Use Ubuntu 22.04 for new VMs

Also, remove the custom config image generation and replace it with
`--cloud-init` options.

.gitmodules

@@ -4,9 +4,3 @@
 [submodule "site-cookbooks/openresty"]
 	path = site-cookbooks/openresty
 	url = https://github.com/67P/chef-openresty.git
-[submodule "site-cookbooks/strfry"]
-	path = site-cookbooks/strfry
-	url = git@gitea.kosmos.org:kosmos/strfry-cookbook.git
-[submodule "site-cookbooks/deno"]
-	path = site-cookbooks/deno
-	url = git@gitea.kosmos.org:kosmos/deno-cookbook.git

clients/strfry-1.json

@@ -1,4 +0,0 @@
-{
-  "name": "strfry-1",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDV/RMGMXVDbvoA6PNh8\nQzhtHwYDCFcUSkbrwP6tzh6GpVunGEOdOdhj2V63T2tF1H+lujxQXh5pK7C0D6VZ\niO04ftJlo7/svyxUcwWr+znyN5sFdQRh3cBZiGSBYolizwoqgtPFlbNhmWAzV0Du\n9t8mhz70IK3B+UdwWyHtoK0NNsJGnQ9YzAvcjyDmEO/3sCjAhNnxVpmXftpcSmd9\nMonzFtIDBbRRll4AHZYRbmXCzx63+VmelvdnufnbY82liol0zzBwJaBD1wyNlG0y\ni96p3Kx03bLNlIaYVGbjZeJi+6oo2VDWJ4OloLLAYoHDSipeHT9qWfUdnE6ge4Lm\nywIDAQAB\n-----END PUBLIC KEY-----\n"
-}

data_bags/credentials/backup.json

@@ -1,38 +1,27 @@
 {
   "id": "backup",
   "s3_access_key_id": {
-    "encrypted_data": "245TrPvuoBRRTimhbt6qqsFb+JnnD377sPt1pguJy7Q2BXOy/jrX0wyMt+cP\nuA==\n",
+    "encrypted_data": "emGNH4v7TTEh05Go/DsI3k7CFnaK4p/4JxodC4BYpyWw47/Z3dsuRMu4vXM3\n3YLH\n",
-    "iv": "ylmRxSRO3AA4MSJN\n",
+    "iv": "Dau+ekb3UTYdl8w3fQKVcA==\n",
-    "auth_tag": "45tBcYZowPLrbv4Zu2P0Fw==\n",
+    "version": 1,
-    "version": 3,
+    "cipher": "aes-256-cbc"
-    "cipher": "aes-256-gcm"
   },
   "s3_secret_access_key": {
-    "encrypted_data": "jDIOjlBzTkBUzpj243T6KnBuH0qwyW7BUFMcqllljFSzxs7K8wYJOUreNbOP\ny8OpDWAuO0H4O4LuFMJXeM8=\n",
+    "encrypted_data": "Mxyly86JxrWUbubbSiqPdRosChzfI1Q8eBEG4n+2B9JJG4yExltO5Wc5kgSs\nX01MPXAc+PGLm+J9MngUtypo/g==\n",
-    "iv": "PzvZr37EkJqz6JtM\n",
+    "iv": "WRhBJGiuScYYsUsoT5j/UA==\n",
-    "auth_tag": "e3XW8oHVgmYibv/IBzj0yA==\n",
+    "version": 1,
-    "version": 3,
+    "cipher": "aes-256-cbc"
-    "cipher": "aes-256-gcm"
-  },
-  "s3_endpoint": {
-    "encrypted_data": "ErJIEChxrreW7WKEwRtuP2MyYlsZRtqLdGa/x5QY58qgO036FgR3Hs2Z3yce\n",
-    "iv": "HOSAOgUjO7XGwk50\n",
-    "auth_tag": "XE1bwMIXHHE72V9K2KOLnw==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
   },
   "s3_region": {
-    "encrypted_data": "8cNSaYu7HH95ftG66lFdUIPZD7soz907CPA=\n",
+    "encrypted_data": "2ZGxu0tVzKNfx3K1Wleg0SAwGaPkHCi/XfKpJ+J7q40=\n",
-    "iv": "pU21ulF75y/SIs3x\n",
+    "iv": "CNTZW2SEIgfw+IyzGI3TzQ==\n",
-    "auth_tag": "7WQQCbSbB2GybjY+C+5IvQ==\n",
+    "version": 1,
-    "version": 3,
+    "cipher": "aes-256-cbc"
-    "cipher": "aes-256-gcm"
   },
   "encryption_password": {
-    "encrypted_data": "l23CiIO2s1fIRn0NdoWZ+wK+Zhx3hCYDHf4ypjqMRekZ7xqafvXHHuogD5aj\npxYUKloH\n",
+    "encrypted_data": "tsBWKBwhQFfEAM0EWMPtljSbqU1c5mOJXPjYJjNT5RUFhPlqa7gsE8aJbs+D\nSPKjAQ62j+iHeqCk9mE9CCkgBA==\n",
-    "iv": "Dzx83eP9L7Jqqidh\n",
+    "iv": "uq5YAXuq2ynRLv9EIWoCFA==\n",
-    "auth_tag": "UVn5XA5Tgsikc1GdOt1MUQ==\n",
+    "version": 1,
-    "version": 3,
+    "cipher": "aes-256-cbc"
-    "cipher": "aes-256-gcm"
   }
 }

data_bags/credentials/dirsrv.json

@@ -1,30 +1,9 @@
 {
   "id": "dirsrv",
-  "admin_dn": {
-    "encrypted_data": "zRtz6Scb9WtUXGyjc0xyvsre0YvqupuaFz+RPApj7DEQTmYyZPVb\n",
-    "iv": "xfIXMhEBHBWqa4Dz\n",
-    "auth_tag": "BcA32u1njcnCZ+yrBGSceQ==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
   "admin_password": {
-    "encrypted_data": "7JpXl3JZDqKWDfYt/wuNbkbob+oRuONhkuAlpqUCCEIn+tY=\n",
+    "encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
-    "iv": "Lcwc4NDzrfcBaIKQ\n",
+    "iv": "KNW2B8tpX7ywZwbg\n",
-    "auth_tag": "rrePS3Bhdnwbr2d/o8vMhg==\n",
+    "auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "service_dn": {
-    "encrypted_data": "sqRFiZreLeTPQljSfhAuV3DmsPxSC8tzWjCdu+WSSbO67sBQA+xhmGtzBhBD\nDZPGJw+jtAxzuVvPdAjxgAVgxXO6C6WEo87L1tdJewE=\n",
-    "iv": "GUEGtyRJXrPhWcUs\n",
-    "auth_tag": "2USsrx//3V7RCyumGCbMkg==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "service_password": {
-    "encrypted_data": "f2wi8B8SEt6p5G0TF3dZ72j0vMFlvwcP1suxYnshBA==\n",
-    "iv": "rOnUoxbnkaJtodM+\n",
-    "auth_tag": "dVLCtBVMjxLfW2D8XjJBdQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

environments/production.json

@@ -14,8 +14,7 @@
         "public_key": "024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946"
       },
       "nostr": {
-        "public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
+        "public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
-        "relay_url": "wss://nostr.kosmos.org"
       }
     },
     "discourse": {
@@ -102,20 +101,6 @@
     },
     "sentry": {
       "allowed_ips": "10.1.1.0/24"
-    },
-    "strfry": {
-      "domain": "nostr.kosmos.org",
-      "real_ip_header": "x-real-ip",
-      "policy_path": "/opt/strfry/strfry-policy.ts",
-      "whitelist_pubkeys": [
-        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
-      ],
-      "info": {
-        "name": "Kosmos Relay",
-        "description": "Members-only nostr relay for kosmos.org users",
-        "pubkey": "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb",
-        "contact": "ops@kosmos.org"
-      }
     }
   }
 }

nodes/bitcoin-2.json

@@ -16,6 +16,7 @@
       "kvm_guest",
       "sentry_client",
       "bitcoind",
+      "cln",
       "lnd",
       "lndhub",
       "postgresql_client",
@@ -29,8 +30,10 @@
       "tor-full",
       "tor-full::default",
       "kosmos-bitcoin::bitcoind",
+      "kosmos-bitcoin::c-lightning",
       "kosmos-bitcoin::lnd",
       "kosmos-bitcoin::lnd-scb-s3",
+      "kosmos-bitcoin::boltz",
       "kosmos-bitcoin::rtl",
       "kosmos-bitcoin::peerswap-lnd",
       "kosmos_postgresql::hostsfile",
@@ -100,6 +103,7 @@
     "role[sentry_client]",
     "recipe[tor-full]",
     "role[bitcoind]",
+    "role[cln]",
     "role[lnd]",
     "role[lndhub]",
     "role[btcpay]"

nodes/draco.kosmos.org.json

@@ -54,10 +54,8 @@
       "kosmos_liquor-cabinet::nginx",
       "kosmos_rsk::nginx_testnet",
       "kosmos_rsk::nginx_mainnet",
-      "kosmos_strfry::nginx",
       "kosmos_website",
       "kosmos_website::default",
-      "kosmos_website::redirects",
       "kosmos-akkounts::nginx",
       "kosmos-akkounts::nginx_api",
       "kosmos-bitcoin::nginx_lndhub",

nodes/fornax.kosmos.org.json

@@ -48,10 +48,8 @@
       "kosmos_liquor-cabinet::nginx",
       "kosmos_rsk::nginx_testnet",
       "kosmos_rsk::nginx_mainnet",
-      "kosmos_strfry::nginx",
       "kosmos_website",
       "kosmos_website::default",
-      "kosmos_website::redirects",
       "kosmos-akkounts::nginx",
       "kosmos-akkounts::nginx_api",
       "kosmos-bitcoin::nginx_lndhub",

nodes/gitea-2.json

@@ -32,7 +32,6 @@
       "kosmos_postgresql::hostsfile",
       "kosmos_gitea",
       "kosmos_gitea::default",
-      "kosmos_gitea::backup",
       "kosmos_gitea::act_runner",
       "apt::default",
       "timezone_iii::default",
@@ -48,9 +47,7 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
-      "firewall::default",
+      "firewall::default"
-      "backup::default",
-      "logrotate::default"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",

nodes/strfry-1.json

@@ -1,66 +0,0 @@
-{
-  "name": "strfry-1",
-  "chef_environment": "production",
-  "normal": {
-    "knife_zero": {
-      "host": "10.1.1.164"
-    }
-  },
-  "automatic": {
-    "fqdn": "strfry-1",
-    "os": "linux",
-    "os_version": "5.15.0-1060-kvm",
-    "hostname": "strfry-1",
-    "ipaddress": "192.168.122.54",
-    "roles": [
-      "base",
-      "kvm_guest",
-      "strfry",
-      "ldap_client"
-    ],
-    "recipes": [
-      "kosmos-base",
-      "kosmos-base::default",
-      "kosmos_kvm::guest",
-      "kosmos-dirsrv::hostsfile",
-      "strfry",
-      "strfry::default",
-      "kosmos_strfry::policies",
-      "kosmos_strfry::firewall",
-      "apt::default",
-      "timezone_iii::default",
-      "timezone_iii::debian",
-      "ntp::default",
-      "ntp::apparmor",
-      "kosmos-base::systemd_emails",
-      "apt::unattended-upgrades",
-      "kosmos-base::firewall",
-      "kosmos-postfix::default",
-      "postfix::default",
-      "postfix::_common",
-      "postfix::_attributes",
-      "postfix::sasl_auth",
-      "hostname::default",
-      "deno::default"
-    ],
-    "platform": "ubuntu",
-    "platform_version": "22.04",
-    "cloud": null,
-    "chef_packages": {
-      "chef": {
-        "version": "18.4.12",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib",
-        "chef_effortless": null
-      },
-      "ohai": {
-        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
-      }
-    }
-  },
-  "run_list": [
-    "role[base]",
-    "role[kvm_guest]",
-    "role[strfry]"
-  ]
-}

nodes/wiki-1.json

@@ -8,19 +8,16 @@
   "automatic": {
     "fqdn": "wiki-1",
     "os": "linux",
-    "os_version": "5.4.0-167-generic",
+    "os_version": "5.4.0-91-generic",
     "hostname": "wiki-1",
     "ipaddress": "192.168.122.26",
     "roles": [
-      "base",
+      "kvm_guest"
-      "kvm_guest",
-      "ldap_client"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
-      "kosmos-dirsrv::hostsfile",
       "kosmos-mediawiki",
       "kosmos-mediawiki::default",
       "apt::default",
@@ -44,6 +41,7 @@
       "php::package",
       "php::ini",
       "composer::global_configs",
+      "kosmos-dirsrv::hostsfile",
       "mediawiki::default",
       "mediawiki::database",
       "kosmos-nginx::default",
@@ -81,4 +79,4 @@
     "role[ldap_client]",
     "recipe[kosmos-mediawiki]"
   ]
-}
+}

roles/gitea.rb

@@ -3,5 +3,4 @@ name "gitea"
 run_list %w(
   role[postgresql_client]
   kosmos_gitea::default
-  kosmos_gitea::backup
 )

roles/lnd.rb

@@ -3,6 +3,7 @@ name "lnd"
 run_list %w(
   kosmos-bitcoin::lnd
   kosmos-bitcoin::lnd-scb-s3
+  kosmos-bitcoin::boltz
   kosmos-bitcoin::rtl
   kosmos-bitcoin::peerswap-lnd
 )

roles/openresty_proxy.rb

@@ -28,9 +28,7 @@ production_run_list = %w(
   kosmos_liquor-cabinet::nginx
   kosmos_rsk::nginx_testnet
   kosmos_rsk::nginx_mainnet
-  kosmos_strfry::nginx
   kosmos_website::default
-  kosmos_website::redirects
   kosmos-akkounts::nginx
   kosmos-akkounts::nginx_api
   kosmos-bitcoin::nginx_lndhub

roles/strfry.rb

@@ -1,8 +0,0 @@
-name "strfry"
-
-run_list %w(
-  role[ldap_client]
-  strfry::default
-  kosmos_strfry::policies
-  kosmos_strfry::firewall
-)

site-cookbooks/backup/attributes/default.rb

@@ -42,5 +42,5 @@ default['backup']['orbit']['keep'] = 10
 default['backup']['cron']['hour'] = "05"
 default['backup']['cron']['minute'] = "7"
 
-default['backup']['s3']['keep'] = 10
+default['backup']['s3']['keep'] = 15
-default['backup']['s3']['bucket'] = "kosmos-backups"
+default['backup']['s3']['bucket'] = "kosmos-dev-backups"

site-cookbooks/backup/recipes/default.rb

@@ -28,7 +28,6 @@ template "#{backup_dir}/config.rb" do
   sensitive true
   variables s3_access_key_id: backup_data["s3_access_key_id"],
             s3_secret_access_key: backup_data["s3_secret_access_key"],
-            s3_endpoint: backup_data["s3_endpoint"],
             s3_region: backup_data["s3_region"],
             encryption_password: backup_data["encryption_password"],
             mail_from: "backups@kosmos.org",

site-cookbooks/backup/templates/default/config.rb.erb

@@ -23,10 +23,6 @@ Storage::S3.defaults do |s3|
   s3.secret_access_key = "<%= @s3_secret_access_key %>"
   s3.region            = "<%= @s3_region %>"
   s3.bucket            = "<%= node['backup']['s3']['bucket'] %>"
-  s3.fog_options       = {
-    endpoint: "<%= @s3_endpoint %>",
-    aws_signature_version: 2
-  }
 end
 
 Encryptor::OpenSSL.defaults do |encryption|
@@ -92,6 +88,7 @@ end
 
 preconfigure 'KosmosBackup' do
   split_into_chunks_of 250 # megabytes
+  store_with S3
   compress_with Bzip2
   encrypt_with OpenSSL
   notify_by Mail do |mail|

site-cookbooks/kosmos-akkounts/attributes/default.rb

@@ -22,7 +22,6 @@ node.default['akkounts']['lndhub']['public_key'] = nil
 node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
 
 node.default['akkounts']['nostr']['public_key'] = nil
-node.default['akkounts']['nostr']['relay_url'] = nil
 
 node.default['akkounts']['s3_enabled'] = true
 node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org"

site-cookbooks/kosmos-akkounts/recipes/default.rb

@@ -163,7 +163,6 @@ env[:mediawiki_public_url] = node['mediawiki']['url']
 
 env[:nostr_private_key] = credentials['nostr_private_key']
 env[:nostr_public_key] = node['akkounts']['nostr']['public_key']
-env[:nostr_relay_url] = node['akkounts']['nostr']['relay_url']
 
 #
 # remoteStorage / Liquor Cabinet

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '28.0'
+node.default['bitcoin']['version']   = '26.0'
-node.default['bitcoin']['checksum']  = '700ae2d1e204602eb07f2779a6e6669893bc96c0dca290593f80ff8e102ff37f'
+node.default['bitcoin']['checksum']  = 'ab1d99276e28db62d1d9f3901e85ac358d7f1ebcb942d348a9c4e46f0fcdc0a1'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'
@@ -24,8 +24,7 @@ node.default['bitcoin']['conf'] = {
   rpcbind: "127.0.0.1:8332",
   gen: 0,
   zmqpubrawblock: 'tcp://127.0.0.1:8337',
-  zmqpubrawtx: 'tcp://127.0.0.1:8338',
+  zmqpubrawtx: 'tcp://127.0.0.1:8338'
-  deprecatedrpc: 'warnings' # TODO remove when upgrading to LND 0.18.4
 }
 
 # Also enables Tor for LND
@@ -41,7 +40,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.18.3-beta'
+node.default['lnd']['revision'] = 'v0.17.3-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -59,8 +58,19 @@ node.default['lnd']['tor'] = {
   'skip-proxy-for-clearnet-targets' => 'true'
 }
 
+node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
+node.default['boltz']['revision'] = 'v1.2.7'
+node.default['boltz']['source_dir'] = '/opt/boltz'
+node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
+node.default['boltz']['grpc_host'] = '127.0.0.1'
+node.default['boltz']['grpc_port'] = '9002'
+node.default['boltz']['rest_disabled'] = 'false'
+node.default['boltz']['rest_host'] = '127.0.0.1'
+node.default['boltz']['rest_port'] = '9003'
+node.default['boltz']['no_macaroons'] = 'false'
+
 node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
-node.default['rtl']['revision'] = 'v0.15.2'
+node.default['rtl']['revision'] = 'v0.15.0'
 node.default['rtl']['host'] = '10.1.1.163'
 node.default['rtl']['port'] = '3000'
 

site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb

@@ -11,7 +11,6 @@ credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 
 file "/root/.aws/config" do
   mode "600"
-  sensitive true
   content lazy { <<-EOF
 [default]
 region = #{credentials["s3_region"]}

site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb

@@ -12,15 +12,8 @@ if node["bitcoin"]["blocksdir_mount_type"]
   include_recipe "kosmos-bitcoin::blocksdir-mount"
 end
 
-apt_repository "ubuntu-toolchain-r" do
+%w{ libtool autotools-dev make automake cmake curl g++-multilib libtool
-  # provides g++-13, needed for better c++-20 support
+    binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
-  uri "ppa:ubuntu-toolchain-r/test"
-end
-
-%w{
-  gcc-13 g++-13 libtool autotools-dev make automake cmake curl bison
-  binutils-gold pkg-config python3 patch
-}.each do |pkg|
   apt_package pkg
 end
 
@@ -33,21 +26,20 @@ end
 
 execute "compile_bitcoin-core_dependencies" do
   cwd "/usr/local/bitcoind/depends"
-  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
+  command "make NO_QT=1"
-  command "make -j 2"
   action :nothing
   notifies :run, 'bash[compile_bitcoin-core]', :immediately
 end
 
 bash "compile_bitcoin-core" do
   cwd "/usr/local/bitcoind"
-  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
   code <<-EOH
     ./autogen.sh
     ./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
     make
   EOH
   action :nothing
+  notifies :restart, "systemd_unit[bitcoind.service]", :delayed
 end
 
 link "/usr/local/bin/bitcoind" do

site-cookbooks/kosmos-bitcoin/recipes/boltz.rb

@@ -0,0 +1,87 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: boltz
+#
+
+include_recipe "git"
+include_recipe "kosmos-bitcoin::golang"
+
+git node['boltz']['source_dir'] do
+  repository node['boltz']['repo']
+  revision node['boltz']['revision']
+  action :sync
+  notifies :run, 'bash[compile_and_install_boltz]', :immediately
+end
+
+bash "compile_and_install_boltz" do
+  cwd node['boltz']['source_dir']
+  code <<-EOH
+go mod vendor && \
+make build && \
+make install
+  EOH
+  action :nothing
+  notifies :restart, "systemd_unit[boltzd.service]", :delayed
+end
+
+bitcoin_user  = node['bitcoin']['username']
+bitcoin_group = node['bitcoin']['usergroup']
+boltz_dir     = node['boltz']['boltz_dir']
+lnd_dir       = node['lnd']['lnd_dir']
+
+directory boltz_dir do
+  owner bitcoin_user
+  group bitcoin_group
+  mode '0750'
+  action :create
+end
+
+template "#{boltz_dir}/boltz.toml" do
+  source "boltz.toml.erb"
+  owner bitcoin_user
+  group bitcoin_group
+  mode '0640'
+  variables lnd_grpc_host: '127.0.0.1',
+            lnd_grpc_port: '10009',
+            lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
+            lnd_tlscert_path: "#{lnd_dir}/tls.cert",
+            boltz_config: node['boltz']
+  notifies :restart, "systemd_unit[boltzd.service]", :delayed
+end
+
+systemd_unit 'boltzd.service' do
+  content({
+    Unit: {
+      Description: 'Boltz Daemon',
+      Documentation: ['https://lnd.docs.boltz.exchange'],
+      Requires: 'lnd.service',
+      After: 'lnd.service'
+    },
+    Service: {
+      User: bitcoin_user,
+      Group: bitcoin_group,
+      Type: 'simple',
+      ExecStart: "/opt/boltz/boltzd",
+      Restart: 'always',
+      RestartSec: '30',
+      TimeoutSec: '240',
+      LimitNOFILE: '128000',
+      PrivateTmp: true,
+      ProtectSystem: 'full',
+      NoNewPrivileges: true,
+      PrivateDevices: true,
+      MemoryDenyWriteExecute: true
+    },
+    Install: {
+      WantedBy: 'multi-user.target'
+    }
+  })
+  verify false
+  triggers_reload true
+  action [:create, :enable, :start]
+end
+
+unless node.chef_environment == 'development'
+  node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
+  include_recipe 'backup'
+end

site-cookbooks/kosmos-bitcoin/recipes/golang.rb

@@ -5,7 +5,7 @@
 # Internal recipe for managing the Go installation in one place
 #
 
-node.override['golang']['version'] = "1.23.1"
+node.override['golang']['version'] = "1.20.3"
 include_recipe "golang"
 
 link '/usr/local/bin/go' do

site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb

@@ -10,14 +10,12 @@ include_recipe "kosmos-bitcoin::aws-client"
 package "inotify-tools"
 
 backup_script_path = "/opt/lnd-channel-backup-s3.sh"
-backup_credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 
 template backup_script_path do
   source "lnd-channel-backup-s3.sh.erb"
   mode '0740'
   variables lnd_dir: node['lnd']['lnd_dir'],
             bitcoin_network: node['bitcoin']['network'],
-            s3_endpoint: backup_credentials['s3_endpoint'],
             s3_bucket: node['backup']['s3']['bucket'],
             s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
   notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed

site-cookbooks/kosmos-bitcoin/recipes/rtl.rb

@@ -46,22 +46,24 @@ rtl_config = {
   multiPassHashed: credentials["multiPassHashed"]
 }
 
+if node['boltz']
+  # TODO adapt for multi-node usage
+  rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
+  rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
+end
+
 git rtl_dir do
   user bitcoin_user
   group bitcoin_group
   repository node['rtl']['repo']
   revision node['rtl']['revision']
-  notifies :run, "execute[npm_install]", :immediately
   notifies :restart, "systemd_unit[#{app_name}.service]", :delayed
 end
 
-execute "npm_install" do
+execute "npm install" do
   cwd rtl_dir
   environment "HOME" => rtl_dir
   user bitcoin_user
-  # TODO remove --force when upstream dependency issues have been resolved
-  command "npm install --force"
-  action :nothing
 end
 
 file "#{rtl_dir}/RTL-Config.json" do

site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb

@@ -0,0 +1,32 @@
+[LND]
+# Host of the gRPC interface of LND
+host = "<%= @lnd_grpc_host %>"
+
+# Port of the gRPC interface of LND
+port = <%= @lnd_grpc_port %>
+
+# Path to a macaroon file of LND
+# The daemon needs to have permission to read various endpoints, generate addresses and pay invoices 
+macaroon = "<%= @lnd_macaroon_path %>"
+
+# Path to the TLS certificate of LND
+certificate = "<%= @lnd_tlscert_path %>"
+
+[RPC]
+# Host of the gRPC interface
+host = "<%= @boltz_config['grpc_host'] %>"
+
+# Port of the gRPC interface
+port = <%= @boltz_config['grpc_port'] %>
+
+# Whether the REST proxy for the gRPC interface should be disabled
+restDisabled = <%= @boltz_config['rest_disabled'] %>
+
+# Host of the REST proxy
+restHost = "<%= @boltz_config['rest_host'] %>"
+
+# Port of the REST proxy
+restPort = <%= @boltz_config['rest_port'] %>
+
+# Whether the macaroon authentication for the gRPC and REST interface should be disabled
+noMacaroons = <%= @boltz_config['no_macaroons'] %>

site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb

@@ -3,5 +3,5 @@ set -xe -o pipefail
 
 while true; do
   inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
-  aws --endpoint <%= @s3_endpoint %> s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
+  aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
 done

site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb

@@ -12,6 +12,7 @@ minchansize=<%= @lnd_minchansize %>
 autopilot.active=0
 
 [Bitcoin]
+bitcoin.active=1
 bitcoin.mainnet=1
 bitcoin.node=bitcoind
 bitcoin.basefee=<%= @lnd_basefee %>

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -155,7 +155,7 @@ admin_users = ejabberd_credentials['admins']
 hosts.each do |host|
   ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
   if host[:name] == "kosmos.org"
-    ldap_filter = "(&(objectClass=person)(serviceEnabled=ejabberd))"
+    ldap_filter = "(&(objectClass=person)(serviceEnabled=xmpp))"
   else
     ldap_filter = "(objectClass=person)"
   end

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -216,7 +216,7 @@ modules:
     access_createnode: pubsub_createnode
     ignore_pep_from_offline: false
     last_item_cache: false
-    max_items_node: 10000
+    max_items_node: 10
     plugins:
       - "flat"
       - "pep" # pep requires mod_caps

site-cookbooks/kosmos-mastodon/attributes/default.rb

@@ -10,7 +10,7 @@ node.default["kosmos-mastodon"]["redis_url"]         = "redis://localhost:6379/0
 node.default["kosmos-mastodon"]["sidekiq_threads"]   = 25
 node.default["kosmos-mastodon"]["allowed_private_addresses"] = "127.0.0.1"
 
-node.default["kosmos-mastodon"]["onion_address"] = nil
+node.default["kosmos-mastodon"]["onion_address"]     = nil
 
 # Allocate this amount of RAM to the Java heap for Elasticsearch
 node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
@@ -20,10 +20,6 @@ node.default["kosmos-mastodon"]["s3_region"]     = nil
 node.default["kosmos-mastodon"]["s3_bucket"]     = nil
 node.default["kosmos-mastodon"]["s3_alias_host"] = nil
 
-node.default["kosmos-mastodon"]["sso_account_sign_up_url"] = "https://kosmos.org"
-node.default["kosmos-mastodon"]["sso_account_reset_password_url"] = "https://accounts.kosmos.org/users/password/new"
-node.default["kosmos-mastodon"]["sso_account_resend_confirmation_url"] = "https://accounts.kosmos.org/users/confirmation/new"
-
 node.default["kosmos-mastodon"]["default_locale"] = "en"
 node.default["kosmos-mastodon"]["libre_translate_endpoint"] = nil
 

site-cookbooks/kosmos-mastodon/recipes/backup.rb

@@ -6,12 +6,13 @@
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 
 unless node.chef_environment == "development"
-  node.override['backup']['s3']['keep'] = 1
+  unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
-  node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
+    node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
-  node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
+    node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
-    username: "mastodon",
+      username: "mastodon",
-    password: postgresql_data_bag_item['mastodon_user_password']
+      password: postgresql_data_bag_item['mastodon_user_password']
-  }
+    }
+  end
 
   include_recipe "backup"
 end

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -190,7 +190,6 @@ template "#{mastodon_path}/.env.#{rails_env}" do
   mode  "0640"
   owner mastodon_user
   group mastodon_user
-  sensitive true
   variables redis_url: node["kosmos-mastodon"]["redis_url"],
             domain: node["kosmos-mastodon"]["domain"],
             alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
@@ -211,9 +210,6 @@ template "#{mastodon_path}/.env.#{rails_env}" do
             vapid_public_key: credentials['vapid_public_key'],
             db_pass: postgresql_credentials['mastodon_user_password'],
             db_host: "pg.kosmos.local",
-            sso_account_sign_up_url: node["kosmos-mastodon"]["sso_account_sign_up_url"],
-            sso_account_reset_password_url: node["kosmos-mastodon"]["sso_account_reset_password_url"],
-            sso_account_resend_confirmation_url: node["kosmos-mastodon"]["sso_account_resend_confirmation_url"],
             default_locale: node["kosmos-mastodon"]["default_locale"],
             allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],
             libre_translate_endpoint: node["kosmos-mastodon"]["libre_translate_endpoint"]

site-cookbooks/kosmos-mastodon/recipes/nginx.rb

@@ -28,9 +28,7 @@ template "#{node['openresty']['dir']}/snippets/mastodon.conf" do
   owner 'www-data'
   mode 0640
   variables web_root_dir: web_root_dir,
-            server_name:  server_name,
+            server_name:  server_name
-            s3_private_url: "#{node["kosmos-mastodon"]["s3_endpoint"]}/#{node["kosmos-mastodon"]["s3_bucket"]}/",
-            s3_public_url: "https://#{node["kosmos-mastodon"]["s3_alias_host"]}/"
   notifies :reload, 'service[openresty]', :delayed
 end
 

site-cookbooks/kosmos-mastodon/templates/default/env.erb

@@ -44,9 +44,6 @@ LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
 LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
 LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
 LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
-SSO_ACCOUNT_SIGN_UP=<%= @sso_account_sign_up_url %>
-SSO_ACCOUNT_RESET_PASSWORD=<%= @sso_account_reset_password_url %>
-SSO_ACCOUNT_RESEND_CONFIRMATION=<%= @sso_account_resend_confirmation_url %>
 <% end %>
 
 # Optional asset host for multi-server setups

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb

@@ -108,13 +108,11 @@ location @proxy {
 
   proxy_pass http://mastodon_app;
   proxy_buffering on;
+  proxy_redirect off;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection $connection_upgrade;
 
-  # https://github.com/mastodon/mastodon/issues/24380
-  proxy_redirect <%= @s3_private_url %> <%= @s3_public_url %>;
-
   tcp_nodelay on;
 }
 

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default["gitea"]["version"] = "1.22.1"
+node.default["gitea"]["version"] = "1.22.0"
-node.default["gitea"]["checksum"] = "b8043324545eec269fc8f18c22b49fc365ed367e0dd41e081b79832de2570f9c"
+node.default["gitea"]["checksum"] = "a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"

site-cookbooks/kosmos_gitea/recipes/backup.rb

@@ -8,6 +8,5 @@
 unless node.chef_environment == "development"
   # backup the data dir and the config files
   node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
-  node.override['backup']['s3']['keep'] = 2
   include_recipe "backup"
 end

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb

@@ -21,13 +21,8 @@ server {
   location ~ ^/(avatars|repo-avatars)/.*$ {
     proxy_buffers 1024 8k;
     proxy_pass http://_gitea_web;
+    proxy_http_version 1.1;
     expires 30d;
-    proxy_set_header Connection $http_connection;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
   }
 
   # Docker registry
@@ -35,22 +30,12 @@ server {
     client_max_body_size 0;
     proxy_buffers 1024 8k;
     proxy_pass http://_gitea_web;
-    proxy_set_header Connection $http_connection;
+    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
   }
 
   location / {
     proxy_buffers 1024 8k;
     proxy_pass http://_gitea_web;
-    proxy_set_header Connection $http_connection;
+    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
   }
 }

site-cookbooks/kosmos_kvm/attributes/default.rb

@@ -1,10 +1,9 @@
 release = "20240514"
-img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm"
 
 node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
-  "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img",
+  "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/ubuntu-22.04-server-cloudimg-amd64-disk-kvm.img",
   "checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f",
-  "path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2"
+  "path" => "/var/lib/libvirt/images/base/ubuntu-22.04-server-cloudimg-amd64-disk-kvm-#{release}.qcow2"
 }
 
 # A systemd.timer OnCalendar config value

site-cookbooks/kosmos_kvm/templates/create_vm.erb

@@ -17,7 +17,7 @@ DISKSIZE=${4:-10} # 10GB default
 # Directory where image files will be stored
 IMAGE_DIR=/var/lib/libvirt/images
 IMAGE_PATH=$IMAGE_DIR/${VMNAME}.qcow2
-CIDATA_PATH=${IMAGE_DIR}/cidata-${VMNAME}.iso
+CIDATA_PATH=${IMAGE_DIR}/${VMNAME}-cloudinit
 BASE_FILE=<%= @base_image_path %>
 
 # Create the VM image if it does not already exist
@@ -38,9 +38,8 @@ qemu-img info "$IMAGE_PATH"
 # Check if the cloud-init metadata file exists
 # if not, generate it
 if [ ! -r $CIDATA_PATH ]; then
-  pushd $(dirname $CIDATA_PATH)
+  mkdir -p $CIDATA_PATH
-  mkdir -p $VMNAME
+  pushd $CIDATA_PATH
-  cd $VMNAME
 
   cat > user-data <<-EOS
 #cloud-config
@@ -62,25 +61,19 @@ instance-id: $VMNAME
 local-hostname: $VMNAME
 EOS
 
-  genisoimage -output "$CIDATA_PATH" -volid cidata -joliet -rock user-data meta-data
-  chown libvirt-qemu:kvm "$CIDATA_PATH"
-  chmod 600 "$CIDATA_PATH"
   popd
 fi
 
-# setting --os-variant to ubuntu20.04 and ubuntu18.04 breaks SSH and networking
 virt-install \
   --name "$VMNAME" \
   --ram "$RAM" \
   --vcpus "$CPUS" \
   --cpu host \
   --arch x86_64 \
-  --os-type linux \
+  --osinfo detect=on,name=ubuntujammy \
-  --os-variant ubuntu16.04 \
   --hvm \
   --virt-type kvm \
   --disk "$IMAGE_PATH" \
-  --cdrom "$CIDATA_PATH" \
   --boot hd \
   --network=bridge=virbr0,model=virtio \
   --graphics none \
@@ -88,4 +81,5 @@ virt-install \
   --console pty \
   --channel unix,mode=bind,path=/var/lib/libvirt/qemu/$VMNAME.guest_agent.0,target_type=virtio,name=org.qemu.guest_agent.0 \
   --autostart \
-  --import
+  --import \
+  --cloud-init root-password-generate=off,disable=on,meta-data=$CIDATA_PATH/meta-data,user-data=$CIDATA_PATH/user-data

site-cookbooks/kosmos_strfry/LICENSE

@@ -1,20 +0,0 @@
-Copyright (c) 2024 Kosmos Developers
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

site-cookbooks/kosmos_strfry/README.md

@@ -1,4 +0,0 @@
-kosmos_strfry
-=============
-
-Installs/configures a strfry relay and its reverse proxy config

site-cookbooks/kosmos_strfry/attributes/default.rb

@@ -1,2 +0,0 @@
-node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
-node.default["strfry"]["extras_dir"] = "/opt/strfry"

site-cookbooks/kosmos_strfry/metadata.rb

@@ -1,10 +0,0 @@
-name             'kosmos_strfry'
-maintainer       'Kosmos'
-maintainer_email 'mail@kosmos.org'
-license          'MIT'
-description      'strfry wrapper cookbook'
-long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.1.0'
-
-depends 'kosmos_openresty'
-depends 'deno'

site-cookbooks/kosmos_strfry/recipes/firewall.rb

@@ -1,13 +0,0 @@
-#
-# Cookbook Name:: kosmos_strfry
-# Recipe:: firewall
-#
-
-include_recipe "kosmos-base::firewall"
-
-firewall_rule "strfry" do
-  port     node["strfry"]["port"]
-  source   "10.1.1.0/24"
-  protocol :tcp
-  command  :allow
-end

site-cookbooks/kosmos_strfry/recipes/nginx.rb

@@ -1,29 +0,0 @@
-#
-# Cookbook Name:: kosmos_strfry
-# Recipe:: nginx
-#
-
-domain = node["strfry"]["domain"]
-
-upstream_hosts = []
-search(:node, 'role:strfry').each do |node|
-  upstream_hosts << node['knife_zero']['host']
-end
-if upstream_hosts.empty?
-  Chef::Log.warn("No node found with 'strfry' role. Not configuring nginx site.")
-  return
-end
-
-tls_cert_for domain do
-  auth "gandi_dns"
-  action :create
-end
-
-openresty_site domain do
-  template "nginx_conf_strfry.erb"
-  variables domain: domain,
-            upstream_port: node['strfry']['port'],
-            upstream_hosts: upstream_hosts,
-            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
-            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
-end

site-cookbooks/kosmos_strfry/recipes/policies.rb

@@ -1,83 +0,0 @@
-#
-# Cookbook Name:: kosmos_strfry
-# Recipe:: policies
-#
-
-include_recipe "deno"
-
-#
-# config
-#
-
-ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
-
-extras_dir = node["strfry"]["extras_dir"]
-
-directory extras_dir do
-  owner node["strfry"]["user"]
-  group node["strfry"]["group"]
-  mode "0755"
-end
-
-env = {
-  ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
-  ldap_bind_dn: ldap_credentials["service_dn"],
-  ldap_password: ldap_credentials["service_password"],
-  ldap_search_dn: node["strfry"]["ldap_search_dn"],
-  whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
-}
-
-template "#{extras_dir}/.env" do
-  source 'env.erb'
-  owner node["strfry"]["user"]
-  group node["strfry"]["group"]
-  mode 0600
-  sensitive true
-  variables config: env
-  notifies :restart, "service[strfry]", :delayed
-end
-
-#
-# strfry deno scripts
-#
-
-base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/live/extras/strfry"
-
-remote_file "#{extras_dir}/deno.json" do
-  source "#{base_url}/deno.json"
-  owner node["strfry"]["user"]
-  group node["strfry"]["group"]
-  mode "0644"
-  notifies :restart, "service[strfry]", :delayed
-end
-
-remote_file "#{extras_dir}/deno.lock" do
-  source "#{base_url}/deno.lock"
-  owner node["strfry"]["user"]
-  group node["strfry"]["group"]
-  mode "0644"
-  notifies :restart, "service[strfry]", :delayed
-end
-
-remote_file "#{extras_dir}/strfry-policy.ts" do
-  source "#{base_url}/strfry-policy.ts"
-  owner node["strfry"]["user"]
-  group node["strfry"]["group"]
-  mode "0755"
-  notifies :restart, "service[strfry]", :delayed
-end
-
-remote_file "#{extras_dir}/ldap-policy.ts" do
-  source "#{base_url}/ldap-policy.ts"
-  owner node["strfry"]["user"]
-  group node["strfry"]["group"]
-  mode "0644"
-  notifies :restart, "service[strfry]", :delayed
-end
-
-remote_file "#{extras_dir}/strfry-sync.ts" do
-  source "#{base_url}/strfry-sync.ts"
-  owner node["strfry"]["user"]
-  group node["strfry"]["group"]
-  mode "0644"
-end

site-cookbooks/kosmos_strfry/templates/env.erb

@@ -1,11 +0,0 @@
-<% @config.each do |key, value| %>
-<% if value.is_a?(Hash) %>
-<% value.each do |k, v| %>
-<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
-<% end %>
-<% else %>
-<% if value %>
-<%= key.upcase %>=<%= value.to_s %>
-<% end %>
-<% end %>
-<% end %>

site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb

@@ -1,26 +0,0 @@
-upstream _strfry {
-<% @upstream_hosts.each do |host| %>
-  server <%= host %>:<%= @upstream_port || "7777" %>;
-<% end %>
-}
-
-server {
-  server_name <%= @domain %>;
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
-
-  access_log "/var/log/nginx/<%= @domain %>.access.log";
-  error_log "/var/log/nginx/<%= @domain %>.error.log";
-
-  ssl_certificate     <%= @ssl_cert %>;
-  ssl_certificate_key <%= @ssl_key %>;
-
-  location / {
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_pass http://_strfry;
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
-  }
-}

site-cookbooks/kosmos_website/attributes/default.rb

@@ -1,4 +1,3 @@
-node.default["kosmos_website"]["domain"]       = "kosmos.org"
+node.default["kosmos_website"]["domain"]   = "kosmos.org"
-node.default["kosmos_website"]["repo"]         = "https://gitea.kosmos.org/kosmos/website.git"
+node.default["kosmos_website"]["repo"]     = "https://gitea.kosmos.org/kosmos/website.git"
-node.default["kosmos_website"]["revision"]     = "chore/content"
+node.default["kosmos_website"]["revision"] = "chore/content"
-node.default["kosmos_website"]["accounts_url"] = "https://accounts.kosmos.org"

site-cookbooks/kosmos_website/recipes/default.rb

@@ -23,7 +23,6 @@ end
 openresty_site domain do
   template "nginx_conf_website.erb"
   variables domain: domain,
-            accounts_url: node.default["kosmos_website"]["accounts_url"],
             ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
             ssl_key:  "/etc/letsencrypt/live/#{domain}/privkey.pem"
 end

site-cookbooks/kosmos_website/recipes/redirects.rb

@@ -1,35 +0,0 @@
-#
-# Cookbook:: kosmos_website
-# Recipe:: redirects
-#
-
-redirects = [
-  {
-    domain: "kosmos.chat",
-    target: "https://kosmos.org",
-    http_status: 307
-  },
-  {
-    domain: "kosmos.cash",
-    acme_domain: "letsencrypt.kosmos.org",
-    target: "https://kosmos.org",
-    http_status: 307
-  }
-]
-
-redirects.each do |redirect|
-  tls_cert_for redirect[:domain] do
-    auth "gandi_dns"
-    acme_domain redirect[:acme_domain] unless redirect[:acme_domain].nil?
-    action :create
-  end
-
-  openresty_site redirect[:domain] do
-    template "nginx_conf_redirect.erb"
-    variables domain: redirect[:domain],
-              target: redirect[:target],
-              http_status: redirect[:http_status],
-              ssl_cert: "/etc/letsencrypt/live/#{redirect[:domain]}/fullchain.pem",
-              ssl_key:  "/etc/letsencrypt/live/#{redirect[:domain]}/privkey.pem"
-  end
-end

site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb

@@ -1,20 +0,0 @@
-# Generated by Chef
-
-server {
-  server_name <%= @domain %>;
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
-
-  access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
-  error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
-
-  gzip_static on;
-  gzip_comp_level 5;
-
-  ssl_certificate     <%= @ssl_cert %>;
-  ssl_certificate_key <%= @ssl_key %>;
-
-  location / {
-    return <%= @http_status || 301 %> <%= @target %>;
-  }
-}

site-cookbooks/kosmos_website/templates/nginx_conf_simple.erb

@@ -1,18 +0,0 @@
-# Generated by Chef
-
-server {
-  server_name <%= @domain %>;
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
-
-  root /var/www/<%= @domain %>/public;
-
-  access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
-  error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
-
-  gzip_static on;
-  gzip_comp_level 5;
-
-  ssl_certificate     <%= @ssl_cert %>;
-  ssl_certificate_key <%= @ssl_key %>;
-}

site-cookbooks/kosmos_website/templates/nginx_conf_website.erb

@@ -1,18 +1,9 @@
 # Generated by Chef
 
-server {
-  server_name _;
-  listen 80 default_server;
-
-  location / {
-    return 301 https://<%= @domain %>;
-  }
-}
-
 server {
   server_name <%= @domain %>;
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2 default_server;
+  listen [::]:443 ssl http2;
 
   root /var/www/<%= @domain %>/public;
 
@@ -27,10 +18,8 @@ server {
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
-<% if @accounts_url %>
   location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
     proxy_ssl_server_name on;
     proxy_pass https://accounts.kosmos.org;
   }
-<% end %>
 }

site-cookbooks/remotestorage_discourse/recipes/nginx.rb

@@ -18,7 +18,6 @@ end
 
 tls_cert_for domain do
   auth "gandi_dns"
-  acme_domain "letsencrypt.kosmos.org"
   action :create
 end