Set vcard with avatar for kosmos.org itself

data_bags/credentials/backup.json

@@ -1,38 +1,27 @@
 {
   "id": "backup",
   "s3_access_key_id": {
-    "encrypted_data": "245TrPvuoBRRTimhbt6qqsFb+JnnD377sPt1pguJy7Q2BXOy/jrX0wyMt+cP\nuA==\n",
-    "iv": "ylmRxSRO3AA4MSJN\n",
-    "auth_tag": "45tBcYZowPLrbv4Zu2P0Fw==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
+    "encrypted_data": "emGNH4v7TTEh05Go/DsI3k7CFnaK4p/4JxodC4BYpyWw47/Z3dsuRMu4vXM3\n3YLH\n",
+    "iv": "Dau+ekb3UTYdl8w3fQKVcA==\n",
+    "version": 1,
+    "cipher": "aes-256-cbc"
   },
   "s3_secret_access_key": {
-    "encrypted_data": "jDIOjlBzTkBUzpj243T6KnBuH0qwyW7BUFMcqllljFSzxs7K8wYJOUreNbOP\ny8OpDWAuO0H4O4LuFMJXeM8=\n",
-    "iv": "PzvZr37EkJqz6JtM\n",
-    "auth_tag": "e3XW8oHVgmYibv/IBzj0yA==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "s3_endpoint": {
-    "encrypted_data": "ErJIEChxrreW7WKEwRtuP2MyYlsZRtqLdGa/x5QY58qgO036FgR3Hs2Z3yce\n",
-    "iv": "HOSAOgUjO7XGwk50\n",
-    "auth_tag": "XE1bwMIXHHE72V9K2KOLnw==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
+    "encrypted_data": "Mxyly86JxrWUbubbSiqPdRosChzfI1Q8eBEG4n+2B9JJG4yExltO5Wc5kgSs\nX01MPXAc+PGLm+J9MngUtypo/g==\n",
+    "iv": "WRhBJGiuScYYsUsoT5j/UA==\n",
+    "version": 1,
+    "cipher": "aes-256-cbc"
   },
   "s3_region": {
-    "encrypted_data": "8cNSaYu7HH95ftG66lFdUIPZD7soz907CPA=\n",
-    "iv": "pU21ulF75y/SIs3x\n",
-    "auth_tag": "7WQQCbSbB2GybjY+C+5IvQ==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
+    "encrypted_data": "2ZGxu0tVzKNfx3K1Wleg0SAwGaPkHCi/XfKpJ+J7q40=\n",
+    "iv": "CNTZW2SEIgfw+IyzGI3TzQ==\n",
+    "version": 1,
+    "cipher": "aes-256-cbc"
   },
   "encryption_password": {
-    "encrypted_data": "l23CiIO2s1fIRn0NdoWZ+wK+Zhx3hCYDHf4ypjqMRekZ7xqafvXHHuogD5aj\npxYUKloH\n",
-    "iv": "Dzx83eP9L7Jqqidh\n",
-    "auth_tag": "UVn5XA5Tgsikc1GdOt1MUQ==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
+    "encrypted_data": "tsBWKBwhQFfEAM0EWMPtljSbqU1c5mOJXPjYJjNT5RUFhPlqa7gsE8aJbs+D\nSPKjAQ62j+iHeqCk9mE9CCkgBA==\n",
+    "iv": "uq5YAXuq2ynRLv9EIWoCFA==\n",
+    "version": 1,
+    "cipher": "aes-256-cbc"
   }
 }

environments/production.json

@@ -108,15 +108,13 @@
       "real_ip_header": "x-real-ip",
       "policy_path": "/opt/strfry/strfry-policy.ts",
       "whitelist_pubkeys": [
-        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
-        "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf"
+        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
       ],
       "info": {
         "name": "Kosmos Relay",
         "description": "Members-only nostr relay for kosmos.org users",
-        "pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
-        "contact": "ops@kosmos.org",
-        "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
+        "pubkey": "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb",
+        "contact": "ops@kosmos.org"
       }
     }
   }

nodes/bitcoin-2.json

@@ -16,6 +16,7 @@
       "kvm_guest",
       "sentry_client",
       "bitcoind",
+      "cln",
       "lnd",
       "lndhub",
       "postgresql_client",
@@ -29,8 +30,10 @@
       "tor-full",
       "tor-full::default",
       "kosmos-bitcoin::bitcoind",
+      "kosmos-bitcoin::c-lightning",
       "kosmos-bitcoin::lnd",
       "kosmos-bitcoin::lnd-scb-s3",
+      "kosmos-bitcoin::boltz",
       "kosmos-bitcoin::rtl",
       "kosmos-bitcoin::peerswap-lnd",
       "kosmos_postgresql::hostsfile",
@@ -100,6 +103,7 @@
     "role[sentry_client]",
     "recipe[tor-full]",
     "role[bitcoind]",
+    "role[cln]",
     "role[lnd]",
     "role[lndhub]",
     "role[btcpay]"

nodes/mail.kosmos.org.json

@@ -10,7 +10,7 @@
     "fqdn": "mail.kosmos.org",
     "os": "linux",
     "os_version": "5.15.0-1048-kvm",
-    "hostname": "mail.kosmos.org",
+    "hostname": "mail",
     "ipaddress": "192.168.122.131",
     "roles": [
       "base",

nodes/wiki-1.json

@@ -8,19 +8,16 @@
   "automatic": {
     "fqdn": "wiki-1",
     "os": "linux",
-    "os_version": "5.4.0-167-generic",
+    "os_version": "5.4.0-91-generic",
     "hostname": "wiki-1",
     "ipaddress": "192.168.122.26",
     "roles": [
-      "base",
-      "kvm_guest",
-      "ldap_client"
+      "kvm_guest"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
-      "kosmos-dirsrv::hostsfile",
       "kosmos-mediawiki",
       "kosmos-mediawiki::default",
       "apt::default",
@@ -44,6 +41,7 @@
       "php::package",
       "php::ini",
       "composer::global_configs",
+      "kosmos-dirsrv::hostsfile",
       "mediawiki::default",
       "mediawiki::database",
       "kosmos-nginx::default",
@@ -81,4 +79,4 @@
     "role[ldap_client]",
     "recipe[kosmos-mediawiki]"
   ]
-}
+}

roles/gitea.rb

@@ -3,5 +3,4 @@ name "gitea"
 run_list %w(
   role[postgresql_client]
   kosmos_gitea::default
-  kosmos_gitea::backup
 )

roles/lnd.rb

@@ -3,6 +3,7 @@ name "lnd"
 run_list %w(
   kosmos-bitcoin::lnd
   kosmos-bitcoin::lnd-scb-s3
+  kosmos-bitcoin::boltz
   kosmos-bitcoin::rtl
   kosmos-bitcoin::peerswap-lnd
 )

site-cookbooks/backup/attributes/default.rb

@@ -42,5 +42,5 @@ default['backup']['orbit']['keep'] = 10
 default['backup']['cron']['hour'] = "05"
 default['backup']['cron']['minute'] = "7"
 
-default['backup']['s3']['keep'] = 10
-default['backup']['s3']['bucket'] = "kosmos-backups"
+default['backup']['s3']['keep'] = 15
+default['backup']['s3']['bucket'] = "kosmos-dev-backups"

site-cookbooks/backup/recipes/default.rb

@@ -28,7 +28,6 @@ template "#{backup_dir}/config.rb" do
   sensitive true
   variables s3_access_key_id: backup_data["s3_access_key_id"],
             s3_secret_access_key: backup_data["s3_secret_access_key"],
-            s3_endpoint: backup_data["s3_endpoint"],
             s3_region: backup_data["s3_region"],
             encryption_password: backup_data["encryption_password"],
             mail_from: "backups@kosmos.org",

site-cookbooks/backup/templates/default/config.rb.erb

@@ -23,10 +23,6 @@ Storage::S3.defaults do |s3|
   s3.secret_access_key = "<%= @s3_secret_access_key %>"
   s3.region            = "<%= @s3_region %>"
   s3.bucket            = "<%= node['backup']['s3']['bucket'] %>"
-  s3.fog_options       = {
-    endpoint: "<%= @s3_endpoint %>",
-    aws_signature_version: 2
-  }
 end
 
 Encryptor::OpenSSL.defaults do |encryption|
@@ -92,6 +88,7 @@ end
 
 preconfigure 'KosmosBackup' do
   split_into_chunks_of 250 # megabytes
+  store_with S3
   compress_with Bzip2
   encrypt_with OpenSSL
   notify_by Mail do |mail|

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb

@@ -14,10 +14,6 @@ server {
   listen [::]:443 ssl http2;
   server_name <%= @domain %>;
 
-  if ($host != $server_name) {
-    return 301 $scheme://$server_name$request_uri;
-  }
-
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
@@ -43,9 +39,6 @@ server {
 
   location @proxy {
     proxy_set_header Host $http_host;
-    set $x_forwarded_host $http_x_forwarded_host;
-    if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
-    proxy_set_header X-Forwarded-Host $x_forwarded_host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto https;

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '28.0'
-node.default['bitcoin']['checksum']  = '700ae2d1e204602eb07f2779a6e6669893bc96c0dca290593f80ff8e102ff37f'
+node.default['bitcoin']['version']   = '26.0'
+node.default['bitcoin']['checksum']  = 'ab1d99276e28db62d1d9f3901e85ac358d7f1ebcb942d348a9c4e46f0fcdc0a1'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'
@@ -24,8 +24,7 @@ node.default['bitcoin']['conf'] = {
   rpcbind: "127.0.0.1:8332",
   gen: 0,
   zmqpubrawblock: 'tcp://127.0.0.1:8337',
-  zmqpubrawtx: 'tcp://127.0.0.1:8338',
-  deprecatedrpc: 'warnings' # TODO remove when upgrading to LND 0.18.4
+  zmqpubrawtx: 'tcp://127.0.0.1:8338'
 }
 
 # Also enables Tor for LND
@@ -41,7 +40,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.18.3-beta'
+node.default['lnd']['revision'] = 'v0.17.3-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -59,8 +58,19 @@ node.default['lnd']['tor'] = {
   'skip-proxy-for-clearnet-targets' => 'true'
 }
 
+node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
+node.default['boltz']['revision'] = 'v1.2.7'
+node.default['boltz']['source_dir'] = '/opt/boltz'
+node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
+node.default['boltz']['grpc_host'] = '127.0.0.1'
+node.default['boltz']['grpc_port'] = '9002'
+node.default['boltz']['rest_disabled'] = 'false'
+node.default['boltz']['rest_host'] = '127.0.0.1'
+node.default['boltz']['rest_port'] = '9003'
+node.default['boltz']['no_macaroons'] = 'false'
+
 node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
-node.default['rtl']['revision'] = 'v0.15.2'
+node.default['rtl']['revision'] = 'v0.15.0'
 node.default['rtl']['host'] = '10.1.1.163'
 node.default['rtl']['port'] = '3000'
 

site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb

@@ -11,7 +11,6 @@ credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 
 file "/root/.aws/config" do
   mode "600"
-  sensitive true
   content lazy { <<-EOF
 [default]
 region = #{credentials["s3_region"]}

site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb

@@ -12,15 +12,8 @@ if node["bitcoin"]["blocksdir_mount_type"]
   include_recipe "kosmos-bitcoin::blocksdir-mount"
 end
 
-apt_repository "ubuntu-toolchain-r" do
-  # provides g++-13, needed for better c++-20 support
-  uri "ppa:ubuntu-toolchain-r/test"
-end
-
-%w{
-  gcc-13 g++-13 libtool autotools-dev make automake cmake curl bison
-  binutils-gold pkg-config python3 patch
-}.each do |pkg|
+%w{ libtool autotools-dev make automake cmake curl g++-multilib libtool
+    binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
   apt_package pkg
 end
 
@@ -33,21 +26,20 @@ end
 
 execute "compile_bitcoin-core_dependencies" do
   cwd "/usr/local/bitcoind/depends"
-  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
-  command "make -j 2"
+  command "make NO_QT=1"
   action :nothing
   notifies :run, 'bash[compile_bitcoin-core]', :immediately
 end
 
 bash "compile_bitcoin-core" do
   cwd "/usr/local/bitcoind"
-  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
   code <<-EOH
     ./autogen.sh
     ./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
     make
   EOH
   action :nothing
+  notifies :restart, "systemd_unit[bitcoind.service]", :delayed
 end
 
 link "/usr/local/bin/bitcoind" do

site-cookbooks/kosmos-bitcoin/recipes/boltz.rb

@@ -0,0 +1,87 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: boltz
+#
+
+include_recipe "git"
+include_recipe "kosmos-bitcoin::golang"
+
+git node['boltz']['source_dir'] do
+  repository node['boltz']['repo']
+  revision node['boltz']['revision']
+  action :sync
+  notifies :run, 'bash[compile_and_install_boltz]', :immediately
+end
+
+bash "compile_and_install_boltz" do
+  cwd node['boltz']['source_dir']
+  code <<-EOH
+go mod vendor && \
+make build && \
+make install
+  EOH
+  action :nothing
+  notifies :restart, "systemd_unit[boltzd.service]", :delayed
+end
+
+bitcoin_user  = node['bitcoin']['username']
+bitcoin_group = node['bitcoin']['usergroup']
+boltz_dir     = node['boltz']['boltz_dir']
+lnd_dir       = node['lnd']['lnd_dir']
+
+directory boltz_dir do
+  owner bitcoin_user
+  group bitcoin_group
+  mode '0750'
+  action :create
+end
+
+template "#{boltz_dir}/boltz.toml" do
+  source "boltz.toml.erb"
+  owner bitcoin_user
+  group bitcoin_group
+  mode '0640'
+  variables lnd_grpc_host: '127.0.0.1',
+            lnd_grpc_port: '10009',
+            lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
+            lnd_tlscert_path: "#{lnd_dir}/tls.cert",
+            boltz_config: node['boltz']
+  notifies :restart, "systemd_unit[boltzd.service]", :delayed
+end
+
+systemd_unit 'boltzd.service' do
+  content({
+    Unit: {
+      Description: 'Boltz Daemon',
+      Documentation: ['https://lnd.docs.boltz.exchange'],
+      Requires: 'lnd.service',
+      After: 'lnd.service'
+    },
+    Service: {
+      User: bitcoin_user,
+      Group: bitcoin_group,
+      Type: 'simple',
+      ExecStart: "/opt/boltz/boltzd",
+      Restart: 'always',
+      RestartSec: '30',
+      TimeoutSec: '240',
+      LimitNOFILE: '128000',
+      PrivateTmp: true,
+      ProtectSystem: 'full',
+      NoNewPrivileges: true,
+      PrivateDevices: true,
+      MemoryDenyWriteExecute: true
+    },
+    Install: {
+      WantedBy: 'multi-user.target'
+    }
+  })
+  verify false
+  triggers_reload true
+  action [:create, :enable, :start]
+end
+
+unless node.chef_environment == 'development'
+  node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
+  include_recipe 'backup'
+end

site-cookbooks/kosmos-bitcoin/recipes/golang.rb

@@ -5,7 +5,7 @@
 # Internal recipe for managing the Go installation in one place
 #
 
-node.override['golang']['version'] = "1.23.1"
+node.override['golang']['version'] = "1.20.3"
 include_recipe "golang"
 
 link '/usr/local/bin/go' do

site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb

@@ -10,14 +10,12 @@ include_recipe "kosmos-bitcoin::aws-client"
 package "inotify-tools"
 
 backup_script_path = "/opt/lnd-channel-backup-s3.sh"
-backup_credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 
 template backup_script_path do
   source "lnd-channel-backup-s3.sh.erb"
   mode '0740'
   variables lnd_dir: node['lnd']['lnd_dir'],
             bitcoin_network: node['bitcoin']['network'],
-            s3_endpoint: backup_credentials['s3_endpoint'],
             s3_bucket: node['backup']['s3']['bucket'],
             s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
   notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed

site-cookbooks/kosmos-bitcoin/recipes/rtl.rb

@@ -46,22 +46,24 @@ rtl_config = {
   multiPassHashed: credentials["multiPassHashed"]
 }
 
+if node['boltz']
+  # TODO adapt for multi-node usage
+  rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
+  rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
+end
+
 git rtl_dir do
   user bitcoin_user
   group bitcoin_group
   repository node['rtl']['repo']
   revision node['rtl']['revision']
-  notifies :run, "execute[npm_install]", :immediately
   notifies :restart, "systemd_unit[#{app_name}.service]", :delayed
 end
 
-execute "npm_install" do
+execute "npm install" do
   cwd rtl_dir
   environment "HOME" => rtl_dir
   user bitcoin_user
-  # TODO remove --force when upstream dependency issues have been resolved
-  command "npm install --force"
-  action :nothing
 end
 
 file "#{rtl_dir}/RTL-Config.json" do

site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb

@@ -0,0 +1,32 @@
+[LND]
+# Host of the gRPC interface of LND
+host = "<%= @lnd_grpc_host %>"
+
+# Port of the gRPC interface of LND
+port = <%= @lnd_grpc_port %>
+
+# Path to a macaroon file of LND
+# The daemon needs to have permission to read various endpoints, generate addresses and pay invoices 
+macaroon = "<%= @lnd_macaroon_path %>"
+
+# Path to the TLS certificate of LND
+certificate = "<%= @lnd_tlscert_path %>"
+
+[RPC]
+# Host of the gRPC interface
+host = "<%= @boltz_config['grpc_host'] %>"
+
+# Port of the gRPC interface
+port = <%= @boltz_config['grpc_port'] %>
+
+# Whether the REST proxy for the gRPC interface should be disabled
+restDisabled = <%= @boltz_config['rest_disabled'] %>
+
+# Host of the REST proxy
+restHost = "<%= @boltz_config['rest_host'] %>"
+
+# Port of the REST proxy
+restPort = <%= @boltz_config['rest_port'] %>
+
+# Whether the macaroon authentication for the gRPC and REST interface should be disabled
+noMacaroons = <%= @boltz_config['no_macaroons'] %>

site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb

@@ -3,5 +3,5 @@ set -xe -o pipefail
 
 while true; do
   inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
-  aws --endpoint <%= @s3_endpoint %> s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
+  aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
 done

site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb

@@ -12,6 +12,7 @@ minchansize=<%= @lnd_minchansize %>
 autopilot.active=0
 
 [Bitcoin]
+bitcoin.active=1
 bitcoin.mainnet=1
 bitcoin.node=bitcoind
 bitcoin.basefee=<%= @lnd_basefee %>

site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb

@@ -52,7 +52,7 @@ end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.chat\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.chat\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
   not_if do
     File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
   end

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -216,7 +216,7 @@ modules:
     access_createnode: pubsub_createnode
     ignore_pep_from_offline: false
     last_item_cache: false
-    max_items_node: 10000
+    max_items_node: 1000
     plugins:
       - "flat"
       - "pep" # pep requires mod_caps
@@ -258,8 +258,6 @@ modules:
         type: turns
         transport: tcp
         restricted: true
-  mod_vcard:
-    search: false
   mod_vcard_xupdate: {}
   mod_avatar: {}
   mod_version: {}

site-cookbooks/kosmos-mastodon/attributes/default.rb

@@ -10,7 +10,7 @@ node.default["kosmos-mastodon"]["redis_url"]         = "redis://localhost:6379/0
 node.default["kosmos-mastodon"]["sidekiq_threads"]   = 25
 node.default["kosmos-mastodon"]["allowed_private_addresses"] = "127.0.0.1"
 
-node.default["kosmos-mastodon"]["onion_address"] = nil
+node.default["kosmos-mastodon"]["onion_address"]     = nil
 
 # Allocate this amount of RAM to the Java heap for Elasticsearch
 node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
@@ -20,10 +20,6 @@ node.default["kosmos-mastodon"]["s3_region"]     = nil
 node.default["kosmos-mastodon"]["s3_bucket"]     = nil
 node.default["kosmos-mastodon"]["s3_alias_host"] = nil
 
-node.default["kosmos-mastodon"]["sso_account_sign_up_url"] = "https://kosmos.org"
-node.default["kosmos-mastodon"]["sso_account_reset_password_url"] = "https://accounts.kosmos.org/users/password/new"
-node.default["kosmos-mastodon"]["sso_account_resend_confirmation_url"] = "https://accounts.kosmos.org/users/confirmation/new"
-
 node.default["kosmos-mastodon"]["default_locale"] = "en"
 node.default["kosmos-mastodon"]["libre_translate_endpoint"] = nil
 

site-cookbooks/kosmos-mastodon/recipes/backup.rb

@@ -6,12 +6,13 @@
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 
 unless node.chef_environment == "development"
-  node.override['backup']['s3']['keep'] = 1
-  node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
-  node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
-    username: "mastodon",
-    password: postgresql_data_bag_item['mastodon_user_password']
-  }
+  unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
+    node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
+    node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
+      username: "mastodon",
+      password: postgresql_data_bag_item['mastodon_user_password']
+    }
+  end
 
   include_recipe "backup"
 end

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -190,7 +190,6 @@ template "#{mastodon_path}/.env.#{rails_env}" do
   mode  "0640"
   owner mastodon_user
   group mastodon_user
-  sensitive true
   variables redis_url: node["kosmos-mastodon"]["redis_url"],
             domain: node["kosmos-mastodon"]["domain"],
             alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
@@ -211,9 +210,6 @@ template "#{mastodon_path}/.env.#{rails_env}" do
             vapid_public_key: credentials['vapid_public_key'],
             db_pass: postgresql_credentials['mastodon_user_password'],
             db_host: "pg.kosmos.local",
-            sso_account_sign_up_url: node["kosmos-mastodon"]["sso_account_sign_up_url"],
-            sso_account_reset_password_url: node["kosmos-mastodon"]["sso_account_reset_password_url"],
-            sso_account_resend_confirmation_url: node["kosmos-mastodon"]["sso_account_resend_confirmation_url"],
             default_locale: node["kosmos-mastodon"]["default_locale"],
             allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],
             libre_translate_endpoint: node["kosmos-mastodon"]["libre_translate_endpoint"]

site-cookbooks/kosmos-mastodon/templates/default/env.erb

@@ -44,9 +44,6 @@ LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
 LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
 LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
 LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
-SSO_ACCOUNT_SIGN_UP=<%= @sso_account_sign_up_url %>
-SSO_ACCOUNT_RESET_PASSWORD=<%= @sso_account_reset_password_url %>
-SSO_ACCOUNT_RESEND_CONFIRMATION=<%= @sso_account_resend_confirmation_url %>
 <% end %>
 
 # Optional asset host for multi-server setups

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default["gitea"]["version"] = "1.22.3"
-node.default["gitea"]["checksum"] = "a720ff937912a6eb6c0cacf6ebcdd774deed5197cd945ecc34f5744cb5c517e8"
+node.default["gitea"]["version"] = "1.22.1"
+node.default["gitea"]["checksum"] = "b8043324545eec269fc8f18c22b49fc365ed367e0dd41e081b79832de2570f9c"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"

site-cookbooks/kosmos_gitea/recipes/backup.rb

@@ -8,6 +8,5 @@
 unless node.chef_environment == "development"
   # backup the data dir and the config files
   node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
-  node.override['backup']['s3']['keep'] = 2
   include_recipe "backup"
 end

site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb

@@ -10,6 +10,16 @@ upstream _<%= @app_name %> {
 # TODO use cookbook attribute when enabling
 # variables_hash_max_size 2048;
 
+server {
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
+  listen [::]:80;
+  server_name <%= @server_name %>;
+  # Redirect to https
+  location / {
+    return 301 https://<%= @server_name %>$request_uri;
+  }
+}
+
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
   listen [::]:443 ssl http2;

site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb

@@ -5,9 +5,8 @@ upstream _strfry {
 }
 
 server {
-  server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  server_name <%= @domain %>;
 
   access_log "/var/log/nginx/<%= @domain %>.access.log";
   error_log "/var/log/nginx/<%= @domain %>.error.log";

site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb

@@ -14,5 +14,7 @@ server {
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
-  return <%= @http_status || 307 %> <%= @target %>;
+  location / {
+    return <%= @http_status || 301 %> <%= @target %>;
+  }
 }

site-cookbooks/kosmos_website/templates/nginx_conf_website.erb

@@ -2,7 +2,7 @@
 
 server {
   server_name _;
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80 default_server;
+  listen 80 default_server;
 
   location / {
     return 301 https://<%= @domain %>;
@@ -14,10 +14,6 @@ server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
   listen [::]:443 ssl http2 default_server;
 
-  if ($host != $server_name) {
-    return 307 $scheme://$server_name;
-  }
-
   root /var/www/<%= @domain %>/public;
 
   access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
@@ -26,13 +22,14 @@ server {
   gzip_static on;
   gzip_comp_level 5;
 
+  add_header 'Access-Control-Allow-Origin' '*';
+
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
 <% if @accounts_url %>
-  location ~ ^/.well-known/(keysend|lnurlp|nostr|openpgpkey|webfinger) {
+  location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
     proxy_ssl_server_name on;
-    proxy_set_header X-Forwarded-Host $host;
     proxy_pass https://accounts.kosmos.org;
   }
 <% end %>