Merge branch 'master' into feature/lndhub

Reviewed-on: #366

README.md

@@ -44,3 +44,14 @@ Install cookbooks listed in Berksfile:
 Vendor installed cookbooks to the `cookbooks/` dir:
 
     berks vendor cookbooks/ --delete
+
+### "Expired" TLS certificates
+
+If you encounter expired TLS certificates during a Chef run (e.g. for remote
+files), the issue is likely that the certificate has been issued by Let's
+Encrypt and Chef is still using its own, outdated CA cert store (see
+[here](https://github.com/chef/chef/issues/12126#issuecomment-932067530) for
+example).
+
+As a hotfix, you can manually remove the "DST Root CA X3" cert from
+`/opt/chef/embedded/ssl/cert.pem` on the machine you're trying to converge.

clients/postgres-4.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-4",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu6fPxOZeKloF/EgYvU0k\nOwv8bJjsCQcWaMTPle5//mRTszA6PM2z9RI+Mfr45qxTlsL9pQY8WJOWF6QOK31x\nszuqcr7oOjtAhrLI8f/oNDEDjcx325FqG9gNKQEAD7d4zodh+PhDe6x7GIyIS7lG\nIcD5Zre9iDwv8FGLR+5GLqS8SJOPL/wJkQ8w+N0f8YDFw81kiTta5NLhAx3fMDs0\n2kmoNlbmKlNZTtLjCfCV+/pa9oY6wycjck3GvobiFE/4cWaNkeGlPc+uAwlfmrOv\nHy0tq1XBX/BCvE5kMXmhnMT23JXjm2s2PgCLgEVGAXilXk/T597KDm+z4oBpAQma\nnQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/rsk-mainnet-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "rsk-mainnet-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtavs6RQW6af9fWuEuhI1\nQa4Ff7Z1CfZ0fHz152UqUeUKatQ/psKVs5ULWDV/b69fSuNsUzkCny9OwtwyQB/F\n2U+vbv3/3As3z6i3V3q8q4ahCHd7tkMmxMLaWcdkfWbpupWTRkCEX+PSDKS0hdfp\n3EQKVA2FrqR0sSnnT+Q66kZw4/WJrNwtSLcps4D5OubG7xr/uUn3Vyv5qXvS/7kx\nGvMONs55qh64Gtc3FSFPEdVyZXasCMEWwXyadqzf+/qJtEYlK0Uy5E/u7CTsnmcH\n9TEiYVw0/6PomQ2HJfSlZVUUO007OliBHO9bWOwZ6qI5c53pt5KES0dyy6SQ4m+8\nawIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/rsk-testnet-2.json

@@ -0,0 +1,4 @@
+{
+  "name": "rsk-testnet-2",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzG2bgL0n5Q7bTR4WYHOB\nZNOuRem/jjarU/bL0VKKn0JqD3PPDAnhq9gRn7H8SwyGoVFN60YGzu45O4c+SqN3\nCXN+FeFabigH2tKLxBz3kNDYTT/F1ErLLi/6ydrCV3tpddR5KTqLSOntojG8KNzc\nyG4rMV9ebCE1wDVxAFdEA+YDZS8YjP0nO5sLWFacA0ZTx27t5ugqZP1acjSvKzWs\nZ+ekX5Pbws/oUHyaqEEPdz7er4MTBm0bdkCHZbM7132oBcH/huJZhmTXFEdoy4ML\nhP4MWWSvwo66HDYjnaID82a8W1RJZZu2irbPHrfVlaFAh8VQk1T1kkUu0bMovT3V\nYQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

doc/backups.md

@@ -0,0 +1,21 @@
+Backup
+======
+
+## Backup gem
+
+Backups are stored on AWS S3, in the `kosmos-dev-backups` bucket.
+
+The S3 credentials as well as the backup password are stored in the
+`credentials` data bag under the `backup` item.
+
+### Restore
+
+To decrypt a backup archive, use the following command:
+
+    openssl aes-256-cbc -d -base64 -pbkdf2 -in my_backup.tar.enc -out my_backup.tar
+
+If you get an error message along the lines of "bad decrypt", the archive was
+likely encrypted before we switched the key derivation scheme. Try without
+`-pbkdf2` in this case:
+
+    openssl aes-256-cbc -d -base64 -in my_backup.tar.enc -out my_backup.tar

nodes/akkounts-1.json

@@ -8,7 +8,7 @@
   "automatic": {
     "fqdn": "akkounts-1",
     "os": "linux",
-    "os_version": "5.4.0-54-generic",
+    "os_version": "5.4.0-90-generic",
     "hostname": "akkounts-1",
     "ipaddress": "192.168.122.160",
     "roles": [
@@ -18,7 +18,7 @@
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
-      "kosmos-postgresql::hostsfile",
+      "kosmos_postgresql::hostsfile",
       "kosmos-akkounts",
       "kosmos-akkounts::default",
       "kosmos-akkounts::nginx",

nodes/centaurus.kosmos.org.json

@@ -33,6 +33,8 @@
       "kosmos_assets::nginx_site",
       "kosmos_kvm::host",
       "kosmos-ejabberd::firewall",
+      "kosmos_website",
+      "kosmos_website::default",
       "kosmos_zerotier::firewall",
       "sockethub::_firewall",
       "apt::default",
@@ -86,6 +88,7 @@
     "recipe[kosmos_assets::nginx_site]",
     "recipe[kosmos_kvm::host]",
     "recipe[kosmos-ejabberd::firewall]",
+    "recipe[kosmos_website::default]",
     "recipe[kosmos_zerotier::firewall]",
     "recipe[sockethub::_firewall]"
   ]

nodes/fornax.kosmos.org.json

@@ -0,0 +1,54 @@
+{
+  "name": "fornax.kosmos.org",
+  "normal": {
+    "knife_zero": {
+      "host": "fornax.kosmos.org"
+    }
+  },
+  "automatic": {
+    "fqdn": "fornax.kosmos.org",
+    "os": "linux",
+    "os_version": "5.4.0-88-generic",
+    "hostname": "fornax",
+    "ipaddress": "148.251.83.201",
+    "roles": [
+
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::host",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.5.22",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.5.22/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.5.2",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.5.2/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "recipe[kosmos_kvm::host]"
+  ]
+}

nodes/nodejs-2.json

@@ -8,7 +8,7 @@
   "automatic": {
     "fqdn": "nodejs-2",
     "os": "linux",
-    "os_version": "5.4.0-1045-kvm",
+    "os_version": "5.4.0-1049-kvm",
     "hostname": "nodejs-2",
     "ipaddress": "192.168.122.243",
     "roles": [

nodes/postgres-2.json

@@ -8,17 +8,17 @@
   "automatic": {
     "fqdn": "postgres-2",
     "os": "linux",
-    "os_version": "5.4.0-64-generic",
+    "os_version": "5.4.0-77-generic",
     "hostname": "postgres-2",
     "ipaddress": "192.168.122.244",
     "roles": [
-      "postgresql_replica"
+      "postgresql_primary"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
-      "kosmos-postgresql::replica",
-      "kosmos-postgresql::firewall",
+      "kosmos_postgresql::primary",
+      "kosmos_postgresql::firewall",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -52,4 +52,4 @@
     "recipe[kosmos-base]",
     "role[postgresql_primary]"
   ]
-}
+}

nodes/postgres-4.json

@@ -0,0 +1,57 @@
+{
+  "name": "postgres-4",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.107"
+    }
+  },
+  "automatic": {
+    "fqdn": "postgres-4",
+    "os": "linux",
+    "os_version": "5.4.0-91-generic",
+    "hostname": "postgres-4",
+    "ipaddress": "192.168.122.3",
+    "roles": [
+      "postgresql_replica"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_postgresql::hostsfile",
+      "kosmos_postgresql::replica",
+      "kosmos_postgresql::firewall",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.7.29",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.7.29/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.7.8",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.7.8/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "role[postgresql_replica]"
+  ]
+}

nodes/rsk-mainnet-1.json

@@ -0,0 +1,57 @@
+{
+  "name": "rsk-mainnet-1",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.137"
+    }
+  },
+  "automatic": {
+    "fqdn": "rsk-mainnet-1",
+    "os": "linux",
+    "os_version": "5.4.0-1048-kvm",
+    "hostname": "rsk-mainnet-1",
+    "ipaddress": "192.168.122.233",
+    "roles": [
+      "rsk_mainnet"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_rsk::rskj",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default",
+      "chef-sugar::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.6.18",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.6.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "role[rsk_mainnet]"
+  ]
+}

nodes/rsk-testnet-2.json

@@ -0,0 +1,57 @@
+{
+  "name": "rsk-testnet-2",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.214"
+    }
+  },
+  "automatic": {
+    "fqdn": "rsk-testnet-2",
+    "os": "linux",
+    "os_version": "5.4.0-1048-kvm",
+    "hostname": "rsk-testnet-2",
+    "ipaddress": "192.168.122.29",
+    "roles": [
+      "rsk_testnet"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_rsk::rskj",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default",
+      "chef-sugar::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.6.18",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.6.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "role[rsk_testnet]"
+  ]
+}

roles/parity.rb

@@ -1,6 +0,0 @@
-name 'parity'
-
-run_list %w(
-  recipe[kosmos-parity::from_package]
-  recipe[kosmos-parity::node_dev]
-)

roles/postgresql_client.rb

@@ -3,5 +3,5 @@
 name "postgresql_client"
 
 run_list %w(
-  kosmos-postgresql::hostsfile
+  kosmos_postgresql::hostsfile
 )

roles/postgresql_primary.rb

@@ -1,6 +1,6 @@
 name "postgresql_primary"
 
 run_list %w(
-  kosmos-postgresql::primary
-  kosmos-postgresql::firewall
+  kosmos_postgresql::primary
+  kosmos_postgresql::firewall
 )

roles/postgresql_replica.rb

@@ -1,7 +1,7 @@
 name "postgresql_replica"
 
 run_list %w(
-  kosmos-postgresql::hostsfile
-  kosmos-postgresql::replica
-  kosmos-postgresql::firewall
+  kosmos_postgresql::hostsfile
+  kosmos_postgresql::replica
+  kosmos_postgresql::firewall
 )

roles/rsk_mainnet.rb

@@ -0,0 +1,11 @@
+name "rsk_mainnet"
+
+run_list %w(
+  kosmos_rsk::rskj
+)
+
+override_attributes(
+  :rskj => {
+    :network => "mainnet"
+  }
+)

roles/rsk_testnet.rb

@@ -0,0 +1,5 @@
+name "rsk_testnet"
+
+run_list %w(
+  kosmos_rsk::rskj
+)

site-cookbooks/backup/recipes/default.rb

@@ -32,6 +32,8 @@ gem_package 'backup' do
   version '5.0.0.beta.2'
 end
 
+smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
+
 backup_data = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 backup_dir = node["backup"]["dir"]
 directory backup_dir
@@ -46,8 +48,12 @@ template "#{backup_dir}/config.rb" do
             s3_secret_access_key: backup_data["s3_secret_access_key"],
             s3_region: backup_data["s3_region"],
             encryption_password: backup_data["encryption_password"],
+            mail_from: "backups@kosmos.org",
             mail_to: "ops@5apps.com",
-            mail_from: "backups@kosmos.org"
+            mail_address: 'smtp.mailgun.org',
+            mail_domain: 'kosmos.org',
+            mail_user_name: smtp_credentials["user_name"],
+            mail_password: smtp_credentials["password"]
 end
 
 template "#{backup_dir}/models/default.rb" do

site-cookbooks/backup/templates/default/config.rb.erb

@@ -6,6 +6,18 @@
 # Documentation: http://backup.github.io/backup
 # Issue Tracker: https://github.com/backup/backup/issues
 
+#
+# Monkey patch to not use deprecated key derivation scheme
+# https://github.com/backup/backup/issues/949#issuecomment-589883577
+#
+module OpenSSLFixDeprecatedKeyDerivation
+  def options
+    super + ' -pbkdf2'
+  end
+end
+require 'backup/encryptor/open_ssl'
+Backup::Encryptor::OpenSSL.prepend(OpenSSLFixDeprecatedKeyDerivation)
+
 Storage::S3.defaults do |s3|
   s3.access_key_id     = "<%= @s3_access_key_id %>"
   s3.secret_access_key = "<%= @s3_secret_access_key %>"
@@ -22,7 +34,13 @@ end
 Notifier::Mail.defaults do |mail|
   mail.from                 = "<%= node.name %> <<%= @mail_from %>>"
   mail.to                   = "<%= @mail_to %>"
-  mail.delivery_method      = :sendmail
+  mail.address              = "<%= @mail_address %>"
+  mail.domain               = "<%= @mail_domain %>"
+  mail.user_name            = "<%= @mail_user_name %>"
+  mail.password             = "<%= @mail_password %>"
+  mail.port                 = <%= @mail_port || 587  %>
+  mail.authentication       = "<%= @mail_authentication || 'plain' %>"
+  mail.encryption           = <%= @mail_encryption || ':starttls' %>
 end
 
 <%- if node["backup"]["mongodb"] -%>
@@ -75,7 +93,7 @@ preconfigure 'KosmosBackup' do
   encrypt_with OpenSSL
   notify_by Mail do |mail|
     mail.on_success = false
-    mail.on_warning = false
+    mail.on_warning = true
     mail.on_failure = true
   end
 end

site-cookbooks/kosmos-akkounts/metadata.rb

@@ -14,5 +14,5 @@ depends "poise-ruby-build"
 depends "application"
 depends 'application_git'
 depends "postgresql"
-depends "kosmos-postgresql"
+depends "kosmos_postgresql"
 depends "backup"

site-cookbooks/kosmos-ejabberd/Berksfile

@@ -2,5 +2,5 @@
 source 'https://supermarket.chef.io'
 source chef_repo: ".."
 
-cookbook "kosmos-postgresql", path: "../kosmos-postgresql"
+cookbook "kosmos_postgresql", path: "../kosmos_postgresql"
 metadata

site-cookbooks/kosmos-ejabberd/metadata.rb

@@ -20,9 +20,9 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
 # source_url 'https://github.com/<insert_org_here>/kosmos-ejabberd'
 
 depends "kosmos-base"
-depends "kosmos-postgresql"
 depends "kosmos-nginx"
 depends "kosmos-dirsrv"
+depends "kosmos_postgresql"
 depends "backup"
 depends "firewall"
 depends "tor-full"

site-cookbooks/kosmos-mastodon/metadata.rb

@@ -13,7 +13,7 @@ depends "poise-ruby-build"
 depends "application"
 depends "application_git"
 depends "postgresql"
-depends "kosmos-postgresql"
+depends "kosmos_postgresql"
 depends "backup"
 depends "elasticsearch"
 depends "tor-full"

site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb

@@ -1,4 +1,5 @@
 resource_name :nginx_certbot_site
+provides :nginx_certbot_site
 
 property :domain, String, name_property: true
 # pass it if the site name is not the same as the hostname, for example for the

site-cookbooks/kosmos-postgresql/CHANGELOG.md

@@ -1,5 +0,0 @@
-# kosmos-postgresql CHANGELOG
-
-# 0.1.0
-
-Initial release.

site-cookbooks/kosmos_drone/recipes/default.rb

@@ -2,27 +2,6 @@
 # Cookbook:: kosmos_drone
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 package "docker-compose"
 domain = "drone.kosmos.org"

site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb

@@ -2,7 +2,7 @@ version: '3'
 
 services:
   drone-server:
-    image: drone/drone:1
+    image: drone/drone:2.5
 
     ports:
       - "<%= @upstream_port %>:80"
@@ -19,7 +19,7 @@ services:
       - DRONE_RPC_SECRET=<%= @rpc_secret %>
 
   drone-runner:
-    image: drone/drone-runner-docker:1
+    image: drone/drone-runner-docker:1.8
 
     command: agent
     restart: always

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,6 +1,6 @@
-gitea_version = "1.14.6"
+gitea_version = "1.15.6"
 node.default["kosmos_gitea"]["version"] = gitea_version
 node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["kosmos_gitea"]["binary_checksum"] = "20cc0a89421695320b077c9fe4f16996f03aaf9d24f661f8d2255794551c849b"
+node.default["kosmos_gitea"]["binary_checksum"] = "1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be"
 node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
 node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"

site-cookbooks/kosmos_gitea/metadata.rb

@@ -20,5 +20,5 @@ chef_version '>= 14.0'
 # source_url 'https://github.com/<insert_org_here>/kosmos_gitea'
 
 depends "kosmos-nginx"
-depends "kosmos-postgresql"
+depends "kosmos_postgresql"
 depends "backup"

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -76,7 +76,7 @@ template "#{config_directory}/app.ini" do
   source "app.ini.erb"
   owner "git"
   group "git"
-  mode "0640"
+  mode "0600"
   sensitive true
   variables working_directory: working_directory,
             git_home_directory: git_home_directory,

site-cookbooks/kosmos_gitea/templates/default/app.ini.erb

@@ -46,6 +46,7 @@ PASSWD = <%= @smtp_password %>
 
 [oauth2]
 JWT_SECRET = <%= @jwt_secret %>
+JWT_SIGNING_ALGORITHM = HS256
 
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>

site-cookbooks/kosmos_kvm/recipes/host.rb

@@ -2,34 +2,13 @@
 # Cookbook:: kosmos_kvm
 # Recipe:: host
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 package %w(virtinst libvirt-daemon-system)
 
 directory "/var/lib/libvirt/images/base" do
   recursive true
   owner "libvirt-qemu"
-  group "root"
+  group "kvm"
   mode "0750"
 end
 
@@ -37,7 +16,7 @@ end
 remote_file "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2" do
   source "http://cloud-images.ubuntu.com/releases/focal/release/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img"
   owner "libvirt-qemu"
-  group "root"
+  group "kvm"
   mode "0640"
 end
 

site-cookbooks/kosmos_postgresql/CHANGELOG.md

@@ -0,0 +1,5 @@
+# kosmos_postgresql CHANGELOG
+
+# 0.1.0
+
+Initial release.

site-cookbooks/kosmos_postgresql/README.md

@@ -1,4 +1,4 @@
-# kosmos-postgresql
+# kosmos_postgresql
 
 ## Usage
 

site-cookbooks/kosmos_postgresql/attributes/default.rb

@@ -1,3 +1,3 @@
 # This is set to false by default, and set to true in the server resource
 # for replicas.
-node.default['kosmos-postgresql']['ready_to_set_up_replica'] = false
+node.default['kosmos_postgresql']['ready_to_set_up_replica'] = false

site-cookbooks/kosmos_postgresql/metadata.rb

@@ -1,9 +1,9 @@
-name 'kosmos-postgresql'
+name 'kosmos_postgresql'
 maintainer 'Kosmos'
 maintainer_email 'ops@5apps.com'
 license 'MIT'
-description 'Installs/Configures kosmos-postgresql'
-long_description 'Installs/Configures kosmos-postgresql'
+description 'Installs/Configures kosmos_postgresql'
+long_description 'Installs/Configures kosmos_postgresql'
 version '0.1.0'
 chef_version '>= 12.14' if respond_to?(:chef_version)
 
@@ -11,13 +11,13 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
 # tracked.  A `View Issues` link will be displayed on this cookbook's page when
 # uploaded to a Supermarket.
 #
-# issues_url 'https://github.com/<insert_org_here>/kosmos-postgresql/issues'
+# issues_url 'https://github.com/<insert_org_here>/kosmos_postgresql/issues'
 
 # The `source_url` points to the development repository for this cookbook.  A
 # `View Source` link will be displayed on this cookbook's page when uploaded to
 # a Supermarket.
 #
-# source_url 'https://github.com/<insert_org_here>/kosmos-postgresql'
+# source_url 'https://github.com/<insert_org_here>/kosmos_postgresql'
 
 depends "postgresql", ">= 7.0.0"
 depends "build-essential"

site-cookbooks/kosmos_postgresql/recipes/firewall.rb

@@ -1,5 +1,5 @@
 #
-# Cookbook:: kosmos-postgresql
+# Cookbook:: kosmos_postgresql
 # Recipe:: firewall
 #
 

site-cookbooks/kosmos_postgresql/recipes/hostsfile.rb

@@ -1,5 +1,5 @@
 #
-# Cookbook:: kosmos-postgresql
+# Cookbook:: kosmos_postgresql
 # Recipe:: hostsfile
 #
 

site-cookbooks/kosmos_postgresql/recipes/primary.rb

@@ -1,5 +1,5 @@
 #
-# Cookbook:: kosmos-postgresql
+# Cookbook:: kosmos_postgresql
 # Recipe:: primary
 #
 

site-cookbooks/kosmos_postgresql/recipes/replica.rb

@@ -1,5 +1,5 @@
 #
-# Cookbook:: kosmos-postgresql
+# Cookbook:: kosmos_postgresql
 # Recipe:: replica
 #
 

site-cookbooks/kosmos_postgresql/resources/server.rb

@@ -1,4 +1,5 @@
 resource_name :postgresql_custom_server
+provides :postgresql_custom_server
 
 property :postgresql_version, String, required: true, name_property: true
 property :role, String, required: true # Can be primary or replica
@@ -41,14 +42,14 @@ action :create do
     action :disable
   end
 
-  shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM
+  shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # < 1GB RAM
                      "128MB"
-                   else # >= 1GB RAM, use 25% of total RAM
-                     "#{node['memory']['total'].to_i / 1024 / 4}MB"
+                   else # >= 1GB RAM, use 50% of total RAM
+                     "#{node['memory']['total'].to_i / 1024 / 2}MB"
                    end
 
   additional_config = {
-    max_connections: 100, # default
+    max_connections: 200, # default
     shared_buffers: shared_buffers,
     unix_socket_directories: "/var/run/postgresql",
     dynamic_shared_memory_type: "posix",

site-cookbooks/kosmos_rsk/attributes/default.rb

@@ -1,2 +1,2 @@
-node.default['rskj']['version'] = '2.2.0~focal'
+node.default['rskj']['version'] = '3.0.1~focal'
 node.default['rskj']['network'] = 'testnet'

site-cookbooks/kosmos_rsk/recipes/firewall.rb

@@ -0,0 +1,7 @@
+include_recipe 'firewall'
+
+firewall_rule 'rskj' do
+  port     [4444,50505]
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos_rsk/recipes/rskj.rb

@@ -30,10 +30,4 @@ service "rsk" do
   action [:enable, :start]
 end
 
-include_recipe 'firewall'
-
-firewall_rule 'rskj' do
-  port     [4444,50505]
-  protocol :tcp
-  command  :allow
-end
+include_recipe 'kosmos_rsk::firewall'

site-cookbooks/kosmos_website/attributes/default.rb

@@ -0,0 +1,3 @@
+node.default["kosmos_website"]["domain"]   = "kosmos.org"
+node.default["kosmos_website"]["repo"]     = "https://gitea.kosmos.org/kosmos/website.git"
+node.default["kosmos_website"]["revision"] = "master"

site-cookbooks/kosmos_website/metadata.rb

@@ -0,0 +1,10 @@
+name 'kosmos_website'
+maintainer 'Kosmos'
+maintainer_email 'ops@kosmos.org'
+license 'MIT'
+description 'Configures the main kosmos.org website'
+long_description 'Configures the main kosmos.org website'
+version '1.0.0'
+chef_version '>= 15.10' if respond_to?(:chef_version)
+
+depends "kosmos-nginx"

site-cookbooks/kosmos_website/recipes/default.rb

@@ -0,0 +1,38 @@
+#
+# Cookbook:: kosmos_website
+# Recipe:: default
+#
+
+include_recipe "kosmos-nginx"
+
+domain = node["kosmos_website"]["domain"]
+
+nginx_certbot_site domain
+
+directory "/var/www/#{domain}/site" do
+  user node["nginx"]["user"]
+  group node["nginx"]["group"]
+  mode "0755"
+end
+
+git "/var/www/#{domain}/site" do
+  user node["nginx"]["user"]
+  group node["nginx"]["group"]
+  repository node["kosmos_website"]["repo"]
+  revision node["kosmos_website"]["revision"]
+  action :sync
+end
+
+template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
+  source "nginx_conf_website.erb"
+  owner node["nginx"]["user"]
+  mode 0640
+  variables domain: domain,
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:  "/etc/letsencrypt/live/#{domain}/privkey.pem"
+  notifies :reload, "service[nginx]", :delayed
+end
+
+nginx_site domain do
+  action :enable
+end

site-cookbooks/kosmos_website/templates/nginx_conf_website.erb

@@ -0,0 +1,26 @@
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+# Generated by Chef
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name <%= @domain %>;
+
+  root /var/www/<%= @domain %>/site;
+
+  access_log off;
+  gzip_static on;
+  gzip_comp_level 5;
+
+  add_header 'Access-Control-Allow-Origin' '*';
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  location /.well-known/lnurlp/ {
+    proxy_ssl_server_name on;
+    rewrite /.well-known/lnurlp/([^/]+) /lnurlpay/$1@kosmos.org break;
+    proxy_pass https://accounts.kosmos.org;
+  }
+}
+<% end -%>