Create new VMs with Ubuntu 24.04

Co-authored-by: Greg Karékinian <greg@karekinian.com>

AGENTS.md

@@ -0,0 +1,41 @@
+# AGENTS.md
+
+Welcome, AI Agent! This file contains essential context and rules for interacting with the Kosmos Chef repository. Read this carefully before planning or executing any changes.
+
+## 🏢 Project Overview
+This repository contains the infrastructure automation code used by Kosmos to provision and configure bare metal servers (KVM hosts) and Ubuntu virtual machines (KVM guests). 
+
+We use **Chef Infra**, managed locally via **Knife Zero** (agentless Chef), and **Berkshelf** for dependency management.
+
+## 📂 Directory Structure & Rules
+
+* **`site-cookbooks/`**: 🟢 **EDITABLE.** This directory contains all custom, internal cookbooks written specifically for Kosmos services (e.g., `kosmos-postgresql`, `kosmos_gitea`, `kosmos-mastodon`). *Active development happens here.*
+* **`cookbooks/`**: 🔴 **DO NOT EDIT.** This directory contains third-party/community cookbooks that are vendored. These are managed by Berkshelf. Modifying them directly will result in lost changes.
+* **`roles/`**: 🟢 **EDITABLE.** Contains Chef roles written in Ruby (e.g., `base.rb`, `kvm_guest.rb`, `postgresql_primary.rb`). These define run-lists and role-specific default attributes for servers.
+* **`environments/`**: Contains Chef environment definitions (like `production.rb`).
+* **`data_bags/`**: Contains data bag configurations, often encrypted. Be cautious and do not expose secrets. (Note: Agents should not manage data bag secrets directly unless provided the `.chef/encrypted_data_bag_secret`).
+* **`nodes/`**: Contains JSON state files for bootstrapped nodes. *Agents typically do not edit these directly unless cleaning up a deleted node.*
+* **`Berksfile`**: Defines community cookbook dependencies.
+* **`Vagrantfile` / `.kitchen/`**: Used for local virtualization and integration testing.
+
+## 🛠️ Tooling & Workflows
+
+1. **Dependency Management (Berkshelf)**
+   If a new community cookbook is required:
+   - Add it to the `Berksfile` at the root.
+   - Instruct the user to run `berks install` and `berks vendor cookbooks/ --delete` (or run it via the `bash` tool if permitted).
+
+2. **Provisioning (Knife Zero)**
+   - Bootstrapping and converging nodes is done using `knife zero`. 
+   - *Example:* `knife zero converge name:server-name.kosmos.org`
+
+3. **Code Style & Conventions**
+   - Chef recipes, resources, and roles are written in **Ruby**. 
+   - Follow standard Chef and Ruby (RuboCop) idioms. Look at neighboring files in `site-cookbooks/` or `roles/` to match formatting and naming conventions.
+
+## 🚨 Core Directives for AI Agents
+
+1. **Infrastructure as Code**: Manual server configurations are highly discouraged. All changes must be codified in a cookbook or role.
+2. **Test Safety Nets**: Look for `.kitchen.yml` within specific `site-cookbooks/<name>` to understand if local integration tests are available.
+3. **No Assumptions**: Do not assume standard test commands. Check `README.md` and repository config files first.
+4. **Secret Handling**: Avoid hardcoding passwords or API keys in recipes or roles. Assume sensitive information is managed via Chef `data_bags`.

clients/garage-14.json

@@ -1,4 +1,4 @@
 {
   "name": "garage-14",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqNY8AuaM4byhaTZacfRJ\nv/qyHxcDJOMX/ElF1H908spdbB2ZiLXHOH1Ucw1d+NV6/QUtWk+ikKFPpasnatD7\nmjE57noH+H47Rll0nD7oT+in+fOBDHF9R0P6/qyRSdJbJkHOh0iC0MG4LcUfv0AY\nnVBW5iLZSe/PC3+PvhCv7yrx3ikSs0mg1ZWppw0ka5Ek3ZCZp5FB4L6++GYWpM+1\n6YI0CjMoRcXsaEQsJWhxHXT8/KDhW0BR8woZUGm0/Yn4teLYJzioxRfBep3lbygx\nOIsDN9IJzo2zVTGPDZQLXhVemIhzaepqTC77ibH7F0gN/1vsQBc/qf7UhbwaF4rR\ndQIDAQAB\n-----END PUBLIC KEY-----\n"
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAypINv1zTZ7+pyT0iRhik\n0W70ASYADo7qK7QyE9/3nu2sUrP1IjoNFsv/ceKwicH7Fw2Ei1o+yKZlKn7zJzY7\n93YRZndF04VH2bmqy0uOWK0Bdat7gCld5bvS6FmRflg7g64LFb33/64QIVsVGHGL\nYF2TO//x79t9JKcQDa4h5MOWzJNTFuEcUGa0gJjMYpWGVHEJSgRuIgyhXmyIJJgY\nguj6ymTm5+3VS7NzoNy2fbTt1LRpHb5UWrCR15oiLZiDSMLMx0CcGOCmrhvODi4k\n0umw+2NPd1G50s9z7KVbTqybuQ65se2amRnkVcNfaBIU5qk9bVqcmhZlEozmBZCd\ndwIDAQAB\n-----END PUBLIC KEY-----\n"
 }

clients/garage-15.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-15",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy14sTt5gxVZi9C3KIEBu\nDyUgbb6jc3/GR22fNPTqV6uDHhxzhE2UsYwY/7yuA1RasdwHEOBWZaoC0Om5/Zmi\n8gn6//v1ILyLNaAcw+SQcxZkCN8Sk/0atRS9HYk1agE8Mvh72Fe2z3l+92VMefy7\nJwJUNNBTbnV2WVCchChoWnfhI7bkSLSHp0M2MO2pI+lkpSdmfkJSa5z9zihgxKO8\nXfvhryDCZNvfRVHhwc+ffpap0gLF0H9riGKE4FwLy4YqbuW1Tgm6bObb9bpOIw6Q\nVfH3kC/KMK5FlnxGmYtDkhRJ/wjGInRBk9WK/QOmjyd2FVxipEQmA4RdjlznRC9I\nrwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/leo.json

@@ -0,0 +1,4 @@
+{
+  "name": "leo",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnFfQsJnREjbXTtpT6BVt\naBaUzRmCQi8Du0TzeUG0ENrY0p5Exqleye2rC6bJlB3PER1xr5zdtuXLgbcVumIb\nzroU5JPtFbQk7r/pj0atT+UEYzl16iuEpprQ/bug+f0nE514USr6YG4G+tlZ/jBI\nSHsCQF1P8ufXFLW0ewC7rdvBkgA+DwK14naRxS4jO5MSl4wmNTjs/jymTg508mQq\nf5tG52t8qFdgn9pRdBXmyTpPtwK7I4rZ+1Qn+1E5m4oQUZsxh8Ba1bGbKotVO7Ua\nYL1yCGx7zRRUvLLIdSMvlRXTJBUSQtQ8P4QUDWTY1Na2w3t9sulKg2Lwsw8tktvC\nCwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-10.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-10",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2oBb5omC7ZionWhudgFm\n2NGcRXsI0c7+g1+0duaxj5dziaRTltqzpRJTfiJD6R36FcvEqwGc+qQgYSMzc1Xd\nY4OTvJFIDiFAmROm/DZYgFtTDldVNJZO2bbU3COYf/Z2Poq56gC4zLLd/zf6shgb\n2Mty8PlQ82JJAY9EMI3aAifdnZ1k/g4weFC4LFg9lUcNNXOwlAjp//LJ3ku3aY1r\nwW74msSeWEjE44YZdWyMYgM7Fy1hz5giHFQtRdOLemRCWQ8h26wn/cmWld7lsLg+\nlYqxokxWXGv8r5zR8kDTBkd0dxY7ZMbo7oESY4Uhuf4UReMe2ZGHto1E7w3llSj+\n7wIDAQAB\n-----END PUBLIC KEY-----\n"
+}

data_bags/credentials/gandi_api.json

@@ -1,23 +1,16 @@
 {
   "id": "gandi_api",
-  "key": {
-    "encrypted_data": "lU7/xYTmP5Sb6SsK5TNNIyegWozzBtUzpg7oDdl6gcz9FEMmG2ft0Ljh5Q==\n",
-    "iv": "EZPQD3C+wsP/mBhF\n",
-    "auth_tag": "vF9E8Pj4Z8quJJdOMg/QTw==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
   "access_token": {
-    "encrypted_data": "1Uw69JkNrmb8LU/qssuod1SlqxxrWR7TJQZeeivRrNzrMIVTEW/1uwJIYL6b\nM4GeeYl9lIRlMMmLBkc=\n",
+    "encrypted_data": "+skwxHnpAj/3d3e2u7s7B9EydbETj8b0flWahvb5gt/o4JYFWHrhIyX/0IVa\n4wgmu08eDgU51i0knGA=\n",
-    "iv": "cc1GJKu6Cf4DkIgX\n",
+    "iv": "ONKrFCt8Oj3GKIQ5\n",
-    "auth_tag": "ERem4S7ozG695kjvWIMghw==\n",
+    "auth_tag": "j9Hrk8ZZFMQub4NUO+2e4g==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "domains": {
-    "encrypted_data": "scZ5blsSjs54DlitR7KZ3enLbyceOR5q0wjHw1golQ==\n",
+    "encrypted_data": "lGfoPHdXEYYdJmoIA9M119wjVl1v4UzIv5gHADwx0A==\n",
-    "iv": "oDcHm7shAzW97b4t\n",
+    "iv": "q6XKbxhW7X9ONxNt\n",
-    "auth_tag": "62Zais9yf68SwmZRsmZ3hw==\n",
+    "auth_tag": "ns9WJH8Oe75siWu+sOZkRg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

nodes/draco.kosmos.org.json

@@ -12,6 +12,7 @@
     },
     "openresty": {
       "listen_ip": "148.251.237.111",
+      "listen_ipv6": "2a01:4f8:202:804a::2",
       "log_formats": {
         "json": "{\"ip\":\"$remote_addr\",\"time\":\"$time_local\",\"host\":\"$host\",\"method\":\"$request_method\",\"uri\":\"$uri\",\"status\":$status,\"size\":$body_bytes_sent,\"referer\":\"$http_referer\",\"upstream_addr\":\"$upstream_addr\",\"upstream_response_time\":\"$upstream_response_time\",\"ua\":\"$http_user_agent\"}"
       }

nodes/garage-14.json

@@ -3,15 +3,15 @@
   "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.157"
+      "host": "10.1.1.151"
     }
   },
   "automatic": {
     "fqdn": "garage-14",
     "os": "linux",
-    "os_version": "5.15.0-1059-kvm",
+    "os_version": "5.15.0-1095-kvm",
     "hostname": "garage-14",
-    "ipaddress": "192.168.122.251",
+    "ipaddress": "192.168.122.36",
     "roles": [
       "base",
       "kvm_guest",
@@ -30,6 +30,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",
@@ -46,13 +47,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.8.54",
+        "version": "18.10.17",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.8.54/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.2.8",
+        "version": "18.2.13",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.8/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
       }
     }
   },

nodes/garage-15.json

@@ -0,0 +1,65 @@
+{
+  "name": "garage-15",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.82"
+    }
+  },
+  "automatic": {
+    "fqdn": "garage-15",
+    "os": "linux",
+    "os_version": "5.15.0-1095-kvm",
+    "hostname": "garage-15",
+    "ipaddress": "192.168.122.57",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "garage_node"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::journald_conf",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.10.17",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.13",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[garage_node]"
+  ]
+}

nodes/gitea-2.json

@@ -50,13 +50,6 @@
       "postfix::sasl_auth",
       "hostname::default",
       "firewall::default",
-      "kosmos_gitea::compile_from_source",
-      "git::default",
-      "git::package",
-      "kosmos-nodejs::default",
-      "nodejs::nodejs_from_package",
-      "nodejs::repo",
-      "golang::default",
       "backup::default",
       "logrotate::default"
     ],

nodes/leo.json

@@ -0,0 +1,56 @@
+{
+  "name": "leo",
+  "normal": {
+    "knife_zero": {
+      "host": "leo.kosmos.org"
+    }
+  },
+  "automatic": {
+    "fqdn": "leo",
+    "os": "linux",
+    "os_version": "5.15.0-164-generic",
+    "hostname": "leo",
+    "ipaddress": "5.9.81.116",
+    "roles": [
+      "base"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::host",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::journald_conf",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.10.17",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.13",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "recipe[kosmos_kvm::host]"
+  ]
+}

nodes/postgres-10.json

@@ -0,0 +1,63 @@
+{
+  "name": "postgres-10",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.176"
+    }
+  },
+  "automatic": {
+    "fqdn": "postgres-10",
+    "os": "linux",
+    "os_version": "5.15.0-1095-kvm",
+    "hostname": "postgres-10",
+    "ipaddress": "192.168.122.41",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "postgresql_replica"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_postgresql::hostsfile",
+      "kosmos_postgresql::replica",
+      "kosmos_postgresql::firewall",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::journald_conf",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.10.17",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.13",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[postgresql_replica]"
+  ]
+}

roles/gitea.rb

@@ -8,8 +8,8 @@ run_list %w(
 
 override_attributes(
   "gitea" => {
-    "repo" => "https://github.com/67P/gitea.git",
+    # "repo" => "https://github.com/67P/gitea.git",
-    "revision" => "ldap_sync",
+    # "revision" => "ldap_sync",
     "log" => { "level" => "Info" }
   },
 )

site-cookbooks/discourse/templates/nginx_conf.erb

@@ -8,8 +8,8 @@ upstream _<%= @upstream_name %> {
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
   server_name <%= @server_name %>;
-  listen 443 ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb

@@ -11,7 +11,7 @@ proxy_cache_path <%= node[:openresty][:cache_dir] %>/akkounts levels=1:2
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @domain %>;
 
   if ($host != $server_name) {

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb

@@ -7,7 +7,7 @@ upstream _akkounts_api {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @domain %>;
 
   ssl_certificate     <%= @ssl_cert %>;

site-cookbooks/kosmos-base/recipes/default.rb

@@ -26,9 +26,9 @@
 
 include_recipe 'apt'
 include_recipe 'timezone_iii'
-include_recipe 'ntp'
 include_recipe 'kosmos-base::journald_conf'
 include_recipe 'kosmos-base::systemd_emails'
+include_recipe "ntp" if node["platform"] == "ubuntu" && node["platform_version"].to_f < 24.04
 
 node.override["apt"]["unattended_upgrades"]["enable"] = true
 node.override["apt"]["unattended_upgrades"]["mail_only_on_error"] = false

site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb

@@ -1,49 +1,86 @@
 #!/bin/bash
+set -e
+set -o pipefail
 
 # Calculate yesterday's date in YYYY-MM-DD format
 YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
 echo "Starting price tracking for $YESTERDAY" >&2
 
+# Helper function to perform HTTP requests with retries
+# Usage: make_request <retries> <method> <url> [data] [header1] [header2] ...
+make_request() {
+    local retries=$1
+    local method=$2
+    local url=$3
+    local data=$4
+    shift 4
+    local headers=("$@")
+
+    local count=0
+    local wait_time=3
+    local response
+
+    while [ "$count" -lt "$retries" ]; do
+        local curl_opts=(-s -S -f -X "$method")
+
+        if [ -n "$data" ]; then
+            curl_opts+=(-d "$data")
+        fi
+
+        for h in "${headers[@]}"; do
+            curl_opts+=(-H "$h")
+        done
+
+        if response=$(curl "${curl_opts[@]}" "$url"); then
+            echo "$response"
+            return 0
+        fi
+
+        echo "Request to $url failed (Attempt $((count+1))/$retries). Retrying in ${wait_time}s..." >&2
+        sleep "$wait_time"
+        count=$((count + 1))
+    done
+
+    echo "ERROR: Request to $url failed after $retries attempts" >&2
+    return 1
+}
+
 # Fetch and process rates for a fiat currency
 get_price_data() {
     local currency=$1
     local data avg open24 last
 
-    data=$(curl -s "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/")
+    if data=$(make_request 3 "GET" "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/" ""); then
-    if [ $? -eq 0 ] && [ ! -z "$data" ]; then
         echo "Successfully retrieved ${currency} price data" >&2
         open24=$(echo "$data" | jq -r '.open_24')
         last=$(echo "$data" | jq -r '.last')
-        avg=$(( (${open24%.*} + ${last%.*}) / 2 ))
+        avg=$(echo "$open24 $last" | awk '{printf "%.0f", ($1 + $2) / 2}')
         echo $avg
     else
         echo "ERROR: Failed to retrieve ${currency} price data" >&2
-        exit 1
+        return 1
     fi
 }
 
 # Get price data for each currency
-usd_avg=$(get_price_data "USD")
+usd_avg=$(get_price_data "USD") || exit 1
-eur_avg=$(get_price_data "EUR")
+eur_avg=$(get_price_data "EUR") || exit 1
-gbp_avg=$(get_price_data "GBP")
+gbp_avg=$(get_price_data "GBP") || exit 1
 
 # Create JSON
-json="{\"EUR\":$eur_avg,\"USD\":$usd_avg,\"GBP\":$gbp_avg}"
+json=$(jq -n \
+  --argjson eur "$eur_avg" \
+  --argjson usd "$usd_avg" \
+  --argjson gbp "$gbp_avg" \
+  '{"EUR": $eur, "USD": $usd, "GBP": $gbp}')
 echo "Rates: $json" >&2
 
 # PUT in remote storage
-response=$(curl -X PUT \
+if make_request 3 "PUT" "<%= @rs_base_url %>/$YESTERDAY" "$json" \
-    -H "Authorization: Bearer $RS_AUTH" \
+    "Authorization: Bearer $RS_AUTH" \
-    -H "Content-Type: application/json" \
+    "Content-Type: application/json" > /dev/null; then
-    -d "$json" \
-    -w "%{http_code}" \
-    -s \
-    -o /dev/null \
-    "<%= @rs_base_url %>/$YESTERDAY")
-
-if [ "$response" -eq 200 ] || [ "$response" -eq 201 ]; then
    echo "Successfully uploaded price data" >&2
 else
-   echo "ERROR: Failed to upload price data. HTTP status: $response" >&2
+   echo "ERROR: Failed to upload price data" >&2
    exit 1
 fi

site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb

@@ -49,7 +49,7 @@ server {
   client_max_body_size 100M;
   server_name <%= @server_name %>;
   listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log <%= node[:nginx][:log_dir] %>/btcpayserver.access.log json;
   error_log <%= node[:nginx][:log_dir] %>/btcpayserver.error.log warn;

site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb

@@ -7,7 +7,7 @@ upstream _lndhub {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   add_header Strict-Transport-Security "max-age=15768000";

site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb

@@ -49,7 +49,7 @@ server {
   server_name <%= @server_name %>;
   <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
   listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   <% else -%>
   listen 80;
   <% end -%>

site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb

@@ -3,7 +3,7 @@
 
 server {
   listen 443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   ssl_certificate     <%= @ssl_cert %>;

site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb

@@ -7,7 +7,7 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   add_header Strict-Transport-Security "max-age=15768000";

site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb

@@ -12,7 +12,7 @@ upstream _ipfs_api {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log /var/log/nginx/<%= @server_name %>.access.log;
   error_log  /var/log/nginx/<%= @server_name %>.error.log;

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb

@@ -21,7 +21,7 @@ proxy_cache_path /var/cache/nginx/mastodon levels=1:2
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
   include <%= @shared_config_path %>;
 

site-cookbooks/kosmos_assets/templates/nginx_conf_assets.erb

@@ -3,7 +3,7 @@
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @domain %>;
 
   root /var/www/<%= @domain %>/site;

site-cookbooks/kosmos_discourse/templates/nginx_conf.erb

@@ -9,7 +9,7 @@ upstream _discourse {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_drone/templates/nginx_conf.erb

@@ -8,7 +8,7 @@ upstream _drone {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb

@@ -4,7 +4,7 @@ upstream garage_s3 {
 
 server {
   listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen [::]:443 http2 ssl;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb

@@ -1,6 +1,6 @@
 server {
   listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen [::]:443 http2 ssl;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   server_name <%= @server_name %>;
 
@@ -18,6 +18,7 @@ server {
   }
 
   location / {
+    add_header 'Access-Control-Allow-Origin' '*' always;
     proxy_intercept_errors on;
     proxy_cache garage_cache;
     proxy_pass http://garage_web;

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,11 +1,12 @@
-node.default["gitea"]["version"] = "1.23.8"
+node.default["gitea"]["version"] = "1.25.4"
-node.default["gitea"]["checksum"] = "827037e7ca940866918abc62a7488736923396c467fcb4acd0dd9829bb6a6f4c"
+node.default["gitea"]["checksum"] = "a3031853e67c53714728ef705642c9046a11fb0ea356aff592e23efe6114607d"
 node.default["gitea"]["repo"] = nil
 node.default["gitea"]["revision"] = nil
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
 node.default["gitea"]["domain"] = "gitea.kosmos.org"
+node.default["gitea"]["email"] = "gitea@kosmos.org"
 
 node.default["gitea"]["config"] = {
   "log": {
@@ -22,5 +23,5 @@ node.default["gitea"]["config"] = {
   }
 }
 
-node.default["gitea"]["act_runner"]["version"] = "0.2.6"
+node.default["gitea"]["act_runner"]["version"] = "0.2.13"
-node.default["gitea"]["act_runner"]["checksum"] = "234c2bdb871e7b0bfb84697f353395bfc7819faf9f0c0443845868b64a041057"
+node.default["gitea"]["act_runner"]["checksum"] = "3acac8b506ac8cadc88a55155b5d6378f0fab0b8f62d1e0c0450f4ccd69733e2"

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -19,6 +19,17 @@ jwt_secret                = gitea_data_bag_item["jwt_secret"]
 internal_token            = gitea_data_bag_item["internal_token"]
 secret_key                = gitea_data_bag_item["secret_key"]
 
+apt_repository "git-core-ppa" do
+  uri "http://ppa.launchpad.net/git-core/ppa/ubuntu"
+  components ["main"]
+  key "E1DF1F24"
+  action :add
+  only_if do
+    node['platform'] == 'ubuntu' &&
+      Gem::Version.new(node['platform_version']) < Gem::Version.new('22.04')
+  end
+end
+
 package "git"
 
 user "git" do
@@ -26,6 +37,13 @@ user "git" do
   home "/home/git"
 end
 
+directory "/home/git/.ssh" do
+  owner "git"
+  group "git"
+  mode "0700"
+  recursive true
+end
+
 directory working_directory do
   owner "git"
   group "git"
@@ -78,6 +96,8 @@ if node.chef_environment == "production"
 end
 
 config_variables = {
+  domain: node["gitea"]["domain"],
+  email: node["gitea"]["email"],
   working_directory: working_directory,
   git_home_directory: git_home_directory,
   repository_root_directory: repository_root_directory,
@@ -98,6 +118,16 @@ config_variables = {
   s3_bucket: gitea_data_bag_item["s3_bucket"]
 }
 
+bash "Generate git ed25519 keypair" do
+  user "git"
+  group "git"
+  cwd git_home_directory
+  code <<-EOH
+    ssh-keygen -t ed25519 -f #{git_home_directory}/.ssh/id_ed25519
+  EOH
+  creates "#{git_home_directory}/.ssh/id_ed25519"
+end
+
 template "#{config_directory}/app.ini" do
   source "app.ini.erb"
   owner "git"
@@ -129,7 +159,7 @@ template "/etc/systemd/system/gitea.service" do
             git_home_directory: git_home_directory,
             config_directory: config_directory,
             gitea_binary_path: gitea_binary_path
-  notifies :run, "execute[systemctl daemon-reload]", :delayed
+  notifies :run, "execute[systemctl daemon-reload]", :immediately
 end
 
 service "gitea" do

site-cookbooks/kosmos_gitea/templates/default/app.ini.erb

@@ -2,12 +2,12 @@ APP_NAME = Gitea
 RUN_MODE = prod
 
 [server]
-SSH_DOMAIN       = gitea.kosmos.org
+SSH_DOMAIN = <%= @domain %>
 HTTP_PORT        = 3000
 DISABLE_SSH      = false
 SSH_PORT         = 22
 PROTOCOL = http
-DOMAIN = gitea.kosmos.org
+DOMAIN = <%= @domain %>
 # Gitea is running behind an nginx reverse load balancer, use an HTTPS root URL
 ROOT_URL = https://%(DOMAIN)s
 # REDIRECT_OTHER_PORT = true
@@ -30,6 +30,16 @@ MAX_OPEN_CONNS = 20
 ROOT = <%= @repository_root_directory %>
 DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
 
+[repository.signing]
+SIGNING_KEY = <%= @git_home_directory %>/.ssh/id_ed25519.pub
+SIGNING_NAME = Gitea
+SIGNING_EMAIL = git@<%= @domain %>
+SIGNING_FORMAT = ssh
+INITIAL_COMMIT = always
+CRUD_ACTIONS = always
+WIKI = always
+MERGES = always
+
 # [indexer]
 # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
 
@@ -46,7 +56,7 @@ SMTP_ADDR = <%= @smtp_addr %>
 SMTP_PORT = <%= @smtp_port %>
 USER = <%= @smtp_user %>
 PASSWD = <%= @smtp_password %>
-FROM = gitea@kosmos.org
+FROM = <%= @email %>
 
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb

@@ -4,5 +4,6 @@ upstream _gitea_ssh {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>22;
+  listen [::]:22;
   proxy_pass _gitea_ssh;
 }

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb

@@ -6,7 +6,7 @@ upstream _gitea_web {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;

site-cookbooks/kosmos_kvm/attributes/default.rb

@@ -1,9 +1,9 @@
-release = "20240514"
+release = "20260321"
-img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm"
+img_filename = "ubuntu-24.04-server-cloudimg-amd64"
 
 node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
-  "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img",
+  "url" => "https://cloud-images.ubuntu.com/releases/noble/release-#{release}/#{img_filename}.img",
-  "checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f",
+  "checksum" => "5c3ddb00f60bc455dac0862fabe9d8bacec46c33ac1751143c5c3683404b110d",
   "path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2"
 }
 

site-cookbooks/kosmos_kvm/recipes/host.rb

@@ -3,7 +3,7 @@
 # Recipe:: host
 #
 
-package %w(virtinst libvirt-daemon-system)
+package %w(virtinst libvirt-daemon-system libvirt-clients)
 
 directory "/var/lib/libvirt/images/base" do
   recursive true

site-cookbooks/kosmos_kvm/templates/create_vm.erb

@@ -17,7 +17,7 @@ DISKSIZE=${4:-10} # 10GB default
 # Directory where image files will be stored
 IMAGE_DIR=/var/lib/libvirt/images
 IMAGE_PATH=$IMAGE_DIR/${VMNAME}.qcow2
-CIDATA_PATH=${IMAGE_DIR}/cidata-${VMNAME}.iso
+CIDATA_PATH=${IMAGE_DIR}/${VMNAME}-cloudinit
 BASE_FILE=<%= @base_image_path %>
 
 # Create the VM image if it does not already exist
@@ -38,9 +38,8 @@ qemu-img info "$IMAGE_PATH"
 # Check if the cloud-init metadata file exists
 # if not, generate it
 if [ ! -r $CIDATA_PATH ]; then
-  pushd $(dirname $CIDATA_PATH)
+  mkdir -p $CIDATA_PATH
-  mkdir -p $VMNAME
+  pushd $CIDATA_PATH
-  cd $VMNAME
 
   cat > user-data <<-EOS
 #cloud-config
@@ -62,25 +61,19 @@ instance-id: $VMNAME
 local-hostname: $VMNAME
 EOS
 
-  genisoimage -output "$CIDATA_PATH" -volid cidata -joliet -rock user-data meta-data
-  chown libvirt-qemu:kvm "$CIDATA_PATH"
-  chmod 600 "$CIDATA_PATH"
   popd
 fi
 
-# setting --os-variant to ubuntu20.04 and ubuntu18.04 breaks SSH and networking
 virt-install \
   --name "$VMNAME" \
   --ram "$RAM" \
   --vcpus "$CPUS" \
   --cpu host \
   --arch x86_64 \
-  --os-type linux \
+  --osinfo detect=on,name=ubuntu24.04 \
-  --os-variant ubuntu16.04 \
   --hvm \
   --virt-type kvm \
   --disk "$IMAGE_PATH" \
-  --cdrom "$CIDATA_PATH" \
   --boot hd \
   --network=bridge=virbr0,model=virtio \
   --graphics none \
@@ -88,4 +81,5 @@ virt-install \
   --console pty \
   --channel unix,mode=bind,path=/var/lib/libvirt/qemu/$VMNAME.guest_agent.0,target_type=virtio,name=org.qemu.guest_agent.0 \
   --autostart \
-  --import
+  --import \
+  --cloud-init root-password-generate=off,disable=on,meta-data=$CIDATA_PATH/meta-data,user-data=$CIDATA_PATH/user-data

site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb

@@ -12,7 +12,7 @@ upstream _<%= @app_name %> {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log; # TODO json_liquor_cabinet;

site-cookbooks/kosmos_openresty/attributes/default.rb

@@ -0,0 +1 @@
+node.default["openresty"]["listen_ipv6"] = "::"

site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb

@@ -6,7 +6,7 @@ upstream _<%= @upstream_name %> {
 
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   server_name <%= @domain %>;
 

site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb

@@ -13,7 +13,7 @@ upstream _substr {
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log "/var/log/nginx/<%= @domain %>.access.log";
   error_log "/var/log/nginx/<%= @domain %>.error.log";

site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb

@@ -3,7 +3,7 @@
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
   error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;

site-cookbooks/kosmos_website/templates/nginx_conf_simple.erb

@@ -3,7 +3,7 @@
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   root /var/www/<%= @domain %>/public;
 

site-cookbooks/kosmos_website/templates/nginx_conf_website.erb

@@ -3,6 +3,7 @@
 server {
   server_name _;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80 default_server;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:80 default_server;
 
   location / {
     return 301 https://<%= @domain %>;
@@ -12,7 +13,7 @@ server {
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
-  listen [::]:443 ssl http2 default_server;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2 default_server;
 
   if ($host != $server_name) {
     return 307 $scheme://$server_name;

site-cookbooks/kredits-github/templates/default/nginx_conf.erb

@@ -5,8 +5,8 @@ upstream _<%= @app_name %> {
 
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
-  listen 443 ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
   server_name <%= @server_name %>;
 
   access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log json;

site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb

@@ -8,7 +8,7 @@ upstream _rs_discourse {
 server {
   server_name <%= @server_name %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen [::]:443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;