Merge branch 'master' into jammy_jellyfish

2023-12-05 14:21:55 +01:00 · 2023-12-05 14:21:55 +01:00 · 67244f78e1
commit 67244f78e1
parent ee3b8a3fc1 1e9878d17e
33 changed files with 102 additions and 253 deletions
--- a/clients/barnard.kosmos.org.json
+++ b/clients/barnard.kosmos.org.json
@ -1,4 +0,0 @@
-{
-  "name": "barnard.kosmos.org",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5Rr+3giLkr0xqZPRPn9Z\ngxvmAaUo6VSs1qnMfznNNN/CGCYett0ndEJp4wI8xp2fq75b2TSm4jqhqjtgYVVD\nEeSOKTZEnoE7YSssodGTAK5YnrVIPNyWd61Ih/NkHzCjlcuVX6sJD7z/pgK+WMao\nAAxzMrefvHALFBmJIxbugakru/nvDcQeV8DOF+UjzsO5CTC0BUzCFeXBG7HD3W+6\nP2wQlMKteM9uQU6Agx7XegeWS2Lfnxg1em5TNbw1PbLofROwr1pCUPfVzQ0CAVxm\nXLzmA2xtMqCT2j83DU9WleZPYiS0rg+r9T1jsDX0TyH4NTV8gO2SJ9BMUNcX+3Ox\nmQIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/centaurus.kosmos.org.json
+++ b/clients/centaurus.kosmos.org.json
@ -1,4 +0,0 @@
-{
-  "name": "centaurus.kosmos.org",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsVV0j8DQSlefAAAmafjx\nyT1j1idLQF0oltTp2p4jFEsnEdFeP4Plpluy+detra1gM9sBBBuvRKGt8NP+Yoc7\nbnn7qU13E/nWUQh9n15+jjgUirXg7CxluKfj2VvsdchJRIvzDwwZz5sqITiGG7/S\n2r2KBBBnuGlGShQJZhhcLW4P+3YgxW8DUgUsRdvreVuvF1hcnaSymldfos1CqYL8\nawtsZ2rtdZHmZxfguXl91WBCu2OxsT13i3kInnDQsFB0tYKq+TFSLAHxneKTYPRW\ngYgP9RSBZ51iQ+6R1CenYsr4SePVCmwaZGb8bmd0QLvGKlBhjX29a5bE5tjzeoBD\nuwIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/discourse-1.json
+++ b/clients/discourse-1.json
@ -1,4 +0,0 @@
-{
-  "name": "discourse-1",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxJBhKUtTcmjP8eG4aLNF\n9UfNU9lRIFhfywjFJjtXoYdNaUatZHE3s1HKND0SjJs5BRQbZBEKLxTHCgnPZD4U\nlRgZ65JtHwi+JNM6ac4TQm5JYKA++KxX7FtOiJV6oGX6foNoFVHrGi+fhTlLE9hL\npHRQWTpM8ErpUEj3VHez+k6KT1Mr3QO5T9L5kqu1BdTYwtyfXJE0VfyDKz/rwrvc\ngPvZd167p8YCTu/rWLG9X8tag+ySUR9cmlEn5sCsBLmq56Zurf0VIe/0tuGPI8DP\nAVc4dIXHsfGuKLwBfFPSDy9YbI7F8gbaD05UnUVn60IWPmWsE19K/iIc/OnJZwRO\nkQIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/ejabberd-6.json
+++ b/clients/ejabberd-6.json
@ -1,4 +0,0 @@
-{
-  "name": "ejabberd-6",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqvGOanDqJOhf0xl/TYcs\nqYhhGz4ptFzxmfxiCMWbnbDcICBLHni28dJHhP2ggfUKOGcp+OIqiy783eRUrPsf\nnH9VmvTnz4NdXIB5J45FgBtfYiF9ZseaPL+ufTSCbZj7Ih3lzTAbO5Ug+UOj852B\nnnqH2Ht2jXMp2v3NW4gAG9QyRpr6P5cyVWBrMFExjuhNWg119tJv+33oGnflrNRi\njV3yGbRFRpqAomAVCr6DAA9SX/R8J3yKTky6MdRGrXKH/7eXH0ehDi33Y9Pyy9Ci\nkQX/JRHffuJeBF3Tndiojqdx81C6oIh2s/H3JMew/DdRxjzlPP4nemYWXv1/YVcS\nCwIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/ejabberd-7.json
+++ b/clients/ejabberd-7.json
@ -1,4 +0,0 @@
-{
-  "name": "ejabberd-7",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzHfqcI/6w58gLwDFCKxw\n0TeKFOf4MFBnmUGsWyi8BEskkjh4QEDc4pUFeiVuEADFyBfCnALWh004nKhiwamc\nECybfAKlJryoQQEcYZC6H4rZf3SW7xPLk12X00YySNroYM50PM5Ly/G7MI9a669g\n6HNOgn1MYIEh8unpsAHjfKpx72bNutRYKKvBDaHXNvlJ459Jr8HNpERFk8IeaGcF\n4BKqf/MNxkQHOfy7R4ETXeLUBrgD13SmLbs6mM3lXS6IgkoeFyAvAPP4ZgwgiJ6w\nqIKsX4cRt8xnJJ+MTNBX4oc0f9+Gu8bUpr2JZ8tcwq3GUgDjv+JSJpk/uDzzbQUe\nIwIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/gitea-1.json
+++ b/clients/gitea-1.json
@ -1,4 +0,0 @@
-{
-  "name": "gitea-1",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0bp4I/f5dLL22GRHanLV\nw57sNBEWT3Vx32B24hScKNP5nYDW0dIRkt1c7SLEpe+diNgyIwk7JlI20Vl+oaVo\njdCpmHSB18yXxQT2Ub6aI8ApwFLECVA6SckekcwxLJc/oGRMB52PonI8opJOVbPa\nF+heZ5NNDiMvn3E8qODdMWSjDiJNSVLJgsCPFHAt32aJgLaXQTqG5lrmltaamscW\njGlFqiBJw/5saCkKBPdPwdX4RcDqvGX1FdE1LVB42cskv8CrnvEVFLBxKXAhAr6s\nNhOhenzLGHpy58tNoUoUw3v4WiPRtcnlNxeSVG5LKkjaK04f2oxeZx3SiSU/1naY\nkwIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/mastodon-2.json
+++ b/clients/mastodon-2.json
@ -1,4 +0,0 @@
-{
-  "name": "mastodon-2",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA27a8h17CCQLP8JY59n+M\nURsrbeVvRi3yIUe1IklOlRSTy0L3Z37rFuSNC3dC9rKl/pHDKtorgeukxbFADXQx\nkta2LNX8gf09jCWsUdga5lWIbfOdtlCLRDG1MVEUSA0f6Sxdqr8RbjM2ch31T6Me\n5Z6DYdggwBujcPHwZC1AugI1wJ0T5XHY9f2MDs/XjNEdw3ThYbAdbl1e09ql6Gtg\nSVCa4RlLg/KICdLJtVOLkX6049/XRxi41I6xvu9tXsqgV3+bs8dYbeGLsTWmpPIv\naAUMcf/A5t4B2DVpnlXDytPqfvZQPD3aBVyfEJRGI1yD6Vi9zL3RyIhDQ/I7PMNI\naQIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/nodejs-1.json
+++ b/clients/nodejs-1.json
@ -1,4 +0,0 @@
-{
-  "name": "nodejs-1",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9L4BQgLEpQSSbSLwXOab\nfFey5VSk8ynDmj2I9sOpPMIXkXpmbONkyXqZ4CqKrMRtesXAg1F1lIwzE/WJy0wP\n9CRhEgnclHRHE3TVqWt8dC6+u5kx5o48EF8X9UWgV1098c21gcn68NZ7+l/janws\ntLYrgMynikcadaGtAkRszGG0dX+qdeRx9hRzhTNUIG4AYe6bUA6/LfOEPyRyuo3Q\ncaN5fAJSK+RRMWr1d7Mzd8k+l3xXzcUTMUL2To+Zh0Fw2SIEocM4NS1W9nAm4+Cq\nhlQUhsoHDwk7bDsIQtRNfy3bX59PSIVMcWLNkWilLzZW1yRtFGPTJfPlR4Y1XJb5\nuwIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/nodejs-2.json
+++ b/clients/nodejs-2.json
@ -1,4 +0,0 @@
-{
-  "name": "nodejs-2",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuWyrBQXathrKzRO7HbX7\nZXqkeGo7X0q3qckO/Uh4Ht67bFb6iQDRo/gRkaVA0PM++2AhtW7wV2NYXR/3qowc\n1gGtO0zuQq56crcL7k9nVuFJ1IbYDyasEq+5nUKzEUVT0hK1/Vzh12gLFhDkBOX+\nCvISLTTQgEGljwNQLf1kZTraJcdDSN0R2k2jl+idJkeAuK5cjMEJa7Fog8scM2rR\nzGhB8gDRp+iq4HQ+yE3R1yXW9rBfWoConnXiNxholt3e2aAte2V1KnEmVLO/8ceo\nvqIp5xEcDKIAIrSqsmopRFXJ0PjS/nbS0Z2ynxpyh1BV4sqr/y4oOryrnwO+LqBB\nHwIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/nodejs-3.json
+++ b/clients/nodejs-3.json
@ -1,4 +0,0 @@
-{
-  "name": "nodejs-3",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqP7aGx+S9Mdt6xmaGnJ\nfNWWQsg4BvLiP1qtVt3VRrcXF2cy1bhgfnmqoBqnDk4bGlRoTzF+rSOw284+O2UQ\ntUlsBRos4TOyGfbYHehF12Re6NX51K9LHwaprr3eN5h08wLI8pjVrRJlbce8pHST\nXQ/CZvU+CBg43LE08cXr5kRmhnZrgh70g7zTO8+1E6y74r1LEh77Ar4uaaB5jXw7\n6o9TyfaA1HgyqvfYbH+9KPrJfMX/DeLrYPMI3IG/j3fzDUQQ8o9Pb5B+G1Apl+I+\nsTcgWRei5u06aZHLMMd8MMo4O1yUhbt05kxfVhlDGUDWBdi3cvsMf95t6MNdz/eq\niwIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/rsk-mainnet-1.json
+++ b/clients/rsk-mainnet-1.json
@ -1,4 +0,0 @@
-{
-  "name": "rsk-mainnet-1",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtavs6RQW6af9fWuEuhI1\nQa4Ff7Z1CfZ0fHz152UqUeUKatQ/psKVs5ULWDV/b69fSuNsUzkCny9OwtwyQB/F\n2U+vbv3/3As3z6i3V3q8q4ahCHd7tkMmxMLaWcdkfWbpupWTRkCEX+PSDKS0hdfp\n3EQKVA2FrqR0sSnnT+Q66kZw4/WJrNwtSLcps4D5OubG7xr/uUn3Vyv5qXvS/7kx\nGvMONs55qh64Gtc3FSFPEdVyZXasCMEWwXyadqzf+/qJtEYlK0Uy5E/u7CTsnmcH\n9TEiYVw0/6PomQ2HJfSlZVUUO007OliBHO9bWOwZ6qI5c53pt5KES0dyy6SQ4m+8\nawIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/rsk-mainnet-2.json
+++ b/clients/rsk-mainnet-2.json
@ -1,4 +0,0 @@
-{
-  "name": "rsk-mainnet-2",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1cuvB3l7sBKJXqjhTih\nQloXteYOr/cQ24R5xUDnHZpCzM75khBjf9ZIX5fskManQ7MI4oFHAaKF6sCWT9QQ\nnL3ON0rCX8wDwBJpKY3iFisAK7f86GO5qkG2ovwG4wO1x69eKX52w33xGpPLPrmw\nBhFv+KfT56KZ3NCvDIQ6tew9VJ3g2V2zUtlL7xZIcdkgTXB06Ec8gbtoCAD3MVUQ\noxMCn+CK6QIAHGxpLIFEv5Y4hNRJ3+0RSuQikhhFzd7P2swnUgDSxDpbfoShroCC\neDw29sapOkQ+PwiHo2Zy8Qtr5m1ToGIhh8l1f/k2vi0Vf2xWVaTjbaeePEDMy9Fd\nKQIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/rsk-testnet-1.json
+++ b/clients/rsk-testnet-1.json
@ -1,4 +0,0 @@
-{
-  "name": "rsk-testnet-1",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0JU46rCyLGOi5OdeeE2M\nobUUxO+Jqd9t9bP75Pyj0uH8WaxNv1PIdWZJiR+fcE+draBV86/YLxHzOFvsnMi+\nE/qgeXLKErGtTSb12mWq0gYv/wz9uqRbtcsv40gpu2BtNv9ycdXYACB/s0ipnuUO\nX/os4YHDvWV1cshwzgsQ87ad7OdT/Nldggtp4go60TkBi49VaftiJzYqVm1ey3xz\nd7+EsQWqhQHAac6POEuPjwNuM2valf/8+nI4Uday/CiFrDDV1SffRG30sd4rJF15\nh1S1Kxyetr72EmQwIGbJuDJL7eUU7blXjg6UtTxDDsl6rYUO5s/j7wZLoFhmC854\npQIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/rsk-testnet-2.json
+++ b/clients/rsk-testnet-2.json
@ -1,4 +0,0 @@
-{
-  "name": "rsk-testnet-2",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzG2bgL0n5Q7bTR4WYHOB\nZNOuRem/jjarU/bL0VKKn0JqD3PPDAnhq9gRn7H8SwyGoVFN60YGzu45O4c+SqN3\nCXN+FeFabigH2tKLxBz3kNDYTT/F1ErLLi/6ydrCV3tpddR5KTqLSOntojG8KNzc\nyG4rMV9ebCE1wDVxAFdEA+YDZS8YjP0nO5sLWFacA0ZTx27t5ugqZP1acjSvKzWs\nZ+ekX5Pbws/oUHyaqEEPdz7er4MTBm0bdkCHZbM7132oBcH/huJZhmTXFEdoy4ML\nhP4MWWSvwo66HDYjnaID82a8W1RJZZu2irbPHrfVlaFAh8VQk1T1kkUu0bMovT3V\nYQIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/clients/rsk-testnet-3.json
+++ b/clients/rsk-testnet-3.json
@ -1,4 +0,0 @@
-{
-  "name": "rsk-testnet-3",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxbo3GccgPZp8UWhb9l2w\n+o6Qe5s4Tf/1TMOw3ppLw+IGCZhq9LEe8s8kngbBX7dMywbyDuf8vLXwvAHFKvC+\nx4XOXq0r9xDX8ujTCfqJxiSYk1KTyqM4lmi7qno7F9/Nwo7h3HuVbpkT752ojf+/\nDCSXwHL+uHlF6z3jKZ8iYBRHFrWmudh8bOm6lVsp/Iv4pQ/btZf8W5zULlk/Z6lT\nb6GS538Lnaoeu7wPCf/awL5GBg9findY3oS1lsEE+PfAu6SAHmbJcItMkrON7Esd\ng9xtwsjX1VICpJhOSkVS1nmRfYohELVJMdiKSLq+b5UskscbCjkRGY6GAPH8cVGg\nSQIDAQAB\n-----END PUBLIC KEY-----\n"
-}
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@ -47,6 +47,7 @@
      "kosmos_drone::nginx",
      "kosmos-ejabberd::nginx",
      "kosmos_garage::nginx_web",
+      "kosmos_garage::nginx_s3",
      "kosmos_gitea::nginx",
      "kosmos_gitea::nginx_ssh",
      "kosmos_rsk::nginx_testnet",
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@ -30,6 +30,7 @@
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::host",
+      "kosmos_kvm::backup",
      "kosmos_openresty",
      "kosmos_openresty::default",
      "kosmos_openresty::firewall",
--- a/nodes/gitea-2.json
+++ b/nodes/gitea-2.json
@ -9,7 +9,7 @@
  "automatic": {
    "fqdn": "gitea-2",
    "os": "linux",
-    "os_version": "5.4.0-1090-kvm",
+    "os_version": "5.4.0-1096-kvm",
    "hostname": "gitea-2",
    "ipaddress": "192.168.122.189",
    "roles": [
--- a/nodes/rsk-mainnet-2.json
+++ b/nodes/rsk-mainnet-2.json
@ -1,73 +0,0 @@
-{
-  "name": "rsk-mainnet-2",
-  "normal": {
-    "knife_zero": {
-      "host": "10.1.1.75"
-    }
-  },
-  "automatic": {
-    "fqdn": "rsk-mainnet-2",
-    "os": "linux",
-    "os_version": "5.4.0-1084-kvm",
-    "hostname": "rsk-mainnet-2",
-    "ipaddress": "192.168.122.208",
-    "roles": [
-      "kvm_guest",
-      "rskj_mainnet"
-    ],
-    "recipes": [
-      "kosmos-base",
-      "kosmos-base::default",
-      "kosmos_kvm::guest",
-      "kosmos_rsk::rskj",
-      "kosmos_rsk::nginx",
-      "apt::default",
-      "timezone_iii::default",
-      "timezone_iii::debian",
-      "ntp::default",
-      "ntp::apparmor",
-      "kosmos-base::systemd_emails",
-      "apt::unattended-upgrades",
-      "kosmos-base::firewall",
-      "kosmos-postfix::default",
-      "postfix::default",
-      "postfix::_common",
-      "postfix::_attributes",
-      "postfix::sasl_auth",
-      "hostname::default",
-      "kosmos_rsk::firewall",
-      "firewall::default",
-      "chef-sugar::default",
-      "kosmos-nginx::default",
-      "nginx::default",
-      "nginx::package",
-      "nginx::ohai_plugin",
-      "nginx::repo",
-      "nginx::commons",
-      "nginx::commons_dir",
-      "nginx::commons_script",
-      "nginx::commons_conf",
-      "kosmos-nginx::firewall",
-      "kosmos-base::letsencrypt"
-    ],
-    "platform": "ubuntu",
-    "platform_version": "20.04",
-    "cloud": null,
-    "chef_packages": {
-      "chef": {
-        "version": "17.9.52",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
-        "chef_effortless": null
-      },
-      "ohai": {
-        "version": "17.9.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
-      }
-    }
-  },
-  "run_list": [
-    "recipe[kosmos-base]",
-    "role[kvm_guest]",
-    "role[rskj_mainnet]"
-  ]
-}
--- a/nodes/rsk-testnet-3.json
+++ b/nodes/rsk-testnet-3.json
@ -1,73 +0,0 @@
-{
-  "name": "rsk-testnet-3",
-  "normal": {
-    "knife_zero": {
-      "host": "10.1.1.175"
-    }
-  },
-  "automatic": {
-    "fqdn": "rsk-testnet-3",
-    "os": "linux",
-    "os_version": "5.4.0-1084-kvm",
-    "hostname": "rsk-testnet-3",
-    "ipaddress": "192.168.122.231",
-    "roles": [
-      "kvm_guest",
-      "rskj_testnet"
-    ],
-    "recipes": [
-      "kosmos-base",
-      "kosmos-base::default",
-      "kosmos_kvm::guest",
-      "kosmos_rsk::rskj",
-      "kosmos_rsk::nginx",
-      "apt::default",
-      "timezone_iii::default",
-      "timezone_iii::debian",
-      "ntp::default",
-      "ntp::apparmor",
-      "kosmos-base::systemd_emails",
-      "apt::unattended-upgrades",
-      "kosmos-base::firewall",
-      "kosmos-postfix::default",
-      "postfix::default",
-      "postfix::_common",
-      "postfix::_attributes",
-      "postfix::sasl_auth",
-      "hostname::default",
-      "kosmos_rsk::firewall",
-      "firewall::default",
-      "chef-sugar::default",
-      "kosmos-nginx::default",
-      "nginx::default",
-      "nginx::package",
-      "nginx::ohai_plugin",
-      "nginx::repo",
-      "nginx::commons",
-      "nginx::commons_dir",
-      "nginx::commons_script",
-      "nginx::commons_conf",
-      "kosmos-nginx::firewall",
-      "kosmos-base::letsencrypt"
-    ],
-    "platform": "ubuntu",
-    "platform_version": "20.04",
-    "cloud": null,
-    "chef_packages": {
-      "chef": {
-        "version": "17.9.52",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
-        "chef_effortless": null
-      },
-      "ohai": {
-        "version": "17.9.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
-      }
-    }
-  },
-  "run_list": [
-    "recipe[kosmos-base]",
-    "role[kvm_guest]",
-    "role[rskj_testnet]"
-  ]
-}
--- a/site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb
+++ b/site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb
@ -26,7 +26,7 @@ set -euf -o pipefail
 #   Defaults to 30 seconds.
 #
 GANDI_API_KEY="<%= @gandi_api_key %>"
-PROVIDER_UPDATE_DELAY=2
+PROVIDER_UPDATE_DELAY=10

 regex='.*\.(.*\..*)'
 if [[ $CERTBOT_DOMAIN =~ $regex ]]
--- a/site-cookbooks/kosmos-mastodon/attributes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb
@ -1,5 +1,5 @@
 node.default["kosmos-mastodon"]["repo"]              = "https://gitea.kosmos.org/kosmos/mastodon.git"
-node.default["kosmos-mastodon"]["revision"]          = "kosmos-production"
+node.default["kosmos-mastodon"]["revision"]          = "production"
 node.default["kosmos-mastodon"]["directory"]         = "/opt/mastodon"
 node.default["kosmos-mastodon"]["bind_ip"]           = "127.0.0.1"
 node.default["kosmos-mastodon"]["app_port"]          = 3000
--- a/site-cookbooks/kosmos-mastodon/recipes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb
@ -3,6 +3,8 @@
 # Recipe:: default
 #

+node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_16.x"
+
 include_recipe "kosmos-nodejs"
 include_recipe "java"
 include_recipe 'redisio::default'
@ -73,13 +75,12 @@ npm_package "yarn" do
  version "1.22.4"
 end

-ruby_version = "3.0.4"
-# ruby_version = "3.2.2"
+ruby_version = "3.0.6"

 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"

-ruby_build_install 'v20230615'
+ruby_build_install 'v20231025'
 ruby_build_definition ruby_version do
  prefix_path ruby_path
 end
@ -210,15 +211,7 @@ execute "yarn install" do
  environment deploy_env
  user mastodon_user
  cwd mastodon_path
-  command "yarn install --pure-lockfile"
-end
-
-execute "rake db:migrate" do
-  environment deploy_env
-  user mastodon_user
-  group mastodon_user
-  cwd mastodon_path
-  command "bundle exec rake db:migrate"
+  command "yarn install --frozen-lockfile"
 end

 execute "rake assets:precompile" do
@ -229,6 +222,14 @@ execute "rake assets:precompile" do
  command "bundle exec rake assets:precompile"
 end

+execute "rake db:migrate" do
+  environment deploy_env
+  user mastodon_user
+  group mastodon_user
+  cwd mastodon_path
+  command "bundle exec rake db:migrate"
+end
+
 service "mastodon-web" do
  action [:enable, :start]
 end
--- a/site-cookbooks/kosmos-mastodon/templates/default/mastodon-sidekiq.systemd.service.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/mastodon-sidekiq.systemd.service.erb
@ -8,7 +8,8 @@ Type=simple
 User=<%= @user %>
 WorkingDirectory=<%= @app_dir %>
 Environment="RAILS_ENV=production"
-Environment="DB_POOL=50"
+Environment="DB_POOL=<%= @sidekiq_threads %>"
+Environment="MALLOC_ARENA_MAX=2"
 Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
 ExecStart=<%= @bundle_path %> exec sidekiq -c <%= @sidekiq_threads %> -q default -q mailers -q pull -q push -q ingress
 TimeoutSec=15
--- a/site-cookbooks/kosmos-mastodon/templates/default/mastodon-streaming.systemd.service.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/mastodon-streaming.systemd.service.erb
@ -8,9 +8,10 @@ WorkingDirectory=<%= @app_dir %>
 Environment="NODE_ENV=production"
 Environment="BIND=<%= @bind %>"
 Environment="PORT=<%= @port %>"
-ExecStart=/usr/bin/npm run start
+ExecStart=/usr/bin/node ./streaming
 TimeoutSec=15
 Restart=always
+LimitNOFILE=65536

 [Install]
 WantedBy=multi-user.target
--- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb
@ -15,7 +15,7 @@ gzip_proxied any;
 gzip_comp_level 6;
 gzip_buffers 16 8k;
 gzip_http_version 1.1;
-gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;

 location / {
 # If the maintenance file is present, show maintenance page
@ -25,34 +25,60 @@ location / {
  try_files $uri @proxy;
 }

-location /sw.js {
-  add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
-  add_header Pragma "no-cache";
+location = /sw.js {
+  add_header Cache-Control "public, max-age=604800, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  try_files $uri @proxy;
 }

-location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
-  add_header Cache-Control "public, max-age=31536000, immutable";
-  proxy_cache mastodon_cache;
+location ~ ^/assets/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  try_files $uri @proxy;
 }

-location @proxy {
-  proxy_set_header Host $host;
-  proxy_set_header X-Real-IP $remote_addr;
-  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-  proxy_set_header X-Forwarded-Proto https;
-  proxy_set_header Proxy "";
-  proxy_pass_header Server;
+location ~ ^/avatars/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}

-  proxy_pass http://mastodon_app;
-  proxy_buffering off;
-  proxy_redirect off;
-  proxy_http_version 1.1;
-  proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection $connection_upgrade;
+location ~ ^/emoji/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}

-  tcp_nodelay on;
+location ~ ^/headers/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
+
+location ~ ^/packs/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
+
+location ~ ^/shortcuts/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
+
+location ~ ^/sounds/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
+
+location ~ ^/system/ {
+  add_header Cache-Control "public, max-age=2419200, immutable";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  add_header X-Content-Type-Options nosniff;
+  add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
+  try_files $uri @proxy;
 }

 location /api/v1/streaming {
@ -72,6 +98,24 @@ location /api/v1/streaming {
  tcp_nodelay on;
 }

+location @proxy {
+  proxy_set_header Host $host;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto https;
+  proxy_set_header Proxy "";
+  proxy_pass_header Server;
+
+  proxy_pass http://mastodon_app;
+  proxy_buffering on;
+  proxy_redirect off;
+  proxy_http_version 1.1;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection $connection_upgrade;
+
+  tcp_nodelay on;
+}
+
 error_page 500 501 502 504 /500.html;
 error_page 503 /maintenance.html;

--- a/site-cookbooks/kosmos_garage/attributes/default.rb
+++ b/site-cookbooks/kosmos_garage/attributes/default.rb
@ -10,3 +10,4 @@ node.default['garage']['s3_api_root_domain'] = '.s3.garage.localhost'
 node.default['garage']['s3_web_root_domain'] = '.web.garage.localhost'
 node.default['garage']['s3_web_domains']     = []
 node.default['garage']['xmpp_upload_bucket'] = nil
+node.default['garage']['max_part_upload_size_mb'] = 101
--- a/site-cookbooks/kosmos_garage/recipes/nginx_s3.rb
+++ b/site-cookbooks/kosmos_garage/recipes/nginx_s3.rb
@ -17,6 +17,7 @@ openresty_site domain_name do
  variables server_name: "#{domain_name} #{server_name}",
            domain_name: domain_name,
            xmpp_upload_bucket: node['garage']['xmpp_upload_bucket'],
+            max_part_upload_size_mb: node['garage']["max_part_upload_size_mb"],
            ssl_cert:    "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
            ssl_key:     "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
 end
--- a/site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb
@ -16,6 +16,8 @@ server {

  error_page 401 403 404 500 /__empty-page.html;

+  client_max_body_size <%= @max_part_upload_size_mb %>m;
+
  location = /__empty-page.html {
    internal;
    return 200 "";
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@ -1,7 +1,7 @@
-gitea_version = "1.20.3"
+gitea_version = "1.20.5"
 node.default["gitea"]["version"] = gitea_version
 node.default["gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["gitea"]["binary_checksum"] = "bf9415d5f25690b81443302e6c68c16509c74e0b1385297c75a5b4913e43afd7"
+node.default["gitea"]["binary_checksum"] = "ae8d21f36098a62272fcfa67ecbb567d0ba6cf5aecaaab29a6b98a407d435bdf"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
--- a/site-cookbooks/kosmos_kvm/files/backup_vm.sh
+++ b/site-cookbooks/kosmos_kvm/files/backup_vm.sh
@ -1,7 +1,6 @@
 #!/bin/bash
 # GENERATED BY CHEF
 # DO NOT EDIT
-set -e

 REPOSITORY=$BORG_REPO

@ -18,6 +17,7 @@ virsh snapshot-create-as --domain $1  \
        --disk-only           \
        --diskspec vda,snapshot=external

+# TODO report failures
 borg create -v $REPOSITORY::$1_$(date +%F_%H-%M) \
        /var/lib/libvirt/images/$1.qcow2  \
        /root/backups/vm_meta/$1.xml
--- a/site-cookbooks/kosmos_kvm/templates/backup_all_vms.sh.erb
+++ b/site-cookbooks/kosmos_kvm/templates/backup_all_vms.sh.erb
@ -1,14 +1,12 @@
 #!/bin/bash
 # GENERATED BY CHEF
 # DO NOT EDIT
-set -e

 echo "Backing up all VMs with kvm_guest chef role..."

 for domain in <%= @vm_domains.join(" ") %>
 do
-  /root/backups/backup_vm.sh $domain
-  /root/backups/prune_vm_backups.sh $domain
+  /root/backups/backup_vm.sh $domain && /root/backups/prune_vm_backups.sh $domain
  # TODO Enable this when upgrading borg to 1.2
  # borg compact $BORG_REPO
 done
--- a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
+++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
@ -26,12 +26,16 @@ server {
      return 204;
    }

+    proxy_pass http://_<%= @upstream_name %>;
+
+    proxy_redirect off;
+    proxy_next_upstream error timeout invalid_header http_500;
+    proxy_connect_timeout 2;
+
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
-    proxy_redirect off;
-    proxy_pass http://_<%= @upstream_name %>;
   }

  ssl_certificate <%= @ssl_cert %>;