Use Ubuntu 22.04 for new VMs

Also, remove the custom config image generation and replace it with
`--cloud-init` options.

.gitmodules

@@ -4,9 +4,3 @@
 [submodule "site-cookbooks/openresty"]
 	path = site-cookbooks/openresty
 	url = https://github.com/67P/chef-openresty.git
-[submodule "site-cookbooks/strfry"]
-	path = site-cookbooks/strfry
-	url = git@gitea.kosmos.org:kosmos/strfry-cookbook.git
-[submodule "site-cookbooks/deno"]
-	path = site-cookbooks/deno
-	url = git@gitea.kosmos.org:kosmos/deno-cookbook.git

clients/strfry-1.json

@@ -1,4 +0,0 @@
-{
-  "name": "strfry-1",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDV/RMGMXVDbvoA6PNh8\nQzhtHwYDCFcUSkbrwP6tzh6GpVunGEOdOdhj2V63T2tF1H+lujxQXh5pK7C0D6VZ\niO04ftJlo7/svyxUcwWr+znyN5sFdQRh3cBZiGSBYolizwoqgtPFlbNhmWAzV0Du\n9t8mhz70IK3B+UdwWyHtoK0NNsJGnQ9YzAvcjyDmEO/3sCjAhNnxVpmXftpcSmd9\nMonzFtIDBbRRll4AHZYRbmXCzx63+VmelvdnufnbY82liol0zzBwJaBD1wyNlG0y\ni96p3Kx03bLNlIaYVGbjZeJi+6oo2VDWJ4OloLLAYoHDSipeHT9qWfUdnE6ge4Lm\nywIDAQAB\n-----END PUBLIC KEY-----\n"
-}

data_bags/credentials/dirsrv.json

@@ -1,30 +1,9 @@
 {
   "id": "dirsrv",
-  "admin_dn": {
-    "encrypted_data": "zRtz6Scb9WtUXGyjc0xyvsre0YvqupuaFz+RPApj7DEQTmYyZPVb\n",
-    "iv": "xfIXMhEBHBWqa4Dz\n",
-    "auth_tag": "BcA32u1njcnCZ+yrBGSceQ==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
   "admin_password": {
-    "encrypted_data": "7JpXl3JZDqKWDfYt/wuNbkbob+oRuONhkuAlpqUCCEIn+tY=\n",
+    "encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
-    "iv": "Lcwc4NDzrfcBaIKQ\n",
+    "iv": "KNW2B8tpX7ywZwbg\n",
-    "auth_tag": "rrePS3Bhdnwbr2d/o8vMhg==\n",
+    "auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "service_dn": {
-    "encrypted_data": "sqRFiZreLeTPQljSfhAuV3DmsPxSC8tzWjCdu+WSSbO67sBQA+xhmGtzBhBD\nDZPGJw+jtAxzuVvPdAjxgAVgxXO6C6WEo87L1tdJewE=\n",
-    "iv": "GUEGtyRJXrPhWcUs\n",
-    "auth_tag": "2USsrx//3V7RCyumGCbMkg==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "service_password": {
-    "encrypted_data": "f2wi8B8SEt6p5G0TF3dZ72j0vMFlvwcP1suxYnshBA==\n",
-    "iv": "rOnUoxbnkaJtodM+\n",
-    "auth_tag": "dVLCtBVMjxLfW2D8XjJBdQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

environments/production.json

@@ -101,17 +101,6 @@
     },
     "sentry": {
       "allowed_ips": "10.1.1.0/24"
-    },
-    "strfry": {
-      "domain": "nostr.kosmos.org",
-      "real_ip_header": "x-real-ip",
-      "policy_path": "/opt/strfry-policy.ts",
-      "info": {
-        "name": "Kosmos Relay",
-        "description": "Members-only nostr relay for kosmos.org users",
-        "pubkey": "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb",
-        "contact": "ops@kosmos.org"
-      }
     }
   }
 }

nodes/draco.kosmos.org.json

@@ -54,7 +54,6 @@
       "kosmos_liquor-cabinet::nginx",
       "kosmos_rsk::nginx_testnet",
       "kosmos_rsk::nginx_mainnet",
-      "kosmos_strfry::nginx",
       "kosmos_website",
       "kosmos_website::default",
       "kosmos-akkounts::nginx",

nodes/fornax.kosmos.org.json

@@ -48,7 +48,6 @@
       "kosmos_liquor-cabinet::nginx",
       "kosmos_rsk::nginx_testnet",
       "kosmos_rsk::nginx_mainnet",
-      "kosmos_strfry::nginx",
       "kosmos_website",
       "kosmos_website::default",
       "kosmos-akkounts::nginx",

nodes/strfry-1.json

@@ -1,66 +0,0 @@
-{
-  "name": "strfry-1",
-  "chef_environment": "production",
-  "normal": {
-    "knife_zero": {
-      "host": "10.1.1.164"
-    }
-  },
-  "automatic": {
-    "fqdn": "strfry-1",
-    "os": "linux",
-    "os_version": "5.15.0-1060-kvm",
-    "hostname": "strfry-1",
-    "ipaddress": "192.168.122.54",
-    "roles": [
-      "base",
-      "kvm_guest",
-      "strfry",
-      "ldap_client"
-    ],
-    "recipes": [
-      "kosmos-base",
-      "kosmos-base::default",
-      "kosmos_kvm::guest",
-      "kosmos-dirsrv::hostsfile",
-      "strfry",
-      "strfry::default",
-      "kosmos_strfry::policies",
-      "kosmos_strfry::firewall",
-      "apt::default",
-      "timezone_iii::default",
-      "timezone_iii::debian",
-      "ntp::default",
-      "ntp::apparmor",
-      "kosmos-base::systemd_emails",
-      "apt::unattended-upgrades",
-      "kosmos-base::firewall",
-      "kosmos-postfix::default",
-      "postfix::default",
-      "postfix::_common",
-      "postfix::_attributes",
-      "postfix::sasl_auth",
-      "hostname::default",
-      "deno::default"
-    ],
-    "platform": "ubuntu",
-    "platform_version": "22.04",
-    "cloud": null,
-    "chef_packages": {
-      "chef": {
-        "version": "18.4.12",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib",
-        "chef_effortless": null
-      },
-      "ohai": {
-        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
-      }
-    }
-  },
-  "run_list": [
-    "role[base]",
-    "role[kvm_guest]",
-    "role[strfry]"
-  ]
-}

roles/openresty_proxy.rb

@@ -28,7 +28,6 @@ production_run_list = %w(
   kosmos_liquor-cabinet::nginx
   kosmos_rsk::nginx_testnet
   kosmos_rsk::nginx_mainnet
-  kosmos_strfry::nginx
   kosmos_website::default
   kosmos-akkounts::nginx
   kosmos-akkounts::nginx_api

roles/strfry.rb

@@ -1,8 +0,0 @@
-name "strfry"
-
-run_list %w(
-  role[ldap_client]
-  strfry::default
-  kosmos_strfry::policies
-  kosmos_strfry::firewall
-)

site-cookbooks/kosmos_kvm/attributes/default.rb

@@ -1,10 +1,9 @@
 release = "20240514"
-img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm"
 
 node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
-  "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img",
+  "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/ubuntu-22.04-server-cloudimg-amd64-disk-kvm.img",
   "checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f",
-  "path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2"
+  "path" => "/var/lib/libvirt/images/base/ubuntu-22.04-server-cloudimg-amd64-disk-kvm-#{release}.qcow2"
 }
 
 # A systemd.timer OnCalendar config value

site-cookbooks/kosmos_kvm/templates/create_vm.erb

@@ -17,7 +17,7 @@ DISKSIZE=${4:-10} # 10GB default
 # Directory where image files will be stored
 IMAGE_DIR=/var/lib/libvirt/images
 IMAGE_PATH=$IMAGE_DIR/${VMNAME}.qcow2
-CIDATA_PATH=${IMAGE_DIR}/cidata-${VMNAME}.iso
+CIDATA_PATH=${IMAGE_DIR}/${VMNAME}-cloudinit
 BASE_FILE=<%= @base_image_path %>
 
 # Create the VM image if it does not already exist
@@ -38,9 +38,8 @@ qemu-img info "$IMAGE_PATH"
 # Check if the cloud-init metadata file exists
 # if not, generate it
 if [ ! -r $CIDATA_PATH ]; then
-  pushd $(dirname $CIDATA_PATH)
+  mkdir -p $CIDATA_PATH
-  mkdir -p $VMNAME
+  pushd $CIDATA_PATH
-  cd $VMNAME
 
   cat > user-data <<-EOS
 #cloud-config
@@ -62,25 +61,19 @@ instance-id: $VMNAME
 local-hostname: $VMNAME
 EOS
 
-  genisoimage -output "$CIDATA_PATH" -volid cidata -joliet -rock user-data meta-data
-  chown libvirt-qemu:kvm "$CIDATA_PATH"
-  chmod 600 "$CIDATA_PATH"
   popd
 fi
 
-# setting --os-variant to ubuntu20.04 and ubuntu18.04 breaks SSH and networking
 virt-install \
   --name "$VMNAME" \
   --ram "$RAM" \
   --vcpus "$CPUS" \
   --cpu host \
   --arch x86_64 \
-  --os-type linux \
+  --osinfo detect=on,name=ubuntujammy \
-  --os-variant ubuntu16.04 \
   --hvm \
   --virt-type kvm \
   --disk "$IMAGE_PATH" \
-  --cdrom "$CIDATA_PATH" \
   --boot hd \
   --network=bridge=virbr0,model=virtio \
   --graphics none \
@@ -88,4 +81,5 @@ virt-install \
   --console pty \
   --channel unix,mode=bind,path=/var/lib/libvirt/qemu/$VMNAME.guest_agent.0,target_type=virtio,name=org.qemu.guest_agent.0 \
   --autostart \
-  --import
+  --import \
+  --cloud-init root-password-generate=off,disable=on,meta-data=$CIDATA_PATH/meta-data,user-data=$CIDATA_PATH/user-data

site-cookbooks/kosmos_strfry/LICENSE

@@ -1,20 +0,0 @@
-Copyright (c) 2024 Kosmos Developers
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

site-cookbooks/kosmos_strfry/README.md

@@ -1,4 +0,0 @@
-kosmos_strfry
-=============
-
-Installs/configures a strfry relay and its reverse proxy config

site-cookbooks/kosmos_strfry/attributes/default.rb

@@ -1 +0,0 @@
-node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"

site-cookbooks/kosmos_strfry/metadata.rb

@@ -1,10 +0,0 @@
-name             'kosmos_strfry'
-maintainer       'Kosmos'
-maintainer_email 'mail@kosmos.org'
-license          'MIT'
-description      'strfry wrapper cookbook'
-long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.1.0'
-
-depends 'kosmos_openresty'
-depends 'deno'

site-cookbooks/kosmos_strfry/recipes/firewall.rb

@@ -1,13 +0,0 @@
-#
-# Cookbook Name:: kosmos_strfry
-# Recipe:: firewall
-#
-
-include_recipe "kosmos-base::firewall"
-
-firewall_rule "strfry" do
-  port     node["strfry"]["port"]
-  source   "10.1.1.0/24"
-  protocol :tcp
-  command  :allow
-end

site-cookbooks/kosmos_strfry/recipes/nginx.rb

@@ -1,29 +0,0 @@
-#
-# Cookbook Name:: kosmos_strfry
-# Recipe:: nginx
-#
-
-domain = node["strfry"]["domain"]
-
-upstream_hosts = []
-search(:node, 'role:strfry').each do |node|
-  upstream_hosts << node['knife_zero']['host']
-end
-if upstream_hosts.empty?
-  Chef::Log.warn("No node found with 'strfry' role. Not configuring nginx site.")
-  return
-end
-
-tls_cert_for domain do
-  auth "gandi_dns"
-  action :create
-end
-
-openresty_site domain do
-  template "nginx_conf_strfry.erb"
-  variables domain: domain,
-            upstream_port: node['strfry']['port'],
-            upstream_hosts: upstream_hosts,
-            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
-            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
-end

site-cookbooks/kosmos_strfry/recipes/policies.rb

@@ -1,62 +0,0 @@
-#
-# Cookbook Name:: kosmos_strfry
-# Recipe:: policies
-#
-
-include_recipe "deno"
-
-#
-# config
-#
-
-ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
-
-env = {
-  ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
-  ldap_bind_dn: ldap_credentials["service_dn"],
-  ldap_password: ldap_credentials["service_password"],
-  ldap_search_dn: node["strfry"]["ldap_search_dn"]
-}
-
-template "/opt/.env" do
-  source 'env.erb'
-  owner node["strfry"]["user"]
-  group node["strfry"]["group"]
-  mode 0600
-  sensitive true
-  variables config: env
-  notifies :restart, "service[strfry]", :delayed
-end
-
-#
-# strfry deno scripts
-#
-
-base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/master/extras/strfry"
-
-remote_file "/opt/strfry-policy.ts" do
-  source "#{base_url}/strfry-policy.ts"
-  owner node["strfry"]["user"]
-  group node["strfry"]["group"]
-  mode "0755"
-  notifies :restart, "service[strfry]", :delayed
-end
-
-remote_file "/opt/ldap-policy.ts" do
-  source "#{base_url}/ldap-policy.ts"
-  owner node["strfry"]["user"]
-  group node["strfry"]["group"]
-  mode "0644"
-  notifies :restart, "service[strfry]", :delayed
-end
-
-remote_file "/opt/strfry-sync.ts" do
-  source "#{base_url}/strfry-sync.ts"
-  owner node["strfry"]["user"]
-  group node["strfry"]["group"]
-  mode "0644"
-end
-
-# service "strfry" do
-#   action :nothing
-# end

site-cookbooks/kosmos_strfry/templates/env.erb

@@ -1,11 +0,0 @@
-<% @config.each do |key, value| %>
-<% if value.is_a?(Hash) %>
-<% value.each do |k, v| %>
-<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
-<% end %>
-<% else %>
-<% if value %>
-<%= key.upcase %>=<%= value.to_s %>
-<% end %>
-<% end %>
-<% end %>

site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb

@@ -1,25 +0,0 @@
-upstream _strfry {
-<% @upstream_hosts.each do |host| %>
-  server <%= host %>:<%= @upstream_port || "7777" %>;
-<% end %>
-}
-
-server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  server_name <%= @domain %>;
-
-  access_log "/var/log/nginx/<%= @domain %>.access.log";
-  error_log "/var/log/nginx/<%= @domain %>.error.log";
-
-  ssl_certificate     <%= @ssl_cert %>;
-  ssl_certificate_key <%= @ssl_key %>;
-
-  location / {
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_pass http://_strfry;
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
-  }
-}