kosmos/chef
8
3
Fork 0
Code Issues 34 Pull Requests 3 Projects 2 Activity

Compare commits

base: kosmos:089574d0dea16b11dc5b520d79a40565d7ad8b0e
Branches Tags
kosmos:master kosmos:feature/237-gitea_ssh_signing kosmos:bugfix/substr_url_matching kosmos:notes/ejabberd_ldap_photo kosmos:feature/akaunting kosmos:chore/ejabberd_service_avatar kosmos:feature/237-gitea_gpg kosmos:jammy_jellyfish
..
compare: kosmos:feature/akaunting
Branches Tags
kosmos:feature/237-gitea_ssh_signing kosmos:master kosmos:bugfix/substr_url_matching kosmos:notes/ejabberd_ldap_photo kosmos:feature/akaunting kosmos:chore/ejabberd_service_avatar kosmos:feature/237-gitea_gpg kosmos:jammy_jellyfish

92 Commits
089574d0de ... feature/ak

Author SHA1 Message Date
Râu Cao
f20ebb9d86 WIP Set up akaunting 2024-12-16 12:05:51 +04:00
Râu Cao
31b7ff9217 Upgrade Gitea to 1.22.5 2024-12-12 18:32:58 +04:00
Râu Cao
d90a374811 Remove outdated flag from certbot command 2024-12-12 18:32:26 +04:00
Râu Cao
12cd14fff5 Deploy new postgres primary 2024-12-12 18:31:54 +04:00
Râu Cao
b67d91077d Remove old garage nodes 2024-12-12 18:30:16 +04:00
Râu Cao
070badfeb3 Add postgres replica bootstrap example 2024-12-12 18:29:16 +04:00
Râu Cao
2d8a1cebb1 Update node info 2024-12-09 20:44:18 +04:00
Râu Cao
67cd89b7b8 Merge pull request 'Fix TLS cert updates for kosmos.chat' (#578) from chore/fix_cert_updates_kosmos-chat into master 
Reviewed-on: #578
 2024-12-09 14:21:05 +00:00
Râu Cao
e4112a3626 Fix TLS cert updates for kosmos.chat 
Some recipes weren't updated for the proxy validation yet. Needed to
split the ejabberd cert in two, so it can do normal validation on
`.org` and proxy validation on `.chat`.
 2024-12-09 18:17:10 +04:00
Râu Cao
89813465b2 Merge pull request 'Upgrade Mastodon to 4.3' (#577) from chore/upgrade_mastodon into master 
Reviewed-on: #577
 2024-12-09 14:14:35 +00:00
Râu Cao
6106e627e2 Upgrade Mastodon to 4.3 
Co-authored-by: Greg Karékinian <greg@karekinian.com>
 2024-12-09 18:12:45 +04:00
Râu Cao
d8baa41c14 Add new node configs 2024-12-09 18:11:51 +04:00
Greg
8405b8df52 Merge pull request 'Upgrade lndhub.go to 1.0.2, add service fee config' (#576) from chore/upgrade_lndhub into master 
Reviewed-on: #576
Reviewed-by: Greg <greg@noreply.kosmos.org>
 2024-10-20 19:27:19 +00:00
Râu Cao
775f2275bb Upgrade Gitea to 1.22.3 2024-10-19 14:42:11 +02:00
Râu Cao
b4019b224b Upgrade lndhub.go to 1.0.2, add service fee config 
Co-authored-by: Michael Bumann <hello@michaelbumann.com>
 2024-10-18 12:36:41 +02:00
Râu Cao
52841d8c53 Add WKD endpoint to website nginx conf 2024-10-17 11:58:53 +02:00
Râu Cao
b9b97d5056 Fix mail server VM backups 2024-10-16 12:48:08 +02:00
Râu Cao
e5448aa85c Merge pull request 'Upgrade strfry, add new Kosmos profile/pubkey, relay icon' (#575) from chore/upgrade_strfry into master 
Reviewed-on: #575
 2024-10-16 10:44:47 +00:00
Râu Cao
4d1125ac2b Upgrade strfry to 1.0.1 
Also set up and use a new Kosmos pubkey/profile and add a relay icon
 2024-10-16 12:42:49 +02:00
Râu Cao
3853f94ae0 Use new proxy domain for ejabberd cert 2024-10-16 12:40:10 +02:00
Râu Cao
d1097c7688 Fix and improve nginx redirects, akkounts headers 2024-10-16 12:39:34 +02:00
Râu Cao
7949fd067c Add IPv6 support for nostr.kosmos.org 2024-10-16 12:37:47 +02:00
Râu Cao
0726e58f7c Update ejabberd LDAP filter for new akkounts release 2024-10-16 12:36:30 +02:00
Râu Cao
fe581c348a Fix bookmarks disappearing for XMPP users 
The limit for PEP nodes was ridiculously low. No idea why, but it means
users were only able to save 10 items (e.g. channel bookmarks) at once.
 2024-10-16 12:34:31 +02:00
Râu Cao
af62078960 Update node info 2024-10-16 12:34:17 +02:00
Râu Cao
9b4deff91e Remove cln from bitcoin-2 node 2024-10-16 12:34:01 +02:00
Râu Cao
0944bc5266 Merge pull request 'Migrate S3 backups from AWS, fix automatic cleanups' (#574) from chore/move_fix_s3_backups into master 
Reviewed-on: #574
 2024-10-16 10:33:24 +00:00
Râu Cao
eb06926606 Migrate S3 backups from AWS, fix automatic cleanups 
The cleanups were broken in that every single archive was also copied to
a shared folder and never deleted from there.

Co-authored-by: Greg Karékinian <greg@karekinian.com>
 2024-10-16 12:31:51 +02:00
Râu Cao
15096ca17b Merge pull request 'Bitcoin-related software upgrades' (#573) from chore/bitcoin_upgrades into master 
Reviewed-on: #573
 2024-10-16 10:25:53 +00:00
Râu Cao
3551b71154 Add sensitive attribute to resource with credentials 2024-10-16 12:23:38 +02:00
Râu Cao
752bb74663 Remove boltz service and RTL integration 
We use peerswap these days, and the build process for boltz was made
much more complicated at some point. Not worth upgrading for us.
 2024-10-16 12:23:38 +02:00
Râu Cao
c64526a944 Upgrade RTL to v0.15.2 
Need to use `npm install --force` due to a dependency issue
 2024-10-16 12:23:38 +02:00
Râu Cao
da242d4817 Upgrade LND to 0.18.3 2024-10-16 12:23:29 +02:00
Râu Cao
0af4bc1d0d Upgrade bitcoind to 28.0 
Requires a newer C++ compiler
 2024-10-16 11:28:13 +02:00
Greg
c9f5a745a3 Merge pull request 'Fix Mastodon signup/password/confirmation links' (#570) from chore/562-mastodon_login_urls into master 
Reviewed-on: #570
Reviewed-by: Greg <greg@noreply.kosmos.org>
 2024-08-23 14:18:12 +00:00
Râu Cao
d935b99d7d Fix Mastodon signup/password/confirmation links 
Adds ENV vars for our custom fix in b916182bc1

fixes #562
 2024-08-22 21:51:49 +02:00
Râu Cao
d048bbb297 Merge pull request 'Upgrade Gitea to 1.22.1' (#568) from chore/upgrade_gitea into master 
Reviewed-on: #568
 2024-08-10 11:45:39 +00:00
Râu Cao
61bd121709 Upgrade Gitea to 1.22.1 2024-08-10 13:44:39 +02:00
Râu Cao
ec9b912e45 Merge pull request 'Configure nginx default vhost, add specific redirects for some domains' (#565) from chore/nginx_redirects into master 
Reviewed-on: #565
 2024-08-09 12:44:29 +00:00
Râu Cao
d53ba42a1d Make kosmos.org the default nginx vhost 2024-08-04 16:51:57 +02:00
Râu Cao
a99f7f7574 Add config for accounts .well-known proxyying 2024-08-04 16:51:18 +02:00
Râu Cao
1c8ee14bb3 Add HTTP redirects for kosmos.chat and kosmos.cash 2024-08-04 16:49:20 +02:00
Râu Cao
cdedf49be3 Merge pull request 'Fix download URLs for Mastodon exports/archives' (#564) from bugfix/mastodon_archive_download_urls into master 
Reviewed-on: #564
 2024-08-04 14:46:26 +00:00
Râu Cao
5e727ec279 Fix download URLs for Mastodon exports/archives 
See https://github.com/mastodon/mastodon/issues/24380
 2024-08-04 14:55:22 +02:00
Râu Cao
9d928298d2 Fix Gitea user/repo avatar URLs in certain situations 
I encountered a CORS proxy which somehow ended up with http://_gitea_web
URLs.
 2024-07-10 11:36:07 +02:00
Râu Cao
1174661b46 Use proxy domain for RS Discourse ACME challenge 2024-07-08 20:31:46 +02:00
Greg
2dff7cf850 Merge pull request 'Add new service: nostr.kosmos.org (members-only nostr relay)' (#559) from feature/strfry into master 
Reviewed-on: #559
Reviewed-by: Greg <greg@noreply.kosmos.org>
 2024-07-05 07:33:40 +00:00
Râu Cao
232360efba Remove commented code 2024-07-03 09:23:13 +02:00
Râu Cao
8b8e8f3438 Move strfry extras into their own directory 2024-07-03 09:22:50 +02:00
Râu Cao
522c213b09 Add Deno lockfile 2024-06-20 18:16:27 +02:00
Râu Cao
80eddfbf56 Configure strfry whitelist 
Allow akkounts pubkey to publish to our own relay
 2024-06-20 15:38:27 +02:00
Râu Cao
7e664723a1 Configure akkounts nostr relay URL in production 2024-06-20 15:04:17 +02:00
Râu Cao
f5961af7fe Create/deploy strfry VM 2024-06-11 23:17:33 +02:00
Râu Cao
d1301dad3e Add, configure, deploy strfry policies 2024-06-11 23:12:22 +02:00
Râu Cao
42c46a5645 Deploy strfry reverse proxy 2024-06-11 23:10:24 +02:00
Râu Cao
5be9081613 Header name has to be all lowercase in strfry config 2024-06-11 23:09:49 +02:00
Râu Cao
1649d03665 Update strfry cookbook 2024-06-11 23:09:48 +02:00
Râu Cao
b9a3910364 Update strfry cookbook 2024-06-11 23:09:48 +02:00
Râu Cao
9835b85181 Fall back to default port for strfry proxy 
When we don't override it elsewhere
 2024-06-11 23:09:48 +02:00
Râu Cao
dbccd9d2bf Add kosmos_strfry cookbook, configs 2024-06-11 23:09:48 +02:00
Râu Cao
1a5f312699 Add strfry cookbook 2024-06-11 23:09:48 +02:00
Greg
f843a31e03 Merge pull request 'Improve mail server TLS certificate management' (#556) from chore/mail_server_cert into master 
Reviewed-on: #556
Reviewed-by: Greg <greg@noreply.kosmos.org>
 2024-06-05 14:49:01 +00:00
Râu Cao
ff313525c8 Reload postfix and dovecot on cert renewal 
closes #552

Co-authored-by: Greg Karékinian <greg@karekinian.com>
 2024-06-05 16:44:18 +02:00
Râu Cao
cfb379741e Add imap and smtp subdomains to mail server cert 
closes #543

Co-authored-by: Greg Karékinian <greg@karekinian.com>
 2024-06-05 15:55:29 +02:00
Râu Cao
0c29fad404 Remove superfluous license header 
Co-authored-by: Greg Karékinian <greg@karekinian.com>
 2024-06-05 15:50:09 +02:00
Râu Cao
416935d8b5 Merge pull request 'Upgrade Gitea to 1.22' (#555) from chore/upgrade_gitea into master 
Reviewed-on: #555
 2024-06-02 21:18:07 +00:00
Râu Cao
2b6f81c5d6 Upgrade Gitea to 1.22 2024-06-02 23:17:16 +02:00
Râu Cao
18496bb0da Merge pull request 'Configure akkounts for nostr zaps' (#554) from chore/akkounts_config into master 
Reviewed-on: #554
 2024-06-02 21:05:15 +00:00
Râu Cao
d878b4208e Configure akkounts for nostr zaps 2024-06-02 23:03:06 +02:00
Râu Cao
d31440d235 Add CORS headers to kosmos.social LNURL paths 2024-06-02 23:02:22 +02:00
Râu Cao
6f287f14ef Deploy live branch 2024-06-02 23:01:49 +02:00
Râu Cao
b77df3d0db Update email aliases 2024-05-16 14:34:09 +02:00
Greg
f7f5a0069d Merge pull request 'Add support for proxy domain validation to tls_cert resource' (#553) from feature/letsencrypt_proxy_validation into master 
Reviewed-on: #553
Reviewed-by: Greg <greg@noreply.kosmos.org>
 2024-05-08 12:30:29 +00:00
Râu Cao
989185f951 Support proxy domain validation for Garage web domains 
Also rename the data bag item
 2024-04-30 12:23:36 +02:00
Râu Cao
4cbda69a6b Add support for proxy domain validation to tls_cert resource 2024-04-26 12:24:17 +02:00
Râu Cao
6931fe05d0 Hide Gitea version and load times in footer 2024-04-07 13:16:19 +03:00
Râu Cao
b248ef70db Upgrade Gitea to 1.21.10 2024-04-07 13:10:10 +03:00
Râu Cao
45159ad4e7 Resolve Mastodon addresses as Lightning Address 2024-03-31 08:27:20 +04:00
Râu Cao
612cd0c55e Merge pull request 'Configure LDAP login for Mastodon (merge .social and .org accounts)' (#551) from feature/mastodon_ldap_integration into master 
Reviewed-on: #551
Reviewed-by: Greg <greg@noreply.kosmos.org>
 2024-03-29 09:51:42 +00:00
Râu Cao
83380047bb Configure LDAP integration for Mastodon 2024-03-29 09:28:13 +04:00
Râu Cao
8aebb386a4 Configure Mastodon user address domain for akkounts 2024-03-27 20:19:24 +04:00
Râu Cao
a8c4f0bd0e Merge pull request 'Only allow ejabberd logins when XMPP service is enabled for user' (#550) from feature/xmpp_service_enabled into master 
Reviewed-on: #550
 2024-03-27 16:17:04 +00:00
Râu Cao
12b4fb37fa Only allow ejabberd logins when XMPP service is enabled 2024-03-27 20:12:33 +04:00
Râu Cao
263eb88b72 Add new env var for akkounts 2024-03-14 23:05:05 +01:00
Râu Cao
25ee38fe27 Update kredits-ipfs-pinner 2024-03-14 23:04:27 +01:00
greg
e701938442 Merge pull request 'Support letsencrypt proxy validation via CNAMEs' (#548) from feature/letsencrypt_proxy_validation into master 
Reviewed-on: #548
Reviewed-by: greg <greg@noreply.kosmos.org>
 2024-03-12 14:11:14 +00:00
Râu Cao
309bc45791 Merge pull request 'Fix backup script removing image after unsuccessful pivot' (#549) from bugfix/vm_backups into master 
Reviewed-on: #549
 2024-03-11 15:35:50 +00:00
Râu Cao
82a4af05ef Fix backup script removing image after unsuccessful pivot 
If pivoting the VM backing storage back to the original image fails
(e.g. VM being down at that time), the script currently still deletes
the hotswap image, which means that all changes since the creation of
the hotswap image are lost.
 2024-03-11 16:26:14 +01:00
Râu Cao
4a8ab3abe3 Support letsencrypt proxy validation via CNAMEs 
Allows to point other domains' `_acme-challenge.example.com` entries at
`example.com.letsencrypt.kosmos.chat` so we can validate from our side
without access to the other domain's DNS records.

Used for 5apps.com XMPP for now. Can be used for others later.

Co-authored-by: Greg Karékinian <greg@karekinian.com>
 2024-03-11 16:21:28 +01:00
Râu Cao
21de964e1b Upgrade nbxplorer, btcpay 2024-03-11 16:14:03 +01:00
Râu Cao
b4ddfd19e3 Upgrade Ruby for latest Mastodon release 2024-03-11 16:13:48 +01:00
Râu Cao
08c604962c Upgrade Ruby for latest akkounts release 2024-03-11 16:13:30 +01:00
119 changed files with 1660 additions and 479 deletions
Expand all files Collapse all files

6
.gitmodules vendored
View File

@@ -4,3 +4,9 @@
[submodule "site-cookbooks/openresty"]
path = site-cookbooks/openresty
url = https://github.com/67P/chef-openresty.git
[submodule "site-cookbooks/strfry"]
path = site-cookbooks/strfry
url = git@gitea.kosmos.org:kosmos/strfry-cookbook.git
[submodule "site-cookbooks/deno"]
path = site-cookbooks/deno
url = git@gitea.kosmos.org:kosmos/deno-cookbook.git

4
README.md
View File

@@ -38,6 +38,10 @@ Clone this repository, `cd` into it, and run:
knife zero bootstrap ubuntu@zerotier-ip-address -x ubuntu --sudo --run-list "role[base],role[kvm_guest]" --secret-file .chef/encrypted_data_bag_secret
### Bootstrap a new VM with environment and role/app (postgres replica as example)
knife zero bootstrap ubuntu@10.1.1.134 -x ubuntu --sudo --environment production --run-list "role[base],role[kvm_guest],role[postgresql_replica]" --secret-file .chef/encrypted_data_bag_secret
### Run Chef Zero on a host server
knife zero converge -p2222 name:server-name.kosmos.org

4
clients/akaunting-1.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "akaunting-1",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzmNpNWJh5DeXDsINDqAt\n5OtcGhnzLtqdILTD8A8KuPxWhoKI0k9xwvuT4yO2DLQqFMPyGefRuQkVsIq2OuU5\npK8B5c79E9MBHxti6mQZw4b/Jhmul+x2LGtOWYjPTDhFYXRsNNDtFDxwpwJGPede\nYts026yExHPhiF35Mt1JxA3TXJfPC8Vx0YGHu/6Ev+1fLmcKhFmhed5yKkA0gwod\nczdyQiCfw3ze9LuS90QmALpFOHHpekZeywemdwyPia207CoTrXsPLWj9KmuUEIQJ\nwL+OlEU2tVA6KaBKpl54n5/tMsccZmlicbNsVpgkk6LctrkNh6Kk+fW9ry3L/Gxg\nAwIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-10.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "garage-10",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw2+3Wo+KkXVJCOX1SxT9\nSdwKXgPbCDM3EI9uwoxhMxQfRyN53dxIsBDsQUVOIe1Z8yqm4FenMQlNmeDR+QLE\nvNFf1fisinW+D9VVRm+CjcJy96i/Dyt786Z6YRrDlB860HxCbfTL2Zv5BRtbyIKg\nhz5gO+9PMEpPVR2ij9iue4K6jbM1AAL2ia/P6zDWLJqeIzUocCeHV5N0Z3jXH6qr\nf444v78x35MMJ+3tg5h95SU1/PDCpdSTct4uHEuKIosiN7p4DlYMoM5iSyvVoujr\nflRQPEpGzS9qEt3rDo/F4ltzYMx6bf1tB/0QaBKD+zwPZWTTwf61tSBo5/NkGvJc\nFQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-11.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "garage-11",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfZcNEQojtmaogd9vGP/\nMsVPhAOlQ4kxKgrUas+p+XT7lXRan6b3M8UZEleIaL1HWsjSVwtFWRnNl8kg8rF8\nNEkLeOX8kHf7IoXDFOQa2TXanY8tSqrfh9/heFunt4Q3DluVt7S3bBdwukbDXm/n\nXJS2EQP33eJT4reL6FpVR0oVlFCzI3Vmf7ieSHIBXrbXy7AIvGC2+NVXvQle6pqp\nx0rqU6Wc6ef/VtIv+vK3YFnt9ue3tC63mexyeNKgRYf1YjDx61wo2bOY2t8rqN8y\nHeZ3dmAN8/Vwjk5VGnZqK7kRQ92G4IcE+mEp7MuwXcLqQ9WB960o+evay+o1R5JS\nhwIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-4.json
View File

@@ -1,4 +0,0 @@
{
"name": "garage-4",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8it7QtT6zDiJJqlyHKfQ\nLqwu6bLblD15WWxlUSiOdhz3njWDv1BIDCAdkCR3HAXgxvk8sMj9QkvWS7u1+bc4\nxvHrY4Tgfg+Tk1h3gGa7ukll8s1WLIbGjj89vrK8PFr4iuDqRytYRMmcdMsNzPkS\nKcsOjFYWGV7KM/OwoQGVIOUPB+WtkrFAvNkXtIU6Wd5orzFMjt/9DPF2aO7QegL8\nG1mQmXcPGl9NSDUXptn/kzFKm/p4n7pjy6OypFT192ak7OA/s+CvQlaVE2tb/M3c\ne4J6A+PInV5AGKY6BxI3QRQLZIlqE0FXawFKr1iRU4JP4tVnICXZqy+SDXQU1zar\nTQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-5.json
View File

@@ -1,4 +0,0 @@
{
"name": "garage-5",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJxLFOBbml94W/GAe7nm\ntZs1Ziy8IbqXySsm8bSwWhRMQ8UuseqQLG30R3Q5X5AoJbtNfd26l63qLtP2fFtL\n5km9dV+2FoIJWFetl8Wzr7CaLYAiNzTQSFHlV7+6DKmPMDcJ63GKrFR77vkSGOG6\nOWL1bJy5BOaClp/sKL/0WQ0+mRbTP6RCQ2eI+46clAg702SenBU6Nz9HDm+teKN7\nYlP1CvzXgfgfpDOsat7wGn5+oKcmKavZxcdn8bt5jRpg8v3JezaZIjMXt7XcNS4n\n0F4XO/efnZE5B5SN68j4BpD8N79zJw4HlRIGP+RaYv2qLtBeWgLHCCs9wXQXfj6b\nLwIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-6.json
View File

@@ -1,4 +0,0 @@
{
"name": "garage-6",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwasYgWLM8ShvirFiKRE6\nGWqc3pMlvcrk4YnWAUW5Y/H26EnyexxWNfnwlEcq8thJ3M3hs7zkoF3Yk4uqX869\n4/niYqXwYgeE1K3gzLp4K1+w3yVupYAFVFStVEHJyuMlLJ+ulDEGvNdQDuIfw7+E\nr6DcDLa1o92Eo0wL1ihYyMilduH0LdFTixL+tEBXbbPWBa3RDJJCFsRF1+UC6hAH\nzmaWL661Gdzdabxjm/FlGUYkdbDqeInZq/1GMQqv+9/DcNRkWA9H7i4Ykrfpx4/2\nRZ8xtx/DbnJVB1zYoORygFMMAkTu5E+R8ropeI7Wi77Yq0S7laiRlYQYQml3x9ak\nzQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-9.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "garage-9",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnMHzKE8JBrsQkmRDeMjX\n71mBzvRzNM90cwA8xtvIkXesdTyGqohX9k/PJbCY5ySGK9PpMaYDPVAnwnUP8LFQ\n3G98aSbLxUjqU/PBzRsnWpihehr05uz9zYcNFzr4LTNvGQZsq47nN9Tk+LG3zHP7\nAZViv2mJ4ZRnukXf6KHlyoVvhuTu+tiBM8QzjTF97iP/aguNPzYHmrecy9Uf5bSA\nZrbNZT+ayxtgswC2OclhRucx7XLSuHXtpwFqsQzSAhiX1aQ3wwCyH9WJtVwpfUsE\nlxTjcQiSM9aPZ8iSC0shpBaKD1j3iF/2K2Jk+88++zMhJJPLermvaJxzsdePgvyk\nKQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/postgres-5.json
View File

@@ -1,4 +0,0 @@
{
"name": "postgres-5",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXZv6Gk+dhIVkTXH9hJ1\nt2oqsMSLmTUj71uPN+4j0rxCQriXa095Nle9ifJAxfwzQyKEpWKyZd1Hpyye6bL1\nwgWATZ/u5ZS4B63NhRFyDxgPlHWBBohaZBN42zeq0Y0PNGHPVGDH/zFDrpP22Q9Q\nYScsyXTauE/Yf8a/rKR5jdnoVsVVMxk0LHxka8FcM2cqVsDAcK7GqIG6epqNFY8P\nUb1P+mVxRwnkzvf1VtG212ezV/yw9uiQcUkHS+JwZMAgbC34k9iDyRmk6l4sj/Zk\nNem20ImMqdDzsrX8zEe21K+KNvpejPH9fxaNCwR8W+woBMMzqD3I7P9PbLjc70Rx\nRwIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/postgres-7.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "postgres-7",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/postgres-8.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "postgres-8",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx88DgM/x1UbKRzgPexXE\nSyfrAsqaDVjqZz7yF3tqAc9A52Ol0KOM6NESoPWBVMbS86WtAjBcMHcOoQBJ+ovp\nXcjNlRtO1Il6/d4uCRr4CEDX+yeS0Qrt0SOORnoTbVlkq9VlVljyCmxk8VBCILzk\ndHvFr62mahMy6vOEcpCQgCwYE3ISH2jlTDz2agoK/CjIyyqFTlB1N7mJVGLrJdcA\nA2JOxDRE8HqOdpY7bHcHj4uyMWaKuM3zxXK04lhrvuPRfJUhXgsK9r5jeTEa8407\nqV9K+mB17R1dBeHmWEPDRt02HELe2SUjYmlmyVX73H2mWKDLBFpAFjOfz86CJ6jf\nDQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/strfry-1.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "strfry-1",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDV/RMGMXVDbvoA6PNh8\nQzhtHwYDCFcUSkbrwP6tzh6GpVunGEOdOdhj2V63T2tF1H+lujxQXh5pK7C0D6VZ\niO04ftJlo7/svyxUcwWr+znyN5sFdQRh3cBZiGSBYolizwoqgtPFlbNhmWAzV0Du\n9t8mhz70IK3B+UdwWyHtoK0NNsJGnQ9YzAvcjyDmEO/3sCjAhNnxVpmXftpcSmd9\nMonzFtIDBbRRll4AHZYRbmXCzx63+VmelvdnufnbY82liol0zzBwJaBD1wyNlG0y\ni96p3Kx03bLNlIaYVGbjZeJi+6oo2VDWJ4OloLLAYoHDSipeHT9qWfUdnE6ge4Lm\nywIDAQAB\n-----END PUBLIC KEY-----\n"
}

31
data_bags/credentials/akaunting.json Normal file
View File

@@ -0,0 +1,31 @@
{
"id": "akaunting",
"app_key": {
"encrypted_data": "C7VVGHHrE/ESwtGeODf8zVraayO5uBSXaGR7f4yoj0MDq9WxPujItC3dIkMQ\ngjGzk8fH\n",
"iv": "4+d+RMLeuqaneFBa\n",
"auth_tag": "sBQDUVl6QbL/h9pd0kBQ0g==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"pg_database": {
"encrypted_data": "4mqHsMfDAqPvDmGsWgS9iE63qVeus7diSW8WiA==\n",
"iv": "6Cb1lVUcXBz+GA4u\n",
"auth_tag": "8O3N0m8jGhxs/YacdhgNHA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"pg_username": {
"encrypted_data": "Nu0wiBhvqUwqC7PL2Qo8otq0b3faJqRsabqp2g==\n",
"iv": "1uA8mJc7itT0qHcx\n",
"auth_tag": "PRWw6LTlFrWs63SDRsovtQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"pg_password": {
"encrypted_data": "oXDKiXQ4aH5M2pVu1sx7dj0awKCORke03fq0uemjIfCMYbM=\n",
"iv": "snPyC8mocevc5kGH\n",
"auth_tag": "9wx4GPSydkYr2WGpZK5HZg==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}

61
data_bags/credentials/akkounts.json
View File

@@ -1,65 +1,72 @@
{
"id": "akkounts",
"postgresql_username": {
"encrypted_data": "l00Lmdbl5xNq07XU4XmcnRxXsIJaYyMQQ6xI\n",
"iv": "yxvL6hKwlVWmdMzl\n",
"auth_tag": "mMCV9ewJW/0TfVE76WBSZw==\n",
"encrypted_data": "ofLOjxGBj7no+lWrIvtxQQFoeozCh6mpfMTt\n",
"iv": "/CF+o4GqZx2O5WOm\n",
"auth_tag": "bjHXfgNQfXpQ2gucPLrUWA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"postgresql_password": {
"encrypted_data": "Q6xWsH6bmI1GfMzme3mBRYrt3XmDwFJ7E4FjYg2Rrw==\n",
"iv": "jcQmuT7Jz3g3XE8d\n",
"auth_tag": "nNMvf9UmP6ikf1BW93QZIw==\n",
"encrypted_data": "f8Jfs4aqIjc6/6/NQlI2Fv8TzSgVmi5g0iYNhh9bAA==\n",
"iv": "vAzrZeUodmu4x5eB\n",
"auth_tag": "vx8eH2SY7I4IkZElXSC1Nw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"sentry_dsn": {
"encrypted_data": "V7cqlH2baN1Ix/ggQFeo9PY6dNKKpnDECaB1cO3XuCfy74oN2ot44nbpCQTA\nUl0+1LQv/qNn/L4gmJkqZfdIXZQqhR+iTc06UJxe3aTKJDw=\n",
"iv": "HJtdKYcApwaxhTXI\n",
"auth_tag": "qyIYK9h6nciJTFXBWOjVOA==\n",
"encrypted_data": "oxW5jGU8DlIp5A9enxBhcJXuKyaZ5HziXq8Zw+Rbvpbv4C/RTGkJkgZdKcH1\nVzW/wNAT8nTK+nEvWgcQ3svjE40ltj2jcOexIRqLbuCClJE=\n",
"iv": "wpW9+VdX5GjocHSl\n",
"auth_tag": "1qrf1kZMrIR7WRiSaRjppQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"rails_master_key": {
"encrypted_data": "KAl2Kgq1TXjOm4TNxGwZkPwJeOSNLbLLKiRdb4fTyBFfUhIGGeCS9VvV9kIb\n9sQZ6HLU\n",
"iv": "BBPvDNs6nBXDti5I\n",
"auth_tag": "yjM/0nyUwt+5SSGuLC5qWA==\n",
"encrypted_data": "KHVYYH7Nb9/SsoKkYfbjzhFwj3Ioj72hm5pfdCuinf+GQvjKumq99eQTlKdf\nBZM1n0XN\n",
"iv": "x9AQZvw/vCinKQ8k\n",
"auth_tag": "mi0KHHOTBvVNhtvqk38BtQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"discourse_connect_secret": {
"encrypted_data": "YHkZGzXeK3nDHaXt3JKmGtCcvMfgvv3yHbvS2C+CLKagOIOe+0+2/CiNuh4U\nxO1Pug==\n",
"iv": "SnUxDpIMQum8ySfN\n",
"auth_tag": "Ny6I+3EoCA1s74JLjjbbyQ==\n",
"encrypted_data": "WyLrV0DOsxyafSqyeQVj0BhVwm/0gvWeJLBsAbiqCGphryoYqUByPcum1T6R\n2H44nQ==\n",
"iv": "lUtlJDv6Ieq8Bs5x\n",
"auth_tag": "ku22BlQKw/BhHxuANTF6yg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"lndhub_admin_token": {
"encrypted_data": "dJHxB80Enwkm+2aNuIrp7lILAy2J5tQaChPJCl/BHwMo\n",
"iv": "zHLtD1jTIwvjMt1l\n",
"auth_tag": "IC0adEzsS5YF5YHqabWw2A==\n",
"encrypted_data": "DQuxQW8ks3sUzyHYEpQVyPg2f/U4/LWeRoCD9225Hd+c\n",
"iv": "mjxYi+YAcKGuurD2\n",
"auth_tag": "8P3bFFNeQ5HQgpXDB5Sk5A==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"btcpay_auth_token": {
"encrypted_data": "YbM0HvgIijluKQBcgfKn6hmWvdbhr0ijR1xKc+BRZCZJsRaJBHTjCbwhH8T9\nVnBESruyjhxphtBetcc=\n",
"iv": "3107v/c2Tonx6/cP\n",
"auth_tag": "jnO9fvoXJW5gbDMRjkdMPA==\n",
"encrypted_data": "3wsY9osaUdX4SvBPfHprNLSbx6/rfI5BfXnDxsc6OET3nGn19qBhH6wgeiwZ\n/dweqdQ25HpbFPygddc=\n",
"iv": "ccouibxktHLlUCQJ\n",
"auth_tag": "pWuRC8O2EAkmztL/9V3now==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_access_key": {
"encrypted_data": "PFjQKe1us12SNHlReQ4f0qctulPp4d2F3t5t+AGocp87PS/kZx77rtHQtruK\n",
"iv": "BGD8+XchqwPmhhwi\n",
"auth_tag": "XefaZKCVs8hotszALN+kxQ==\n",
"encrypted_data": "hJGHa+hEmddtsZ4UncrYBkjRa/2Csqdh79tXpTVxUWbIsYGdlvyadk7C1UCj\n",
"iv": "GlxNdnWiNzmNYthg\n",
"auth_tag": "hlRLkroUN01L7VzQFBU/IA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_key": {
"encrypted_data": "ziO35x8P1YMaSeenMNQoTWug62b5ZVLFlkMlJEFGnYjHK5qTAn6ir06WnMJC\n0zErzTZsPpcr7KpE/ipWgWHRy7qVbGnd6iVO4t9tf5NjiU2OXfA=\n",
"iv": "S3syCCxh2m+mylLu\n",
"auth_tag": "ZMkyBqXMXr3K3LGqxWvbtA==\n",
"encrypted_data": "LKdQJOKIfFIoiF3GvfTs1mg3AI//Aoi8r42zcw8QhEVPB8ONsSf0/vhM037C\nf5nzUk7xwglvTOveqbOM+UTBJF/4oblQfgwFW3VobWUGkJqjtKE=\n",
"iv": "tWTxzK/ccpjlLmQV\n",
"auth_tag": "n2MFkTIquyqz4wqRNdSJcg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"nostr_private_key": {
"encrypted_data": "CPMeNxzpYMReaQU4+v+EqpVESRsnaYc3a4y7OkHOhtn2gjaNEDERGKvRmlyd\nD6vxKPcIrwTCZ7neJ3YLOVOxPDNv6skqdtMHBwSgl7aBEOrx7tY=\n",
"iv": "AV1on2sw1avmFFuY\n",
"auth_tag": "9rb9qQBKrj5Xja1t+qROKQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

43
data_bags/credentials/backup.json
View File

@@ -1,27 +1,38 @@
{
"id": "backup",
"s3_access_key_id": {
"encrypted_data": "emGNH4v7TTEh05Go/DsI3k7CFnaK4p/4JxodC4BYpyWw47/Z3dsuRMu4vXM3\n3YLH\n",
"iv": "Dau+ekb3UTYdl8w3fQKVcA==\n",
"version": 1,
"cipher": "aes-256-cbc"
"encrypted_data": "245TrPvuoBRRTimhbt6qqsFb+JnnD377sPt1pguJy7Q2BXOy/jrX0wyMt+cP\nuA==\n",
"iv": "ylmRxSRO3AA4MSJN\n",
"auth_tag": "45tBcYZowPLrbv4Zu2P0Fw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_access_key": {
"encrypted_data": "Mxyly86JxrWUbubbSiqPdRosChzfI1Q8eBEG4n+2B9JJG4yExltO5Wc5kgSs\nX01MPXAc+PGLm+J9MngUtypo/g==\n",
"iv": "WRhBJGiuScYYsUsoT5j/UA==\n",
"version": 1,
"cipher": "aes-256-cbc"
"encrypted_data": "jDIOjlBzTkBUzpj243T6KnBuH0qwyW7BUFMcqllljFSzxs7K8wYJOUreNbOP\ny8OpDWAuO0H4O4LuFMJXeM8=\n",
"iv": "PzvZr37EkJqz6JtM\n",
"auth_tag": "e3XW8oHVgmYibv/IBzj0yA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_endpoint": {
"encrypted_data": "ErJIEChxrreW7WKEwRtuP2MyYlsZRtqLdGa/x5QY58qgO036FgR3Hs2Z3yce\n",
"iv": "HOSAOgUjO7XGwk50\n",
"auth_tag": "XE1bwMIXHHE72V9K2KOLnw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_region": {
"encrypted_data": "2ZGxu0tVzKNfx3K1Wleg0SAwGaPkHCi/XfKpJ+J7q40=\n",
"iv": "CNTZW2SEIgfw+IyzGI3TzQ==\n",
"version": 1,
"cipher": "aes-256-cbc"
"encrypted_data": "8cNSaYu7HH95ftG66lFdUIPZD7soz907CPA=\n",
"iv": "pU21ulF75y/SIs3x\n",
"auth_tag": "7WQQCbSbB2GybjY+C+5IvQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"encryption_password": {
"encrypted_data": "tsBWKBwhQFfEAM0EWMPtljSbqU1c5mOJXPjYJjNT5RUFhPlqa7gsE8aJbs+D\nSPKjAQ62j+iHeqCk9mE9CCkgBA==\n",
"iv": "uq5YAXuq2ynRLv9EIWoCFA==\n",
"version": 1,
"cipher": "aes-256-cbc"
"encrypted_data": "l23CiIO2s1fIRn0NdoWZ+wK+Zhx3hCYDHf4ypjqMRekZ7xqafvXHHuogD5aj\npxYUKloH\n",
"iv": "Dzx83eP9L7Jqqidh\n",
"auth_tag": "UVn5XA5Tgsikc1GdOt1MUQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}

27
data_bags/credentials/dirsrv.json
View File

@@ -1,9 +1,30 @@
{
"id": "dirsrv",
"admin_dn": {
"encrypted_data": "zRtz6Scb9WtUXGyjc0xyvsre0YvqupuaFz+RPApj7DEQTmYyZPVb\n",
"iv": "xfIXMhEBHBWqa4Dz\n",
"auth_tag": "BcA32u1njcnCZ+yrBGSceQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"admin_password": {
"encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
"iv": "KNW2B8tpX7ywZwbg\n",
"auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
"encrypted_data": "7JpXl3JZDqKWDfYt/wuNbkbob+oRuONhkuAlpqUCCEIn+tY=\n",
"iv": "Lcwc4NDzrfcBaIKQ\n",
"auth_tag": "rrePS3Bhdnwbr2d/o8vMhg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"service_dn": {
"encrypted_data": "sqRFiZreLeTPQljSfhAuV3DmsPxSC8tzWjCdu+WSSbO67sBQA+xhmGtzBhBD\nDZPGJw+jtAxzuVvPdAjxgAVgxXO6C6WEo87L1tdJewE=\n",
"iv": "GUEGtyRJXrPhWcUs\n",
"auth_tag": "2USsrx//3V7RCyumGCbMkg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"service_password": {
"encrypted_data": "f2wi8B8SEt6p5G0TF3dZ72j0vMFlvwcP1suxYnshBA==\n",
"iv": "rOnUoxbnkaJtodM+\n",
"auth_tag": "dVLCtBVMjxLfW2D8XjJBdQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

24
data_bags/credentials/gandi_api.json Normal file
View File

@@ -0,0 +1,24 @@
{
"id": "gandi_api",
"key": {
"encrypted_data": "Ky1/PdywtEIl5vVXhzu3n2JetqOxnNjpjQ7yCao6qwIAn8oYxnv1c1hFAQ==\n",
"iv": "stAc2FxDvUqrh0kt\n",
"auth_tag": "rcK4Qt+f2O4Zo5IMmG0fkw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"access_token": {
"encrypted_data": "J7zoLhEbPfPjnVWBmFmDdPKRer5GGw2o6Ad0uinznANugfaDiqjyYinOdEDF\nHlAqLmXv4J40rr3F+o4=\n",
"iv": "fAxFqVh9QqrfBsPW\n",
"auth_tag": "9ugi4frDLv8f7X0X1+k4DA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"domains": {
"encrypted_data": "X0KOKlJp5GYbKcq/jzmlaMmTXV1U7exWSqi3UxX9Sw==\n",
"iv": "9JucnYLlYdQ9N6pd\n",
"auth_tag": "sERYPDnVUJwVfSS8/xrPpQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}

9
data_bags/credentials/gandi_api_5apps.json
View File

@@ -1,9 +0,0 @@
{
"id": "gandi_api_5apps",
"key": {
"encrypted_data": "+tcD9x5MkNpf2Za5iLM7oTGrmAXxuWFEbyg4xrcWypSkSTjdIncOfD1UoIoS\nGzy1\n",
"iv": "ymls2idI/PdiRZCgsulwrA==\n",
"version": 1,
"cipher": "aes-256-cbc"
}
}

101
data_bags/credentials/mastodon.json
View File

@@ -1,79 +1,114 @@
{
"id": "mastodon",
"active_record_encryption_deterministic_key": {
"encrypted_data": "2ik8hqK7wrtxyC73DLI8FNezZiWp2rdjwaWZkTUFRj+iwvpSrGVEwMx6uxDI\nWa7zF3p/\n",
"iv": "XMp6wqwzStXZx+F3\n",
"auth_tag": "vloJOLqEcghfQXOYohVVlg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"active_record_encryption_key_derivation_salt": {
"encrypted_data": "Nq/rHayMYmT/82k3tJUKU8YTvDKUKLoK204aT0CMGZertZaAD3dtA9AkprrA\nPK0D9CdL\n",
"iv": "tn9C+igusYMH6GyM\n",
"auth_tag": "+ReZRNrfpl6ZDwYQpwm6dw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"active_record_encryption_primary_key": {
"encrypted_data": "UEDMuKHgZDBhpB9BwbPmtdmIDWHyS9/bSzaEbtTRvLcV8dGOE5q9lDVIIsQp\n2HE0c92p\n",
"iv": "tnB0pQ3OGDne3mN/\n",
"auth_tag": "kt234ms+bmcxJj/+FH/72Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"paperclip_secret": {
"encrypted_data": "orOIbqFANPCkd4sUTCyyoh4z1o6SBudgH4wKJudTo9dANaHGhWcBUFKrhZi1\nMJTBQx/d0hiDI1P2XN3h+hROCg3JJ8OClUSJH9CfN5GlbWvXh0Nhq7hqy8L3\nLAPL+uigiXI6ObrnKQoD8LeJIB46233uwaCA/7zB6gah0ExJ2DXGH6qq9JSS\nqmTFiy+hT+VHGrUo\n",
"iv": "U4E4NLYLkP0/tTTs\n",
"auth_tag": "WKQ+pDPZp7B791lhC5j3iQ==\n",
"encrypted_data": "AlsnNTRF6GEyHjMHnC4VdzF4swMlppz/Gcp1xr0OuMEgQiOcW1oSZjDRZCRV\nmuGqZXZx64wqZyzTsJZ6ayCLsmWlPq6L21odHWyO+P/C5ubenSXnuCjpUn3/\nHs8WLX3kwVmqCRnVgDl2vEZ5H4XedSLr7R7YM7gQkM0UX4muMDWWnOTR8/x/\ni1ecwBY5RjdewwyR\n",
"iv": "RWiLePhFyPekYSl9\n",
"auth_tag": "sUq4ZX9CFKPbwDyuKQfNLQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"secret_key_base": {
"encrypted_data": "vweClhdY8SqQkK+p0OYUL2B6Fsz5eQDpEYWCtd/eRJfwwYAObbLcMWRC6MwE\neQVMw59bOqYc3RBuv/+WPLtENazA1bYCXBXQr1J6xqjJAz0Mo6KbRyxy5n78\nv8q6RSiao1VVIUXohtFlQgWeV6x5sz34bJxjlHinKvKsgiGXiuVBxYUUfzWQ\nuzrGug09cpZBqfpc\n",
"iv": "Z0/csEBH5/X1+MR+\n",
"auth_tag": "fTvBN6eovi3JVEK0ZX97Nw==\n",
"encrypted_data": "K5CmIXFa9mS4/dODBQAN9Bw0SFpbLiZAB8ewiYpkB8NDXP6X/BX8aDjW2Y4F\ncMvpFyiFldRBhrh1MSKTVYQEoJ3JhlNL9HCdPsAYbBEW70AuEBpHvOtD5OxH\nqgbH4Reuk6JX5AI8SwDD3zGrdT12mTFVNgSujzuZMvpi1Sro2HtRGAkjmnaa\nMGKrBV21O1CREJJg\n",
"iv": "/yMMmz1YtKIs5HSd\n",
"auth_tag": "WXgIVWjIdbMFlJhTD5J0JQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"otp_secret": {
"encrypted_data": "o1ts1bUgPIzFQXjJ2MpBMLntWkyPxDaJAaU1K3WzmNMXnw5MVlkKKCEFVccd\nPss/MwDuBkbNPhri3ZkH48m9SiayWETVYvw5GZzcVsw4TeMu915O44lfl9tX\nW3XHU+DBps1BVH9535R4X9M1aFW4W4XfwHtS5wcrZqtVhNhS3NSgE4JpN/Dz\nFdcFAOhflnt8fIAN\n",
"iv": "QLsxmIlX1NpxMyHz\n",
"auth_tag": "j1h/PvIoqshTBN5c5IaAsA==\n",
"encrypted_data": "OPLnYRySSIDOcVHy2A5V+pCrz9zVIPjdpAGmCdgQkXtJfsS9NzNtxOPwrXo6\nuQlV9iPjr1Y9ljGKYytbF0fPgAa5q6Z1oHMY9vOGs/LGKj8wHDmIvxQ+Gil1\nC+dZEePmqGaySlNSB/gNzcFIvjBH3mDxHJJe9hDxSv5miNS9l9f3UvQeLP2M\nU7/aHKagL9ZHOp/d\n",
"iv": "wqJBLdZhJ7M/KRG9\n",
"auth_tag": "dv5YyZszZCrRnTleaiGd4A==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"aws_access_key_id": {
"encrypted_data": "YQHUx0GugKu0AtlbGLRGocFEhTGAghWA0DUs1Nxs4Hd3bTIp4lyM\n",
"iv": "54zt2tkQhHtpY7sO\n",
"auth_tag": "ofBJx3QDsjHe66ga3nji8g==\n",
"encrypted_data": "A1/gfcyrwT6i9W6aGTJ8pH4Dm4o8ACDxvooDroA/2N0szOiNyiYX\n",
"iv": "JNvf21KhdM3yoLGt\n",
"auth_tag": "2xaZql1ymPYuXuvXzT3ymA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"aws_secret_access_key": {
"encrypted_data": "FAz6xZ+wsCz/KFA+DK6f4V04rxJt+9U/yXUGF9tvce0VqB3scH+T0KDDn1/n\nZ/0G0Tbxt2urRPbPUdI=\n",
"iv": "iapSpeM6lfDMIfNk\n",
"auth_tag": "HlkwUnNeJlOUrZ3ieN5xAQ==\n",
"encrypted_data": "T1tc01nACxhDgygKaiAq3LChGYSgmW8LAwr1aSxXmJ5D2NtypJDikiHrJbFZ\nfWFgm1qe4L8iD/k5+ro=\n",
"iv": "FDTPQQDLUMKW7TXx\n",
"auth_tag": "msY6PFFYhlwQ0X7gekSDiw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"ldap_bind_dn": {
"encrypted_data": "C/YNROVyOxmR4O2Cy52TX41EKli2bCOMzwYD+6Hz/SiKkgidnKUHlvHlbTDq\nkWwlRDM2o8esOCKaEAGPNWcNc9IHlaSsfwhr4YWnwe0=\n",
"iv": "QCQF0+vH+//+nDxr\n",
"auth_tag": "a0PbyO/7wjufqH2acDCqmQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"ldap_password": {
"encrypted_data": "SqwKeiyzfvvZGqH5gi35BdW3W+Fo/AQQjso1Yfp2XA==\n",
"iv": "md2/etFJ1r/BKaYg\n",
"auth_tag": "OlCCOoYSD7ukdH2yWCd6KA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"smtp_user_name": {
"encrypted_data": "ivB09/mCRrUaz9X4NFRBiqytjgy/vxN5Nha7gopFq5eSu9v4K9MkaLRqHh1I\nYw==\n",
"iv": "a8WKhRKsUjqBtfmn\n",
"auth_tag": "ib5WJNNaO7bRIspdACmOLw==\n",
"encrypted_data": "0kzppmSSUg7lEyYnI5a0nf+xO0vSVx88rbxI+niIdzFOOBKSIL6uVHJ340dw\nMQ==\n",
"iv": "lQR77ETTtIIyaG1r\n",
"auth_tag": "smF2HRg8WdmD+MWwkT3TqA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"smtp_password": {
"encrypted_data": "FxPz2e7fUNqcAu+DDJKlqn8rcSBLmnzigTFf5moZlQ1zz4YVl6pqHisa22Qz\nbfUx9rjU\n",
"iv": "GvRlNDV/b1WawtOP\n",
"auth_tag": "kyRCGfSJQelIwThDT4iQQQ==\n",
"encrypted_data": "1i0m9qiZA/8k8fMKo+04uyndl1UhagtHweBFICIorWALkB68edjb8OhUDxv9\nTubiXYRC\n",
"iv": "IU2x4ips9HWmKoxi\n",
"auth_tag": "BZJTDfPBvt8cf6/MbKzUJQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"vapid_private_key": {
"encrypted_data": "DlbEAhd+SkSJoOSuwGhd5bdFlJADnT0w4u0+6m8AJoWJjoSCGAnzzmdHWT/k\nVUDkwiBCkqmEPK0oTvxnl/a8\n",
"iv": "6e0Gay7GVrQad1rI\n",
"auth_tag": "jjVundJ/ITxP/oYgEgzElg==\n",
"encrypted_data": "+LmySMvzrV3z2z7BmJG9hpvkL06mGc87RG20XQhhdAJ2Z/5uMMjev2pUf7du\ntv2qvDJAimhkZajuDGL9R3eq\n",
"iv": "Mg7NhPl31O6Z4P+v\n",
"auth_tag": "qYWPInhgoWAjg0zQ+XXt5w==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"vapid_public_key": {
"encrypted_data": "+m37w/eWYqdEjsEYQw27FvQC+37ucruOFjZAjo0OgCwA0SoVz4VHX2eSA2AK\njX4CnM91cY4e/WG/ZHKlOMN1PftyQn2bdGaw35nXDanep8z0ROa01JEEi5DE\nUFRKvBmPInTeR6xvemuj7GM=\n",
"iv": "loYbGrAsWGLUZ+BK\n",
"auth_tag": "lAfpEEVQq+n7MLLm/kpmIA==\n",
"encrypted_data": "NOyc+Cech9qG2HhnhajDaJMWd1OU5Rp6hws6i4xF5mLPePMJ9mJTqzklkuMK\npYSEdtcxA3KmDt1HrFxfezYUc9xO9pvlm0BPA7XAFmF/PU7/AJbFqgPU6pX/\ntSDLSdFuMB3ky+cl4DJi+O4=\n",
"iv": "rgUglYiHB/mhqGha\n",
"auth_tag": "DEX7hdNsNLi/LIrMkdUe/Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_key_id": {
"encrypted_data": "4B8OQ0iVCCna4FvC+EuS5prEUWaHRm1+tzXGmFoCQ4WZfhUA1HwT3x651e/R\n",
"iv": "1/zGwcQPQQQCiXIs\n",
"auth_tag": "siK9ph1q3/VVEycy91wkqQ==\n",
"encrypted_data": "rPVzrYYIbcM+ssVpdL6wpCTdzLIEKXke1+eMlPLMG2gPuoh+W3eO3nFGb/s2\n",
"iv": "/qI8F9cvnfKG7ZXE\n",
"auth_tag": "z1+MPdkO/+SCaag2ULelPg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_key": {
"encrypted_data": "BSAc8dE/rQUiVvTGV6Ee/ZUDpq4HZlpoaCZ+lbQAbcnxui4ib0OTLPFwhVJ9\n4OQWahtSzkqxMc6MKWpadLT1a3oTnvnae9b3u40X5b2P3VyZYCM=\n",
"iv": "bqw8GTqLMTs5vD5n\n",
"auth_tag": "+e48L1lYVNda7VE3uLOAHA==\n",
"encrypted_data": "RMnB9kZ+slbQXfpo0udYld6S1QqBxqM1YbszdLfSAdKK9I0J3Kmvh/CQ5Fbx\nyov6LClmsl1rjtH16r7cY32M4Woq+6miERdtecyDrrYkNHz0xkA=\n",
"iv": "pO7bm3aOtjuwYjG/\n",
"auth_tag": "SRvn4z1+Vd5VAGgjG64s+Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

25
environments/production.json
View File

@@ -3,6 +3,7 @@
"override_attributes": {
"akkounts": {
"btcpay": {
"public_url": "https://btcpay.kosmos.org",
"store_id": "FNJVVsrVkKaduPDAkRVchdegjwzsNhpceAdonCaXAwBX"
},
"ejabberd": {
@@ -11,6 +12,10 @@
"lndhub": {
"public_url": "https://lndhub.kosmos.org",
"public_key": "024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946"
},
"nostr": {
"public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
"relay_url": "wss://nostr.kosmos.org"
}
},
"discourse": {
@@ -33,8 +38,7 @@
"hostmaster@kosmos.org": "mail@kosmos.org",
"postmaster@kosmos.org": "mail@kosmos.org",
"abuse@kosmos.org": "mail@kosmos.org",
"mail@kosmos.org": "foundation@kosmos.org",
"hackerhouse@kosmos.org": "mail@lagrange6.com"
"mail@kosmos.org": "foundation@kosmos.org"
}
},
"garage": {
@@ -73,6 +77,7 @@
},
"kosmos-mastodon": {
"domain": "kosmos.social",
"user_address_domain": "kosmos.social",
"s3_endpoint": "http://localhost:3900",
"s3_region": "garage",
"s3_bucket": "kosmos-social",
@@ -97,6 +102,22 @@
},
"sentry": {
"allowed_ips": "10.1.1.0/24"
},
"strfry": {
"domain": "nostr.kosmos.org",
"real_ip_header": "x-real-ip",
"policy_path": "/opt/strfry/strfry-policy.ts",
"whitelist_pubkeys": [
"b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
"b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf"
],
"info": {
"name": "Kosmos Relay",
"description": "Members-only nostr relay for kosmos.org users",
"pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
"contact": "ops@kosmos.org",
"icon": "https://assets.kosmos.org/img/app-icon-256px.png"
}
}
}
}

66
nodes/akaunting-1.json Normal file
View File

@@ -0,0 +1,66 @@
{
"name": "akaunting-1",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.215"
}
},
"automatic": {
"fqdn": "akaunting-1",
"os": "linux",
"os_version": "5.15.0-1069-kvm",
"hostname": "akaunting-1",
"ipaddress": "192.168.122.162",
"roles": [
"base",
"kvm_guest",
"akaunting",
"postgresql_client"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::hostsfile",
"kosmos_akaunting",
"kosmos_akaunting::default",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"kosmos-nodejs::default",
"nodejs::nodejs_from_package",
"nodejs::repo"
],
"platform": "ubuntu",
"platform_version": "22.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[akaunting]"
]
}

4
nodes/bitcoin-2.json
View File

@@ -16,7 +16,6 @@
"kvm_guest",
"sentry_client",
"bitcoind",
"cln",
"lnd",
"lndhub",
"postgresql_client",
@@ -30,10 +29,8 @@
"tor-full",
"tor-full::default",
"kosmos-bitcoin::bitcoind",
"kosmos-bitcoin::c-lightning",
"kosmos-bitcoin::lnd",
"kosmos-bitcoin::lnd-scb-s3",
"kosmos-bitcoin::boltz",
"kosmos-bitcoin::rtl",
"kosmos-bitcoin::peerswap-lnd",
"kosmos_postgresql::hostsfile",
@@ -103,7 +100,6 @@
"role[sentry_client]",
"recipe[tor-full]",
"role[bitcoind]",
"role[cln]",
"role[lnd]",
"role[lndhub]",
"role[btcpay]"

2
nodes/draco.kosmos.org.json
View File

@@ -54,8 +54,10 @@
"kosmos_liquor-cabinet::nginx",
"kosmos_rsk::nginx_testnet",
"kosmos_rsk::nginx_mainnet",
"kosmos_strfry::nginx",
"kosmos_website",
"kosmos_website::default",
"kosmos_website::redirects",
"kosmos-akkounts::nginx",
"kosmos-akkounts::nginx_api",
"kosmos-bitcoin::nginx_lndhub",

2
nodes/fornax.kosmos.org.json
View File

@@ -48,8 +48,10 @@
"kosmos_liquor-cabinet::nginx",
"kosmos_rsk::nginx_testnet",
"kosmos_rsk::nginx_mainnet",
"kosmos_strfry::nginx",
"kosmos_website",
"kosmos_website::default",
"kosmos_website::redirects",
"kosmos-akkounts::nginx",
"kosmos-akkounts::nginx_api",
"kosmos-bitcoin::nginx_lndhub",

28
nodes/garage-4.json → nodes/garage-10.json
View File

@@ -1,17 +1,17 @@
{
"name": "garage-4",
"name": "garage-10",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.104"
"host": "10.1.1.27"
}
},
"automatic": {
"fqdn": "garage-4",
"fqdn": "garage-10",
"os": "linux",
"os_version": "5.4.0-132-generic",
"hostname": "garage-4",
"ipaddress": "192.168.122.123",
"os_version": "5.4.0-1090-kvm",
"hostname": "garage-10",
"ipaddress": "192.168.122.70",
"roles": [
"base",
"kvm_guest",
@@ -23,7 +23,8 @@
"kosmos_kvm::guest",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall",
"kosmos_garage::firewall_rpc",
"kosmos_garage::firewall_apis",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -38,21 +39,20 @@
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default",
"chef-sugar::default"
"firewall::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "17.10.3",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "17.9.0",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
@@ -61,4 +61,4 @@
"role[kvm_guest]",
"role[garage_node]"
]
}
}

20
nodes/garage-5.json → nodes/garage-11.json
View File

@@ -1,17 +1,17 @@
{
"name": "garage-5",
"name": "garage-11",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.33"
"host": "10.1.1.165"
}
},
"automatic": {
"fqdn": "garage-5",
"fqdn": "garage-11",
"os": "linux",
"os_version": "5.15.0-84-generic",
"hostname": "garage-5",
"ipaddress": "192.168.122.55",
"os_version": "5.15.0-1059-kvm",
"hostname": "garage-11",
"ipaddress": "192.168.122.9",
"roles": [
"base",
"kvm_guest",
@@ -46,13 +46,13 @@
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.3.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},

18
nodes/garage-6.json → nodes/garage-9.json
View File

@@ -1,17 +1,17 @@
{
"name": "garage-6",
"name": "garage-9",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.161"
"host": "10.1.1.223"
}
},
"automatic": {
"fqdn": "garage-6",
"fqdn": "garage-9",
"os": "linux",
"os_version": "5.4.0-1090-kvm",
"hostname": "garage-6",
"ipaddress": "192.168.122.213",
"hostname": "garage-9",
"ipaddress": "192.168.122.21",
"roles": [
"base",
"kvm_guest",
@@ -46,13 +46,13 @@
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.3.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},

5
nodes/gitea-2.json
View File

@@ -32,6 +32,7 @@
"kosmos_postgresql::hostsfile",
"kosmos_gitea",
"kosmos_gitea::default",
"kosmos_gitea::backup",
"kosmos_gitea::act_runner",
"apt::default",
"timezone_iii::default",
@@ -47,7 +48,9 @@
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default"
"firewall::default",
"backup::default",
"logrotate::default"
],
"platform": "ubuntu",
"platform_version": "20.04",

2
nodes/her.json
View File

@@ -9,7 +9,7 @@
"automatic": {
"fqdn": "her",
"os": "linux",
"os_version": "5.15.0-84-generic",
"os_version": "5.15.0-101-generic",
"hostname": "her",
"ipaddress": "192.168.30.172",
"roles": [

2
nodes/mail.kosmos.org.json
View File

@@ -10,7 +10,7 @@
"fqdn": "mail.kosmos.org",
"os": "linux",
"os_version": "5.15.0-1048-kvm",
"hostname": "mail",
"hostname": "mail.kosmos.org",
"ipaddress": "192.168.122.131",
"roles": [
"base",

5
nodes/mastodon-3.json
View File

@@ -14,6 +14,7 @@
"ipaddress": "192.168.122.161",
"roles": [
"kvm_guest",
"ldap_client",
"garage_gateway",
"mastodon",
"postgresql_client"
@@ -22,6 +23,7 @@
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos-dirsrv::hostsfile",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall_rpc",
@@ -61,8 +63,6 @@
"redisio::disable_os_default",
"redisio::configure",
"redisio::enable",
"nodejs::npm",
"nodejs::install",
"backup::default",
"logrotate::default"
],
@@ -84,6 +84,7 @@
"run_list": [
"recipe[kosmos-base]",
"role[kvm_guest]",
"role[ldap_client]",
"role[garage_gateway]",
"role[mastodon]"
]

13
nodes/postgres-6.json
View File

@@ -13,12 +13,21 @@
"ipaddress": "192.168.122.60",
"roles": [
"base",
"kvm_guest"
"kvm_guest",
"postgresql_primary"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::primary",
"kosmos_postgresql::firewall",
"kosmos_akaunting::pg_db",
"kosmos-bitcoin::lndhub-go_pg_db",
"kosmos-bitcoin::nbxplorer_pg_db",
"kosmos_drone::pg_db",
"kosmos_gitea::pg_db",
"kosmos-mastodon::pg_db",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -52,6 +61,6 @@
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[postgresql_replica]"
"role[postgresql_primary]"
]
}

33
nodes/postgres-5.json → nodes/postgres-7.json
View File

@@ -1,32 +1,29 @@
{
"name": "postgres-5",
"name": "postgres-7",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.54"
"host": "10.1.1.134"
}
},
"automatic": {
"fqdn": "postgres-5",
"fqdn": "postgres-7",
"os": "linux",
"os_version": "5.4.0-153-generic",
"hostname": "postgres-5",
"ipaddress": "192.168.122.211",
"os_version": "5.4.0-1123-kvm",
"hostname": "postgres-7",
"ipaddress": "192.168.122.89",
"roles": [
"base",
"kvm_guest",
"postgresql_primary"
"postgresql_replica"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::primary",
"kosmos_postgresql::hostsfile",
"kosmos_postgresql::replica",
"kosmos_postgresql::firewall",
"kosmos-bitcoin::lndhub-go_pg_db",
"kosmos-bitcoin::nbxplorer_pg_db",
"kosmos_drone::pg_db",
"kosmos_gitea::pg_db",
"kosmos-mastodon::pg_db",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -47,19 +44,19 @@
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.2.7",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[postgresql_primary]"
"role[postgresql_replica]"
]
}

62
nodes/postgres-8.json Normal file
View File

@@ -0,0 +1,62 @@
{
"name": "postgres-8",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.99"
}
},
"automatic": {
"fqdn": "postgres-8",
"os": "linux",
"os_version": "5.15.0-1059-kvm",
"hostname": "postgres-8",
"ipaddress": "192.168.122.100",
"roles": [
"base",
"kvm_guest",
"postgresql_replica"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::hostsfile",
"kosmos_postgresql::replica",
"kosmos_postgresql::firewall",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default"
],
"platform": "ubuntu",
"platform_version": "22.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[postgresql_replica]"
]
}

66
nodes/strfry-1.json Normal file
View File

@@ -0,0 +1,66 @@
{
"name": "strfry-1",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.164"
}
},
"automatic": {
"fqdn": "strfry-1",
"os": "linux",
"os_version": "5.15.0-1060-kvm",
"hostname": "strfry-1",
"ipaddress": "192.168.122.54",
"roles": [
"base",
"kvm_guest",
"strfry",
"ldap_client"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos-dirsrv::hostsfile",
"strfry",
"strfry::default",
"kosmos_strfry::policies",
"kosmos_strfry::firewall",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"deno::default"
],
"platform": "ubuntu",
"platform_version": "22.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.4.12",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[strfry]"
]
}

10
nodes/wiki-1.json
View File

@@ -8,16 +8,19 @@
"automatic": {
"fqdn": "wiki-1",
"os": "linux",
"os_version": "5.4.0-91-generic",
"os_version": "5.4.0-167-generic",
"hostname": "wiki-1",
"ipaddress": "192.168.122.26",
"roles": [
"kvm_guest"
"base",
"kvm_guest",
"ldap_client"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos-dirsrv::hostsfile",
"kosmos-mediawiki",
"kosmos-mediawiki::default",
"apt::default",
@@ -41,7 +44,6 @@
"php::package",
"php::ini",
"composer::global_configs",
"kosmos-dirsrv::hostsfile",
"mediawiki::default",
"mediawiki::database",
"kosmos-nginx::default",
@@ -79,4 +81,4 @@
"role[ldap_client]",
"recipe[kosmos-mediawiki]"
]
}
}

6
roles/akaunting.rb Normal file
View File

@@ -0,0 +1,6 @@
name "akaunting"
run_list %w[
role[postgresql_client]
kosmos_akaunting::default
]

1
roles/gitea.rb
View File

@@ -3,4 +3,5 @@ name "gitea"
run_list %w(
role[postgresql_client]
kosmos_gitea::default
kosmos_gitea::backup
)

1
roles/lnd.rb
View File

@@ -3,7 +3,6 @@ name "lnd"
run_list %w(
kosmos-bitcoin::lnd
kosmos-bitcoin::lnd-scb-s3
kosmos-bitcoin::boltz
kosmos-bitcoin::rtl
kosmos-bitcoin::peerswap-lnd
)

2
roles/openresty_proxy.rb
View File

@@ -28,7 +28,9 @@ production_run_list = %w(
kosmos_liquor-cabinet::nginx
kosmos_rsk::nginx_testnet
kosmos_rsk::nginx_mainnet
kosmos_strfry::nginx
kosmos_website::default
kosmos_website::redirects
kosmos-akkounts::nginx
kosmos-akkounts::nginx_api
kosmos-bitcoin::nginx_lndhub

1
roles/postgresql_primary.rb
View File

@@ -3,6 +3,7 @@ name "postgresql_primary"
run_list %w(
kosmos_postgresql::primary
kosmos_postgresql::firewall
kosmos_akaunting::pg_db
kosmos-bitcoin::lndhub-go_pg_db
kosmos-bitcoin::nbxplorer_pg_db
kosmos_drone::pg_db

8
roles/strfry.rb Normal file
View File

@@ -0,0 +1,8 @@
name "strfry"
run_list %w(
role[ldap_client]
strfry::default
kosmos_strfry::policies
kosmos_strfry::firewall
)

4
site-cookbooks/backup/attributes/default.rb
View File

@@ -42,5 +42,5 @@ default['backup']['orbit']['keep'] = 10
default['backup']['cron']['hour'] = "05"
default['backup']['cron']['minute'] = "7"
default['backup']['s3']['keep'] = 15
default['backup']['s3']['bucket'] = "kosmos-dev-backups"
default['backup']['s3']['keep'] = 10
default['backup']['s3']['bucket'] = "kosmos-backups"

1
site-cookbooks/backup/recipes/default.rb
View File

@@ -28,6 +28,7 @@ template "#{backup_dir}/config.rb" do
sensitive true
variables s3_access_key_id: backup_data["s3_access_key_id"],
s3_secret_access_key: backup_data["s3_secret_access_key"],
s3_endpoint: backup_data["s3_endpoint"],
s3_region: backup_data["s3_region"],
encryption_password: backup_data["encryption_password"],
mail_from: "backups@kosmos.org",

5
site-cookbooks/backup/templates/default/config.rb.erb
View File

@@ -23,6 +23,10 @@ Storage::S3.defaults do |s3|
s3.secret_access_key = "<%= @s3_secret_access_key %>"
s3.region = "<%= @s3_region %>"
s3.bucket = "<%= node['backup']['s3']['bucket'] %>"
s3.fog_options = {
endpoint: "<%= @s3_endpoint %>",
aws_signature_version: 2
}
end
Encryptor::OpenSSL.defaults do |encryption|
@@ -88,7 +92,6 @@ end
preconfigure 'KosmosBackup' do
split_into_chunks_of 250 # megabytes
store_with S3
compress_with Bzip2
encrypt_with OpenSSL
notify_by Mail do |mail|

1
site-cookbooks/deno Submodule

Submodule site-cookbooks/deno added at 617f7959ab

6
site-cookbooks/kosmos-akkounts/attributes/default.rb
View File

@@ -1,5 +1,5 @@
node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git'
node.default['akkounts']['revision'] = 'master'
node.default['akkounts']['revision'] = 'live'
node.default['akkounts']['port'] = 3000
node.default['akkounts']['domain'] = 'accounts.kosmos.org'
node.default['akkounts']['primary_domain'] = 'kosmos.org'
@@ -11,6 +11,7 @@ node.default['akkounts']['smtp']['domain'] = 'kosmos.org'
node.default['akkounts']['smtp']['auth_method'] = 'plain'
node.default['akkounts']['smtp']['enable_starttls'] = 'auto'
node.default['akkounts']['btcpay']['public_url'] = nil
node.default['akkounts']['btcpay']['store_id'] = nil
node.default['akkounts']['ejabberd']['admin_url'] = nil
@@ -20,6 +21,9 @@ node.default['akkounts']['lndhub']['public_url'] = nil
node.default['akkounts']['lndhub']['public_key'] = nil
node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
node.default['akkounts']['nostr']['public_key'] = nil
node.default['akkounts']['nostr']['relay_url'] = nil
node.default['akkounts']['s3_enabled'] = true
node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org"
node.default['akkounts']['s3_region'] = "garage"

14
site-cookbooks/kosmos-akkounts/recipes/default.rb
View File

@@ -30,12 +30,12 @@ npm_package "yarn" do
version "1.22.4"
end
ruby_version = "2.7.5"
ruby_version = "3.3.0"
ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
bundle_path = "#{ruby_path}/bin/bundle"
rails_env = node.chef_environment == "development" ? "development" : "production"
ruby_build_install 'v20230615'
ruby_build_install 'v20240221'
ruby_build_definition ruby_version do
prefix_path ruby_path
end
@@ -75,6 +75,7 @@ end
if btcpay_host
env[:btcpay_api_url] = "http://#{btcpay_host}:23001/api/v1"
env[:btcpay_public_url] = node['akkounts']['btcpay']['public_url']
env[:btcpay_store_id] = node['akkounts']['btcpay']['store_id']
env[:btcpay_auth_token] = credentials["btcpay_auth_token"]
end
@@ -148,6 +149,7 @@ end
#
env[:mastodon_public_url] = "https://#{node['kosmos-mastodon']['domain']}"
env[:mastodon_address_domain] = node['kosmos-mastodon']['user_address_domain']
#
# MediaWiki
@@ -155,6 +157,14 @@ env[:mastodon_public_url] = "https://#{node['kosmos-mastodon']['domain']}"
env[:mediawiki_public_url] = node['mediawiki']['url']
#
# Nostr
#
env[:nostr_private_key] = credentials['nostr_private_key']
env[:nostr_public_key] = node['akkounts']['nostr']['public_key']
env[:nostr_relay_url] = node['akkounts']['nostr']['relay_url']
#
# remoteStorage / Liquor Cabinet
#

7
site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
View File

@@ -14,6 +14,10 @@ server {
listen [::]:443 ssl http2;
server_name <%= @domain %>;
if ($host != $server_name) {
return 301 $scheme://$server_name$request_uri;
}
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
@@ -39,6 +43,9 @@ server {
location @proxy {
proxy_set_header Host $http_host;
set $x_forwarded_host $http_x_forwarded_host;
if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
proxy_set_header X-Forwarded-Host $x_forwarded_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;

21
site-cookbooks/kosmos-base/recipes/letsencrypt.rb
View File

@@ -2,27 +2,6 @@
# Cookbook Name:: kosmos-base
# Recipe:: letsencrypt
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
unless platform?('ubuntu')
raise "This recipe only supports Ubuntu installs"

37
site-cookbooks/kosmos-base/resources/tls_cert_for.rb
View File

@@ -3,6 +3,8 @@ provides :tls_cert_for
property :domain, [String, Array], name_property: true
property :auth, [String, NilClass], default: nil
property :deploy_hook, [String, NilClass], default: nil
property :acme_domain, [String, NilClass], default: nil
default_action :create
@@ -17,13 +19,35 @@ action :create do
case new_resource.auth
when "gandi_dns"
gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
hook_path = "/root/gandi_dns_certbot_hook.sh"
hook_auth_command = "#{hook_path} auth"
hook_cleanup_command = "#{hook_path} cleanup"
if new_resource.acme_domain
hook_auth_command += " #{new_resource.acme_domain}"
hook_cleanup_command += " #{new_resource.acme_domain}"
end
template hook_path do
cookbook "kosmos-base"
variables gandi_api_key: gandi_api_data_bag_item["key"]
mode 0770
variables access_token: gandi_api_credentials["access_token"]
mode 0700
sensitive true
end
if new_resource.deploy_hook
deploy_hook_path = "/etc/letsencrypt/renewal-hooks/#{domains.first}"
file deploy_hook_path do
content new_resource.deploy_hook
mode 0755
owner "root"
group "root"
end
elsif node.run_list.roles.include?("openresty_proxy")
deploy_hook_path = "/etc/letsencrypt/renewal-hooks/post/openresty"
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
@@ -32,12 +56,11 @@ action :create do
command <<-CMD
certbot certonly --manual -n \
--preferred-challenges dns \
--manual-public-ip-logging-ok \
--agree-tos \
--manual-auth-hook '#{hook_path} auth' \
--manual-cleanup-hook '#{hook_path} cleanup' \
--manual-auth-hook '#{hook_auth_command}' \
--manual-cleanup-hook '#{hook_cleanup_command}' \
--email ops@kosmos.org \
#{node.run_list.roles.include?("openresty_proxy") ? '--deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty' : nil } \
#{"--deploy-hook #{deploy_hook_path}" if defined?(deploy_hook_path)} \
#{domains.map {|d| "-d #{d}" }.join(" ")}
CMD
not_if do

57
site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb
View File

@@ -1,21 +1,16 @@
#!/usr/bin/env bash
#
set -euf -o pipefail
# ************** USAGE **************
#
# Example usage (with this hook file saved in /root/):
# Example usage:
#
# sudo su -
# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
#
# This hook requires configuration, continue reading.
#
# ************** CONFIGURATION **************
#
# GANDI_API_KEY: Your Gandi Live API key
# ACCESS_TOKEN: Your Gandi Live API key
#
# PROVIDER_UPDATE_DELAY:
# How many seconds to wait after updating your DNS records. This may be required,
@@ -25,10 +20,16 @@ set -euf -o pipefail
#
# Defaults to 30 seconds.
#
GANDI_API_KEY="<%= @gandi_api_key %>"
# VALIDATION_DOMAIN:
# Domain to create ACME DNS entries on. Use this when redirecting ACME subdomains
# from the original domain to a proxy validation domain that we control.
#
ACCESS_TOKEN="<%= @access_token %>"
PROVIDER_UPDATE_DELAY=10
VALIDATION_DOMAIN="${2:-}"
regex='.*\.(.*\..*)'
if [[ $CERTBOT_DOMAIN =~ $regex ]]
then
DOMAIN="${BASH_REMATCH[1]}"
@@ -36,25 +37,41 @@ else
DOMAIN="${CERTBOT_DOMAIN}"
fi
if [[ -n "$VALIDATION_DOMAIN" ]]
then
if [[ $VALIDATION_DOMAIN =~ $regex ]]
then
ACME_BASE_DOMAIN="${BASH_REMATCH[1]}"
else
echo "Validation domain has to be a subdomain, but it is not: \"${VALIDATION_DOMAIN}\""
exit 1
fi
ACME_DOMAIN="${CERTBOT_DOMAIN}.${VALIDATION_DOMAIN}"
else
ACME_BASE_DOMAIN="${DOMAIN}"
ACME_DOMAIN="_acme-challenge.${CERTBOT_DOMAIN}"
fi
# To be invoked via Certbot's --manual-auth-hook
function auth {
curl -s -D- -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
-d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
\"rrset_type\": \"TXT\",
\"rrset_ttl\": 3600,
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
"https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
curl -s -D- \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-d "{\"rrset_name\": \"${ACME_DOMAIN}.\",
\"rrset_type\": \"TXT\",
\"rrset_ttl\": 300,
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
"https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records"
sleep ${PROVIDER_UPDATE_DELAY}
sleep ${PROVIDER_UPDATE_DELAY}
}
# To be invoked via Certbot's --manual-cleanup-hook
function cleanup {
curl -s -X DELETE -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
curl -s -X DELETE \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
"https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records/${ACME_DOMAIN}./TXT"
}
HANDLER=$1; shift;

34
site-cookbooks/kosmos-bitcoin/attributes/default.rb
View File

@@ -1,5 +1,5 @@
node.default['bitcoin']['version'] = '26.0'
node.default['bitcoin']['checksum'] = 'ab1d99276e28db62d1d9f3901e85ac358d7f1ebcb942d348a9c4e46f0fcdc0a1'
node.default['bitcoin']['version'] = '28.0'
node.default['bitcoin']['checksum'] = '700ae2d1e204602eb07f2779a6e6669893bc96c0dca290593f80ff8e102ff37f'
node.default['bitcoin']['username'] = 'satoshi'
node.default['bitcoin']['usergroup'] = 'bitcoin'
node.default['bitcoin']['network'] = 'mainnet'
@@ -24,7 +24,8 @@ node.default['bitcoin']['conf'] = {
rpcbind: "127.0.0.1:8332",
gen: 0,
zmqpubrawblock: 'tcp://127.0.0.1:8337',
zmqpubrawtx: 'tcp://127.0.0.1:8338'
zmqpubrawtx: 'tcp://127.0.0.1:8338',
deprecatedrpc: 'warnings' # TODO remove when upgrading to LND 0.18.4
}
# Also enables Tor for LND
@@ -40,7 +41,7 @@ node.default['c-lightning']['log_level'] = 'info'
node.default['c-lightning']['public_ip'] = '148.251.237.73'
node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
node.default['lnd']['revision'] = 'v0.17.3-beta'
node.default['lnd']['revision'] = 'v0.18.3-beta'
node.default['lnd']['source_dir'] = '/opt/lnd'
node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -58,24 +59,13 @@ node.default['lnd']['tor'] = {
'skip-proxy-for-clearnet-targets' => 'true'
}
node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
node.default['boltz']['revision'] = 'v1.2.7'
node.default['boltz']['source_dir'] = '/opt/boltz'
node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
node.default['boltz']['grpc_host'] = '127.0.0.1'
node.default['boltz']['grpc_port'] = '9002'
node.default['boltz']['rest_disabled'] = 'false'
node.default['boltz']['rest_host'] = '127.0.0.1'
node.default['boltz']['rest_port'] = '9003'
node.default['boltz']['no_macaroons'] = 'false'
node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
node.default['rtl']['revision'] = 'v0.15.0'
node.default['rtl']['revision'] = 'v0.15.2'
node.default['rtl']['host'] = '10.1.1.163'
node.default['rtl']['port'] = '3000'
node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
node.default['lndhub-go']['revision'] = '0.14.0'
node.default['lndhub-go']['revision'] = '1.0.2'
node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
node.default['lndhub-go']['port'] = 3026
node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
@@ -83,8 +73,10 @@ node.default['lndhub-go']['postgres']['database'] = 'lndhub'
node.default['lndhub-go']['postgres']['user'] = 'lndhub'
node.default['lndhub-go']['postgres']['port'] = 5432
node.default['lndhub-go']['default_rate_limit'] = 20
node.default['lndhub-go']['strict_rate_limit'] = 1
node.default['lndhub-go']['burst_rate_limit'] = 10
node.default['lndhub-go']['strict_rate_limit'] = 1
node.default['lndhub-go']['burst_rate_limit'] = 10
node.default['lndhub-go']['service_fee'] = 1
node.default['lndhub-go']['no_service_fee_up_to_amount'] = 1000
node.default['lndhub-go']['branding'] = {
'title' => 'LndHub - Kosmos Lightning',
'desc' => 'Kosmos accounts for the Lightning Network',
@@ -98,7 +90,7 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/
node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
node.default['nbxplorer']['revision'] = 'v2.4.3'
node.default['nbxplorer']['revision'] = 'v2.5.0'
node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
node.default['nbxplorer']['port'] = '24445'
@@ -106,7 +98,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
node.default['btcpay']['revision'] = 'v1.11.7'
node.default['btcpay']['revision'] = 'v1.12.5'
node.default['btcpay']['source_dir'] = '/opt/btcpay'
node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"

1
site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb
View File

@@ -11,6 +11,7 @@ credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
file "/root/.aws/config" do
mode "600"
sensitive true
content lazy { <<-EOF
[default]
region = #{credentials["s3_region"]}

16
site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
View File

@@ -12,8 +12,15 @@ if node["bitcoin"]["blocksdir_mount_type"]
include_recipe "kosmos-bitcoin::blocksdir-mount"
end
%w{ libtool autotools-dev make automake cmake curl g++-multilib libtool
binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
apt_repository "ubuntu-toolchain-r" do
# provides g++-13, needed for better c++-20 support
uri "ppa:ubuntu-toolchain-r/test"
end
%w{
gcc-13 g++-13 libtool autotools-dev make automake cmake curl bison
binutils-gold pkg-config python3 patch
}.each do |pkg|
apt_package pkg
end
@@ -26,20 +33,21 @@ end
execute "compile_bitcoin-core_dependencies" do
cwd "/usr/local/bitcoind/depends"
command "make NO_QT=1"
environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
command "make -j 2"
action :nothing
notifies :run, 'bash[compile_bitcoin-core]', :immediately
end
bash "compile_bitcoin-core" do
cwd "/usr/local/bitcoind"
environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
code <<-EOH
./autogen.sh
./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
make
EOH
action :nothing
notifies :restart, "systemd_unit[bitcoind.service]", :delayed
end
link "/usr/local/bin/bitcoind" do

87
site-cookbooks/kosmos-bitcoin/recipes/boltz.rb
View File

@@ -1,87 +0,0 @@
#
# Cookbook:: kosmos-bitcoin
# Recipe:: boltz
#
include_recipe "git"
include_recipe "kosmos-bitcoin::golang"
git node['boltz']['source_dir'] do
repository node['boltz']['repo']
revision node['boltz']['revision']
action :sync
notifies :run, 'bash[compile_and_install_boltz]', :immediately
end
bash "compile_and_install_boltz" do
cwd node['boltz']['source_dir']
code <<-EOH
go mod vendor && \
make build && \
make install
EOH
action :nothing
notifies :restart, "systemd_unit[boltzd.service]", :delayed
end
bitcoin_user = node['bitcoin']['username']
bitcoin_group = node['bitcoin']['usergroup']
boltz_dir = node['boltz']['boltz_dir']
lnd_dir = node['lnd']['lnd_dir']
directory boltz_dir do
owner bitcoin_user
group bitcoin_group
mode '0750'
action :create
end
template "#{boltz_dir}/boltz.toml" do
source "boltz.toml.erb"
owner bitcoin_user
group bitcoin_group
mode '0640'
variables lnd_grpc_host: '127.0.0.1',
lnd_grpc_port: '10009',
lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
lnd_tlscert_path: "#{lnd_dir}/tls.cert",
boltz_config: node['boltz']
notifies :restart, "systemd_unit[boltzd.service]", :delayed
end
systemd_unit 'boltzd.service' do
content({
Unit: {
Description: 'Boltz Daemon',
Documentation: ['https://lnd.docs.boltz.exchange'],
Requires: 'lnd.service',
After: 'lnd.service'
},
Service: {
User: bitcoin_user,
Group: bitcoin_group,
Type: 'simple',
ExecStart: "/opt/boltz/boltzd",
Restart: 'always',
RestartSec: '30',
TimeoutSec: '240',
LimitNOFILE: '128000',
PrivateTmp: true,
ProtectSystem: 'full',
NoNewPrivileges: true,
PrivateDevices: true,
MemoryDenyWriteExecute: true
},
Install: {
WantedBy: 'multi-user.target'
}
})
verify false
triggers_reload true
action [:create, :enable, :start]
end
unless node.chef_environment == 'development'
node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
include_recipe 'backup'
end

2
site-cookbooks/kosmos-bitcoin/recipes/golang.rb
View File

@@ -5,7 +5,7 @@
# Internal recipe for managing the Go installation in one place
#
node.override['golang']['version'] = "1.20.3"
node.override['golang']['version'] = "1.23.1"
include_recipe "golang"
link '/usr/local/bin/go' do

2
site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb
View File

@@ -10,12 +10,14 @@ include_recipe "kosmos-bitcoin::aws-client"
package "inotify-tools"
backup_script_path = "/opt/lnd-channel-backup-s3.sh"
backup_credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
template backup_script_path do
source "lnd-channel-backup-s3.sh.erb"
mode '0740'
variables lnd_dir: node['lnd']['lnd_dir'],
bitcoin_network: node['bitcoin']['network'],
s3_endpoint: backup_credentials['s3_endpoint'],
s3_bucket: node['backup']['s3']['bucket'],
s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed

2
site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
View File

@@ -66,6 +66,8 @@ template "#{source_dir}/.env" do
default_rate_limit: node['lndhub-go']['default_rate_limit'],
strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
service_fee: 1,
no_service_fee_up_to_amount: 1000,
branding: node['lndhub-go']['branding'],
webhook_url: node['lndhub-go']['webhook_url'],
sentry_dsn: credentials['sentry_dsn']

12
site-cookbooks/kosmos-bitcoin/recipes/rtl.rb
View File

@@ -46,24 +46,22 @@ rtl_config = {
multiPassHashed: credentials["multiPassHashed"]
}
if node['boltz']
# TODO adapt for multi-node usage
rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
end
git rtl_dir do
user bitcoin_user
group bitcoin_group
repository node['rtl']['repo']
revision node['rtl']['revision']
notifies :run, "execute[npm_install]", :immediately
notifies :restart, "systemd_unit[#{app_name}.service]", :delayed
end
execute "npm install" do
execute "npm_install" do
cwd rtl_dir
environment "HOME" => rtl_dir
user bitcoin_user
# TODO remove --force when upstream dependency issues have been resolved
command "npm install --force"
action :nothing
end
file "#{rtl_dir}/RTL-Config.json" do

32
site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb
View File

@@ -1,32 +0,0 @@
[LND]
# Host of the gRPC interface of LND
host = "<%= @lnd_grpc_host %>"
# Port of the gRPC interface of LND
port = <%= @lnd_grpc_port %>
# Path to a macaroon file of LND
# The daemon needs to have permission to read various endpoints, generate addresses and pay invoices
macaroon = "<%= @lnd_macaroon_path %>"
# Path to the TLS certificate of LND
certificate = "<%= @lnd_tlscert_path %>"
[RPC]
# Host of the gRPC interface
host = "<%= @boltz_config['grpc_host'] %>"
# Port of the gRPC interface
port = <%= @boltz_config['grpc_port'] %>
# Whether the REST proxy for the gRPC interface should be disabled
restDisabled = <%= @boltz_config['rest_disabled'] %>
# Host of the REST proxy
restHost = "<%= @boltz_config['rest_host'] %>"
# Port of the REST proxy
restPort = <%= @boltz_config['rest_port'] %>
# Whether the macaroon authentication for the gRPC and REST interface should be disabled
noMacaroons = <%= @boltz_config['no_macaroons'] %>

2
site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb
View File

@@ -3,5 +3,5 @@ set -xe -o pipefail
while true; do
inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
aws --endpoint <%= @s3_endpoint %> s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
done

1
site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
View File

@@ -12,7 +12,6 @@ minchansize=<%= @lnd_minchansize %>
autopilot.active=0
[Bitcoin]
bitcoin.active=1
bitcoin.mainnet=1
bitcoin.node=bitcoind
bitcoin.basefee=<%= @lnd_basefee %>

18
site-cookbooks/kosmos-ejabberd/recipes/default.rb
View File

@@ -84,6 +84,12 @@ hosts = [
sql_database: "ejabberd",
ldap_enabled: true,
ldap_password: ejabberd_credentials['kosmos_ldap_password'],
certfiles: [
"/opt/ejabberd/conf/kosmos.org.crt",
"/opt/ejabberd/conf/kosmos.org.key",
"/opt/ejabberd/conf/kosmos.chat.crt",
"/opt/ejabberd/conf/kosmos.chat.key"
],
append_host_config: <<-EOF
modules:
mod_disco:
@@ -114,6 +120,10 @@ hosts = [
sql_database: "ejabberd_5apps",
ldap_enabled: true,
ldap_password: ejabberd_credentials['5apps_ldap_password'],
certfiles: [
"/opt/ejabberd/conf/5apps.com.crt",
"/opt/ejabberd/conf/5apps.com.key"
],
append_host_config: <<-EOF
modules:
mod_disco:
@@ -154,6 +164,11 @@ admin_users = ejabberd_credentials['admins']
hosts.each do |host|
ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
if host[:name] == "kosmos.org"
ldap_filter = "(&(objectClass=person)(serviceEnabled=ejabberd))"
else
ldap_filter = "(objectClass=person)"
end
template "/opt/ejabberd/conf/#{host[:name]}.yml" do
source "vhost.yml.erb"
@@ -167,7 +182,8 @@ hosts.each do |host|
ldap_base: ldap_base,
ldap_server: ldap_domain,
ldap_rootdn: ldap_rootdn,
ldap_encryption_type: ldap_encryption_type
ldap_encryption_type: ldap_encryption_type,
ldap_filter: ldap_filter
notifies :reload, "service[ejabberd]", :delayed
end
end

21
site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
View File

@@ -15,7 +15,7 @@ set -e
# letsencrypt live folder
for domain in $RENEWED_DOMAINS; do
case $domain in
kosmos.org|5apps.com)
kosmos.org|kosmos.chat|5apps.com)
cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key
cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
@@ -33,26 +33,33 @@ file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
group "root"
end
gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
template "/root/gandi_dns_certbot_hook.sh" do
variables gandi_api_key: gandi_api_data_bag_item["key"]
mode 0770
variables access_token: gandi_api_credentials["access_token"]
mode 0700
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for kosmos xmpp" do
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n"
execute "letsencrypt cert for kosmos.org domains" do
command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d uploads.xmpp.kosmos.org -n"
not_if do
File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
end
end
execute "letsencrypt cert for kosmos.chat" do
command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.chat -n"
not_if do
File.exist?("/etc/letsencrypt/live/kosmos.chat/fullchain.pem")
end
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for 5apps xmpp" do
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
not_if do
File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
end

2
site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
View File

@@ -216,7 +216,7 @@ modules:
access_createnode: pubsub_createnode
ignore_pep_from_offline: false
last_item_cache: false
max_items_node: 10
max_items_node: 10000
plugins:
- "flat"
- "pep" # pep requires mod_caps

59
site-cookbooks/kosmos-ejabberd/templates/gandi_dns_certbot_hook.sh.erb
View File

@@ -1,21 +1,16 @@
#!/usr/bin/env bash
#
set -euf -o pipefail
# ************** USAGE **************
#
# Example usage (with this hook file saved in /root/):
# Example usage:
#
# sudo su -
# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
#
# This hook requires configuration, continue reading.
#
# ************** CONFIGURATION **************
#
# GANDI_API_KEY: Your Gandi Live API key
# ACCESS_TOKEN: Your Gandi Live API key
#
# PROVIDER_UPDATE_DELAY:
# How many seconds to wait after updating your DNS records. This may be required,
@@ -25,10 +20,16 @@ set -euf -o pipefail
#
# Defaults to 30 seconds.
#
GANDI_API_KEY="<%= @gandi_api_key %>"
PROVIDER_UPDATE_DELAY=30
# VALIDATION_DOMAIN:
# Domain to create ACME DNS entries on. Use this when redirecting ACME subdomains
# from the original domain to a proxy validation domain that we control.
#
ACCESS_TOKEN="<%= @access_token %>"
PROVIDER_UPDATE_DELAY=10
VALIDATION_DOMAIN="${2:-}"
regex='.*\.(.*\..*)'
if [[ $CERTBOT_DOMAIN =~ $regex ]]
then
DOMAIN="${BASH_REMATCH[1]}"
@@ -36,25 +37,41 @@ else
DOMAIN="${CERTBOT_DOMAIN}"
fi
if [[ -n "$VALIDATION_DOMAIN" ]]
then
if [[ $VALIDATION_DOMAIN =~ $regex ]]
then
ACME_BASE_DOMAIN="${BASH_REMATCH[1]}"
else
echo "Validation domain has to be a subdomain, but it is not: \"${VALIDATION_DOMAIN}\""
exit 1
fi
ACME_DOMAIN="${CERTBOT_DOMAIN}.${VALIDATION_DOMAIN}"
else
ACME_BASE_DOMAIN="${DOMAIN}"
ACME_DOMAIN="_acme-challenge.${CERTBOT_DOMAIN}"
fi
# To be invoked via Certbot's --manual-auth-hook
function auth {
curl -s -D- -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
-d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
\"rrset_type\": \"TXT\",
\"rrset_ttl\": 3600,
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
"https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
curl -s -D- \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-d "{\"rrset_name\": \"${ACME_DOMAIN}.\",
\"rrset_type\": \"TXT\",
\"rrset_ttl\": 300,
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
"https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records"
sleep ${PROVIDER_UPDATE_DELAY}
sleep ${PROVIDER_UPDATE_DELAY}
}
# To be invoked via Certbot's --manual-cleanup-hook
function cleanup {
curl -s -X DELETE -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
curl -s -X DELETE \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
"https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records/${ACME_DOMAIN}./TXT"
}
HANDLER=$1; shift;

7
site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
View File

@@ -1,7 +1,8 @@
# Generated by Chef for <%= @host[:name] %>
certfiles:
- "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
- "/opt/ejabberd/conf/<%= @host[:name] %>.key"
<% @host[:certfiles].each do |certfile| %>
- <%= certfile %>
<% end %>
host_config:
"<%= @host[:name] %>":
sql_type: pgsql
@@ -16,7 +17,7 @@ host_config:
ldap_password: "<%= @host[:ldap_password] %>"
ldap_encrypt: <%= @ldap_encryption_type %>
ldap_base: "ou=<%= @host[:name] %>,<%= @ldap_base %>"
ldap_filter: "(objectClass=person)"
ldap_filter: "<%= @ldap_filter %>"
<% end -%>
append_host_config:

1
site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb
View File

@@ -4,6 +4,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
tls_cert_for domain do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org"
action :create
end

1
site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb
View File

@@ -5,6 +5,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
tls_cert_for domain do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org"
action :create
end

2
site-cookbooks/kosmos-ipfs/attributes/default.rb
View File

@@ -62,4 +62,4 @@ node.default['kosmos-ipfs']['ipfs']['config'] = {
node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org"
node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444
node.default['kosmos-ipfs']['kredits-pinner']['revision'] = "v2.2.0"
node.default['kosmos-ipfs']['kredits-pinner']['revision'] = "v2.3.0"

8
site-cookbooks/kosmos-mastodon/attributes/default.rb
View File

@@ -1,5 +1,5 @@
node.default["kosmos-mastodon"]["repo"] = "https://gitea.kosmos.org/kosmos/mastodon.git"
node.default["kosmos-mastodon"]["revision"] = "production"
node.default["kosmos-mastodon"]["revision"] = "production-4.3"
node.default["kosmos-mastodon"]["directory"] = "/opt/mastodon"
node.default["kosmos-mastodon"]["bind_ip"] = "127.0.0.1"
node.default["kosmos-mastodon"]["app_port"] = 3000
@@ -10,7 +10,7 @@ node.default["kosmos-mastodon"]["redis_url"] = "redis://localhost:6379/0
node.default["kosmos-mastodon"]["sidekiq_threads"] = 25
node.default["kosmos-mastodon"]["allowed_private_addresses"] = "127.0.0.1"
node.default["kosmos-mastodon"]["onion_address"] = nil
node.default["kosmos-mastodon"]["onion_address"] = nil
# Allocate this amount of RAM to the Java heap for Elasticsearch
node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
@@ -20,6 +20,10 @@ node.default["kosmos-mastodon"]["s3_region"] = nil
node.default["kosmos-mastodon"]["s3_bucket"] = nil
node.default["kosmos-mastodon"]["s3_alias_host"] = nil
node.default["kosmos-mastodon"]["sso_account_sign_up_url"] = "https://kosmos.org"
node.default["kosmos-mastodon"]["sso_account_reset_password_url"] = "https://accounts.kosmos.org/users/password/new"
node.default["kosmos-mastodon"]["sso_account_resend_confirmation_url"] = "https://accounts.kosmos.org/users/confirmation/new"
node.default["kosmos-mastodon"]["default_locale"] = "en"
node.default["kosmos-mastodon"]["libre_translate_endpoint"] = nil

13
site-cookbooks/kosmos-mastodon/recipes/backup.rb
View File

@@ -6,13 +6,12 @@
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
unless node.chef_environment == "development"
unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
username: "mastodon",
password: postgresql_data_bag_item['mastodon_user_password']
}
end
node.override['backup']['s3']['keep'] = 1
node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
username: "mastodon",
password: postgresql_data_bag_item['mastodon_user_password']
}
include_recipe "backup"
end

57
site-cookbooks/kosmos-mastodon/recipes/default.rb
View File

@@ -3,7 +3,7 @@
# Recipe:: default
#
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_16.x"
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
include_recipe "kosmos-nodejs"
include_recipe "java"
@@ -44,7 +44,7 @@ end
elasticsearch_service 'elasticsearch'
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
postgresql_credentials = data_bag_item('credentials', 'postgresql')
mastodon_path = node["kosmos-mastodon"]["directory"]
mastodon_user = "mastodon"
@@ -71,11 +71,7 @@ package %w(build-essential imagemagick ffmpeg libxml2-dev libxslt1-dev file git
curl pkg-config libprotobuf-dev protobuf-compiler libidn11
libidn11-dev libjemalloc2 libpq-dev)
npm_package "yarn" do
version "1.22.4"
end
ruby_version = "3.0.6"
ruby_version = "3.3.5"
ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
bundle_path = "#{ruby_path}/bin/bundle"
@@ -168,32 +164,55 @@ execute "restart mastodon services" do
notifies :restart, "service[mastodon-streaming]", :delayed
end
mastodon_credentials = data_bag_item('credentials', 'mastodon')
credentials = data_bag_item('credentials', 'mastodon')
ldap_config = {
host: "ldap.kosmos.local",
port: 389,
method: "plain",
base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
bind_dn: credentials["ldap_bind_dn"],
password: credentials["ldap_password"],
uid: "cn",
mail: "mail",
search_filter: "(&(|(cn=%{email})(mail=%{email}))(serviceEnabled=mastodon))",
uid_conversion_enabled: "true",
uid_conversion_search: "-",
uid_conversion_replace: "_"
}
template "#{mastodon_path}/.env.#{rails_env}" do
source "env.erb"
mode "0640"
owner mastodon_user
group mastodon_user
sensitive true
variables redis_url: node["kosmos-mastodon"]["redis_url"],
domain: node["kosmos-mastodon"]["domain"],
alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
paperclip_secret: mastodon_credentials['paperclip_secret'],
secret_key_base: mastodon_credentials['secret_key_base'],
otp_secret: mastodon_credentials['otp_secret'],
smtp_login: mastodon_credentials['smtp_user_name'],
smtp_password: mastodon_credentials['smtp_password'],
active_record_encryption_deterministic_key: credentials["active_record_encryption_deterministic_key"],
active_record_encryption_key_derivation_salt: credentials["active_record_encryption_key_derivation_salt"],
active_record_encryption_primary_key: credentials["active_record_encryption_primary_key"],
paperclip_secret: credentials['paperclip_secret'],
secret_key_base: credentials['secret_key_base'],
otp_secret: credentials['otp_secret'],
ldap: ldap_config,
smtp_login: credentials['smtp_user_name'],
smtp_password: credentials['smtp_password'],
smtp_from_address: "mail@#{node['kosmos-mastodon']['domain']}",
s3_endpoint: node["kosmos-mastodon"]["s3_endpoint"],
s3_region: node["kosmos-mastodon"]["s3_region"],
s3_bucket: node["kosmos-mastodon"]["s3_bucket"],
s3_alias_host: node["kosmos-mastodon"]["s3_alias_host"],
aws_access_key_id: mastodon_credentials['s3_key_id'],
aws_secret_access_key: mastodon_credentials['s3_secret_key'],
vapid_private_key: mastodon_credentials['vapid_private_key'],
vapid_public_key: mastodon_credentials['vapid_public_key'],
db_pass: postgresql_data_bag_item['mastodon_user_password'],
aws_access_key_id: credentials['s3_key_id'],
aws_secret_access_key: credentials['s3_secret_key'],
vapid_private_key: credentials['vapid_private_key'],
vapid_public_key: credentials['vapid_public_key'],
db_pass: postgresql_credentials['mastodon_user_password'],
db_host: "pg.kosmos.local",
sso_account_sign_up_url: node["kosmos-mastodon"]["sso_account_sign_up_url"],
sso_account_reset_password_url: node["kosmos-mastodon"]["sso_account_reset_password_url"],
sso_account_resend_confirmation_url: node["kosmos-mastodon"]["sso_account_resend_confirmation_url"],
default_locale: node["kosmos-mastodon"]["default_locale"],
allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],
libre_translate_endpoint: node["kosmos-mastodon"]["libre_translate_endpoint"]
@@ -211,7 +230,7 @@ execute "yarn install" do
environment deploy_env
user mastodon_user
cwd mastodon_path
command "yarn install --frozen-lockfile"
command "corepack prepare && yarn install --immutable"
end
execute "rake assets:precompile" do

5
site-cookbooks/kosmos-mastodon/recipes/nginx.rb
View File

@@ -28,12 +28,15 @@ template "#{node['openresty']['dir']}/snippets/mastodon.conf" do
owner 'www-data'
mode 0640
variables web_root_dir: web_root_dir,
server_name: server_name
server_name: server_name,
s3_private_url: "#{node["kosmos-mastodon"]["s3_endpoint"]}/#{node["kosmos-mastodon"]["s3_bucket"]}/",
s3_public_url: "https://#{node["kosmos-mastodon"]["s3_alias_host"]}/"
notifies :reload, 'service[openresty]', :delayed
end
tls_cert_for server_name do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org"
action :create
end

23
site-cookbooks/kosmos-mastodon/templates/default/env.erb
View File

@@ -12,6 +12,9 @@ LOCAL_HTTPS=true
# Application secrets
# Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=<%= @active_record_encryption_deterministic_key %>
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=<%= @active_record_encryption_key_derivation_salt %>
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=<%= @active_record_encryption_primary_key %>
PAPERCLIP_SECRET=<%= @paperclip_secret %>
SECRET_KEY_BASE=<%= @secret_key_base %>
OTP_SECRET=<%= @otp_secret %>
@@ -29,6 +32,26 @@ SMTP_LOGIN=<%= @smtp_login %>
SMTP_PASSWORD=<%= @smtp_password %>
SMTP_FROM_ADDRESS=<%= @smtp_from_address %>
<% if @ldap %>
# LDAP configuration
LDAP_ENABLED=true
LDAP_HOST=<%= @ldap[:host] %>
LDAP_PORT=<%= @ldap[:port] %>
LDAP_METHOD='<%= @ldap[:method] %>'
LDAP_BASE='<%= @ldap[:base] %>'
LDAP_BIND_DN='<%= @ldap[:bind_dn] %>'
LDAP_PASSWORD='<%= @ldap[:password] %>'
LDAP_UID=<%= @ldap[:uid] %>
LDAP_MAIL=<%= @ldap[:mail] %>
LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
SSO_ACCOUNT_SIGN_UP=<%= @sso_account_sign_up_url %>
SSO_ACCOUNT_RESET_PASSWORD=<%= @sso_account_reset_password_url %>
SSO_ACCOUNT_RESEND_CONFIRMATION=<%= @sso_account_resend_confirmation_url %>
<% end %>
# Optional asset host for multi-server setups
# CDN_HOST=assets.example.com

6
site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
View File

@@ -32,6 +32,12 @@ server {
<% if @onion_address %>
add_header Onion-Location https://mastodon.<%= @onion_address %>$request_uri;
<% end %>
location ~ ^/.well-known/(lnurlp|keysend) {
add_header 'Access-Control-Allow-Origin' '*';
proxy_ssl_server_name on;
proxy_pass https://accounts.kosmos.org;
}
}
<% if @onion_address %>

4
site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb
View File

@@ -108,11 +108,13 @@ location @proxy {
proxy_pass http://mastodon_app;
proxy_buffering on;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# https://github.com/mastodon/mastodon/issues/24380
proxy_redirect <%= @s3_private_url %> <%= @s3_public_url %>;
tcp_nodelay on;
}

25
site-cookbooks/kosmos_akaunting/.gitignore vendored Normal file
View File

@@ -0,0 +1,25 @@
.vagrant
*~
*#
.#*
\#*#
.*.sw[a-z]
*.un~
# Bundler
Gemfile.lock
gems.locked
bin/*
.bundle/*
# test kitchen
.kitchen/
kitchen.local.yml
# Chef Infra
Berksfile.lock
.zero-knife.rb
Policyfile.lock.json
.idea/

16
site-cookbooks/kosmos_akaunting/Policyfile.rb Normal file
View File

@@ -0,0 +1,16 @@
# Policyfile.rb - Describe how you want Chef Infra Client to build your system.
#
# For more information on the Policyfile feature, visit
# https://docs.chef.io/policyfile/
# A name that describes what the system you're building with Chef does.
name 'kosmos_akaunting'
# Where to find external cookbooks:
default_source :supermarket
# run_list: chef-client will run these recipes in the order specified.
run_list 'kosmos_akaunting::default'
# Specify a custom source for a single cookbook:
cookbook 'kosmos_akaunting', path: '.'

4
site-cookbooks/kosmos_akaunting/README.md Normal file
View File

@@ -0,0 +1,4 @@
# kosmos_akaunting
TODO: Enter the cookbook description here.

5
site-cookbooks/kosmos_akaunting/attributes/default.rb Normal file
View File

@@ -0,0 +1,5 @@
node.default["akaunting"]["user"] = "deploy"
node.default["akaunting"]["group"] = "www-data"
node.default["akaunting"]["repo"] = "https://github.com/akaunting/akaunting.git"
node.default["akaunting"]["revision"] = "3.1.12"
node.default["akaunting"]["port"] = 80

115
site-cookbooks/kosmos_akaunting/chefignore Normal file
View File

@@ -0,0 +1,115 @@
# Put files/directories that should be ignored in this file when uploading
# to a Chef Infra Server or Supermarket.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
ehthumbs.db
Icon?
nohup.out
Thumbs.db
.envrc
# EDITORS #
###########
.#*
.project
.settings
*_flymake
*_flymake.*
*.bak
*.sw[a-z]
*.tmproj
*~
\#*
REVISION
TAGS*
tmtags
.vscode
.editorconfig
## COMPILED ##
##############
*.class
*.com
*.dll
*.exe
*.o
*.pyc
*.so
*/rdoc/
a.out
mkmf.log
# Testing #
###########
.circleci/*
.codeclimate.yml
.delivery/*
.foodcritic
.kitchen*
.mdlrc
.overcommit.yml
.rspec
.rubocop.yml
.travis.yml
.watchr
.yamllint
azure-pipelines.yml
Dangerfile
examples/*
features/*
Guardfile
kitchen.yml*
mlc_config.json
Procfile
Rakefile
spec/*
test/*
# SCM #
#######
.git
.gitattributes
.gitconfig
.github/*
.gitignore
.gitkeep
.gitmodules
.svn
*/.bzr/*
*/.git
*/.hg/*
*/.svn/*
# Berkshelf #
#############
Berksfile
Berksfile.lock
cookbooks/*
tmp
# Bundler #
###########
vendor/*
Gemfile
Gemfile.lock
# Policyfile #
##############
Policyfile.rb
Policyfile.lock.json
# Documentation #
#############
CODE_OF_CONDUCT*
CONTRIBUTING*
documentation/*
TESTING*
UPGRADING*
# Vagrant #
###########
.vagrant
Vagrantfile

31
site-cookbooks/kosmos_akaunting/kitchen.yml Normal file
View File

@@ -0,0 +1,31 @@
---
driver:
name: vagrant
## The forwarded_port port feature lets you connect to ports on the VM guest
## via localhost on the host.
## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
# network:
# - ["forwarded_port", {guest: 80, host: 8080}]
provisioner:
name: chef_zero
## product_name and product_version specifies a specific Chef product and version to install.
## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
# product_name: chef
# product_version: 17
verifier:
name: inspec
platforms:
- name: ubuntu-20.04
- name: centos-8
suites:
- name: default
verifier:
inspec_tests:
- test/integration/default

9
site-cookbooks/kosmos_akaunting/metadata.rb Normal file
View File

@@ -0,0 +1,9 @@
name 'kosmos_akaunting'
maintainer 'Kosmos Developers'
maintainer_email 'mail@kosmos.org'
license 'MIT'
description 'Installs/configures akaunting for Kosmos'
version '0.1.0'
chef_version '>= 18.0'
depends 'kosmos-nodejs'

148
site-cookbooks/kosmos_akaunting/recipes/default.rb Normal file
View File

@@ -0,0 +1,148 @@
#
# Cookbook:: kosmos_akaunting
# Recipe:: default
#
app_name = "akaunting"
deploy_user = node["akaunting"]["user"]
deploy_group = node["akaunting"]["group"]
deploy_path = "/opt/#{app_name}"
credentials = data_bag_item("credentials", "akaunting")
pg_host = search(:node, "role:postgresql_primary").first["knife_zero"]["host"] rescue "localhost"
env = {
app_name: "Akaunting",
app_env: "production",
app_locale: "en-US",
app_installed: "true",
app_key: credentials["app_key"],
app_debug: "true",
app_schedule_time: "\"09:00\"",
app_url: "http://akaunting.kosmos.org",
db_connection: "pgsql",
db_host: pg_host,
db_port: "5432",
db_database: credentials["pg_database"],
db_username: credentials["pg_username"],
db_password: credentials["pg_password"],
log_level: "debug"
# mail_mailer: "mail",
# mail_host: "localhost",
# mail_port: "2525",
# mail_username: "null",
# mail_password: "null",
# mail_encryption: "null",
# mail_from_name: "null",
# mail_from_address: "null",
}
%w[
unzip nginx php8.1 php8.1-cli php8.1-bcmath php8.1-ctype php8.1-curl
php8.1-dom php8.1-fileinfo php8.1-intl php8.1-fpm php8.1-gd php8.1-mbstring
php8.1-pdo php8.1-pgsql php8.1-tokenizer php8.1-xml php8.1-zip
].each do |pkg|
package pkg
end
# TODO install composer
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
include_recipe "kosmos-nodejs"
group deploy_group
user deploy_user do
group deploy_group
manage_home true
shell "/bin/bash"
end
directory deploy_path do
owner deploy_user
group deploy_group
mode "0775"
end
git deploy_path do
repository node[app_name]["repo"]
revision node[app_name]["revision"]
user deploy_user
group deploy_group
action :sync
notifies :run, "execute[composer_install]", :immediately
notifies :run, "execute[npm_install]", :immediately
notifies :restart, "service[php8.1-fpm]", :delayed
end
execute "composer_install" do
user deploy_user
cwd deploy_path
command "composer install"
action :nothing
end
execute "npm_install" do
user deploy_user
cwd deploy_path
command "npm install"
action :nothing
notifies :run, "execute[compile_assets]", :immediately
end
execute "compile_assets" do
user deploy_user
cwd deploy_path
command "npm run prod"
action :nothing
end
execute "set_storage_permissions" do
command "chown -R www-data:www-data #{deploy_path}/storage"
end
template "#{deploy_path}/.env" do
source 'env.erb'
owner deploy_user
group deploy_group
mode 0660
sensitive true
variables config: env
notifies :restart, "service[php8.1-fpm]", :delayed
end
template "/etc/nginx/sites-available/default" do
source 'nginx-local.conf.erb'
owner deploy_user
group deploy_group
mode 0660
variables deploy_path: deploy_path,
port: node["akaunting"]["port"]
notifies :restart, "service[nginx]", :delayed
end
# template "/etc/php/8.1/fpm/pool.d/akaunting.conf" do
# source 'php-fpm.pool.erb'
# owner deploy_user
# group deploy_group
# mode 0600
# variables user: deploy_user,
# group: deploy_group,
# chdir: deploy_path,
# port: node["akaunting"]["port"]
# notifies :restart, "service[php8.1-fpm]", :delayed
# end
service "php8.1-fpm" do
action [:enable, :start]
end
service "nginx" do
action [:enable, :start]
end
firewall_rule "akaunting_zerotier" do
command :allow
port node["akaunting"]["port"]
protocol :tcp
source "10.1.1.0/24"
end

16
site-cookbooks/kosmos_akaunting/recipes/pg_db.rb Normal file
View File

@@ -0,0 +1,16 @@
#
# Cookbook:: kosmos_akaunting
# Recipe:: pg_db
#
credentials = data_bag_item("credentials", "akaunting")
postgresql_user credentials["pg_username"] do
action :create
password credentials["pg_password"]
end
postgresql_database credentials["pg_database"] do
owner credentials["pg_username"]
action :create
end

11
site-cookbooks/kosmos_akaunting/templates/env.erb Normal file
View File

@@ -0,0 +1,11 @@
<% @config.each do |key, value| %>
<% if value.is_a?(Hash) %>
<% value.each do |k, v| %>
<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
<% end %>
<% else %>
<% if value %>
<%= key.upcase %>=<%= value.to_s %>
<% end %>
<% end %>
<% end %>

49
site-cookbooks/kosmos_akaunting/templates/nginx-local.conf.erb Normal file
View File

@@ -0,0 +1,49 @@
server {
listen 80 default_server;
server_name akaunting.kosmos.org;
root <%= @deploy_path %>;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
# Prevent Direct Access To Protected Files
location ~ \.(env|log) {
deny all;
}
# Prevent Direct Access To Protected Folders
location ~ ^/(^app$|bootstrap|config|database|overrides|resources|routes|storage|tests|artisan) {
deny all;
}
# Prevent Direct Access To modules/vendor Folders Except Assets
location ~ ^/(modules|vendor)\/(.*)\.((?!ico|gif|jpg|jpeg|png|js\b|css|less|sass|font|woff|woff2|eot|ttf|svg|xls|xlsx).)*$ {
deny all;
}
error_page 404 /index.php;
# Pass PHP Scripts To FastCGI Server
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock; # Depends On The PHP Version
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
}

18
site-cookbooks/kosmos_akaunting/templates/php-fpm.pool.erb Normal file
View File

@@ -0,0 +1,18 @@
[akaunting]
user = <%= @user %>
group = <%= @group %>
listen = 0.0.0.0:<%= @port %>
listen.owner = <%= @user %>
listen.group = <%= @group %>
listen.mode = 0660
pm = dynamic
pm.max_children = 10
pm.start_servers = 4
pm.min_spare_servers = 2
pm.max_spare_servers = 6
pm.max_requests = 500
chdir = <%= @chdir %>
catch_workers_output = yes
php_admin_flag[log_errors] = on

16
site-cookbooks/kosmos_akaunting/test/integration/default/default_test.rb Normal file
View File

@@ -0,0 +1,16 @@
# Chef InSpec test for recipe kosmos_akaunting::default
# The Chef InSpec reference, with examples and extensive documentation, can be
# found at https://docs.chef.io/inspec/resources/
unless os.windows?
# This is an example test, replace with your own test.
describe user('root'), :skip do
it { should exist }
end
end
# This is an example test, replace it with your own test.
describe port(80), :skip do
it { should_not be_listening }
end

3
site-cookbooks/kosmos_email/recipes/default.rb
View File

@@ -7,6 +7,7 @@ domain = node["email"]["domain"]
hostname = node["email"]["hostname"]
root_dir = node["email"]["root_directory"]
ip_addr = node["knife_zero"]["host"]
extra_hostnames = ["smtp.#{domain}", "imap.#{domain}"]
node.override["set_fqdn"] = hostname
include_recipe "hostname"
@@ -23,7 +24,9 @@ directory root_dir do
end
tls_cert_for hostname do
domain ([hostname]+extra_hostnames)
auth "gandi_dns"
deploy_hook "systemctl reload postfix.service && systemctl reload dovecot.service"
action :create
end

6
site-cookbooks/kosmos_garage/recipes/nginx_web.rb
View File

@@ -3,6 +3,8 @@
# Recipe:: nginx_web
#
gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
file "#{node['openresty']['dir']}/conf.d/garage.conf" do
content <<-EOF
upstream garage_web {
@@ -40,8 +42,12 @@ end
#
node['garage']['s3_web_domains'].each do |domain_name|
second_level_domain = domain_name.match(/(?:.*\.)?([^.]+\.[^.]+)$/) { $1 }
proxy_validation = !gandi_api_credentials["domains"].include?(second_level_domain)
tls_cert_for domain_name do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org" if proxy_validation
action :create
end

4
site-cookbooks/kosmos_gitea/attributes/default.rb
View File

@@ -1,5 +1,5 @@
node.default["gitea"]["version"] = "1.21.7"
node.default["gitea"]["checksum"] = "fa88e6404d3d34136bdd50c990a8c390d5e05f4cb2e31641559d14234e022bd6"
node.default["gitea"]["version"] = "1.22.5"
node.default["gitea"]["checksum"] = "ce2c7e4fff3c1e3ed59f5b5e00e3f2d301f012c34e329fccd564bc5129075460"
node.default["gitea"]["working_directory"] = "/var/lib/gitea"
node.default["gitea"]["port"] = 3000
node.default["gitea"]["postgresql_host"] = "localhost:5432"

1
site-cookbooks/kosmos_gitea/recipes/backup.rb
View File

@@ -8,5 +8,6 @@
unless node.chef_environment == "development"
# backup the data dir and the config files
node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
node.override['backup']['s3']['keep'] = 2
include_recipe "backup"
end

4
site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
View File

@@ -112,3 +112,7 @@ MINIO_USE_SSL=<%= c["use_ssl"] %>
[actions]
ENABLED = true
<% end %>
[other]
SHOW_FOOTER_VERSION = false
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false

21
site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
View File

@@ -21,8 +21,13 @@ server {
location ~ ^/(avatars|repo-avatars)/.*$ {
proxy_buffers 1024 8k;
proxy_pass http://_gitea_web;
proxy_http_version 1.1;
expires 30d;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Docker registry
@@ -30,12 +35,22 @@ server {
client_max_body_size 0;
proxy_buffers 1024 8k;
proxy_pass http://_gitea_web;
proxy_http_version 1.1;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
proxy_buffers 1024 8k;
proxy_pass http://_gitea_web;
proxy_http_version 1.1;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

9
site-cookbooks/kosmos_kvm/attributes/default.rb
View File

@@ -1,9 +1,10 @@
ubuntu_server_cloud_image_release = "20230506"
release = "20240514"
img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm"
node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
"url" => "https://cloud-images.ubuntu.com/releases/focal/release-#{ubuntu_server_cloud_image_release}/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img",
"checksum" => "27d2b91fd2b715729d739e2a3155dce70d1aaae4f05c177f338b9d4b60be638c",
"path" => "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm-#{ubuntu_server_cloud_image_release}.qcow2"
"url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img",
"checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f",
"path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2"
}
# A systemd.timer OnCalendar config value

7
site-cookbooks/kosmos_kvm/files/backup_vm.sh
View File

@@ -22,8 +22,5 @@ borg create -v $REPOSITORY::$1_$(date +%F_%H-%M) \
/var/lib/libvirt/images/$1.qcow2 \
/root/backups/vm_meta/$1.xml
echo "Pivoting base image back to original"
virsh blockcommit $1 vda --pivot --base=/var/lib/libvirt/images/$1.qcow2
echo "Removing snapshot image"
rm /var/lib/libvirt/images/$1.hotswap.qcow2
echo "Pivoting base image back to original, and removing the snapshot image"
virsh blockcommit $1 vda --pivot --base=/var/lib/libvirt/images/$1.qcow2 && rm /var/lib/libvirt/images/$1.hotswap.qcow2

Some files were not shown because too many files have changed in this diff Show More