From 1a5f3126999068afeabaea6584d1ccd7c73c98bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Fri, 7 Jun 2024 19:43:09 +0200 Subject: [PATCH 01/14] Add strfry cookbook --- .gitmodules | 3 +++ site-cookbooks/strfry | 1 + 2 files changed, 4 insertions(+) create mode 160000 site-cookbooks/strfry diff --git a/.gitmodules b/.gitmodules index 7167701..3bc3da1 100644 --- a/.gitmodules +++ b/.gitmodules @@ -4,3 +4,6 @@ [submodule "site-cookbooks/openresty"] path = site-cookbooks/openresty url = https://github.com/67P/chef-openresty.git +[submodule "site-cookbooks/strfry"] + path = site-cookbooks/strfry + url = git@gitea.kosmos.org:kosmos/strfry-cookbook.git diff --git a/site-cookbooks/strfry b/site-cookbooks/strfry new file mode 160000 index 0000000..b4e8958 --- /dev/null +++ b/site-cookbooks/strfry @@ -0,0 +1 @@ +Subproject commit b4e89583fb0bed864e017e1f24d9440f84d125e6 From dbccd9d2bf6b2cb9a56ec4a043b542e9fb6726fe Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Fri, 7 Jun 2024 20:43:46 +0200 Subject: [PATCH 02/14] Add kosmos_strfry cookbook, configs --- environments/production.json | 10 +++++++ nodes/draco.kosmos.org.json | 1 + roles/openresty_proxy.rb | 1 + roles/strfry.rb | 6 ++++ site-cookbooks/kosmos_strfry/LICENSE | 20 +++++++++++++ site-cookbooks/kosmos_strfry/README.md | 4 +++ site-cookbooks/kosmos_strfry/metadata.rb | 9 ++++++ .../kosmos_strfry/recipes/firewall.rb | 13 +++++++++ site-cookbooks/kosmos_strfry/recipes/nginx.rb | 29 +++++++++++++++++++ .../templates/nginx_conf_strfry.erb | 28 ++++++++++++++++++ 10 files changed, 121 insertions(+) create mode 100644 roles/strfry.rb create mode 100644 site-cookbooks/kosmos_strfry/LICENSE create mode 100644 site-cookbooks/kosmos_strfry/README.md create mode 100644 site-cookbooks/kosmos_strfry/metadata.rb create mode 100644 site-cookbooks/kosmos_strfry/recipes/firewall.rb create mode 100644 site-cookbooks/kosmos_strfry/recipes/nginx.rb create mode 100644 site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb diff --git a/environments/production.json b/environments/production.json index 4f84064..d226fa7 100644 --- a/environments/production.json +++ b/environments/production.json @@ -101,6 +101,16 @@ }, "sentry": { "allowed_ips": "10.1.1.0/24" + }, + "strfry": { + "domain": "nostr.kosmos.org", + "real_ip_header": "X-Real-IP", + "info": { + "name": "Kosmos Relay", + "description": "Members-only nostr relay for kosmos.org users", + "pubkey": "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb", + "contact": "ops@kosmos.org" + } } } } diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index f07f268..f95e990 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -54,6 +54,7 @@ "kosmos_liquor-cabinet::nginx", "kosmos_rsk::nginx_testnet", "kosmos_rsk::nginx_mainnet", + "kosmos_strfry::nginx", "kosmos_website", "kosmos_website::default", "kosmos-akkounts::nginx", 
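Review bot: `real_ip_header` makes strfry take the client address from a proxy-supplied header, which is only safe while nothing but the reverse proxy can reach the relay port; that guarantee comes from the `firewall_rule` added later in this series (source restricted to `10.1.1.0/24`), not from anything in this hunk. JSON allows no comment, so the cookbook README is the place to state that the relay must never be reachable without the proxy in front of it. The `info.pubkey` and `contact` values are public relay metadata, so committing them in plain text is fine.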
diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index 38e8bbb..c238c1b 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb @@ -28,6 +28,7 @@ production_run_list = %w( kosmos_liquor-cabinet::nginx kosmos_rsk::nginx_testnet kosmos_rsk::nginx_mainnet + kosmos_strfry::nginx kosmos_website::default kosmos-akkounts::nginx kosmos-akkounts::nginx_api diff --git a/roles/strfry.rb b/roles/strfry.rb new file mode 100644 index 0000000..65472d2 --- /dev/null +++ b/roles/strfry.rb @@ -0,0 +1,6 @@ +name "strfry" + +run_list %w( + strfry::default + kosmos_strfry::firewall +) diff --git a/site-cookbooks/kosmos_strfry/LICENSE b/site-cookbooks/kosmos_strfry/LICENSE new file mode 100644 index 0000000..b5a9703 --- /dev/null +++ b/site-cookbooks/kosmos_strfry/LICENSE @@ -0,0 +1,20 @@ +Copyright (c) 2024 Kosmos Developers + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
diff --git a/site-cookbooks/kosmos_strfry/README.md b/site-cookbooks/kosmos_strfry/README.md
new file mode 100644
index 0000000..04638b2
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/README.md
@@ -0,0 +1,4 @@
+kosmos_strfry
+=============
+
+Installs/configures a strfry relay and its reverse proxy config
diff --git a/site-cookbooks/kosmos_strfry/metadata.rb b/site-cookbooks/kosmos_strfry/metadata.rb
new file mode 100644
index 0000000..8498c01
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/metadata.rb
@@ -0,0 +1,9 @@
+name 'kosmos_strfry'
+maintainer 'Kosmos'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'strfry wrapper cookbook'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version '0.1.0'
+
+depends 'kosmos_openresty'
diff --git a/site-cookbooks/kosmos_strfry/recipes/firewall.rb b/site-cookbooks/kosmos_strfry/recipes/firewall.rb
new file mode 100644
index 0000000..ea26f83
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/recipes/firewall.rb
@@ -0,0 +1,13 @@
+#
+# Cookbook Name:: kosmos_strfry
+# Recipe:: firewall
+#
+
+include_recipe "kosmos-base::firewall"
+
+firewall_rule "strfry" do
+ port node["strfry"]["port"]
+ source "10.1.1.0/24"
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos_strfry/recipes/nginx.rb b/site-cookbooks/kosmos_strfry/recipes/nginx.rb
new file mode 100644
index 0000000..58cc724
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/recipes/nginx.rb
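Review bot: `metadata.rb` declares a dependency only on `kosmos_openresty`, yet `recipes/firewall.rb` in this hunk (and `recipes/nginx.rb` in the next) reads `node["strfry"]["port"]`, an attribute this cookbook never defines. On the relay node the `strfry` cookbook in the role run list presumably supplies a default, but on the proxy nodes that only run `kosmos_strfry::nginx` nothing loads that attribute file, so the value will be nil there; either add `depends 'strfry'` here or give the attribute a default in this cookbook's own attributes file. For the firewall rule a nil port presumably cannot render a usable rule, so failing early with `raise "strfry port attribute not set" if node["strfry"]["port"].nil?` is preferable to a silently wrong ruleset. Restricting `source` to `10.1.1.0/24` is the right shape, since strfry is configured to trust a proxy-set client-address header.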
@@ -0,0 +1,29 @@
+#
+# Cookbook Name:: kosmos_strfry
+# Recipe:: nginx
+#
+
+domain = node["strfry"]["domain"]
+
+upstream_hosts = []
+search(:node, 'role:strfry').each do |node|
+ upstream_hosts << node['knife_zero']['host']
+end
+if upstream_hosts.empty?
+ Chef::Log.warn("No node found with 'strfry' role. Not configuring nginx site.")
+ return
+end
+
+tls_cert_for domain do
+ auth "gandi_dns"
+ action :create
+end
+
+openresty_site domain do
+ template "nginx_conf_strfry.erb"
+ variables domain: domain,
+ upstream_port: node['strfry']['port'],
+ upstream_hosts: upstream_hosts,
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+end
diff --git a/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb b/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
new file mode 100644
index 0000000..c48ce62
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
@@ -0,0 +1,28 @@
+upstream _strfry {
+<% @upstream_hosts.each do |host| %>
+ server <%= host %>:<%= @upstream_port %>;
+<% end %>
+}
+
+server {
+ listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name <%= @domain %>;
+
+ access_log "/var/log/nginx/<%= @domain %>.access.log";
+ error_log "/var/log/nginx/<%= @domain %>.error.log";
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://_strfry;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
From 9835b85181ce0f6a0027e3bbcab5209a79ca7342 Mon Sep 17 00:00:00 2001
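Review bot: The block parameter in `search(:node, 'role:strfry').each do |node|` shadows the recipe's `node` for the body of the block, so `node['knife_zero']['host']` reads as the local node at a glance while it is actually the search result; the loop reduces to `upstream_hosts = search(:node, 'role:strfry').map { |n| n['knife_zero']['host'] }`, which also removes the mutable accumulator. A matched node without a `knife_zero.host` value would contribute nil and render as `server :PORT;` in the template, so `filter_map` (or `.compact`) on that line is cheap insurance. The empty-result guard with `return` is fine for a recipe file.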
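Review bot: The `location /` block proxies a WebSocket upgrade but sets no `proxy_read_timeout`/`proxy_send_timeout`, so unless the openresty http block already raises them (not visible here) nginx's default of 60s closes any nostr subscription that sees no traffic in either direction for a minute; add e.g. `proxy_read_timeout 3600s;` beside `proxy_http_version 1.1;`. Setting `X-Real-IP` from `$remote_addr` unconditionally is the right choice because strfry is configured to trust exactly that header; keep it that way rather than forwarding a client-supplied value.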
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Sat, 8 Jun 2024 16:25:47 +0200 Subject: [PATCH 03/14] Fall back to default port for strfry proxy When we don't override it elsewhere --- site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb b/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb index c48ce62..a9fb157 100644 --- a/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb +++ b/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb @@ -1,6 +1,6 @@ upstream _strfry { <% @upstream_hosts.each do |host| %> - server <%= host %>:<%= @upstream_port %>; + server <%= host %>:<%= @upstream_port || "7777" %>; <% end %> } From b9a39103641e16cdf7681b1638f526d9d848b90a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Sat, 8 Jun 2024 16:27:57 +0200 Subject: [PATCH 04/14] Update strfry cookbook --- site-cookbooks/strfry | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/strfry b/site-cookbooks/strfry index b4e8958..33012f6 160000 --- a/site-cookbooks/strfry +++ b/site-cookbooks/strfry @@ -1 +1 @@ -Subproject commit b4e89583fb0bed864e017e1f24d9440f84d125e6 +Subproject commit 33012f64c7095565eed41271a5aaf916551b1b7f From 1649d03665e134a3faecfd542e8c4aa1ea20d852 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Sat, 8 Jun 2024 17:14:35 +0200 Subject: [PATCH 05/14] Update strfry cookbook --- .gitmodules | 3 +++ site-cookbooks/deno | 1 + site-cookbooks/strfry | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) create mode 160000 site-cookbooks/deno diff --git a/.gitmodules b/.gitmodules index 3bc3da1..3f36f91 100644 --- a/.gitmodules +++ b/.gitmodules 
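Review bot: The fallback `@upstream_port || "7777"` lives in the template, which leaves `recipes/firewall.rb` (outside this hunk) and the `upstream_port:` variable in `recipes/nginx.rb` still reading a possibly unset `node['strfry']['port']`, so the proxy and the firewall rule can disagree about the port. A default in the cookbook's attributes file, e.g. `node.default["strfry"]["port"] = 7777`, keeps both consumers in agreement and lets the template go back to a plain `<%= @upstream_port %>`. If the strfry cookbook already defines that default, `depends 'strfry'` in metadata.rb would make it available on the proxy nodes as well.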
@@ -7,3 +7,6 @@ [submodule "site-cookbooks/strfry"] path = site-cookbooks/strfry url = git@gitea.kosmos.org:kosmos/strfry-cookbook.git +[submodule "site-cookbooks/deno"] + path = site-cookbooks/deno + url = git@gitea.kosmos.org:kosmos/deno-cookbook.git diff --git a/site-cookbooks/deno b/site-cookbooks/deno new file mode 160000 index 0000000..617f795 --- /dev/null +++ b/site-cookbooks/deno @@ -0,0 +1 @@ +Subproject commit 617f7959abda045326c8f06f1c1bcedbaa7c7285 diff --git a/site-cookbooks/strfry b/site-cookbooks/strfry index 33012f6..65b6d65 160000 --- a/site-cookbooks/strfry +++ b/site-cookbooks/strfry @@ -1 +1 @@ -Subproject commit 33012f64c7095565eed41271a5aaf916551b1b7f +Subproject commit 65b6d65527f6869fa5492b80de878fe29b50a386 From 5be90816132bd5b20885da4a853fee86e8c56782 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Sat, 8 Jun 2024 21:19:53 +0200 Subject: [PATCH 06/14] Header name has to be all lowercase in strfry config --- environments/production.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/environments/production.json b/environments/production.json index d226fa7..ab93492 100644 --- a/environments/production.json +++ b/environments/production.json @@ -104,7 +104,7 @@ }, "strfry": { "domain": "nostr.kosmos.org", - "real_ip_header": "X-Real-IP", + "real_ip_header": "x-real-ip", "info": { "name": "Kosmos Relay", "description": "Members-only nostr relay for kosmos.org users", From 42c46a5645e45029ca08ac4264cbb80dce26da0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 11 Jun 2024 22:54:12 +0200 Subject: [PATCH 07/14] Deploy strfry reverse proxy --- nodes/fornax.kosmos.org.json | 1 + site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json index bc81069..d5903f9 100644 --- a/nodes/fornax.kosmos.org.json +++ b/nodes/fornax.kosmos.org.json 
@@ -48,6 +48,7 @@ "kosmos_liquor-cabinet::nginx", "kosmos_rsk::nginx_testnet", "kosmos_rsk::nginx_mainnet", + "kosmos_strfry::nginx", "kosmos_website", "kosmos_website::default", "kosmos-akkounts::nginx", diff --git a/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb b/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb index a9fb157..2f8cee7 100644 --- a/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb +++ b/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb @@ -6,7 +6,6 @@ upstream _strfry { server { listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; - listen [::]:443 ssl http2; server_name <%= @domain %>; access_log "/var/log/nginx/<%= @domain %>.access.log"; @@ -17,8 +16,6 @@ server { location / { proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://_strfry; proxy_http_version 1.1; From d1301dad3ed824e3eb7e1037c2fdd759a1c0d1d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 11 Jun 2024 23:12:22 +0200 Subject: [PATCH 08/14] Add, configure, deploy strfry policies --- data_bags/credentials/dirsrv.json | 27 +++++++- environments/production.json | 1 + roles/strfry.rb | 2 + .../kosmos_kvm/attributes/default.rb | 9 +-- .../kosmos_strfry/attributes/default.rb | 1 + site-cookbooks/kosmos_strfry/metadata.rb | 1 + .../kosmos_strfry/recipes/policies.rb | 62 +++++++++++++++++++ .../kosmos_strfry/templates/env.erb | 11 ++++ site-cookbooks/strfry | 2 +- 9 files changed, 108 insertions(+), 8 deletions(-) create mode 100644 site-cookbooks/kosmos_strfry/attributes/default.rb create mode 100644 site-cookbooks/kosmos_strfry/recipes/policies.rb create mode 100644 site-cookbooks/kosmos_strfry/templates/env.erb diff --git a/data_bags/credentials/dirsrv.json b/data_bags/credentials/dirsrv.json index cf4ce41..8ab60bd 100644 
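Review bot: Dropping `listen [::]:443 ssl http2;` in the first template hunk removes the IPv6 listener for this vhost, and neither that nor the removed `X-Forwarded-For`/`X-Forwarded-Proto` headers is explained by the commit message. If the other openresty site templates likewise listen only on `listen_ip`, a one-line template comment saying so would stop the next reader from re-adding the line. Keeping `X-Real-IP $remote_addr` is correct, as it is the header strfry trusts via `real_ip_header`.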
--- a/data_bags/credentials/dirsrv.json +++ b/data_bags/credentials/dirsrv.json @@ -1,9 +1,30 @@ { "id": "dirsrv", + "admin_dn": { + "encrypted_data": "zRtz6Scb9WtUXGyjc0xyvsre0YvqupuaFz+RPApj7DEQTmYyZPVb\n", + "iv": "xfIXMhEBHBWqa4Dz\n", + "auth_tag": "BcA32u1njcnCZ+yrBGSceQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, "admin_password": { - "encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n", - "iv": "KNW2B8tpX7ywZwbg\n", - "auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n", + "encrypted_data": "7JpXl3JZDqKWDfYt/wuNbkbob+oRuONhkuAlpqUCCEIn+tY=\n", + "iv": "Lcwc4NDzrfcBaIKQ\n", + "auth_tag": "rrePS3Bhdnwbr2d/o8vMhg==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "service_dn": { + "encrypted_data": "sqRFiZreLeTPQljSfhAuV3DmsPxSC8tzWjCdu+WSSbO67sBQA+xhmGtzBhBD\nDZPGJw+jtAxzuVvPdAjxgAVgxXO6C6WEo87L1tdJewE=\n", + "iv": "GUEGtyRJXrPhWcUs\n", + "auth_tag": "2USsrx//3V7RCyumGCbMkg==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "service_password": { + "encrypted_data": "f2wi8B8SEt6p5G0TF3dZ72j0vMFlvwcP1suxYnshBA==\n", + "iv": "rOnUoxbnkaJtodM+\n", + "auth_tag": "dVLCtBVMjxLfW2D8XjJBdQ==\n", "version": 3, "cipher": "aes-256-gcm" } diff --git a/environments/production.json b/environments/production.json index ab93492..623c265 100644 --- a/environments/production.json +++ b/environments/production.json @@ -105,6 +105,7 @@ "strfry": { "domain": "nostr.kosmos.org", "real_ip_header": "x-real-ip", + "policy_path": "/opt/strfry-policy.ts", "info": { "name": "Kosmos Relay", "description": "Members-only nostr relay for kosmos.org users", diff --git a/roles/strfry.rb b/roles/strfry.rb index 65472d2..256dac9 100644 --- a/roles/strfry.rb +++ b/roles/strfry.rb @@ -1,6 +1,8 @@ name "strfry" run_list %w( + role[ldap_client] strfry::default + kosmos_strfry::policies kosmos_strfry::firewall ) diff --git a/site-cookbooks/kosmos_kvm/attributes/default.rb b/site-cookbooks/kosmos_kvm/attributes/default.rb index 4783c7e..25863d2 100644 
--- a/site-cookbooks/kosmos_kvm/attributes/default.rb +++ b/site-cookbooks/kosmos_kvm/attributes/default.rb @@ -1,9 +1,10 @@ -ubuntu_server_cloud_image_release = "20230506" +release = "20240514" +img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm" node.default["kosmos_kvm"]["host"]["qemu_base_image"] = { - "url" => "https://cloud-images.ubuntu.com/releases/focal/release-#{ubuntu_server_cloud_image_release}/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img", - "checksum" => "27d2b91fd2b715729d739e2a3155dce70d1aaae4f05c177f338b9d4b60be638c", - "path" => "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm-#{ubuntu_server_cloud_image_release}.qcow2" + "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img", + "checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f", + "path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2" } # A systemd.timer OnCalendar config value diff --git a/site-cookbooks/kosmos_strfry/attributes/default.rb b/site-cookbooks/kosmos_strfry/attributes/default.rb new file mode 100644 index 0000000..e794f13 --- /dev/null +++ b/site-cookbooks/kosmos_strfry/attributes/default.rb @@ -0,0 +1 @@ +node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org" diff --git a/site-cookbooks/kosmos_strfry/metadata.rb b/site-cookbooks/kosmos_strfry/metadata.rb index 8498c01..c1be761 100644 --- a/site-cookbooks/kosmos_strfry/metadata.rb +++ b/site-cookbooks/kosmos_strfry/metadata.rb @@ -7,3 +7,4 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) version '0.1.0' depends 'kosmos_openresty' +depends 'deno' diff --git a/site-cookbooks/kosmos_strfry/recipes/policies.rb b/site-cookbooks/kosmos_strfry/recipes/policies.rb new file mode 100644 index 0000000..cb4d9ec --- /dev/null +++ b/site-cookbooks/kosmos_strfry/recipes/policies.rb 
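Review bot: The base-image bump in `site-cookbooks/kosmos_kvm/attributes/default.rb` is unrelated to the strfry policies this commit is about and should be its own commit, so that the release and checksum change can be reviewed and reverted independently. Pinning `checksum` alongside `url` is the right approach for an image that gets downloaded and booted; a short comment naming where the value was taken from, e.g. `# sha256 from the release directory's SHA256SUMS`, makes the next bump verifiable without guesswork.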
@@ -0,0 +1,62 @@
+#
+# Cookbook Name:: kosmos_strfry
+# Recipe:: policies
+#
+
+include_recipe "deno"
+
+#
+# config
+#
+
+ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
+
+env = {
+ ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
+ ldap_bind_dn: ldap_credentials["service_dn"],
+ ldap_password: ldap_credentials["service_password"],
+ ldap_search_dn: node["strfry"]["ldap_search_dn"]
+}
+
+template "/opt/.env" do
+ source 'env.erb'
+ owner node["strfry"]["user"]
+ group node["strfry"]["group"]
+ mode 0600
+ sensitive true
+ variables config: env
+ notifies :restart, "service[strfry]", :delayed
+end
+
+#
+# strfry deno scripts
+#
+
+base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/master/extras/strfry"
+
+remote_file "/opt/strfry-policy.ts" do
+ source "#{base_url}/strfry-policy.ts"
+ owner node["strfry"]["user"]
+ group node["strfry"]["group"]
+ mode "0755"
+ notifies :restart, "service[strfry]", :delayed
+end
+
+remote_file "/opt/ldap-policy.ts" do
+ source "#{base_url}/ldap-policy.ts"
+ owner node["strfry"]["user"]
+ group node["strfry"]["group"]
+ mode "0644"
+ notifies :restart, "service[strfry]", :delayed
+end
+
+remote_file "/opt/strfry-sync.ts" do
+ source "#{base_url}/strfry-sync.ts"
+ owner node["strfry"]["user"]
+ group node["strfry"]["group"]
+ mode "0644"
+end
+
+# service "strfry" do
+# action :nothing
+# end
diff --git a/site-cookbooks/kosmos_strfry/templates/env.erb b/site-cookbooks/kosmos_strfry/templates/env.erb
new file mode 100644
index 0000000..4b1faa5
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/templates/env.erb
@@ -0,0 +1,11 @@
+<% @config.each do |key, value| %>
+<% if value.is_a?(Hash) %>
+<% value.each do |k, v| %>
+<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
+<% end %>
+<% else %>
+<% if value %>
+<%= key.upcase %>=<%= value.to_s %>
+<% end %>
+<% end %>
+<% end %>
diff --git a/site-cookbooks/strfry b/site-cookbooks/strfry
index 65b6d65..a475637 160000
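Review bot: The three `remote_file` resources fetch executable policy code (`strfry-policy.ts` is installed with `mode "0755"` and is what the relay runs for incoming events) from a mutable branch URL with no `checksum`, so whoever can push to that branch, or anything that alters the download in transit, changes what runs on the relay at the next chef run, and `notifies :restart` applies it immediately. Pin `base_url` to an immutable ref (e.g. `.../raw/commit/<commit-sha>/extras/strfry`) and set `checksum "<sha256-of-file>"` on each resource; `remote_file` then skips the download when the local copy already matches and raises on a mismatch instead of installing it. The same pattern recurs in the `deno.json`, `deno.lock` and moved-path resources added in patches 11, 12 and 13. Separately, `ldap_url: 'ldap://ldap.kosmos.local:389'` performs a simple bind with `service_password` over plaintext LDAP; if the directory supports it, `ldaps://` or STARTTLS keeps the bind credential off the wire even on the internal segment.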
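Review bot: `<%= key.upcase %>=<%= value.to_s %>` writes values unquoted and unescaped, and `ldap_password` from the encrypted data bag passes through this line, so a credential containing whitespace, `#` or a quote may be truncated or misparsed by the `.env` reader. Wrapping each value in double quotes and escaping embedded `"` and `\` is the usual defensive shape; whether the Deno-side dotenv reader accepts quoted values is outside this diff and worth confirming before changing it. The `if value` guard silently drops nil entries, which is fine, but a comment saying that unset keys are omitted rather than written empty would make the template's contract explicit.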
--- a/site-cookbooks/strfry +++ b/site-cookbooks/strfry @@ -1 +1 @@ -Subproject commit 65b6d65527f6869fa5492b80de878fe29b50a386 +Subproject commit a4756377b480c9bcceba4867969a0c15880913dc From f5961af7fee1558defd17c6de2cafb2a8f4bd3d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 11 Jun 2024 22:53:23 +0200 Subject: [PATCH 09/14] Create/deploy strfry VM --- clients/strfry-1.json | 4 +++ nodes/strfry-1.json | 66 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+) create mode 100644 clients/strfry-1.json create mode 100644 nodes/strfry-1.json diff --git a/clients/strfry-1.json b/clients/strfry-1.json new file mode 100644 index 0000000..3ca35c9 --- /dev/null +++ b/clients/strfry-1.json @@ -0,0 +1,4 @@ +{ + "name": "strfry-1", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDV/RMGMXVDbvoA6PNh8\nQzhtHwYDCFcUSkbrwP6tzh6GpVunGEOdOdhj2V63T2tF1H+lujxQXh5pK7C0D6VZ\niO04ftJlo7/svyxUcwWr+znyN5sFdQRh3cBZiGSBYolizwoqgtPFlbNhmWAzV0Du\n9t8mhz70IK3B+UdwWyHtoK0NNsJGnQ9YzAvcjyDmEO/3sCjAhNnxVpmXftpcSmd9\nMonzFtIDBbRRll4AHZYRbmXCzx63+VmelvdnufnbY82liol0zzBwJaBD1wyNlG0y\ni96p3Kx03bLNlIaYVGbjZeJi+6oo2VDWJ4OloLLAYoHDSipeHT9qWfUdnE6ge4Lm\nywIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/nodes/strfry-1.json b/nodes/strfry-1.json new file mode 100644 index 0000000..114bbb9 --- /dev/null +++ b/nodes/strfry-1.json 
@@ -0,0 +1,66 @@ +{ + "name": "strfry-1", + "chef_environment": "production", + "normal": { + "knife_zero": { + "host": "10.1.1.164" + } + }, + "automatic": { + "fqdn": "strfry-1", + "os": "linux", + "os_version": "5.15.0-1060-kvm", + "hostname": "strfry-1", + "ipaddress": "192.168.122.54", + "roles": [ + "base", + "kvm_guest", + "strfry", + "ldap_client" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_kvm::guest", + "kosmos-dirsrv::hostsfile", + "strfry", + "strfry::default", + "kosmos_strfry::policies", + "kosmos_strfry::firewall", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "deno::default" + ], + "platform": "ubuntu", + "platform_version": "22.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "18.4.12", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib", + "chef_effortless": null + }, + "ohai": { + "version": "18.1.11", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai" + } + } + }, + "run_list": [ + "role[base]", + "role[kvm_guest]", + "role[strfry]" + ] +} From 7e664723a1abb71382e0ffc238f44b66a4ba1c3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Thu, 20 Jun 2024 15:04:17 +0200 Subject: [PATCH 10/14] Configure akkounts nostr relay URL in production --- environments/production.json | 3 ++- site-cookbooks/kosmos-akkounts/attributes/default.rb | 1 + site-cookbooks/kosmos-akkounts/recipes/default.rb | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/environments/production.json b/environments/production.json index 623c265..9904aba 100644 --- a/environments/production.json +++ b/environments/production.json 
@@ -14,7 +14,8 @@ "public_key": "024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946" }, "nostr": { - "public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a" + "public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a", + "relay_url": "wss://nostr.kosmos.org" } }, "discourse": { diff --git a/site-cookbooks/kosmos-akkounts/attributes/default.rb b/site-cookbooks/kosmos-akkounts/attributes/default.rb index 8c8ad69..421f50f 100644 --- a/site-cookbooks/kosmos-akkounts/attributes/default.rb +++ b/site-cookbooks/kosmos-akkounts/attributes/default.rb @@ -22,6 +22,7 @@ node.default['akkounts']['lndhub']['public_key'] = nil node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub' node.default['akkounts']['nostr']['public_key'] = nil +node.default['akkounts']['nostr']['relay_url'] = nil node.default['akkounts']['s3_enabled'] = true node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org" diff --git a/site-cookbooks/kosmos-akkounts/recipes/default.rb b/site-cookbooks/kosmos-akkounts/recipes/default.rb index 2dd0a2b..8ffa7ab 100644 --- a/site-cookbooks/kosmos-akkounts/recipes/default.rb +++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb @@ -163,6 +163,7 @@ env[:mediawiki_public_url] = node['mediawiki']['url'] env[:nostr_private_key] = credentials['nostr_private_key'] env[:nostr_public_key] = node['akkounts']['nostr']['public_key'] +env[:nostr_relay_url] = node['akkounts']['nostr']['relay_url'] # # remoteStorage / Liquor Cabinet From 80eddfbf568beaf41bb2fdddd603ee18daa48298 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Thu, 20 Jun 2024 15:38:27 +0200 Subject: [PATCH 11/14] Configure strfry whitelist Allow akkounts pubkey to publish to our own relay --- environments/production.json | 3 +++ site-cookbooks/kosmos_strfry/recipes/policies.rb | 13 +++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) 
diff --git a/environments/production.json b/environments/production.json
index 9904aba..d7832ca 100644
--- a/environments/production.json
+++ b/environments/production.json
@@ -107,6 +107,9 @@
 "domain": "nostr.kosmos.org",
 "real_ip_header": "x-real-ip",
 "policy_path": "/opt/strfry-policy.ts",
+ "whitelist_pubkeys": [
+ "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
+ ],
 "info": {
 "name": "Kosmos Relay",
 "description": "Members-only nostr relay for kosmos.org users",
diff --git a/site-cookbooks/kosmos_strfry/recipes/policies.rb b/site-cookbooks/kosmos_strfry/recipes/policies.rb
index cb4d9ec..af1b0e5 100644
--- a/site-cookbooks/kosmos_strfry/recipes/policies.rb
+++ b/site-cookbooks/kosmos_strfry/recipes/policies.rb
@@ -15,7 +15,8 @@ env = {
 ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
 ldap_bind_dn: ldap_credentials["service_dn"],
 ldap_password: ldap_credentials["service_password"],
- ldap_search_dn: node["strfry"]["ldap_search_dn"]
+ ldap_search_dn: node["strfry"]["ldap_search_dn"],
+ whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
 }
 
 template "/opt/.env" do
@@ -32,7 +33,15 @@ end
 # strfry deno scripts
 #
 
-base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/master/extras/strfry"
+base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/live/extras/strfry"
+
+remote_file "/opt/deno.json" do
+ source "#{base_url}/deno.json"
+ owner node["strfry"]["user"]
+ group node["strfry"]["group"]
+ mode "0644"
+ notifies :restart, "service[strfry]", :delayed
+end
 
 remote_file "/opt/strfry-policy.ts" do
 source "#{base_url}/strfry-policy.ts"
From 522c213b099543dae8115d00054552b7f4d1b0dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Thu, 20 Jun 2024 18:16:27 +0200
Subject: [PATCH 12/14] Add Deno lockfile
---
 site-cookbooks/kosmos_strfry/recipes/policies.rb | 8 ++++++++
 1 file changed, 8 insertions(+)
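Review bot: `node["strfry"]["whitelist_pubkeys"].join(",")` raises `NoMethodError` on any node where the attribute is unset, and this cookbook's attributes file defines no default for it (only `production.json` sets one), so a non-production environment fails the chef run at this line; `Array(node["strfry"]["whitelist_pubkeys"]).join(",")` tolerates nil and a single string alike, or add `node.default["strfry"]["whitelist_pubkeys"] = []` to the attributes file. In the second hunk, `base_url` moves from `master` to `live`, which is still a moving ref, and the new `deno.json` resource is fetched without a `checksum`, so what the relay's policy runtime loads is not pinned to anything reviewable.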
diff --git a/site-cookbooks/kosmos_strfry/recipes/policies.rb b/site-cookbooks/kosmos_strfry/recipes/policies.rb index af1b0e5..30bd144 100644 --- a/site-cookbooks/kosmos_strfry/recipes/policies.rb +++ b/site-cookbooks/kosmos_strfry/recipes/policies.rb @@ -43,6 +43,14 @@ remote_file "/opt/deno.json" do notifies :restart, "service[strfry]", :delayed end +remote_file "/opt/deno.lock" do + source "#{base_url}/deno.lock" + owner node["strfry"]["user"] + group node["strfry"]["group"] + mode "0644" + notifies :restart, "service[strfry]", :delayed +end + remote_file "/opt/strfry-policy.ts" do source "#{base_url}/strfry-policy.ts" owner node["strfry"]["user"] From 8b8e8f3438eec90008ef53e0b7d929d277cb17e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 3 Jul 2024 09:22:50 +0200 Subject: [PATCH 13/14] Move strfry extras into their own directory --- environments/production.json | 2 +- .../kosmos_strfry/attributes/default.rb | 1 + .../kosmos_strfry/recipes/policies.rb | 20 +++++++++++++------ 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/environments/production.json b/environments/production.json index d7832ca..84cf15d 100644 --- a/environments/production.json +++ b/environments/production.json @@ -106,7 +106,7 @@ "strfry": { "domain": "nostr.kosmos.org", "real_ip_header": "x-real-ip", - "policy_path": "/opt/strfry-policy.ts", + "policy_path": "/opt/strfry/strfry-policy.ts", "whitelist_pubkeys": [ "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a" ], diff --git a/site-cookbooks/kosmos_strfry/attributes/default.rb b/site-cookbooks/kosmos_strfry/attributes/default.rb index e794f13..10b0eba 100644 --- a/site-cookbooks/kosmos_strfry/attributes/default.rb +++ b/site-cookbooks/kosmos_strfry/attributes/default.rb @@ -1 +1,2 @@ node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org" +node.default["strfry"]["extras_dir"] = "/opt/strfry" 
diff --git a/site-cookbooks/kosmos_strfry/recipes/policies.rb b/site-cookbooks/kosmos_strfry/recipes/policies.rb
index 30bd144..43dfa3a 100644
--- a/site-cookbooks/kosmos_strfry/recipes/policies.rb
+++ b/site-cookbooks/kosmos_strfry/recipes/policies.rb
@@ -11,6 +11,14 @@ include_recipe "deno"
 
 ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
 
+extras_dir = node["strfry"]["extras_dir"]
+
+directory extras_dir do
+ owner node["strfry"]["user"]
+ group node["strfry"]["group"]
+ mode "0755"
+end
+
 env = {
 ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
 ldap_bind_dn: ldap_credentials["service_dn"],
@@ -19,7 +27,7 @@ env = {
 whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
 }
 
-template "/opt/.env" do
+template "#{extras_dir}/.env" do
 source 'env.erb'
 owner node["strfry"]["user"]
 group node["strfry"]["group"]
@@ -35,7 +43,7 @@ end
 
 base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/live/extras/strfry"
 
-remote_file "/opt/deno.json" do
+remote_file "#{extras_dir}/deno.json" do
 source "#{base_url}/deno.json"
 owner node["strfry"]["user"]
 group node["strfry"]["group"]
@@ -43,7 +51,7 @@ remote_file "/opt/deno.json" do
 notifies :restart, "service[strfry]", :delayed
 end
 
-remote_file "/opt/deno.lock" do
+remote_file "#{extras_dir}/deno.lock" do
 source "#{base_url}/deno.lock"
 owner node["strfry"]["user"]
 group node["strfry"]["group"]
@@ -51,7 +59,7 @@ remote_file "/opt/deno.lock" do
 notifies :restart, "service[strfry]", :delayed
 end
 
-remote_file "/opt/strfry-policy.ts" do
+remote_file "#{extras_dir}/strfry-policy.ts" do
 source "#{base_url}/strfry-policy.ts"
 owner node["strfry"]["user"]
 group node["strfry"]["group"]
@@ -59,7 +67,7 @@ remote_file "/opt/strfry-policy.ts" do
 notifies :restart, "service[strfry]", :delayed
 end
 
-remote_file "/opt/ldap-policy.ts" do
+remote_file "#{extras_dir}/ldap-policy.ts" do
 source "#{base_url}/ldap-policy.ts"
 owner node["strfry"]["user"]
 group node["strfry"]["group"]
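Review bot: `directory extras_dir` and every file placed inside it are owned by `node["strfry"]["user"]`, so the account the relay runs as can rewrite its own policy scripts and `deno.json`/`deno.lock`; a compromise of the relay process then persists as modified policy code until the next chef run happens to re-download it. Least privilege here is root ownership with `mode "0755"` on the directory and `0644`/`0755` on the scripts (the relay only needs to read and execute them), keeping the service user only on `.env`, which carries the LDAP credential and must remain `0600`. This assumes the Deno runtime does not need to write into that directory, which nothing in the recipe suggests; confirm before changing ownership. The `env = {` hash continues past the end of the first hunk.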
@@ -67,7 +75,7 @@ remote_file "/opt/ldap-policy.ts" do notifies :restart, "service[strfry]", :delayed end -remote_file "/opt/strfry-sync.ts" do +remote_file "#{extras_dir}/strfry-sync.ts" do source "#{base_url}/strfry-sync.ts" owner node["strfry"]["user"] group node["strfry"]["group"] From 232360efbab0ea15844668ae13f849cdf3fb9745 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 3 Jul 2024 09:23:13 +0200 Subject: [PATCH 14/14] Remove commented code --- site-cookbooks/kosmos_strfry/recipes/policies.rb | 4 ---- 1 file changed, 4 deletions(-) diff --git a/site-cookbooks/kosmos_strfry/recipes/policies.rb b/site-cookbooks/kosmos_strfry/recipes/policies.rb index 43dfa3a..235a154 100644 --- a/site-cookbooks/kosmos_strfry/recipes/policies.rb +++ b/site-cookbooks/kosmos_strfry/recipes/policies.rb @@ -81,7 +81,3 @@ remote_file "#{extras_dir}/strfry-sync.ts" do group node["strfry"]["group"] mode "0644" end - -# service "strfry" do -# action :nothing -# end