   for param_dir in dirs %}
+{%-     for matcher in matchers %}
+{#-       `slsutil.merge` options from #}
+{#-       1. the `value` #}
+{#-       2. the `defaults` #}
+{#-       3. the built-in #}
+{%-       set strategy = matcher.value
+          | traverse(
+            "strategy",
+            defaults
+            | traverse(
+              "strategy",
+              "smart"
+            )
+          ) %}
+{%-       set merge_lists = matcher.value
+          | traverse(
+            "merge_lists",
+            defaults
+            | traverse(
+              "merge_lists",
+              False
+            )
+          )
+          | to_bool %}
+
+{%-       if matcher.type in query_map.keys() %}
+{#-         No value is an empty list, must be a dict for `stack.update` #}
+{%-         set normalized_value = matcher.value | default({}, boolean=True) %}
+
+{#-         Merge in `mapdata.<query>` instead of directly in `mapdata` #}
+{%-         set is_sub_key = matcher.option | default(False) == "SUB" %}
+{%-         if is_sub_key %}
+{#-           Merge values with `mapdata.<key>`, `<key>` and `<key>:lookup` are merged together #}
+{%-           set value = { matcher.query | regex_replace(":lookup$", ""): normalized_value } %}
+{%-         else %}
+{%-           set value = normalized_value %}
+{%-         endif %}
+
+{%-         do salt["log.debug"](
+              log_prefix
+              ~ "merge "
+              ~ "sub key " * is_sub_key
+              ~ "'"
+              ~ matcher.query
+              ~ "' retrieved with '"
+              ~ matcher.query_method
+              ~ "', merge: strategy='"
+              ~ strategy
+              ~ "', lists='"
+              ~ merge_lists
+              ~ "':\n"
+              ~ value
+              | yaml(False)
+            ) %}
+
+{%-         do stack.update(
+              {
+                "values": salt["slsutil.merge"](
+                  stack["values"],
+                  value,
+                  strategy=strategy,
+                  merge_lists=merge_lists,
+                )
+              }
+            ) %}
+
+{%-       else %}
+{#-         Load YAML file matching the grain/pillar/... #}
+{#-         Fallback to use the source name as a direct filename #}
+
+{%-         if matcher.value | length == 0 %}
+{#-           Mangle `matcher.value` to use it as literal path #}
+{%-           set query_parts = matcher.query.split("/") %}
+{%-           set yaml_dirname = query_parts[0:-1] | join("/") %}
+{%-           set yaml_names = query_parts[-1] %}
+{%-         else %}
+{%-           set yaml_dirname = matcher.query %}
+{%-           set yaml_names = matcher.value %}
+{%-         endif %}
+
+{#-         Some configuration return list #}
+{%-         if yaml_names is string %}
+{%-           set yaml_names = [yaml_names] %}
+{%-         endif %}
+
+{#-         `yaml_dirname` can be an empty string with literal path like `myconf.yaml` #}
+{%-         set yaml_dir = [
+              param_dir,
+              yaml_dirname
+            ]
+            | select
+            | join("/") %}
+
+{%-         for yaml_name in yaml_names %}
+{#-           Make sure to have a `.yaml` extension #}
+{#-           Use `.rpartition` to strip last `.yaml` in `dir.yaml/file.yaml` #}
+{%-           set yaml_filename = [
+                yaml_dir.rstrip("/"),
+                yaml_name.rpartition(".yaml")
+                | reject("equalto", ".yaml")
+                | join
+                ~ ".yaml"
+              ]
+              | select
+              | join("/") %}
+
+{%-           do salt["log.debug"](
+                log_prefix
+                ~ "load configuration values from "
+                ~ yaml_filename
+              ) %}
+{%-           load_yaml as yaml_values %}
+{%-             include yaml_filename ignore missing %}
+{%-           endload %}
+
+{%-           if yaml_values %}
+{%-             do salt["log.debug"](
+                  log_prefix
+                  ~ "loaded configuration values from "
+                  ~ yaml_name
+                  ~ ":\n"
+                  ~ yaml_values
+                  | yaml(False)
+                ) %}
+
+{#-             `slsutil.merge` options from #}
+{#-             1. the `value` #}
+{#-             2. the `defaults` #}
+{#-             3. the built-in #}
+{%-             set strategy = yaml_values
+                  | traverse(
+                    "strategy",
+                    defaults
+                    | traverse(
+                      "strategy",
+                      "smart"
+                    )
+                  ) %}
+{%-             set merge_lists = yaml_values
+                  | traverse(
+                    "merge_lists",
+                    defaults
+                    | traverse(
+                      "merge_lists",
+                      False
+                    )
+                  )
+                  | to_bool %}
+{%-             do stack.update(
+                  {
+                    "values": salt["slsutil.merge"](
+                      stack["values"],
+                      yaml_values
+                      | traverse("values", {}),
+                      strategy=strategy,
+                      merge_lists=merge_lists,
+                    )
+                  }
+                ) %}
+{%-             do salt["log.debug"](
+                  log_prefix
+                  ~ "merged configuration values from "
+                  ~ yaml_name
+                  ~ ", merge: strategy='"
+                  ~ strategy
+                  ~ "', merge_lists='"
+                  ~ merge_lists
+                  ~ "':\n"
+                  ~ {"values": stack["values"]}
+                  | yaml(False)
+                ) %}
+{%-           endif %}
+{%-         endfor %}
+{%-       endif %}
+{%-     endfor %}
+{%-   endfor %}
+
+{%-   do salt["log.debug"](
+        log_prefix
+        ~ "final configuration values:\n"
+        ~ {"values": stack["values"]}
+        | yaml(False)
+      ) %}
+
+{#- Output stack as YAML, caller should use with something like #}
+{#- `{%- set config = mapstack(matchers=["foo"]) | load_yaml %}` #}
+{{ stack | yaml }}
+
+{%- endmacro %}
diff --git a/openvpn/libmatchers.jinja b/openvpn/libmatchers.jinja
new file mode 100644
index 0000000..e9aaed3
--- /dev/null
+++ b/openvpn/libmatchers.jinja
@@ -0,0 +1,222 @@
+{#- -*- coding: utf-8 -*- #}
+{#- vim: ft=jinja #}
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split("/")[0] %}
+{%- from tplroot ~ "/libsaltcli.jinja" import cli %}
+
+{%- set query_map = {
+      "C": "config.get",
+      "G": "grains.get",
+      "I": "pillar.get",
+    } %}
+
+{#- When no part before `@` is provided: #}
+{#-   - define a filename path, noted `F` #}
+{#-   - use `salt["config.get"]`, noted `C` #}
+{#-   - use colon `:` delimiter for querying #}
+{%- set _defaults = {
+      "type": "F",
+      "query_type": "C",
+      "query_delimiter": ":"
+    } %}
+
+{%- macro parse_matchers(
+      matchers,
+      config_get_strategy=None,
+      log_prefix="libmatchers: "
+    ) %}
+{#-   matcher format is `[<TYPE>[:<OPTION>[:DELIMITER]]@]<KEY>` #}
+{#-   each matcher has a type: #}
+{#-   - `F` to build a file name (the default when no type is set) #}
+{#-   - `C` to lookup values with `config.get` #}
+{#-   - `G` to lookup values with `grains.get` #}
+{#-   - `I` to lookup values with `pillar.get` #}
+{#-   The `FILE` type option can define query type to build the file name: #}
+{#-   - `C` for query with `config.get` (the default when to query type is set) #}
+{#-   - `G` for query with `grains.get` #}
+{#-   - `I` for query with `pillar.get` #}
+{#-   With `DELIMITER`, you can choose a different delimiter when doing queries #}
+{%-   set parsed_matchers = [] %}
+{%-   for matcher in matchers %}
+{%-     do salt["log.debug"](
+          log_prefix
+          ~ "process matcher: '"
+          ~ matcher
+          ~ "'"
+        ) %}
+
+{%-     set parsed = {} %}
+{%-     set matcher_parts = matcher.split('@') %}
+{%-     if matcher_parts | length == 1 %}
+{#-       By default we load YAML files for config looked up by `config.get` #}
+{%-       do parsed.update(
+            {
+              "type": _defaults["type"],
+              "option": None,
+              "query_method": query_map[_defaults["query_type"]],
+              "query_delimiter": _defaults["query_delimiter"],
+              "query": matcher
+            }
+          ) %}
+{%-       do salt["log.debug"](
+            log_prefix
+            ~ "use built-in defaults for matcher:\n"
+            ~ parsed
+            | yaml(False)
+            | indent(4, True)
+          ) %}
+{%-     else %}
+{%-       do salt["log.debug"](
+            log_prefix
+            ~ "parse matcher: '"
+            ~ matcher
+            ~ "'"
+          ) %}
+{%-       set metadatas = matcher_parts[0].split(":") %}
+{%-       do parsed.update(
+            {
+              "query": matcher_parts[1]
+            }
+          ) %}
+{%-       if metadatas | length == 1 %}
+{%-         do parsed.update(
+              {
+                "type": metadatas[0],
+                "option": "C",
+                "query_delimiter": ":"
+              }
+            ) %}
+{%-         do salt["log.debug"](
+              log_prefix
+              ~ "parse as 1 metadata matcher:\n"
+              ~ parsed
+              | yaml(False)
+              | indent(4, True)
+            ) %}
+{%-       elif metadatas | length == 2 %}
+{%-         do parsed.update(
+              {
+                "type": metadatas[0],
+                "option": metadatas[1],
+                "query_delimiter": ":"
+              }
+            ) %}
+{%-         do salt["log.debug"](
+              log_prefix
+              ~ "parse as 2 metadata matcher:\n"
+              ~ parsed
+              | yaml(False)
+              | indent(4, True)
+            ) %}
+{%-       elif metadatas | length == 3 %}
+{%-         do parsed.update(
+              {
+                "type": metadatas[0],
+                "option": metadatas[1],
+                "query_delimiter": metadatas[2] | default(":", boolean=True)
+              }
+            ) %}
+{%-         do salt["log.debug"](
+              log_prefix
+              ~ "parse as 3 metadata matcher:\n"
+              ~ parsed
+              | yaml(False)
+              | indent(4, True)
+            ) %}
+{%-       elif metadatas | length == 4 %}
+{#-         The delimiter is `:` #}
+{%-         do parsed.update(
+              {
+                "type": metadatas[0],
+                "option": metadatas[1],
+                "query_delimiter": ":"
+              }
+            ) %}
+{%-         do salt["log.debug"](
+              log_prefix
+              ~ "parse as 4 metadata matcher:\n"
+              ~ parsed
+              | yaml(False)
+              | indent(4, True)
+            ) %}
+{%-       endif %}
+{%-     endif %}
+
+{#-     The `<OPTION>` has different meaning based on type #}
+{%-     if query_map.get(parsed.type, False) %}
+{%-       do parsed.update(
+            {
+              "query_method": query_map[parsed.type]
+            }
+          ) %}
+{%-     else %}
+{%-       do parsed.update(
+            {
+              "query_method": query_map[
+                parsed.option
+                | default("C", boolean=True)
+              ]
+            }
+          ) %}
+{%-     endif %}
+
+{#-     Add `merge:` option to `salt["config.get"]` if configured #}
+{%-     if cli in ["minion", "local"] and parsed.query_method == "config.get" and config_get_strategy %}
+{%-       set query_opts = {
+            "merge": config_get_strategy,
+            "delimiter": parsed.query_delimiter,
+          } %}
+{%-       set query_opts_msg = (
+            ", delimiter='"
+            ~ parsed.query_delimiter
+            ~ "', merge: strategy='"
+            ~ config_get_strategy
+            ~ "'"
+          ) %}
+{%-     else %}
+{%-       if cli not in ["minion", "local"] %}
+{%-         do salt["log.error"](
+              log_prefix
+              ~ "the 'delimiter' and 'merge' options of 'config.get' are skipped when the salt command type is '"
+              ~ cli
+              ~ "'"
+            ) %}
+{%-       endif %}
+{%-       set query_opts = {} %}
+{%-       set query_opts_msg = "" %}
+{%-     endif %}
+
+{%-     do salt["log.debug"](
+          log_prefix
+          ~ "lookup '"
+          ~ parsed.query
+          ~ "' with '"
+          ~ parsed.query_method
+          ~ "'"
+          ~ query_opts_msg
+        ) %}
+{%-     set values = salt[parsed.query_method](
+          parsed.query,
+          default=[],
+          **query_opts
+        ) %}
+{%-     do parsed.update(
+          {
+            "value": values
+          }
+        ) %}
+
+{%-     do parsed_matchers.append(parsed) %}
+
+{%-   endfor %}
+{%-   do salt["log.debug"](
+        log_prefix
+        ~ "parsed matchers:\n"
+        ~ parsed_matchers
+        | yaml(False)
+        | indent(4, True)
+      ) %}
+
+{{ parsed_matchers | yaml }}
+{%- endmacro %}
diff --git a/openvpn/libsaltcli.jinja b/openvpn/libsaltcli.jinja
new file mode 100644
index 0000000..5c3593e
--- /dev/null
+++ b/openvpn/libsaltcli.jinja
@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+# vim: ft=jinja
+
+{#- Get the relevant values from the `opts` dict #}
+{%- set opts_cli = opts.get('__cli', '') %}
+{%- set opts_masteropts_cli = opts | traverse('__master_opts__:__cli', '') %}
+
+{#- Determine the type of salt command being run #}
+{%- if opts_cli == 'salt-minion' %}
+{%-   set cli = 'minion' %}
+{%- elif opts_cli == 'salt-call' %}
+{%-   set cli = 'ssh' if opts_masteropts_cli in ('salt-ssh', 'salt-master') else 'local' %}
+{%- else %}
+{%-   set cli = 'unknown' %}
+{%- endif %}
+{%- do salt['log.debug']('[libsaltcli] the salt command type has been identified to be: ' ~ cli) %}
diff --git a/openvpn/map.jinja b/openvpn/map.jinja
index 6052fbf..9fdba2b 100644
--- a/openvpn/map.jinja
+++ b/openvpn/map.jinja
@@ -1,24 +1,61 @@
-{% import_yaml "openvpn/defaults.yaml" as defaults %}
-{% import_yaml "openvpn/osfamilymap.yaml" as osfamilymap %}
-{% import_yaml "openvpn/osmap.yaml" as osmap %}
-{% import_yaml "openvpn/osfingermap.yaml" as osfingermap %}
-
-{% do defaults.openvpn.update({'multi_services': salt['grains.has_value']('systemd')}) %}
-
-{% set map = salt['grains.filter_by'](
-    defaults,
-    merge=salt['grains.filter_by'](
-        osfamilymap,
-        grain='os_family',
-        merge=salt['grains.filter_by'](
-            osmap,
-            grain='os',
-            merge=salt['grains.filter_by'](
-                osfingermap,
-                grain='os',
-                merge=salt['pillar.get']('openvpn:lookup', {}),
-            ),
-        ),
-    ),
-    base='openvpn')
- %}
+# -*- coding: utf-8 -*-
+# vim: ft=jinja
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split("/")[0] %}
+{%- from tplroot ~ "/libmapstack.jinja" import mapstack %}
+
+{#- Where to lookup parameters source files #}
+{%- set formula_param_dir = tplroot ~ "/parameters" %}
+
+{#- List of sources to lookup for parameters #}
+{#- Fallback to previously used grains plus minion `id` #}
+{%- set map_sources = [
+      "Y:G@osarch",
+      "Y:G@os_family",
+      "Y:G@os",
+      "Y:G@osfinger",
+      "C@" ~ tplroot ~ ":lookup",
+      "C@" ~ tplroot,
+      "Y:G@id",
+    ] %}
+
+{%- set _map_settings = mapstack(
+      matchers=["map_jinja.yaml"],
+      defaults={
+        "values": {"sources": map_sources}
+      },
+      log_prefix="map.jinja configuration: ",
+    )
+    | load_yaml %}
+
+{%- set map_sources = _map_settings | traverse("values:sources") %}
+{%- do salt["log.debug"](
+      "map.jinja: load parameters from sources:\n"
+      ~ map_sources
+      | yaml(False)
+    ) %}
+
+{#- Load formula parameters values #}
+{%- set _formula_matchers = ["defaults.yaml"] + map_sources %}
+{%- set _formula_settings = mapstack(
+      matchers=_formula_matchers,
+      dirs=[formula_param_dir],
+      defaults={
+        "values": {},
+        "merge_strategy": salt["config.get"](tplroot ~ ":strategy", None),
+        "merge_lists": salt["config.get"](tplroot ~ ":merge_lists", False),
+      },
+      log_prefix="map.jinja: ",
+    )
+    | load_yaml %}
+
+{#- Make sure to track `map.jinja` configuration with `_mapdata` #}
+{%- do _formula_settings["values"].update(
+      {
+        "map_jinja": _map_settings["values"]
+      }
+    ) %}
+
+{%- do salt["log.debug"]("map.jinja: save parameters in variable 'mapdata'") %}
+{%- set mapdata = _formula_settings["values"] %}
diff --git a/openvpn/network_manager_networks/files/connection.jinja b/openvpn/network_manager_networks/files/connection.jinja
index 4e08a9a..e031c7e 100644
--- a/openvpn/network_manager_networks/files/connection.jinja
+++ b/openvpn/network_manager_networks/files/connection.jinja
@@ -1,5 +1,5 @@
 {%- from "openvpn/macros.jinja" import multipart_param with context -%}
-{%- from "openvpn/map.jinja" import map with context %}
+{%- from "openvpn/map.jinja" import mapdata as map with context %}
 
 {%- macro pairs(data) -%}
 {%-   for key, value in data|dictsort -%}
diff --git a/openvpn/network_manager_networks/init.sls b/openvpn/network_manager_networks/init.sls
index 41cdfc4..05466e6 100644
--- a/openvpn/network_manager_networks/init.sls
+++ b/openvpn/network_manager_networks/init.sls
@@ -1,4 +1,4 @@
-{% from "openvpn/map.jinja" import map with context %}
+{%- from "openvpn/map.jinja" import mapdata as map with context %}
 
 include:
   - openvpn.repo
diff --git a/openvpn/osfamilymap.yaml b/openvpn/osfamilymap.yaml
deleted file mode 100644
index 03acdec..0000000
--- a/openvpn/osfamilymap.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# -*- coding: utf-8 -*-
-# vim: ft=yaml
----
-Arch:
-  pkgs:
-    - openvpn
-    - easy-rsa
-Debian:
-  group: nogroup
-  log_user: root
-  client:
-    conf_dir: /etc/openvpn/client
-    service: openvpn-client
-  server:
-    conf_dir: /etc/openvpn/server
-    service: openvpn-server
-RedHat:
-  pkgs:
-    - openvpn
-    - openssl
-FreeBSD:
-  conf_dir: /usr/local/etc/openvpn
-  group: openvpn
-  multi_services: true
-  user: openvpn
-  manage_user: false
-  manage_group: false
-Windows:
-  bin_dir: C:\Program Files\OpenVPN\bin\
-  conf_dir: C:\Program Files\OpenVPN\config
-  conf_ext: ovpn
-  service: OpenVPNServiceInteractive
diff --git a/openvpn/osfingermap.yaml b/openvpn/osfingermap.yaml
deleted file mode 100644
index 1a8c218..0000000
--- a/openvpn/osfingermap.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-# -*- coding: utf-8 -*-
-# vim: ft=yaml
----
-CentOS-6:
-  multi_services: false
diff --git a/openvpn/osmap.yaml b/openvpn/osmap.yaml
deleted file mode 100644
index 014b245..0000000
--- a/openvpn/osmap.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# -*- coding: utf-8 -*-
-# vim: ft=yaml
----
-Debian:
-  external_repo_supported:
-    - wheezy
-    - jessie
-    - stretch
-Fedora:
-  client:
-    conf_dir: /etc/openvpn/client
-    service: openvpn-client
-  server:
-    conf_dir: /etc/openvpn/server
-    service: openvpn-server
-Ubuntu:
-  external_repo_supported:
-    - precise
-    - trusty
-    - xenial
diff --git a/openvpn/defaults.yaml b/openvpn/parameters/defaults.yaml
similarity index 83%
rename from openvpn/defaults.yaml
rename to openvpn/parameters/defaults.yaml
index 5f48ab9..c8f563c 100644
--- a/openvpn/defaults.yaml
+++ b/openvpn/parameters/defaults.yaml
@@ -1,7 +1,8 @@
+# yamllint disable-file
 # -*- coding: utf-8 -*-
 # vim: ft=yaml
 ---
-openvpn:
+values:
   bin_dir: ~
   conf_dir: /etc/openvpn
   conf_ext: conf
@@ -13,7 +14,7 @@ openvpn:
   group: nobody
   # None, will default to 'user'
   log_user: ~
-  multi_services: false
+  multi_services: {{ salt['grains.has_value']('systemd') }}
   pkgs: ['openvpn']
   service: openvpn
   service_function: running
@@ -21,3 +22,4 @@ openvpn:
   network_manager_pkgs:
     - network-manager-openvpn
     - network-manager-openvpn-gnome
+...
diff --git a/openvpn/parameters/map_jinja.yaml b/openvpn/parameters/map_jinja.yaml
new file mode 100644
index 0000000..389892e
--- /dev/null
+++ b/openvpn/parameters/map_jinja.yaml
@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Formula specific configuration of `map.jinja`
+---
+values:
+  sources:
+    - "Y:G@osarch"
+    - "Y:G@os_family"
+    - "Y:G@os"
+    - "Y:G@osfinger"
+
+    # For compatibility, don't merge `salt["config.get"]("openvpn")`
+    - "C@openvpn:lookup"
+
+    - "Y:G@id"
+...
diff --git a/openvpn/parameters/os/Debian.yaml b/openvpn/parameters/os/Debian.yaml
new file mode 100644
index 0000000..357a6ea
--- /dev/null
+++ b/openvpn/parameters/os/Debian.yaml
@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables specific to salt['config.get']('os') == Debian.
+# You just need to add the key:values for this `os` that differ
+# from `defaults.yaml` + `<osarch>.yaml` + `<os_family>.yaml`.
+#
+# If you do not need to provide defaults via the `os` config,
+# you can remove this file or provide at least an empty dict, e.g.
+# values: {}
+---
+values:
+  external_repo_supported:
+    - wheezy
+    - jessie
+    - stretch
+...
diff --git a/openvpn/parameters/os/Fedora.yaml b/openvpn/parameters/os/Fedora.yaml
new file mode 100644
index 0000000..75ca1d6
--- /dev/null
+++ b/openvpn/parameters/os/Fedora.yaml
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables specific to salt['config.get']('os') == Fedora.
+# You just need to add the key:values for this `os` that differ
+# from `defaults.yaml` + `<osarch>.yaml` + `<os_family>.yaml`.
+#
+# If you do not need to provide defaults via the `os` config,
+# you can remove this file or provide at least an empty dict, e.g.
+# values: {}
+---
+values:
+  client:
+    conf_dir: /etc/openvpn/client
+    service: openvpn-client
+  server:
+    conf_dir: /etc/openvpn/server
+    service: openvpn-server
+...
diff --git a/openvpn/parameters/os/Ubuntu.yaml b/openvpn/parameters/os/Ubuntu.yaml
new file mode 100644
index 0000000..76d0ea6
--- /dev/null
+++ b/openvpn/parameters/os/Ubuntu.yaml
@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables specific to salt['config.get']('os') == Ubuntu.
+# You just need to add the key:values for this `os` that differ
+# from `defaults.yaml` + `<osarch>.yaml` + `<os_family>.yaml`.
+#
+# If you do not need to provide defaults via the `os` config,
+# you can remove this file or provide at least an empty dict, e.g.
+# values: {}
+---
+values:
+  external_repo_supported:
+    - precise
+    - trusty
+    - xenial
+...
diff --git a/openvpn/parameters/os_family/Arch.yaml b/openvpn/parameters/os_family/Arch.yaml
new file mode 100644
index 0000000..0172da7
--- /dev/null
+++ b/openvpn/parameters/os_family/Arch.yaml
@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables specific to salt['config.get']('os_family') == Arch.
+# You just need to add the key:values for this `os_family` that differ
+# from `defaults.yaml` + `<osarch>.yaml`.
+#
+# If you do not need to provide defaults via the `os_family` config,
+# you can remove this file or provide at least an empty dict, e.g.
+# values: {}
+---
+values:
+  pkgs:
+    - openvpn
+    - easy-rsa
+...
diff --git a/openvpn/parameters/os_family/Debian.yaml b/openvpn/parameters/os_family/Debian.yaml
new file mode 100644
index 0000000..7064f7a
--- /dev/null
+++ b/openvpn/parameters/os_family/Debian.yaml
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables specific to salt['config.get']('os_family') == Debian.
+# You just need to add the key:values for this `os_family` that differ
+# from `defaults.yaml` + `<osarch>.yaml`.
+#
+# If you do not need to provide defaults via the `os_family` config,
+# you can remove this file or provide at least an empty dict, e.g.
+# values: {}
+---
+values:
+  group: nogroup
+  log_user: root
+  client:
+    conf_dir: /etc/openvpn/client
+    service: openvpn-client
+  server:
+    conf_dir: /etc/openvpn/server
+    service: openvpn-server
+...
diff --git a/openvpn/parameters/os_family/FreeBSD.yaml b/openvpn/parameters/os_family/FreeBSD.yaml
new file mode 100644
index 0000000..8ed7381
--- /dev/null
+++ b/openvpn/parameters/os_family/FreeBSD.yaml
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables specific to salt['config.get']('os_family') == FreeBSD.
+# You just need to add the key:values for this `os_family` that differ
+# from `defaults.yaml` + `<osarch>.yaml`.
+#
+# If you do not need to provide defaults via the `os_family` config,
+# you can remove this file or provide at least an empty dict, e.g.
+# values: {}
+---
+values:
+  conf_dir: /usr/local/etc/openvpn
+  group: openvpn
+  multi_services: true
+  user: openvpn
+  manage_user: false
+  manage_group: false
+...
diff --git a/openvpn/parameters/os_family/RedHat.yaml b/openvpn/parameters/os_family/RedHat.yaml
new file mode 100644
index 0000000..d41ba76
--- /dev/null
+++ b/openvpn/parameters/os_family/RedHat.yaml
@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables specific to salt['config.get']('os_family') == RedHat.
+# You just need to add the key:values for this `os_family` that differ
+# from `defaults.yaml` + `<osarch>.yaml`.
+#
+# If you do not need to provide defaults via the `os_family` config,
+# you can remove this file or provide at least an empty dict, e.g.
+# values: {}
+---
+values:
+  pkgs:
+    - openvpn
+    - openssl
+...
diff --git a/openvpn/parameters/os_family/Windows.yaml b/openvpn/parameters/os_family/Windows.yaml
new file mode 100644
index 0000000..1f149ed
--- /dev/null
+++ b/openvpn/parameters/os_family/Windows.yaml
@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables specific to salt['config.get']('os_family') == Windows.
+# You just need to add the key:values for this `os_family` that differ
+# from `defaults.yaml` + `<osarch>.yaml`.
+#
+# If you do not need to provide defaults via the `os_family` config,
+# you can remove this file or provide at least an empty dict, e.g.
+# values: {}
+---
+values:
+  bin_dir: C:\Program Files\OpenVPN\bin\
+  conf_dir: C:\Program Files\OpenVPN\config
+  conf_ext: ovpn
+  service: OpenVPNServiceInteractive
+...
diff --git a/openvpn/parameters/osfinger/CentOS-6.yaml b/openvpn/parameters/osfinger/CentOS-6.yaml
new file mode 100644
index 0000000..a215e1c
--- /dev/null
+++ b/openvpn/parameters/osfinger/CentOS-6.yaml
@@ -0,0 +1,14 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables specific to salt['config.get']('osfinger') == CentOS-6.
+# You just need to add the key:values for this `osfinger` that differ
+# from `defaults.yaml`.
+#
+# If you do not need to provide defaults via the `osfinger` config,
+# you can remove this file or provide at least an empty dict, e.g.
+# values: {}
+---
+values:
+  multi_services: false
+...
diff --git a/openvpn/repo.sls b/openvpn/repo.sls
index f4d373a..4744ede 100644
--- a/openvpn/repo.sls
+++ b/openvpn/repo.sls
@@ -1,4 +1,4 @@
-{%- from "openvpn/map.jinja" import map with context %}
+{%- from "openvpn/map.jinja" import mapdata as map with context %}
 
 include:
   - openvpn.install
diff --git a/openvpn/service.sls b/openvpn/service.sls
index 726a6c9..92f46df 100644
--- a/openvpn/service.sls
+++ b/openvpn/service.sls
@@ -1,6 +1,6 @@
 # Ensure openvpn service is running and autostart is enabled
 
-{% from "openvpn/map.jinja" import map with context %}
+{%- from "openvpn/map.jinja" import mapdata as map with context %}
 
 
 {% if map.multi_services %}
diff --git a/test/integration/default/files/_mapdata/amazonlinux-1.yaml b/test/integration/default/files/_mapdata/amazonlinux-1.yaml
index 7f04475..2a18884 100644
--- a/test/integration/default/files/_mapdata/amazonlinux-1.yaml
+++ b/test/integration/default/files/_mapdata/amazonlinux-1.yaml
@@ -16,6 +16,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: false
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/amazonlinux-2.yaml b/test/integration/default/files/_mapdata/amazonlinux-2.yaml
index 640f306..bb02db1 100644
--- a/test/integration/default/files/_mapdata/amazonlinux-2.yaml
+++ b/test/integration/default/files/_mapdata/amazonlinux-2.yaml
@@ -16,6 +16,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/arch-base-latest.yaml b/test/integration/default/files/_mapdata/arch-base-latest.yaml
index fb6f431..fa35c74 100644
--- a/test/integration/default/files/_mapdata/arch-base-latest.yaml
+++ b/test/integration/default/files/_mapdata/arch-base-latest.yaml
@@ -16,6 +16,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/centos-6.yaml b/test/integration/default/files/_mapdata/centos-6.yaml
index 3f1dbc0..ba7caa4 100644
--- a/test/integration/default/files/_mapdata/centos-6.yaml
+++ b/test/integration/default/files/_mapdata/centos-6.yaml
@@ -16,6 +16,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: false
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/centos-7.yaml b/test/integration/default/files/_mapdata/centos-7.yaml
index b6e1a46..952f76a 100644
--- a/test/integration/default/files/_mapdata/centos-7.yaml
+++ b/test/integration/default/files/_mapdata/centos-7.yaml
@@ -16,6 +16,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/centos-8.yaml b/test/integration/default/files/_mapdata/centos-8.yaml
index cdccc7d..ad29898 100644
--- a/test/integration/default/files/_mapdata/centos-8.yaml
+++ b/test/integration/default/files/_mapdata/centos-8.yaml
@@ -16,6 +16,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/debian-10.yaml b/test/integration/default/files/_mapdata/debian-10.yaml
index 30eabe5..1f874ce 100644
--- a/test/integration/default/files/_mapdata/debian-10.yaml
+++ b/test/integration/default/files/_mapdata/debian-10.yaml
@@ -22,6 +22,14 @@ values:
     log_user: root
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/debian-9.yaml b/test/integration/default/files/_mapdata/debian-9.yaml
index e6abe97..b1442e4 100644
--- a/test/integration/default/files/_mapdata/debian-9.yaml
+++ b/test/integration/default/files/_mapdata/debian-9.yaml
@@ -22,6 +22,14 @@ values:
     log_user: root
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/fedora-31.yaml b/test/integration/default/files/_mapdata/fedora-31.yaml
index 5f8e221..8a6b575 100644
--- a/test/integration/default/files/_mapdata/fedora-31.yaml
+++ b/test/integration/default/files/_mapdata/fedora-31.yaml
@@ -19,6 +19,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/fedora-32.yaml b/test/integration/default/files/_mapdata/fedora-32.yaml
index d187ce7..8af12d0 100644
--- a/test/integration/default/files/_mapdata/fedora-32.yaml
+++ b/test/integration/default/files/_mapdata/fedora-32.yaml
@@ -19,6 +19,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/fedora-33.yaml b/test/integration/default/files/_mapdata/fedora-33.yaml
index 447156c..b3913e0 100644
--- a/test/integration/default/files/_mapdata/fedora-33.yaml
+++ b/test/integration/default/files/_mapdata/fedora-33.yaml
@@ -19,6 +19,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/gentoo-2-sysd.yaml b/test/integration/default/files/_mapdata/gentoo-2-sysd.yaml
index afd2936..bf7523b 100644
--- a/test/integration/default/files/_mapdata/gentoo-2-sysd.yaml
+++ b/test/integration/default/files/_mapdata/gentoo-2-sysd.yaml
@@ -16,6 +16,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/gentoo-2-sysv.yaml b/test/integration/default/files/_mapdata/gentoo-2-sysv.yaml
index 57d4492..43615e4 100644
--- a/test/integration/default/files/_mapdata/gentoo-2-sysv.yaml
+++ b/test/integration/default/files/_mapdata/gentoo-2-sysv.yaml
@@ -16,6 +16,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: false
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/opensuse-15.yaml b/test/integration/default/files/_mapdata/opensuse-15.yaml
index 07ca4a5..5f16bcb 100644
--- a/test/integration/default/files/_mapdata/opensuse-15.yaml
+++ b/test/integration/default/files/_mapdata/opensuse-15.yaml
@@ -16,6 +16,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/oraclelinux-7.yaml b/test/integration/default/files/_mapdata/oraclelinux-7.yaml
index dd2c79f..74cf61b 100644
--- a/test/integration/default/files/_mapdata/oraclelinux-7.yaml
+++ b/test/integration/default/files/_mapdata/oraclelinux-7.yaml
@@ -16,6 +16,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/oraclelinux-8.yaml b/test/integration/default/files/_mapdata/oraclelinux-8.yaml
index b525443..b1b8d3e 100644
--- a/test/integration/default/files/_mapdata/oraclelinux-8.yaml
+++ b/test/integration/default/files/_mapdata/oraclelinux-8.yaml
@@ -16,6 +16,14 @@ values:
     log_user: null
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/ubuntu-16.yaml b/test/integration/default/files/_mapdata/ubuntu-16.yaml
index affbfcd..9eaef6b 100644
--- a/test/integration/default/files/_mapdata/ubuntu-16.yaml
+++ b/test/integration/default/files/_mapdata/ubuntu-16.yaml
@@ -22,6 +22,14 @@ values:
     log_user: root
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/ubuntu-18.yaml b/test/integration/default/files/_mapdata/ubuntu-18.yaml
index 6e93f42..a206c6c 100644
--- a/test/integration/default/files/_mapdata/ubuntu-18.yaml
+++ b/test/integration/default/files/_mapdata/ubuntu-18.yaml
@@ -22,6 +22,14 @@ values:
     log_user: root
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/ubuntu-20.yaml b/test/integration/default/files/_mapdata/ubuntu-20.yaml
index e951a20..dc40ef6 100644
--- a/test/integration/default/files/_mapdata/ubuntu-20.yaml
+++ b/test/integration/default/files/_mapdata/ubuntu-20.yaml
@@ -22,6 +22,14 @@ values:
     log_user: root
     manage_group: true
     manage_user: true
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: true
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/windows-2019-server.yaml b/test/integration/default/files/_mapdata/windows-2019-server.yaml
index 4a31a91..407ce8f 100644
--- a/test/integration/default/files/_mapdata/windows-2019-server.yaml
+++ b/test/integration/default/files/_mapdata/windows-2019-server.yaml
@@ -14,6 +14,14 @@ values:
     external_repo_version: stable
     group: nobody
     log_user: null
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: false
     network_manager_pkgs:
     - network-manager-openvpn
diff --git a/test/integration/default/files/_mapdata/windows-8.yaml b/test/integration/default/files/_mapdata/windows-8.yaml
index 88163ae..f82b578 100644
--- a/test/integration/default/files/_mapdata/windows-8.yaml
+++ b/test/integration/default/files/_mapdata/windows-8.yaml
@@ -14,6 +14,14 @@ values:
     external_repo_version: stable
     group: nobody
     log_user: null
+    map_jinja:
+      sources:
+      - Y:G@osarch
+      - Y:G@os_family
+      - Y:G@os
+      - Y:G@osfinger
+      - C@openvpn:lookup
+      - Y:G@id
     multi_services: false
     network_manager_pkgs:
     - network-manager-openvpn