Upgrade Mastodon to 4.2.1

Reviewed-on: #523

clients/garage-5.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-5",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJxLFOBbml94W/GAe7nm\ntZs1Ziy8IbqXySsm8bSwWhRMQ8UuseqQLG30R3Q5X5AoJbtNfd26l63qLtP2fFtL\n5km9dV+2FoIJWFetl8Wzr7CaLYAiNzTQSFHlV7+6DKmPMDcJ63GKrFR77vkSGOG6\nOWL1bJy5BOaClp/sKL/0WQ0+mRbTP6RCQ2eI+46clAg702SenBU6Nz9HDm+teKN7\nYlP1CvzXgfgfpDOsat7wGn5+oKcmKavZxcdn8bt5jRpg8v3JezaZIjMXt7XcNS4n\n0F4XO/efnZE5B5SN68j4BpD8N79zJw4HlRIGP+RaYv2qLtBeWgLHCCs9wXQXfj6b\nLwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/her.json

@@ -0,0 +1,4 @@
+{
+  "name": "her",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsuj7OCWX2qz/WbsjMgpi\nI4CM13Pxrj+8Enrl4IorkK6O338rhdtfXmOJt2AuDuj6u12Xtnk0LN2n01hffXNu\nU0Hwy+szavnbjiqC8jw1nyCFwYgdy8lCj3WV4t/gRWFhiHZGkhBKaksAoo8jJqZv\nXi/4ZuRov01HJgT6CJBEfR5TUaRCHM4hz2Y60mmegmUNLTRUNIDy6rg5W8JplMlJ\ny0dJc6uEp8asKhPnEfMz1kXukjnsBLXZmxglqdAQeaZ1I78QvRV3rYh0Ge2ZPF8t\nv2c+mUMbH7e80lJPgp7rwqjKrjLfaYo/1ZqTqr3ArWw3253ttLp8KX1ltX69nIHq\nMwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/rsk-mainnet-3.json

@@ -0,0 +1,4 @@
+{
+  "name": "rsk-mainnet-3",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwdrYfy0Spmt8VETCdUgW\nHbxV3uYA3kn2swvOdIjIR29gNO+t6wWv6FHnV/pfefIweIPaNlr9VMoUejUKX809\ngzdsiVWh1T6s4Yzbbt+O8mF3my5RXiSvizda8c6U65vofBSL2WVzE1AW9v7lXRHX\nJ4auKrpgKWkNLU52QLIP9/X5YLUHQtpTnplO31eb+jSD185aN1qoIxugunxnWSgm\n2NgUPlVbNCFrhv0PVv4Ts10eX6smRX3LKyNBtRRXM3GIrQHlAYRohIpy3lt8tKm4\nE/v9qpXQHvqEmX9FH1/Sonea849cWX3LuxUYLT2XFpaNwUxJK56Ef0HsgZESaxL+\n3QIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/rsk-testnet-4.json

@@ -0,0 +1,4 @@
+{
+  "name": "rsk-testnet-4",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1NgmlPomxGRtu5oyro+m\ndQwBXwrhEuE73aLrUsqGOVSezph6LnETiEMFUIe1weoG+xdcykcUUMt7o1+nKs+E\nl8dxMIgbXAxdpI4n8gOpii70Sh30BDbh8+qZHsKBq32UmkCpz2ViVe/Vb3ViqB3e\n0GIkknPle5G4IC612O8EUkCenwcD1jSXYyug5zWI2T/TwnTuw4JdxfhkMgBM7Y2n\nR1YY6GwAMkK97wE/yBM74+Tiv/6lDy/JDbYmUVcQ55C937oodSWLAEM24EcOOtMA\nKfGumnthbdHzmHjONmLIegD3OJGYC2ulcB9qmaL/7cyIRhf6fEQrBolCH5881fxl\nxwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

data_bags/credentials/ejabberd.json

@@ -1,44 +1,58 @@
 {
   "id": "ejabberd",
   "5apps_ldap_password": {
-    "encrypted_data": "Jyt8IRrAt2LbyaMoKmo3SS+1ywXZhr1B0VtaE6L+Rg==\n",
-    "iv": "fpVbd9Xl662cJvKU\n",
-    "auth_tag": "dmWcmajdGiFHNamYT+SZWQ==\n",
+    "encrypted_data": "jsV7M+1lg4cc+x3WP+sWg4K5XcyFNPrCnlPA6Tl+mA==\n",
+    "iv": "qkYV3ljTHgiEdpHk\n",
+    "auth_tag": "SUfcAAr8PmA51JVn+IWRXg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "kosmos_ldap_password": {
-    "encrypted_data": "RtKK1k/gBQYZczxRC7r2MhB65lITFH69UBbdoNjoIQ==\n",
-    "iv": "MtMrzXMVoxe/rRGX\n",
-    "auth_tag": "q5SZT+2rT+jUDh9FNjZq8Q==\n",
+    "encrypted_data": "JzDO3Xlr0aF6xWmHXhkWDjpimgmQDR9SgQn0EAA20g==\n",
+    "iv": "gtMZ06rxKzi6O3we\n",
+    "auth_tag": "jnjd0P3yx8p4VOuoe4AArg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "uploads_secret": {
-    "encrypted_data": "01E+ANiUyZXzeSPtgQ9G2PHP0iyW2G2ApBg0shntTtoe\n",
-    "iv": "97nkWn0VLV4g9NmN\n",
-    "auth_tag": "bvQ2owruKwJZNPQ8eb2pXQ==\n",
+    "encrypted_data": "LXd5zSsZDqQ/jVUVCjN8i+DjcS89xkn9jUh/+Qsqzty8\n",
+    "iv": "Xrh8s7woFiUDAR8N\n",
+    "auth_tag": "tdlaQGzJIDWjz+xRNq1/UQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "admins": {
-    "encrypted_data": "bqSE9Owd1uxwFnFfE3+i7CNM+6SekM84Zkp6mBm1e++e4WAwhXgjvvdD/4hx\nYSysn41o77DG\n",
-    "iv": "p3MHwqp0eCM0ct1R\n",
-    "auth_tag": "MKvzZYJgvAeNmDUgZy8hdg==\n",
+    "encrypted_data": "5ykS3j5SfWstOwVcgtitAHpKSCyol+cqQvpd5gEGbnqUPB1x/1XzN+L01jSY\nCPcSUSJadXyu\n",
+    "iv": "9OqWkcaMwUwrnUr5\n",
+    "auth_tag": "boB/6oxS9lyTVk3xlddUXw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "erlang_cookie": {
-    "encrypted_data": "+fYG16Q2ImhMIvnVnNRmCD3THSqkgHkEFdgqvOEFjAg8YT10do+B\n",
-    "iv": "znHqFysDrwAaDF9u\n",
-    "auth_tag": "2DQDCeEBz025Q2tXpbJq4w==\n",
+    "encrypted_data": "dJGPR8Wt08dndhj2i8u5QIS7xVKxMlFNIXlR7z87L6bq2GV5uSbi\n",
+    "iv": "MSCY5oPea7PBr4t+\n",
+    "auth_tag": "15UteU8giZoPWkV8f8a85Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "stun_secret": {
-    "encrypted_data": "ZPTari/XE9MhCz4u7ydjt6hbSxCRpuqV1v198uGbAOsvqD+LI9PqmV76df0=\n",
-    "iv": "Tu/A0E2rQ324ksfg\n",
-    "auth_tag": "CFqLmR2uNrL+7wAzmgLgCA==\n",
+    "encrypted_data": "raGN5Q3yrVxmpYcnLtxh2lzpFUZp+uZxE0+RyWdkKOv4pmg52Sxbgw1vvdg=\n",
+    "iv": "3/SpX2kO/g8Fp0oY\n",
+    "auth_tag": "hFzJs0sz/Gf8RAivDen7Hw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_key_id": {
+    "encrypted_data": "TJm8USSzLn7N9IqV5UgVBCfp7XXyL5JKxvC5mdL+2ZDTnWUFuIOH5tFmigtc\n",
+    "iv": "fpoAWqct04pDHzeZ\n",
+    "auth_tag": "1aUzuzDCXePi4tKFOiZZVw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_secret_key": {
+    "encrypted_data": "tUfqkVuGTRbc8r8hJsgaHeWSKh1EEvqzXBhLBXZ3O7QnM+zfL70DXdtLa5zl\nghmypGIUXok/wY4LCV92GoVC7SyEdYWwFHB7wqmV/QXICHMy8eE=\n",
+    "iv": "d4vzG9SeAtdMttO/\n",
+    "auth_tag": "HJkNEd11pKwSu3ImogV1iQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

environments/production.json

@@ -16,14 +16,19 @@
     "droneci": {
       "public_url": "https://drone.kosmos.org"
     },
+    "ejabberd": {
+      "turn_ip_address": "148.251.83.201"
+    },
     "garage": {
       "replication_mode": "2",
-      "s3_api_root_domain": ".s3.garage.kosmos.org",
-      "s3_web_root_domain": ".web.garage.kosmos.org",
+      "s3_api_root_domain": "s3.kosmos.org",
+      "s3_web_root_domain": "web.s3.kosmos.org",
       "s3_web_domains": [
+        "media.kosmos.chat",
         "s3.kosmos.social",
         "s3.community.kosmos.org"
-      ]
+      ],
+      "xmpp_upload_bucket": "kosmos-xmpp-uploads"
     },
     "gitea": {
       "domain": "gitea.kosmos.org",

nodes/ejabberd-4.json

@@ -1,5 +1,6 @@
 {
   "name": "ejabberd-4",
+  "chef_environment": "production",
   "normal": {
     "knife_zero": {
       "host": "10.1.1.113"
@@ -16,7 +17,8 @@
       "kvm_guest",
       "ldap_client",
       "ejabberd",
-      "postgresql_client"
+      "postgresql_client",
+      "garage_gateway"
     ],
     "recipes": [
       "kosmos-base",
@@ -24,6 +26,9 @@
       "kosmos_kvm::guest",
       "kosmos-dirsrv::hostsfile",
       "kosmos_postgresql::hostsfile",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
       "kosmos-ejabberd::letsencrypt",
       "kosmos-ejabberd",
       "kosmos-ejabberd::default",
@@ -41,22 +46,22 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
+      "firewall::default",
       "kosmos-base::letsencrypt",
-      "kosmos-ejabberd::firewall",
-      "tor-full::default"
+      "kosmos-ejabberd::firewall"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "17.9.26",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.26/lib",
+        "version": "18.3.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "17.9.1",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.1/lib/ohai"
+        "version": "18.1.4",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
       }
     }
   },
@@ -66,4 +71,4 @@
     "role[ldap_client]",
     "role[ejabberd]"
   ]
-}
+}

nodes/ejabberd-8.json

@@ -1,5 +1,6 @@
 {
   "name": "ejabberd-8",
+  "chef_environment": "production",
   "normal": {
     "knife_zero": {
       "host": "10.1.1.123"
@@ -16,7 +17,8 @@
       "kvm_guest",
       "ldap_client",
       "ejabberd",
-      "postgresql_client"
+      "postgresql_client",
+      "garage_gateway"
     ],
     "recipes": [
       "kosmos-base",
@@ -24,6 +26,9 @@
       "kosmos_kvm::guest",
       "kosmos-dirsrv::hostsfile",
       "kosmos_postgresql::hostsfile",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
       "kosmos-ejabberd::letsencrypt",
       "kosmos-ejabberd",
       "kosmos-ejabberd::default",
@@ -41,22 +46,22 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
+      "firewall::default",
       "kosmos-base::letsencrypt",
-      "kosmos-ejabberd::firewall",
-      "tor-full::default"
+      "kosmos-ejabberd::firewall"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "17.10.3",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
+        "version": "18.3.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "17.9.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+        "version": "18.1.4",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
       }
     }
   },
@@ -66,4 +71,4 @@
     "role[ldap_client]",
     "role[ejabberd]"
   ]
-}
+}

nodes/fornax.kosmos.org.json

@@ -30,7 +30,6 @@
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::host",
-      "kosmos_kvm::backup",
       "kosmos_openresty",
       "kosmos_openresty::default",
       "kosmos_openresty::firewall",
@@ -42,6 +41,7 @@
       "kosmos_drone::nginx",
       "kosmos-ejabberd::nginx",
       "kosmos_garage::nginx_web",
+      "kosmos_garage::nginx_s3",
       "kosmos_gitea::nginx",
       "kosmos_gitea::nginx_ssh",
       "kosmos_rsk::nginx_testnet",
@@ -62,6 +62,9 @@
       "kosmos_zerotier::controller",
       "kosmos_zerotier::firewall",
       "kosmos_zerotier::zncui",
+      "kosmos-ejabberd::firewall",
+      "kosmos-ipfs::firewall_swarm",
+      "sockethub::firewall",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -110,6 +113,10 @@
     "role[base]",
     "role[kvm_host]",
     "role[openresty_proxy]",
-    "role[zerotier_controller]"
+    "role[zerotier_controller]",
+    "recipe[kosmos-ejabberd::firewall]",
+    "recipe[kosmos-ipfs::firewall_swarm]",
+    "recipe[kosmos_zerotier::firewall]",
+    "recipe[sockethub::firewall]"
   ]
 }

nodes/garage-2.json

@@ -23,7 +23,8 @@
       "kosmos_kvm::guest",
       "kosmos_garage",
       "kosmos_garage::default",
-      "kosmos_garage::firewall",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -38,21 +39,20 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
-      "firewall::default",
-      "chef-sugar::default"
+      "firewall::default"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "17.10.3",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
+        "version": "18.3.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "17.9.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+        "version": "18.1.4",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
       }
     }
   },

nodes/garage-3.json

@@ -23,7 +23,8 @@
       "kosmos_kvm::guest",
       "kosmos_garage",
       "kosmos_garage::default",
-      "kosmos_garage::firewall",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -38,21 +39,20 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
-      "firewall::default",
-      "chef-sugar::default"
+      "firewall::default"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "17.10.3",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
+        "version": "18.3.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "17.9.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+        "version": "18.1.4",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
       }
     }
   },

nodes/garage-5.json

@@ -0,0 +1,64 @@
+{
+  "name": "garage-5",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.33"
+    }
+  },
+  "automatic": {
+    "fqdn": "garage-5",
+    "os": "linux",
+    "os_version": "5.15.0-84-generic",
+    "hostname": "garage-5",
+    "ipaddress": "192.168.122.55",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "garage_node"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.3.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.1.4",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[garage_node]"
+  ]
+}

nodes/her.json

@@ -0,0 +1,56 @@
+{
+  "name": "her",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.222"
+    }
+  },
+  "automatic": {
+    "fqdn": "her",
+    "os": "linux",
+    "os_version": "5.15.0-84-generic",
+    "hostname": "her",
+    "ipaddress": "192.168.30.172",
+    "roles": [
+      "base",
+      "kvm_host"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::host",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.3.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.1.4",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_host]"
+  ]
+}

nodes/postgres-4.json

@@ -12,6 +12,7 @@
     "hostname": "postgres-4",
     "ipaddress": "192.168.122.3",
     "roles": [
+      "base",
       "kvm_guest",
       "postgresql_primary"
     ],
@@ -46,18 +47,18 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "17.7.29",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.7.29/lib",
+        "version": "18.3.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "17.7.8",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.7.8/lib/ohai"
+        "version": "18.1.4",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
       }
     }
   },
   "run_list": [
-    "recipe[kosmos-base]",
+    "role[base]",
     "role[kvm_guest]",
     "role[postgresql_primary]"
   ]

nodes/rsk-mainnet-3.json

@@ -0,0 +1,61 @@
+{
+  "name": "rsk-mainnet-3",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.150"
+    }
+  },
+  "automatic": {
+    "fqdn": "rsk-mainnet-3",
+    "os": "linux",
+    "os_version": "5.15.0-1046-kvm",
+    "hostname": "rsk-mainnet-3",
+    "ipaddress": "192.168.122.233",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "rskj_mainnet"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_rsk::rskj",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "kosmos_rsk::firewall",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.3.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.1.4",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[rskj_mainnet]"
+  ]
+}

nodes/rsk-testnet-4.json

@@ -0,0 +1,61 @@
+{
+  "name": "rsk-testnet-4",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.126"
+    }
+  },
+  "automatic": {
+    "fqdn": "rsk-testnet-4",
+    "os": "linux",
+    "os_version": "5.15.0-1045-kvm",
+    "hostname": "rsk-testnet-4",
+    "ipaddress": "192.168.122.235",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "rskj_testnet"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_rsk::rskj",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "kosmos_rsk::firewall",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.3.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.1.4",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[rskj_testnet]"
+  ]
+}

roles/ejabberd.rb

@@ -7,6 +7,7 @@ default_run_list = %w(
 
 production_run_list = %w(
   role[postgresql_client]
+  role[garage_gateway]
   kosmos-ejabberd::letsencrypt
   kosmos-ejabberd::default
 )

roles/openresty_proxy.rb

@@ -23,6 +23,7 @@ production_run_list = %w(
   kosmos_drone::nginx
   kosmos-ejabberd::nginx
   kosmos_garage::nginx_web
+  kosmos_garage::nginx_s3
   kosmos_gitea::nginx
   kosmos_gitea::nginx_ssh
   kosmos_rsk::nginx_testnet

roles/rskj_mainnet.rb

@@ -9,7 +9,6 @@ default_attributes 'rskj' => {
 
 default_run_list = %w(
   kosmos_rsk::rskj
-  kosmos_rsk::nginx
 )
 
 env_run_lists(

site-cookbooks/kosmos-ejabberd/attributes/default.rb

@@ -1,16 +1,7 @@
-node.default["kosmos-ejabberd"]["version"] = "23.04"
-node.default["kosmos-ejabberd"]["package_version"] = "1"
-node.default["kosmos-ejabberd"]["checksum"] = "0bc273043085f8bc333abd176e767cc0a77b7336014777c2f2d10ae27e3d8aec"
-node.default["kosmos-ejabberd"]["turn_ip_address"] = "148.251.83.201"
-node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478
-node.default["kosmos-ejabberd"]["turn_min_port"] = 50000
-node.default["kosmos-ejabberd"]["turn_max_port"] = 50050
-
-node.default["kosmos-ejabberd"]["uploads"] = {
-  "domain" => "uploads.kosmos.chat",
-  "max_upload_size_mb" => "100",
-  "upload.pm" => {
-    "repo" => "https://gitea.kosmos.org/kosmos/ngx_http_upload.git",
-    "revision" => "0.2"
-  }
-}
+node.default["ejabberd"]["version"] = "23.10"
+node.default["ejabberd"]["package_version"] = "1"
+node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77"
+node.default["ejabberd"]["turn_ip_address"] = nil
+node.default["ejabberd"]["stun_turn_port"] = 3478
+node.default["ejabberd"]["turn_min_port"] = 50000
+node.default["ejabberd"]["turn_max_port"] = 50050

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -5,12 +5,12 @@
 
 ejabberd_credentials = data_bag_item("credentials", "ejabberd")
 
-ejabberd_version = node["kosmos-ejabberd"]["version"]
-package_checksum = node["kosmos-ejabberd"]["checksum"]
+ejabberd_version = node["ejabberd"]["version"]
+package_checksum = node["ejabberd"]["checksum"]
 package_path = "#{Chef::Config['file_cache_path']}/ejabberd_#{ejabberd_version}_amd64.deb"
 
 remote_file package_path do
-  source "https://github.com/processone/ejabberd/releases/download/#{ejabberd_version}/ejabberd_#{ejabberd_version}-#{node["kosmos-ejabberd"]["package_version"]}_amd64.deb"
+  source "https://github.com/processone/ejabberd/releases/download/#{ejabberd_version}/ejabberd_#{ejabberd_version}-#{node["ejabberd"]["package_version"]}_amd64.deb"
   checksum package_checksum
   notifies :install, "dpkg_package[ejabberd]", :immediately
 end
@@ -22,6 +22,21 @@ dpkg_package "ejabberd" do
   action :nothing
 end
 
+execute "update contrib modules" do
+  command "ejabberdctl modules_update_specs"
+end
+
+%w[mod_s3_upload].each do |emod|
+  execute "install #{emod}" do
+    command "ejabberdctl module_install #{emod}"
+    not_if { ::File.exist?("/opt/ejabberd/.ejabberd-modules/#{emod}/ebin") }
+  end
+
+  file "/opt/ejabberd/.ejabberd-modules/#{emod}/conf/#{emod}.yml" do
+    action :delete
+  end
+end
+
 file "/opt/ejabberd/.erlang.cookie" do
   mode "0400"
   owner "ejabberd"
@@ -70,7 +85,7 @@ hosts = [
     ldap_enabled: true,
     ldap_password: ejabberd_credentials['kosmos_ldap_password'],
     append_host_config: <<-EOF
-modules:
+    modules:
       mod_disco:
         extra_domains:
           - kosmos.chat
@@ -92,12 +107,6 @@ modules:
         default_room_options:
           mam: true
         preload_rooms: true
-      mod_muc_rtbl: {}
-      mod_http_upload:
-        put_url: "https://uploads.kosmos.chat/8af2c77"
-        external_secret: "#{ejabberd_credentials["uploads_secret"]}"
-        max_size: 104857600
-        thumbnail: false # otherwise needs the identify command from ImageMagick installed
                 EOF
   },
   {
@@ -106,7 +115,7 @@ modules:
     ldap_enabled: true,
     ldap_password: ejabberd_credentials['5apps_ldap_password'],
     append_host_config: <<-EOF
-modules:
+    modules:
       mod_disco:
         extra_domains:
           - muc.5apps.com
@@ -133,12 +142,6 @@ modules:
           persistent: true
           mam: true
         preload_rooms: true
-      mod_muc_rtbl: {}
-      mod_http_upload:
-        put_url: "https://uploads.kosmos.chat/2802cfe"
-        external_secret: "#{ejabberd_credentials["uploads_secret"]}"
-        max_size: 104857600
-        thumbnail: false # otherwise needs the identify command from ImageMagick installed
                 EOF
   }
 ]
@@ -182,12 +185,19 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
             admin_users: admin_users,
             stun_auth_realm: "kosmos.org",
             stun_secret: ejabberd_credentials['stun_secret'],
-            turn_ip_address: node["kosmos-ejabberd"]["turn_ip_address"],
-            stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
-            turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
-            turn_max_port: node["kosmos-ejabberd"]["turn_max_port"],
+            turn_ip_address: node["ejabberd"]["turn_ip_address"],
+            stun_turn_port: node["ejabberd"]["stun_turn_port"],
+            turn_min_port: node["ejabberd"]["turn_min_port"],
+            turn_max_port: node["ejabberd"]["turn_max_port"],
             private_ip_address: node["knife_zero"]["host"],
-            akkounts_ip_addresses: akkounts_ip_addresses
+            akkounts_ip_addresses: akkounts_ip_addresses,
+            mod_s3_upload: {
+              region: "garage",
+              bucket_url: "https://#{node["garage"]["xmpp_upload_bucket"]}.#{node["garage"]["s3_api_root_domain"]}",
+              download_url: "https://media.kosmos.chat",
+              key_id: ejabberd_credentials['s3_key_id'],
+              secret_key: ejabberd_credentials['s3_secret_key']
+            }
   notifies :reload, "service[ejabberd]", :delayed
 end
 

site-cookbooks/kosmos-ejabberd/recipes/firewall.rb

@@ -25,13 +25,13 @@ firewall_rule 'erlang_cluster' do
 end
 
 firewall_rule 'ejabberd_stun_turn' do
-  port     node["kosmos-ejabberd"]["stun_turn_port"]
+  port     node["ejabberd"]["stun_turn_port"]
   protocol :udp
   command  :allow
 end
 
 firewall_rule 'ejabberd_turn' do
-  port     node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
+  port     node["ejabberd"]["turn_min_port"]..node["ejabberd"]["turn_max_port"]
   protocol :udp
   command  :allow
 end

site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb

@@ -20,7 +20,7 @@ for domain in $RENEWED_DOMAINS; do
     cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
     chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
     chmod 600 /opt/ejabberd/conf/$domain.*
-    /opt/ejabberd-#{node["kosmos-ejabberd"]["version"]}/bin/ejabberdctl reload_config
+    /opt/ejabberd-#{node["ejabberd"]["version"]}/bin/ejabberdctl reload_config
     ;;
   esac
 done

site-cookbooks/kosmos-ejabberd/recipes/nginx.rb

@@ -20,20 +20,20 @@ end
 openresty_stream "ejabberd" do
   template "nginx_conf_streams.erb"
   variables ejabberd_hosts: ["10.1.1.113"],
-            stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
-            turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
-            turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
+            stun_turn_port: node["ejabberd"]["stun_turn_port"],
+            turn_min_port: node["ejabberd"]["turn_min_port"],
+            turn_max_port: node["ejabberd"]["turn_max_port"]
   action :enable
 end
 
 firewall_rule 'ejabberd_stun_turn' do
-  port     node["kosmos-ejabberd"]["stun_turn_port"]
+  port     node["ejabberd"]["stun_turn_port"]
   protocol :udp
   command  :allow
 end
 
 firewall_rule 'ejabberd_turn' do
-  port     node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
+  port     node["ejabberd"]["turn_min_port"]..node["ejabberd"]["turn_max_port"]
   protocol :udp
   command  :allow
 end

site-cookbooks/kosmos-ejabberd/recipes/pg_db.rb

@@ -2,28 +2,6 @@
 # Cookbook:: kosmos-ejabberd
 # Recipe:: pg_db
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
 
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 

site-cookbooks/kosmos-ejabberd/recipes/upload_service.rb

@@ -8,7 +8,7 @@ include_recipe "kosmos-nginx::with_perl"
 ejabberd_credentials = data_bag_item("credentials", "ejabberd")
 uploads_secret = ejabberd_credentials["uploads_secret"]
 
-upload_config = node["kosmos-ejabberd"]["uploads"]
+upload_config = node["ejabberd"]["uploads"]
 domain = upload_config["domain"]
 
 git "/opt/upload.pm" do

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -77,7 +77,6 @@ listen:
     request_handlers:
       "/ws": ejabberd_http_ws
       "/bosh": mod_bosh
-      "/upload": mod_http_upload
       "/admin": ejabberd_web_admin
     custom_headers:
       "Access-Control-Allow-Origin": "*"
@@ -261,6 +260,23 @@ modules:
   mod_stream_mgmt: {}
   mod_s2s_dialback: {}
   mod_http_api: {}
+  mod_muc_occupantid: {}
+  mod_muc_rtbl: {}
+  mod_s3_upload:
+    region: <%= @mod_s3_upload[:region] %>
+    bucket_url: <%= @mod_s3_upload[:bucket_url] %>
+    download_url: <%= @mod_s3_upload[:download_url] %>
+    access_key_id: <%= @mod_s3_upload[:key_id] %>
+    access_key_secret: <%= @mod_s3_upload[:secret_key] %>
+    max_size: 104857600
+    put_ttl: 600
+    set_public: true
+    service_name: 'S3 Upload'
+    access: local
+    hosts:
+<% @hosts.each do |host| -%>
+      - "upload.<%= host[:name] %>"
+<% end -%>
 
 allow_contrib_modules: true
 

site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb

@@ -21,5 +21,5 @@ host_config:
 
 append_host_config:
   "<%= @host[:name] %>":
-    <%= @host[:append_host_config].chomp %>
+<%= @host[:append_host_config].chomp %>
 

site-cookbooks/kosmos-mastodon/attributes/default.rb

@@ -1,5 +1,5 @@
 node.default["kosmos-mastodon"]["repo"]              = "https://gitea.kosmos.org/kosmos/mastodon.git"
-node.default["kosmos-mastodon"]["revision"]          = "kosmos-production"
+node.default["kosmos-mastodon"]["revision"]          = "production"
 node.default["kosmos-mastodon"]["directory"]         = "/opt/mastodon"
 node.default["kosmos-mastodon"]["bind_ip"]           = "127.0.0.1"
 node.default["kosmos-mastodon"]["app_port"]          = 3000

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -3,6 +3,8 @@
 # Recipe:: default
 #
 
+node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_16.x"
+
 include_recipe "kosmos-nodejs"
 include_recipe "java"
 include_recipe 'redisio::default'
@@ -73,13 +75,12 @@ npm_package "yarn" do
   version "1.22.4"
 end
 
-ruby_version = "3.0.4"
-# ruby_version = "3.2.2"
+ruby_version = "3.0.6"
 
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
 
-ruby_build_install 'v20230615'
+ruby_build_install 'v20231025'
 ruby_build_definition ruby_version do
   prefix_path ruby_path
 end
@@ -210,15 +211,7 @@ execute "yarn install" do
   environment deploy_env
   user mastodon_user
   cwd mastodon_path
-  command "yarn install --pure-lockfile"
-end
-
-execute "rake db:migrate" do
-  environment deploy_env
-  user mastodon_user
-  group mastodon_user
-  cwd mastodon_path
-  command "bundle exec rake db:migrate"
+  command "yarn install --frozen-lockfile"
 end
 
 execute "rake assets:precompile" do
@@ -229,6 +222,14 @@ execute "rake assets:precompile" do
   command "bundle exec rake assets:precompile"
 end
 
+execute "rake db:migrate" do
+  environment deploy_env
+  user mastodon_user
+  group mastodon_user
+  cwd mastodon_path
+  command "bundle exec rake db:migrate"
+end
+
 service "mastodon-web" do
   action [:enable, :start]
 end

site-cookbooks/kosmos-mastodon/templates/default/mastodon-sidekiq.systemd.service.erb

@@ -8,7 +8,8 @@ Type=simple
 User=<%= @user %>
 WorkingDirectory=<%= @app_dir %>
 Environment="RAILS_ENV=production"
-Environment="DB_POOL=50"
+Environment="DB_POOL=<%= @sidekiq_threads %>"
+Environment="MALLOC_ARENA_MAX=2"
 Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
 ExecStart=<%= @bundle_path %> exec sidekiq -c <%= @sidekiq_threads %> -q default -q mailers -q pull -q push -q ingress
 TimeoutSec=15

site-cookbooks/kosmos-mastodon/templates/default/mastodon-streaming.systemd.service.erb

@@ -8,9 +8,10 @@ WorkingDirectory=<%= @app_dir %>
 Environment="NODE_ENV=production"
 Environment="BIND=<%= @bind %>"
 Environment="PORT=<%= @port %>"
-ExecStart=/usr/bin/npm run start
+ExecStart=/usr/bin/node ./streaming
 TimeoutSec=15
 Restart=always
+LimitNOFILE=65536
 
 [Install]
 WantedBy=multi-user.target

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb

@@ -15,7 +15,7 @@ gzip_proxied any;
 gzip_comp_level 6;
 gzip_buffers 16 8k;
 gzip_http_version 1.1;
-gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
 
 location / {
 # If the maintenance file is present, show maintenance page
@@ -25,34 +25,60 @@ location / {
   try_files $uri @proxy;
 }
 
-location /sw.js {
-  add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
-  add_header Pragma "no-cache";
+location = /sw.js {
+  add_header Cache-Control "public, max-age=604800, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
   try_files $uri @proxy;
 }
 
-location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
-  add_header Cache-Control "public, max-age=31536000, immutable";
-  proxy_cache mastodon_cache;
+location ~ ^/assets/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
   try_files $uri @proxy;
 }
 
-location @proxy {
-  proxy_set_header Host $host;
-  proxy_set_header X-Real-IP $remote_addr;
-  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-  proxy_set_header X-Forwarded-Proto https;
-  proxy_set_header Proxy "";
-  proxy_pass_header Server;
+location ~ ^/avatars/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
 
-  proxy_pass http://mastodon_app;
-  proxy_buffering off;
-  proxy_redirect off;
-  proxy_http_version 1.1;
-  proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection $connection_upgrade;
+location ~ ^/emoji/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
 
-  tcp_nodelay on;
+location ~ ^/headers/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
+
+location ~ ^/packs/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
+
+location ~ ^/shortcuts/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
+
+location ~ ^/sounds/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
+
+location ~ ^/system/ {
+  add_header Cache-Control "public, max-age=2419200, immutable";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  add_header X-Content-Type-Options nosniff;
+  add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
+  try_files $uri @proxy;
 }
 
 location /api/v1/streaming {
@@ -72,6 +98,24 @@ location /api/v1/streaming {
   tcp_nodelay on;
 }
 
+location @proxy {
+  proxy_set_header Host $host;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto https;
+  proxy_set_header Proxy "";
+  proxy_pass_header Server;
+
+  proxy_pass http://mastodon_app;
+  proxy_buffering on;
+  proxy_redirect off;
+  proxy_http_version 1.1;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection $connection_upgrade;
+
+  tcp_nodelay on;
+}
+
 error_page 500 501 502 504 /500.html;
 error_page 503 /maintenance.html;
 

site-cookbooks/kosmos_garage/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default['garage']['version']            = '0.8.0'
-node.default['garage']['checksum']['amd64']  = '66dd2ea1f677281a43e10eb619523b1b269f8fde9047ce8caa70958f3b13ca74'
+node.default['garage']['version']            = '0.8.4'
+node.default['garage']['checksum']['amd64']  = '45403d494847c42efc620f66c52d27c0bb0446a490e62f5b0b87489a588a767d'
 node.default['garage']['replication_mode']   = 'none'
 node.default['garage']['s3_api_port']        = 3900
 node.default['garage']['rpc_port']           = 3901
@@ -9,3 +9,4 @@ node.default['garage']['k2v_api_port']       = 3904
 node.default['garage']['s3_api_root_domain'] = '.s3.garage.localhost'
 node.default['garage']['s3_web_root_domain'] = '.web.garage.localhost'
 node.default['garage']['s3_web_domains']     = []
+node.default['garage']['xmpp_upload_bucket'] = nil

site-cookbooks/kosmos_garage/recipes/nginx_s3.rb

@@ -0,0 +1,22 @@
+#
+# Cookbook Name:: kosmos_garage
+# Recipe:: nginx_s3
+#
+
+domain_name = node['garage']['s3_api_root_domain']
+server_name = "*.#{domain_name}"
+
+tls_cert_for domain_name do
+  domain [domain_name, server_name]
+  auth "gandi_dns"
+  action :create
+end
+
+openresty_site domain_name do
+  template "nginx_conf_s3.erb"
+  variables server_name: "#{domain_name} #{server_name}",
+            domain_name: domain_name,
+            xmpp_upload_bucket: node['garage']['xmpp_upload_bucket'],
+            ssl_cert:    "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
+            ssl_key:     "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
+end

site-cookbooks/kosmos_garage/recipes/nginx_web.rb

@@ -15,18 +15,41 @@ proxy_cache_path #{node['openresty']['cache_dir']}/garage
 EOF
 end
 
-domains = node['garage']['s3_web_domains']
+#
+# Root domain for public Web access via bucket-name.root-domain.tld
+#
 
-domains.each do |server_name|
-  tls_cert_for server_name do
+domain_name = node['garage']['s3_web_root_domain']
+server_name = "*.#{domain_name}"
+
+tls_cert_for server_name do
+  auth "gandi_dns"
+  action :create
+end
+
+openresty_site domain_name do
+  template "nginx_conf_web.erb"
+  variables server_name: server_name,
+            domain_name: domain_name,
+            ssl_cert:    "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
+            ssl_key:     "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
+end
+
+#
+# Custom domains for public Web access
+#
+
+node['garage']['s3_web_domains'].each do |domain_name|
+  tls_cert_for domain_name do
     auth "gandi_dns"
     action :create
   end
 
-  openresty_site server_name do
+  openresty_site domain_name do
     template "nginx_conf_web.erb"
-    variables server_name: server_name,
-              ssl_cert:    "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
-              ssl_key:     "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+    variables server_name: domain_name,
+              domain_name: domain_name,
+              ssl_cert:    "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
+              ssl_key:     "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
   end
 end

site-cookbooks/kosmos_garage/templates/garage.toml.erb

@@ -11,11 +11,11 @@ rpc_secret = "<%= @rpc_secret %>"
 [s3_api]
 s3_region = "<%= @s3_region %>"
 api_bind_addr = "[::]:<%= @s3_api_port %>"
-root_domain = "<%= @s3_api_root_domain %>"
+root_domain = ".<%= @s3_api_root_domain %>"
 
 [s3_web]
 bind_addr = "[::]:<%= @s3_web_port %>"
-root_domain = "<%= @s3_web_root_domain %>"
+root_domain = ".<%= @s3_web_root_domain %>"
 index = "index.html"
 
 [k2v_api]

site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb

@@ -0,0 +1,49 @@
+upstream garage_s3 {
+  server 127.0.0.1:3900;
+}
+
+server {
+  listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
+  listen [::]:443 http2 ssl;
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  server_name <%= @server_name %>;
+
+  access_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.access.log json;
+  error_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.error.log warn;
+
+  error_page 401 403 404 500 /__empty-page.html;
+
+  location = /__empty-page.html {
+    internal;
+    return 200 "";
+  }
+
+  location / {
+    if ($request_method = OPTIONS) {
+      add_header Content-Length 0;
+      add_header Content-Type text/plain;
+      return 200;
+    }
+
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $host;
+    proxy_request_buffering off;
+    proxy_max_temp_file_size 0;
+
+    proxy_pass http://garage_s3;
+
+<% if @xmpp_upload_bucket %>
+    # Some XMPP clients (e.g. Beagle, Siskin, Snikket, Monal) require a 201 CREATED
+    # for PUT requests to be considered successful
+    header_filter_by_lua_block {
+      if ngx.var.http_host == "<%= @xmpp_upload_bucket %>.<%= @domain_name %>" and
+         ngx.req.get_method() == "PUT" and ngx.status == ngx.HTTP_OK then
+        ngx.status = ngx.HTTP_CREATED
+      end
+    }
+<% end %>
+  }
+}

site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb

@@ -1,14 +1,15 @@
 server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
   listen [::]:443 http2 ssl;
 
   server_name <%= @server_name %>;
 
-  access_log off;
-
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
+  access_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.access.log json;
+  error_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.error.log warn;
+
   error_page 401 403 404 500 /__empty-page.html;
 
   location = /__empty-page.html {

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,7 +1,7 @@
-gitea_version = "1.20.3"
+gitea_version = "1.20.5"
 node.default["gitea"]["version"] = gitea_version
 node.default["gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["gitea"]["binary_checksum"] = "bf9415d5f25690b81443302e6c68c16509c74e0b1385297c75a5b4913e43afd7"
+node.default["gitea"]["binary_checksum"] = "ae8d21f36098a62272fcfa67ecbb567d0ba6cf5aecaaab29a6b98a407d435bdf"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"

site-cookbooks/kosmos_postgresql/resources/server.rb

@@ -54,11 +54,11 @@ action :create do
     unix_socket_directories: "/var/run/postgresql",
     dynamic_shared_memory_type: "posix",
     timezone: "UTC", # default is GMT
-    listen_addresses: "0.0.0.0"
+    listen_addresses: "0.0.0.0",
+    promote_trigger_file: "#{postgresql_data_dir}/failover.trigger",
+    wal_keep_segments: 256
   }
 
-  additional_config[:promote_trigger_file] = "#{postgresql_data_dir}/failover.trigger"
-
   postgresql_server_conf "main" do
     version postgresql_version
     additional_config additional_config

site-cookbooks/kosmos_rsk/attributes/default.rb

@@ -1,4 +1,4 @@
-node.default['rskj']['version'] = '4.4.0~focal'
+node.default['rskj']['version'] = '5.3.0~jammy'
 node.default['rskj']['network'] = 'testnet'
 
 node.default['rskj']['nginx']['domain'] = nil

site-cookbooks/kosmos_rsk/kitchen.yml

@@ -1,6 +1,7 @@
 ---
 driver:
   name: dokken
+  chef_version: 18.2.7
   pull_platform_image: false
   pull_chef_image: false
   memory_limit: 2147483648 # 2GB
@@ -18,7 +19,7 @@ transport:
 
 provisioner:
   name: dokken
-  clean_dokken_sandbox: false
+  # clean_dokken_sandbox: false
   # You may wish to disable always updating cookbooks in CI or other testing environments.
   # For example:
   #   always_update_cookbooks: <%= !ENV['CI'] %>
@@ -33,9 +34,9 @@ verifier:
   name: inspec
 
 platforms:
-  - name: ubuntu-20.04
+  - name: ubuntu-22.04
     driver:
-      image: dokken/ubuntu-20.04
+      image: dokken/ubuntu-22.04
       privileged: true
       pid_one_command: /usr/lib/systemd/systemd
       intermediate_instructions:

site-cookbooks/kosmos_rsk/metadata.rb

@@ -3,8 +3,8 @@ maintainer 'Kosmos Developers'
 maintainer_email 'ops@kosmos.org'
 license 'MIT'
 description 'Installs/configures RSKj and related software'
-version '0.3.0'
-chef_version '>= 15.0'
+version '0.4.0'
+chef_version '>= 18.2'
 issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
 source_url 'https://gitea.kosmos.org/kosmos/chef'
 

site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb

@@ -9,7 +9,7 @@ end
 
 describe package('rskj') do
   it { should be_installed }
-  its('version') { should eq '4.4.0~focal' }
+  its('version') { should eq '5.3.0~jammy' }
 end
 
 describe service('rsk') do

site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb

@@ -26,6 +26,7 @@ server {
     proxy_buffers 1024 8k;
 
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
 
     proxy_pass http://_rs_discourse;
     proxy_http_version 1.1;