Configure commit signing for Gitea

refs #237

.gitmodules

@@ -4,3 +4,9 @@
 [submodule "site-cookbooks/openresty"]
 	path = site-cookbooks/openresty
 	url = https://github.com/67P/chef-openresty.git
+[submodule "site-cookbooks/strfry"]
+	path = site-cookbooks/strfry
+	url = git@gitea.kosmos.org:kosmos/strfry-cookbook.git
+[submodule "site-cookbooks/deno"]
+	path = site-cookbooks/deno
+	url = git@gitea.kosmos.org:kosmos/deno-cookbook.git

Berksfile

@@ -21,6 +21,7 @@ cookbook 'composer',               '~> 2.7.0'
 cookbook 'fail2ban',               '~> 7.0.4'
 cookbook 'git',                    '~> 10.0.0'
 cookbook 'golang',                 '~> 5.3.1'
+cookbook 'gpg',                    '~> 2.0.13'
 cookbook 'hostname',               '= 0.4.2'
 cookbook 'hostsfile',              '~> 3.0.1'
 cookbook 'java',                   '~> 4.3.0'
@@ -32,11 +33,12 @@ cookbook 'ntp',                    '= 3.4.0'
 cookbook 'ohai',                   '~> 5.2.5'
 cookbook 'openssl',                '~> 8.5.5'
 cookbook 'php',                    '~> 8.0.0'
-cookbook 'postfix',                '= 5.0.2'
+cookbook 'postfix',                '~> 6.0.26'
 cookbook 'timezone_iii',           '= 1.0.4'
 cookbook 'ulimit',                 '~> 1.0.0'
 cookbook 'users',                  '~> 5.3.1'
 cookbook 'zerotier',               '~> 1.0.7'
+cookbook 'unbound',                '~> 3.0.2'
 
 # openresty dependency
 cookbook 'jemalloc',               '~> 0.1.7'

Berksfile.lock

@@ -8,6 +8,7 @@ DEPENDENCIES
   firewall (~> 6.2.16)
   git (~> 10.0.0)
   golang (~> 5.3.1)
+  gpg (~> 2.0.13)
   hostname (= 0.4.2)
   hostsfile (~> 3.0.1)
   ipfs
@@ -28,11 +29,12 @@ DEPENDENCIES
   ohai (~> 5.2.5)
   openssl (~> 8.5.5)
   php (~> 8.0.0)
-  postfix (= 5.0.2)
+  postfix (~> 6.0.26)
   redisio (~> 6.4.1)
   ruby_build (~> 2.5.0)
   timezone_iii (= 1.0.4)
   ulimit (~> 1.0.0)
+  unbound (~> 3.0.2)
   users (~> 5.3.1)
   yum
   zerotier (~> 1.0.7)
@@ -58,6 +60,8 @@ GRAPH
   git (10.0.0)
   golang (5.3.1)
     ark (>= 6.0)
+  gpg (2.0.13)
+    yum-epel (>= 0.0.0)
   homebrew (5.4.1)
   hostname (0.4.2)
     hostsfile (>= 0.0.0)
@@ -89,7 +93,7 @@ GRAPH
   openssl (8.5.5)
   php (8.0.1)
     yum-epel (>= 0.0.0)
-  postfix (5.0.2)
+  postfix (6.0.26)
   redisio (6.4.1)
     selinux (>= 0.0.0)
   ruby_build (2.5.0)
@@ -99,6 +103,7 @@ GRAPH
   seven_zip (4.2.2)
   timezone_iii (1.0.4)
   ulimit (1.0.0)
+  unbound (3.0.2)
   users (5.3.1)
   windows (7.0.2)
   yum (7.4.13)

clients/email-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "email-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxDRdvMYKRjejoFsOxS6s\n4gj0Gsaxk/j25A5VPHBcEhr+NOh8W/6NnTTHuFMaorEIl/2kscgrcwriDN7xIFmO\nz/C1+spDLPMGSWd+422KSS3fjVfByLlMwxh171RDZBlZVze7H7CIV/rxCG7Ri85y\nPvyp2rT4ioyVGyYK3e8CiXwQckpFC1ex9VRk/GR8zbCYUIw+qbTFRcl/mQuxKqWK\n22vrgAR+6OL8lcyhssmKiQ1r3GtxwJusgffw4/5S8sRR1z8OB4wiwgOWR1E36EbF\nhTBjFzPiKVjVjP/TQpUoYdnBhuD223M8nPWJl1HMVQPMjL6R2BBOF+iK0Wx9SiFD\nJwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-3.json

@@ -1,4 +0,0 @@
-{
-  "name": "garage-3",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRSB8/ObjvQq6WuOVS/f\nypdX/2fLsUlt5tQ8GNuSY9rSM8gdvcXUvnPlxthZO4yvcPX85wmtBZX8fRJFdkJg\nYRCJbuVKO9sLTq8OUWXYpfU1q10FUhl034zxOMslpxVB6toirnk025vyq9jbuKP+\nYO+c40KZr67mgm0hveJfylayfiKP1HGm4HrV0maFivCgC8D+MPDDv75CsqRe5WSc\nh2CoauDJwVlhKZ92yq87ugGBhJJRUGOQZcfEvkUGj/HNAS6tuHl8YmVmhO8hBdee\nNto6RF54E1zB80R9oT/qitw23miEyUcHHVxhTR4tTWflZgd8l4wDOhX3Nf20xknu\nFQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/garage-6.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-6",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwasYgWLM8ShvirFiKRE6\nGWqc3pMlvcrk4YnWAUW5Y/H26EnyexxWNfnwlEcq8thJ3M3hs7zkoF3Yk4uqX869\n4/niYqXwYgeE1K3gzLp4K1+w3yVupYAFVFStVEHJyuMlLJ+ulDEGvNdQDuIfw7+E\nr6DcDLa1o92Eo0wL1ihYyMilduH0LdFTixL+tEBXbbPWBa3RDJJCFsRF1+UC6hAH\nzmaWL661Gdzdabxjm/FlGUYkdbDqeInZq/1GMQqv+9/DcNRkWA9H7i4Ykrfpx4/2\nRZ8xtx/DbnJVB1zYoORygFMMAkTu5E+R8ropeI7Wi77Yq0S7laiRlYQYQml3x9ak\nzQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-7.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-7",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwoAigZUSwsfbBHx2PQ6W\n38Ght6eCvbpW1lsS58hTieRmRn+pgZVjvixhsBh57rUasCjaBywXk9BpNj2Foxck\nReHeoDI0RHsgniClyMrYj80y2NhoB6J8NB+cHkhdzIKplm6AH6M5xaAedtZU639a\n1nHMtpDlJhzgIYsiq1q06Aqd1w0Z9tf1RXQ1WvMDhTY4wlE5RZ2epBb6Usnlbjo2\nSqCIGIjRLmZxdsSWoiUUTlVPdUCzTNsN5G/ZVdRswhgseDmVJCIkK2Aji/XzhIrR\nh4RvUv9dhFemOVsFctJ/dQILXz5MZLUgakKf970M5R/Zggv//pqRSsYcB2UfaBpV\nLQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-8.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-8",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt4hXODzgHsIeWxXJm/F6\nSTFJ8JC89mWru7pOFzPWenOVMHgp4UpUB4rDTwQqojsWTDiq0x3ckUyOPw3Nj0jv\nxP4MMGS4SI0oRSJKzrYYss0hgUDTOBBd+Wxn0UiNEpN/PfQo9VZj9v/jak57cz7z\n5+rpl5v27fhgUIChjsHxdy+EamvCrYc+1JhyrLOlwlt8JxkZ8UPhoeZLWAbDgGLS\nEzHWSSVtBUPK+KYmVb2OK4lB56zPfek0U3gKN+04a1650jzOit8LzE6NaT180QDv\nX+gG6tk53vSXDmkBXsQ1mtB8aF+HaEG2Pra5HyihlweCPYdJT+e28wpq6+P5l3YR\ndQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-4.json

@@ -1,4 +0,0 @@
-{
-  "name": "postgres-4",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu6fPxOZeKloF/EgYvU0k\nOwv8bJjsCQcWaMTPle5//mRTszA6PM2z9RI+Mfr45qxTlsL9pQY8WJOWF6QOK31x\nszuqcr7oOjtAhrLI8f/oNDEDjcx325FqG9gNKQEAD7d4zodh+PhDe6x7GIyIS7lG\nIcD5Zre9iDwv8FGLR+5GLqS8SJOPL/wJkQ8w+N0f8YDFw81kiTta5NLhAx3fMDs0\n2kmoNlbmKlNZTtLjCfCV+/pa9oY6wycjck3GvobiFE/4cWaNkeGlPc+uAwlfmrOv\nHy0tq1XBX/BCvE5kMXmhnMT23JXjm2s2PgCLgEVGAXilXk/T597KDm+z4oBpAQma\nnQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/postgres-6.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-6",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtVzM0fwlimmq11jTGTko\nK87LRYSar61tNF3qVWp9axNSMa6BSxVark9eYOqY4eLh/5vJVDqXDFq30/IUWg40\nH8hHWaOEvQrP2dm/XFw1RmunfbfN9gN07TuhaT3xFD5t+jFBuOSoJ4cPnFIABuVt\nFLrjgtYYjtZe5hGE9ZPmS7o2ATM5EU9mxeQ+TkgDbr8StvSPGdZ1ykhagf1pegGU\nRIfZ+4ZKzyDUAq+fYNhIbmlm5h2gP+XdtakPy43j7n0iN1vwDgBqJ2pdaVs/GcFf\nvaztoltguoknI2NPSez1N217asTTLuth0nHxVXiKCVXnqwDjxgWmuP6X2B7VYjyc\nxQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/rsk-testnet-5.json

@@ -0,0 +1,4 @@
+{
+  "name": "rsk-testnet-5",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx/UHlgcSeh9Do7CTCKXC\n/4/aO2OvT+ijDVmrMYCNtE4sMeuFqKPnV1zxJZmRm4VNhkSQDkdWYD+6XvuFYW60\nyjB/N6D5lLlyjG4HD6fTkfh0K6f7t5mOYV7o4T59OoA3cBZuSROjtWmJ8jEFJ+k9\nII2kcyhPQcFN01ckzvZKRSPbVRccMoc+AKTjB3ZUfs/ERtlVoDrK4jEHluXOxUJO\nBKCcLonjJuLlpRLh7QfKrKFcR4idn5Ir43R6aSUesI/ipKwKsXnR3Bu7vXp74VF3\nMJ3EkdSBG+qJzy51fbRfQiUPAr/vSoVQZwW7FkIhIqqLkMaYCymn7qKfTGujoNU7\nlwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/strfry-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "strfry-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDV/RMGMXVDbvoA6PNh8\nQzhtHwYDCFcUSkbrwP6tzh6GpVunGEOdOdhj2V63T2tF1H+lujxQXh5pK7C0D6VZ\niO04ftJlo7/svyxUcwWr+znyN5sFdQRh3cBZiGSBYolizwoqgtPFlbNhmWAzV0Du\n9t8mhz70IK3B+UdwWyHtoK0NNsJGnQ9YzAvcjyDmEO/3sCjAhNnxVpmXftpcSmd9\nMonzFtIDBbRRll4AHZYRbmXCzx63+VmelvdnufnbY82liol0zzBwJaBD1wyNlG0y\ni96p3Kx03bLNlIaYVGbjZeJi+6oo2VDWJ4OloLLAYoHDSipeHT9qWfUdnE6ge4Lm\nywIDAQAB\n-----END PUBLIC KEY-----\n"
+}

cookbooks/gpg/.markdownlint-cli2.yaml

@@ -0,0 +1,5 @@
+config:
+  ul-indent: false # MD007
+  line-length: false # MD013
+  no-duplicate-heading: false # MD024
+  reference-links-images: false # MD052

cookbooks/gpg/CHANGELOG.md

@@ -0,0 +1,89 @@
+# gpg Cookbook CHANGELOG
+
+This file is used to list changes made in each version of the gpg cookbook.
+
+## 2.0.13 - *2024-05-02*
+
+## 2.0.12 - *2024-05-02*
+
+## 2.0.11 - *2023-09-28*
+
+## 2.0.10 - *2023-09-04*
+
+## 2.0.9 - *2023-07-10*
+
+## 2.0.8 - *2023-05-16*
+
+- Fix markdown formatting in the changelog
+- Standardise files with files in sous-chefs/repo-management
+
+## 2.0.7 - *2023-05-16*
+
+- Standardise files with files in sous-chefs/repo-management
+
+## 2.0.6 - *2023-05-03*
+
+- Standardise files with files in sous-chefs/repo-management
+
+## 2.0.5 - *2023-04-01*
+
+- Standardise files with files in sous-chefs/repo-management
+
+## 2.0.4 - *2023-03-02*
+
+- Standardise files with files in sous-chefs/repo-management
+
+## 2.0.3 - *2023-02-14*
+
+- Remove delivery folder
+
+## 2.0.2 - *2021-08-31*
+
+- Standardise files with files in sous-chefs/repo-management
+
+## 2.0.1 - *2021-06-01*
+
+- Standardise files with files in sous-chefs/repo-management
+
+## 2.0.0 - *2021-05-07*
+
+- Update tested platforms
+- Set minimum Chef version to 15.3 for unified_mode support
+
+## 1.3.0 - *2020-12-14*
+
+- Added support for SUSE and OpenSUSE
+
+## 1.2.0 (2020-08-26)
+
+- Comment out enforce_idempotency in kitchen.dokken.yml so tests work
+- Update/Remove the platforms we test against
+- Fix support for pinentry_mode on Ubuntu 16.04
+
+## 1.1.0 (2020-05-14)
+
+- resolved cookstyle error: resources/install.rb:1:36 convention: `Layout/TrailingWhitespace`
+- resolved cookstyle error: resources/install.rb:1:37 refactor: `ChefModernize/FoodcriticComments`
+
+## 1.0.1 (2020-01-26)
+
+- Use Github Actions for testing
+- Fix Ubuntu platform checks in the `gpg_key` resource
+- Use true/false in the resource to simplify the types
+
+## 1.0.0 (2019-01-26)
+
+- Adds two new resources `gpg_install` and `gpg_key`
+- Use CircleCI for testing
+
+## 0.3.0 (2018-05-08)
+
+- Sous Chefs will now be maintaining this cookbook. For more information on Sous Chefs see <http://sous-chefs.org/>
+- This cookbook now requires Chef 12 or later
+- Added a chefignore file
+- Added local testing with delivery local mode
+- Added Code of conduct, testing, contributing, license, and changelog files
+- Added `chef_version`, `source_url`, and `issues_url` to the metadata
+- Added ubuntu/debian to the metadata as supported platforms
+- Updated the kitchen config to use Vagrant on common platforms
+- Resolved all cookstyle / foodcritic warnings

cookbooks/gpg/LICENSE

@@ -0,0 +1,202 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+

cookbooks/gpg/README.md

@@ -0,0 +1,63 @@
+# GPG cookbook
+
+[![Cookbook Version](https://img.shields.io/cookbook/v/gpg.svg)](https://supermarket.chef.io/cookbooks/gpg)
+[![Build Status](https://img.shields.io/circleci/project/github/sous-chefs/gpg/master.svg)](https://circleci.com/gh/sous-chefs/gpg)
+[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)
+[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)
+[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
+
+Installs and configures GPG on a system
+
+## Maintainers
+
+This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF).
+
+## Custom resources
+
+This cookboks uses custom resources to control GPG2.
+
+Install GPG2 and haveged
+
+```ruby
+gpg_install
+```
+
+Generate a GPG key for a user
+
+```ruby
+gpg_key 'foo' do
+  user 'foo'
+  passphrase 'this-is-not-secure'
+end
+```
+
+For further detail please see the documentation for each resource, or the test cookbook for example usage.
+
+- [gpg_install](https://github.com/sous-chefs/gpg/blob/master/documentation/resource/install.md)
+- [gpg_key](https://github.com/sous-chefs/gpg/blob/master/documentation/resource/key.md)
+- [Test Cookbook](https://github.com/sous-chefs/gpg/blob/master/test/fixtures/cookbooks/test/recipes)
+
+## Contributors
+
+This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false)
+
+### Backers
+
+Thank you to all our backers!
+
+![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40)
+
+### Sponsors
+
+Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
+
+![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100)

cookbooks/gpg/chefignore

@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen*.yml
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

cookbooks/gpg/libraries/helpers.rb

@@ -0,0 +1,43 @@
+module Gpg
+  module Helpers
+    include Chef::Mixin::ShellOut
+
+    def key_exists(new_resource)
+      gpg_check = gpg_cmd
+      gpg_check << gpg_opts if new_resource.override_default_keyring
+      gpg_check << "--list-keys | grep '#{new_resource.name_real}'"
+
+      cmd = Mixlib::ShellOut.new(
+        gpg_check,
+        user: new_resource.user,
+        group: new_resource.group
+      )
+
+      cmd.run_command
+
+      cmd.exitstatus == 0
+    end
+
+    def gpg_opts(new_resource)
+      if new_resource.override_default_keyring
+        "--no-default-keyring --secret-keyring #{new_resource.secring_file} --keyring #{new_resource.pubring_file}"
+      else
+        false
+      end
+    end
+
+    def gpg_cmd
+      "gpg2 --homedir #{new_resource.home_dir} "
+    end
+
+    def gpg2_packages
+      packages = %w(haveged)
+      if platform_family?('suse')
+        packages.push('gpg2')
+      else
+        packages.push('gnupg2')
+      end
+      packages
+    end
+  end
+end

cookbooks/gpg/metadata.json

@@ -0,0 +1,43 @@
+{
+  "name": "gpg",
+  "description": "Installs/Configures gpg",
+  "long_description": "",
+  "maintainer": "Sous Chefs",
+  "maintainer_email": "help@sous-chefs.org",
+  "license": "Apache-2.0",
+  "platforms": {
+    "debian": ">= 0.0.0",
+    "ubuntu": ">= 0.0.0",
+    "centos": ">= 0.0.0",
+    "redhat": ">= 0.0.0",
+    "oracle": ">= 0.0.0",
+    "amazon": ">= 0.0.0",
+    "opensuse": ">= 0.0.0",
+    "suse": ">= 0.0.0"
+  },
+  "dependencies": {
+    "yum-epel": ">= 0.0.0"
+  },
+  "providing": {
+
+  },
+  "recipes": {
+
+  },
+  "version": "2.0.13",
+  "source_url": "https://github.com/sous-chefs/gpg",
+  "issues_url": "https://github.com/sous-chefs/gpg/issues",
+  "privacy": false,
+  "chef_versions": [
+    [
+      ">= 15.3"
+    ]
+  ],
+  "ohai_versions": [
+
+  ],
+  "gems": [
+
+  ],
+  "eager_load_libraries": true
+}

cookbooks/gpg/metadata.rb

@@ -0,0 +1,20 @@
+name             'gpg'
+maintainer       'Sous Chefs'
+maintainer_email 'help@sous-chefs.org'
+license          'Apache-2.0'
+description      'Installs/Configures gpg'
+source_url       'https://github.com/sous-chefs/gpg'
+issues_url       'https://github.com/sous-chefs/gpg/issues'
+version          '2.0.13'
+chef_version     '>= 15.3'
+
+depends 'yum-epel'
+
+supports 'debian'
+supports 'ubuntu'
+supports 'centos'
+supports 'redhat'
+supports 'oracle'
+supports 'amazon'
+supports 'opensuse'
+supports 'suse'

cookbooks/gpg/renovate.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:base"],
+  "packageRules": [
+    {
+      "groupName": "Actions",
+      "matchUpdateTypes": ["minor", "patch", "pin"],
+      "automerge": true,
+      "addLabels": ["Release: Patch", "Skip: Announcements"]
+    },
+    {
+      "groupName": "Actions",
+      "matchUpdateTypes": ["major"],
+      "automerge": false,
+      "addLabels": ["Release: Patch", "Skip: Announcements"]
+    }
+  ]
+}

cookbooks/gpg/resources/install.rb

@@ -0,0 +1,18 @@
+unified_mode true
+
+property :name, String, default: ''
+
+action :install do
+  include_recipe 'yum-epel' if platform_family?('rhel', 'amazon')
+
+  package gpg2_packages
+
+  service 'haveged' do
+    supports [:status, :restart]
+    action :start
+  end
+end
+
+action_class do
+  include Gpg::Helpers
+end

cookbooks/gpg/resources/key.rb

@@ -0,0 +1,166 @@
+unified_mode true
+
+property :batch_name, String,
+         name_property: true,
+         description: 'Name of  the key/batch to generate.'
+
+property :override_default_keyring, [true, false],
+         default: false,
+         description: 'Set to true if you want to override the pubring_file and secring_file locations.'
+
+property :pubring_file, String,
+         description: 'Public keyring file location (override_default_keyring must be set to true or this option will be ignored)'
+
+property :secring_file, String,
+         description: 'Secret keyring file location (override_default_keyring must be set to true or this option will be ignored)'
+
+property :user, String,
+         default: 'root',
+         description: 'User to generate the key for'
+
+property :group, String,
+         default: lazy { user },
+         description: 'Group to run the generate command as'
+
+property :key_type, String,
+         default: '1', equal_to: %w(RSA 1 DSA 17 ),
+         description: 'Corresponds to GPG option: Key-Type (RSA or DSA)'
+
+property :key_length, String,
+         default: '2048', equal_to: %w( 2048 4096 ),
+         description: 'Corresponds to GPG option: Key-Length (2048 or 4096)'
+
+property :name_real, String,
+         default: lazy { "Chef Generated Default (#{batch_name})" },
+         description: 'Corresponds to GPG option: Name-Real'
+
+property :name_comment, String,
+         default: 'generated by Chef',
+         description: 'Corresponds to GPG option: Name-Comment'
+
+property :name_email, String,
+         default: lazy { "#{node.name}@example.com" },
+         description: 'Corresponds to GPG option: Name-Email'
+
+property :expire_date, String,
+         default: '0',
+         description: 'Corresponds to GPG option: Expire-Date. Defaults to 0 (no expiry)'
+
+property :home_dir, String,
+         default: lazy { ::File.expand_path("~#{user}/.gnupg") },
+         description: 'Location to store the keyring. Defaults to ~/.gnupg'
+
+property :batch_config_file, String,
+         default: lazy { ::File.join(home_dir, "gpg_batch_config_#{batch_name}") },
+         description: 'Batch config file name'
+
+property :passphrase, String,
+         sensitive: true,
+         description: 'Passphrase for key'
+
+property :key_file, String,
+         description: 'Keyfile name'
+
+property :key_fingerprint, String,
+         description: 'Key finger print. Used to identify when deleting keys using the :delete action'
+
+# Only Ubuntu > 16.04 supports the pinetree_mode. And requires it
+property :pinentry_mode, [String, FalseClass],
+         default: platform?('ubuntu') && node['platform_version'].to_f > 16.04 ? 'loopback' : false,
+         description: 'Pinentry mode. Set to loopback on Ubuntu and False (off) for all other platforms.'
+
+property :batch, [true, false],
+         default: true,
+         description: 'Turn batch mode on or off when genrating keys'
+
+action :generate do
+  unless key_exists(new_resource)
+
+    config_dir = ::File.dirname(new_resource.batch_config_file)
+
+    directory config_dir do
+      owner new_resource.user
+      mode '0700'
+      recursive true
+      not_if { ::Dir.exist?(config_dir) }
+    end
+
+    file new_resource.batch_config_file do
+      content <<~EOS
+        Key-Type: #{new_resource.key_type}
+        Key-Length: #{new_resource.key_length}
+        Name-Real: #{new_resource.name_real}
+        Name-Comment: #{new_resource.name_comment}
+        Name-Email: #{new_resource.name_email}
+        Expire-Date: #{new_resource.expire_date}
+      EOS
+
+      if new_resource.override_default_keyring
+        content << "%pubring #{new_resource.pubring_file}\n"
+        content << "%secring #{new_resource.secring_file}\n"
+      end
+
+      content << "Passphrase: #{new_resource.passphrase}" if new_resource.passphrase
+      content << "%commit\n"
+      mode '0600'
+      owner new_resource.user
+      sensitive true
+    end
+
+    cmd = gpg_cmd
+    cmd << gpg_opts(new_resource) if new_resource.override_default_keyring
+    cmd << " --passphrase #{new_resource.passphrase}"
+    cmd << ' --yes'
+    cmd << ' --batch' if new_resource.batch
+    cmd << ' --pinentry-mode loopback' if new_resource.pinentry_mode
+    cmd << " --gen-key #{new_resource.batch_config_file}"
+
+    execute 'gpg2: generate' do
+      command cmd
+      live_stream true
+      user new_resource.user
+      group new_resource.group
+    end
+
+  end
+end
+
+action :import do
+  execute 'gpg2: import key' do
+    command "#{gpg_cmd} --import #{new_resource.key_file}"
+    user new_resource.user
+    group new_resource.group
+    not_if { key_exists(new_resource) }
+  end
+end
+
+action :export do
+  execute 'gpg2: export key' do
+    command "#{gpg_cmd} --export -a \"#{new_resource.name_real}\" > #{new_resource.key_file}"
+    user new_resource.user
+    group new_resource.group
+    not_if { ::File.exist?(new_resource.key_file) }
+  end
+end
+
+action :delete_public_key do
+  execute 'gpg2: delete key' do
+    command "#{gpg_cmd} --batch --yes --delete-key \"#{new_resource.key_fingerprint}\""
+    user new_resource.user
+    group new_resource.group
+    only_if { key_exists(new_resource) }
+  end
+end
+
+action :delete_secret_keys do
+  execute 'gpg2: delete key' do
+    command "#{gpg_cmd} --batch --yes --delete-secret-keys \"#{new_resource.key_fingerprint}\""
+    user new_resource.user
+    group new_resource.group
+    only_if { key_exists(new_resource) }
+  end
+end
+
+action_class do
+  include Gpg::Helpers
+end

cookbooks/postfix/.markdownlint-cli2.yaml

@@ -0,0 +1,5 @@
+config:
+  ul-indent: false # MD007
+  line-length: false # MD013
+  no-duplicate-heading: false # MD024
+  reference-links-images: false # MD052

cookbooks/postfix/CHANGELOG.md

@@ -2,6 +2,176 @@
 
 This file is used to list changes made in each version of the postfix cookbook.
 
+## 6.0.26 - *2023-10-03*
+
+- add installation of postfix addon packages for RHEL 8
+
+## 6.0.25 - *2023-10-03*
+
+Fix markdown
+
+## 6.0.24 - *2023-09-28*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.23 - *2023-09-04*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.22 - *2023-08-29*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.21 - *2023-05-17*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.20 - *2023-04-17*
+
+Fix CI permissions
+
+## 6.0.19 - *2023-04-17*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.18 - *2023-04-07*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.17 - *2023-04-01*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.16 - *2023-04-01*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.15 - *2023-04-01*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.14 - *2023-03-20*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.13 - *2023-03-15*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.12 - *2023-02-23*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.11 - *2023-02-16*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.10 - *2023-02-14*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.9 - *2023-02-14*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.8 - *2022-12-08*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.7 - *2022-02-03*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.0.6 - *2022-02-02*
+
+- Update tested platforms
+- Remove delivery and move to calling RSpec directly via a reusable workflow
+
+## 6.0.5 - *2022-01-08*
+
+- resolved cookstyle error: test/integration/helpers/serverspec/spec_helper.rb:9:21 convention: `Style/FileRead`
+
+## 6.0.4 - *2021-08-19*
+
+## 6.0.3 - *2021-08-19*
+
+- Fixed TLS configuration
+
+## 6.0.2 - *2021-06-30*
+
+- Make sure we write the main.conf and master.conf before we try to use any commands (like postmap)
+
+## 6.0.1 - *2021-06-01*
+
+## 6.0.0 - *2020-11-23*
+
+- Disabled SSLv3 by default
+
+## 5.4.1 - 2020-10-20
+
+- Ensure all postmap files are rebuilt immediately if needed
+
+## 5.4.0 - 2020-10-11
+
+### Changed
+
+- Sous Chefs Adoption
+- Update to use Sous Chefs GH workflow
+- Update README to sous-chefs
+- Update metadata.rb to Sous Chefs
+- Update test-kitchen to Sous Chefs
+
+### Added
+
+- Standardise files with files in sous-chefs/repo-management
+- Add Ubuntu 20.04 testing
+
+### Fixed
+
+- Cookstyle fixes
+- ChefSpec fixes
+- Yamllint fixes
+- MDL fixes
+- Fix OpenSUSE installation issues
+
+### Removed
+
+- Remove EL 6 testing
+- Remove Amazon Linux 1 testing
+
+## 5.3.1 (2018-07-24)
+
+- Fixed sbin issue with Chef13
+
+## 5.3.0 (2018-05-23)
+
+- support multiple sasl_passwd entries
+- Add `packages` attribute so different postfix packages can be installed
+- add ability to set network connection port for a remote relayhost
+
+## 5.2.1 (2017-11-22)
+
+- Properly support FreeBSD
+- Do not run service restart for solaris which fails
+
+## 5.2.0 (2017-08-07)
+
+- Lazily evaluate the config template variables to allow overrides to properly apply
+- Avoid Chefspec deprecation warnings
+
+## 5.1.1 (2017-07-28)
+
+- Fix support for Amazon Linux on Chef 13
+- Expand testing to cover Debian 9 in Travis
+
+## 5.1.0 (2017-07-28)
+
+- Add an option to allow recipient canonical maps
+
+## 5.0.3 (2017-06-26)
+
+- Correct attribute line for use_relay_restrictions_maps to prevent converge failures
+
 ## 5.0.2 (2017-05-17)
 
 - Fix use_relay_restrictions_maps attribute misspelling in attributes file
@@ -117,51 +287,51 @@ Reverting #37 - [COOK-3418] Virtual Domain Support PR - duplicate of #55
 
 ### Bug
 
-- **[COOK-4357](https://tickets.chef.io/browse/COOK-4357)** - postfix::sasl_auth recipe fails to converge
+- postfix::sasl_auth recipe fails to converge
 
 ## v3.1.0 (2014-02-19)
 
 ### Bug
 
-- **[COOK-4322](https://tickets.chef.io/browse/COOK-4322)** - Postfix cookbook has incorrect default path for sasl_passwd
+- Postfix cookbook has incorrect default path for sasl_passwd
 
 ### New Feature
 
-- **[COOK-4086](https://tickets.chef.io/browse/COOK-4086)** - use conf_dir attribute for sasl recipe, and add omnios support
-- **[COOK-2551](https://tickets.chef.io/browse/COOK-2551)** - Support creating the sender_canonical map file
+- use conf_dir attribute for sasl recipe, and add omnios support
+- Support creating the sender_canonical map file
 
 ## v3.0.4
 
 ### Bug
 
-- **[COOK-3824](https://tickets.chef.io/browse/COOK-3824)** - main.cf.erb mishandles lists
+- main.cf.erb mishandles lists
 
 ### Improvement
 
-- **[COOK-3822](https://tickets.chef.io/browse/COOK-3822)** - postfix cookbook readme has an incorrect example
+- postfix cookbook readme has an incorrect example
 - Got rubocop errors down to 32
 
 ### New Feature
 
-- **[COOK-2551](https://tickets.chef.io/browse/COOK-2551)** - Support creating the sender_canonical map file
+- Support creating the sender_canonical map file
 
 ## v3.0.2
 
 ### Bug
 
-- **[COOK-3617](https://tickets.chef.io/browse/COOK-3617)** - Fix error when no there is no FQDN
-- **[COOK-3530](https://tickets.chef.io/browse/COOK-3530)** - Update `client.rb` after 3.0.0 refactor
-- **[COOK-2499](https://tickets.chef.io/browse/COOK-2499)** - Do not use resource cloning
+- Fix error when no there is no FQDN
+- Update `client.rb` after 3.0.0 refactor
+- Do not use resource cloning
 
 ### Improvement
 
-- **[COOK-3116](https://tickets.chef.io/browse/COOK-3116)** - Add SmartOS support
+- Add SmartOS support
 
 ## v3.0.0
 
 ### Improvement
 
-- **[COOK-3328](https://tickets.chef.io/browse/COOK-3328)** - Postfix main/master and attributes refactor
+- Postfix main/master and attributes refactor
 
 **Breaking changes**:
 

cookbooks/postfix/CONTRIBUTING.md

@@ -1 +0,0 @@
-Please refer to <https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD>

cookbooks/postfix/LICENSE

@@ -0,0 +1,202 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+

cookbooks/postfix/MAINTAINERS.md

@@ -1,15 +0,0 @@
-<!-- This is a generated file. Please do not edit directly -->
-
-# Maintainers
-
-This file lists how this cookbook project is maintained. When making changes to the system, this file tells you who needs to review your patch - you need a review from an existing maintainer for the cookbook to provide a :+1: on your pull request. Additionally, you need to not receive a veto from a Lieutenant or the Project Lead.
-
-Check out [How Cookbooks are Maintained](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD) for details on the process and how to become a maintainer or the project lead.
-
-# Project Maintainer
-* [Tim Smith](https://github.com/tas50)
-
-# Maintainers
-* [Jennifer Davis](https://github.com/sigje)
-* [Tim Smith](https://github.com/tas50)
-* [Thom May](https://github.com/thommay)

cookbooks/postfix/README.md

@@ -1,19 +1,28 @@
 # postfix Cookbook
 
-[![Build Status](https://travis-ci.org/chef-cookbooks/postfix.svg?branch=master)](https://travis-ci.org/chef-cookbooks/postfix) [![Cookbook Version](https://img.shields.io/cookbook/v/postfix.svg)](https://supermarket.chef.io/cookbooks/postfix)
+[![Cookbook Version](https://img.shields.io/cookbook/v/postfix.svg)](https://supermarket.chef.io/cookbooks/postfix)
+[![CI State](https://github.com/sous-chefs/postfix/workflows/ci/badge.svg)](https://github.com/sous-chefs/postfix/actions?query=workflow%3Aci)
+[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)
+[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)
+[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
 
 Installs and configures postfix for client or outbound relayhost, or to do SASL authentication.
 
 On RHEL-family systems, sendmail will be replaced with postfix.
 
+## Maintainers
+
+This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF).
+
 ## Requirements
 
 ### Platforms
 
-- Ubuntu 12.04+
-- Debian 7.0+
-- RHEL/CentOS/Scientific 5.7+, 6.2+
+- Ubuntu
+- Debian
+- RHEL/CentOS/Scientific
 - Amazon Linux (as of AMIs created after 4/9/2012)
+- FreeBSD
 
 May work on other platforms with or without modification.
 
@@ -33,6 +42,7 @@ See `attributes/default.rb` for default values.
 
 - `node['postfix']['mail_type']` - Sets the kind of mail configuration. `master` will set up a server (relayhost).
 - `node['postfix']['relayhost_role']` - name of a role used for search in the client recipe.
+- `node['postfix']['relayhost_port']` - listening network port of the relayhost.
 - `node['postfix']['multi_environment_relay']` - set to true if nodes should not constrain search for the relayhost in their own environment.
 - `node['postfix']['use_procmail']` - set to true if nodes should use procmail as the delivery agent.
 - `node['postfix']['use_alias_maps']` - set to true if you want the cookbook to use/configure alias maps
@@ -43,7 +53,7 @@ See `attributes/default.rb` for default values.
 - `node['postfix']['aliases']` - hash of aliases to create with `recipe[postfix::aliases]`, see below under **Recipes** for more information.
 - `node['postfix']['transports']` - hash of transports to create with `recipe[postfix::transports]`, see below under **Recipes** for more information.
 - `node['postfix']['access']` - hash of access to create with `recipe[postfix::access]`, see below under **Recipes** for more information.
-- `node['postfix']['virtual_aliases']` - hash of virtual_aliases to create with `recipe[postfix::virtual_aliases]`, see below under __Recipes__ for more information.
+- `node['postfix']['virtual_aliases']` - hash of virtual_aliases to create with `recipe[postfix::virtual_aliases]`, see below under **Recipes** for more information.
 - `node['postfix']['main_template_source']` - Cookbook source for main.cf template. Default 'postfix'
 - `node['postfix']['master_template_source']` - Cookbook source for master.cf template. Default 'postfix'
 
@@ -75,10 +85,20 @@ This change in namespace to `node['postfix']['main']` should allow for greater f
 - `node['postfix']['main']['smtp_sasl_password_maps']` - Set to `hash:/etc/postfix/sasl_passwd` template file
 - `node['postfix']['main']['smtp_sasl_security_options']` - Set to noanonymous
 - `node['postfix']['main']['relayhost']` - Set to empty string
-- `node['postfix']['sasl']['smtp_sasl_user_name']` - SASL user to authenticate as. Default empty
-- `node['postfix']['sasl']['smtp_sasl_passwd']` - SASL password to use. Default empty.
 - `node['postfix']['sender_canonical_map_entries']` - (hash with key value pairs); default not configured. Setup generic canonical maps. See `man 5 canonical`. If has at least one value, then will be enabled in config.
 - `node['postfix']['smtp_generic_map_entries']` - (hash with key value pairs); default not configured. Setup generic postfix maps. See `man 5 generic`. If has at least one value, then will be enabled in config.
+- `node['postfix']['recipient_canonical_map_entries']` - (hash with key value pairs); default not configured. Setup generic canonical maps. See `man 5 canonical`. If has at least one value, then will be enabled in config.
+- `node['postfix']['sasl']['smtp_sasl_user_name']` - SASL user to authenticate as. Default empty. You can only use this until the current version. The new syntax is below.
+- `node['postfix']['sasl']['smtp_sasl_passwd']` - SASL password to use. Default empty. You can only use this until the current version. The new syntax is below.
+- `node['postfix']['sasl']` = ```json {
+    "relayhost1" => {
+      'username' => 'foo',
+      'password' => 'bar'
+    },
+    "relayhost2" => {
+      ...
+    }
+  }``` - You must set the following attribute, otherwise the attribute will default to empty
 
 Example of json role config, for setup *_map_entries:
 
@@ -331,8 +351,14 @@ override_attributes(
       "smtp_sasl_auth_enable" => "yes"
     },
     "sasl" => {
-      "smtp_sasl_passwd" => "your_password",
-      "smtp_sasl_user_name" => "your_username"
+      "relayhost1" => {
+        "username" => "your_password",
+        "password" => "your_username"
+      },
+      "relayhost2" => {
+        ...
+      },
+      ...
     }
   }
 )
@@ -425,22 +451,27 @@ override_attributes(
 )
 ```
 
-## License & Authors
+## Contributors
 
-**Author:** Cookbook Engineering Team ([cookbooks@chef.io](mailto:cookbooks@chef.io))
+This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false)
 
-**Copyright:** 2009-2016, Chef Software, Inc.
+### Backers
 
-```
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+Thank you to all our backers!
 
-    http://www.apache.org/licenses/LICENSE-2.0
+![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40)
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-```
+### Sponsors
+
+Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
+
+![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100)

cookbooks/postfix/attributes/default.rb

@@ -1,5 +1,5 @@
 # Author:: Joshua Timberman <joshua@chef.io>
-# Copyright:: 2009-2017, Chef Software, Inc.
+# Copyright:: 2009-2019, Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,12 +14,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+default['postfix']['packages'] = %w(postfix)
+
 # Generic cookbook attributes
 default['postfix']['mail_type'] = 'client'
 default['postfix']['relayhost_role'] = 'relayhost'
+default['postfix']['relayhost_port'] = '25'
 default['postfix']['multi_environment_relay'] = false
 default['postfix']['use_procmail'] = false
-default['postfix']['use_alias_maps'] = (node['platform'] == 'freebsd')
+default['postfix']['use_alias_maps'] = platform?('freebsd')
 default['postfix']['use_transport_maps'] = false
 default['postfix']['use_access_maps'] = false
 default['postfix']['use_virtual_aliases'] = false
@@ -33,6 +36,7 @@ default['postfix']['main_template_source'] = 'postfix'
 default['postfix']['master_template_source'] = 'postfix'
 default['postfix']['sender_canonical_map_entries'] = {}
 default['postfix']['smtp_generic_map_entries'] = {}
+default['postfix']['recipient_canonical_map_entries'] = {}
 default['postfix']['access_db_type'] = 'hash'
 default['postfix']['aliases_db_type'] = 'hash'
 default['postfix']['transport_db_type'] = 'hash'
@@ -84,6 +88,10 @@ default['postfix']['main']['myorigin'] = '$myhostname'
 default['postfix']['main']['mydestination'] = [node['postfix']['main']['myhostname'], node['hostname'], 'localhost.localdomain', 'localhost'].compact
 default['postfix']['main']['smtpd_use_tls'] = 'yes'
 default['postfix']['main']['smtp_use_tls'] = 'yes'
+default['postfix']['main']['smtpd_tls_mandatory_protocols'] = '!SSLv2,!SSLv3'
+default['postfix']['main']['smtp_tls_mandatory_protocols'] = '!SSLv2,!SSLv3'
+default['postfix']['main']['smtpd_tls_protocols'] = '!SSLv2,!SSLv3'
+default['postfix']['main']['smtp_tls_protocols'] = '!SSLv2,!SSLv3'
 default['postfix']['main']['smtp_sasl_auth_enable'] = 'no'
 default['postfix']['main']['mailbox_size_limit'] = 0
 default['postfix']['main']['mynetworks'] = nil
@@ -99,6 +107,11 @@ when 'smartos'
   default['postfix']['cafile'] = '/opt/local/etc/postfix/cacert.pem'
 when 'rhel'
   default['postfix']['cafile'] = '/etc/pki/tls/cert.pem'
+when 'amazon'
+  default['postfix']['cafile'] = '/etc/pki/tls/cert.pem'
+when 'suse'
+  default['postfix']['main']['setgid_group'] = 'maildrop'
+  default['postfix']['main']['daemon_directory'] = '/usr/lib/postfix/bin'
 else
   default['postfix']['cafile'] = "#{node['postfix']['conf_dir']}/cacert.pem"
 end
@@ -374,27 +387,24 @@ default['postfix']['master']['bsmtp']['command'] = 'pipe'
 default['postfix']['master']['bsmtp']['args'] = ['flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient']
 
 # OS Aliases
-default['postfix']['aliases'] = case node['platform']
-                                when 'freebsd'
+default['postfix']['aliases'] = if platform?('freebsd')
                                   {
-                                    'MAILER-DAEMON' =>  'postmaster',
-                                    'bin' =>            'root',
-                                    'daemon' =>         'root',
-                                    'named' =>          'root',
-                                    'nobody' =>         'root',
-                                    'uucp' =>           'root',
-                                    'www' =>            'root',
-                                    'ftp-bugs' =>       'root',
-                                    'postfix' =>        'root',
-                                    'manager' =>        'root',
-                                    'dumper' =>         'root',
-                                    'operator' =>       'root',
-                                    'abuse' =>          'postmaster',
+                                    'MAILER-DAEMON' => 'postmaster',
+                                    'bin' => 'root',
+                                    'daemon' => 'root',
+                                    'named' => 'root',
+                                    'nobody' => 'root',
+                                    'uucp' => 'root',
+                                    'www' => 'root',
+                                    'ftp-bugs' => 'root',
+                                    'postfix' => 'root',
+                                    'manager' => 'root',
+                                    'dumper' => 'root',
+                                    'operator' => 'root',
+                                    'abuse' => 'postmaster',
                                   }
                                 else
                                   {}
                                 end
 
-if node['postfix']['use_relay_restrictions_maps']
-  default['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject"
-end
+default['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']

cookbooks/postfix/chefignore

@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen*.yml
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

cookbooks/postfix/metadata.rb

@@ -0,0 +1,20 @@
+name              'postfix'
+maintainer        'Sous Chefs'
+maintainer_email  'help@sous-chefs.org'
+license           'Apache-2.0'
+description       'Installs and configures postfix for client or outbound relayhost, or to do SASL auth'
+version           '6.0.26'
+source_url        'https://github.com/sous-chefs/postfix'
+issues_url        'https://github.com/sous-chefs/postfix/issues'
+chef_version      '>= 12.15'
+
+supports 'amazon'
+supports 'centos'
+supports 'debian'
+supports 'fedora'
+supports 'freebsd'
+supports 'oracle'
+supports 'redhat'
+supports 'scientific'
+supports 'smartos'
+supports 'ubuntu'

cookbooks/postfix/recipes/_attributes.rb

@@ -1,4 +1,4 @@
-# Copyright:: 2012-2017, Chef Software, Inc.
+# Copyright:: 2012-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,9 +13,7 @@
 # limitations under the License.
 #
 
-if node['postfix']['use_procmail']
-  node.default_unless['postfix']['main']['mailbox_command'] = '/usr/bin/procmail -a "$EXTENSION"'
-end
+node.default_unless['postfix']['main']['mailbox_command'] = '/usr/bin/procmail -a "$EXTENSION"' if node['postfix']['use_procmail']
 
 if node['postfix']['main']['smtpd_use_tls'] == 'yes'
   node.default_unless['postfix']['main']['smtpd_tls_cert_file'] = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
@@ -38,34 +36,18 @@ if node['postfix']['main']['smtp_sasl_auth_enable'] == 'yes'
   node.default_unless['postfix']['main']['relayhost'] = ''
 end
 
-if node['postfix']['use_alias_maps']
-  node.default_unless['postfix']['main']['alias_maps'] = ["hash:#{node['postfix']['aliases_db']}"]
-end
+node.default_unless['postfix']['main']['alias_maps'] = ["hash:#{node['postfix']['aliases_db']}"] if node['postfix']['use_alias_maps']
 
-if node['postfix']['use_transport_maps']
-  node.default_unless['postfix']['main']['transport_maps'] = ["hash:#{node['postfix']['transport_db']}"]
-end
+node.default_unless['postfix']['main']['transport_maps'] = ["hash:#{node['postfix']['transport_db']}"] if node['postfix']['use_transport_maps']
 
-if node['postfix']['use_access_maps']
-  node.default_unless['postfix']['main']['access_maps'] = ["hash:#{node['postfix']['access_db']}"]
-end
+node.default_unless['postfix']['main']['access_maps'] = ["hash:#{node['postfix']['access_db']}"] if node['postfix']['use_access_maps']
 
-if node['postfix']['use_virtual_aliases']
-  node.default_unless['postfix']['main']['virtual_alias_maps'] = ["#{node['postfix']['virtual_alias_db_type']}:#{node['postfix']['virtual_alias_db']}"]
-end
+node.default_unless['postfix']['main']['virtual_alias_maps'] = ["#{node['postfix']['virtual_alias_db_type']}:#{node['postfix']['virtual_alias_db']}"] if node['postfix']['use_virtual_aliases']
 
-if node['postfix']['use_virtual_aliases_domains']
-  node.default_unless['postfix']['main']['virtual_alias_domains'] = ["#{node['postfix']['virtual_alias_domains_db_type']}:#{node['postfix']['virtual_alias_domains_db']}"]
-end
+node.default_unless['postfix']['main']['virtual_alias_domains'] = ["#{node['postfix']['virtual_alias_domains_db_type']}:#{node['postfix']['virtual_alias_domains_db']}"] if node['postfix']['use_virtual_aliases_domains']
 
-if node['postfix']['use_relay_restrictions_maps']
-  default['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject"
-end
+node.default_unless['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
 
-if node['postfix']['master']['maildrop']['active']
-  node.default_unless['postfix']['main']['maildrop_destination_recipient_limit'] = 1
-end
+node.default_unless['postfix']['main']['maildrop_destination_recipient_limit'] = 1 if node['postfix']['master']['maildrop']['active']
 
-if node['postfix']['master']['cyrus']['active']
-  node.default_unless['postfix']['main']['cyrus_destination_recipient_limit'] = 1
-end
+node.default_unless['postfix']['main']['cyrus_destination_recipient_limit'] = 1 if node['postfix']['master']['cyrus']['active']

cookbooks/postfix/recipes/_common.rb

@@ -2,7 +2,7 @@
 # Cookbook:: common
 # Recipe:: default
 #
-# Copyright:: 2009-2017, Chef Software, Inc.
+# Copyright:: 2009-2020, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,12 +19,19 @@
 
 include_recipe 'postfix::_attributes'
 
-package 'postfix'
+# use multi-package when we can
+if node['os'] == 'linux'
+  package node['postfix']['packages']
+else
+  node['postfix']['packages'].each do |pkg|
+    package pkg
+  end
+end
 
 package 'procmail' if node['postfix']['use_procmail']
 
 case node['platform_family']
-when 'rhel', 'fedora'
+when 'rhel', 'fedora', 'amazon'
   service 'sendmail' do
     action :nothing
   end
@@ -35,6 +42,8 @@ when 'rhel', 'fedora'
     notifies :start, 'service[postfix]'
     not_if '/usr/bin/test /etc/alternatives/mta -ef /usr/sbin/sendmail.postfix'
   end
+when 'suse'
+  file '/var/adm/postfix.configured'
 when 'omnios'
   manifest_path = ::File.join(Chef::Config[:file_cache_path], 'manifest-postfix.xml')
 
@@ -67,7 +76,68 @@ when 'omnios'
   execute 'load postfix manifest' do
     action :nothing
     command "svccfg import #{manifest_path}"
-    notifies :restart, 'service[postfix]'
+    notifies :restart, 'service[postfix]' unless platform_family?('solaris2')
+  end
+when 'freebsd'
+  # Actions are based on docs provided by FreeBSD:
+  # https://www.freebsd.org/doc/handbook/mail-changingmta.html
+  service 'sendmail' do
+    action :nothing
+  end
+
+  template '/etc/mail/mailer.conf' do
+    source 'mailer.erb'
+    owner 'root'
+    group 0
+    notifies :restart, 'service[postfix]' unless platform_family?('solaris2')
+  end
+
+  execute 'switch_mailer_to_postfix' do
+    command [
+      'sysrc',
+      'sendmail_enable=NO',
+      'sendmail_submit_enable=NO',
+      'sendmail_outbound_enable=NO',
+      'sendmail_msp_queue_enable=NO',
+      'postfix_enable=YES',
+    ]
+    notifies :stop, 'service[sendmail]', :immediately
+    notifies :disable, 'service[sendmail]', :immediately
+    notifies :start, 'service[postfix]', :delayed
+    only_if "sysrc sendmail_enable sendmail_submit_enable sendmail_outbound_enable sendmail_msp_queue_enable | egrep -q '(YES|unknown variable)' || sysrc postfix_enable | egrep -q '(NO|unknown variable)'"
+  end
+
+  execute 'disable_periodic' do
+    # rubocop:disable Lint/ParenthesesAsGroupedExpression
+    environment ({ 'RC_CONFS' => '/etc/periodic.conf' })
+    command [
+      'sysrc',
+      'daily_clean_hoststat_enable=NO',
+      'daily_status_mail_rejects_enable=NO',
+      'daily_status_include_submit_mailq=NO',
+      'daily_submit_queuerun=NO',
+    ]
+    only_if "RC_CONFS=/etc/periodic.conf sysrc daily_clean_hoststat_enable daily_status_mail_rejects_enable daily_status_include_submit_mailq daily_submit_queuerun | egrep -q '(YES|unknown variable)'"
+  end
+end
+
+# We need to write the config first as the below postmap immediately commands assume config is correct
+# Which is not the case as ipv6 is assumed to be available by the postfix package
+# And if someone wants to disable this first we need to update the config first aswell
+%w( main master ).each do |cfg|
+  template "#{node['postfix']['conf_dir']}/#{cfg}.cf" do
+    source "#{cfg}.cf.erb"
+    owner 'root'
+    group node['root_group']
+    mode '0644'
+    # restart service for solaris on chef-client has a bug
+    # unless condition can be removed after
+    # https://github.com/chef/chef/pull/6596 merge/release
+    notifies :restart, 'service[postfix]' unless platform_family?('solaris2')
+    variables(
+      lazy { { settings: node['postfix'][cfg] } }
+    )
+    cookbook node['postfix']["#{cfg}_template_source"]
   end
 end
 
@@ -81,13 +151,11 @@ unless node['postfix']['sender_canonical_map_entries'].empty?
     owner 'root'
     group node['root_group']
     mode '0644'
-    notifies :run, 'execute[update-postfix-sender_canonical]'
+    notifies :run, 'execute[update-postfix-sender_canonical]', :immediately
     notifies :reload, 'service[postfix]'
   end
 
-  unless node['postfix']['main'].key?('sender_canonical_maps')
-    node.normal['postfix']['main']['sender_canonical_maps'] = "hash:#{node['postfix']['conf_dir']}/sender_canonical"
-  end
+  node.default['postfix']['main']['sender_canonical_maps'] = "hash:#{node['postfix']['conf_dir']}/sender_canonical" unless node['postfix']['main'].key?('sender_canonical_maps')
 end
 
 execute 'update-postfix-smtp_generic' do
@@ -100,28 +168,31 @@ unless node['postfix']['smtp_generic_map_entries'].empty?
     owner 'root'
     group node['root_group']
     mode '0644'
-    notifies :run, 'execute[update-postfix-smtp_generic]'
+    notifies :run, 'execute[update-postfix-smtp_generic]', :immediately
     notifies :reload, 'service[postfix]'
   end
 
-  unless node['postfix']['main'].key?('smtp_generic_maps')
-    node.normal['postfix']['main']['smtp_generic_maps'] = "hash:#{node['postfix']['conf_dir']}/smtp_generic"
-  end
+  node.default['postfix']['main']['smtp_generic_maps'] = "hash:#{node['postfix']['conf_dir']}/smtp_generic" unless node['postfix']['main'].key?('smtp_generic_maps')
 end
 
-%w( main master ).each do |cfg|
-  template "#{node['postfix']['conf_dir']}/#{cfg}.cf" do
-    source "#{cfg}.cf.erb"
+execute 'update-postfix-recipient_canonical' do
+  command "postmap #{node['postfix']['conf_dir']}/recipient_canonical"
+  action :nothing
+end
+
+unless node['postfix']['recipient_canonical_map_entries'].empty?
+  template "#{node['postfix']['conf_dir']}/recipient_canonical" do
     owner 'root'
     group node['root_group']
     mode '0644'
-    notifies :restart, 'service[postfix]'
-    variables(settings: node['postfix'][cfg])
-    cookbook node['postfix']["#{cfg}_template_source"]
+    notifies :run, 'execute[update-postfix-recipient_canonical]', :immediately
+    notifies :reload, 'service[postfix]'
   end
+
+  node.default['postfix']['main']['recipient_canonical_maps'] = "hash:#{node['postfix']['conf_dir']}/recipient_canonical" unless node['postfix']['main'].key?('recipient_canonical_maps')
 end
 
 service 'postfix' do
   supports status: true, restart: true, reload: true
-  action :enable
+  action [:enable, :start]
 end

cookbooks/postfix/recipes/access.rb

@@ -1,4 +1,4 @@
-# Copyright:: 2012-2017, Chef Software, Inc.
+# Copyright:: 2012-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -23,5 +23,5 @@ end
 
 template node['postfix']['access_db'] do
   source 'access.erb'
-  notifies :run, 'execute[update-postfix-access]'
+  notifies :run, 'execute[update-postfix-access]', :immediately
 end

cookbooks/postfix/recipes/aliases.rb

@@ -1,4 +1,4 @@
-# Copyright:: 2012-2017, Chef Software, Inc.
+# Copyright:: 2012-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -25,5 +25,5 @@ end
 
 template node['postfix']['aliases_db'] do
   source 'aliases.erb'
-  notifies :run, 'execute[update-postfix-aliases]'
+  notifies :run, 'execute[update-postfix-aliases]', :immediately
 end

cookbooks/postfix/recipes/client.rb

@@ -2,7 +2,7 @@
 # Cookbook:: postfix
 # Recipe:: client
 #
-# Copyright:: 2009-2017, Chef Software, Inc.
+# Copyright:: 2009-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -24,6 +24,9 @@ end
 
 query = "role:#{node['postfix']['relayhost_role']}"
 relayhost = ''
+# if the relayhost_port attribute is not port 25, append to the relayhost
+relayhost_port = node['postfix']['relayhost_port'].to_s != '25' ? ":#{node['postfix']['relayhost_port']}" : ''
+
 # results = []
 
 if node.run_list.roles.include?(node['postfix']['relayhost_role'])
@@ -36,6 +39,6 @@ else
   relayhost = results.map { |n| n['ipaddress'] }.first
 end
 
-node.normal['postfix']['main']['relayhost'] = "[#{relayhost}]"
+node.default['postfix']['main']['relayhost'] = "[#{relayhost}]#{relayhost_port}"
 
 include_recipe 'postfix'

cookbooks/postfix/recipes/default.rb

@@ -2,7 +2,7 @@
 # Cookbook:: postfix
 # Recipe:: default
 #
-# Copyright:: 2009-2017, Chef Software, Inc.
+# Copyright:: 2009-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

cookbooks/postfix/recipes/maps.rb

@@ -1,5 +1,4 @@
-# encoding: utf-8
-# Copyright:: 2012-2017, Chef Software, Inc.
+# Copyright:: 2012-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,7 +14,11 @@
 #
 
 node['postfix']['maps'].each do |type, maps|
-  if node['platform_family'] == 'debian'
+  if platform_family?('debian')
+    package "postfix-#{type}" if %w(pgsql mysql ldap cdb).include?(type)
+  end
+
+  if platform?('redhat') && node['platform_version'].to_i == 8
     package "postfix-#{type}" if %w(pgsql mysql ldap cdb).include?(type)
   end
 
@@ -38,9 +41,7 @@ node['postfix']['maps'].each do |type, maps|
         map: content,
         separator: separator
       )
-      if %w(btree cdb dbm hash sdbm).include?(type)
-        notifies :run, "execute[update-postmap-#{file}]"
-      end
+      notifies :run, "execute[update-postmap-#{file}]" if %w(btree cdb dbm hash sdbm).include?(type)
       notifies :restart, 'service[postfix]'
     end
   end

cookbooks/postfix/recipes/relay_restrictions.rb

@@ -1,4 +1,4 @@
-# Copyright:: 2012-2017, Chef Software, Inc.
+# Copyright:: 2012-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,13 +15,15 @@
 
 include_recipe 'postfix::_common'
 
+postmap_command = platform_family?('rhel') ? '/usr/sbin/postmap' : 'postmap'
+
 execute 'update-postfix-relay-restrictions' do
-  command "postmap #{node['postfix']['relay_restrictions_db']}"
+  command "#{postmap_command} #{node['postfix']['relay_restrictions_db']}"
   environment PATH: "#{ENV['PATH']}:/opt/omni/bin:/opt/omni/sbin" if platform_family?('omnios')
   action :nothing
 end
 
 template node['postfix']['relay_restrictions_db'] do
   source 'relay_restrictions.erb'
-  notifies :run, 'execute[update-postfix-relay-restrictions]'
+  notifies :run, 'execute[update-postfix-relay-restrictions]', :immediately
 end

cookbooks/postfix/recipes/sasl_auth.rb

@@ -3,7 +3,7 @@
 # Cookbook:: postfix
 # Recipe:: sasl_auth
 #
-# Copyright:: 2009-2017, Chef Software, Inc.
+# Copyright:: 2009-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -28,11 +28,9 @@ case node['platform_family']
 when 'debian'
   sasl_pkgs = %w(libsasl2-2 libsasl2-modules ca-certificates)
 when 'rhel'
-  sasl_pkgs = if node['platform_version'].to_i < 6
-                %w(cyrus-sasl cyrus-sasl-plain openssl)
-              else
-                %w(cyrus-sasl cyrus-sasl-plain ca-certificates)
-              end
+  sasl_pkgs = %w(cyrus-sasl cyrus-sasl-plain ca-certificates)
+when 'amazon'
+  sasl_pkgs = %w(cyrus-sasl cyrus-sasl-plain ca-certificates)
 when 'fedora'
   sasl_pkgs = %w(cyrus-sasl cyrus-sasl-plain ca-certificates)
 end

cookbooks/postfix/recipes/server.rb

@@ -3,7 +3,7 @@
 # Cookbook:: postfix
 # Recipe:: server
 #
-# Copyright:: 2009-2017, Chef Software, Inc.
+# Copyright:: 2009-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

cookbooks/postfix/recipes/transports.rb

@@ -1,4 +1,4 @@
-# Copyright:: 2012-2017, Chef Software, Inc.
+# Copyright:: 2012-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,13 +15,15 @@
 
 include_recipe 'postfix::_common'
 
+postmap_command = platform_family?('rhel') ? '/usr/sbin/postmap' : 'postmap'
+
 execute 'update-postfix-transport' do
-  command "postmap #{node['postfix']['transport_db']}"
+  command "#{postmap_command} #{node['postfix']['transport_db']}"
   environment PATH: "#{ENV['PATH']}:/opt/omni/bin:/opt/omni/sbin" if platform_family?('omnios')
   action :nothing
 end
 
 template node['postfix']['transport_db'] do
   source 'transport.erb'
-  notifies :run, 'execute[update-postfix-transport]'
+  notifies :run, 'execute[update-postfix-transport]', :immediately
 end

cookbooks/postfix/recipes/virtual_aliases.rb

@@ -1,4 +1,4 @@
-# Copyright:: 2012-2017, Chef Software, Inc.
+# Copyright:: 2012-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -23,6 +23,6 @@ end
 
 template node['postfix']['virtual_alias_db'] do
   source 'virtual_aliases.erb'
-  notifies :run, 'execute[update-postfix-virtual-alias]'
+  notifies :run, 'execute[update-postfix-virtual-alias]', :immediately
   notifies :restart, 'service[postfix]'
 end

cookbooks/postfix/recipes/virtual_aliases_domains.rb

@@ -1,4 +1,4 @@
-# Copyright:: 2012-2017, Chef Software, Inc.
+# Copyright:: 2012-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -23,6 +23,6 @@ end
 
 template node['postfix']['virtual_alias_domains_db'] do
   source 'virtual_aliases_domains.erb'
-  notifies :run, 'execute[update-postfix-virtual-alias-domains]'
+  notifies :run, 'execute[update-postfix-virtual-alias-domains]', :immediately
   notifies :restart, 'service[postfix]'
 end

cookbooks/postfix/renovate.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:base"],
+  "packageRules": [{
+      "groupName": "Actions",
+      "matchUpdateTypes": ["patch", "pin", "digest"],
+      "automerge": true,
+      "addLabels": ["Release: Patch", "Skip: Announcements"]
+    },
+    {
+      "groupName": "Actions",
+      "matchUpdateTypes": ["major"],
+      "automerge": false,
+      "addLabels": ["Release: Patch", "Skip: Announcements"]
+    }
+  ]
+}

cookbooks/postfix/templates/default/sasl_passwd.erb

@@ -1,4 +0,0 @@
-# Auto-generated by Chef.
-# Local modifications will be overwritten.
-#
-<%= node['postfix']['main']['relayhost'] %> <%= @settings['smtp_sasl_user_name'] %>:<%= @settings['smtp_sasl_passwd'] %>

cookbooks/postfix/templates/mailer.erb

@@ -0,0 +1,10 @@
+#
+# Auto-generated by Chef.
+# Local modifications will be overwritten.
+#
+# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
+#
+sendmail        /usr/local/sbin/sendmail
+send-mail       /usr/local/sbin/sendmail
+mailq           /usr/local/sbin/sendmail
+newaliases      /usr/local/sbin/sendmail

cookbooks/postfix/templates/recipient_canonical.erb

@@ -0,0 +1,9 @@
+#
+# Auto-generated by Chef.
+# Local modifications will be overwritten.
+#
+# See man 5 canonical for format
+
+<% node['postfix']['recipient_canonical_map_entries'].each do |name, value| %>
+<%= name %> <%= value %>
+<% end unless node['postfix']['recipient_canonical_map_entries'].nil? %>

cookbooks/postfix/templates/sasl_passwd.erb

@@ -0,0 +1,8 @@
+# Auto-generated by Chef.
+# Local modifications will be overwritten.
+
+<% if !@settings.nil? && !@settings.empty? -%>
+<%   @settings.sort.map do |relayhost,value| -%>
+<%= relayhost %> <%= value['username'] %>:<%= value['password'] %>
+<%   end -%>
+<% end -%>

cookbooks/unbound/CHANGELOG.md

@@ -0,0 +1,64 @@
+# CHANGELOG
+
+This file is used to list changes made in each version of the unbound cookbook.
+
+## 3.0.2 - *2023-10-02*
+
+- Update Ci files and remove CircleCI config
+
+## 3.0.1 - *2022-09-30*
+
+- Add missing `fallback-enable` setting to `config_authority_zone`
+
+## 3.0.0 - *2022-04-04*
+
+- Add separate configuration resources
+- Default recipe now only runs installation
+- Refactor configuration template to be Hash driven
+
+## 2.0.3 - *2022-03-04*
+
+- resolved cookstyle error: .delivery/project.toml:2:8 convention: `Style/StringLiterals`
+- resolved cookstyle error: .delivery/project.toml:4:10 convention: `Style/StringLiterals`
+- resolved cookstyle error: .delivery/project.toml:5:13 convention: `Style/StringLiterals`
+- resolved cookstyle error: .delivery/project.toml:6:10 convention: `Style/StringLiterals`
+- resolved cookstyle error: .delivery/project.toml:7:9 convention: `Style/StringLiterals`
+- resolved cookstyle error: .delivery/project.toml:8:14 convention: `Style/StringLiterals`
+- resolved cookstyle error: .delivery/project.toml:9:11 convention: `Style/StringLiterals`
+
+## 2.0.2 - *2021-08-31*
+
+- Standardise files with files in sous-chefs/repo-management
+
+## 2.0.1 - *2021-06-01*
+
+- Updated tests folder to match other cookbooks
+- Updated spec platform to supported version
+
+## 2.0.0 - 2020-05-05
+
+- Upgraded to circleci for testing
+- Minimum Chef Infra Client version is now **13.0**
+- Removed unused long_description metadata.rb field
+- Simplify overly complex platform logic
+- Migrate to actions for testing
+
+## [1.0.1]
+
+- Simplify logic with root_group
+- Fix `root_group` not using new_resource
+- Use strings for file modes
+- Resolve foodcritic warnings in the `rr` resource
+- Fix platform_family logic on the service Update platforms.
+- Use dokken images for travis testing.
+- Don't test on debian-8/9 and centos-6 as these services don't currently start.
+- Account for a list of forward-addrs / effectively disable remote control (#27)
+
+## [1.0.0]
+
+- Add new custom resources `unbound_install` & `unbound_configure`
+
+## [0.1.1]
+
+- Adding support and kitchen testing for forward_zone generation
+- Updating to use Sous Chefs guidelines

cookbooks/unbound/LICENSE

@@ -0,0 +1,201 @@
+                              Apache License
+                        Version 2.0, January 2004
+                     http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+   To apply the Apache License to your work, attach the following
+   boilerplate notice, with the fields enclosed by brackets "[]"
+   replaced with your own identifying information. (Don't include
+   the brackets!)  The text should be enclosed in the appropriate
+   comment syntax for the file format. We also recommend that a
+   file or class name and description of purpose be included on the
+   same "printed page" as the copyright notice for easier
+   identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

cookbooks/unbound/README.md

@@ -0,0 +1,78 @@
+# Unbound Cookbook
+
+[![Cookbook Version](https://img.shields.io/cookbook/v/unbound.svg)](https://supermarket.chef.io/cookbooks/unbound)
+[![Build Status](https://img.shields.io/circleci/project/github/sous-chefs/unbound/master.svg)](https://circleci.com/gh/sous-chefs/unbound)
+[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)
+[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)
+[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
+
+Installs and manages the unbound DNS server.
+
+- [http://unbound.net](http://unbound.net)
+
+## Maintainers
+
+This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF).
+
+## Requirements
+
+### Platform
+
+A platform with unbound available as a native package. The following platforms have unbound packaged, but note that the filesystem locations are not consistent and at this time only Linux + FHS is supported.
+
+- Ubuntu/Debian
+- Red Hat/CentOS/Fedora (requires EPEL)
+- FreeBSD
+
+### Chef
+
+- Chef 16
+
+## Resources
+
+- [unbound_config_authority_zone](documentation/unbound_config_authority_zone.md)
+- [unbound_config_cachedb](documentation/unbound_config_cachedb.md)
+- [unbound_config_dns64](documentation/unbound_config_dns64.md)
+- [unbound_config_dnscrypt](documentation/unbound_config_dnscrypt.md)
+- [unbound_config_dnstap](documentation/unbound_config_dnstap.md)
+- [unbound_config_dynamic_library](documentation/unbound_config_dynamic_library.md)
+- [unbound_config_forward_zone](documentation/unbound_config_forward_zone.md)
+- [unbound_config_python_script](documentation/unbound_config_python_script.md)
+- [unbound_config_remote_control](documentation/unbound_config_remote_control.md)
+- [unbound_config_rpz_zone](documentation/unbound_config_rpz_zone.md)
+- [unbound_config_server](documentation/unbound_config_server.md)
+- [unbound_config_stub_zone](documentation/unbound_config_stub_zone.md)
+- [unbound_config_view](documentation/unbound_config_view.md)
+- [unbound_package](documentation/unbound_package.md)
+- [unbound_service](documentation/unbound_service.md)
+
+## Recipes
+
+### default
+
+Installs unbound using defaults.
+
+## Contributors
+
+This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false)
+
+### Backers
+
+Thank you to all our backers!
+
+![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40)
+
+### Sponsors
+
+Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
+
+![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100)
+![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100)

cookbooks/unbound/chefignore

@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

cookbooks/unbound/kitchen.dokken.yml

@@ -0,0 +1,56 @@
+---
+driver:
+  name: dokken
+  privileged: true
+  chef_version: <%= ENV['CHEF_VERSION'] || 'current' %>
+
+transport:
+  name: dokken
+
+provisioner:
+  name: dokken
+
+platforms:
+  - name: centos-7
+    driver:
+      image: dokken/centos-7
+      pid_one_command: /usr/lib/systemd/systemd
+
+  - name: centos-stream-8
+    driver:
+      image: dokken/centos-stream-8
+      pid_one_command: /usr/lib/systemd/systemd
+
+  - name: fedora-latest
+    driver:
+      image: dokken/fedora-latest
+      pid_one_command: /usr/lib/systemd/systemd
+
+  - name: ubuntu-18.04
+    driver:
+      image: dokken/ubuntu-18.04
+      pid_one_command: /bin/systemd
+      intermediate_instructions:
+        - RUN /usr/bin/apt-get update
+
+  - name: ubuntu-20.04
+    driver:
+      image: dokken/ubuntu-20.04
+      pid_one_command: /bin/systemd
+      intermediate_instructions:
+        - RUN /usr/bin/apt-get update
+
+  - name: debian-10
+    driver:
+      image: dokken/debian-10
+      pid_one_command: /bin/systemd
+      intermediate_instructions:
+        - RUN /usr/bin/apt-get update
+
+  - name: debian-11
+    driver:
+      image: dokken/debian-11
+      pid_one_command: /bin/systemd
+      intermediate_instructions:
+        - RUN /usr/bin/apt-get update
+...

cookbooks/unbound/libraries/helpers.rb

@@ -0,0 +1,59 @@
+#
+# Cookbook:: unbound
+# Library:: helpers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module Unbound
+  module Cookbook
+    module Helpers
+      def default_config_dir
+        return '/etc/unbound' if %i(unbound_config unbound_configure unbound_config_server).include?(declared_type)
+
+        return '/etc/unbound/unbound.conf.d' if platform?('debian', 'ubuntu')
+
+        case declared_type
+        when :unbound_config_local
+          '/etc/unbound/local.d'
+        when :unbound_config_key
+          '/etc/unbound/keys.d'
+        else
+          '/etc/unbound/conf.d'
+        end
+      end
+
+      def default_includes_dir
+        case node['platform_family']
+        when 'rhel', 'fedora'
+          %w(/etc/unbound/conf.d/*.conf /etc/unbound/local.d/*.conf)
+        when 'debian'
+          %w(/etc/unbound/unbound.conf.d/*.conf)
+        else
+          raise "Unsupported platform family #{node['platform_family']}"
+        end
+      end
+
+      def unbound_yes_no?(value)
+        case value
+        when true
+          'yes'
+        when false
+          'no'
+        when 'yes', 'YES', 'no', 'NO'
+          value.downcase
+        end
+      end
+    end
+  end
+end

cookbooks/unbound/libraries/template.rb

@@ -0,0 +1,26 @@
+#
+# Cookbook:: unbound
+# Library:: template
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module Unbound
+  module Cookbook
+    module TemplateHelpers
+      def template_partial_indent(output, level, spaces = 2)
+        output.split("\n").each { |l| l.prepend(' ' * (level * spaces)) }.join("\n")
+      end
+    end
+  end
+end

cookbooks/unbound/metadata.json

@@ -0,0 +1,42 @@
+{
+  "name": "unbound",
+  "description": "Manages unbound DNS resolver",
+  "long_description": "",
+  "maintainer": "Sous Chefs",
+  "maintainer_email": "help@sous-chefs.org",
+  "license": "Apache-2.0",
+  "platforms": {
+    "debian": ">= 0.0.0",
+    "ubuntu": ">= 0.0.0",
+    "centos": ">= 0.0.0",
+    "redhat": ">= 0.0.0",
+    "scientific": ">= 0.0.0",
+    "oracle": ">= 0.0.0",
+    "amazon": ">= 0.0.0"
+  },
+  "dependencies": {
+
+  },
+  "providing": {
+
+  },
+  "recipes": {
+
+  },
+  "version": "3.0.2",
+  "source_url": "https://github.com/sous-chefs/unbound",
+  "issues_url": "https://github.com/sous-chefs/unbound/issues",
+  "privacy": false,
+  "chef_versions": [
+    [
+      ">= 16"
+    ]
+  ],
+  "ohai_versions": [
+
+  ],
+  "gems": [
+
+  ],
+  "eager_load_libraries": true
+}

cookbooks/unbound/metadata.rb

@@ -0,0 +1,13 @@
+name             'unbound'
+maintainer       'Sous Chefs'
+maintainer_email 'help@sous-chefs.org'
+license          'Apache-2.0'
+description      'Manages unbound DNS resolver'
+version          '3.0.2'
+issues_url       'https://github.com/sous-chefs/unbound/issues'
+source_url       'https://github.com/sous-chefs/unbound'
+chef_version     '>= 16'
+
+%w(debian ubuntu centos redhat scientific oracle amazon).each do |os|
+  supports os
+end

cookbooks/unbound/recipes/default.rb

@@ -0,0 +1,25 @@
+#
+# Cookbook:: unbound
+# Recipe:: default
+#
+# Copyright:: 2011, Joshua Timberman
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+log 'v3_warning' do
+  message 'Version 3.0.0 of this cookbook removed all configuration actions from the default recipe'
+  level :warn
+end
+
+unbound_package 'unbound'

cookbooks/unbound/renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}

cookbooks/unbound/resources/config_authority_zone.rb

@@ -0,0 +1,93 @@
+#
+# Cookbook:: unbound
+# Resource:: config_authority_zone
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+provides :unbound_config_auth_zone
+
+use 'partials/_config_file'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/authority-zone-#{name}.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :zone_name, String,
+          default: lazy { name }
+
+property :primary, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :master, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :url, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :allow_notify, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :fallback_enabled, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :for_downstream, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :for_upstream, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :zonemd_check, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :zonemd_reject_absence, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :zonefile, String
+
+load_current_value do |new_resource|
+  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)
+
+  if ::File.exist?(new_resource.config_file)
+    owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name
+    group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name
+    mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1]
+  end
+end
+
+action_class do
+  def do_template_action
+    zone_config = {
+      'name' => new_resource.zone_name,
+      'primary' => new_resource.primary.dup,
+      'master' => new_resource.master.dup,
+      'url' => new_resource.url.dup,
+      'allow-notify' => new_resource.allow_notify.dup,
+      'fallback-enabled' => new_resource.fallback_enabled,
+      'for-downstream' => new_resource.for_downstream,
+      'for-upstream' => new_resource.for_upstream,
+      'zonemd-check' => new_resource.zonemd_check,
+      'zonemd-reject-absence' => new_resource.zonemd_reject_absence,
+      'zonefile' => new_resource.zonefile,
+    }.compact
+
+    config = {
+      'auth-zone' => zone_config,
+    }
+
+    perform_config_action(config)
+  end
+end

cookbooks/unbound/resources/config_cachedb.rb

@@ -0,0 +1,67 @@
+#
+# Cookbook:: unbound
+# Resource:: config_cachedb
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+use 'partials/_config_file'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/cachedb.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :backend, String
+
+property :secret_seed, String
+
+property :redis_server_host, String
+
+property :redis_server_port, Integer
+
+property :redis_timeout, Integer
+
+property :redis_expire_records, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+load_current_value do |new_resource|
+  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)
+
+  if ::File.exist?(new_resource.config_file)
+    owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name
+    group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name
+    mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1]
+  end
+end
+
+action_class do
+  def do_template_action
+    cachedb_config = {
+      'backend' => new_resource.backend,
+      'secret-seed' => new_resource.secret_seed,
+      'redis-server-host' => new_resource.redis_server_host,
+      'redis-server-port' => new_resource.redis_server_port,
+      'redis-timeout' => new_resource.redis_timeout,
+      'redis-expire-records' => new_resource.redis_expire_records,
+    }.compact
+
+    config = {
+      'cachedb' => cachedb_config,
+    }
+
+    perform_config_action(config)
+  end
+end

cookbooks/unbound/resources/config_dns64.rb

@@ -0,0 +1,58 @@
+#
+# Cookbook:: unbound
+# Resource:: config_dns64
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+use 'partials/_config_file'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/dns64.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :dns64_prefix, String
+
+property :dns64_synthall, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :dns64_ignore_aaaa, String
+
+load_current_value do |new_resource|
+  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)
+
+  if ::File.exist?(new_resource.config_file)
+    owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name
+    group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name
+    mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1]
+  end
+end
+
+action_class do
+  def do_template_action
+    dns64_config = {
+      'dns64-prefix' => new_resource.dns64_prefix,
+      'dns64-synthall' => new_resource.dns64_synthall,
+      'dns64-ignore-aaaa' => new_resource.dns64_ignore_aaaa,
+    }.compact
+
+    config = {
+      'server' => dns64_config,
+    }
+
+    perform_config_action(config)
+  end
+end

cookbooks/unbound/resources/config_dnscrypt.rb

@@ -0,0 +1,80 @@
+#
+# Cookbook:: unbound
+# Resource:: config_dnscrypt
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+use 'partials/_config_file'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/dnscrypt.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :dnscrypt_enable, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :dnscrypt_port, Integer
+
+property :dnscrypt_provider, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :dnscrypt_secret_key, String
+
+property :dnscrypt_provider_cert, String
+
+property :dnscrypt_provider_cert_rotated, String
+
+property :dnscrypt_shared_secret_cache_size, String
+
+property :dnscrypt_shared_secret_cache_slabs, Integer
+
+property :dnscrypt_nonce_cache_size, String
+
+property :dnscrypt_nonce_cache_slabs, Integer
+
+load_current_value do |new_resource|
+  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)
+
+  if ::File.exist?(new_resource.config_file)
+    owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name
+    group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name
+    mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1]
+  end
+end
+
+action_class do
+  def do_template_action
+    dnscrypt_config = {
+      'dnscrypt-enable' => new_resource.dnscrypt_enable,
+      'dnscrypt-port' => new_resource.dnscrypt_port,
+      'dnscrypt-provider' => new_resource.dnscrypt_provider.dup,
+      'dnscrypt-secret-key' => new_resource.dnscrypt_secret_key,
+      'dnscrypt-provider-cert' => new_resource.dnscrypt_provider_cert,
+      'dnscrypt-provider-cert-rotated' => new_resource.dnscrypt_provider_cert_rotated,
+      'dnscrypt-shared-secret-cache-size' => new_resource.dnscrypt_shared_secret_cache_size,
+      'dnscrypt-shared-secret-cache-slabs' => new_resource.dnscrypt_shared_secret_cache_slabs,
+      'dnscrypt-nonce-cache-size' => new_resource.dnscrypt_nonce_cache_size,
+      'dnscrypt-nonce-cache-slabs' => new_resource.dnscrypt_nonce_cache_slabs,
+    }.compact
+
+    config = {
+      'dnscrypt' => dnscrypt_config,
+    }
+
+    perform_config_action(config)
+  end
+end

cookbooks/unbound/resources/config_dnstap.rb

@@ -0,0 +1,116 @@
+#
+# Cookbook:: unbound
+# Resource:: config_dnstap
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+use 'partials/_config_file'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/dnstap.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :dnstap_enable, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :dnstap_bidirectional, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :dnstap_socket_path, String
+
+property :dnstap_ip, String
+
+property :dnstap_tls, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :dnstap_tls_server_name, String
+
+property :dnstap_tls_cert_bundle, String
+
+property :dnstap_tls_client_key_file, String
+
+property :dnstap_tls_client_cert_file, String
+
+property :dnstap_send_identity, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :dnstap_send_version, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :dnstap_identity, String
+
+property :dnstap_version, String
+
+property :dnstap_log_resolver_query_messages, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :dnstap_log_resolver_response_messages, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :dnstap_log_client_query_messages, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :dnstap_log_client_response_messages, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :dnstap_log_forwarder_query_messages, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :dnstap_log_forwarder_response_messages, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+load_current_value do |new_resource|
+  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)
+
+  if ::File.exist?(new_resource.config_file)
+    owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name
+    group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name
+    mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1]
+  end
+end
+
+action_class do
+  def do_template_action
+    zone_config = {
+      'dnstap-enable' => new_resource.dnstap_enable,
+      'dnstap-bidirectional' => new_resource.dnstap_bidirectional,
+      'dnstap-socket-path' => new_resource.dnstap_socket_path,
+      'dnstap-ip' => new_resource.dnstap_ip,
+      'dnstap-tls' => new_resource.dnstap_tls,
+      'dnstap-tls-server-name' => new_resource.dnstap_tls_server_name,
+      'dnstap-tls-cert-bundle' => new_resource.dnstap_tls_cert_bundle,
+      'dnstap-tls-client-key-file' => new_resource.dnstap_tls_client_key_file,
+      'dnstap-tls-client-cert-file' => new_resource.dnstap_tls_client_cert_file,
+      'dnstap-send-identity' => new_resource.dnstap_send_identity,
+      'dnstap-send-version' => new_resource.dnstap_send_version,
+      'dnstap-identity' => new_resource.dnstap_identity,
+      'dnstap-version' => new_resource.dnstap_version,
+      'dnstap-log-resolver-query-messages' => new_resource.dnstap_log_resolver_query_messages,
+      'dnstap-log-resolver-response-messages' => new_resource.dnstap_log_resolver_response_messages,
+      'dnstap-log-client-query-messages' => new_resource.dnstap_log_client_query_messages,
+      'dnstap-log-client-response-messages' => new_resource.dnstap_log_client_response_messages,
+      'dnstap-log-forwarder-query-messages' => new_resource.dnstap_log_forwarder_query_messages,
+      'dnstap-log-forwarder-response-messages' => new_resource.dnstap_log_forwarder_response_messages,
+    }.compact
+
+    config = {
+      'dnstap' => zone_config,
+    }
+
+    perform_config_action(config)
+  end
+end

cookbooks/unbound/resources/config_dynamic_library.rb

@@ -0,0 +1,48 @@
+#
+# Cookbook:: unbound
+# Resource:: config_dynamic_library
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+use 'partials/_config_file'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/dyn-lib-#{name}.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :dynlib_file, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+load_current_value do |new_resource|
+  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)
+
+  if ::File.exist?(new_resource.config_file)
+    owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name
+    group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name
+    mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1]
+  end
+end
+
+action_class do
+  def do_template_action
+    config = {
+      'dynlib-file' => new_resource.dynlib_file.dup,
+    }
+
+    perform_config_action(config)
+  end
+end

cookbooks/unbound/resources/config_forward_zone.rb

@@ -0,0 +1,80 @@
+#
+# Cookbook:: unbound
+# Resource:: config_forward_zone
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+use 'partials/_config_file'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/forward-zone-#{name}.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :zone_name, String,
+          default: lazy { name }
+
+property :forward_host, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :forward_addr, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :forward_first, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :forward_tls_upstream, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :forward_ssl_upstream, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :forward_tcp_upstream, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :forward_no_cache, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+load_current_value do |new_resource|
+  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)
+
+  if ::File.exist?(new_resource.config_file)
+    owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name
+    group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name
+    mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1]
+  end
+end
+
+action_class do
+  def do_template_action
+    zone_config = {
+      'name' => new_resource.zone_name,
+      'forward-host' => new_resource.forward_host.dup,
+      'forward-addr' => new_resource.forward_addr.dup,
+      'forward-first' => new_resource.forward_first,
+      'forward-tls-upstream' => new_resource.forward_tls_upstream,
+      'forward-ssl-upstream' => new_resource.forward_ssl_upstream,
+      'forward-tcp-upstream' => new_resource.forward_tcp_upstream,
+      'forward-no-cache' => new_resource.forward_no_cache,
+    }.compact
+
+    config = {
+      'forward-zone' => zone_config,
+    }
+
+    perform_config_action(config)
+  end
+end

cookbooks/unbound/resources/config_python_script.rb

@@ -0,0 +1,53 @@
+#
+# Cookbook:: unbound
+# Resource:: config_python_script
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+use 'partials/_config_file'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/python-script-#{name}.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :python_script, [String, Array],
+          coerce: proc { |p| Array(p) },
+          required: true
+
+load_current_value do |new_resource|
+  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)
+
+  if ::File.exist?(new_resource.config_file)
+    owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name
+    group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name
+    mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1]
+  end
+end
+
+action_class do
+  def do_template_action
+    declare_resource(:package, 'python3-unbound')
+
+    config = {
+      'python' => {
+        'python-script' => new_resource.python_script.dup,
+      },
+    }
+
+    perform_config_action(config)
+  end
+end

cookbooks/unbound/resources/config_remote_control.rb

@@ -0,0 +1,77 @@
+#
+# Cookbook:: unbound
+# Resource:: config_remote_control
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+use 'partials/_config_file'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/remote-control.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :control_enable, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :control_interface, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :control_port, Integer
+
+property :control_use_cert, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :control_key_file, String
+
+property :control_cert_file, String
+
+property :server, String
+
+property :server_key_file, String
+
+property :server_cert_file, String
+
+load_current_value do |new_resource|
+  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)
+
+  if ::File.exist?(new_resource.config_file)
+    owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name
+    group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name
+    mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1]
+  end
+end
+
+action_class do
+  def do_template_action
+    remote_control = {
+      'control-enable' => new_resource.control_enable,
+      'control-interface' => new_resource.control_interface.dup,
+      'control-port' => new_resource.control_port,
+      'control-use-cert' => new_resource.control_use_cert,
+      'control-key-file' => new_resource.control_key_file,
+      'control-cert-file' => new_resource.control_cert_file,
+      'server-key-file' => new_resource.server_key_file,
+      'server-cert-file' => new_resource.server_cert_file,
+    }.compact
+
+    config = {
+      'remote-control' => remote_control,
+    }
+
+    perform_config_action(config)
+  end
+end

cookbooks/unbound/resources/config_rpz_zone.rb

@@ -0,0 +1,98 @@
+#
+# Cookbook:: unbound
+# Resource:: config_rpz_zone
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+use 'partials/_config_file'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/rpz-zone-#{name}.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :zone_name, String,
+          default: lazy { name }
+
+property :primary, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :master, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :url, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :allow_notify, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :zonefile, String
+
+property :rpz_action_override, [String, Symbol],
+          equal_to: %w(nxdomain nodata passthru drop disabled cname),
+          coerce: proc { |p| p.to_s }
+
+property :rpz_cname_override, String
+
+property :rpz_log, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :rpz_log_name, String
+
+property :rpz_signal_nxdomain_ra, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :for_downstream, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :tags, [String, Array],
+          coerce: proc { |p| "\"#{p.to_a.join(' ')} \"" }
+
+load_current_value do |new_resource|
+  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)
+
+  if ::File.exist?(new_resource.config_file)
+    owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name
+    group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name
+    mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1]
+  end
+end
+
+action_class do
+  def do_template_action
+    zone_config = {
+      'name' => new_resource.zone_name,
+      'primary' => new_resource.primary.dup,
+      'master' => new_resource.master.dup,
+      'url' => new_resource.url.dup,
+      'allow-notify' => new_resource.allow_notify.dup,
+      'zonefile' => new_resource.zonefile,
+      'rpz-action-override' => new_resource.rpz_action_override,
+      'rpz-cname-override' => new_resource.rpz_cname_override,
+      'rpz-log' => new_resource.rpz_log,
+      'rpz-log-name' => new_resource.rpz_log_name,
+      'rpz-signal-nxfomain-ra' => new_resource.rpz_signal_nxdomain_ra,
+      'for-downstream' => new_resource.for_downstream,
+      'tags' => new_resource.tags.dup,
+    }.compact
+
+    config = {
+      'rpz' => zone_config,
+    }
+
+    perform_config_action(config)
+  end
+end

cookbooks/unbound/resources/config_server.rb

@@ -0,0 +1,58 @@
+#
+# Cookbook:: unbound
+# Resource:: config_server
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+provides :unbound_config_server
+provides :unbound_configure
+provides :unbound_config
+
+use 'partials/_config_file'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/unbound.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :include, [String, Array],
+          default: lazy { default_includes_dir },
+          coerce: proc { |p| Array(p) }
+
+property :server, Hash,
+          default: {},
+          description: 'Server configuration as a Hash'
+
+load_current_value do |new_resource|
+  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)
+
+  if ::File.exist?(new_resource.config_file)
+    owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name
+    group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name
+    mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1]
+  end
+end
+
+action_class do
+  def do_template_action
+    config = {
+      'include' => new_resource.include.dup,
+      'server' => new_resource.server.dup,
+    }.compact
+
+    perform_config_action(config)
+  end
+end

cookbooks/unbound/resources/config_stub_zone.rb

@@ -0,0 +1,84 @@
+#
+# Cookbook:: unbound
+# Resource:: config_stub_zone
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+use 'partials/_config_file'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/stub-zone-#{name}.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :zone_name, String,
+          default: lazy { name }
+
+property :stub_host, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :stub_addr, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :stub_prime, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :stub_first, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :stub_tls_upstream, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :stub_ssl_upstream, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :stub_tcp_upstream, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+property :stub_no_cache, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+load_current_value do |new_resource|
+  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)
+
+  if ::File.exist?(new_resource.config_file)
+    owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name
+    group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name
+    mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1]
+  end
+end
+
+action_class do
+  def do_template_action
+    zone_config = {
+      'name' => new_resource.zone_name,
+      'stub-host' => new_resource.stub_host.dup,
+      'stub-addr' => new_resource.stub_addr.dup,
+      'stub-prime' => new_resource.stub_prime,
+      'stub-first' => new_resource.stub_first,
+      'stub-tls-upstream' => new_resource.stub_tls_upstream,
+      'stub-ssl-upstream' => new_resource.stub_ssl_upstream,
+      'stub-tcp-upstream' => new_resource.stub_tcp_upstream,
+      'stub-no-cache' => new_resource.stub_no_cache,
+    }.compact
+
+    config = {
+      'stub-zone' => zone_config,
+    }
+
+    perform_config_action(config)
+  end
+end

cookbooks/unbound/resources/config_view.rb

@@ -0,0 +1,68 @@
+#
+# Cookbook:: unbound
+# Resource:: config_view
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+use 'partials/_config_file'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/view-#{name}.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :zone_name, String,
+          default: lazy { name }
+
+property :local_zone, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :local_data, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :local_data_ptr, [String, Array],
+          coerce: proc { |p| Array(p) }
+
+property :view_first, [String, true, false],
+          coerce: proc { |p| unbound_yes_no?(p) }
+
+load_current_value do |new_resource|
+  current_value_does_not_exist! unless ::File.exist?(new_resource.config_file)
+
+  if ::File.exist?(new_resource.config_file)
+    owner ::Etc.getpwuid(::File.stat(new_resource.config_file).uid).name
+    group ::Etc.getgrgid(::File.stat(new_resource.config_file).gid).name
+    mode ::File.stat(new_resource.config_file).mode.to_s(8)[-4..-1]
+  end
+end
+
+action_class do
+  def do_template_action
+    zone_config = {
+      'name' => new_resource.zone_name,
+      'local-zone' => new_resource.local_zone.dup,
+      'local-data' => new_resource.local_data.dup,
+      'local-data-ptr' => new_resource.local_data_ptr.dup,
+      'view-first' => new_resource.view_first,
+    }.compact
+
+    config = {
+      'view' => zone_config,
+    }
+
+    perform_config_action(config)
+  end
+end

cookbooks/unbound/resources/package.rb

@@ -0,0 +1,36 @@
+#
+# Cookbook:: unbound
+# Resource:: package
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+provides :unbound_install
+
+property :packages, [String, Array],
+          coerce: proc { |p| p.is_a?(Array) ? p : [ p ] },
+          default: %w(unbound),
+          description: 'Unbound packages to install.'
+
+action_class do
+  def do_package_action(action)
+    package 'unbound' do
+      package_name new_resource.packages
+      action action
+    end
+  end
+end
+
+%i(install upgrade remove).each { |pkg_action| action(pkg_action) { do_package_action(action) } }

cookbooks/unbound/resources/partials/_config_file.rb

@@ -0,0 +1,122 @@
+#
+# Cookbook:: unbound
+# Resource:: _config_file
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+include Unbound::Cookbook::Helpers
+
+property :owner, String,
+          default: 'root',
+          description: 'Set to override config file owner. Defaults to root.'
+
+property :group, String,
+          default: 'unbound',
+          description: 'Set to override config file group. Defaults to unbound.'
+
+property :mode, String,
+          default: '0640',
+          description: 'Set to override config file mode. Defaults to 0640.'
+
+property :directory_mode, String,
+          default: '0750',
+          description: 'Set to override config directory mode. Defaults to 0750.'
+
+property :config_dir, String,
+          default: lazy { default_config_dir },
+          desired_state: false,
+          description: 'Set to override unbound configuration directory.'
+
+property :config_file, String,
+          default: lazy { "#{config_dir}/#{name}.conf" },
+          desired_state: false,
+          description: 'Set to override unbound configuration file.'
+
+property :cookbook, String,
+          default: 'unbound',
+          desired_state: false,
+          description: 'Template source cookbook for the unbound configuration file.'
+
+property :template, String,
+          default: 'unbound.conf.erb',
+          desired_state: false,
+          description: 'Template source file for the unbound configuration file.'
+
+property :sensitive, [true, false],
+          desired_state: false,
+          description: 'Ensure that sensitive resource data is not output by Chef Infra Client.'
+
+property :sort, [true, false],
+          default: true
+
+property :template_properties, Hash,
+          default: {}
+
+property :extra_options, Hash,
+          default: {}
+
+action_class do
+  def deepsort?
+    return if defined?(DeepSort)
+
+    begin
+      Gem::Specification.find_by_name('deepsort')
+    rescue Gem::MissingSpecError
+      declare_resource(:chef_gem, 'deepsort')
+    end
+
+    require 'deepsort'
+
+    true
+  end
+
+  def perform_config_action(config)
+    directory new_resource.config_dir do
+      owner new_resource.owner
+      group new_resource.group
+      mode new_resource.directory_mode
+
+      recursive true
+
+      action new_resource.action.eql?(:delete) ? :delete : :create
+    end
+
+    config.merge!(new_resource.extra_options.dup) unless new_resource.extra_options.empty?
+
+    if new_resource.sort
+      deepsort?
+      config.deep_sort!
+    end
+
+    template new_resource.config_file do
+      cookbook new_resource.cookbook
+      source new_resource.template
+
+      owner new_resource.owner
+      group new_resource.group
+      mode new_resource.mode
+      sensitive new_resource.sensitive
+
+      helpers(Unbound::Cookbook::TemplateHelpers)
+
+      variables(content: config)
+
+      action new_resource.action
+    end
+  end
+end
+
+%i(create create_if_missing delete).each { |action_type| action(action_type) { do_template_action } }

cookbooks/unbound/resources/service.rb

@@ -0,0 +1,69 @@
+#
+# Cookbook:: unbound
+# Resource:: service
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+property :service_name, String,
+          default: 'unbound',
+          description: 'The service name to perform actions upon'
+
+property :config_test, [true, false],
+          default: true,
+          description: 'Perform configuration file test before performing service action'
+
+property :config_test_fail_action, Symbol,
+          equal_to: %i(raise log),
+          default: :raise,
+          description: 'Action to perform upon configuration test failure.'
+
+action_class do
+  def perform_config_test
+    cmd = shell_out('/usr/sbin/unbound-checkconf')
+    cmd.error!
+  rescue Mixlib::ShellOut::ShellCommandFailed
+    if new_resource.config_test_fail_action.eql?(:log)
+      Chef::Log.error("Configuration test failed, #{new_resource.service_name} #{action} action aborted!\n\n"\
+                      "Error\n-----\n#{cmd.stderr}")
+    else
+      raise "Configuration test failed, #{new_resource.service_name} #{action} action aborted!\n\n"\
+            "Error\n-----\nAction: #{action}\n#{cmd.stderr}"
+    end
+  end
+
+  def do_service_action(service_action)
+    with_run_context(:root) do
+      if %i(start restart reload).include?(service_action)
+        if new_resource.config_test
+          perform_config_test
+          Chef::Log.info("Configuration test passed, creating #{new_resource.service_name} #{new_resource.declared_type} resource with action #{service_action}")
+        else
+          Chef::Log.info("Configuration test disabled, creating #{new_resource.service_name} #{new_resource.declared_type} resource with action #{service_action}")
+        end
+
+        declare_resource(:service, new_resource.service_name) { delayed_action(service_action) }
+      else
+        declare_resource(:service, new_resource.service_name) { action(service_action) }
+      end
+    end
+  end
+end
+
+%i(start stop restart reload enable disable).each { |action_type| action(action_type) { do_service_action(action_type) } }
+
+action :test do
+  converge_by('Performing configuration test') { perform_config_test }
+end

cookbooks/unbound/templates/default/partials/_generic_config.erb

@@ -0,0 +1,22 @@
+<% unless @content.nil? -%>
+<% @content.each do |key, value| %>
+<% case value %>
+<% when nil %>
+<%= key %>
+<% when String, Numeric %>
+<%= key %><% if @separator %><%= @separator %><% end %> <%= value %>
+<% when Array %>
+<% value.each do |val| %>
+<% if val.is_a?(Hash) %>
+<%= key %><% if @separator %><%= @separator %><% end %>
+<%= template_partial_indent(render('partials/_generic_config.erb', cookbook: 'unbound', variables: { content: val, separator: ':' }), 1, 2) %>
+<% else %>
+<%= key %><% if @separator %><%= @separator %><% end %> <%= val %>
+<% end %>
+<% end %>
+<% when Hash %>
+<%= key %><% if @separator %><%= @separator %><% end %>
+<%= template_partial_indent(render('partials/_generic_config.erb', cookbook: 'unbound', variables: { content: value, separator: ':' }), 1, 2) %>
+<% end %>
+<% end %>
+<% end %>

cookbooks/unbound/templates/default/unbound.conf.erb

@@ -0,0 +1,5 @@
+#
+# Generated by Chef Infra for <%= node['fqdn'] %>
+# Do NOT modify this file by hand, any changes will be overwritten.
+
+<%= render('partials/_generic_config.erb', cookbook: 'unbound', variables: { content: @content, separator: ':' }) %>

data_bags/credentials/akkounts.json

@@ -1,37 +1,72 @@
 {
   "id": "akkounts",
   "postgresql_username": {
-    "encrypted_data": "W+Ia820+uYCAED9LRkQ1ZVe//56GRS5u0HrG\n",
-    "iv": "NpuVENC7C5FCjsEz\n",
-    "auth_tag": "KbqVv27nTc4qm7kzRWcjUQ==\n",
+    "encrypted_data": "bDlOkEmhvMgyVzPeTNUzYnzRLf3T9cc0cDxt\n",
+    "iv": "GCCUoqU5pxQ7fGkv\n",
+    "auth_tag": "Q7mrSHIBluMe3CGVmoR86Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "postgresql_password": {
-    "encrypted_data": "gPzUikJ3vBhjEzor0ie2341VPLRHNIvGvuD+HBwldw==\n",
-    "iv": "Jsnldm8Bx9IzXMNy\n",
-    "auth_tag": "63YXFGVxHn23X+/11qwTSA==\n",
+    "encrypted_data": "wD0HtdsNe/hl4ZaOy8hyr2k4z8TXQrrSja3KNVE47w==\n",
+    "iv": "tb5yz8WDer0CsGvJ\n",
+    "auth_tag": "/+K2anuCff/6M7Pu70Smqw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "sentry_dsn": {
-    "encrypted_data": "3aC1Nc+WiJIn+jc4HY4Rb1WAqCqEurbOLXhbah4zSIbVIaNGEKzaoC+IA+qi\nV1jAVxbE0A1w91MrGE6HNa+oMjiTMurYx7JzVBIpCm01rgo=\n",
-    "iv": "SxEbTBYY2Pa5BzAF\n",
-    "auth_tag": "zGkIpM/aeyuNm2F0I3VAcA==\n",
+    "encrypted_data": "jCz681x0WVixHYZUb62TO+1cgyJMiJ2UMqWcaztx57yDBOIiKW3oSZjuXdhP\n9WCesfXQF/lgzITZno3IKDqzlKjWgbGLC75y8FLguxidCHI=\n",
+    "iv": "IRNOzN/hLwg1iqax\n",
+    "auth_tag": "eg9dWnEK04JDb94e4CFa9Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "rails_master_key": {
-    "encrypted_data": "cWOeQYNzOjgDNi7ZpkMC/jN7nSPyODYRhA6EIhhihzPxkEDt+/4HGNAhLHGK\nlJiQeRD/\n",
-    "iv": "Svsvx9gsO9OQs9RV\n",
-    "auth_tag": "mXVNNo13F6FddhWnri1yHQ==\n",
+    "encrypted_data": "nUB77VLRp41rluH7hLBwQqPtnh/HsmfLr2VbcIZHWawL3o2TGuY+mj648f9L\n7XsEpgqY\n",
+    "iv": "fpdbDitqTRHxEKiv\n",
+    "auth_tag": "I44fn8Ott3L/Y5LYr56U/Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "discourse_connect_secret": {
-    "encrypted_data": "BQcE5fUkiqJyuOR1dR9vNyxWzgWGX1Wl1WINJDGJ1sJiajrgAspPgDt0dX5L\nhxG8CQ==\n",
-    "iv": "UKpt0F1FODuosQ9u\n",
-    "auth_tag": "MLgv0jR9MhWGmQNUkA8GUQ==\n",
+    "encrypted_data": "ENtMn+1XTVFmdEZw7LU6WGoMbSZY654ggm3vPACGfFgqo6r0LhG60c5OTdqv\nZvT5/Q==\n",
+    "iv": "bL1BmvRhgxFqSM1P\n",
+    "auth_tag": "sEBZzGWwwYFHn+4B4SsyCA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "lndhub_admin_token": {
+    "encrypted_data": "4LPGFoARzI8UYnsJPIk8sax/rAA16pUULEZWn86e2C7L\n",
+    "iv": "nvjXrOwgfgutwEVw\n",
+    "auth_tag": "A89RUf1sdcS3FVscNPWYLg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "btcpay_auth_token": {
+    "encrypted_data": "ky5iWYF06os0Ek6vIRzWqMTekqJhCOh/Q9DTDIeKhSyk8TnT3O71lCNEt1F5\nXCNq6ux3V6oyHVLWj0o=\n",
+    "iv": "zk6WnxsY89oNW1F9\n",
+    "auth_tag": "FAIMXKvQ1T7QKezVSNJbwQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_access_key": {
+    "encrypted_data": "KfhfEGwPjOonlz6rpnNTinXFPqX/sIbqQn/aby0UDi/G/7cvEcOiNcCkfuSz\n",
+    "iv": "Q3rg06v6K9pUDLDY\n",
+    "auth_tag": "G5ugdlJ896KtYtObKLclJA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_secret_key": {
+    "encrypted_data": "N8s1OoDrYXHjqSydQA0kY7dd68Aelq4+/cgmJlYfP92u4YA17V4TR7fsvQZL\nkqjuUSClNYPc0XiCwf/5gxVirE9AO6OmmvSV7lUyu4hcEY6unrU=\n",
+    "iv": "bXzIVWnX6V0P6PRb\n",
+    "auth_tag": "1EOjCfsX9P6ETjUsgBvBsA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "nostr_private_key": {
+    "encrypted_data": "Sf8PEyQ0sqcgxddSlIDxLOVzPjOkTFObsYuTgcxkbEV7igrati4e8QVVUEBD\n1yoLJXelp8jlCr28Ectci29jc53gYSMTLSQsw97uYas2R0dGCqQ=\n",
+    "iv": "+1CIUyvIUOveLrY4\n",
+    "auth_tag": "GDqS+IuAIfMBmHIeFXaV7A==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/borg.json

@@ -1,23 +1,30 @@
 {
   "id": "borg",
   "ssh_key": {
-    "encrypted_data": "znPXuD/hMY4+1eihuSx1sB/QKohd92B8/TkZd5g+J+uH1yedbeKosc+q7fJT\njlFy0ebySS5URB1O5ij4/YbulnhcNhYb5/ozf6GnhBl2VlmQD0fdE+NlSlGf\nB6nM+qbvtR9V2sAtaVaugILHy4jD/y1jBnh3VyoKtiLG9WrPe1Q5gwTxEDLi\nn7qpcamZt1D5QB+6kMpVqAmL4oV0oFervfrRcf1QyR0vriwdAMz2+iuQ6/Cq\nyRSDkuaGChrX3W8hd+WkaQaU3ak6A2Ih9iO8MIa9j75FpzCDnBl0A1WLvzeC\ngILDFT0J1eSnDhAZfpOPZxCkaGB6ueop1BwWGhtmDZns1IdKccKRhK56i7BC\nGaJv8nDYxmSq90RYZdhnmbVPCyNrbcj+Pkun+N/us7WE2mYZZTXXy0CE1WMC\n0xglisNS06ODTToD8dmv3wLqeS4yk0Ws9JypWxjUS0NGc9k/uGa5MGIBxJfm\nsi4X0ZaoxMPHmNnOCMMIC0MQE82tBtA3tM2mxd6rohgtdtpo9cxsKWW2Pu3O\nW6Wq/A3d4X/9+LbjQKe48gqCeuZXanJxniBtdm2Z08Yi30/lQRwhauGXP1FT\nyot2FVZLLdTHaDHdcaUjU8A/NJsS+DRPWT8xAk1w1jVPytQMZUrPUYbjPXTu\nhqj24Qyyxb836y23hVCNrrRJg35Mb/mHy8LEbxJ1cxoekAR8d5r+yR5UF72j\nDLg+7fEqzIoSqjFB5Ho2hemTzajxwD2d+FATxQN7C+T1LBenDE/cw0HTKV/H\nnjPvb+bLfhCVb0xdkTlFlnF4WUn32tEQhTGrXefQcSV94Go75MoegIflwNo4\nnOsEOeD9VSwRKqsJ82pjRFaGr7HovakeqE/itruvEKGKn+53Sc9xVRgnyve7\nsQ0vdbVSsH6dBQJYDgSUdNNU9PXbqRqbk3CqFpQAEaxoy6mE9oPK89Mdx9mF\no9B8G291d1GvaOSvJjvlzlWmqUCYhQLR+HTeHf+5gp1dSJRlL3b55m1x7PCC\nB4Ma6XLo9gdF/XXGfZE98vg/MJ5w0JjLYouU/v8BaHNWdrxo5MEoky246LmL\ntLY57TbfGu8HTmvScir43hevIC4JqDHJhUQrz3vmd1yFcUBgWIqEYv6guU8K\nW9cYS+LBwbKDg7uXOx93P5pgPzMZbS0aBPt0QCwIwGmhQTPba+WWh6rPwNkl\nV4HRG0TgFJ8skgKWLhEMOYC02KRT/ve+OJ1LawqIK5BsMK81KoX2Drf7Oyba\nOkekMHsA9T6woSjIBTouKIz8r09vkJe9W/0pN7Y/NtE+y+FuZlKC1peafc3x\nE4ZhNotHtyAydsB6NgxpjkBNxUsVe+DlTyGCzEis/pG2XREUniiqd5DhbPKM\nH9EkXiRrtvrmD792ca8lGfMYTNOcoLD1vRlzFmHCjE7NOKAZ4lEwZWEGnxwp\nIEJFCScdPmDxK0uqMw2DaEjlAVblg1EOcs1xG4JwOcY/aWkuslp2MrmOIh7a\nSUdlr+SBi7faEMIslG24s3noDD4DFU5CQSb0ErH6j02VsUi90QYrm9XCkfEl\n2OcbvC9KICmKEj1mxvTQLBALtyTJGXIOzPbxp/Dw2a9o/WnsWDaXhTcLGqdu\nNn3ghESEb1G+pYHJa7lJ62RSQTpRp19gpdUS8SRhqwUkceFCnuuFST3SmspU\ngpjY8xsRZ3h9fzI/ob1nan5pXnzZCf76X7bGL3DqNlpq1SkdGI5NaN7ko42u\nkPafYy6MiAU6lYvg4G4pobJu8qnGcX9Wuf4K2Jl7niOQTUDIwjyrd+1uI9S2\nn5rLmwhQFxPrT/FuLg3nYAohrnAuMDXFQ13XO0q9smaSZDXPheGdTxT4HRTE\nkN1oAvvmhtVbBqNbKBY09Dn1khiUa3mIineJ6wuKS1buiTDlLGiSPAXhaJRB\naplbJLGjtBXSGiAuxHEb2l/G/kIa71R7Vc7h2fYzAXFbPhApllEof43cZVtM\n9kN1m2bshbAG2boD51jb9P4C9H73ICJXGDAUVvScgYAIs4YnCVFIPdmU6dP+\nd4yZTM9bxuezUI2sj6cpWcq8H9+skZjRY+J2vKH/twAaWcnxLUxKfLuUAWNy\nH63iRIAhaWfl3k6dhPbYFnsxrrch99NuMTAEyE5vykiCMg8WlCmittteGyIq\nfOs9eFaoNRkf4Qh5IrOUoPhXO/8Jw7eY3aK2bQvGuutlfxOYsFJWjK3qT7RQ\nAeyv639jDn1W3vvOlFX5+Xx8R5IZLVdElAe39y6rgw27pMZT+IJew/j5EF2j\nsinxUvARi98wW+NP8WXV5CMFXh2JnmxfTLvdsWHJlB/XyktIiJE4KaHlNIaV\nxLdKmarS3hS31DQmpB2LDGPp8QFyV9kY0gvE282A1Fs0w01pByKDcMmvr3pD\nHh40DfYt4ZTJGnLP69IKt3328KEeMlHqns22zZuAidMus1o6k4YkF1WNpZn2\nSdXVG0hcdnvRC4qKdVv+TBFuPSy68cdwPeHs612hcezoHi2pbTkM2YKDJ75m\nvqaBzdpSDcuKVovuwBt3/guHoLD2ipRM0EfZ208aKiuOuYXwGD3PPm5WKUvd\nBSiZw7p37QY6zYh0/bTN2FumftYWz7mrZL4pFIcd8m/tSlU537+TnCbPm1KT\nWFVFBonxsyhHnZC4X0YQQTZ0V9TKCGWdVUgRxZwwQ/0acxFe1j1bqVnDBxR6\nH98xnEPvEh6bHpHujwcdCKTN4AbIJcFVKuCyvl/OtzMBjUXVKOAZcRS42TvY\nkhzQXiOOKqoE29aNDtQ/VRC8s1aN6L6xCorlCcBBurMcmDdJy+r4YUrNqmEA\nZQwFecRXxwzguk6GR3m8RzY1iDRSqm+yCMqjWKx6eycV91izjXbueT45g3Hn\nSqw2cw6rowGZUEcP3vRdHyxsJSEG2kPvU9JLzgkCwUovtlbdHee2JkV9TdkF\nzEMxjA9B5mxPp5lMFj8jhHhzDmZRxpW/EUBZCkZh5SVbGeg6qTFKRS6zZPYC\nkfv0XICx154cOj0TsW4QHxTHLOV9r93HIPihZDHg2udN7JhYfwsO4RbwDQEv\nxumaM3NTGrXOBxV2vtYSoGSQOmCd8X+gXKxKtTeaV4rCm2aIGVsdfeYQTNSD\nrBxetCJdGB0DrEAr/9bJ5RS2CB9JmEa4ktMHEFTmvTqhWu4Ye2TJBC+H/yqP\nNrYQ4+5lYnZ4BuvxKBvhbH52UURqG27NwQXmFd/h3NlI5GVi5tveRO1+3F1j\ncMTgj49UCB2SNndcJDkK9z7kSBdnmtNo3m3/K9wucw9NxH7sM0yrgeQupbrU\nlgsobzoGluvBijJlp6A7qy4AoOsDGoo4gevK23CR8XN+droGY2RGWThWGuPZ\np7hsG/0f6ICQmU8ARsj/Civ9EbGe/2ZnlHafBtRhmfpZp2/Y7UxX6pmcNARB\nj8Gmr9DWiUXKUBtIkiBSTr7keRF8GuaXSc4pz1phKuAhngy7rYuMhqQr7Sw0\nJCk7cwdvZdq/erjtIh/AHJOPboUCalsLfTdMJguuocUuQr+SEg==\n",
-    "iv": "3uagVTqoXUcWvs9W\n",
-    "auth_tag": "s3wlsnLRHCI2NjC6/ZwbiQ==\n",
+    "encrypted_data": "oK6Q98lJxmXGtnV9EjkgXmcObYt4eHlI6DMTRVrKn5zEBTBH7e66oXpx1nW9\nyvbxrDkJsgAEsx5ty3ktVwGgziZIGB9AnXbtVw0C/uQZ/omNtzL+J7l7MTHS\nfdUboBX2U3WI7oO+DPVHcfSB9ua5OqSdxw+arYjMd2iJUJ3EL5W6OcUfmYEz\nytmcqIol0/3f0xJ02Zj1YejZ3LTcZ2NG3nYFe0V5VJXBCtYeBnvFqpTkaRvm\nB1BdzslaFTWpjlNbOFjSWkl/Ky98En9I2nPFghgwr0W2/niTo5jcdS6wpNGt\nZKRSoF7ShJVlwMW+82WY5XdAJQFUuCDXroaOlu101dz1capzvcAow7J3I+Pm\nd3ylMal41sPiDRaUdLeFFkcinXZpu3PmCwehISDB4adVQMVkicUiusNjMqlU\nX5Dp7ALCJKkl0TMRTDho5+RqWYRNN8XJ6cxTsy3WrXND6ytw50A2fakT/Nds\n3qAWWuKh0HExVvQXJoB/uej0BIC37HNJg4OeD/oOCStoTD9D7an2SkP9Qopg\n7yBYMLqS2lOI8/avCDI/bwkPlIe0LtKomcNuE33bGeasrO4Hqi/v4R2Fzx3C\ntelWtWoKX+aJUylCBOEf11Xbkfm5BV6WitrfkAMfLwa+vBvMYbRp+58L8uVx\nNvjCYqrSArKcTHh6FdqFmljj/Lssfn5Y0EaRJ0oA/i+4XhnyNNDC52LyjVbY\ne2399bX/SAxh4MeJM4CbCn1qEELioQJznJhnt8jmCEHbMJ7s34ewJWMaPfAa\n6Tl2QGxsbSqHDkcINdxl6MIy/v2NInIH8Wjo/AlSoU9fjWlxPafE40f27/8v\nGQdXRNM5/BbADrSr2MFPTqJdTSKjC8a3m6LaHJg6sON+JtsAmflV2mZ2qKhg\n1klfj9Qvr2MwC5a6xseuAbpQoAVfle/+iQI3l5hYxaSanCPUzwkD5RSL/YfX\nwWxT9WmkC7+iHif5ZkZ4YwMSdt+NJcULqYGot2f+gugYFsYGvdGc+8UVH6wM\n1W/iLOZU4KZ1wAZvoh/rMiZN3Z5yUMHc0LDUY+1pZSBylPauvrkjVRYSD9K+\n+KX1gkvwsgn3+AVqZZ2Kqlj/6oFqdXdEHnbqZAhWBRmNrHu5lcrc4QUmaSqN\n+UlWLXfK5FGBaGVm6Bzz2tHzUTNjxrJKkrx1WK6pm/qGFiRsCMDJMJtLyD0/\n0g6vtD8jf2OYZudayGOHQhfTrQRD3ByAhjeprXTc4sUxt2ogLN+23FIaswbE\nAcL9R/un1Ym7OPUBE3KNJ9GE524Op9I+7XPr9JEC2R9DqVcm6XYbS5u7YB5g\n5W1OK0KX3AC1dt8Tkezp+Rp3nV86UUJFCQcWUXc51+lNk31BUtuUGIGbnFdZ\nm9m5xlNmApvQ/25y0Nbw2QhmB/4l8Aqj+OGXLHWLv2DFfxwxUfyUZCzYg1XS\nTFr58cDSCmHFMkJDPzY6YBasgPMSRgdZDdJMXSumpO5wqygcgqtT9LiT073X\n2DfG1tIAx2F4H1HuxAnLygQxVf33eGJVMJbPuDCo2G2uvJYfj2zJJQsBsBgZ\n5XD1rEyjLuekfLysn2G3ZMLczWSn2oyvxt/+gUGhfij84YsQp415W+7LJY+1\nd+3F7+qyYnOE2uTzmqk63IZ9sSPIM8seXUKrWd95KtjKG/zvILW5ksye3X3R\nwsVSeu/+tATxZhFH0bdgo+vcZB+CA8IhUqdjigKTSQo3O/CMqPn2yKhY9j3D\nBabR6Vo1Ip68n6dfbZ/DtrPmcm+XD8fxflm0Ssx/vbRsiPn2zwPDWek92TKP\n8Y9rD8t+H6hoDKXLJZWpJPhAtnjJWkpY4qVErtoDQ5yfViuC+qlfpoRlRa4R\nQsiSYERhqeXZeWLMk/hwoEx32DhgOwLhfX6NP5j1vXNeRfBc9zvj+V1Izhkt\naQLy+8z1gvHKMjWy9TLvLjFT3XyJY4ePlVUCJJ9DGCjBO8tuwcNt6ZGfjwv7\nrorBDF8BeBQFhv/Cd+B78Avc8BptLXFscPHt2a31X4sFbrrDh5g0ZylD7xLB\nj45jID4tLHrgHRZ5aRIzBO1OhNUONMJuNZ+XlXAFx2bjx09HZq1cYfKimHg5\nM5um+/h8X202wr9shY1HguzuGCBlDAv4X1Qjoz12B4U1FY9c665AmC5iJaWN\nm/PFXwPa4aynOTdJrhmPRcnqI8WzDbS4/EedzpKCSn1WcHe52oMtXcC8yLAD\nM1BOcpPXWXCFc9NNOHcq5bBAB/+4sVGnBDKMUisiVGeLCck5BePH2loLdezF\nRcDEZ5uXyLWypzHLmRODRCeJcP/LaI6dAHyeRF3IYXMR/nls21wzE1+6nEpI\n6YUxdCiFPaZxDKuZzjolsACBbU+vb1lGOmj2aR0VQxg+UlPLl78/jj6ZIqKj\n11Atoxz6rVrm1kAkYSArDs6AH9xt+B33rlwloIeChLbNFpHJJbvJlcmR+q67\nMbgb1Dz0tKESxzjlep+N17+KpFtbHdGBkwLhEFphFekoUQjOgLQKhmJRRN0+\nsvLY4/Yg6hmxJdeRZgRusFRcc3fnPrE9S+ms5nJ1MWSCzCfhhVLb8N7KB2h5\nYRQlB68mrI0PaBAaDiJsUuSujadvx42UWRQSmLssbf9DhY8Lr4HaP3qag7Hv\ntAZfzlQ1MGgDQ0EN3ctllhqQS8493/ToioarYulmWyYHPYNvV9qZlQm0//Tv\nutSHzmW5N/iIA3MuSHn36IWZeuAEnhMfm0RjVMh8Pb+05xc/Vebeg1yXMVFL\njDE02Sd37RtYx96Xvc14q5hnpxnBiOyUynmi3kjafb5WH5Wb6fpEuWxlSwyO\nR9EKIh6MOmdAXaVC+3gglsaO7DbPK6mNSE8zkI1dYleDHRs6m/UER2imaUlg\nkItsSuqDRzpeMoNZjs+9ATdFXClpgKKoyw8Okl/CapKVzdco2lRP9MLF61Al\nAA9ndyHiQOf0ttHv3rCLuCZ/+KBZNCn6ur65ykDbuivloZm/oCm7b1nGj7do\nPwB+QD4YxlNB+5OFOS7+KuiWafC5LUqsnjWoAQOmRLDCbQWPA3hkMs/dL4EO\n7NYtI+Ibmh81qOHPe4W/txkQi4fc+uxw/3cXT1pobvAnT4x28AxZxJqyIvDp\nwmoMYIpG68GjChZrKj6wyEVhc+N/7JyUbKZjuJymzzKWwhTWPN+qoIlDigxb\n7xrr8P+FtoLOcdwb5nr4JJ2T4Z/0oa4uIgYcIdBgI2AMHkpsT3eOXyqEO620\nWEyGmLCDAv/nbFn0QNBsDC386N4Dnic893r127SQHgo7Ln2rZg4+Ia3m+ADs\n1NWN1WLtD7AiRmegsZRcFp9UrBLyUo/EGGDzkRtWmw01HuLYRLMpvvhN/W9G\nekpLadu/+gZ+HMKzlG6LL9GC3cbiJSdd3gowL/eIbFnsifbiixW3kKDlWUxF\nekQ2jF1lcGhLJ5VnVsgTL0ASKUhHBSSY4GVahAz4je35dJ7BgPqKN+DYx3aO\nLDWU/0iENp0o5eIIP4p+4wW58OTpbkC3L8hOrC8Bi59PmYlKtg==\n",
+    "iv": "bhJZlhYQTG/xAvuY\n",
+    "auth_tag": "oqYQGqNaSFqpxfoJi/oOBQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "passphrase": {
-    "encrypted_data": "wzSJQ+VfZuXmqrL3xW/LxiUvF/B6EYHAQtmhrJjt2oMT1G2OEgp5\n",
-    "iv": "BqTyfQwKKCTOn3q3\n",
-    "auth_tag": "sh1e8UuQSrq1o5G0O5fXCA==\n",
+    "encrypted_data": "5n1l4Mi3ik1RgcF+c71fQbTS1kAOgNaGEcpdKV11uDbzHDVuw21S\n",
+    "iv": "N+AVJrfPxoRJlWOO\n",
+    "auth_tag": "x5Wr3zuJhCXzTIl3gAOA0w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "repository": {
-    "encrypted_data": "Ezc5YMp0VM82dlq0+ikk2xZeqNHi+XETlsc2cDlFG/NxY408JO3ErPDEa9d9\nzud+jcCt/01GKqPdslGhP3jsUUb/f3kWMkTWqGkyWXV1121E0uHwyrva62NT\n5A==\n",
-    "iv": "QtNBUjJ5NrQS0JD7\n",
-    "auth_tag": "ZQImzlvHWwX1OsxMZK1jGA==\n",
+    "encrypted_data": "Jz0IoAeeeF5lXMTgpkanRqshOxUW0IAJ8tUYFEQckWB13tmsEwNd+val8g+d\nkQ6NQMg8oLRtPbDOi6bTgmTykFrYW5JS5EiD2/ynQQktWA/ZIxnyuoHocX+A\naw==\n",
+    "iv": "BGl1aUBCHzuG61H+\n",
+    "auth_tag": "mlYt/CKamtPZTaESlG/lFA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "nodes": {
+    "encrypted_data": "v9vXGwyAu2fqj5blo/6Jeht3R7SLlxMSWCuC2nTlURBODz9fled1z/LAoABc\nOaVLXKrgHYUnYgriSF7Q9zemrRnrcsPmqKFVLKqNDIjjyd1LnxwdopG9EGxD\nKNVY3GQI1L511kY+0ahZj6OJ63o0MSccysabSnptWNHCsD2eFh+77oMpYfYy\n3OWWLOT4kzK1lbNDmI8IM6JywLE=\n",
+    "iv": "r4LctfXGF86FNXbZ\n",
+    "auth_tag": "P01f5Vcxz8EyY6BohQWzOA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/dirsrv.json

@@ -1,9 +1,30 @@
 {
   "id": "dirsrv",
+  "admin_dn": {
+    "encrypted_data": "zRtz6Scb9WtUXGyjc0xyvsre0YvqupuaFz+RPApj7DEQTmYyZPVb\n",
+    "iv": "xfIXMhEBHBWqa4Dz\n",
+    "auth_tag": "BcA32u1njcnCZ+yrBGSceQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
   "admin_password": {
-    "encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
-    "iv": "KNW2B8tpX7ywZwbg\n",
-    "auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
+    "encrypted_data": "7JpXl3JZDqKWDfYt/wuNbkbob+oRuONhkuAlpqUCCEIn+tY=\n",
+    "iv": "Lcwc4NDzrfcBaIKQ\n",
+    "auth_tag": "rrePS3Bhdnwbr2d/o8vMhg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "service_dn": {
+    "encrypted_data": "sqRFiZreLeTPQljSfhAuV3DmsPxSC8tzWjCdu+WSSbO67sBQA+xhmGtzBhBD\nDZPGJw+jtAxzuVvPdAjxgAVgxXO6C6WEo87L1tdJewE=\n",
+    "iv": "GUEGtyRJXrPhWcUs\n",
+    "auth_tag": "2USsrx//3V7RCyumGCbMkg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "service_password": {
+    "encrypted_data": "f2wi8B8SEt6p5G0TF3dZ72j0vMFlvwcP1suxYnshBA==\n",
+    "iv": "rOnUoxbnkaJtodM+\n",
+    "auth_tag": "dVLCtBVMjxLfW2D8XjJBdQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/email.json

@@ -0,0 +1,17 @@
+{
+  "id": "email",
+  "ldap_dn": {
+    "encrypted_data": "jMHHa8DeU4HCieF/ElOxrNJcHLRzjXGGFB1eJubtiARFpMYx+4hG\n",
+    "iv": "ojKHl8Va1GOj1sfr\n",
+    "auth_tag": "wkHLRyFF7WYllh+hXRIBJA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "ldap_dnpass": {
+    "encrypted_data": "mCyzownpB0Q7BW4k7E+yXIwzSzaChPTEZHAWGiEcnXo2ioQ=\n",
+    "iv": "jc9/VY7AlQ5ttMm8\n",
+    "auth_tag": "mAZuoZOIJ4zRLdYbaetiag==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

data_bags/credentials/gandi_api.json

@@ -0,0 +1,24 @@
+{
+  "id": "gandi_api",
+  "key": {
+    "encrypted_data": "d3/rJMX6B9GuzUt0/mIk/lgQ3qGyQdbNXH6UEm3ZX7DeSl+rbW9FPJCRWg==\n",
+    "iv": "15YVAYla7PqqVOab\n",
+    "auth_tag": "xQSq+ld6SDOAER07N4ZkUQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "access_token": {
+    "encrypted_data": "geQwcNosiJZmqbbMpD/I+a2yueBzpV6C8Rb7vrCD8kR161ZRjvqLe+g/1XpT\n2/65wKYDMTrdto1I030=\n",
+    "iv": "1sj58eyooOZ8FTYn\n",
+    "auth_tag": "yBNfgWXaToc06VDLly/HUw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "domains": {
+    "encrypted_data": "p5rIQTyCE+0d4HIuA4GKEAFekh7qEC4xe9Rm/kP0DyzY83FO0/4uKIvYoZRB\n",
+    "iv": "LWlx98NSS1/ngCH1\n",
+    "auth_tag": "FID+x/LjTZ3cgQV5U2xZLA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

data_bags/credentials/gandi_api_5apps.json

@@ -1,9 +0,0 @@
-{
-  "id": "gandi_api_5apps",
-  "key": {
-    "encrypted_data": "+tcD9x5MkNpf2Za5iLM7oTGrmAXxuWFEbyg4xrcWypSkSTjdIncOfD1UoIoS\nGzy1\n",
-    "iv": "ymls2idI/PdiRZCgsulwrA==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
-  }
-}

data_bags/credentials/gitea.json

@@ -1,58 +1,58 @@
 {
   "id": "gitea",
   "jwt_secret": {
-    "encrypted_data": "HHKq1HcxV9uC0aBdkn2AAA9C3dn2o8DnL2uDtZBf+epGC8sOko6/BSvsm8wV\nuG7yVmeFajgyCePSv4M8Or8=\n",
-    "iv": "raypiojdRL+DkiDa\n",
-    "auth_tag": "JZmWJyLTHNHAHNufRizL+w==\n",
+    "encrypted_data": "wMxs1Ec4vKRSzFtL2KuU1XfmR1t5KDx/7XBbI7V0QfgK+JwYbxU5w6feQCBE\nxOMepAXVUwU7RxPZ+hwQgPg=\n",
+    "iv": "F4vtuOL2B9e9LQnb\n",
+    "auth_tag": "NHATxHbr+3Y3Kxa68NwnjQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "internal_token": {
-    "encrypted_data": "VFez8gOv5hnpBkURlufdPHvfQsL+lFlL8M9vywgKEi4XrXcNlDvoKKqdtSMv\nxGuoKqF/4NFcl2X3JRwp1j5iut+Jdg5CpnVVQLWKHc022LjD7K9nRsdmiD9Q\nLsLnU1Trzqg8VZS2ryqdjI4elkgoc15lmXwJvTNgRUzDqw==\n",
-    "iv": "q7H4q7kBfRt4floS\n",
-    "auth_tag": "vyd4ZwVxeFTTfvjI4k5irQ==\n",
+    "encrypted_data": "mlvUtIjs6kcv7XcYCUOgOE/kDSE4Ts5G+CZuPrJapW9XwkebmyOnHJvXdihY\np/chUtar0pNB5Q16LeeZF9KrzOiDo/OXb40TPUzpsB0/607zV1z829STd4l7\nu5g4Zur13nxC9jT0zQL9QgDEobYdjgf/xu1BXxFT+Ue3lQ==\n",
+    "iv": "25+1a2OJYFNxdf1N\n",
+    "auth_tag": "aF8Gn6Mm7AwLjbR8cDnitg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "secret_key": {
-    "encrypted_data": "7tD4E/5AuxxmNdu4arWj/BBNTUv6JX+m2ITbcLfE+VE2WacsCZUEyi1d1v0B\nyujQ9bljJn3z0zV4PxKFJILKjQb35PSiA8b86X/75Y1B9Gl64ds=\n",
-    "iv": "gE2O5aN+Nea6VXi7\n",
-    "auth_tag": "3+EmAUgBBDyChRBHsUtLig==\n",
+    "encrypted_data": "xQuHuijNHoo2WicM2UvSGpwPHd0UilxlIl4BM2Rgyih5bdhjxB6UtUcY9uJQ\nYgxEd7y7R5+XhUAu87CEs4qAGtguDDxGtSGwgTSopvAYZewPFLw=\n",
+    "iv": "Kxwqagjps8kP7Dhz\n",
+    "auth_tag": "WGz5TzBzksf36hKPzBZTQQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "postgresql_password": {
-    "encrypted_data": "mWN2sTOjZ1EPUH/KAJ8owoPM7v/+IfIHEPACN7gFDrqG8dWGjfiu+fvILw==\n",
-    "iv": "ldm57dVSdiPnk5l3\n",
-    "auth_tag": "D+r/0obCYWx53vIeUDPGMQ==\n",
+    "encrypted_data": "ZziPtXhQM/TQBE+077smnjEPzfJOSo9Cj/CUnG/Be1AN0UAfielf68EhLg==\n",
+    "iv": "iBdSrY15vOc3eycF\n",
+    "auth_tag": "km2CkraKlpOygaz7Xy548Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_key_id": {
-    "encrypted_data": "AvlsAInGyPMvHle5YZT3EHMTG89PggqmFaddvHSQLEkvI2EycktxJ/btjGOP\n",
-    "iv": "qGkILPp5EWc21wwa\n",
-    "auth_tag": "eIpCgZAnWZR7nlllj+IXMQ==\n",
+    "encrypted_data": "1j0znqBgNbHMyJIf51MmfkjkpU3SPv+EL8F30mrfQ44vsGziyeiWfp91hGUM\n",
+    "iv": "dzJM1EX/X8Qy5KbR\n",
+    "auth_tag": "2YUCCFG/oTph3svFYhhYzg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_secret_key": {
-    "encrypted_data": "TAo4ViF7cL+ibIuHM77irZW08ilD46S8N5BV91gc2wegvHpHqLHw5zrsDxfu\nDiJHGUfjge/NBOGN5VSKKC0nFfMJ4sLPxVSiKyON4RMBSuzSqmo=\n",
-    "iv": "tjK8XdaCZOdLUHyo\n",
-    "auth_tag": "Qu1z6e1/4gPIyaCwBjaWsw==\n",
+    "encrypted_data": "7P3JUyl0LsGuGi8GhSYdXHm4bQhnkGfSrbEMGyfzjSYB5hqm17kYZwNbNA0O\nIUmJ6Kq9Nby7IFTd1qFo7aA+dXuvxJD5QXO8T5E+D0xIaWMHPco=\n",
+    "iv": "+ivHjYpQG/3gQWAi\n",
+    "auth_tag": "fftxN0Z/Kfrn+oFk07jKYQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_bucket": {
-    "encrypted_data": "NTp9+KyzlblporEwM7SEwoClXu5cI10SfVrJ/uywcf/x2l8=\n",
-    "iv": "TFTeQ8yKUhblmrFK\n",
-    "auth_tag": "L9nrXEeJhxcLO4YgGk4zpg==\n",
+    "encrypted_data": "98UnmjwIlLjNFQojZlQRMZAWpI/7s9xJkgvh4sU5I2jWmYk=\n",
+    "iv": "zLck9Dp6OP+L3BwX\n",
+    "auth_tag": "Zc5G6bd7CbZfDCZ31YWxMg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "runners": {
-    "encrypted_data": "yTCk4/hqw/4vEaXobdYU4vZRxErNp0GX4qDMuHwdr7UOQk2qQ8O8j44njPv2\ncKcIm6CQiip+GRuvl6+zETd8gctC0W14n5Rfep4zQbMp/BW3ypGambVk6z1m\nRnT4dMEl32rwcXG8c3w+vAFpx8smrK5iyy4ca0ZijC+eeysk4OAwn0XkvQuV\nB1Jy9CmVm9xiZ6sXaiU13tTry8A=\n",
-    "iv": "+biM/42g5doJNOax\n",
-    "auth_tag": "WwNgd6aqm26GcekYVOeBDQ==\n",
+    "encrypted_data": "f0RRLCrGT7LDUEXcM6m2dJ7C95UPqVZz9dfNLsYa/3SZLDcm1p4FDIy0Su6R\nrXMoAI9IdLBN7/BDMMvqkULEq3Bx5vXn+oTUsUYuKxWmvKEUhC4virOApxh6\n5GbuqcOEPKaf9lHByL+2HKdAmJMzVRGD0t78ePS2pU4H6IFnS9V1p6opOEPr\nzTJ+0PM98eQ/voFKDHGNHUqgDs2qu9wUYNmcHe1eSimFdJiOCN0Mlszu3HL0\nXkHfrGbLrcW+8Ol7dTXdDJB7WAd3R3vddoZQ+mrwzGGDeSMm+ezeMzAX\n",
+    "iv": "NtZ9SbbscX47BXGH\n",
+    "auth_tag": "ZGBzxjNFB5WPnJCpdFwtAQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }