From d029d90214102c29ff4b3c80f7bccea1ec03f99d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Tue, 6 May 2025 15:46:37 +0400
Subject: [PATCH] Generate postgres user/db for akkounts, use credentials from env
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Greg Karékinian
---
data_bags/credentials/akkounts.json | 63 ++++++++---------
nodes/postgres-6.json | 1 +
roles/postgresql_primary.rb | 1 +
.../kosmos-akkounts/recipes/default.rb | 70 ++++--------------
.../kosmos-akkounts/recipes/pg_db.rb | 22 ++++++
5 files changed, 66 insertions(+), 91 deletions(-)
create mode 100644 site-cookbooks/kosmos-akkounts/recipes/pg_db.rb
diff --git a/data_bags/credentials/akkounts.json b/data_bags/credentials/akkounts.json
index bb50bd1..28e79f3 100644
--- a/data_bags/credentials/akkounts.json
+++ b/data_bags/credentials/akkounts.json
@@ -1,72 +1,65 @@
 {
 "id": "akkounts",
- "postgresql_username": {
- "encrypted_data": "v2QoNkkxXGflxEdspIpfJdBjQVraMyF9yHq7\n",
- "iv": "du8wubB9xQjOVeOS\n",
- "auth_tag": "gDZLYz5/XBCQDlDaFoP6mQ==\n",
- "version": 3,
- "cipher": "aes-256-gcm"
- },
- "postgresql_password": {
- "encrypted_data": "Naz4R5oOCUS/S/CZmW5eoil8BpJ3K1WLUIc3mAihhA==\n",
- "iv": "0S9Sb1MUoBVWbW9t\n",
- "auth_tag": "L2yGzVMKiKAzfpA+HADRqA==\n",
+ "postgresql": {
+ "encrypted_data": "QniE89zGMyQ+ujKrs1cUfAZYbqysS2cl6gvNohloQttlrEzcwcbbSgNk7+Em\nVQZNk8oddiZWFhKx2rS/6w2xN6/S\n",
+ "iv": "TS8cu5wPd8Cq9qyK\n",
+ "auth_tag": "sJAfzoh3w5+KO+YrJDxV3Q==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "sentry_dsn": {
- "encrypted_data": "OXiAeg6lIqEnbplAnKlkwb3o3DTfMJbLC0wnxmguQ8GZiP0RcpPOwUAa9Q3U\naA44f36BCKgHtCxdlVB59TTFA9W24ecU5KWb/jIc7mueSoc=\n",
- "iv": "86cAncfc1K4d43ql\n",
- "auth_tag": "0i04Y/eFIN+b+5F605d7Dg==\n",
+ "encrypted_data": "thN8SHTqR+uE54M78F4m67mJLbK2xI3lm6Hyj3L0xCEDkCXAOU88y5w1SjPd\nt5Erlqyy97AK2KXCoGUcx/GE0JUFBcvkrhLODshDyNI4Jno=\n",
+ "iv": "+XOBOMwL+GLUjXrg\n",
+ "auth_tag": "xoUbiuwu215y+F7MkUQWxg==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "rails_master_key": {
- "encrypted_data": "Ypv4g33evnuutOWmGl49kq3Ca3SmfWIswyxGIZA0J/o1ZMGpMOfySim/e7r8\nzdAM/PFo\n",
- "iv": "w2bflz2KIbu/vRT1\n",
- "auth_tag": "tpemUQJly8Ft9lN6rP+W4w==\n",
+ "encrypted_data": "W1U4LBiEVU3WI3o5aCEjHPCb/u3GcPZYOK0CtLU/yNrY0BTafevpF8xXTllx\nkd/MvxwB\n",
+ "iv": "DcdHIgy66hwxmBmt\n",
+ "auth_tag": "9fGhoduUHerBvU64LyqjQA==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "discourse_connect_secret": {
- "encrypted_data": "DUK6G5SyRiehJh3iHtCKQj8Ki5+suk9Ds5/ZMp6OP1EshdbpziQ4XNey2x+R\nHCTSVg==\n",
- "iv": "kfhA3apCUAHcNlwH\n",
- "auth_tag": "BqRV+CiF9rFrqEToJeisoQ==\n",
+ "encrypted_data": "YEKQbAY3ZBVIUUrVe6R7phDPiFsCSGSicJy1Gv/G+IseGmqbuefCWvvRvhBW\nFxxEMg==\n",
+ "iv": "kF/DYeO5neO470Xa\n",
+ "auth_tag": "309Lt0QUzY8obqre2sKPhQ==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "lndhub_admin_token": {
- "encrypted_data": "C3aKQIEwcQNCrr+uyLiOY2KAHZh5dUvTZ9IdANPqkGlr\n",
- "iv": "qrhJJzmmced9lNF1\n",
- "auth_tag": "CH1fOwMWsidmWBwX2+4nJg==\n",
+ "encrypted_data": "qa1W/w/IbUcEoqRBTKfGRXMaba7RIke3YthFaoNQej6h\n",
+ "iv": "4rN6s8FKHG2S0frS\n",
+ "auth_tag": "1P1+o05gYLSRIhEK0MwDYg==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "btcpay_auth_token": {
- "encrypted_data": "0vRq3ZeYPtNcdlCUQI0ip6YOaQZKBeK/dODL7IxdrAK9pHz+u53aL8LW92nJ\nmHW2DYcv+eX3ltnwu88=\n",
- "iv": "5HenMAvE1Uu5l7jJ\n",
- "auth_tag": "rJzkZPRYar1qw4dauSNV2w==\n",
+ "encrypted_data": "bOQTsV4H66oUfTbfAJLXGnF4bNns5qyaHDxKRwRc29OCc3Ou2te2WV0nNnai\nXbe6om0yfOSeDe4V4zg=\n",
+ "iv": "Cd27/sNY+EY/+AbZ\n",
+ "auth_tag": "sTpATXSPMGpXvIZrhlTZmA==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "s3_access_key": {
- "encrypted_data": "QB7XpwhzCvLczUojhcjXy+KX26rEDQHSSw983KP8W7Nud1SNbheU1PrDEQv/\n",
- "iv": "DTtUXHNQ2g04E+oE\n",
- "auth_tag": "0XSkHE+MG4AnVT4XJR9tzw==\n",
+ "encrypted_data": "53aBDio/eb8zBj4TJGMbKvhBS+Nzjt5WBORu1jKYy5rOL7l/57QYqhj3o4DV\n",
+ "iv": "QEgqL8J+r2rnEXt/\n",
+ "auth_tag": "eehuZfMGocNtEsdY4IH7Nw==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "s3_secret_key": {
- "encrypted_data": "IEUzFfOBuOwjzD1DbRyk07+jFlZhQVY+a7riDJ3QU1cNYZ3OTJUgJkowA/u5\nrZ6jqehGIzvPlDuzIezxQwN+Dy0ZJueB/ZEdRqhfkXUxgzkqb2s=\n",
- "iv": "gs9Igisu2EH+dAC/\n",
- "auth_tag": "gDFuQCwlCL5mvys83CGv+w==\n",
+ "encrypted_data": "cjEbyKKN5bZyG6yy6ovh38dTNmZI9iciEpJ8pfw3jaD2cW/SXYHOenhnhAId\n1daUMHvWfIx82cDsnxZstCW0wmYML70+xU0TVMadsIPJMdIC5Fc=\n",
+ "iv": "fDCPTxINTEmxX2kz\n",
+ "auth_tag": "S7TDJnU7Ms8D4WUnw5a7dA==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "nostr_private_key": {
- "encrypted_data": "sFnQlwyZF0tfMzbaG/bdwqQLPVdHPpbyDT66FY1+ubssmWUpxsuNtbI71KyY\nI1784c7SSl4qKRgHZRrR658bYMKU4whe836qBgSf7Icczp1VSQY=\n",
- "iv": "x8RJT4dcNdtm59Zz\n",
- "auth_tag": "6yxBq1W4jCNDYwP6+cTE6g==\n",
+ "encrypted_data": "BwWnS0xQn/EsZPF6ohjsQuFnAnUmJxGasUNpFUN6+ZE31t5XtGDjnzU1doTy\n1ToBCnJkNVCrUxg3j6YKTH6sFinrZrDT4WAn501Y0Swz95VRrvc=\n",
+ "iv": "huVql9m/qhHTm/0c\n",
+ "auth_tag": "2GWcyZ6bgFQEeWjbyJbW7g==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 }
diff --git a/nodes/postgres-6.json b/nodes/postgres-6.json
index a756544..59d1cdc 100644
--- a/nodes/postgres-6.json
+++ b/nodes/postgres-6.json
@@ -22,6 +22,7 @@
 "kosmos_kvm::guest",
 "kosmos_postgresql::primary",
 "kosmos_postgresql::firewall",
+ "kosmos-akkounts::pg_db",
 "kosmos-bitcoin::lndhub-go_pg_db",
 "kosmos-bitcoin::nbxplorer_pg_db",
 "kosmos_drone::pg_db",
diff --git a/roles/postgresql_primary.rb b/roles/postgresql_primary.rb
index 5f3f2bd..a4fb4b8 100644
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@@ -3,6 +3,7 @@ name "postgresql_primary"
 run_list %w(
 kosmos_postgresql::primary
 kosmos_postgresql::firewall
+ kosmos-akkounts::pg_db
 kosmos-bitcoin::lndhub-go_pg_db
 kosmos-bitcoin::nbxplorer_pg_db
 kosmos_drone::pg_db
diff --git a/site-cookbooks/kosmos-akkounts/recipes/default.rb b/site-cookbooks/kosmos-akkounts/recipes/default.rb
index 2311aa5..cdf7858 100644
--- a/site-cookbooks/kosmos-akkounts/recipes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb
@@ -47,7 +47,14 @@ webhooks_allowed_ips = [lndhub_host].compact.uniq.join(',')
 env = {
 primary_domain: node['akkounts']['primary_domain'],
 akkounts_domain: node['akkounts']['domain'],
- rails_serve_static_files: true
+ rails_serve_static_files: true,
+ db_adapter: "postgresql",
+ pg_host: "pg.kosmos.local",
+ pg_port: 5432,
+ pg_database: "akkounts",
+ pg_database_queue: "akkounts_queue",
+ pg_username: credentials["postgresql"]["username"],
+ pg_password: credentials["postgresql"]["password"]
 }
 smtp_server, smtp_port = smtp_credentials[:relayhost].split(":")
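Review bot: The new entries in `env` hard-code `pg_host: "pg.kosmos.local"`, `pg_port: 5432` and the two database names, while the neighbouring keys are read from node attributes (`node['akkounts']['primary_domain']`) and the lndhub host further down comes from `postgres_readonly_host`; the same two names are repeated as a literal array in the new pg_db.rb, so the app host and the primary can drift apart without either recipe noticing. Consider sourcing host, port and database names from node attributes that both recipes read (e.g. `node["akkounts"]["postgresql"]["host"]` — attribute name illustrative). The password only travels through `env` into the `.env.#{rails_env}` template, which a later hunk shows as `sensitive true` with `mode 0600`, so it does not reach the converge log on that path. The `env` hash is extended again later in the file (the lndhub hunk), outside this hunk.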
@@ -137,9 +144,9 @@ if lndhub_host
 if postgres_readonly_host
 env[:lndhub_admin_ui] = true
 env[:lndhub_pg_host] = postgres_readonly_host
- env[:lndhub_pg_database] = node['akkounts']['lndhub']['postgres_db']
- env[:lndhub_pg_username] = credentials['postgresql_username']
- env[:lndhub_pg_password] = credentials['postgresql_password']
+ env[:lndhub_pg_database] = node["akkounts"]["lndhub"]["postgres_db"]
+ env[:lndhub_pg_username] = credentials["postgresql"]["username"]
+ env[:lndhub_pg_password] = credentials["postgresql"]["password"]
 end
 end
@@ -207,7 +214,7 @@ systemd_unit "akkounts.service" do
 Type: "simple",
 User: deploy_user,
 WorkingDirectory: deploy_path,
- Environment: "RAILS_ENV=#{rails_env}",
+ Environment: "RAILS_ENV=#{rails_env} SOLID_QUEUE_IN_PUMA=true",
 ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
 ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
 ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
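Review bot: The lndhub read-only connection (`env[:lndhub_pg_username]` / `env[:lndhub_pg_password]`) now uses the very same `credentials["postgresql"]` pair that pg_db.rb uses to create the owner of the akkounts databases, so a single role carries the application's read/write access on the primary and whatever read access it is given to lndhub's database on `postgres_readonly_host`. That was already true of the old `postgresql_username`/`postgresql_password` keys, but since this commit starts provisioning the role itself it is a natural point to mint a dedicated read-only role for the `lndhub_pg_*` settings and keep it under its own data-bag key, e.g. `credentials["postgresql_readonly"]` (key name illustrative). Whether the akkounts role actually holds privileges on the lndhub database is not visible here and would need confirming in the lndhub cookbook. The enclosing `if lndhub_host` block starts outside the hunk.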
@@ -224,36 +231,6 @@ systemd_unit "akkounts.service" do
 action [:create, :enable]
 end
-systemd_unit "akkounts-sidekiq.service" do
- content({
- Unit: {
- Description: "Kosmos Accounts async/background jobs",
- Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
- Requires: "redis@6379.service",
- After: "syslog.target network.target redis@6379.service"
- },
- Service: {
- Type: "notify",
- User: deploy_user,
- WorkingDirectory: deploy_path,
- Environment: "MALLOC_ARENA_MAX=2",
- ExecStart: "#{bundle_path} exec sidekiq -C #{deploy_path}/config/sidekiq.yml -e #{rails_env}",
- WatchdogSec: "10",
- Restart: "on-failure",
- RestartSec: "1",
- StandardOutput: "syslog",
- StandardError: "syslog",
- SyslogIdentifier: "sidekiq"
- },
- Install: {
- WantedBy: "multi-user.target"
- }
- })
- verify false
- triggers_reload true
- action [:create, :enable]
-end
-
 deploy_env = {
 "HOME" => deploy_path,
 "PATH" => "#{ruby_path}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin",
@@ -266,15 +243,7 @@ git deploy_path do
 revision node[app_name]["revision"]
 user deploy_user
 group deploy_group
- # Restart services on deployments
- notifies :run, "execute[restart #{app_name} services]", :delayed
-end
-
-execute "restart #{app_name} services" do
- command "true"
- action :nothing
 notifies :restart, "service[#{app_name}]", :delayed
- notifies :restart, "service[#{app_name}-sidekiq]", :delayed
 end
 file "#{deploy_path}/config/master.key" do
@@ -282,7 +251,7 @@ file "#{deploy_path}/config/master.key" do
 mode '0400'
 owner deploy_user
 group deploy_group
- notifies :run, "execute[restart #{app_name} services]", :delayed
+ notifies :restart, "service[#{app_name}]", :delayed
 end
 template "#{deploy_path}/.env.#{rails_env}" do
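Review bot: Removing the `systemd_unit "akkounts-sidekiq.service"` resource here (and the `service "akkounts-sidekiq"` resource in the `@@ -329` hunk of this file) does not retire the unit on nodes that have already converged: Chef only acts on resources it is told about, so on existing hosts the sidekiq unit file stays on disk, remains enabled and keeps running with its `Requires: "redis@6379.service"` dependency until someone cleans it up by hand. A tombstone resource would retire it declaratively, `systemd_unit "akkounts-sidekiq.service" do` / `  action [:stop, :disable, :delete]` / `end`, and can itself be dropped once every node has converged. Since the same commit adds `SOLID_QUEUE_IN_PUMA=true` to akkounts.service, a one-line comment next to the tombstone saying that background jobs now run inside Puma would make the removal read as intentional rather than accidental.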
@@ -292,7 +261,7 @@ template "#{deploy_path}/.env.#{rails_env}" do
 mode 0600
 sensitive true
 variables config: env
- notifies :run, "execute[restart #{app_name} services]", :delayed
+ notifies :restart, "service[#{app_name}]", :delayed
 end
 execute "bundle install" do
@@ -302,13 +271,6 @@ execute "bundle install" do
 command "bundle install --without development,test --deployment"
 end
-# execute "yarn install" do
-# environment deploy_env
-# user deploy_user
-# cwd deploy_path
-# command "yarn install --pure-lockfile"
-# end
-
 execute 'rake db:migrate' do
 environment deploy_env
 user deploy_user
@@ -329,10 +291,6 @@ service "akkounts" do
 action [:enable, :start]
 end
-service "akkounts-sidekiq" do
- action [:enable, :start]
-end
-
 firewall_rule "akkounts_zerotier" do
 command :allow
 port node["akkounts"]["port"]
diff --git a/site-cookbooks/kosmos-akkounts/recipes/pg_db.rb b/site-cookbooks/kosmos-akkounts/recipes/pg_db.rb
new file mode 100644
index 0000000..3facbf6
--- /dev/null
+++ b/site-cookbooks/kosmos-akkounts/recipes/pg_db.rb
@@ -0,0 +1,22 @@
+#
+# Cookbook:: kosmos-akkounts
+# Recipe:: pg_db
+#
+
+credentials = data_bag_item("credentials", "akkounts")
+pg_username = credentials["postgresql"]["username"]
+pg_password = credentials["postgresql"]["password"]
+
+postgresql_user pg_username do
+ action :create
+ password pg_password
+end
+
+databases = ["akkounts", "akkounts_queue"]
+
+databases.each do |database|
+ postgresql_database database do
+ owner pg_username
+ action :create
+ end
+end
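Review bot: In the new pg_db.rb the `postgresql_user pg_username do ... password pg_password end` resource carries a data-bag secret; unless the `postgresql_user` resource shipped by the cookbook version in use already defaults to sensitive, add `sensitive true` to it so that a failing converge does not echo the password into the chef-client log. The literal `databases = ["akkounts", "akkounts_queue"]` duplicates the names that default.rb hands to the app as `pg_database` / `pg_database_queue`, so reading both from one shared node attribute would keep the primary and the app host in step. The header comment could also state that this recipe runs on the PostgreSQL primary (it is added to the `postgresql_primary` role's run list in this commit) and only creates the role and its databases, so a reader of default.rb can find where the credentials it consumes are provisioned.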