Merge pull request 'Set up lndhub.go' (#457) from feature/454-lndhub.go into master

Reviewed-on: #457

data_bags/credentials/lndhub-go.json

@@ -0,0 +1,24 @@
+{
+  "id": "lndhub-go",
+  "jwt_secret": {
+    "encrypted_data": "cFost8pLsoJ/8Gp5m/TgN8xjMkvk0oZuEZ3XfxDIaYjOVYi3fEX8\n",
+    "iv": "47gV4v/D+10B6xqu\n",
+    "auth_tag": "MKEyVFfJ3f5pxWRSyMH4Rw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "postgresql_password": {
+    "encrypted_data": "YSMEIWdZn08lyrZeJNAUZ5xwKhWHESa1A5MojKJ/5iiE\n",
+    "iv": "0mlURPOohnKbG+i8\n",
+    "auth_tag": "bqIOqFEEIxA99wlvpTqxFA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "admin_token": {
+    "encrypted_data": "Jv2vQySZT9qn87g24IOYK1dpfSbZoUE/8VtZhzljQGIL\n",
+    "iv": "kjtrzmjTFKQq+nTV\n",
+    "auth_tag": "3YbOzU/ndVARbHTU1hoa9g==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

environments/production.json

@@ -4,7 +4,10 @@
     "garage": {
       "replication_mode": "2",
       "s3_api_root_domain": ".s3.garage.kosmos.org",
-      "s3_web_root_domain": ".web.garage.kosmos.org"
+      "s3_web_root_domain": ".web.garage.kosmos.org",
+      "s3_web_domains": [
+        "s3.kosmos.social"
+      ]
     },
     "gitea": {
       "postgresql_host": "pg.kosmos.local:5432",
@@ -23,4 +26,4 @@
       ]
     }
   }
-}
+}

nodes/akkounts-1.json

@@ -12,7 +12,9 @@
     "hostname": "akkounts-1",
     "ipaddress": "192.168.122.160",
     "roles": [
+      "base",
       "kvm_guest",
+      "ldap_client",
       "akkounts",
       "postgresql_client"
     ],
@@ -20,6 +22,7 @@
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
+      "kosmos-dirsrv::hostsfile",
       "kosmos_postgresql::hostsfile",
       "kosmos-akkounts",
       "kosmos-akkounts::default",
@@ -46,7 +49,6 @@
       "redis::default",
       "backup::default",
       "logrotate::default",
-      "kosmos-dirsrv::hostsfile",
       "nodejs::npm",
       "nodejs::install",
       "kosmos-nginx::default",
@@ -83,4 +85,4 @@
     "role[ldap_client]",
     "role[akkounts]"
   ]
-}
+}

nodes/bitcoin-2.json

@@ -12,9 +12,14 @@
     "hostname": "bitcoin-2",
     "ipaddress": "192.168.122.148",
     "roles": [
+      "base",
       "kvm_guest",
-      "btcpay",
-      "postgresql_client"
+      "bitcoind",
+      "cln",
+      "lnd",
+      "lndhub",
+      "postgresql_client",
+      "btcpay"
     ],
     "recipes": [
       "kosmos-base",
@@ -22,14 +27,16 @@
       "kosmos_kvm::guest",
       "tor-full",
       "tor-full::default",
-      "kosmos-bitcoin::source",
+      "kosmos-bitcoin::bitcoind",
       "kosmos-bitcoin::c-lightning",
       "kosmos-bitcoin::lnd",
       "kosmos-bitcoin::lnd-scb-s3",
       "kosmos-bitcoin::boltz",
       "kosmos-bitcoin::rtl",
-      "kosmos-bitcoin::lndhub",
+      "kosmos-bitcoin::peerswap-lnd",
       "kosmos_postgresql::hostsfile",
+      "kosmos-bitcoin::lndhub",
+      "kosmos-bitcoin::lndhub-go",
       "kosmos-bitcoin::dotnet",
       "kosmos-bitcoin::nbxplorer",
       "kosmos-bitcoin::btcpay",
@@ -70,7 +77,6 @@
       "redisio::disable_os_default",
       "redisio::configure",
       "redisio::enable",
-      "kosmos-base::letsencrypt",
       "kosmos-nginx::default",
       "nginx::default",
       "nginx::package",
@@ -80,7 +86,8 @@
       "nginx::commons_dir",
       "nginx::commons_script",
       "nginx::commons_conf",
-      "kosmos-nginx::firewall"
+      "kosmos-nginx::firewall",
+      "kosmos-base::letsencrypt"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
@@ -97,16 +104,13 @@
     }
   },
   "run_list": [
-    "recipe[kosmos-base]",
+    "role[base]",
     "role[kvm_guest]",
     "recipe[tor-full]",
-    "recipe[kosmos-bitcoin::source]",
-    "recipe[kosmos-bitcoin::c-lightning]",
-    "recipe[kosmos-bitcoin::lnd]",
-    "recipe[kosmos-bitcoin::lnd-scb-s3]",
-    "recipe[kosmos-bitcoin::boltz]",
-    "recipe[kosmos-bitcoin::rtl]",
-    "recipe[kosmos-bitcoin::lndhub]",
+    "role[bitcoind]",
+    "role[cln]",
+    "role[lnd]",
+    "role[lndhub]",
     "role[btcpay]"
   ]
 }

nodes/fornax.kosmos.org.json

@@ -31,20 +31,21 @@
       "kosmos_assets::nginx_site",
       "kosmos_discourse::nginx",
       "kosmos_drone::nginx",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::nginx_web",
       "kosmos_gitea::nginx",
       "kosmos_website",
       "kosmos_website::default",
       "kosmos-akkounts::nginx_api",
+      "kosmos-bitcoin::nginx_lndhub",
       "kosmos-ejabberd::nginx",
       "kosmos-hubot::nginx_botka_irc-libera-chat",
       "kosmos-hubot::nginx_hal8000_xmpp",
       "kosmos-ipfs::nginx_public_gateway",
       "kosmos-mastodon::nginx",
       "remotestorage_discourse::nginx",
-      "kosmos_garage",
-      "kosmos_garage::default",
-      "kosmos_garage::firewall_rpc",
-      "kosmos_garage::nginx_web",
       "kosmos_zerotier::controller",
       "kosmos_zerotier::firewall",
       "kosmos_zerotier::zncui",
@@ -73,11 +74,11 @@
       "nginx::commons_conf",
       "kosmos-nginx::firewall",
       "discourse::nginx",
+      "firewall::default",
+      "chef-sugar::default",
       "git::default",
       "git::package",
       "kosmos-base::letsencrypt",
-      "firewall::default",
-      "chef-sugar::default",
       "fail2ban::default"
     ],
     "platform": "ubuntu",

nodes/postgres-2.json

@@ -21,8 +21,10 @@
       "kosmos_kvm::guest",
       "kosmos_postgresql::primary",
       "kosmos_postgresql::firewall",
-      "kosmos_gitea::pg_db",
+      "kosmos-bitcoin::lndhub-go_pg_db",
       "kosmos_drone::pg_db",
+      "kosmos_gitea::pg_db",
+      "kosmos-mastodon::pg_db",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",

roles/bitcoind.rb

@@ -0,0 +1,5 @@
+name "bitcoind"
+
+run_list %w(
+  kosmos-bitcoin::bitcoind
+)

roles/cln.rb

@@ -0,0 +1,5 @@
+name "cln"
+
+run_list %w(
+  kosmos-bitcoin::c-lightning
+)

roles/lnd.rb

@@ -0,0 +1,9 @@
+name "lnd"
+
+run_list %w(
+  kosmos-bitcoin::lnd
+  kosmos-bitcoin::lnd-scb-s3
+  kosmos-bitcoin::boltz
+  kosmos-bitcoin::rtl
+  kosmos-bitcoin::peerswap-lnd
+)

roles/lndhub.rb

@@ -0,0 +1,7 @@
+name "lndhub"
+
+run_list %w(
+  role[postgresql_client]
+  kosmos-bitcoin::lndhub
+  kosmos-bitcoin::lndhub-go
+)

roles/nginx_proxy.rb

@@ -18,18 +18,19 @@ default_run_list = %w(
   kosmos_assets::nginx_site
   kosmos_discourse::nginx
   kosmos_drone::nginx
+  kosmos_garage::default
+  kosmos_garage::firewall_rpc
+  kosmos_garage::nginx_web
   kosmos_gitea::nginx
   kosmos_website::default
   kosmos-akkounts::nginx_api
+  kosmos-bitcoin::nginx_lndhub
   kosmos-ejabberd::nginx
   kosmos-hubot::nginx_botka_irc-libera-chat
   kosmos-hubot::nginx_hal8000_xmpp
   kosmos-ipfs::nginx_public_gateway
   kosmos-mastodon::nginx
   remotestorage_discourse::nginx
-  kosmos_garage::default
-  kosmos_garage::firewall_rpc
-  kosmos_garage::nginx_web
 )
 
 env_run_lists(

roles/postgresql_primary.rb

@@ -3,7 +3,8 @@ name "postgresql_primary"
 run_list %w(
   kosmos_postgresql::primary
   kosmos_postgresql::firewall
-  kosmos_gitea::pg_db
+  kosmos-bitcoin::lndhub-go_pg_db
   kosmos_drone::pg_db
+  kosmos_gitea::pg_db
   kosmos-mastodon::pg_db
 )

site-cookbooks/kosmos-akkounts/attributes/default.rb

@@ -1,5 +1,5 @@
 node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git'
-node.default['akkounts']['revision'] = 'master'
+node.default['akkounts']['revision'] = 'feature/73-lndhub-go'
 node.default['akkounts']['port'] = 3000
 node.default['akkounts']['domain'] = 'accounts.kosmos.org'
 

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -79,6 +79,26 @@ node.default['lndhub']['revision'] = 'master'
 node.default['lndhub']['port'] = '3023'
 node.default['lndhub']['domain'] = 'lndhub.kosmos.org'
 
+node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
+node.default['lndhub-go']['revision'] = '0.12.0'
+node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
+node.default['lndhub-go']['port'] = 3026
+node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
+node.default['lndhub-go']['postgres']['database'] = 'lndhub'
+node.default['lndhub-go']['postgres']['user'] = 'lndhub'
+node.default['lndhub-go']['postgres']['port'] = 5432
+node.default['lndhub-go']['default_rate_limit'] = 20
+node.default['lndhub-go']['strict_rate_limit'] =  1
+node.default['lndhub-go']['burst_rate_limit'] =  10
+node.default['lndhub-go']['branding'] = {
+  'title' => 'LndHub - Kosmos Lightning',
+  'desc' => 'Kosmos accounts for the Lightning Network',
+  'url' => 'https://lndhub.kosmos.org',
+  'logo' => 'https://assets.kosmos.org/img/icon-lndhub-400px.png',
+  'favicon' => 'https://kosmos.org/favicon.ico',
+  'footer' => 'about=https://kosmos.org'
+}
+
 node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb"
 node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
 
@@ -98,3 +118,7 @@ node.default["btcpay"]["domain"] = 'btcpay.kosmos.org'
 node.default['btcpay']['postgres']['port'] = 5432
 node.default['btcpay']['postgres']['database'] = 'btcpayserver'
 node.default['btcpay']['postgres']['user'] = 'satoshi'
+
+node.default['peerswap']['repo'] = 'https://github.com/ElementsProject/peerswap.git'
+node.default['peerswap']['revision'] = 'master'
+node.default['peerswap-lnd']['source_dir'] = '/opt/peerswap'

site-cookbooks/kosmos-bitcoin/metadata.rb

@@ -7,25 +7,15 @@ long_description 'Installs/configures bitcoin-related software'
 version '0.1.0'
 chef_version '>= 14.0'
 
-# The `issues_url` points to the location where issues for this cookbook are
-# tracked.  A `View Issues` link will be displayed on this cookbook's page when
-# uploaded to a Supermarket.
-#
-# issues_url 'https://github.com/<insert_org_here>/kosmos-bitcoin/issues'
-
-# The `source_url` points to the development repository for this cookbook.  A
-# `View Source` link will be displayed on this cookbook's page when uploaded to
-# a Supermarket.
-#
-# source_url 'https://github.com/<insert_org_here>/kosmos-bitcoin'
-
+depends 'application_javascript'
 depends 'ark'
 depends 'backup'
+depends 'firewall'
 depends 'git'
 depends 'golang'
 depends 'kosmos-nginx'
 depends 'kosmos-nodejs'
-depends 'firewall'
-depends 'application_javascript'
-depends 'tor-full'
+depends 'kosmos_postgresql'
+depends 'postgresql'
 depends 'redisio'
+depends 'tor-full'

site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb

@@ -1,6 +1,6 @@
 #
 # Cookbook:: kosmos-bitcoin
-# Recipe:: source
+# Recipe:: bitcoind
 #
 
 build_essential

site-cookbooks/kosmos-bitcoin/recipes/golang.rb

@@ -1,6 +1,6 @@
 #
 # Cookbook:: kosmos-bitcoin
-# Recipe:: boltz
+# Recipe:: golang
 #
 # Internal recipe for managing the Go installation in one place
 #

site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb

@@ -0,0 +1,107 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: lndhub-go
+#
+
+include_recipe 'git'
+include_recipe 'kosmos-bitcoin::golang'
+include_recipe 'kosmos-bitcoin::user'
+
+bitcoin_user  = node['bitcoin']['username']
+bitcoin_group = node['bitcoin']['usergroup']
+lnd_dir       = node['lnd']['lnd_dir']
+lncli_bin     = '/opt/go/bin/lncli'
+source_dir    = node['lndhub-go']['source_dir']
+macaroon_path = "#{lnd_dir}/data/lndhub.macaroon"
+credentials   = data_bag_item('credentials', 'lndhub-go')
+postgres_host = "pg.kosmos.local"
+postgres_user = node['lndhub-go']['postgres']['user']
+postgres_db   = node['lndhub-go']['postgres']['database']
+postgres_port = node['lndhub-go']['postgres']['port']
+
+git source_dir do
+  repository node['lndhub-go']['repo']
+  revision node['lndhub-go']['revision']
+  action :sync
+  notifies :run, 'bash[compile_lndhub-go]', :immediately
+end
+
+bash 'compile_lndhub-go' do
+  cwd source_dir
+  code 'make'
+  action :nothing
+  notifies :restart, 'service[lndhub-go]', :delayed
+end
+
+bash 'bake_lndhub_macaroon' do
+  user bitcoin_user
+  cwd lnd_dir
+  code "#{lncli_bin} bakemacaroon --save_to=./data/lndhub.macaroon info:read invoices:read invoices:write offchain:read offchain:write"
+  not_if { File.exist?(macaroon_path) }
+end
+
+template "#{source_dir}/.env" do
+  source 'lndhub-go.env.erb'
+  owner bitcoin_user
+  group bitcoin_group
+  mode 0600
+  sensitive true
+  variables config: {
+    database_uri: "postgresql://#{postgres_user}:#{credentials['postgresql_password']}@#{postgres_host}:#{postgres_port}/#{postgres_db}?sslmode=disable",
+    jwt_secret: credentials['jwt_secret'],
+    lnd_address: 'localhost:10009', # gRPC address,
+    lnd_macaroon_file: macaroon_path,
+    lnd_cert_file:  "#{lnd_dir}/tls.cert",
+    custom_name: node['lndhub-go']['domain'],
+    port: node['lndhub-go']['port'],
+    admin_token: credentials['admin_token'],
+    default_rate_limit: node['lndhub-go']['default_rate_limit'],
+    strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
+    burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
+    branding: node['lndhub-go']['branding']
+  }
+  notifies :restart, 'service[lndhub-go]', :delayed
+end
+
+systemd_unit 'lndhub-go.service' do
+  content({
+    Unit: {
+      Description: 'LndHub compatible API written in Go',
+      Documentation: ['https://github.com/getAlby/lndhub.go/blob/main/README.md'],
+      Requires: 'lnd.service',
+      After: 'lnd.service'
+    },
+    Service: {
+      User: bitcoin_user,
+      Group: bitcoin_group,
+      Type: 'simple',
+      WorkingDirectory: source_dir,
+      ExecStart: "#{source_dir}/lndhub",
+      Restart: 'always',
+      RestartSec: '10',
+      TimeoutSec: '60',
+      PrivateTmp: true,
+      ProtectSystem: 'full',
+      NoNewPrivileges: true,
+      PrivateDevices: true,
+      MemoryDenyWriteExecute: true
+    },
+    Install: {
+      WantedBy: 'multi-user.target'
+    }
+  })
+  verify false
+  triggers_reload true
+  action [:create, :enable, :start]
+end
+
+service 'lndhub-go' do
+  action :nothing
+end
+
+firewall_rule 'lndhub-go' do
+  port     node['lndhub-go']['port']
+  source   '10.1.1.0/24'
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-bitcoin/recipes/lndhub-go_pg_db.rb

@@ -0,0 +1,19 @@
+#
+# Cookbook Name:: kosmos-bitcoin
+# Recipe:: lndhub-go_pg_db
+#
+
+credentials = data_bag_item('credentials', 'lndhub-go')
+
+postgres_user = node['lndhub-go']['postgres']['user']
+postgres_db   = node['lndhub-go']['postgres']['database']
+
+postgresql_user postgres_user do
+  action :create
+  password credentials['postgresql_password']
+end
+
+postgresql_database postgres_db do
+  owner postgres_user
+  action :create
+end

site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb

@@ -90,27 +90,7 @@ firewall_rule 'lndhub_private' do
   command  :allow
 end
 
-unless node.chef_environment == "development"
-  include_recipe "kosmos-base::letsencrypt"
-  include_recipe "kosmos-nginx"
+return if node.chef_environment == "development"
 
-  nginx_certbot_site node[app_name]['domain']
-
-  template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do
-    source 'nginx_conf_lndhub.erb'
-    owner node["nginx"]["user"]
-    mode 0640
-    variables port: node[app_name]['port'],
-              server_name:  node[app_name]['domain'],
-              ssl_cert:     "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem",
-              ssl_key:      "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem"
-    notifies :reload, 'service[nginx]', :delayed
-  end
-
-  nginx_site node[app_name]['domain'] do
-    action :enable
-  end
-
-  node.override["backup"]["archives"]["lndhub"] = ["/var/lib/redis/dump-6379.rdb"]
-  include_recipe "backup"
-end
+node.override["backup"]["archives"]["lndhub"] = ["/var/lib/redis/dump-6379.rdb"]
+include_recipe "backup"

site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb

@@ -0,0 +1,29 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: nginx_lndhub
+#
+
+include_recipe "kosmos-base::letsencrypt"
+include_recipe "kosmos-nginx"
+
+domain = node['lndhub-go']['domain']
+
+nginx_certbot_site domain
+
+upstream_host = search(:node, "role:lndhub").first["knife_zero"]["host"]
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+  source 'nginx_conf_lndhub.erb'
+  owner node["nginx"]["user"]
+  mode 0640
+  variables port: node['lndhub-go']['port'],
+            server_name: domain,
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:  "/etc/letsencrypt/live/#{domain}/privkey.pem",
+            upstream_host: upstream_host
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+  action :enable
+end

site-cookbooks/kosmos-bitcoin/recipes/peerswap-lnd.rb

@@ -0,0 +1,86 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: peerswap-lnd
+#
+
+include_recipe 'git'
+include_recipe 'kosmos-bitcoin::golang'
+include_recipe 'kosmos-bitcoin::user'
+
+bitcoin_user  = node['bitcoin']['username']
+bitcoin_group = node['bitcoin']['usergroup']
+lnd_dir       = node['lnd']['lnd_dir']
+macaroon_path = "#{lnd_dir}/data/chain/bitcoin/#{node['bitcoin']['network']}/admin.macaroon"
+source_dir    = node['peerswap-lnd']['source_dir']
+config_dir    = "/home/#{bitcoin_user}/.peerswap"
+
+directory config_dir do
+  owner bitcoin_user
+  group bitcoin_group
+  mode '0700'
+  action :create
+end
+
+git source_dir do
+  repository node['peerswap']['repo']
+  revision node['peerswap']['revision']
+  action :sync
+  notifies :run, 'bash[compile_peerswap]', :immediately
+end
+
+bash 'compile_peerswap' do
+  cwd source_dir
+  environment 'GOPATH' => '/opt/go'
+  code 'make lnd-release'
+  action :run
+  notifies :restart, 'service[peerswap]', :delayed
+end
+
+template "#{config_dir}/peerswap.conf" do
+  source 'peerswap-lnd.conf.erb'
+  owner bitcoin_user
+  group bitcoin_group
+  mode 0600
+  sensitive true
+  variables config: {
+    tlscertpath:  "#{lnd_dir}/tls.cert",
+    macaroonpath: macaroon_path
+  }
+  notifies :restart, 'service[peerswap]', :delayed
+end
+
+systemd_unit 'peerswap.service' do
+  content({
+    Unit: {
+      Description: 'PeerSwap Lightning channel balancing',
+      Documentation: ['https://github.com/ElementsProject/peerswap'],
+      Requires: 'lnd.service',
+      After: 'lnd.service'
+    },
+    Service: {
+      User: bitcoin_user,
+      Group: bitcoin_group,
+      Type: 'simple',
+      WorkingDirectory: source_dir,
+      ExecStart: "/opt/go/bin/peerswapd",
+      Restart: 'always',
+      RestartSec: '10',
+      TimeoutSec: '60',
+      PrivateTmp: true,
+      ProtectSystem: 'full',
+      NoNewPrivileges: true,
+      PrivateDevices: true,
+      MemoryDenyWriteExecute: true
+    },
+    Install: {
+      WantedBy: 'multi-user.target'
+    }
+  })
+  verify false
+  triggers_reload true
+  action [:create, :enable, :start]
+end
+
+service 'peerswap' do
+  action :nothing
+end

site-cookbooks/kosmos-bitcoin/templates/lndhub-go.env.erb

@@ -0,0 +1,9 @@
+<% @config.each do |key, value| %>
+<% if value.is_a?(Hash) %>
+<% value.each do |k, v| %>
+<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
+<% end %>
+<% else %>
+<%= key.upcase %>=<%= value.to_s %>
+<% end %>
+<% end %>

site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb

@@ -2,10 +2,9 @@
 # Generated by Chef
 #
 upstream _lndhub {
-  server localhost:<%= @port %>;
+  server <%= @upstream_host || "localhost" %>:<%= @port %>;
 }
 
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
   listen 443 ssl http2;
   server_name <%= @server_name %>;
@@ -16,10 +15,13 @@ server {
   error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
 
   location / {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Host $http_host;
+    proxy_redirect off;
     proxy_pass http://_lndhub;
-   }
+  }
 
   ssl_certificate <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 }
-<% end -%>

site-cookbooks/kosmos-bitcoin/templates/peerswap-lnd.conf.erb

@@ -0,0 +1,3 @@
+<% @config.each do |k, v| %>
+<%= "lnd.#{k}=#{v}" %>
+<% end %>

site-cookbooks/kosmos_garage/attributes/default.rb

@@ -1,5 +1,6 @@
 node.default['garage']['version']            = '0.8.0'
 node.default['garage']['checksum']['amd64']  = '66dd2ea1f677281a43e10eb619523b1b269f8fde9047ce8caa70958f3b13ca74'
+node.default['garage']['replication_mode']   = 'none'
 node.default['garage']['s3_api_port']        = 3900
 node.default['garage']['rpc_port']           = 3901
 node.default['garage']['s3_web_port']        = 3902
@@ -7,4 +8,4 @@ node.default['garage']['admin_port']         = 3903
 node.default['garage']['k2v_api_port']       = 3904
 node.default['garage']['s3_api_root_domain'] = '.s3.garage.localhost'
 node.default['garage']['s3_web_root_domain'] = '.web.garage.localhost'
-node.default['garage']['replication_mode']   = 'none'
+node.default['garage']['s3_web_domains']     = []

site-cookbooks/kosmos_garage/recipes/nginx_web.rb

@@ -0,0 +1,26 @@
+#
+# Cookbook Name:: kosmos_garage
+# Recipe:: nginx_web
+#
+
+include_recipe "kosmos-nginx"
+
+domains = node['garage']['s3_web_domains']
+
+domains.each do |server_name|
+  nginx_certbot_site server_name
+
+  template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
+    source 'nginx_conf_web.erb'
+    owner 'www-data'
+    mode 0640
+    variables server_name:         server_name,
+              ssl_cert:            "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+              ssl_key:             "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+    notifies :reload, 'service[nginx]', :delayed
+  end
+
+  nginx_site server_name do
+    action :enable
+  end
+end

site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb

@@ -0,0 +1,33 @@
+upstream garage_web {
+  server localhost:3902;
+}
+
+proxy_cache_path /var/cache/nginx/garage levels=1:2 keys_zone=garage_cache:10m
+                 max_size=1g inactive=60m use_temp_path=off;
+
+server {
+  listen 443 http2 ssl;
+  listen [::]:443 http2 ssl;
+
+  server_name <%= @server_name %>;
+
+  access_log off;
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  error_page 401 403 404 500 /__empty-page.html;
+
+  location = /__empty-page.html {
+    internal;
+    return 200 "";
+  }
+
+  location / {
+    proxy_intercept_errors on;
+    proxy_cache garage_cache;
+    proxy_pass http://garage_web;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $host;
+  }
+}

site-cookbooks/kosmos_postgresql/libraries/helpers.rb

@@ -1,7 +1,7 @@
 class Chef
   class Recipe
     def postgresql_primary
-      postgresql_primary = search(:node, "role:postgresql_primary AND chef_environment:#{node.chef_environment}").first
+      postgresql_primary = search(:node, "role:postgresql_primary").first
 
       unless postgresql_primary.nil?
         primary_ip = ip_for(postgresql_primary)