WIP Set up akaunting

Upgrade Gitea to 1.22.5
Remove outdated flag from certbot command
2024-12-16 12:05:51 +04:00 · 2024-12-12 18:32:58 +04:00 · 2024-12-12 18:32:26 +04:00 · 2024-12-12 18:31:54 +04:00 · 2024-12-12 18:30:16 +04:00 · 2024-12-12 18:29:16 +04:00
81 changed files with 984 additions and 391 deletions
--- a/README.md
+++ b/README.md
@@ -38,6 +38,10 @@ Clone this repository, `cd` into it, and run:
    knife zero bootstrap ubuntu@zerotier-ip-address -x ubuntu --sudo --run-list "role[base],role[kvm_guest]" --secret-file .chef/encrypted_data_bag_secret
 ### Bootstrap a new VM with environment and role/app (postgres replica as example)
    knife zero bootstrap ubuntu@10.1.1.134 -x ubuntu --sudo --environment production --run-list "role[base],role[kvm_guest],role[postgresql_replica]" --secret-file .chef/encrypted_data_bag_secret
 ### Run Chef Zero on a host server
    knife zero converge -p2222 name:server-name.kosmos.org
--- a/clients/akaunting-1.json
+++ b/clients/akaunting-1.json
@@ -0,0 +1,4 @@
 {
  "name": "akaunting-1",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzmNpNWJh5DeXDsINDqAt\n5OtcGhnzLtqdILTD8A8KuPxWhoKI0k9xwvuT4yO2DLQqFMPyGefRuQkVsIq2OuU5\npK8B5c79E9MBHxti6mQZw4b/Jhmul+x2LGtOWYjPTDhFYXRsNNDtFDxwpwJGPede\nYts026yExHPhiF35Mt1JxA3TXJfPC8Vx0YGHu/6Ev+1fLmcKhFmhed5yKkA0gwod\nczdyQiCfw3ze9LuS90QmALpFOHHpekZeywemdwyPia207CoTrXsPLWj9KmuUEIQJ\nwL+OlEU2tVA6KaBKpl54n5/tMsccZmlicbNsVpgkk6LctrkNh6Kk+fW9ry3L/Gxg\nAwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-10.json
+++ b/clients/garage-10.json
@@ -0,0 +1,4 @@
 {
  "name": "garage-10",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw2+3Wo+KkXVJCOX1SxT9\nSdwKXgPbCDM3EI9uwoxhMxQfRyN53dxIsBDsQUVOIe1Z8yqm4FenMQlNmeDR+QLE\nvNFf1fisinW+D9VVRm+CjcJy96i/Dyt786Z6YRrDlB860HxCbfTL2Zv5BRtbyIKg\nhz5gO+9PMEpPVR2ij9iue4K6jbM1AAL2ia/P6zDWLJqeIzUocCeHV5N0Z3jXH6qr\nf444v78x35MMJ+3tg5h95SU1/PDCpdSTct4uHEuKIosiN7p4DlYMoM5iSyvVoujr\nflRQPEpGzS9qEt3rDo/F4ltzYMx6bf1tB/0QaBKD+zwPZWTTwf61tSBo5/NkGvJc\nFQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-11.json
+++ b/clients/garage-11.json
@@ -0,0 +1,4 @@
 {
  "name": "garage-11",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfZcNEQojtmaogd9vGP/\nMsVPhAOlQ4kxKgrUas+p+XT7lXRan6b3M8UZEleIaL1HWsjSVwtFWRnNl8kg8rF8\nNEkLeOX8kHf7IoXDFOQa2TXanY8tSqrfh9/heFunt4Q3DluVt7S3bBdwukbDXm/n\nXJS2EQP33eJT4reL6FpVR0oVlFCzI3Vmf7ieSHIBXrbXy7AIvGC2+NVXvQle6pqp\nx0rqU6Wc6ef/VtIv+vK3YFnt9ue3tC63mexyeNKgRYf1YjDx61wo2bOY2t8rqN8y\nHeZ3dmAN8/Vwjk5VGnZqK7kRQ92G4IcE+mEp7MuwXcLqQ9WB960o+evay+o1R5JS\nhwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-4.json
+++ b/clients/garage-4.json
@@ -1,4 +0,0 @@
 {
  "name": "garage-4",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8it7QtT6zDiJJqlyHKfQ\nLqwu6bLblD15WWxlUSiOdhz3njWDv1BIDCAdkCR3HAXgxvk8sMj9QkvWS7u1+bc4\nxvHrY4Tgfg+Tk1h3gGa7ukll8s1WLIbGjj89vrK8PFr4iuDqRytYRMmcdMsNzPkS\nKcsOjFYWGV7KM/OwoQGVIOUPB+WtkrFAvNkXtIU6Wd5orzFMjt/9DPF2aO7QegL8\nG1mQmXcPGl9NSDUXptn/kzFKm/p4n7pjy6OypFT192ak7OA/s+CvQlaVE2tb/M3c\ne4J6A+PInV5AGKY6BxI3QRQLZIlqE0FXawFKr1iRU4JP4tVnICXZqy+SDXQU1zar\nTQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-5.json
+++ b/clients/garage-5.json
@@ -1,4 +0,0 @@
 {
  "name": "garage-5",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJxLFOBbml94W/GAe7nm\ntZs1Ziy8IbqXySsm8bSwWhRMQ8UuseqQLG30R3Q5X5AoJbtNfd26l63qLtP2fFtL\n5km9dV+2FoIJWFetl8Wzr7CaLYAiNzTQSFHlV7+6DKmPMDcJ63GKrFR77vkSGOG6\nOWL1bJy5BOaClp/sKL/0WQ0+mRbTP6RCQ2eI+46clAg702SenBU6Nz9HDm+teKN7\nYlP1CvzXgfgfpDOsat7wGn5+oKcmKavZxcdn8bt5jRpg8v3JezaZIjMXt7XcNS4n\n0F4XO/efnZE5B5SN68j4BpD8N79zJw4HlRIGP+RaYv2qLtBeWgLHCCs9wXQXfj6b\nLwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-6.json
+++ b/clients/garage-6.json
@@ -1,4 +0,0 @@
 {
  "name": "garage-6",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwasYgWLM8ShvirFiKRE6\nGWqc3pMlvcrk4YnWAUW5Y/H26EnyexxWNfnwlEcq8thJ3M3hs7zkoF3Yk4uqX869\n4/niYqXwYgeE1K3gzLp4K1+w3yVupYAFVFStVEHJyuMlLJ+ulDEGvNdQDuIfw7+E\nr6DcDLa1o92Eo0wL1ihYyMilduH0LdFTixL+tEBXbbPWBa3RDJJCFsRF1+UC6hAH\nzmaWL661Gdzdabxjm/FlGUYkdbDqeInZq/1GMQqv+9/DcNRkWA9H7i4Ykrfpx4/2\nRZ8xtx/DbnJVB1zYoORygFMMAkTu5E+R8ropeI7Wi77Yq0S7laiRlYQYQml3x9ak\nzQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-9.json
+++ b/clients/garage-9.json
@@ -0,0 +1,4 @@
 {
  "name": "garage-9",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnMHzKE8JBrsQkmRDeMjX\n71mBzvRzNM90cwA8xtvIkXesdTyGqohX9k/PJbCY5ySGK9PpMaYDPVAnwnUP8LFQ\n3G98aSbLxUjqU/PBzRsnWpihehr05uz9zYcNFzr4LTNvGQZsq47nN9Tk+LG3zHP7\nAZViv2mJ4ZRnukXf6KHlyoVvhuTu+tiBM8QzjTF97iP/aguNPzYHmrecy9Uf5bSA\nZrbNZT+ayxtgswC2OclhRucx7XLSuHXtpwFqsQzSAhiX1aQ3wwCyH9WJtVwpfUsE\nlxTjcQiSM9aPZ8iSC0shpBaKD1j3iF/2K2Jk+88++zMhJJPLermvaJxzsdePgvyk\nKQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-5.json
+++ b/clients/postgres-5.json
@@ -1,4 +0,0 @@
 {
  "name": "postgres-5",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXZv6Gk+dhIVkTXH9hJ1\nt2oqsMSLmTUj71uPN+4j0rxCQriXa095Nle9ifJAxfwzQyKEpWKyZd1Hpyye6bL1\nwgWATZ/u5ZS4B63NhRFyDxgPlHWBBohaZBN42zeq0Y0PNGHPVGDH/zFDrpP22Q9Q\nYScsyXTauE/Yf8a/rKR5jdnoVsVVMxk0LHxka8FcM2cqVsDAcK7GqIG6epqNFY8P\nUb1P+mVxRwnkzvf1VtG212ezV/yw9uiQcUkHS+JwZMAgbC34k9iDyRmk6l4sj/Zk\nNem20ImMqdDzsrX8zEe21K+KNvpejPH9fxaNCwR8W+woBMMzqD3I7P9PbLjc70Rx\nRwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-7.json
+++ b/clients/postgres-7.json
@@ -0,0 +1,4 @@
 {
  "name": "postgres-7",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-8.json
+++ b/clients/postgres-8.json
@@ -0,0 +1,4 @@
 {
  "name": "postgres-8",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx88DgM/x1UbKRzgPexXE\nSyfrAsqaDVjqZz7yF3tqAc9A52Ol0KOM6NESoPWBVMbS86WtAjBcMHcOoQBJ+ovp\nXcjNlRtO1Il6/d4uCRr4CEDX+yeS0Qrt0SOORnoTbVlkq9VlVljyCmxk8VBCILzk\ndHvFr62mahMy6vOEcpCQgCwYE3ISH2jlTDz2agoK/CjIyyqFTlB1N7mJVGLrJdcA\nA2JOxDRE8HqOdpY7bHcHj4uyMWaKuM3zxXK04lhrvuPRfJUhXgsK9r5jeTEa8407\nqV9K+mB17R1dBeHmWEPDRt02HELe2SUjYmlmyVX73H2mWKDLBFpAFjOfz86CJ6jf\nDQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/data_bags/credentials/akaunting.json
+++ b/data_bags/credentials/akaunting.json
@@ -0,0 +1,31 @@
 {
  "id": "akaunting",
  "app_key": {
    "encrypted_data": "C7VVGHHrE/ESwtGeODf8zVraayO5uBSXaGR7f4yoj0MDq9WxPujItC3dIkMQ\ngjGzk8fH\n",
    "iv": "4+d+RMLeuqaneFBa\n",
    "auth_tag": "sBQDUVl6QbL/h9pd0kBQ0g==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "pg_database": {
    "encrypted_data": "4mqHsMfDAqPvDmGsWgS9iE63qVeus7diSW8WiA==\n",
    "iv": "6Cb1lVUcXBz+GA4u\n",
    "auth_tag": "8O3N0m8jGhxs/YacdhgNHA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "pg_username": {
    "encrypted_data": "Nu0wiBhvqUwqC7PL2Qo8otq0b3faJqRsabqp2g==\n",
    "iv": "1uA8mJc7itT0qHcx\n",
    "auth_tag": "PRWw6LTlFrWs63SDRsovtQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "pg_password": {
    "encrypted_data": "oXDKiXQ4aH5M2pVu1sx7dj0awKCORke03fq0uemjIfCMYbM=\n",
    "iv": "snPyC8mocevc5kGH\n",
    "auth_tag": "9wx4GPSydkYr2WGpZK5HZg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
 }
--- a/data_bags/credentials/akkounts.json
+++ b/data_bags/credentials/akkounts.json
@@ -1,72 +1,72 @@
 {
  "id": "akkounts",
  "postgresql_username": {
-    "encrypted_data": "bDlOkEmhvMgyVzPeTNUzYnzRLf3T9cc0cDxt\n",
+    "encrypted_data": "ofLOjxGBj7no+lWrIvtxQQFoeozCh6mpfMTt\n",
-    "iv": "GCCUoqU5pxQ7fGkv\n",
+    "iv": "/CF+o4GqZx2O5WOm\n",
-    "auth_tag": "Q7mrSHIBluMe3CGVmoR86Q==\n",
+    "auth_tag": "bjHXfgNQfXpQ2gucPLrUWA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "postgresql_password": {
-    "encrypted_data": "wD0HtdsNe/hl4ZaOy8hyr2k4z8TXQrrSja3KNVE47w==\n",
+    "encrypted_data": "f8Jfs4aqIjc6/6/NQlI2Fv8TzSgVmi5g0iYNhh9bAA==\n",
-    "iv": "tb5yz8WDer0CsGvJ\n",
+    "iv": "vAzrZeUodmu4x5eB\n",
-    "auth_tag": "/+K2anuCff/6M7Pu70Smqw==\n",
+    "auth_tag": "vx8eH2SY7I4IkZElXSC1Nw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "sentry_dsn": {
-    "encrypted_data": "jCz681x0WVixHYZUb62TO+1cgyJMiJ2UMqWcaztx57yDBOIiKW3oSZjuXdhP\n9WCesfXQF/lgzITZno3IKDqzlKjWgbGLC75y8FLguxidCHI=\n",
+    "encrypted_data": "oxW5jGU8DlIp5A9enxBhcJXuKyaZ5HziXq8Zw+Rbvpbv4C/RTGkJkgZdKcH1\nVzW/wNAT8nTK+nEvWgcQ3svjE40ltj2jcOexIRqLbuCClJE=\n",
-    "iv": "IRNOzN/hLwg1iqax\n",
+    "iv": "wpW9+VdX5GjocHSl\n",
-    "auth_tag": "eg9dWnEK04JDb94e4CFa9Q==\n",
+    "auth_tag": "1qrf1kZMrIR7WRiSaRjppQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_master_key": {
-    "encrypted_data": "nUB77VLRp41rluH7hLBwQqPtnh/HsmfLr2VbcIZHWawL3o2TGuY+mj648f9L\n7XsEpgqY\n",
+    "encrypted_data": "KHVYYH7Nb9/SsoKkYfbjzhFwj3Ioj72hm5pfdCuinf+GQvjKumq99eQTlKdf\nBZM1n0XN\n",
-    "iv": "fpdbDitqTRHxEKiv\n",
+    "iv": "x9AQZvw/vCinKQ8k\n",
-    "auth_tag": "I44fn8Ott3L/Y5LYr56U/Q==\n",
+    "auth_tag": "mi0KHHOTBvVNhtvqk38BtQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "discourse_connect_secret": {
-    "encrypted_data": "ENtMn+1XTVFmdEZw7LU6WGoMbSZY654ggm3vPACGfFgqo6r0LhG60c5OTdqv\nZvT5/Q==\n",
+    "encrypted_data": "WyLrV0DOsxyafSqyeQVj0BhVwm/0gvWeJLBsAbiqCGphryoYqUByPcum1T6R\n2H44nQ==\n",
-    "iv": "bL1BmvRhgxFqSM1P\n",
+    "iv": "lUtlJDv6Ieq8Bs5x\n",
-    "auth_tag": "sEBZzGWwwYFHn+4B4SsyCA==\n",
+    "auth_tag": "ku22BlQKw/BhHxuANTF6yg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "lndhub_admin_token": {
-    "encrypted_data": "4LPGFoARzI8UYnsJPIk8sax/rAA16pUULEZWn86e2C7L\n",
+    "encrypted_data": "DQuxQW8ks3sUzyHYEpQVyPg2f/U4/LWeRoCD9225Hd+c\n",
-    "iv": "nvjXrOwgfgutwEVw\n",
+    "iv": "mjxYi+YAcKGuurD2\n",
-    "auth_tag": "A89RUf1sdcS3FVscNPWYLg==\n",
+    "auth_tag": "8P3bFFNeQ5HQgpXDB5Sk5A==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "btcpay_auth_token": {
-    "encrypted_data": "ky5iWYF06os0Ek6vIRzWqMTekqJhCOh/Q9DTDIeKhSyk8TnT3O71lCNEt1F5\nXCNq6ux3V6oyHVLWj0o=\n",
+    "encrypted_data": "3wsY9osaUdX4SvBPfHprNLSbx6/rfI5BfXnDxsc6OET3nGn19qBhH6wgeiwZ\n/dweqdQ25HpbFPygddc=\n",
-    "iv": "zk6WnxsY89oNW1F9\n",
+    "iv": "ccouibxktHLlUCQJ\n",
-    "auth_tag": "FAIMXKvQ1T7QKezVSNJbwQ==\n",
+    "auth_tag": "pWuRC8O2EAkmztL/9V3now==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_access_key": {
-    "encrypted_data": "KfhfEGwPjOonlz6rpnNTinXFPqX/sIbqQn/aby0UDi/G/7cvEcOiNcCkfuSz\n",
+    "encrypted_data": "hJGHa+hEmddtsZ4UncrYBkjRa/2Csqdh79tXpTVxUWbIsYGdlvyadk7C1UCj\n",
-    "iv": "Q3rg06v6K9pUDLDY\n",
+    "iv": "GlxNdnWiNzmNYthg\n",
-    "auth_tag": "G5ugdlJ896KtYtObKLclJA==\n",
+    "auth_tag": "hlRLkroUN01L7VzQFBU/IA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_secret_key": {
-    "encrypted_data": "N8s1OoDrYXHjqSydQA0kY7dd68Aelq4+/cgmJlYfP92u4YA17V4TR7fsvQZL\nkqjuUSClNYPc0XiCwf/5gxVirE9AO6OmmvSV7lUyu4hcEY6unrU=\n",
+    "encrypted_data": "LKdQJOKIfFIoiF3GvfTs1mg3AI//Aoi8r42zcw8QhEVPB8ONsSf0/vhM037C\nf5nzUk7xwglvTOveqbOM+UTBJF/4oblQfgwFW3VobWUGkJqjtKE=\n",
-    "iv": "bXzIVWnX6V0P6PRb\n",
+    "iv": "tWTxzK/ccpjlLmQV\n",
-    "auth_tag": "1EOjCfsX9P6ETjUsgBvBsA==\n",
+    "auth_tag": "n2MFkTIquyqz4wqRNdSJcg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "nostr_private_key": {
-    "encrypted_data": "Sf8PEyQ0sqcgxddSlIDxLOVzPjOkTFObsYuTgcxkbEV7igrati4e8QVVUEBD\n1yoLJXelp8jlCr28Ectci29jc53gYSMTLSQsw97uYas2R0dGCqQ=\n",
+    "encrypted_data": "CPMeNxzpYMReaQU4+v+EqpVESRsnaYc3a4y7OkHOhtn2gjaNEDERGKvRmlyd\nD6vxKPcIrwTCZ7neJ3YLOVOxPDNv6skqdtMHBwSgl7aBEOrx7tY=\n",
-    "iv": "+1CIUyvIUOveLrY4\n",
+    "iv": "AV1on2sw1avmFFuY\n",
-    "auth_tag": "GDqS+IuAIfMBmHIeFXaV7A==\n",
+    "auth_tag": "9rb9qQBKrj5Xja1t+qROKQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/data_bags/credentials/backup.json
+++ b/data_bags/credentials/backup.json
@@ -1,27 +1,38 @@
 {
  "id": "backup",
  "s3_access_key_id": {
-    "encrypted_data": "emGNH4v7TTEh05Go/DsI3k7CFnaK4p/4JxodC4BYpyWw47/Z3dsuRMu4vXM3\n3YLH\n",
+    "encrypted_data": "245TrPvuoBRRTimhbt6qqsFb+JnnD377sPt1pguJy7Q2BXOy/jrX0wyMt+cP\nuA==\n",
-    "iv": "Dau+ekb3UTYdl8w3fQKVcA==\n",
+    "iv": "ylmRxSRO3AA4MSJN\n",
-    "version": 1,
+    "auth_tag": "45tBcYZowPLrbv4Zu2P0Fw==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_secret_access_key": {
-    "encrypted_data": "Mxyly86JxrWUbubbSiqPdRosChzfI1Q8eBEG4n+2B9JJG4yExltO5Wc5kgSs\nX01MPXAc+PGLm+J9MngUtypo/g==\n",
+    "encrypted_data": "jDIOjlBzTkBUzpj243T6KnBuH0qwyW7BUFMcqllljFSzxs7K8wYJOUreNbOP\ny8OpDWAuO0H4O4LuFMJXeM8=\n",
-    "iv": "WRhBJGiuScYYsUsoT5j/UA==\n",
+    "iv": "PzvZr37EkJqz6JtM\n",
-    "version": 1,
+    "auth_tag": "e3XW8oHVgmYibv/IBzj0yA==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_endpoint": {
    "encrypted_data": "ErJIEChxrreW7WKEwRtuP2MyYlsZRtqLdGa/x5QY58qgO036FgR3Hs2Z3yce\n",
    "iv": "HOSAOgUjO7XGwk50\n",
    "auth_tag": "XE1bwMIXHHE72V9K2KOLnw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_region": {
-    "encrypted_data": "2ZGxu0tVzKNfx3K1Wleg0SAwGaPkHCi/XfKpJ+J7q40=\n",
+    "encrypted_data": "8cNSaYu7HH95ftG66lFdUIPZD7soz907CPA=\n",
-    "iv": "CNTZW2SEIgfw+IyzGI3TzQ==\n",
+    "iv": "pU21ulF75y/SIs3x\n",
-    "version": 1,
+    "auth_tag": "7WQQCbSbB2GybjY+C+5IvQ==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "encryption_password": {
-    "encrypted_data": "tsBWKBwhQFfEAM0EWMPtljSbqU1c5mOJXPjYJjNT5RUFhPlqa7gsE8aJbs+D\nSPKjAQ62j+iHeqCk9mE9CCkgBA==\n",
+    "encrypted_data": "l23CiIO2s1fIRn0NdoWZ+wK+Zhx3hCYDHf4ypjqMRekZ7xqafvXHHuogD5aj\npxYUKloH\n",
-    "iv": "uq5YAXuq2ynRLv9EIWoCFA==\n",
+    "iv": "Dzx83eP9L7Jqqidh\n",
-    "version": 1,
+    "auth_tag": "UVn5XA5Tgsikc1GdOt1MUQ==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
    "cipher": "aes-256-gcm"
  }
 }
--- a/data_bags/credentials/gandi_api.json
+++ b/data_bags/credentials/gandi_api.json
@@ -1,23 +1,23 @@
 {
  "id": "gandi_api",
  "key": {
-    "encrypted_data": "d3/rJMX6B9GuzUt0/mIk/lgQ3qGyQdbNXH6UEm3ZX7DeSl+rbW9FPJCRWg==\n",
+    "encrypted_data": "Ky1/PdywtEIl5vVXhzu3n2JetqOxnNjpjQ7yCao6qwIAn8oYxnv1c1hFAQ==\n",
-    "iv": "15YVAYla7PqqVOab\n",
+    "iv": "stAc2FxDvUqrh0kt\n",
-    "auth_tag": "xQSq+ld6SDOAER07N4ZkUQ==\n",
+    "auth_tag": "rcK4Qt+f2O4Zo5IMmG0fkw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "access_token": {
-    "encrypted_data": "geQwcNosiJZmqbbMpD/I+a2yueBzpV6C8Rb7vrCD8kR161ZRjvqLe+g/1XpT\n2/65wKYDMTrdto1I030=\n",
+    "encrypted_data": "J7zoLhEbPfPjnVWBmFmDdPKRer5GGw2o6Ad0uinznANugfaDiqjyYinOdEDF\nHlAqLmXv4J40rr3F+o4=\n",
-    "iv": "1sj58eyooOZ8FTYn\n",
+    "iv": "fAxFqVh9QqrfBsPW\n",
-    "auth_tag": "yBNfgWXaToc06VDLly/HUw==\n",
+    "auth_tag": "9ugi4frDLv8f7X0X1+k4DA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "domains": {
-    "encrypted_data": "p5rIQTyCE+0d4HIuA4GKEAFekh7qEC4xe9Rm/kP0DyzY83FO0/4uKIvYoZRB\n",
+    "encrypted_data": "X0KOKlJp5GYbKcq/jzmlaMmTXV1U7exWSqi3UxX9Sw==\n",
-    "iv": "LWlx98NSS1/ngCH1\n",
+    "iv": "9JucnYLlYdQ9N6pd\n",
-    "auth_tag": "FID+x/LjTZ3cgQV5U2xZLA==\n",
+    "auth_tag": "sERYPDnVUJwVfSS8/xrPpQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/data_bags/credentials/mastodon.json
+++ b/data_bags/credentials/mastodon.json
@@ -1,93 +1,114 @@
 {
  "id": "mastodon",
  "active_record_encryption_deterministic_key": {
    "encrypted_data": "2ik8hqK7wrtxyC73DLI8FNezZiWp2rdjwaWZkTUFRj+iwvpSrGVEwMx6uxDI\nWa7zF3p/\n",
    "iv": "XMp6wqwzStXZx+F3\n",
    "auth_tag": "vloJOLqEcghfQXOYohVVlg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "active_record_encryption_key_derivation_salt": {
    "encrypted_data": "Nq/rHayMYmT/82k3tJUKU8YTvDKUKLoK204aT0CMGZertZaAD3dtA9AkprrA\nPK0D9CdL\n",
    "iv": "tn9C+igusYMH6GyM\n",
    "auth_tag": "+ReZRNrfpl6ZDwYQpwm6dw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "active_record_encryption_primary_key": {
    "encrypted_data": "UEDMuKHgZDBhpB9BwbPmtdmIDWHyS9/bSzaEbtTRvLcV8dGOE5q9lDVIIsQp\n2HE0c92p\n",
    "iv": "tnB0pQ3OGDne3mN/\n",
    "auth_tag": "kt234ms+bmcxJj/+FH/72Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "paperclip_secret": {
-    "encrypted_data": "VJn4Yd2N7qFV+nWXPjPA8Y2KEXL/gZs2gK5E3DZZc9ogFXV7RtpDtq+NKGJU\ndpR8ohtEZvkyC+iBkMAlnS1sSVKiLdQ1xXvbzkj04mYgjnLvwsZ19uVpBGwR\nt/DON7Bhe5Fw+OyrBQksqNcZQSpB9sMBfgA1IgCpdVGHQ8PmkMbFTaZZYcoF\n7gg3yUw5/0t3vRdL\n",
+    "encrypted_data": "AlsnNTRF6GEyHjMHnC4VdzF4swMlppz/Gcp1xr0OuMEgQiOcW1oSZjDRZCRV\nmuGqZXZx64wqZyzTsJZ6ayCLsmWlPq6L21odHWyO+P/C5ubenSXnuCjpUn3/\nHs8WLX3kwVmqCRnVgDl2vEZ5H4XedSLr7R7YM7gQkM0UX4muMDWWnOTR8/x/\ni1ecwBY5RjdewwyR\n",
-    "iv": "X5atp/KaIurfln/u\n",
+    "iv": "RWiLePhFyPekYSl9\n",
-    "auth_tag": "mVnBoUb5HwhXNYUddJbq8Q==\n",
+    "auth_tag": "sUq4ZX9CFKPbwDyuKQfNLQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "secret_key_base": {
-    "encrypted_data": "d0sNREFhzQEJhkRzielbCNBJOVAdfThv7zcYTZ1vFZ20i/mzB9GWW2nb+1yn\nNFjAq8wCLpLXn9n3FClE+WOqnAw0jwTlyScRM5lzjKI5SxHKkBQHGyFs2AF8\nqFjEvpiqxhjsc4kNOJGO8DdcyHuulXyaO9fJg8HDnU1ov1vSSuTc0ABKgycY\nMq/Xt10UXnhP8cPw\n",
+    "encrypted_data": "K5CmIXFa9mS4/dODBQAN9Bw0SFpbLiZAB8ewiYpkB8NDXP6X/BX8aDjW2Y4F\ncMvpFyiFldRBhrh1MSKTVYQEoJ3JhlNL9HCdPsAYbBEW70AuEBpHvOtD5OxH\nqgbH4Reuk6JX5AI8SwDD3zGrdT12mTFVNgSujzuZMvpi1Sro2HtRGAkjmnaa\nMGKrBV21O1CREJJg\n",
-    "iv": "HFT7fdGQ2KRJ2NFy\n",
+    "iv": "/yMMmz1YtKIs5HSd\n",
-    "auth_tag": "C55JT2msLQCoI+09VKf+Jw==\n",
+    "auth_tag": "WXgIVWjIdbMFlJhTD5J0JQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "otp_secret": {
-    "encrypted_data": "1iH7mUkaUzyn9dfDwMdiJ8X059qWSUO3DqivsOFfI1f44nMnzllaYPu6nh8O\nNLNCOzvsSAonhhaq1X+foOdyPIG2mGhE/juKveDD57/AdZAayHWsbsQlPC4l\nwdShz/ANrq0YZ/zOhpT2sZj1TZavW+S+JlxJFX2kP24D4dUzwG0vNj7522+Q\n9NAApJdUte1ZYF/b\n",
+    "encrypted_data": "OPLnYRySSIDOcVHy2A5V+pCrz9zVIPjdpAGmCdgQkXtJfsS9NzNtxOPwrXo6\nuQlV9iPjr1Y9ljGKYytbF0fPgAa5q6Z1oHMY9vOGs/LGKj8wHDmIvxQ+Gil1\nC+dZEePmqGaySlNSB/gNzcFIvjBH3mDxHJJe9hDxSv5miNS9l9f3UvQeLP2M\nU7/aHKagL9ZHOp/d\n",
-    "iv": "00/vs5zTdoC19+pS\n",
+    "iv": "wqJBLdZhJ7M/KRG9\n",
-    "auth_tag": "3cjYqebMshnmWkQ3SdRcCQ==\n",
+    "auth_tag": "dv5YyZszZCrRnTleaiGd4A==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "aws_access_key_id": {
-    "encrypted_data": "krcfpxOrAkwZR2GP4glTaFg2dw/COw8BO8I+KICqyl4bvpL5NrB9\n",
+    "encrypted_data": "A1/gfcyrwT6i9W6aGTJ8pH4Dm4o8ACDxvooDroA/2N0szOiNyiYX\n",
-    "iv": "paoDKp6EIU8bjxzF\n",
+    "iv": "JNvf21KhdM3yoLGt\n",
-    "auth_tag": "p6Pt/tz5dgGXzW5cO06nBg==\n",
+    "auth_tag": "2xaZql1ymPYuXuvXzT3ymA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "aws_secret_access_key": {
-    "encrypted_data": "aQySCT7gxeNiMMocq81KtIi+YzrZwMBeTd4LrRSN8iNEikWReJrrfagBwozy\n+Gfdw4bMGzY1dhF1Sl4=\n",
+    "encrypted_data": "T1tc01nACxhDgygKaiAq3LChGYSgmW8LAwr1aSxXmJ5D2NtypJDikiHrJbFZ\nfWFgm1qe4L8iD/k5+ro=\n",
-    "iv": "R/hvvOvmqq/uoKbx\n",
+    "iv": "FDTPQQDLUMKW7TXx\n",
-    "auth_tag": "QBJY/3+OprBXO/FSNwv2OQ==\n",
+    "auth_tag": "msY6PFFYhlwQ0X7gekSDiw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "ldap_bind_dn": {
-    "encrypted_data": "wDPABdL+DlXz2WWV4XwW20kM4EWPSwc/ajBmbdYMnjFau6c76CIBpbFhrFoj\n3mwDbHz8cgOnLNvozXSV4w6N7URCN/mWWTBHNhd3ppw=\n",
+    "encrypted_data": "C/YNROVyOxmR4O2Cy52TX41EKli2bCOMzwYD+6Hz/SiKkgidnKUHlvHlbTDq\nkWwlRDM2o8esOCKaEAGPNWcNc9IHlaSsfwhr4YWnwe0=\n",
-    "iv": "8rQ0M4LT1HbCNpq9\n",
+    "iv": "QCQF0+vH+//+nDxr\n",
-    "auth_tag": "AuO5R6WCtd75TGJNfgFSCg==\n",
+    "auth_tag": "a0PbyO/7wjufqH2acDCqmQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "ldap_password": {
-    "encrypted_data": "y0t8RuptVYiTKmUhaAWsC4c2ZzhQsYeVLeMPiQBn+Q==\n",
+    "encrypted_data": "SqwKeiyzfvvZGqH5gi35BdW3W+Fo/AQQjso1Yfp2XA==\n",
-    "iv": "mixYzDKkPSIDQ/l+\n",
+    "iv": "md2/etFJ1r/BKaYg\n",
-    "auth_tag": "DbLlZG7rlgBmyCdJ3nhSYA==\n",
+    "auth_tag": "OlCCOoYSD7ukdH2yWCd6KA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "smtp_user_name": {
-    "encrypted_data": "Ugc29HUFcirv6jOOlYNs9uvmhfwa2rG41im/MusCx0Vu0AZKcdy0krGi/kCZ\nKg==\n",
+    "encrypted_data": "0kzppmSSUg7lEyYnI5a0nf+xO0vSVx88rbxI+niIdzFOOBKSIL6uVHJ340dw\nMQ==\n",
-    "iv": "ZlDK854w+vTNmeJe\n",
+    "iv": "lQR77ETTtIIyaG1r\n",
-    "auth_tag": "Nj95g0JMxrT419OLQIX26g==\n",
+    "auth_tag": "smF2HRg8WdmD+MWwkT3TqA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "smtp_password": {
-    "encrypted_data": "D1TGjRfmM1ZeUmzwewlKXfQvvqTSzpzNlK5MKIU8dxbAH175UKn5qiemDEWe\nRYPe1LWT\n",
+    "encrypted_data": "1i0m9qiZA/8k8fMKo+04uyndl1UhagtHweBFICIorWALkB68edjb8OhUDxv9\nTubiXYRC\n",
-    "iv": "D1OVfD5bMcefM5DP\n",
+    "iv": "IU2x4ips9HWmKoxi\n",
-    "auth_tag": "2E/q2gTbdXiLVnOMDeJv9w==\n",
+    "auth_tag": "BZJTDfPBvt8cf6/MbKzUJQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "vapid_private_key": {
-    "encrypted_data": "+87bVrbd/XvWhZH1IYusc4Hla7ZZmylptAyJf48CMG/F3SMEO33OqW2I+UWh\nSkqbxai5+GaMhvZHB8U2Clod\n",
+    "encrypted_data": "+LmySMvzrV3z2z7BmJG9hpvkL06mGc87RG20XQhhdAJ2Z/5uMMjev2pUf7du\ntv2qvDJAimhkZajuDGL9R3eq\n",
-    "iv": "HVhNdFQl0TvCcjsa\n",
+    "iv": "Mg7NhPl31O6Z4P+v\n",
-    "auth_tag": "EEQXuQ5keOHXmchhBh+Ixw==\n",
+    "auth_tag": "qYWPInhgoWAjg0zQ+XXt5w==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "vapid_public_key": {
-    "encrypted_data": "nBm1lXbn1+Kzol95+QSEjsUI/n7ObhdEqEyfYcVSP/LiLy57KOBQDu6CjSMz\n+PN9yEP4lOjtscqHS29jTC2vi3PSui9XpOFHRxFBnDuyKxczrnID2KlLCNRQ\n228G3VRgFIMAWMYKACgzUk0=\n",
+    "encrypted_data": "NOyc+Cech9qG2HhnhajDaJMWd1OU5Rp6hws6i4xF5mLPePMJ9mJTqzklkuMK\npYSEdtcxA3KmDt1HrFxfezYUc9xO9pvlm0BPA7XAFmF/PU7/AJbFqgPU6pX/\ntSDLSdFuMB3ky+cl4DJi+O4=\n",
-    "iv": "xHrVl+4JGkQbfUW3\n",
+    "iv": "rgUglYiHB/mhqGha\n",
-    "auth_tag": "rfFoBMocq17YiDSlOCvWqw==\n",
+    "auth_tag": "DEX7hdNsNLi/LIrMkdUe/Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_key_id": {
-    "encrypted_data": "pq0+VZhjoxzLuyY34f23wOmuks9Wevt8Wu6muKZAsZMSuU0iJvlRoK/65Qa0\n",
+    "encrypted_data": "rPVzrYYIbcM+ssVpdL6wpCTdzLIEKXke1+eMlPLMG2gPuoh+W3eO3nFGb/s2\n",
-    "iv": "QTxO+IfYcpI170ON\n",
+    "iv": "/qI8F9cvnfKG7ZXE\n",
-    "auth_tag": "4ZHva2iBYgDv6DyhMRRXzA==\n",
+    "auth_tag": "z1+MPdkO/+SCaag2ULelPg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_secret_key": {
-    "encrypted_data": "YMZqKtOXDPAME8IWWC+lO8TsxHMzawlbTju9z/Hcb5DnQAOy82QufTN90m73\n/xikUboAdKcA5YGn0mkm+Rt/ygVR6DFirYV3kwi2M3qyGVJifug=\n",
+    "encrypted_data": "RMnB9kZ+slbQXfpo0udYld6S1QqBxqM1YbszdLfSAdKK9I0J3Kmvh/CQ5Fbx\nyov6LClmsl1rjtH16r7cY32M4Woq+6miERdtecyDrrYkNHz0xkA=\n",
-    "iv": "9AwabheRFOgC8IKR\n",
+    "iv": "pO7bm3aOtjuwYjG/\n",
-    "auth_tag": "iU2kkA1q8OsblN5jaZrWGQ==\n",
+    "auth_tag": "SRvn4z1+Vd5VAGgjG64s+Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/environments/production.json
+++ b/environments/production.json
@@ -108,13 +108,15 @@
      "real_ip_header": "x-real-ip",
      "policy_path": "/opt/strfry/strfry-policy.ts",
      "whitelist_pubkeys": [
-        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
+        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
        "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf"
      ],
      "info": {
        "name": "Kosmos Relay",
        "description": "Members-only nostr relay for kosmos.org users",
-        "pubkey": "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb",
+        "pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
-        "contact": "ops@kosmos.org"
+        "contact": "ops@kosmos.org",
        "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
      }
    }
  }
--- a/nodes/akaunting-1.json
+++ b/nodes/akaunting-1.json
@@ -0,0 +1,66 @@
 {
  "name": "akaunting-1",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.215"
    }
  },
  "automatic": {
    "fqdn": "akaunting-1",
    "os": "linux",
    "os_version": "5.15.0-1069-kvm",
    "hostname": "akaunting-1",
    "ipaddress": "192.168.122.162",
    "roles": [
      "base",
      "kvm_guest",
      "akaunting",
      "postgresql_client"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::hostsfile",
      "kosmos_akaunting",
      "kosmos_akaunting::default",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
      "kosmos-nodejs::default",
      "nodejs::nodejs_from_package",
      "nodejs::repo"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.5.0",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.1.11",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[akaunting]"
  ]
 }
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@@ -16,7 +16,6 @@
      "kvm_guest",
      "sentry_client",
      "bitcoind",
      "cln",
      "lnd",
      "lndhub",
      "postgresql_client",
@@ -30,10 +29,8 @@
      "tor-full",
      "tor-full::default",
      "kosmos-bitcoin::bitcoind",
      "kosmos-bitcoin::c-lightning",
      "kosmos-bitcoin::lnd",
      "kosmos-bitcoin::lnd-scb-s3",
      "kosmos-bitcoin::boltz",
      "kosmos-bitcoin::rtl",
      "kosmos-bitcoin::peerswap-lnd",
      "kosmos_postgresql::hostsfile",
@@ -103,7 +100,6 @@
    "role[sentry_client]",
    "recipe[tor-full]",
    "role[bitcoind]",
    "role[cln]",
    "role[lnd]",
    "role[lndhub]",
    "role[btcpay]"
--- a/nodes/garage-10.json
+++ b/nodes/garage-10.json
@@ -1,17 +1,17 @@
 {
-  "name": "garage-4",
+  "name": "garage-10",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.104"
+      "host": "10.1.1.27"
    }
  },
  "automatic": {
-    "fqdn": "garage-4",
+    "fqdn": "garage-10",
    "os": "linux",
-    "os_version": "5.4.0-132-generic",
+    "os_version": "5.4.0-1090-kvm",
-    "hostname": "garage-4",
+    "hostname": "garage-10",
-    "ipaddress": "192.168.122.123",
+    "ipaddress": "192.168.122.70",
    "roles": [
      "base",
      "kvm_guest",
@@ -23,7 +23,8 @@
      "kosmos_kvm::guest",
      "kosmos_garage",
      "kosmos_garage::default",
-      "kosmos_garage::firewall",
+      "kosmos_garage::firewall_rpc",
      "kosmos_garage::firewall_apis",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@@ -38,21 +39,20 @@
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
-      "firewall::default",
+      "firewall::default"
      "chef-sugar::default"
    ],
    "platform": "ubuntu",
    "platform_version": "20.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "17.10.3",
+        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "17.9.0",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
--- a/nodes/garage-11.json
+++ b/nodes/garage-11.json
@@ -1,17 +1,17 @@
 {
-  "name": "garage-5",
+  "name": "garage-11",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.33"
+      "host": "10.1.1.165"
    }
  },
  "automatic": {
-    "fqdn": "garage-5",
+    "fqdn": "garage-11",
    "os": "linux",
-    "os_version": "5.15.0-84-generic",
+    "os_version": "5.15.0-1059-kvm",
-    "hostname": "garage-5",
+    "hostname": "garage-11",
-    "ipaddress": "192.168.122.55",
+    "ipaddress": "192.168.122.9",
    "roles": [
      "base",
      "kvm_guest",
@@ -46,13 +46,13 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.3.0",
+        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.1.4",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
--- a/nodes/garage-9.json
+++ b/nodes/garage-9.json
@@ -1,17 +1,17 @@
 {
-  "name": "garage-6",
+  "name": "garage-9",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.161"
+      "host": "10.1.1.223"
    }
  },
  "automatic": {
-    "fqdn": "garage-6",
+    "fqdn": "garage-9",
    "os": "linux",
    "os_version": "5.4.0-1090-kvm",
-    "hostname": "garage-6",
+    "hostname": "garage-9",
-    "ipaddress": "192.168.122.213",
+    "ipaddress": "192.168.122.21",
    "roles": [
      "base",
      "kvm_guest",
@@ -46,13 +46,13 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.3.0",
+        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.1.4",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
--- a/nodes/gitea-2.json
+++ b/nodes/gitea-2.json
@@ -32,6 +32,7 @@
      "kosmos_postgresql::hostsfile",
      "kosmos_gitea",
      "kosmos_gitea::default",
      "kosmos_gitea::backup",
      "kosmos_gitea::act_runner",
      "apt::default",
      "timezone_iii::default",
@@ -47,7 +48,9 @@
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
-      "firewall::default"
+      "firewall::default",
      "backup::default",
      "logrotate::default"
    ],
    "platform": "ubuntu",
    "platform_version": "20.04",
--- a/nodes/her.json
+++ b/nodes/her.json
@@ -9,7 +9,7 @@
  "automatic": {
    "fqdn": "her",
    "os": "linux",
-    "os_version": "5.15.0-84-generic",
+    "os_version": "5.15.0-101-generic",
    "hostname": "her",
    "ipaddress": "192.168.30.172",
    "roles": [
--- a/nodes/mail.kosmos.org.json
+++ b/nodes/mail.kosmos.org.json
@@ -10,7 +10,7 @@
    "fqdn": "mail.kosmos.org",
    "os": "linux",
    "os_version": "5.15.0-1048-kvm",
-    "hostname": "mail",
+    "hostname": "mail.kosmos.org",
    "ipaddress": "192.168.122.131",
    "roles": [
      "base",
--- a/nodes/mastodon-3.json
+++ b/nodes/mastodon-3.json
@@ -63,8 +63,6 @@
      "redisio::disable_os_default",
      "redisio::configure",
      "redisio::enable",
      "nodejs::npm",
      "nodejs::install",
      "backup::default",
      "logrotate::default"
    ],
--- a/nodes/postgres-6.json
+++ b/nodes/postgres-6.json
@@ -13,12 +13,21 @@
    "ipaddress": "192.168.122.60",
    "roles": [
      "base",
-      "kvm_guest"
+      "kvm_guest",
      "postgresql_primary"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::primary",
      "kosmos_postgresql::firewall",
      "kosmos_akaunting::pg_db",
      "kosmos-bitcoin::lndhub-go_pg_db",
      "kosmos-bitcoin::nbxplorer_pg_db",
      "kosmos_drone::pg_db",
      "kosmos_gitea::pg_db",
      "kosmos-mastodon::pg_db",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@@ -52,6 +61,6 @@
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
-    "role[postgresql_replica]"
+    "role[postgresql_primary]"
  ]
 }
--- a/nodes/postgres-7.json
+++ b/nodes/postgres-7.json
@@ -1,32 +1,29 @@
 {
-  "name": "postgres-5",
+  "name": "postgres-7",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.54"
+      "host": "10.1.1.134"
    }
  },
  "automatic": {
-    "fqdn": "postgres-5",
+    "fqdn": "postgres-7",
    "os": "linux",
-    "os_version": "5.4.0-153-generic",
+    "os_version": "5.4.0-1123-kvm",
-    "hostname": "postgres-5",
+    "hostname": "postgres-7",
-    "ipaddress": "192.168.122.211",
+    "ipaddress": "192.168.122.89",
    "roles": [
      "base",
      "kvm_guest",
-      "postgresql_primary"
+      "postgresql_replica"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
-      "kosmos_postgresql::primary",
+      "kosmos_postgresql::hostsfile",
      "kosmos_postgresql::replica",
      "kosmos_postgresql::firewall",
      "kosmos-bitcoin::lndhub-go_pg_db",
      "kosmos-bitcoin::nbxplorer_pg_db",
      "kosmos_drone::pg_db",
      "kosmos_gitea::pg_db",
      "kosmos-mastodon::pg_db",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@@ -47,19 +44,19 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.2.7",
+        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.1.4",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
-    "role[postgresql_primary]"
+    "role[postgresql_replica]"
  ]
 }
--- a/nodes/postgres-8.json
+++ b/nodes/postgres-8.json
@@ -0,0 +1,62 @@
 {
  "name": "postgres-8",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.99"
    }
  },
  "automatic": {
    "fqdn": "postgres-8",
    "os": "linux",
    "os_version": "5.15.0-1059-kvm",
    "hostname": "postgres-8",
    "ipaddress": "192.168.122.100",
    "roles": [
      "base",
      "kvm_guest",
      "postgresql_replica"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::hostsfile",
      "kosmos_postgresql::replica",
      "kosmos_postgresql::firewall",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.5.0",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.1.11",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[postgresql_replica]"
  ]
 }
--- a/nodes/wiki-1.json
+++ b/nodes/wiki-1.json
@@ -8,16 +8,19 @@
  "automatic": {
    "fqdn": "wiki-1",
    "os": "linux",
-    "os_version": "5.4.0-91-generic",
+    "os_version": "5.4.0-167-generic",
    "hostname": "wiki-1",
    "ipaddress": "192.168.122.26",
    "roles": [
-      "kvm_guest"
+      "base",
      "kvm_guest",
      "ldap_client"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos-dirsrv::hostsfile",
      "kosmos-mediawiki",
      "kosmos-mediawiki::default",
      "apt::default",
@@ -41,7 +44,6 @@
      "php::package",
      "php::ini",
      "composer::global_configs",
      "kosmos-dirsrv::hostsfile",
      "mediawiki::default",
      "mediawiki::database",
      "kosmos-nginx::default",
--- a/roles/akaunting.rb
+++ b/roles/akaunting.rb
@@ -0,0 +1,6 @@
 name "akaunting"
 run_list %w[
  role[postgresql_client]
  kosmos_akaunting::default
 ]
--- a/roles/gitea.rb
+++ b/roles/gitea.rb
@@ -3,4 +3,5 @@ name "gitea"
 run_list %w(
  role[postgresql_client]
  kosmos_gitea::default
  kosmos_gitea::backup
 )
--- a/roles/lnd.rb
+++ b/roles/lnd.rb
@@ -3,7 +3,6 @@ name "lnd"
 run_list %w(
  kosmos-bitcoin::lnd
  kosmos-bitcoin::lnd-scb-s3
  kosmos-bitcoin::boltz
  kosmos-bitcoin::rtl
  kosmos-bitcoin::peerswap-lnd
 )
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@@ -3,6 +3,7 @@ name "postgresql_primary"
 run_list %w(
  kosmos_postgresql::primary
  kosmos_postgresql::firewall
  kosmos_akaunting::pg_db
  kosmos-bitcoin::lndhub-go_pg_db
  kosmos-bitcoin::nbxplorer_pg_db
  kosmos_drone::pg_db
--- a/site-cookbooks/backup/attributes/default.rb
+++ b/site-cookbooks/backup/attributes/default.rb
@@ -42,5 +42,5 @@ default['backup']['orbit']['keep'] = 10
 default['backup']['cron']['hour'] = "05"
 default['backup']['cron']['minute'] = "7"
-default['backup']['s3']['keep'] = 15
+default['backup']['s3']['keep'] = 10
-default['backup']['s3']['bucket'] = "kosmos-dev-backups"
+default['backup']['s3']['bucket'] = "kosmos-backups"
--- a/site-cookbooks/backup/recipes/default.rb
+++ b/site-cookbooks/backup/recipes/default.rb
@@ -28,6 +28,7 @@ template "#{backup_dir}/config.rb" do
  sensitive true
  variables s3_access_key_id: backup_data["s3_access_key_id"],
            s3_secret_access_key: backup_data["s3_secret_access_key"],
            s3_endpoint: backup_data["s3_endpoint"],
            s3_region: backup_data["s3_region"],
            encryption_password: backup_data["encryption_password"],
            mail_from: "backups@kosmos.org",
--- a/site-cookbooks/backup/templates/default/config.rb.erb
+++ b/site-cookbooks/backup/templates/default/config.rb.erb
@@ -23,6 +23,10 @@ Storage::S3.defaults do |s3|
  s3.secret_access_key = "<%= @s3_secret_access_key %>"
  s3.region            = "<%= @s3_region %>"
  s3.bucket            = "<%= node['backup']['s3']['bucket'] %>"
  s3.fog_options       = {
    endpoint: "<%= @s3_endpoint %>",
    aws_signature_version: 2
  }
 end
 Encryptor::OpenSSL.defaults do |encryption|
@@ -88,7 +92,6 @@ end
 preconfigure 'KosmosBackup' do
  split_into_chunks_of 250 # megabytes
  store_with S3
  compress_with Bzip2
  encrypt_with OpenSSL
  notify_by Mail do |mail|
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
@@ -14,6 +14,10 @@ server {
  listen [::]:443 ssl http2;
  server_name <%= @domain %>;
  if ($host != $server_name) {
    return 301 $scheme://$server_name$request_uri;
  }
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
@@ -39,6 +43,9 @@ server {
  location @proxy {
    proxy_set_header Host $http_host;
    set $x_forwarded_host $http_x_forwarded_host;
    if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
    proxy_set_header X-Forwarded-Host $x_forwarded_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
--- a/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
+++ b/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
@@ -56,7 +56,6 @@ action :create do
      command <<-CMD
      certbot certonly --manual -n \
        --preferred-challenges dns \
        --manual-public-ip-logging-ok \
        --agree-tos \
        --manual-auth-hook '#{hook_auth_command}' \
        --manual-cleanup-hook '#{hook_cleanup_command}' \
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '26.0'
+node.default['bitcoin']['version']   = '28.0'
-node.default['bitcoin']['checksum']  = 'ab1d99276e28db62d1d9f3901e85ac358d7f1ebcb942d348a9c4e46f0fcdc0a1'
+node.default['bitcoin']['checksum']  = '700ae2d1e204602eb07f2779a6e6669893bc96c0dca290593f80ff8e102ff37f'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'
@@ -24,7 +24,8 @@ node.default['bitcoin']['conf'] = {
  rpcbind: "127.0.0.1:8332",
  gen: 0,
  zmqpubrawblock: 'tcp://127.0.0.1:8337',
-  zmqpubrawtx: 'tcp://127.0.0.1:8338'
+  zmqpubrawtx: 'tcp://127.0.0.1:8338',
  deprecatedrpc: 'warnings' # TODO remove when upgrading to LND 0.18.4
 }
 # Also enables Tor for LND
@@ -40,7 +41,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.17.3-beta'
+node.default['lnd']['revision'] = 'v0.18.3-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -58,24 +59,13 @@ node.default['lnd']['tor'] = {
  'skip-proxy-for-clearnet-targets' => 'true'
 }
 node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
 node.default['boltz']['revision'] = 'v1.2.7'
 node.default['boltz']['source_dir'] = '/opt/boltz'
 node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
 node.default['boltz']['grpc_host'] = '127.0.0.1'
 node.default['boltz']['grpc_port'] = '9002'
 node.default['boltz']['rest_disabled'] = 'false'
 node.default['boltz']['rest_host'] = '127.0.0.1'
 node.default['boltz']['rest_port'] = '9003'
 node.default['boltz']['no_macaroons'] = 'false'
 node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
-node.default['rtl']['revision'] = 'v0.15.0'
+node.default['rtl']['revision'] = 'v0.15.2'
 node.default['rtl']['host'] = '10.1.1.163'
 node.default['rtl']['port'] = '3000'
 node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
-node.default['lndhub-go']['revision'] = '0.14.0'
+node.default['lndhub-go']['revision'] = '1.0.2'
 node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
 node.default['lndhub-go']['port'] = 3026
 node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
@@ -85,6 +75,8 @@ node.default['lndhub-go']['postgres']['port'] = 5432
 node.default['lndhub-go']['default_rate_limit'] = 20
 node.default['lndhub-go']['strict_rate_limit'] = 1
 node.default['lndhub-go']['burst_rate_limit'] = 10
 node.default['lndhub-go']['service_fee'] = 1
 node.default['lndhub-go']['no_service_fee_up_to_amount'] = 1000
 node.default['lndhub-go']['branding'] = {
  'title' => 'LndHub - Kosmos Lightning',
  'desc' => 'Kosmos accounts for the Lightning Network',
--- a/site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb
@@ -11,6 +11,7 @@ credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 file "/root/.aws/config" do
  mode "600"
  sensitive true
  content lazy { <<-EOF
 [default]
 region = #{credentials["s3_region"]}
--- a/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
@@ -12,8 +12,15 @@ if node["bitcoin"]["blocksdir_mount_type"]
  include_recipe "kosmos-bitcoin::blocksdir-mount"
 end
-%w{ libtool autotools-dev make automake cmake curl g++-multilib libtool
+apt_repository "ubuntu-toolchain-r" do
-    binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
+  # provides g++-13, needed for better c++-20 support
  uri "ppa:ubuntu-toolchain-r/test"
 end
 %w{
  gcc-13 g++-13 libtool autotools-dev make automake cmake curl bison
  binutils-gold pkg-config python3 patch
 }.each do |pkg|
  apt_package pkg
 end
@@ -26,20 +33,21 @@ end
 execute "compile_bitcoin-core_dependencies" do
  cwd "/usr/local/bitcoind/depends"
-  command "make NO_QT=1"
+  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
  command "make -j 2"
  action :nothing
  notifies :run, 'bash[compile_bitcoin-core]', :immediately
 end
 bash "compile_bitcoin-core" do
  cwd "/usr/local/bitcoind"
  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
  code <<-EOH
    ./autogen.sh
    ./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
    make
  EOH
  action :nothing
  notifies :restart, "systemd_unit[bitcoind.service]", :delayed
 end
 link "/usr/local/bin/bitcoind" do
--- a/site-cookbooks/kosmos-bitcoin/recipes/boltz.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/boltz.rb
@@ -1,87 +0,0 @@
 #
 # Cookbook:: kosmos-bitcoin
 # Recipe:: boltz
 #
 include_recipe "git"
 include_recipe "kosmos-bitcoin::golang"
 git node['boltz']['source_dir'] do
  repository node['boltz']['repo']
  revision node['boltz']['revision']
  action :sync
  notifies :run, 'bash[compile_and_install_boltz]', :immediately
 end
 bash "compile_and_install_boltz" do
  cwd node['boltz']['source_dir']
  code <<-EOH
 go mod vendor && \
 make build && \
 make install
  EOH
  action :nothing
  notifies :restart, "systemd_unit[boltzd.service]", :delayed
 end
 bitcoin_user  = node['bitcoin']['username']
 bitcoin_group = node['bitcoin']['usergroup']
 boltz_dir     = node['boltz']['boltz_dir']
 lnd_dir       = node['lnd']['lnd_dir']
 directory boltz_dir do
  owner bitcoin_user
  group bitcoin_group
  mode '0750'
  action :create
 end
 template "#{boltz_dir}/boltz.toml" do
  source "boltz.toml.erb"
  owner bitcoin_user
  group bitcoin_group
  mode '0640'
  variables lnd_grpc_host: '127.0.0.1',
            lnd_grpc_port: '10009',
            lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
            lnd_tlscert_path: "#{lnd_dir}/tls.cert",
            boltz_config: node['boltz']
  notifies :restart, "systemd_unit[boltzd.service]", :delayed
 end
 systemd_unit 'boltzd.service' do
  content({
    Unit: {
      Description: 'Boltz Daemon',
      Documentation: ['https://lnd.docs.boltz.exchange'],
      Requires: 'lnd.service',
      After: 'lnd.service'
    },
    Service: {
      User: bitcoin_user,
      Group: bitcoin_group,
      Type: 'simple',
      ExecStart: "/opt/boltz/boltzd",
      Restart: 'always',
      RestartSec: '30',
      TimeoutSec: '240',
      LimitNOFILE: '128000',
      PrivateTmp: true,
      ProtectSystem: 'full',
      NoNewPrivileges: true,
      PrivateDevices: true,
      MemoryDenyWriteExecute: true
    },
    Install: {
      WantedBy: 'multi-user.target'
    }
  })
  verify false
  triggers_reload true
  action [:create, :enable, :start]
 end
 unless node.chef_environment == 'development'
  node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
  include_recipe 'backup'
 end
--- a/site-cookbooks/kosmos-bitcoin/recipes/golang.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/golang.rb
@@ -5,7 +5,7 @@
 # Internal recipe for managing the Go installation in one place
 #
-node.override['golang']['version'] = "1.20.3"
+node.override['golang']['version'] = "1.23.1"
 include_recipe "golang"
 link '/usr/local/bin/go' do
--- a/site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb
@@ -10,12 +10,14 @@ include_recipe "kosmos-bitcoin::aws-client"
 package "inotify-tools"
 backup_script_path = "/opt/lnd-channel-backup-s3.sh"
 backup_credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 template backup_script_path do
  source "lnd-channel-backup-s3.sh.erb"
  mode '0740'
  variables lnd_dir: node['lnd']['lnd_dir'],
            bitcoin_network: node['bitcoin']['network'],
            s3_endpoint: backup_credentials['s3_endpoint'],
            s3_bucket: node['backup']['s3']['bucket'],
            s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
  notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
--- a/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
@@ -66,6 +66,8 @@ template "#{source_dir}/.env" do
    default_rate_limit: node['lndhub-go']['default_rate_limit'],
    strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
    burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
    service_fee: 1,
    no_service_fee_up_to_amount: 1000,
    branding: node['lndhub-go']['branding'],
    webhook_url: node['lndhub-go']['webhook_url'],
    sentry_dsn: credentials['sentry_dsn']
--- a/site-cookbooks/kosmos-bitcoin/recipes/rtl.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/rtl.rb
@@ -46,24 +46,22 @@ rtl_config = {
  multiPassHashed: credentials["multiPassHashed"]
 }
 if node['boltz']
  # TODO adapt for multi-node usage
  rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
  rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
 end
 git rtl_dir do
  user bitcoin_user
  group bitcoin_group
  repository node['rtl']['repo']
  revision node['rtl']['revision']
  notifies :run, "execute[npm_install]", :immediately
  notifies :restart, "systemd_unit[#{app_name}.service]", :delayed
 end
-execute "npm install" do
+execute "npm_install" do
  cwd rtl_dir
  environment "HOME" => rtl_dir
  user bitcoin_user
  # TODO remove --force when upstream dependency issues have been resolved
  command "npm install --force"
  action :nothing
 end
 file "#{rtl_dir}/RTL-Config.json" do
--- a/site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb
@@ -1,32 +0,0 @@
 [LND]
 # Host of the gRPC interface of LND
 host = "<%= @lnd_grpc_host %>"
 # Port of the gRPC interface of LND
 port = <%= @lnd_grpc_port %>
 # Path to a macaroon file of LND
 # The daemon needs to have permission to read various endpoints, generate addresses and pay invoices 
 macaroon = "<%= @lnd_macaroon_path %>"
 # Path to the TLS certificate of LND
 certificate = "<%= @lnd_tlscert_path %>"
 [RPC]
 # Host of the gRPC interface
 host = "<%= @boltz_config['grpc_host'] %>"
 # Port of the gRPC interface
 port = <%= @boltz_config['grpc_port'] %>
 # Whether the REST proxy for the gRPC interface should be disabled
 restDisabled = <%= @boltz_config['rest_disabled'] %>
 # Host of the REST proxy
 restHost = "<%= @boltz_config['rest_host'] %>"
 # Port of the REST proxy
 restPort = <%= @boltz_config['rest_port'] %>
 # Whether the macaroon authentication for the gRPC and REST interface should be disabled
 noMacaroons = <%= @boltz_config['no_macaroons'] %>
--- a/site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb
@@ -3,5 +3,5 @@ set -xe -o pipefail
 while true; do
  inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
-  aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
+  aws --endpoint <%= @s3_endpoint %> s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
 done
--- a/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
@@ -12,7 +12,6 @@ minchansize=<%= @lnd_minchansize %>
 autopilot.active=0
 [Bitcoin]
 bitcoin.active=1
 bitcoin.mainnet=1
 bitcoin.node=bitcoind
 bitcoin.basefee=<%= @lnd_basefee %>
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
--- a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
@@ -15,7 +15,7 @@ set -e
 # letsencrypt live folder
 for domain in $RENEWED_DOMAINS; do
  case $domain in
-  kosmos.org|5apps.com)
+  kosmos.org|kosmos.chat|5apps.com)
    cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key
    cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
    chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
@@ -42,17 +42,24 @@ end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
-execute "letsencrypt cert for kosmos xmpp" do
+execute "letsencrypt cert for kosmos.org domains" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n"
+  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d uploads.xmpp.kosmos.org -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
  end
 end
 execute "letsencrypt cert for kosmos.chat" do
  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.chat -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/kosmos.chat/fullchain.pem")
  end
 end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.chat\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.chat\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
  end
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@@ -216,7 +216,7 @@ modules:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: false
-    max_items_node: 1000
+    max_items_node: 10000
    plugins:
      - "flat"
      - "pep" # pep requires mod_caps
@@ -258,6 +258,8 @@ modules:
        type: turns
        transport: tcp
        restricted: true
  mod_vcard:
    search: false
  mod_vcard_xupdate: {}
  mod_avatar: {}
  mod_version: {}
--- a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
@@ -1,7 +1,8 @@
 # Generated by Chef for <%= @host[:name] %>
 certfiles:
-  - "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
+<% @host[:certfiles].each do |certfile| %>
-  - "/opt/ejabberd/conf/<%= @host[:name] %>.key"
+  - <%= certfile %>
 <% end %>
 host_config:
  "<%= @host[:name] %>":
    sql_type: pgsql
--- a/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb
+++ b/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb
@@ -4,6 +4,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
 tls_cert_for domain do
  auth "gandi_dns"
  acme_domain "letsencrypt.kosmos.org"
  action :create
 end
--- a/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb
+++ b/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb
@@ -5,6 +5,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
 tls_cert_for domain do
  auth "gandi_dns"
  acme_domain "letsencrypt.kosmos.org"
  action :create
 end
--- a/site-cookbooks/kosmos-mastodon/attributes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb
@@ -1,5 +1,5 @@
 node.default["kosmos-mastodon"]["repo"]              = "https://gitea.kosmos.org/kosmos/mastodon.git"
-node.default["kosmos-mastodon"]["revision"]          = "production"
+node.default["kosmos-mastodon"]["revision"]          = "production-4.3"
 node.default["kosmos-mastodon"]["directory"]         = "/opt/mastodon"
 node.default["kosmos-mastodon"]["bind_ip"]           = "127.0.0.1"
 node.default["kosmos-mastodon"]["app_port"]          = 3000
@@ -20,6 +20,10 @@ node.default["kosmos-mastodon"]["s3_region"]     = nil
 node.default["kosmos-mastodon"]["s3_bucket"]     = nil
 node.default["kosmos-mastodon"]["s3_alias_host"] = nil
 node.default["kosmos-mastodon"]["sso_account_sign_up_url"] = "https://kosmos.org"
 node.default["kosmos-mastodon"]["sso_account_reset_password_url"] = "https://accounts.kosmos.org/users/password/new"
 node.default["kosmos-mastodon"]["sso_account_resend_confirmation_url"] = "https://accounts.kosmos.org/users/confirmation/new"
 node.default["kosmos-mastodon"]["default_locale"] = "en"
 node.default["kosmos-mastodon"]["libre_translate_endpoint"] = nil
--- a/site-cookbooks/kosmos-mastodon/recipes/backup.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/backup.rb
@@ -6,13 +6,12 @@
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 unless node.chef_environment == "development"
-  unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
+  node.override['backup']['s3']['keep'] = 1
  node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
  node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
    username: "mastodon",
    password: postgresql_data_bag_item['mastodon_user_password']
  }
  end
  include_recipe "backup"
 end
--- a/site-cookbooks/kosmos-mastodon/recipes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb
@@ -3,7 +3,7 @@
 # Recipe:: default
 #
-node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_16.x"
+node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
 include_recipe "kosmos-nodejs"
 include_recipe "java"
@@ -71,11 +71,7 @@ package %w(build-essential imagemagick ffmpeg libxml2-dev libxslt1-dev file git
           curl pkg-config libprotobuf-dev protobuf-compiler libidn11
           libidn11-dev libjemalloc2 libpq-dev)
-npm_package "yarn" do
+ruby_version = "3.3.5"
  version "1.22.4"
 end
 ruby_version = "3.3.0"
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
@@ -190,9 +186,13 @@ template "#{mastodon_path}/.env.#{rails_env}" do
  mode  "0640"
  owner mastodon_user
  group mastodon_user
  sensitive true
  variables redis_url: node["kosmos-mastodon"]["redis_url"],
            domain: node["kosmos-mastodon"]["domain"],
            alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
            active_record_encryption_deterministic_key: credentials["active_record_encryption_deterministic_key"],
            active_record_encryption_key_derivation_salt: credentials["active_record_encryption_key_derivation_salt"],
            active_record_encryption_primary_key: credentials["active_record_encryption_primary_key"],
            paperclip_secret: credentials['paperclip_secret'],
            secret_key_base: credentials['secret_key_base'],
            otp_secret: credentials['otp_secret'],
@@ -210,6 +210,9 @@ template "#{mastodon_path}/.env.#{rails_env}" do
            vapid_public_key: credentials['vapid_public_key'],
            db_pass: postgresql_credentials['mastodon_user_password'],
            db_host: "pg.kosmos.local",
            sso_account_sign_up_url: node["kosmos-mastodon"]["sso_account_sign_up_url"],
            sso_account_reset_password_url: node["kosmos-mastodon"]["sso_account_reset_password_url"],
            sso_account_resend_confirmation_url: node["kosmos-mastodon"]["sso_account_resend_confirmation_url"],
            default_locale: node["kosmos-mastodon"]["default_locale"],
            allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],
            libre_translate_endpoint: node["kosmos-mastodon"]["libre_translate_endpoint"]
@@ -227,7 +230,7 @@ execute "yarn install" do
  environment deploy_env
  user mastodon_user
  cwd mastodon_path
-  command "yarn install --frozen-lockfile"
+  command "corepack prepare && yarn install --immutable"
 end
 execute "rake assets:precompile" do
--- a/site-cookbooks/kosmos-mastodon/templates/default/env.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/env.erb
@@ -12,6 +12,9 @@ LOCAL_HTTPS=true
 # Application secrets
 # Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=<%= @active_record_encryption_deterministic_key %>
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=<%= @active_record_encryption_key_derivation_salt %>
 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=<%= @active_record_encryption_primary_key %>
 PAPERCLIP_SECRET=<%= @paperclip_secret %>
 SECRET_KEY_BASE=<%= @secret_key_base %>
 OTP_SECRET=<%= @otp_secret %>
@@ -44,6 +47,9 @@ LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
 LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
 LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
 LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
 SSO_ACCOUNT_SIGN_UP=<%= @sso_account_sign_up_url %>
 SSO_ACCOUNT_RESET_PASSWORD=<%= @sso_account_reset_password_url %>
 SSO_ACCOUNT_RESEND_CONFIRMATION=<%= @sso_account_resend_confirmation_url %>
 <% end %>
 # Optional asset host for multi-server setups
--- a/site-cookbooks/kosmos_akaunting/.gitignore
+++ b/site-cookbooks/kosmos_akaunting/.gitignore
@@ -0,0 +1,25 @@
 .vagrant
 *~
 *#
 .#*
 \#*#
 .*.sw[a-z]
 *.un~
 # Bundler
 Gemfile.lock
 gems.locked
 bin/*
 .bundle/*
 # test kitchen
 .kitchen/
 kitchen.local.yml
 # Chef Infra
 Berksfile.lock
 .zero-knife.rb
 Policyfile.lock.json
 .idea/
--- a/site-cookbooks/kosmos_akaunting/Policyfile.rb
+++ b/site-cookbooks/kosmos_akaunting/Policyfile.rb
@@ -0,0 +1,16 @@
 # Policyfile.rb - Describe how you want Chef Infra Client to build your system.
 #
 # For more information on the Policyfile feature, visit
 # https://docs.chef.io/policyfile/
 # A name that describes what the system you're building with Chef does.
 name 'kosmos_akaunting'
 # Where to find external cookbooks:
 default_source :supermarket
 # run_list: chef-client will run these recipes in the order specified.
 run_list 'kosmos_akaunting::default'
 # Specify a custom source for a single cookbook:
 cookbook 'kosmos_akaunting', path: '.'
--- a/site-cookbooks/kosmos_akaunting/README.md
+++ b/site-cookbooks/kosmos_akaunting/README.md
@@ -0,0 +1,4 @@
 # kosmos_akaunting
 TODO: Enter the cookbook description here.
--- a/site-cookbooks/kosmos_akaunting/attributes/default.rb
+++ b/site-cookbooks/kosmos_akaunting/attributes/default.rb
@@ -0,0 +1,5 @@
 node.default["akaunting"]["user"] = "deploy"
 node.default["akaunting"]["group"] = "www-data"
 node.default["akaunting"]["repo"] = "https://github.com/akaunting/akaunting.git"
 node.default["akaunting"]["revision"] = "3.1.12"
 node.default["akaunting"]["port"] = 80
--- a/site-cookbooks/kosmos_akaunting/chefignore
+++ b/site-cookbooks/kosmos_akaunting/chefignore
@@ -0,0 +1,115 @@
 # Put files/directories that should be ignored in this file when uploading
 # to a Chef Infra Server or Supermarket.
 # Lines that start with '# ' are comments.
 # OS generated files #
 ######################
 .DS_Store
 ehthumbs.db
 Icon?
 nohup.out
 Thumbs.db
 .envrc
 # EDITORS #
 ###########
 .#*
 .project
 .settings
 *_flymake
 *_flymake.*
 *.bak
 *.sw[a-z]
 *.tmproj
 *~
 \#*
 REVISION
 TAGS*
 tmtags
 .vscode
 .editorconfig
 ## COMPILED ##
 ##############
 *.class
 *.com
 *.dll
 *.exe
 *.o
 *.pyc
 *.so
 */rdoc/
 a.out
 mkmf.log
 # Testing #
 ###########
 .circleci/*
 .codeclimate.yml
 .delivery/*
 .foodcritic
 .kitchen*
 .mdlrc
 .overcommit.yml
 .rspec
 .rubocop.yml
 .travis.yml
 .watchr
 .yamllint
 azure-pipelines.yml
 Dangerfile
 examples/*
 features/*
 Guardfile
 kitchen.yml*
 mlc_config.json
 Procfile
 Rakefile
 spec/*
 test/*
 # SCM #
 #######
 .git
 .gitattributes
 .gitconfig
 .github/*
 .gitignore
 .gitkeep
 .gitmodules
 .svn
 */.bzr/*
 */.git
 */.hg/*
 */.svn/*
 # Berkshelf #
 #############
 Berksfile
 Berksfile.lock
 cookbooks/*
 tmp
 # Bundler #
 ###########
 vendor/*
 Gemfile
 Gemfile.lock
 # Policyfile #
 ##############
 Policyfile.rb
 Policyfile.lock.json
 # Documentation #
 #############
 CODE_OF_CONDUCT*
 CONTRIBUTING*
 documentation/*
 TESTING*
 UPGRADING*
 # Vagrant #
 ###########
 .vagrant
 Vagrantfile
--- a/site-cookbooks/kosmos_akaunting/kitchen.yml
+++ b/site-cookbooks/kosmos_akaunting/kitchen.yml
@@ -0,0 +1,31 @@
 ---
 driver:
  name: vagrant
 ## The forwarded_port port feature lets you connect to ports on the VM guest
 ## via localhost on the host.
 ## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
 #  network:
 #    - ["forwarded_port", {guest: 80, host: 8080}]
 provisioner:
  name: chef_zero
  ## product_name and product_version specifies a specific Chef product and version to install.
  ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
  #  product_name: chef
  #  product_version: 17
 verifier:
  name: inspec
 platforms:
  - name: ubuntu-20.04
  - name: centos-8
 suites:
  - name: default
    verifier:
      inspec_tests:
        - test/integration/default
--- a/site-cookbooks/kosmos_akaunting/metadata.rb
+++ b/site-cookbooks/kosmos_akaunting/metadata.rb
@@ -0,0 +1,9 @@
 name 'kosmos_akaunting'
 maintainer 'Kosmos Developers'
 maintainer_email 'mail@kosmos.org'
 license 'MIT'
 description 'Installs/configures akaunting for Kosmos'
 version '0.1.0'
 chef_version '>= 18.0'
 depends 'kosmos-nodejs'
--- a/site-cookbooks/kosmos_akaunting/recipes/default.rb
+++ b/site-cookbooks/kosmos_akaunting/recipes/default.rb
@@ -0,0 +1,148 @@
 #
 # Cookbook:: kosmos_akaunting
 # Recipe:: default
 #
 app_name     = "akaunting"
 deploy_user  = node["akaunting"]["user"]
 deploy_group = node["akaunting"]["group"]
 deploy_path  = "/opt/#{app_name}"
 credentials  = data_bag_item("credentials", "akaunting")
 pg_host      = search(:node, "role:postgresql_primary").first["knife_zero"]["host"] rescue "localhost"
 env = {
  app_name: "Akaunting",
  app_env: "production",
  app_locale: "en-US",
  app_installed: "true",
  app_key: credentials["app_key"],
  app_debug: "true",
  app_schedule_time: "\"09:00\"",
  app_url: "http://akaunting.kosmos.org",
  db_connection: "pgsql",
  db_host: pg_host,
  db_port: "5432",
  db_database: credentials["pg_database"],
  db_username: credentials["pg_username"],
  db_password: credentials["pg_password"],
  log_level: "debug"
  # mail_mailer: "mail",
  # mail_host: "localhost",
  # mail_port: "2525",
  # mail_username: "null",
  # mail_password: "null",
  # mail_encryption: "null",
  # mail_from_name: "null",
  # mail_from_address: "null",
 }
 %w[
  unzip nginx php8.1 php8.1-cli php8.1-bcmath php8.1-ctype php8.1-curl
  php8.1-dom php8.1-fileinfo php8.1-intl php8.1-fpm php8.1-gd php8.1-mbstring
  php8.1-pdo php8.1-pgsql php8.1-tokenizer php8.1-xml php8.1-zip
 ].each do |pkg|
  package pkg
 end
 # TODO install composer
 node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
 include_recipe "kosmos-nodejs"
 group deploy_group
 user deploy_user do
  group       deploy_group
  manage_home true
  shell       "/bin/bash"
 end
 directory deploy_path do
  owner deploy_user
  group deploy_group
  mode "0775"
 end
 git deploy_path do
  repository node[app_name]["repo"]
  revision node[app_name]["revision"]
  user deploy_user
  group deploy_group
  action :sync
  notifies :run, "execute[composer_install]", :immediately
  notifies :run, "execute[npm_install]", :immediately
  notifies :restart, "service[php8.1-fpm]", :delayed
 end
 execute "composer_install" do
  user deploy_user
  cwd deploy_path
  command "composer install"
  action :nothing
 end
 execute "npm_install" do
  user deploy_user
  cwd deploy_path
  command "npm install"
  action :nothing
  notifies :run, "execute[compile_assets]", :immediately
 end
 execute "compile_assets" do
  user deploy_user
  cwd deploy_path
  command "npm run prod"
  action :nothing
 end
 execute "set_storage_permissions" do
  command "chown -R www-data:www-data #{deploy_path}/storage"
 end
 template "#{deploy_path}/.env" do
  source 'env.erb'
  owner deploy_user
  group deploy_group
  mode 0660
  sensitive true
  variables config: env
  notifies :restart, "service[php8.1-fpm]", :delayed
 end
 template "/etc/nginx/sites-available/default" do
  source 'nginx-local.conf.erb'
  owner deploy_user
  group deploy_group
  mode 0660
  variables deploy_path: deploy_path,
            port: node["akaunting"]["port"]
  notifies :restart, "service[nginx]", :delayed
 end
 # template "/etc/php/8.1/fpm/pool.d/akaunting.conf" do
 #   source 'php-fpm.pool.erb'
 #   owner deploy_user
 #   group deploy_group
 #   mode 0600
 #   variables user: deploy_user,
 #             group: deploy_group,
 #             chdir: deploy_path,
 #             port: node["akaunting"]["port"]
 #   notifies :restart, "service[php8.1-fpm]", :delayed
 # end
 service "php8.1-fpm" do
  action [:enable, :start]
 end
 service "nginx" do
  action [:enable, :start]
 end
 firewall_rule "akaunting_zerotier" do
  command  :allow
  port     node["akaunting"]["port"]
  protocol :tcp
  source   "10.1.1.0/24"
 end
--- a/site-cookbooks/kosmos_akaunting/recipes/pg_db.rb
+++ b/site-cookbooks/kosmos_akaunting/recipes/pg_db.rb
@@ -0,0 +1,16 @@
 #
 # Cookbook:: kosmos_akaunting
 # Recipe:: pg_db
 #
 credentials = data_bag_item("credentials", "akaunting")
 postgresql_user credentials["pg_username"] do
  action :create
  password credentials["pg_password"]
 end
 postgresql_database credentials["pg_database"] do
  owner credentials["pg_username"]
  action :create
 end
--- a/site-cookbooks/kosmos_akaunting/templates/env.erb
+++ b/site-cookbooks/kosmos_akaunting/templates/env.erb
@@ -0,0 +1,11 @@
 <% @config.each do |key, value| %>
 <% if value.is_a?(Hash) %>
 <% value.each do |k, v| %>
 <%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
 <% end %>
 <% else %>
 <% if value %>
 <%= key.upcase %>=<%= value.to_s %>
 <% end %>
 <% end %>
 <% end %>
--- a/site-cookbooks/kosmos_akaunting/templates/nginx-local.conf.erb
+++ b/site-cookbooks/kosmos_akaunting/templates/nginx-local.conf.erb
@@ -0,0 +1,49 @@
 server {
  listen 80 default_server;
  server_name akaunting.kosmos.org;
  root <%= @deploy_path %>;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options "nosniff";
  index index.html index.htm index.php;
  charset utf-8;
  location / {
    try_files $uri $uri/ /index.php?$query_string;
  }
  # Prevent Direct Access To Protected Files
  location ~ \.(env|log) {
    deny all;
  }
  # Prevent Direct Access To Protected Folders
  location ~ ^/(^app$|bootstrap|config|database|overrides|resources|routes|storage|tests|artisan) {
    deny all;
  }
  # Prevent Direct Access To modules/vendor Folders Except Assets
  location ~ ^/(modules|vendor)\/(.*)\.((?!ico|gif|jpg|jpeg|png|js\b|css|less|sass|font|woff|woff2|eot|ttf|svg|xls|xlsx).)*$ {
    deny all;
  }
  error_page 404 /index.php;
  # Pass PHP Scripts To FastCGI Server
  location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php8.1-fpm.sock; # Depends On The PHP Version
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }
  location ~ /\.(?!well-known).* {
    deny all;
  }
 }
--- a/site-cookbooks/kosmos_akaunting/templates/php-fpm.pool.erb
+++ b/site-cookbooks/kosmos_akaunting/templates/php-fpm.pool.erb
@@ -0,0 +1,18 @@
 [akaunting]
 user = <%= @user %>
 group = <%= @group %>
 listen = 0.0.0.0:<%= @port %>
 listen.owner = <%= @user %>
 listen.group = <%= @group %>
 listen.mode = 0660
 pm = dynamic
 pm.max_children = 10
 pm.start_servers = 4
 pm.min_spare_servers = 2
 pm.max_spare_servers = 6
 pm.max_requests = 500
 chdir = <%= @chdir %>
 catch_workers_output = yes
 php_admin_flag[log_errors] = on
--- a/site-cookbooks/kosmos_akaunting/test/integration/default/default_test.rb
+++ b/site-cookbooks/kosmos_akaunting/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
 # Chef InSpec test for recipe kosmos_akaunting::default
 # The Chef InSpec reference, with examples and extensive documentation, can be
 # found at https://docs.chef.io/inspec/resources/
 unless os.windows?
  # This is an example test, replace with your own test.
  describe user('root'), :skip do
    it { should exist }
  end
 end
 # This is an example test, replace it with your own test.
 describe port(80), :skip do
  it { should_not be_listening }
 end
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@@ -1,5 +1,5 @@
-node.default["gitea"]["version"] = "1.22.1"
+node.default["gitea"]["version"] = "1.22.5"
-node.default["gitea"]["checksum"] = "b8043324545eec269fc8f18c22b49fc365ed367e0dd41e081b79832de2570f9c"
+node.default["gitea"]["checksum"] = "ce2c7e4fff3c1e3ed59f5b5e00e3f2d301f012c34e329fccd564bc5129075460"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
--- a/site-cookbooks/kosmos_gitea/recipes/backup.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/backup.rb
@@ -8,5 +8,6 @@
 unless node.chef_environment == "development"
  # backup the data dir and the config files
  node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
  node.override['backup']['s3']['keep'] = 2
  include_recipe "backup"
 end
--- a/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
+++ b/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
@@ -10,16 +10,6 @@ upstream _<%= @app_name %> {
 # TODO use cookbook attribute when enabling
 # variables_hash_max_size 2048;
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
  listen [::]:80;
  server_name <%= @server_name %>;
  # Redirect to https
  location / {
    return 301 https://<%= @server_name %>$request_uri;
  }
 }
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
  listen [::]:443 ssl http2;
--- a/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
+++ b/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
@@ -5,8 +5,9 @@ upstream _strfry {
 }
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
  server_name <%= @domain %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
  listen [::]:443 ssl http2;
  access_log "/var/log/nginx/<%= @domain %>.access.log";
  error_log "/var/log/nginx/<%= @domain %>.error.log";
--- a/site-cookbooks/kosmos_website/recipes/redirects.rb
+++ b/site-cookbooks/kosmos_website/recipes/redirects.rb
@@ -6,6 +6,7 @@
 redirects = [
  {
    domain: "kosmos.chat",
    acme_domain: "letsencrypt.kosmos.org",
    target: "https://kosmos.org",
    http_status: 307
  },
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb
@@ -14,7 +14,5 @@ server {
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
-  location / {
+  return <%= @http_status || 307 %> <%= @target %>;
    return <%= @http_status || 301 %> <%= @target %>;
  }
 }
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
@@ -2,7 +2,7 @@
 server {
  server_name _;
-  listen 80 default_server;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80 default_server;
  location / {
    return 301 https://<%= @domain %>;
@@ -14,6 +14,10 @@ server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;
  if ($host != $server_name) {
    return 307 $scheme://$server_name;
  }
  root /var/www/<%= @domain %>/public;
  access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
@@ -22,14 +26,13 @@ server {
  gzip_static on;
  gzip_comp_level 5;
  add_header 'Access-Control-Allow-Origin' '*';
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
 <% if @accounts_url %>
-  location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
+  location ~ ^/.well-known/(keysend|lnurlp|nostr|openpgpkey|webfinger) {
    proxy_ssl_server_name on;
    proxy_set_header X-Forwarded-Host $host;
    proxy_pass https://accounts.kosmos.org;
  }
 <% end %>
--- a/site-cookbooks/strfry
+++ b/site-cookbooks/strfry
Author	SHA1	Message	Date
Râu Cao	f20ebb9d86	WIP Set up akaunting	2024-12-16 12:05:51 +04:00
Râu Cao	31b7ff9217	Upgrade Gitea to 1.22.5	2024-12-12 18:32:58 +04:00
Râu Cao	d90a374811	Remove outdated flag from certbot command	2024-12-12 18:32:26 +04:00
Râu Cao	12cd14fff5	Deploy new postgres primary	2024-12-12 18:31:54 +04:00
Râu Cao	b67d91077d	Remove old garage nodes	2024-12-12 18:30:16 +04:00
Râu Cao	070badfeb3	Add postgres replica bootstrap example	2024-12-12 18:29:16 +04:00
Râu Cao	2d8a1cebb1	Update node info	2024-12-09 20:44:18 +04:00
Râu Cao	67cd89b7b8	Merge pull request 'Fix TLS cert updates for kosmos.chat' (#578 ) from chore/fix_cert_updates_kosmos-chat into master Reviewed-on: #578	2024-12-09 14:21:05 +00:00
Râu Cao	e4112a3626	Fix TLS cert updates for kosmos.chat Some recipes weren't updated for the proxy validation yet. Needed to split the ejabberd cert in two, so it can do normal validation on `.org` and proxy validation on `.chat`.	2024-12-09 18:17:10 +04:00
Râu Cao	89813465b2	Merge pull request 'Upgrade Mastodon to 4.3' (#577 ) from chore/upgrade_mastodon into master Reviewed-on: #577	2024-12-09 14:14:35 +00:00
Râu Cao	6106e627e2	Upgrade Mastodon to 4.3 Co-authored-by: Greg Karékinian <greg@karekinian.com>	2024-12-09 18:12:45 +04:00
Râu Cao	d8baa41c14	Add new node configs	2024-12-09 18:11:51 +04:00
Greg	8405b8df52	Merge pull request 'Upgrade lndhub.go to 1.0.2, add service fee config' (#576 ) from chore/upgrade_lndhub into master Reviewed-on: #576 Reviewed-by: Greg <greg@noreply.kosmos.org>	2024-10-20 19:27:19 +00:00
Râu Cao	775f2275bb	Upgrade Gitea to 1.22.3	2024-10-19 14:42:11 +02:00
Râu Cao	b4019b224b	Upgrade lndhub.go to 1.0.2, add service fee config Co-authored-by: Michael Bumann <hello@michaelbumann.com>	2024-10-18 12:36:41 +02:00
Râu Cao	52841d8c53	Add WKD endpoint to website nginx conf	2024-10-17 11:58:53 +02:00
Râu Cao	b9b97d5056	Fix mail server VM backups	2024-10-16 12:48:08 +02:00
Râu Cao	e5448aa85c	Merge pull request 'Upgrade strfry, add new Kosmos profile/pubkey, relay icon' (#575 ) from chore/upgrade_strfry into master Reviewed-on: #575	2024-10-16 10:44:47 +00:00
Râu Cao	4d1125ac2b	Upgrade strfry to 1.0.1 Also set up and use a new Kosmos pubkey/profile and add a relay icon	2024-10-16 12:42:49 +02:00
Râu Cao	3853f94ae0	Use new proxy domain for ejabberd cert	2024-10-16 12:40:10 +02:00
Râu Cao	d1097c7688	Fix and improve nginx redirects, akkounts headers	2024-10-16 12:39:34 +02:00
Râu Cao	7949fd067c	Add IPv6 support for nostr.kosmos.org	2024-10-16 12:37:47 +02:00
Râu Cao	0726e58f7c	Update ejabberd LDAP filter for new akkounts release	2024-10-16 12:36:30 +02:00
Râu Cao	fe581c348a	Fix bookmarks disappearing for XMPP users The limit for PEP nodes was ridiculously low. No idea why, but it means users were only able to save 10 items (e.g. channel bookmarks) at once.	2024-10-16 12:34:31 +02:00
Râu Cao	af62078960	Update node info	2024-10-16 12:34:17 +02:00
Râu Cao	9b4deff91e	Remove cln from bitcoin-2 node	2024-10-16 12:34:01 +02:00
Râu Cao	0944bc5266	Merge pull request 'Migrate S3 backups from AWS, fix automatic cleanups' (#574 ) from chore/move_fix_s3_backups into master Reviewed-on: #574	2024-10-16 10:33:24 +00:00
Râu Cao	eb06926606	Migrate S3 backups from AWS, fix automatic cleanups The cleanups were broken in that every single archive was also copied to a shared folder and never deleted from there. Co-authored-by: Greg Karékinian <greg@karekinian.com>	2024-10-16 12:31:51 +02:00
Râu Cao	15096ca17b	Merge pull request 'Bitcoin-related software upgrades' (#573 ) from chore/bitcoin_upgrades into master Reviewed-on: #573	2024-10-16 10:25:53 +00:00
Râu Cao	3551b71154	Add sensitive attribute to resource with credentials	2024-10-16 12:23:38 +02:00
Râu Cao	752bb74663	Remove boltz service and RTL integration We use peerswap these days, and the build process for boltz was made much more complicated at some point. Not worth upgrading for us.	2024-10-16 12:23:38 +02:00
Râu Cao	c64526a944	Upgrade RTL to v0.15.2 Need to use `npm install --force` due to a dependency issue	2024-10-16 12:23:38 +02:00
Râu Cao	da242d4817	Upgrade LND to 0.18.3	2024-10-16 12:23:29 +02:00
Râu Cao	0af4bc1d0d	Upgrade bitcoind to 28.0 Requires a newer C++ compiler	2024-10-16 11:28:13 +02:00
Greg	c9f5a745a3	Merge pull request 'Fix Mastodon signup/password/confirmation links' (#570 ) from chore/562-mastodon_login_urls into master Reviewed-on: #570 Reviewed-by: Greg <greg@noreply.kosmos.org>	2024-08-23 14:18:12 +00:00
Râu Cao	d935b99d7d	Fix Mastodon signup/password/confirmation links Adds ENV vars for our custom fix in `b916182bc1` fixes #562	2024-08-22 21:51:49 +02:00
		`@@ -0,0 +1,4 @@`
							`# kosmos_akaunting`

							`TODO: Enter the cookbook description here.`