Merge pull request 'Set up Blossom server on blossom.kosmos.org' (#630) from feature/blossom_server into master

Reviewed-on: #630
Reviewed-by: Greg <greg@kosmos.org>

.gitmodules

@@ -10,3 +10,6 @@
 [submodule "site-cookbooks/deno"]
 	path = site-cookbooks/deno
 	url = git@gitea.kosmos.org:kosmos/deno-cookbook.git
+[submodule "site-cookbooks/blossom"]
+	path = site-cookbooks/blossom
+	url = git@gitea.kosmos.org:kosmos/blossom-cookbook.git

AGENTS.md

@@ -0,0 +1,41 @@
+# AGENTS.md
+
+Welcome, AI Agent! This file contains essential context and rules for interacting with the Kosmos Chef repository. Read this carefully before planning or executing any changes.
+
+## 🏢 Project Overview
+This repository contains the infrastructure automation code used by Kosmos to provision and configure bare metal servers (KVM hosts) and Ubuntu virtual machines (KVM guests). 
+
+We use **Chef Infra**, managed locally via **Knife Zero** (agentless Chef), and **Berkshelf** for dependency management.
+
+## 📂 Directory Structure & Rules
+
+* **`site-cookbooks/`**: 🟢 **EDITABLE.** This directory contains all custom, internal cookbooks written specifically for Kosmos services (e.g., `kosmos-postgresql`, `kosmos_gitea`, `kosmos-mastodon`). *Active development happens here.*
+* **`cookbooks/`**: 🔴 **DO NOT EDIT.** This directory contains third-party/community cookbooks that are vendored. These are managed by Berkshelf. Modifying them directly will result in lost changes.
+* **`roles/`**: 🟢 **EDITABLE.** Contains Chef roles written in Ruby (e.g., `base.rb`, `kvm_guest.rb`, `postgresql_primary.rb`). These define run-lists and role-specific default attributes for servers.
+* **`environments/`**: Contains Chef environment definitions (like `production.rb`).
+* **`data_bags/`**: Contains data bag configurations, often encrypted. Be cautious and do not expose secrets. (Note: Agents should not manage data bag secrets directly unless provided the `.chef/encrypted_data_bag_secret`).
+* **`nodes/`**: Contains JSON state files for bootstrapped nodes. *Agents typically do not edit these directly unless cleaning up a deleted node.*
+* **`Berksfile`**: Defines community cookbook dependencies.
+* **`Vagrantfile` / `.kitchen/`**: Used for local virtualization and integration testing.
+
+## 🛠️ Tooling & Workflows
+
+1. **Dependency Management (Berkshelf)**
+   If a new community cookbook is required:
+   - Add it to the `Berksfile` at the root.
+   - Instruct the user to run `berks install` and `berks vendor cookbooks/ --delete` (or run it via the `bash` tool if permitted).
+
+2. **Provisioning (Knife Zero)**
+   - Bootstrapping and converging nodes is done using `knife zero`. 
+   - *Example:* `knife zero converge name:server-name.kosmos.org`
+
+3. **Code Style & Conventions**
+   - Chef recipes, resources, and roles are written in **Ruby**. 
+   - Follow standard Chef and Ruby (RuboCop) idioms. Look at neighboring files in `site-cookbooks/` or `roles/` to match formatting and naming conventions.
+
+## 🚨 Core Directives for AI Agents
+
+1. **Infrastructure as Code**: Manual server configurations are highly discouraged. All changes must be codified in a cookbook or role.
+2. **Test Safety Nets**: Look for `.kitchen.yml` within specific `site-cookbooks/<name>` to understand if local integration tests are available.
+3. **No Assumptions**: Do not assume standard test commands. Check `README.md` and repository config files first.
+4. **Secret Handling**: Avoid hardcoding passwords or API keys in recipes or roles. Assume sensitive information is managed via Chef `data_bags`.

clients/garage-16.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-16",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqYCUN4WNP05pjbxVJd1/\nvmDZU6XRrVVZS5piSSRzs+uxrcUQZew9oe8YwnB9Acf7nl1igS1Fa3e3TyVdrdrM\n+zKLIszJfZw8qH0BhUHYhIm5o+NXeUDR6zor5/4msq9yyXxMFM3FY6HSnz1IBY6P\n43GdArRqAhccGZTBzvowHZvVTkG553oYF1ETxlUWn+9l142YZufNK+B2JGUGSnf3\nS0A2vlQi7DGHBcUaPPqCLeaXB1cQ4Q6SqMvnExpi0xTdY2QXLlSIBJvJVowLtQKs\npS5qHxwCabMY/uHVoEKxgmMcGvjp4L0PoaXRcev5I2sDfbLuz1VxYfatjgI/1psg\ntwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/rsk-testnet-6.json

@@ -0,0 +1,4 @@
+{
+  "name": "rsk-testnet-6",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl1p4+F536/peA4XWMJtm\njggPl6yJb42V5bg3kDa8SHoIoQgXn59d3BclZ1Oz2+JhFd3Rrn4FN3Z1wzGpP+gA\nnxQOfgRG1ucahh7Nxaw3IdoHm7r/EdEOc9FrxvGJ+09YnmLfzn4iVQpsUiOiNVS7\n0LXtMXYtsjD+o6BTbOhGU8FMmGhMhQfXFVgoDdTiM/Q62zPw8Vtpa3yFpFJAu+dA\n+mm5h5W6FnaWJXM2arn3PxDOt+JQSWp5PYG4goU1FFreU9iFuoeGEfLy8unlbbXt\ne96QhNuCkOA15xqta0Z3oL7IlXWns7dLgZYlpZT9zaExIs3AEDaQcleacQPzXKSG\nswIDAQAB\n-----END PUBLIC KEY-----\n"
+}

data_bags/credentials/blossom.json

@@ -0,0 +1,24 @@
+{
+  "id": "blossom",
+  "admin_password": {
+    "encrypted_data": "Gd6AzFmySL0p+xo1PnRn9p4Fwge1m3CQj+NRLIUD8P9u1C8=\n",
+    "iv": "l6KVzF9xEEBRRAmh\n",
+    "auth_tag": "P791KMh9TxuHiWJpDKxWQA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_access_key": {
+    "encrypted_data": "S8jB2LDQOxI/p5ugggW1Sk50TS9TJe9sLv04O/VD9/v22SSM7J6ETomTA+Hd\n",
+    "iv": "dUIIZbdAT9q72ioX\n",
+    "auth_tag": "+5fCNOuTE/+FqdV6rDNbkw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_secret_key": {
+    "encrypted_data": "soT63l2frBJDNmHetXmEPvNYBsTpvTyR95FA2rxuZXvVE7hMj21La8/0Amk7\nv+mHOBUMaGG9BTLN0tVFkL0+lGPXdZJTbtDHgluk5l6lLPyc8KY=\n",
+    "iv": "RuXs2pL9C/wpwJ/w\n",
+    "auth_tag": "nu7dE2udTkxaUZCR42h09w==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

environments/production.json

@@ -18,6 +18,16 @@
         "relay_url": "wss://nostr.kosmos.org"
       }
     },
+    "blossom": {
+      "domain": "blossom.kosmos.org",
+      "storage": {
+        "s3": {
+          "endpoint": "s3.kosmos.org",
+          "region": "garage",
+          "bucket": "blossom"
+        }
+      }
+    },
     "discourse": {
       "domain": "community.kosmos.org"
     },

nodes/akkounts-1.json

@@ -67,13 +67,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.2.7",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
+        "version": "18.10.17",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "version": "18.2.13",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
       }
     }
   },

nodes/bitcoin-2.json

@@ -8,7 +8,7 @@
   "automatic": {
     "fqdn": "bitcoin-2",
     "os": "linux",
-    "os_version": "5.4.0-163-generic",
+    "os_version": "5.4.0-216-generic",
     "hostname": "bitcoin-2",
     "ipaddress": "192.168.122.148",
     "roles": [

nodes/draco.kosmos.org.json

@@ -46,6 +46,7 @@
       "kosmos_garage::default",
       "kosmos_garage::firewall_rpc",
       "kosmos_assets::nginx_site",
+      "kosmos_blossom::nginx",
       "kosmos_discourse::nginx",
       "kosmos_drone::nginx",
       "kosmos_garage::nginx_web",
@@ -112,13 +113,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.2.7",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
+        "version": "18.10.17",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "version": "18.2.13",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
       }
     }
   },

nodes/fornax.kosmos.org.json

@@ -39,6 +39,7 @@
       "kosmos_garage::default",
       "kosmos_garage::firewall_rpc",
       "kosmos_assets::nginx_site",
+      "kosmos_blossom::nginx",
       "kosmos_discourse::nginx",
       "kosmos_drone::nginx",
       "kosmos_garage::nginx_web",
@@ -105,13 +106,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.2.7",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
+        "version": "18.10.17",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "version": "18.2.13",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
       }
     }
   },

nodes/garage-16.json

@@ -0,0 +1,63 @@
+{
+  "name": "garage-16",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.153"
+    }
+  },
+  "automatic": {
+    "fqdn": "garage-16",
+    "os": "linux",
+    "os_version": "6.8.0-106-generic",
+    "hostname": "garage-16",
+    "ipaddress": "192.168.122.182",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "garage_node"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "kosmos-base::journald_conf",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "24.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.10.17",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.13",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[garage_node]"
+  ]
+}

nodes/leo.json

@@ -8,7 +8,7 @@
   "automatic": {
     "fqdn": "leo",
     "os": "linux",
-    "os_version": "5.15.0-164-generic",
+    "os_version": "5.15.0-173-generic",
     "hostname": "leo",
     "ipaddress": "5.9.81.116",
     "roles": [

nodes/mail.kosmos.org.json

@@ -30,6 +30,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/rsk-testnet-6.json

@@ -0,0 +1,60 @@
+{
+  "name": "rsk-testnet-6",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.20"
+    }
+  },
+  "automatic": {
+    "fqdn": "rsk-testnet-6",
+    "os": "linux",
+    "os_version": "6.8.0-107-generic",
+    "hostname": "rsk-testnet-6",
+    "ipaddress": "192.168.122.231",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "rskj_testnet"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_rsk::rskj",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "kosmos-base::journald_conf",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "kosmos_rsk::firewall",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "24.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.10.17",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.13",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[rskj_testnet]"
+  ]
+}

nodes/strfry-1.json

@@ -16,7 +16,8 @@
       "base",
       "kvm_guest",
       "strfry",
-      "ldap_client"
+      "ldap_client",
+      "blossom"
     ],
     "recipes": [
       "kosmos-base",
@@ -28,6 +29,8 @@
       "kosmos_strfry::policies",
       "kosmos_strfry::firewall",
       "kosmos_strfry::substr",
+      "kosmos_blossom",
+      "kosmos_blossom::default",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -43,7 +46,8 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
-      "deno::default"
+      "deno::default",
+      "blossom::default"
     ],
     "platform": "ubuntu",
     "platform_version": "22.04",
@@ -63,6 +67,7 @@
   "run_list": [
     "role[base]",
     "role[kvm_guest]",
-    "role[strfry]"
+    "role[strfry]",
+    "role[blossom]"
   ]
 }

roles/blossom.rb

@@ -0,0 +1,16 @@
+name "blossom"
+
+override_attributes(
+  "blossom" => {
+    "allowed_pubkeys" => [
+      # "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
+      # "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3",
+      # "898a73f2c1f9a9f42d9ef4ac363622f92fdd4290c8f190340a0862d8e0f70046"
+    ]
+  },
+)
+
+run_list %w(
+  role[ldap_client]
+  kosmos_blossom::default
+)

roles/openresty_proxy.rb

@@ -19,6 +19,7 @@ production_run_list = %w(
   role[openresty]
   role[garage_gateway]
   kosmos_assets::nginx_site
+  kosmos_blossom::nginx
   kosmos_discourse::nginx
   kosmos_drone::nginx
   kosmos_garage::nginx_web

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -86,9 +86,6 @@ node.default['lndhub-go']['branding'] = {
   'footer' => 'about=https://kosmos.org'
 }
 
-node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb"
-node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
-
 node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
 node.default['nbxplorer']['revision'] = 'v2.5.26'
 node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
@@ -98,7 +95,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
 node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
 
 node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
-node.default['btcpay']['revision'] = 'v2.1.1'
+node.default['btcpay']['revision'] = 'v2.3.7'
 node.default['btcpay']['source_dir'] = '/opt/btcpay'
 node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
 node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"

site-cookbooks/kosmos-bitcoin/recipes/dotnet.rb

@@ -5,29 +5,16 @@
 
 build_essential
 
-apt_repository 'universe' do
-  uri 'http://archive.ubuntu.com/ubuntu/'
-  distribution 'focal'
-  components ['universe']
+remote_file "/opt/dotnet-install.sh" do
+  source "https://dot.net/v1/dotnet-install.sh"
+  mode "0755"
 end
 
-apt_package 'apt-transport-https'
-
-remote_file '/opt/packages-microsoft-prod.deb' do
-  source node['dotnet']['ms_packages_src_url']
-  checksum node['dotnet']['ms_packages_src_checksum']
-  action :create_if_missing
+execute "install_dotnet_10" do
+  command "/opt/dotnet-install.sh -c 10.0 --install-dir /usr/share/dotnet"
+  not_if '/usr/share/dotnet/dotnet --version | grep -q "^10\."'
 end
 
-dpkg_package 'packages-microsoft-prod' do
-  source '/opt/packages-microsoft-prod.deb'
-  action :install
-  notifies :run, 'execute[apt_update]'
+link "/usr/bin/dotnet" do
+  to "/usr/share/dotnet/dotnet"
 end
-
-execute 'apt_update' do
-  command 'apt update'
-  action :nothing
-end
-
-apt_package 'dotnet-sdk-8.0'

site-cookbooks/kosmos_blossom/attributes/default.rb

@@ -0,0 +1 @@
+# No attributes here, use the blossom cookbook's attributes

site-cookbooks/kosmos_blossom/metadata.rb

@@ -0,0 +1,6 @@
+name 'kosmos_blossom'
+description 'Configures Blossom server for Kosmos infrastructure'
+version '0.1.0'
+depends 'blossom'
+depends 'kosmos-base'
+depends 'kosmos_openresty'

site-cookbooks/kosmos_blossom/recipes/default.rb

@@ -0,0 +1,38 @@
+#
+# Cookbook Name:: kosmos_blossom
+# Recipe:: default
+#
+
+credentials = Chef::EncryptedDataBagItem.load('credentials', 'blossom')
+ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
+
+node.default['blossom']['repo_url'] = 'https://github.com/67P/blossom-server.git'
+node.default['blossom']['revision'] = 'feature/ldap'
+
+node.default['blossom']['storage']['backend'] = 's3'
+node.default['blossom']['storage']['s3']['access_key'] = credentials['s3_access_key']
+node.default['blossom']['storage']['s3']['secret_key'] = credentials['s3_secret_key']
+
+node.default['blossom']['allow_anonymous_uploads'] = false
+
+node.default['blossom']['ldap']['enabled'] = true
+node.default['blossom']['ldap']['url'] = 'ldap://ldap.kosmos.local:389'
+node.default['blossom']['ldap']['bind_dn'] = ldap_credentials["service_dn"]
+node.default['blossom']['ldap']['password'] = ldap_credentials["service_password"]
+node.default['blossom']['ldap']['search_dn'] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
+node.default['blossom']['ldap']['search_filter'] = "(nostrKey={pubkey})"
+
+node.default['blossom']['dashboard']['enabled'] = true
+node.default['blossom']['dashboard']['username'] = credentials['admin_username'] || 'admin'
+node.default['blossom']['dashboard']['password'] = credentials['admin_password']
+
+node.default['blossom']['landing']['title'] = 'Kosmos Blossom Server'
+
+include_recipe 'blossom::default'
+
+firewall_rule 'blossom' do
+  port     node['blossom']['port']
+  source   '10.1.1.0/24'
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos_blossom/recipes/nginx.rb

@@ -0,0 +1,28 @@
+#
+# Cookbook Name:: kosmos_blossom
+# Recipe:: nginx
+#
+
+domain = node['blossom']['domain']
+
+blossom_node = search(:node, 'role:blossom').first
+
+if blossom_node.nil?
+  Chef::Log.warn("No node found with 'blossom' role. Not configuring nginx site.")
+  return
+end
+
+tls_cert_for domain do
+  auth 'gandi_dns'
+  action :create
+end
+
+openresty_site domain do
+  template 'nginx_conf_blossom.erb'
+  variables domain: domain,
+            upstream_host: blossom_node['knife_zero']['host'],
+            upstream_port: node['blossom']['port'],
+            max_size_mb: node['blossom']['max_size'] / 1024 / 1024,
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+end

site-cookbooks/kosmos_blossom/templates/default/nginx_conf_blossom.erb

@@ -0,0 +1,26 @@
+upstream _blossom {
+  server <%= @upstream_host %>:<%= @upstream_port %>;
+}
+
+server {
+  server_name <%= @domain %>;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+
+  access_log "/var/log/nginx/<%= @domain %>.access.log";
+  error_log "/var/log/nginx/<%= @domain %>.error.log";
+
+  client_max_body_size <%= @max_size_mb %>M;
+
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  location / {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_pass http://_blossom;
+    proxy_http_version 1.1;
+  }
+}

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb

@@ -18,6 +18,8 @@ server {
 
   client_max_body_size 121M;
 
+  proxy_intercept_errors on;
+
   location ~ ^/(avatars|repo-avatars)/.*$ {
     proxy_buffers 1024 8k;
     proxy_pass http://_gitea_web;
@@ -52,5 +54,18 @@ server {
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
+    error_page 404 = @slow_404;
+  }
+
+  # Slow down 404 responses to make scraping random URLs less attractive
+  location @slow_404 {
+    internal;
+    default_type text/plain;
+    content_by_lua_block {
+      ngx.sleep(10)
+      ngx.status = 404
+      ngx.say("Not Found")
+      ngx.exit(ngx.HTTP_NOT_FOUND)
+    }
   }
 }

site-cookbooks/kosmos_kvm/attributes/default.rb

@@ -1,9 +1,9 @@
-release = "20260320"
-img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm"
+release = "20260321"
+img_filename = "ubuntu-24.04-server-cloudimg-amd64"
 
 node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
-  "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img",
-  "checksum" => "f7173eb7137b4f0ebeaea8fffe68ecdab1e3c787bde1fd8dfdf27103554332b3",
+  "url" => "https://cloud-images.ubuntu.com/releases/noble/release-#{release}/#{img_filename}.img",
+  "checksum" => "5c3ddb00f60bc455dac0862fabe9d8bacec46c33ac1751143c5c3683404b110d",
   "path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2"
 }
 

site-cookbooks/kosmos_kvm/templates/create_vm.erb

@@ -70,7 +70,7 @@ virt-install \
   --vcpus "$CPUS" \
   --cpu host \
   --arch x86_64 \
-  --osinfo detect=on,name=ubuntujammy \
+  --osinfo detect=on,name=ubuntu24.04 \
   --hvm \
   --virt-type kvm \
   --disk "$IMAGE_PATH" \

site-cookbooks/kosmos_rsk/Berksfile

@@ -1,5 +1,8 @@
 source 'https://supermarket.chef.io'
 
-cookbook 'kosmos-nginx', path: '../../site-cookbooks/kosmos-nginx'
+cookbook 'kosmos_openresty', path: '../../site-cookbooks/kosmos_openresty'
+cookbook 'kosmos-base', path: '../../site-cookbooks/kosmos-base'
+cookbook 'openresty', path: '../../site-cookbooks/openresty'
+cookbook 'kosmos-postfix', path: '../../site-cookbooks/kosmos-postfix'
 
 metadata

site-cookbooks/kosmos_rsk/attributes/default.rb

@@ -1,4 +1,4 @@
-node.default['rskj']['version'] = '7.0.0~jammy'
+node.default['rskj']['version'] = "9.0.1~#{node['lsb']['codename']}"
 node.default['rskj']['network'] = 'testnet'
 
 node.default['rskj']['nginx']['domain'] = nil

site-cookbooks/kosmos_rsk/kitchen.yml

@@ -34,9 +34,9 @@ verifier:
   name: inspec
 
 platforms:
-  - name: ubuntu-22.04
+  - name: ubuntu-24.04
     driver:
-      image: dokken/ubuntu-22.04
+      image: dokken/ubuntu-24.04
       privileged: true
       pid_one_command: /usr/lib/systemd/systemd
       intermediate_instructions:

site-cookbooks/kosmos_rsk/metadata.rb

@@ -3,7 +3,7 @@ maintainer 'Kosmos Developers'
 maintainer_email 'ops@kosmos.org'
 license 'MIT'
 description 'Installs/configures RSKj and related software'
-version '0.4.0'
+version '0.5.0'
 chef_version '>= 18.2'
 issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
 source_url 'https://gitea.kosmos.org/kosmos/chef'

site-cookbooks/kosmos_rsk/recipes/rskj.rb

@@ -20,10 +20,19 @@ apt_repository 'rskj' do
 end
 
 apt_package 'openjdk-17-jdk'
+apt_package 'debconf-utils'
+
+execute 'preseed-rskj-license' do
+  command 'echo "rskj shared/accepted-rsk-license-v1-1 boolean true" | debconf-set-selections'
+  not_if 'debconf-get-selections | grep -q "shared/accepted-rsk-license-v1-1.*true"'
+end
+
+execute 'preseed-rskj-config' do
+  command "echo \"rskj shared/config select #{node['rskj']['network']}\" | debconf-set-selections"
+  not_if "debconf-get-selections | grep -q \"shared/config.*#{node['rskj']['network']}\""
+end
 
 apt_package 'rskj' do
-  response_file 'rskj-preseed.cfg.erb'
-  response_file_variables network: node['rskj']['network']
   options '--assume-yes'
   version node['rskj']['version']
 end

site-cookbooks/kosmos_rsk/templates/rskj-preseed.cfg.erb

@@ -1,6 +1,6 @@
 #_preseed_V1
 # Do you agree to the terms of the applicable licenses?
-rskj shared/accepted-rsk-license-v1-1 select true
+rskj shared/accepted-rsk-license-v1-1 boolean true
 # Choose a configuration environment to run your node.
 # Choices: mainnet, testnet, regtest
 rskj shared/config select <%= @network %>

site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb

@@ -9,7 +9,7 @@ end
 
 describe package('rskj') do
   it { should be_installed }
-  its('version') { should eq '7.0.0~jammy' }
+  its('version') { should eq '9.0.1~noble' }
 end
 
 describe service('rsk') do