diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..a9d2989
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,41 @@
+# AGENTS.md
+
+Welcome, AI Agent! This file contains essential context and rules for interacting with the Kosmos Chef repository. Read this carefully before planning or executing any changes.
+
+## 🏢 Project Overview
+This repository contains the infrastructure automation code used by Kosmos to provision and configure bare metal servers (KVM hosts) and Ubuntu virtual machines (KVM guests).
+
+We use **Chef Infra**, managed locally via **Knife Zero** (agentless Chef), and **Berkshelf** for dependency management.
+
+## 📂 Directory Structure & Rules
+
+* **`site-cookbooks/`**: 🟢 **EDITABLE.** This directory contains all custom, internal cookbooks written specifically for Kosmos services (e.g., `kosmos-postgresql`, `kosmos_gitea`, `kosmos-mastodon`). *Active development happens here.*
+* **`cookbooks/`**: 🔴 **DO NOT EDIT.** This directory contains third-party/community cookbooks that are vendored. These are managed by Berkshelf. Modifying them directly will result in lost changes.
+* **`roles/`**: 🟢 **EDITABLE.** Contains Chef roles written in Ruby (e.g., `base.rb`, `kvm_guest.rb`, `postgresql_primary.rb`). These define run-lists and role-specific default attributes for servers.
+* **`environments/`**: Contains Chef environment definitions (like `production.rb`).
+* **`data_bags/`**: Contains data bag configurations, often encrypted. Be cautious and do not expose secrets. (Note: Agents should not manage data bag secrets directly unless provided the `.chef/encrypted_data_bag_secret`).
+* **`nodes/`**: Contains JSON state files for bootstrapped nodes. *Agents typically do not edit these directly unless cleaning up a deleted node.*
+* **`Berksfile`**: Defines community cookbook dependencies.
+* **`Vagrantfile` / `.kitchen/`**: Used for local virtualization and integration testing.
+
+## 🛠️ Tooling & Workflows
+
+1. **Dependency Management (Berkshelf)**
+ If a new community cookbook is required:
+ - Add it to the `Berksfile` at the root.
+ - Instruct the user to run `berks install` and `berks vendor cookbooks/ --delete` (or run it via the `bash` tool if permitted).
+
+2. **Provisioning (Knife Zero)**
+ - Bootstrapping and converging nodes is done using `knife zero`.
+ - *Example:* `knife zero converge name:server-name.kosmos.org`
+
+3. **Code Style & Conventions**
+ - Chef recipes, resources, and roles are written in **Ruby**.
+ - Follow standard Chef and Ruby (RuboCop) idioms. Look at neighboring files in `site-cookbooks/` or `roles/` to match formatting and naming conventions.
+
+## 🚨 Core Directives for AI Agents
+
+1. **Infrastructure as Code**: Manual server configurations are highly discouraged. All changes must be codified in a cookbook or role.
+2. **Test Safety Nets**: Look for `.kitchen.yml` within specific `site-cookbooks/` to understand if local integration tests are available.
+3. **No Assumptions**: Do not assume standard test commands. Check `README.md` and repository config files first.
+4. **Secret Handling**: Avoid hardcoding passwords or API keys in recipes or roles. Assume sensitive information is managed via Chef `data_bags`.
\ No newline at end of file
diff --git a/clients/rsk-testnet-6.json b/clients/rsk-testnet-6.json
new file mode 100644
index 0000000..5f29f93
--- /dev/null
+++ b/clients/rsk-testnet-6.json
@@ -0,0 +1,4 @@
+{
+ "name": "rsk-testnet-6",
+ "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl1p4+F536/peA4XWMJtm\njggPl6yJb42V5bg3kDa8SHoIoQgXn59d3BclZ1Oz2+JhFd3Rrn4FN3Z1wzGpP+gA\nnxQOfgRG1ucahh7Nxaw3IdoHm7r/EdEOc9FrxvGJ+09YnmLfzn4iVQpsUiOiNVS7\n0LXtMXYtsjD+o6BTbOhGU8FMmGhMhQfXFVgoDdTiM/Q62zPw8Vtpa3yFpFJAu+dA\n+mm5h5W6FnaWJXM2arn3PxDOt+JQSWp5PYG4goU1FFreU9iFuoeGEfLy8unlbbXt\ne96QhNuCkOA15xqta0Z3oL7IlXWns7dLgZYlpZT9zaExIs3AEDaQcleacQPzXKSG\nswIDAQAB\n-----END PUBLIC KEY-----\n"
+}
\ No newline at end of file
diff --git a/nodes/rsk-testnet-6.json b/nodes/rsk-testnet-6.json
new file mode 100644
index 0000000..a7c4ee0
--- /dev/null
+++ b/nodes/rsk-testnet-6.json
@@ -0,0 +1,60 @@
+{
+ "name": "rsk-testnet-6",
+ "normal": {
+ "knife_zero": {
+ "host": "10.1.1.20"
+ }
+ },
+ "automatic": {
+ "fqdn": "rsk-testnet-6",
+ "os": "linux",
+ "os_version": "6.8.0-107-generic",
+ "hostname": "rsk-testnet-6",
+ "ipaddress": "192.168.122.231",
+ "roles": [
+ "base",
+ "kvm_guest",
+ "rskj_testnet"
+ ],
+ "recipes": [
+ "kosmos-base",
+ "kosmos-base::default",
+ "kosmos_kvm::guest",
+ "kosmos_rsk::rskj",
+ "apt::default",
+ "timezone_iii::default",
+ "timezone_iii::debian",
+ "kosmos-base::journald_conf",
+ "kosmos-base::systemd_emails",
+ "apt::unattended-upgrades",
+ "kosmos-base::firewall",
+ "kosmos-postfix::default",
+ "postfix::default",
+ "postfix::_common",
+ "postfix::_attributes",
+ "postfix::sasl_auth",
+ "hostname::default",
+ "kosmos_rsk::firewall",
+ "firewall::default"
+ ],
+ "platform": "ubuntu",
+ "platform_version": "24.04",
+ "cloud": null,
+ "chef_packages": {
+ "chef": {
+ "version": "18.10.17",
+ "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+ "chef_effortless": null
+ },
+ "ohai": {
+ "version": "18.2.13",
+ "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+ }
+ }
+ },
+ "run_list": [
+ "role[base]",
+ "role[kvm_guest]",
+ "role[rskj_testnet]"
+ ]
+}
diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
index 13c6dd2..1b40b4d 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
@@ -18,6 +18,8 @@ server { client_max_body_size 121M; + proxy_intercept_errors on; + location ~ ^/(avatars|repo-avatars)/.*$ { proxy_buffers 1024 8k; proxy_pass http://_gitea_web;
@@ -52,5 +54,18 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; + error_page 404 = @slow_404; + } + + # Slow down 404 responses to make scraping random URLs less attractive + location @slow_404 { + internal; + default_type text/plain; + content_by_lua_block { + ngx.sleep(10) + ngx.status = 404 + ngx.say("Not Found") + ngx.exit(ngx.HTTP_NOT_FOUND) + } } } diff --git a/site-cookbooks/kosmos_kvm/attributes/default.rb b/site-cookbooks/kosmos_kvm/attributes/default.rb index 8251551..2983cf6 100644 --- a/site-cookbooks/kosmos_kvm/attributes/default.rb +++ b/site-cookbooks/kosmos_kvm/attributes/default.rb @@ -1,9 +1,9 @@ -release = "20260320" -img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm" +release = "20260321" +img_filename = "ubuntu-24.04-server-cloudimg-amd64" node.default["kosmos_kvm"]["host"]["qemu_base_image"] = { - "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img", - "checksum" => "f7173eb7137b4f0ebeaea8fffe68ecdab1e3c787bde1fd8dfdf27103554332b3", + "url" => "https://cloud-images.ubuntu.com/releases/noble/release-#{release}/#{img_filename}.img", + "checksum" => "5c3ddb00f60bc455dac0862fabe9d8bacec46c33ac1751143c5c3683404b110d", "path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2" } diff --git a/site-cookbooks/kosmos_kvm/templates/create_vm.erb b/site-cookbooks/kosmos_kvm/templates/create_vm.erb index 2060359..b94b79b 100644 --- a/site-cookbooks/kosmos_kvm/templates/create_vm.erb +++ b/site-cookbooks/kosmos_kvm/templates/create_vm.erb @@ -70,7 +70,7 @@ virt-install \ --vcpus "$CPUS" \ --cpu host \ --arch x86_64 \ - --osinfo detect=on,name=ubuntujammy \ + --osinfo detect=on,name=ubuntu24.04 \ --hvm \ --virt-type kvm \ --disk "$IMAGE_PATH" \ diff --git a/site-cookbooks/kosmos_rsk/Berksfile b/site-cookbooks/kosmos_rsk/Berksfile index 8206ad0..5f92c96 100644 
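Review bot: The `@slow_404` tarpit turns every intercepted 404 into a 10-second open connection, which is itself a resource lever for the scrapers it is meant to deter: with `proxy_intercept_errors on` set at server level in the previous hunk, a client issuing many concurrent requests for missing paths pins one connection slot per request for the whole `ngx.sleep(10)`, and no `limit_conn` or `limit_req` is visible in either hunk. `ngx.sleep` yields rather than blocks the worker, so CPU is not the concern, but `worker_connections` and per-IP fairness are. Legitimate 404s presumably take the same path (git clients probing a missing repository, API lookups, `favicon.ico`) and also lose Gitea's own 404 body; the location that carries `error_page 404 = @slow_404;` starts outside the hunk, so whether `/api/` or the git smart-HTTP paths are affected cannot be confirmed from here. Consider bounding the tarpit, e.g. `limit_conn_zone $binary_remote_addr zone=slow404:10m;` in the http context and `limit_conn slow404 5;` with a shorter delay inside `location @slow_404`, and recording the trade-off in the existing `# Slow down 404 responses` comment.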
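Review bot: The bumped `checksum` is the only integrity control on the downloaded base image, and nothing in the attributes file says where the hash came from. A short provenance comment above it, e.g. `# sha256 from the GPG-signed SHA256SUMS in the release-<release> directory on cloud-images.ubuntu.com`, makes the next bump verifiable against the signed manifest rather than a value copied from a download page. The new `img_filename` also drops the `-disk-kvm` suffix; if that is because noble publishes no kvm-optimised image, a one-line comment on `img_filename` would save the next reader the search.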
--- a/site-cookbooks/kosmos_rsk/Berksfile +++ b/site-cookbooks/kosmos_rsk/Berksfile @@ -1,5 +1,8 @@ source 'https://supermarket.chef.io' -cookbook 'kosmos-nginx', path: '../../site-cookbooks/kosmos-nginx' +cookbook 'kosmos_openresty', path: '../../site-cookbooks/kosmos_openresty' +cookbook 'kosmos-base', path: '../../site-cookbooks/kosmos-base' +cookbook 'openresty', path: '../../site-cookbooks/openresty' +cookbook 'kosmos-postfix', path: '../../site-cookbooks/kosmos-postfix' metadata diff --git a/site-cookbooks/kosmos_rsk/attributes/default.rb b/site-cookbooks/kosmos_rsk/attributes/default.rb index ae59908..ae94f62 100644 --- a/site-cookbooks/kosmos_rsk/attributes/default.rb +++ b/site-cookbooks/kosmos_rsk/attributes/default.rb @@ -1,4 +1,4 @@ -node.default['rskj']['version'] = '7.0.0~jammy' +node.default['rskj']['version'] = "9.0.1~#{node['lsb']['codename']}" node.default['rskj']['network'] = 'testnet' node.default['rskj']['nginx']['domain'] = nil diff --git a/site-cookbooks/kosmos_rsk/kitchen.yml b/site-cookbooks/kosmos_rsk/kitchen.yml index 01cca76..28f774b 100644 --- a/site-cookbooks/kosmos_rsk/kitchen.yml +++ b/site-cookbooks/kosmos_rsk/kitchen.yml @@ -34,9 +34,9 @@ verifier: name: inspec platforms: - - name: ubuntu-22.04 + - name: ubuntu-24.04 driver: - image: dokken/ubuntu-22.04 + image: dokken/ubuntu-24.04 privileged: true pid_one_command: /usr/lib/systemd/systemd intermediate_instructions: diff --git a/site-cookbooks/kosmos_rsk/metadata.rb b/site-cookbooks/kosmos_rsk/metadata.rb index 6065952..a617641 100644 --- a/site-cookbooks/kosmos_rsk/metadata.rb +++ b/site-cookbooks/kosmos_rsk/metadata.rb @@ -3,7 +3,7 @@ maintainer 'Kosmos Developers' maintainer_email 'ops@kosmos.org' license 'MIT' description 'Installs/configures RSKj and related software' -version '0.4.0' +version '0.5.0' chef_version '>= 18.2' issues_url 'https://gitea.kosmos.org/kosmos/chef/issues' source_url 'https://gitea.kosmos.org/kosmos/chef' 
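Review bot: `"9.0.1~#{node['lsb']['codename']}"` depends on Ohai's lsb plugin having populated `node['lsb']`; if `codename` is nil on some image, the attribute silently becomes `9.0.1~` and the failure only surfaces later as an apt "version not found" from `apt_package 'rskj'`. Failing early with a clear message is cheap: `codename = node['lsb'] && node['lsb']['codename']`, then `raise "kosmos_rsk: node['lsb']['codename'] is unset, cannot derive the rskj package version" unless codename`, then `node.default['rskj']['version'] = "9.0.1~#{codename}"`. The integration test in `rskj_test.rb` pins `9.0.1~noble`, so a wrong codename would also show there, but only after a full converge.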
diff --git a/site-cookbooks/kosmos_rsk/recipes/rskj.rb b/site-cookbooks/kosmos_rsk/recipes/rskj.rb
index 4299b00..3008473 100644
--- a/site-cookbooks/kosmos_rsk/recipes/rskj.rb
+++ b/site-cookbooks/kosmos_rsk/recipes/rskj.rb
@@ -20,10 +20,19 @@ apt_repository 'rskj' do
 end
 apt_package 'openjdk-17-jdk'
+apt_package 'debconf-utils'
+
+execute 'preseed-rskj-license' do
+ command 'echo "rskj shared/accepted-rsk-license-v1-1 boolean true" | debconf-set-selections'
+ not_if 'debconf-get-selections | grep -q "shared/accepted-rsk-license-v1-1.*true"'
+end
+
+execute 'preseed-rskj-config' do
+ command "echo \"rskj shared/config select #{node['rskj']['network']}\" | debconf-set-selections"
+ not_if "debconf-get-selections | grep -q \"shared/config.*#{node['rskj']['network']}\""
+end
 apt_package 'rskj' do
- response_file 'rskj-preseed.cfg.erb'
- response_file_variables network: node['rskj']['network']
 options '--assume-yes'
 version node['rskj']['version']
 end
diff --git a/site-cookbooks/kosmos_rsk/templates/rskj-preseed.cfg.erb b/site-cookbooks/kosmos_rsk/templates/rskj-preseed.cfg.erb
index 28c9efe..d0b825b 100644
--- a/site-cookbooks/kosmos_rsk/templates/rskj-preseed.cfg.erb
+++ b/site-cookbooks/kosmos_rsk/templates/rskj-preseed.cfg.erb
@@ -1,6 +1,6 @@
 #_preseed_V1
 # Do you agree to the terms of the applicable licenses?
-rskj shared/accepted-rsk-license-v1-1 select true
+rskj shared/accepted-rsk-license-v1-1 boolean true
 # Choose a configuration environment to run your node.
 # Choices: mainnet, testnet, regtest
 rskj shared/config select <%= @network %>
diff --git a/site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb b/site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb
index aec46de..0b9173f 100644
--- a/site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb
+++ b/site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb
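Review bot: In `preseed-rskj-config`, `node['rskj']['network']` is interpolated unescaped into a shell pipeline (`command`) and into a grep regular expression (`not_if`); the value comes from cookbook attributes and roles today, so this is a robustness and style point rather than an exposure, but any shell or regex metacharacter in the attribute would break the command, and `shared/config.*` is unanchored and matches any package's `shared/config` selection, not only rskj's. The `execute` resource's `input` property feeds stdin directly, which removes the `echo ... |` step and its quoting, and a block guard that compares the split fields of `debconf-get-selections` output avoids the regex entirely. `preseed-rskj-license` has the same unanchored guard; the same block form with the fixed fields tightens it. The enclosing recipe continues outside the hunk in both directions.
```ruby
# … unchanged: apt_package 'openjdk-17-jdk', apt_package 'debconf-utils', preseed-rskj-license …
network = node['rskj']['network']

execute 'preseed-rskj-config' do
  # Feed the selection on stdin so the attribute value never passes through a shell.
  command 'debconf-set-selections'
  input "rskj shared/config select #{network}\n"
  # Compare whole fields of the current debconf database instead of an
  # unanchored regex, so only rskj's own shared/config answer counts.
  not_if do
    shell_out('debconf-get-selections').stdout.lines.any? do |line|
      line.split == ['rskj', 'shared/config', 'select', network]
    end
  end
end
# … unchanged: apt_package 'rskj' …
```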
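Review bot: The only visible consumer of this template, `response_file 'rskj-preseed.cfg.erb'` in `recipes/rskj.rb`, is removed in the same commit, so `rskj-preseed.cfg.erb` now appears to be a second, unreferenced source of truth for the license and `shared/config` answers that the new `execute` resources also set. If no other recipe renders it, delete it; otherwise add a header line such as `# NOTE: kosmos_rsk::rskj preseeds via debconf-set-selections; keep these answers in sync with recipes/rskj.rb` so the two cannot drift.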
@@ -9,7 +9,7 @@ end describe package('rskj') do it { should be_installed } - its('version') { should eq '7.0.0~jammy' } + its('version') { should eq '9.0.1~noble' } end describe service('rsk') do