Add cron job for deleting repo archives

Reviewed-on: #399

Vagrantfile

@@ -39,7 +39,7 @@ Vagrant.configure(2) do |config|
 
   # Create a private network, which allows host-only access to the machine
   # using a specific IP.
-  # config.vm.network "private_network", ip: "192.168.33.10"
+  config.vm.network "private_network", ip: "192.168.56.5"
 
   # Create a public network, which generally matched to bridged network.
   # Bridged networks make the machine appear as another physical device on

clients/discourse-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "discourse-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxJBhKUtTcmjP8eG4aLNF\n9UfNU9lRIFhfywjFJjtXoYdNaUatZHE3s1HKND0SjJs5BRQbZBEKLxTHCgnPZD4U\nlRgZ65JtHwi+JNM6ac4TQm5JYKA++KxX7FtOiJV6oGX6foNoFVHrGi+fhTlLE9hL\npHRQWTpM8ErpUEj3VHez+k6KT1Mr3QO5T9L5kqu1BdTYwtyfXJE0VfyDKz/rwrvc\ngPvZd167p8YCTu/rWLG9X8tag+ySUR9cmlEn5sCsBLmq56Zurf0VIe/0tuGPI8DP\nAVc4dIXHsfGuKLwBfFPSDy9YbI7F8gbaD05UnUVn60IWPmWsE19K/iIc/OnJZwRO\nkQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/discourse-2.json

@@ -0,0 +1,4 @@
+{
+  "name": "discourse-2",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwinJNGMUzUdrZwx/ZCkU\nxZRnuWqZHXHdZtkEG6beMY1sB/PpGknLgcfTjhh4FR/5hIXqBcVdUj3DZiTmhd8o\n0QpEkJPNKd08PN12CyShPwCcIA1KTqsCsNys+bp6Wff84JClAe/Oza6DonoRmhqO\ncFxSQcscuv8a6Gc/1X/aySmS01hwL+r9p0VZBEPNKEObgJXHsGIIbajlxgq037X/\n2/IsIk2etXTUSWPJLxNKSXzxC3l4Izw4NfvUgipByPTeJQ2YAVxbvrDEqquBGk5S\nll/mlF+fKX0QvUhm7sdLiSy++rHc8R1ny+4LnR1gAOscYMuLbDbpJnW0Rc0GEJOL\nVwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/drone-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "drone-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0DLEt7jfKPH7X7pBknG3\nWoB6Q6Vffl6Q0GRxQiMJ1uRC79dulKH097CYfLzIXFZD9gRRP4K78vW5BA2spXVV\nn3qrak9JT6BGgdFrkBEdMNGZyz814aMiyhPZrQUrmIzyH8R04xZgv7UH86qdNQ5p\nPeIXS7gU7/0PmwRgEBiM1KLq+Kba6pYdGefKqxx5D59xweH+yE+rbd5ac9xn2GP7\nyOiZoG2sMuksq7d3O4SeTS2lBAmG5IeiP2iWvHWpZD48PTr78ItkTgIbaqZU2PXV\ng+2OcJPTel5xISooe5FvW8gdpC9SYoBPvgJuJ6czc1+LdUSK7pE7577eAJNDlh+H\nRwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/ejabberd-7.json

@@ -0,0 +1,4 @@
+{
+  "name": "ejabberd-7",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzHfqcI/6w58gLwDFCKxw\n0TeKFOf4MFBnmUGsWyi8BEskkjh4QEDc4pUFeiVuEADFyBfCnALWh004nKhiwamc\nECybfAKlJryoQQEcYZC6H4rZf3SW7xPLk12X00YySNroYM50PM5Ly/G7MI9a669g\n6HNOgn1MYIEh8unpsAHjfKpx72bNutRYKKvBDaHXNvlJ459Jr8HNpERFk8IeaGcF\n4BKqf/MNxkQHOfy7R4ETXeLUBrgD13SmLbs6mM3lXS6IgkoeFyAvAPP4ZgwgiJ6w\nqIKsX4cRt8xnJJ+MTNBX4oc0f9+Gu8bUpr2JZ8tcwq3GUgDjv+JSJpk/uDzzbQUe\nIwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/gitea-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "gitea-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0bp4I/f5dLL22GRHanLV\nw57sNBEWT3Vx32B24hScKNP5nYDW0dIRkt1c7SLEpe+diNgyIwk7JlI20Vl+oaVo\njdCpmHSB18yXxQT2Ub6aI8ApwFLECVA6SckekcwxLJc/oGRMB52PonI8opJOVbPa\nF+heZ5NNDiMvn3E8qODdMWSjDiJNSVLJgsCPFHAt32aJgLaXQTqG5lrmltaamscW\njGlFqiBJw/5saCkKBPdPwdX4RcDqvGX1FdE1LVB42cskv8CrnvEVFLBxKXAhAr6s\nNhOhenzLGHpy58tNoUoUw3v4WiPRtcnlNxeSVG5LKkjaK04f2oxeZx3SiSU/1naY\nkwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/gitea-2.json

@@ -0,0 +1,4 @@
+{
+  "name": "gitea-2",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7MKbO2vvX7TD1cFKjITh\ntvsf6hgAQRcu7F0kiekx15aC3VLnRgsB9A6SXySVrqvhq/vOSTXZsIC62IQi4Oks\nhhtAA/uvwcOmZ7JkMi0vJ3Ary94dTsg/L8i/0/k2V/D4FRKTV4414wSkpglFGLhl\nvbZ6P17LrqfyAzNJwIDzwd9d6cvt4a0qxvuxbTOHkBuY8tpyGdNzhg6fATadxbBa\nRASEVFb+xqxG3K+8zRmaCFyYqmSPS/8liVVbLPAeUlK6pDyQ5g4T37E5o+CpWfPF\nkBgYw/hHQe6zt1Z4wNJ6mb8YIN/l9kFF3EE99laYxp9Ua7ffrZkRgw12C5Yrn3N6\noQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/mastodon-2.json

@@ -0,0 +1,4 @@
+{
+  "name": "mastodon-2",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA27a8h17CCQLP8JY59n+M\nURsrbeVvRi3yIUe1IklOlRSTy0L3Z37rFuSNC3dC9rKl/pHDKtorgeukxbFADXQx\nkta2LNX8gf09jCWsUdga5lWIbfOdtlCLRDG1MVEUSA0f6Sxdqr8RbjM2ch31T6Me\n5Z6DYdggwBujcPHwZC1AugI1wJ0T5XHY9f2MDs/XjNEdw3ThYbAdbl1e09ql6Gtg\nSVCa4RlLg/KICdLJtVOLkX6049/XRxi41I6xvu9tXsqgV3+bs8dYbeGLsTWmpPIv\naAUMcf/A5t4B2DVpnlXDytPqfvZQPD3aBVyfEJRGI1yD6Vi9zL3RyIhDQ/I7PMNI\naQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/mastodon-3.json

@@ -0,0 +1,4 @@
+{
+  "name": "mastodon-3",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArBsrwKV1RtDfw/5y/L2N\n/x7UL2q6G4JypcD5Q8/aDQOTaGuTR+4RCup+Zcn2wzpdGnX6IzS7cy4/LqMoR2pB\nq8K1FZOXvcCtwsBqsyGWiFdy5aLXy2CkHhTRbkwOLPyb1rBy+qPCBdr055BPZUWm\nTfJaxTmph+Z1J+INz0YndYxz3iKET2V99OP27D7tUdZ7yPgMDbDJWqVxPdYrmAUr\n3QLpmYWsYlmPKhpTAXlvbvzE5vgh5EC8RGfhfYRpacc6QdwbahtxMQAV9+1S2+Vj\nntHfB6PSnYwewUHs9MMn8e33KmNlOZdMAVlyJymBZ4pNceC44vxvZYElp077A6tN\nFwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/nodejs-3.json

@@ -0,0 +1,4 @@
+{
+  "name": "nodejs-3",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqP7aGx+S9Mdt6xmaGnJ\nfNWWQsg4BvLiP1qtVt3VRrcXF2cy1bhgfnmqoBqnDk4bGlRoTzF+rSOw284+O2UQ\ntUlsBRos4TOyGfbYHehF12Re6NX51K9LHwaprr3eN5h08wLI8pjVrRJlbce8pHST\nXQ/CZvU+CBg43LE08cXr5kRmhnZrgh70g7zTO8+1E6y74r1LEh77Ar4uaaB5jXw7\n6o9TyfaA1HgyqvfYbH+9KPrJfMX/DeLrYPMI3IG/j3fzDUQQ8o9Pb5B+G1Apl+I+\nsTcgWRei5u06aZHLMMd8MMo4O1yUhbt05kxfVhlDGUDWBdi3cvsMf95t6MNdz/eq\niwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/nodejs-4.json

@@ -0,0 +1,4 @@
+{
+  "name": "nodejs-4",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwIlB6swdT/Z7tRx/Sm24\n/ro3Jotpsi0DiNS6i7BA1fH0OdbX5CRel62jGC1Nja9QCY8aBd00E8u7KPCuK3iY\n5aA7v91sxWZ7nbXdSwBawaNsTZAe4rMaEkA74INpq7TOvLzHcmDcgRbo+MC2Nw3T\nl0mCOaWkUWFaukTLN8zBldzEbYxztKsaL+b2TbevnSCaPkdD9WmDbmjrUiWTlnpE\nDidMjZ9rp+PcODyjlvwka1yJCoPFoN/+ZL4yXxo49tJ2kbrxSh4tdDZqiZwnajRb\n4SAuRCaHTASDSmZ1Dj0ET/miXuvy6Jgvt06eSMPDKvb+84Dk8zLf4CW6DaE2TfX4\nzwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-3.json

@@ -1,4 +0,0 @@
-{
-  "name": "postgres-3",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxPsFwxISCjy38kw78N2I\nhkxK6S0uARkPggE+OP7jWwZqHtnz1O+ZUbM/o9i/dWgm0Xl+hQ6grPtjS57VzXJq\nlwsVDGTkyb5T6wAcZao/koQbA9ZABknLH/ra52gny+7j3b2q5RIdyhddTYZwsbIG\n9y2BfcUW0Z1mPVkR2NxzFloj0ulsrJs6/5GhqbREqPz5BsyBJlwFsREK2Dy6m2nm\nVMp+GIQlRdhy/D09s/BZ/Ejwe8D3tv3jJT5CRXkndwa5qIc96E1uzRQpyyKvXZDK\nYvUdQwniW4EBNHEo/se+OqP+Du/M1dReX6aTq9axbhKiVWoD3FtMVtGqE3uf/i4I\n0QIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/rsk-mainnet-2.json

@@ -0,0 +1,4 @@
+{
+  "name": "rsk-mainnet-2",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1cuvB3l7sBKJXqjhTih\nQloXteYOr/cQ24R5xUDnHZpCzM75khBjf9ZIX5fskManQ7MI4oFHAaKF6sCWT9QQ\nnL3ON0rCX8wDwBJpKY3iFisAK7f86GO5qkG2ovwG4wO1x69eKX52w33xGpPLPrmw\nBhFv+KfT56KZ3NCvDIQ6tew9VJ3g2V2zUtlL7xZIcdkgTXB06Ec8gbtoCAD3MVUQ\noxMCn+CK6QIAHGxpLIFEv5Y4hNRJ3+0RSuQikhhFzd7P2swnUgDSxDpbfoShroCC\neDw29sapOkQ+PwiHo2Zy8Qtr5m1ToGIhh8l1f/k2vi0Vf2xWVaTjbaeePEDMy9Fd\nKQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/rsk-testnet-3.json

@@ -0,0 +1,4 @@
+{
+  "name": "rsk-testnet-3",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxbo3GccgPZp8UWhb9l2w\n+o6Qe5s4Tf/1TMOw3ppLw+IGCZhq9LEe8s8kngbBX7dMywbyDuf8vLXwvAHFKvC+\nx4XOXq0r9xDX8ujTCfqJxiSYk1KTyqM4lmi7qno7F9/Nwo7h3HuVbpkT752ojf+/\nDCSXwHL+uHlF6z3jKZ8iYBRHFrWmudh8bOm6lVsp/Iv4pQ/btZf8W5zULlk/Z6lT\nb6GS538Lnaoeu7wPCf/awL5GBg9findY3oS1lsEE+PfAu6SAHmbJcItMkrON7Esd\ng9xtwsjX1VICpJhOSkVS1nmRfYohELVJMdiKSLq+b5UskscbCjkRGY6GAPH8cVGg\nSQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/zerotier-1.json

@@ -1,4 +0,0 @@
-{
-  "name": "zerotier-1",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx59liuiEXuAykaiQhjvO\nMimzWH2MOE/GdfPdlGG0IupDtGbDgpsu6lHB/Tc8ct+SEsj55KuamEmUew3EzWRQ\ngVWAPjWtlk6gqVlpU+8eJjTAxT1vaEOvetzliPDNzRBk1AAzS0IkMQwPAIqOD2Vm\nz+QDrTiEFNnbKyBDQ54uY9jBtEgTHgzZyc9KHTjcodJu/oCmOuO0ieTtMS4CDWVl\no2auyABpXX6PzW3hFvH/GB0IlVC5IBa7XS6JrbIFbZCvoAYf/egcQUTToNiKH45e\n2tPZbFpOt955zwInKTioW+Ak3qVVEPvCZ9IBTN7jZkSQuP4Ob5SA4+IbDJcXGulG\nZQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/zerotier-2.json

@@ -0,0 +1,4 @@
+{
+  "name": "zerotier-2",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsild7NcktO5yVR3Uw0yA\negHFToXHaJMIR1z0WrfHgklHf27lRnWRHOiNjnR6SbsvKIT1MBntg4/mQgotah+n\npo6cKF+0pvUih+hOSBZ6+WwjRf5LxJTaj/R0e2j0Gig6PlDV3yWz8+2AB6gObVcb\nKOQT1w6p+T+S9t6Hv/E0Z8CJW+7ZXDZBvjKTg4kYb47P0J5704wATf38EcVAOuoa\nJsUJoE+dTygx2QUG78eiEYqVDgBak00MA7MpFI/yPrzfn4tjSO1aY2/vy1PyG0Zq\nfgAhuFNZPWQwxMvYsK68gFxfmfwsEn0iJOFh0rPCKYWgOCxzkMLk2z7ppCmNd+H6\nNQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/zerotier-3.json

@@ -0,0 +1,4 @@
+{
+  "name": "zerotier-3",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA70y96zXq3XiMlJhLM5Tm\nCzRiZjwqCBN1fKOoihZpsgXHtqDfYd+5BTyafAKTpzVpAZ7HJp+X4da8T/rb+Pym\nu0PrREXJSXGdWjKIgvsTVUtT51ZFYWtqbpu2l43wh57KCt7Q57JRgKTPyNbHJS0Z\ngrB6fifvQMfzFMf+WKK4X7Z6VXFP1r2cwzRvywC4/d3ZSbJ4fP3g+nnl1623Pxfc\n/BkqyaDeRt2dBEa5I8+OvFkKC8muU99fWR/gPZkkWD4pFNwLPLnPfgdk3bUd7tjN\n/0ardVX9lRJog1CjXCHaUG9aq+WFrtr/tfW+kLff/P7k00E5zplqq9Oz6VUvRMmu\nNQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

data_bags/credentials/drone.json

@@ -1,23 +1,37 @@
 {
   "id": "drone",
   "client_id": {
-    "encrypted_data": "PHC6f0UJwuaxnhMhxUVhHMqauCu9aYDp3IFqVzsxEoEodKhg8pgTWS14T5E7\nVm4xlcR/CuLcOA==\n",
-    "iv": "on4hNp3g6pLsvfTE\n",
-    "auth_tag": "ytx40h2fsBHhDpyhwKbHog==\n",
+    "encrypted_data": "bfwxBJt+xNihifwXmjWK3dMDCcjZ1XgiWvqvK0Dj3zd8ZuDRZUwt++xdr/bT\n1wwz1i3udaxZqQ==\n",
+    "iv": "0Bioz/6QbDo5w8Ay\n",
+    "auth_tag": "lF8gragaEIrfR1g+Ka1Wnw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "client_secret": {
-    "encrypted_data": "HAKFqsrbL447wgropHz2rgHmyRl3G2d24svTT+TYMI0jtQFTQPZLxNZkl3ki\n42n7baNrfXN3IJeQRyxyihw0\n",
-    "iv": "pmdiLiFgSPNNP7dl\n",
-    "auth_tag": "4j98l+lZ0k4mLioJHS5VJw==\n",
+    "encrypted_data": "1TKFuk54DqP/5kAPIfjI2PNriOIJ0NdwV2ETZdF1O7Gt55WXvHSTupQLu0NG\nQkrSXXqdgDKvW2/P+d1W0NTQ\n",
+    "iv": "nBqEog1s/Z2cHnqU\n",
+    "auth_tag": "yBjz6GQ6K6bowih970e37w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "rpc_secret": {
-    "encrypted_data": "ll4f3ECLQTgJj47aeqnP0Ci1ncMYTwwFw1J46Qx3gPloA2YGPwlfa82Uck1k\neSHCTSNW\n",
-    "iv": "hP5Iq9zOjELUb9d8\n",
-    "auth_tag": "WJlme717tpgbWPcXwFzyvQ==\n",
+    "encrypted_data": "KBJHpfjw6aEuMoOJevkNRFA6NVF8w4cAxRsPRchN+qlLXPT1Kxql2uug8c0P\n1DdKeaZq\n",
+    "iv": "qj9C1PqC1OlDX6YR\n",
+    "auth_tag": "vgI5nxBEYnhwgJATykISJA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "database_secret": {
+    "encrypted_data": "W+tSV89+1Ue/sNm6+dOW06jFGrmPTt4RVR8A0GUJXZhGbqBBie3jWNW3ZeKg\nfEQTYP1j\n",
+    "iv": "Of9fVasrPT7451HD\n",
+    "auth_tag": "fuY65GQr4s3vR6E3OuZdzQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "postgresql_password": {
+    "encrypted_data": "KqoUOOkqBy9Sfrg5THVWyOdgd21aDjXlEqxVhX1OIcsv\n",
+    "iv": "iPDmnzOO1TWA1bO1\n",
+    "auth_tag": "8o+0nRewMEGeoH5/ZfGUuQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

nodes/akkounts-1.json

@@ -8,7 +8,7 @@
   "automatic": {
     "fqdn": "akkounts-1",
     "os": "linux",
-    "os_version": "5.4.0-90-generic",
+    "os_version": "5.4.0-100-generic",
     "hostname": "akkounts-1",
     "ipaddress": "192.168.122.160",
     "roles": [

nodes/centaurus.kosmos.org.json

@@ -8,13 +8,12 @@
   "automatic": {
     "fqdn": "centaurus.kosmos.org",
     "os": "linux",
-    "os_version": "5.4.0-42-generic",
+    "os_version": "5.4.0-99-generic",
     "hostname": "centaurus",
     "ipaddress": "78.46.59.98",
     "roles": [
       "gitea",
       "postgresql_client",
-      "discourse",
       "drone"
     ],
     "recipes": [
@@ -26,8 +25,6 @@
       "kosmos_gitea",
       "kosmos_gitea::default",
       "kosmos_gitea::backup",
-      "kosmos_discourse",
-      "kosmos_discourse::default",
       "kosmos_drone",
       "kosmos_drone::default",
       "kosmos_assets::nginx_site",
@@ -36,7 +33,6 @@
       "kosmos_website",
       "kosmos_website::default",
       "kosmos_zerotier::firewall",
-      "sockethub::_firewall",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -81,15 +77,7 @@
   },
   "run_list": [
     "recipe[kosmos-base]",
-    "recipe[kosmos_encfs]",
-    "role[gitea]",
-    "role[discourse]",
-    "role[drone]",
-    "recipe[kosmos_assets::nginx_site]",
     "recipe[kosmos_kvm::host]",
-    "recipe[kosmos-ejabberd::firewall]",
-    "recipe[kosmos_website::default]",
-    "recipe[kosmos_zerotier::firewall]",
-    "recipe[sockethub::_firewall]"
+    "recipe[kosmos_zerotier::firewall]"
   ]
-}
+}

nodes/discourse-2.json

@@ -0,0 +1,58 @@
+{
+  "name": "discourse-2",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.35"
+    }
+  },
+  "automatic": {
+    "fqdn": "discourse-2",
+    "os": "linux",
+    "os_version": "5.4.0-1058-kvm",
+    "hostname": "discourse-2",
+    "ipaddress": "192.168.122.104",
+    "roles": [
+      "discourse"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_discourse",
+      "kosmos_discourse::default",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default",
+      "chef-sugar::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.9.52",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "role[discourse]"
+  ]
+}

nodes/draco.kosmos.org.json

@@ -12,16 +12,13 @@
     "hostname": "draco",
     "ipaddress": "148.251.237.73",
     "roles": [
-      "postgresql_primary"
+
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_encfs",
       "kosmos_encfs::default",
-      "kosmos-postgresql",
-      "kosmos-postgresql::default",
-      "kosmos-postgresql::firewall_replicas",
       "kosmos_kvm::host",
       "kosmos-ejabberd::firewall",
       "kosmos-ipfs::firewall_swarm",
@@ -29,10 +26,12 @@
       "kosmos-bitcoin::firewall",
       "kosmos_zerotier::firewall",
       "kosmos-nginx::firewall",
+      "sockethub::firewall",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
       "ntp::default",
+      "ntp::apparmor",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",
@@ -43,8 +42,7 @@
       "postfix::sasl_auth",
       "hostname::default",
       "firewall::default",
-      "chef-sugar::default",
-      "build-essential::default"
+      "chef-sugar::default"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
@@ -69,6 +67,7 @@
     "recipe[kosmos-ipfs::firewall_public_gateway]",
     "recipe[kosmos-bitcoin::firewall]",
     "recipe[kosmos_zerotier::firewall]",
-    "recipe[kosmos-nginx::firewall]"
+    "recipe[kosmos-nginx::firewall]",
+    "recipe[sockethub::firewall]"
   ]
-}
+}

nodes/drone-1.json

@@ -1,25 +1,26 @@
 {
-  "name": "postgres-3",
+  "name": "drone-1",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.115"
+      "host": "10.1.1.128"
     }
   },
   "automatic": {
-    "fqdn": "postgres-3",
+    "fqdn": "drone-1",
     "os": "linux",
-    "os_version": "5.4.0-64-generic",
-    "hostname": "postgres-3",
-    "ipaddress": "192.168.122.96",
+    "os_version": "5.4.0-1058-kvm",
+    "hostname": "drone-1",
+    "ipaddress": "192.168.122.200",
     "roles": [
-      "postgresql_replica"
+      "drone",
+      "postgresql_client"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
-      "kosmos-postgresql::hostsfile",
-      "kosmos-postgresql::replica",
-      "kosmos-postgresql::firewall",
+      "kosmos_postgresql::hostsfile",
+      "kosmos_drone",
+      "kosmos_drone::default",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -40,17 +41,18 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "15.15.1",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.15.1/lib"
+        "version": "17.9.52",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
+        "chef_effortless": null
       },
       "ohai": {
-        "version": "15.12.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
       }
     }
   },
   "run_list": [
     "recipe[kosmos-base]",
-    "role[postgresql_replica]"
+    "role[drone]"
   ]
 }

nodes/ejabberd-7.json

@@ -1,16 +1,16 @@
 {
-  "name": "ejabberd-6",
+  "name": "ejabberd-7",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.145"
+      "host": "10.1.1.132"
     }
   },
   "automatic": {
-    "fqdn": "ejabberd-6",
+    "fqdn": "ejabberd-7",
     "os": "linux",
-    "os_version": "5.4.0-1049-kvm",
-    "hostname": "ejabberd-6",
-    "ipaddress": "192.168.122.248",
+    "os_version": "5.4.0-1058-kvm",
+    "hostname": "ejabberd-7",
+    "ipaddress": "192.168.122.25",
     "roles": [
       "ejabberd",
       "postgresql_client"
@@ -48,13 +48,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "17.9.26",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.26/lib",
+        "version": "17.9.52",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "17.9.1",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.1/lib/ohai"
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
       }
     }
   },

nodes/fornax.kosmos.org.json

@@ -2,7 +2,7 @@
   "name": "fornax.kosmos.org",
   "normal": {
     "knife_zero": {
-      "host": "fornax.kosmos.org"
+      "host": "10.1.1.187"
     }
   },
   "automatic": {
@@ -12,16 +12,23 @@
     "hostname": "fornax",
     "ipaddress": "148.251.83.201",
     "roles": [
-
+      "nginx_proxy"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::host",
+      "kosmos_assets::nginx_site",
+      "kosmos_discourse::nginx",
+      "kosmos_drone::nginx",
+      "kosmos_gitea::nginx",
+      "kosmos_website",
+      "kosmos_website::default",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
       "ntp::default",
+      "ntp::apparmor",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",
@@ -30,7 +37,20 @@
       "postfix::_common",
       "postfix::_attributes",
       "postfix::sasl_auth",
-      "hostname::default"
+      "hostname::default",
+      "kosmos-nginx::default",
+      "nginx::default",
+      "nginx::package",
+      "nginx::ohai_plugin",
+      "nginx::repo",
+      "nginx::commons",
+      "nginx::commons_dir",
+      "nginx::commons_script",
+      "nginx::commons_conf",
+      "kosmos-nginx::firewall",
+      "git::default",
+      "git::package",
+      "kosmos-base::letsencrypt"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
@@ -49,6 +69,7 @@
   },
   "run_list": [
     "recipe[kosmos-base]",
-    "recipe[kosmos_kvm::host]"
+    "recipe[kosmos_kvm::host]",
+    "role[nginx_proxy]"
   ]
 }

nodes/gitea-2.json

@@ -0,0 +1,61 @@
+{
+  "name": "gitea-2",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.21"
+    }
+  },
+  "automatic": {
+    "fqdn": "gitea-2",
+    "os": "linux",
+    "os_version": "5.4.0-1058-kvm",
+    "hostname": "gitea-2",
+    "ipaddress": "192.168.122.189",
+    "roles": [
+      "gitea",
+      "postgresql_client"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_postgresql::hostsfile",
+      "kosmos_gitea",
+      "kosmos_gitea::default",
+      "kosmos_gitea::backup",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "backup::default",
+      "logrotate::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.9.52",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "role[gitea]"
+  ]
+}

nodes/mastodon-3.json

@@ -1,16 +1,16 @@
 {
-  "name": "mastodon-1",
+  "name": "mastodon-3",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.156"
+      "host": "10.1.1.30"
     }
   },
   "automatic": {
-    "fqdn": "mastodon-1",
+    "fqdn": "mastodon-3",
     "os": "linux",
-    "os_version": "5.4.0-1050-kvm",
-    "hostname": "mastodon-1",
-    "ipaddress": "192.168.122.197",
+    "os_version": "5.4.0-1058-kvm",
+    "hostname": "mastodon-3",
+    "ipaddress": "192.168.122.161",
     "roles": [
       "mastodon",
       "postgresql_client"
@@ -39,17 +39,19 @@
       "kosmos-nodejs::default",
       "nodejs::nodejs_from_package",
       "nodejs::repo",
-      "kosmos-redis::default",
-      "redis::server",
-      "redis::default",
-      "backup::default",
-      "logrotate::default",
       "java::default",
       "java::set_attributes_from_version",
       "java::openjdk",
       "java::notify",
       "java::default_java_symlink",
       "java::set_java_home",
+      "redisio::default",
+      "redisio::_install_prereqs",
+      "redisio::install",
+      "ulimit::default",
+      "redisio::disable_os_default",
+      "redisio::configure",
+      "redisio::enable",
       "nodejs::npm",
       "nodejs::install",
       "kosmos-nginx::default",
@@ -63,6 +65,7 @@
       "nginx::commons_conf",
       "kosmos-nginx::firewall",
       "tor-full::default",
+      "poise-git::default",
       "git::default",
       "git::package",
       "kosmos-base::letsencrypt"
@@ -76,8 +79,8 @@
         "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
       },
       "chef": {
-        "version": "15.14.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.14.0/lib"
+        "version": "15.17.4",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.17.4/lib"
       }
     }
   },

nodes/nodejs-4.json

@@ -1,16 +1,16 @@
 {
-  "name": "nodejs-2",
+  "name": "nodejs-4",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.229"
+      "host": "10.1.1.138"
     }
   },
   "automatic": {
-    "fqdn": "nodejs-2",
+    "fqdn": "nodejs-4",
     "os": "linux",
-    "os_version": "5.4.0-1049-kvm",
-    "hostname": "nodejs-2",
-    "ipaddress": "192.168.122.243",
+    "os_version": "5.4.0-1058-kvm",
+    "hostname": "nodejs-4",
+    "ipaddress": "192.168.122.106",
     "roles": [
       "kredits_github",
       "sockethub"
@@ -39,14 +39,17 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
+      "redisio::default",
+      "redisio::_install_prereqs",
+      "redisio::install",
+      "ulimit::default",
+      "redisio::disable_os_default",
+      "redisio::configure",
+      "redisio::enable",
       "kosmos-nodejs::default",
       "nodejs::nodejs_from_package",
       "nodejs::repo",
-      "kosmos-redis::default",
-      "redis::server",
-      "redis::default",
-      "backup::default",
-      "logrotate::default",
+      "kosmos-hubot::_user",
       "kosmos-base::letsencrypt",
       "kosmos-nginx::default",
       "nginx::default",
@@ -60,7 +63,7 @@
       "kosmos-nginx::firewall",
       "nodejs::npm",
       "nodejs::install",
-      "sockethub::_firewall"
+      "sockethub::firewall"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
@@ -71,8 +74,8 @@
         "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
       },
       "chef": {
-        "version": "15.14.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.14.0/lib"
+        "version": "15.17.4",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.17.4/lib"
       }
     }
   },

nodes/postgres-2.json

@@ -19,6 +19,8 @@
       "kosmos-base::default",
       "kosmos_postgresql::primary",
       "kosmos_postgresql::firewall",
+      "kosmos_gitea::pg_db",
+      "kosmos_drone::pg_db",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",

nodes/rsk-mainnet-2.json

@@ -1,16 +1,16 @@
 {
-  "name": "rsk-mainnet-1",
+  "name": "rsk-mainnet-2",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.137"
+      "host": "10.1.1.75"
     }
   },
   "automatic": {
-    "fqdn": "rsk-mainnet-1",
+    "fqdn": "rsk-mainnet-2",
     "os": "linux",
-    "os_version": "5.4.0-1048-kvm",
-    "hostname": "rsk-mainnet-1",
-    "ipaddress": "192.168.122.233",
+    "os_version": "5.4.0-1058-kvm",
+    "hostname": "rsk-mainnet-2",
+    "ipaddress": "192.168.122.208",
     "roles": [
       "rskj_mainnet"
     ],
@@ -53,13 +53,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "17.6.18",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib",
+        "version": "17.9.52",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "17.6.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai"
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
       }
     }
   },

nodes/rsk-testnet-3.json

@@ -1,16 +1,16 @@
 {
-  "name": "rsk-testnet-2",
+  "name": "rsk-testnet-3",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.214"
+      "host": "10.1.1.175"
     }
   },
   "automatic": {
-    "fqdn": "rsk-testnet-2",
+    "fqdn": "rsk-testnet-3",
     "os": "linux",
-    "os_version": "5.4.0-1048-kvm",
-    "hostname": "rsk-testnet-2",
-    "ipaddress": "192.168.122.29",
+    "os_version": "5.4.0-1058-kvm",
+    "hostname": "rsk-testnet-3",
+    "ipaddress": "192.168.122.231",
     "roles": [
       "rskj_testnet"
     ],
@@ -53,13 +53,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "17.6.18",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib",
+        "version": "17.9.52",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "17.6.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai"
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
       }
     }
   },

nodes/zerotier-2.json

@@ -1,16 +1,16 @@
 {
-  "name": "zerotier-1",
+  "name": "zerotier-2",
   "normal": {
     "knife_zero": {
       "host": "10.1.1.147"
     }
   },
   "automatic": {
-    "fqdn": "zerotier-1",
+    "fqdn": "zerotier-2",
     "os": "linux",
-    "os_version": "5.4.0-1028-kvm",
-    "hostname": "zerotier-1",
-    "ipaddress": "192.168.122.72",
+    "os_version": "5.4.0-1026-kvm",
+    "hostname": "zerotier-2",
+    "ipaddress": "192.168.122.214",
     "roles": [
       "zerotier_controller"
     ],
@@ -40,12 +40,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "15.14.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.14.0/lib"
+        "version": "17.9.46",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.46/lib",
+        "chef_effortless": null
       },
       "ohai": {
-        "version": "15.12.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
       }
     }
   },
@@ -53,4 +54,4 @@
     "recipe[kosmos-base]",
     "role[zerotier_controller]"
   ]
-}
+}

nodes/zerotier-3.json

@@ -0,0 +1,67 @@
+{
+  "name": "zerotier-3",
+  "normal": {
+    "knife_zero": {
+      "host": "165.232.88.175"
+    }
+  },
+  "automatic": {
+    "fqdn": "zerotier-3",
+    "os": "linux",
+    "os_version": "5.4.0-99-generic",
+    "hostname": "zerotier-3",
+    "ipaddress": "165.232.88.175",
+    "roles": [
+      "zerotier_controller"
+    ],
+    "recipes": [
+      "kosmos_zerotier::controller",
+      "kosmos_zerotier::firewall",
+      "kosmos_zerotier::zncui",
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos-base::firewall",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": {
+      "public_ipv4_addrs": [
+        "165.232.88.175"
+      ],
+      "local_ipv4_addrs": [
+        "10.133.0.2"
+      ],
+      "provider": "digital_ocean",
+      "public_ipv4": "165.232.88.175",
+      "local_ipv4": "10.133.0.2"
+    },
+    "chef_packages": {
+      "chef": {
+        "version": "17.9.46",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.46/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[zerotier_controller]",
+    "recipe[kosmos-base]"
+  ]
+}

roles/drone.rb

@@ -1,5 +1,6 @@
 name "drone"
 
 run_list %w(
+  role[postgresql_client]
   kosmos_drone::default
 )

roles/nginx_proxy.rb

@@ -0,0 +1,15 @@
+name "nginx_proxy"
+
+default_run_list = %w(
+  kosmos_assets::nginx_site
+  kosmos_discourse::nginx
+  kosmos_drone::nginx
+  kosmos_gitea::nginx
+  kosmos_website::default
+)
+
+env_run_lists(
+  '_default' => default_run_list,
+  'development' => [],
+  'production' => default_run_list
+)

roles/postgresql_primary.rb

@@ -3,4 +3,6 @@ name "postgresql_primary"
 run_list %w(
   kosmos_postgresql::primary
   kosmos_postgresql::firewall
+  kosmos_gitea::pg_db
+  kosmos_drone::pg_db
 )

roles/sockethub.rb

@@ -1,5 +1,9 @@
 name "sockethub"
 
+default_attributes 'sockethub' => {
+  'version' => '5.0.0-alpha.1'
+}
+
 run_list %w(
   sockethub::default
   sockethub::proxy

site-cookbooks/kosmos-akkounts/recipes/default.rb

@@ -27,7 +27,7 @@ npm_package "yarn" do
   version "1.22.4"
 end
 
-ruby_version = "2.6.6"
+ruby_version = "2.7.5"
 bundle_path = "/opt/ruby_build/builds/#{ruby_version}/bin/bundle"
 rails_env = node.chef_environment == "development" ? "development" : "production"
 

site-cookbooks/kosmos-base/recipes/firewall.rb

@@ -2,27 +2,6 @@
 # Cookbook Name:: kosmos-base
 # Recipe:: firewall
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 # enable default firewall
 firewall 'default'

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -64,11 +64,11 @@ node.default['boltz']['rest_port'] = '9003'
 node.default['boltz']['no_macaroons'] = 'false'
 
 node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
-node.default['rtl']['revision'] = 'v0.11.0'
+node.default['rtl']['revision'] = 'v0.12.1'
 node.default['rtl']['host'] = '10.1.1.163'
 node.default['rtl']['port'] = '3000'
 
-node.default['lndhub']['repo'] = 'https://github.com/bumi/LndHub.git'
+node.default['lndhub']['repo'] = 'https://gitea.kosmos.org/kosmos/lndhub.git'
 node.default['lndhub']['revision'] = 'master'
 node.default['lndhub']['port'] = '3023'
 node.default['lndhub']['domain'] = 'lndhub.kosmos.org'

site-cookbooks/kosmos-hubot/metadata.rb

@@ -7,8 +7,8 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version          '0.2.0'
 
 depends 'kosmos-nodejs'
-depends 'kosmos-redis'
 depends 'firewall'
 depends 'application_javascript'
 depends 'kosmos-ipfs'
 depends 'git'
+depends 'redisio'

site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb

@@ -12,8 +12,9 @@ build_essential app_name do
   compile_time true
 end
 
+include_recipe 'redisio::default'
+include_recipe 'redisio::enable'
 include_recipe "kosmos-nodejs"
-include_recipe "kosmos-redis"
 
 application app_path do
   data_bag = Chef::EncryptedDataBagItem.load('credentials', app_name)

site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb

@@ -13,8 +13,10 @@ build_essential app_name do
   compile_time true
 end
 
+include_recipe 'redisio::default'
+include_recipe 'redisio::enable'
 include_recipe "kosmos-nodejs"
-include_recipe "kosmos-redis"
+include_recipe "kosmos-hubot::_user"
 
 application app_path do
   credentials = Chef::EncryptedDataBagItem.load('credentials', app_name)

site-cookbooks/kosmos-hubot/recipes/default.rb

@@ -3,8 +3,9 @@
 # Recipe:: default
 #
 
+include_recipe 'redisio::default'
+include_recipe 'redisio::enable'
 include_recipe "kosmos-nodejs"
-include_recipe "kosmos-redis"
 
 include_recipe "kosmos-hubot::_user"
 include_recipe "kosmos-hubot::hal8000"

site-cookbooks/kosmos-hubot/recipes/hal8000.rb

@@ -7,8 +7,9 @@ build_essential 'hal8000' do
   compile_time true
 end
 
+include_recipe 'redisio::default'
+include_recipe 'redisio::enable'
 include_recipe "kosmos-nodejs"
-include_recipe "kosmos-redis"
 include_recipe "kosmos-hubot::_user"
 
 unless node.chef_environment == "development"

site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb

@@ -12,8 +12,9 @@ build_essential app_name do
   compile_time true
 end
 
+include_recipe 'redisio::default'
+include_recipe 'redisio::enable'
 include_recipe "kosmos-nodejs"
-include_recipe "kosmos-redis"
 include_recipe "kosmos-hubot::_user"
 
 # Needed for hubot-kredits

site-cookbooks/kosmos-hubot/templates/default/nodejs.systemd.service.erb

@@ -1,8 +1,8 @@
 [Unit]
 Description=Start nodejs app
 <% unless @without_redis %>
-Requires=redis-server.service
-After=redis-server.service
+Requires=redis@6379.service
+After=redis@6379.service
 <% end %>
 
 [Service]

site-cookbooks/kosmos-mastodon/attributes/default.rb

@@ -9,6 +9,8 @@ node.default["kosmos-mastodon"]["sidekiq_threads"] = 25
 # Allocate this amount of RAM to the Java heap for Elasticsearch
 node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
 
+node.override["redisio"]["version"] = "6.2.6"
+
 node.override["tor"]["HiddenServices"]["mastodon"] = {
   "HiddenServicePorts" => ["80 127.0.0.1:80", "443 127.0.0.1:443"]
 }

site-cookbooks/kosmos-mastodon/metadata.rb

@@ -8,7 +8,7 @@ version          '0.2.1'
 
 depends "kosmos-nginx"
 depends "kosmos-nodejs"
-depends "kosmos-redis"
+depends 'redisio'
 depends "poise-ruby-build"
 depends "application"
 depends "application_git"

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -4,8 +4,9 @@
 #
 
 include_recipe "kosmos-nodejs"
-include_recipe "kosmos-redis"
 include_recipe "java"
+include_recipe 'redisio::default'
+include_recipe 'redisio::enable'
 
 elasticsearch_user 'elasticsearch'
 

site-cookbooks/kosmos-mastodon/templates/default/mastodon-sidekiq-scheduler.systemd.service.erb

@@ -1,14 +1,14 @@
 [Unit]
 Description=mastodon-sidekiq-scheduler
-Requires=redis-server.service
-After=redis-server.service
+Requires=redis@6379.service
+After=redis@6379.service
 
 [Service]
 Type=simple
 User=<%= @user %>
 WorkingDirectory=<%= @app_dir %>
 Environment="RAILS_ENV=production"
-Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1"
+Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
 ExecStart=<%= @bundle_path %> exec sidekiq -c <%= @sidekiq_threads %> -q scheduler
 TimeoutSec=15
 Restart=always

site-cookbooks/kosmos-mastodon/templates/default/mastodon-sidekiq.systemd.service.erb

@@ -1,7 +1,7 @@
 [Unit]
 Description=mastodon-sidekiq
-Requires=redis-server.service
-After=redis-server.service
+Requires=redis@6379.service
+After=redis@6379.service
 
 [Service]
 Type=simple
@@ -9,7 +9,7 @@ User=<%= @user %>
 WorkingDirectory=<%= @app_dir %>
 Environment="RAILS_ENV=production"
 Environment="DB_POOL=50"
-Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1"
+Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
 ExecStart=<%= @bundle_path %> exec sidekiq -c <%= @sidekiq_threads %> -q default -q mailers -q pull -q push
 TimeoutSec=15
 Restart=always

site-cookbooks/kosmos-mastodon/templates/default/mastodon-web.systemd.service.erb

@@ -1,7 +1,7 @@
 [Unit]
 Description=mastodon-web
-Requires=redis-server.service
-After=redis-server.service
+Requires=redis@6379.service
+After=redis@6379.service
 
 [Service]
 Type=simple
@@ -10,7 +10,7 @@ PIDFile=<%= @app_dir %>/tmp/puma.pid
 WorkingDirectory=<%= @app_dir %>
 Environment="RAILS_ENV=production"
 Environment="PORT=3000"
-Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1"
+Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
 ExecStart=<%= @bundle_path %> exec puma -C config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid
 ExecStop=<%= @bundle_path %> exec puma -C config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid stop
 ExecReload=<%= @bundle_path %> exec pumactl -F config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid phased-restart

site-cookbooks/kosmos-nginx/recipes/default.rb

@@ -2,27 +2,6 @@
 # Cookbook Name:: kosmos-nginx
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 node.override['nginx']['default_site_enabled'] = false
 node.override['nginx']['server_tokens']        = 'off'
@@ -86,3 +65,17 @@ end
 unless node.chef_environment == "development"
   include_recipe "kosmos-nginx::firewall"
 end
+
+ruby_block "nginx configuration" do
+  block do
+    file = Chef::Util::FileEdit.new("/etc/nginx/nginx.conf")
+    file.insert_line_if_no_match(/stream {/, <<-EOF
+stream {
+  include /etc/nginx/streams-enabled/*;
+}
+    EOF
+    )
+    file.write_file
+  end
+  notifies :reload, 'ohai[reload_nginx]', :immediately
+end

site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb

@@ -9,6 +9,8 @@ property :site, String
 action :create do
   return if node.chef_environment == "development"
 
+  package "snapd"
+
   domain = new_resource.domain
   site = new_resource.site || domain
   root_directory = "/var/www/#{domain}"

site-cookbooks/kosmos-nodejs/recipes/default.rb

@@ -2,29 +2,8 @@
 # Cookbook Name:: kosmos-nodejs
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
-node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_12.x"
+node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_14.x"
 # Allows upgrading
 node.override["nodejs"]["package_action"]["nodejs"] = :upgrade
 include_recipe "nodejs::nodejs_from_package"

site-cookbooks/kosmos_discourse/metadata.rb

@@ -8,3 +8,4 @@ version '0.1.0'
 chef_version '>= 14.0'
 
 depends "kosmos-nginx"
+depends 'firewall'

site-cookbooks/kosmos_discourse/recipes/default.rb

@@ -2,37 +2,15 @@
 # Cookbook:: kosmos_discourse
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 package "docker-compose"
-domain = "community.kosmos.org"
 deploy_path = "/opt/discourse"
 
 repo = "https://github.com/discourse/discourse_docker"
 
 git deploy_path do
   repository repo
-  revision "master"
+  revision "main"
 end
 
 systemd_unit "discourse.service" do
@@ -55,20 +33,11 @@ systemd_unit "discourse.service" do
   action [:create, :enable]
 end
 
-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
-  source "nginx_conf.erb"
-  owner 'www-data'
-  mode 0640
-  variables server_name:   domain,
-            ssl_cert:      "/etc/letsencrypt/live/#{domain}/fullchain.pem",
-            ssl_key:       "/etc/letsencrypt/live/#{domain}/privkey.pem",
-            upstream_port: 3001
+include_recipe 'firewall'
 
-  notifies :reload, 'service[nginx]', :delayed
+firewall_rule 'discourse' do
+  port     [3001]
+  source   "10.1.1.0/24"
+  protocol :tcp
+  command  :allow
 end
-
-nginx_site domain do
-  action :enable
-end
-
-nginx_certbot_site domain

site-cookbooks/kosmos_discourse/recipes/nginx.rb

@@ -0,0 +1,34 @@
+#
+# Cookbook:: kosmos_discourse
+# Recipe:: nginx
+#
+
+include_recipe "kosmos-nginx"
+
+domain = "community.kosmos.org"
+
+upstream_ip_addresses = []
+search(:node, "role:discourse").each do |n|
+  upstream_ip_addresses << n["knife_zero"]["host"]
+end
+# No Discourse host, stop here
+return if upstream_ip_addresses.empty?
+
+nginx_certbot_site domain
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+  source "nginx_conf.erb"
+  owner 'www-data'
+  mode 0640
+  variables server_name:           domain,
+            ssl_cert:              "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:               "/etc/letsencrypt/live/#{domain}/privkey.pem",
+            upstream_port:         3001,
+            upstream_ip_addresses: upstream_ip_addresses
+
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+  action :enable
+end

site-cookbooks/kosmos_discourse/templates/nginx_conf.erb

@@ -1,6 +1,8 @@
 # Generated by Chef
 upstream _discourse {
-  server   localhost:<%= @upstream_port %>;
+  <% @upstream_ip_addresses.each do |upstream_ip_address| -%>
+  server   <%= upstream_ip_address %>:<%= @upstream_port %>;
+  <% end -%>
 }
 
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
@@ -16,7 +18,6 @@ server {
 
   # Send real IP to the Docker container
   set_real_ip_from 127.0.0.1;
-  set_real_ip_from 172.17.0.1;
   real_ip_header X-Forwarded-For;
 
   client_max_body_size 20M;

site-cookbooks/kosmos_drone/attributes/default.rb

@@ -0,0 +1,2 @@
+node.default["kosmos_drone"]["domain"] = "drone.kosmos.org"
+node.default["kosmos_drone"]["upstream_port"] = 80

site-cookbooks/kosmos_drone/metadata.rb

@@ -7,5 +7,6 @@ long_description 'Installs/Configures kosmos_drone'
 version '0.1.0'
 chef_version '>= 14.0'
 
+depends "firewall"
 depends "kosmos-nginx"
 depends "kosmos_gitea"

site-cookbooks/kosmos_drone/recipes/default.rb

@@ -4,10 +4,17 @@
 #
 
 package "docker-compose"
-domain = "drone.kosmos.org"
 deploy_path = "/opt/drone"
-upstream_port = 3002
 credentials = data_bag_item("credentials", "drone")
+drone_credentials = data_bag_item('credentials', 'drone')
+
+postgres_config = {
+  username: "drone",
+  password: drone_credentials["postgresql_password"],
+  host: "pg.kosmos.local",
+  port: 5432,
+  database: "drone"
+}
 
 directory deploy_path do
   action :create
@@ -17,13 +24,16 @@ template "#{deploy_path}/docker-compose.yml" do
   source "docker-compose.yml.erb"
   sensitive true
   mode 0640
-  variables upstream_port: upstream_port,
-            domain: domain,
+  variables domain: node["kosmos_drone"]["domain"],
+            upstream_port: node["kosmos_drone"]["upstream_port"],
             gitea_server: "https://#{node["kosmos_gitea"]["nginx"]["domain"]}",
             client_id: credentials['client_id'],
             client_secret: credentials['client_secret'],
             rpc_secret: credentials['rpc_secret'],
+            database_secret: credentials['database_secret'],
+            postgres: postgres_config,
             max_procs: 4
+  notifies :restart, "systemd_unit[drone.service]", :delayed
 end
 
 systemd_unit "drone.service" do
@@ -45,20 +55,9 @@ systemd_unit "drone.service" do
   action [:create, :enable, :start]
 end
 
-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
-  source "nginx_conf.erb"
-  owner 'www-data'
-  mode 0640
-  variables server_name:   domain,
-            ssl_cert:      "/etc/letsencrypt/live/#{domain}/fullchain.pem",
-            ssl_key:       "/etc/letsencrypt/live/#{domain}/privkey.pem",
-            upstream_port: upstream_port
-
-  notifies :reload, 'service[nginx]', :delayed
+firewall_rule 'drone' do
+  port     [node["kosmos_drone"]["upstream_port"]]
+  source   "10.1.1.0/24" # TODO only allow nginx proxy IPs
+  protocol :tcp
+  command  :allow
 end
-
-nginx_site domain do
-  action :enable
-end
-
-nginx_certbot_site domain

site-cookbooks/kosmos_drone/recipes/nginx.rb

@@ -0,0 +1,32 @@
+#
+# Cookbook:: kosmos_drone
+# Recipe:: nginx
+#
+
+domain = node["kosmos_drone"]["domain"]
+
+upstream_ip_addresses = []
+search(:node, "role:drone").each do |n|
+  upstream_ip_addresses << n["knife_zero"]["host"]
+end
+# No Discourse host, stop here
+return if upstream_ip_addresses.empty?
+
+nginx_certbot_site domain
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+  source "nginx_conf.erb"
+  owner 'www-data'
+  mode 0640
+  variables server_name:   domain,
+            upstream_ip_addresses: upstream_ip_addresses,
+            upstream_port: node["kosmos_drone"]["upstream_port"],
+            ssl_cert:      "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:       "/etc/letsencrypt/live/#{domain}/privkey.pem"
+
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+  action :enable
+end

site-cookbooks/kosmos_drone/recipes/pg_db.rb

@@ -0,0 +1,16 @@
+#
+# Cookbook:: kosmos_drone
+# Recipe:: pg_db
+#
+
+drone_credentials = data_bag_item("credentials", "drone")
+
+postgresql_user "drone" do
+  action :create
+  password drone_credentials["postgresql_password"]
+end
+
+postgresql_database "drone" do
+  owner "drone"
+  action :create
+end

site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb

@@ -2,7 +2,7 @@ version: '3'
 
 services:
   drone-server:
-    image: drone/drone:2.5
+    image: drone/drone:2.11
 
     ports:
       - "<%= @upstream_port %>:80"
@@ -17,6 +17,9 @@ services:
       - DRONE_SERVER_HOST=<%= @domain %>
       - DRONE_SERVER_PROTO=https # required for the Redirect URI to be built correctly
       - DRONE_RPC_SECRET=<%= @rpc_secret %>
+      - DRONE_DATABASE_DRIVER=postgres
+      - DRONE_DATABASE_DATASOURCE=postgres://<%= @postgres[:username] %>:<%= @postgres[:password] %>@<%= @postgres[:host] %>:<%= @postgres[:port] %>/<%= @postgres[:database] %>?sslmode=disable
+      - DRONE_DATABASE_SECRET=<%= @database_secret %>
 
   drone-runner:
     image: drone/drone-runner-docker:1.8

site-cookbooks/kosmos_drone/templates/nginx_conf.erb

@@ -1,7 +1,9 @@
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 # Generated by Chef
 upstream _drone {
-  server   localhost:<%= @upstream_port %>;
+  <% @upstream_ip_addresses.each do |upstream_ip_address| -%>
+  server   <%= upstream_ip_address %>:<%= @upstream_port %>;
+  <% end -%>
 }
 
 server {

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,6 +1,13 @@
-gitea_version = "1.16.1"
+gitea_version = "1.16.3"
 node.default["kosmos_gitea"]["version"] = gitea_version
 node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["kosmos_gitea"]["binary_checksum"] = "f03f3a3c4dccc2219351cde5c9af372715b2ec3e88a821779702bc6f38084c97"
+node.default["kosmos_gitea"]["binary_checksum"] = "626c7da554efcfd3abd88b0355e3adf55d7f0941a01e058b2d4f5923d0d5b7c3"
 node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
 node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"
+node.default["kosmos_gitea"]["port"] = 3000
+
+node.default["kosmos_gitea"]["config"] = {
+  "webhook":  {
+    "allowed_host_list" => "external,127.0.1.1"
+  }
+}

site-cookbooks/kosmos_gitea/metadata.rb

@@ -19,6 +19,7 @@ chef_version '>= 14.0'
 #
 # source_url 'https://github.com/<insert_org_here>/kosmos_gitea'
 
+depends "firewall"
 depends "kosmos-nginx"
 depends "kosmos_postgresql"
 depends "backup"

site-cookbooks/kosmos_gitea/recipes/backup.rb

@@ -4,26 +4,7 @@
 #
 # The MIT License (MIT)
 #
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
+
 unless node.chef_environment == "development"
   # backup the data dir and the config files
   node.override["backup"]["archives"]["gitea"] = [node["kosmos_gitea"]["working_directory"]]

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -3,9 +3,6 @@
 # Recipe:: default
 #
 
-include_recipe "kosmos-nginx"
-
-domain                    = node["kosmos_gitea"]["nginx"]["domain"]
 working_directory         = node["kosmos_gitea"]["working_directory"]
 git_home_directory        = "/home/git"
 repository_root_directory = "#{git_home_directory}/gitea-repositories"
@@ -63,15 +60,17 @@ directory config_directory do
   mode "0750"
 end
 
-# Copy the self-signed root certificate to the system certificate store. Gitea
-# will find it there automatically
-postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
-root_cert_path = "/etc/ssl/certs/root.kosmos.org.crt"
-file root_cert_path do
-  content postgresql_data_bag_item['ssl_root_cert']
-  mode "0644"
+nginx_proxy_ip_addresses = []
+search(:node, "role:nginx_proxy").each do |node|
+  nginx_proxy_ip_addresses << node["knife_zero"]["host"]
 end
 
+node.default["kosmos_gitea"]["config"] = {
+  "webhook":  {
+    "allowed_host_list" => "external,#{nginx_proxy_ip_addresses.join(",")}"
+  }
+}
+
 template "#{config_directory}/app.ini" do
   source "app.ini.erb"
   owner "git"
@@ -90,7 +89,8 @@ template "#{config_directory}/app.ini" do
             postgresql_password: gitea_data_bag_item["postgresql_password"],
             smtp_host: smtp_credentials["relayhost"],
             smtp_user: smtp_credentials["user_name"],
-            smtp_password: smtp_credentials["password"]
+            smtp_password: smtp_credentials["password"],
+            config: node["kosmos_gitea"]["config"]
   notifies :restart, "service[gitea]", :delayed
 end
 
@@ -118,20 +118,16 @@ service "gitea" do
   action [:enable, :start]
 end
 
-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
-  source "nginx_conf.erb"
-  owner 'www-data'
-  mode 0640
-  variables server_name:   domain,
-            ssl_cert:      "/etc/letsencrypt/live/#{domain}/fullchain.pem",
-            ssl_key:       "/etc/letsencrypt/live/#{domain}/privkey.pem",
-            upstream_port: 3000
-
-  notifies :reload, 'service[nginx]', :delayed
+firewall_rule 'gitea' do
+  port     [node["kosmos_gitea"]["port"]]
+  source   "10.1.1.0/24" # TODO only allow nginx proxy IPs
+  protocol :tcp
+  command  :allow
 end
 
-nginx_site domain do
-  action :enable
+# Hack-fix until we can disable auto-generation of archives
+# TODO https://gitea.kosmos.org/kosmos/chef/issues/395
+cron 'delete auto-generated repo file archives' do
+  minute '*/15'
+  command 'rm -rf /var/lib/gitea/data/repo-archive/* >/dev/null 2>&1'
 end
-
-nginx_certbot_site domain

site-cookbooks/kosmos_gitea/recipes/nginx.rb

@@ -0,0 +1,52 @@
+#
+# Cookbook:: kosmos_gitea
+# Recipe:: nginx
+#
+
+include_recipe "kosmos-nginx"
+
+domain  = node["kosmos_gitea"]["nginx"]["domain"]
+
+# upstream_ip_addresses = []
+# search(:node, "role:gitea").each do |n|
+#   upstream_ip_addresses << n["knife_zero"]["host"]
+# end
+begin
+  upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"]
+rescue
+  Chef::Log.warn('No server with "gitea" role. Stopping here.')
+  return
+end
+
+nginx_certbot_site domain
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+  source "nginx_conf_web.erb"
+  owner 'www-data'
+  mode 0640
+  variables server_name:   domain,
+            ssl_cert:      "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:       "/etc/letsencrypt/live/#{domain}/privkey.pem",
+            upstream_host: upstream_ip_address,
+            upstream_port: node["kosmos_gitea"]["port"]
+
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+  action :enable
+end
+
+template "#{node['nginx']['dir']}/streams-available/ssh" do
+  source "nginx_conf_ssh.erb"
+  owner 'www-data'
+  mode 0640
+  variables domain: domain,
+            upstream_host: upstream_ip_address
+
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_stream "ssh" do
+  action :enable
+end

site-cookbooks/kosmos_gitea/recipes/pg_db.rb

@@ -2,7 +2,6 @@
 # Cookbook:: kosmos_gitea
 # Recipe:: pg_db
 #
-# Copyright:: 2020, Kosmos Developers, All Rights Reserved.
 
 gitea_data_bag_item = data_bag_item("credentials", "gitea")
 

site-cookbooks/kosmos_gitea/templates/default/app.ini.erb

@@ -44,10 +44,6 @@ FROM = gitea@kosmos.org
 USER = <%= @smtp_user %>
 PASSWD = <%= @smtp_password %>
 
-[oauth2]
-JWT_SECRET = <%= @jwt_secret %>
-JWT_SIGNING_ALGORITHM = HS256
-
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>
 INSTALL_LOCK   = true
@@ -85,3 +81,8 @@ ALLOWED_TYPES = image/gif|image/jpeg|image/png|application/zip|application/gzip
 MAX_SIZE = 10
 ; ; Max number of files per upload. Defaults to 5
 MAX_FILES = 5
+
+<% if c = @config["webhook"] %>
+[webhook]
+<% if c["allowed_host_list"] %>ALLOWED_HOST_LIST = <%= c["allowed_host_list"] %><% end %>
+<% end %>

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb

@@ -0,0 +1,8 @@
+upstream _gitea_ssh {
+  server <%= @upstream_host %>:22;
+}
+
+server {
+  listen 148.251.83.201:22;
+  proxy_pass _gitea_ssh;
+}

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb

@@ -1,6 +1,6 @@
 # Generated by Chef
-upstream _gitea {
-  server   localhost:<%= @upstream_port %>;
+upstream _gitea_web {
+  server   <%= @upstream_host %>:<%= @upstream_port %>;
 }
 
 server {
@@ -26,14 +26,14 @@ server {
 
   location ~ ^/(avatars|repo-avatars)/.*$ {
     proxy_buffers 1024 8k;
-    proxy_pass http://_gitea;
+    proxy_pass http://_gitea_web;
     proxy_http_version 1.1;
     expires 30d;
   }
 
   location / {
     proxy_buffers 1024 8k;
-    proxy_pass http://_gitea;
+    proxy_pass http://_gitea_web;
     proxy_http_version 1.1;
   }
 }

site-cookbooks/kosmos_kvm/recipes/host.rb

@@ -24,3 +24,9 @@ cookbook_file "/usr/local/sbin/create_vm" do
   source "create_vm"
   mode "0750"
 end
+
+firewall_rule 'ssh-alt-port' do
+  port     [2222]
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos_rsk/attributes/default.rb

@@ -1,2 +1,2 @@
-node.default['rskj']['version'] = '3.0.1~focal'
+node.default['rskj']['version'] = '3.2.0~focal'
 node.default['rskj']['network'] = 'testnet'

site-cookbooks/kosmos_website/metadata.rb

@@ -8,3 +8,4 @@ version '1.0.0'
 chef_version '>= 15.10' if respond_to?(:chef_version)
 
 depends "kosmos-nginx"
+depends 'git'

site-cookbooks/kosmos_website/recipes/default.rb

@@ -4,6 +4,7 @@
 #
 
 include_recipe "kosmos-nginx"
+include_recipe "git"
 
 domain = node["kosmos_website"]["domain"]
 

site-cookbooks/kosmos_zerotier/attributes/default.rb

@@ -3,4 +3,4 @@ node.default['kosmos_zerotier']['server_port'] = 9993
 node.default['ztncui']['version'] = '0.6.6'
 node.default['ztncui']['checksum'] = 'fa83679266a571c10e13b11293ebfb9d1c3515019f2af1e7dd066b5a37411018'
 node.default['ztncui']['http_all_interfaces'] = true
-node.default['ztncui']['http_allow_access_from'] = '10.1.1.0/24'
+node.default['ztncui']['http_allow_access_from'] = ['10.1.1.0/24','10.2.2.0/24']

site-cookbooks/kosmos_zerotier/recipes/zncui.rb

@@ -28,11 +28,13 @@ end
 
 include_recipe 'kosmos-base::firewall'
 
-if node['ztncui']['http_allow_access_from']
-  firewall_rule 'zncui_http' do
-    port     3000
-    protocol :tcp
-    command  :allow
-    source   node['ztncui']['http_allow_access_from']
+if ip_addresses = node['ztncui']['http_allow_access_from']
+  ip_addresses.each_with_index do |ip_address, i|
+    firewall_rule "zncui_http_#{i}" do
+      port     3000
+      protocol :tcp
+      command  :allow
+      source   ip_address
+    end
   end
 end

site-cookbooks/sockethub/metadata.rb

@@ -6,7 +6,7 @@ description      'Installs/Configures sockethub'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version          '0.2.0'
 
-depends 'kosmos-redis'
+depends 'firewall'
+depends 'redisio'
 depends 'kosmos-nodejs'
 depends 'kosmos-nginx'
-depends 'firewall'

site-cookbooks/sockethub/recipes/_firewall.rb

@@ -1,36 +0,0 @@
-#
-# Cookbook Name:: sockethub
-# Recipe:: _firewall
-#
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-unless node.chef_environment == "development"
-  include_recipe "kosmos-base::firewall"
-
-  firewall_rule 'sockethub' do
-    port     node['sockethub']['external_port'].to_i
-    protocol :tcp
-    command  :allow
-  end
-end
-

site-cookbooks/sockethub/recipes/default.rb

@@ -2,30 +2,10 @@
 # Cookbook Name:: sockethub
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
+include_recipe 'redisio::default'
+include_recipe 'redisio::enable'
 include_recipe 'kosmos-nodejs'
-include_recipe 'kosmos-redis'
 
 user  = "sockethub"
 group = "sockethub"
@@ -67,8 +47,8 @@ systemd_unit "sockethub_nodejs.service" do
   content <<-EOF
 [Unit]
 Description=Start sockethub
-Requires=redis-server.service
-After=redis-server.service
+Requires=redis@6379.service
+After=redis@6379.service
 
 [Service]
 ExecStart=#{entry}

site-cookbooks/sockethub/recipes/firewall.rb

@@ -0,0 +1,14 @@
+#
+# Cookbook Name:: sockethub
+# Recipe:: firewall
+#
+
+unless node.chef_environment == "development"
+  include_recipe "kosmos-base::firewall"
+
+  firewall_rule 'sockethub' do
+    port     node['sockethub']['external_port'].to_i
+    protocol :tcp
+    command  :allow
+  end
+end

site-cookbooks/sockethub/recipes/proxy.rb

@@ -2,29 +2,8 @@
 # Cookbook Name:: sockethub
 # Recipe:: proxy
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
-include_recipe 'sockethub::_firewall'
+include_recipe 'sockethub::firewall'
 include_recipe 'kosmos-nginx'
 include_recipe "kosmos-base::letsencrypt"