Upgrade act_runner

Reviewed-on: #622
Reviewed-by: Râu Cao <raucao@kosmos.org>

clients/garage-12.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-12",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9GtHHi298BjiIqpZ3WkT\nkYAPfWD60hFe/8icYcq/F/6cHLYKZQ4chek9X/hDCMq4tHEN6Oh58T5x/nuNdPrK\nIAMGyVAGk6ekWlmD4jwdEf6TGb/J3ffJTRDvwX/I8xD/DW3wtXsN+X24T59ByGTm\nrnwRmmmwHF3otRx9wnCsIgDQ0AjiUujsfNNv1FcLXD/WJLys9lEeU5aJ4XtHTwDv\ntJM8YyVEFhEnuvgdKmzn5+F5k9VGdUwForlFOBfvzbCnTZMDMmDVeiUtAUv/7xWQ\nQl2mLUGCtgWuYJYXsQacAJ6pa3h+7cQyshC6w3dwUG+1fS9lNO0Yp1GGX1AGYKpp\nPQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-13.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-13",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvbqWc6OwRxgHfsQuTNL4\naxeVvNen5d9srYpZSHjuBB/k9NHB+9P6vU5qF37XHkw1lVUGeYbPHzhYsx3O0/kZ\nH5f4+4SMy/P9jc6SE7AJF4qtYKgJ88koZdqCww07c6K9g+BnEGFFZui/h3hUBxWj\nTfhBHEWPyQ2bl/lr9sIJwsEz+EN0isGn/eIXkmw9J6LdLJ5Q0LLks33K28FNOU7q\nfeAN4MiBVMUtgCGyT2Voe6WrOXwQLSDXQONOp3sfSfFExsIJ1s24xdd7AMD7/9a7\n4sFDZ4swhqAWgWmW2giR7Kb8wTvGQLO/O/uUbmKz3DZXgkOKXHdHCEB/PZx1mRNM\nEwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-14.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-14",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqNY8AuaM4byhaTZacfRJ\nv/qyHxcDJOMX/ElF1H908spdbB2ZiLXHOH1Ucw1d+NV6/QUtWk+ikKFPpasnatD7\nmjE57noH+H47Rll0nD7oT+in+fOBDHF9R0P6/qyRSdJbJkHOh0iC0MG4LcUfv0AY\nnVBW5iLZSe/PC3+PvhCv7yrx3ikSs0mg1ZWppw0ka5Ek3ZCZp5FB4L6++GYWpM+1\n6YI0CjMoRcXsaEQsJWhxHXT8/KDhW0BR8woZUGm0/Yn4teLYJzioxRfBep3lbygx\nOIsDN9IJzo2zVTGPDZQLXhVemIhzaepqTC77ibH7F0gN/1vsQBc/qf7UhbwaF4rR\ndQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-7.json

@@ -1,4 +0,0 @@
-{
-  "name": "postgres-7",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/postgres-9.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-9",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2dcE9HH0r5TBb/FGj2+e\nOw8ssoxeB61JmR4/psdZ6oPR08gxyqOY0ODziCmyIdXwFhjIcC44HjxCbcB8TU8G\nWGqlmfqWWIJW0x/2xOycHobAWDn5fC5ttTXkR3HC1TutX/2mH26mtfz9UjNdPaTo\nVZFMcxeaBCFSNlYC7hPUQ5f/qBdhhpLxP9uyzU+YFPqtwLP7g8EAUQObM4L+m6Q8\nqE7xgYpnhgaNrPsmvaVuoNylMGwyK0j1whOkcik8UgLprD70ISNSNxxcLehbvA3G\nPQPQRRuFF36fu2gECWGopbrFKwQGNfgJguQoXM1RQZQMQqWHPS933k5i6bi5pnhp\nzwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

doc/mastodon.md

@@ -0,0 +1,15 @@
+# Mastodon
+
+Running on kosmos.social
+
+## Ops
+
+### Enable maintance mode
+
+Return a 503 and maintance page for all requests:
+
+    knife ssh -p2222 -a knife_zero.host "role:openresty_proxy" "sudo cp -p /var/www/maintenance.html /var/www/kosmos.social/public/ && sudo systemctl reload openresty"
+
+### Stop maintenance mode
+
+    knife ssh -p2222 -a knife_zero.host "role:openresty_proxy" "sudo rm /var/www/kosmos.social/public/maintenance.html && sudo systemctl reload openresty"

nodes/akkounts-1.json

@@ -9,7 +9,7 @@
   "automatic": {
     "fqdn": "akkounts-1",
     "os": "linux",
-    "os_version": "5.4.0-216-generic",
+    "os_version": "5.4.0-223-generic",
     "hostname": "akkounts-1",
     "ipaddress": "192.168.122.160",
     "roles": [

nodes/draco.kosmos.org.json

@@ -12,6 +12,7 @@
     },
     "openresty": {
       "listen_ip": "148.251.237.111",
+      "listen_ipv6": "2a01:4f8:202:804a::2",
       "log_formats": {
         "json": "{\"ip\":\"$remote_addr\",\"time\":\"$time_local\",\"host\":\"$host\",\"method\":\"$request_method\",\"uri\":\"$uri\",\"status\":$status,\"size\":$body_bytes_sent,\"referer\":\"$http_referer\",\"upstream_addr\":\"$upstream_addr\",\"upstream_response_time\":\"$upstream_response_time\",\"ua\":\"$http_user_agent\"}"
       }
@@ -81,6 +82,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/ejabberd-4.json

@@ -37,6 +37,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/ejabberd-8.json

@@ -37,6 +37,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/fornax.kosmos.org.json

@@ -75,6 +75,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/garage-12.json

@@ -0,0 +1,65 @@
+{
+  "name": "garage-12",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.224"
+    }
+  },
+  "automatic": {
+    "fqdn": "garage-12",
+    "os": "linux",
+    "os_version": "5.15.0-1059-kvm",
+    "hostname": "garage-12",
+    "ipaddress": "192.168.122.173",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "garage_node"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::journald_conf",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.7.10",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.5",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[garage_node]"
+  ]
+}

nodes/garage-13.json

@@ -0,0 +1,65 @@
+{
+  "name": "garage-13",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.179"
+    }
+  },
+  "automatic": {
+    "fqdn": "garage-13",
+    "os": "linux",
+    "os_version": "5.15.0-1059-kvm",
+    "hostname": "garage-13",
+    "ipaddress": "192.168.122.27",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "garage_node"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::journald_conf",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.7.10",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.5",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[garage_node]"
+  ]
+}

nodes/garage-14.json

@@ -0,0 +1,64 @@
+{
+  "name": "garage-14",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.157"
+    }
+  },
+  "automatic": {
+    "fqdn": "garage-14",
+    "os": "linux",
+    "os_version": "5.15.0-1059-kvm",
+    "hostname": "garage-14",
+    "ipaddress": "192.168.122.251",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "garage_node"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.8.54",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.8.54/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.8",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.8/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[garage_node]"
+  ]
+}

nodes/gitea-2.json

@@ -50,13 +50,6 @@
       "postfix::sasl_auth",
       "hostname::default",
       "firewall::default",
-      "kosmos_gitea::compile_from_source",
-      "git::default",
-      "git::package",
-      "kosmos-nodejs::default",
-      "nodejs::nodejs_from_package",
-      "nodejs::repo",
-      "golang::default",
       "backup::default",
       "logrotate::default"
     ],

nodes/postgres-9.json

@@ -1,17 +1,17 @@
 {
-  "name": "postgres-7",
+  "name": "postgres-9",
   "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.134"
+      "host": "10.1.1.3"
     }
   },
   "automatic": {
-    "fqdn": "postgres-7",
+    "fqdn": "postgres-9",
     "os": "linux",
-    "os_version": "5.4.0-1123-kvm",
-    "hostname": "postgres-7",
-    "ipaddress": "192.168.122.89",
+    "os_version": "5.15.0-1059-kvm",
+    "hostname": "postgres-9",
+    "ipaddress": "192.168.122.64",
     "roles": [
       "base",
       "kvm_guest",
@@ -41,17 +41,17 @@
       "hostname::default"
     ],
     "platform": "ubuntu",
-    "platform_version": "20.04",
+    "platform_version": "22.04",
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "version": "18.8.54",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.8.54/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "version": "18.2.8",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.8/lib/ohai"
       }
     }
   },

nodes/wiki-1.json

@@ -28,6 +28,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",
@@ -66,12 +67,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "15.13.8",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.13.8/lib"
+        "version": "18.7.10",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_effortless": null
       },
       "ohai": {
-        "version": "15.12.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
+        "version": "18.2.5",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
       }
     }
   },

roles/gitea.rb

@@ -8,8 +8,8 @@ run_list %w(
 
 override_attributes(
   "gitea" => {
-    "repo" => "https://github.com/67P/gitea.git",
-    "revision" => "ldap_sync",
+    # "repo" => "https://github.com/67P/gitea.git",
+    # "revision" => "ldap_sync",
     "log" => { "level" => "Info" }
   },
 )

site-cookbooks/discourse/templates/nginx_conf.erb

@@ -8,8 +8,8 @@ upstream _<%= @upstream_name %> {
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
   server_name <%= @server_name %>;
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb

@@ -11,7 +11,7 @@ proxy_cache_path <%= node[:openresty][:cache_dir] %>/akkounts levels=1:2
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @domain %>;
 
   if ($host != $server_name) {

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb

@@ -7,7 +7,7 @@ upstream _akkounts_api {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @domain %>;
 
   ssl_certificate     <%= @ssl_cert %>;

site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb

@@ -1,52 +0,0 @@
-#
-# Cookbook Name:: kosmos-base
-# Recipe:: andromeda_firewall
-#
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-# Temporary extra rules for Andromeda
-
-firewall_rule 'bitcoind' do
-  port     [8333, 8334, 8335]
-  protocol :tcp
-  command  :allow
-end
-
-firewall_rule 'lnd' do
-  port     [9736]
-  # port     [9736, 8002]
-  protocol :tcp
-  command  :allow
-end
-
-firewall_rule 'lightningd' do
-  port     [9735]
-  protocol :tcp
-  command  :allow
-end
-
-firewall_rule 'spark_wallet' do
-  port     8008
-  protocol :tcp
-  command  :allow
-end

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '29.0'
-node.default['bitcoin']['checksum']  = '882c782c34a3bf2eacd1fae5cdc58b35b869883512f197f7d6dc8f195decfdaa'
+node.default['bitcoin']['version']   = '30.0'
+node.default['bitcoin']['checksum']  = '9b472a4d51dfed9aa9d0ded2cb8c7bcb9267f8439a23a98f36eb509c1a5e6974'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'

site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb

@@ -43,7 +43,7 @@ bash "compile_bitcoin-core" do
   cwd "/usr/local/bitcoind"
   environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
   code <<-EOH
-    cmake -B build --toolchain depends/x86_64-pc-linux-gnu/toolchain.cmake
+    cmake -B build --toolchain depends/x86_64-pc-linux-gnu/toolchain.cmake -DBUILD_TESTS=OFF
     cmake --build build -j $(($(nproc)/2))
     cmake --install build
   EOH

site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb

@@ -21,6 +21,7 @@ bash 'build_btcpay' do
     systemctl stop btcpayserver.service
     ./build.sh
   EOH
+  environment "DOTNET_CLI_TELEMETRY_OPTOUT" => 1
   action :nothing
   notifies :restart, "service[btcpayserver]", :delayed
 end
@@ -87,7 +88,7 @@ systemd_unit 'btcpayserver.service' do
       Group: node['bitcoin']['usergroup'],
       Type: 'simple',
       WorkingDirectory: node['btcpay']['source_dir'],
-      Environment: defined?(nbxpg_connect) ? "'BTCPAY_EXPLORERPOSTGRES=#{nbxpg_connect}'" : '',
+      Environment: "'BTCPAY_EXPLORERPOSTGRES=#{nbxpg_connect}' 'DOTNET_CLI_TELEMETRY_OPTOUT=1'",
       ExecStart: "#{node['btcpay']['source_dir']}/run.sh --conf=#{node['btcpay']['config_path']}",
       PIDFile: '/run/btcpayserver/btcpayserver.pid',
       Restart: 'on-failure',
@@ -103,6 +104,8 @@ systemd_unit 'btcpayserver.service' do
   verify false
   triggers_reload true
   action [:create]
+  # reload is not applicable
+  notifies :restart, "service[btcpayserver]", :delayed
 end
 
 service "btcpayserver" do

site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb

@@ -49,7 +49,7 @@ server {
   client_max_body_size 100M;
   server_name <%= @server_name %>;
   listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log <%= node[:nginx][:log_dir] %>/btcpayserver.access.log json;
   error_log <%= node[:nginx][:log_dir] %>/btcpayserver.error.log warn;

site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb

@@ -7,7 +7,7 @@ upstream _lndhub {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   add_header Strict-Transport-Security "max-age=15768000";

site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb

@@ -49,7 +49,7 @@ server {
   server_name <%= @server_name %>;
   <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
   listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   <% else -%>
   listen 80;
   <% end -%>

site-cookbooks/kosmos-ejabberd/attributes/default.rb

@@ -1,6 +1,6 @@
-node.default["ejabberd"]["version"] = "23.10"
+node.default["ejabberd"]["version"] = "25.08"
 node.default["ejabberd"]["package_version"] = "1"
-node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77"
+node.default["ejabberd"]["checksum"] = "e4703bc41b5843fc4b76e8b54a9380d5895f9b3dcd4795e05ad0c260ed9b9a23"
 node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org"
 node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org"
 node.default["ejabberd"]["stun_turn_port"] = 3478

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -65,15 +65,13 @@ file "/opt/ejabberd/.hosts.erlang" do
   content ejabberd_hostnames.map{|h| "#{h}."}.join("\n")
 end
 
-ruby_block "configure ERLANG_NODE" do
-  block do
-    file = Chef::Util::FileEdit.new("/opt/ejabberd/conf/ejabberdctl.cfg")
-    file.search_file_replace_line(
-      %r{#ERLANG_NODE=ejabberd@localhost},
-      "ERLANG_NODE=ejabberd@#{node['name']}"
-    )
-    file.write_file
-  end
+template "/opt/ejabberd/conf/ejabberdctl.cfg" do
+  source    "ejabberdctl.cfg.erb"
+  mode      0644
+  owner     'ejabberd'
+  group     'ejabberd'
+  variables epmd_node_name: "ejabberd@#{node['name']}"
+  notifies :reload, "service[ejabberd]", :delayed
 end
 
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
@@ -225,10 +223,3 @@ end
 unless node.chef_environment == "development"
   include_recipe "kosmos-ejabberd::firewall"
 end
-
-firewall_rule 'ejabberd_http' do
-  port     [80]
-  source   "10.1.1.0/24"
-  protocol :tcp
-  command  :allow
-end

site-cookbooks/kosmos-ejabberd/recipes/firewall.rb

@@ -35,3 +35,10 @@ firewall_rule 'ejabberd_turn' do
   protocol :udp
   command  :allow
 end
+
+firewall_rule 'ejabberd_http' do
+  port     [80]
+  source   "10.1.1.0/24"
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -1,10 +1,11 @@
-loglevel: 4
-
 log_rotate_size: 10485760
-log_rotate_date: ""
 log_rotate_count: 1
 
-log_rate_limit: 100
+loglevel: info
+hide_sensitive_log_data: true
+
+log_modules_fully:
+  - mod_s3_upload
 
 hosts:
 <% @hosts.each do |host| -%>
@@ -95,6 +96,8 @@ auth_method: sql
 
 default_db: sql
 
+update_sql_schema: true
+
 shaper:
   normal:
     rate: 3000
@@ -119,6 +122,15 @@ acl:
       - "::1/128"
       - "::FFFF:127.0.0.1/128"
 
+api_permissions:
+  "webadmin commands":
+    who:
+      - admin
+    from:
+      - ejabberd_web_admin
+    what:
+      - "*"
+
 shaper_rules:
   max_user_sessions: 10
   max_user_offline_messages:

site-cookbooks/kosmos-ejabberd/templates/ejabberdctl.cfg.erb

@@ -0,0 +1,175 @@
+#
+# In this file you can configure options that are passed by ejabberdctl
+# to the erlang runtime system when starting ejabberd
+#
+
+#' POLL: Kernel polling ([true|false])
+#
+# The kernel polling option requires support in the kernel.
+# Additionally, you need to enable this feature while compiling Erlang.
+#
+# Default: true
+#
+#POLL=true
+
+#.
+#' SMP: SMP support ([enable|auto|disable])
+#
+# Explanation in Erlang/OTP documentation:
+# enable: starts the Erlang runtime system with SMP support enabled.
+#   This may fail if no runtime system with SMP support is available.
+# auto: starts the Erlang runtime system with SMP support enabled if it
+#   is available and more than one logical processor are detected.
+# disable: starts a runtime system without SMP support.
+#
+# Default: enable
+#
+#SMP=enable
+
+#.
+#' ERL_MAX_PORTS: Maximum number of simultaneously open Erlang ports
+#
+# ejabberd consumes two or three ports for every connection, either
+# from a client or from another Jabber server. So take this into
+# account when setting this limit.
+#
+# Default: 32000
+# Maximum: 268435456
+#
+#ERL_MAX_PORTS=32000
+
+#.
+#' FIREWALL_WINDOW: Range of allowed ports to pass through a firewall
+#
+# If Ejabberd is configured to run in cluster, and a firewall is blocking ports,
+# it's possible to make Erlang use a defined range of port (instead of dynamic
+# ports) for node communication.
+#
+# Default: not defined
+# Example: 4200-4210
+#
+FIREWALL_WINDOW=4200-4210
+
+#.
+#' INET_DIST_INTERFACE: IP address where this Erlang node listens other nodes
+#
+# This communication is used by ejabberdctl command line tool,
+# and in a cluster of several ejabberd nodes.
+#
+# Default: 0.0.0.0
+#
+#INET_DIST_INTERFACE=127.0.0.1
+
+#.
+#' ERL_EPMD_ADDRESS: IP addresses where epmd listens for connections
+#
+# IMPORTANT: This option works only in Erlang/OTP R14B03 and newer.
+#
+# This environment variable may be set to a comma-separated
+# list of IP addresses, in which case the epmd daemon
+# will listen only on the specified address(es) and on the
+# loopback address (which is implicitly added to the list if it
+# has not been specified). The default behaviour is to listen on
+# all available IP addresses.
+#
+# Default: 0.0.0.0
+#
+#ERL_EPMD_ADDRESS=127.0.0.1
+
+#.
+#' ERL_PROCESSES: Maximum number of Erlang processes
+#
+# Erlang consumes a lot of lightweight processes. If there is a lot of activity
+# on ejabberd so that the maximum number of processes is reached, people will
+# experience greater latency times. As these processes are implemented in
+# Erlang, and therefore not related to the operating system processes, you do
+# not have to worry about allowing a huge number of them.
+#
+# Default: 250000
+# Maximum: 268435456
+#
+#ERL_PROCESSES=250000
+
+#.
+#' ERL_MAX_ETS_TABLES: Maximum number of ETS and Mnesia tables
+#
+# The number of concurrent ETS and Mnesia tables is limited. When the limit is
+# reached, errors will appear in the logs:
+#   ** Too many db tables **
+# You can safely increase this limit when starting ejabberd. It impacts memory
+# consumption but the difference will be quite small.
+#
+# Default: 1400
+#
+#ERL_MAX_ETS_TABLES=1400
+
+#.
+#' ERL_OPTIONS: Additional Erlang options
+#
+# The next variable allows to specify additional options passed to erlang while
+# starting ejabberd. Some useful options are -noshell, -detached, -heart. When
+# ejabberd is started from an init.d script options -noshell and -detached are
+# added implicitly. See erl(1) for more info.
+#
+# It might be useful to add "-pa /usr/local/lib/ejabberd/ebin" if you
+# want to add local modules in this path.
+#
+# Default: ""
+#
+#ERL_OPTIONS=""
+
+#.
+#' ERLANG_NODE: Erlang node name
+#
+# The next variable allows to explicitly specify erlang node for ejabberd
+# It can be given in different formats:
+# ERLANG_NODE=ejabberd
+#   Lets erlang add hostname to the node (ejabberd uses short name in this case)
+# ERLANG_NODE=ejabberd@hostname
+#   Erlang uses node name as is (so make sure that hostname is a real
+#   machine hostname or you'll not be able to control ejabberd)
+# ERLANG_NODE=ejabberd@hostname.domainname
+#   The same as previous, but erlang will use long hostname
+#   (see erl (1) manual for details)
+#
+# Default: ejabberd@localhost
+#
+ERLANG_NODE=<%= @epmd_node_name %>
+
+#.
+#' EJABBERD_PID_PATH: ejabberd PID file
+#
+# Indicate the full path to the ejabberd Process identifier (PID) file.
+# If this variable is defined, ejabberd writes the PID file when starts,
+# and deletes it when stops.
+# Remember to create the directory and grant write permission to ejabberd.
+#
+# Default: don't write PID file
+#
+#EJABBERD_PID_PATH=/var/run/ejabberd/ejabberd.pid
+
+#.
+#' CONTRIB_MODULES_PATH: contributed ejabberd modules path
+#
+# Specify the full path to the contributed ejabberd modules. If the path is not
+# defined, ejabberd will use ~/.ejabberd-modules in home of user running ejabberd.
+#
+# Default: $HOME/.ejabberd-modules
+#
+#CONTRIB_MODULES_PATH=/opt/ejabberd-modules
+
+#.
+#' CONTRIB_MODULES_CONF_DIR: configuration directory for contributed modules
+#
+# Specify the full path to the configuration directory for contributed ejabberd
+# modules. In order to configure a module named mod_foo, a mod_foo.yml file can
+# be created in this directory. This file will then be used instead of the
+# default configuration file provided with the module.
+#
+# Default: $CONTRIB_MODULES_PATH/conf
+#
+#CONTRIB_MODULES_CONF_DIR=/etc/ejabberd/modules
+
+#.
+#'
+# vim: foldmarker=#',#. foldmethod=marker:

site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb

@@ -3,7 +3,7 @@
 
 server {
   listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   ssl_certificate     <%= @ssl_cert %>;

site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb

@@ -7,7 +7,7 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   add_header Strict-Transport-Security "max-age=15768000";

site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb

@@ -12,7 +12,7 @@ upstream _ipfs_api {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log /var/log/nginx/<%= @server_name %>.access.log;
   error_log  /var/log/nginx/<%= @server_name %>.error.log;

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb

@@ -21,7 +21,7 @@ proxy_cache_path /var/cache/nginx/mastodon levels=1:2
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
   include <%= @shared_config_path %>;
 

site-cookbooks/kosmos-mediawiki/metadata.rb

@@ -3,7 +3,6 @@ maintainer       'Kosmos'
 maintainer_email 'mail@kosmos.org'
 license          'MIT'
 description      'Installs/Configures kosmos-mediawiki'
-long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version          '0.3.1'
 
 depends "mediawiki"

site-cookbooks/kosmos-mediawiki/recipes/default.rb

@@ -1,9 +1,9 @@
 #
-# Cookbook Name:: kosmos-mediawiki
-# Recipe:: default
+# Cookbook:: kosmos-mediawiki
+# Recipe:: default.rb
 #
 
-include_recipe 'apt'
+apt_update
 include_recipe 'ark'
 include_recipe 'composer'
 
@@ -11,15 +11,15 @@ apt_package 'imagemagick'
 
 server_name = 'wiki.kosmos.org'
 
-node.override['mediawiki']['version']         = "1.34.2"
-node.override['mediawiki']['webdir']          = "#{node['mediawiki']['docroot_dir']}/mediawiki-#{node['mediawiki']['version']}"
+node.override['mediawiki']['version'] = "1.34.2"
+node.override['mediawiki']['webdir'] = "#{node['mediawiki']['docroot_dir']}/mediawiki-#{node['mediawiki']['version']}"
 node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz"
-node.override['mediawiki']['tarball']['url']  = "https://releases.wikimedia.org/mediawiki/1.34/#{node['mediawiki']['tarball']['name']}"
-node.override['mediawiki']['language_code']   = 'en'
-node.override['mediawiki']['server_name']     = server_name
-node.override['mediawiki']['site_name']       = 'Kosmos Wiki'
+node.override['mediawiki']['tarball']['url'] = "https://releases.wikimedia.org/mediawiki/1.34/#{node['mediawiki']['tarball']['name']}"
+node.override['mediawiki']['language_code'] = 'en'
+node.override['mediawiki']['server_name'] = server_name
+node.override['mediawiki']['site_name'] = 'Kosmos Wiki'
 protocol = node.chef_environment == "development" ? "http" : "https"
-node.override['mediawiki']['server']          = "#{protocol}://#{server_name}"
+node.override['mediawiki']['server'] = "#{protocol}://#{server_name}"
 mysql_credentials = data_bag_item('credentials', 'mysql')
 mediawiki_credentials = data_bag_item('credentials', 'mediawiki')
 
@@ -30,14 +30,14 @@ directory "#{node['mediawiki']['webdir']}/skins/common/images" do
   owner node['nginx']['user']
   group node['nginx']['group']
   recursive true
-  mode 0750
+  mode "750"
 end
 
 cookbook_file "#{node['mediawiki']['webdir']}/skins/common/images/kosmos.png" do
   source 'kosmos.png'
   owner node['nginx']['user']
   group node['nginx']['group']
-  mode 0640
+  mode "640"
 end
 
 directory "#{node['mediawiki']['webdir']}/.well-known/acme-challenge" do
@@ -80,14 +80,14 @@ nginx_certbot_site server_name
 # Extensions
 #
 
-mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
+mediawiki_credentials = data_bag_item('credentials', 'mediawiki')
 
 #
 # MediawikiHubot extension
 #
 
 # requires curl extension
-if platform?('ubuntu') && node[:platform_version].to_f < 16.04
+if platform?('ubuntu') && node["platform_version"].to_f < 16.04
   package "php5-curl"
 else
   package "php-curl"
@@ -100,7 +100,7 @@ ark "MediawikiHubot" do
   action :cherry_pick
 end
 
-hubot_credentials = Chef::EncryptedDataBagItem.load('credentials', 'hal8000_xmpp')
+hubot_credentials = data_bag_item('credentials', 'hal8000_xmpp')
 webhook_token = hubot_credentials['webhook_token']
 
 template "#{node['mediawiki']['webdir']}/extensions/MediawikiHubot/DefaultConfig.php" do
@@ -145,7 +145,7 @@ end
 
 ruby_block "configuration" do
   block do
-    # FIXME This is internal Chef API and should not be used from recipes, as
+    # FIXME: This is internal Chef API and should not be used from recipes, as
     # it is unsupported for that
     file = Chef::Util::FileEdit.new("#{node['mediawiki']['webdir']}/LocalSettings.php")
     file.search_file_replace_line(%r{\$wgLogo\ =\ \"\$wgResourceBasePath\/resources\/assets\/wiki.png\";},
@@ -235,7 +235,7 @@ wfLoadExtension( 'LDAPAuthentication2' );
 $wgGroupPermissions['*']['createaccount'] = false;
 $wgGroupPermissions['*']['autocreateaccount'] = true;
                                  EOF
-                                 )
+      )
 
       file.write_file
     end
@@ -247,9 +247,7 @@ end
 #
 
 file "#{node['mediawiki']['webdir']}/composer.local.json" do
-  requires = { "require": {
-    "mediawiki/mermaid": "~1.0"
-  }}.to_json
+  requires = { "require": { "mediawiki/mermaid": "~1.0" } }.to_json
   content requires
   owner node['nginx']['user']
   group node['nginx']['group']

site-cookbooks/kosmos_assets/templates/nginx_conf_assets.erb

@@ -3,7 +3,7 @@
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @domain %>;
 
   root /var/www/<%= @domain %>/site;

site-cookbooks/kosmos_discourse/templates/nginx_conf.erb

@@ -9,7 +9,7 @@ upstream _discourse {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_drone/templates/nginx_conf.erb

@@ -8,7 +8,7 @@ upstream _drone {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb

@@ -4,7 +4,7 @@ upstream garage_s3 {
 
 server {
   listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen [::]:443 http2 ssl;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb

@@ -1,6 +1,6 @@
 server {
   listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen [::]:443 http2 ssl;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   server_name <%= @server_name %>;
 

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default["gitea"]["version"] = "1.23.8"
-node.default["gitea"]["checksum"] = "827037e7ca940866918abc62a7488736923396c467fcb4acd0dd9829bb6a6f4c"
+node.default["gitea"]["version"] = "1.25.4"
+node.default["gitea"]["checksum"] = "a3031853e67c53714728ef705642c9046a11fb0ea356aff592e23efe6114607d"
 node.default["gitea"]["repo"] = nil
 node.default["gitea"]["revision"] = nil
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
@@ -22,5 +22,5 @@ node.default["gitea"]["config"] = {
   }
 }
 
-node.default["gitea"]["act_runner"]["version"] = "0.2.6"
-node.default["gitea"]["act_runner"]["checksum"] = "234c2bdb871e7b0bfb84697f353395bfc7819faf9f0c0443845868b64a041057"
+node.default["gitea"]["act_runner"]["version"] = "0.2.13"
+node.default["gitea"]["act_runner"]["checksum"] = "3acac8b506ac8cadc88a55155b5d6378f0fab0b8f62d1e0c0450f4ccd69733e2"

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -129,7 +129,7 @@ template "/etc/systemd/system/gitea.service" do
             git_home_directory: git_home_directory,
             config_directory: config_directory,
             gitea_binary_path: gitea_binary_path
-  notifies :run, "execute[systemctl daemon-reload]", :delayed
+  notifies :run, "execute[systemctl daemon-reload]", :immediately
 end
 
 service "gitea" do

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb

@@ -4,5 +4,6 @@ upstream _gitea_ssh {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>22;
+  listen [::]:22;
   proxy_pass _gitea_ssh;
 }

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb

@@ -6,7 +6,7 @@ upstream _gitea_web {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_kvm/README.md

@@ -1,4 +1,14 @@
 # kosmos_kvm
 
-TODO: Enter the cookbook description here.
+## Create a new VM
 
+A script is deployed by the `host` recipe to `/usr/local/sbin/create_vm`
+
+### Usage
+
+```
+create_vm VMNAME RAM CPUS DISKSIZE
+```
+
+* `RAM` in megabytes
+* `DISKSIZE` in gigabytes, defaults to 10

site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb

@@ -12,7 +12,7 @@ upstream _<%= @app_name %> {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log; # TODO json_liquor_cabinet;

site-cookbooks/kosmos_openresty/attributes/default.rb

@@ -0,0 +1 @@
+node.default["openresty"]["listen_ipv6"] = "::"

site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb

@@ -6,7 +6,7 @@ upstream _<%= @upstream_name %> {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   server_name <%= @domain %>;
 

site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb

@@ -13,7 +13,7 @@ upstream _substr {
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log "/var/log/nginx/<%= @domain %>.access.log";
   error_log "/var/log/nginx/<%= @domain %>.error.log";
@@ -25,7 +25,7 @@ server {
     alias /var/www/assets.kosmos.org/site/img/favicon.ico;
   }
 
-  location ~* ^/[@~n]|^/assets {
+  location ~ ^/(?:@|~|npub|naddr|nprofile|assets/) {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_pass http://_substr;

site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb

@@ -3,7 +3,7 @@
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
   error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;

site-cookbooks/kosmos_website/templates/nginx_conf_simple.erb

@@ -3,7 +3,7 @@
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   root /var/www/<%= @domain %>/public;
 

site-cookbooks/kosmos_website/templates/nginx_conf_website.erb

@@ -3,6 +3,7 @@
 server {
   server_name _;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80 default_server;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:80 default_server;
 
   location / {
     return 301 https://<%= @domain %>;
@@ -12,7 +13,7 @@ server {
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
-  listen [::]:443 ssl http2 default_server;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2 default_server;
 
   if ($host != $server_name) {
     return 307 $scheme://$server_name;

site-cookbooks/kredits-github/templates/default/nginx_conf.erb

@@ -5,8 +5,8 @@ upstream _<%= @app_name %> {
 
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log json;

site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb

@@ -8,7 +8,7 @@ upstream _rs_discourse {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;