Update vendored cookbooks

Required by our Mastodon cookbook

Berksfile

@@ -13,6 +13,9 @@ cookbook 'ipfs',
 cookbook 'mediawiki',
   git: 'https://github.com/67P/mediawiki-cookbook.git',
   ref: 'nginx'
+cookbook 'postfix',
+  git: 'https://gitea.kosmos.org/kosmos/postfix-cookbook.git',
+  ref: 'bugfix/sasl_attributes'
 
 cookbook 'apache2',                '= 3.3.0'
 cookbook 'apt',                    '~> 7.3.0'
@@ -21,6 +24,7 @@ cookbook 'composer',               '~> 2.7.0'
 cookbook 'fail2ban',               '~> 7.0.4'
 cookbook 'git',                    '~> 10.0.0'
 cookbook 'golang',                 '~> 5.3.1'
+cookbook 'homebrew',               '>= 6.0.0'
 cookbook 'hostname',               '= 0.4.2'
 cookbook 'hostsfile',              '~> 3.0.1'
 cookbook 'java',                   '~> 4.3.0'
@@ -32,7 +36,6 @@ cookbook 'ntp',                    '= 3.4.0'
 cookbook 'ohai',                   '~> 5.2.5'
 cookbook 'openssl',                '~> 8.5.5'
 cookbook 'php',                    '~> 8.0.0'
-cookbook 'postfix',                '~> 6.0.26'
 cookbook 'timezone_iii',           '= 1.0.4'
 cookbook 'ulimit',                 '~> 1.0.0'
 cookbook 'users',                  '~> 5.3.1'

Berksfile.lock

@@ -8,6 +8,7 @@ DEPENDENCIES
   firewall (~> 6.2.16)
   git (~> 10.0.0)
   golang (~> 5.3.1)
+  homebrew (>= 6.0.0)
   hostname (= 0.4.2)
   hostsfile (~> 3.0.1)
   ipfs
@@ -28,7 +29,10 @@ DEPENDENCIES
   ohai (~> 5.2.5)
   openssl (~> 8.5.5)
   php (~> 8.0.0)
-  postfix (~> 6.0.26)
+  postfix
+    git: https://gitea.kosmos.org/kosmos/postfix-cookbook.git
+    revision: dd6598572a775ae73f17527260ec8097b52d385b
+    ref: bugfix/
   redisio (~> 6.4.1)
   ruby_build (~> 2.5.0)
   timezone_iii (= 1.0.4)
@@ -59,7 +63,7 @@ GRAPH
   git (10.0.0)
   golang (5.3.1)
     ark (>= 6.0)
-  homebrew (5.4.1)
+  homebrew (6.0.2)
   hostname (0.4.2)
     hostsfile (>= 0.0.0)
   hostsfile (3.0.1)
@@ -90,7 +94,7 @@ GRAPH
   openssl (8.5.5)
   php (8.0.1)
     yum-epel (>= 0.0.0)
-  postfix (6.0.26)
+  postfix (6.4.1)
   redisio (6.4.1)
     selinux (>= 0.0.0)
   ruby_build (2.5.0)

clients/garage-12.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-12",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9GtHHi298BjiIqpZ3WkT\nkYAPfWD60hFe/8icYcq/F/6cHLYKZQ4chek9X/hDCMq4tHEN6Oh58T5x/nuNdPrK\nIAMGyVAGk6ekWlmD4jwdEf6TGb/J3ffJTRDvwX/I8xD/DW3wtXsN+X24T59ByGTm\nrnwRmmmwHF3otRx9wnCsIgDQ0AjiUujsfNNv1FcLXD/WJLys9lEeU5aJ4XtHTwDv\ntJM8YyVEFhEnuvgdKmzn5+F5k9VGdUwForlFOBfvzbCnTZMDMmDVeiUtAUv/7xWQ\nQl2mLUGCtgWuYJYXsQacAJ6pa3h+7cQyshC6w3dwUG+1fS9lNO0Yp1GGX1AGYKpp\nPQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-13.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-13",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvbqWc6OwRxgHfsQuTNL4\naxeVvNen5d9srYpZSHjuBB/k9NHB+9P6vU5qF37XHkw1lVUGeYbPHzhYsx3O0/kZ\nH5f4+4SMy/P9jc6SE7AJF4qtYKgJ88koZdqCww07c6K9g+BnEGFFZui/h3hUBxWj\nTfhBHEWPyQ2bl/lr9sIJwsEz+EN0isGn/eIXkmw9J6LdLJ5Q0LLks33K28FNOU7q\nfeAN4MiBVMUtgCGyT2Voe6WrOXwQLSDXQONOp3sfSfFExsIJ1s24xdd7AMD7/9a7\n4sFDZ4swhqAWgWmW2giR7Kb8wTvGQLO/O/uUbmKz3DZXgkOKXHdHCEB/PZx1mRNM\nEwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-14.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-14",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAypINv1zTZ7+pyT0iRhik\n0W70ASYADo7qK7QyE9/3nu2sUrP1IjoNFsv/ceKwicH7Fw2Ei1o+yKZlKn7zJzY7\n93YRZndF04VH2bmqy0uOWK0Bdat7gCld5bvS6FmRflg7g64LFb33/64QIVsVGHGL\nYF2TO//x79t9JKcQDa4h5MOWzJNTFuEcUGa0gJjMYpWGVHEJSgRuIgyhXmyIJJgY\nguj6ymTm5+3VS7NzoNy2fbTt1LRpHb5UWrCR15oiLZiDSMLMx0CcGOCmrhvODi4k\n0umw+2NPd1G50s9z7KVbTqybuQ65se2amRnkVcNfaBIU5qk9bVqcmhZlEozmBZCd\ndwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-15.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-15",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy14sTt5gxVZi9C3KIEBu\nDyUgbb6jc3/GR22fNPTqV6uDHhxzhE2UsYwY/7yuA1RasdwHEOBWZaoC0Om5/Zmi\n8gn6//v1ILyLNaAcw+SQcxZkCN8Sk/0atRS9HYk1agE8Mvh72Fe2z3l+92VMefy7\nJwJUNNBTbnV2WVCchChoWnfhI7bkSLSHp0M2MO2pI+lkpSdmfkJSa5z9zihgxKO8\nXfvhryDCZNvfRVHhwc+ffpap0gLF0H9riGKE4FwLy4YqbuW1Tgm6bObb9bpOIw6Q\nVfH3kC/KMK5FlnxGmYtDkhRJ/wjGInRBk9WK/QOmjyd2FVxipEQmA4RdjlznRC9I\nrwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/leo.json

@@ -0,0 +1,4 @@
+{
+  "name": "leo",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnFfQsJnREjbXTtpT6BVt\naBaUzRmCQi8Du0TzeUG0ENrY0p5Exqleye2rC6bJlB3PER1xr5zdtuXLgbcVumIb\nzroU5JPtFbQk7r/pj0atT+UEYzl16iuEpprQ/bug+f0nE514USr6YG4G+tlZ/jBI\nSHsCQF1P8ufXFLW0ewC7rdvBkgA+DwK14naRxS4jO5MSl4wmNTjs/jymTg508mQq\nf5tG52t8qFdgn9pRdBXmyTpPtwK7I4rZ+1Qn+1E5m4oQUZsxh8Ba1bGbKotVO7Ua\nYL1yCGx7zRRUvLLIdSMvlRXTJBUSQtQ8P4QUDWTY1Na2w3t9sulKg2Lwsw8tktvC\nCwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-10.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-10",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2oBb5omC7ZionWhudgFm\n2NGcRXsI0c7+g1+0duaxj5dziaRTltqzpRJTfiJD6R36FcvEqwGc+qQgYSMzc1Xd\nY4OTvJFIDiFAmROm/DZYgFtTDldVNJZO2bbU3COYf/Z2Poq56gC4zLLd/zf6shgb\n2Mty8PlQ82JJAY9EMI3aAifdnZ1k/g4weFC4LFg9lUcNNXOwlAjp//LJ3ku3aY1r\nwW74msSeWEjE44YZdWyMYgM7Fy1hz5giHFQtRdOLemRCWQ8h26wn/cmWld7lsLg+\nlYqxokxWXGv8r5zR8kDTBkd0dxY7ZMbo7oESY4Uhuf4UReMe2ZGHto1E7w3llSj+\n7wIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-11.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-11",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1foYpuubS2ovlg3uHO12\nQ/ROZ8MpG+LkCAM46uVfPaoWwfY0vdfMsBOanHDgm9DGUCEBJZ6LPrvCvGXbpPy6\n9GSswK75zVWODblNjvvV4ueGFq4bBFwRuZNjyMlqgyzeU+srZL0ivelu5XEuGuoD\nPYCBKWYqGMz85/eMC7/tinTJtKPyOtXe/G8meji+r7gh3j+ypj/EWeKfcRDa4aGe\n/DmMCurIjjPAXFLMAA6fIqPWVfcPw4APNPE60Z92yPGsTbPu7bL54M5f7udmmu7H\nOgk1HjMAmXCuLDzTkfaxqHP+57yELg/YpXR1E93VmBeQuIBsyOFEk6AmUmA1Ib6e\nnQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-12.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-12",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1mYGrYB8keUKmXA8dhWc\ncCLzp50xR0ajSw+bWYydyRqD5wuEVKjiJu4+G9QmTVXkVgJ+AYI0Y9/WZYpDqVH6\nvLUo6BSNQaWx20q93qIdOGLy8YG3Qyznezk4l8T9u9vWZDyDpKw6gCxzikMkrXxb\n0cqOYtyud8+PtSEEMogSjOKhRURVHlVrlVH3SQO7Whke9rkiFcbXzubsK9yjkUtF\nxZafSoGorOlDsPvFTfYnkepVB+GHcgiribRYSrO+73GypC2kqMhCpWrb6a0VWsP/\nh53+q3JL3vBvdvjcv51Wpf4n6JdnXnQGn2/MdXEzw+NXgjU4/IdYtbORSbaI8F5t\nowIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-7.json

@@ -1,4 +0,0 @@
-{
-  "name": "postgres-7",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/postgres-9.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-9",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2dcE9HH0r5TBb/FGj2+e\nOw8ssoxeB61JmR4/psdZ6oPR08gxyqOY0ODziCmyIdXwFhjIcC44HjxCbcB8TU8G\nWGqlmfqWWIJW0x/2xOycHobAWDn5fC5ttTXkR3HC1TutX/2mH26mtfz9UjNdPaTo\nVZFMcxeaBCFSNlYC7hPUQ5f/qBdhhpLxP9uyzU+YFPqtwLP7g8EAUQObM4L+m6Q8\nqE7xgYpnhgaNrPsmvaVuoNylMGwyK0j1whOkcik8UgLprD70ISNSNxxcLehbvA3G\nPQPQRRuFF36fu2gECWGopbrFKwQGNfgJguQoXM1RQZQMQqWHPS933k5i6bi5pnhp\nzwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

cookbooks/homebrew/.markdownlint-cli2.yaml

@@ -3,3 +3,5 @@ config:
   line-length: false # MD013
   no-duplicate-heading: false # MD024
   reference-links-images: false # MD052
+ignores:
+  - .github/copilot-instructions.md

cookbooks/homebrew/CHANGELOG.md

@@ -2,6 +2,48 @@
 
 This file is used to list changes made in each version of the homebrew cookbook.
 
+## 6.0.2 - *2025-09-04*
+
+Standardise files with files in sous-chefs/repo-management
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.1 - *2025-03-24*
+
+## 6.0.0 - *2025-03-17*
+
+- Updated library call for new homebrew class name found in chef-client 18.6.2+ releases
+
+## 5.4.9 - *2024-11-18*
+
+Standardise files with files in sous-chefs/repo-management
+
+Standardise files with files in sous-chefs/repo-management
+
+Standardise files with files in sous-chefs/repo-management
+
+Standardise files with files in sous-chefs/repo-management
+
+Standardise files with files in sous-chefs/repo-management
+
+## 5.4.8 - *2024-05-07*
+
+## 5.4.7 - *2024-05-06*
+
+- Explicitly include `Which` module from `Chef` which fixes runs on 18.x clients.
+
+## 5.4.6 - *2024-05-06*
+
+## 5.4.5 - *2023-11-01*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 5.4.4 - *2023-09-28*
+
+## 5.4.3 - *2023-09-04*
+
+## 5.4.2 - *2023-07-10*
+
 ## 5.4.1 - *2023-06-01*
 
 ## 5.4.0 - *2023-04-24*

cookbooks/homebrew/libraries/helpers.rb

@@ -20,8 +20,9 @@
 #
 
 class HomebrewUserWrapper
-  require 'chef/mixin/homebrew_user'
-  include Chef::Mixin::HomebrewUser
+  require 'chef/mixin/homebrew'
+  include Chef::Mixin::Homebrew
+  include Chef::Mixin::Which
 end
 
 module Homebrew
@@ -59,41 +60,17 @@ module Homebrew
 
   def owner
     @owner ||= begin
-      # once we only support 14.0 we can switch this to find_homebrew_username
-      require 'etc'
-      ::Etc.getpwuid(HomebrewUserWrapper.new.find_homebrew_uid).name
-               rescue Chef::Exceptions::CannotDetermineHomebrewOwner
-                 calculate_owner
+                 HomebrewUserWrapper.new.find_homebrew_username
+               rescue
+                 Chef::Exceptions::CannotDetermineHomebrewPath
                end.tap do |owner|
                  Chef::Log.debug("Homebrew owner is #{owner}")
                end
   end
-
-  private
-
-  def calculate_owner
-    owner = homebrew_owner_attr || sudo_user || current_user
-    if owner == 'root'
-      raise Chef::Exceptions::User,
-           "Homebrew owner is 'root' which is not supported. " \
-           "To set an explicit owner, please set node['homebrew']['owner']."
-    end
-    owner
-  end
-
-  def homebrew_owner_attr
-    Chef.node['homebrew']['owner']
-  end
-
-  def sudo_user
-    ENV['SUDO_USER']
-  end
-
-  def current_user
-    ENV['USER']
-  end
 end unless defined?(Homebrew)
 
 class HomebrewWrapper
   include Homebrew
 end
+
+Chef::Mixin::Homebrew.include(Homebrew)

cookbooks/homebrew/metadata.json

@@ -17,13 +17,13 @@
   "recipes": {
 
   },
-  "version": "5.4.1",
+  "version": "6.0.2",
   "source_url": "https://github.com/sous-chefs/homebrew",
   "issues_url": "https://github.com/sous-chefs/homebrew/issues",
   "privacy": false,
   "chef_versions": [
     [
-      ">= 15.3"
+      ">= 18.6.2"
     ]
   ],
   "ohai_versions": [

cookbooks/homebrew/metadata.rb

@@ -3,9 +3,9 @@ maintainer       'Sous Chefs'
 maintainer_email 'help@sous-chefs.org'
 license          'Apache-2.0'
 description      'Install Homebrew and includes resources for working with taps and casks'
-version          '5.4.1'
+version          '6.0.2'
 supports         'mac_os_x'
 
 source_url 'https://github.com/sous-chefs/homebrew'
 issues_url 'https://github.com/sous-chefs/homebrew/issues'
-chef_version '>= 15.3'
+chef_version '>= 18.6.2'

cookbooks/homebrew/renovate.json

@@ -1,9 +1,10 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": ["config:base"],
-  "packageRules": [{
+  "packageRules": [
+    {
       "groupName": "Actions",
-      "matchUpdateTypes": ["patch", "pin", "digest"],
+      "matchUpdateTypes": ["minor", "patch", "pin"],
       "automerge": true,
       "addLabels": ["Release: Patch", "Skip: Announcements"]
     },

cookbooks/homebrew/resources/cask.rb

@@ -19,6 +19,7 @@
 # limitations under the License.
 #
 
+unified_mode true
 chef_version_for_provides '< 14.0' if respond_to?(:chef_version_for_provides)
 
 property :cask_name, String, regex: %r{^[\w/-]+$}, name_property: true

cookbooks/homebrew/resources/tap.rb

@@ -19,6 +19,7 @@
 # limitations under the License.
 #
 
+unified_mode true
 chef_version_for_provides '< 14.0' if respond_to?(:chef_version_for_provides)
 
 property :tap_name, String, name_property: true, regex: %r{^[\w-]+(?:\/[\w-]+)+$}

cookbooks/postfix/.markdownlint-cli2.yaml

@@ -3,3 +3,5 @@ config:
   line-length: false # MD013
   no-duplicate-heading: false # MD024
   reference-links-images: false # MD052
+ignores:
+  - .github/copilot-instructions.md

cookbooks/postfix/.vscode/extensions.json

@@ -0,0 +1,8 @@
+{
+  "recommendations": [
+    "chef-software.chef",
+    "Shopify.ruby-lsp",
+    "editorconfig.editorconfig",
+    "DavidAnson.vscode-markdownlint"
+  ]
+}

cookbooks/postfix/CHANGELOG.md

@@ -2,9 +2,48 @@
 
 This file is used to list changes made in each version of the postfix cookbook.
 
+## Unreleased
+
+## 6.4.1 - *2025-09-04*
+
+## 6.4.0 - *2025-07-30* ## 6.4.0 - *2025-07-30*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.4.0 - *2025-07-30*
+
+## 6.3.0 - *2025-07-30*
+
+- Use LMDB instead of hash on el10
+
+## 6.3.0 - *2025-07-30*
+
+## 6.2.2 - *2025-01-30*
+
+## 6.2.1 - *2025-01-30*
+
+## 6.2.0 - *2025-01-30*
+
+## 6.2.0
+
+- Correctly fix aliases quoting logic
+- Convert all serverspec tests to inspec
+- Add Github actions
+- Update platforms to test
+
+## 6.0.29 - *2024-11-18*
+
+- Standardise files with files in sous-chefs/repo-management
+
+## 6.0.28 - *2024-07-15*
+
+- Standardise files with files in sous-chefs/repo-management
+
+## 6.0.27 - *2024-05-06*
+
 ## 6.0.26 - *2023-10-03*
 
-- add installation of postfix addon packages for RHEL 8
+- Add installation of postfix addon packages for RHEL 8
 
 ## 6.0.25 - *2023-10-03*
 

cookbooks/postfix/attributes/default.rb

@@ -13,9 +13,10 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-default['postfix']['packages'] = %w(postfix)
-
+default['postfix']['packages'] = value_for_platform(
+  amazon: { '>= 2023' => %w(postfix postfix-lmdb) },
+  default: %w(postfix)
+)
 # Generic cookbook attributes
 default['postfix']['mail_type'] = 'client'
 default['postfix']['relayhost_role'] = 'relayhost'
@@ -37,11 +38,19 @@ default['postfix']['master_template_source'] = 'postfix'
 default['postfix']['sender_canonical_map_entries'] = {}
 default['postfix']['smtp_generic_map_entries'] = {}
 default['postfix']['recipient_canonical_map_entries'] = {}
-default['postfix']['access_db_type'] = 'hash'
-default['postfix']['aliases_db_type'] = 'hash'
-default['postfix']['transport_db_type'] = 'hash'
-default['postfix']['virtual_alias_db_type'] = 'hash'
-default['postfix']['virtual_alias_domains_db_type'] = 'hash'
+
+default['postfix']['db_type'] = value_for_platform(
+  %w(centos redhat almalinux rocky oracle) => { '>= 10' => 'lmdb' },
+  amazon: { '>= 2023' => 'lmdb' },
+  %w(opensuseleap suse) => { '>= 15' => 'lmdb' },
+  default: 'hash'
+)
+
+default['postfix']['access_db_type'] = lazy { node['postfix']['db_type'] }
+default['postfix']['aliases_db_type'] = lazy { node['postfix']['db_type'] }
+default['postfix']['transport_db_type'] = lazy { node['postfix']['db_type'] }
+default['postfix']['virtual_alias_db_type'] = lazy { node['postfix']['db_type'] }
+default['postfix']['virtual_alias_domains_db_type'] = lazy { node['postfix']['db_type'] }
 
 case node['platform']
 when 'smartos'
@@ -96,6 +105,9 @@ default['postfix']['main']['smtp_sasl_auth_enable'] = 'no'
 default['postfix']['main']['mailbox_size_limit'] = 0
 default['postfix']['main']['mynetworks'] = nil
 default['postfix']['main']['inet_interfaces'] = 'loopback-only'
+default['postfix']['main']['default_database_type'] = lazy { node['postfix']['db_type'] }
+default['postfix']['main']['alias_database'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}" }
+default['postfix']['main']['alias_maps'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}" }
 
 # Conditional attributes, also reference _attributes recipe
 case node['platform_family']
@@ -407,4 +419,4 @@ default['postfix']['aliases'] = if platform?('freebsd')
                                   {}
                                 end
 
-default['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
+default['postfix']['main']['smtpd_relay_restrictions'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps'] }

cookbooks/postfix/metadata.json

@@ -26,7 +26,7 @@
   "recipes": {
 
   },
-  "version": "6.0.26",
+  "version": "6.4.1",
   "source_url": "https://github.com/sous-chefs/postfix",
   "issues_url": "https://github.com/sous-chefs/postfix/issues",
   "privacy": false,

cookbooks/postfix/metadata.rb

@@ -3,7 +3,7 @@ maintainer        'Sous Chefs'
 maintainer_email  'help@sous-chefs.org'
 license           'Apache-2.0'
 description       'Installs and configures postfix for client or outbound relayhost, or to do SASL auth'
-version           '6.0.26'
+version           '6.4.1'
 source_url        'https://github.com/sous-chefs/postfix'
 issues_url        'https://github.com/sous-chefs/postfix/issues'
 chef_version      '>= 12.15'

cookbooks/postfix/recipes/_attributes.rb

@@ -29,24 +29,22 @@ end
 
 if node['postfix']['main']['smtp_sasl_auth_enable'] == 'yes'
   node.default_unless['postfix']['sasl_password_file'] = "#{node['postfix']['conf_dir']}/sasl_passwd"
-  node.default_unless['postfix']['main']['smtp_sasl_password_maps'] = "hash:#{node['postfix']['sasl_password_file']}"
+  node.default_unless['postfix']['main']['smtp_sasl_password_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['sasl_password_file']}"
   node.default_unless['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
-  node.default_unless['postfix']['sasl']['smtp_sasl_user_name'] = ''
-  node.default_unless['postfix']['sasl']['smtp_sasl_passwd']    = ''
   node.default_unless['postfix']['main']['relayhost'] = ''
 end
 
-node.default_unless['postfix']['main']['alias_maps'] = ["hash:#{node['postfix']['aliases_db']}"] if node['postfix']['use_alias_maps']
+node.default_unless['postfix']['main']['alias_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}"] if node['postfix']['use_alias_maps']
 
-node.default_unless['postfix']['main']['transport_maps'] = ["hash:#{node['postfix']['transport_db']}"] if node['postfix']['use_transport_maps']
+node.default_unless['postfix']['main']['transport_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['transport_db']}"] if node['postfix']['use_transport_maps']
 
-node.default_unless['postfix']['main']['access_maps'] = ["hash:#{node['postfix']['access_db']}"] if node['postfix']['use_access_maps']
+node.default_unless['postfix']['main']['access_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['access_db']}"] if node['postfix']['use_access_maps']
 
 node.default_unless['postfix']['main']['virtual_alias_maps'] = ["#{node['postfix']['virtual_alias_db_type']}:#{node['postfix']['virtual_alias_db']}"] if node['postfix']['use_virtual_aliases']
 
 node.default_unless['postfix']['main']['virtual_alias_domains'] = ["#{node['postfix']['virtual_alias_domains_db_type']}:#{node['postfix']['virtual_alias_domains_db']}"] if node['postfix']['use_virtual_aliases_domains']
 
-node.default_unless['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
+node.default_unless['postfix']['main']['smtpd_relay_restrictions'] = "#{node['postfix']['db_type']}:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
 
 node.default_unless['postfix']['main']['maildrop_destination_recipient_limit'] = 1 if node['postfix']['master']['maildrop']['active']
 

cookbooks/postfix/recipes/_common.rb

@@ -155,7 +155,7 @@ unless node['postfix']['sender_canonical_map_entries'].empty?
     notifies :reload, 'service[postfix]'
   end
 
-  node.default['postfix']['main']['sender_canonical_maps'] = "hash:#{node['postfix']['conf_dir']}/sender_canonical" unless node['postfix']['main'].key?('sender_canonical_maps')
+  node.default['postfix']['main']['sender_canonical_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/sender_canonical" unless node['postfix']['main'].key?('sender_canonical_maps')
 end
 
 execute 'update-postfix-smtp_generic' do
@@ -172,7 +172,7 @@ unless node['postfix']['smtp_generic_map_entries'].empty?
     notifies :reload, 'service[postfix]'
   end
 
-  node.default['postfix']['main']['smtp_generic_maps'] = "hash:#{node['postfix']['conf_dir']}/smtp_generic" unless node['postfix']['main'].key?('smtp_generic_maps')
+  node.default['postfix']['main']['smtp_generic_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/smtp_generic" unless node['postfix']['main'].key?('smtp_generic_maps')
 end
 
 execute 'update-postfix-recipient_canonical' do
@@ -189,7 +189,7 @@ unless node['postfix']['recipient_canonical_map_entries'].empty?
     notifies :reload, 'service[postfix]'
   end
 
-  node.default['postfix']['main']['recipient_canonical_maps'] = "hash:#{node['postfix']['conf_dir']}/recipient_canonical" unless node['postfix']['main'].key?('recipient_canonical_maps')
+  node.default['postfix']['main']['recipient_canonical_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/recipient_canonical" unless node['postfix']['main'].key?('recipient_canonical_maps')
 end
 
 service 'postfix' do

cookbooks/postfix/recipes/maps.rb

@@ -18,8 +18,8 @@ node['postfix']['maps'].each do |type, maps|
     package "postfix-#{type}" if %w(pgsql mysql ldap cdb).include?(type)
   end
 
-  if platform?('redhat') && node['platform_version'].to_i == 8
-    package "postfix-#{type}" if %w(pgsql mysql ldap cdb).include?(type)
+  if platform_family?('rhel') && node['platform_version'].to_i >= 8
+    package "postfix-#{type}" if %w(pgsql mysql ldap cdb lmdb).include?(type)
   end
 
   separator = if %w(pgsql mysql ldap memcache sqlite).include?(type)
@@ -32,7 +32,7 @@ node['postfix']['maps'].each do |type, maps|
       command "postmap #{file}"
       environment PATH: "#{ENV['PATH']}:/opt/omni/bin:/opt/omni/sbin" if platform_family?('omnios')
       action :nothing
-    end if %w(btree cdb dbm hash sdbm).include?(type)
+    end if %w(btree cdb dbm hash lmdb sdbm).include?(type)
     template "#{file}-#{type}" do
       path file
       source 'maps.erb'
@@ -41,7 +41,7 @@ node['postfix']['maps'].each do |type, maps|
         map: content,
         separator: separator
       )
-      notifies :run, "execute[update-postmap-#{file}]" if %w(btree cdb dbm hash sdbm).include?(type)
+      notifies :run, "execute[update-postmap-#{file}]" if %w(btree cdb dbm hash lmdb sdbm).include?(type)
       notifies :restart, 'service[postfix]'
     end
   end

cookbooks/postfix/renovate.json

@@ -1,9 +1,10 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": ["config:base"],
-  "packageRules": [{
+  "packageRules": [
+    {
       "groupName": "Actions",
-      "matchUpdateTypes": ["patch", "pin", "digest"],
+      "matchUpdateTypes": ["minor", "patch", "pin"],
       "automerge": true,
       "addLabels": ["Release: Patch", "Skip: Announcements"]
     },

cookbooks/postfix/templates/aliases.erb

@@ -6,5 +6,5 @@
 postmaster:    root
 
 <% node['postfix']['aliases'].each do |name, value| %>
-<%= name %>: <%= [value].flatten.map{|x| if (x.include?("@")) then x else %Q("#{x}") end}.join(', ') %>
+<%= name.match?(/[\s#:@]/) ? "\"#{name}\"" : name %>: <%= [value].flatten.map{|x| x.include?("|") ? "\"#{x}\"" : x}.join(',') %>
 <% end unless node['postfix']['aliases'].nil? %>

data_bags/credentials/gandi_api.json

@@ -1,23 +1,16 @@
 {
   "id": "gandi_api",
-  "key": {
-    "encrypted_data": "lU7/xYTmP5Sb6SsK5TNNIyegWozzBtUzpg7oDdl6gcz9FEMmG2ft0Ljh5Q==\n",
-    "iv": "EZPQD3C+wsP/mBhF\n",
-    "auth_tag": "vF9E8Pj4Z8quJJdOMg/QTw==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
   "access_token": {
-    "encrypted_data": "1Uw69JkNrmb8LU/qssuod1SlqxxrWR7TJQZeeivRrNzrMIVTEW/1uwJIYL6b\nM4GeeYl9lIRlMMmLBkc=\n",
-    "iv": "cc1GJKu6Cf4DkIgX\n",
-    "auth_tag": "ERem4S7ozG695kjvWIMghw==\n",
+    "encrypted_data": "+skwxHnpAj/3d3e2u7s7B9EydbETj8b0flWahvb5gt/o4JYFWHrhIyX/0IVa\n4wgmu08eDgU51i0knGA=\n",
+    "iv": "ONKrFCt8Oj3GKIQ5\n",
+    "auth_tag": "j9Hrk8ZZFMQub4NUO+2e4g==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "domains": {
-    "encrypted_data": "scZ5blsSjs54DlitR7KZ3enLbyceOR5q0wjHw1golQ==\n",
-    "iv": "oDcHm7shAzW97b4t\n",
-    "auth_tag": "62Zais9yf68SwmZRsmZ3hw==\n",
+    "encrypted_data": "lGfoPHdXEYYdJmoIA9M119wjVl1v4UzIv5gHADwx0A==\n",
+    "iv": "q6XKbxhW7X9ONxNt\n",
+    "auth_tag": "ns9WJH8Oe75siWu+sOZkRg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

doc/postgres/migration.md

@@ -0,0 +1,287 @@
+# Migrating PostgreSQL cluster to a new major version
+
+## Summary
+
+1. Dump from a replica
+2. Restore to fresh VM running new major version
+3. Add logical replication for delta sync from current/old primary
+4. Switch primary to new server
+5. Remove logical replication on new server
+
+## Runbook
+
+* Primary host: `PRIMARY_HOST`
+* Replica host: `REPLICA_HOST`
+* New PG14 host: `NEW_HOST`
+* PostgreSQL superuser: `postgres`
+* Running locally on each machine via `sudo -u postgres`
+
+Adjust hostnames/IPs/etc. where needed.
+
+---
+
+### 🟢 0. PRIMARY — Pre-checks
+
+```bash
+sudo -u postgres psql -c "SHOW wal_level;"
+sudo -u postgres psql -c "SHOW max_replication_slots;"
+```
+
+If needed, edit config:
+
+```bash
+sudo -u postgres vi $PGDATA/postgresql.conf
+```
+
+Ensure:
+
+```conf
+wal_level = logical
+max_replication_slots = 10
+```
+
+Restart if changed:
+
+```bash
+sudo systemctl restart postgresql
+```
+
+---
+
+### 🔵🟡 3. Create keypair for syncing dump later
+
+🔵 On NEW_HOST:
+
+```bash
+sudo mkdir -p /home/postgres/.ssh && \
+sudo chown -R postgres:postgres /home/postgres && \
+sudo chmod 700 /home/postgres/.ssh && \
+sudo -u postgres bash -c 'ssh-keygen -t ecdsa -b 256 -f /home/postgres/.ssh/id_ecdsa -N "" -C "postgres@$(hostname)"' && \
+sudo cat /home/postgres/.ssh/id_ecdsa.pub
+```
+
+Copy the public key from the above output
+
+🟡 On replica:
+
+```bash
+sudo mkdir -p /home/postgres/.ssh && \
+sudo chown -R postgres:postgres /home/postgres && \
+sudo chmod 700 /home/postgres/.ssh && \
+echo [public_key] | sudo tee /home/postgres/.ssh/authorized_keys > /dev/null && \
+sudo chmod 700 /home/postgres/.ssh
+```
+
+---
+
+### 🟢 1. PRIMARY — Create publication and replication slots
+
+```bash
+sudo -u postgres pg_create_replication_publications
+```
+
+or
+
+```bash
+sudo -u postgres pg_create_replication_publication [db_name]
+```
+
+Listing publications and slots:
+
+```bash
+sudo -u postgres pg_list_replication_publications
+sudo -u postgres pg_list_replication_slots
+```
+
+---
+
+### 🟡 3. REPLICA — Pause replication
+
+```bash
+sudo -u postgres psql -c "SELECT pg_wal_replay_pause();"
+```
+
+Verify:
+
+```bash
+sudo -u postgres psql -c "SELECT pg_is_wal_replay_paused();"
+```
+
+---
+
+### 🟡 4. REPLICA — Run dump
+
+```bash
+sudo -u postgres pg_dump_all_databases
+```
+
+or
+
+```bash
+sudo -u postgres bash -c "pg_dumpall --globals-only > /tmp/globals.sql"
+sudo -u postgres pg_dump_database [db_name]
+```
+
+---
+
+### 🟡 5. REPLICA — Resume replication
+
+```bash
+sudo -u postgres psql -c "SELECT pg_wal_replay_resume();"
+```
+
+---
+
+### 🔵 6. COPY dumps to NEW HOST
+
+From NEW_HOST:
+
+```bash
+export REPLICA_HOST=[private_ip] && \
+cd /tmp && \
+sudo -u postgres scp "postgres@$REPLICA_HOST:/tmp/globals.sql" . && \
+sudo -u postgres scp "postgres@$REPLICA_HOST:/tmp/dump_*.tar.zst" .
+```
+
+---
+
+### 🔵 7. NEW HOST (PostgreSQL 14) — Restore
+
+#### 7.1 Restore globals
+
+```bash
+sudo -u postgres psql -f /tmp/globals.sql
+```
+
+---
+
+#### 7.2 Create databases
+
+```bash
+sudo -u postgres psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template1')" | \
+xargs -I{} sudo -u postgres createdb {}
+```
+
+or
+
+```bash
+sudo -u postgres createdb [db_name]
+```
+
+---
+
+#### 7.3 Restore each database
+
+```bash
+sudo -u postgres pg_restore_all_databases
+```
+
+or
+
+```bash
+sudo -u postgres pg_restore_database [db_name]
+```
+
+---
+
+### 🔵 8. NEW HOST — Create subscriptions
+
+```bash
+sudo -u postgres pg_create_replication_subscriptions
+```
+
+or
+
+```bash
+sudo -u postgres pg_create_replication_subscription [db_name]
+```
+
+---
+
+### 🔵 9. NEW HOST — Monitor replication
+
+```bash
+sudo -u postgres pg_list_replication_subscriptions
+```
+
+---
+
+### 🔴 11. CUTOVER
+
+#### 11.1 Stop writes on old primary
+
+Put app(s) in maintenance mode, stop the app/daemons.
+
+---
+
+#### 11.2 Wait for replication to catch up
+
+TODO: not the best way to check, since WAL LSNs keep increasing
+
+```bash
+sudo -u postgres psql -d [db_name] -c "SELECT * FROM pg_stat_subscription;"
+```
+
+---
+
+#### 11.3 Fix sequences
+
+Run per DB:
+
+```bash
+sudo -u postgres pg_fix_sequences_in_all_databases
+```
+
+or
+
+```bash
+sudo -u postgres pg_fix_sequences [db_name]
+```
+
+---
+
+#### 11.4 Point app to NEW_HOST
+
+1. Update `pg.kosmos.local` in `/etc/hosts` on app server(s). For example:
+
+   ```bash
+   export NEW_PG_PRIMARY=[private_ip]
+   knife ssh roles:ejabberd -a knife_zero.host "sudo sed -r \"s/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\s(pg.kosmos.local)/$NEW_PG_PRIMARY\t\1/\" -i /etc/hosts"
+   ```
+
+   Or override node attribute(s) if necessary and/or approporiate.
+
+2. Start the app/daemons, and deactivate maintenance mode.
+
+---
+
+### 🧹 12. CLEANUP NEW_HOST
+
+```bash
+sudo -u postgres pg_drop_replication_subscriptions
+```
+
+---
+
+### 🧹 13. CLEANUP PRIMARY
+
+TODO: Looks like slots are dropped automatically, when subscriptions are dropped
+
+```bash
+sudo -u postgres pg_drop_replication_publications
+```
+
+---
+
+### 🧹 13. CLEANUP Chef
+
+Once all apps/databases are migrated, update the role in the node
+config of the new primary to 'postgres_primary' and converge it.
+
+Also delete the old primary node config from the Chef repo.
+
+---
+
+### ✅ DONE
+
+---

nodes/akkounts-1.json

@@ -9,7 +9,7 @@
   "automatic": {
     "fqdn": "akkounts-1",
     "os": "linux",
-    "os_version": "5.4.0-148-generic",
+    "os_version": "5.4.0-223-generic",
     "hostname": "akkounts-1",
     "ipaddress": "192.168.122.160",
     "roles": [

nodes/draco.kosmos.org.json

@@ -12,6 +12,7 @@
     },
     "openresty": {
       "listen_ip": "148.251.237.111",
+      "listen_ipv6": "2a01:4f8:202:804a::2",
       "log_formats": {
         "json": "{\"ip\":\"$remote_addr\",\"time\":\"$time_local\",\"host\":\"$host\",\"method\":\"$request_method\",\"uri\":\"$uri\",\"status\":$status,\"size\":$body_bytes_sent,\"referer\":\"$http_referer\",\"upstream_addr\":\"$upstream_addr\",\"upstream_response_time\":\"$upstream_response_time\",\"ua\":\"$http_user_agent\"}"
       }
@@ -81,6 +82,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/ejabberd-4.json

@@ -37,6 +37,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/ejabberd-8.json

@@ -37,6 +37,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/fornax.kosmos.org.json

@@ -75,6 +75,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/garage-12.json

@@ -0,0 +1,65 @@
+{
+  "name": "garage-12",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.224"
+    }
+  },
+  "automatic": {
+    "fqdn": "garage-12",
+    "os": "linux",
+    "os_version": "5.15.0-1059-kvm",
+    "hostname": "garage-12",
+    "ipaddress": "192.168.122.173",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "garage_node"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::journald_conf",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.7.10",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.5",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[garage_node]"
+  ]
+}

nodes/garage-13.json

@@ -1,34 +1,36 @@
 {
-  "name": "postgres-8",
+  "name": "garage-13",
   "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.99"
+      "host": "10.1.1.179"
     }
   },
   "automatic": {
-    "fqdn": "postgres-8",
+    "fqdn": "garage-13",
     "os": "linux",
     "os_version": "5.15.0-1059-kvm",
-    "hostname": "postgres-8",
-    "ipaddress": "192.168.122.100",
+    "hostname": "garage-13",
+    "ipaddress": "192.168.122.27",
     "roles": [
       "base",
       "kvm_guest",
-      "postgresql_replica"
+      "garage_node"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
-      "kosmos_postgresql::hostsfile",
-      "kosmos_postgresql::replica",
-      "kosmos_postgresql::firewall",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",
@@ -37,26 +39,27 @@
       "postfix::_common",
       "postfix::_attributes",
       "postfix::sasl_auth",
-      "hostname::default"
+      "hostname::default",
+      "firewall::default"
     ],
     "platform": "ubuntu",
     "platform_version": "22.04",
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "version": "18.7.10",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "version": "18.2.5",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
       }
     }
   },
   "run_list": [
     "role[base]",
     "role[kvm_guest]",
-    "role[postgresql_replica]"
+    "role[garage_node]"
   ]
 }

nodes/garage-14.json

@@ -0,0 +1,65 @@
+{
+  "name": "garage-14",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.151"
+    }
+  },
+  "automatic": {
+    "fqdn": "garage-14",
+    "os": "linux",
+    "os_version": "5.15.0-1095-kvm",
+    "hostname": "garage-14",
+    "ipaddress": "192.168.122.36",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "garage_node"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::journald_conf",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.10.17",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.13",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[garage_node]"
+  ]
+}

nodes/garage-15.json

@@ -0,0 +1,65 @@
+{
+  "name": "garage-15",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.82"
+    }
+  },
+  "automatic": {
+    "fqdn": "garage-15",
+    "os": "linux",
+    "os_version": "5.15.0-1095-kvm",
+    "hostname": "garage-15",
+    "ipaddress": "192.168.122.57",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "garage_node"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::journald_conf",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.10.17",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.13",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[garage_node]"
+  ]
+}

nodes/gitea-2.json

@@ -50,13 +50,6 @@
       "postfix::sasl_auth",
       "hostname::default",
       "firewall::default",
-      "kosmos_gitea::compile_from_source",
-      "git::default",
-      "git::package",
-      "kosmos-nodejs::default",
-      "nodejs::nodejs_from_package",
-      "nodejs::repo",
-      "golang::default",
       "backup::default",
       "logrotate::default"
     ],

nodes/leo.json

@@ -0,0 +1,56 @@
+{
+  "name": "leo",
+  "normal": {
+    "knife_zero": {
+      "host": "leo.kosmos.org"
+    }
+  },
+  "automatic": {
+    "fqdn": "leo",
+    "os": "linux",
+    "os_version": "5.15.0-164-generic",
+    "hostname": "leo",
+    "ipaddress": "5.9.81.116",
+    "roles": [
+      "base"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::host",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::journald_conf",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.10.17",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.13",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "recipe[kosmos_kvm::host]"
+  ]
+}

nodes/postgres-11.json

@@ -1,16 +1,17 @@
 {
-  "name": "postgres-6",
+  "name": "postgres-11",
+  "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.196"
+      "host": "10.1.1.91"
     }
   },
   "automatic": {
-    "fqdn": "postgres-6",
+    "fqdn": "postgres-11",
     "os": "linux",
-    "os_version": "5.4.0-173-generic",
-    "hostname": "postgres-6",
-    "ipaddress": "192.168.122.60",
+    "os_version": "5.15.0-1095-kvm",
+    "hostname": "postgres-11",
+    "ipaddress": "192.168.122.142",
     "roles": [
       "base",
       "kvm_guest",
@@ -21,18 +22,20 @@
       "kosmos-base::default",
       "kosmos_kvm::guest",
       "kosmos_postgresql::primary",
-      "kosmos_postgresql::firewall",
       "kosmos-akkounts::pg_db",
       "kosmos-bitcoin::lndhub-go_pg_db",
       "kosmos-bitcoin::nbxplorer_pg_db",
       "kosmos_drone::pg_db",
       "kosmos_gitea::pg_db",
       "kosmos-mastodon::pg_db",
+      "kosmos_postgresql::firewall",
+      "kosmos_postgresql::management_scripts",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",
@@ -44,17 +47,17 @@
       "hostname::default"
     ],
     "platform": "ubuntu",
-    "platform_version": "20.04",
+    "platform_version": "22.04",
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.4.2",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.2/lib",
+        "version": "18.10.17",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "version": "18.2.13",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
       }
     }
   },

nodes/postgres-12.json

@@ -1,5 +1,5 @@
 {
-  "name": "postgres-7",
+  "name": "postgres-12",
   "chef_environment": "production",
   "normal": {
     "knife_zero": {
@@ -7,11 +7,11 @@
     }
   },
   "automatic": {
-    "fqdn": "postgres-7",
+    "fqdn": "postgres-12",
     "os": "linux",
-    "os_version": "5.4.0-1123-kvm",
-    "hostname": "postgres-7",
-    "ipaddress": "192.168.122.89",
+    "os_version": "5.15.0-1096-kvm",
+    "hostname": "postgres-12",
+    "ipaddress": "192.168.122.139",
     "roles": [
       "base",
       "kvm_guest",
@@ -24,6 +24,7 @@
       "kosmos_postgresql::hostsfile",
       "kosmos_postgresql::replica",
       "kosmos_postgresql::firewall",
+      "kosmos_postgresql::management_scripts",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -41,17 +42,17 @@
       "hostname::default"
     ],
     "platform": "ubuntu",
-    "platform_version": "20.04",
+    "platform_version": "22.04",
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "version": "18.10.17",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "version": "18.2.13",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
       }
     }
   },

nodes/wiki-1.json

@@ -28,6 +28,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",
@@ -66,12 +67,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "15.13.8",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.13.8/lib"
+        "version": "18.7.10",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_effortless": null
       },
       "ohai": {
-        "version": "15.12.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
+        "version": "18.2.5",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
       }
     }
   },

roles/gitea.rb

@@ -8,8 +8,8 @@ run_list %w(
 
 override_attributes(
   "gitea" => {
-    "repo" => "https://github.com/67P/gitea.git",
-    "revision" => "ldap_sync",
+    # "repo" => "https://github.com/67P/gitea.git",
+    # "revision" => "ldap_sync",
     "log" => { "level" => "Info" }
   },
 )

roles/postgresql_primary.rb

@@ -1,12 +1,13 @@
 name "postgresql_primary"
 
-run_list %w(
-  kosmos_postgresql::primary
-  kosmos_postgresql::firewall
-  kosmos-akkounts::pg_db
-  kosmos-bitcoin::lndhub-go_pg_db
-  kosmos-bitcoin::nbxplorer_pg_db
-  kosmos_drone::pg_db
-  kosmos_gitea::pg_db
-  kosmos-mastodon::pg_db
-)
+run_list [
+  "kosmos_postgresql::primary",
+  "kosmos-akkounts::pg_db",
+  "kosmos-bitcoin::lndhub-go_pg_db",
+  "kosmos-bitcoin::nbxplorer_pg_db",
+  "kosmos_drone::pg_db",
+  "kosmos_gitea::pg_db",
+  "kosmos-mastodon::pg_db",
+  "kosmos_postgresql::firewall",
+  "kosmos_postgresql::management_scripts"
+]

roles/postgresql_replica.rb

@@ -1,7 +1,8 @@
 name "postgresql_replica"
 
-run_list %w(
-  kosmos_postgresql::hostsfile
-  kosmos_postgresql::replica
-  kosmos_postgresql::firewall
-)
+run_list [
+  "kosmos_postgresql::hostsfile",
+  "kosmos_postgresql::replica",
+  "kosmos_postgresql::firewall",
+  "kosmos_postgresql::management_scripts"
+]

roles/postgresql_replica_logical.rb

@@ -0,0 +1,8 @@
+name "postgresql_replica_logical"
+
+run_list [
+  "kosmos_postgresql::hostsfile",
+  "kosmos_postgresql::replica_logical",
+  "kosmos_postgresql::firewall",
+  "kosmos_postgresql::management_scripts"
+]

site-cookbooks/discourse/templates/nginx_conf.erb

@@ -8,8 +8,8 @@ upstream _<%= @upstream_name %> {
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
   server_name <%= @server_name %>;
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos-akkounts/recipes/default.rb

@@ -230,7 +230,6 @@ systemd_unit "akkounts.service" do
       WorkingDirectory: deploy_path,
       Environment: "RAILS_ENV=#{rails_env} SOLID_QUEUE_IN_PUMA=true",
       ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
-      ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
       ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
       PIDFile: "#{deploy_path}/tmp/puma.pid",
       TimeoutSec: "10",

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb

@@ -11,7 +11,7 @@ proxy_cache_path <%= node[:openresty][:cache_dir] %>/akkounts levels=1:2
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @domain %>;
 
   if ($host != $server_name) {

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb

@@ -7,7 +7,7 @@ upstream _akkounts_api {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @domain %>;
 
   ssl_certificate     <%= @ssl_cert %>;

site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb

@@ -1,52 +0,0 @@
-#
-# Cookbook Name:: kosmos-base
-# Recipe:: andromeda_firewall
-#
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-# Temporary extra rules for Andromeda
-
-firewall_rule 'bitcoind' do
-  port     [8333, 8334, 8335]
-  protocol :tcp
-  command  :allow
-end
-
-firewall_rule 'lnd' do
-  port     [9736]
-  # port     [9736, 8002]
-  protocol :tcp
-  command  :allow
-end
-
-firewall_rule 'lightningd' do
-  port     [9735]
-  protocol :tcp
-  command  :allow
-end
-
-firewall_rule 'spark_wallet' do
-  port     8008
-  protocol :tcp
-  command  :allow
-end

site-cookbooks/kosmos-base/recipes/default.rb

@@ -30,9 +30,16 @@ include_recipe 'ntp'
 include_recipe 'kosmos-base::journald_conf'
 include_recipe 'kosmos-base::systemd_emails'
 
+node.override["apt"]["unattended_upgrades"]["enable"] = true
+node.override["apt"]["unattended_upgrades"]["mail_only_on_error"] = false
+node.override["apt"]["unattended_upgrades"]["sender"] = "ops@kosmos.org"
 node.override["apt"]["unattended_upgrades"]["allowed_origins"] = [
   "${distro_id}:${distro_codename}-security",
-  "${distro_id}:${distro_codename}-updates"
+  "${distro_id}:${distro_codename}-updates",
+  "${distro_id}ESMApps:${distro_codename}-apps-security",
+  "${distro_id}ESMApps:${distro_codename}-apps-updates",
+  "${distro_id}ESM:${distro_codename}-infra-security",
+  "${distro_id}ESM:${distro_codename}-infra-updates"
 ]
 node.override["apt"]["unattended_upgrades"]["mail"] = "ops@kosmos.org"
 node.override["apt"]["unattended_upgrades"]["syslog_enable"] = true

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '29.0'
-node.default['bitcoin']['checksum']  = '882c782c34a3bf2eacd1fae5cdc58b35b869883512f197f7d6dc8f195decfdaa'
+node.default['bitcoin']['version']   = '30.0'
+node.default['bitcoin']['checksum']  = '9b472a4d51dfed9aa9d0ded2cb8c7bcb9267f8439a23a98f36eb509c1a5e6974'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'

site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb

@@ -43,7 +43,7 @@ bash "compile_bitcoin-core" do
   cwd "/usr/local/bitcoind"
   environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
   code <<-EOH
-    cmake -B build --toolchain depends/x86_64-pc-linux-gnu/toolchain.cmake
+    cmake -B build --toolchain depends/x86_64-pc-linux-gnu/toolchain.cmake -DBUILD_TESTS=OFF
     cmake --build build -j $(($(nproc)/2))
     cmake --install build
   EOH

site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb

@@ -1,49 +1,86 @@
 #!/bin/bash
+set -e
+set -o pipefail
 
 # Calculate yesterday's date in YYYY-MM-DD format
 YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
 echo "Starting price tracking for $YESTERDAY" >&2
 
+# Helper function to perform HTTP requests with retries
+# Usage: make_request <retries> <method> <url> [data] [header1] [header2] ...
+make_request() {
+    local retries=$1
+    local method=$2
+    local url=$3
+    local data=$4
+    shift 4
+    local headers=("$@")
+
+    local count=0
+    local wait_time=3
+    local response
+
+    while [ "$count" -lt "$retries" ]; do
+        local curl_opts=(-s -S -f -X "$method")
+
+        if [ -n "$data" ]; then
+            curl_opts+=(-d "$data")
+        fi
+
+        for h in "${headers[@]}"; do
+            curl_opts+=(-H "$h")
+        done
+
+        if response=$(curl "${curl_opts[@]}" "$url"); then
+            echo "$response"
+            return 0
+        fi
+
+        echo "Request to $url failed (Attempt $((count+1))/$retries). Retrying in ${wait_time}s..." >&2
+        sleep "$wait_time"
+        count=$((count + 1))
+    done
+
+    echo "ERROR: Request to $url failed after $retries attempts" >&2
+    return 1
+}
+
 # Fetch and process rates for a fiat currency
 get_price_data() {
     local currency=$1
     local data avg open24 last
 
-    data=$(curl -s "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/")
-    if [ $? -eq 0 ] && [ ! -z "$data" ]; then
+    if data=$(make_request 3 "GET" "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/" ""); then
         echo "Successfully retrieved ${currency} price data" >&2
         open24=$(echo "$data" | jq -r '.open_24')
         last=$(echo "$data" | jq -r '.last')
-        avg=$(( (${open24%.*} + ${last%.*}) / 2 ))
+        avg=$(echo "$open24 $last" | awk '{printf "%.0f", ($1 + $2) / 2}')
         echo $avg
     else
         echo "ERROR: Failed to retrieve ${currency} price data" >&2
-        exit 1
+        return 1
     fi
 }
 
 # Get price data for each currency
-usd_avg=$(get_price_data "USD")
-eur_avg=$(get_price_data "EUR")
-gbp_avg=$(get_price_data "GBP")
+usd_avg=$(get_price_data "USD") || exit 1
+eur_avg=$(get_price_data "EUR") || exit 1
+gbp_avg=$(get_price_data "GBP") || exit 1
 
 # Create JSON
-json="{\"EUR\":$eur_avg,\"USD\":$usd_avg,\"GBP\":$gbp_avg}"
+json=$(jq -n \
+  --argjson eur "$eur_avg" \
+  --argjson usd "$usd_avg" \
+  --argjson gbp "$gbp_avg" \
+  '{"EUR": $eur, "USD": $usd, "GBP": $gbp}')
 echo "Rates: $json" >&2
 
 # PUT in remote storage
-response=$(curl -X PUT \
-    -H "Authorization: Bearer $RS_AUTH" \
-    -H "Content-Type: application/json" \
-    -d "$json" \
-    -w "%{http_code}" \
-    -s \
-    -o /dev/null \
-    "<%= @rs_base_url %>/$YESTERDAY")
-
-if [ "$response" -eq 200 ] || [ "$response" -eq 201 ]; then
+if make_request 3 "PUT" "<%= @rs_base_url %>/$YESTERDAY" "$json" \
+    "Authorization: Bearer $RS_AUTH" \
+    "Content-Type: application/json" > /dev/null; then
    echo "Successfully uploaded price data" >&2
 else
-   echo "ERROR: Failed to upload price data. HTTP status: $response" >&2
+   echo "ERROR: Failed to upload price data" >&2
    exit 1
 fi

site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb

@@ -49,7 +49,7 @@ server {
   client_max_body_size 100M;
   server_name <%= @server_name %>;
   listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log <%= node[:nginx][:log_dir] %>/btcpayserver.access.log json;
   error_log <%= node[:nginx][:log_dir] %>/btcpayserver.error.log warn;

site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb

@@ -7,7 +7,7 @@ upstream _lndhub {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   add_header Strict-Transport-Security "max-age=15768000";

site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb

@@ -49,7 +49,7 @@ server {
   server_name <%= @server_name %>;
   <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
   listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   <% else -%>
   listen 80;
   <% end -%>

site-cookbooks/kosmos-ejabberd/attributes/default.rb

@@ -1,6 +1,6 @@
-node.default["ejabberd"]["version"] = "23.10"
+node.default["ejabberd"]["version"] = "25.08"
 node.default["ejabberd"]["package_version"] = "1"
-node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77"
+node.default["ejabberd"]["checksum"] = "e4703bc41b5843fc4b76e8b54a9380d5895f9b3dcd4795e05ad0c260ed9b9a23"
 node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org"
 node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org"
 node.default["ejabberd"]["stun_turn_port"] = 3478

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -65,15 +65,13 @@ file "/opt/ejabberd/.hosts.erlang" do
   content ejabberd_hostnames.map{|h| "#{h}."}.join("\n")
 end
 
-ruby_block "configure ERLANG_NODE" do
-  block do
-    file = Chef::Util::FileEdit.new("/opt/ejabberd/conf/ejabberdctl.cfg")
-    file.search_file_replace_line(
-      %r{#ERLANG_NODE=ejabberd@localhost},
-      "ERLANG_NODE=ejabberd@#{node['name']}"
-    )
-    file.write_file
-  end
+template "/opt/ejabberd/conf/ejabberdctl.cfg" do
+  source    "ejabberdctl.cfg.erb"
+  mode      0644
+  owner     'ejabberd'
+  group     'ejabberd'
+  variables epmd_node_name: "ejabberd@#{node['name']}"
+  notifies :reload, "service[ejabberd]", :delayed
 end
 
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
@@ -225,10 +223,3 @@ end
 unless node.chef_environment == "development"
   include_recipe "kosmos-ejabberd::firewall"
 end
-
-firewall_rule 'ejabberd_http' do
-  port     [80]
-  source   "10.1.1.0/24"
-  protocol :tcp
-  command  :allow
-end

site-cookbooks/kosmos-ejabberd/recipes/firewall.rb

@@ -35,3 +35,10 @@ firewall_rule 'ejabberd_turn' do
   protocol :udp
   command  :allow
 end
+
+firewall_rule 'ejabberd_http' do
+  port     [80]
+  source   "10.1.1.0/24"
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -1,10 +1,11 @@
-loglevel: 4
-
 log_rotate_size: 10485760
-log_rotate_date: ""
 log_rotate_count: 1
 
-log_rate_limit: 100
+loglevel: info
+hide_sensitive_log_data: true
+
+log_modules_fully:
+  - mod_s3_upload
 
 hosts:
 <% @hosts.each do |host| -%>
@@ -95,6 +96,8 @@ auth_method: sql
 
 default_db: sql
 
+update_sql_schema: true
+
 shaper:
   normal:
     rate: 3000
@@ -119,6 +122,15 @@ acl:
       - "::1/128"
       - "::FFFF:127.0.0.1/128"
 
+api_permissions:
+  "webadmin commands":
+    who:
+      - admin
+    from:
+      - ejabberd_web_admin
+    what:
+      - "*"
+
 shaper_rules:
   max_user_sessions: 10
   max_user_offline_messages:

site-cookbooks/kosmos-ejabberd/templates/ejabberdctl.cfg.erb

@@ -0,0 +1,175 @@
+#
+# In this file you can configure options that are passed by ejabberdctl
+# to the erlang runtime system when starting ejabberd
+#
+
+#' POLL: Kernel polling ([true|false])
+#
+# The kernel polling option requires support in the kernel.
+# Additionally, you need to enable this feature while compiling Erlang.
+#
+# Default: true
+#
+#POLL=true
+
+#.
+#' SMP: SMP support ([enable|auto|disable])
+#
+# Explanation in Erlang/OTP documentation:
+# enable: starts the Erlang runtime system with SMP support enabled.
+#   This may fail if no runtime system with SMP support is available.
+# auto: starts the Erlang runtime system with SMP support enabled if it
+#   is available and more than one logical processor are detected.
+# disable: starts a runtime system without SMP support.
+#
+# Default: enable
+#
+#SMP=enable
+
+#.
+#' ERL_MAX_PORTS: Maximum number of simultaneously open Erlang ports
+#
+# ejabberd consumes two or three ports for every connection, either
+# from a client or from another Jabber server. So take this into
+# account when setting this limit.
+#
+# Default: 32000
+# Maximum: 268435456
+#
+#ERL_MAX_PORTS=32000
+
+#.
+#' FIREWALL_WINDOW: Range of allowed ports to pass through a firewall
+#
+# If Ejabberd is configured to run in cluster, and a firewall is blocking ports,
+# it's possible to make Erlang use a defined range of port (instead of dynamic
+# ports) for node communication.
+#
+# Default: not defined
+# Example: 4200-4210
+#
+FIREWALL_WINDOW=4200-4210
+
+#.
+#' INET_DIST_INTERFACE: IP address where this Erlang node listens other nodes
+#
+# This communication is used by ejabberdctl command line tool,
+# and in a cluster of several ejabberd nodes.
+#
+# Default: 0.0.0.0
+#
+#INET_DIST_INTERFACE=127.0.0.1
+
+#.
+#' ERL_EPMD_ADDRESS: IP addresses where epmd listens for connections
+#
+# IMPORTANT: This option works only in Erlang/OTP R14B03 and newer.
+#
+# This environment variable may be set to a comma-separated
+# list of IP addresses, in which case the epmd daemon
+# will listen only on the specified address(es) and on the
+# loopback address (which is implicitly added to the list if it
+# has not been specified). The default behaviour is to listen on
+# all available IP addresses.
+#
+# Default: 0.0.0.0
+#
+#ERL_EPMD_ADDRESS=127.0.0.1
+
+#.
+#' ERL_PROCESSES: Maximum number of Erlang processes
+#
+# Erlang consumes a lot of lightweight processes. If there is a lot of activity
+# on ejabberd so that the maximum number of processes is reached, people will
+# experience greater latency times. As these processes are implemented in
+# Erlang, and therefore not related to the operating system processes, you do
+# not have to worry about allowing a huge number of them.
+#
+# Default: 250000
+# Maximum: 268435456
+#
+#ERL_PROCESSES=250000
+
+#.
+#' ERL_MAX_ETS_TABLES: Maximum number of ETS and Mnesia tables
+#
+# The number of concurrent ETS and Mnesia tables is limited. When the limit is
+# reached, errors will appear in the logs:
+#   ** Too many db tables **
+# You can safely increase this limit when starting ejabberd. It impacts memory
+# consumption but the difference will be quite small.
+#
+# Default: 1400
+#
+#ERL_MAX_ETS_TABLES=1400
+
+#.
+#' ERL_OPTIONS: Additional Erlang options
+#
+# The next variable allows to specify additional options passed to erlang while
+# starting ejabberd. Some useful options are -noshell, -detached, -heart. When
+# ejabberd is started from an init.d script options -noshell and -detached are
+# added implicitly. See erl(1) for more info.
+#
+# It might be useful to add "-pa /usr/local/lib/ejabberd/ebin" if you
+# want to add local modules in this path.
+#
+# Default: ""
+#
+#ERL_OPTIONS=""
+
+#.
+#' ERLANG_NODE: Erlang node name
+#
+# The next variable allows to explicitly specify erlang node for ejabberd
+# It can be given in different formats:
+# ERLANG_NODE=ejabberd
+#   Lets erlang add hostname to the node (ejabberd uses short name in this case)
+# ERLANG_NODE=ejabberd@hostname
+#   Erlang uses node name as is (so make sure that hostname is a real
+#   machine hostname or you'll not be able to control ejabberd)
+# ERLANG_NODE=ejabberd@hostname.domainname
+#   The same as previous, but erlang will use long hostname
+#   (see erl (1) manual for details)
+#
+# Default: ejabberd@localhost
+#
+ERLANG_NODE=<%= @epmd_node_name %>
+
+#.
+#' EJABBERD_PID_PATH: ejabberd PID file
+#
+# Indicate the full path to the ejabberd Process identifier (PID) file.
+# If this variable is defined, ejabberd writes the PID file when starts,
+# and deletes it when stops.
+# Remember to create the directory and grant write permission to ejabberd.
+#
+# Default: don't write PID file
+#
+#EJABBERD_PID_PATH=/var/run/ejabberd/ejabberd.pid
+
+#.
+#' CONTRIB_MODULES_PATH: contributed ejabberd modules path
+#
+# Specify the full path to the contributed ejabberd modules. If the path is not
+# defined, ejabberd will use ~/.ejabberd-modules in home of user running ejabberd.
+#
+# Default: $HOME/.ejabberd-modules
+#
+#CONTRIB_MODULES_PATH=/opt/ejabberd-modules
+
+#.
+#' CONTRIB_MODULES_CONF_DIR: configuration directory for contributed modules
+#
+# Specify the full path to the configuration directory for contributed ejabberd
+# modules. In order to configure a module named mod_foo, a mod_foo.yml file can
+# be created in this directory. This file will then be used instead of the
+# default configuration file provided with the module.
+#
+# Default: $CONTRIB_MODULES_PATH/conf
+#
+#CONTRIB_MODULES_CONF_DIR=/etc/ejabberd/modules
+
+#.
+#'
+# vim: foldmarker=#',#. foldmethod=marker:

site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb

@@ -3,7 +3,7 @@
 
 server {
   listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   ssl_certificate     <%= @ssl_cert %>;

site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb

@@ -7,7 +7,7 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   add_header Strict-Transport-Security "max-age=15768000";

site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb

@@ -12,7 +12,7 @@ upstream _ipfs_api {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log /var/log/nginx/<%= @server_name %>.access.log;
   error_log  /var/log/nginx/<%= @server_name %>.error.log;

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb

@@ -21,7 +21,7 @@ proxy_cache_path /var/cache/nginx/mastodon levels=1:2
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
   include <%= @shared_config_path %>;
 

site-cookbooks/kosmos-mediawiki/metadata.rb

@@ -3,7 +3,6 @@ maintainer       'Kosmos'
 maintainer_email 'mail@kosmos.org'
 license          'MIT'
 description      'Installs/Configures kosmos-mediawiki'
-long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version          '0.3.1'
 
 depends "mediawiki"

site-cookbooks/kosmos-mediawiki/recipes/default.rb

@@ -1,9 +1,9 @@
 #
-# Cookbook Name:: kosmos-mediawiki
-# Recipe:: default
+# Cookbook:: kosmos-mediawiki
+# Recipe:: default.rb
 #
 
-include_recipe 'apt'
+apt_update
 include_recipe 'ark'
 include_recipe 'composer'
 
@@ -30,14 +30,14 @@ directory "#{node['mediawiki']['webdir']}/skins/common/images" do
   owner node['nginx']['user']
   group node['nginx']['group']
   recursive true
-  mode 0750
+  mode "750"
 end
 
 cookbook_file "#{node['mediawiki']['webdir']}/skins/common/images/kosmos.png" do
   source 'kosmos.png'
   owner node['nginx']['user']
   group node['nginx']['group']
-  mode 0640
+  mode "640"
 end
 
 directory "#{node['mediawiki']['webdir']}/.well-known/acme-challenge" do
@@ -80,14 +80,14 @@ nginx_certbot_site server_name
 # Extensions
 #
 
-mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
+mediawiki_credentials = data_bag_item('credentials', 'mediawiki')
 
 #
 # MediawikiHubot extension
 #
 
 # requires curl extension
-if platform?('ubuntu') && node[:platform_version].to_f < 16.04
+if platform?('ubuntu') && node["platform_version"].to_f < 16.04
   package "php5-curl"
 else
   package "php-curl"
@@ -100,7 +100,7 @@ ark "MediawikiHubot" do
   action :cherry_pick
 end
 
-hubot_credentials = Chef::EncryptedDataBagItem.load('credentials', 'hal8000_xmpp')
+hubot_credentials = data_bag_item('credentials', 'hal8000_xmpp')
 webhook_token = hubot_credentials['webhook_token']
 
 template "#{node['mediawiki']['webdir']}/extensions/MediawikiHubot/DefaultConfig.php" do
@@ -145,7 +145,7 @@ end
 
 ruby_block "configuration" do
   block do
-    # FIXME This is internal Chef API and should not be used from recipes, as
+    # FIXME: This is internal Chef API and should not be used from recipes, as
     # it is unsupported for that
     file = Chef::Util::FileEdit.new("#{node['mediawiki']['webdir']}/LocalSettings.php")
     file.search_file_replace_line(%r{\$wgLogo\ =\ \"\$wgResourceBasePath\/resources\/assets\/wiki.png\";},
@@ -247,9 +247,7 @@ end
 #
 
 file "#{node['mediawiki']['webdir']}/composer.local.json" do
-  requires = { "require": {
-    "mediawiki/mermaid": "~1.0"
-  }}.to_json
+  requires = { "require": { "mediawiki/mermaid": "~1.0" } }.to_json
   content requires
   owner node['nginx']['user']
   group node['nginx']['group']

site-cookbooks/kosmos-postfix/recipes/default.rb

@@ -3,20 +3,23 @@
 # Recipe:: default
 #
 
-node.default['postfix']['main']['smtp_tls_CAfile']  = '/etc/ssl/certs/ca-certificates.crt'
-node.default['postfix']['main']['smtpd_tls_CAfile'] = '/etc/ssl/certs/ca-certificates.crt'
+node.default["postfix"]["main"]["smtp_tls_CAfile"]  = "/etc/ssl/certs/ca-certificates.crt"
+node.default["postfix"]["main"]["smtpd_tls_CAfile"] = "/etc/ssl/certs/ca-certificates.crt"
 
 return if node.run_list.roles.include?("email_server")
 
-smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
+smtp_credentials = Chef::EncryptedDataBagItem.load("credentials", "smtp")
 
-node.default['postfix']['sasl']['smtp_sasl_user_name']        = smtp_credentials['user_name']
-node.default['postfix']['sasl']['smtp_sasl_passwd']           = smtp_credentials['password']
-node.default['postfix']['sasl_password_file']                 = "#{node['postfix']['conf_dir']}/sasl_passwd"
-# Postfix doesn't support smtps relayhost, use STARTSSL instead
-node.default['postfix']['main']['relayhost']                  = smtp_credentials['relayhost']
-node.default['postfix']['main']['smtp_sasl_auth_enable']      = 'yes'
-node.default['postfix']['main']['smtp_sasl_password_maps']    = "hash:#{node['postfix']['sasl_password_file']}"
-node.default['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
+node.default["postfix"]["sasl"] = {
+  smtp_credentials["relayhost"] => {
+    "username" => smtp_credentials["user_name"],
+    "password" => smtp_credentials["password"]
+  }
+}
 
-include_recipe 'postfix::default'
+# Postfix doesn"t support smtps relayhost, use STARTSSL instead
+node.default["postfix"]["main"]["relayhost"]                  = smtp_credentials["relayhost"]
+node.default["postfix"]["main"]["smtp_sasl_auth_enable"]      = "yes"
+node.default["postfix"]["main"]["smtp_sasl_security_options"] = "noanonymous"
+
+include_recipe "postfix::default"

site-cookbooks/kosmos_assets/templates/nginx_conf_assets.erb

@@ -3,7 +3,7 @@
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @domain %>;
 
   root /var/www/<%= @domain %>/site;

site-cookbooks/kosmos_discourse/templates/nginx_conf.erb

@@ -9,7 +9,7 @@ upstream _discourse {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_drone/attributes/default.rb

@@ -1,2 +1,6 @@
 node.default["kosmos_drone"]["domain"] = "drone.kosmos.org"
 node.default["kosmos_drone"]["upstream_port"] = 80
+node.default["kosmos_drone"]["pg_host"] = "pg.kosmos.local"
+node.default["kosmos_drone"]["pg_port"] = 5432
+node.default["kosmos_drone"]["pg_db"] = "drone"
+node.default["kosmos_drone"]["pg_user"] = "drone"

site-cookbooks/kosmos_drone/recipes/default.rb

@@ -9,11 +9,11 @@ credentials = data_bag_item("credentials", "drone")
 drone_credentials = data_bag_item('credentials', 'drone')
 
 postgres_config = {
-  username: "drone",
-  password: drone_credentials["postgresql_password"],
-  host: "pg.kosmos.local",
-  port: 5432,
-  database: "drone"
+  host: node["kosmos_drone"]["pg_host"],
+  port: node["kosmos_drone"]["pg_port"],
+  database: node["kosmos_drone"]["pg_db"],
+  username: node["kosmos_drone"]["pg_user"],
+  password: drone_credentials["postgresql_password"]
 }
 
 directory deploy_path do

site-cookbooks/kosmos_drone/templates/nginx_conf.erb

@@ -8,7 +8,7 @@ upstream _drone {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb

@@ -4,7 +4,7 @@ upstream garage_s3 {
 
 server {
   listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen [::]:443 http2 ssl;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb

@@ -1,6 +1,6 @@
 server {
   listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen [::]:443 http2 ssl;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   server_name <%= @server_name %>;
 
@@ -18,6 +18,7 @@ server {
   }
 
   location / {
+    add_header 'Access-Control-Allow-Origin' '*' always;
     proxy_intercept_errors on;
     proxy_cache garage_cache;
     proxy_pass http://garage_web;

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,11 +1,12 @@
-node.default["gitea"]["version"] = "1.23.8"
-node.default["gitea"]["checksum"] = "827037e7ca940866918abc62a7488736923396c467fcb4acd0dd9829bb6a6f4c"
+node.default["gitea"]["version"] = "1.25.4"
+node.default["gitea"]["checksum"] = "a3031853e67c53714728ef705642c9046a11fb0ea356aff592e23efe6114607d"
 node.default["gitea"]["repo"] = nil
 node.default["gitea"]["revision"] = nil
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
 node.default["gitea"]["domain"] = "gitea.kosmos.org"
+node.default["gitea"]["email"] = "gitea@kosmos.org"
 
 node.default["gitea"]["config"] = {
   "log": {
@@ -22,5 +23,5 @@ node.default["gitea"]["config"] = {
   }
 }
 
-node.default["gitea"]["act_runner"]["version"] = "0.2.6"
-node.default["gitea"]["act_runner"]["checksum"] = "234c2bdb871e7b0bfb84697f353395bfc7819faf9f0c0443845868b64a041057"
+node.default["gitea"]["act_runner"]["version"] = "0.2.13"
+node.default["gitea"]["act_runner"]["checksum"] = "3acac8b506ac8cadc88a55155b5d6378f0fab0b8f62d1e0c0450f4ccd69733e2"

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -19,6 +19,17 @@ jwt_secret                = gitea_data_bag_item["jwt_secret"]
 internal_token            = gitea_data_bag_item["internal_token"]
 secret_key                = gitea_data_bag_item["secret_key"]
 
+apt_repository "git-core-ppa" do
+  uri "http://ppa.launchpad.net/git-core/ppa/ubuntu"
+  components ["main"]
+  key "E1DF1F24"
+  action :add
+  only_if do
+    node['platform'] == 'ubuntu' &&
+      Gem::Version.new(node['platform_version']) < Gem::Version.new('22.04')
+  end
+end
+
 package "git"
 
 user "git" do
@@ -26,6 +37,13 @@ user "git" do
   home "/home/git"
 end
 
+directory "/home/git/.ssh" do
+  owner "git"
+  group "git"
+  mode "0700"
+  recursive true
+end
+
 directory working_directory do
   owner "git"
   group "git"
@@ -78,6 +96,8 @@ if node.chef_environment == "production"
 end
 
 config_variables = {
+  domain: node["gitea"]["domain"],
+  email: node["gitea"]["email"],
   working_directory: working_directory,
   git_home_directory: git_home_directory,
   repository_root_directory: repository_root_directory,
@@ -98,6 +118,16 @@ config_variables = {
   s3_bucket: gitea_data_bag_item["s3_bucket"]
 }
 
+bash "Generate git ed25519 keypair" do
+  user "git"
+  group "git"
+  cwd git_home_directory
+  code <<-EOH
+    ssh-keygen -t ed25519 -f #{git_home_directory}/.ssh/id_ed25519
+  EOH
+  creates "#{git_home_directory}/.ssh/id_ed25519"
+end
+
 template "#{config_directory}/app.ini" do
   source "app.ini.erb"
   owner "git"
@@ -129,7 +159,7 @@ template "/etc/systemd/system/gitea.service" do
             git_home_directory: git_home_directory,
             config_directory: config_directory,
             gitea_binary_path: gitea_binary_path
-  notifies :run, "execute[systemctl daemon-reload]", :delayed
+  notifies :run, "execute[systemctl daemon-reload]", :immediately
 end
 
 service "gitea" do

site-cookbooks/kosmos_gitea/templates/default/app.ini.erb

@@ -2,12 +2,12 @@ APP_NAME = Gitea
 RUN_MODE = prod
 
 [server]
-SSH_DOMAIN       = gitea.kosmos.org
+SSH_DOMAIN = <%= @domain %>
 HTTP_PORT        = 3000
 DISABLE_SSH      = false
 SSH_PORT         = 22
 PROTOCOL = http
-DOMAIN = gitea.kosmos.org
+DOMAIN = <%= @domain %>
 # Gitea is running behind an nginx reverse load balancer, use an HTTPS root URL
 ROOT_URL = https://%(DOMAIN)s
 # REDIRECT_OTHER_PORT = true
@@ -30,6 +30,16 @@ MAX_OPEN_CONNS = 20
 ROOT = <%= @repository_root_directory %>
 DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
 
+[repository.signing]
+SIGNING_KEY = <%= @git_home_directory %>/.ssh/id_ed25519.pub
+SIGNING_NAME = Gitea
+SIGNING_EMAIL = git@<%= @domain %>
+SIGNING_FORMAT = ssh
+INITIAL_COMMIT = always
+CRUD_ACTIONS = always
+WIKI = always
+MERGES = always
+
 # [indexer]
 # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
 
@@ -46,7 +56,7 @@ SMTP_ADDR = <%= @smtp_addr %>
 SMTP_PORT = <%= @smtp_port %>
 USER = <%= @smtp_user %>
 PASSWD = <%= @smtp_password %>
-FROM = gitea@kosmos.org
+FROM = <%= @email %>
 
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb

@@ -4,5 +4,6 @@ upstream _gitea_ssh {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>22;
+  listen [::]:22;
   proxy_pass _gitea_ssh;
 }

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb

@@ -6,7 +6,7 @@ upstream _gitea_web {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_kvm/README.md

@@ -1,4 +1,14 @@
 # kosmos_kvm
 
-TODO: Enter the cookbook description here.
+## Create a new VM
 
+A script is deployed by the `host` recipe to `/usr/local/sbin/create_vm`
+
+### Usage
+
+```
+create_vm VMNAME RAM CPUS DISKSIZE
+```
+
+* `RAM` in megabytes
+* `DISKSIZE` in gigabytes, defaults to 10

site-cookbooks/kosmos_kvm/attributes/default.rb

@@ -1,9 +1,9 @@
-release = "20240514"
+release = "20260320"
 img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm"
 
 node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
   "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img",
-  "checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f",
+  "checksum" => "f7173eb7137b4f0ebeaea8fffe68ecdab1e3c787bde1fd8dfdf27103554332b3",
   "path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2"
 }
 

site-cookbooks/kosmos_kvm/recipes/host.rb

@@ -3,7 +3,7 @@
 # Recipe:: host
 #
 
-package %w(virtinst libvirt-daemon-system)
+package %w(virtinst libvirt-daemon-system libvirt-clients)
 
 directory "/var/lib/libvirt/images/base" do
   recursive true

site-cookbooks/kosmos_kvm/templates/create_vm.erb

@@ -17,7 +17,7 @@ DISKSIZE=${4:-10} # 10GB default
 # Directory where image files will be stored
 IMAGE_DIR=/var/lib/libvirt/images
 IMAGE_PATH=$IMAGE_DIR/${VMNAME}.qcow2
-CIDATA_PATH=${IMAGE_DIR}/cidata-${VMNAME}.iso
+CIDATA_PATH=${IMAGE_DIR}/${VMNAME}-cloudinit
 BASE_FILE=<%= @base_image_path %>
 
 # Create the VM image if it does not already exist
@@ -38,9 +38,8 @@ qemu-img info "$IMAGE_PATH"
 # Check if the cloud-init metadata file exists
 # if not, generate it
 if [ ! -r $CIDATA_PATH ]; then
-  pushd $(dirname $CIDATA_PATH)
-  mkdir -p $VMNAME
-  cd $VMNAME
+  mkdir -p $CIDATA_PATH
+  pushd $CIDATA_PATH
 
   cat > user-data <<-EOS
 #cloud-config
@@ -62,25 +61,19 @@ instance-id: $VMNAME
 local-hostname: $VMNAME
 EOS
 
-  genisoimage -output "$CIDATA_PATH" -volid cidata -joliet -rock user-data meta-data
-  chown libvirt-qemu:kvm "$CIDATA_PATH"
-  chmod 600 "$CIDATA_PATH"
   popd
 fi
 
-# setting --os-variant to ubuntu20.04 and ubuntu18.04 breaks SSH and networking
 virt-install \
   --name "$VMNAME" \
   --ram "$RAM" \
   --vcpus "$CPUS" \
   --cpu host \
   --arch x86_64 \
-  --os-type linux \
-  --os-variant ubuntu16.04 \
+  --osinfo detect=on,name=ubuntujammy \
   --hvm \
   --virt-type kvm \
   --disk "$IMAGE_PATH" \
-  --cdrom "$CIDATA_PATH" \
   --boot hd \
   --network=bridge=virbr0,model=virtio \
   --graphics none \
@@ -88,4 +81,5 @@ virt-install \
   --console pty \
   --channel unix,mode=bind,path=/var/lib/libvirt/qemu/$VMNAME.guest_agent.0,target_type=virtio,name=org.qemu.guest_agent.0 \
   --autostart \
-  --import
+  --import \
+  --cloud-init root-password-generate=off,disable=on,meta-data=$CIDATA_PATH/meta-data,user-data=$CIDATA_PATH/user-data

site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb

@@ -12,7 +12,7 @@ upstream _<%= @app_name %> {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log; # TODO json_liquor_cabinet;

site-cookbooks/kosmos_openresty/attributes/default.rb

@@ -0,0 +1 @@
+node.default["openresty"]["listen_ipv6"] = "::"

site-cookbooks/kosmos_postgresql/attributes/default.rb

@@ -1,3 +1,8 @@
+node.default['kosmos_postgresql']['postgresql_version'] = "14"
+
 # This is set to false by default, and set to true in the server resource
 # for replicas.
 node.default['kosmos_postgresql']['ready_to_set_up_replica'] = false
+
+# Address space from which clients are allowed to connect
+node.default['kosmos_postgresql']['access_addr'] = "10.1.1.0/24"

site-cookbooks/kosmos_postgresql/files/create_publication.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+set -euo pipefail
+
+DB_NAME="${1:?Usage: $0 <database_name>}"
+
+echo "== Processing DB: $DB_NAME =="
+
+# Create publication (idempotent)
+psql -d "$DB_NAME" -v ON_ERROR_STOP=1 <<'SQL'
+DO $$
+BEGIN
+  IF NOT EXISTS (
+    SELECT 1 FROM pg_publication WHERE pubname = 'migrate_pub'
+  ) THEN
+    CREATE PUBLICATION migrate_pub FOR ALL TABLES;
+  END IF;
+END
+$$;
+SQL
+
+# Create logical replication slot (idempotent-ish)
+SLOT="migrate_slot_${DB_NAME}"
+
+if ! psql -d "$DB_NAME" -Atqc "SELECT 1 FROM pg_replication_slots WHERE slot_name = '$SLOT'" | grep -q 1; then
+  echo "  Creating slot: $SLOT"
+  psql -d "$DB_NAME" -c "SELECT pg_create_logical_replication_slot('$SLOT', 'pgoutput');"
+else
+  echo "  Slot already exists: $SLOT"
+fi
+
+echo "== Done =="

site-cookbooks/kosmos_postgresql/files/create_publications.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+set -e
+
+echo "== Creating publication in each database =="
+
+for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template1','postgres')"); do
+  echo "Processing DB: $db"
+
+  # Create publication (idempotent)
+  psql -d "$db" -v ON_ERROR_STOP=1 <<SQL
+DO \$\$
+BEGIN
+  IF NOT EXISTS (
+    SELECT 1 FROM pg_publication WHERE pubname = 'migrate_pub'
+  ) THEN
+    CREATE PUBLICATION migrate_pub FOR ALL TABLES;
+  END IF;
+END
+\$\$;
+SQL
+
+  # Create logical replication slot (idempotent-ish)
+  SLOT="migrate_slot_${db}"
+
+  if ! psql -d "$db" -Atqc "SELECT 1 FROM pg_replication_slots WHERE slot_name = '$SLOT'" | grep -q 1; then
+    echo "  Creating slot: $SLOT"
+    psql -d "$db" -c "SELECT pg_create_logical_replication_slot('$SLOT', 'pgoutput');"
+  else
+    echo "  Slot already exists: $SLOT"
+  fi
+
+done
+
+echo "== Done =="

site-cookbooks/kosmos_postgresql/files/drop_publications.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+set -e
+
+echo "== Dropping subscriptions slots and publications =="
+
+for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template1','postgres')"); do
+  echo "Processing DB: $db"
+
+  SLOT="migrate_slot_${db}"
+
+  # Drop slot if exists
+  if psql -d "$db" -Atqc "SELECT 1 FROM pg_replication_slots WHERE slot_name = '$SLOT'" | grep -q 1; then
+    echo "  Dropping slot: $SLOT"
+    psql -d "$db" -c "SELECT pg_drop_replication_slot('$SLOT');"
+  else
+    echo "  Slot not found: $SLOT"
+  fi
+
+  # Drop publication if exists
+  psql -d "$db" -v ON_ERROR_STOP=1 <<SQL
+DO \$\$
+BEGIN
+  IF EXISTS (
+    SELECT 1 FROM pg_publication WHERE pubname = 'migrate_pub'
+  ) THEN
+    DROP PUBLICATION migrate_pub;
+  END IF;
+END
+\$\$;
+SQL
+
+done
+
+echo "== Done =="

site-cookbooks/kosmos_postgresql/files/drop_subscriptions.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -e
+
+echo "== Dropping subscriptions =="
+
+for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template1','postgres')"); do
+  echo "Processing DB: $db"
+
+  SUB="migrate_sub_${db}"
+
+  # Check if subscription exists
+  EXISTS=$(psql -d "$db" -Atqc "SELECT 1 FROM pg_subscription WHERE subname = '$SUB'")
+
+  if [ "$EXISTS" = "1" ]; then
+    echo "  Found subscription: $SUB"
+
+    # Disable first (good practice)
+    psql -d "$db" -c "ALTER SUBSCRIPTION $SUB DISABLE;"
+
+    # Drop it (must be top-level)
+    psql -d "$db" -c "DROP SUBSCRIPTION $SUB;"
+
+  else
+    echo "  No subscription: $SUB"
+  fi
+
+done
+
+echo "== Done =="

site-cookbooks/kosmos_postgresql/files/dump_all_databases.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+cd /tmp && \
+(pg_dumpall --globals-only > globals.sql) && \
+psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN (''template1'',''postgres'')" | \
+xargs -I{} -P4 sh -c "
+  pg_dump -Fd -j 4 -d \"{}\" -f dump_{} &&
+  tar -cf - dump_{} | zstd -19 -T0 > dump_{}.tar.zst &&
+  rm -rf dump_{}
+"

site-cookbooks/kosmos_postgresql/files/dump_database.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euo pipefail
+
+DB_NAME="${1:?Usage: $0 <database_name>}"
+
+cd /tmp
+
+pg_dump -Fd -j 4 -d "$DB_NAME" -f "dump_${DB_NAME}"
+tar -cf - "dump_${DB_NAME}" | zstd -19 -T0 > "dump_${DB_NAME}.tar.zst"
+rm -rf "dump_${DB_NAME}"