Configure Gitea commit signing with SSH key

Reviewed-on: #622
Reviewed-by: Râu Cao <raucao@kosmos.org>

clients/garage-14.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-14",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqNY8AuaM4byhaTZacfRJ\nv/qyHxcDJOMX/ElF1H908spdbB2ZiLXHOH1Ucw1d+NV6/QUtWk+ikKFPpasnatD7\nmjE57noH+H47Rll0nD7oT+in+fOBDHF9R0P6/qyRSdJbJkHOh0iC0MG4LcUfv0AY\nnVBW5iLZSe/PC3+PvhCv7yrx3ikSs0mg1ZWppw0ka5Ek3ZCZp5FB4L6++GYWpM+1\n6YI0CjMoRcXsaEQsJWhxHXT8/KDhW0BR8woZUGm0/Yn4teLYJzioxRfBep3lbygx\nOIsDN9IJzo2zVTGPDZQLXhVemIhzaepqTC77ibH7F0gN/1vsQBc/qf7UhbwaF4rR\ndQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-7.json

@@ -1,4 +0,0 @@
-{
-  "name": "postgres-7",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/postgres-9.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-9",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2dcE9HH0r5TBb/FGj2+e\nOw8ssoxeB61JmR4/psdZ6oPR08gxyqOY0ODziCmyIdXwFhjIcC44HjxCbcB8TU8G\nWGqlmfqWWIJW0x/2xOycHobAWDn5fC5ttTXkR3HC1TutX/2mH26mtfz9UjNdPaTo\nVZFMcxeaBCFSNlYC7hPUQ5f/qBdhhpLxP9uyzU+YFPqtwLP7g8EAUQObM4L+m6Q8\nqE7xgYpnhgaNrPsmvaVuoNylMGwyK0j1whOkcik8UgLprD70ISNSNxxcLehbvA3G\nPQPQRRuFF36fu2gECWGopbrFKwQGNfgJguQoXM1RQZQMQqWHPS933k5i6bi5pnhp\nzwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

nodes/akkounts-1.json

@@ -9,7 +9,7 @@
   "automatic": {
     "fqdn": "akkounts-1",
     "os": "linux",
-    "os_version": "5.4.0-216-generic",
+    "os_version": "5.4.0-223-generic",
     "hostname": "akkounts-1",
     "ipaddress": "192.168.122.160",
     "roles": [

nodes/draco.kosmos.org.json

@@ -12,6 +12,7 @@
     },
     "openresty": {
       "listen_ip": "148.251.237.111",
+      "listen_ipv6": "2a01:4f8:202:804a::2",
       "log_formats": {
         "json": "{\"ip\":\"$remote_addr\",\"time\":\"$time_local\",\"host\":\"$host\",\"method\":\"$request_method\",\"uri\":\"$uri\",\"status\":$status,\"size\":$body_bytes_sent,\"referer\":\"$http_referer\",\"upstream_addr\":\"$upstream_addr\",\"upstream_response_time\":\"$upstream_response_time\",\"ua\":\"$http_user_agent\"}"
       }
@@ -81,6 +82,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/fornax.kosmos.org.json

@@ -75,6 +75,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/garage-14.json

@@ -0,0 +1,64 @@
+{
+  "name": "garage-14",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.157"
+    }
+  },
+  "automatic": {
+    "fqdn": "garage-14",
+    "os": "linux",
+    "os_version": "5.15.0-1059-kvm",
+    "hostname": "garage-14",
+    "ipaddress": "192.168.122.251",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "garage_node"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.8.54",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.8.54/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.8",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.8/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[garage_node]"
+  ]
+}

nodes/gitea-2.json

@@ -50,13 +50,6 @@
       "postfix::sasl_auth",
       "hostname::default",
       "firewall::default",
-      "kosmos_gitea::compile_from_source",
-      "git::default",
-      "git::package",
-      "kosmos-nodejs::default",
-      "nodejs::nodejs_from_package",
-      "nodejs::repo",
-      "golang::default",
       "backup::default",
       "logrotate::default"
     ],

nodes/postgres-9.json

@@ -1,17 +1,17 @@
 {
-  "name": "postgres-7",
+  "name": "postgres-9",
   "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.134"
+      "host": "10.1.1.3"
     }
   },
   "automatic": {
-    "fqdn": "postgres-7",
+    "fqdn": "postgres-9",
     "os": "linux",
-    "os_version": "5.4.0-1123-kvm",
-    "hostname": "postgres-7",
-    "ipaddress": "192.168.122.89",
+    "os_version": "5.15.0-1059-kvm",
+    "hostname": "postgres-9",
+    "ipaddress": "192.168.122.64",
     "roles": [
       "base",
       "kvm_guest",
@@ -41,17 +41,17 @@
       "hostname::default"
     ],
     "platform": "ubuntu",
-    "platform_version": "20.04",
+    "platform_version": "22.04",
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "version": "18.8.54",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.8.54/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "version": "18.2.8",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.8/lib/ohai"
       }
     }
   },

roles/gitea.rb

@@ -8,8 +8,8 @@ run_list %w(
 
 override_attributes(
   "gitea" => {
-    "repo" => "https://github.com/67P/gitea.git",
-    "revision" => "ldap_sync",
+    # "repo" => "https://github.com/67P/gitea.git",
+    # "revision" => "ldap_sync",
     "log" => { "level" => "Info" }
   },
 )

site-cookbooks/discourse/templates/nginx_conf.erb

@@ -8,8 +8,8 @@ upstream _<%= @upstream_name %> {
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
   server_name <%= @server_name %>;
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb

@@ -11,7 +11,7 @@ proxy_cache_path <%= node[:openresty][:cache_dir] %>/akkounts levels=1:2
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @domain %>;
 
   if ($host != $server_name) {

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb

@@ -7,7 +7,7 @@ upstream _akkounts_api {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @domain %>;
 
   ssl_certificate     <%= @ssl_cert %>;

site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb

@@ -49,7 +49,7 @@ server {
   client_max_body_size 100M;
   server_name <%= @server_name %>;
   listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log <%= node[:nginx][:log_dir] %>/btcpayserver.access.log json;
   error_log <%= node[:nginx][:log_dir] %>/btcpayserver.error.log warn;

site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb

@@ -7,7 +7,7 @@ upstream _lndhub {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   add_header Strict-Transport-Security "max-age=15768000";

site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb

@@ -49,7 +49,7 @@ server {
   server_name <%= @server_name %>;
   <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
   listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   <% else -%>
   listen 80;
   <% end -%>

site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb

@@ -3,7 +3,7 @@
 
 server {
   listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   ssl_certificate     <%= @ssl_cert %>;

site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb

@@ -7,7 +7,7 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   add_header Strict-Transport-Security "max-age=15768000";

site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb

@@ -12,7 +12,7 @@ upstream _ipfs_api {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log /var/log/nginx/<%= @server_name %>.access.log;
   error_log  /var/log/nginx/<%= @server_name %>.error.log;

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb

@@ -21,7 +21,7 @@ proxy_cache_path /var/cache/nginx/mastodon levels=1:2
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
   include <%= @shared_config_path %>;
 

site-cookbooks/kosmos_assets/templates/nginx_conf_assets.erb

@@ -3,7 +3,7 @@
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @domain %>;
 
   root /var/www/<%= @domain %>/site;

site-cookbooks/kosmos_discourse/templates/nginx_conf.erb

@@ -9,7 +9,7 @@ upstream _discourse {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_drone/templates/nginx_conf.erb

@@ -8,7 +8,7 @@ upstream _drone {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb

@@ -4,7 +4,7 @@ upstream garage_s3 {
 
 server {
   listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen [::]:443 http2 ssl;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb

@@ -1,6 +1,6 @@
 server {
   listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen [::]:443 http2 ssl;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   server_name <%= @server_name %>;
 

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,11 +1,12 @@
-node.default["gitea"]["version"] = "1.23.8"
-node.default["gitea"]["checksum"] = "827037e7ca940866918abc62a7488736923396c467fcb4acd0dd9829bb6a6f4c"
+node.default["gitea"]["version"] = "1.25.4"
+node.default["gitea"]["checksum"] = "a3031853e67c53714728ef705642c9046a11fb0ea356aff592e23efe6114607d"
 node.default["gitea"]["repo"] = nil
 node.default["gitea"]["revision"] = nil
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
 node.default["gitea"]["domain"] = "gitea.kosmos.org"
+node.default["gitea"]["email"] = "gitea@kosmos.org"
 
 node.default["gitea"]["config"] = {
   "log": {
@@ -22,5 +23,5 @@ node.default["gitea"]["config"] = {
   }
 }
 
-node.default["gitea"]["act_runner"]["version"] = "0.2.6"
-node.default["gitea"]["act_runner"]["checksum"] = "234c2bdb871e7b0bfb84697f353395bfc7819faf9f0c0443845868b64a041057"
+node.default["gitea"]["act_runner"]["version"] = "0.2.13"
+node.default["gitea"]["act_runner"]["checksum"] = "3acac8b506ac8cadc88a55155b5d6378f0fab0b8f62d1e0c0450f4ccd69733e2"

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -19,6 +19,17 @@ jwt_secret                = gitea_data_bag_item["jwt_secret"]
 internal_token            = gitea_data_bag_item["internal_token"]
 secret_key                = gitea_data_bag_item["secret_key"]
 
+apt_repository "git-core-ppa" do
+  uri "http://ppa.launchpad.net/git-core/ppa/ubuntu"
+  components ["main"]
+  key "E1DF1F24"
+  action :add
+  only_if do
+    node['platform'] == 'ubuntu' &&
+      Gem::Version.new(node['platform_version']) < Gem::Version.new('22.04')
+  end
+end
+
 package "git"
 
 user "git" do
@@ -26,6 +37,13 @@ user "git" do
   home "/home/git"
 end
 
+directory "/home/git/.ssh" do
+  owner "git"
+  group "git"
+  mode "0700"
+  recursive true
+end
+
 directory working_directory do
   owner "git"
   group "git"
@@ -78,6 +96,8 @@ if node.chef_environment == "production"
 end
 
 config_variables = {
+  domain: node["gitea"]["domain"],
+  email: node["gitea"]["email"],
   working_directory: working_directory,
   git_home_directory: git_home_directory,
   repository_root_directory: repository_root_directory,
@@ -98,6 +118,16 @@ config_variables = {
   s3_bucket: gitea_data_bag_item["s3_bucket"]
 }
 
+bash "Generate git ed25519 keypair" do
+  user "git"
+  group "git"
+  cwd git_home_directory
+  code <<-EOH
+    ssh-keygen -t ed25519 -f #{git_home_directory}/.ssh/id_ed25519
+  EOH
+  creates "#{git_home_directory}/.ssh/id_ed25519"
+end
+
 template "#{config_directory}/app.ini" do
   source "app.ini.erb"
   owner "git"
@@ -129,7 +159,7 @@ template "/etc/systemd/system/gitea.service" do
             git_home_directory: git_home_directory,
             config_directory: config_directory,
             gitea_binary_path: gitea_binary_path
-  notifies :run, "execute[systemctl daemon-reload]", :delayed
+  notifies :run, "execute[systemctl daemon-reload]", :immediately
 end
 
 service "gitea" do

site-cookbooks/kosmos_gitea/templates/default/app.ini.erb

@@ -2,12 +2,12 @@ APP_NAME = Gitea
 RUN_MODE = prod
 
 [server]
-SSH_DOMAIN       = gitea.kosmos.org
+SSH_DOMAIN = <%= @domain %>
 HTTP_PORT        = 3000
 DISABLE_SSH      = false
 SSH_PORT         = 22
 PROTOCOL = http
-DOMAIN = gitea.kosmos.org
+DOMAIN = <%= @domain %>
 # Gitea is running behind an nginx reverse load balancer, use an HTTPS root URL
 ROOT_URL = https://%(DOMAIN)s
 # REDIRECT_OTHER_PORT = true
@@ -30,6 +30,16 @@ MAX_OPEN_CONNS = 20
 ROOT = <%= @repository_root_directory %>
 DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
 
+[repository.signing]
+SIGNING_KEY = <%= @git_home_directory %>/.ssh/id_ed25519.pub
+SIGNING_NAME = Gitea
+SIGNING_EMAIL = git@<%= @domain %>
+SIGNING_FORMAT = ssh
+INITIAL_COMMIT = always
+CRUD_ACTIONS = always
+WIKI = always
+MERGES = always
+
 # [indexer]
 # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
 
@@ -46,7 +56,7 @@ SMTP_ADDR = <%= @smtp_addr %>
 SMTP_PORT = <%= @smtp_port %>
 USER = <%= @smtp_user %>
 PASSWD = <%= @smtp_password %>
-FROM = gitea@kosmos.org
+FROM = <%= @email %>
 
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb

@@ -4,5 +4,6 @@ upstream _gitea_ssh {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>22;
+  listen [::]:22;
   proxy_pass _gitea_ssh;
 }

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb

@@ -6,7 +6,7 @@ upstream _gitea_web {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb

@@ -12,7 +12,7 @@ upstream _<%= @app_name %> {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log; # TODO json_liquor_cabinet;

site-cookbooks/kosmos_openresty/attributes/default.rb

@@ -0,0 +1 @@
+node.default["openresty"]["listen_ipv6"] = "::"

site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb

@@ -6,7 +6,7 @@ upstream _<%= @upstream_name %> {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   server_name <%= @domain %>;
 

site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb

@@ -13,7 +13,7 @@ upstream _substr {
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log "/var/log/nginx/<%= @domain %>.access.log";
   error_log "/var/log/nginx/<%= @domain %>.error.log";

site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb

@@ -3,7 +3,7 @@
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
   error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;

site-cookbooks/kosmos_website/templates/nginx_conf_simple.erb

@@ -3,7 +3,7 @@
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   root /var/www/<%= @domain %>/public;
 

site-cookbooks/kosmos_website/templates/nginx_conf_website.erb

@@ -3,6 +3,7 @@
 server {
   server_name _;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80 default_server;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:80 default_server;
 
   location / {
     return 301 https://<%= @domain %>;
@@ -12,7 +13,7 @@ server {
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
-  listen [::]:443 ssl http2 default_server;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2 default_server;
 
   if ($host != $server_name) {
     return 307 $scheme://$server_name;

site-cookbooks/kredits-github/templates/default/nginx_conf.erb

@@ -5,8 +5,8 @@ upstream _<%= @app_name %> {
 
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log json;

site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb

@@ -8,7 +8,7 @@ upstream _rs_discourse {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;