kosmos/chef
8
3
Fork 0
Code Issues 34 Pull Requests 3 Projects 2 Activity

Compare commits

base: kosmos:71391ce32385bcabf1606feea2feaf6f87fcd8cd
Branches Tags
kosmos:master kosmos:feature/237-gitea_ssh_signing kosmos:bugfix/substr_url_matching kosmos:notes/ejabberd_ldap_photo kosmos:feature/akaunting kosmos:chore/ejabberd_service_avatar kosmos:feature/237-gitea_gpg kosmos:jammy_jellyfish
...
compare: kosmos:feature/akaunting
Branches Tags
kosmos:feature/237-gitea_ssh_signing kosmos:master kosmos:bugfix/substr_url_matching kosmos:notes/ejabberd_ldap_photo kosmos:feature/akaunting kosmos:chore/ejabberd_service_avatar kosmos:feature/237-gitea_gpg kosmos:jammy_jellyfish

61 Commits
71391ce323 ... feature/ak

Author SHA1 Message Date
Râu Cao
f20ebb9d86 WIP Set up akaunting 2024-12-16 12:05:51 +04:00
Râu Cao
31b7ff9217 Upgrade Gitea to 1.22.5 2024-12-12 18:32:58 +04:00
Râu Cao
d90a374811 Remove outdated flag from certbot command 2024-12-12 18:32:26 +04:00
Râu Cao
12cd14fff5 Deploy new postgres primary 2024-12-12 18:31:54 +04:00
Râu Cao
b67d91077d Remove old garage nodes 2024-12-12 18:30:16 +04:00
Râu Cao
070badfeb3 Add postgres replica bootstrap example 2024-12-12 18:29:16 +04:00
Râu Cao
2d8a1cebb1 Update node info 2024-12-09 20:44:18 +04:00
Râu Cao
67cd89b7b8 Merge pull request 'Fix TLS cert updates for kosmos.chat' (#578) from chore/fix_cert_updates_kosmos-chat into master 
Reviewed-on: #578
 2024-12-09 14:21:05 +00:00
Râu Cao
e4112a3626 Fix TLS cert updates for kosmos.chat 
Some recipes weren't updated for the proxy validation yet. Needed to
split the ejabberd cert in two, so it can do normal validation on
`.org` and proxy validation on `.chat`.
 2024-12-09 18:17:10 +04:00
Râu Cao
89813465b2 Merge pull request 'Upgrade Mastodon to 4.3' (#577) from chore/upgrade_mastodon into master 
Reviewed-on: #577
 2024-12-09 14:14:35 +00:00
Râu Cao
6106e627e2 Upgrade Mastodon to 4.3 
Co-authored-by: Greg Karékinian <greg@karekinian.com>
 2024-12-09 18:12:45 +04:00
Râu Cao
d8baa41c14 Add new node configs 2024-12-09 18:11:51 +04:00
Greg
8405b8df52 Merge pull request 'Upgrade lndhub.go to 1.0.2, add service fee config' (#576) from chore/upgrade_lndhub into master 
Reviewed-on: #576
Reviewed-by: Greg <greg@noreply.kosmos.org>
 2024-10-20 19:27:19 +00:00
Râu Cao
775f2275bb Upgrade Gitea to 1.22.3 2024-10-19 14:42:11 +02:00
Râu Cao
b4019b224b Upgrade lndhub.go to 1.0.2, add service fee config 
Co-authored-by: Michael Bumann <hello@michaelbumann.com>
 2024-10-18 12:36:41 +02:00
Râu Cao
52841d8c53 Add WKD endpoint to website nginx conf 2024-10-17 11:58:53 +02:00
Râu Cao
b9b97d5056 Fix mail server VM backups 2024-10-16 12:48:08 +02:00
Râu Cao
e5448aa85c Merge pull request 'Upgrade strfry, add new Kosmos profile/pubkey, relay icon' (#575) from chore/upgrade_strfry into master 
Reviewed-on: #575
 2024-10-16 10:44:47 +00:00
Râu Cao
4d1125ac2b Upgrade strfry to 1.0.1 
Also set up and use a new Kosmos pubkey/profile and add a relay icon
 2024-10-16 12:42:49 +02:00
Râu Cao
3853f94ae0 Use new proxy domain for ejabberd cert 2024-10-16 12:40:10 +02:00
Râu Cao
d1097c7688 Fix and improve nginx redirects, akkounts headers 2024-10-16 12:39:34 +02:00
Râu Cao
7949fd067c Add IPv6 support for nostr.kosmos.org 2024-10-16 12:37:47 +02:00
Râu Cao
0726e58f7c Update ejabberd LDAP filter for new akkounts release 2024-10-16 12:36:30 +02:00
Râu Cao
fe581c348a Fix bookmarks disappearing for XMPP users 
The limit for PEP nodes was ridiculously low. No idea why, but it means
users were only able to save 10 items (e.g. channel bookmarks) at once.
 2024-10-16 12:34:31 +02:00
Râu Cao
af62078960 Update node info 2024-10-16 12:34:17 +02:00
Râu Cao
9b4deff91e Remove cln from bitcoin-2 node 2024-10-16 12:34:01 +02:00
Râu Cao
0944bc5266 Merge pull request 'Migrate S3 backups from AWS, fix automatic cleanups' (#574) from chore/move_fix_s3_backups into master 
Reviewed-on: #574
 2024-10-16 10:33:24 +00:00
Râu Cao
eb06926606 Migrate S3 backups from AWS, fix automatic cleanups 
The cleanups were broken in that every single archive was also copied to
a shared folder and never deleted from there.

Co-authored-by: Greg Karékinian <greg@karekinian.com>
 2024-10-16 12:31:51 +02:00
Râu Cao
15096ca17b Merge pull request 'Bitcoin-related software upgrades' (#573) from chore/bitcoin_upgrades into master 
Reviewed-on: #573
 2024-10-16 10:25:53 +00:00
Râu Cao
3551b71154 Add sensitive attribute to resource with credentials 2024-10-16 12:23:38 +02:00
Râu Cao
752bb74663 Remove boltz service and RTL integration 
We use peerswap these days, and the build process for boltz was made
much more complicated at some point. Not worth upgrading for us.
 2024-10-16 12:23:38 +02:00
Râu Cao
c64526a944 Upgrade RTL to v0.15.2 
Need to use `npm install --force` due to a dependency issue
 2024-10-16 12:23:38 +02:00
Râu Cao
da242d4817 Upgrade LND to 0.18.3 2024-10-16 12:23:29 +02:00
Râu Cao
0af4bc1d0d Upgrade bitcoind to 28.0 
Requires a newer C++ compiler
 2024-10-16 11:28:13 +02:00
Greg
c9f5a745a3 Merge pull request 'Fix Mastodon signup/password/confirmation links' (#570) from chore/562-mastodon_login_urls into master 
Reviewed-on: #570
Reviewed-by: Greg <greg@noreply.kosmos.org>
 2024-08-23 14:18:12 +00:00
Râu Cao
d935b99d7d Fix Mastodon signup/password/confirmation links 
Adds ENV vars for our custom fix in b916182bc1

fixes #562
 2024-08-22 21:51:49 +02:00
Râu Cao
d048bbb297 Merge pull request 'Upgrade Gitea to 1.22.1' (#568) from chore/upgrade_gitea into master 
Reviewed-on: #568
 2024-08-10 11:45:39 +00:00
Râu Cao
61bd121709 Upgrade Gitea to 1.22.1 2024-08-10 13:44:39 +02:00
Râu Cao
ec9b912e45 Merge pull request 'Configure nginx default vhost, add specific redirects for some domains' (#565) from chore/nginx_redirects into master 
Reviewed-on: #565
 2024-08-09 12:44:29 +00:00
Râu Cao
d53ba42a1d Make kosmos.org the default nginx vhost 2024-08-04 16:51:57 +02:00
Râu Cao
a99f7f7574 Add config for accounts .well-known proxyying 2024-08-04 16:51:18 +02:00
Râu Cao
1c8ee14bb3 Add HTTP redirects for kosmos.chat and kosmos.cash 2024-08-04 16:49:20 +02:00
Râu Cao
cdedf49be3 Merge pull request 'Fix download URLs for Mastodon exports/archives' (#564) from bugfix/mastodon_archive_download_urls into master 
Reviewed-on: #564
 2024-08-04 14:46:26 +00:00
Râu Cao
5e727ec279 Fix download URLs for Mastodon exports/archives 
See https://github.com/mastodon/mastodon/issues/24380
 2024-08-04 14:55:22 +02:00
Râu Cao
9d928298d2 Fix Gitea user/repo avatar URLs in certain situations 
I encountered a CORS proxy which somehow ended up with http://_gitea_web
URLs.
 2024-07-10 11:36:07 +02:00
Râu Cao
1174661b46 Use proxy domain for RS Discourse ACME challenge 2024-07-08 20:31:46 +02:00
Greg
2dff7cf850 Merge pull request 'Add new service: nostr.kosmos.org (members-only nostr relay)' (#559) from feature/strfry into master 
Reviewed-on: #559
Reviewed-by: Greg <greg@noreply.kosmos.org>
 2024-07-05 07:33:40 +00:00
Râu Cao
232360efba Remove commented code 2024-07-03 09:23:13 +02:00
Râu Cao
8b8e8f3438 Move strfry extras into their own directory 2024-07-03 09:22:50 +02:00
Râu Cao
522c213b09 Add Deno lockfile 2024-06-20 18:16:27 +02:00
Râu Cao
80eddfbf56 Configure strfry whitelist 
Allow akkounts pubkey to publish to our own relay
 2024-06-20 15:38:27 +02:00
Râu Cao
7e664723a1 Configure akkounts nostr relay URL in production 2024-06-20 15:04:17 +02:00
Râu Cao
f5961af7fe Create/deploy strfry VM 2024-06-11 23:17:33 +02:00
Râu Cao
d1301dad3e Add, configure, deploy strfry policies 2024-06-11 23:12:22 +02:00
Râu Cao
42c46a5645 Deploy strfry reverse proxy 2024-06-11 23:10:24 +02:00
Râu Cao
5be9081613 Header name has to be all lowercase in strfry config 2024-06-11 23:09:49 +02:00
Râu Cao
1649d03665 Update strfry cookbook 2024-06-11 23:09:48 +02:00
Râu Cao
b9a3910364 Update strfry cookbook 2024-06-11 23:09:48 +02:00
Râu Cao
9835b85181 Fall back to default port for strfry proxy 
When we don't override it elsewhere
 2024-06-11 23:09:48 +02:00
Râu Cao
dbccd9d2bf Add kosmos_strfry cookbook, configs 2024-06-11 23:09:48 +02:00
Râu Cao
1a5f312699 Add strfry cookbook 2024-06-11 23:09:48 +02:00
108 changed files with 1423 additions and 390 deletions
Expand all files Collapse all files

6
.gitmodules vendored
View File

@@ -4,3 +4,9 @@
[submodule "site-cookbooks/openresty"]
path = site-cookbooks/openresty
url = https://github.com/67P/chef-openresty.git
[submodule "site-cookbooks/strfry"]
path = site-cookbooks/strfry
url = git@gitea.kosmos.org:kosmos/strfry-cookbook.git
[submodule "site-cookbooks/deno"]
path = site-cookbooks/deno
url = git@gitea.kosmos.org:kosmos/deno-cookbook.git

4
README.md
View File

@@ -38,6 +38,10 @@ Clone this repository, `cd` into it, and run:
knife zero bootstrap ubuntu@zerotier-ip-address -x ubuntu --sudo --run-list "role[base],role[kvm_guest]" --secret-file .chef/encrypted_data_bag_secret
### Bootstrap a new VM with environment and role/app (postgres replica as example)
knife zero bootstrap ubuntu@10.1.1.134 -x ubuntu --sudo --environment production --run-list "role[base],role[kvm_guest],role[postgresql_replica]" --secret-file .chef/encrypted_data_bag_secret
### Run Chef Zero on a host server
knife zero converge -p2222 name:server-name.kosmos.org

4
clients/akaunting-1.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "akaunting-1",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzmNpNWJh5DeXDsINDqAt\n5OtcGhnzLtqdILTD8A8KuPxWhoKI0k9xwvuT4yO2DLQqFMPyGefRuQkVsIq2OuU5\npK8B5c79E9MBHxti6mQZw4b/Jhmul+x2LGtOWYjPTDhFYXRsNNDtFDxwpwJGPede\nYts026yExHPhiF35Mt1JxA3TXJfPC8Vx0YGHu/6Ev+1fLmcKhFmhed5yKkA0gwod\nczdyQiCfw3ze9LuS90QmALpFOHHpekZeywemdwyPia207CoTrXsPLWj9KmuUEIQJ\nwL+OlEU2tVA6KaBKpl54n5/tMsccZmlicbNsVpgkk6LctrkNh6Kk+fW9ry3L/Gxg\nAwIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-10.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "garage-10",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw2+3Wo+KkXVJCOX1SxT9\nSdwKXgPbCDM3EI9uwoxhMxQfRyN53dxIsBDsQUVOIe1Z8yqm4FenMQlNmeDR+QLE\nvNFf1fisinW+D9VVRm+CjcJy96i/Dyt786Z6YRrDlB860HxCbfTL2Zv5BRtbyIKg\nhz5gO+9PMEpPVR2ij9iue4K6jbM1AAL2ia/P6zDWLJqeIzUocCeHV5N0Z3jXH6qr\nf444v78x35MMJ+3tg5h95SU1/PDCpdSTct4uHEuKIosiN7p4DlYMoM5iSyvVoujr\nflRQPEpGzS9qEt3rDo/F4ltzYMx6bf1tB/0QaBKD+zwPZWTTwf61tSBo5/NkGvJc\nFQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-11.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "garage-11",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfZcNEQojtmaogd9vGP/\nMsVPhAOlQ4kxKgrUas+p+XT7lXRan6b3M8UZEleIaL1HWsjSVwtFWRnNl8kg8rF8\nNEkLeOX8kHf7IoXDFOQa2TXanY8tSqrfh9/heFunt4Q3DluVt7S3bBdwukbDXm/n\nXJS2EQP33eJT4reL6FpVR0oVlFCzI3Vmf7ieSHIBXrbXy7AIvGC2+NVXvQle6pqp\nx0rqU6Wc6ef/VtIv+vK3YFnt9ue3tC63mexyeNKgRYf1YjDx61wo2bOY2t8rqN8y\nHeZ3dmAN8/Vwjk5VGnZqK7kRQ92G4IcE+mEp7MuwXcLqQ9WB960o+evay+o1R5JS\nhwIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-4.json
View File

@@ -1,4 +0,0 @@
{
"name": "garage-4",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8it7QtT6zDiJJqlyHKfQ\nLqwu6bLblD15WWxlUSiOdhz3njWDv1BIDCAdkCR3HAXgxvk8sMj9QkvWS7u1+bc4\nxvHrY4Tgfg+Tk1h3gGa7ukll8s1WLIbGjj89vrK8PFr4iuDqRytYRMmcdMsNzPkS\nKcsOjFYWGV7KM/OwoQGVIOUPB+WtkrFAvNkXtIU6Wd5orzFMjt/9DPF2aO7QegL8\nG1mQmXcPGl9NSDUXptn/kzFKm/p4n7pjy6OypFT192ak7OA/s+CvQlaVE2tb/M3c\ne4J6A+PInV5AGKY6BxI3QRQLZIlqE0FXawFKr1iRU4JP4tVnICXZqy+SDXQU1zar\nTQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-5.json
View File

@@ -1,4 +0,0 @@
{
"name": "garage-5",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJxLFOBbml94W/GAe7nm\ntZs1Ziy8IbqXySsm8bSwWhRMQ8UuseqQLG30R3Q5X5AoJbtNfd26l63qLtP2fFtL\n5km9dV+2FoIJWFetl8Wzr7CaLYAiNzTQSFHlV7+6DKmPMDcJ63GKrFR77vkSGOG6\nOWL1bJy5BOaClp/sKL/0WQ0+mRbTP6RCQ2eI+46clAg702SenBU6Nz9HDm+teKN7\nYlP1CvzXgfgfpDOsat7wGn5+oKcmKavZxcdn8bt5jRpg8v3JezaZIjMXt7XcNS4n\n0F4XO/efnZE5B5SN68j4BpD8N79zJw4HlRIGP+RaYv2qLtBeWgLHCCs9wXQXfj6b\nLwIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-6.json
View File

@@ -1,4 +0,0 @@
{
"name": "garage-6",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwasYgWLM8ShvirFiKRE6\nGWqc3pMlvcrk4YnWAUW5Y/H26EnyexxWNfnwlEcq8thJ3M3hs7zkoF3Yk4uqX869\n4/niYqXwYgeE1K3gzLp4K1+w3yVupYAFVFStVEHJyuMlLJ+ulDEGvNdQDuIfw7+E\nr6DcDLa1o92Eo0wL1ihYyMilduH0LdFTixL+tEBXbbPWBa3RDJJCFsRF1+UC6hAH\nzmaWL661Gdzdabxjm/FlGUYkdbDqeInZq/1GMQqv+9/DcNRkWA9H7i4Ykrfpx4/2\nRZ8xtx/DbnJVB1zYoORygFMMAkTu5E+R8ropeI7Wi77Yq0S7laiRlYQYQml3x9ak\nzQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-9.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "garage-9",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnMHzKE8JBrsQkmRDeMjX\n71mBzvRzNM90cwA8xtvIkXesdTyGqohX9k/PJbCY5ySGK9PpMaYDPVAnwnUP8LFQ\n3G98aSbLxUjqU/PBzRsnWpihehr05uz9zYcNFzr4LTNvGQZsq47nN9Tk+LG3zHP7\nAZViv2mJ4ZRnukXf6KHlyoVvhuTu+tiBM8QzjTF97iP/aguNPzYHmrecy9Uf5bSA\nZrbNZT+ayxtgswC2OclhRucx7XLSuHXtpwFqsQzSAhiX1aQ3wwCyH9WJtVwpfUsE\nlxTjcQiSM9aPZ8iSC0shpBaKD1j3iF/2K2Jk+88++zMhJJPLermvaJxzsdePgvyk\nKQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/postgres-5.json
View File

@@ -1,4 +0,0 @@
{
"name": "postgres-5",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXZv6Gk+dhIVkTXH9hJ1\nt2oqsMSLmTUj71uPN+4j0rxCQriXa095Nle9ifJAxfwzQyKEpWKyZd1Hpyye6bL1\nwgWATZ/u5ZS4B63NhRFyDxgPlHWBBohaZBN42zeq0Y0PNGHPVGDH/zFDrpP22Q9Q\nYScsyXTauE/Yf8a/rKR5jdnoVsVVMxk0LHxka8FcM2cqVsDAcK7GqIG6epqNFY8P\nUb1P+mVxRwnkzvf1VtG212ezV/yw9uiQcUkHS+JwZMAgbC34k9iDyRmk6l4sj/Zk\nNem20ImMqdDzsrX8zEe21K+KNvpejPH9fxaNCwR8W+woBMMzqD3I7P9PbLjc70Rx\nRwIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/postgres-7.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "postgres-7",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/postgres-8.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "postgres-8",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx88DgM/x1UbKRzgPexXE\nSyfrAsqaDVjqZz7yF3tqAc9A52Ol0KOM6NESoPWBVMbS86WtAjBcMHcOoQBJ+ovp\nXcjNlRtO1Il6/d4uCRr4CEDX+yeS0Qrt0SOORnoTbVlkq9VlVljyCmxk8VBCILzk\ndHvFr62mahMy6vOEcpCQgCwYE3ISH2jlTDz2agoK/CjIyyqFTlB1N7mJVGLrJdcA\nA2JOxDRE8HqOdpY7bHcHj4uyMWaKuM3zxXK04lhrvuPRfJUhXgsK9r5jeTEa8407\nqV9K+mB17R1dBeHmWEPDRt02HELe2SUjYmlmyVX73H2mWKDLBFpAFjOfz86CJ6jf\nDQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/strfry-1.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "strfry-1",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDV/RMGMXVDbvoA6PNh8\nQzhtHwYDCFcUSkbrwP6tzh6GpVunGEOdOdhj2V63T2tF1H+lujxQXh5pK7C0D6VZ\niO04ftJlo7/svyxUcwWr+znyN5sFdQRh3cBZiGSBYolizwoqgtPFlbNhmWAzV0Du\n9t8mhz70IK3B+UdwWyHtoK0NNsJGnQ9YzAvcjyDmEO/3sCjAhNnxVpmXftpcSmd9\nMonzFtIDBbRRll4AHZYRbmXCzx63+VmelvdnufnbY82liol0zzBwJaBD1wyNlG0y\ni96p3Kx03bLNlIaYVGbjZeJi+6oo2VDWJ4OloLLAYoHDSipeHT9qWfUdnE6ge4Lm\nywIDAQAB\n-----END PUBLIC KEY-----\n"
}

31
data_bags/credentials/akaunting.json Normal file
View File

@@ -0,0 +1,31 @@
{
"id": "akaunting",
"app_key": {
"encrypted_data": "C7VVGHHrE/ESwtGeODf8zVraayO5uBSXaGR7f4yoj0MDq9WxPujItC3dIkMQ\ngjGzk8fH\n",
"iv": "4+d+RMLeuqaneFBa\n",
"auth_tag": "sBQDUVl6QbL/h9pd0kBQ0g==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"pg_database": {
"encrypted_data": "4mqHsMfDAqPvDmGsWgS9iE63qVeus7diSW8WiA==\n",
"iv": "6Cb1lVUcXBz+GA4u\n",
"auth_tag": "8O3N0m8jGhxs/YacdhgNHA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"pg_username": {
"encrypted_data": "Nu0wiBhvqUwqC7PL2Qo8otq0b3faJqRsabqp2g==\n",
"iv": "1uA8mJc7itT0qHcx\n",
"auth_tag": "PRWw6LTlFrWs63SDRsovtQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"pg_password": {
"encrypted_data": "oXDKiXQ4aH5M2pVu1sx7dj0awKCORke03fq0uemjIfCMYbM=\n",
"iv": "snPyC8mocevc5kGH\n",
"auth_tag": "9wx4GPSydkYr2WGpZK5HZg==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}

60
data_bags/credentials/akkounts.json
View File

@@ -1,72 +1,72 @@
{
"id": "akkounts",
"postgresql_username": {
"encrypted_data": "bDlOkEmhvMgyVzPeTNUzYnzRLf3T9cc0cDxt\n",
"iv": "GCCUoqU5pxQ7fGkv\n",
"auth_tag": "Q7mrSHIBluMe3CGVmoR86Q==\n",
"encrypted_data": "ofLOjxGBj7no+lWrIvtxQQFoeozCh6mpfMTt\n",
"iv": "/CF+o4GqZx2O5WOm\n",
"auth_tag": "bjHXfgNQfXpQ2gucPLrUWA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"postgresql_password": {
"encrypted_data": "wD0HtdsNe/hl4ZaOy8hyr2k4z8TXQrrSja3KNVE47w==\n",
"iv": "tb5yz8WDer0CsGvJ\n",
"auth_tag": "/+K2anuCff/6M7Pu70Smqw==\n",
"encrypted_data": "f8Jfs4aqIjc6/6/NQlI2Fv8TzSgVmi5g0iYNhh9bAA==\n",
"iv": "vAzrZeUodmu4x5eB\n",
"auth_tag": "vx8eH2SY7I4IkZElXSC1Nw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"sentry_dsn": {
"encrypted_data": "jCz681x0WVixHYZUb62TO+1cgyJMiJ2UMqWcaztx57yDBOIiKW3oSZjuXdhP\n9WCesfXQF/lgzITZno3IKDqzlKjWgbGLC75y8FLguxidCHI=\n",
"iv": "IRNOzN/hLwg1iqax\n",
"auth_tag": "eg9dWnEK04JDb94e4CFa9Q==\n",
"encrypted_data": "oxW5jGU8DlIp5A9enxBhcJXuKyaZ5HziXq8Zw+Rbvpbv4C/RTGkJkgZdKcH1\nVzW/wNAT8nTK+nEvWgcQ3svjE40ltj2jcOexIRqLbuCClJE=\n",
"iv": "wpW9+VdX5GjocHSl\n",
"auth_tag": "1qrf1kZMrIR7WRiSaRjppQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"rails_master_key": {
"encrypted_data": "nUB77VLRp41rluH7hLBwQqPtnh/HsmfLr2VbcIZHWawL3o2TGuY+mj648f9L\n7XsEpgqY\n",
"iv": "fpdbDitqTRHxEKiv\n",
"auth_tag": "I44fn8Ott3L/Y5LYr56U/Q==\n",
"encrypted_data": "KHVYYH7Nb9/SsoKkYfbjzhFwj3Ioj72hm5pfdCuinf+GQvjKumq99eQTlKdf\nBZM1n0XN\n",
"iv": "x9AQZvw/vCinKQ8k\n",
"auth_tag": "mi0KHHOTBvVNhtvqk38BtQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"discourse_connect_secret": {
"encrypted_data": "ENtMn+1XTVFmdEZw7LU6WGoMbSZY654ggm3vPACGfFgqo6r0LhG60c5OTdqv\nZvT5/Q==\n",
"iv": "bL1BmvRhgxFqSM1P\n",
"auth_tag": "sEBZzGWwwYFHn+4B4SsyCA==\n",
"encrypted_data": "WyLrV0DOsxyafSqyeQVj0BhVwm/0gvWeJLBsAbiqCGphryoYqUByPcum1T6R\n2H44nQ==\n",
"iv": "lUtlJDv6Ieq8Bs5x\n",
"auth_tag": "ku22BlQKw/BhHxuANTF6yg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"lndhub_admin_token": {
"encrypted_data": "4LPGFoARzI8UYnsJPIk8sax/rAA16pUULEZWn86e2C7L\n",
"iv": "nvjXrOwgfgutwEVw\n",
"auth_tag": "A89RUf1sdcS3FVscNPWYLg==\n",
"encrypted_data": "DQuxQW8ks3sUzyHYEpQVyPg2f/U4/LWeRoCD9225Hd+c\n",
"iv": "mjxYi+YAcKGuurD2\n",
"auth_tag": "8P3bFFNeQ5HQgpXDB5Sk5A==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"btcpay_auth_token": {
"encrypted_data": "ky5iWYF06os0Ek6vIRzWqMTekqJhCOh/Q9DTDIeKhSyk8TnT3O71lCNEt1F5\nXCNq6ux3V6oyHVLWj0o=\n",
"iv": "zk6WnxsY89oNW1F9\n",
"auth_tag": "FAIMXKvQ1T7QKezVSNJbwQ==\n",
"encrypted_data": "3wsY9osaUdX4SvBPfHprNLSbx6/rfI5BfXnDxsc6OET3nGn19qBhH6wgeiwZ\n/dweqdQ25HpbFPygddc=\n",
"iv": "ccouibxktHLlUCQJ\n",
"auth_tag": "pWuRC8O2EAkmztL/9V3now==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_access_key": {
"encrypted_data": "KfhfEGwPjOonlz6rpnNTinXFPqX/sIbqQn/aby0UDi/G/7cvEcOiNcCkfuSz\n",
"iv": "Q3rg06v6K9pUDLDY\n",
"auth_tag": "G5ugdlJ896KtYtObKLclJA==\n",
"encrypted_data": "hJGHa+hEmddtsZ4UncrYBkjRa/2Csqdh79tXpTVxUWbIsYGdlvyadk7C1UCj\n",
"iv": "GlxNdnWiNzmNYthg\n",
"auth_tag": "hlRLkroUN01L7VzQFBU/IA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_key": {
"encrypted_data": "N8s1OoDrYXHjqSydQA0kY7dd68Aelq4+/cgmJlYfP92u4YA17V4TR7fsvQZL\nkqjuUSClNYPc0XiCwf/5gxVirE9AO6OmmvSV7lUyu4hcEY6unrU=\n",
"iv": "bXzIVWnX6V0P6PRb\n",
"auth_tag": "1EOjCfsX9P6ETjUsgBvBsA==\n",
"encrypted_data": "LKdQJOKIfFIoiF3GvfTs1mg3AI//Aoi8r42zcw8QhEVPB8ONsSf0/vhM037C\nf5nzUk7xwglvTOveqbOM+UTBJF/4oblQfgwFW3VobWUGkJqjtKE=\n",
"iv": "tWTxzK/ccpjlLmQV\n",
"auth_tag": "n2MFkTIquyqz4wqRNdSJcg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"nostr_private_key": {
"encrypted_data": "Sf8PEyQ0sqcgxddSlIDxLOVzPjOkTFObsYuTgcxkbEV7igrati4e8QVVUEBD\n1yoLJXelp8jlCr28Ectci29jc53gYSMTLSQsw97uYas2R0dGCqQ=\n",
"iv": "+1CIUyvIUOveLrY4\n",
"auth_tag": "GDqS+IuAIfMBmHIeFXaV7A==\n",
"encrypted_data": "CPMeNxzpYMReaQU4+v+EqpVESRsnaYc3a4y7OkHOhtn2gjaNEDERGKvRmlyd\nD6vxKPcIrwTCZ7neJ3YLOVOxPDNv6skqdtMHBwSgl7aBEOrx7tY=\n",
"iv": "AV1on2sw1avmFFuY\n",
"auth_tag": "9rb9qQBKrj5Xja1t+qROKQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

43
data_bags/credentials/backup.json
View File

@@ -1,27 +1,38 @@
{
"id": "backup",
"s3_access_key_id": {
"encrypted_data": "emGNH4v7TTEh05Go/DsI3k7CFnaK4p/4JxodC4BYpyWw47/Z3dsuRMu4vXM3\n3YLH\n",
"iv": "Dau+ekb3UTYdl8w3fQKVcA==\n",
"version": 1,
"cipher": "aes-256-cbc"
"encrypted_data": "245TrPvuoBRRTimhbt6qqsFb+JnnD377sPt1pguJy7Q2BXOy/jrX0wyMt+cP\nuA==\n",
"iv": "ylmRxSRO3AA4MSJN\n",
"auth_tag": "45tBcYZowPLrbv4Zu2P0Fw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_access_key": {
"encrypted_data": "Mxyly86JxrWUbubbSiqPdRosChzfI1Q8eBEG4n+2B9JJG4yExltO5Wc5kgSs\nX01MPXAc+PGLm+J9MngUtypo/g==\n",
"iv": "WRhBJGiuScYYsUsoT5j/UA==\n",
"version": 1,
"cipher": "aes-256-cbc"
"encrypted_data": "jDIOjlBzTkBUzpj243T6KnBuH0qwyW7BUFMcqllljFSzxs7K8wYJOUreNbOP\ny8OpDWAuO0H4O4LuFMJXeM8=\n",
"iv": "PzvZr37EkJqz6JtM\n",
"auth_tag": "e3XW8oHVgmYibv/IBzj0yA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_endpoint": {
"encrypted_data": "ErJIEChxrreW7WKEwRtuP2MyYlsZRtqLdGa/x5QY58qgO036FgR3Hs2Z3yce\n",
"iv": "HOSAOgUjO7XGwk50\n",
"auth_tag": "XE1bwMIXHHE72V9K2KOLnw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_region": {
"encrypted_data": "2ZGxu0tVzKNfx3K1Wleg0SAwGaPkHCi/XfKpJ+J7q40=\n",
"iv": "CNTZW2SEIgfw+IyzGI3TzQ==\n",
"version": 1,
"cipher": "aes-256-cbc"
"encrypted_data": "8cNSaYu7HH95ftG66lFdUIPZD7soz907CPA=\n",
"iv": "pU21ulF75y/SIs3x\n",
"auth_tag": "7WQQCbSbB2GybjY+C+5IvQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"encryption_password": {
"encrypted_data": "tsBWKBwhQFfEAM0EWMPtljSbqU1c5mOJXPjYJjNT5RUFhPlqa7gsE8aJbs+D\nSPKjAQ62j+iHeqCk9mE9CCkgBA==\n",
"iv": "uq5YAXuq2ynRLv9EIWoCFA==\n",
"version": 1,
"cipher": "aes-256-cbc"
"encrypted_data": "l23CiIO2s1fIRn0NdoWZ+wK+Zhx3hCYDHf4ypjqMRekZ7xqafvXHHuogD5aj\npxYUKloH\n",
"iv": "Dzx83eP9L7Jqqidh\n",
"auth_tag": "UVn5XA5Tgsikc1GdOt1MUQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}

27
data_bags/credentials/dirsrv.json
View File

@@ -1,9 +1,30 @@
{
"id": "dirsrv",
"admin_dn": {
"encrypted_data": "zRtz6Scb9WtUXGyjc0xyvsre0YvqupuaFz+RPApj7DEQTmYyZPVb\n",
"iv": "xfIXMhEBHBWqa4Dz\n",
"auth_tag": "BcA32u1njcnCZ+yrBGSceQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"admin_password": {
"encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
"iv": "KNW2B8tpX7ywZwbg\n",
"auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
"encrypted_data": "7JpXl3JZDqKWDfYt/wuNbkbob+oRuONhkuAlpqUCCEIn+tY=\n",
"iv": "Lcwc4NDzrfcBaIKQ\n",
"auth_tag": "rrePS3Bhdnwbr2d/o8vMhg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"service_dn": {
"encrypted_data": "sqRFiZreLeTPQljSfhAuV3DmsPxSC8tzWjCdu+WSSbO67sBQA+xhmGtzBhBD\nDZPGJw+jtAxzuVvPdAjxgAVgxXO6C6WEo87L1tdJewE=\n",
"iv": "GUEGtyRJXrPhWcUs\n",
"auth_tag": "2USsrx//3V7RCyumGCbMkg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"service_password": {
"encrypted_data": "f2wi8B8SEt6p5G0TF3dZ72j0vMFlvwcP1suxYnshBA==\n",
"iv": "rOnUoxbnkaJtodM+\n",
"auth_tag": "dVLCtBVMjxLfW2D8XjJBdQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

18
data_bags/credentials/gandi_api.json
View File

@@ -1,23 +1,23 @@
{
"id": "gandi_api",
"key": {
"encrypted_data": "d3/rJMX6B9GuzUt0/mIk/lgQ3qGyQdbNXH6UEm3ZX7DeSl+rbW9FPJCRWg==\n",
"iv": "15YVAYla7PqqVOab\n",
"auth_tag": "xQSq+ld6SDOAER07N4ZkUQ==\n",
"encrypted_data": "Ky1/PdywtEIl5vVXhzu3n2JetqOxnNjpjQ7yCao6qwIAn8oYxnv1c1hFAQ==\n",
"iv": "stAc2FxDvUqrh0kt\n",
"auth_tag": "rcK4Qt+f2O4Zo5IMmG0fkw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"access_token": {
"encrypted_data": "geQwcNosiJZmqbbMpD/I+a2yueBzpV6C8Rb7vrCD8kR161ZRjvqLe+g/1XpT\n2/65wKYDMTrdto1I030=\n",
"iv": "1sj58eyooOZ8FTYn\n",
"auth_tag": "yBNfgWXaToc06VDLly/HUw==\n",
"encrypted_data": "J7zoLhEbPfPjnVWBmFmDdPKRer5GGw2o6Ad0uinznANugfaDiqjyYinOdEDF\nHlAqLmXv4J40rr3F+o4=\n",
"iv": "fAxFqVh9QqrfBsPW\n",
"auth_tag": "9ugi4frDLv8f7X0X1+k4DA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"domains": {
"encrypted_data": "p5rIQTyCE+0d4HIuA4GKEAFekh7qEC4xe9Rm/kP0DyzY83FO0/4uKIvYoZRB\n",
"iv": "LWlx98NSS1/ngCH1\n",
"auth_tag": "FID+x/LjTZ3cgQV5U2xZLA==\n",
"encrypted_data": "X0KOKlJp5GYbKcq/jzmlaMmTXV1U7exWSqi3UxX9Sw==\n",
"iv": "9JucnYLlYdQ9N6pd\n",
"auth_tag": "sERYPDnVUJwVfSS8/xrPpQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

99
data_bags/credentials/mastodon.json
View File

@@ -1,93 +1,114 @@
{
"id": "mastodon",
"active_record_encryption_deterministic_key": {
"encrypted_data": "2ik8hqK7wrtxyC73DLI8FNezZiWp2rdjwaWZkTUFRj+iwvpSrGVEwMx6uxDI\nWa7zF3p/\n",
"iv": "XMp6wqwzStXZx+F3\n",
"auth_tag": "vloJOLqEcghfQXOYohVVlg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"active_record_encryption_key_derivation_salt": {
"encrypted_data": "Nq/rHayMYmT/82k3tJUKU8YTvDKUKLoK204aT0CMGZertZaAD3dtA9AkprrA\nPK0D9CdL\n",
"iv": "tn9C+igusYMH6GyM\n",
"auth_tag": "+ReZRNrfpl6ZDwYQpwm6dw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"active_record_encryption_primary_key": {
"encrypted_data": "UEDMuKHgZDBhpB9BwbPmtdmIDWHyS9/bSzaEbtTRvLcV8dGOE5q9lDVIIsQp\n2HE0c92p\n",
"iv": "tnB0pQ3OGDne3mN/\n",
"auth_tag": "kt234ms+bmcxJj/+FH/72Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"paperclip_secret": {
"encrypted_data": "VJn4Yd2N7qFV+nWXPjPA8Y2KEXL/gZs2gK5E3DZZc9ogFXV7RtpDtq+NKGJU\ndpR8ohtEZvkyC+iBkMAlnS1sSVKiLdQ1xXvbzkj04mYgjnLvwsZ19uVpBGwR\nt/DON7Bhe5Fw+OyrBQksqNcZQSpB9sMBfgA1IgCpdVGHQ8PmkMbFTaZZYcoF\n7gg3yUw5/0t3vRdL\n",
"iv": "X5atp/KaIurfln/u\n",
"auth_tag": "mVnBoUb5HwhXNYUddJbq8Q==\n",
"encrypted_data": "AlsnNTRF6GEyHjMHnC4VdzF4swMlppz/Gcp1xr0OuMEgQiOcW1oSZjDRZCRV\nmuGqZXZx64wqZyzTsJZ6ayCLsmWlPq6L21odHWyO+P/C5ubenSXnuCjpUn3/\nHs8WLX3kwVmqCRnVgDl2vEZ5H4XedSLr7R7YM7gQkM0UX4muMDWWnOTR8/x/\ni1ecwBY5RjdewwyR\n",
"iv": "RWiLePhFyPekYSl9\n",
"auth_tag": "sUq4ZX9CFKPbwDyuKQfNLQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"secret_key_base": {
"encrypted_data": "d0sNREFhzQEJhkRzielbCNBJOVAdfThv7zcYTZ1vFZ20i/mzB9GWW2nb+1yn\nNFjAq8wCLpLXn9n3FClE+WOqnAw0jwTlyScRM5lzjKI5SxHKkBQHGyFs2AF8\nqFjEvpiqxhjsc4kNOJGO8DdcyHuulXyaO9fJg8HDnU1ov1vSSuTc0ABKgycY\nMq/Xt10UXnhP8cPw\n",
"iv": "HFT7fdGQ2KRJ2NFy\n",
"auth_tag": "C55JT2msLQCoI+09VKf+Jw==\n",
"encrypted_data": "K5CmIXFa9mS4/dODBQAN9Bw0SFpbLiZAB8ewiYpkB8NDXP6X/BX8aDjW2Y4F\ncMvpFyiFldRBhrh1MSKTVYQEoJ3JhlNL9HCdPsAYbBEW70AuEBpHvOtD5OxH\nqgbH4Reuk6JX5AI8SwDD3zGrdT12mTFVNgSujzuZMvpi1Sro2HtRGAkjmnaa\nMGKrBV21O1CREJJg\n",
"iv": "/yMMmz1YtKIs5HSd\n",
"auth_tag": "WXgIVWjIdbMFlJhTD5J0JQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"otp_secret": {
"encrypted_data": "1iH7mUkaUzyn9dfDwMdiJ8X059qWSUO3DqivsOFfI1f44nMnzllaYPu6nh8O\nNLNCOzvsSAonhhaq1X+foOdyPIG2mGhE/juKveDD57/AdZAayHWsbsQlPC4l\nwdShz/ANrq0YZ/zOhpT2sZj1TZavW+S+JlxJFX2kP24D4dUzwG0vNj7522+Q\n9NAApJdUte1ZYF/b\n",
"iv": "00/vs5zTdoC19+pS\n",
"auth_tag": "3cjYqebMshnmWkQ3SdRcCQ==\n",
"encrypted_data": "OPLnYRySSIDOcVHy2A5V+pCrz9zVIPjdpAGmCdgQkXtJfsS9NzNtxOPwrXo6\nuQlV9iPjr1Y9ljGKYytbF0fPgAa5q6Z1oHMY9vOGs/LGKj8wHDmIvxQ+Gil1\nC+dZEePmqGaySlNSB/gNzcFIvjBH3mDxHJJe9hDxSv5miNS9l9f3UvQeLP2M\nU7/aHKagL9ZHOp/d\n",
"iv": "wqJBLdZhJ7M/KRG9\n",
"auth_tag": "dv5YyZszZCrRnTleaiGd4A==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"aws_access_key_id": {
"encrypted_data": "krcfpxOrAkwZR2GP4glTaFg2dw/COw8BO8I+KICqyl4bvpL5NrB9\n",
"iv": "paoDKp6EIU8bjxzF\n",
"auth_tag": "p6Pt/tz5dgGXzW5cO06nBg==\n",
"encrypted_data": "A1/gfcyrwT6i9W6aGTJ8pH4Dm4o8ACDxvooDroA/2N0szOiNyiYX\n",
"iv": "JNvf21KhdM3yoLGt\n",
"auth_tag": "2xaZql1ymPYuXuvXzT3ymA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"aws_secret_access_key": {
"encrypted_data": "aQySCT7gxeNiMMocq81KtIi+YzrZwMBeTd4LrRSN8iNEikWReJrrfagBwozy\n+Gfdw4bMGzY1dhF1Sl4=\n",
"iv": "R/hvvOvmqq/uoKbx\n",
"auth_tag": "QBJY/3+OprBXO/FSNwv2OQ==\n",
"encrypted_data": "T1tc01nACxhDgygKaiAq3LChGYSgmW8LAwr1aSxXmJ5D2NtypJDikiHrJbFZ\nfWFgm1qe4L8iD/k5+ro=\n",
"iv": "FDTPQQDLUMKW7TXx\n",
"auth_tag": "msY6PFFYhlwQ0X7gekSDiw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"ldap_bind_dn": {
"encrypted_data": "wDPABdL+DlXz2WWV4XwW20kM4EWPSwc/ajBmbdYMnjFau6c76CIBpbFhrFoj\n3mwDbHz8cgOnLNvozXSV4w6N7URCN/mWWTBHNhd3ppw=\n",
"iv": "8rQ0M4LT1HbCNpq9\n",
"auth_tag": "AuO5R6WCtd75TGJNfgFSCg==\n",
"encrypted_data": "C/YNROVyOxmR4O2Cy52TX41EKli2bCOMzwYD+6Hz/SiKkgidnKUHlvHlbTDq\nkWwlRDM2o8esOCKaEAGPNWcNc9IHlaSsfwhr4YWnwe0=\n",
"iv": "QCQF0+vH+//+nDxr\n",
"auth_tag": "a0PbyO/7wjufqH2acDCqmQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"ldap_password": {
"encrypted_data": "y0t8RuptVYiTKmUhaAWsC4c2ZzhQsYeVLeMPiQBn+Q==\n",
"iv": "mixYzDKkPSIDQ/l+\n",
"auth_tag": "DbLlZG7rlgBmyCdJ3nhSYA==\n",
"encrypted_data": "SqwKeiyzfvvZGqH5gi35BdW3W+Fo/AQQjso1Yfp2XA==\n",
"iv": "md2/etFJ1r/BKaYg\n",
"auth_tag": "OlCCOoYSD7ukdH2yWCd6KA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"smtp_user_name": {
"encrypted_data": "Ugc29HUFcirv6jOOlYNs9uvmhfwa2rG41im/MusCx0Vu0AZKcdy0krGi/kCZ\nKg==\n",
"iv": "ZlDK854w+vTNmeJe\n",
"auth_tag": "Nj95g0JMxrT419OLQIX26g==\n",
"encrypted_data": "0kzppmSSUg7lEyYnI5a0nf+xO0vSVx88rbxI+niIdzFOOBKSIL6uVHJ340dw\nMQ==\n",
"iv": "lQR77ETTtIIyaG1r\n",
"auth_tag": "smF2HRg8WdmD+MWwkT3TqA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"smtp_password": {
"encrypted_data": "D1TGjRfmM1ZeUmzwewlKXfQvvqTSzpzNlK5MKIU8dxbAH175UKn5qiemDEWe\nRYPe1LWT\n",
"iv": "D1OVfD5bMcefM5DP\n",
"auth_tag": "2E/q2gTbdXiLVnOMDeJv9w==\n",
"encrypted_data": "1i0m9qiZA/8k8fMKo+04uyndl1UhagtHweBFICIorWALkB68edjb8OhUDxv9\nTubiXYRC\n",
"iv": "IU2x4ips9HWmKoxi\n",
"auth_tag": "BZJTDfPBvt8cf6/MbKzUJQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"vapid_private_key": {
"encrypted_data": "+87bVrbd/XvWhZH1IYusc4Hla7ZZmylptAyJf48CMG/F3SMEO33OqW2I+UWh\nSkqbxai5+GaMhvZHB8U2Clod\n",
"iv": "HVhNdFQl0TvCcjsa\n",
"auth_tag": "EEQXuQ5keOHXmchhBh+Ixw==\n",
"encrypted_data": "+LmySMvzrV3z2z7BmJG9hpvkL06mGc87RG20XQhhdAJ2Z/5uMMjev2pUf7du\ntv2qvDJAimhkZajuDGL9R3eq\n",
"iv": "Mg7NhPl31O6Z4P+v\n",
"auth_tag": "qYWPInhgoWAjg0zQ+XXt5w==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"vapid_public_key": {
"encrypted_data": "nBm1lXbn1+Kzol95+QSEjsUI/n7ObhdEqEyfYcVSP/LiLy57KOBQDu6CjSMz\n+PN9yEP4lOjtscqHS29jTC2vi3PSui9XpOFHRxFBnDuyKxczrnID2KlLCNRQ\n228G3VRgFIMAWMYKACgzUk0=\n",
"iv": "xHrVl+4JGkQbfUW3\n",
"auth_tag": "rfFoBMocq17YiDSlOCvWqw==\n",
"encrypted_data": "NOyc+Cech9qG2HhnhajDaJMWd1OU5Rp6hws6i4xF5mLPePMJ9mJTqzklkuMK\npYSEdtcxA3KmDt1HrFxfezYUc9xO9pvlm0BPA7XAFmF/PU7/AJbFqgPU6pX/\ntSDLSdFuMB3ky+cl4DJi+O4=\n",
"iv": "rgUglYiHB/mhqGha\n",
"auth_tag": "DEX7hdNsNLi/LIrMkdUe/Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_key_id": {
"encrypted_data": "pq0+VZhjoxzLuyY34f23wOmuks9Wevt8Wu6muKZAsZMSuU0iJvlRoK/65Qa0\n",
"iv": "QTxO+IfYcpI170ON\n",
"auth_tag": "4ZHva2iBYgDv6DyhMRRXzA==\n",
"encrypted_data": "rPVzrYYIbcM+ssVpdL6wpCTdzLIEKXke1+eMlPLMG2gPuoh+W3eO3nFGb/s2\n",
"iv": "/qI8F9cvnfKG7ZXE\n",
"auth_tag": "z1+MPdkO/+SCaag2ULelPg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_key": {
"encrypted_data": "YMZqKtOXDPAME8IWWC+lO8TsxHMzawlbTju9z/Hcb5DnQAOy82QufTN90m73\n/xikUboAdKcA5YGn0mkm+Rt/ygVR6DFirYV3kwi2M3qyGVJifug=\n",
"iv": "9AwabheRFOgC8IKR\n",
"auth_tag": "iU2kkA1q8OsblN5jaZrWGQ==\n",
"encrypted_data": "RMnB9kZ+slbQXfpo0udYld6S1QqBxqM1YbszdLfSAdKK9I0J3Kmvh/CQ5Fbx\nyov6LClmsl1rjtH16r7cY32M4Woq+6miERdtecyDrrYkNHz0xkA=\n",
"iv": "pO7bm3aOtjuwYjG/\n",
"auth_tag": "SRvn4z1+Vd5VAGgjG64s+Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

19
environments/production.json
View File

@@ -14,7 +14,8 @@
"public_key": "024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946"
},
"nostr": {
"public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
"public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
"relay_url": "wss://nostr.kosmos.org"
}
},
"discourse": {
@@ -101,6 +102,22 @@
},
"sentry": {
"allowed_ips": "10.1.1.0/24"
},
"strfry": {
"domain": "nostr.kosmos.org",
"real_ip_header": "x-real-ip",
"policy_path": "/opt/strfry/strfry-policy.ts",
"whitelist_pubkeys": [
"b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
"b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf"
],
"info": {
"name": "Kosmos Relay",
"description": "Members-only nostr relay for kosmos.org users",
"pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
"contact": "ops@kosmos.org",
"icon": "https://assets.kosmos.org/img/app-icon-256px.png"
}
}
}
}

66
nodes/akaunting-1.json Normal file
View File

@@ -0,0 +1,66 @@
{
"name": "akaunting-1",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.215"
}
},
"automatic": {
"fqdn": "akaunting-1",
"os": "linux",
"os_version": "5.15.0-1069-kvm",
"hostname": "akaunting-1",
"ipaddress": "192.168.122.162",
"roles": [
"base",
"kvm_guest",
"akaunting",
"postgresql_client"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::hostsfile",
"kosmos_akaunting",
"kosmos_akaunting::default",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"kosmos-nodejs::default",
"nodejs::nodejs_from_package",
"nodejs::repo"
],
"platform": "ubuntu",
"platform_version": "22.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[akaunting]"
]
}

4
nodes/bitcoin-2.json
View File

@@ -16,7 +16,6 @@
"kvm_guest",
"sentry_client",
"bitcoind",
"cln",
"lnd",
"lndhub",
"postgresql_client",
@@ -30,10 +29,8 @@
"tor-full",
"tor-full::default",
"kosmos-bitcoin::bitcoind",
"kosmos-bitcoin::c-lightning",
"kosmos-bitcoin::lnd",
"kosmos-bitcoin::lnd-scb-s3",
"kosmos-bitcoin::boltz",
"kosmos-bitcoin::rtl",
"kosmos-bitcoin::peerswap-lnd",
"kosmos_postgresql::hostsfile",
@@ -103,7 +100,6 @@
"role[sentry_client]",
"recipe[tor-full]",
"role[bitcoind]",
"role[cln]",
"role[lnd]",
"role[lndhub]",
"role[btcpay]"

2
nodes/draco.kosmos.org.json
View File

@@ -54,8 +54,10 @@
"kosmos_liquor-cabinet::nginx",
"kosmos_rsk::nginx_testnet",
"kosmos_rsk::nginx_mainnet",
"kosmos_strfry::nginx",
"kosmos_website",
"kosmos_website::default",
"kosmos_website::redirects",
"kosmos-akkounts::nginx",
"kosmos-akkounts::nginx_api",
"kosmos-bitcoin::nginx_lndhub",

2
nodes/fornax.kosmos.org.json
View File

@@ -48,8 +48,10 @@
"kosmos_liquor-cabinet::nginx",
"kosmos_rsk::nginx_testnet",
"kosmos_rsk::nginx_mainnet",
"kosmos_strfry::nginx",
"kosmos_website",
"kosmos_website::default",
"kosmos_website::redirects",
"kosmos-akkounts::nginx",
"kosmos-akkounts::nginx_api",
"kosmos-bitcoin::nginx_lndhub",

28
nodes/garage-4.json → nodes/garage-10.json
View File

@@ -1,17 +1,17 @@
{
"name": "garage-4",
"name": "garage-10",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.104"
"host": "10.1.1.27"
}
},
"automatic": {
"fqdn": "garage-4",
"fqdn": "garage-10",
"os": "linux",
"os_version": "5.4.0-132-generic",
"hostname": "garage-4",
"ipaddress": "192.168.122.123",
"os_version": "5.4.0-1090-kvm",
"hostname": "garage-10",
"ipaddress": "192.168.122.70",
"roles": [
"base",
"kvm_guest",
@@ -23,7 +23,8 @@
"kosmos_kvm::guest",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall",
"kosmos_garage::firewall_rpc",
"kosmos_garage::firewall_apis",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -38,21 +39,20 @@
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default",
"chef-sugar::default"
"firewall::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "17.10.3",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "17.9.0",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
@@ -61,4 +61,4 @@
"role[kvm_guest]",
"role[garage_node]"
]
}
}

20
nodes/garage-5.json → nodes/garage-11.json
View File

@@ -1,17 +1,17 @@
{
"name": "garage-5",
"name": "garage-11",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.33"
"host": "10.1.1.165"
}
},
"automatic": {
"fqdn": "garage-5",
"fqdn": "garage-11",
"os": "linux",
"os_version": "5.15.0-84-generic",
"hostname": "garage-5",
"ipaddress": "192.168.122.55",
"os_version": "5.15.0-1059-kvm",
"hostname": "garage-11",
"ipaddress": "192.168.122.9",
"roles": [
"base",
"kvm_guest",
@@ -46,13 +46,13 @@
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.3.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},

18
nodes/garage-6.json → nodes/garage-9.json
View File

@@ -1,17 +1,17 @@
{
"name": "garage-6",
"name": "garage-9",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.161"
"host": "10.1.1.223"
}
},
"automatic": {
"fqdn": "garage-6",
"fqdn": "garage-9",
"os": "linux",
"os_version": "5.4.0-1090-kvm",
"hostname": "garage-6",
"ipaddress": "192.168.122.213",
"hostname": "garage-9",
"ipaddress": "192.168.122.21",
"roles": [
"base",
"kvm_guest",
@@ -46,13 +46,13 @@
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.3.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},

5
nodes/gitea-2.json
View File

@@ -32,6 +32,7 @@
"kosmos_postgresql::hostsfile",
"kosmos_gitea",
"kosmos_gitea::default",
"kosmos_gitea::backup",
"kosmos_gitea::act_runner",
"apt::default",
"timezone_iii::default",
@@ -47,7 +48,9 @@
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default"
"firewall::default",
"backup::default",
"logrotate::default"
],
"platform": "ubuntu",
"platform_version": "20.04",

2
nodes/her.json
View File

@@ -9,7 +9,7 @@
"automatic": {
"fqdn": "her",
"os": "linux",
"os_version": "5.15.0-84-generic",
"os_version": "5.15.0-101-generic",
"hostname": "her",
"ipaddress": "192.168.30.172",
"roles": [

2
nodes/mail.kosmos.org.json
View File

@@ -10,7 +10,7 @@
"fqdn": "mail.kosmos.org",
"os": "linux",
"os_version": "5.15.0-1048-kvm",
"hostname": "mail",
"hostname": "mail.kosmos.org",
"ipaddress": "192.168.122.131",
"roles": [
"base",

2
nodes/mastodon-3.json
View File

@@ -63,8 +63,6 @@
"redisio::disable_os_default",
"redisio::configure",
"redisio::enable",
"nodejs::npm",
"nodejs::install",
"backup::default",
"logrotate::default"
],

13
nodes/postgres-6.json
View File

@@ -13,12 +13,21 @@
"ipaddress": "192.168.122.60",
"roles": [
"base",
"kvm_guest"
"kvm_guest",
"postgresql_primary"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::primary",
"kosmos_postgresql::firewall",
"kosmos_akaunting::pg_db",
"kosmos-bitcoin::lndhub-go_pg_db",
"kosmos-bitcoin::nbxplorer_pg_db",
"kosmos_drone::pg_db",
"kosmos_gitea::pg_db",
"kosmos-mastodon::pg_db",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -52,6 +61,6 @@
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[postgresql_replica]"
"role[postgresql_primary]"
]
}

33
nodes/postgres-5.json → nodes/postgres-7.json
View File

@@ -1,32 +1,29 @@
{
"name": "postgres-5",
"name": "postgres-7",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.54"
"host": "10.1.1.134"
}
},
"automatic": {
"fqdn": "postgres-5",
"fqdn": "postgres-7",
"os": "linux",
"os_version": "5.4.0-153-generic",
"hostname": "postgres-5",
"ipaddress": "192.168.122.211",
"os_version": "5.4.0-1123-kvm",
"hostname": "postgres-7",
"ipaddress": "192.168.122.89",
"roles": [
"base",
"kvm_guest",
"postgresql_primary"
"postgresql_replica"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::primary",
"kosmos_postgresql::hostsfile",
"kosmos_postgresql::replica",
"kosmos_postgresql::firewall",
"kosmos-bitcoin::lndhub-go_pg_db",
"kosmos-bitcoin::nbxplorer_pg_db",
"kosmos_drone::pg_db",
"kosmos_gitea::pg_db",
"kosmos-mastodon::pg_db",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -47,19 +44,19 @@
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.2.7",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[postgresql_primary]"
"role[postgresql_replica]"
]
}

62
nodes/postgres-8.json Normal file
View File

@@ -0,0 +1,62 @@
{
"name": "postgres-8",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.99"
}
},
"automatic": {
"fqdn": "postgres-8",
"os": "linux",
"os_version": "5.15.0-1059-kvm",
"hostname": "postgres-8",
"ipaddress": "192.168.122.100",
"roles": [
"base",
"kvm_guest",
"postgresql_replica"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::hostsfile",
"kosmos_postgresql::replica",
"kosmos_postgresql::firewall",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default"
],
"platform": "ubuntu",
"platform_version": "22.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[postgresql_replica]"
]
}

66
nodes/strfry-1.json Normal file
View File

@@ -0,0 +1,66 @@
{
"name": "strfry-1",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.164"
}
},
"automatic": {
"fqdn": "strfry-1",
"os": "linux",
"os_version": "5.15.0-1060-kvm",
"hostname": "strfry-1",
"ipaddress": "192.168.122.54",
"roles": [
"base",
"kvm_guest",
"strfry",
"ldap_client"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos-dirsrv::hostsfile",
"strfry",
"strfry::default",
"kosmos_strfry::policies",
"kosmos_strfry::firewall",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"deno::default"
],
"platform": "ubuntu",
"platform_version": "22.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.4.12",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[strfry]"
]
}

10
nodes/wiki-1.json
View File

@@ -8,16 +8,19 @@
"automatic": {
"fqdn": "wiki-1",
"os": "linux",
"os_version": "5.4.0-91-generic",
"os_version": "5.4.0-167-generic",
"hostname": "wiki-1",
"ipaddress": "192.168.122.26",
"roles": [
"kvm_guest"
"base",
"kvm_guest",
"ldap_client"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos-dirsrv::hostsfile",
"kosmos-mediawiki",
"kosmos-mediawiki::default",
"apt::default",
@@ -41,7 +44,6 @@
"php::package",
"php::ini",
"composer::global_configs",
"kosmos-dirsrv::hostsfile",
"mediawiki::default",
"mediawiki::database",
"kosmos-nginx::default",
@@ -79,4 +81,4 @@
"role[ldap_client]",
"recipe[kosmos-mediawiki]"
]
}
}

6
roles/akaunting.rb Normal file
View File

@@ -0,0 +1,6 @@
name "akaunting"
run_list %w[
role[postgresql_client]
kosmos_akaunting::default
]

1
roles/gitea.rb
View File

@@ -3,4 +3,5 @@ name "gitea"
run_list %w(
role[postgresql_client]
kosmos_gitea::default
kosmos_gitea::backup
)

1
roles/lnd.rb
View File

@@ -3,7 +3,6 @@ name "lnd"
run_list %w(
kosmos-bitcoin::lnd
kosmos-bitcoin::lnd-scb-s3
kosmos-bitcoin::boltz
kosmos-bitcoin::rtl
kosmos-bitcoin::peerswap-lnd
)

2
roles/openresty_proxy.rb
View File

@@ -28,7 +28,9 @@ production_run_list = %w(
kosmos_liquor-cabinet::nginx
kosmos_rsk::nginx_testnet
kosmos_rsk::nginx_mainnet
kosmos_strfry::nginx
kosmos_website::default
kosmos_website::redirects
kosmos-akkounts::nginx
kosmos-akkounts::nginx_api
kosmos-bitcoin::nginx_lndhub

1
roles/postgresql_primary.rb
View File

@@ -3,6 +3,7 @@ name "postgresql_primary"
run_list %w(
kosmos_postgresql::primary
kosmos_postgresql::firewall
kosmos_akaunting::pg_db
kosmos-bitcoin::lndhub-go_pg_db
kosmos-bitcoin::nbxplorer_pg_db
kosmos_drone::pg_db

8
roles/strfry.rb Normal file
View File

@@ -0,0 +1,8 @@
name "strfry"
run_list %w(
role[ldap_client]
strfry::default
kosmos_strfry::policies
kosmos_strfry::firewall
)

4
site-cookbooks/backup/attributes/default.rb
View File

@@ -42,5 +42,5 @@ default['backup']['orbit']['keep'] = 10
default['backup']['cron']['hour'] = "05"
default['backup']['cron']['minute'] = "7"
default['backup']['s3']['keep'] = 15
default['backup']['s3']['bucket'] = "kosmos-dev-backups"
default['backup']['s3']['keep'] = 10
default['backup']['s3']['bucket'] = "kosmos-backups"

1
site-cookbooks/backup/recipes/default.rb
View File

@@ -28,6 +28,7 @@ template "#{backup_dir}/config.rb" do
sensitive true
variables s3_access_key_id: backup_data["s3_access_key_id"],
s3_secret_access_key: backup_data["s3_secret_access_key"],
s3_endpoint: backup_data["s3_endpoint"],
s3_region: backup_data["s3_region"],
encryption_password: backup_data["encryption_password"],
mail_from: "backups@kosmos.org",

5
site-cookbooks/backup/templates/default/config.rb.erb
View File

@@ -23,6 +23,10 @@ Storage::S3.defaults do |s3|
s3.secret_access_key = "<%= @s3_secret_access_key %>"
s3.region = "<%= @s3_region %>"
s3.bucket = "<%= node['backup']['s3']['bucket'] %>"
s3.fog_options = {
endpoint: "<%= @s3_endpoint %>",
aws_signature_version: 2
}
end
Encryptor::OpenSSL.defaults do |encryption|
@@ -88,7 +92,6 @@ end
preconfigure 'KosmosBackup' do
split_into_chunks_of 250 # megabytes
store_with S3
compress_with Bzip2
encrypt_with OpenSSL
notify_by Mail do |mail|

1
site-cookbooks/deno Submodule

Submodule site-cookbooks/deno added at 617f7959ab

1
site-cookbooks/kosmos-akkounts/attributes/default.rb
View File

@@ -22,6 +22,7 @@ node.default['akkounts']['lndhub']['public_key'] = nil
node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
node.default['akkounts']['nostr']['public_key'] = nil
node.default['akkounts']['nostr']['relay_url'] = nil
node.default['akkounts']['s3_enabled'] = true
node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org"

1
site-cookbooks/kosmos-akkounts/recipes/default.rb
View File

@@ -163,6 +163,7 @@ env[:mediawiki_public_url] = node['mediawiki']['url']
env[:nostr_private_key] = credentials['nostr_private_key']
env[:nostr_public_key] = node['akkounts']['nostr']['public_key']
env[:nostr_relay_url] = node['akkounts']['nostr']['relay_url']
#
# remoteStorage / Liquor Cabinet

7
site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
View File

@@ -14,6 +14,10 @@ server {
listen [::]:443 ssl http2;
server_name <%= @domain %>;
if ($host != $server_name) {
return 301 $scheme://$server_name$request_uri;
}
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
@@ -39,6 +43,9 @@ server {
location @proxy {
proxy_set_header Host $http_host;
set $x_forwarded_host $http_x_forwarded_host;
if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
proxy_set_header X-Forwarded-Host $x_forwarded_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;

1
site-cookbooks/kosmos-base/resources/tls_cert_for.rb
View File

@@ -56,7 +56,6 @@ action :create do
command <<-CMD
certbot certonly --manual -n \
--preferred-challenges dns \
--manual-public-ip-logging-ok \
--agree-tos \
--manual-auth-hook '#{hook_auth_command}' \
--manual-cleanup-hook '#{hook_cleanup_command}' \

30
site-cookbooks/kosmos-bitcoin/attributes/default.rb
View File

@@ -1,5 +1,5 @@
node.default['bitcoin']['version'] = '26.0'
node.default['bitcoin']['checksum'] = 'ab1d99276e28db62d1d9f3901e85ac358d7f1ebcb942d348a9c4e46f0fcdc0a1'
node.default['bitcoin']['version'] = '28.0'
node.default['bitcoin']['checksum'] = '700ae2d1e204602eb07f2779a6e6669893bc96c0dca290593f80ff8e102ff37f'
node.default['bitcoin']['username'] = 'satoshi'
node.default['bitcoin']['usergroup'] = 'bitcoin'
node.default['bitcoin']['network'] = 'mainnet'
@@ -24,7 +24,8 @@ node.default['bitcoin']['conf'] = {
rpcbind: "127.0.0.1:8332",
gen: 0,
zmqpubrawblock: 'tcp://127.0.0.1:8337',
zmqpubrawtx: 'tcp://127.0.0.1:8338'
zmqpubrawtx: 'tcp://127.0.0.1:8338',
deprecatedrpc: 'warnings' # TODO remove when upgrading to LND 0.18.4
}
# Also enables Tor for LND
@@ -40,7 +41,7 @@ node.default['c-lightning']['log_level'] = 'info'
node.default['c-lightning']['public_ip'] = '148.251.237.73'
node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
node.default['lnd']['revision'] = 'v0.17.3-beta'
node.default['lnd']['revision'] = 'v0.18.3-beta'
node.default['lnd']['source_dir'] = '/opt/lnd'
node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -58,24 +59,13 @@ node.default['lnd']['tor'] = {
'skip-proxy-for-clearnet-targets' => 'true'
}
node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
node.default['boltz']['revision'] = 'v1.2.7'
node.default['boltz']['source_dir'] = '/opt/boltz'
node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
node.default['boltz']['grpc_host'] = '127.0.0.1'
node.default['boltz']['grpc_port'] = '9002'
node.default['boltz']['rest_disabled'] = 'false'
node.default['boltz']['rest_host'] = '127.0.0.1'
node.default['boltz']['rest_port'] = '9003'
node.default['boltz']['no_macaroons'] = 'false'
node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
node.default['rtl']['revision'] = 'v0.15.0'
node.default['rtl']['revision'] = 'v0.15.2'
node.default['rtl']['host'] = '10.1.1.163'
node.default['rtl']['port'] = '3000'
node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
node.default['lndhub-go']['revision'] = '0.14.0'
node.default['lndhub-go']['revision'] = '1.0.2'
node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
node.default['lndhub-go']['port'] = 3026
node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
@@ -83,8 +73,10 @@ node.default['lndhub-go']['postgres']['database'] = 'lndhub'
node.default['lndhub-go']['postgres']['user'] = 'lndhub'
node.default['lndhub-go']['postgres']['port'] = 5432
node.default['lndhub-go']['default_rate_limit'] = 20
node.default['lndhub-go']['strict_rate_limit'] = 1
node.default['lndhub-go']['burst_rate_limit'] = 10
node.default['lndhub-go']['strict_rate_limit'] = 1
node.default['lndhub-go']['burst_rate_limit'] = 10
node.default['lndhub-go']['service_fee'] = 1
node.default['lndhub-go']['no_service_fee_up_to_amount'] = 1000
node.default['lndhub-go']['branding'] = {
'title' => 'LndHub - Kosmos Lightning',
'desc' => 'Kosmos accounts for the Lightning Network',

1
site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb
View File

@@ -11,6 +11,7 @@ credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
file "/root/.aws/config" do
mode "600"
sensitive true
content lazy { <<-EOF
[default]
region = #{credentials["s3_region"]}

16
site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
View File

@@ -12,8 +12,15 @@ if node["bitcoin"]["blocksdir_mount_type"]
include_recipe "kosmos-bitcoin::blocksdir-mount"
end
%w{ libtool autotools-dev make automake cmake curl g++-multilib libtool
binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
apt_repository "ubuntu-toolchain-r" do
# provides g++-13, needed for better c++-20 support
uri "ppa:ubuntu-toolchain-r/test"
end
%w{
gcc-13 g++-13 libtool autotools-dev make automake cmake curl bison
binutils-gold pkg-config python3 patch
}.each do |pkg|
apt_package pkg
end
@@ -26,20 +33,21 @@ end
execute "compile_bitcoin-core_dependencies" do
cwd "/usr/local/bitcoind/depends"
command "make NO_QT=1"
environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
command "make -j 2"
action :nothing
notifies :run, 'bash[compile_bitcoin-core]', :immediately
end
bash "compile_bitcoin-core" do
cwd "/usr/local/bitcoind"
environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
code <<-EOH
./autogen.sh
./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
make
EOH
action :nothing
notifies :restart, "systemd_unit[bitcoind.service]", :delayed
end
link "/usr/local/bin/bitcoind" do

87
site-cookbooks/kosmos-bitcoin/recipes/boltz.rb
View File

@@ -1,87 +0,0 @@
#
# Cookbook:: kosmos-bitcoin
# Recipe:: boltz
#
include_recipe "git"
include_recipe "kosmos-bitcoin::golang"
git node['boltz']['source_dir'] do
repository node['boltz']['repo']
revision node['boltz']['revision']
action :sync
notifies :run, 'bash[compile_and_install_boltz]', :immediately
end
bash "compile_and_install_boltz" do
cwd node['boltz']['source_dir']
code <<-EOH
go mod vendor && \
make build && \
make install
EOH
action :nothing
notifies :restart, "systemd_unit[boltzd.service]", :delayed
end
bitcoin_user = node['bitcoin']['username']
bitcoin_group = node['bitcoin']['usergroup']
boltz_dir = node['boltz']['boltz_dir']
lnd_dir = node['lnd']['lnd_dir']
directory boltz_dir do
owner bitcoin_user
group bitcoin_group
mode '0750'
action :create
end
template "#{boltz_dir}/boltz.toml" do
source "boltz.toml.erb"
owner bitcoin_user
group bitcoin_group
mode '0640'
variables lnd_grpc_host: '127.0.0.1',
lnd_grpc_port: '10009',
lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
lnd_tlscert_path: "#{lnd_dir}/tls.cert",
boltz_config: node['boltz']
notifies :restart, "systemd_unit[boltzd.service]", :delayed
end
systemd_unit 'boltzd.service' do
content({
Unit: {
Description: 'Boltz Daemon',
Documentation: ['https://lnd.docs.boltz.exchange'],
Requires: 'lnd.service',
After: 'lnd.service'
},
Service: {
User: bitcoin_user,
Group: bitcoin_group,
Type: 'simple',
ExecStart: "/opt/boltz/boltzd",
Restart: 'always',
RestartSec: '30',
TimeoutSec: '240',
LimitNOFILE: '128000',
PrivateTmp: true,
ProtectSystem: 'full',
NoNewPrivileges: true,
PrivateDevices: true,
MemoryDenyWriteExecute: true
},
Install: {
WantedBy: 'multi-user.target'
}
})
verify false
triggers_reload true
action [:create, :enable, :start]
end
unless node.chef_environment == 'development'
node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
include_recipe 'backup'
end

2
site-cookbooks/kosmos-bitcoin/recipes/golang.rb
View File

@@ -5,7 +5,7 @@
# Internal recipe for managing the Go installation in one place
#
node.override['golang']['version'] = "1.20.3"
node.override['golang']['version'] = "1.23.1"
include_recipe "golang"
link '/usr/local/bin/go' do

2
site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb
View File

@@ -10,12 +10,14 @@ include_recipe "kosmos-bitcoin::aws-client"
package "inotify-tools"
backup_script_path = "/opt/lnd-channel-backup-s3.sh"
backup_credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
template backup_script_path do
source "lnd-channel-backup-s3.sh.erb"
mode '0740'
variables lnd_dir: node['lnd']['lnd_dir'],
bitcoin_network: node['bitcoin']['network'],
s3_endpoint: backup_credentials['s3_endpoint'],
s3_bucket: node['backup']['s3']['bucket'],
s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed

2
site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
View File

@@ -66,6 +66,8 @@ template "#{source_dir}/.env" do
default_rate_limit: node['lndhub-go']['default_rate_limit'],
strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
service_fee: 1,
no_service_fee_up_to_amount: 1000,
branding: node['lndhub-go']['branding'],
webhook_url: node['lndhub-go']['webhook_url'],
sentry_dsn: credentials['sentry_dsn']

12
site-cookbooks/kosmos-bitcoin/recipes/rtl.rb
View File

@@ -46,24 +46,22 @@ rtl_config = {
multiPassHashed: credentials["multiPassHashed"]
}
if node['boltz']
# TODO adapt for multi-node usage
rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
end
git rtl_dir do
user bitcoin_user
group bitcoin_group
repository node['rtl']['repo']
revision node['rtl']['revision']
notifies :run, "execute[npm_install]", :immediately
notifies :restart, "systemd_unit[#{app_name}.service]", :delayed
end
execute "npm install" do
execute "npm_install" do
cwd rtl_dir
environment "HOME" => rtl_dir
user bitcoin_user
# TODO remove --force when upstream dependency issues have been resolved
command "npm install --force"
action :nothing
end
file "#{rtl_dir}/RTL-Config.json" do

32
site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb
View File

@@ -1,32 +0,0 @@
[LND]
# Host of the gRPC interface of LND
host = "<%= @lnd_grpc_host %>"
# Port of the gRPC interface of LND
port = <%= @lnd_grpc_port %>
# Path to a macaroon file of LND
# The daemon needs to have permission to read various endpoints, generate addresses and pay invoices
macaroon = "<%= @lnd_macaroon_path %>"
# Path to the TLS certificate of LND
certificate = "<%= @lnd_tlscert_path %>"
[RPC]
# Host of the gRPC interface
host = "<%= @boltz_config['grpc_host'] %>"
# Port of the gRPC interface
port = <%= @boltz_config['grpc_port'] %>
# Whether the REST proxy for the gRPC interface should be disabled
restDisabled = <%= @boltz_config['rest_disabled'] %>
# Host of the REST proxy
restHost = "<%= @boltz_config['rest_host'] %>"
# Port of the REST proxy
restPort = <%= @boltz_config['rest_port'] %>
# Whether the macaroon authentication for the gRPC and REST interface should be disabled
noMacaroons = <%= @boltz_config['no_macaroons'] %>

2
site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb
View File

@@ -3,5 +3,5 @@ set -xe -o pipefail
while true; do
inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
aws --endpoint <%= @s3_endpoint %> s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
done

1
site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
View File

@@ -12,7 +12,6 @@ minchansize=<%= @lnd_minchansize %>
autopilot.active=0
[Bitcoin]
bitcoin.active=1
bitcoin.mainnet=1
bitcoin.node=bitcoind
bitcoin.basefee=<%= @lnd_basefee %>

12
site-cookbooks/kosmos-ejabberd/recipes/default.rb
View File

@@ -84,6 +84,12 @@ hosts = [
sql_database: "ejabberd",
ldap_enabled: true,
ldap_password: ejabberd_credentials['kosmos_ldap_password'],
certfiles: [
"/opt/ejabberd/conf/kosmos.org.crt",
"/opt/ejabberd/conf/kosmos.org.key",
"/opt/ejabberd/conf/kosmos.chat.crt",
"/opt/ejabberd/conf/kosmos.chat.key"
],
append_host_config: <<-EOF
modules:
mod_disco:
@@ -114,6 +120,10 @@ hosts = [
sql_database: "ejabberd_5apps",
ldap_enabled: true,
ldap_password: ejabberd_credentials['5apps_ldap_password'],
certfiles: [
"/opt/ejabberd/conf/5apps.com.crt",
"/opt/ejabberd/conf/5apps.com.key"
],
append_host_config: <<-EOF
modules:
mod_disco:
@@ -155,7 +165,7 @@ admin_users = ejabberd_credentials['admins']
hosts.each do |host|
ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
if host[:name] == "kosmos.org"
ldap_filter = "(&(objectClass=person)(serviceEnabled=xmpp))"
ldap_filter = "(&(objectClass=person)(serviceEnabled=ejabberd))"
else
ldap_filter = "(objectClass=person)"
end

15
site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
View File

@@ -15,7 +15,7 @@ set -e
# letsencrypt live folder
for domain in $RENEWED_DOMAINS; do
case $domain in
kosmos.org|5apps.com)
kosmos.org|kosmos.chat|5apps.com)
cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key
cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
@@ -42,17 +42,24 @@ end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for kosmos xmpp" do
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n"
execute "letsencrypt cert for kosmos.org domains" do
command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d uploads.xmpp.kosmos.org -n"
not_if do
File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
end
end
execute "letsencrypt cert for kosmos.chat" do
command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.chat -n"
not_if do
File.exist?("/etc/letsencrypt/live/kosmos.chat/fullchain.pem")
end
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for 5apps xmpp" do
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.chat\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.chat\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
not_if do
File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
end

2
site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
View File

@@ -216,7 +216,7 @@ modules:
access_createnode: pubsub_createnode
ignore_pep_from_offline: false
last_item_cache: false
max_items_node: 10
max_items_node: 10000
plugins:
- "flat"
- "pep" # pep requires mod_caps

5
site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
View File

@@ -1,7 +1,8 @@
# Generated by Chef for <%= @host[:name] %>
certfiles:
- "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
- "/opt/ejabberd/conf/<%= @host[:name] %>.key"
<% @host[:certfiles].each do |certfile| %>
- <%= certfile %>
<% end %>
host_config:
"<%= @host[:name] %>":
sql_type: pgsql

1
site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb
View File

@@ -4,6 +4,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
tls_cert_for domain do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org"
action :create
end

1
site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb
View File

@@ -5,6 +5,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
tls_cert_for domain do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org"
action :create
end

8
site-cookbooks/kosmos-mastodon/attributes/default.rb
View File

@@ -1,5 +1,5 @@
node.default["kosmos-mastodon"]["repo"] = "https://gitea.kosmos.org/kosmos/mastodon.git"
node.default["kosmos-mastodon"]["revision"] = "production"
node.default["kosmos-mastodon"]["revision"] = "production-4.3"
node.default["kosmos-mastodon"]["directory"] = "/opt/mastodon"
node.default["kosmos-mastodon"]["bind_ip"] = "127.0.0.1"
node.default["kosmos-mastodon"]["app_port"] = 3000
@@ -10,7 +10,7 @@ node.default["kosmos-mastodon"]["redis_url"] = "redis://localhost:6379/0
node.default["kosmos-mastodon"]["sidekiq_threads"] = 25
node.default["kosmos-mastodon"]["allowed_private_addresses"] = "127.0.0.1"
node.default["kosmos-mastodon"]["onion_address"] = nil
node.default["kosmos-mastodon"]["onion_address"] = nil
# Allocate this amount of RAM to the Java heap for Elasticsearch
node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
@@ -20,6 +20,10 @@ node.default["kosmos-mastodon"]["s3_region"] = nil
node.default["kosmos-mastodon"]["s3_bucket"] = nil
node.default["kosmos-mastodon"]["s3_alias_host"] = nil
node.default["kosmos-mastodon"]["sso_account_sign_up_url"] = "https://kosmos.org"
node.default["kosmos-mastodon"]["sso_account_reset_password_url"] = "https://accounts.kosmos.org/users/password/new"
node.default["kosmos-mastodon"]["sso_account_resend_confirmation_url"] = "https://accounts.kosmos.org/users/confirmation/new"
node.default["kosmos-mastodon"]["default_locale"] = "en"
node.default["kosmos-mastodon"]["libre_translate_endpoint"] = nil

13
site-cookbooks/kosmos-mastodon/recipes/backup.rb
View File

@@ -6,13 +6,12 @@
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
unless node.chef_environment == "development"
unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
username: "mastodon",
password: postgresql_data_bag_item['mastodon_user_password']
}
end
node.override['backup']['s3']['keep'] = 1
node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
username: "mastodon",
password: postgresql_data_bag_item['mastodon_user_password']
}
include_recipe "backup"
end

17
site-cookbooks/kosmos-mastodon/recipes/default.rb
View File

@@ -3,7 +3,7 @@
# Recipe:: default
#
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_16.x"
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
include_recipe "kosmos-nodejs"
include_recipe "java"
@@ -71,11 +71,7 @@ package %w(build-essential imagemagick ffmpeg libxml2-dev libxslt1-dev file git
curl pkg-config libprotobuf-dev protobuf-compiler libidn11
libidn11-dev libjemalloc2 libpq-dev)
npm_package "yarn" do
version "1.22.4"
end
ruby_version = "3.3.0"
ruby_version = "3.3.5"
ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
bundle_path = "#{ruby_path}/bin/bundle"
@@ -190,9 +186,13 @@ template "#{mastodon_path}/.env.#{rails_env}" do
mode "0640"
owner mastodon_user
group mastodon_user
sensitive true
variables redis_url: node["kosmos-mastodon"]["redis_url"],
domain: node["kosmos-mastodon"]["domain"],
alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
active_record_encryption_deterministic_key: credentials["active_record_encryption_deterministic_key"],
active_record_encryption_key_derivation_salt: credentials["active_record_encryption_key_derivation_salt"],
active_record_encryption_primary_key: credentials["active_record_encryption_primary_key"],
paperclip_secret: credentials['paperclip_secret'],
secret_key_base: credentials['secret_key_base'],
otp_secret: credentials['otp_secret'],
@@ -210,6 +210,9 @@ template "#{mastodon_path}/.env.#{rails_env}" do
vapid_public_key: credentials['vapid_public_key'],
db_pass: postgresql_credentials['mastodon_user_password'],
db_host: "pg.kosmos.local",
sso_account_sign_up_url: node["kosmos-mastodon"]["sso_account_sign_up_url"],
sso_account_reset_password_url: node["kosmos-mastodon"]["sso_account_reset_password_url"],
sso_account_resend_confirmation_url: node["kosmos-mastodon"]["sso_account_resend_confirmation_url"],
default_locale: node["kosmos-mastodon"]["default_locale"],
allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],
libre_translate_endpoint: node["kosmos-mastodon"]["libre_translate_endpoint"]
@@ -227,7 +230,7 @@ execute "yarn install" do
environment deploy_env
user mastodon_user
cwd mastodon_path
command "yarn install --frozen-lockfile"
command "corepack prepare && yarn install --immutable"
end
execute "rake assets:precompile" do

4
site-cookbooks/kosmos-mastodon/recipes/nginx.rb
View File

@@ -28,7 +28,9 @@ template "#{node['openresty']['dir']}/snippets/mastodon.conf" do
owner 'www-data'
mode 0640
variables web_root_dir: web_root_dir,
server_name: server_name
server_name: server_name,
s3_private_url: "#{node["kosmos-mastodon"]["s3_endpoint"]}/#{node["kosmos-mastodon"]["s3_bucket"]}/",
s3_public_url: "https://#{node["kosmos-mastodon"]["s3_alias_host"]}/"
notifies :reload, 'service[openresty]', :delayed
end

6
site-cookbooks/kosmos-mastodon/templates/default/env.erb
View File

@@ -12,6 +12,9 @@ LOCAL_HTTPS=true
# Application secrets
# Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=<%= @active_record_encryption_deterministic_key %>
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=<%= @active_record_encryption_key_derivation_salt %>
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=<%= @active_record_encryption_primary_key %>
PAPERCLIP_SECRET=<%= @paperclip_secret %>
SECRET_KEY_BASE=<%= @secret_key_base %>
OTP_SECRET=<%= @otp_secret %>
@@ -44,6 +47,9 @@ LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
SSO_ACCOUNT_SIGN_UP=<%= @sso_account_sign_up_url %>
SSO_ACCOUNT_RESET_PASSWORD=<%= @sso_account_reset_password_url %>
SSO_ACCOUNT_RESEND_CONFIRMATION=<%= @sso_account_resend_confirmation_url %>
<% end %>
# Optional asset host for multi-server setups

4
site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb
View File

@@ -108,11 +108,13 @@ location @proxy {
proxy_pass http://mastodon_app;
proxy_buffering on;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# https://github.com/mastodon/mastodon/issues/24380
proxy_redirect <%= @s3_private_url %> <%= @s3_public_url %>;
tcp_nodelay on;
}

25
site-cookbooks/kosmos_akaunting/.gitignore vendored Normal file
View File

@@ -0,0 +1,25 @@
.vagrant
*~
*#
.#*
\#*#
.*.sw[a-z]
*.un~
# Bundler
Gemfile.lock
gems.locked
bin/*
.bundle/*
# test kitchen
.kitchen/
kitchen.local.yml
# Chef Infra
Berksfile.lock
.zero-knife.rb
Policyfile.lock.json
.idea/

16
site-cookbooks/kosmos_akaunting/Policyfile.rb Normal file
View File

@@ -0,0 +1,16 @@
# Policyfile.rb - Describe how you want Chef Infra Client to build your system.
#
# For more information on the Policyfile feature, visit
# https://docs.chef.io/policyfile/
# A name that describes what the system you're building with Chef does.
name 'kosmos_akaunting'
# Where to find external cookbooks:
default_source :supermarket
# run_list: chef-client will run these recipes in the order specified.
run_list 'kosmos_akaunting::default'
# Specify a custom source for a single cookbook:
cookbook 'kosmos_akaunting', path: '.'

4
site-cookbooks/kosmos_akaunting/README.md Normal file
View File

@@ -0,0 +1,4 @@
# kosmos_akaunting
TODO: Enter the cookbook description here.

5
site-cookbooks/kosmos_akaunting/attributes/default.rb Normal file
View File

@@ -0,0 +1,5 @@
node.default["akaunting"]["user"] = "deploy"
node.default["akaunting"]["group"] = "www-data"
node.default["akaunting"]["repo"] = "https://github.com/akaunting/akaunting.git"
node.default["akaunting"]["revision"] = "3.1.12"
node.default["akaunting"]["port"] = 80

115
site-cookbooks/kosmos_akaunting/chefignore Normal file
View File

@@ -0,0 +1,115 @@
# Put files/directories that should be ignored in this file when uploading
# to a Chef Infra Server or Supermarket.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
ehthumbs.db
Icon?
nohup.out
Thumbs.db
.envrc
# EDITORS #
###########
.#*
.project
.settings
*_flymake
*_flymake.*
*.bak
*.sw[a-z]
*.tmproj
*~
\#*
REVISION
TAGS*
tmtags
.vscode
.editorconfig
## COMPILED ##
##############
*.class
*.com
*.dll
*.exe
*.o
*.pyc
*.so
*/rdoc/
a.out
mkmf.log
# Testing #
###########
.circleci/*
.codeclimate.yml
.delivery/*
.foodcritic
.kitchen*
.mdlrc
.overcommit.yml
.rspec
.rubocop.yml
.travis.yml
.watchr
.yamllint
azure-pipelines.yml
Dangerfile
examples/*
features/*
Guardfile
kitchen.yml*
mlc_config.json
Procfile
Rakefile
spec/*
test/*
# SCM #
#######
.git
.gitattributes
.gitconfig
.github/*
.gitignore
.gitkeep
.gitmodules
.svn
*/.bzr/*
*/.git
*/.hg/*
*/.svn/*
# Berkshelf #
#############
Berksfile
Berksfile.lock
cookbooks/*
tmp
# Bundler #
###########
vendor/*
Gemfile
Gemfile.lock
# Policyfile #
##############
Policyfile.rb
Policyfile.lock.json
# Documentation #
#############
CODE_OF_CONDUCT*
CONTRIBUTING*
documentation/*
TESTING*
UPGRADING*
# Vagrant #
###########
.vagrant
Vagrantfile

31
site-cookbooks/kosmos_akaunting/kitchen.yml Normal file
View File

@@ -0,0 +1,31 @@
---
driver:
name: vagrant
## The forwarded_port port feature lets you connect to ports on the VM guest
## via localhost on the host.
## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
# network:
# - ["forwarded_port", {guest: 80, host: 8080}]
provisioner:
name: chef_zero
## product_name and product_version specifies a specific Chef product and version to install.
## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
# product_name: chef
# product_version: 17
verifier:
name: inspec
platforms:
- name: ubuntu-20.04
- name: centos-8
suites:
- name: default
verifier:
inspec_tests:
- test/integration/default

9
site-cookbooks/kosmos_akaunting/metadata.rb Normal file
View File

@@ -0,0 +1,9 @@
name 'kosmos_akaunting'
maintainer 'Kosmos Developers'
maintainer_email 'mail@kosmos.org'
license 'MIT'
description 'Installs/configures akaunting for Kosmos'
version '0.1.0'
chef_version '>= 18.0'
depends 'kosmos-nodejs'

148
site-cookbooks/kosmos_akaunting/recipes/default.rb Normal file
View File

@@ -0,0 +1,148 @@
#
# Cookbook:: kosmos_akaunting
# Recipe:: default
#
app_name = "akaunting"
deploy_user = node["akaunting"]["user"]
deploy_group = node["akaunting"]["group"]
deploy_path = "/opt/#{app_name}"
credentials = data_bag_item("credentials", "akaunting")
pg_host = search(:node, "role:postgresql_primary").first["knife_zero"]["host"] rescue "localhost"
env = {
app_name: "Akaunting",
app_env: "production",
app_locale: "en-US",
app_installed: "true",
app_key: credentials["app_key"],
app_debug: "true",
app_schedule_time: "\"09:00\"",
app_url: "http://akaunting.kosmos.org",
db_connection: "pgsql",
db_host: pg_host,
db_port: "5432",
db_database: credentials["pg_database"],
db_username: credentials["pg_username"],
db_password: credentials["pg_password"],
log_level: "debug"
# mail_mailer: "mail",
# mail_host: "localhost",
# mail_port: "2525",
# mail_username: "null",
# mail_password: "null",
# mail_encryption: "null",
# mail_from_name: "null",
# mail_from_address: "null",
}
%w[
unzip nginx php8.1 php8.1-cli php8.1-bcmath php8.1-ctype php8.1-curl
php8.1-dom php8.1-fileinfo php8.1-intl php8.1-fpm php8.1-gd php8.1-mbstring
php8.1-pdo php8.1-pgsql php8.1-tokenizer php8.1-xml php8.1-zip
].each do |pkg|
package pkg
end
# TODO install composer
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
include_recipe "kosmos-nodejs"
group deploy_group
user deploy_user do
group deploy_group
manage_home true
shell "/bin/bash"
end
directory deploy_path do
owner deploy_user
group deploy_group
mode "0775"
end
git deploy_path do
repository node[app_name]["repo"]
revision node[app_name]["revision"]
user deploy_user
group deploy_group
action :sync
notifies :run, "execute[composer_install]", :immediately
notifies :run, "execute[npm_install]", :immediately
notifies :restart, "service[php8.1-fpm]", :delayed
end
execute "composer_install" do
user deploy_user
cwd deploy_path
command "composer install"
action :nothing
end
execute "npm_install" do
user deploy_user
cwd deploy_path
command "npm install"
action :nothing
notifies :run, "execute[compile_assets]", :immediately
end
execute "compile_assets" do
user deploy_user
cwd deploy_path
command "npm run prod"
action :nothing
end
execute "set_storage_permissions" do
command "chown -R www-data:www-data #{deploy_path}/storage"
end
template "#{deploy_path}/.env" do
source 'env.erb'
owner deploy_user
group deploy_group
mode 0660
sensitive true
variables config: env
notifies :restart, "service[php8.1-fpm]", :delayed
end
template "/etc/nginx/sites-available/default" do
source 'nginx-local.conf.erb'
owner deploy_user
group deploy_group
mode 0660
variables deploy_path: deploy_path,
port: node["akaunting"]["port"]
notifies :restart, "service[nginx]", :delayed
end
# template "/etc/php/8.1/fpm/pool.d/akaunting.conf" do
# source 'php-fpm.pool.erb'
# owner deploy_user
# group deploy_group
# mode 0600
# variables user: deploy_user,
# group: deploy_group,
# chdir: deploy_path,
# port: node["akaunting"]["port"]
# notifies :restart, "service[php8.1-fpm]", :delayed
# end
service "php8.1-fpm" do
action [:enable, :start]
end
service "nginx" do
action [:enable, :start]
end
firewall_rule "akaunting_zerotier" do
command :allow
port node["akaunting"]["port"]
protocol :tcp
source "10.1.1.0/24"
end

16
site-cookbooks/kosmos_akaunting/recipes/pg_db.rb Normal file
View File

@@ -0,0 +1,16 @@
#
# Cookbook:: kosmos_akaunting
# Recipe:: pg_db
#
credentials = data_bag_item("credentials", "akaunting")
postgresql_user credentials["pg_username"] do
action :create
password credentials["pg_password"]
end
postgresql_database credentials["pg_database"] do
owner credentials["pg_username"]
action :create
end

11
site-cookbooks/kosmos_akaunting/templates/env.erb Normal file
View File

@@ -0,0 +1,11 @@
<% @config.each do |key, value| %>
<% if value.is_a?(Hash) %>
<% value.each do |k, v| %>
<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
<% end %>
<% else %>
<% if value %>
<%= key.upcase %>=<%= value.to_s %>
<% end %>
<% end %>
<% end %>

49
site-cookbooks/kosmos_akaunting/templates/nginx-local.conf.erb Normal file
View File

@@ -0,0 +1,49 @@
server {
listen 80 default_server;
server_name akaunting.kosmos.org;
root <%= @deploy_path %>;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
# Prevent Direct Access To Protected Files
location ~ \.(env|log) {
deny all;
}
# Prevent Direct Access To Protected Folders
location ~ ^/(^app$|bootstrap|config|database|overrides|resources|routes|storage|tests|artisan) {
deny all;
}
# Prevent Direct Access To modules/vendor Folders Except Assets
location ~ ^/(modules|vendor)\/(.*)\.((?!ico|gif|jpg|jpeg|png|js\b|css|less|sass|font|woff|woff2|eot|ttf|svg|xls|xlsx).)*$ {
deny all;
}
error_page 404 /index.php;
# Pass PHP Scripts To FastCGI Server
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock; # Depends On The PHP Version
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
}

18
site-cookbooks/kosmos_akaunting/templates/php-fpm.pool.erb Normal file
View File

@@ -0,0 +1,18 @@
[akaunting]
user = <%= @user %>
group = <%= @group %>
listen = 0.0.0.0:<%= @port %>
listen.owner = <%= @user %>
listen.group = <%= @group %>
listen.mode = 0660
pm = dynamic
pm.max_children = 10
pm.start_servers = 4
pm.min_spare_servers = 2
pm.max_spare_servers = 6
pm.max_requests = 500
chdir = <%= @chdir %>
catch_workers_output = yes
php_admin_flag[log_errors] = on

16
site-cookbooks/kosmos_akaunting/test/integration/default/default_test.rb Normal file
View File

@@ -0,0 +1,16 @@
# Chef InSpec test for recipe kosmos_akaunting::default
# The Chef InSpec reference, with examples and extensive documentation, can be
# found at https://docs.chef.io/inspec/resources/
unless os.windows?
# This is an example test, replace with your own test.
describe user('root'), :skip do
it { should exist }
end
end
# This is an example test, replace it with your own test.
describe port(80), :skip do
it { should_not be_listening }
end

4
site-cookbooks/kosmos_gitea/attributes/default.rb
View File

@@ -1,5 +1,5 @@
node.default["gitea"]["version"] = "1.22.0"
node.default["gitea"]["checksum"] = "a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d"
node.default["gitea"]["version"] = "1.22.5"
node.default["gitea"]["checksum"] = "ce2c7e4fff3c1e3ed59f5b5e00e3f2d301f012c34e329fccd564bc5129075460"
node.default["gitea"]["working_directory"] = "/var/lib/gitea"
node.default["gitea"]["port"] = 3000
node.default["gitea"]["postgresql_host"] = "localhost:5432"

1
site-cookbooks/kosmos_gitea/recipes/backup.rb
View File

@@ -8,5 +8,6 @@
unless node.chef_environment == "development"
# backup the data dir and the config files
node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
node.override['backup']['s3']['keep'] = 2
include_recipe "backup"
end

21
site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
View File

@@ -21,8 +21,13 @@ server {
location ~ ^/(avatars|repo-avatars)/.*$ {
proxy_buffers 1024 8k;
proxy_pass http://_gitea_web;
proxy_http_version 1.1;
expires 30d;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Docker registry
@@ -30,12 +35,22 @@ server {
client_max_body_size 0;
proxy_buffers 1024 8k;
proxy_pass http://_gitea_web;
proxy_http_version 1.1;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
proxy_buffers 1024 8k;
proxy_pass http://_gitea_web;
proxy_http_version 1.1;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

9
site-cookbooks/kosmos_kvm/attributes/default.rb
View File

@@ -1,9 +1,10 @@
ubuntu_server_cloud_image_release = "20230506"
release = "20240514"
img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm"
node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
"url" => "https://cloud-images.ubuntu.com/releases/focal/release-#{ubuntu_server_cloud_image_release}/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img",
"checksum" => "27d2b91fd2b715729d739e2a3155dce70d1aaae4f05c177f338b9d4b60be638c",
"path" => "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm-#{ubuntu_server_cloud_image_release}.qcow2"
"url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img",
"checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f",
"path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2"
}
# A systemd.timer OnCalendar config value

10
site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
View File

@@ -10,16 +10,6 @@ upstream _<%= @app_name %> {
# TODO use cookbook attribute when enabling
# variables_hash_max_size 2048;
server {
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
listen [::]:80;
server_name <%= @server_name %>;
# Redirect to https
location / {
return 301 https://<%= @server_name %>$request_uri;
}
}
server {
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;

20
site-cookbooks/kosmos_strfry/LICENSE Normal file
View File

@@ -0,0 +1,20 @@
Copyright (c) 2024 Kosmos Developers
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

4
site-cookbooks/kosmos_strfry/README.md Normal file
View File

@@ -0,0 +1,4 @@
kosmos_strfry
=============
Installs/configures a strfry relay and its reverse proxy config

2
site-cookbooks/kosmos_strfry/attributes/default.rb Normal file
View File

@@ -0,0 +1,2 @@
node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
node.default["strfry"]["extras_dir"] = "/opt/strfry"

10
site-cookbooks/kosmos_strfry/metadata.rb Normal file
View File

@@ -0,0 +1,10 @@
name 'kosmos_strfry'
maintainer 'Kosmos'
maintainer_email 'mail@kosmos.org'
license 'MIT'
description 'strfry wrapper cookbook'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.0'
depends 'kosmos_openresty'
depends 'deno'

13
site-cookbooks/kosmos_strfry/recipes/firewall.rb Normal file
View File

@@ -0,0 +1,13 @@
#
# Cookbook Name:: kosmos_strfry
# Recipe:: firewall
#
include_recipe "kosmos-base::firewall"
firewall_rule "strfry" do
port node["strfry"]["port"]
source "10.1.1.0/24"
protocol :tcp
command :allow
end

29
site-cookbooks/kosmos_strfry/recipes/nginx.rb Normal file
View File

@@ -0,0 +1,29 @@
#
# Cookbook Name:: kosmos_strfry
# Recipe:: nginx
#
domain = node["strfry"]["domain"]
upstream_hosts = []
search(:node, 'role:strfry').each do |node|
upstream_hosts << node['knife_zero']['host']
end
if upstream_hosts.empty?
Chef::Log.warn("No node found with 'strfry' role. Not configuring nginx site.")
return
end
tls_cert_for domain do
auth "gandi_dns"
action :create
end
openresty_site domain do
template "nginx_conf_strfry.erb"
variables domain: domain,
upstream_port: node['strfry']['port'],
upstream_hosts: upstream_hosts,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
end

83
site-cookbooks/kosmos_strfry/recipes/policies.rb Normal file
View File

@@ -0,0 +1,83 @@
#
# Cookbook Name:: kosmos_strfry
# Recipe:: policies
#
include_recipe "deno"
#
# config
#
ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
extras_dir = node["strfry"]["extras_dir"]
directory extras_dir do
owner node["strfry"]["user"]
group node["strfry"]["group"]
mode "0755"
end
env = {
ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
ldap_bind_dn: ldap_credentials["service_dn"],
ldap_password: ldap_credentials["service_password"],
ldap_search_dn: node["strfry"]["ldap_search_dn"],
whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
}
template "#{extras_dir}/.env" do
source 'env.erb'
owner node["strfry"]["user"]
group node["strfry"]["group"]
mode 0600
sensitive true
variables config: env
notifies :restart, "service[strfry]", :delayed
end
#
# strfry deno scripts
#
base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/live/extras/strfry"
remote_file "#{extras_dir}/deno.json" do
source "#{base_url}/deno.json"
owner node["strfry"]["user"]
group node["strfry"]["group"]
mode "0644"
notifies :restart, "service[strfry]", :delayed
end
remote_file "#{extras_dir}/deno.lock" do
source "#{base_url}/deno.lock"
owner node["strfry"]["user"]
group node["strfry"]["group"]
mode "0644"
notifies :restart, "service[strfry]", :delayed
end
remote_file "#{extras_dir}/strfry-policy.ts" do
source "#{base_url}/strfry-policy.ts"
owner node["strfry"]["user"]
group node["strfry"]["group"]
mode "0755"
notifies :restart, "service[strfry]", :delayed
end
remote_file "#{extras_dir}/ldap-policy.ts" do
source "#{base_url}/ldap-policy.ts"
owner node["strfry"]["user"]
group node["strfry"]["group"]
mode "0644"
notifies :restart, "service[strfry]", :delayed
end
remote_file "#{extras_dir}/strfry-sync.ts" do
source "#{base_url}/strfry-sync.ts"
owner node["strfry"]["user"]
group node["strfry"]["group"]
mode "0644"
end

11
site-cookbooks/kosmos_strfry/templates/env.erb Normal file
View File

@@ -0,0 +1,11 @@
<% @config.each do |key, value| %>
<% if value.is_a?(Hash) %>
<% value.each do |k, v| %>
<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
<% end %>
<% else %>
<% if value %>
<%= key.upcase %>=<%= value.to_s %>
<% end %>
<% end %>
<% end %>

26
site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb Normal file
View File

@@ -0,0 +1,26 @@
upstream _strfry {
<% @upstream_hosts.each do |host| %>
server <%= host %>:<%= @upstream_port || "7777" %>;
<% end %>
}
server {
server_name <%= @domain %>;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
access_log "/var/log/nginx/<%= @domain %>.access.log";
error_log "/var/log/nginx/<%= @domain %>.error.log";
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://_strfry;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

Some files were not shown because too many files have changed in this diff Show More