Add sensitive attribute to resource with credentials

We use peerswap these days, and the build process for boltz was made
much more complicated at some point. Not worth upgrading for us.

.gitmodules

@@ -4,3 +4,9 @@
 [submodule "site-cookbooks/openresty"]
 	path = site-cookbooks/openresty
 	url = https://github.com/67P/chef-openresty.git
+[submodule "site-cookbooks/strfry"]
+	path = site-cookbooks/strfry
+	url = git@gitea.kosmos.org:kosmos/strfry-cookbook.git
+[submodule "site-cookbooks/deno"]
+	path = site-cookbooks/deno
+	url = git@gitea.kosmos.org:kosmos/deno-cookbook.git

clients/strfry-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "strfry-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDV/RMGMXVDbvoA6PNh8\nQzhtHwYDCFcUSkbrwP6tzh6GpVunGEOdOdhj2V63T2tF1H+lujxQXh5pK7C0D6VZ\niO04ftJlo7/svyxUcwWr+znyN5sFdQRh3cBZiGSBYolizwoqgtPFlbNhmWAzV0Du\n9t8mhz70IK3B+UdwWyHtoK0NNsJGnQ9YzAvcjyDmEO/3sCjAhNnxVpmXftpcSmd9\nMonzFtIDBbRRll4AHZYRbmXCzx63+VmelvdnufnbY82liol0zzBwJaBD1wyNlG0y\ni96p3Kx03bLNlIaYVGbjZeJi+6oo2VDWJ4OloLLAYoHDSipeHT9qWfUdnE6ge4Lm\nywIDAQAB\n-----END PUBLIC KEY-----\n"
+}

data_bags/credentials/dirsrv.json

@@ -1,9 +1,30 @@
 {
   "id": "dirsrv",
+  "admin_dn": {
+    "encrypted_data": "zRtz6Scb9WtUXGyjc0xyvsre0YvqupuaFz+RPApj7DEQTmYyZPVb\n",
+    "iv": "xfIXMhEBHBWqa4Dz\n",
+    "auth_tag": "BcA32u1njcnCZ+yrBGSceQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
   "admin_password": {
-    "encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
-    "iv": "KNW2B8tpX7ywZwbg\n",
-    "auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
+    "encrypted_data": "7JpXl3JZDqKWDfYt/wuNbkbob+oRuONhkuAlpqUCCEIn+tY=\n",
+    "iv": "Lcwc4NDzrfcBaIKQ\n",
+    "auth_tag": "rrePS3Bhdnwbr2d/o8vMhg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "service_dn": {
+    "encrypted_data": "sqRFiZreLeTPQljSfhAuV3DmsPxSC8tzWjCdu+WSSbO67sBQA+xhmGtzBhBD\nDZPGJw+jtAxzuVvPdAjxgAVgxXO6C6WEo87L1tdJewE=\n",
+    "iv": "GUEGtyRJXrPhWcUs\n",
+    "auth_tag": "2USsrx//3V7RCyumGCbMkg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "service_password": {
+    "encrypted_data": "f2wi8B8SEt6p5G0TF3dZ72j0vMFlvwcP1suxYnshBA==\n",
+    "iv": "rOnUoxbnkaJtodM+\n",
+    "auth_tag": "dVLCtBVMjxLfW2D8XjJBdQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

environments/production.json

@@ -14,7 +14,8 @@
         "public_key": "024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946"
       },
       "nostr": {
-        "public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
+        "public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
+        "relay_url": "wss://nostr.kosmos.org"
       }
     },
     "discourse": {
@@ -101,6 +102,20 @@
     },
     "sentry": {
       "allowed_ips": "10.1.1.0/24"
+    },
+    "strfry": {
+      "domain": "nostr.kosmos.org",
+      "real_ip_header": "x-real-ip",
+      "policy_path": "/opt/strfry/strfry-policy.ts",
+      "whitelist_pubkeys": [
+        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
+      ],
+      "info": {
+        "name": "Kosmos Relay",
+        "description": "Members-only nostr relay for kosmos.org users",
+        "pubkey": "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb",
+        "contact": "ops@kosmos.org"
+      }
     }
   }
 }

nodes/bitcoin-2.json

@@ -33,7 +33,6 @@
       "kosmos-bitcoin::c-lightning",
       "kosmos-bitcoin::lnd",
       "kosmos-bitcoin::lnd-scb-s3",
-      "kosmos-bitcoin::boltz",
       "kosmos-bitcoin::rtl",
       "kosmos-bitcoin::peerswap-lnd",
       "kosmos_postgresql::hostsfile",

nodes/draco.kosmos.org.json

@@ -54,8 +54,10 @@
       "kosmos_liquor-cabinet::nginx",
       "kosmos_rsk::nginx_testnet",
       "kosmos_rsk::nginx_mainnet",
+      "kosmos_strfry::nginx",
       "kosmos_website",
       "kosmos_website::default",
+      "kosmos_website::redirects",
       "kosmos-akkounts::nginx",
       "kosmos-akkounts::nginx_api",
       "kosmos-bitcoin::nginx_lndhub",

nodes/fornax.kosmos.org.json

@@ -48,8 +48,10 @@
       "kosmos_liquor-cabinet::nginx",
       "kosmos_rsk::nginx_testnet",
       "kosmos_rsk::nginx_mainnet",
+      "kosmos_strfry::nginx",
       "kosmos_website",
       "kosmos_website::default",
+      "kosmos_website::redirects",
       "kosmos-akkounts::nginx",
       "kosmos-akkounts::nginx_api",
       "kosmos-bitcoin::nginx_lndhub",

nodes/strfry-1.json

@@ -0,0 +1,66 @@
+{
+  "name": "strfry-1",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.164"
+    }
+  },
+  "automatic": {
+    "fqdn": "strfry-1",
+    "os": "linux",
+    "os_version": "5.15.0-1060-kvm",
+    "hostname": "strfry-1",
+    "ipaddress": "192.168.122.54",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "strfry",
+      "ldap_client"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos-dirsrv::hostsfile",
+      "strfry",
+      "strfry::default",
+      "kosmos_strfry::policies",
+      "kosmos_strfry::firewall",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "deno::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.4.12",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.1.11",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[strfry]"
+  ]
+}

roles/lnd.rb

@@ -3,7 +3,6 @@ name "lnd"
 run_list %w(
   kosmos-bitcoin::lnd
   kosmos-bitcoin::lnd-scb-s3
-  kosmos-bitcoin::boltz
   kosmos-bitcoin::rtl
   kosmos-bitcoin::peerswap-lnd
 )

roles/openresty_proxy.rb

@@ -28,7 +28,9 @@ production_run_list = %w(
   kosmos_liquor-cabinet::nginx
   kosmos_rsk::nginx_testnet
   kosmos_rsk::nginx_mainnet
+  kosmos_strfry::nginx
   kosmos_website::default
+  kosmos_website::redirects
   kosmos-akkounts::nginx
   kosmos-akkounts::nginx_api
   kosmos-bitcoin::nginx_lndhub

roles/strfry.rb

@@ -0,0 +1,8 @@
+name "strfry"
+
+run_list %w(
+  role[ldap_client]
+  strfry::default
+  kosmos_strfry::policies
+  kosmos_strfry::firewall
+)

site-cookbooks/deno

@@ -0,0 +1 @@
+Subproject commit 617f7959abda045326c8f06f1c1bcedbaa7c7285

site-cookbooks/kosmos-akkounts/attributes/default.rb

@@ -22,6 +22,7 @@ node.default['akkounts']['lndhub']['public_key'] = nil
 node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
 
 node.default['akkounts']['nostr']['public_key'] = nil
+node.default['akkounts']['nostr']['relay_url'] = nil
 
 node.default['akkounts']['s3_enabled'] = true
 node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org"

site-cookbooks/kosmos-akkounts/recipes/default.rb

@@ -163,6 +163,7 @@ env[:mediawiki_public_url] = node['mediawiki']['url']
 
 env[:nostr_private_key] = credentials['nostr_private_key']
 env[:nostr_public_key] = node['akkounts']['nostr']['public_key']
+env[:nostr_relay_url] = node['akkounts']['nostr']['relay_url']
 
 #
 # remoteStorage / Liquor Cabinet

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '26.0'
-node.default['bitcoin']['checksum']  = 'ab1d99276e28db62d1d9f3901e85ac358d7f1ebcb942d348a9c4e46f0fcdc0a1'
+node.default['bitcoin']['version']   = '28.0'
+node.default['bitcoin']['checksum']  = '700ae2d1e204602eb07f2779a6e6669893bc96c0dca290593f80ff8e102ff37f'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'
@@ -24,7 +24,8 @@ node.default['bitcoin']['conf'] = {
   rpcbind: "127.0.0.1:8332",
   gen: 0,
   zmqpubrawblock: 'tcp://127.0.0.1:8337',
-  zmqpubrawtx: 'tcp://127.0.0.1:8338'
+  zmqpubrawtx: 'tcp://127.0.0.1:8338',
+  deprecatedrpc: 'warnings' # TODO remove when upgrading to LND 0.18.4
 }
 
 # Also enables Tor for LND
@@ -40,7 +41,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.17.3-beta'
+node.default['lnd']['revision'] = 'v0.18.3-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -58,19 +59,8 @@ node.default['lnd']['tor'] = {
   'skip-proxy-for-clearnet-targets' => 'true'
 }
 
-node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
-node.default['boltz']['revision'] = 'v1.2.7'
-node.default['boltz']['source_dir'] = '/opt/boltz'
-node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
-node.default['boltz']['grpc_host'] = '127.0.0.1'
-node.default['boltz']['grpc_port'] = '9002'
-node.default['boltz']['rest_disabled'] = 'false'
-node.default['boltz']['rest_host'] = '127.0.0.1'
-node.default['boltz']['rest_port'] = '9003'
-node.default['boltz']['no_macaroons'] = 'false'
-
 node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
-node.default['rtl']['revision'] = 'v0.15.0'
+node.default['rtl']['revision'] = 'v0.15.2'
 node.default['rtl']['host'] = '10.1.1.163'
 node.default['rtl']['port'] = '3000'
 

site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb

@@ -11,6 +11,7 @@ credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 
 file "/root/.aws/config" do
   mode "600"
+  sensitive true
   content lazy { <<-EOF
 [default]
 region = #{credentials["s3_region"]}

site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb

@@ -12,8 +12,15 @@ if node["bitcoin"]["blocksdir_mount_type"]
   include_recipe "kosmos-bitcoin::blocksdir-mount"
 end
 
-%w{ libtool autotools-dev make automake cmake curl g++-multilib libtool
-    binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
+apt_repository "ubuntu-toolchain-r" do
+  # provides g++-13, needed for better c++-20 support
+  uri "ppa:ubuntu-toolchain-r/test"
+end
+
+%w{
+  gcc-13 g++-13 libtool autotools-dev make automake cmake curl bison
+  binutils-gold pkg-config python3 patch
+}.each do |pkg|
   apt_package pkg
 end
 
@@ -26,20 +33,21 @@ end
 
 execute "compile_bitcoin-core_dependencies" do
   cwd "/usr/local/bitcoind/depends"
-  command "make NO_QT=1"
+  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
+  command "make -j 2"
   action :nothing
   notifies :run, 'bash[compile_bitcoin-core]', :immediately
 end
 
 bash "compile_bitcoin-core" do
   cwd "/usr/local/bitcoind"
+  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
   code <<-EOH
     ./autogen.sh
     ./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
     make
   EOH
   action :nothing
-  notifies :restart, "systemd_unit[bitcoind.service]", :delayed
 end
 
 link "/usr/local/bin/bitcoind" do

site-cookbooks/kosmos-bitcoin/recipes/boltz.rb

@@ -1,87 +0,0 @@
-#
-# Cookbook:: kosmos-bitcoin
-# Recipe:: boltz
-#
-
-include_recipe "git"
-include_recipe "kosmos-bitcoin::golang"
-
-git node['boltz']['source_dir'] do
-  repository node['boltz']['repo']
-  revision node['boltz']['revision']
-  action :sync
-  notifies :run, 'bash[compile_and_install_boltz]', :immediately
-end
-
-bash "compile_and_install_boltz" do
-  cwd node['boltz']['source_dir']
-  code <<-EOH
-go mod vendor && \
-make build && \
-make install
-  EOH
-  action :nothing
-  notifies :restart, "systemd_unit[boltzd.service]", :delayed
-end
-
-bitcoin_user  = node['bitcoin']['username']
-bitcoin_group = node['bitcoin']['usergroup']
-boltz_dir     = node['boltz']['boltz_dir']
-lnd_dir       = node['lnd']['lnd_dir']
-
-directory boltz_dir do
-  owner bitcoin_user
-  group bitcoin_group
-  mode '0750'
-  action :create
-end
-
-template "#{boltz_dir}/boltz.toml" do
-  source "boltz.toml.erb"
-  owner bitcoin_user
-  group bitcoin_group
-  mode '0640'
-  variables lnd_grpc_host: '127.0.0.1',
-            lnd_grpc_port: '10009',
-            lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
-            lnd_tlscert_path: "#{lnd_dir}/tls.cert",
-            boltz_config: node['boltz']
-  notifies :restart, "systemd_unit[boltzd.service]", :delayed
-end
-
-systemd_unit 'boltzd.service' do
-  content({
-    Unit: {
-      Description: 'Boltz Daemon',
-      Documentation: ['https://lnd.docs.boltz.exchange'],
-      Requires: 'lnd.service',
-      After: 'lnd.service'
-    },
-    Service: {
-      User: bitcoin_user,
-      Group: bitcoin_group,
-      Type: 'simple',
-      ExecStart: "/opt/boltz/boltzd",
-      Restart: 'always',
-      RestartSec: '30',
-      TimeoutSec: '240',
-      LimitNOFILE: '128000',
-      PrivateTmp: true,
-      ProtectSystem: 'full',
-      NoNewPrivileges: true,
-      PrivateDevices: true,
-      MemoryDenyWriteExecute: true
-    },
-    Install: {
-      WantedBy: 'multi-user.target'
-    }
-  })
-  verify false
-  triggers_reload true
-  action [:create, :enable, :start]
-end
-
-unless node.chef_environment == 'development'
-  node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
-  include_recipe 'backup'
-end

site-cookbooks/kosmos-bitcoin/recipes/golang.rb

@@ -5,7 +5,7 @@
 # Internal recipe for managing the Go installation in one place
 #
 
-node.override['golang']['version'] = "1.20.3"
+node.override['golang']['version'] = "1.23.1"
 include_recipe "golang"
 
 link '/usr/local/bin/go' do

site-cookbooks/kosmos-bitcoin/recipes/rtl.rb

@@ -46,24 +46,22 @@ rtl_config = {
   multiPassHashed: credentials["multiPassHashed"]
 }
 
-if node['boltz']
-  # TODO adapt for multi-node usage
-  rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
-  rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
-end
-
 git rtl_dir do
   user bitcoin_user
   group bitcoin_group
   repository node['rtl']['repo']
   revision node['rtl']['revision']
+  notifies :run, "execute[npm_install]", :immediately
   notifies :restart, "systemd_unit[#{app_name}.service]", :delayed
 end
 
-execute "npm install" do
+execute "npm_install" do
   cwd rtl_dir
   environment "HOME" => rtl_dir
   user bitcoin_user
+  # TODO remove --force when upstream dependency issues have been resolved
+  command "npm install --force"
+  action :nothing
 end
 
 file "#{rtl_dir}/RTL-Config.json" do

site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb

@@ -1,32 +0,0 @@
-[LND]
-# Host of the gRPC interface of LND
-host = "<%= @lnd_grpc_host %>"
-
-# Port of the gRPC interface of LND
-port = <%= @lnd_grpc_port %>
-
-# Path to a macaroon file of LND
-# The daemon needs to have permission to read various endpoints, generate addresses and pay invoices 
-macaroon = "<%= @lnd_macaroon_path %>"
-
-# Path to the TLS certificate of LND
-certificate = "<%= @lnd_tlscert_path %>"
-
-[RPC]
-# Host of the gRPC interface
-host = "<%= @boltz_config['grpc_host'] %>"
-
-# Port of the gRPC interface
-port = <%= @boltz_config['grpc_port'] %>
-
-# Whether the REST proxy for the gRPC interface should be disabled
-restDisabled = <%= @boltz_config['rest_disabled'] %>
-
-# Host of the REST proxy
-restHost = "<%= @boltz_config['rest_host'] %>"
-
-# Port of the REST proxy
-restPort = <%= @boltz_config['rest_port'] %>
-
-# Whether the macaroon authentication for the gRPC and REST interface should be disabled
-noMacaroons = <%= @boltz_config['no_macaroons'] %>

site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb

@@ -12,7 +12,6 @@ minchansize=<%= @lnd_minchansize %>
 autopilot.active=0
 
 [Bitcoin]
-bitcoin.active=1
 bitcoin.mainnet=1
 bitcoin.node=bitcoind
 bitcoin.basefee=<%= @lnd_basefee %>

site-cookbooks/kosmos-mastodon/attributes/default.rb

@@ -10,7 +10,7 @@ node.default["kosmos-mastodon"]["redis_url"]         = "redis://localhost:6379/0
 node.default["kosmos-mastodon"]["sidekiq_threads"]   = 25
 node.default["kosmos-mastodon"]["allowed_private_addresses"] = "127.0.0.1"
 
-node.default["kosmos-mastodon"]["onion_address"]     = nil
+node.default["kosmos-mastodon"]["onion_address"] = nil
 
 # Allocate this amount of RAM to the Java heap for Elasticsearch
 node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
@@ -20,6 +20,10 @@ node.default["kosmos-mastodon"]["s3_region"]     = nil
 node.default["kosmos-mastodon"]["s3_bucket"]     = nil
 node.default["kosmos-mastodon"]["s3_alias_host"] = nil
 
+node.default["kosmos-mastodon"]["sso_account_sign_up_url"] = "https://kosmos.org"
+node.default["kosmos-mastodon"]["sso_account_reset_password_url"] = "https://accounts.kosmos.org/users/password/new"
+node.default["kosmos-mastodon"]["sso_account_resend_confirmation_url"] = "https://accounts.kosmos.org/users/confirmation/new"
+
 node.default["kosmos-mastodon"]["default_locale"] = "en"
 node.default["kosmos-mastodon"]["libre_translate_endpoint"] = nil
 

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -190,6 +190,7 @@ template "#{mastodon_path}/.env.#{rails_env}" do
   mode  "0640"
   owner mastodon_user
   group mastodon_user
+  sensitive true
   variables redis_url: node["kosmos-mastodon"]["redis_url"],
             domain: node["kosmos-mastodon"]["domain"],
             alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
@@ -210,6 +211,9 @@ template "#{mastodon_path}/.env.#{rails_env}" do
             vapid_public_key: credentials['vapid_public_key'],
             db_pass: postgresql_credentials['mastodon_user_password'],
             db_host: "pg.kosmos.local",
+            sso_account_sign_up_url: node["kosmos-mastodon"]["sso_account_sign_up_url"],
+            sso_account_reset_password_url: node["kosmos-mastodon"]["sso_account_reset_password_url"],
+            sso_account_resend_confirmation_url: node["kosmos-mastodon"]["sso_account_resend_confirmation_url"],
             default_locale: node["kosmos-mastodon"]["default_locale"],
             allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],
             libre_translate_endpoint: node["kosmos-mastodon"]["libre_translate_endpoint"]

site-cookbooks/kosmos-mastodon/recipes/nginx.rb

@@ -28,7 +28,9 @@ template "#{node['openresty']['dir']}/snippets/mastodon.conf" do
   owner 'www-data'
   mode 0640
   variables web_root_dir: web_root_dir,
-            server_name:  server_name
+            server_name:  server_name,
+            s3_private_url: "#{node["kosmos-mastodon"]["s3_endpoint"]}/#{node["kosmos-mastodon"]["s3_bucket"]}/",
+            s3_public_url: "https://#{node["kosmos-mastodon"]["s3_alias_host"]}/"
   notifies :reload, 'service[openresty]', :delayed
 end
 

site-cookbooks/kosmos-mastodon/templates/default/env.erb

@@ -44,6 +44,9 @@ LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
 LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
 LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
 LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
+SSO_ACCOUNT_SIGN_UP=<%= @sso_account_sign_up_url %>
+SSO_ACCOUNT_RESET_PASSWORD=<%= @sso_account_reset_password_url %>
+SSO_ACCOUNT_RESEND_CONFIRMATION=<%= @sso_account_resend_confirmation_url %>
 <% end %>
 
 # Optional asset host for multi-server setups

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb

@@ -108,11 +108,13 @@ location @proxy {
 
   proxy_pass http://mastodon_app;
   proxy_buffering on;
-  proxy_redirect off;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection $connection_upgrade;
 
+  # https://github.com/mastodon/mastodon/issues/24380
+  proxy_redirect <%= @s3_private_url %> <%= @s3_public_url %>;
+
   tcp_nodelay on;
 }
 

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default["gitea"]["version"] = "1.22.0"
-node.default["gitea"]["checksum"] = "a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d"
+node.default["gitea"]["version"] = "1.22.1"
+node.default["gitea"]["checksum"] = "b8043324545eec269fc8f18c22b49fc365ed367e0dd41e081b79832de2570f9c"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb

@@ -21,8 +21,13 @@ server {
   location ~ ^/(avatars|repo-avatars)/.*$ {
     proxy_buffers 1024 8k;
     proxy_pass http://_gitea_web;
-    proxy_http_version 1.1;
     expires 30d;
+    proxy_set_header Connection $http_connection;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
   }
 
   # Docker registry
@@ -30,12 +35,22 @@ server {
     client_max_body_size 0;
     proxy_buffers 1024 8k;
     proxy_pass http://_gitea_web;
-    proxy_http_version 1.1;
+    proxy_set_header Connection $http_connection;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
   }
 
   location / {
     proxy_buffers 1024 8k;
     proxy_pass http://_gitea_web;
-    proxy_http_version 1.1;
+    proxy_set_header Connection $http_connection;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
   }
 }

site-cookbooks/kosmos_kvm/attributes/default.rb

@@ -1,9 +1,10 @@
-ubuntu_server_cloud_image_release = "20230506"
+release = "20240514"
+img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm"
 
 node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
-  "url" => "https://cloud-images.ubuntu.com/releases/focal/release-#{ubuntu_server_cloud_image_release}/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img",
-  "checksum" => "27d2b91fd2b715729d739e2a3155dce70d1aaae4f05c177f338b9d4b60be638c",
-  "path" => "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm-#{ubuntu_server_cloud_image_release}.qcow2"
+  "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img",
+  "checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f",
+  "path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2"
 }
 
 # A systemd.timer OnCalendar config value

site-cookbooks/kosmos_strfry/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2024 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

site-cookbooks/kosmos_strfry/README.md

@@ -0,0 +1,4 @@
+kosmos_strfry
+=============
+
+Installs/configures a strfry relay and its reverse proxy config

site-cookbooks/kosmos_strfry/attributes/default.rb

@@ -0,0 +1,2 @@
+node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
+node.default["strfry"]["extras_dir"] = "/opt/strfry"

site-cookbooks/kosmos_strfry/metadata.rb

@@ -0,0 +1,10 @@
+name             'kosmos_strfry'
+maintainer       'Kosmos'
+maintainer_email 'mail@kosmos.org'
+license          'MIT'
+description      'strfry wrapper cookbook'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version          '0.1.0'
+
+depends 'kosmos_openresty'
+depends 'deno'

site-cookbooks/kosmos_strfry/recipes/firewall.rb

@@ -0,0 +1,13 @@
+#
+# Cookbook Name:: kosmos_strfry
+# Recipe:: firewall
+#
+
+include_recipe "kosmos-base::firewall"
+
+firewall_rule "strfry" do
+  port     node["strfry"]["port"]
+  source   "10.1.1.0/24"
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos_strfry/recipes/nginx.rb

@@ -0,0 +1,29 @@
+#
+# Cookbook Name:: kosmos_strfry
+# Recipe:: nginx
+#
+
+domain = node["strfry"]["domain"]
+
+upstream_hosts = []
+search(:node, 'role:strfry').each do |node|
+  upstream_hosts << node['knife_zero']['host']
+end
+if upstream_hosts.empty?
+  Chef::Log.warn("No node found with 'strfry' role. Not configuring nginx site.")
+  return
+end
+
+tls_cert_for domain do
+  auth "gandi_dns"
+  action :create
+end
+
+openresty_site domain do
+  template "nginx_conf_strfry.erb"
+  variables domain: domain,
+            upstream_port: node['strfry']['port'],
+            upstream_hosts: upstream_hosts,
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+end

site-cookbooks/kosmos_strfry/recipes/policies.rb

@@ -0,0 +1,83 @@
+#
+# Cookbook Name:: kosmos_strfry
+# Recipe:: policies
+#
+
+include_recipe "deno"
+
+#
+# config
+#
+
+ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
+
+extras_dir = node["strfry"]["extras_dir"]
+
+directory extras_dir do
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode "0755"
+end
+
+env = {
+  ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
+  ldap_bind_dn: ldap_credentials["service_dn"],
+  ldap_password: ldap_credentials["service_password"],
+  ldap_search_dn: node["strfry"]["ldap_search_dn"],
+  whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
+}
+
+template "#{extras_dir}/.env" do
+  source 'env.erb'
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode 0600
+  sensitive true
+  variables config: env
+  notifies :restart, "service[strfry]", :delayed
+end
+
+#
+# strfry deno scripts
+#
+
+base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/live/extras/strfry"
+
+remote_file "#{extras_dir}/deno.json" do
+  source "#{base_url}/deno.json"
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode "0644"
+  notifies :restart, "service[strfry]", :delayed
+end
+
+remote_file "#{extras_dir}/deno.lock" do
+  source "#{base_url}/deno.lock"
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode "0644"
+  notifies :restart, "service[strfry]", :delayed
+end
+
+remote_file "#{extras_dir}/strfry-policy.ts" do
+  source "#{base_url}/strfry-policy.ts"
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode "0755"
+  notifies :restart, "service[strfry]", :delayed
+end
+
+remote_file "#{extras_dir}/ldap-policy.ts" do
+  source "#{base_url}/ldap-policy.ts"
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode "0644"
+  notifies :restart, "service[strfry]", :delayed
+end
+
+remote_file "#{extras_dir}/strfry-sync.ts" do
+  source "#{base_url}/strfry-sync.ts"
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode "0644"
+end

site-cookbooks/kosmos_strfry/templates/env.erb

@@ -0,0 +1,11 @@
+<% @config.each do |key, value| %>
+<% if value.is_a?(Hash) %>
+<% value.each do |k, v| %>
+<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
+<% end %>
+<% else %>
+<% if value %>
+<%= key.upcase %>=<%= value.to_s %>
+<% end %>
+<% end %>
+<% end %>

site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb

@@ -0,0 +1,25 @@
+upstream _strfry {
+<% @upstream_hosts.each do |host| %>
+  server <%= host %>:<%= @upstream_port || "7777" %>;
+<% end %>
+}
+
+server {
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  server_name <%= @domain %>;
+
+  access_log "/var/log/nginx/<%= @domain %>.access.log";
+  error_log "/var/log/nginx/<%= @domain %>.error.log";
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  location / {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_pass http://_strfry;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+  }
+}

site-cookbooks/kosmos_website/attributes/default.rb

@@ -1,3 +1,4 @@
-node.default["kosmos_website"]["domain"]   = "kosmos.org"
-node.default["kosmos_website"]["repo"]     = "https://gitea.kosmos.org/kosmos/website.git"
-node.default["kosmos_website"]["revision"] = "chore/content"
+node.default["kosmos_website"]["domain"]       = "kosmos.org"
+node.default["kosmos_website"]["repo"]         = "https://gitea.kosmos.org/kosmos/website.git"
+node.default["kosmos_website"]["revision"]     = "chore/content"
+node.default["kosmos_website"]["accounts_url"] = "https://accounts.kosmos.org"

site-cookbooks/kosmos_website/recipes/default.rb

@@ -23,6 +23,7 @@ end
 openresty_site domain do
   template "nginx_conf_website.erb"
   variables domain: domain,
+            accounts_url: node.default["kosmos_website"]["accounts_url"],
             ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
             ssl_key:  "/etc/letsencrypt/live/#{domain}/privkey.pem"
 end

site-cookbooks/kosmos_website/recipes/redirects.rb

@@ -0,0 +1,35 @@
+#
+# Cookbook:: kosmos_website
+# Recipe:: redirects
+#
+
+redirects = [
+  {
+    domain: "kosmos.chat",
+    target: "https://kosmos.org",
+    http_status: 307
+  },
+  {
+    domain: "kosmos.cash",
+    acme_domain: "letsencrypt.kosmos.org",
+    target: "https://kosmos.org",
+    http_status: 307
+  }
+]
+
+redirects.each do |redirect|
+  tls_cert_for redirect[:domain] do
+    auth "gandi_dns"
+    acme_domain redirect[:acme_domain] unless redirect[:acme_domain].nil?
+    action :create
+  end
+
+  openresty_site redirect[:domain] do
+    template "nginx_conf_redirect.erb"
+    variables domain: redirect[:domain],
+              target: redirect[:target],
+              http_status: redirect[:http_status],
+              ssl_cert: "/etc/letsencrypt/live/#{redirect[:domain]}/fullchain.pem",
+              ssl_key:  "/etc/letsencrypt/live/#{redirect[:domain]}/privkey.pem"
+  end
+end

site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb

@@ -0,0 +1,20 @@
+# Generated by Chef
+
+server {
+  server_name <%= @domain %>;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
+  error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
+
+  gzip_static on;
+  gzip_comp_level 5;
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  location / {
+    return <%= @http_status || 301 %> <%= @target %>;
+  }
+}

site-cookbooks/kosmos_website/templates/nginx_conf_simple.erb

@@ -0,0 +1,18 @@
+# Generated by Chef
+
+server {
+  server_name <%= @domain %>;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  root /var/www/<%= @domain %>/public;
+
+  access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
+  error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
+
+  gzip_static on;
+  gzip_comp_level 5;
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+}

site-cookbooks/kosmos_website/templates/nginx_conf_website.erb

@@ -1,9 +1,18 @@
 # Generated by Chef
 
+server {
+  server_name _;
+  listen 80 default_server;
+
+  location / {
+    return 301 https://<%= @domain %>;
+  }
+}
+
 server {
   server_name <%= @domain %>;
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
+  listen [::]:443 ssl http2 default_server;
 
   root /var/www/<%= @domain %>/public;
 
@@ -18,8 +27,10 @@ server {
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
+<% if @accounts_url %>
   location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
     proxy_ssl_server_name on;
     proxy_pass https://accounts.kosmos.org;
   }
+<% end %>
 }

site-cookbooks/remotestorage_discourse/recipes/nginx.rb

@@ -18,6 +18,7 @@ end
 
 tls_cert_for domain do
   auth "gandi_dns"
+  acme_domain "letsencrypt.kosmos.org"
   action :create
 end
 

site-cookbooks/strfry

@@ -0,0 +1 @@
+Subproject commit a4756377b480c9bcceba4867969a0c15880913dc