Map LDAP jpegPhoto to vcard-temp PHOTO

Reviewed-on: #592
Reviewed-by: Greg <greg@noreply.kosmos.org>

.gitmodules

@@ -4,3 +4,9 @@
 [submodule "site-cookbooks/openresty"]
 	path = site-cookbooks/openresty
 	url = https://github.com/67P/chef-openresty.git
+[submodule "site-cookbooks/strfry"]
+	path = site-cookbooks/strfry
+	url = git@gitea.kosmos.org:kosmos/strfry-cookbook.git
+[submodule "site-cookbooks/deno"]
+	path = site-cookbooks/deno
+	url = git@gitea.kosmos.org:kosmos/deno-cookbook.git

README.md

@@ -38,6 +38,10 @@ Clone this repository, `cd` into it, and run:
 
     knife zero bootstrap ubuntu@zerotier-ip-address -x ubuntu --sudo --run-list "role[base],role[kvm_guest]" --secret-file .chef/encrypted_data_bag_secret
 
+### Bootstrap a new VM with environment and role/app (postgres replica as example)
+
+    knife zero bootstrap ubuntu@10.1.1.134 -x ubuntu --sudo --environment production --run-list "role[base],role[kvm_guest],role[postgresql_replica]" --secret-file .chef/encrypted_data_bag_secret
+
 ### Run Chef Zero on a host server
 
     knife zero converge -p2222 name:server-name.kosmos.org

clients/garage-10.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-10",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw2+3Wo+KkXVJCOX1SxT9\nSdwKXgPbCDM3EI9uwoxhMxQfRyN53dxIsBDsQUVOIe1Z8yqm4FenMQlNmeDR+QLE\nvNFf1fisinW+D9VVRm+CjcJy96i/Dyt786Z6YRrDlB860HxCbfTL2Zv5BRtbyIKg\nhz5gO+9PMEpPVR2ij9iue4K6jbM1AAL2ia/P6zDWLJqeIzUocCeHV5N0Z3jXH6qr\nf444v78x35MMJ+3tg5h95SU1/PDCpdSTct4uHEuKIosiN7p4DlYMoM5iSyvVoujr\nflRQPEpGzS9qEt3rDo/F4ltzYMx6bf1tB/0QaBKD+zwPZWTTwf61tSBo5/NkGvJc\nFQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-11.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-11",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfZcNEQojtmaogd9vGP/\nMsVPhAOlQ4kxKgrUas+p+XT7lXRan6b3M8UZEleIaL1HWsjSVwtFWRnNl8kg8rF8\nNEkLeOX8kHf7IoXDFOQa2TXanY8tSqrfh9/heFunt4Q3DluVt7S3bBdwukbDXm/n\nXJS2EQP33eJT4reL6FpVR0oVlFCzI3Vmf7ieSHIBXrbXy7AIvGC2+NVXvQle6pqp\nx0rqU6Wc6ef/VtIv+vK3YFnt9ue3tC63mexyeNKgRYf1YjDx61wo2bOY2t8rqN8y\nHeZ3dmAN8/Vwjk5VGnZqK7kRQ92G4IcE+mEp7MuwXcLqQ9WB960o+evay+o1R5JS\nhwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-3.json

@@ -1,4 +0,0 @@
-{
-  "name": "garage-3",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRSB8/ObjvQq6WuOVS/f\nypdX/2fLsUlt5tQ8GNuSY9rSM8gdvcXUvnPlxthZO4yvcPX85wmtBZX8fRJFdkJg\nYRCJbuVKO9sLTq8OUWXYpfU1q10FUhl034zxOMslpxVB6toirnk025vyq9jbuKP+\nYO+c40KZr67mgm0hveJfylayfiKP1HGm4HrV0maFivCgC8D+MPDDv75CsqRe5WSc\nh2CoauDJwVlhKZ92yq87ugGBhJJRUGOQZcfEvkUGj/HNAS6tuHl8YmVmhO8hBdee\nNto6RF54E1zB80R9oT/qitw23miEyUcHHVxhTR4tTWflZgd8l4wDOhX3Nf20xknu\nFQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/garage-4.json

@@ -1,4 +0,0 @@
-{
-  "name": "garage-4",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8it7QtT6zDiJJqlyHKfQ\nLqwu6bLblD15WWxlUSiOdhz3njWDv1BIDCAdkCR3HAXgxvk8sMj9QkvWS7u1+bc4\nxvHrY4Tgfg+Tk1h3gGa7ukll8s1WLIbGjj89vrK8PFr4iuDqRytYRMmcdMsNzPkS\nKcsOjFYWGV7KM/OwoQGVIOUPB+WtkrFAvNkXtIU6Wd5orzFMjt/9DPF2aO7QegL8\nG1mQmXcPGl9NSDUXptn/kzFKm/p4n7pjy6OypFT192ak7OA/s+CvQlaVE2tb/M3c\ne4J6A+PInV5AGKY6BxI3QRQLZIlqE0FXawFKr1iRU4JP4tVnICXZqy+SDXQU1zar\nTQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/garage-5.json

@@ -1,4 +0,0 @@
-{
-  "name": "garage-5",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJxLFOBbml94W/GAe7nm\ntZs1Ziy8IbqXySsm8bSwWhRMQ8UuseqQLG30R3Q5X5AoJbtNfd26l63qLtP2fFtL\n5km9dV+2FoIJWFetl8Wzr7CaLYAiNzTQSFHlV7+6DKmPMDcJ63GKrFR77vkSGOG6\nOWL1bJy5BOaClp/sKL/0WQ0+mRbTP6RCQ2eI+46clAg702SenBU6Nz9HDm+teKN7\nYlP1CvzXgfgfpDOsat7wGn5+oKcmKavZxcdn8bt5jRpg8v3JezaZIjMXt7XcNS4n\n0F4XO/efnZE5B5SN68j4BpD8N79zJw4HlRIGP+RaYv2qLtBeWgLHCCs9wXQXfj6b\nLwIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/garage-6.json

@@ -1,4 +0,0 @@
-{
-  "name": "garage-6",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwasYgWLM8ShvirFiKRE6\nGWqc3pMlvcrk4YnWAUW5Y/H26EnyexxWNfnwlEcq8thJ3M3hs7zkoF3Yk4uqX869\n4/niYqXwYgeE1K3gzLp4K1+w3yVupYAFVFStVEHJyuMlLJ+ulDEGvNdQDuIfw7+E\nr6DcDLa1o92Eo0wL1ihYyMilduH0LdFTixL+tEBXbbPWBa3RDJJCFsRF1+UC6hAH\nzmaWL661Gdzdabxjm/FlGUYkdbDqeInZq/1GMQqv+9/DcNRkWA9H7i4Ykrfpx4/2\nRZ8xtx/DbnJVB1zYoORygFMMAkTu5E+R8ropeI7Wi77Yq0S7laiRlYQYQml3x9ak\nzQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/garage-8.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-8",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt4hXODzgHsIeWxXJm/F6\nSTFJ8JC89mWru7pOFzPWenOVMHgp4UpUB4rDTwQqojsWTDiq0x3ckUyOPw3Nj0jv\nxP4MMGS4SI0oRSJKzrYYss0hgUDTOBBd+Wxn0UiNEpN/PfQo9VZj9v/jak57cz7z\n5+rpl5v27fhgUIChjsHxdy+EamvCrYc+1JhyrLOlwlt8JxkZ8UPhoeZLWAbDgGLS\nEzHWSSVtBUPK+KYmVb2OK4lB56zPfek0U3gKN+04a1650jzOit8LzE6NaT180QDv\nX+gG6tk53vSXDmkBXsQ1mtB8aF+HaEG2Pra5HyihlweCPYdJT+e28wpq6+P5l3YR\ndQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-9.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-9",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnMHzKE8JBrsQkmRDeMjX\n71mBzvRzNM90cwA8xtvIkXesdTyGqohX9k/PJbCY5ySGK9PpMaYDPVAnwnUP8LFQ\n3G98aSbLxUjqU/PBzRsnWpihehr05uz9zYcNFzr4LTNvGQZsq47nN9Tk+LG3zHP7\nAZViv2mJ4ZRnukXf6KHlyoVvhuTu+tiBM8QzjTF97iP/aguNPzYHmrecy9Uf5bSA\nZrbNZT+ayxtgswC2OclhRucx7XLSuHXtpwFqsQzSAhiX1aQ3wwCyH9WJtVwpfUsE\nlxTjcQiSM9aPZ8iSC0shpBaKD1j3iF/2K2Jk+88++zMhJJPLermvaJxzsdePgvyk\nKQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-4.json

@@ -1,4 +0,0 @@
-{
-  "name": "postgres-4",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu6fPxOZeKloF/EgYvU0k\nOwv8bJjsCQcWaMTPle5//mRTszA6PM2z9RI+Mfr45qxTlsL9pQY8WJOWF6QOK31x\nszuqcr7oOjtAhrLI8f/oNDEDjcx325FqG9gNKQEAD7d4zodh+PhDe6x7GIyIS7lG\nIcD5Zre9iDwv8FGLR+5GLqS8SJOPL/wJkQ8w+N0f8YDFw81kiTta5NLhAx3fMDs0\n2kmoNlbmKlNZTtLjCfCV+/pa9oY6wycjck3GvobiFE/4cWaNkeGlPc+uAwlfmrOv\nHy0tq1XBX/BCvE5kMXmhnMT23JXjm2s2PgCLgEVGAXilXk/T597KDm+z4oBpAQma\nnQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/postgres-5.json

@@ -1,4 +0,0 @@
-{
-  "name": "postgres-5",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXZv6Gk+dhIVkTXH9hJ1\nt2oqsMSLmTUj71uPN+4j0rxCQriXa095Nle9ifJAxfwzQyKEpWKyZd1Hpyye6bL1\nwgWATZ/u5ZS4B63NhRFyDxgPlHWBBohaZBN42zeq0Y0PNGHPVGDH/zFDrpP22Q9Q\nYScsyXTauE/Yf8a/rKR5jdnoVsVVMxk0LHxka8FcM2cqVsDAcK7GqIG6epqNFY8P\nUb1P+mVxRwnkzvf1VtG212ezV/yw9uiQcUkHS+JwZMAgbC34k9iDyRmk6l4sj/Zk\nNem20ImMqdDzsrX8zEe21K+KNvpejPH9fxaNCwR8W+woBMMzqD3I7P9PbLjc70Rx\nRwIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/postgres-6.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-6",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtVzM0fwlimmq11jTGTko\nK87LRYSar61tNF3qVWp9axNSMa6BSxVark9eYOqY4eLh/5vJVDqXDFq30/IUWg40\nH8hHWaOEvQrP2dm/XFw1RmunfbfN9gN07TuhaT3xFD5t+jFBuOSoJ4cPnFIABuVt\nFLrjgtYYjtZe5hGE9ZPmS7o2ATM5EU9mxeQ+TkgDbr8StvSPGdZ1ykhagf1pegGU\nRIfZ+4ZKzyDUAq+fYNhIbmlm5h2gP+XdtakPy43j7n0iN1vwDgBqJ2pdaVs/GcFf\nvaztoltguoknI2NPSez1N217asTTLuth0nHxVXiKCVXnqwDjxgWmuP6X2B7VYjyc\nxQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-7.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-7",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-8.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-8",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx88DgM/x1UbKRzgPexXE\nSyfrAsqaDVjqZz7yF3tqAc9A52Ol0KOM6NESoPWBVMbS86WtAjBcMHcOoQBJ+ovp\nXcjNlRtO1Il6/d4uCRr4CEDX+yeS0Qrt0SOORnoTbVlkq9VlVljyCmxk8VBCILzk\ndHvFr62mahMy6vOEcpCQgCwYE3ISH2jlTDz2agoK/CjIyyqFTlB1N7mJVGLrJdcA\nA2JOxDRE8HqOdpY7bHcHj4uyMWaKuM3zxXK04lhrvuPRfJUhXgsK9r5jeTEa8407\nqV9K+mB17R1dBeHmWEPDRt02HELe2SUjYmlmyVX73H2mWKDLBFpAFjOfz86CJ6jf\nDQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/strfry-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "strfry-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDV/RMGMXVDbvoA6PNh8\nQzhtHwYDCFcUSkbrwP6tzh6GpVunGEOdOdhj2V63T2tF1H+lujxQXh5pK7C0D6VZ\niO04ftJlo7/svyxUcwWr+znyN5sFdQRh3cBZiGSBYolizwoqgtPFlbNhmWAzV0Du\n9t8mhz70IK3B+UdwWyHtoK0NNsJGnQ9YzAvcjyDmEO/3sCjAhNnxVpmXftpcSmd9\nMonzFtIDBbRRll4AHZYRbmXCzx63+VmelvdnufnbY82liol0zzBwJaBD1wyNlG0y\ni96p3Kx03bLNlIaYVGbjZeJi+6oo2VDWJ4OloLLAYoHDSipeHT9qWfUdnE6ge4Lm\nywIDAQAB\n-----END PUBLIC KEY-----\n"
+}

data_bags/credentials/akkounts.json

@@ -1,65 +1,93 @@
 {
   "id": "akkounts",
-  "postgresql_username": {
-    "encrypted_data": "l00Lmdbl5xNq07XU4XmcnRxXsIJaYyMQQ6xI\n",
-    "iv": "yxvL6hKwlVWmdMzl\n",
-    "auth_tag": "mMCV9ewJW/0TfVE76WBSZw==\n",
+  "rails_master_key": {
+    "encrypted_data": "q/0BtGuFZJQhw+iG4ZmFG12DPaWQDGTb/nCmRoxOnsACkANqMv/zZ39CoNFe\nLPtZiItY\n",
+    "iv": "JV8R0iu6TrqcZRxL\n",
+    "auth_tag": "YxZIhEUnrd3XrwR6f9wO4A==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
-  "postgresql_password": {
-    "encrypted_data": "Q6xWsH6bmI1GfMzme3mBRYrt3XmDwFJ7E4FjYg2Rrw==\n",
-    "iv": "jcQmuT7Jz3g3XE8d\n",
-    "auth_tag": "nNMvf9UmP6ikf1BW93QZIw==\n",
+  "rails_secret_key_base": {
+    "encrypted_data": "JmDQew3+OR6+yJ1xErwXeTn6jw8N2HwTc9yvAVJ3G+7w1s3N7rKDM6+M50ez\n2zP4Lm/eXzH4WTsTZlQcodlyNpi66pvUCGAkNM36rwTN5yvnhqPUmuSQi7AG\nDTBronBwr9ENvwA/gRuugyyhrRB1iuStpzpYKCMhZ2ae9Mrxdux0+ezfSLn4\nuP22uUrEqdQ/BWsW\n",
+    "iv": "U/+YncCk13U6bYMz\n",
+    "auth_tag": "2wPYJ/uVPv4jLKpAW/x6sw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "rails_encryption_primary_key": {
+    "encrypted_data": "u/7z91Og/2eM7PWi2JWYAQMhYX4S5+bMMeVpkFPu778Gqj6Td9pagsWIak/d\nb7AU1zjF\n",
+    "iv": "wYhrJWcuWbY8yo8S\n",
+    "auth_tag": "WEoEdNy6VBvB2d5gb8DTXw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "rails_encryption_key_derivation_salt": {
+    "encrypted_data": "noOwTZuxfhsH94bjOT9rWCKS9rb3wAoXELGrc4nJZeNrb/B9XnOLTuK/wen8\nfmtoym0P\n",
+    "iv": "jiFWs3VXhJdQBNqk\n",
+    "auth_tag": "XDpJFgadYp7LyRqU7SO+Fg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "postgresql": {
+    "encrypted_data": "Xorg8R8COxE/Swivu8MqZiwstD6rD+8FmgDx70pFscZ/CTb6WQRpyqGSrGZt\nZ7oL9WrqZs+mQgBb30odU+Sgdr6x\n",
+    "iv": "6QWZc3+MY0hBCc/s\n",
+    "auth_tag": "ZM+7OYyx5E9PciNG2OILhg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "ldap": {
+    "encrypted_data": "mr2Z7hXF1GOn8RmqeZMMdaUcmiVP4ZeKtTX6RYW1cR+FQiUwoITwTPBE9XUx\n2cqZ9Mcd8uJicmf9vd+PfwPtRtoZFwqHQ4LDRFLW64hBZyiEkZWxWW+HzgPr\n",
+    "iv": "k1AkyEplnJ4IZO1Z\n",
+    "auth_tag": "zAOcrPex3VLDfRFq38n7fA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "sentry_dsn": {
-    "encrypted_data": "V7cqlH2baN1Ix/ggQFeo9PY6dNKKpnDECaB1cO3XuCfy74oN2ot44nbpCQTA\nUl0+1LQv/qNn/L4gmJkqZfdIXZQqhR+iTc06UJxe3aTKJDw=\n",
-    "iv": "HJtdKYcApwaxhTXI\n",
-    "auth_tag": "qyIYK9h6nciJTFXBWOjVOA==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "rails_master_key": {
-    "encrypted_data": "KAl2Kgq1TXjOm4TNxGwZkPwJeOSNLbLLKiRdb4fTyBFfUhIGGeCS9VvV9kIb\n9sQZ6HLU\n",
-    "iv": "BBPvDNs6nBXDti5I\n",
-    "auth_tag": "yjM/0nyUwt+5SSGuLC5qWA==\n",
+    "encrypted_data": "51cAERaRBCRg/sMb5c13EcnJzsz6VEf7jx6X3ooUSzm9wHoEfC5Hs/qakr/D\nqm9x3s3aGURRzyLUIEoe9jCohGguh6ehrXYVrun0B6pghVU=\n",
+    "iv": "hJsiiW6dFQMEQ+2p\n",
+    "auth_tag": "TOIahNrUhhsdQGlzp6UV5g==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "discourse_connect_secret": {
-    "encrypted_data": "YHkZGzXeK3nDHaXt3JKmGtCcvMfgvv3yHbvS2C+CLKagOIOe+0+2/CiNuh4U\nxO1Pug==\n",
-    "iv": "SnUxDpIMQum8ySfN\n",
-    "auth_tag": "Ny6I+3EoCA1s74JLjjbbyQ==\n",
+    "encrypted_data": "pvKcwuZgUJsAvClQ4V0BwhwEg09EUEWVxoSx+mFlfG1KpvZE4Cu3u3PalPSD\nldyKsw==\n",
+    "iv": "ED85d6PKyaKB3Wlv\n",
+    "auth_tag": "XVCU/WigC97tNe0bUK6okQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "lndhub_admin_token": {
-    "encrypted_data": "dJHxB80Enwkm+2aNuIrp7lILAy2J5tQaChPJCl/BHwMo\n",
-    "iv": "zHLtD1jTIwvjMt1l\n",
-    "auth_tag": "IC0adEzsS5YF5YHqabWw2A==\n",
+    "encrypted_data": "LvCgahQblsKOxK9iNbwDd31atBfemVppHqV7s3K/sR4j\n",
+    "iv": "zObzh2jEsqXk2vD2\n",
+    "auth_tag": "n9m/sBYBfzggwQLWrGpR2Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "btcpay_auth_token": {
-    "encrypted_data": "YbM0HvgIijluKQBcgfKn6hmWvdbhr0ijR1xKc+BRZCZJsRaJBHTjCbwhH8T9\nVnBESruyjhxphtBetcc=\n",
-    "iv": "3107v/c2Tonx6/cP\n",
-    "auth_tag": "jnO9fvoXJW5gbDMRjkdMPA==\n",
+    "encrypted_data": "M4kGd6+jresm90nWrJG25mX6rfhaU+VlJlIVd/IjOAUsDABryyulJul3GZFh\nFPSI4uEhgIWtn56I0bA=\n",
+    "iv": "hvqHm7A/YfUOJwRJ\n",
+    "auth_tag": "DhtT6IeixD1MSRX+D7JxZA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_access_key": {
-    "encrypted_data": "PFjQKe1us12SNHlReQ4f0qctulPp4d2F3t5t+AGocp87PS/kZx77rtHQtruK\n",
-    "iv": "BGD8+XchqwPmhhwi\n",
-    "auth_tag": "XefaZKCVs8hotszALN+kxQ==\n",
+    "encrypted_data": "FPRpLZoIbLcVWPJhOlX7ZeXGv6TZIWYAD+BKTsJOyOHxDG3eRULqQc89cGWi\n",
+    "iv": "f9WiiGLmDxtygp60\n",
+    "auth_tag": "lGnq4itmByuF/Yp20/6coQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_secret_key": {
-    "encrypted_data": "ziO35x8P1YMaSeenMNQoTWug62b5ZVLFlkMlJEFGnYjHK5qTAn6ir06WnMJC\n0zErzTZsPpcr7KpE/ipWgWHRy7qVbGnd6iVO4t9tf5NjiU2OXfA=\n",
-    "iv": "S3syCCxh2m+mylLu\n",
-    "auth_tag": "ZMkyBqXMXr3K3LGqxWvbtA==\n",
+    "encrypted_data": "JnnwISbHJ+d7JZB/C0NH0fb8p+bDSwoq5t5knSi+bSTltSxKcq6PRX9K6bov\nEbo0GTdWePbuc5NCsyYxfrkzCtpLXTIxeCROtinRmFIgMFNwaOA=\n",
+    "iv": "pKPCaANDqGtbFV3V\n",
+    "auth_tag": "S//hn2HOhuZH8+UfCNBWDg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "nostr_private_key": {
+    "encrypted_data": "AKfFiLow+veDyEWBwmCDuLerT3l+o2aJUCeHg2mZZIyoH4oeo/9crZwIdjBn\n70reouqnHNG9mBHuO/+IPGfj53mHLo+oGHh+6LkL3ImI4MFBofY=\n",
+    "iv": "bPlOKk2qkJAzdKf+\n",
+    "auth_tag": "VIp1IOjBGatn2MN5LHVymg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/backup.json

@@ -1,27 +1,38 @@
 {
   "id": "backup",
   "s3_access_key_id": {
-    "encrypted_data": "emGNH4v7TTEh05Go/DsI3k7CFnaK4p/4JxodC4BYpyWw47/Z3dsuRMu4vXM3\n3YLH\n",
-    "iv": "Dau+ekb3UTYdl8w3fQKVcA==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "245TrPvuoBRRTimhbt6qqsFb+JnnD377sPt1pguJy7Q2BXOy/jrX0wyMt+cP\nuA==\n",
+    "iv": "ylmRxSRO3AA4MSJN\n",
+    "auth_tag": "45tBcYZowPLrbv4Zu2P0Fw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "s3_secret_access_key": {
-    "encrypted_data": "Mxyly86JxrWUbubbSiqPdRosChzfI1Q8eBEG4n+2B9JJG4yExltO5Wc5kgSs\nX01MPXAc+PGLm+J9MngUtypo/g==\n",
-    "iv": "WRhBJGiuScYYsUsoT5j/UA==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "jDIOjlBzTkBUzpj243T6KnBuH0qwyW7BUFMcqllljFSzxs7K8wYJOUreNbOP\ny8OpDWAuO0H4O4LuFMJXeM8=\n",
+    "iv": "PzvZr37EkJqz6JtM\n",
+    "auth_tag": "e3XW8oHVgmYibv/IBzj0yA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_endpoint": {
+    "encrypted_data": "ErJIEChxrreW7WKEwRtuP2MyYlsZRtqLdGa/x5QY58qgO036FgR3Hs2Z3yce\n",
+    "iv": "HOSAOgUjO7XGwk50\n",
+    "auth_tag": "XE1bwMIXHHE72V9K2KOLnw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "s3_region": {
-    "encrypted_data": "2ZGxu0tVzKNfx3K1Wleg0SAwGaPkHCi/XfKpJ+J7q40=\n",
-    "iv": "CNTZW2SEIgfw+IyzGI3TzQ==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "8cNSaYu7HH95ftG66lFdUIPZD7soz907CPA=\n",
+    "iv": "pU21ulF75y/SIs3x\n",
+    "auth_tag": "7WQQCbSbB2GybjY+C+5IvQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "encryption_password": {
-    "encrypted_data": "tsBWKBwhQFfEAM0EWMPtljSbqU1c5mOJXPjYJjNT5RUFhPlqa7gsE8aJbs+D\nSPKjAQ62j+iHeqCk9mE9CCkgBA==\n",
-    "iv": "uq5YAXuq2ynRLv9EIWoCFA==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "l23CiIO2s1fIRn0NdoWZ+wK+Zhx3hCYDHf4ypjqMRekZ7xqafvXHHuogD5aj\npxYUKloH\n",
+    "iv": "Dzx83eP9L7Jqqidh\n",
+    "auth_tag": "UVn5XA5Tgsikc1GdOt1MUQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   }
 }

data_bags/credentials/dirsrv.json

@@ -1,9 +1,30 @@
 {
   "id": "dirsrv",
+  "admin_dn": {
+    "encrypted_data": "zRtz6Scb9WtUXGyjc0xyvsre0YvqupuaFz+RPApj7DEQTmYyZPVb\n",
+    "iv": "xfIXMhEBHBWqa4Dz\n",
+    "auth_tag": "BcA32u1njcnCZ+yrBGSceQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
   "admin_password": {
-    "encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
-    "iv": "KNW2B8tpX7ywZwbg\n",
-    "auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
+    "encrypted_data": "7JpXl3JZDqKWDfYt/wuNbkbob+oRuONhkuAlpqUCCEIn+tY=\n",
+    "iv": "Lcwc4NDzrfcBaIKQ\n",
+    "auth_tag": "rrePS3Bhdnwbr2d/o8vMhg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "service_dn": {
+    "encrypted_data": "sqRFiZreLeTPQljSfhAuV3DmsPxSC8tzWjCdu+WSSbO67sBQA+xhmGtzBhBD\nDZPGJw+jtAxzuVvPdAjxgAVgxXO6C6WEo87L1tdJewE=\n",
+    "iv": "GUEGtyRJXrPhWcUs\n",
+    "auth_tag": "2USsrx//3V7RCyumGCbMkg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "service_password": {
+    "encrypted_data": "f2wi8B8SEt6p5G0TF3dZ72j0vMFlvwcP1suxYnshBA==\n",
+    "iv": "rOnUoxbnkaJtodM+\n",
+    "auth_tag": "dVLCtBVMjxLfW2D8XjJBdQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/gandi_api.json

@@ -0,0 +1,24 @@
+{
+  "id": "gandi_api",
+  "key": {
+    "encrypted_data": "lU7/xYTmP5Sb6SsK5TNNIyegWozzBtUzpg7oDdl6gcz9FEMmG2ft0Ljh5Q==\n",
+    "iv": "EZPQD3C+wsP/mBhF\n",
+    "auth_tag": "vF9E8Pj4Z8quJJdOMg/QTw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "access_token": {
+    "encrypted_data": "1Uw69JkNrmb8LU/qssuod1SlqxxrWR7TJQZeeivRrNzrMIVTEW/1uwJIYL6b\nM4GeeYl9lIRlMMmLBkc=\n",
+    "iv": "cc1GJKu6Cf4DkIgX\n",
+    "auth_tag": "ERem4S7ozG695kjvWIMghw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "domains": {
+    "encrypted_data": "scZ5blsSjs54DlitR7KZ3enLbyceOR5q0wjHw1golQ==\n",
+    "iv": "oDcHm7shAzW97b4t\n",
+    "auth_tag": "62Zais9yf68SwmZRsmZ3hw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

data_bags/credentials/gandi_api_5apps.json

@@ -1,9 +0,0 @@
-{
-  "id": "gandi_api_5apps",
-  "key": {
-    "encrypted_data": "+tcD9x5MkNpf2Za5iLM7oTGrmAXxuWFEbyg4xrcWypSkSTjdIncOfD1UoIoS\nGzy1\n",
-    "iv": "ymls2idI/PdiRZCgsulwrA==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
-  }
-}

data_bags/credentials/gitea.json

@@ -1,58 +1,58 @@
 {
   "id": "gitea",
   "jwt_secret": {
-    "encrypted_data": "HHKq1HcxV9uC0aBdkn2AAA9C3dn2o8DnL2uDtZBf+epGC8sOko6/BSvsm8wV\nuG7yVmeFajgyCePSv4M8Or8=\n",
-    "iv": "raypiojdRL+DkiDa\n",
-    "auth_tag": "JZmWJyLTHNHAHNufRizL+w==\n",
+    "encrypted_data": "wMxs1Ec4vKRSzFtL2KuU1XfmR1t5KDx/7XBbI7V0QfgK+JwYbxU5w6feQCBE\nxOMepAXVUwU7RxPZ+hwQgPg=\n",
+    "iv": "F4vtuOL2B9e9LQnb\n",
+    "auth_tag": "NHATxHbr+3Y3Kxa68NwnjQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "internal_token": {
-    "encrypted_data": "VFez8gOv5hnpBkURlufdPHvfQsL+lFlL8M9vywgKEi4XrXcNlDvoKKqdtSMv\nxGuoKqF/4NFcl2X3JRwp1j5iut+Jdg5CpnVVQLWKHc022LjD7K9nRsdmiD9Q\nLsLnU1Trzqg8VZS2ryqdjI4elkgoc15lmXwJvTNgRUzDqw==\n",
-    "iv": "q7H4q7kBfRt4floS\n",
-    "auth_tag": "vyd4ZwVxeFTTfvjI4k5irQ==\n",
+    "encrypted_data": "mlvUtIjs6kcv7XcYCUOgOE/kDSE4Ts5G+CZuPrJapW9XwkebmyOnHJvXdihY\np/chUtar0pNB5Q16LeeZF9KrzOiDo/OXb40TPUzpsB0/607zV1z829STd4l7\nu5g4Zur13nxC9jT0zQL9QgDEobYdjgf/xu1BXxFT+Ue3lQ==\n",
+    "iv": "25+1a2OJYFNxdf1N\n",
+    "auth_tag": "aF8Gn6Mm7AwLjbR8cDnitg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "secret_key": {
-    "encrypted_data": "7tD4E/5AuxxmNdu4arWj/BBNTUv6JX+m2ITbcLfE+VE2WacsCZUEyi1d1v0B\nyujQ9bljJn3z0zV4PxKFJILKjQb35PSiA8b86X/75Y1B9Gl64ds=\n",
-    "iv": "gE2O5aN+Nea6VXi7\n",
-    "auth_tag": "3+EmAUgBBDyChRBHsUtLig==\n",
+    "encrypted_data": "xQuHuijNHoo2WicM2UvSGpwPHd0UilxlIl4BM2Rgyih5bdhjxB6UtUcY9uJQ\nYgxEd7y7R5+XhUAu87CEs4qAGtguDDxGtSGwgTSopvAYZewPFLw=\n",
+    "iv": "Kxwqagjps8kP7Dhz\n",
+    "auth_tag": "WGz5TzBzksf36hKPzBZTQQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "postgresql_password": {
-    "encrypted_data": "mWN2sTOjZ1EPUH/KAJ8owoPM7v/+IfIHEPACN7gFDrqG8dWGjfiu+fvILw==\n",
-    "iv": "ldm57dVSdiPnk5l3\n",
-    "auth_tag": "D+r/0obCYWx53vIeUDPGMQ==\n",
+    "encrypted_data": "ZziPtXhQM/TQBE+077smnjEPzfJOSo9Cj/CUnG/Be1AN0UAfielf68EhLg==\n",
+    "iv": "iBdSrY15vOc3eycF\n",
+    "auth_tag": "km2CkraKlpOygaz7Xy548Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_key_id": {
-    "encrypted_data": "AvlsAInGyPMvHle5YZT3EHMTG89PggqmFaddvHSQLEkvI2EycktxJ/btjGOP\n",
-    "iv": "qGkILPp5EWc21wwa\n",
-    "auth_tag": "eIpCgZAnWZR7nlllj+IXMQ==\n",
+    "encrypted_data": "1j0znqBgNbHMyJIf51MmfkjkpU3SPv+EL8F30mrfQ44vsGziyeiWfp91hGUM\n",
+    "iv": "dzJM1EX/X8Qy5KbR\n",
+    "auth_tag": "2YUCCFG/oTph3svFYhhYzg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_secret_key": {
-    "encrypted_data": "TAo4ViF7cL+ibIuHM77irZW08ilD46S8N5BV91gc2wegvHpHqLHw5zrsDxfu\nDiJHGUfjge/NBOGN5VSKKC0nFfMJ4sLPxVSiKyON4RMBSuzSqmo=\n",
-    "iv": "tjK8XdaCZOdLUHyo\n",
-    "auth_tag": "Qu1z6e1/4gPIyaCwBjaWsw==\n",
+    "encrypted_data": "7P3JUyl0LsGuGi8GhSYdXHm4bQhnkGfSrbEMGyfzjSYB5hqm17kYZwNbNA0O\nIUmJ6Kq9Nby7IFTd1qFo7aA+dXuvxJD5QXO8T5E+D0xIaWMHPco=\n",
+    "iv": "+ivHjYpQG/3gQWAi\n",
+    "auth_tag": "fftxN0Z/Kfrn+oFk07jKYQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_bucket": {
-    "encrypted_data": "NTp9+KyzlblporEwM7SEwoClXu5cI10SfVrJ/uywcf/x2l8=\n",
-    "iv": "TFTeQ8yKUhblmrFK\n",
-    "auth_tag": "L9nrXEeJhxcLO4YgGk4zpg==\n",
+    "encrypted_data": "98UnmjwIlLjNFQojZlQRMZAWpI/7s9xJkgvh4sU5I2jWmYk=\n",
+    "iv": "zLck9Dp6OP+L3BwX\n",
+    "auth_tag": "Zc5G6bd7CbZfDCZ31YWxMg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "runners": {
-    "encrypted_data": "yTCk4/hqw/4vEaXobdYU4vZRxErNp0GX4qDMuHwdr7UOQk2qQ8O8j44njPv2\ncKcIm6CQiip+GRuvl6+zETd8gctC0W14n5Rfep4zQbMp/BW3ypGambVk6z1m\nRnT4dMEl32rwcXG8c3w+vAFpx8smrK5iyy4ca0ZijC+eeysk4OAwn0XkvQuV\nB1Jy9CmVm9xiZ6sXaiU13tTry8A=\n",
-    "iv": "+biM/42g5doJNOax\n",
-    "auth_tag": "WwNgd6aqm26GcekYVOeBDQ==\n",
+    "encrypted_data": "f0RRLCrGT7LDUEXcM6m2dJ7C95UPqVZz9dfNLsYa/3SZLDcm1p4FDIy0Su6R\nrXMoAI9IdLBN7/BDMMvqkULEq3Bx5vXn+oTUsUYuKxWmvKEUhC4virOApxh6\n5GbuqcOEPKaf9lHByL+2HKdAmJMzVRGD0t78ePS2pU4H6IFnS9V1p6opOEPr\nzTJ+0PM98eQ/voFKDHGNHUqgDs2qu9wUYNmcHe1eSimFdJiOCN0Mlszu3HL0\nXkHfrGbLrcW+8Ol7dTXdDJB7WAd3R3vddoZQ+mrwzGGDeSMm+ezeMzAX\n",
+    "iv": "NtZ9SbbscX47BXGH\n",
+    "auth_tag": "ZGBzxjNFB5WPnJCpdFwtAQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/kosmos-rs.json

@@ -0,0 +1,10 @@
+{
+  "id": "kosmos-rs",
+  "auth_tokens": {
+    "encrypted_data": "fiznpRw7VKlm232+U6XV1rqkAf2Z8CpoD8KyvuvOH2JniaymlcTHgazGWQ8s\nGeqK4RU9l4d29e9i+Mh0k4vnhO4q\n",
+    "iv": "SvurcL2oNSNWjlxp\n",
+    "auth_tag": "JLQ7vGXAuYYJpLEpL6C+Rw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

data_bags/credentials/lndhub-go.json

@@ -1,30 +1,30 @@
 {
   "id": "lndhub-go",
   "jwt_secret": {
-    "encrypted_data": "3T4JYnoISKXCnatCBeLCXyE8wVjzphw5/JU5A0vHfQ2xSDZreIRQ\n",
-    "iv": "bGQZjCk6FtD/hqVj\n",
-    "auth_tag": "CS87+UK1ZIFMiNcNaoyO6w==\n",
+    "encrypted_data": "lJsKBTCRzI83xmRHXzpnuRH/4cuMOR+Rd+SBU50G9HdibadIEDhS\n",
+    "iv": "f/SvsWtZIYOVc54X\n",
+    "auth_tag": "YlJ78EuJbcPfjCPc2eH+ug==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "postgresql_password": {
-    "encrypted_data": "u8kf/6WdSTzyIz2kF+24JgOPLndWH2WmTFZ3CToJsnay\n",
-    "iv": "KqLtV2UuaAzJx7C8\n",
-    "auth_tag": "3aqx45+epb2NFkNfOfG89A==\n",
+    "encrypted_data": "aT0yNlWjvk/0S4z2kZB4Ye1u/ngk5J6fGPbwZSfdq6cy\n",
+    "iv": "OgUttF4LlSrL/7gH\n",
+    "auth_tag": "pcbbGqbQ2RjU+i9dt8c3OQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "admin_token": {
-    "encrypted_data": "Z737fXqRE9JHfunRhc2GG281dFFN1bvBvTzTDzl/Vb8O\n",
-    "iv": "oKLQJbD67tiz2235\n",
-    "auth_tag": "SlVIqC9d9SRoO78M7cBjTw==\n",
+    "encrypted_data": "I9EsqCCxMIw+fX6sfu6KX8B5fJj9DX5Y4tbX30jdnmxr\n",
+    "iv": "vnERvIWYInO6+Y8q\n",
+    "auth_tag": "gO+MprZUQgPEWJQUmSF1sA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "sentry_dsn": {
-    "encrypted_data": "gmDHGDWkTIvaXjcWMs1dnKnbqtsADPJ2mLmWw8Idj6RVevU5CabjvviAxEo1\n3hs2LWuObumRSCQt2QKap191uMq3CL2+da53hbsv+JUkxl4=\n",
-    "iv": "Yt0fSsxL4SNicwUY\n",
-    "auth_tag": "j7BWbcNnymHHMNTADWmCNw==\n",
+    "encrypted_data": "+sUXWgl6dXpA1/0FqjKC3Jnl54aor6gtM+19EM/NsHwg4qu672YnSgxV+c9x\nHM3JZBYxBYvJ+HYGAvMmhlGvaOOEIvLmFUpCCJeVUXR32S8=\n",
+    "iv": "82+DzAnHiptaX7sO\n",
+    "auth_tag": "CDx44iRBVhSIF8DOxb2c+w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/mastodon.json

@@ -1,79 +1,114 @@
 {
   "id": "mastodon",
+  "active_record_encryption_deterministic_key": {
+    "encrypted_data": "2ik8hqK7wrtxyC73DLI8FNezZiWp2rdjwaWZkTUFRj+iwvpSrGVEwMx6uxDI\nWa7zF3p/\n",
+    "iv": "XMp6wqwzStXZx+F3\n",
+    "auth_tag": "vloJOLqEcghfQXOYohVVlg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "active_record_encryption_key_derivation_salt": {
+    "encrypted_data": "Nq/rHayMYmT/82k3tJUKU8YTvDKUKLoK204aT0CMGZertZaAD3dtA9AkprrA\nPK0D9CdL\n",
+    "iv": "tn9C+igusYMH6GyM\n",
+    "auth_tag": "+ReZRNrfpl6ZDwYQpwm6dw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "active_record_encryption_primary_key": {
+    "encrypted_data": "UEDMuKHgZDBhpB9BwbPmtdmIDWHyS9/bSzaEbtTRvLcV8dGOE5q9lDVIIsQp\n2HE0c92p\n",
+    "iv": "tnB0pQ3OGDne3mN/\n",
+    "auth_tag": "kt234ms+bmcxJj/+FH/72Q==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
   "paperclip_secret": {
-    "encrypted_data": "orOIbqFANPCkd4sUTCyyoh4z1o6SBudgH4wKJudTo9dANaHGhWcBUFKrhZi1\nMJTBQx/d0hiDI1P2XN3h+hROCg3JJ8OClUSJH9CfN5GlbWvXh0Nhq7hqy8L3\nLAPL+uigiXI6ObrnKQoD8LeJIB46233uwaCA/7zB6gah0ExJ2DXGH6qq9JSS\nqmTFiy+hT+VHGrUo\n",
-    "iv": "U4E4NLYLkP0/tTTs\n",
-    "auth_tag": "WKQ+pDPZp7B791lhC5j3iQ==\n",
+    "encrypted_data": "AlsnNTRF6GEyHjMHnC4VdzF4swMlppz/Gcp1xr0OuMEgQiOcW1oSZjDRZCRV\nmuGqZXZx64wqZyzTsJZ6ayCLsmWlPq6L21odHWyO+P/C5ubenSXnuCjpUn3/\nHs8WLX3kwVmqCRnVgDl2vEZ5H4XedSLr7R7YM7gQkM0UX4muMDWWnOTR8/x/\ni1ecwBY5RjdewwyR\n",
+    "iv": "RWiLePhFyPekYSl9\n",
+    "auth_tag": "sUq4ZX9CFKPbwDyuKQfNLQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "secret_key_base": {
-    "encrypted_data": "vweClhdY8SqQkK+p0OYUL2B6Fsz5eQDpEYWCtd/eRJfwwYAObbLcMWRC6MwE\neQVMw59bOqYc3RBuv/+WPLtENazA1bYCXBXQr1J6xqjJAz0Mo6KbRyxy5n78\nv8q6RSiao1VVIUXohtFlQgWeV6x5sz34bJxjlHinKvKsgiGXiuVBxYUUfzWQ\nuzrGug09cpZBqfpc\n",
-    "iv": "Z0/csEBH5/X1+MR+\n",
-    "auth_tag": "fTvBN6eovi3JVEK0ZX97Nw==\n",
+    "encrypted_data": "K5CmIXFa9mS4/dODBQAN9Bw0SFpbLiZAB8ewiYpkB8NDXP6X/BX8aDjW2Y4F\ncMvpFyiFldRBhrh1MSKTVYQEoJ3JhlNL9HCdPsAYbBEW70AuEBpHvOtD5OxH\nqgbH4Reuk6JX5AI8SwDD3zGrdT12mTFVNgSujzuZMvpi1Sro2HtRGAkjmnaa\nMGKrBV21O1CREJJg\n",
+    "iv": "/yMMmz1YtKIs5HSd\n",
+    "auth_tag": "WXgIVWjIdbMFlJhTD5J0JQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "otp_secret": {
-    "encrypted_data": "o1ts1bUgPIzFQXjJ2MpBMLntWkyPxDaJAaU1K3WzmNMXnw5MVlkKKCEFVccd\nPss/MwDuBkbNPhri3ZkH48m9SiayWETVYvw5GZzcVsw4TeMu915O44lfl9tX\nW3XHU+DBps1BVH9535R4X9M1aFW4W4XfwHtS5wcrZqtVhNhS3NSgE4JpN/Dz\nFdcFAOhflnt8fIAN\n",
-    "iv": "QLsxmIlX1NpxMyHz\n",
-    "auth_tag": "j1h/PvIoqshTBN5c5IaAsA==\n",
+    "encrypted_data": "OPLnYRySSIDOcVHy2A5V+pCrz9zVIPjdpAGmCdgQkXtJfsS9NzNtxOPwrXo6\nuQlV9iPjr1Y9ljGKYytbF0fPgAa5q6Z1oHMY9vOGs/LGKj8wHDmIvxQ+Gil1\nC+dZEePmqGaySlNSB/gNzcFIvjBH3mDxHJJe9hDxSv5miNS9l9f3UvQeLP2M\nU7/aHKagL9ZHOp/d\n",
+    "iv": "wqJBLdZhJ7M/KRG9\n",
+    "auth_tag": "dv5YyZszZCrRnTleaiGd4A==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "aws_access_key_id": {
-    "encrypted_data": "YQHUx0GugKu0AtlbGLRGocFEhTGAghWA0DUs1Nxs4Hd3bTIp4lyM\n",
-    "iv": "54zt2tkQhHtpY7sO\n",
-    "auth_tag": "ofBJx3QDsjHe66ga3nji8g==\n",
+    "encrypted_data": "A1/gfcyrwT6i9W6aGTJ8pH4Dm4o8ACDxvooDroA/2N0szOiNyiYX\n",
+    "iv": "JNvf21KhdM3yoLGt\n",
+    "auth_tag": "2xaZql1ymPYuXuvXzT3ymA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "aws_secret_access_key": {
-    "encrypted_data": "FAz6xZ+wsCz/KFA+DK6f4V04rxJt+9U/yXUGF9tvce0VqB3scH+T0KDDn1/n\nZ/0G0Tbxt2urRPbPUdI=\n",
-    "iv": "iapSpeM6lfDMIfNk\n",
-    "auth_tag": "HlkwUnNeJlOUrZ3ieN5xAQ==\n",
+    "encrypted_data": "T1tc01nACxhDgygKaiAq3LChGYSgmW8LAwr1aSxXmJ5D2NtypJDikiHrJbFZ\nfWFgm1qe4L8iD/k5+ro=\n",
+    "iv": "FDTPQQDLUMKW7TXx\n",
+    "auth_tag": "msY6PFFYhlwQ0X7gekSDiw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "ldap_bind_dn": {
+    "encrypted_data": "C/YNROVyOxmR4O2Cy52TX41EKli2bCOMzwYD+6Hz/SiKkgidnKUHlvHlbTDq\nkWwlRDM2o8esOCKaEAGPNWcNc9IHlaSsfwhr4YWnwe0=\n",
+    "iv": "QCQF0+vH+//+nDxr\n",
+    "auth_tag": "a0PbyO/7wjufqH2acDCqmQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "ldap_password": {
+    "encrypted_data": "SqwKeiyzfvvZGqH5gi35BdW3W+Fo/AQQjso1Yfp2XA==\n",
+    "iv": "md2/etFJ1r/BKaYg\n",
+    "auth_tag": "OlCCOoYSD7ukdH2yWCd6KA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "smtp_user_name": {
-    "encrypted_data": "ivB09/mCRrUaz9X4NFRBiqytjgy/vxN5Nha7gopFq5eSu9v4K9MkaLRqHh1I\nYw==\n",
-    "iv": "a8WKhRKsUjqBtfmn\n",
-    "auth_tag": "ib5WJNNaO7bRIspdACmOLw==\n",
+    "encrypted_data": "0kzppmSSUg7lEyYnI5a0nf+xO0vSVx88rbxI+niIdzFOOBKSIL6uVHJ340dw\nMQ==\n",
+    "iv": "lQR77ETTtIIyaG1r\n",
+    "auth_tag": "smF2HRg8WdmD+MWwkT3TqA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "smtp_password": {
-    "encrypted_data": "FxPz2e7fUNqcAu+DDJKlqn8rcSBLmnzigTFf5moZlQ1zz4YVl6pqHisa22Qz\nbfUx9rjU\n",
-    "iv": "GvRlNDV/b1WawtOP\n",
-    "auth_tag": "kyRCGfSJQelIwThDT4iQQQ==\n",
+    "encrypted_data": "1i0m9qiZA/8k8fMKo+04uyndl1UhagtHweBFICIorWALkB68edjb8OhUDxv9\nTubiXYRC\n",
+    "iv": "IU2x4ips9HWmKoxi\n",
+    "auth_tag": "BZJTDfPBvt8cf6/MbKzUJQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "vapid_private_key": {
-    "encrypted_data": "DlbEAhd+SkSJoOSuwGhd5bdFlJADnT0w4u0+6m8AJoWJjoSCGAnzzmdHWT/k\nVUDkwiBCkqmEPK0oTvxnl/a8\n",
-    "iv": "6e0Gay7GVrQad1rI\n",
-    "auth_tag": "jjVundJ/ITxP/oYgEgzElg==\n",
+    "encrypted_data": "+LmySMvzrV3z2z7BmJG9hpvkL06mGc87RG20XQhhdAJ2Z/5uMMjev2pUf7du\ntv2qvDJAimhkZajuDGL9R3eq\n",
+    "iv": "Mg7NhPl31O6Z4P+v\n",
+    "auth_tag": "qYWPInhgoWAjg0zQ+XXt5w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "vapid_public_key": {
-    "encrypted_data": "+m37w/eWYqdEjsEYQw27FvQC+37ucruOFjZAjo0OgCwA0SoVz4VHX2eSA2AK\njX4CnM91cY4e/WG/ZHKlOMN1PftyQn2bdGaw35nXDanep8z0ROa01JEEi5DE\nUFRKvBmPInTeR6xvemuj7GM=\n",
-    "iv": "loYbGrAsWGLUZ+BK\n",
-    "auth_tag": "lAfpEEVQq+n7MLLm/kpmIA==\n",
+    "encrypted_data": "NOyc+Cech9qG2HhnhajDaJMWd1OU5Rp6hws6i4xF5mLPePMJ9mJTqzklkuMK\npYSEdtcxA3KmDt1HrFxfezYUc9xO9pvlm0BPA7XAFmF/PU7/AJbFqgPU6pX/\ntSDLSdFuMB3ky+cl4DJi+O4=\n",
+    "iv": "rgUglYiHB/mhqGha\n",
+    "auth_tag": "DEX7hdNsNLi/LIrMkdUe/Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_key_id": {
-    "encrypted_data": "4B8OQ0iVCCna4FvC+EuS5prEUWaHRm1+tzXGmFoCQ4WZfhUA1HwT3x651e/R\n",
-    "iv": "1/zGwcQPQQQCiXIs\n",
-    "auth_tag": "siK9ph1q3/VVEycy91wkqQ==\n",
+    "encrypted_data": "rPVzrYYIbcM+ssVpdL6wpCTdzLIEKXke1+eMlPLMG2gPuoh+W3eO3nFGb/s2\n",
+    "iv": "/qI8F9cvnfKG7ZXE\n",
+    "auth_tag": "z1+MPdkO/+SCaag2ULelPg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_secret_key": {
-    "encrypted_data": "BSAc8dE/rQUiVvTGV6Ee/ZUDpq4HZlpoaCZ+lbQAbcnxui4ib0OTLPFwhVJ9\n4OQWahtSzkqxMc6MKWpadLT1a3oTnvnae9b3u40X5b2P3VyZYCM=\n",
-    "iv": "bqw8GTqLMTs5vD5n\n",
-    "auth_tag": "+e48L1lYVNda7VE3uLOAHA==\n",
+    "encrypted_data": "RMnB9kZ+slbQXfpo0udYld6S1QqBxqM1YbszdLfSAdKK9I0J3Kmvh/CQ5Fbx\nyov6LClmsl1rjtH16r7cY32M4Woq+6miERdtecyDrrYkNHz0xkA=\n",
+    "iv": "pO7bm3aOtjuwYjG/\n",
+    "auth_tag": "SRvn4z1+Vd5VAGgjG64s+Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

environments/production.json

@@ -3,6 +3,7 @@
   "override_attributes": {
     "akkounts": {
       "btcpay": {
+        "public_url": "https://btcpay.kosmos.org",
         "store_id": "FNJVVsrVkKaduPDAkRVchdegjwzsNhpceAdonCaXAwBX"
       },
       "ejabberd": {
@@ -11,6 +12,10 @@
       "lndhub": {
         "public_url": "https://lndhub.kosmos.org",
         "public_key": "024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946"
+      },
+      "nostr": {
+        "public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
+        "relay_url": "wss://nostr.kosmos.org"
       }
     },
     "discourse": {
@@ -20,7 +25,7 @@
       "public_url": "https://drone.kosmos.org"
     },
     "ejabberd": {
-      "turn_ip_address": "148.251.83.201"
+      "turn_domain": "turn.kosmos.org"
     },
     "email": {
       "domain": "kosmos.org",
@@ -33,8 +38,7 @@
         "hostmaster@kosmos.org":  "mail@kosmos.org",
         "postmaster@kosmos.org":  "mail@kosmos.org",
         "abuse@kosmos.org":       "mail@kosmos.org",
-        "mail@kosmos.org":        "foundation@kosmos.org",
-        "hackerhouse@kosmos.org": "mail@lagrange6.com"
+        "mail@kosmos.org":        "foundation@kosmos.org"
       }
     },
     "garage": {
@@ -65,13 +69,15 @@
       "backup": {
         "nodes_excluded": [
           "garage-",
+          "lq-",
           "rsk-",
-          "postgres-5"
+          "postgres-6"
         ]
       }
     },
     "kosmos-mastodon": {
       "domain": "kosmos.social",
+      "user_address_domain": "kosmos.social",
       "s3_endpoint": "http://localhost:3900",
       "s3_region": "garage",
       "s3_bucket": "kosmos-social",
@@ -96,6 +102,29 @@
     },
     "sentry": {
       "allowed_ips": "10.1.1.0/24"
+    },
+    "strfry": {
+      "domain": "nostr.kosmos.org",
+      "real_ip_header": "x-real-ip",
+      "policy_path": "/opt/strfry/strfry-policy.ts",
+      "known_pubkeys": {
+        "_": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
+        "accounts": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
+        "bitcoincore": "47750177bb6bb113784e4973f6b2e3dd27ef1eff227d6e38d0046d618969e41a",
+        "fiatjaf": "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
+      },
+      "info": {
+        "name": "Kosmos Relay",
+        "description": "Members-only nostr relay for kosmos.org users",
+        "pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
+        "contact": "ops@kosmos.org",
+        "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
+      }
+    },
+    "substr": {
+      "relay_urls": [
+        "ws://localhost:7777"
+      ]
     }
   }
 }

nodes/bitcoin-2.json

@@ -16,7 +16,6 @@
       "kvm_guest",
       "sentry_client",
       "bitcoind",
-      "cln",
       "lnd",
       "lndhub",
       "postgresql_client",
@@ -30,10 +29,8 @@
       "tor-full",
       "tor-full::default",
       "kosmos-bitcoin::bitcoind",
-      "kosmos-bitcoin::c-lightning",
       "kosmos-bitcoin::lnd",
       "kosmos-bitcoin::lnd-scb-s3",
-      "kosmos-bitcoin::boltz",
       "kosmos-bitcoin::rtl",
       "kosmos-bitcoin::peerswap-lnd",
       "kosmos_postgresql::hostsfile",
@@ -41,6 +38,7 @@
       "kosmos-bitcoin::dotnet",
       "kosmos-bitcoin::nbxplorer",
       "kosmos-bitcoin::btcpay",
+      "kosmos-bitcoin::price_tracking",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -103,9 +101,9 @@
     "role[sentry_client]",
     "recipe[tor-full]",
     "role[bitcoind]",
-    "role[cln]",
     "role[lnd]",
     "role[lndhub]",
-    "role[btcpay]"
+    "role[btcpay]",
+    "recipe[kosmos-bitcoin::price_tracking]"
   ]
 }

nodes/draco.kosmos.org.json

@@ -20,7 +20,7 @@
   "automatic": {
     "fqdn": "draco.kosmos.org",
     "os": "linux",
-    "os_version": "5.4.0-54-generic",
+    "os_version": "5.4.0-187-generic",
     "hostname": "draco",
     "ipaddress": "148.251.237.73",
     "roles": [
@@ -47,7 +47,6 @@
       "kosmos_assets::nginx_site",
       "kosmos_discourse::nginx",
       "kosmos_drone::nginx",
-      "kosmos-ejabberd::nginx",
       "kosmos_garage::nginx_web",
       "kosmos_garage::nginx_s3",
       "kosmos_gitea::nginx",
@@ -55,8 +54,10 @@
       "kosmos_liquor-cabinet::nginx",
       "kosmos_rsk::nginx_testnet",
       "kosmos_rsk::nginx_mainnet",
+      "kosmos_strfry::nginx",
       "kosmos_website",
       "kosmos_website::default",
+      "kosmos_website::redirects",
       "kosmos-akkounts::nginx",
       "kosmos-akkounts::nginx_api",
       "kosmos-bitcoin::nginx_lndhub",

nodes/fornax.kosmos.org.json

@@ -24,7 +24,8 @@
       "openresty",
       "garage_gateway",
       "tor_proxy",
-      "zerotier_controller"
+      "zerotier_controller",
+      "turn_server"
     ],
     "recipes": [
       "kosmos-base",
@@ -40,7 +41,6 @@
       "kosmos_assets::nginx_site",
       "kosmos_discourse::nginx",
       "kosmos_drone::nginx",
-      "kosmos-ejabberd::nginx",
       "kosmos_garage::nginx_web",
       "kosmos_garage::nginx_s3",
       "kosmos_gitea::nginx",
@@ -48,8 +48,10 @@
       "kosmos_liquor-cabinet::nginx",
       "kosmos_rsk::nginx_testnet",
       "kosmos_rsk::nginx_mainnet",
+      "kosmos_strfry::nginx",
       "kosmos_website",
       "kosmos_website::default",
+      "kosmos_website::redirects",
       "kosmos-akkounts::nginx",
       "kosmos-akkounts::nginx_api",
       "kosmos-bitcoin::nginx_lndhub",
@@ -64,6 +66,7 @@
       "kosmos_zerotier::controller",
       "kosmos_zerotier::firewall",
       "kosmos_zerotier::zncui",
+      "kosmos-ejabberd::coturn",
       "kosmos-ejabberd::firewall",
       "kosmos-ipfs::firewall_swarm",
       "sockethub::firewall",
@@ -116,6 +119,7 @@
     "role[kvm_host]",
     "role[openresty_proxy]",
     "role[zerotier_controller]",
+    "role[turn_server]",
     "recipe[kosmos-ejabberd::firewall]",
     "recipe[kosmos-ipfs::firewall_swarm]",
     "recipe[kosmos_zerotier::firewall]",

nodes/garage-10.json

@@ -1,17 +1,17 @@
 {
-  "name": "garage-4",
+  "name": "garage-10",
   "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.104"
+      "host": "10.1.1.27"
     }
   },
   "automatic": {
-    "fqdn": "garage-4",
+    "fqdn": "garage-10",
     "os": "linux",
-    "os_version": "5.4.0-132-generic",
-    "hostname": "garage-4",
-    "ipaddress": "192.168.122.123",
+    "os_version": "5.4.0-1090-kvm",
+    "hostname": "garage-10",
+    "ipaddress": "192.168.122.70",
     "roles": [
       "base",
       "kvm_guest",
@@ -23,7 +23,8 @@
       "kosmos_kvm::guest",
       "kosmos_garage",
       "kosmos_garage::default",
-      "kosmos_garage::firewall",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -38,21 +39,20 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
-      "firewall::default",
-      "chef-sugar::default"
+      "firewall::default"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "17.10.3",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
+        "version": "18.5.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "17.9.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+        "version": "18.1.11",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
       }
     }
   },
@@ -61,4 +61,4 @@
     "role[kvm_guest]",
     "role[garage_node]"
   ]
-}
+}

nodes/garage-11.json

@@ -1,17 +1,17 @@
 {
-  "name": "garage-5",
+  "name": "garage-11",
   "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.33"
+      "host": "10.1.1.165"
     }
   },
   "automatic": {
-    "fqdn": "garage-5",
+    "fqdn": "garage-11",
     "os": "linux",
-    "os_version": "5.15.0-84-generic",
-    "hostname": "garage-5",
-    "ipaddress": "192.168.122.55",
+    "os_version": "5.15.0-1059-kvm",
+    "hostname": "garage-11",
+    "ipaddress": "192.168.122.9",
     "roles": [
       "base",
       "kvm_guest",
@@ -46,13 +46,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.3.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "version": "18.5.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "version": "18.1.11",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
       }
     }
   },

nodes/garage-8.json

@@ -1,17 +1,17 @@
 {
-  "name": "garage-6",
+  "name": "garage-8",
   "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.161"
+      "host": "10.1.1.61"
     }
   },
   "automatic": {
-    "fqdn": "garage-6",
+    "fqdn": "garage-8",
     "os": "linux",
     "os_version": "5.4.0-1090-kvm",
-    "hostname": "garage-6",
-    "ipaddress": "192.168.122.213",
+    "hostname": "garage-8",
+    "ipaddress": "192.168.122.207",
     "roles": [
       "base",
       "kvm_guest",
@@ -46,13 +46,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.3.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "version": "18.4.2",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.2/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "version": "18.1.11",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
       }
     }
   },

nodes/garage-9.json

@@ -1,17 +1,17 @@
 {
-  "name": "garage-3",
+  "name": "garage-9",
   "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.39"
+      "host": "10.1.1.223"
     }
   },
   "automatic": {
-    "fqdn": "garage-3",
+    "fqdn": "garage-9",
     "os": "linux",
-    "os_version": "5.4.0-132-generic",
-    "hostname": "garage-3",
-    "ipaddress": "192.168.122.191",
+    "os_version": "5.4.0-1090-kvm",
+    "hostname": "garage-9",
+    "ipaddress": "192.168.122.21",
     "roles": [
       "base",
       "kvm_guest",
@@ -46,13 +46,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.3.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "version": "18.5.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "version": "18.1.11",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
       }
     }
   },
@@ -61,4 +61,4 @@
     "role[kvm_guest]",
     "role[garage_node]"
   ]
-}
+}

nodes/gitea-2.json

@@ -9,7 +9,7 @@
   "automatic": {
     "fqdn": "gitea-2",
     "os": "linux",
-    "os_version": "5.4.0-1096-kvm",
+    "os_version": "5.4.0-1123-kvm",
     "hostname": "gitea-2",
     "ipaddress": "192.168.122.189",
     "roles": [
@@ -32,6 +32,7 @@
       "kosmos_postgresql::hostsfile",
       "kosmos_gitea",
       "kosmos_gitea::default",
+      "kosmos_gitea::backup",
       "kosmos_gitea::act_runner",
       "apt::default",
       "timezone_iii::default",
@@ -47,7 +48,9 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
-      "firewall::default"
+      "firewall::default",
+      "backup::default",
+      "logrotate::default"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",

nodes/lq-2.json

@@ -25,8 +25,8 @@
       "kosmos_garage",
       "kosmos_garage::default",
       "kosmos_garage::firewall_rpc",
-      "liquor_cabinet",
-      "liquor_cabinet::default",
+      "kosmos_liquor-cabinet",
+      "kosmos_liquor-cabinet::default",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -41,7 +41,8 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
-      "firewall::default"
+      "firewall::default",
+      "liquor_cabinet::default"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",

nodes/mail.kosmos.org.json

@@ -10,7 +10,7 @@
     "fqdn": "mail.kosmos.org",
     "os": "linux",
     "os_version": "5.15.0-1048-kvm",
-    "hostname": "mail",
+    "hostname": "mail.kosmos.org",
     "ipaddress": "192.168.122.131",
     "roles": [
       "base",

nodes/mastodon-3.json

@@ -14,6 +14,7 @@
     "ipaddress": "192.168.122.161",
     "roles": [
       "kvm_guest",
+      "ldap_client",
       "garage_gateway",
       "mastodon",
       "postgresql_client"
@@ -22,6 +23,7 @@
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
+      "kosmos-dirsrv::hostsfile",
       "kosmos_garage",
       "kosmos_garage::default",
       "kosmos_garage::firewall_rpc",
@@ -61,8 +63,6 @@
       "redisio::disable_os_default",
       "redisio::configure",
       "redisio::enable",
-      "nodejs::npm",
-      "nodejs::install",
       "backup::default",
       "logrotate::default"
     ],
@@ -84,6 +84,7 @@
   "run_list": [
     "recipe[kosmos-base]",
     "role[kvm_guest]",
+    "role[ldap_client]",
     "role[garage_gateway]",
     "role[mastodon]"
   ]

nodes/postgres-6.json

@@ -1,16 +1,16 @@
 {
-  "name": "postgres-4",
+  "name": "postgres-6",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.107"
+      "host": "10.1.1.196"
     }
   },
   "automatic": {
-    "fqdn": "postgres-4",
+    "fqdn": "postgres-6",
     "os": "linux",
-    "os_version": "5.4.0-122-generic",
-    "hostname": "postgres-4",
-    "ipaddress": "192.168.122.3",
+    "os_version": "5.4.0-173-generic",
+    "hostname": "postgres-6",
+    "ipaddress": "192.168.122.60",
     "roles": [
       "base",
       "kvm_guest",
@@ -22,6 +22,7 @@
       "kosmos_kvm::guest",
       "kosmos_postgresql::primary",
       "kosmos_postgresql::firewall",
+      "kosmos-akkounts::pg_db",
       "kosmos-bitcoin::lndhub-go_pg_db",
       "kosmos-bitcoin::nbxplorer_pg_db",
       "kosmos_drone::pg_db",
@@ -47,13 +48,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.3.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "version": "18.4.2",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.2/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "version": "18.1.11",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
       }
     }
   },
@@ -62,4 +63,4 @@
     "role[kvm_guest]",
     "role[postgresql_primary]"
   ]
-}
+}

nodes/postgres-7.json

@@ -1,24 +1,29 @@
 {
-  "name": "postgres-5",
+  "name": "postgres-7",
+  "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.54"
+      "host": "10.1.1.134"
     }
   },
   "automatic": {
-    "fqdn": "postgres-5",
+    "fqdn": "postgres-7",
     "os": "linux",
-    "os_version": "5.4.0-153-generic",
-    "hostname": "postgres-5",
-    "ipaddress": "192.168.122.211",
+    "os_version": "5.4.0-1123-kvm",
+    "hostname": "postgres-7",
+    "ipaddress": "192.168.122.89",
     "roles": [
       "base",
-      "kvm_guest"
+      "kvm_guest",
+      "postgresql_replica"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
+      "kosmos_postgresql::hostsfile",
+      "kosmos_postgresql::replica",
+      "kosmos_postgresql::firewall",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -39,13 +44,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.2.7",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
+        "version": "18.5.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "version": "18.1.11",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
       }
     }
   },

nodes/postgres-8.json

@@ -0,0 +1,62 @@
+{
+  "name": "postgres-8",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.99"
+    }
+  },
+  "automatic": {
+    "fqdn": "postgres-8",
+    "os": "linux",
+    "os_version": "5.15.0-1059-kvm",
+    "hostname": "postgres-8",
+    "ipaddress": "192.168.122.100",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "postgresql_replica"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_postgresql::hostsfile",
+      "kosmos_postgresql::replica",
+      "kosmos_postgresql::firewall",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.5.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.1.11",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[postgresql_replica]"
+  ]
+}

nodes/strfry-1.json

@@ -0,0 +1,67 @@
+{
+  "name": "strfry-1",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.164"
+    }
+  },
+  "automatic": {
+    "fqdn": "strfry-1",
+    "os": "linux",
+    "os_version": "5.15.0-1060-kvm",
+    "hostname": "strfry-1",
+    "ipaddress": "192.168.122.54",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "strfry",
+      "ldap_client"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos-dirsrv::hostsfile",
+      "strfry",
+      "strfry::default",
+      "kosmos_strfry::policies",
+      "kosmos_strfry::firewall",
+      "kosmos_strfry::substr",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "deno::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.4.12",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.1.11",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[strfry]"
+  ]
+}

nodes/wiki-1.json

@@ -8,16 +8,19 @@
   "automatic": {
     "fqdn": "wiki-1",
     "os": "linux",
-    "os_version": "5.4.0-91-generic",
+    "os_version": "5.4.0-167-generic",
     "hostname": "wiki-1",
     "ipaddress": "192.168.122.26",
     "roles": [
-      "kvm_guest"
+      "base",
+      "kvm_guest",
+      "ldap_client"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
+      "kosmos-dirsrv::hostsfile",
       "kosmos-mediawiki",
       "kosmos-mediawiki::default",
       "apt::default",
@@ -41,7 +44,6 @@
       "php::package",
       "php::ini",
       "composer::global_configs",
-      "kosmos-dirsrv::hostsfile",
       "mediawiki::default",
       "mediawiki::database",
       "kosmos-nginx::default",
@@ -79,4 +81,4 @@
     "role[ldap_client]",
     "recipe[kosmos-mediawiki]"
   ]
-}
+}

roles/gitea.rb

@@ -3,4 +3,5 @@ name "gitea"
 run_list %w(
   role[postgresql_client]
   kosmos_gitea::default
+  kosmos_gitea::backup
 )

roles/lnd.rb

@@ -3,7 +3,6 @@ name "lnd"
 run_list %w(
   kosmos-bitcoin::lnd
   kosmos-bitcoin::lnd-scb-s3
-  kosmos-bitcoin::boltz
   kosmos-bitcoin::rtl
   kosmos-bitcoin::peerswap-lnd
 )

roles/openresty_proxy.rb

@@ -21,7 +21,6 @@ production_run_list = %w(
   kosmos_assets::nginx_site
   kosmos_discourse::nginx
   kosmos_drone::nginx
-  kosmos-ejabberd::nginx
   kosmos_garage::nginx_web
   kosmos_garage::nginx_s3
   kosmos_gitea::nginx
@@ -29,7 +28,9 @@ production_run_list = %w(
   kosmos_liquor-cabinet::nginx
   kosmos_rsk::nginx_testnet
   kosmos_rsk::nginx_mainnet
+  kosmos_strfry::nginx
   kosmos_website::default
+  kosmos_website::redirects
   kosmos-akkounts::nginx
   kosmos-akkounts::nginx_api
   kosmos-bitcoin::nginx_lndhub

roles/postgresql_primary.rb

@@ -3,6 +3,7 @@ name "postgresql_primary"
 run_list %w(
   kosmos_postgresql::primary
   kosmos_postgresql::firewall
+  kosmos-akkounts::pg_db
   kosmos-bitcoin::lndhub-go_pg_db
   kosmos-bitcoin::nbxplorer_pg_db
   kosmos_drone::pg_db

roles/strfry.rb

@@ -0,0 +1,9 @@
+name "strfry"
+
+run_list %w(
+  role[ldap_client]
+  strfry::default
+  kosmos_strfry::policies
+  kosmos_strfry::firewall
+  kosmos_strfry::substr
+)

roles/turn_server.rb

@@ -0,0 +1,5 @@
+name "turn_server"
+
+run_list %w(
+  kosmos-ejabberd::coturn
+)

scripts/postgresql/switch_primary.sh

@@ -21,3 +21,4 @@ bundle exec knife ssh roles:postgresql_client -a knife_zero.host "sudo sed -r \"
 # TODO
 # 1. Change roles in node configs
 # 2. Converge new primary
+echo "You need to update the role in the '$new_primary_hostname' node config to 'postgres_primary' and converge it now."

site-cookbooks/backup/attributes/default.rb

@@ -42,5 +42,5 @@ default['backup']['orbit']['keep'] = 10
 default['backup']['cron']['hour'] = "05"
 default['backup']['cron']['minute'] = "7"
 
-default['backup']['s3']['keep'] = 15
-default['backup']['s3']['bucket'] = "kosmos-dev-backups"
+default['backup']['s3']['keep'] = 10
+default['backup']['s3']['bucket'] = "kosmos-backups"

site-cookbooks/backup/recipes/default.rb

@@ -28,6 +28,7 @@ template "#{backup_dir}/config.rb" do
   sensitive true
   variables s3_access_key_id: backup_data["s3_access_key_id"],
             s3_secret_access_key: backup_data["s3_secret_access_key"],
+            s3_endpoint: backup_data["s3_endpoint"],
             s3_region: backup_data["s3_region"],
             encryption_password: backup_data["encryption_password"],
             mail_from: "backups@kosmos.org",

site-cookbooks/backup/templates/default/config.rb.erb

@@ -23,6 +23,10 @@ Storage::S3.defaults do |s3|
   s3.secret_access_key = "<%= @s3_secret_access_key %>"
   s3.region            = "<%= @s3_region %>"
   s3.bucket            = "<%= node['backup']['s3']['bucket'] %>"
+  s3.fog_options       = {
+    endpoint: "<%= @s3_endpoint %>",
+    aws_signature_version: 2
+  }
 end
 
 Encryptor::OpenSSL.defaults do |encryption|
@@ -88,7 +92,6 @@ end
 
 preconfigure 'KosmosBackup' do
   split_into_chunks_of 250 # megabytes
-  store_with S3
   compress_with Bzip2
   encrypt_with OpenSSL
   notify_by Mail do |mail|

site-cookbooks/kosmos-akkounts/attributes/default.rb

@@ -1,5 +1,5 @@
 node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git'
-node.default['akkounts']['revision'] = 'master'
+node.default['akkounts']['revision'] = 'live'
 node.default['akkounts']['port'] = 3000
 node.default['akkounts']['domain'] = 'accounts.kosmos.org'
 node.default['akkounts']['primary_domain'] = 'kosmos.org'
@@ -11,6 +11,7 @@ node.default['akkounts']['smtp']['domain']          = 'kosmos.org'
 node.default['akkounts']['smtp']['auth_method']     = 'plain'
 node.default['akkounts']['smtp']['enable_starttls'] = 'auto'
 
+node.default['akkounts']['btcpay']['public_url'] = nil
 node.default['akkounts']['btcpay']['store_id'] = nil
 
 node.default['akkounts']['ejabberd']['admin_url'] = nil
@@ -20,6 +21,9 @@ node.default['akkounts']['lndhub']['public_url'] = nil
 node.default['akkounts']['lndhub']['public_key'] = nil
 node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
 
+node.default['akkounts']['nostr']['public_key'] = nil
+node.default['akkounts']['nostr']['relay_url'] = nil
+
 node.default['akkounts']['s3_enabled'] = true
 node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org"
 node.default['akkounts']['s3_region'] = "garage"

site-cookbooks/kosmos-akkounts/recipes/default.rb

@@ -24,18 +24,17 @@ package "libvips"
 
 include_recipe 'redisio::default'
 include_recipe 'redisio::enable'
+
+node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
 include_recipe 'kosmos-nodejs'
+npm_package "bun"
 
-npm_package "yarn" do
-  version "1.22.4"
-end
-
-ruby_version = "2.7.5"
+ruby_version = "3.3.8"
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
 rails_env = node.chef_environment == "development" ? "development" : "production"
 
-ruby_build_install 'v20230615'
+ruby_build_install 'v20240221'
 ruby_build_definition ruby_version do
   prefix_path ruby_path
 end
@@ -48,7 +47,28 @@ webhooks_allowed_ips = [lndhub_host].compact.uniq.join(',')
 env = {
   primary_domain: node['akkounts']['primary_domain'],
   akkounts_domain: node['akkounts']['domain'],
-  rails_serve_static_files: true
+  rails_serve_static_files: true,
+  secret_key_base: credentials["rails_secret_key_base"],
+  encryption_primary_key: credentials["rails_encryption_primary_key"],
+  encryption_key_derivation_salt: credentials["rails_encryption_key_derivation_salt"],
+  db_adapter: "postgresql",
+  pg_host: "pg.kosmos.local",
+  pg_port: 5432,
+  pg_database: "akkounts",
+  pg_database_queue: "akkounts_queue",
+  pg_username: credentials["postgresql"]["username"],
+  pg_password: credentials["postgresql"]["password"]
+}
+
+env[:ldap] = {
+  host: "ldap.kosmos.local",
+  port: 389,
+  use_tls: false,
+  uid_attr: "cn",
+  base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
+  admin_user: credentials["ldap"]["admin_user"],
+  admin_password: credentials["ldap"]["admin_password"],
+  suffix: "dc=kosmos,dc=org"
 }
 
 smtp_server, smtp_port = smtp_credentials[:relayhost].split(":")
@@ -75,6 +95,7 @@ end
 
 if btcpay_host
   env[:btcpay_api_url] = "http://#{btcpay_host}:23001/api/v1"
+  env[:btcpay_public_url] = node['akkounts']['btcpay']['public_url']
   env[:btcpay_store_id] = node['akkounts']['btcpay']['store_id']
   env[:btcpay_auth_token] = credentials["btcpay_auth_token"]
 end
@@ -137,9 +158,9 @@ if lndhub_host
   if postgres_readonly_host
     env[:lndhub_admin_ui] = true
     env[:lndhub_pg_host] = postgres_readonly_host
-    env[:lndhub_pg_database] = node['akkounts']['lndhub']['postgres_db']
-    env[:lndhub_pg_username] = credentials['postgresql_username']
-    env[:lndhub_pg_password] = credentials['postgresql_password']
+    env[:lndhub_pg_database] = node["akkounts"]["lndhub"]["postgres_db"]
+    env[:lndhub_pg_username] = credentials["postgresql"]["username"]
+    env[:lndhub_pg_password] = credentials["postgresql"]["password"]
   end
 end
 
@@ -148,6 +169,7 @@ end
 #
 
 env[:mastodon_public_url] = "https://#{node['kosmos-mastodon']['domain']}"
+env[:mastodon_address_domain] = node['kosmos-mastodon']['user_address_domain']
 
 #
 # MediaWiki
@@ -155,6 +177,14 @@ env[:mastodon_public_url] = "https://#{node['kosmos-mastodon']['domain']}"
 
 env[:mediawiki_public_url] = node['mediawiki']['url']
 
+#
+# Nostr
+#
+
+env[:nostr_private_key] = credentials['nostr_private_key']
+env[:nostr_public_key] = node['akkounts']['nostr']['public_key']
+env[:nostr_relay_url] = node['akkounts']['nostr']['relay_url']
+
 #
 # remoteStorage / Liquor Cabinet
 #
@@ -198,7 +228,7 @@ systemd_unit "akkounts.service" do
       Type: "simple",
       User: deploy_user,
       WorkingDirectory: deploy_path,
-      Environment: "RAILS_ENV=#{rails_env}",
+      Environment: "RAILS_ENV=#{rails_env} SOLID_QUEUE_IN_PUMA=true",
       ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
       ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
       ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
@@ -215,36 +245,6 @@ systemd_unit "akkounts.service" do
   action [:create, :enable]
 end
 
-systemd_unit "akkounts-sidekiq.service" do
-  content({
-    Unit: {
-      Description: "Kosmos Accounts async/background jobs",
-      Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
-      Requires: "redis@6379.service",
-      After: "syslog.target network.target redis@6379.service"
-    },
-    Service: {
-      Type: "notify",
-      User: deploy_user,
-      WorkingDirectory: deploy_path,
-      Environment: "MALLOC_ARENA_MAX=2",
-      ExecStart: "#{bundle_path} exec sidekiq -C #{deploy_path}/config/sidekiq.yml -e #{rails_env}",
-      WatchdogSec: "10",
-      Restart: "on-failure",
-      RestartSec: "1",
-      StandardOutput: "syslog",
-      StandardError: "syslog",
-      SyslogIdentifier: "sidekiq"
-    },
-    Install: {
-      WantedBy: "multi-user.target"
-    }
-  })
-  verify false
-  triggers_reload true
-  action [:create, :enable]
-end
-
 deploy_env = {
   "HOME" => deploy_path,
   "PATH" => "#{ruby_path}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin",
@@ -257,15 +257,7 @@ git deploy_path do
   revision node[app_name]["revision"]
   user  deploy_user
   group deploy_group
-  # Restart services on deployments
-  notifies :run, "execute[restart #{app_name} services]", :delayed
-end
-
-execute "restart #{app_name} services" do
-  command "true"
-  action :nothing
   notifies :restart, "service[#{app_name}]", :delayed
-  notifies :restart, "service[#{app_name}-sidekiq]", :delayed
 end
 
 file "#{deploy_path}/config/master.key" do
@@ -273,7 +265,7 @@ file "#{deploy_path}/config/master.key" do
   mode '0400'
   owner deploy_user
   group deploy_group
-  notifies :run, "execute[restart #{app_name} services]", :delayed
+  notifies :restart, "service[#{app_name}]", :delayed
 end
 
 template "#{deploy_path}/.env.#{rails_env}" do
@@ -283,7 +275,7 @@ template "#{deploy_path}/.env.#{rails_env}" do
   mode 0600
   sensitive true
   variables config: env
-  notifies :run, "execute[restart #{app_name} services]", :delayed
+  notifies :restart, "service[#{app_name}]", :delayed
 end
 
 execute "bundle install" do
@@ -293,13 +285,6 @@ execute "bundle install" do
   command "bundle install --without development,test --deployment"
 end
 
-execute "yarn install" do
-  environment deploy_env
-  user deploy_user
-  cwd deploy_path
-  command "yarn install --pure-lockfile"
-end
-
 execute 'rake db:migrate' do
   environment deploy_env
   user deploy_user
@@ -320,10 +305,6 @@ service "akkounts" do
   action [:enable, :start]
 end
 
-service "akkounts-sidekiq" do
-  action [:enable, :start]
-end
-
 firewall_rule "akkounts_zerotier" do
   command  :allow
   port     node["akkounts"]["port"]

site-cookbooks/kosmos-akkounts/recipes/pg_db.rb

@@ -0,0 +1,22 @@
+#
+# Cookbook:: kosmos-akkounts
+# Recipe:: pg_db
+#
+
+credentials = data_bag_item("credentials", "akkounts")
+pg_username = credentials["postgresql"]["username"]
+pg_password = credentials["postgresql"]["password"]
+
+postgresql_user pg_username do
+  action :create
+  password pg_password
+end
+
+databases = ["akkounts", "akkounts_queue"]
+
+databases.each do |database|
+  postgresql_database database do
+    owner pg_username
+    action :create
+  end
+end

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb

@@ -14,6 +14,10 @@ server {
   listen [::]:443 ssl http2;
   server_name <%= @domain %>;
 
+  if ($host != $server_name) {
+    return 301 $scheme://$server_name$request_uri;
+  }
+
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
@@ -39,6 +43,9 @@ server {
 
   location @proxy {
     proxy_set_header Host $http_host;
+    set $x_forwarded_host $http_x_forwarded_host;
+    if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
+    proxy_set_header X-Forwarded-Host $x_forwarded_host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto https;

site-cookbooks/kosmos-base/recipes/letsencrypt.rb

@@ -2,27 +2,6 @@
 # Cookbook Name:: kosmos-base
 # Recipe:: letsencrypt
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 unless platform?('ubuntu')
   raise "This recipe only supports Ubuntu installs"

site-cookbooks/kosmos-base/resources/tls_cert_for.rb

@@ -3,6 +3,8 @@ provides :tls_cert_for
 
 property :domain, [String, Array], name_property: true
 property :auth, [String, NilClass], default: nil
+property :deploy_hook, [String, NilClass], default: nil
+property :acme_domain, [String, NilClass], default: nil
 
 default_action :create
 
@@ -17,13 +19,35 @@ action :create do
 
   case new_resource.auth
   when "gandi_dns"
-    gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+    gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
 
     hook_path = "/root/gandi_dns_certbot_hook.sh"
+    hook_auth_command = "#{hook_path} auth"
+    hook_cleanup_command = "#{hook_path} cleanup"
+
+    if new_resource.acme_domain
+      hook_auth_command += " #{new_resource.acme_domain}"
+      hook_cleanup_command += " #{new_resource.acme_domain}"
+    end
+
     template hook_path do
       cookbook "kosmos-base"
-      variables gandi_api_key: gandi_api_data_bag_item["key"]
-      mode 0770
+      variables access_token: gandi_api_credentials["access_token"]
+      mode 0700
+      sensitive true
+    end
+
+    if new_resource.deploy_hook
+      deploy_hook_path = "/etc/letsencrypt/renewal-hooks/#{domains.first}"
+
+      file deploy_hook_path do
+        content new_resource.deploy_hook
+        mode 0755
+        owner "root"
+        group "root"
+      end
+    elsif node.run_list.roles.include?("openresty_proxy")
+      deploy_hook_path = "/etc/letsencrypt/renewal-hooks/post/openresty"
     end
 
     # Generate a Let's Encrypt cert (only if no cert has been generated before).
@@ -32,12 +56,11 @@ action :create do
       command <<-CMD
       certbot certonly --manual -n \
         --preferred-challenges dns \
-        --manual-public-ip-logging-ok \
         --agree-tos \
-        --manual-auth-hook '#{hook_path} auth' \
-        --manual-cleanup-hook '#{hook_path} cleanup' \
+        --manual-auth-hook '#{hook_auth_command}' \
+        --manual-cleanup-hook '#{hook_cleanup_command}' \
         --email ops@kosmos.org \
-        #{node.run_list.roles.include?("openresty_proxy") ? '--deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty' : nil } \
+        #{"--deploy-hook #{deploy_hook_path}" if defined?(deploy_hook_path)} \
         #{domains.map {|d| "-d #{d}" }.join(" ")}
       CMD
       not_if do

site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb

@@ -1,21 +1,16 @@
 #!/usr/bin/env bash
-#
-
 set -euf -o pipefail
 
 # ************** USAGE **************
 #
-# Example usage (with this hook file saved in /root/):
+# Example usage:
 #
-#   sudo su -
 #   certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
 #     --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
 #
-# This hook requires configuration, continue reading.
-#
 # ************** CONFIGURATION **************
 #
-# GANDI_API_KEY: Your Gandi Live API key
+# ACCESS_TOKEN: Your Gandi Live API key
 #
 # PROVIDER_UPDATE_DELAY:
 #   How many seconds to wait after updating your DNS records. This may be required,
@@ -25,10 +20,16 @@ set -euf -o pipefail
 #
 #   Defaults to 30 seconds.
 #
-GANDI_API_KEY="<%= @gandi_api_key %>"
+# VALIDATION_DOMAIN:
+#   Domain to create ACME DNS entries on. Use this when redirecting ACME subdomains
+#   from the original domain to a proxy validation domain that we control.
+#
+ACCESS_TOKEN="<%= @access_token %>"
 PROVIDER_UPDATE_DELAY=10
+VALIDATION_DOMAIN="${2:-}"
 
 regex='.*\.(.*\..*)'
+
 if [[ $CERTBOT_DOMAIN =~ $regex ]]
 then
   DOMAIN="${BASH_REMATCH[1]}"
@@ -36,25 +37,41 @@ else
   DOMAIN="${CERTBOT_DOMAIN}"
 fi
 
+if [[ -n "$VALIDATION_DOMAIN" ]]
+then
+  if [[ $VALIDATION_DOMAIN =~ $regex ]]
+  then
+    ACME_BASE_DOMAIN="${BASH_REMATCH[1]}"
+  else
+    echo "Validation domain has to be a subdomain, but it is not: \"${VALIDATION_DOMAIN}\""
+    exit 1
+  fi
+  ACME_DOMAIN="${CERTBOT_DOMAIN}.${VALIDATION_DOMAIN}"
+else
+  ACME_BASE_DOMAIN="${DOMAIN}"
+  ACME_DOMAIN="_acme-challenge.${CERTBOT_DOMAIN}"
+fi
+
 # To be invoked via Certbot's --manual-auth-hook
 function auth {
-    curl -s -D- -H "Content-Type: application/json" \
-        -H "X-Api-Key: ${GANDI_API_KEY}" \
-        -d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
-             \"rrset_type\": \"TXT\",
-             \"rrset_ttl\": 3600,
-             \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
-        "https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
+  curl -s -D- \
+       -H "Content-Type: application/json" \
+       -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+       -d "{\"rrset_name\": \"${ACME_DOMAIN}.\",
+            \"rrset_type\": \"TXT\",
+            \"rrset_ttl\": 300,
+            \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
+       "https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records"
 
-
-    sleep ${PROVIDER_UPDATE_DELAY}
+  sleep ${PROVIDER_UPDATE_DELAY}
 }
 
 # To be invoked via Certbot's --manual-cleanup-hook
 function cleanup {
-    curl -s -X DELETE -H "Content-Type: application/json" \
-        -H "X-Api-Key: ${GANDI_API_KEY}" \
-        https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
+  curl -s -X DELETE \
+       -H "Content-Type: application/json" \
+       -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+       "https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records/${ACME_DOMAIN}./TXT"
 }
 
 HANDLER=$1; shift;

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '26.0'
-node.default['bitcoin']['checksum']  = 'ab1d99276e28db62d1d9f3901e85ac358d7f1ebcb942d348a9c4e46f0fcdc0a1'
+node.default['bitcoin']['version']   = '28.0'
+node.default['bitcoin']['checksum']  = '700ae2d1e204602eb07f2779a6e6669893bc96c0dca290593f80ff8e102ff37f'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'
@@ -24,7 +24,8 @@ node.default['bitcoin']['conf'] = {
   rpcbind: "127.0.0.1:8332",
   gen: 0,
   zmqpubrawblock: 'tcp://127.0.0.1:8337',
-  zmqpubrawtx: 'tcp://127.0.0.1:8338'
+  zmqpubrawtx: 'tcp://127.0.0.1:8338',
+  deprecatedrpc: 'warnings' # TODO remove when upgrading to LND 0.18.4
 }
 
 # Also enables Tor for LND
@@ -40,7 +41,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.17.3-beta'
+node.default['lnd']['revision'] = 'v0.18.5-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -58,24 +59,13 @@ node.default['lnd']['tor'] = {
   'skip-proxy-for-clearnet-targets' => 'true'
 }
 
-node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
-node.default['boltz']['revision'] = 'v1.2.7'
-node.default['boltz']['source_dir'] = '/opt/boltz'
-node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
-node.default['boltz']['grpc_host'] = '127.0.0.1'
-node.default['boltz']['grpc_port'] = '9002'
-node.default['boltz']['rest_disabled'] = 'false'
-node.default['boltz']['rest_host'] = '127.0.0.1'
-node.default['boltz']['rest_port'] = '9003'
-node.default['boltz']['no_macaroons'] = 'false'
-
 node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
-node.default['rtl']['revision'] = 'v0.15.0'
+node.default['rtl']['revision'] = 'v0.15.2'
 node.default['rtl']['host'] = '10.1.1.163'
 node.default['rtl']['port'] = '3000'
 
 node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
-node.default['lndhub-go']['revision'] = '0.14.0'
+node.default['lndhub-go']['revision'] = '1.0.2'
 node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
 node.default['lndhub-go']['port'] = 3026
 node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
@@ -83,8 +73,10 @@ node.default['lndhub-go']['postgres']['database'] = 'lndhub'
 node.default['lndhub-go']['postgres']['user'] = 'lndhub'
 node.default['lndhub-go']['postgres']['port'] = 5432
 node.default['lndhub-go']['default_rate_limit'] = 20
-node.default['lndhub-go']['strict_rate_limit'] =  1
-node.default['lndhub-go']['burst_rate_limit'] =  10
+node.default['lndhub-go']['strict_rate_limit'] = 1
+node.default['lndhub-go']['burst_rate_limit'] = 10
+node.default['lndhub-go']['service_fee'] = 1
+node.default['lndhub-go']['no_service_fee_up_to_amount'] = 1000
 node.default['lndhub-go']['branding'] = {
   'title' => 'LndHub - Kosmos Lightning',
   'desc' => 'Kosmos accounts for the Lightning Network',
@@ -98,7 +90,7 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/
 node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
 
 node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
-node.default['nbxplorer']['revision'] = 'v2.4.3'
+node.default['nbxplorer']['revision'] = 'v2.5.23'
 node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
 node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
 node.default['nbxplorer']['port'] = '24445'
@@ -106,7 +98,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
 node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
 
 node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
-node.default['btcpay']['revision'] = 'v1.11.7'
+node.default['btcpay']['revision'] = 'v2.0.7'
 node.default['btcpay']['source_dir'] = '/opt/btcpay'
 node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
 node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
@@ -119,3 +111,5 @@ node.default['btcpay']['postgres']['user'] = 'satoshi'
 node.default['peerswap']['repo'] = 'https://github.com/ElementsProject/peerswap.git'
 node.default['peerswap']['revision'] = 'master'
 node.default['peerswap-lnd']['source_dir'] = '/opt/peerswap'
+
+node.default['price_tracking']['rs_base_url'] = "https://storage.kosmos.org/kosmos/public/btc-price"

site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb

@@ -11,6 +11,7 @@ credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 
 file "/root/.aws/config" do
   mode "600"
+  sensitive true
   content lazy { <<-EOF
 [default]
 region = #{credentials["s3_region"]}

site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb

@@ -12,8 +12,15 @@ if node["bitcoin"]["blocksdir_mount_type"]
   include_recipe "kosmos-bitcoin::blocksdir-mount"
 end
 
-%w{ libtool autotools-dev make automake cmake curl g++-multilib libtool
-    binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
+apt_repository "ubuntu-toolchain-r" do
+  # provides g++-13, needed for better c++-20 support
+  uri "ppa:ubuntu-toolchain-r/test"
+end
+
+%w{
+  gcc-13 g++-13 libtool autotools-dev make automake cmake curl bison
+  binutils-gold pkg-config python3 patch
+}.each do |pkg|
   apt_package pkg
 end
 
@@ -26,20 +33,21 @@ end
 
 execute "compile_bitcoin-core_dependencies" do
   cwd "/usr/local/bitcoind/depends"
-  command "make NO_QT=1"
+  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
+  command "make -j 2"
   action :nothing
   notifies :run, 'bash[compile_bitcoin-core]', :immediately
 end
 
 bash "compile_bitcoin-core" do
   cwd "/usr/local/bitcoind"
+  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
   code <<-EOH
     ./autogen.sh
     ./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
     make
   EOH
   action :nothing
-  notifies :restart, "systemd_unit[bitcoind.service]", :delayed
 end
 
 link "/usr/local/bin/bitcoind" do

site-cookbooks/kosmos-bitcoin/recipes/boltz.rb

@@ -1,87 +0,0 @@
-#
-# Cookbook:: kosmos-bitcoin
-# Recipe:: boltz
-#
-
-include_recipe "git"
-include_recipe "kosmos-bitcoin::golang"
-
-git node['boltz']['source_dir'] do
-  repository node['boltz']['repo']
-  revision node['boltz']['revision']
-  action :sync
-  notifies :run, 'bash[compile_and_install_boltz]', :immediately
-end
-
-bash "compile_and_install_boltz" do
-  cwd node['boltz']['source_dir']
-  code <<-EOH
-go mod vendor && \
-make build && \
-make install
-  EOH
-  action :nothing
-  notifies :restart, "systemd_unit[boltzd.service]", :delayed
-end
-
-bitcoin_user  = node['bitcoin']['username']
-bitcoin_group = node['bitcoin']['usergroup']
-boltz_dir     = node['boltz']['boltz_dir']
-lnd_dir       = node['lnd']['lnd_dir']
-
-directory boltz_dir do
-  owner bitcoin_user
-  group bitcoin_group
-  mode '0750'
-  action :create
-end
-
-template "#{boltz_dir}/boltz.toml" do
-  source "boltz.toml.erb"
-  owner bitcoin_user
-  group bitcoin_group
-  mode '0640'
-  variables lnd_grpc_host: '127.0.0.1',
-            lnd_grpc_port: '10009',
-            lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
-            lnd_tlscert_path: "#{lnd_dir}/tls.cert",
-            boltz_config: node['boltz']
-  notifies :restart, "systemd_unit[boltzd.service]", :delayed
-end
-
-systemd_unit 'boltzd.service' do
-  content({
-    Unit: {
-      Description: 'Boltz Daemon',
-      Documentation: ['https://lnd.docs.boltz.exchange'],
-      Requires: 'lnd.service',
-      After: 'lnd.service'
-    },
-    Service: {
-      User: bitcoin_user,
-      Group: bitcoin_group,
-      Type: 'simple',
-      ExecStart: "/opt/boltz/boltzd",
-      Restart: 'always',
-      RestartSec: '30',
-      TimeoutSec: '240',
-      LimitNOFILE: '128000',
-      PrivateTmp: true,
-      ProtectSystem: 'full',
-      NoNewPrivileges: true,
-      PrivateDevices: true,
-      MemoryDenyWriteExecute: true
-    },
-    Install: {
-      WantedBy: 'multi-user.target'
-    }
-  })
-  verify false
-  triggers_reload true
-  action [:create, :enable, :start]
-end
-
-unless node.chef_environment == 'development'
-  node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
-  include_recipe 'backup'
-end

site-cookbooks/kosmos-bitcoin/recipes/golang.rb

@@ -5,7 +5,7 @@
 # Internal recipe for managing the Go installation in one place
 #
 
-node.override['golang']['version'] = "1.20.3"
+node.override['golang']['version'] = "1.23.1"
 include_recipe "golang"
 
 link '/usr/local/bin/go' do

site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb

@@ -10,12 +10,14 @@ include_recipe "kosmos-bitcoin::aws-client"
 package "inotify-tools"
 
 backup_script_path = "/opt/lnd-channel-backup-s3.sh"
+backup_credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 
 template backup_script_path do
   source "lnd-channel-backup-s3.sh.erb"
   mode '0740'
   variables lnd_dir: node['lnd']['lnd_dir'],
             bitcoin_network: node['bitcoin']['network'],
+            s3_endpoint: backup_credentials['s3_endpoint'],
             s3_bucket: node['backup']['s3']['bucket'],
             s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
   notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed

site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb

@@ -66,6 +66,8 @@ template "#{source_dir}/.env" do
     default_rate_limit: node['lndhub-go']['default_rate_limit'],
     strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
     burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
+    service_fee: 1,
+    no_service_fee_up_to_amount: 1000,
     branding: node['lndhub-go']['branding'],
     webhook_url: node['lndhub-go']['webhook_url'],
     sentry_dsn: credentials['sentry_dsn']

site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb

@@ -58,9 +58,7 @@ directory '/run/nbxplorer' do
 end
 
 env = {
-  NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20",
-  NBXPLORER_AUTOMIGRATE: "1",
-  NBXPLORER_NOMIGRATEEVTS: "1"
+  NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20"
 }
 
 systemd_unit 'nbxplorer.service' do

site-cookbooks/kosmos-bitcoin/recipes/price_tracking.rb

@@ -0,0 +1,59 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: price_tracking
+#
+# Track BTC rates and publish them via remoteStorage
+#
+
+%w[curl jq].each do |pkg|
+  apt_package pkg
+end
+
+daily_tracker_path = "/usr/local/bin/btc-price-tracker-daily"
+
+credentials = Chef::EncryptedDataBagItem.load('credentials', 'kosmos-rs')
+
+template daily_tracker_path do
+  source "btc-price-tracker-daily.sh.erb"
+  mode '0740'
+  variables rs_base_url: node['price_tracking']['rs_base_url']
+  notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
+end
+
+systemd_unit 'btc-price-tracker-daily.service' do
+  content({
+    Unit: {
+      Description: 'BTC price tracker (daily rates)',
+      After: 'network-online.target',
+      Wants: 'network-online.target'
+    },
+    Service: {
+      Type: 'oneshot',
+      ExecStart: daily_tracker_path,
+      Environment: "RS_AUTH=#{credentials["auth_tokens"]["/btc-price"]}"
+    },
+    Install: {
+      WantedBy: 'multi-user.target'
+    }
+  })
+  sensitive true
+  triggers_reload true
+  action [:create]
+end
+
+systemd_unit 'btc-price-tracker-daily.timer' do
+  content({
+    Unit: {
+      Description: 'Run BTC price tracker daily'
+    },
+    Timer: {
+      OnCalendar: '*-*-* 00:00:00',
+      Persistent: 'true'
+    },
+    Install: {
+      WantedBy: 'timers.target'
+    }
+  })
+  triggers_reload true
+  action [:create, :enable, :start]
+end

site-cookbooks/kosmos-bitcoin/recipes/rtl.rb

@@ -46,24 +46,22 @@ rtl_config = {
   multiPassHashed: credentials["multiPassHashed"]
 }
 
-if node['boltz']
-  # TODO adapt for multi-node usage
-  rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
-  rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
-end
-
 git rtl_dir do
   user bitcoin_user
   group bitcoin_group
   repository node['rtl']['repo']
   revision node['rtl']['revision']
+  notifies :run, "execute[npm_install]", :immediately
   notifies :restart, "systemd_unit[#{app_name}.service]", :delayed
 end
 
-execute "npm install" do
+execute "npm_install" do
   cwd rtl_dir
   environment "HOME" => rtl_dir
   user bitcoin_user
+  # TODO remove --force when upstream dependency issues have been resolved
+  command "npm install --force"
+  action :nothing
 end
 
 file "#{rtl_dir}/RTL-Config.json" do

site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb

@@ -1,32 +0,0 @@
-[LND]
-# Host of the gRPC interface of LND
-host = "<%= @lnd_grpc_host %>"
-
-# Port of the gRPC interface of LND
-port = <%= @lnd_grpc_port %>
-
-# Path to a macaroon file of LND
-# The daemon needs to have permission to read various endpoints, generate addresses and pay invoices 
-macaroon = "<%= @lnd_macaroon_path %>"
-
-# Path to the TLS certificate of LND
-certificate = "<%= @lnd_tlscert_path %>"
-
-[RPC]
-# Host of the gRPC interface
-host = "<%= @boltz_config['grpc_host'] %>"
-
-# Port of the gRPC interface
-port = <%= @boltz_config['grpc_port'] %>
-
-# Whether the REST proxy for the gRPC interface should be disabled
-restDisabled = <%= @boltz_config['rest_disabled'] %>
-
-# Host of the REST proxy
-restHost = "<%= @boltz_config['rest_host'] %>"
-
-# Port of the REST proxy
-restPort = <%= @boltz_config['rest_port'] %>
-
-# Whether the macaroon authentication for the gRPC and REST interface should be disabled
-noMacaroons = <%= @boltz_config['no_macaroons'] %>

site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Calculate yesterday's date in YYYY-MM-DD format
+YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
+echo "Starting price tracking for $YESTERDAY" >&2
+
+# Fetch and process rates for a fiat currency
+get_price_data() {
+    local currency=$1
+    local data avg open24 last
+
+    data=$(curl -s "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/")
+    if [ $? -eq 0 ] && [ ! -z "$data" ]; then
+        echo "Successfully retrieved ${currency} price data" >&2
+        open24=$(echo "$data" | jq -r '.open_24')
+        last=$(echo "$data" | jq -r '.last')
+        avg=$(( (${open24%.*} + ${last%.*}) / 2 ))
+        echo $avg
+    else
+        echo "ERROR: Failed to retrieve ${currency} price data" >&2
+        exit 1
+    fi
+}
+
+# Get price data for each currency
+usd_avg=$(get_price_data "USD")
+eur_avg=$(get_price_data "EUR")
+gbp_avg=$(get_price_data "GBP")
+
+# Create JSON
+json="{\"EUR\":$eur_avg,\"USD\":$usd_avg,\"GBP\":$gbp_avg}"
+echo "Rates: $json" >&2
+
+# PUT in remote storage
+response=$(curl -X PUT \
+    -H "Authorization: Bearer $RS_AUTH" \
+    -H "Content-Type: application/json" \
+    -d "$json" \
+    -w "%{http_code}" \
+    -s \
+    -o /dev/null \
+    "<%= @rs_base_url %>/$YESTERDAY")
+
+if [ "$response" -eq 200 ] || [ "$response" -eq 201 ]; then
+   echo "Successfully uploaded price data" >&2
+else
+   echo "ERROR: Failed to upload price data. HTTP status: $response" >&2
+   exit 1
+fi

site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb

@@ -3,5 +3,5 @@ set -xe -o pipefail
 
 while true; do
   inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
-  aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
+  aws --endpoint <%= @s3_endpoint %> s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
 done

site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb

@@ -12,7 +12,6 @@ minchansize=<%= @lnd_minchansize %>
 autopilot.active=0
 
 [Bitcoin]
-bitcoin.active=1
 bitcoin.mainnet=1
 bitcoin.node=bitcoind
 bitcoin.basefee=<%= @lnd_basefee %>

site-cookbooks/kosmos-ejabberd/attributes/default.rb

@@ -1,7 +1,9 @@
 node.default["ejabberd"]["version"] = "23.10"
 node.default["ejabberd"]["package_version"] = "1"
 node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77"
-node.default["ejabberd"]["turn_ip_address"] = nil
+node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org"
+node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org"
 node.default["ejabberd"]["stun_turn_port"] = 3478
+node.default["ejabberd"]["stun_turn_port_tls"] = 5349
 node.default["ejabberd"]["turn_min_port"] = 50000
-node.default["ejabberd"]["turn_max_port"] = 50050
+node.default["ejabberd"]["turn_max_port"] = 50999

site-cookbooks/kosmos-ejabberd/recipes/coturn.rb

@@ -0,0 +1,52 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: coturn
+#
+
+apt_package 'coturn'
+
+domain = node["ejabberd"]["turn_domain"]
+credentials = data_bag_item("credentials", "ejabberd")
+
+tls_cert_for domain do
+  auth "gandi_dns"
+  action :create
+end
+
+template "/etc/turnserver.conf" do
+  source "turnserver.conf.erb"
+  mode 0644
+  variables listening_port: node["ejabberd"]["stun_turn_port"],
+            tls_listening_port: node["ejabberd"]["stun_turn_port_tls"],
+            listening_ip: node["ipaddress"],
+            relay_ip: node["ipaddress"],
+            min_port: node["ejabberd"]["turn_min_port"],
+            max_port: node["ejabberd"]["turn_max_port"],
+            realm: node["ejabberd"]["stun_auth_realm"],
+            static_auth_secret: credentials["stun_secret"],
+            cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            pkey: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+  notifies :restart, "service[coturn]", :delayed
+end
+
+firewall_rule 'ejabberd_stun_turn' do
+  port     node["ejabberd"]["stun_turn_port"]
+  protocol :udp
+  command  :allow
+end
+
+firewall_rule 'ejabberd_stun_turn_tls' do
+  port     node["ejabberd"]["stun_turn_port_tls"]
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'ejabberd_turn' do
+  port     node["ejabberd"]["turn_min_port"]..node["ejabberd"]["turn_max_port"]
+  protocol :udp
+  command  :allow
+end
+
+service "coturn" do
+  action [:enable, :start]
+end

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -84,6 +84,12 @@ hosts = [
     sql_database: "ejabberd",
     ldap_enabled: true,
     ldap_password: ejabberd_credentials['kosmos_ldap_password'],
+    certfiles: [
+      "/opt/ejabberd/conf/kosmos.org.crt",
+      "/opt/ejabberd/conf/kosmos.org.key",
+      "/opt/ejabberd/conf/kosmos.chat.crt",
+      "/opt/ejabberd/conf/kosmos.chat.key"
+    ],
     append_host_config: <<-EOF
     modules:
       mod_disco:
@@ -114,6 +120,10 @@ hosts = [
     sql_database: "ejabberd_5apps",
     ldap_enabled: true,
     ldap_password: ejabberd_credentials['5apps_ldap_password'],
+    certfiles: [
+      "/opt/ejabberd/conf/5apps.com.crt",
+      "/opt/ejabberd/conf/5apps.com.key"
+    ],
     append_host_config: <<-EOF
     modules:
       mod_disco:
@@ -154,6 +164,11 @@ admin_users = ejabberd_credentials['admins']
 
 hosts.each do |host|
   ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
+  if host[:name] == "kosmos.org"
+    ldap_filter = "(&(objectClass=person)(serviceEnabled=ejabberd))"
+  else
+    ldap_filter = "(objectClass=person)"
+  end
 
   template "/opt/ejabberd/conf/#{host[:name]}.yml" do
     source    "vhost.yml.erb"
@@ -167,7 +182,8 @@ hosts.each do |host|
               ldap_base: ldap_base,
               ldap_server: ldap_domain,
               ldap_rootdn: ldap_rootdn,
-              ldap_encryption_type: ldap_encryption_type
+              ldap_encryption_type: ldap_encryption_type,
+              ldap_filter: ldap_filter
     notifies :reload, "service[ejabberd]", :delayed
   end
 end
@@ -183,10 +199,10 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
   sensitive true
   variables hosts: hosts,
             admin_users: admin_users,
-            stun_auth_realm: "kosmos.org",
+            turn_domain: node["ejabberd"]["turn_domain"],
             stun_secret: ejabberd_credentials['stun_secret'],
-            turn_ip_address: node["ejabberd"]["turn_ip_address"],
             stun_turn_port: node["ejabberd"]["stun_turn_port"],
+            stun_turn_port_tls: node["ejabberd"]["stun_turn_port_tls"],
             turn_min_port: node["ejabberd"]["turn_min_port"],
             turn_max_port: node["ejabberd"]["turn_max_port"],
             private_ip_address: node["knife_zero"]["host"],

site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb

@@ -15,9 +15,9 @@ set -e
 # letsencrypt live folder
 for domain in $RENEWED_DOMAINS; do
   case $domain in
-  kosmos.org|5apps.com)
-    cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key
-    cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
+  kosmos.org|kosmos.chat|5apps.com)
+    cp "/etc/letsencrypt/live/${domain}/privkey.pem" /opt/ejabberd/conf/$domain.key
+    cp "/etc/letsencrypt/live/${domain}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
     chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
     chmod 600 /opt/ejabberd/conf/$domain.*
     /opt/ejabberd-#{node["ejabberd"]["version"]}/bin/ejabberdctl reload_config
@@ -33,26 +33,34 @@ file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
   group "root"
 end
 
-gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
 
 template "/root/gandi_dns_certbot_hook.sh" do
-  variables gandi_api_key: gandi_api_data_bag_item["key"]
-  mode 0770
+  variables access_token: gandi_api_credentials["access_token"]
+  mode 0700
+  sensitive true
 end
 
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
-execute "letsencrypt cert for kosmos xmpp" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n"
+execute "letsencrypt cert for kosmos.org domains" do
+  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d upload.kosmos.org -d proxy.kosmos.org -d pubsub.kosmos.org -d uploads.xmpp.kosmos.org -n"
   not_if do
     File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
   end
 end
 
+execute "letsencrypt cert for kosmos.chat" do
+  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.chat -n"
+  not_if do
+    File.exist?("/etc/letsencrypt/live/kosmos.chat/fullchain.pem")
+  end
+end
+
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
   not_if do
     File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
   end

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -87,16 +87,6 @@ listen:
     ##  "/pub/archive": mod_http_fileserver
     ## register: true
     captcha: false
-  -
-    port: <%= @stun_turn_port %>
-    transport: udp
-    module: ejabberd_stun
-    auth_realm: <%= @stun_auth_realm %>
-    use_turn: true
-    tls: false
-    turn_ipv4_address: <%= @turn_ip_address %>
-    turn_min_port: <%= @turn_min_port %>
-    turn_max_port: <%= @turn_max_port %>
 
 s2s_use_starttls: optional
 
@@ -133,7 +123,7 @@ shaper_rules:
   max_user_sessions: 10
   max_user_offline_messages:
     - 5000: admin
-    - 100
+    - 1000
   c2s_shaper:
     - none: admin
     - normal
@@ -226,7 +216,7 @@ modules:
     access_createnode: pubsub_createnode
     ignore_pep_from_offline: false
     last_item_cache: false
-    max_items_node: 10
+    max_items_node: 10000
     plugins:
       - "flat"
       - "pep" # pep requires mod_caps
@@ -240,22 +230,38 @@ modules:
     store_current_id: true
   mod_shared_roster: {}
   mod_stun_disco:
+    offer_local_services: false
     secret: <%= @stun_secret %>
     services:
       -
-        host: <%= @turn_ip_address %>
+        host: <%= @turn_domain %>
         port: <%= @stun_turn_port %>
         type: stun
         transport: udp
         restricted: false
       -
-        host: <%= @turn_ip_address %>
+        host: <%= @turn_domain %>
+        port: <%= @stun_turn_port_tls %>
+        type: stuns
+        transport: tcp
+        restricted: false
+      -
+        host: <%= @turn_domain %>
         port: <%= @stun_turn_port %>
         type: turn
         transport: udp
         restricted: true
+      -
+        host: <%= @turn_domain %>
+        port: <%= @stun_turn_port_tls %>
+        type: turns
+        transport: tcp
+        restricted: true
   mod_vcard:
+    db_type: ldap
     search: false
+    ldap_vcard_map:
+      PHOTO: {"%s": [jpegPhoto]}
   mod_vcard_xupdate: {}
   mod_avatar: {}
   mod_version: {}

site-cookbooks/kosmos-ejabberd/templates/gandi_dns_certbot_hook.sh.erb

@@ -1,21 +1,16 @@
 #!/usr/bin/env bash
-#
-
 set -euf -o pipefail
 
 # ************** USAGE **************
 #
-# Example usage (with this hook file saved in /root/):
+# Example usage:
 #
-#   sudo su -
 #   certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
 #     --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
 #
-# This hook requires configuration, continue reading.
-#
 # ************** CONFIGURATION **************
 #
-# GANDI_API_KEY: Your Gandi Live API key
+# ACCESS_TOKEN: Your Gandi Live API key
 #
 # PROVIDER_UPDATE_DELAY:
 #   How many seconds to wait after updating your DNS records. This may be required,
@@ -25,10 +20,16 @@ set -euf -o pipefail
 #
 #   Defaults to 30 seconds.
 #
-GANDI_API_KEY="<%= @gandi_api_key %>"
-PROVIDER_UPDATE_DELAY=30
+# VALIDATION_DOMAIN:
+#   Domain to create ACME DNS entries on. Use this when redirecting ACME subdomains
+#   from the original domain to a proxy validation domain that we control.
+#
+ACCESS_TOKEN="<%= @access_token %>"
+PROVIDER_UPDATE_DELAY=10
+VALIDATION_DOMAIN="${2:-}"
 
 regex='.*\.(.*\..*)'
+
 if [[ $CERTBOT_DOMAIN =~ $regex ]]
 then
   DOMAIN="${BASH_REMATCH[1]}"
@@ -36,25 +37,41 @@ else
   DOMAIN="${CERTBOT_DOMAIN}"
 fi
 
+if [[ -n "$VALIDATION_DOMAIN" ]]
+then
+  if [[ $VALIDATION_DOMAIN =~ $regex ]]
+  then
+    ACME_BASE_DOMAIN="${BASH_REMATCH[1]}"
+  else
+    echo "Validation domain has to be a subdomain, but it is not: \"${VALIDATION_DOMAIN}\""
+    exit 1
+  fi
+  ACME_DOMAIN="${CERTBOT_DOMAIN}.${VALIDATION_DOMAIN}"
+else
+  ACME_BASE_DOMAIN="${DOMAIN}"
+  ACME_DOMAIN="_acme-challenge.${CERTBOT_DOMAIN}"
+fi
+
 # To be invoked via Certbot's --manual-auth-hook
 function auth {
-    curl -s -D- -H "Content-Type: application/json" \
-        -H "X-Api-Key: ${GANDI_API_KEY}" \
-        -d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
-             \"rrset_type\": \"TXT\",
-             \"rrset_ttl\": 3600,
-             \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
-        "https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
+  curl -s -D- \
+       -H "Content-Type: application/json" \
+       -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+       -d "{\"rrset_name\": \"${ACME_DOMAIN}.\",
+            \"rrset_type\": \"TXT\",
+            \"rrset_ttl\": 300,
+            \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
+       "https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records"
 
-
-    sleep ${PROVIDER_UPDATE_DELAY}
+  sleep ${PROVIDER_UPDATE_DELAY}
 }
 
 # To be invoked via Certbot's --manual-cleanup-hook
 function cleanup {
-    curl -s -X DELETE -H "Content-Type: application/json" \
-        -H "X-Api-Key: ${GANDI_API_KEY}" \
-        https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
+  curl -s -X DELETE \
+       -H "Content-Type: application/json" \
+       -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+       "https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records/${ACME_DOMAIN}./TXT"
 }
 
 HANDLER=$1; shift;

site-cookbooks/kosmos-ejabberd/templates/turnserver.conf.erb

@@ -0,0 +1,708 @@
+# Coturn TURN SERVER configuration file
+#
+# Boolean values note: where boolean value is supposed to be used,
+# you can use '0', 'off', 'no', 'false', 'f' as 'false, 
+# and you can use '1', 'on', 'yes', 'true', 't' as 'true' 
+# If the value is missed, then it means 'true'.
+#
+
+# Listener interface device (optional, Linux only).
+# NOT RECOMMENDED. 
+#
+#listening-device=eth0
+
+# TURN listener port for UDP and TCP (Default: 3478).
+# Note: actually, TLS & DTLS sessions can connect to the 
+# "plain" TCP & UDP port(s), too - if allowed by configuration.
+#
+listening-port=<%= @listening_port %>
+
+# TURN listener port for TLS (Default: 5349).
+# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
+# port(s), too - if allowed by configuration. The TURN server 
+# "automatically" recognizes the type of traffic. Actually, two listening
+# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
+# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
+# For secure TCP connections, we currently support SSL version 3 and 
+# TLS version 1.0, 1.1 and 1.2.
+# For secure UDP connections, we support DTLS version 1.
+#
+tls-listening-port=<%= @tls_listening_port %>
+
+# Alternative listening port for UDP and TCP listeners;
+# default (or zero) value means "listening port plus one". 
+# This is needed for RFC 5780 support
+# (STUN extension specs, NAT behavior discovery). The TURN Server 
+# supports RFC 5780 only if it is started with more than one 
+# listening IP address of the same family (IPv4 or IPv6).
+# RFC 5780 is supported only by UDP protocol, other protocols
+# are listening to that endpoint only for "symmetry".
+#
+#alt-listening-port=0
+							 
+# Alternative listening port for TLS and DTLS protocols.
+# Default (or zero) value means "TLS listening port plus one".
+#
+#alt-tls-listening-port=0
+	
+# Listener IP address of relay server. Multiple listeners can be specified.
+# If no IP(s) specified in the config file or in the command line options, 
+# then all IPv4 and IPv6 system IPs will be used for listening.
+#
+listening-ip=<%= @listening_ip %>
+#listening-ip=10.207.21.238
+#listening-ip=2607:f0d0:1002:51::4
+
+# Auxiliary STUN/TURN server listening endpoint.
+# Aux servers have almost full TURN and STUN functionality.
+# The (minor) limitations are:
+#
+# 1) Auxiliary servers do not have alternative ports and
+# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
+#
+# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
+# 
+# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
+#
+# There may be multiple aux-server options, each will be used for listening
+# to client requests.
+#
+#aux-server=172.17.19.110:33478
+#aux-server=[2607:f0d0:1002:51::4]:33478
+
+# (recommended for older Linuxes only)
+# Automatically balance UDP traffic over auxiliary servers (if configured).
+# The load balancing is using the ALTERNATE-SERVER mechanism.
+# The TURN client must support 300 ALTERNATE-SERVER response for this 
+# functionality.
+#
+#udp-self-balance
+
+# Relay interface device for relay sockets (optional, Linux only).
+# NOT RECOMMENDED.
+#
+#relay-device=eth1
+
+# Relay address (the local IP address that will be used to relay the 
+# packets to the peer).
+# Multiple relay addresses may be used.
+# The same IP(s) can be used as both listening IP(s) and relay IP(s).
+#
+# If no relay IP(s) specified, then the turnserver will apply the default
+# policy: it will decide itself which relay addresses to be used, and it 
+# will always be using the client socket IP address as the relay IP address
+# of the TURN session (if the requested relay address family is the same
+# as the family of the client socket).
+#
+relay-ip=<%= @relay_ip %>
+#relay-ip=2607:f0d0:1002:51::5
+
+# For Amazon EC2 users:
+#
+# TURN Server public/private address mapping, if the server is behind NAT.
+# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
+# as relay IP address of all allocations. This scenario works only in a simple case
+# when one single relay address is be used, and no RFC5780 functionality is required.
+# That single relay address must be mapped by NAT to the 'external' IP.
+# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
+# For that 'external' IP, NAT must forward ports directly (relayed port 12345
+# must be always mapped to the same 'external' port 12345).
+#
+# In more complex case when more than one IP address is involved,
+# that option must be used several times, each entry must
+# have form "-X <public-ip/private-ip>", to map all involved addresses.
+# RFC5780 NAT discovery STUN functionality will work correctly,
+# if the addresses are mapped properly, even when the TURN server itself 
+# is behind A NAT.
+#
+# By default, this value is empty, and no address mapping is used.
+#
+#external-ip=60.70.80.91
+#
+#OR:
+#
+#external-ip=60.70.80.91/172.17.19.101
+#external-ip=60.70.80.92/172.17.19.102
+
+
+# Number of the relay threads to handle the established connections
+# (in addition to authentication thread and the listener thread).
+# If explicitly set to 0 then application runs relay process in a 
+# single thread, in the same thread with the listener process 
+# (the authentication thread will still be a separate thread).
+#
+# If this parameter is not set, then the default OS-dependent 
+# thread pattern algorithm will be employed. Usually the default
+# algorithm is the most optimal, so you have to change this option
+# only if you want to make some fine tweaks. 
+#
+# In the older systems (Linux kernel before 3.9),
+# the number of UDP threads is always one thread per network listening
+# endpoint - including the auxiliary endpoints - unless 0 (zero) or 
+# 1 (one) value is set.
+#
+#relay-threads=0
+
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+min-port=<%= @min_port %>
+max-port=<%= @max_port %>
+	
+# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
+# By default the verbose mode is off.
+verbose
+	
+# Uncomment to run TURN server in 'extra' verbose mode.
+# This mode is very annoying and produces lots of output.
+# Not recommended under any normal circumstances.
+#	
+#Verbose
+
+# Uncomment to use fingerprints in the TURN messages.
+# By default the fingerprints are off.
+#
+#fingerprint
+
+# Uncomment to use long-term credential mechanism.
+# By default no credentials mechanism is used (any user allowed).
+#
+#lt-cred-mech
+
+# This option is opposite to lt-cred-mech. 
+# (TURN Server with no-auth option allows anonymous access).
+# If neither option is defined, and no users are defined,
+# then no-auth is default. If at least one user is defined, 
+# in this file or in command line or in usersdb file, then
+# lt-cred-mech is default.
+#
+#no-auth
+
+# TURN REST API flag.
+# (Time Limited Long Term Credential)
+# Flag that sets a special authorization option that is based upon authentication secret.
+#
+# This feature's purpose is to support "TURN Server REST API", see
+# "TURN REST API" link in the project's page 
+# https://github.com/coturn/coturn/
+#
+# This option is used with timestamp:
+# 
+# usercombo -> "timestamp:userid"
+# turn user -> usercombo
+# turn password -> base64(hmac(secret key, usercombo))
+#
+# This allows TURN credentials to be accounted for a specific user id.
+# If you don't have a suitable id, the timestamp alone can be used.
+# This option is just turning on secret-based authentication.
+# The actual value of the secret is defined either by option static-auth-secret,
+# or can be found in the turn_secret table in the database (see below).
+# 
+# Read more about it:
+#  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
+#  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
+#
+# Be aware that use-auth-secret overrides some part of lt-cred-mech.
+# Notice that this feature depends internally on lt-cred-mech, so if you set
+# use-auth-secret then it enables internally automatically lt-cred-mech option
+# like if you enable both.
+#
+# You can use only one of the to auth mechanisms in the same time because,
+# both mechanism use the username and password validation in different way.
+#
+# This way be aware that you can't use both auth mechnaism in the same time!
+# Use in config either the lt-cred-mech or the use-auth-secret
+# to avoid any confusion.
+#
+use-auth-secret
+
+# 'Static' authentication secret value (a string) for TURN REST API only. 
+# If not set, then the turn server
+# will try to use the 'dynamic' value in turn_secret table
+# in user database (if present). The database-stored  value can be changed on-the-fly
+# by a separate program, so this is why that other mode is 'dynamic'.
+#
+static-auth-secret=<%= @static_auth_secret %>
+
+# Server name used for
+# the oAuth authentication purposes.
+# The default value is the realm name.
+#
+#server-name=blackdow.carleon.gov
+
+# Flag that allows oAuth authentication.
+#
+#oauth
+
+# 'Static' user accounts for long term credentials mechanism, only.
+# This option cannot be used with TURN REST API.
+# 'Static' user accounts are NOT dynamically checked by the turnserver process, 
+# so that they can NOT be changed while the turnserver is running.
+#
+#user=username1:key1
+#user=username2:key2
+# OR:
+#user=username1:password1
+#user=username2:password2
+#
+# Keys must be generated by turnadmin utility. The key value depends
+# on user name, realm, and password:
+#
+# Example:
+# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
+# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
+# ('0x' in the beginning of the key is what differentiates the key from
+# password. If it has 0x then it is a key, otherwise it is a password).
+#
+# The corresponding user account entry in the config file will be:
+# 
+#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
+# Or, equivalently, with open clear password (less secure):
+#user=ninefingers:youhavetoberealistic
+#
+
+# SQLite database file name.
+#
+# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
+# /var/lib/turn/turndb.
+# 
+#userdb=/var/db/turndb
+
+# PostgreSQL database connection string in the case that we are using PostgreSQL
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
+# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
+# versions connection string format, see 
+# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
+# for 9.x and newer connection string formats.
+#
+#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
+
+# MySQL database connection string in the case that we are using MySQL
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN RESP API.
+#
+# Optional connection string parameters for the secure communications (SSL): 
+# ca, capath, cert, key, cipher 
+# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the 
+# command options description).
+#
+# Use string format as below (space separated parameters, all optional):
+#
+#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
+
+# If you want to use in the MySQL connection string the password in encrypted format,
+# then set in this option the MySQL password encryption secret key file.
+#
+# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format! 
+# If you want to use cleartext password then do not set this option!
+#
+# This is the file path which contain secret key of aes encryption while using password encryption.
+#
+#secret-key-file=/path/
+
+# MongoDB database connection string in the case that we are using MongoDB
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
+# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
+#
+#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
+
+# Redis database connection string in the case that we are using Redis
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
+# Use string format as below (space separated parameters, all optional):
+#
+#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
+
+# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
+# This database keeps allocations status information, and it can be also used for publishing
+# and delivering traffic and allocation event notifications.
+# The connection string has the same parameters as redis-userdb connection string. 
+# Use string format as below (space separated parameters, all optional):
+#
+#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
+
+# The default realm to be used for the users when no explicit 
+# origin/realm relationship was found in the database, or if the TURN
+# server is not using any database (just the commands-line settings
+# and the userdb file). Must be used with long-term credentials 
+# mechanism or with TURN REST API.
+#
+# Note: If default realm is not specified at all, then realm falls back to the host domain name.
+#       If domain name is empty string, or '(None)', then it is initialized to am empty string.
+#
+realm=<%= @realm %>
+
+# The flag that sets the origin consistency 
+# check: across the session, all requests must have the same
+# main ORIGIN attribute value (if the ORIGIN was
+# initially used by the session).
+#
+#check-origin-consistency
+
+# Per-user allocation quota.
+# default value is 0 (no quota, unlimited number of sessions per user).
+# This option can also be set through the database, for a particular realm.
+#
+#user-quota=0
+
+# Total allocation quota.
+# default value is 0 (no quota).
+# This option can also be set through the database, for a particular realm.
+#
+#total-quota=0
+
+# Max bytes-per-second bandwidth a TURN session is allowed to handle
+# (input and output network streams are treated separately). Anything above
+# that limit will be dropped or temporary suppressed (within
+# the available buffer limits).
+# This option can also be set through the database, for a particular realm.
+#
+#max-bps=0
+
+#
+# Maximum server capacity.
+# Total bytes-per-second bandwidth the TURN server is allowed to allocate
+# for the sessions, combined (input and output network streams are treated separately).
+#
+# bps-capacity=0
+
+# Uncomment if no UDP client listener is desired.
+# By default UDP client listener is always started.
+#
+#no-udp
+
+# Uncomment if no TCP client listener is desired.
+# By default TCP client listener is always started.
+#
+#no-tcp
+
+# Uncomment if no TLS client listener is desired.
+# By default TLS client listener is always started.
+#
+#no-tls
+
+# Uncomment if no DTLS client listener is desired.
+# By default DTLS client listener is always started.
+#
+#no-dtls
+
+# Uncomment if no UDP relay endpoints are allowed.
+# By default UDP relay endpoints are enabled (like in RFC 5766).
+#
+#no-udp-relay
+
+# Uncomment if no TCP relay endpoints are allowed.
+# By default TCP relay endpoints are enabled (like in RFC 6062).
+#
+#no-tcp-relay
+
+# Uncomment if extra security is desired,
+# with nonce value having limited lifetime.
+# By default, the nonce value is unique for a session,
+# and has unlimited lifetime. 
+# Set this option to limit the nonce lifetime. 
+# It defaults to 600 secs (10 min) if no value is provided. After that delay, 
+# the client will get 438 error and will have to re-authenticate itself.
+#
+#stale-nonce=600
+
+# Uncomment if you want to set the maximum allocation
+# time before it has to be refreshed.
+# Default is 3600s.
+#
+#max-allocate-lifetime=3600
+
+
+# Uncomment to set the lifetime for the channel.
+# Default value is 600 secs (10 minutes).
+# This value MUST not be changed for production purposes.
+#
+#channel-lifetime=600
+
+# Uncomment to set the permission lifetime.
+# Default to 300 secs (5 minutes).
+# In production this value MUST not be changed,
+# however it can be useful for test purposes.
+#
+#permission-lifetime=300
+
+# Certificate file.
+# Use an absolute path or path relative to the 
+# configuration file.
+#
+cert=<%= @cert %>
+
+# Private key file.
+# Use an absolute path or path relative to the 
+# configuration file.
+# Use PEM file format.
+#
+pkey=<%= @pkey %>
+
+# Private key file password, if it is in encoded format.
+# This option has no default value.
+#
+#pkey-pwd=...
+
+# Allowed OpenSSL cipher list for TLS/DTLS connections.
+# Default value is "DEFAULT".
+#
+#cipher-list="DEFAULT"
+
+# CA file in OpenSSL format. 
+# Forces TURN server to verify the client SSL certificates.
+# By default it is not set: there is no default value and the client
+# certificate is not checked.
+#
+# Example:
+#CA-file=/etc/ssh/id_rsa.cert
+
+# Curve name for EC ciphers, if supported by OpenSSL 
+# library (TLS and DTLS). The default value is prime256v1, 
+# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
+# an optimal curve will be automatically calculated, if not defined
+# by this option.
+#
+#ec-curve-name=prime256v1
+
+# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
+#
+#dh566
+
+# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
+#
+#dh2066
+
+# Use custom DH TLS key, stored in PEM format in the file.
+# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
+#
+#dh-file=<DH-PEM-file-name>
+
+# Flag to prevent stdout log messages.
+# By default, all log messages are going to both stdout and to 
+# the configured log file. With this option everything will be 
+# going to the configured log only (unless the log file itself is stdout).
+#
+#no-stdout-log
+
+# Option to set the log file name.
+# By default, the turnserver tries to open a log file in 
+# /var/log, /var/tmp, /tmp and current directories directories
+# (which open operation succeeds first that file will be used).
+# With this option you can set the definite log file name.
+# The special names are "stdout" and "-" - they will force everything 
+# to the stdout. Also, the "syslog" name will force everything to
+# the system log (syslog). 
+# In the runtime, the logfile can be reset with the SIGHUP signal 
+# to the turnserver process.
+#
+#log-file=/var/tmp/turn.log
+
+# Option to redirect all log output into system log (syslog).
+#
+syslog
+
+# This flag means that no log file rollover will be used, and the log file
+# name will be constructed as-is, without PID and date appendage.
+# This option can be used, for example, together with the logrotate tool.
+#
+#simple-log
+
+# Option to set the "redirection" mode. The value of this option
+# will be the address of the alternate server for UDP & TCP service in form of 
+# <ip>[:<port>]. The server will send this value in the attribute
+# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
+# Client will receive only values with the same address family
+# as the client network endpoint address family. 
+# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description. 
+# The client must use the obtained value for subsequent TURN communications.
+# If more than one --alternate-server options are provided, then the functionality
+# can be more accurately described as "load-balancing" than a mere "redirection". 
+# If the port number is omitted, then the default port 
+# number 3478 for the UDP/TCP protocols will be used.
+# Colon (:) characters in IPv6 addresses may conflict with the syntax of 
+# the option. To alleviate this conflict, literal IPv6 addresses are enclosed 
+# in square brackets in such resource identifiers, for example: 
+# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . 
+# Multiple alternate servers can be set. They will be used in the
+# round-robin manner. All servers in the pool are considered of equal weight and 
+# the load will be distributed equally. For example, if we have 4 alternate servers, 
+# then each server will receive 25% of ALLOCATE requests. A alternate TURN server 
+# address can be used more than one time with the alternate-server option, so this 
+# can emulate "weighting" of the servers.
+#
+# Examples: 
+#alternate-server=1.2.3.4:5678
+#alternate-server=11.22.33.44:56789
+#alternate-server=5.6.7.8
+#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
+			
+# Option to set alternative server for TLS & DTLS services in form of 
+# <ip>:<port>. If the port number is omitted, then the default port 
+# number 5349 for the TLS/DTLS protocols will be used. See the previous 
+# option for the functionality description.
+#
+# Examples: 
+#tls-alternate-server=1.2.3.4:5678
+#tls-alternate-server=11.22.33.44:56789
+#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
+
+# Option to suppress TURN functionality, only STUN requests will be processed.
+# Run as STUN server only, all TURN requests will be ignored.
+# By default, this option is NOT set.
+#
+#stun-only
+
+# Option to suppress STUN functionality, only TURN requests will be processed.
+# Run as TURN server only, all STUN requests will be ignored.
+# By default, this option is NOT set.
+#
+#no-stun
+
+# This is the timestamp/username separator symbol (character) in TURN REST API.
+# The default value is ':'.
+# rest-api-separator=:	
+
+# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
+# This is an extra security measure.
+#
+# (To avoid any security issue that allowing loopback access may raise,
+# the no-loopback-peers option is replaced by allow-loopback-peers.)
+#
+# Allow it only for testing in a development environment! 
+# In production it adds a possible security vulnerability, so for security reasons 
+# it is not allowed using it together with empty cli-password. 
+#
+#allow-loopback-peers
+
+# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
+# This is an extra security measure.
+#
+#no-multicast-peers
+
+# Option to set the max time, in seconds, allowed for full allocation establishment. 
+# Default is 60 seconds.
+#
+#max-allocate-timeout=60
+
+# Option to allow or ban specific ip addresses or ranges of ip addresses. 
+# If an ip address is specified as both allowed and denied, then the ip address is 
+# considered to be allowed. This is useful when you wish to ban a range of ip 
+# addresses, except for a few specific ips within that range.
+#
+# This can be used when you do not want users of the turn server to be able to access
+# machines reachable by the turn server, but would otherwise be unreachable from the 
+# internet (e.g. when the turn server is sitting behind a NAT)
+#
+# Examples:
+# denied-peer-ip=83.166.64.0-83.166.95.255
+# allowed-peer-ip=83.166.68.45
+
+# File name to store the pid of the process.
+# Default is /var/run/turnserver.pid (if superuser account is used) or
+# /var/tmp/turnserver.pid .
+#
+#pidfile="/var/run/turnserver.pid"
+
+# Require authentication of the STUN Binding request.
+# By default, the clients are allowed anonymous access to the STUN Binding functionality.
+#
+#secure-stun
+
+# Mobility with ICE (MICE) specs support.
+#
+#mobility
+
+# Allocate Address Family according 
+# If enabled then TURN server allocates address family according  the TURN 
+# Client <=> Server communication address family.
+# (By default coTURN works according RFC 6156.)
+# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
+#
+#keep-address-family
+
+
+# User name to run the process. After the initialization, the turnserver process
+# will make an attempt to change the current user ID to that user.
+#
+#proc-user=<user-name>
+
+# Group name to run the process. After the initialization, the turnserver process
+# will make an attempt to change the current group ID to that group.
+#
+#proc-group=<group-name>
+
+# Turn OFF the CLI support.
+# By default it is always ON.
+# See also options cli-ip and cli-port.
+#
+no-cli
+
+#Local system IP address to be used for CLI server endpoint. Default value
+# is 127.0.0.1.
+#
+#cli-ip=127.0.0.1
+
+# CLI server port. Default is 5766.
+#
+#cli-port=5766
+
+# CLI access password. Default is empty (no password).
+# For the security reasons, it is recommended to use the encrypted
+# for of the password (see the -P command in the turnadmin utility).
+#
+# Secure form for password 'qwerty':
+#
+#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
+#
+# Or unsecure form for the same password:
+#
+#cli-password=qwerty
+
+# Enable Web-admin support on https. By default it is Disabled.
+# If it is enabled it also enables a http a simple static banner page
+# with a small reminder that the admin page is available only on https.
+#
+#web-admin
+
+# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
+#
+#web-admin-ip=127.0.0.1
+
+# Web-admin server port. Default is 8080.
+#
+#web-admin-port=8080
+
+# Web-admin server listen on STUN/TURN worker threads
+# By default it is disabled for security resons! (Not recommended in any production environment!)
+#
+#web-admin-listen-on-workers
+
+# Server relay. NON-STANDARD AND DANGEROUS OPTION. 
+# Only for those applications when we want to run 
+# server applications on the relay endpoints.
+# This option eliminates the IP permissions check on 
+# the packets incoming to the relay endpoints.
+#
+#server-relay
+
+# Maximum number of output sessions in ps CLI command.
+# This value can be changed on-the-fly in CLI. The default value is 256.
+#
+#cli-max-output-sessions
+
+# Set network engine type for the process (for internal purposes).
+#
+#ne=[1|2|3]
+
+# Do not allow an TLS/DTLS version of protocol
+#
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2

site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb

@@ -1,7 +1,8 @@
 # Generated by Chef for <%= @host[:name] %>
 certfiles:
-  - "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
-  - "/opt/ejabberd/conf/<%= @host[:name] %>.key"
+<% @host[:certfiles].each do |certfile| %>
+  - <%= certfile %>
+<% end %>
 host_config:
   "<%= @host[:name] %>":
     sql_type: pgsql
@@ -16,7 +17,7 @@ host_config:
     ldap_password: "<%= @host[:ldap_password] %>"
     ldap_encrypt: <%= @ldap_encryption_type %>
     ldap_base: "ou=<%= @host[:name] %>,<%= @ldap_base %>"
-    ldap_filter: "(objectClass=person)"
+    ldap_filter: "<%= @ldap_filter %>"
   <% end -%>
 
 append_host_config:

site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb

@@ -4,6 +4,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
 
 tls_cert_for domain do
   auth "gandi_dns"
+  acme_domain "letsencrypt.kosmos.org"
   action :create
 end
 

site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb

@@ -5,6 +5,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
 
 tls_cert_for domain do
   auth "gandi_dns"
+  acme_domain "letsencrypt.kosmos.org"
   action :create
 end
 

site-cookbooks/kosmos-ipfs/attributes/default.rb

@@ -62,4 +62,4 @@ node.default['kosmos-ipfs']['ipfs']['config'] = {
 node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org"
 node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444
 
-node.default['kosmos-ipfs']['kredits-pinner']['revision'] = "v2.2.0"
+node.default['kosmos-ipfs']['kredits-pinner']['revision'] = "v2.3.0"

site-cookbooks/kosmos-mastodon/attributes/default.rb

@@ -1,5 +1,5 @@
 node.default["kosmos-mastodon"]["repo"]              = "https://gitea.kosmos.org/kosmos/mastodon.git"
-node.default["kosmos-mastodon"]["revision"]          = "production"
+node.default["kosmos-mastodon"]["revision"]          = "production-4.3"
 node.default["kosmos-mastodon"]["directory"]         = "/opt/mastodon"
 node.default["kosmos-mastodon"]["bind_ip"]           = "127.0.0.1"
 node.default["kosmos-mastodon"]["app_port"]          = 3000
@@ -10,7 +10,7 @@ node.default["kosmos-mastodon"]["redis_url"]         = "redis://localhost:6379/0
 node.default["kosmos-mastodon"]["sidekiq_threads"]   = 25
 node.default["kosmos-mastodon"]["allowed_private_addresses"] = "127.0.0.1"
 
-node.default["kosmos-mastodon"]["onion_address"]     = nil
+node.default["kosmos-mastodon"]["onion_address"] = nil
 
 # Allocate this amount of RAM to the Java heap for Elasticsearch
 node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
@@ -20,6 +20,10 @@ node.default["kosmos-mastodon"]["s3_region"]     = nil
 node.default["kosmos-mastodon"]["s3_bucket"]     = nil
 node.default["kosmos-mastodon"]["s3_alias_host"] = nil
 
+node.default["kosmos-mastodon"]["sso_account_sign_up_url"] = "https://kosmos.org"
+node.default["kosmos-mastodon"]["sso_account_reset_password_url"] = "https://accounts.kosmos.org/users/password/new"
+node.default["kosmos-mastodon"]["sso_account_resend_confirmation_url"] = "https://accounts.kosmos.org/users/confirmation/new"
+
 node.default["kosmos-mastodon"]["default_locale"] = "en"
 node.default["kosmos-mastodon"]["libre_translate_endpoint"] = nil
 

site-cookbooks/kosmos-mastodon/recipes/backup.rb

@@ -6,13 +6,12 @@
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 
 unless node.chef_environment == "development"
-  unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
-    node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
-    node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
-      username: "mastodon",
-      password: postgresql_data_bag_item['mastodon_user_password']
-    }
-  end
+  node.override['backup']['s3']['keep'] = 1
+  node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
+  node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
+    username: "mastodon",
+    password: postgresql_data_bag_item['mastodon_user_password']
+  }
 
   include_recipe "backup"
 end

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -3,7 +3,7 @@
 # Recipe:: default
 #
 
-node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_16.x"
+node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
 
 include_recipe "kosmos-nodejs"
 include_recipe "java"
@@ -44,7 +44,7 @@ end
 
 elasticsearch_service 'elasticsearch'
 
-postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
+postgresql_credentials = data_bag_item('credentials', 'postgresql')
 
 mastodon_path = node["kosmos-mastodon"]["directory"]
 mastodon_user = "mastodon"
@@ -71,11 +71,7 @@ package %w(build-essential imagemagick ffmpeg libxml2-dev libxslt1-dev file git
            curl pkg-config libprotobuf-dev protobuf-compiler libidn11
            libidn11-dev libjemalloc2 libpq-dev)
 
-npm_package "yarn" do
-  version "1.22.4"
-end
-
-ruby_version = "3.0.6"
+ruby_version = "3.3.5"
 
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
@@ -168,32 +164,55 @@ execute "restart mastodon services" do
   notifies :restart, "service[mastodon-streaming]", :delayed
 end
 
-mastodon_credentials = data_bag_item('credentials', 'mastodon')
+credentials = data_bag_item('credentials', 'mastodon')
+
+ldap_config = {
+  host: "ldap.kosmos.local",
+  port: 389,
+  method: "plain",
+  base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
+  bind_dn: credentials["ldap_bind_dn"],
+  password: credentials["ldap_password"],
+  uid: "cn",
+  mail: "mail",
+  search_filter: "(&(|(cn=%{email})(mail=%{email}))(serviceEnabled=mastodon))",
+  uid_conversion_enabled: "true",
+  uid_conversion_search: "-",
+  uid_conversion_replace: "_"
+}
 
 template "#{mastodon_path}/.env.#{rails_env}" do
   source "env.erb"
   mode  "0640"
   owner mastodon_user
   group mastodon_user
+  sensitive true
   variables redis_url: node["kosmos-mastodon"]["redis_url"],
             domain: node["kosmos-mastodon"]["domain"],
             alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
-            paperclip_secret: mastodon_credentials['paperclip_secret'],
-            secret_key_base: mastodon_credentials['secret_key_base'],
-            otp_secret: mastodon_credentials['otp_secret'],
-            smtp_login: mastodon_credentials['smtp_user_name'],
-            smtp_password: mastodon_credentials['smtp_password'],
+            active_record_encryption_deterministic_key: credentials["active_record_encryption_deterministic_key"],
+            active_record_encryption_key_derivation_salt: credentials["active_record_encryption_key_derivation_salt"],
+            active_record_encryption_primary_key: credentials["active_record_encryption_primary_key"],
+            paperclip_secret: credentials['paperclip_secret'],
+            secret_key_base: credentials['secret_key_base'],
+            otp_secret: credentials['otp_secret'],
+            ldap: ldap_config,
+            smtp_login: credentials['smtp_user_name'],
+            smtp_password: credentials['smtp_password'],
             smtp_from_address: "mail@#{node['kosmos-mastodon']['domain']}",
             s3_endpoint: node["kosmos-mastodon"]["s3_endpoint"],
             s3_region: node["kosmos-mastodon"]["s3_region"],
             s3_bucket: node["kosmos-mastodon"]["s3_bucket"],
             s3_alias_host: node["kosmos-mastodon"]["s3_alias_host"],
-            aws_access_key_id: mastodon_credentials['s3_key_id'],
-            aws_secret_access_key: mastodon_credentials['s3_secret_key'],
-            vapid_private_key: mastodon_credentials['vapid_private_key'],
-            vapid_public_key: mastodon_credentials['vapid_public_key'],
-            db_pass: postgresql_data_bag_item['mastodon_user_password'],
+            aws_access_key_id: credentials['s3_key_id'],
+            aws_secret_access_key: credentials['s3_secret_key'],
+            vapid_private_key: credentials['vapid_private_key'],
+            vapid_public_key: credentials['vapid_public_key'],
+            db_pass: postgresql_credentials['mastodon_user_password'],
             db_host: "pg.kosmos.local",
+            sso_account_sign_up_url: node["kosmos-mastodon"]["sso_account_sign_up_url"],
+            sso_account_reset_password_url: node["kosmos-mastodon"]["sso_account_reset_password_url"],
+            sso_account_resend_confirmation_url: node["kosmos-mastodon"]["sso_account_resend_confirmation_url"],
             default_locale: node["kosmos-mastodon"]["default_locale"],
             allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],
             libre_translate_endpoint: node["kosmos-mastodon"]["libre_translate_endpoint"]
@@ -211,7 +230,7 @@ execute "yarn install" do
   environment deploy_env
   user mastodon_user
   cwd mastodon_path
-  command "yarn install --frozen-lockfile"
+  command "corepack prepare && yarn install --immutable"
 end
 
 execute "rake assets:precompile" do

site-cookbooks/kosmos-mastodon/recipes/nginx.rb

@@ -12,6 +12,13 @@ search(:node, "role:mastodon").each do |node|
 end
 if upstream_hosts.any?
   web_root_dir = "/var/www/#{server_name}/public"
+  directory web_root_dir do
+    action :create
+    recursive true
+    owner 'www-data'
+    group 'www-data'
+    mode 0755
+  end
 else
   web_root_dir = "#{app_dir}/public"
   upstream_hosts << "localhost"
@@ -28,12 +35,15 @@ template "#{node['openresty']['dir']}/snippets/mastodon.conf" do
   owner 'www-data'
   mode 0640
   variables web_root_dir: web_root_dir,
-            server_name:  server_name
+            server_name:  server_name,
+            s3_private_url: "#{node["kosmos-mastodon"]["s3_endpoint"]}/#{node["kosmos-mastodon"]["s3_bucket"]}/",
+            s3_public_url: "https://#{node["kosmos-mastodon"]["s3_alias_host"]}/"
   notifies :reload, 'service[openresty]', :delayed
 end
 
 tls_cert_for server_name do
   auth "gandi_dns"
+  acme_domain "letsencrypt.kosmos.org"
   action :create
 end
 

site-cookbooks/kosmos-mastodon/templates/default/env.erb

@@ -12,6 +12,9 @@ LOCAL_HTTPS=true
 
 # Application secrets
 # Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=<%= @active_record_encryption_deterministic_key %>
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=<%= @active_record_encryption_key_derivation_salt %>
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=<%= @active_record_encryption_primary_key %>
 PAPERCLIP_SECRET=<%= @paperclip_secret %>
 SECRET_KEY_BASE=<%= @secret_key_base %>
 OTP_SECRET=<%= @otp_secret %>
@@ -29,6 +32,26 @@ SMTP_LOGIN=<%= @smtp_login %>
 SMTP_PASSWORD=<%= @smtp_password %>
 SMTP_FROM_ADDRESS=<%= @smtp_from_address %>
 
+<% if @ldap %>
+# LDAP configuration
+LDAP_ENABLED=true
+LDAP_HOST=<%= @ldap[:host] %>
+LDAP_PORT=<%= @ldap[:port] %>
+LDAP_METHOD='<%= @ldap[:method] %>'
+LDAP_BASE='<%= @ldap[:base] %>'
+LDAP_BIND_DN='<%= @ldap[:bind_dn] %>'
+LDAP_PASSWORD='<%= @ldap[:password] %>'
+LDAP_UID=<%= @ldap[:uid] %>
+LDAP_MAIL=<%= @ldap[:mail] %>
+LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
+LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
+LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
+LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
+SSO_ACCOUNT_SIGN_UP=<%= @sso_account_sign_up_url %>
+SSO_ACCOUNT_RESET_PASSWORD=<%= @sso_account_reset_password_url %>
+SSO_ACCOUNT_RESEND_CONFIRMATION=<%= @sso_account_resend_confirmation_url %>
+<% end %>
+
 # Optional asset host for multi-server setups
 # CDN_HOST=assets.example.com
 

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb

@@ -32,6 +32,12 @@ server {
 <% if @onion_address %>
   add_header Onion-Location https://mastodon.<%= @onion_address %>$request_uri;
 <% end %>
+
+  location ~ ^/.well-known/(lnurlp|keysend) {
+    add_header 'Access-Control-Allow-Origin' '*';
+    proxy_ssl_server_name on;
+    proxy_pass https://accounts.kosmos.org;
+  }
 }
 
 <% if @onion_address %>

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb

@@ -108,11 +108,13 @@ location @proxy {
 
   proxy_pass http://mastodon_app;
   proxy_buffering on;
-  proxy_redirect off;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection $connection_upgrade;
 
+  # https://github.com/mastodon/mastodon/issues/24380
+  proxy_redirect <%= @s3_private_url %> <%= @s3_public_url %>;
+
   tcp_nodelay on;
 }
 

site-cookbooks/kosmos-nginx/recipes/default.rb

@@ -59,7 +59,7 @@ cookbook_file "#{node["nginx"]["user_home"]}/maintenance.html" do
   source "maintenance.html"
   owner node['nginx']['user']
   group node['nginx']['group']
-  mode "0640"
+  mode "0755"
 end
 
 unless node.chef_environment == "development"

site-cookbooks/kosmos_email/recipes/default.rb

@@ -7,6 +7,7 @@ domain   = node["email"]["domain"]
 hostname = node["email"]["hostname"]
 root_dir = node["email"]["root_directory"]
 ip_addr  = node["knife_zero"]["host"]
+extra_hostnames = ["smtp.#{domain}", "imap.#{domain}"]
 
 node.override["set_fqdn"] = hostname
 include_recipe "hostname"
@@ -23,7 +24,9 @@ directory root_dir do
 end
 
 tls_cert_for hostname do
+  domain ([hostname]+extra_hostnames)
   auth "gandi_dns"
+  deploy_hook "systemctl reload postfix.service && systemctl reload dovecot.service"
   action :create
 end
 

site-cookbooks/kosmos_garage/recipes/nginx_web.rb

@@ -3,6 +3,8 @@
 # Recipe:: nginx_web
 #
 
+gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
+
 file "#{node['openresty']['dir']}/conf.d/garage.conf" do
   content <<-EOF
 upstream garage_web {
@@ -40,8 +42,12 @@ end
 #
 
 node['garage']['s3_web_domains'].each do |domain_name|
+  second_level_domain = domain_name.match(/(?:.*\.)?([^.]+\.[^.]+)$/) { $1 }
+  proxy_validation = !gandi_api_credentials["domains"].include?(second_level_domain)
+
   tls_cert_for domain_name do
     auth "gandi_dns"
+    acme_domain "letsencrypt.kosmos.org" if proxy_validation
     action :create
   end
 

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,7 +1,5 @@
-gitea_version = "1.21.3"
-node.default["gitea"]["version"] = gitea_version
-node.default["gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["gitea"]["binary_checksum"] = "ccf6cc2077401e382bca0d000553a781a42c9103656bd33ef32bf093cca570eb"
+node.default["gitea"]["version"] = "1.23.7"
+node.default["gitea"]["checksum"] = "3c0a7121ad1d9c525a92c68a7c040546553cd41e7464ce2fa811246b648c0a46"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
@@ -16,5 +14,5 @@ node.default["gitea"]["config"] = {
   }
 }
 
-node.default["gitea"]["act_runner"]["download_url"] = "https://dl.gitea.com/act_runner/main/act_runner-main-linux-amd64"
-node.default["gitea"]["act_runner"]["checksum"] = "577ec7c64e7458b1e97cbe61d02da1ba1f4ddf24281b175f24f65101e72c000c"
+node.default["gitea"]["act_runner"]["version"] = "0.2.6"
+node.default["gitea"]["act_runner"]["checksum"] = "234c2bdb871e7b0bfb84697f353395bfc7819faf9f0c0443845868b64a041057"

site-cookbooks/kosmos_gitea/recipes/act_runner.rb

@@ -3,6 +3,8 @@
 # Recipe:: act_runner
 #
 
+version           = node["gitea"]["act_runner"]["version"]
+download_url      = "https://dl.gitea.com/act_runner/#{version}/act_runner-#{version}-linux-amd64"
 working_directory = node["gitea"]["working_directory"]
 gitea_credentials = data_bag_item("credentials", "gitea")
 runners           = gitea_credentials["runners"]
@@ -24,7 +26,7 @@ end
 end
 
 remote_file "/usr/local/bin/act_runner" do
-  source node["gitea"]["act_runner"]["download_url"]
+  source download_url
   checksum node["gitea"]["act_runner"]["checksum"]
   mode "0750"
 end
@@ -66,6 +68,7 @@ act_runner register \
         WorkingDirectory: runner_dir,
         Environment: "HOME=/root",
         ExecStart: "/usr/local/bin/act_runner daemon",
+        ExecStartPre: "/bin/sleep 3", # Wait for Gitea's API to be up when restarting at the same time
         Restart: "always",
       },
       Install: {

site-cookbooks/kosmos_gitea/recipes/backup.rb

@@ -8,5 +8,6 @@
 unless node.chef_environment == "development"
   # backup the data dir and the config files
   node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
+  node.override['backup']['s3']['keep'] = 2
   include_recipe "backup"
 end

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -3,6 +3,8 @@
 # Recipe:: default
 #
 
+version                   = node["gitea"]["version"]
+download_url              = "https://dl.gitea.io/gitea/#{version}/gitea-#{version}-linux-amd64"
 working_directory         = node["gitea"]["working_directory"]
 git_home_directory        = "/home/git"
 repository_root_directory = "#{git_home_directory}/gitea-repositories"
@@ -107,8 +109,8 @@ template "#{config_directory}/app.ini" do
 end
 
 remote_file gitea_binary_path do
-  source node['gitea']['binary_url']
-  checksum node['gitea']['binary_checksum']
+  source download_url
+  checksum node['gitea']['checksum']
   mode "0755"
   notifies :restart, "service[gitea]", :delayed
 end

site-cookbooks/kosmos_gitea/templates/default/app.ini.erb

@@ -24,9 +24,11 @@ NAME    = gitea
 USER    = gitea
 PASSWD  = <%= @postgresql_password %>
 SSL_MODE = disable
+MAX_OPEN_CONNS = 20
 
 [repository]
 ROOT = <%= @repository_root_directory %>
+DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
 
 # [indexer]
 # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
@@ -112,3 +114,7 @@ MINIO_USE_SSL=<%= c["use_ssl"] %>
 [actions]
 ENABLED = true
 <% end %>
+
+[other]
+SHOW_FOOTER_VERSION = false
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = false