From 7d11450c4e87bdafb8c7f838152d18a97afa1c83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Sun, 11 Dec 2022 14:30:27 +0100
Subject: [PATCH 01/15] Set up lndhub.go closes #454
---
 data_bags/credentials/lndhub-go.json | 24 +++++
 nodes/bitcoin-2.json | 12 ++-
 nodes/postgres-2.json | 4 +-
 roles/postgresql_primary.rb | 3 +-
 .../kosmos-bitcoin/attributes/default.rb | 9 ++
 site-cookbooks/kosmos-bitcoin/metadata.rb | 20 +---
 .../kosmos-bitcoin/recipes/lndhub-go.rb | 98 +++++++++++++++++++
 .../kosmos-bitcoin/recipes/lndhub-go_pg_db.rb | 19 ++++
 .../templates/lndhub-go.env.erb | 3 +
 9 files changed, 171 insertions(+), 21 deletions(-)
 create mode 100644 data_bags/credentials/lndhub-go.json
 create mode 100644 site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
 create mode 100644 site-cookbooks/kosmos-bitcoin/recipes/lndhub-go_pg_db.rb
 create mode 100644 site-cookbooks/kosmos-bitcoin/templates/lndhub-go.env.erb
diff --git a/data_bags/credentials/lndhub-go.json b/data_bags/credentials/lndhub-go.json
new file mode 100644
index 0000000..d61ccc9
--- /dev/null
+++ b/data_bags/credentials/lndhub-go.json
@@ -0,0 +1,24 @@
+{
+ "id": "lndhub-go",
+ "jwt_secret": {
+ "encrypted_data": "cFost8pLsoJ/8Gp5m/TgN8xjMkvk0oZuEZ3XfxDIaYjOVYi3fEX8\n",
+ "iv": "47gV4v/D+10B6xqu\n",
+ "auth_tag": "MKEyVFfJ3f5pxWRSyMH4Rw==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "postgresql_password": {
+ "encrypted_data": "YSMEIWdZn08lyrZeJNAUZ5xwKhWHESa1A5MojKJ/5iiE\n",
+ "iv": "0mlURPOohnKbG+i8\n",
+ "auth_tag": "bqIOqFEEIxA99wlvpTqxFA==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "admin_token": {
+ "encrypted_data": "Jv2vQySZT9qn87g24IOYK1dpfSbZoUE/8VtZhzljQGIL\n",
+ "iv": "kjtrzmjTFKQq+nTV\n",
+ "auth_tag": "3YbOzU/ndVARbHTU1hoa9g==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/nodes/bitcoin-2.json b/nodes/bitcoin-2.json
index 6112db0..0e458c8 100644
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@@ -12,14 +12,16 @@
 "hostname": "bitcoin-2",
 "ipaddress": "192.168.122.148",
 "roles": [
+ "base",
 "kvm_guest",
- "btcpay",
- "postgresql_client"
+ "postgresql_client",
+ "btcpay"
 ],
 "recipes": [
 "kosmos-base",
 "kosmos-base::default",
 "kosmos_kvm::guest",
+ "kosmos_postgresql::hostsfile",
 "tor-full",
 "tor-full::default",
 "kosmos-bitcoin::source",
@@ -29,7 +31,7 @@
 "kosmos-bitcoin::boltz",
 "kosmos-bitcoin::rtl",
 "kosmos-bitcoin::lndhub",
- "kosmos_postgresql::hostsfile",
+ "kosmos-bitcoin::lndhub-go",
 "kosmos-bitcoin::dotnet",
 "kosmos-bitcoin::nbxplorer",
 "kosmos-bitcoin::btcpay",
@@ -97,8 +99,9 @@
 }
 },
 "run_list": [
- "recipe[kosmos-base]",
+ "role[base]",
 "role[kvm_guest]",
+ "role[postgresql_client]",
 "recipe[tor-full]",
 "recipe[kosmos-bitcoin::source]",
 "recipe[kosmos-bitcoin::c-lightning]",
@@ -107,6 +110,7 @@
 "recipe[kosmos-bitcoin::boltz]",
 "recipe[kosmos-bitcoin::rtl]",
 "recipe[kosmos-bitcoin::lndhub]",
+ "recipe[kosmos-bitcoin::lndhub-go]",
 "role[btcpay]"
 ]
 }
\ No newline at end of file
diff --git a/nodes/postgres-2.json b/nodes/postgres-2.json
index 6cc24a9..2ddf554 100644
--- a/nodes/postgres-2.json
+++ b/nodes/postgres-2.json
@@ -21,8 +21,10 @@
 "kosmos_kvm::guest",
 "kosmos_postgresql::primary",
 "kosmos_postgresql::firewall",
- "kosmos_gitea::pg_db",
+ "kosmos-bitcoin::lndhub-go_pg_db",
 "kosmos_drone::pg_db",
+ "kosmos_gitea::pg_db",
+ "kosmos-mastodon::pg_db",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
diff --git a/roles/postgresql_primary.rb b/roles/postgresql_primary.rb
index 183da14..9854b01 100644
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@@ -3,7 +3,8 @@ name "postgresql_primary"
 run_list %w(
 kosmos_postgresql::primary
 kosmos_postgresql::firewall
- kosmos_gitea::pg_db
+ kosmos-bitcoin::lndhub-go_pg_db
 kosmos_drone::pg_db
+ kosmos_gitea::pg_db
 kosmos-mastodon::pg_db
 )
diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index 26efdd9..0786a61 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -79,6 +79,15 @@ node.default['lndhub']['revision'] = 'master'
 node.default['lndhub']['port'] = '3023'
 node.default['lndhub']['domain'] = 'lndhub.kosmos.org'
+node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
+node.default['lndhub-go']['revision'] = '0.11.0'
+node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
+node.default['lndhub-go']['port'] = 3026
+node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
+node.default['lndhub-go']['postgres']['database'] = 'lndhub'
+node.default['lndhub-go']['postgres']['user'] = 'lndhub'
+node.default['lndhub-go']['postgres']['port'] = 5432
+
 node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb"
 node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
diff --git a/site-cookbooks/kosmos-bitcoin/metadata.rb b/site-cookbooks/kosmos-bitcoin/metadata.rb
index 8f58ce4..cfea78c 100644
--- a/site-cookbooks/kosmos-bitcoin/metadata.rb
+++ b/site-cookbooks/kosmos-bitcoin/metadata.rb
@@ -7,25 +7,15 @@ long_description 'Installs/configures bitcoin-related software'
 version '0.1.0'
 chef_version '>= 14.0'
-# The `issues_url` points to the location where issues for this cookbook are
-# tracked. A `View Issues` link will be displayed on this cookbook's page when
-# uploaded to a Supermarket.
-#
-# issues_url 'https://github.com//kosmos-bitcoin/issues'
-
-# The `source_url` points to the development repository for this cookbook. A
-# `View Source` link will be displayed on this cookbook's page when uploaded to
-# a Supermarket.
-#
-# source_url 'https://github.com//kosmos-bitcoin'
-
+depends 'application_javascript'
 depends 'ark'
 depends 'backup'
+depends 'firewall'
 depends 'git'
 depends 'golang'
 depends 'kosmos-nginx'
 depends 'kosmos-nodejs'
-depends 'firewall'
-depends 'application_javascript'
-depends 'tor-full'
+depends 'kosmos_postgresql'
+depends 'postgresql'
 depends 'redisio'
+depends 'tor-full'
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
new file mode 100644
index 0000000..f529d02
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
@@ -0,0 +1,98 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: lndhub-go
+#
+
+include_recipe 'git'
+include_recipe 'kosmos-bitcoin::golang'
+
+bitcoin_user = node['bitcoin']['username']
+bitcoin_group = node['bitcoin']['usergroup']
+lnd_dir = node['lnd']['lnd_dir']
+lncli_bin = "/opt/go/bin/lncli"
+source_dir = node['lndhub-go']['source_dir']
+macaroon_path = "#{lnd_dir}/data/lndhub.macaroon"
+credentials = data_bag_item('credentials', 'lndhub-go')
+postgres_host = "pg.kosmos.local"
+postgres_user = node['lndhub-go']['postgres']['user']
+postgres_db = node['lndhub-go']['postgres']['database']
+postgres_port = node['lndhub-go']['postgres']['port']
+
+git source_dir do
+ repository node['lndhub-go']['repo']
+ revision node['lndhub-go']['revision']
+ action :sync
+ notifies :run, 'bash[compile_lndhub-go]', :immediately
+end
+
+bash 'compile_lndhub-go' do
+ cwd node['lndhub-go']['source_dir']
+ code "make"
+ action :nothing
+ notifies :restart, "systemd_unit[lndhub-go.service]", :delayed
+end
+
+bash 'bake_lndhub_macaroon' do
+ user bitcoin_user
+ cwd lnd_dir
+ code "#{lncli_bin} bakemacaroon --save_to=./data/lndhub.macaroon info:read invoices:read invoices:write offchain:read offchain:write"
+ not_if { File.exist?(macaroon_path) }
+end
+
+template "#{source_dir}/.env" do
+ source 'lndhub-go.env.erb'
+ owner bitcoin_user
+ group bitcoin_group
+ mode 0600
+ sensitive true
+ variables config: {
+ database_uri: "postgresql://#{postgres_user}:#{credentials['postgresql_password']}@#{postgres_host}:#{postgres_port}/#{postgres_db}?sslmode=disable",
+ jwt_secret: credentials['jwt_secret'],
+ lnd_address: 'localhost:10009', # gRPC address,
+ lnd_macaroon_file: macaroon_path,
+ lnd_cert_file: "#{lnd_dir}/tls.cert",
+ custom_name: node['lndhub-go']['domain'],
+ port: node['lndhub-go']['port'],
+ admin_token: credentials['admin_token']
+ }
+ notifies :restart, 'service[lndhub-go]', :delayed
+end
+
+systemd_unit 'lndhub-go.service' do
+ content({
+ Unit: {
+ Description: 'LndHub
compatible API written in Go',
+ Documentation: ['https://github.com/getAlby/lndhub.go/blob/main/README.md'],
+ Requires: 'lnd.service',
+ After: 'lnd.service'
+ },
+ Service: {
+ User: bitcoin_user,
+ Group: bitcoin_group,
+ Type: 'simple',
+ WorkingDirectory: source_dir,
+ ExecStart: "#{source_dir}/lndhub",
+ Restart: 'always',
+ RestartSec: '10',
+ TimeoutSec: '60',
+ PrivateTmp: true,
+ ProtectSystem: 'full',
+ NoNewPrivileges: true,
+ PrivateDevices: true,
+ MemoryDenyWriteExecute: true
+ },
+ Install: {
+ WantedBy: 'multi-user.target'
+ }
+ })
+ verify false
+ triggers_reload true
+ action [:create, :enable, :start]
+end
+
+firewall_rule 'lndhub-go' do
+ port node['lndhub-go']['port']
+ source "10.1.1.0/24"
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go_pg_db.rb b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go_pg_db.rb
new file mode 100644
index 0000000..b18d8b8
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go_pg_db.rb
@@ -0,0 +1,19 @@
+#
+# Cookbook Name:: kosmos-bitcoin
+# Recipe:: lndhub-go_pg_db
+#
+
+credentials = data_bag_item('credentials', 'lndhub-go')
+
+postgres_user = node['lndhub-go']['postgres']['user']
+postgres_db = node['lndhub-go']['postgres']['database']
+
+postgresql_user postgres_user do
+ action :create
+ password credentials['postgresql_password']
+end
+
+postgresql_database postgres_db do
+ owner postgres_user
+ action :create
+end
diff --git a/site-cookbooks/kosmos-bitcoin/templates/lndhub-go.env.erb b/site-cookbooks/kosmos-bitcoin/templates/lndhub-go.env.erb
new file mode 100644
index 0000000..e467ef6
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/templates/lndhub-go.env.erb
@@ -0,0 +1,3 @@
+<% @config.each do |key, value| %>
+<%= key.upcase %>=<%= value.to_s %>
+<% end %>
From 379a503dd00735feb1a02cd39c18178f32279b5a Mon Sep 17 00:00:00 2001
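Review bot: The `database_uri` passed to the `.env` template in recipes/lndhub-go.rb hard-codes `?sslmode=disable`, so the lndhub database password and every wallet query travel unencrypted between this node and `pg.kosmos.local`. If the primary accepts TLS, `sslmode=require` (or `verify-full` with a known CA) would be the safer default, ideally driven by a node attribute. The password is also interpolated into the URI unescaped, so a value containing `@`, `/` or `:` yields a malformed or misparsed URI; `ERB::Util.url_encode(credentials['postgresql_password'])` avoids that.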
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Thu, 22 Dec 2022 19:33:25 +0700
Subject: [PATCH 02/15] Move lndhub nginx site to proxy And configure for lndhub-go. Also configure branding for public lndhub dashboard
---
 .../kosmos-bitcoin/attributes/default.rb | 8 +++++
 .../kosmos-bitcoin/recipes/lndhub-go.rb | 7 ++++-
 .../kosmos-bitcoin/recipes/lndhub.rb | 26 ++---------------
 .../kosmos-bitcoin/recipes/nginx_lndhub.rb | 29 +++++++++++++++++++
 .../templates/lndhub-go.env.erb | 6 ++++
 .../templates/nginx_conf_lndhub.erb | 10 ++++---
 6 files changed, 57 insertions(+), 29 deletions(-)
 create mode 100644 site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb
diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index 0786a61..af75e8d 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -87,6 +87,14 @@ node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
 node.default['lndhub-go']['postgres']['database'] = 'lndhub'
 node.default['lndhub-go']['postgres']['user'] = 'lndhub'
 node.default['lndhub-go']['postgres']['port'] = 5432
+node.default['lndhub-go']['branding'] = {
+ 'title' => 'LndHub - Kosmos Lightning',
+ 'desc' => 'Kosmos accounts for the Lightning Network',
+ 'url' => 'https://lndhub.kosmos.org',
+ 'logo' => 'https://storage.5apps.com/basti/public/shares/221222-0955-icon-lndhub-400px.png',
+ 'favicon' => 'https://kosmos.org/favicon.ico',
+ 'footer' => 'about=https://kosmos.org'
+}
 node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb"
 node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
index f529d02..285ed38 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
@@ -53,7 +53,8 @@ template "#{source_dir}/.env" do
 lnd_cert_file: "#{lnd_dir}/tls.cert",
 custom_name: node['lndhub-go']['domain'],
 port: node['lndhub-go']['port'],
- admin_token: credentials['admin_token']
+ admin_token: credentials['admin_token'],
+ branding: node['lndhub-go']['branding']
 }
 notifies :restart, 'service[lndhub-go]', :delayed
 end
@@ -90,6 +91,10 @@ systemd_unit 'lndhub-go.service' do
 action [:create, :enable, :start]
 end
+service "lndhub-go" do
+ action :nothing
+end
+
 firewall_rule 'lndhub-go' do
 port node['lndhub-go']['port']
 source "10.1.1.0/24"
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb b/site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb
index 1921279..d846241 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb
@@ -90,27 +90,5 @@ firewall_rule 'lndhub_private' do
 command :allow
 end
-unless node.chef_environment == "development"
- include_recipe "kosmos-base::letsencrypt"
- include_recipe "kosmos-nginx"
-
- nginx_certbot_site node[app_name]['domain']
-
- template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do
- source 'nginx_conf_lndhub.erb'
- owner node["nginx"]["user"]
- mode 0640
- variables port: node[app_name]['port'],
- server_name: node[app_name]['domain'],
- ssl_cert: "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem",
- ssl_key: "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem"
- notifies :reload, 'service[nginx]', :delayed
- end
-
- nginx_site node[app_name]['domain'] do
- action :enable
- end
-
- node.override["backup"]["archives"]["lndhub"] = ["/var/lib/redis/dump-6379.rdb"]
- include_recipe "backup"
-end
+node.override["backup"]["archives"]["lndhub"] = ["/var/lib/redis/dump-6379.rdb"]
+include_recipe "backup"
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb b/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb
new file mode 100644
index 0000000..dcf54f7
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb
@@ -0,0 +1,29 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: nginx_lndhub
+#
+
+include_recipe "kosmos-base::letsencrypt"
+include_recipe "kosmos-nginx"
+
+domain = node['lndhub-go']['domain']
+
+nginx_certbot_site domain
+
+upstream_host = search(:node, "role:lndhub").first["knife_zero"]["host"]
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+ source 'nginx_conf_lndhub.erb'
+ owner node["nginx"]["user"]
+ mode 0640
+ variables port: node['lndhub-go']['port'],
+ server_name: domain,
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
+ upstream_host: upstream_host
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+ action :enable
+end
diff --git a/site-cookbooks/kosmos-bitcoin/templates/lndhub-go.env.erb b/site-cookbooks/kosmos-bitcoin/templates/lndhub-go.env.erb
index e467ef6..5fd3936 100644
--- a/site-cookbooks/kosmos-bitcoin/templates/lndhub-go.env.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/lndhub-go.env.erb
@@ -1,3 +1,9 @@
 <% @config.each do |key, value| %>
+<% if value.is_a?(Hash) %>
+<% value.each do |k, v| %>
+<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
+<% end %>
+<% else %>
 <%= key.upcase %>=<%= value.to_s %>
 <% end %>
+<% end %>
diff --git a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb
index cd8b3e4..06d258e 100644
--- a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb
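Review bot: `search(:node, "role:lndhub").first["knife_zero"]["host"]` in recipes/nginx_lndhub.rb raises NoMethodError on `nil` when the search returns nothing, and silently takes whichever node comes first when more than one carries the role, which decides where public wallet traffic is proxied. Making both cases explicit keeps a stray or development node from becoming the upstream: `lndhub_nodes = search(:node, "role:lndhub")` followed by `raise "expected exactly one lndhub node, found #{lndhub_nodes.size}" unless lndhub_nodes.size == 1`. The `knife_zero`/`host` lookup deserves the same treatment, for example `dig("knife_zero", "host")` with a check for `nil`.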
@@ -2,10 +2,9 @@
 # Generated by Chef
 #
 upstream _lndhub {
- server localhost:<%= @port %>;
+ server <%= @upstream_host || "localhost" %>:<%= @port %>;
 }
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
 listen 443 ssl http2;
 server_name <%= @server_name %>;
@@ -16,10 +15,13 @@ server {
 error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
 location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
 proxy_pass http://_lndhub;
- }
+ }
 ssl_certificate <%= @ssl_cert %>;
 ssl_certificate_key <%= @ssl_key %>;
 }
-<% end -%>
From fb1206d03fefb3fc47356cd6e728c499998ed946 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Thu, 22 Dec 2022 19:35:41 +0700
Subject: [PATCH 03/15] Refactor bitcoin-related roles and node config
---
 nodes/bitcoin-2.json | 15 +++++----------
 roles/bitcoind.rb | 5 +++++
 roles/cln.rb | 5 +++++
 roles/lnd.rb | 8 ++++++++
 roles/lndhub.rb | 7 +++++++
 roles/nginx_proxy.rb | 7 ++++---
 6 files changed, 34 insertions(+), 13 deletions(-)
 create mode 100644 roles/bitcoind.rb
 create mode 100644 roles/cln.rb
 create mode 100644 roles/lnd.rb
 create mode 100644 roles/lndhub.rb
diff --git a/nodes/bitcoin-2.json b/nodes/bitcoin-2.json
index 0e458c8..6411721 100644
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@@ -101,16 +101,11 @@
 "run_list": [
 "role[base]",
 "role[kvm_guest]",
- "role[postgresql_client]",
 "recipe[tor-full]",
- "recipe[kosmos-bitcoin::source]",
- "recipe[kosmos-bitcoin::c-lightning]",
- "recipe[kosmos-bitcoin::lnd]",
- "recipe[kosmos-bitcoin::lnd-scb-s3]",
- "recipe[kosmos-bitcoin::boltz]",
- "recipe[kosmos-bitcoin::rtl]",
- "recipe[kosmos-bitcoin::lndhub]",
- "recipe[kosmos-bitcoin::lndhub-go]",
+ "role[bitcoind]",
+ "role[cln]",
+ "role[lnd]",
+ "role[lndhub]",
 "role[btcpay]"
 ]
-}
\ No newline at end of file
+}
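Review bot: In the `location /` block of nginx_conf_lndhub.erb, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever X-Forwarded-For value the client sent, and `proxy_set_header Host $http_host;` forwards the raw client Host header. If lndhub-go takes the client address for its rate limits from the first X-Forwarded-For entry (not visible in this patch), the client chooses that value; `proxy_set_header X-Forwarded-For $remote_addr;` and `proxy_set_header Host $host;` forward only what nginx itself established. The first hunk also moves the upstream to another host while `proxy_pass http://_lndhub;` stays plain HTTP, so tokens cross the internal network unencrypted unless that network is encrypted at a lower layer.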
diff --git a/roles/bitcoind.rb b/roles/bitcoind.rb
new file mode 100644
index 0000000..d786e4f
--- /dev/null
+++ b/roles/bitcoind.rb
@@ -0,0 +1,5 @@
+name "bitcoind"
+
+run_list %w(
+ kosmos-bitcoin::source
+)
diff --git a/roles/cln.rb b/roles/cln.rb
new file mode 100644
index 0000000..b75b75f
--- /dev/null
+++ b/roles/cln.rb
@@ -0,0 +1,5 @@
+name "cln"
+
+run_list %w(
+ kosmos-bitcoin::c-lightning
+)
diff --git a/roles/lnd.rb b/roles/lnd.rb
new file mode 100644
index 0000000..85f5f9e
--- /dev/null
+++ b/roles/lnd.rb
@@ -0,0 +1,8 @@
+name "lnd"
+
+run_list %w(
+ kosmos-bitcoin::lnd
+ kosmos-bitcoin::lnd-scb-s3
+ kosmos-bitcoin::boltz
+ kosmos-bitcoin::rtl
+)
diff --git a/roles/lndhub.rb b/roles/lndhub.rb
new file mode 100644
index 0000000..6f67d07
--- /dev/null
+++ b/roles/lndhub.rb
@@ -0,0 +1,7 @@
+name "lndhub"
+
+run_list %w(
+ role[postgresql_client]
+ kosmos-bitcoin::lndhub
+ kosmos-bitcoin::lndhub-go
+)
diff --git a/roles/nginx_proxy.rb b/roles/nginx_proxy.rb
index 0edd22b..9aa9cc9 100644
--- a/roles/nginx_proxy.rb
+++ b/roles/nginx_proxy.rb
@@ -18,18 +18,19 @@ default_run_list = %w(
 kosmos_assets::nginx_site
 kosmos_discourse::nginx
 kosmos_drone::nginx
+ kosmos_garage::default
+ kosmos_garage::firewall_rpc
+ kosmos_garage::nginx_web
 kosmos_gitea::nginx
 kosmos_website::default
 kosmos-akkounts::nginx_api
+ kosmos-bitcoin::nginx_lndhub
 kosmos-ejabberd::nginx
 kosmos-hubot::nginx_botka_irc-libera-chat
 kosmos-hubot::nginx_hal8000_xmpp
 kosmos-ipfs::nginx_public_gateway
 kosmos-mastodon::nginx
 remotestorage_discourse::nginx
- kosmos_garage::default
- kosmos_garage::firewall_rpc
- kosmos_garage::nginx_web
 )
 env_run_lists(
From 7802ea25e6e6502b40197f45efbd2eabf4a9a5f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Thu, 22 Dec 2022 19:45:45 +0700
Subject: [PATCH 04/15] Ignore chef environment when looking up primary We use mixed environments still, not everything is in "production" yet.
---
 site-cookbooks/kosmos_postgresql/libraries/helpers.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos_postgresql/libraries/helpers.rb b/site-cookbooks/kosmos_postgresql/libraries/helpers.rb
index 7d3c397..18e245d 100644
--- a/site-cookbooks/kosmos_postgresql/libraries/helpers.rb
+++ b/site-cookbooks/kosmos_postgresql/libraries/helpers.rb
@@ -1,7 +1,7 @@
 class Chef
 class Recipe
 def postgresql_primary
- postgresql_primary = search(:node, "role:postgresql_primary AND chef_environment:#{node.chef_environment}").first
+ postgresql_primary = search(:node, "role:postgresql_primary").first
 unless postgresql_primary.nil?
 primary_ip = ip_for(postgresql_primary)
From e0c400c007c2e52a9436fecbc479a7b70191e011 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Thu, 22 Dec 2022 20:03:58 +0700
Subject: [PATCH 05/15] Use correct asset URL for lndhub logo
---
 site-cookbooks/kosmos-bitcoin/attributes/default.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index af75e8d..5c3efdd 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -91,7 +91,7 @@ node.default['lndhub-go']['branding'] = {
 'title' => 'LndHub - Kosmos Lightning',
 'desc' => 'Kosmos accounts for the Lightning Network',
 'url' => 'https://lndhub.kosmos.org',
- 'logo' => 'https://storage.5apps.com/basti/public/shares/221222-0955-icon-lndhub-400px.png',
+ 'logo' => 'https://assets.kosmos.org/img/icon-lndhub-400px.png',
 'favicon' => 'https://kosmos.org/favicon.ico',
 'footer' => 'about=https://kosmos.org'
 }
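Review bot: With the `chef_environment` filter removed in libraries/helpers.rb, `search(:node, "role:postgresql_primary").first` returns whichever matching node the server lists first, so once a second primary exists a development node can be pointed at the production database, or the reverse. Preferring the local environment and only then falling back keeps the mixed-environment setup working without that ambiguity: `search(:node, "role:postgresql_primary AND chef_environment:#{node.chef_environment}").first || search(:node, "role:postgresql_primary").first`. The rest of `postgresql_primary` lies outside the hunk.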
From a7e04f4e6371c86d3969f4ec00939ee5be2593a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Fri, 23 Dec 2022 11:06:11 +0700
Subject: [PATCH 06/15] Exclude lndhub backups in dev
---
 site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb b/site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb
index d846241..c877a4a 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb
@@ -90,5 +90,7 @@ firewall_rule 'lndhub_private' do
 command :allow
 end
+return if node.chef_environment == "development"
+
 node.override["backup"]["archives"]["lndhub"] = ["/var/lib/redis/dump-6379.rdb"]
 include_recipe "backup"
From 3641ea7a60faf8e3b4c69077e45c2e7aa4ad2cbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Fri, 23 Dec 2022 18:02:42 +0700
Subject: [PATCH 07/15] Deploy lndhub.go branch of akkounts
---
 nodes/akkounts-1.json | 6 ++++--
 site-cookbooks/kosmos-akkounts/attributes/default.rb | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/nodes/akkounts-1.json b/nodes/akkounts-1.json
index 0ca0d1e..cbd58f3 100644
--- a/nodes/akkounts-1.json
+++ b/nodes/akkounts-1.json
@@ -12,7 +12,9 @@
 "hostname": "akkounts-1",
 "ipaddress": "192.168.122.160",
 "roles": [
+ "base",
 "kvm_guest",
+ "ldap_client",
 "akkounts",
 "postgresql_client"
 ],
@@ -20,6 +22,7 @@
 "kosmos-base",
 "kosmos-base::default",
 "kosmos_kvm::guest",
+ "kosmos-dirsrv::hostsfile",
 "kosmos_postgresql::hostsfile",
 "kosmos-akkounts",
 "kosmos-akkounts::default",
@@ -46,7 +49,6 @@
 "redis::default",
 "backup::default",
 "logrotate::default",
- "kosmos-dirsrv::hostsfile",
 "nodejs::npm",
 "nodejs::install",
 "kosmos-nginx::default",
@@ -83,4 +85,4 @@
 "role[ldap_client]",
 "role[akkounts]"
 ]
-}
+}
\ No newline at end of file
diff --git a/site-cookbooks/kosmos-akkounts/attributes/default.rb b/site-cookbooks/kosmos-akkounts/attributes/default.rb
index 4386c90..5d2759b 100644
--- a/site-cookbooks/kosmos-akkounts/attributes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/attributes/default.rb
@@ -1,5 +1,5 @@
 node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git'
-node.default['akkounts']['revision'] = 'master'
+node.default['akkounts']['revision'] = 'feature/73-lndhub-go'
 node.default['akkounts']['port'] = 3000
 node.default['akkounts']['domain'] = 'accounts.kosmos.org'
From b738dc1e8047fba5794f3012bd0fc44c82cb4c4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 30 Nov 2022 12:13:39 +0100
Subject: [PATCH 08/15] Add nginx proxy hosts for Garage Web access The respective bucket needs to be configured with a domain alias. When a new alias is added to the `s3_web_domains` config, a new nginx site can then be deployed to the `nginx_proxy` hosts.
---
 environments/production.json | 7 ++--
 .../kosmos_garage/attributes/default.rb | 3 +-
 .../kosmos_garage/recipes/nginx_web.rb | 26 +++++++++++++++
 .../templates/nginx_conf_web.erb | 33 +++++++++++++++++++
 4 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 site-cookbooks/kosmos_garage/recipes/nginx_web.rb
 create mode 100644 site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
diff --git a/environments/production.json b/environments/production.json
index 635c0f3..8c0e97a 100644
--- a/environments/production.json
+++ b/environments/production.json
@@ -4,7 +4,10 @@
 "garage": {
 "replication_mode": "2",
 "s3_api_root_domain": ".s3.garage.kosmos.org",
- "s3_web_root_domain": ".web.garage.kosmos.org"
+ "s3_web_root_domain": ".web.garage.kosmos.org",
+ "s3_web_domains": [
+ "s3.kosmos.social"
+ ]
 },
 "gitea": {
 "postgresql_host": "pg.kosmos.local:5432",
@@ -23,4 +26,4 @@
 ]
 }
 }
-}
\ No newline at end of file
+}
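Review bot: The cookbook default `node.default['akkounts']['revision']` now names the mutable branch `feature/73-lndhub-go`, so each converge deploys whatever that branch head is at the time, including pushes nobody has reviewed, and the default stops resolving once the branch is merged and deleted. Pinning a commit SHA or tag here, or setting the branch only as a node or environment override for the host that needs it, keeps deploys of the accounts service reproducible.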
diff --git a/site-cookbooks/kosmos_garage/attributes/default.rb b/site-cookbooks/kosmos_garage/attributes/default.rb
index 068ede8..68cf18f 100644
--- a/site-cookbooks/kosmos_garage/attributes/default.rb
+++ b/site-cookbooks/kosmos_garage/attributes/default.rb
@@ -1,5 +1,6 @@
 node.default['garage']['version'] = '0.8.0'
 node.default['garage']['checksum']['amd64'] = '66dd2ea1f677281a43e10eb619523b1b269f8fde9047ce8caa70958f3b13ca74'
+node.default['garage']['replication_mode'] = 'none'
 node.default['garage']['s3_api_port'] = 3900
 node.default['garage']['rpc_port'] = 3901
 node.default['garage']['s3_web_port'] = 3902
@@ -7,4 +8,4 @@ node.default['garage']['admin_port'] = 3903
 node.default['garage']['k2v_api_port'] = 3904
 node.default['garage']['s3_api_root_domain'] = '.s3.garage.localhost'
 node.default['garage']['s3_web_root_domain'] = '.web.garage.localhost'
-node.default['garage']['replication_mode'] = 'none'
+node.default['garage']['s3_web_domains'] = []
diff --git a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
new file mode 100644
index 0000000..83e6399
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
@@ -0,0 +1,26 @@
+#
+# Cookbook Name:: kosmos_garage
+# Recipe:: nginx_web
+#
+
+include_recipe "kosmos-nginx"
+
+domains = node['garage']['s3_web_domains']
+
+domains.each do |server_name|
+ nginx_certbot_site server_name
+
+ template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
+ source 'nginx_conf_web.erb'
+ owner 'www-data'
+ mode 0640
+ variables server_name: server_name,
+ ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+ notifies :reload, 'service[nginx]', :delayed
+ end
+
+ nginx_site server_name do
+ action :enable
+ end
+end
diff --git a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
new file mode 100644
index 0000000..566980f
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
@@ -0,0 +1,33 @@
+upstream garage_web {
+ server localhost:3902;
+}
+
+proxy_cache_path /var/cache/nginx/garage levels=1:2 keys_zone=garage_cache:10m
+ max_size=1g inactive=60m use_temp_path=off;
+
+server {
+ listen 443 http2 ssl;
+ listen [::]:443 http2 ssl;
+
+ server_name <%= @server_name %>;
+
+ access_log off;
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ error_page 401 403 404 500 /__empty-page.html;
+
+ location = /__empty-page.html {
+ internal;
+ return 200 "";
+ }
+
+ location / {
+ proxy_intercept_errors on;
+ proxy_cache garage_cache;
+ proxy_pass http://garage_web;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ }
+}
From 3d7b4df3761eb355c19fd15c5cb55666eb1434e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Sat, 24 Dec 2022 00:58:11 +0700
Subject: [PATCH 09/15] Add rate limit config for lndhub-go
---
 site-cookbooks/kosmos-bitcoin/attributes/default.rb | 5 ++++-
 site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index 5c3efdd..84ff448 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
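Review bot: `proxy_cache garage_cache;` in `location /` of nginx_conf_web.erb relies on nginx's default cache key `$scheme$proxy_host$request_uri`, and `$proxy_host` is always `garage_web` here, so the key does not contain the requested domain. Once `s3_web_domains` holds a second entry, an object cached for one bucket can be served for the same path on another domain; `proxy_cache_key "$scheme$host$request_uri";` keeps them apart. The template is also rendered once per domain by recipes/nginx_web.rb, and every copy declares `upstream garage_web` and `proxy_cache_path … keys_zone=garage_cache` at http level, which nginx should reject as duplicates on the second site, so those two declarations belong in one shared conf file.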
@@ -80,13 +80,16 @@ node.default['lndhub']['port'] = '3023'
 node.default['lndhub']['domain'] = 'lndhub.kosmos.org'
 node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
-node.default['lndhub-go']['revision'] = '0.11.0'
+node.default['lndhub-go']['revision'] = '0.12.0'
 node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
 node.default['lndhub-go']['port'] = 3026
 node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
 node.default['lndhub-go']['postgres']['database'] = 'lndhub'
 node.default['lndhub-go']['postgres']['user'] = 'lndhub'
 node.default['lndhub-go']['postgres']['port'] = 5432
+node.default['lndhub-go']['default_rate_limit'] = 20
+node.default['lndhub-go']['strict_rate_limit'] = 1
+node.default['lndhub-go']['burst_rate_limit'] = 10
 node.default['lndhub-go']['branding'] = {
 'title' => 'LndHub - Kosmos Lightning',
 'desc' => 'Kosmos accounts for the Lightning Network',
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
index 285ed38..4d5cfca 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
@@ -54,6 +54,9 @@ template "#{source_dir}/.env" do
 custom_name: node['lndhub-go']['domain'],
 port: node['lndhub-go']['port'],
 admin_token: credentials['admin_token'],
+ default_rate_limit: node['lndhub-go']['default_rate_limit'],
+ strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
+ burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
 branding: node['lndhub-go']['branding']
 }
 notifies :restart, 'service[lndhub-go]', :delayed
From 8c8e978ae96f570145a7470b84d545817a80d2dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Sat, 24 Dec 2022 00:58:31 +0700
Subject: [PATCH 10/15] Update node configs
---
 nodes/bitcoin-2.json | 12 ++++++++----
 nodes/fornax.kosmos.org.json | 13 +++++++------
 2 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/nodes/bitcoin-2.json b/nodes/bitcoin-2.json
index 6411721..a6dbc46 100644
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@@ -14,6 +14,10 @@
 "roles": [
 "base",
 "kvm_guest",
+ "bitcoind",
+ "cln",
+ "lnd",
+ "lndhub",
 "postgresql_client",
 "btcpay"
 ],
@@ -21,7 +25,6 @@
 "kosmos-base",
 "kosmos-base::default",
 "kosmos_kvm::guest",
- "kosmos_postgresql::hostsfile",
 "tor-full",
 "tor-full::default",
 "kosmos-bitcoin::source",
@@ -30,6 +33,7 @@
 "kosmos-bitcoin::lnd-scb-s3",
 "kosmos-bitcoin::boltz",
 "kosmos-bitcoin::rtl",
+ "kosmos_postgresql::hostsfile",
 "kosmos-bitcoin::lndhub",
 "kosmos-bitcoin::lndhub-go",
 "kosmos-bitcoin::dotnet",
@@ -72,7 +76,6 @@
 "redisio::disable_os_default",
 "redisio::configure",
 "redisio::enable",
- "kosmos-base::letsencrypt",
 "kosmos-nginx::default",
 "nginx::default",
 "nginx::package",
@@ -82,7 +85,8 @@
 "nginx::commons_dir",
 "nginx::commons_script",
 "nginx::commons_conf",
- "kosmos-nginx::firewall"
+ "kosmos-nginx::firewall",
+ "kosmos-base::letsencrypt"
 ],
 "platform": "ubuntu",
 "platform_version": "20.04",
@@ -108,4 +112,4 @@
 "role[lndhub]",
 "role[btcpay]"
 ]
-}
+}
\ No newline at end of file
diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index b3683d7..71769a1 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -31,20 +31,21 @@ "kosmos_assets::nginx_site", "kosmos_discourse::nginx", "kosmos_drone::nginx", + "kosmos_garage", + "kosmos_garage::default", + "kosmos_garage::firewall_rpc", + "kosmos_garage::nginx_web", "kosmos_gitea::nginx", "kosmos_website", "kosmos_website::default", "kosmos-akkounts::nginx_api", + "kosmos-bitcoin::nginx_lndhub", "kosmos-ejabberd::nginx", "kosmos-hubot::nginx_botka_irc-libera-chat", "kosmos-hubot::nginx_hal8000_xmpp", "kosmos-ipfs::nginx_public_gateway", "kosmos-mastodon::nginx", "remotestorage_discourse::nginx", - "kosmos_garage", - "kosmos_garage::default", - "kosmos_garage::firewall_rpc", - "kosmos_garage::nginx_web", "kosmos_zerotier::controller", "kosmos_zerotier::firewall", "kosmos_zerotier::zncui", @@ -73,11 +74,11 @@ "nginx::commons_conf", "kosmos-nginx::firewall", "discourse::nginx", + "firewall::default", + "chef-sugar::default", "git::default", "git::package", "kosmos-base::letsencrypt", - "firewall::default", - "chef-sugar::default", "fail2ban::default" ], "platform": "ubuntu", From 90e17b0abca6e724a06d986345c8c342b68c4423 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Sun, 25 Dec 2022 16:28:14 +0700 Subject: [PATCH 11/15] Rename bitcoind recipe Was still using a name from when the cookbook didn't set up anything else --- roles/bitcoind.rb | 2 +- .../kosmos-bitcoin/recipes/{source.rb => bitcoind.rb} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename site-cookbooks/kosmos-bitcoin/recipes/{source.rb => bitcoind.rb} (99%) diff --git a/roles/bitcoind.rb b/roles/bitcoind.rb index d786e4f..e8306dc 100644 --- a/roles/bitcoind.rb +++ b/roles/bitcoind.rb @@ -1,5 +1,5 @@ name "bitcoind" run_list %w( - kosmos-bitcoin::source + kosmos-bitcoin::bitcoind ) 
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/source.rb b/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb similarity index 99% rename from site-cookbooks/kosmos-bitcoin/recipes/source.rb rename to site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb index a44cc89..a4991ff 100644 --- a/site-cookbooks/kosmos-bitcoin/recipes/source.rb +++ b/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb @@ -1,6 +1,6 @@ # # Cookbook:: kosmos-bitcoin -# Recipe:: source +# Recipe:: bitcoind # build_essential From ea635a52e92bef70723aaa756fc611be18bb0564 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Mon, 26 Dec 2022 11:14:40 +0700 Subject: [PATCH 12/15] Formatting --- site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb index 4d5cfca..797e231 100644 --- a/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb +++ b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb @@ -5,11 +5,12 @@ include_recipe 'git' include_recipe 'kosmos-bitcoin::golang' +include_recipe 'kosmos-bitcoin::user' bitcoin_user = node['bitcoin']['username'] bitcoin_group = node['bitcoin']['usergroup'] lnd_dir = node['lnd']['lnd_dir'] -lncli_bin = "/opt/go/bin/lncli" +lncli_bin = '/opt/go/bin/lncli' source_dir = node['lndhub-go']['source_dir'] macaroon_path = "#{lnd_dir}/data/lndhub.macaroon" credentials = data_bag_item('credentials', 'lndhub-go') @@ -26,10 +27,10 @@ git source_dir do end bash 'compile_lndhub-go' do - cwd node['lndhub-go']['source_dir'] - code "make" + cwd source_dir + code 'make' action :nothing - notifies :restart, "systemd_unit[lndhub-go.service]", :delayed + notifies :restart, 'service[lndhub-go]', :delayed end bash 'bake_lndhub_macaroon' do 
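Review bot: In the second lndhub-go.rb hunk, `bash 'compile_lndhub-go'` has no `user` property, so `make` on the upstream checkout runs as whatever account chef-client uses, which is typically root. A mistaken or compromised upstream Makefile would then act on the whole host. Adding `user bitcoin_user` and `group bitcoin_group` to the block would confine the build, provided `source_dir` is writable by that account (the `git` resource that creates it is outside this hunk). Separately, the commit is titled "Formatting", yet this block changes the `notifies` target from `systemd_unit[lndhub-go.service]` to `service[lndhub-go]` and the first hunk adds `include_recipe 'kosmos-bitcoin::user'`. Both are behaviour changes that are easy to miss under that title.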
@@ -94,13 +95,13 @@ systemd_unit 'lndhub-go.service' do action [:create, :enable, :start] end -service "lndhub-go" do +service 'lndhub-go' do action :nothing end firewall_rule 'lndhub-go' do port node['lndhub-go']['port'] - source "10.1.1.0/24" + source '10.1.1.0/24' protocol :tcp command :allow end From b3465e186fe69dfc9d19d0de8d510e43ad977576 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Mon, 26 Dec 2022 11:16:01 +0700 Subject: [PATCH 13/15] Fix comment --- site-cookbooks/kosmos-bitcoin/recipes/golang.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos-bitcoin/recipes/golang.rb b/site-cookbooks/kosmos-bitcoin/recipes/golang.rb index b6ff84b..81fd97e 100644 --- a/site-cookbooks/kosmos-bitcoin/recipes/golang.rb +++ b/site-cookbooks/kosmos-bitcoin/recipes/golang.rb @@ -1,6 +1,6 @@ # # Cookbook:: kosmos-bitcoin -# Recipe:: boltz +# Recipe:: golang # # Internal recipe for managing the Go installation in one place # From 4f1b1aff30c5996c471441aba290cebecf41205a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Mon, 26 Dec 2022 11:16:08 +0700 Subject: [PATCH 14/15] Set up PeerSwap Allows to swap sats in and out of Lightning channels without a 3rd party (and their fees). Instead, swaps can be initiated directly with the channel peer. https://www.peerswap.dev/ --- nodes/bitcoin-2.json | 3 +- roles/lnd.rb | 1 + .../kosmos-bitcoin/attributes/default.rb | 4 + .../kosmos-bitcoin/recipes/peerswap-lnd.rb | 94 +++++++++++++++++++ .../templates/peerswap-lnd.conf.erb | 3 + 5 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 site-cookbooks/kosmos-bitcoin/recipes/peerswap-lnd.rb create mode 100644 site-cookbooks/kosmos-bitcoin/templates/peerswap-lnd.conf.erb diff --git a/nodes/bitcoin-2.json b/nodes/bitcoin-2.json index a6dbc46..5b6faf1 100644 --- a/nodes/bitcoin-2.json +++ b/nodes/bitcoin-2.json 
@@ -27,12 +27,13 @@ "kosmos_kvm::guest", "tor-full", "tor-full::default", - "kosmos-bitcoin::source", + "kosmos-bitcoin::bitcoind", "kosmos-bitcoin::c-lightning", "kosmos-bitcoin::lnd", "kosmos-bitcoin::lnd-scb-s3", "kosmos-bitcoin::boltz", "kosmos-bitcoin::rtl", + "kosmos-bitcoin::peerswap-lnd", "kosmos_postgresql::hostsfile", "kosmos-bitcoin::lndhub", "kosmos-bitcoin::lndhub-go", diff --git a/roles/lnd.rb b/roles/lnd.rb index 85f5f9e..982f9a7 100644 --- a/roles/lnd.rb +++ b/roles/lnd.rb @@ -5,4 +5,5 @@ run_list %w( kosmos-bitcoin::lnd-scb-s3 kosmos-bitcoin::boltz kosmos-bitcoin::rtl + kosmos-bitcoin::peerswap-lnd ) diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb index 84ff448..f82d5a2 100644 --- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb +++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb @@ -118,3 +118,7 @@ node.default["btcpay"]["domain"] = 'btcpay.kosmos.org' node.default['btcpay']['postgres']['port'] = 5432 node.default['btcpay']['postgres']['database'] = 'btcpayserver' node.default['btcpay']['postgres']['user'] = 'satoshi' + +node.default['peerswap']['repo'] = 'https://github.com/ElementsProject/peerswap.git' +node.default['peerswap']['revision'] = 'master' +node.default['peerswap-lnd']['source_dir'] = '/opt/peerswap' diff --git a/site-cookbooks/kosmos-bitcoin/recipes/peerswap-lnd.rb b/site-cookbooks/kosmos-bitcoin/recipes/peerswap-lnd.rb new file mode 100644 index 0000000..076daea --- /dev/null +++ b/site-cookbooks/kosmos-bitcoin/recipes/peerswap-lnd.rb 
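Review bot: `node.default['peerswap']['revision'] = 'master'` in the attributes hunk means a converge builds and runs whatever the upstream branch tip is at that moment. The peerswap-lnd recipe added in the same commit points that binary at lnd's `admin.macaroon`, so an unreviewed upstream commit would gain full control of the Lightning node without any change in this repository. Pin a reviewed commit or release tag instead, e.g. `node.default['peerswap']['revision'] = '<reviewed-commit-sha>'` (placeholder), and bump it deliberately, as the `lndhub-go` attribute does with its version tag.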
@@ -0,0 +1,94 @@ +# +# Cookbook:: kosmos-bitcoin +# Recipe:: peerswap-lnd +# + +include_recipe 'git' +include_recipe 'kosmos-bitcoin::golang' +include_recipe 'kosmos-bitcoin::user' + +bitcoin_user = node['bitcoin']['username'] +bitcoin_group = node['bitcoin']['usergroup'] +lnd_dir = node['lnd']['lnd_dir'] +macaroon_path = "#{lnd_dir}/data/chain/bitcoin/#{node['bitcoin']['network']}/admin.macaroon" +source_dir = node['peerswap-lnd']['source_dir'] +config_dir = "/home/#{bitcoin_user}/.peerswap" + +directory config_dir do + owner bitcoin_user + group bitcoin_group + mode '0700' + action :create +end + +git source_dir do + repository node['peerswap']['repo'] + revision node['peerswap']['revision'] + action :sync + notifies :run, 'bash[compile_peerswap]', :immediately +end + +bash 'compile_peerswap' do + cwd source_dir + environment 'GOPATH' => '/opt/go' + code 'make lnd-release' + action :run + notifies :restart, 'service[peerswap]', :delayed +end + +template "#{config_dir}/peerswap.conf" do + source 'peerswap-lnd.conf.erb' + owner bitcoin_user + group bitcoin_group + mode 0600 + sensitive true + variables config: { + tlscertpath: "#{lnd_dir}/tls.cert", + macaroonpath: macaroon_path + } + notifies :restart, 'service[peerswap]', :delayed +end + +file "#{config_dir}/policy.conf" do + owner bitcoin_user + group bitcoin_group + mode 0600 + content 'accept_all_peers=true' + notifies :restart, 'service[peerswap]', :delayed +end + +systemd_unit 'peerswap.service' do + content({ + Unit: { + Description: 'PeerSwap Lightning channel balancing', + Documentation: ['https://github.com/ElementsProject/peerswap'], + Requires: 'lnd.service', + After: 'lnd.service' + }, + Service: { + User: bitcoin_user, + Group: bitcoin_group, + Type: 'simple', + WorkingDirectory: source_dir, + ExecStart: "/opt/go/bin/peerswapd", + Restart: 'always', + RestartSec: '10', + TimeoutSec: '60', + PrivateTmp: true, + ProtectSystem: 'full', + NoNewPrivileges: true, + PrivateDevices: true, + 
MemoryDenyWriteExecute: true + }, + Install: { + WantedBy: 'multi-user.target' + } + }) + verify false + triggers_reload true + action [:create, :enable, :start] +end + +service 'peerswap' do + action :nothing +end diff --git a/site-cookbooks/kosmos-bitcoin/templates/peerswap-lnd.conf.erb b/site-cookbooks/kosmos-bitcoin/templates/peerswap-lnd.conf.erb new file mode 100644 index 0000000..dfce355 --- /dev/null +++ b/site-cookbooks/kosmos-bitcoin/templates/peerswap-lnd.conf.erb @@ -0,0 +1,3 @@ +<% @config.each do |k, v| %> +<%= "lnd.#{k}=#{v}" %> +<% end %> From 176dd64438eddcd526a90d7fa8b52e52b0ef36da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Mon, 26 Dec 2022 11:29:17 +0700 Subject: [PATCH 15/15] Remove peerswap policy file from recipe This will be auto-created anyway, and we don't want to overwrite changes added by the CLI. --- site-cookbooks/kosmos-bitcoin/recipes/peerswap-lnd.rb | 8 -------- 1 file changed, 8 deletions(-) diff --git a/site-cookbooks/kosmos-bitcoin/recipes/peerswap-lnd.rb b/site-cookbooks/kosmos-bitcoin/recipes/peerswap-lnd.rb index 076daea..17eaa98 100644 --- a/site-cookbooks/kosmos-bitcoin/recipes/peerswap-lnd.rb +++ b/site-cookbooks/kosmos-bitcoin/recipes/peerswap-lnd.rb @@ -49,14 +49,6 @@ template "#{config_dir}/peerswap.conf" do notifies :restart, 'service[peerswap]', :delayed end -file "#{config_dir}/policy.conf" do - owner bitcoin_user - group bitcoin_group - mode 0600 - content 'accept_all_peers=true' - notifies :restart, 'service[peerswap]', :delayed -end - systemd_unit 'peerswap.service' do content({ Unit: {
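Review bot: In peerswap-lnd.rb, `bash 'compile_peerswap'` is declared with `action :run` and no `user`, so the build runs on every converge (and a second time when the `git` resource notifies it), under chef-client's account, and each run queues a restart of the `peerswap` service. `action :nothing` would leave the `git` notification as the only trigger, matching `compile_lndhub-go`. `user bitcoin_user` would keep the upstream Makefile away from root, assuming `source_dir` and `/opt/go` are writable by that user, which this hunk does not show. The config also points `macaroonpath` at `admin.macaroon`; if peerswapd can work with a narrower macaroon, baking a dedicated one as the lndhub-go recipe does would limit what a compromised daemon can do to lnd. `verify false` on the unit deserves a short comment saying why verification is skipped.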