Use Ubuntu 22.04 for new VMs

Also, remove the custom config image generation and replace it with
`--cloud-init` options.

clients/garage-3.json

@@ -1,4 +0,0 @@
-{
-  "name": "garage-3",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRSB8/ObjvQq6WuOVS/f\nypdX/2fLsUlt5tQ8GNuSY9rSM8gdvcXUvnPlxthZO4yvcPX85wmtBZX8fRJFdkJg\nYRCJbuVKO9sLTq8OUWXYpfU1q10FUhl034zxOMslpxVB6toirnk025vyq9jbuKP+\nYO+c40KZr67mgm0hveJfylayfiKP1HGm4HrV0maFivCgC8D+MPDDv75CsqRe5WSc\nh2CoauDJwVlhKZ92yq87ugGBhJJRUGOQZcfEvkUGj/HNAS6tuHl8YmVmhO8hBdee\nNto6RF54E1zB80R9oT/qitw23miEyUcHHVxhTR4tTWflZgd8l4wDOhX3Nf20xknu\nFQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/garage-8.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-8",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt4hXODzgHsIeWxXJm/F6\nSTFJ8JC89mWru7pOFzPWenOVMHgp4UpUB4rDTwQqojsWTDiq0x3ckUyOPw3Nj0jv\nxP4MMGS4SI0oRSJKzrYYss0hgUDTOBBd+Wxn0UiNEpN/PfQo9VZj9v/jak57cz7z\n5+rpl5v27fhgUIChjsHxdy+EamvCrYc+1JhyrLOlwlt8JxkZ8UPhoeZLWAbDgGLS\nEzHWSSVtBUPK+KYmVb2OK4lB56zPfek0U3gKN+04a1650jzOit8LzE6NaT180QDv\nX+gG6tk53vSXDmkBXsQ1mtB8aF+HaEG2Pra5HyihlweCPYdJT+e28wpq6+P5l3YR\ndQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-4.json

@@ -1,4 +0,0 @@
-{
-  "name": "postgres-4",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu6fPxOZeKloF/EgYvU0k\nOwv8bJjsCQcWaMTPle5//mRTszA6PM2z9RI+Mfr45qxTlsL9pQY8WJOWF6QOK31x\nszuqcr7oOjtAhrLI8f/oNDEDjcx325FqG9gNKQEAD7d4zodh+PhDe6x7GIyIS7lG\nIcD5Zre9iDwv8FGLR+5GLqS8SJOPL/wJkQ8w+N0f8YDFw81kiTta5NLhAx3fMDs0\n2kmoNlbmKlNZTtLjCfCV+/pa9oY6wycjck3GvobiFE/4cWaNkeGlPc+uAwlfmrOv\nHy0tq1XBX/BCvE5kMXmhnMT23JXjm2s2PgCLgEVGAXilXk/T597KDm+z4oBpAQma\nnQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/postgres-6.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-6",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtVzM0fwlimmq11jTGTko\nK87LRYSar61tNF3qVWp9axNSMa6BSxVark9eYOqY4eLh/5vJVDqXDFq30/IUWg40\nH8hHWaOEvQrP2dm/XFw1RmunfbfN9gN07TuhaT3xFD5t+jFBuOSoJ4cPnFIABuVt\nFLrjgtYYjtZe5hGE9ZPmS7o2ATM5EU9mxeQ+TkgDbr8StvSPGdZ1ykhagf1pegGU\nRIfZ+4ZKzyDUAq+fYNhIbmlm5h2gP+XdtakPy43j7n0iN1vwDgBqJ2pdaVs/GcFf\nvaztoltguoknI2NPSez1N217asTTLuth0nHxVXiKCVXnqwDjxgWmuP6X2B7VYjyc\nxQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

data_bags/credentials/akkounts.json

@@ -1,51 +1,72 @@
 {
   "id": "akkounts",
   "postgresql_username": {
-    "encrypted_data": "/Idxzq83imf6o6pbmFAk7bgxg69N7/1KNhgj\n",
-    "iv": "34BrmVmlxzuA7IJG\n",
-    "auth_tag": "VyLpWDshrOd417ZiY3432w==\n",
+    "encrypted_data": "bDlOkEmhvMgyVzPeTNUzYnzRLf3T9cc0cDxt\n",
+    "iv": "GCCUoqU5pxQ7fGkv\n",
+    "auth_tag": "Q7mrSHIBluMe3CGVmoR86Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "postgresql_password": {
-    "encrypted_data": "XqEmt+yu7mB6vBOUCT/5AtIptdUamfniz+PrFYCP0A==\n",
-    "iv": "2XdVUHkeeS1LHzMx\n",
-    "auth_tag": "mq0v9ikHD7pxTUrGO+VF9A==\n",
+    "encrypted_data": "wD0HtdsNe/hl4ZaOy8hyr2k4z8TXQrrSja3KNVE47w==\n",
+    "iv": "tb5yz8WDer0CsGvJ\n",
+    "auth_tag": "/+K2anuCff/6M7Pu70Smqw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "sentry_dsn": {
-    "encrypted_data": "u82JsPq5HvQRE2eWIbVp73LdqffyuTTylbURtM7XRJ6AXyKp1WD/iwVhNnL7\n/NKSWR24/u63WJCP4rXpW7293ZRU5UW/W3GwlOjNtbdxcaQ=\n",
-    "iv": "0GIV8v92dh4+Ma/Z\n",
-    "auth_tag": "XbuxPIZ5VxuMjw/f+usCgA==\n",
+    "encrypted_data": "jCz681x0WVixHYZUb62TO+1cgyJMiJ2UMqWcaztx57yDBOIiKW3oSZjuXdhP\n9WCesfXQF/lgzITZno3IKDqzlKjWgbGLC75y8FLguxidCHI=\n",
+    "iv": "IRNOzN/hLwg1iqax\n",
+    "auth_tag": "eg9dWnEK04JDb94e4CFa9Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "rails_master_key": {
-    "encrypted_data": "31N79um4TTD0tuDurrZVztoSv0sxZ70paV7AhD8P4+lX8kUkfhiugCbdhst0\n12YP5v/8\n",
-    "iv": "l4qanaerdou8AApw\n",
-    "auth_tag": "yvkcM4on1EMm1LhmmZ+O+g==\n",
+    "encrypted_data": "nUB77VLRp41rluH7hLBwQqPtnh/HsmfLr2VbcIZHWawL3o2TGuY+mj648f9L\n7XsEpgqY\n",
+    "iv": "fpdbDitqTRHxEKiv\n",
+    "auth_tag": "I44fn8Ott3L/Y5LYr56U/Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "discourse_connect_secret": {
-    "encrypted_data": "Ebs8KVEA0r4nFxYNjxxZFUWndxwoKes/9ihEgqgKLN76t6yzCUONeJZBMl0G\nXLdI8A==\n",
-    "iv": "ob8KBWeoHXFlZ7Nk\n",
-    "auth_tag": "motppQbVEhg6qyKRYpqctA==\n",
+    "encrypted_data": "ENtMn+1XTVFmdEZw7LU6WGoMbSZY654ggm3vPACGfFgqo6r0LhG60c5OTdqv\nZvT5/Q==\n",
+    "iv": "bL1BmvRhgxFqSM1P\n",
+    "auth_tag": "sEBZzGWwwYFHn+4B4SsyCA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "lndhub_admin_token": {
-    "encrypted_data": "I2hSF6X9L3OWbet5QWzrCyA3XyGFhFBgHh/uFr5dQ3RB\n",
-    "iv": "Kr8u2j5napFSamYc\n",
-    "auth_tag": "t93UNWomf+6WaZF7VVzTeQ==\n",
+    "encrypted_data": "4LPGFoARzI8UYnsJPIk8sax/rAA16pUULEZWn86e2C7L\n",
+    "iv": "nvjXrOwgfgutwEVw\n",
+    "auth_tag": "A89RUf1sdcS3FVscNPWYLg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "btcpay_auth_token": {
-    "encrypted_data": "0qesJ5KMvU2DlKdz7lExJWq0X9XYjpsqw61kLXWw4UNYwpNxPyFJSjbR9yKh\ntu0zMdtMB9Vur9izWBY=\n",
-    "iv": "gw2oAyeF2Kuvb3Em\n",
-    "auth_tag": "zMtos/E3e3XXeTlAY7o0lg==\n",
+    "encrypted_data": "ky5iWYF06os0Ek6vIRzWqMTekqJhCOh/Q9DTDIeKhSyk8TnT3O71lCNEt1F5\nXCNq6ux3V6oyHVLWj0o=\n",
+    "iv": "zk6WnxsY89oNW1F9\n",
+    "auth_tag": "FAIMXKvQ1T7QKezVSNJbwQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_access_key": {
+    "encrypted_data": "KfhfEGwPjOonlz6rpnNTinXFPqX/sIbqQn/aby0UDi/G/7cvEcOiNcCkfuSz\n",
+    "iv": "Q3rg06v6K9pUDLDY\n",
+    "auth_tag": "G5ugdlJ896KtYtObKLclJA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_secret_key": {
+    "encrypted_data": "N8s1OoDrYXHjqSydQA0kY7dd68Aelq4+/cgmJlYfP92u4YA17V4TR7fsvQZL\nkqjuUSClNYPc0XiCwf/5gxVirE9AO6OmmvSV7lUyu4hcEY6unrU=\n",
+    "iv": "bXzIVWnX6V0P6PRb\n",
+    "auth_tag": "1EOjCfsX9P6ETjUsgBvBsA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "nostr_private_key": {
+    "encrypted_data": "Sf8PEyQ0sqcgxddSlIDxLOVzPjOkTFObsYuTgcxkbEV7igrati4e8QVVUEBD\n1yoLJXelp8jlCr28Ectci29jc53gYSMTLSQsw97uYas2R0dGCqQ=\n",
+    "iv": "+1CIUyvIUOveLrY4\n",
+    "auth_tag": "GDqS+IuAIfMBmHIeFXaV7A==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/gandi_api.json

@@ -0,0 +1,24 @@
+{
+  "id": "gandi_api",
+  "key": {
+    "encrypted_data": "d3/rJMX6B9GuzUt0/mIk/lgQ3qGyQdbNXH6UEm3ZX7DeSl+rbW9FPJCRWg==\n",
+    "iv": "15YVAYla7PqqVOab\n",
+    "auth_tag": "xQSq+ld6SDOAER07N4ZkUQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "access_token": {
+    "encrypted_data": "geQwcNosiJZmqbbMpD/I+a2yueBzpV6C8Rb7vrCD8kR161ZRjvqLe+g/1XpT\n2/65wKYDMTrdto1I030=\n",
+    "iv": "1sj58eyooOZ8FTYn\n",
+    "auth_tag": "yBNfgWXaToc06VDLly/HUw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "domains": {
+    "encrypted_data": "p5rIQTyCE+0d4HIuA4GKEAFekh7qEC4xe9Rm/kP0DyzY83FO0/4uKIvYoZRB\n",
+    "iv": "LWlx98NSS1/ngCH1\n",
+    "auth_tag": "FID+x/LjTZ3cgQV5U2xZLA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

data_bags/credentials/gandi_api_5apps.json

@@ -1,9 +0,0 @@
-{
-  "id": "gandi_api_5apps",
-  "key": {
-    "encrypted_data": "+tcD9x5MkNpf2Za5iLM7oTGrmAXxuWFEbyg4xrcWypSkSTjdIncOfD1UoIoS\nGzy1\n",
-    "iv": "ymls2idI/PdiRZCgsulwrA==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
-  }
-}

data_bags/credentials/gitea.json

@@ -1,58 +1,58 @@
 {
   "id": "gitea",
   "jwt_secret": {
-    "encrypted_data": "HHKq1HcxV9uC0aBdkn2AAA9C3dn2o8DnL2uDtZBf+epGC8sOko6/BSvsm8wV\nuG7yVmeFajgyCePSv4M8Or8=\n",
-    "iv": "raypiojdRL+DkiDa\n",
-    "auth_tag": "JZmWJyLTHNHAHNufRizL+w==\n",
+    "encrypted_data": "wMxs1Ec4vKRSzFtL2KuU1XfmR1t5KDx/7XBbI7V0QfgK+JwYbxU5w6feQCBE\nxOMepAXVUwU7RxPZ+hwQgPg=\n",
+    "iv": "F4vtuOL2B9e9LQnb\n",
+    "auth_tag": "NHATxHbr+3Y3Kxa68NwnjQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "internal_token": {
-    "encrypted_data": "VFez8gOv5hnpBkURlufdPHvfQsL+lFlL8M9vywgKEi4XrXcNlDvoKKqdtSMv\nxGuoKqF/4NFcl2X3JRwp1j5iut+Jdg5CpnVVQLWKHc022LjD7K9nRsdmiD9Q\nLsLnU1Trzqg8VZS2ryqdjI4elkgoc15lmXwJvTNgRUzDqw==\n",
-    "iv": "q7H4q7kBfRt4floS\n",
-    "auth_tag": "vyd4ZwVxeFTTfvjI4k5irQ==\n",
+    "encrypted_data": "mlvUtIjs6kcv7XcYCUOgOE/kDSE4Ts5G+CZuPrJapW9XwkebmyOnHJvXdihY\np/chUtar0pNB5Q16LeeZF9KrzOiDo/OXb40TPUzpsB0/607zV1z829STd4l7\nu5g4Zur13nxC9jT0zQL9QgDEobYdjgf/xu1BXxFT+Ue3lQ==\n",
+    "iv": "25+1a2OJYFNxdf1N\n",
+    "auth_tag": "aF8Gn6Mm7AwLjbR8cDnitg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "secret_key": {
-    "encrypted_data": "7tD4E/5AuxxmNdu4arWj/BBNTUv6JX+m2ITbcLfE+VE2WacsCZUEyi1d1v0B\nyujQ9bljJn3z0zV4PxKFJILKjQb35PSiA8b86X/75Y1B9Gl64ds=\n",
-    "iv": "gE2O5aN+Nea6VXi7\n",
-    "auth_tag": "3+EmAUgBBDyChRBHsUtLig==\n",
+    "encrypted_data": "xQuHuijNHoo2WicM2UvSGpwPHd0UilxlIl4BM2Rgyih5bdhjxB6UtUcY9uJQ\nYgxEd7y7R5+XhUAu87CEs4qAGtguDDxGtSGwgTSopvAYZewPFLw=\n",
+    "iv": "Kxwqagjps8kP7Dhz\n",
+    "auth_tag": "WGz5TzBzksf36hKPzBZTQQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "postgresql_password": {
-    "encrypted_data": "mWN2sTOjZ1EPUH/KAJ8owoPM7v/+IfIHEPACN7gFDrqG8dWGjfiu+fvILw==\n",
-    "iv": "ldm57dVSdiPnk5l3\n",
-    "auth_tag": "D+r/0obCYWx53vIeUDPGMQ==\n",
+    "encrypted_data": "ZziPtXhQM/TQBE+077smnjEPzfJOSo9Cj/CUnG/Be1AN0UAfielf68EhLg==\n",
+    "iv": "iBdSrY15vOc3eycF\n",
+    "auth_tag": "km2CkraKlpOygaz7Xy548Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_key_id": {
-    "encrypted_data": "AvlsAInGyPMvHle5YZT3EHMTG89PggqmFaddvHSQLEkvI2EycktxJ/btjGOP\n",
-    "iv": "qGkILPp5EWc21wwa\n",
-    "auth_tag": "eIpCgZAnWZR7nlllj+IXMQ==\n",
+    "encrypted_data": "1j0znqBgNbHMyJIf51MmfkjkpU3SPv+EL8F30mrfQ44vsGziyeiWfp91hGUM\n",
+    "iv": "dzJM1EX/X8Qy5KbR\n",
+    "auth_tag": "2YUCCFG/oTph3svFYhhYzg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_secret_key": {
-    "encrypted_data": "TAo4ViF7cL+ibIuHM77irZW08ilD46S8N5BV91gc2wegvHpHqLHw5zrsDxfu\nDiJHGUfjge/NBOGN5VSKKC0nFfMJ4sLPxVSiKyON4RMBSuzSqmo=\n",
-    "iv": "tjK8XdaCZOdLUHyo\n",
-    "auth_tag": "Qu1z6e1/4gPIyaCwBjaWsw==\n",
+    "encrypted_data": "7P3JUyl0LsGuGi8GhSYdXHm4bQhnkGfSrbEMGyfzjSYB5hqm17kYZwNbNA0O\nIUmJ6Kq9Nby7IFTd1qFo7aA+dXuvxJD5QXO8T5E+D0xIaWMHPco=\n",
+    "iv": "+ivHjYpQG/3gQWAi\n",
+    "auth_tag": "fftxN0Z/Kfrn+oFk07jKYQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_bucket": {
-    "encrypted_data": "NTp9+KyzlblporEwM7SEwoClXu5cI10SfVrJ/uywcf/x2l8=\n",
-    "iv": "TFTeQ8yKUhblmrFK\n",
-    "auth_tag": "L9nrXEeJhxcLO4YgGk4zpg==\n",
+    "encrypted_data": "98UnmjwIlLjNFQojZlQRMZAWpI/7s9xJkgvh4sU5I2jWmYk=\n",
+    "iv": "zLck9Dp6OP+L3BwX\n",
+    "auth_tag": "Zc5G6bd7CbZfDCZ31YWxMg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "runners": {
-    "encrypted_data": "yTCk4/hqw/4vEaXobdYU4vZRxErNp0GX4qDMuHwdr7UOQk2qQ8O8j44njPv2\ncKcIm6CQiip+GRuvl6+zETd8gctC0W14n5Rfep4zQbMp/BW3ypGambVk6z1m\nRnT4dMEl32rwcXG8c3w+vAFpx8smrK5iyy4ca0ZijC+eeysk4OAwn0XkvQuV\nB1Jy9CmVm9xiZ6sXaiU13tTry8A=\n",
-    "iv": "+biM/42g5doJNOax\n",
-    "auth_tag": "WwNgd6aqm26GcekYVOeBDQ==\n",
+    "encrypted_data": "f0RRLCrGT7LDUEXcM6m2dJ7C95UPqVZz9dfNLsYa/3SZLDcm1p4FDIy0Su6R\nrXMoAI9IdLBN7/BDMMvqkULEq3Bx5vXn+oTUsUYuKxWmvKEUhC4virOApxh6\n5GbuqcOEPKaf9lHByL+2HKdAmJMzVRGD0t78ePS2pU4H6IFnS9V1p6opOEPr\nzTJ+0PM98eQ/voFKDHGNHUqgDs2qu9wUYNmcHe1eSimFdJiOCN0Mlszu3HL0\nXkHfrGbLrcW+8Ol7dTXdDJB7WAd3R3vddoZQ+mrwzGGDeSMm+ezeMzAX\n",
+    "iv": "NtZ9SbbscX47BXGH\n",
+    "auth_tag": "ZGBzxjNFB5WPnJCpdFwtAQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/liquor-cabinet.json

@@ -0,0 +1,17 @@
+{
+  "id": "liquor-cabinet",
+  "s3_access_key": {
+    "encrypted_data": "TKYUWVboQZUKvw4bqrKsL28dH2DGR5iDBQclAwm5I7GqkxFfkG2d91qLv+BA\n",
+    "iv": "B8YYzXeFGxMG34WI\n",
+    "auth_tag": "HOIfcpJOFYIVvf5o8lk4mg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_secret_key": {
+    "encrypted_data": "GRqGJkGJ/f0zQVtO0r9TcXBqlpnfC5PiwTZK8QmsqEhzQI6U67NAf62QqTgl\nGVI1h8G5ITgC3l0xVhcvH6m2bcs9fjNzFIqnhoZhzGwEt51A5Zk=\n",
+    "iv": "UAlmoUWLedpd79xa\n",
+    "auth_tag": "2F/EJhY5/59dtFFwkd106A==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

data_bags/credentials/mastodon.json

@@ -1,79 +1,93 @@
 {
   "id": "mastodon",
   "paperclip_secret": {
-    "encrypted_data": "orOIbqFANPCkd4sUTCyyoh4z1o6SBudgH4wKJudTo9dANaHGhWcBUFKrhZi1\nMJTBQx/d0hiDI1P2XN3h+hROCg3JJ8OClUSJH9CfN5GlbWvXh0Nhq7hqy8L3\nLAPL+uigiXI6ObrnKQoD8LeJIB46233uwaCA/7zB6gah0ExJ2DXGH6qq9JSS\nqmTFiy+hT+VHGrUo\n",
-    "iv": "U4E4NLYLkP0/tTTs\n",
-    "auth_tag": "WKQ+pDPZp7B791lhC5j3iQ==\n",
+    "encrypted_data": "VJn4Yd2N7qFV+nWXPjPA8Y2KEXL/gZs2gK5E3DZZc9ogFXV7RtpDtq+NKGJU\ndpR8ohtEZvkyC+iBkMAlnS1sSVKiLdQ1xXvbzkj04mYgjnLvwsZ19uVpBGwR\nt/DON7Bhe5Fw+OyrBQksqNcZQSpB9sMBfgA1IgCpdVGHQ8PmkMbFTaZZYcoF\n7gg3yUw5/0t3vRdL\n",
+    "iv": "X5atp/KaIurfln/u\n",
+    "auth_tag": "mVnBoUb5HwhXNYUddJbq8Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "secret_key_base": {
-    "encrypted_data": "vweClhdY8SqQkK+p0OYUL2B6Fsz5eQDpEYWCtd/eRJfwwYAObbLcMWRC6MwE\neQVMw59bOqYc3RBuv/+WPLtENazA1bYCXBXQr1J6xqjJAz0Mo6KbRyxy5n78\nv8q6RSiao1VVIUXohtFlQgWeV6x5sz34bJxjlHinKvKsgiGXiuVBxYUUfzWQ\nuzrGug09cpZBqfpc\n",
-    "iv": "Z0/csEBH5/X1+MR+\n",
-    "auth_tag": "fTvBN6eovi3JVEK0ZX97Nw==\n",
+    "encrypted_data": "d0sNREFhzQEJhkRzielbCNBJOVAdfThv7zcYTZ1vFZ20i/mzB9GWW2nb+1yn\nNFjAq8wCLpLXn9n3FClE+WOqnAw0jwTlyScRM5lzjKI5SxHKkBQHGyFs2AF8\nqFjEvpiqxhjsc4kNOJGO8DdcyHuulXyaO9fJg8HDnU1ov1vSSuTc0ABKgycY\nMq/Xt10UXnhP8cPw\n",
+    "iv": "HFT7fdGQ2KRJ2NFy\n",
+    "auth_tag": "C55JT2msLQCoI+09VKf+Jw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "otp_secret": {
-    "encrypted_data": "o1ts1bUgPIzFQXjJ2MpBMLntWkyPxDaJAaU1K3WzmNMXnw5MVlkKKCEFVccd\nPss/MwDuBkbNPhri3ZkH48m9SiayWETVYvw5GZzcVsw4TeMu915O44lfl9tX\nW3XHU+DBps1BVH9535R4X9M1aFW4W4XfwHtS5wcrZqtVhNhS3NSgE4JpN/Dz\nFdcFAOhflnt8fIAN\n",
-    "iv": "QLsxmIlX1NpxMyHz\n",
-    "auth_tag": "j1h/PvIoqshTBN5c5IaAsA==\n",
+    "encrypted_data": "1iH7mUkaUzyn9dfDwMdiJ8X059qWSUO3DqivsOFfI1f44nMnzllaYPu6nh8O\nNLNCOzvsSAonhhaq1X+foOdyPIG2mGhE/juKveDD57/AdZAayHWsbsQlPC4l\nwdShz/ANrq0YZ/zOhpT2sZj1TZavW+S+JlxJFX2kP24D4dUzwG0vNj7522+Q\n9NAApJdUte1ZYF/b\n",
+    "iv": "00/vs5zTdoC19+pS\n",
+    "auth_tag": "3cjYqebMshnmWkQ3SdRcCQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "aws_access_key_id": {
-    "encrypted_data": "YQHUx0GugKu0AtlbGLRGocFEhTGAghWA0DUs1Nxs4Hd3bTIp4lyM\n",
-    "iv": "54zt2tkQhHtpY7sO\n",
-    "auth_tag": "ofBJx3QDsjHe66ga3nji8g==\n",
+    "encrypted_data": "krcfpxOrAkwZR2GP4glTaFg2dw/COw8BO8I+KICqyl4bvpL5NrB9\n",
+    "iv": "paoDKp6EIU8bjxzF\n",
+    "auth_tag": "p6Pt/tz5dgGXzW5cO06nBg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "aws_secret_access_key": {
-    "encrypted_data": "FAz6xZ+wsCz/KFA+DK6f4V04rxJt+9U/yXUGF9tvce0VqB3scH+T0KDDn1/n\nZ/0G0Tbxt2urRPbPUdI=\n",
-    "iv": "iapSpeM6lfDMIfNk\n",
-    "auth_tag": "HlkwUnNeJlOUrZ3ieN5xAQ==\n",
+    "encrypted_data": "aQySCT7gxeNiMMocq81KtIi+YzrZwMBeTd4LrRSN8iNEikWReJrrfagBwozy\n+Gfdw4bMGzY1dhF1Sl4=\n",
+    "iv": "R/hvvOvmqq/uoKbx\n",
+    "auth_tag": "QBJY/3+OprBXO/FSNwv2OQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "ldap_bind_dn": {
+    "encrypted_data": "wDPABdL+DlXz2WWV4XwW20kM4EWPSwc/ajBmbdYMnjFau6c76CIBpbFhrFoj\n3mwDbHz8cgOnLNvozXSV4w6N7URCN/mWWTBHNhd3ppw=\n",
+    "iv": "8rQ0M4LT1HbCNpq9\n",
+    "auth_tag": "AuO5R6WCtd75TGJNfgFSCg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "ldap_password": {
+    "encrypted_data": "y0t8RuptVYiTKmUhaAWsC4c2ZzhQsYeVLeMPiQBn+Q==\n",
+    "iv": "mixYzDKkPSIDQ/l+\n",
+    "auth_tag": "DbLlZG7rlgBmyCdJ3nhSYA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "smtp_user_name": {
-    "encrypted_data": "ivB09/mCRrUaz9X4NFRBiqytjgy/vxN5Nha7gopFq5eSu9v4K9MkaLRqHh1I\nYw==\n",
-    "iv": "a8WKhRKsUjqBtfmn\n",
-    "auth_tag": "ib5WJNNaO7bRIspdACmOLw==\n",
+    "encrypted_data": "Ugc29HUFcirv6jOOlYNs9uvmhfwa2rG41im/MusCx0Vu0AZKcdy0krGi/kCZ\nKg==\n",
+    "iv": "ZlDK854w+vTNmeJe\n",
+    "auth_tag": "Nj95g0JMxrT419OLQIX26g==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "smtp_password": {
-    "encrypted_data": "FxPz2e7fUNqcAu+DDJKlqn8rcSBLmnzigTFf5moZlQ1zz4YVl6pqHisa22Qz\nbfUx9rjU\n",
-    "iv": "GvRlNDV/b1WawtOP\n",
-    "auth_tag": "kyRCGfSJQelIwThDT4iQQQ==\n",
+    "encrypted_data": "D1TGjRfmM1ZeUmzwewlKXfQvvqTSzpzNlK5MKIU8dxbAH175UKn5qiemDEWe\nRYPe1LWT\n",
+    "iv": "D1OVfD5bMcefM5DP\n",
+    "auth_tag": "2E/q2gTbdXiLVnOMDeJv9w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "vapid_private_key": {
-    "encrypted_data": "DlbEAhd+SkSJoOSuwGhd5bdFlJADnT0w4u0+6m8AJoWJjoSCGAnzzmdHWT/k\nVUDkwiBCkqmEPK0oTvxnl/a8\n",
-    "iv": "6e0Gay7GVrQad1rI\n",
-    "auth_tag": "jjVundJ/ITxP/oYgEgzElg==\n",
+    "encrypted_data": "+87bVrbd/XvWhZH1IYusc4Hla7ZZmylptAyJf48CMG/F3SMEO33OqW2I+UWh\nSkqbxai5+GaMhvZHB8U2Clod\n",
+    "iv": "HVhNdFQl0TvCcjsa\n",
+    "auth_tag": "EEQXuQ5keOHXmchhBh+Ixw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "vapid_public_key": {
-    "encrypted_data": "+m37w/eWYqdEjsEYQw27FvQC+37ucruOFjZAjo0OgCwA0SoVz4VHX2eSA2AK\njX4CnM91cY4e/WG/ZHKlOMN1PftyQn2bdGaw35nXDanep8z0ROa01JEEi5DE\nUFRKvBmPInTeR6xvemuj7GM=\n",
-    "iv": "loYbGrAsWGLUZ+BK\n",
-    "auth_tag": "lAfpEEVQq+n7MLLm/kpmIA==\n",
+    "encrypted_data": "nBm1lXbn1+Kzol95+QSEjsUI/n7ObhdEqEyfYcVSP/LiLy57KOBQDu6CjSMz\n+PN9yEP4lOjtscqHS29jTC2vi3PSui9XpOFHRxFBnDuyKxczrnID2KlLCNRQ\n228G3VRgFIMAWMYKACgzUk0=\n",
+    "iv": "xHrVl+4JGkQbfUW3\n",
+    "auth_tag": "rfFoBMocq17YiDSlOCvWqw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_key_id": {
-    "encrypted_data": "4B8OQ0iVCCna4FvC+EuS5prEUWaHRm1+tzXGmFoCQ4WZfhUA1HwT3x651e/R\n",
-    "iv": "1/zGwcQPQQQCiXIs\n",
-    "auth_tag": "siK9ph1q3/VVEycy91wkqQ==\n",
+    "encrypted_data": "pq0+VZhjoxzLuyY34f23wOmuks9Wevt8Wu6muKZAsZMSuU0iJvlRoK/65Qa0\n",
+    "iv": "QTxO+IfYcpI170ON\n",
+    "auth_tag": "4ZHva2iBYgDv6DyhMRRXzA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_secret_key": {
-    "encrypted_data": "BSAc8dE/rQUiVvTGV6Ee/ZUDpq4HZlpoaCZ+lbQAbcnxui4ib0OTLPFwhVJ9\n4OQWahtSzkqxMc6MKWpadLT1a3oTnvnae9b3u40X5b2P3VyZYCM=\n",
-    "iv": "bqw8GTqLMTs5vD5n\n",
-    "auth_tag": "+e48L1lYVNda7VE3uLOAHA==\n",
+    "encrypted_data": "YMZqKtOXDPAME8IWWC+lO8TsxHMzawlbTju9z/Hcb5DnQAOy82QufTN90m73\n/xikUboAdKcA5YGn0mkm+Rt/ygVR6DFirYV3kwi2M3qyGVJifug=\n",
+    "iv": "9AwabheRFOgC8IKR\n",
+    "auth_tag": "iU2kkA1q8OsblN5jaZrWGQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

environments/production.json

@@ -3,6 +3,7 @@
   "override_attributes": {
     "akkounts": {
       "btcpay": {
+        "public_url": "https://btcpay.kosmos.org",
         "store_id": "FNJVVsrVkKaduPDAkRVchdegjwzsNhpceAdonCaXAwBX"
       },
       "ejabberd": {
@@ -11,6 +12,9 @@
       "lndhub": {
         "public_url": "https://lndhub.kosmos.org",
         "public_key": "024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946"
+      },
+      "nostr": {
+        "public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
       }
     },
     "discourse": {
@@ -33,8 +37,7 @@
         "hostmaster@kosmos.org":  "mail@kosmos.org",
         "postmaster@kosmos.org":  "mail@kosmos.org",
         "abuse@kosmos.org":       "mail@kosmos.org",
-        "mail@kosmos.org":        "foundation@kosmos.org",
-        "hackerhouse@kosmos.org": "mail@lagrange6.com"
+        "mail@kosmos.org":        "foundation@kosmos.org"
       }
     },
     "garage": {
@@ -43,8 +46,9 @@
       "s3_web_root_domain": "web.s3.kosmos.org",
       "s3_web_domains": [
         "media.kosmos.chat",
-        "s3.kosmos.social",
-        "s3.community.kosmos.org"
+        "s3.accounts.kosmos.org",
+        "s3.community.kosmos.org",
+        "s3.kosmos.social"
       ],
       "xmpp_upload_bucket": "kosmos-xmpp-uploads"
     },
@@ -64,13 +68,15 @@
       "backup": {
         "nodes_excluded": [
           "garage-",
+          "lq-",
           "rsk-",
-          "postgres-5"
+          "postgres-6"
         ]
       }
     },
     "kosmos-mastodon": {
       "domain": "kosmos.social",
+      "user_address_domain": "kosmos.social",
       "s3_endpoint": "http://localhost:3900",
       "s3_region": "garage",
       "s3_bucket": "kosmos-social",
@@ -80,6 +86,16 @@
         "mastodon.w7nooprauv6yrnhzh2ajpcnj3doinked2aaztlwfyt6u6pva2qdxqhid.onion"
       ]
     },
+    "liquor-cabinet": {
+      "ufw_source_allowed": "10.1.1.0/24",
+      "redis_port": 6379,
+      "redis_db": 1,
+      "s3_endpoint": "http://localhost:3900",
+      "s3_region": "garage",
+      "s3_bucket": "rs-kosmos",
+      "domain": "storage.kosmos.org",
+      "root_redirect_url": "https://accounts.kosmos.org"
+    },
     "mediawiki": {
       "url": "https://wiki.kosmos.org"
     },

nodes/akkounts-1.json

@@ -17,6 +17,7 @@
       "kvm_guest",
       "ldap_client",
       "sentry_client",
+      "garage_gateway",
       "akkounts",
       "postgresql_client"
     ],
@@ -26,6 +27,9 @@
       "kosmos_kvm::guest",
       "kosmos-dirsrv::hostsfile",
       "kosmos_sentry::client",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
       "kosmos_postgresql::hostsfile",
       "kosmos-akkounts",
       "kosmos-akkounts::default",
@@ -43,6 +47,7 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
+      "firewall::default",
       "redisio::default",
       "redisio::_install_prereqs",
       "redisio::install",
@@ -76,6 +81,7 @@
     "role[kvm_guest]",
     "role[ldap_client]",
     "role[sentry_client]",
+    "role[garage_gateway]",
     "role[akkounts]"
   ]
 }

nodes/draco.kosmos.org.json

@@ -47,11 +47,11 @@
       "kosmos_assets::nginx_site",
       "kosmos_discourse::nginx",
       "kosmos_drone::nginx",
-      "kosmos-ejabberd::nginx",
       "kosmos_garage::nginx_web",
       "kosmos_garage::nginx_s3",
       "kosmos_gitea::nginx",
       "kosmos_gitea::nginx_ssh",
+      "kosmos_liquor-cabinet::nginx",
       "kosmos_rsk::nginx_testnet",
       "kosmos_rsk::nginx_mainnet",
       "kosmos_website",

nodes/fornax.kosmos.org.json

@@ -45,6 +45,7 @@
       "kosmos_garage::nginx_s3",
       "kosmos_gitea::nginx",
       "kosmos_gitea::nginx_ssh",
+      "kosmos_liquor-cabinet::nginx",
       "kosmos_rsk::nginx_testnet",
       "kosmos_rsk::nginx_mainnet",
       "kosmos_website",

nodes/garage-8.json

@@ -1,17 +1,17 @@
 {
-  "name": "garage-3",
+  "name": "garage-8",
   "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.39"
+      "host": "10.1.1.61"
     }
   },
   "automatic": {
-    "fqdn": "garage-3",
+    "fqdn": "garage-8",
     "os": "linux",
-    "os_version": "5.4.0-132-generic",
-    "hostname": "garage-3",
-    "ipaddress": "192.168.122.191",
+    "os_version": "5.4.0-1090-kvm",
+    "hostname": "garage-8",
+    "ipaddress": "192.168.122.207",
     "roles": [
       "base",
       "kvm_guest",
@@ -46,13 +46,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.3.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "version": "18.4.2",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.2/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "version": "18.1.11",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
       }
     }
   },
@@ -61,4 +61,4 @@
     "role[kvm_guest]",
     "role[garage_node]"
   ]
-}
+}

nodes/lq-1.json

@@ -1,5 +1,6 @@
 {
   "name": "lq-1",
+  "chef_environment": "production",
   "normal": {
     "knife_zero": {
       "host": "10.1.1.87"
@@ -8,17 +9,24 @@
   "automatic": {
     "fqdn": "lq-1",
     "os": "linux",
-    "os_version": "5.4.0-1090-kvm",
+    "os_version": "5.4.0-1104-kvm",
     "hostname": "lq-1",
     "ipaddress": "192.168.122.158",
     "roles": [
       "base",
-      "kvm_guest"
+      "kvm_guest",
+      "garage_gateway",
+      "liquor_cabinet"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_liquor-cabinet",
+      "kosmos_liquor-cabinet::default",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -32,7 +40,9 @@
       "postfix::_common",
       "postfix::_attributes",
       "postfix::sasl_auth",
-      "hostname::default"
+      "hostname::default",
+      "firewall::default",
+      "liquor_cabinet::default"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
@@ -51,6 +61,8 @@
   },
   "run_list": [
     "role[base]",
-    "role[kvm_guest]"
+    "role[kvm_guest]",
+    "role[garage_gateway]",
+    "role[liquor_cabinet]"
   ]
 }

nodes/lq-2.json

@@ -1,5 +1,6 @@
 {
   "name": "lq-2",
+  "chef_environment": "production",
   "normal": {
     "knife_zero": {
       "host": "10.1.1.188"
@@ -8,17 +9,24 @@
   "automatic": {
     "fqdn": "lq-2",
     "os": "linux",
-    "os_version": "5.4.0-1090-kvm",
+    "os_version": "5.4.0-1104-kvm",
     "hostname": "lq-2",
     "ipaddress": "192.168.122.47",
     "roles": [
       "base",
-      "kvm_guest"
+      "kvm_guest",
+      "garage_gateway",
+      "liquor_cabinet"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_liquor-cabinet",
+      "kosmos_liquor-cabinet::default",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -32,7 +40,9 @@
       "postfix::_common",
       "postfix::_attributes",
       "postfix::sasl_auth",
-      "hostname::default"
+      "hostname::default",
+      "firewall::default",
+      "liquor_cabinet::default"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
@@ -51,6 +61,8 @@
   },
   "run_list": [
     "role[base]",
-    "role[kvm_guest]"
+    "role[kvm_guest]",
+    "role[garage_gateway]",
+    "role[liquor_cabinet]"
   ]
 }

nodes/mastodon-3.json

@@ -14,6 +14,7 @@
     "ipaddress": "192.168.122.161",
     "roles": [
       "kvm_guest",
+      "ldap_client",
       "garage_gateway",
       "mastodon",
       "postgresql_client"
@@ -22,6 +23,7 @@
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
+      "kosmos-dirsrv::hostsfile",
       "kosmos_garage",
       "kosmos_garage::default",
       "kosmos_garage::firewall_rpc",
@@ -84,6 +86,7 @@
   "run_list": [
     "recipe[kosmos-base]",
     "role[kvm_guest]",
+    "role[ldap_client]",
     "role[garage_gateway]",
     "role[mastodon]"
   ]

nodes/postgres-5.json

@@ -13,12 +13,20 @@
     "ipaddress": "192.168.122.211",
     "roles": [
       "base",
-      "kvm_guest"
+      "kvm_guest",
+      "postgresql_primary"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
+      "kosmos_postgresql::primary",
+      "kosmos_postgresql::firewall",
+      "kosmos-bitcoin::lndhub-go_pg_db",
+      "kosmos-bitcoin::nbxplorer_pg_db",
+      "kosmos_drone::pg_db",
+      "kosmos_gitea::pg_db",
+      "kosmos-mastodon::pg_db",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -52,6 +60,6 @@
   "run_list": [
     "role[base]",
     "role[kvm_guest]",
-    "role[postgresql_replica]"
+    "role[postgresql_primary]"
   ]
 }

nodes/postgres-6.json

@@ -1,32 +1,24 @@
 {
-  "name": "postgres-4",
+  "name": "postgres-6",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.107"
+      "host": "10.1.1.196"
     }
   },
   "automatic": {
-    "fqdn": "postgres-4",
+    "fqdn": "postgres-6",
     "os": "linux",
-    "os_version": "5.4.0-122-generic",
-    "hostname": "postgres-4",
-    "ipaddress": "192.168.122.3",
+    "os_version": "5.4.0-173-generic",
+    "hostname": "postgres-6",
+    "ipaddress": "192.168.122.60",
     "roles": [
       "base",
-      "kvm_guest",
-      "postgresql_primary"
+      "kvm_guest"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
-      "kosmos_postgresql::primary",
-      "kosmos_postgresql::firewall",
-      "kosmos-bitcoin::lndhub-go_pg_db",
-      "kosmos-bitcoin::nbxplorer_pg_db",
-      "kosmos_drone::pg_db",
-      "kosmos_gitea::pg_db",
-      "kosmos-mastodon::pg_db",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -47,19 +39,19 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.3.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "version": "18.4.2",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.2/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "version": "18.1.11",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
       }
     }
   },
   "run_list": [
     "role[base]",
     "role[kvm_guest]",
-    "role[postgresql_primary]"
+    "role[postgresql_replica]"
   ]
-}
+}

roles/liquor_cabinet.rb

@@ -0,0 +1,5 @@
+name "liquor_cabinet"
+
+run_list %w(
+  kosmos_liquor-cabinet::default
+)

roles/openresty_proxy.rb

@@ -25,6 +25,7 @@ production_run_list = %w(
   kosmos_garage::nginx_s3
   kosmos_gitea::nginx
   kosmos_gitea::nginx_ssh
+  kosmos_liquor-cabinet::nginx
   kosmos_rsk::nginx_testnet
   kosmos_rsk::nginx_mainnet
   kosmos_website::default

scripts/postgresql/switch_primary.sh

@@ -21,3 +21,4 @@ bundle exec knife ssh roles:postgresql_client -a knife_zero.host "sudo sed -r \"
 # TODO
 # 1. Change roles in node configs
 # 2. Converge new primary
+echo "You need to update the role in the '$new_primary_hostname' node config to 'postgres_primary' and converge it now."

site-cookbooks/kosmos-akkounts/attributes/default.rb

@@ -1,5 +1,5 @@
 node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git'
-node.default['akkounts']['revision'] = 'master'
+node.default['akkounts']['revision'] = 'live'
 node.default['akkounts']['port'] = 3000
 node.default['akkounts']['domain'] = 'accounts.kosmos.org'
 node.default['akkounts']['primary_domain'] = 'kosmos.org'
@@ -11,6 +11,7 @@ node.default['akkounts']['smtp']['domain']          = 'kosmos.org'
 node.default['akkounts']['smtp']['auth_method']     = 'plain'
 node.default['akkounts']['smtp']['enable_starttls'] = 'auto'
 
+node.default['akkounts']['btcpay']['public_url'] = nil
 node.default['akkounts']['btcpay']['store_id'] = nil
 
 node.default['akkounts']['ejabberd']['admin_url'] = nil
@@ -19,3 +20,11 @@ node.default['akkounts']['lndhub']['api_url'] = nil
 node.default['akkounts']['lndhub']['public_url'] = nil
 node.default['akkounts']['lndhub']['public_key'] = nil
 node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
+
+node.default['akkounts']['nostr']['public_key'] = nil
+
+node.default['akkounts']['s3_enabled'] = true
+node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org"
+node.default['akkounts']['s3_region'] = "garage"
+node.default['akkounts']['s3_bucket'] = "akkounts-production"
+node.default['akkounts']['s3_alias_host'] = "https://s3.accounts.kosmos.org"

site-cookbooks/kosmos-akkounts/recipes/default.rb

@@ -30,12 +30,12 @@ npm_package "yarn" do
   version "1.22.4"
 end
 
-ruby_version = "2.7.5"
+ruby_version = "3.3.0"
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
 rails_env = node.chef_environment == "development" ? "development" : "production"
 
-ruby_build_install 'v20230615'
+ruby_build_install 'v20240221'
 ruby_build_definition ruby_version do
   prefix_path ruby_path
 end
@@ -69,17 +69,34 @@ if webhooks_allowed_ips.length > 0
   env[:webhooks_allowed_ips] = webhooks_allowed_ips
 end
 
+#
+# BTCPay Server
+#
+
 if btcpay_host
   env[:btcpay_api_url] = "http://#{btcpay_host}:23001/api/v1"
+  env[:btcpay_public_url] = node['akkounts']['btcpay']['public_url']
   env[:btcpay_store_id] = node['akkounts']['btcpay']['store_id']
   env[:btcpay_auth_token] = credentials["btcpay_auth_token"]
 end
 
+#
+# Discourse
+#
+
 env[:discourse_public_url] = "https://#{node['discourse']['domain']}"
 env[:discourse_connect_secret] = credentials['discourse_connect_secret']
 
+#
+# Drone CI
+#
+
 env[:droneci_public_url] = node["droneci"]["public_url"]
 
+#
+# ejabberd
+#
+
 ejabberd_private_ip_addresses = []
 search(:node, "role:ejabberd").each do |node|
   ejabberd_private_ip_addresses << node["knife_zero"]["host"]
@@ -101,8 +118,16 @@ if ejabberd_private_ip_addresses.size > 0
   env[:ejabberd_admin_url] = node['akkounts']['ejabberd']['admin_url']
 end
 
+#
+# Gitea
+#
+
 env[:gitea_public_url] = "https://#{node['gitea']['domain']}"
 
+#
+# lndhub.go
+#
+
 if lndhub_host
   node.override["akkounts"]["lndhub"]["api_url"] = "http://#{lndhub_host}:3026"
   env[:lndhub_legacy_api_url] = node["akkounts"]["lndhub"]["api_url"]
@@ -119,10 +144,57 @@ if lndhub_host
   end
 end
 
+#
+# Mastodon
+#
+
 env[:mastodon_public_url] = "https://#{node['kosmos-mastodon']['domain']}"
+env[:mastodon_address_domain] = node['kosmos-mastodon']['user_address_domain']
+
+#
+# MediaWiki
+#
 
 env[:mediawiki_public_url] = node['mediawiki']['url']
 
+#
+# Nostr
+#
+
+env[:nostr_private_key] = credentials['nostr_private_key']
+env[:nostr_public_key] = node['akkounts']['nostr']['public_key']
+
+#
+# remoteStorage / Liquor Cabinet
+#
+
+env[:rs_storage_url] = "https://#{node['liquor-cabinet']['domain']}"
+
+rs_redis_host = search(:node, "role:redis_server").first["knife_zero"]["host"] rescue nil
+rs_redis_port = node['liquor-cabinet']['redis_port']
+rs_redis_db = node['liquor-cabinet']['redis_db']
+if rs_redis_host
+  env[:rs_redis_url] = "redis://#{rs_redis_host}:#{rs_redis_port}/#{rs_redis_db}"
+end
+
+#
+# S3
+#
+
+if node['akkounts']['s3_enabled']
+  env[:s3_enabled] = true
+  env[:s3_endpoint] = node['akkounts']['s3_endpoint']
+  env[:s3_region] = node['akkounts']['s3_region']
+  env[:s3_bucket] = node['akkounts']['s3_bucket']
+  env[:s3_alias_host] = node['akkounts']['s3_alias_host']
+  env[:s3_access_key] = credentials['s3_access_key']
+  env[:s3_secret_key] = credentials['s3_secret_key']
+end
+
+#
+# Akkounts Deployment
+#
+
 systemd_unit "akkounts.service" do
   content({
     Unit: {

site-cookbooks/kosmos-base/recipes/letsencrypt.rb

@@ -2,27 +2,6 @@
 # Cookbook Name:: kosmos-base
 # Recipe:: letsencrypt
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 unless platform?('ubuntu')
   raise "This recipe only supports Ubuntu installs"

site-cookbooks/kosmos-base/resources/tls_cert_for.rb

@@ -3,6 +3,8 @@ provides :tls_cert_for
 
 property :domain, [String, Array], name_property: true
 property :auth, [String, NilClass], default: nil
+property :deploy_hook, [String, NilClass], default: nil
+property :acme_domain, [String, NilClass], default: nil
 
 default_action :create
 
@@ -17,13 +19,35 @@ action :create do
 
   case new_resource.auth
   when "gandi_dns"
-    gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+    gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
 
     hook_path = "/root/gandi_dns_certbot_hook.sh"
+    hook_auth_command = "#{hook_path} auth"
+    hook_cleanup_command = "#{hook_path} cleanup"
+
+    if new_resource.acme_domain
+      hook_auth_command += " #{new_resource.acme_domain}"
+      hook_cleanup_command += " #{new_resource.acme_domain}"
+    end
+
     template hook_path do
       cookbook "kosmos-base"
-      variables gandi_api_key: gandi_api_data_bag_item["key"]
-      mode 0770
+      variables access_token: gandi_api_credentials["access_token"]
+      mode 0700
+      sensitive true
+    end
+
+    if new_resource.deploy_hook
+      deploy_hook_path = "/etc/letsencrypt/renewal-hooks/#{domains.first}"
+
+      file deploy_hook_path do
+        content new_resource.deploy_hook
+        mode 0755
+        owner "root"
+        group "root"
+      end
+    elsif node.run_list.roles.include?("openresty_proxy")
+      deploy_hook_path = "/etc/letsencrypt/renewal-hooks/post/openresty"
     end
 
     # Generate a Let's Encrypt cert (only if no cert has been generated before).
@@ -34,10 +58,10 @@ action :create do
         --preferred-challenges dns \
         --manual-public-ip-logging-ok \
         --agree-tos \
-        --manual-auth-hook '#{hook_path} auth' \
-        --manual-cleanup-hook '#{hook_path} cleanup' \
+        --manual-auth-hook '#{hook_auth_command}' \
+        --manual-cleanup-hook '#{hook_cleanup_command}' \
         --email ops@kosmos.org \
-        #{node.run_list.roles.include?("openresty_proxy") ? '--deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty' : nil } \
+        #{"--deploy-hook #{deploy_hook_path}" if defined?(deploy_hook_path)} \
         #{domains.map {|d| "-d #{d}" }.join(" ")}
       CMD
       not_if do

site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb

@@ -1,21 +1,16 @@
 #!/usr/bin/env bash
-#
-
 set -euf -o pipefail
 
 # ************** USAGE **************
 #
-# Example usage (with this hook file saved in /root/):
+# Example usage:
 #
-#   sudo su -
 #   certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
 #     --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
 #
-# This hook requires configuration, continue reading.
-#
 # ************** CONFIGURATION **************
 #
-# GANDI_API_KEY: Your Gandi Live API key
+# ACCESS_TOKEN: Your Gandi Live API key
 #
 # PROVIDER_UPDATE_DELAY:
 #   How many seconds to wait after updating your DNS records. This may be required,
@@ -25,10 +20,16 @@ set -euf -o pipefail
 #
 #   Defaults to 30 seconds.
 #
-GANDI_API_KEY="<%= @gandi_api_key %>"
+# VALIDATION_DOMAIN:
+#   Domain to create ACME DNS entries on. Use this when redirecting ACME subdomains
+#   from the original domain to a proxy validation domain that we control.
+#
+ACCESS_TOKEN="<%= @access_token %>"
 PROVIDER_UPDATE_DELAY=10
+VALIDATION_DOMAIN="${2:-}"
 
 regex='.*\.(.*\..*)'
+
 if [[ $CERTBOT_DOMAIN =~ $regex ]]
 then
   DOMAIN="${BASH_REMATCH[1]}"
@@ -36,25 +37,41 @@ else
   DOMAIN="${CERTBOT_DOMAIN}"
 fi
 
+if [[ -n "$VALIDATION_DOMAIN" ]]
+then
+  if [[ $VALIDATION_DOMAIN =~ $regex ]]
+  then
+    ACME_BASE_DOMAIN="${BASH_REMATCH[1]}"
+  else
+    echo "Validation domain has to be a subdomain, but it is not: \"${VALIDATION_DOMAIN}\""
+    exit 1
+  fi
+  ACME_DOMAIN="${CERTBOT_DOMAIN}.${VALIDATION_DOMAIN}"
+else
+  ACME_BASE_DOMAIN="${DOMAIN}"
+  ACME_DOMAIN="_acme-challenge.${CERTBOT_DOMAIN}"
+fi
+
 # To be invoked via Certbot's --manual-auth-hook
 function auth {
-    curl -s -D- -H "Content-Type: application/json" \
-        -H "X-Api-Key: ${GANDI_API_KEY}" \
-        -d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
-             \"rrset_type\": \"TXT\",
-             \"rrset_ttl\": 3600,
-             \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
-        "https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
+  curl -s -D- \
+       -H "Content-Type: application/json" \
+       -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+       -d "{\"rrset_name\": \"${ACME_DOMAIN}.\",
+            \"rrset_type\": \"TXT\",
+            \"rrset_ttl\": 300,
+            \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
+       "https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records"
 
-
-    sleep ${PROVIDER_UPDATE_DELAY}
+  sleep ${PROVIDER_UPDATE_DELAY}
 }
 
 # To be invoked via Certbot's --manual-cleanup-hook
 function cleanup {
-    curl -s -X DELETE -H "Content-Type: application/json" \
-        -H "X-Api-Key: ${GANDI_API_KEY}" \
-        https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
+  curl -s -X DELETE \
+       -H "Content-Type: application/json" \
+       -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+       "https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records/${ACME_DOMAIN}./TXT"
 }
 
 HANDLER=$1; shift;

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -98,7 +98,7 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/
 node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
 
 node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
-node.default['nbxplorer']['revision'] = 'v2.4.3'
+node.default['nbxplorer']['revision'] = 'v2.5.0'
 node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
 node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
 node.default['nbxplorer']['port'] = '24445'
@@ -106,7 +106,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
 node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
 
 node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
-node.default['btcpay']['revision'] = 'v1.11.7'
+node.default['btcpay']['revision'] = 'v1.12.5'
 node.default['btcpay']['source_dir'] = '/opt/btcpay'
 node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
 node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -154,6 +154,11 @@ admin_users = ejabberd_credentials['admins']
 
 hosts.each do |host|
   ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
+  if host[:name] == "kosmos.org"
+    ldap_filter = "(&(objectClass=person)(serviceEnabled=xmpp))"
+  else
+    ldap_filter = "(objectClass=person)"
+  end
 
   template "/opt/ejabberd/conf/#{host[:name]}.yml" do
     source    "vhost.yml.erb"
@@ -167,7 +172,8 @@ hosts.each do |host|
               ldap_base: ldap_base,
               ldap_server: ldap_domain,
               ldap_rootdn: ldap_rootdn,
-              ldap_encryption_type: ldap_encryption_type
+              ldap_encryption_type: ldap_encryption_type,
+              ldap_filter: ldap_filter
     notifies :reload, "service[ejabberd]", :delayed
   end
 end

site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb

@@ -33,11 +33,11 @@ file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
   group "root"
 end
 
-gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
 
 template "/root/gandi_dns_certbot_hook.sh" do
-  variables gandi_api_key: gandi_api_data_bag_item["key"]
-  mode 0770
+  variables access_token: gandi_api_credentials["access_token"]
+  mode 0700
 end
 
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
@@ -52,7 +52,7 @@ end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.chat\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.chat\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
   not_if do
     File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
   end

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -123,7 +123,7 @@ shaper_rules:
   max_user_sessions: 10
   max_user_offline_messages:
     - 5000: admin
-    - 100
+    - 1000
   c2s_shaper:
     - none: admin
     - normal

site-cookbooks/kosmos-ejabberd/templates/gandi_dns_certbot_hook.sh.erb

@@ -1,21 +1,16 @@
 #!/usr/bin/env bash
-#
-
 set -euf -o pipefail
 
 # ************** USAGE **************
 #
-# Example usage (with this hook file saved in /root/):
+# Example usage:
 #
-#   sudo su -
 #   certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
 #     --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
 #
-# This hook requires configuration, continue reading.
-#
 # ************** CONFIGURATION **************
 #
-# GANDI_API_KEY: Your Gandi Live API key
+# ACCESS_TOKEN: Your Gandi Live API key
 #
 # PROVIDER_UPDATE_DELAY:
 #   How many seconds to wait after updating your DNS records. This may be required,
@@ -25,10 +20,16 @@ set -euf -o pipefail
 #
 #   Defaults to 30 seconds.
 #
-GANDI_API_KEY="<%= @gandi_api_key %>"
-PROVIDER_UPDATE_DELAY=30
+# VALIDATION_DOMAIN:
+#   Domain to create ACME DNS entries on. Use this when redirecting ACME subdomains
+#   from the original domain to a proxy validation domain that we control.
+#
+ACCESS_TOKEN="<%= @access_token %>"
+PROVIDER_UPDATE_DELAY=10
+VALIDATION_DOMAIN="${2:-}"
 
 regex='.*\.(.*\..*)'
+
 if [[ $CERTBOT_DOMAIN =~ $regex ]]
 then
   DOMAIN="${BASH_REMATCH[1]}"
@@ -36,25 +37,41 @@ else
   DOMAIN="${CERTBOT_DOMAIN}"
 fi
 
+if [[ -n "$VALIDATION_DOMAIN" ]]
+then
+  if [[ $VALIDATION_DOMAIN =~ $regex ]]
+  then
+    ACME_BASE_DOMAIN="${BASH_REMATCH[1]}"
+  else
+    echo "Validation domain has to be a subdomain, but it is not: \"${VALIDATION_DOMAIN}\""
+    exit 1
+  fi
+  ACME_DOMAIN="${CERTBOT_DOMAIN}.${VALIDATION_DOMAIN}"
+else
+  ACME_BASE_DOMAIN="${DOMAIN}"
+  ACME_DOMAIN="_acme-challenge.${CERTBOT_DOMAIN}"
+fi
+
 # To be invoked via Certbot's --manual-auth-hook
 function auth {
-    curl -s -D- -H "Content-Type: application/json" \
-        -H "X-Api-Key: ${GANDI_API_KEY}" \
-        -d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
-             \"rrset_type\": \"TXT\",
-             \"rrset_ttl\": 3600,
-             \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
-        "https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
+  curl -s -D- \
+       -H "Content-Type: application/json" \
+       -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+       -d "{\"rrset_name\": \"${ACME_DOMAIN}.\",
+            \"rrset_type\": \"TXT\",
+            \"rrset_ttl\": 300,
+            \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
+       "https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records"
 
-
-    sleep ${PROVIDER_UPDATE_DELAY}
+  sleep ${PROVIDER_UPDATE_DELAY}
 }
 
 # To be invoked via Certbot's --manual-cleanup-hook
 function cleanup {
-    curl -s -X DELETE -H "Content-Type: application/json" \
-        -H "X-Api-Key: ${GANDI_API_KEY}" \
-        https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
+  curl -s -X DELETE \
+       -H "Content-Type: application/json" \
+       -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+       "https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records/${ACME_DOMAIN}./TXT"
 }
 
 HANDLER=$1; shift;

site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb

@@ -16,7 +16,7 @@ host_config:
     ldap_password: "<%= @host[:ldap_password] %>"
     ldap_encrypt: <%= @ldap_encryption_type %>
     ldap_base: "ou=<%= @host[:name] %>,<%= @ldap_base %>"
-    ldap_filter: "(objectClass=person)"
+    ldap_filter: "<%= @ldap_filter %>"
   <% end -%>
 
 append_host_config:

site-cookbooks/kosmos-ipfs/attributes/default.rb

@@ -62,4 +62,4 @@ node.default['kosmos-ipfs']['ipfs']['config'] = {
 node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org"
 node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444
 
-node.default['kosmos-ipfs']['kredits-pinner']['revision'] = "v2.2.0"
+node.default['kosmos-ipfs']['kredits-pinner']['revision'] = "v2.3.0"

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -44,7 +44,7 @@ end
 
 elasticsearch_service 'elasticsearch'
 
-postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
+postgresql_credentials = data_bag_item('credentials', 'postgresql')
 
 mastodon_path = node["kosmos-mastodon"]["directory"]
 mastodon_user = "mastodon"
@@ -75,7 +75,7 @@ npm_package "yarn" do
   version "1.22.4"
 end
 
-ruby_version = "3.0.6"
+ruby_version = "3.3.0"
 
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
@@ -168,7 +168,22 @@ execute "restart mastodon services" do
   notifies :restart, "service[mastodon-streaming]", :delayed
 end
 
-mastodon_credentials = data_bag_item('credentials', 'mastodon')
+credentials = data_bag_item('credentials', 'mastodon')
+
+ldap_config = {
+  host: "ldap.kosmos.local",
+  port: 389,
+  method: "plain",
+  base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
+  bind_dn: credentials["ldap_bind_dn"],
+  password: credentials["ldap_password"],
+  uid: "cn",
+  mail: "mail",
+  search_filter: "(&(|(cn=%{email})(mail=%{email}))(serviceEnabled=mastodon))",
+  uid_conversion_enabled: "true",
+  uid_conversion_search: "-",
+  uid_conversion_replace: "_"
+}
 
 template "#{mastodon_path}/.env.#{rails_env}" do
   source "env.erb"
@@ -178,21 +193,22 @@ template "#{mastodon_path}/.env.#{rails_env}" do
   variables redis_url: node["kosmos-mastodon"]["redis_url"],
             domain: node["kosmos-mastodon"]["domain"],
             alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
-            paperclip_secret: mastodon_credentials['paperclip_secret'],
-            secret_key_base: mastodon_credentials['secret_key_base'],
-            otp_secret: mastodon_credentials['otp_secret'],
-            smtp_login: mastodon_credentials['smtp_user_name'],
-            smtp_password: mastodon_credentials['smtp_password'],
+            paperclip_secret: credentials['paperclip_secret'],
+            secret_key_base: credentials['secret_key_base'],
+            otp_secret: credentials['otp_secret'],
+            ldap: ldap_config,
+            smtp_login: credentials['smtp_user_name'],
+            smtp_password: credentials['smtp_password'],
             smtp_from_address: "mail@#{node['kosmos-mastodon']['domain']}",
             s3_endpoint: node["kosmos-mastodon"]["s3_endpoint"],
             s3_region: node["kosmos-mastodon"]["s3_region"],
             s3_bucket: node["kosmos-mastodon"]["s3_bucket"],
             s3_alias_host: node["kosmos-mastodon"]["s3_alias_host"],
-            aws_access_key_id: mastodon_credentials['s3_key_id'],
-            aws_secret_access_key: mastodon_credentials['s3_secret_key'],
-            vapid_private_key: mastodon_credentials['vapid_private_key'],
-            vapid_public_key: mastodon_credentials['vapid_public_key'],
-            db_pass: postgresql_data_bag_item['mastodon_user_password'],
+            aws_access_key_id: credentials['s3_key_id'],
+            aws_secret_access_key: credentials['s3_secret_key'],
+            vapid_private_key: credentials['vapid_private_key'],
+            vapid_public_key: credentials['vapid_public_key'],
+            db_pass: postgresql_credentials['mastodon_user_password'],
             db_host: "pg.kosmos.local",
             default_locale: node["kosmos-mastodon"]["default_locale"],
             allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],

site-cookbooks/kosmos-mastodon/recipes/nginx.rb

@@ -34,6 +34,7 @@ end
 
 tls_cert_for server_name do
   auth "gandi_dns"
+  acme_domain "letsencrypt.kosmos.org"
   action :create
 end
 

site-cookbooks/kosmos-mastodon/templates/default/env.erb

@@ -29,6 +29,23 @@ SMTP_LOGIN=<%= @smtp_login %>
 SMTP_PASSWORD=<%= @smtp_password %>
 SMTP_FROM_ADDRESS=<%= @smtp_from_address %>
 
+<% if @ldap %>
+# LDAP configuration
+LDAP_ENABLED=true
+LDAP_HOST=<%= @ldap[:host] %>
+LDAP_PORT=<%= @ldap[:port] %>
+LDAP_METHOD='<%= @ldap[:method] %>'
+LDAP_BASE='<%= @ldap[:base] %>'
+LDAP_BIND_DN='<%= @ldap[:bind_dn] %>'
+LDAP_PASSWORD='<%= @ldap[:password] %>'
+LDAP_UID=<%= @ldap[:uid] %>
+LDAP_MAIL=<%= @ldap[:mail] %>
+LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
+LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
+LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
+LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
+<% end %>
+
 # Optional asset host for multi-server setups
 # CDN_HOST=assets.example.com
 

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb

@@ -32,6 +32,12 @@ server {
 <% if @onion_address %>
   add_header Onion-Location https://mastodon.<%= @onion_address %>$request_uri;
 <% end %>
+
+  location ~ ^/.well-known/(lnurlp|keysend) {
+    add_header 'Access-Control-Allow-Origin' '*';
+    proxy_ssl_server_name on;
+    proxy_pass https://accounts.kosmos.org;
+  }
 }
 
 <% if @onion_address %>

site-cookbooks/kosmos_email/recipes/default.rb

@@ -7,6 +7,7 @@ domain   = node["email"]["domain"]
 hostname = node["email"]["hostname"]
 root_dir = node["email"]["root_directory"]
 ip_addr  = node["knife_zero"]["host"]
+extra_hostnames = ["smtp.#{domain}", "imap.#{domain}"]
 
 node.override["set_fqdn"] = hostname
 include_recipe "hostname"
@@ -23,7 +24,9 @@ directory root_dir do
 end
 
 tls_cert_for hostname do
+  domain ([hostname]+extra_hostnames)
   auth "gandi_dns"
+  deploy_hook "systemctl reload postfix.service && systemctl reload dovecot.service"
   action :create
 end
 

site-cookbooks/kosmos_garage/recipes/nginx_web.rb

@@ -3,6 +3,8 @@
 # Recipe:: nginx_web
 #
 
+gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
+
 file "#{node['openresty']['dir']}/conf.d/garage.conf" do
   content <<-EOF
 upstream garage_web {
@@ -40,8 +42,12 @@ end
 #
 
 node['garage']['s3_web_domains'].each do |domain_name|
+  second_level_domain = domain_name.match(/(?:.*\.)?([^.]+\.[^.]+)$/) { $1 }
+  proxy_validation = !gandi_api_credentials["domains"].include?(second_level_domain)
+
   tls_cert_for domain_name do
     auth "gandi_dns"
+    acme_domain "letsencrypt.kosmos.org" if proxy_validation
     action :create
   end
 

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,7 +1,5 @@
-gitea_version = "1.21.3"
-node.default["gitea"]["version"] = gitea_version
-node.default["gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["gitea"]["binary_checksum"] = "ccf6cc2077401e382bca0d000553a781a42c9103656bd33ef32bf093cca570eb"
+node.default["gitea"]["version"] = "1.22.0"
+node.default["gitea"]["checksum"] = "a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
@@ -16,5 +14,5 @@ node.default["gitea"]["config"] = {
   }
 }
 
-node.default["gitea"]["act_runner"]["download_url"] = "https://dl.gitea.com/act_runner/main/act_runner-main-linux-amd64"
-node.default["gitea"]["act_runner"]["checksum"] = "577ec7c64e7458b1e97cbe61d02da1ba1f4ddf24281b175f24f65101e72c000c"
+node.default["gitea"]["act_runner"]["version"] = "0.2.6"
+node.default["gitea"]["act_runner"]["checksum"] = "234c2bdb871e7b0bfb84697f353395bfc7819faf9f0c0443845868b64a041057"

site-cookbooks/kosmos_gitea/recipes/act_runner.rb

@@ -3,6 +3,8 @@
 # Recipe:: act_runner
 #
 
+version           = node["gitea"]["act_runner"]["version"]
+download_url      = "https://dl.gitea.com/act_runner/#{version}/act_runner-#{version}-linux-amd64"
 working_directory = node["gitea"]["working_directory"]
 gitea_credentials = data_bag_item("credentials", "gitea")
 runners           = gitea_credentials["runners"]
@@ -24,7 +26,7 @@ end
 end
 
 remote_file "/usr/local/bin/act_runner" do
-  source node["gitea"]["act_runner"]["download_url"]
+  source download_url
   checksum node["gitea"]["act_runner"]["checksum"]
   mode "0750"
 end
@@ -66,6 +68,7 @@ act_runner register \
         WorkingDirectory: runner_dir,
         Environment: "HOME=/root",
         ExecStart: "/usr/local/bin/act_runner daemon",
+        ExecStartPre: "/bin/sleep 3", # Wait for Gitea's API to be up when restarting at the same time
         Restart: "always",
       },
       Install: {

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -3,6 +3,8 @@
 # Recipe:: default
 #
 
+version                   = node["gitea"]["version"]
+download_url              = "https://dl.gitea.io/gitea/#{version}/gitea-#{version}-linux-amd64"
 working_directory         = node["gitea"]["working_directory"]
 git_home_directory        = "/home/git"
 repository_root_directory = "#{git_home_directory}/gitea-repositories"
@@ -107,8 +109,8 @@ template "#{config_directory}/app.ini" do
 end
 
 remote_file gitea_binary_path do
-  source node['gitea']['binary_url']
-  checksum node['gitea']['binary_checksum']
+  source download_url
+  checksum node['gitea']['checksum']
   mode "0755"
   notifies :restart, "service[gitea]", :delayed
 end

site-cookbooks/kosmos_gitea/templates/default/app.ini.erb

@@ -112,3 +112,7 @@ MINIO_USE_SSL=<%= c["use_ssl"] %>
 [actions]
 ENABLED = true
 <% end %>
+
+[other]
+SHOW_FOOTER_VERSION = false
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = false

site-cookbooks/kosmos_kvm/attributes/default.rb

@@ -1,9 +1,9 @@
-ubuntu_server_cloud_image_release = "20230506"
+release = "20240514"
 
 node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
-  "url" => "https://cloud-images.ubuntu.com/releases/focal/release-#{ubuntu_server_cloud_image_release}/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img",
-  "checksum" => "27d2b91fd2b715729d739e2a3155dce70d1aaae4f05c177f338b9d4b60be638c",
-  "path" => "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm-#{ubuntu_server_cloud_image_release}.qcow2"
+  "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/ubuntu-22.04-server-cloudimg-amd64-disk-kvm.img",
+  "checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f",
+  "path" => "/var/lib/libvirt/images/base/ubuntu-22.04-server-cloudimg-amd64-disk-kvm-#{release}.qcow2"
 }
 
 # A systemd.timer OnCalendar config value

site-cookbooks/kosmos_kvm/files/backup_vm.sh

@@ -22,8 +22,5 @@ borg create -v $REPOSITORY::$1_$(date +%F_%H-%M) \
         /var/lib/libvirt/images/$1.qcow2  \
         /root/backups/vm_meta/$1.xml
 
-echo "Pivoting base image back to original"
-virsh blockcommit $1 vda --pivot --base=/var/lib/libvirt/images/$1.qcow2
-
-echo "Removing snapshot image"
-rm /var/lib/libvirt/images/$1.hotswap.qcow2
+echo "Pivoting base image back to original, and removing the snapshot image"
+virsh blockcommit $1 vda --pivot --base=/var/lib/libvirt/images/$1.qcow2 && rm /var/lib/libvirt/images/$1.hotswap.qcow2

site-cookbooks/kosmos_kvm/templates/create_vm.erb

@@ -17,7 +17,7 @@ DISKSIZE=${4:-10} # 10GB default
 # Directory where image files will be stored
 IMAGE_DIR=/var/lib/libvirt/images
 IMAGE_PATH=$IMAGE_DIR/${VMNAME}.qcow2
-CIDATA_PATH=${IMAGE_DIR}/cidata-${VMNAME}.iso
+CIDATA_PATH=${IMAGE_DIR}/${VMNAME}-cloudinit
 BASE_FILE=<%= @base_image_path %>
 
 # Create the VM image if it does not already exist
@@ -38,9 +38,8 @@ qemu-img info "$IMAGE_PATH"
 # Check if the cloud-init metadata file exists
 # if not, generate it
 if [ ! -r $CIDATA_PATH ]; then
-  pushd $(dirname $CIDATA_PATH)
-  mkdir -p $VMNAME
-  cd $VMNAME
+  mkdir -p $CIDATA_PATH
+  pushd $CIDATA_PATH
 
   cat > user-data <<-EOS
 #cloud-config
@@ -62,25 +61,19 @@ instance-id: $VMNAME
 local-hostname: $VMNAME
 EOS
 
-  genisoimage -output "$CIDATA_PATH" -volid cidata -joliet -rock user-data meta-data
-  chown libvirt-qemu:kvm "$CIDATA_PATH"
-  chmod 600 "$CIDATA_PATH"
   popd
 fi
 
-# setting --os-variant to ubuntu20.04 and ubuntu18.04 breaks SSH and networking
 virt-install \
   --name "$VMNAME" \
   --ram "$RAM" \
   --vcpus "$CPUS" \
   --cpu host \
   --arch x86_64 \
-  --os-type linux \
-  --os-variant ubuntu16.04 \
+  --osinfo detect=on,name=ubuntujammy \
   --hvm \
   --virt-type kvm \
   --disk "$IMAGE_PATH" \
-  --cdrom "$CIDATA_PATH" \
   --boot hd \
   --network=bridge=virbr0,model=virtio \
   --graphics none \
@@ -88,4 +81,5 @@ virt-install \
   --console pty \
   --channel unix,mode=bind,path=/var/lib/libvirt/qemu/$VMNAME.guest_agent.0,target_type=virtio,name=org.qemu.guest_agent.0 \
   --autostart \
-  --import
+  --import \
+  --cloud-init root-password-generate=off,disable=on,meta-data=$CIDATA_PATH/meta-data,user-data=$CIDATA_PATH/user-data

site-cookbooks/kosmos_liquor-cabinet/.gitignore

@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+

site-cookbooks/kosmos_liquor-cabinet/CHANGELOG.md

@@ -0,0 +1,7 @@
+# kosmos_liquor-cabinet CHANGELOG
+
+This file is used to list changes made in each version of the kosmos_liquor-cabinet cookbook.
+
+## 0.1.0
+
+Initial release.

site-cookbooks/kosmos_liquor-cabinet/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

site-cookbooks/kosmos_liquor-cabinet/README.md

@@ -0,0 +1,7 @@
+# kosmos_liquor-cabinet
+
+Installs/configures the [Liquor Cabinet][1] [remoteStorage][2] API server and
+reverse proxy.
+
+[1]: https://gitea.kosmos.org/5apps/liquor-cabinet
+[2]: https://remotestorage.io

site-cookbooks/kosmos_liquor-cabinet/attributes/default.rb

@@ -0,0 +1,4 @@
+node.default['liquor-cabinet']['app_server_role'] = 'liquor_cabinet'
+node.default['liquor-cabinet']['max_upload_size'] = 100 # MB
+node.default['liquor-cabinet']['server_name'] = 'storage.example.com'
+node.default['liquor-cabinet']['root_redirect_url'] = 'https://example.com/storage'

site-cookbooks/kosmos_liquor-cabinet/chefignore

@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/kosmos_liquor-cabinet/kitchen.yml

@@ -0,0 +1,37 @@
+---
+driver:
+  name: dokken
+  privileged: true  # allows systemd services to start
+
+provisioner:
+  name: dokken
+
+transport:
+  name: dokken
+
+verifier:
+  name: inspec
+
+platforms:
+  # @see https://github.com/chef-cookbooks/testing_examples/blob/main/kitchen.dokken.yml
+  # @see https://hub.docker.com/u/dokken
+  - name: ubuntu-20.04
+    driver:
+      image: dokken/ubuntu-20.04
+      pid_one_command: /bin/systemd
+      intermediate_instructions:
+        - RUN /usr/bin/apt-get update
+
+  - name: centos-8
+    driver:
+      image: dokken/centos-8
+      pid_one_command: /usr/lib/systemd/systemd
+
+suites:
+  - name: default
+    run_list:
+      - recipe[kosmos_liquor-cabinet::default]
+    verifier:
+      inspec_tests:
+        - test/integration/default
+    attributes:

site-cookbooks/kosmos_liquor-cabinet/metadata.rb

@@ -0,0 +1,12 @@
+name 'kosmos_liquor-cabinet'
+maintainer 'Kosmos Developers'
+maintainer_email 'ops@kosmos.org'
+license 'MIT'
+description 'Installs/configures Liquor Cabinet API and reverse proxy'
+version '0.1.0'
+chef_version '>= 18.2'
+issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
+# source_url 'https://gitea.kosmos.org/kosmos/chef'
+
+depends 'liquor_cabinet'
+depends 'kosmos_openresty'

site-cookbooks/kosmos_liquor-cabinet/recipes/default.rb

@@ -0,0 +1,6 @@
+#
+# Cookbook:: kosmos_liquor-cabinet
+# Recipe:: default
+#
+
+include_recipe 'liquor_cabinet'

site-cookbooks/kosmos_liquor-cabinet/recipes/nginx.rb

@@ -0,0 +1,30 @@
+#
+# Cookbook:: kosmos_liquor-cabinet
+# Recipe:: nginx
+#
+
+app_name = node['liquor-cabinet']['app_name']
+domain   = node[app_name]['domain']
+
+tls_cert_for domain do
+  auth "gandi_dns"
+  action :create
+end
+
+upstream_hosts = []
+search(:node, "role:#{node[app_name]['app_server_role']}").each do |node|
+  upstream_hosts << node["knife_zero"]["host"]
+end
+upstream_hosts.push("localhost") if upstream_hosts.empty?
+
+openresty_site domain do
+  template "nginx_conf_liquor-cabinet.erb"
+  variables app_name: app_name,
+            server_name: domain,
+            root_redirect_url: node[app_name]['root_redirect_url'],
+            max_upload_size: node['liquor-cabinet']['max_upload_size'],
+            upstream_hosts: upstream_hosts,
+            upstream_port: node[app_name]['rainbows']['port'],
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+end

site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb

@@ -0,0 +1,79 @@
+#
+# Generated by Chef
+#
+upstream _<%= @app_name %> {
+<% @upstream_hosts.each do |host| -%>
+  server <%= host %>:<%= @upstream_port %>;
+<% end -%>
+}
+
+# TODO use cookbook attribute when enabling
+# variables_hash_max_size 2048;
+
+server {
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
+  listen [::]:80;
+  server_name <%= @server_name %>;
+  # Redirect to https
+  location / {
+    return 301 https://<%= @server_name %>$request_uri;
+  }
+}
+
+server {
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name <%= @server_name %>;
+
+  access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log; # TODO json_liquor_cabinet;
+  error_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.error.log warn;
+
+  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
+
+  # TODO
+  # log_by_lua_file "<%= @log_by_lua_file %>";
+
+  # We need strong ETags, disable compression
+  gzip off;
+  # brotli off;
+  # pagespeed off;
+
+  # Set a large maximum upload size
+  client_max_body_size <%= @max_upload_size %>m;
+
+  # TODO
+  # Use rate limiting (the zone is defined in
+  # /etc/nginx/conf.d/rate_limiting.conf)
+  # limit_req zone=per_ip burst=5000;
+
+  location = / {
+    return 301 <%= @root_redirect_url %>;
+  }
+
+  location / {
+    try_files $uri @proxy;
+  }
+
+  location @proxy {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Host $http_host;
+
+    proxy_redirect off;
+
+    proxy_buffering on;
+    # Increase number of buffers. Default is 8
+    proxy_buffers 1024 8k;
+
+    # Needed for big uploads
+    proxy_read_timeout 180s;
+    proxy_send_timeout 180s;
+
+    proxy_pass http://_<%= @app_name %>;
+
+    proxy_next_upstream error timeout http_502 http_500;
+  }
+
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+}

site-cookbooks/kosmos_website/templates/nginx_conf_website.erb

@@ -18,15 +18,8 @@ server {
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
-  location /.well-known/lnurlp/ {
+  location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
     proxy_ssl_server_name on;
-    rewrite /.well-known/lnurlp/([^/]+) /lnurlpay/$1@kosmos.org break;
-    proxy_pass https://accounts.kosmos.org;
-  }
-
-  location /.well-known/keysend/ {
-    proxy_ssl_server_name on;
-    rewrite /.well-known/keysend/([^/]+) /keysend/$1@kosmos.org break;
     proxy_pass https://accounts.kosmos.org;
   }
 }

site-cookbooks/liquor_cabinet/.gitignore

@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+

site-cookbooks/liquor_cabinet/CHANGELOG.md

@@ -0,0 +1,7 @@
+# liquor_cabinet CHANGELOG
+
+This file is used to list changes made in each version of the liquor_cabinet cookbook.
+
+## 0.1.0
+
+Initial release.

site-cookbooks/liquor_cabinet/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

site-cookbooks/liquor_cabinet/README.md

@@ -0,0 +1,6 @@
+# liquor_cabinet
+
+Installs/configures the [Liquor Cabinet][1] [remoteStorage][2] API server.
+
+[1]: https://gitea.kosmos.org/5apps/liquor-cabinet
+[2]: https://remotestorage.io

site-cookbooks/liquor_cabinet/attributes/default.rb

@@ -0,0 +1,28 @@
+node.default['liquor-cabinet']['app_name'] = "liquor-cabinet"
+node.default['liquor-cabinet']['user'] = "deploy"
+node.default['liquor-cabinet']['group'] = "deploy"
+node.default['liquor-cabinet']['repo'] = 'https://gitea.kosmos.org/5apps/liquor-cabinet.git'
+node.default['liquor-cabinet']['revision'] = 'master'
+node.default['liquor-cabinet']['deploy_path'] = "/opt/#{node['liquor-cabinet']['app_name']}"
+node.default['liquor-cabinet']['redis_server_role'] = 'redis_server'
+node.default['liquor-cabinet']['redis_port'] = 6379
+node.default['liquor-cabinet']['redis_db'] = 1
+node.default['liquor-cabinet']['s3_endpoint'] = nil
+node.default['liquor-cabinet']['s3_region'] = nil
+node.default['liquor-cabinet']['s3_bucket'] = nil
+node.default['liquor-cabinet']['ufw_source_allowed'] = nil
+node.default['liquor-cabinet']['maintenance_mode_enabled'] = false
+node.default['liquor-cabinet']['ruby']['version'] = "3.1.4"
+node.default['liquor-cabinet']['rainbows'] = {
+  'port' => 3000,
+  'preload_app' => true,
+  'timeout' => 60,
+  'worker_processes' => node['cpu']['total'],
+  'worker_connections' => 100,
+  'client_header_buffer_size' => 1024,
+  'client_max_body_size' => 104857600,
+  'client_max_header_size' => 114688,
+  'copy_stream' => 'IO',
+  'keepalive_requests' => 100,
+  'keepalive_timeout' => 5
+}

site-cookbooks/liquor_cabinet/chefignore

@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/liquor_cabinet/kitchen.yml

@@ -0,0 +1,37 @@
+---
+driver:
+  name: dokken
+  privileged: true  # allows systemd services to start
+
+provisioner:
+  name: dokken
+
+transport:
+  name: dokken
+
+verifier:
+  name: inspec
+
+platforms:
+  # @see https://github.com/chef-cookbooks/testing_examples/blob/main/kitchen.dokken.yml
+  # @see https://hub.docker.com/u/dokken
+  - name: ubuntu-20.04
+    driver:
+      image: dokken/ubuntu-20.04
+      pid_one_command: /bin/systemd
+      intermediate_instructions:
+        - RUN /usr/bin/apt-get update
+
+  - name: centos-8
+    driver:
+      image: dokken/centos-8
+      pid_one_command: /usr/lib/systemd/systemd
+
+suites:
+  - name: default
+    run_list:
+      - recipe[liquor_cabinet::default]
+    verifier:
+      inspec_tests:
+        - test/integration/default
+    attributes:

site-cookbooks/liquor_cabinet/metadata.rb

@@ -0,0 +1,12 @@
+name 'liquor_cabinet'
+maintainer 'Kosmos Developers'
+maintainer_email 'ops@kosmos.org'
+license 'MIT'
+description 'Installs/configures the Liquor Cabinet remoteStorage API server'
+version '0.1.0'
+chef_version '>= 18.2'
+issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
+# source_url 'https://gitea.kosmos.org/kosmos/chef'
+
+depends 'firewall'
+depends "ruby_build"

site-cookbooks/liquor_cabinet/recipes/default.rb

@@ -0,0 +1,139 @@
+#
+# Cookbook:: liquor_cabinet
+# Recipe:: default
+#
+
+app_name     = node['liquor-cabinet']['app_name']
+deploy_user  = node[app_name]['user']
+deploy_group = node[app_name]['group']
+deploy_path  = node[app_name]['deploy_path']
+credentials  = Chef::EncryptedDataBagItem.load('credentials', app_name)
+
+ruby_version = node[app_name]['ruby']['version']
+ruby_path    = "/opt/ruby_build/builds/#{ruby_version}"
+bundle_path  = "#{ruby_path}/bin/bundle"
+rack_env     = node.chef_environment == "production" ? "production" : "development"
+
+ruby_build_install 'v20231225'
+ruby_build_definition ruby_version do
+  prefix_path ruby_path
+end
+
+group deploy_group
+
+user deploy_user do
+  group       deploy_group
+  manage_home true
+  shell       "/bin/bash"
+end
+
+directory deploy_path do
+  owner deploy_user
+  group deploy_group
+  mode  '0750'
+end
+
+redis_server_role = node[app_name]['redis_server_role']
+redis_host = search(:node, "role:#{redis_server_role}").first['knife_zero']['host'] rescue nil
+if redis_host.nil?
+  Chef::Log.warn("No node found with '#{redis_server_role}' role. Stopping here.")
+  return
+end
+
+git deploy_path do
+  repository node[app_name]['repo']
+  revision node[app_name]['revision']
+  user  deploy_user
+  group deploy_group
+  notifies :restart, "service[#{app_name}]", :delayed
+end
+
+directory "#{deploy_path}/tmp" do
+  owner deploy_user
+  group deploy_group
+  mode  0750
+end
+
+execute "bundle install" do
+  user deploy_user
+  cwd deploy_path
+  command "#{bundle_path} install --without development,test --deployment"
+end
+
+template "#{deploy_path}/config.yml.erb" do
+  source 'config.yml.erb'
+  owner deploy_user
+  group deploy_group
+  mode '0600'
+  sensitive true
+  variables environment: rack_env,
+            redis_host: redis_host,
+            redis_port: node[app_name]['redis_port'],
+            redis_db: node[app_name]['redis_db'],
+            s3_endpoint: node[app_name]['s3_endpoint'],
+            s3_region: node[app_name]['s3_region'],
+            s3_bucket: node[app_name]['s3_bucket'],
+            s3_access_key: credentials['s3_access_key'],
+            s3_secret_key: credentials['s3_secret_key'],
+            maintenance_mode_enabled: node[app_name]['maintenance_mode_enabled']
+            # TODO sentry_dsn: credentials['sentry_dsn']
+  notifies :restart, "service[#{app_name}]", :delayed
+end
+
+directory '/etc/rainbows' do
+  owner deploy_user
+  group deploy_group
+  mode  '0750'
+end
+
+template "/etc/rainbows/#{app_name}.rb" do
+  source 'rainbows.rb.erb'
+  owner deploy_user
+  group deploy_group
+  mode '0640'
+  variables user: deploy_user,
+            group: deploy_group,
+            app_name: app_name,
+            working_directory: deploy_path,
+            config: node[app_name]['rainbows']
+  notifies :restart, "service[#{app_name}]", :delayed
+end
+
+systemd_unit "#{app_name}.service" do
+  content({
+    Unit: {
+      Description: "Liquor Cabinet remoteStorage HTTP API",
+      Documentation: ["https://gitea.kosmos.org/5apps/liquor-cabinet"],
+      After: "syslog.target network.target"
+    },
+    Service: {
+      Type: "simple",
+      User: deploy_user,
+      WorkingDirectory: deploy_path,
+      Environment: "RACK_ENV=#{rack_env}",
+      ExecStart: "#{bundle_path} exec rainbows -c /etc/rainbows/#{app_name}.rb -E #{rack_env}",
+      PIDFile: "#{deploy_path}/tmp/rainbows.pid",
+      TimeoutSec: "10",
+      Restart: "on-failure",
+    },
+    Install: {
+      WantedBy: "multi-user.target"
+    }
+  })
+  verify false
+  triggers_reload true
+  action [:create, :enable]
+end
+
+service app_name do
+  action [:enable, :start]
+end
+
+if node[app_name]['ufw_source_allowed']
+  firewall_rule app_name do
+    command  :allow
+    protocol :tcp
+    port     node[app_name]['rainbows']['port']
+    source   node[app_name]['ufw_source_allowed']
+  end
+end

site-cookbooks/liquor_cabinet/templates/config.yml.erb

@@ -0,0 +1,12 @@
+<%= @environment %>:
+  maintenance: <%= @maintenance_mode_enabled %>
+  redis:
+    host: <%= @redis_host %>
+    port: <%= @redis_port %>
+    db: <%= @redis_db %>
+  s3:
+    endpoint: <%= @s3_endpoint %>
+    region: <%= @s3_region %>
+    bucket: <%= @s3_bucket %>
+    access_key_id: <%= @s3_access_key %>
+    secret_key_id: <%= @s3_secret_key %>

site-cookbooks/liquor_cabinet/templates/rainbows.rb.erb

@@ -0,0 +1,32 @@
+##
+# Rainbows config at /etc/rainbows/<%= @app_name %>.rb
+# Managed by Chef - Local changes will be overwritten by Chef runs
+##
+
+# What ports/sockets to listen on, and what options for them.
+listen "<%= @config['port'] %>", { tcp_nodelay: true, backlog: 100 }
+
+# What the timeout for killing busy workers is, in seconds
+timeout <%= @config['timeout'] %>
+
+# Whether the app should be pre-loaded
+preload_app <%= @config['preload_app'] %>
+
+# How many worker processes
+worker_processes <%= @config['worker_processes'] %>
+
+# Run forked children as specified user/group
+user "<%= @user %>", "<%= @group %>"
+
+pid "<%= @working_directory %>/tmp/rainbows.pid"
+
+Rainbows! do
+  use :ThreadSpawn
+  client_header_buffer_size <%= @config['client_header_buffer_size'] %>
+  client_max_body_size <%= @config['client_max_body_size'] %>
+  client_max_header_size <%= @config['client_max_header_size'] %>
+  copy_stream <%= @config['copy_stream'] %>
+  keepalive_requests <%= @config['keepalive_requests'] %>
+  keepalive_timeout <%= @config['keepalive_timeout'] %>
+  worker_connections <%= @config['worker_connections'] %>
+end

site-cookbooks/sockethub/recipes/proxy.rb

@@ -24,10 +24,10 @@ file "/etc/letsencrypt/renewal-hooks/post/nginx" do
   group "root"
 end
 
-gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
 
 template "/root/gandi_dns_certbot_hook.sh" do
-  variables gandi_api_key: gandi_api_data_bag_item["key"]
+  variables gandi_api_key: gandi_api_credentials["key"]
   mode 0770
 end