Greg Karekinian 
							
						 
					 
					
						
						
						
						
							
						
						
							cc40c0db19 
							
						 
					 
					
						
						
							
							Configure unattended-upgrades for ESM  
						
						
						
						
					 
					
						2025-09-09 10:12:35 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karekinian 
							
						 
					 
					
						
						
						
						
							
						
						
							0cae8dca69 
							
						 
					 
					
						
						
							
							Set the email sender in unattended-upgrades config  
						
						
						
						
						Mailgun was rejecting the email as it did not have a valid sender
(the default, which is something like root@akkounts-1). Unattended
upgrades have been working properly, now we will start getting emails
next time an upgrade is done on akkounts-1. 
						
						
					 
					
						2025-07-15 10:12:02 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karekinian 
							
						 
					 
					
						
						
						
						
							
						
						
							773950b9a5 
							
						 
					 
					
						
						
							
							Always send an email on unattended-upgrades  
						
						
						
						
					 
					
						2025-05-31 17:00:07 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karekinian 
							
						 
					 
					
						
						
						
						
							
						
						
							f39a1ed250 
							
						 
					 
					
						
						
							
							Enable unattended-upgrades  
						
						
						
						
						We were missing a positive value on
`["apt"]["unattended_upgrades"]["enable"]` to enable it.
Refs #499  
						
						
					 
					
						2025-05-31 16:44:01 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karekinian 
							
						 
					 
					
						
						
						
						
							
						
						
							7dc4f674a0 
							
						 
					 
					
						
						
							
							Use the systemd unit instead of an execute resource  
						
						
						
						
						Also extract the attributes so it is possible to override them. 
						
						
					 
					
						2025-05-21 13:40:12 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karekinian 
							
						 
					 
					
						
						
						
						
							
						
						
							3e2ee30334 
							
						 
					 
					
						
						
							
							Configure maximum size and timespan of journald logs  
						
						
						
						
						Closes  #506  
					
						2025-05-21 11:36:15 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
								
									
								
							
						
						
						
							
						
						
							d90a374811 
							
						 
					 
					
						
						
							
							Remove outdated flag from certbot command  
						
						
						
						
					 
					
						2024-12-12 18:32:26 +04:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
								
									
								
							
						
						
						
							
						
						
							ff313525c8 
							
						 
					 
					
						
						
							
							Reload postfix and dovecot on cert renewal  
						
						
						
						
						closes  #552 
Co-authored-by: Greg Karékinian <greg@karekinian.com> 
					
						2024-06-05 16:44:18 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
								
									
								
							
						
						
						
							
						
						
							0c29fad404 
							
						 
					 
					
						
						
							
							Remove superfluous license header  
						
						
						
						
						Co-authored-by: Greg Karékinian <greg@karekinian.com> 
						
						
					 
					
						2024-06-05 15:50:09 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
								
									
								
							
						
						
						
							
						
						
							989185f951 
							
						 
					 
					
						
						
							
							Support proxy domain validation for Garage web domains  
						
						
						
						
						Also rename the data bag item 
						
						
					 
					
						2024-04-30 12:23:36 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
								
									
								
							
						
						
						
							
						
						
							4cbda69a6b 
							
						 
					 
					
						
						
							
							Add support for proxy domain validation to tls_cert resource  
						
						
						
						
					 
					
						2024-04-26 12:24:17 +02:00 
						 
				 
			
				
					
						
							
							
								Râu Cao 
							
						 
					 
					
						
						
						
						
							
						
						
							9d0ff358ef 
							
						 
					 
					
						
						
							
							Only use certbot deploy hook when applicable  
						
						
						
						
					 
					
						2023-12-01 10:00:07 +01:00 
						 
				 
			
				
					
						
							
							
								Râu Cao 
							
						 
					 
					
						
						
							
							
								
									
								
							
						
						
						
							
						
						
							390753faa3 
							
						 
					 
					
						
						
							
							Increase update delay for Gandi DNS records  
						
						
						
						
					 
					
						2023-11-05 01:01:16 +01:00 
						 
				 
			
				
					
						
							
							
								Râu Cao 
							
						 
					 
					
						
						
							
							
								
									
								
							
						
						
						
							
						
						
							0f12a54eab 
							
						 
					 
					
						
						
							
							Refactor tor usage entirely  
						
						
						
						
						Use a custom resource and separate recipe for service configs with
pre-set keys and hostnames 
						
						
					 
					
						2023-07-30 12:39:41 +02:00 
						 
				 
			
				
					
						
							
							
								Râu Cao 
							
						 
					 
					
						
						
							
							
								
									
								
							
						
						
						
							
						
						
							cb0fc27134 
							
						 
					 
					
						
						
							
							Refactor tor usage, set up new tor proxy on draco  
						
						
						
						
					 
					
						2023-07-29 16:26:20 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							05daff9029 
							
						 
					 
					
						
						
							
							Install certbot when using the tls_cert_for resource  
						
						
						
						
					 
					
						2023-07-17 18:07:50 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							c1e2145ba1 
							
						 
					 
					
						
						
							
							Create a resource to get a Let's Encrypt cert with DNS validation  
						
						
						
						
					 
					
						2023-07-12 20:35:15 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
								
									
								
							
						
						
						
							
						
						
							e89e0b3122 
							
						 
					 
					
						
						
							
							Fix letsencrypt bootstrap for ejabberd  
						
						
						
						
					 
					
						2022-05-11 16:27:21 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
								
									
								
							
						
						
						
							
						
						
							71dda86d94 
							
						 
					 
					
						
						
							
							Remove obsolete license header  
						
						
						
						
					 
					
						2022-03-22 16:21:29 -06:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							e6b7794e20 
							
						 
					 
					
						
						
							
							Extract firewall definitions to their own recipe  
						
						
						
						
						This allows us to use them for KVM hosts as well. Until now we had set
up ufw rules manually on the two KVM hosts (draco and centaurus)
Refs #244  
						
						
					 
					
						2020-12-04 16:27:42 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							7636f6ed19 
							
						 
					 
					
						
						
							
							Move the Gandi DNS certbot hook to kosmos-ejabberd  
						
						
						
						
					 
					
						2020-11-25 16:36:07 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
								
									
								
							
						
						
						
							
						
						
							a1a0d7e4c1 
							
						 
					 
					
						
						
							
							Switch Certbot to snap package on Ubuntu 20.04+  
						
						
						
						
						Needs only minor changes. Tested and running on wiki.kosmos.org already. 
						
						
					 
					
						2020-09-06 13:46:06 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							84cf008bac 
							
						 
					 
					
						
						
							
							Install vim  
						
						
						
						
					 
					
						2020-06-19 17:30:02 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							b4357df471 
							
						 
					 
					
						
						
							
							Enable unattended-upgrades (security and updates repositories)  
						
						
						
						
						... with email notifications on failure and logging with syslog 
						
						
					 
					
						2020-06-19 17:30:02 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							2c2ae596ed 
							
						 
					 
					
						
						
							
							Don't update chef using the chef_client_updater cookbook  
						
						
						
						
						It only makes sense when using Chef Server, which we don't 
						
						
					 
					
						2019-10-08 18:17:34 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							3a693efcd6 
							
						 
					 
					
						
						
							
							Add email notifications for failed certbot runs  
						
						
						
						
						Based on https://wiki.archlinux.org/index.php/Systemd/Timers#MAILTO 
This can easily be used by other services, with one line added to the
[Unit] section of a service:
OnFailure=status-email-ops@%n.service
Refs #3  
						
						
					 
					
						2019-06-20 12:46:27 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							4cc5f3e6d1 
							
						 
					 
					
						
						
							
							Remove the XMPP firewall rules for andromeda  
						
						
						
						
						They are part of the kosmos-ejabberd cookbook now 
						
						
					 
					
						2019-05-14 17:10:33 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							ad23530653 
							
						 
					 
					
						
						
							
							Add the firewall rules for ejabberd  
						
						
						
						
						Includes the missing 5223 port in the andromeda_firewall recipe too 
						
						
					 
					
						2019-05-13 17:08:21 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
						
						
						
							
						
						
							7c29957ed9 
							
						 
					 
					
						
						
							
							Fix and consolidate firewall rules  
						
						
						
						
						Most of them are already defined in the appropriate recipe. And one can
be moved. (These are currently opened on every server for no reason.) 
						
						
					 
					
						2019-04-19 15:52:56 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							57d0885d26 
							
						 
					 
					
						
						
							
							Change the licenses of the kosmos cookbooks to MIT  
						
						
						
						
					 
					
						2019-04-12 11:41:20 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							12355a6b27 
							
						 
					 
					
						
						
							
							Add a base role, so that chef is updated before anything else  
						
						
						
						
					 
					
						2019-04-08 17:58:02 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							4b75ae78dc 
							
						 
					 
					
						
						
							
							Set the minimum Chef version since it depends on the new sudo resource  
						
						
						
						
					 
					
						2019-04-08 12:31:47 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							6e3e8cde1b 
							
						 
					 
					
						
						
							
							Create the Let's Encrypt hook subdirectories  
						
						
						
						
					 
					
						2019-04-08 11:16:38 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							b1a3c5e2cd 
							
						 
					 
					
						
						
							
							Revert "Revert "Remove the sudo cookbook""  
						
						
						
						
						This reverts commit 87d7c721b16356a3607f9462916e6b04a93dbad5. 
						
						
					 
					
						2019-04-03 12:52:40 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							2f05629fde 
							
						 
					 
					
						
						
							
							Revert "Revert "Update Chef to 14.11.21""  
						
						
						
						
						This reverts commit db4b45b5c26c50c7b883d0f96b2a9a5136f26b58. 
						
						
					 
					
						2019-04-03 12:52:32 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							87d7c721b1 
							
						 
					 
					
						
						
							
							Revert "Remove the sudo cookbook"  
						
						
						
						
						This reverts commit 73d1722d4b5c545ec488c5eb2119dd8b9b155363. 
						
						
					 
					
						2019-04-03 10:30:38 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							db4b45b5c2 
							
						 
					 
					
						
						
							
							Revert "Update Chef to 14.11.21"  
						
						
						
						
						This reverts commit 2f599ffd6d757bc98ac862836110c7b32cda3c51. 
						
						
					 
					
						2019-04-03 10:30:24 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							73d1722d4b 
							
						 
					 
					
						
						
							
							Remove the sudo cookbook  
						
						
						
						
						Chef 14 ships with a sudo resource:
https://docs.chef.io/resource_sudo.html  
						
						
					 
					
						2019-04-02 12:17:06 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							2f599ffd6d 
							
						 
					 
					
						
						
							
							Update Chef to 14.11.21  
						
						
						
						
						Closes  #21  
					
						2019-04-02 12:16:13 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							5fa0fa661b 
							
						 
					 
					
						
						
							
							Install certbot from the direct download when on 15.04  
						
						
						
						
						It does not have a ppa release. Add a cron job for renewal. When using
the PPA a Systemd timer is part of the package 
						
						
					 
					
						2019-03-18 16:52:05 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							b30dcab4da 
							
						 
					 
					
						
						
							
							Remove an IPFS port from the ejabberd firewall  
						
						
						
						
					 
					
						2019-03-15 12:30:56 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							c3135402ad 
							
						 
					 
					
						
						
							
							Move the nginx hook to the deploy directory, create renewal-hooks dir  
						
						
						
						
					 
					
						2019-03-14 20:21:34 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							f12ddefec8 
							
						 
					 
					
						
						
							
							Move the Gandi DNS hook for certbot to the kosmos-base cookbook  
						
						
						
						
					 
					
						2019-03-14 18:01:29 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							65482f09c3 
							
						 
					 
					
						
						
							
							Extract the post hooks to their own script in Certbot's config dir  
						
						
						
						
					 
					
						2019-03-14 15:21:50 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							fa27187f11 
							
						 
					 
					
						
						
							
							Switch from the git version of certbot to the Ubuntu PPA  
						
						
						
						
					 
					
						2019-03-14 10:49:47 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
						
						
						
							
						
						
							0ea1971b6c 
							
						 
					 
					
						
						
							
							Open up some more ports in firewall  
						
						
						
						
						From some manual playing around. 
						
						
					 
					
						2019-02-28 17:19:06 +07:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							56d14748f9 
							
						 
					 
					
						
						
							
							Fix the Let's Encrypt renew hook script  
						
						
						
						
						Only copy over the certs to the prosody directory if it's the 5apps.com
wildcard, not for any 5apps.com subdomain 
						
						
					 
					
						2018-12-20 17:26:37 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							185649a5f9 
							
						 
					 
					
						
						
							
							Automatically generate a Let's Encrypt cert for all 5apps xmpp domains  
						
						
						
						
						Uses the Gandi LiveDNS API 
						
						
					 
					
						2018-09-04 17:38:17 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
						
						
							
						
						
							214e69427e 
							
						 
					 
					
						
						
							
							Open up port for Prosody HTTP uploads  
						
						
						
						
					 
					
						2018-09-04 14:14:02 +08:00 
						 
				 
			
				
					
						
					 
					
						
						
						
						
							
						
						
							db039a185a 
							
						 
					 
					
						
						
							
							Update certbot  
						
						
						
						
					 
					
						2018-06-13 18:52:13 +02:00