WIP Prepare postgres for migration by replication

Upgrade WAL config for PG14
Refactor postgres server recipes/resource
2026-04-08 15:41:56 +04:00 · 2026-04-08 15:41:13 +04:00 · 2026-04-08 15:41:10 +04:00 · 2026-04-07 16:56:01 +04:00 · 2026-04-07 16:53:43 +04:00 · 2026-04-07 16:53:09 +04:00
67 changed files with 732 additions and 166 deletions
--- a/clients/garage-14.json
+++ b/clients/garage-14.json
@@ -0,0 +1,4 @@
 {
  "name": "garage-14",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAypINv1zTZ7+pyT0iRhik\n0W70ASYADo7qK7QyE9/3nu2sUrP1IjoNFsv/ceKwicH7Fw2Ei1o+yKZlKn7zJzY7\n93YRZndF04VH2bmqy0uOWK0Bdat7gCld5bvS6FmRflg7g64LFb33/64QIVsVGHGL\nYF2TO//x79t9JKcQDa4h5MOWzJNTFuEcUGa0gJjMYpWGVHEJSgRuIgyhXmyIJJgY\nguj6ymTm5+3VS7NzoNy2fbTt1LRpHb5UWrCR15oiLZiDSMLMx0CcGOCmrhvODi4k\n0umw+2NPd1G50s9z7KVbTqybuQ65se2amRnkVcNfaBIU5qk9bVqcmhZlEozmBZCd\ndwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-15.json
+++ b/clients/garage-15.json
@@ -0,0 +1,4 @@
 {
  "name": "garage-15",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy14sTt5gxVZi9C3KIEBu\nDyUgbb6jc3/GR22fNPTqV6uDHhxzhE2UsYwY/7yuA1RasdwHEOBWZaoC0Om5/Zmi\n8gn6//v1ILyLNaAcw+SQcxZkCN8Sk/0atRS9HYk1agE8Mvh72Fe2z3l+92VMefy7\nJwJUNNBTbnV2WVCchChoWnfhI7bkSLSHp0M2MO2pI+lkpSdmfkJSa5z9zihgxKO8\nXfvhryDCZNvfRVHhwc+ffpap0gLF0H9riGKE4FwLy4YqbuW1Tgm6bObb9bpOIw6Q\nVfH3kC/KMK5FlnxGmYtDkhRJ/wjGInRBk9WK/QOmjyd2FVxipEQmA4RdjlznRC9I\nrwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/leo.json
+++ b/clients/leo.json
@@ -0,0 +1,4 @@
 {
  "name": "leo",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnFfQsJnREjbXTtpT6BVt\naBaUzRmCQi8Du0TzeUG0ENrY0p5Exqleye2rC6bJlB3PER1xr5zdtuXLgbcVumIb\nzroU5JPtFbQk7r/pj0atT+UEYzl16iuEpprQ/bug+f0nE514USr6YG4G+tlZ/jBI\nSHsCQF1P8ufXFLW0ewC7rdvBkgA+DwK14naRxS4jO5MSl4wmNTjs/jymTg508mQq\nf5tG52t8qFdgn9pRdBXmyTpPtwK7I4rZ+1Qn+1E5m4oQUZsxh8Ba1bGbKotVO7Ua\nYL1yCGx7zRRUvLLIdSMvlRXTJBUSQtQ8P4QUDWTY1Na2w3t9sulKg2Lwsw8tktvC\nCwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-10.json
+++ b/clients/postgres-10.json
@@ -0,0 +1,4 @@
 {
  "name": "postgres-10",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2oBb5omC7ZionWhudgFm\n2NGcRXsI0c7+g1+0duaxj5dziaRTltqzpRJTfiJD6R36FcvEqwGc+qQgYSMzc1Xd\nY4OTvJFIDiFAmROm/DZYgFtTDldVNJZO2bbU3COYf/Z2Poq56gC4zLLd/zf6shgb\n2Mty8PlQ82JJAY9EMI3aAifdnZ1k/g4weFC4LFg9lUcNNXOwlAjp//LJ3ku3aY1r\nwW74msSeWEjE44YZdWyMYgM7Fy1hz5giHFQtRdOLemRCWQ8h26wn/cmWld7lsLg+\nlYqxokxWXGv8r5zR8kDTBkd0dxY7ZMbo7oESY4Uhuf4UReMe2ZGHto1E7w3llSj+\n7wIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-7.json
+++ b/clients/postgres-7.json
@@ -1,4 +0,0 @@
 {
  "name": "postgres-7",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-9.json
+++ b/clients/postgres-9.json
@@ -0,0 +1,4 @@
 {
  "name": "postgres-9",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2dcE9HH0r5TBb/FGj2+e\nOw8ssoxeB61JmR4/psdZ6oPR08gxyqOY0ODziCmyIdXwFhjIcC44HjxCbcB8TU8G\nWGqlmfqWWIJW0x/2xOycHobAWDn5fC5ttTXkR3HC1TutX/2mH26mtfz9UjNdPaTo\nVZFMcxeaBCFSNlYC7hPUQ5f/qBdhhpLxP9uyzU+YFPqtwLP7g8EAUQObM4L+m6Q8\nqE7xgYpnhgaNrPsmvaVuoNylMGwyK0j1whOkcik8UgLprD70ISNSNxxcLehbvA3G\nPQPQRRuFF36fu2gECWGopbrFKwQGNfgJguQoXM1RQZQMQqWHPS933k5i6bi5pnhp\nzwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/data_bags/credentials/gandi_api.json
+++ b/data_bags/credentials/gandi_api.json
@@ -1,23 +1,16 @@
 {
  "id": "gandi_api",
  "key": {
    "encrypted_data": "lU7/xYTmP5Sb6SsK5TNNIyegWozzBtUzpg7oDdl6gcz9FEMmG2ft0Ljh5Q==\n",
    "iv": "EZPQD3C+wsP/mBhF\n",
    "auth_tag": "vF9E8Pj4Z8quJJdOMg/QTw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "access_token": {
-    "encrypted_data": "1Uw69JkNrmb8LU/qssuod1SlqxxrWR7TJQZeeivRrNzrMIVTEW/1uwJIYL6b\nM4GeeYl9lIRlMMmLBkc=\n",
+    "encrypted_data": "+skwxHnpAj/3d3e2u7s7B9EydbETj8b0flWahvb5gt/o4JYFWHrhIyX/0IVa\n4wgmu08eDgU51i0knGA=\n",
-    "iv": "cc1GJKu6Cf4DkIgX\n",
+    "iv": "ONKrFCt8Oj3GKIQ5\n",
-    "auth_tag": "ERem4S7ozG695kjvWIMghw==\n",
+    "auth_tag": "j9Hrk8ZZFMQub4NUO+2e4g==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "domains": {
-    "encrypted_data": "scZ5blsSjs54DlitR7KZ3enLbyceOR5q0wjHw1golQ==\n",
+    "encrypted_data": "lGfoPHdXEYYdJmoIA9M119wjVl1v4UzIv5gHADwx0A==\n",
-    "iv": "oDcHm7shAzW97b4t\n",
+    "iv": "q6XKbxhW7X9ONxNt\n",
-    "auth_tag": "62Zais9yf68SwmZRsmZ3hw==\n",
+    "auth_tag": "ns9WJH8Oe75siWu+sOZkRg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/nodes/akkounts-1.json
+++ b/nodes/akkounts-1.json
@@ -9,7 +9,7 @@
  "automatic": {
    "fqdn": "akkounts-1",
    "os": "linux",
-    "os_version": "5.4.0-216-generic",
+    "os_version": "5.4.0-223-generic",
    "hostname": "akkounts-1",
    "ipaddress": "192.168.122.160",
    "roles": [
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@@ -12,6 +12,7 @@
    },
    "openresty": {
      "listen_ip": "148.251.237.111",
      "listen_ipv6": "2a01:4f8:202:804a::2",
      "log_formats": {
        "json": "{\"ip\":\"$remote_addr\",\"time\":\"$time_local\",\"host\":\"$host\",\"method\":\"$request_method\",\"uri\":\"$uri\",\"status\":$status,\"size\":$body_bytes_sent,\"referer\":\"$http_referer\",\"upstream_addr\":\"$upstream_addr\",\"upstream_response_time\":\"$upstream_response_time\",\"ua\":\"$http_user_agent\"}"
      }
@@ -81,6 +82,7 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -75,6 +75,7 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/garage-14.json
+++ b/nodes/garage-14.json
@@ -0,0 +1,65 @@
 {
  "name": "garage-14",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.151"
    }
  },
  "automatic": {
    "fqdn": "garage-14",
    "os": "linux",
    "os_version": "5.15.0-1095-kvm",
    "hostname": "garage-14",
    "ipaddress": "192.168.122.36",
    "roles": [
      "base",
      "kvm_guest",
      "garage_node"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_garage",
      "kosmos_garage::default",
      "kosmos_garage::firewall_rpc",
      "kosmos_garage::firewall_apis",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
      "firewall::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.10.17",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.2.13",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[garage_node]"
  ]
 }
--- a/nodes/garage-15.json
+++ b/nodes/garage-15.json
@@ -0,0 +1,65 @@
 {
  "name": "garage-15",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.82"
    }
  },
  "automatic": {
    "fqdn": "garage-15",
    "os": "linux",
    "os_version": "5.15.0-1095-kvm",
    "hostname": "garage-15",
    "ipaddress": "192.168.122.57",
    "roles": [
      "base",
      "kvm_guest",
      "garage_node"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_garage",
      "kosmos_garage::default",
      "kosmos_garage::firewall_rpc",
      "kosmos_garage::firewall_apis",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
      "firewall::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.10.17",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.2.13",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[garage_node]"
  ]
 }
--- a/nodes/gitea-2.json
+++ b/nodes/gitea-2.json
@@ -50,13 +50,6 @@
      "postfix::sasl_auth",
      "hostname::default",
      "firewall::default",
      "kosmos_gitea::compile_from_source",
      "git::default",
      "git::package",
      "kosmos-nodejs::default",
      "nodejs::nodejs_from_package",
      "nodejs::repo",
      "golang::default",
      "backup::default",
      "logrotate::default"
    ],
--- a/nodes/leo.json
+++ b/nodes/leo.json
@@ -0,0 +1,56 @@
 {
  "name": "leo",
  "normal": {
    "knife_zero": {
      "host": "leo.kosmos.org"
    }
  },
  "automatic": {
    "fqdn": "leo",
    "os": "linux",
    "os_version": "5.15.0-164-generic",
    "hostname": "leo",
    "ipaddress": "5.9.81.116",
    "roles": [
      "base"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::host",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.10.17",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.2.13",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "recipe[kosmos_kvm::host]"
  ]
 }
--- a/nodes/postgres-10.json
+++ b/nodes/postgres-10.json
@@ -0,0 +1,63 @@
 {
  "name": "postgres-10",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.176"
    }
  },
  "automatic": {
    "fqdn": "postgres-10",
    "os": "linux",
    "os_version": "5.15.0-1095-kvm",
    "hostname": "postgres-10",
    "ipaddress": "192.168.122.41",
    "roles": [
      "base",
      "kvm_guest",
      "postgresql_replica"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::hostsfile",
      "kosmos_postgresql::replica",
      "kosmos_postgresql::firewall",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.10.17",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.2.13",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[postgresql_replica]"
  ]
 }
--- a/nodes/postgres-9.json
+++ b/nodes/postgres-9.json
@@ -1,17 +1,17 @@
 {
-  "name": "postgres-7",
+  "name": "postgres-9",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.134"
+      "host": "10.1.1.3"
    }
  },
  "automatic": {
-    "fqdn": "postgres-7",
+    "fqdn": "postgres-9",
    "os": "linux",
-    "os_version": "5.4.0-1123-kvm",
+    "os_version": "5.15.0-1059-kvm",
-    "hostname": "postgres-7",
+    "hostname": "postgres-9",
-    "ipaddress": "192.168.122.89",
+    "ipaddress": "192.168.122.64",
    "roles": [
      "base",
      "kvm_guest",
@@ -41,17 +41,17 @@
      "hostname::default"
    ],
    "platform": "ubuntu",
-    "platform_version": "20.04",
+    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.5.0",
+        "version": "18.8.54",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.8.54/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.1.11",
+        "version": "18.2.8",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.8/lib/ohai"
      }
    }
  },
--- a/roles/gitea.rb
+++ b/roles/gitea.rb
@@ -8,8 +8,8 @@ run_list %w(
 override_attributes(
  "gitea" => {
-    "repo" => "https://github.com/67P/gitea.git",
+    # "repo" => "https://github.com/67P/gitea.git",
-    "revision" => "ldap_sync",
+    # "revision" => "ldap_sync",
    "log" => { "level" => "Info" }
  },
 )
--- a/roles/postgresql_replica_logical.rb
+++ b/roles/postgresql_replica_logical.rb
@@ -0,0 +1,7 @@
 name "postgresql_replica_logical"
 run_list %w(
  kosmos_postgresql::hostsfile
  kosmos_postgresql::replica_logical
  kosmos_postgresql::firewall
 )
--- a/site-cookbooks/discourse/templates/nginx_conf.erb
+++ b/site-cookbooks/discourse/templates/nginx_conf.erb
@@ -8,8 +8,8 @@ upstream _<%= @upstream_name %> {
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
  server_name <%= @server_name %>;
-  listen 443 ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
@@ -11,7 +11,7 @@ proxy_cache_path <%= node[:openresty][:cache_dir] %>/akkounts levels=1:2
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  server_name <%= @domain %>;
  if ($host != $server_name) {
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
@@ -7,7 +7,7 @@ upstream _akkounts_api {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  server_name <%= @domain %>;
  ssl_certificate     <%= @ssl_cert %>;
--- a/site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb
@@ -1,49 +1,86 @@
 #!/bin/bash
 set -e
 set -o pipefail
 # Calculate yesterday's date in YYYY-MM-DD format
 YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
 echo "Starting price tracking for $YESTERDAY" >&2
 # Helper function to perform HTTP requests with retries
 # Usage: make_request <retries> <method> <url> [data] [header1] [header2] ...
 make_request() {
    local retries=$1
    local method=$2
    local url=$3
    local data=$4
    shift 4
    local headers=("$@")
    local count=0
    local wait_time=3
    local response
    while [ "$count" -lt "$retries" ]; do
        local curl_opts=(-s -S -f -X "$method")
        if [ -n "$data" ]; then
            curl_opts+=(-d "$data")
        fi
        for h in "${headers[@]}"; do
            curl_opts+=(-H "$h")
        done
        if response=$(curl "${curl_opts[@]}" "$url"); then
            echo "$response"
            return 0
        fi
        echo "Request to $url failed (Attempt $((count+1))/$retries). Retrying in ${wait_time}s..." >&2
        sleep "$wait_time"
        count=$((count + 1))
    done
    echo "ERROR: Request to $url failed after $retries attempts" >&2
    return 1
 }
 # Fetch and process rates for a fiat currency
 get_price_data() {
    local currency=$1
    local data avg open24 last
-    data=$(curl -s "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/")
+    if data=$(make_request 3 "GET" "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/" ""); then
    if [ $? -eq 0 ] && [ ! -z "$data" ]; then
        echo "Successfully retrieved ${currency} price data" >&2
        open24=$(echo "$data" | jq -r '.open_24')
        last=$(echo "$data" | jq -r '.last')
-        avg=$(( (${open24%.*} + ${last%.*}) / 2 ))
+        avg=$(echo "$open24 $last" | awk '{printf "%.0f", ($1 + $2) / 2}')
        echo $avg
    else
        echo "ERROR: Failed to retrieve ${currency} price data" >&2
-        exit 1
+        return 1
    fi
 }
 # Get price data for each currency
-usd_avg=$(get_price_data "USD")
+usd_avg=$(get_price_data "USD") || exit 1
-eur_avg=$(get_price_data "EUR")
+eur_avg=$(get_price_data "EUR") || exit 1
-gbp_avg=$(get_price_data "GBP")
+gbp_avg=$(get_price_data "GBP") || exit 1
 # Create JSON
-json="{\"EUR\":$eur_avg,\"USD\":$usd_avg,\"GBP\":$gbp_avg}"
+json=$(jq -n \
  --argjson eur "$eur_avg" \
  --argjson usd "$usd_avg" \
  --argjson gbp "$gbp_avg" \
  '{"EUR": $eur, "USD": $usd, "GBP": $gbp}')
 echo "Rates: $json" >&2
 # PUT in remote storage
-response=$(curl -X PUT \
+if make_request 3 "PUT" "<%= @rs_base_url %>/$YESTERDAY" "$json" \
-    -H "Authorization: Bearer $RS_AUTH" \
+    "Authorization: Bearer $RS_AUTH" \
-    -H "Content-Type: application/json" \
+    "Content-Type: application/json" > /dev/null; then
    -d "$json" \
    -w "%{http_code}" \
    -s \
    -o /dev/null \
    "<%= @rs_base_url %>/$YESTERDAY")
 if [ "$response" -eq 200 ] || [ "$response" -eq 201 ]; then
   echo "Successfully uploaded price data" >&2
 else
-   echo "ERROR: Failed to upload price data. HTTP status: $response" >&2
+   echo "ERROR: Failed to upload price data" >&2
   exit 1
 fi
--- a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb
@@ -49,7 +49,7 @@ server {
  client_max_body_size 100M;
  server_name <%= @server_name %>;
  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  access_log <%= node[:nginx][:log_dir] %>/btcpayserver.access.log json;
  error_log <%= node[:nginx][:log_dir] %>/btcpayserver.error.log warn;
--- a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb
@@ -7,7 +7,7 @@ upstream _lndhub {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  server_name <%= @server_name %>;
  add_header Strict-Transport-Security "max-age=15768000";
--- a/site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb
+++ b/site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb
@@ -49,7 +49,7 @@ server {
  server_name <%= @server_name %>;
  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  <% else -%>
  listen 80;
  <% end -%>
--- a/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb
@@ -3,7 +3,7 @@
 server {
  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  server_name <%= @server_name %>;
  ssl_certificate     <%= @ssl_cert %>;
--- a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb
+++ b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb
@@ -7,7 +7,7 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  server_name <%= @server_name %>;
  add_header Strict-Transport-Security "max-age=15768000";
--- a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
+++ b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
@@ -12,7 +12,7 @@ upstream _ipfs_api {
 server {
  server_name <%= @server_name %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  access_log /var/log/nginx/<%= @server_name %>.access.log;
  error_log  /var/log/nginx/<%= @server_name %>.error.log;
--- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
@@ -21,7 +21,7 @@ proxy_cache_path /var/cache/nginx/mastodon levels=1:2
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  server_name <%= @server_name %>;
  include <%= @shared_config_path %>;
--- a/site-cookbooks/kosmos_assets/templates/nginx_conf_assets.erb
+++ b/site-cookbooks/kosmos_assets/templates/nginx_conf_assets.erb
@@ -3,7 +3,7 @@
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  server_name <%= @domain %>;
  root /var/www/<%= @domain %>/site;
--- a/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
+++ b/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
@@ -9,7 +9,7 @@ upstream _discourse {
 server {
  server_name <%= @server_name %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
--- a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb
+++ b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb
@@ -8,7 +8,7 @@ upstream _drone {
 server {
  server_name <%= @server_name %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
--- a/site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb
@@ -4,7 +4,7 @@ upstream garage_s3 {
 server {
  listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen [::]:443 http2 ssl;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
--- a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
@@ -1,6 +1,6 @@
 server {
  listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen [::]:443 http2 ssl;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  server_name <%= @server_name %>;
@@ -18,6 +18,7 @@ server {
  }
  location / {
    add_header 'Access-Control-Allow-Origin' '*' always;
    proxy_intercept_errors on;
    proxy_cache garage_cache;
    proxy_pass http://garage_web;
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@@ -1,11 +1,12 @@
-node.default["gitea"]["version"] = "1.23.8"
+node.default["gitea"]["version"] = "1.25.4"
-node.default["gitea"]["checksum"] = "827037e7ca940866918abc62a7488736923396c467fcb4acd0dd9829bb6a6f4c"
+node.default["gitea"]["checksum"] = "a3031853e67c53714728ef705642c9046a11fb0ea356aff592e23efe6114607d"
 node.default["gitea"]["repo"] = nil
 node.default["gitea"]["revision"] = nil
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
 node.default["gitea"]["domain"] = "gitea.kosmos.org"
 node.default["gitea"]["email"] = "gitea@kosmos.org"
 node.default["gitea"]["config"] = {
  "log": {
@@ -22,5 +23,5 @@ node.default["gitea"]["config"] = {
  }
 }
-node.default["gitea"]["act_runner"]["version"] = "0.2.6"
+node.default["gitea"]["act_runner"]["version"] = "0.2.13"
-node.default["gitea"]["act_runner"]["checksum"] = "234c2bdb871e7b0bfb84697f353395bfc7819faf9f0c0443845868b64a041057"
+node.default["gitea"]["act_runner"]["checksum"] = "3acac8b506ac8cadc88a55155b5d6378f0fab0b8f62d1e0c0450f4ccd69733e2"
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -19,6 +19,17 @@ jwt_secret                = gitea_data_bag_item["jwt_secret"]
 internal_token            = gitea_data_bag_item["internal_token"]
 secret_key                = gitea_data_bag_item["secret_key"]
 apt_repository "git-core-ppa" do
  uri "http://ppa.launchpad.net/git-core/ppa/ubuntu"
  components ["main"]
  key "E1DF1F24"
  action :add
  only_if do
    node['platform'] == 'ubuntu' &&
      Gem::Version.new(node['platform_version']) < Gem::Version.new('22.04')
  end
 end
 package "git"
 user "git" do
@@ -26,6 +37,13 @@ user "git" do
  home "/home/git"
 end
 directory "/home/git/.ssh" do
  owner "git"
  group "git"
  mode "0700"
  recursive true
 end
 directory working_directory do
  owner "git"
  group "git"
@@ -78,6 +96,8 @@ if node.chef_environment == "production"
 end
 config_variables = {
  domain: node["gitea"]["domain"],
  email: node["gitea"]["email"],
  working_directory: working_directory,
  git_home_directory: git_home_directory,
  repository_root_directory: repository_root_directory,
@@ -98,6 +118,16 @@ config_variables = {
  s3_bucket: gitea_data_bag_item["s3_bucket"]
 }
 bash "Generate git ed25519 keypair" do
  user "git"
  group "git"
  cwd git_home_directory
  code <<-EOH
    ssh-keygen -t ed25519 -f #{git_home_directory}/.ssh/id_ed25519
  EOH
  creates "#{git_home_directory}/.ssh/id_ed25519"
 end
 template "#{config_directory}/app.ini" do
  source "app.ini.erb"
  owner "git"
@@ -129,7 +159,7 @@ template "/etc/systemd/system/gitea.service" do
            git_home_directory: git_home_directory,
            config_directory: config_directory,
            gitea_binary_path: gitea_binary_path
-  notifies :run, "execute[systemctl daemon-reload]", :delayed
+  notifies :run, "execute[systemctl daemon-reload]", :immediately
 end
 service "gitea" do
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@@ -2,12 +2,12 @@ APP_NAME = Gitea
 RUN_MODE = prod
 [server]
-SSH_DOMAIN       = gitea.kosmos.org
+SSH_DOMAIN = <%= @domain %>
 HTTP_PORT        = 3000
 DISABLE_SSH      = false
 SSH_PORT         = 22
 PROTOCOL = http
-DOMAIN = gitea.kosmos.org
+DOMAIN = <%= @domain %>
 # Gitea is running behind an nginx reverse load balancer, use an HTTPS root URL
 ROOT_URL = https://%(DOMAIN)s
 # REDIRECT_OTHER_PORT = true
@@ -30,6 +30,16 @@ MAX_OPEN_CONNS = 20
 ROOT = <%= @repository_root_directory %>
 DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
 [repository.signing]
 SIGNING_KEY = <%= @git_home_directory %>/.ssh/id_ed25519.pub
 SIGNING_NAME = Gitea
 SIGNING_EMAIL = git@<%= @domain %>
 SIGNING_FORMAT = ssh
 INITIAL_COMMIT = always
 CRUD_ACTIONS = always
 WIKI = always
 MERGES = always
 # [indexer]
 # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
@@ -46,7 +56,7 @@ SMTP_ADDR = <%= @smtp_addr %>
 SMTP_PORT = <%= @smtp_port %>
 USER = <%= @smtp_user %>
 PASSWD = <%= @smtp_password %>
-FROM = gitea@kosmos.org
+FROM = <%= @email %>
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>
--- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb
@@ -4,5 +4,6 @@ upstream _gitea_ssh {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>22;
  listen [::]:22;
  proxy_pass _gitea_ssh;
 }
--- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
@@ -6,7 +6,7 @@ upstream _gitea_web {
 server {
  server_name <%= @server_name %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
--- a/site-cookbooks/kosmos_kvm/attributes/default.rb
+++ b/site-cookbooks/kosmos_kvm/attributes/default.rb
@@ -1,9 +1,9 @@
-release = "20240514"
+release = "20260320"
 img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm"
 node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
  "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img",
-  "checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f",
+  "checksum" => "f7173eb7137b4f0ebeaea8fffe68ecdab1e3c787bde1fd8dfdf27103554332b3",
  "path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2"
 }
--- a/site-cookbooks/kosmos_kvm/recipes/host.rb
+++ b/site-cookbooks/kosmos_kvm/recipes/host.rb
@@ -3,7 +3,7 @@
 # Recipe:: host
 #
-package %w(virtinst libvirt-daemon-system)
+package %w(virtinst libvirt-daemon-system libvirt-clients)
 directory "/var/lib/libvirt/images/base" do
  recursive true
--- a/site-cookbooks/kosmos_kvm/templates/create_vm.erb
+++ b/site-cookbooks/kosmos_kvm/templates/create_vm.erb
@@ -17,7 +17,7 @@ DISKSIZE=${4:-10} # 10GB default
 # Directory where image files will be stored
 IMAGE_DIR=/var/lib/libvirt/images
 IMAGE_PATH=$IMAGE_DIR/${VMNAME}.qcow2
-CIDATA_PATH=${IMAGE_DIR}/cidata-${VMNAME}.iso
+CIDATA_PATH=${IMAGE_DIR}/${VMNAME}-cloudinit
 BASE_FILE=<%= @base_image_path %>
 # Create the VM image if it does not already exist
@@ -38,9 +38,8 @@ qemu-img info "$IMAGE_PATH"
 # Check if the cloud-init metadata file exists
 # if not, generate it
 if [ ! -r $CIDATA_PATH ]; then
-  pushd $(dirname $CIDATA_PATH)
+  mkdir -p $CIDATA_PATH
-  mkdir -p $VMNAME
+  pushd $CIDATA_PATH
  cd $VMNAME
  cat > user-data <<-EOS
 #cloud-config
@@ -62,25 +61,19 @@ instance-id: $VMNAME
 local-hostname: $VMNAME
 EOS
  genisoimage -output "$CIDATA_PATH" -volid cidata -joliet -rock user-data meta-data
  chown libvirt-qemu:kvm "$CIDATA_PATH"
  chmod 600 "$CIDATA_PATH"
  popd
 fi
 # setting --os-variant to ubuntu20.04 and ubuntu18.04 breaks SSH and networking
 virt-install \
  --name "$VMNAME" \
  --ram "$RAM" \
  --vcpus "$CPUS" \
  --cpu host \
  --arch x86_64 \
-  --os-type linux \
+  --osinfo detect=on,name=ubuntujammy \
  --os-variant ubuntu16.04 \
  --hvm \
  --virt-type kvm \
  --disk "$IMAGE_PATH" \
  --cdrom "$CIDATA_PATH" \
  --boot hd \
  --network=bridge=virbr0,model=virtio \
  --graphics none \
@@ -88,4 +81,5 @@ virt-install \
  --console pty \
  --channel unix,mode=bind,path=/var/lib/libvirt/qemu/$VMNAME.guest_agent.0,target_type=virtio,name=org.qemu.guest_agent.0 \
  --autostart \
-  --import
+  --import \
  --cloud-init root-password-generate=off,disable=on,meta-data=$CIDATA_PATH/meta-data,user-data=$CIDATA_PATH/user-data
--- a/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
+++ b/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
@@ -12,7 +12,7 @@ upstream _<%= @app_name %> {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  server_name <%= @server_name %>;
  access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log; # TODO json_liquor_cabinet;
--- a/site-cookbooks/kosmos_openresty/attributes/default.rb
+++ b/site-cookbooks/kosmos_openresty/attributes/default.rb
@@ -0,0 +1 @@
 node.default["openresty"]["listen_ipv6"] = "::"
--- a/site-cookbooks/kosmos_postgresql/attributes/default.rb
+++ b/site-cookbooks/kosmos_postgresql/attributes/default.rb
@@ -1,3 +1,8 @@
 node.default['kosmos_postgresql']['postgresql_version'] = "14"
 # This is set to false by default, and set to true in the server resource
 # for replicas.
 node.default['kosmos_postgresql']['ready_to_set_up_replica'] = false
 # Address space from which clients are allowed to connect
 node.default['kosmos_postgresql']['access_addr'] = "10.1.1.0/24"
--- a/site-cookbooks/kosmos_postgresql/files/create_publications.sh
+++ b/site-cookbooks/kosmos_postgresql/files/create_publications.sh
@@ -0,0 +1,34 @@
 #!/bin/bash
 set -e
 echo "== Creating publication in each database =="
 for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template0','template1')"); do
  echo "Processing DB: $db"
  # Create publication (idempotent)
  psql -d "$db" -v ON_ERROR_STOP=1 <<SQL
 DO \$\$
 BEGIN
  IF NOT EXISTS (
    SELECT 1 FROM pg_publication WHERE pubname = 'migrate_pub'
  ) THEN
    CREATE PUBLICATION migrate_pub FOR ALL TABLES;
  END IF;
 END
 \$\$;
 SQL
  # Create logical replication slot (idempotent-ish)
  SLOT="migrate_slot_${db}"
  if ! psql -d "$db" -Atqc "SELECT 1 FROM pg_replication_slots WHERE slot_name = '$SLOT'" | grep -q 1; then
    echo "  Creating slot: $SLOT"
    psql -d "$db" -c "SELECT pg_create_logical_replication_slot('$SLOT', 'pgoutput');"
  else
    echo "  Slot already exists: $SLOT"
  fi
 done
 echo "== Done =="
--- a/site-cookbooks/kosmos_postgresql/files/drop_publications.sh
+++ b/site-cookbooks/kosmos_postgresql/files/drop_publications.sh
@@ -0,0 +1,33 @@
 set -e
 echo "== Dropping subscriptions slots and publications on PRIMARY =="
 for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template0','template1')"); do
  echo "Processing DB: $db"
  SLOT="migrate_slot_${db}"
  # Drop slot if exists
  if psql -d "$db" -Atqc "SELECT 1 FROM pg_replication_slots WHERE slot_name = '$SLOT'" | grep -q 1; then
    echo "  Dropping slot: $SLOT"
    psql -d "$db" -c "SELECT pg_drop_replication_slot('$SLOT');"
  else
    echo "  Slot not found: $SLOT"
  fi
  # Drop publication if exists
  psql -d "$db" -v ON_ERROR_STOP=1 <<SQL
 DO \$\$
 BEGIN
  IF EXISTS (
    SELECT 1 FROM pg_publication WHERE pubname = 'migrate_pub'
  ) THEN
    DROP PUBLICATION migrate_pub;
  END IF;
 END
 \$\$;
 SQL
 done
 echo "== Done =="
--- a/site-cookbooks/kosmos_postgresql/files/drop_subscriptions.sh
+++ b/site-cookbooks/kosmos_postgresql/files/drop_subscriptions.sh
@@ -0,0 +1,28 @@
 set -e
 echo "== Dropping subscriptions on PG14 =="
 for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template0,'template1'')"); do
  echo "Processing DB: $db"
  SUB="migrate_sub_${db}"
  # Disable first (important)
  psql -d "$db" -c "ALTER SUBSCRIPTION $SUB DISABLE;" 2>/dev/null || true
  # Drop subscription if exists
  psql -d "$db" -v ON_ERROR_STOP=1 <<SQL
 DO \$\$
 BEGIN
  IF EXISTS (
    SELECT 1 FROM pg_subscription WHERE subname = '$SUB'
  ) THEN
    DROP SUBSCRIPTION $SUB;
  END IF;
 END
 \$\$;
 SQL
 done
 echo "== Done =="
--- a/site-cookbooks/kosmos_postgresql/files/dump_all_databases.sh
+++ b/site-cookbooks/kosmos_postgresql/files/dump_all_databases.sh
@@ -0,0 +1,9 @@
 #!/bin/bash
 cd /tmp && \
 (pg_dumpall --globals-only > globals.sql) && \
 psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN (''template0'')" | \
 xargs -I{} -P4 sh -c "
  pg_dump -Fd -j 4 -d \"{}\" -f dump_{} &&
  tar -cf - dump_{} | zstd -19 -T0 > dump_{}.tar.zst &&
  rm -rf dump_{}
 "
--- a/site-cookbooks/kosmos_postgresql/files/list_publications.sh
+++ b/site-cookbooks/kosmos_postgresql/files/list_publications.sh
@@ -0,0 +1,5 @@
 #!/bin/bash
 for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn"); do
  echo "DB: $db"
  psql -d "$db" -Atqc "SELECT pubname FROM pg_publication;"
 done
--- a/site-cookbooks/kosmos_postgresql/files/list_replication_slots.sh
+++ b/site-cookbooks/kosmos_postgresql/files/list_replication_slots.sh
@@ -0,0 +1,5 @@
 #!/bin/bash
 psql -c "
 SELECT slot_name,
 pg_size_pretty(pg_wal_lsn_diff(pg_current_wal_lsn(), restart_lsn))
 FROM pg_replication_slots;"
--- a/site-cookbooks/kosmos_postgresql/files/list_subscriptions.sh
+++ b/site-cookbooks/kosmos_postgresql/files/list_subscriptions.sh
@@ -0,0 +1,5 @@
 #!/bin/bash
 for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template0','template1')"); do
  echo "==== DB: $db ===="
  psql -d "$db" -c "SELECT * FROM pg_stat_subscription;"
 done
--- a/site-cookbooks/kosmos_postgresql/files/restore_all_databases.sh
+++ b/site-cookbooks/kosmos_postgresql/files/restore_all_databases.sh
@@ -0,0 +1,8 @@
 #!/bin/bash
 cd /tmp
 for f in dump_*.tar.zst; do
  db=$(echo $f | sed "s/dump_\(.*\)\.tar\.zst/\1/")
  echo "Restoring $db"
  zstd -d "$f" -c | tar -xf -
  pg_restore -j 4 -d "$db" dump_$db
 done
--- a/site-cookbooks/kosmos_postgresql/libraries/helpers.rb
+++ b/site-cookbooks/kosmos_postgresql/libraries/helpers.rb
@@ -36,10 +36,16 @@ class Chef
      end
    end
-    def postgresql_service_name
+    def postgresql_version
-      postgresql_version = "12"
+      node['kosmos_postgresql']['postgresql_version']
    end
    def postgresql_service
      "postgresql@#{postgresql_version}-main"
    end
    def postgresql_data_dir
      "/var/lib/postgresql/#{postgresql_version}/main"
    end
  end
 end
--- a/site-cookbooks/kosmos_postgresql/recipes/primary.rb
+++ b/site-cookbooks/kosmos_postgresql/recipes/primary.rb
@@ -3,31 +3,41 @@
 # Recipe:: primary
 #
 postgresql_version = "12"
 postgresql_service = "postgresql@#{postgresql_version}-main"
 service postgresql_service do
  supports restart: true, status: true, reload: true
 end
 postgresql_custom_server postgresql_version do
  role "primary"
 end
-postgresql_access "zerotier members" do
+cookbook_file "/usr/local/bin/pg_dump_all_databases" do
-  access_type "host"
+  source "dump_all_databases.sh"
-  access_db "all"
+  user "postgres"
-  access_user "all"
+  group "postgres"
-  access_addr "10.1.1.0/24"
+  mode "0744"
  access_method "md5"
  notifies :reload, "service[#{postgresql_service}]", :immediately
 end
-postgresql_access "zerotier members replication" do
+cookbook_file "/usr/local/bin/pg_create_replication_publications" do
-  access_type "host"
+  source "create_publications.sh"
-  access_db "replication"
+  user "postgres"
-  access_user "replication"
+  group "postgres"
-  access_addr "10.1.1.0/24"
+  mode "0744"
-  access_method "md5"
+end
-  notifies :reload, "service[#{postgresql_service}]", :immediately
+
 cookbook_file "/usr/local/bin/pg_drop_replication_publications" do
  source "drop_publications.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_list_replication_publications" do
  source "list_publications.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_list_replication_slots" do
  source "list_replication_slots.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
--- a/site-cookbooks/kosmos_postgresql/recipes/replica.rb
+++ b/site-cookbooks/kosmos_postgresql/recipes/replica.rb
@@ -3,27 +3,24 @@
 # Recipe:: replica
 #
-postgresql_version = "12"
+service postgresql_service do
-postgresql_service = "postgresql@#{postgresql_version}-main"
+  supports restart: true, status: true, reload: true
 end
 postgresql_custom_server postgresql_version do
  role "replica"
 end
 service postgresql_service do
  supports restart: true, status: true, reload: true
 end
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 primary = postgresql_primary
-unless primary.nil?
+if primary.nil?
-  # TODO
+  Chef::Log.warn("No PostgreSQL primary node found. Skipping replication setup.")
-  postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main"
+  return
 end
-  # FIXME get zerotier IP
+execute "set up replication" do
  execute "set up replication" do
  command <<-EOF
 systemctl stop #{postgresql_service}
 mv #{postgresql_data_dir} #{postgresql_data_dir}.old
@@ -34,23 +31,4 @@ systemctl start #{postgresql_service}
  environment 'PGPASSWORD' => postgresql_data_bag_item['replication_password']
  sensitive true
  not_if { ::File.exist? "#{postgresql_data_dir}/standby.signal" }
  end
  postgresql_access "zerotier members" do
    access_type "host"
    access_db "all"
    access_user "all"
    access_addr "10.1.1.0/24"
    access_method "md5"
    notifies :reload, "service[#{postgresql_service}]", :immediately
  end
  postgresql_access "zerotier members replication" do
    access_type "host"
    access_db "replication"
    access_user "replication"
    access_addr "10.1.1.0/24"
    access_method "md5"
    notifies :reload, "service[#{postgresql_service}]", :immediately
  end
 end
--- a/site-cookbooks/kosmos_postgresql/recipes/replica_logical.rb
+++ b/site-cookbooks/kosmos_postgresql/recipes/replica_logical.rb
@@ -0,0 +1,50 @@
 #
 # Cookbook:: kosmos_postgresql
 # Recipe:: replica_logical
 #
 service postgresql_service do
  supports restart: true, status: true, reload: true
 end
 postgresql_custom_server postgresql_version do
  role "replica_logical"
 end
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 primary = postgresql_primary
 if primary.nil?
  Chef::Log.warn("No PostgreSQL primary node found. Skipping replication setup.")
  return
 end
 template "/usr/local/bin/pg_create_replication_subscriptions" do
  source "create_subscriptions.sh.erb"
  user "postgres"
  group "postgres"
  mode "0740"
  sensitive true
 end
 cookbook_file "/usr/local/bin/pg_drop_replication_subscriptions" do
  source "drop_subscriptions.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_list_replication_subscriptions" do
  source "list_subscriptions.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_restore_all_databases" do
  source "restore_all_databases.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
--- a/site-cookbooks/kosmos_postgresql/resources/server.rb
+++ b/site-cookbooks/kosmos_postgresql/resources/server.rb
@@ -56,7 +56,9 @@ action :create do
    timezone: "UTC", # default is GMT
    listen_addresses: "0.0.0.0",
    promote_trigger_file: "#{postgresql_data_dir}/failover.trigger",
-    wal_keep_segments: 256
+    wal_level: "logical",
    wal_keep_size: 4096, # 256 segments, 16MB each
    max_replication_slots: 16
  }
  postgresql_server_conf "main" do
@@ -70,6 +72,24 @@ action :create do
    replication true
    password postgresql_credentials['replication_password']
  end
  postgresql_access "all members" do
    access_type "host"
    access_db "all"
    access_user "all"
    access_addr node['kosmos_postgresql']['access_addr']
    access_method "md5"
    notifies :reload, "service[#{postgresql_service}]", :immediately
  end
  postgresql_access "replication members" do
    access_type "host"
    access_db "replication"
    access_user "replication"
    access_addr node['kosmos_postgresql']['access_addr']
    access_method "md5"
    notifies :reload, "service[#{postgresql_service}]", :immediately
  end
 end
 action_class do
--- a/site-cookbooks/kosmos_postgresql/templates/create_subscriptions.sh.erb
+++ b/site-cookbooks/kosmos_postgresql/templates/create_subscriptions.sh.erb
@@ -0,0 +1,33 @@
 set -e
 echo "== Creating subscriptions for all databases =="
 for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template0','template1')"); do
  echo "Processing DB: $db"
  SLOT="migrate_slot_${db}"
  SUB="migrate_sub_${db}"
  psql -d "$db" -v ON_ERROR_STOP=1 <<SQL
 DO \$\$
 BEGIN
  IF NOT EXISTS (
    SELECT 1 FROM pg_subscription WHERE subname = '$SUB'
  ) THEN
    CREATE SUBSCRIPTION $SUB
    CONNECTION 'host=<%= @pg_host %> port=<%= @pg_port %> dbname=$db user=<%= @pg_user %> password=<%= @pg_pass %>'
    PUBLICATION migrate_pub
    WITH (
      slot_name = '$SLOT',
      create_slot = false,
      copy_data = false,
      enabled = true
    );
  END IF;
 END
 \$\$;
 SQL
 done
 echo "== Done =="
--- a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
+++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
@@ -6,7 +6,7 @@ upstream _<%= @upstream_name %> {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  server_name <%= @domain %>;
--- a/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
+++ b/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
@@ -13,7 +13,7 @@ upstream _substr {
 server {
  server_name <%= @domain %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  access_log "/var/log/nginx/<%= @domain %>.access.log";
  error_log "/var/log/nginx/<%= @domain %>.error.log";
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb
@@ -3,7 +3,7 @@
 server {
  server_name <%= @domain %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
  error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_simple.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_simple.erb
@@ -3,7 +3,7 @@
 server {
  server_name <%= @domain %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  root /var/www/<%= @domain %>/public;
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
@@ -3,6 +3,7 @@
 server {
  server_name _;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80 default_server;
  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:80 default_server;
  location / {
    return 301 https://<%= @domain %>;
@@ -12,7 +13,7 @@ server {
 server {
  server_name <%= @domain %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
-  listen [::]:443 ssl http2 default_server;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2 default_server;
  if ($host != $server_name) {
    return 307 $scheme://$server_name;
--- a/site-cookbooks/kredits-github/templates/default/nginx_conf.erb
+++ b/site-cookbooks/kredits-github/templates/default/nginx_conf.erb
@@ -5,8 +5,8 @@ upstream _<%= @app_name %> {
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
-  listen 443 ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  server_name <%= @server_name %>;
  access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log json;
--- a/site-cookbooks/openresty
+++ b/site-cookbooks/openresty
--- a/site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb
+++ b/site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb
@@ -8,7 +8,7 @@ upstream _rs_discourse {
 server {
  server_name <%= @server_name %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
Author	SHA1	Message	Date
Râu Cao	48e8ee0160	WIP Prepare postgres for migration by replication	2026-04-08 15:41:56 +04:00
Râu Cao	6583cd7010	Upgrade WAL config for PG14	2026-04-08 15:41:13 +04:00
Râu Cao	290af8177a	Refactor postgres server recipes/resource	2026-04-08 15:41:10 +04:00
Râu Cao	2cb5540a7b	Add new postgres replica (v12)	2026-04-07 16:56:01 +04:00
Râu Cao	002ad2ca62	Update Gandi API key Co-authored-by: Greg Karékinian <greg@karekinian.com>	2026-04-07 16:53:43 +04:00
Râu Cao	7710231fc4	Add CORS headers for Garage web access Fixes Discourse plugin JS usage	2026-04-07 16:53:09 +04:00
Greg Karekinian	d68deb96e9	Update openresty submodule	2026-04-07 11:40:35 +02:00
Râu Cao	01cdd000cb	Update nodes	2026-03-27 14:30:46 +04:00
Râu Cao	ea8e2de70a	Merge pull request 'Use Ubuntu 22.04 for new VMs' (#521 ) from jammy_jellyfish into master Reviewed-on: #521	2026-03-27 10:28:22 +00:00
Râu Cao	8ad3674c4d	Install libvirt CLI on KVM hosts	2026-03-27 14:27:28 +04:00
Râu Cao	25192ad3ce	Use Ubuntu 22.04 for new VMs Also, remove the custom config image generation and replace it with `--cloud-init` options.	2026-03-26 20:35:30 +04:00
Greg	55b6e24f1e	Merge pull request 'Configure Gitea commit signing with SSH key' (#623 ) from feature/237-gitea_ssh_signing into master Reviewed-on: #623 Reviewed-by: Greg <greg@kosmos.org>	2026-03-19 13:27:55 +00:00
Râu Cao	a23c7d536a	Merge pull request 'Improve BTC price tracking script' (#624 ) from feature/btc_price_tracker into master Reviewed-on: #624	2026-03-07 06:21:51 +00:00
Râu Cao	d492cd18cc	Improve BTC price tracking script 1. Robust API helper: Add make_request with retry logic for both GET (price data) and PUT (upload) requests 2. Arithmetic precision: Switch to awk for floating-point average calculation 3. Correct error handling: Updated get_price_data to return status codes and the main script to exit on failure 4. Safer JSON: Use jq to construct valid JSON payloads 5. Safety Flags: Add set -e/-o to fail fast on any command errors	2026-03-06 23:20:12 +04:00
Râu Cao	161b78be97	Configure Gitea commit signing with SSH key	2026-02-13 17:29:23 +04:00
Râu Cao	6e83384da5	Use more attributes for Gitea config	2026-02-13 16:07:24 +04:00
Râu Cao	be8278fbdc	Upgrade act_runner	2026-02-13 16:06:08 +04:00
Râu Cao	ff3f05452f	Merge pull request 'Update Gitea to 1.25.4' (#622 ) from chore/upgrade_gitea into master Reviewed-on: #622 Reviewed-by: Râu Cao <raucao@kosmos.org>	2026-02-13 10:18:36 +00:00
Greg Karekinian	1fb66092fc	Update Gitea to 1.25.4 Back to using the binary from upstream releases	2026-02-13 11:15:07 +01:00
Greg Karekinian	81691f7e21	Run systemctl daemon-reload on gitea service changes	2026-02-13 11:05:08 +01:00
Râu Cao	e9dff82628	Merge pull request 'Add IPv6 support for all OpenResty sites' (#618 ) from feature/614-ipv6 into master Reviewed-on: #618	2026-02-12 13:09:25 +00:00
Râu Cao	0933e9caa0	Add IPv6 to all OpenResty sites Co-authored-by: Greg Karékinian <greg@karekinian.com>	2026-02-12 17:05:14 +04:00
Greg	9f862a89cc	Merge pull request 'Enable Gitea SSH via IPv6' (#613 ) from chore/612-enable_ipv6_ssh into master Reviewed-on: #613 Reviewed-by: Greg <greg@kosmos.org>	2026-01-11 13:19:33 +00:00
Râu Cao	039dbdf091	Enable Gitea SSH via IPv6 closes #612	2026-01-09 13:43:06 +07:00
Râu Cao	e3559119be	Update node info	2025-11-25 10:56:35 +00:00
Râu Cao	16f95170ef	Remove old node	2025-11-25 10:55:04 +00:00
Râu Cao	36f5903271	Merge pull request 'Fix URL matcher for substr (vs strfry)' (#608 ) from bugfix/substr_url_matching into master Reviewed-on: #608	2025-11-17 11:03:48 +00:00
		`@@ -0,0 +1 @@`
							`node.default["openresty"]["listen_ipv6"] = "::"`