Merge pull request 'Migrate S3 backups from AWS, fix automatic cleanups' (#574) from chore/move_fix_s3_backups into master

Reviewed-on: #574

data_bags/credentials/backup.json

@@ -1,27 +1,38 @@
 {
   "id": "backup",
   "s3_access_key_id": {
-    "encrypted_data": "emGNH4v7TTEh05Go/DsI3k7CFnaK4p/4JxodC4BYpyWw47/Z3dsuRMu4vXM3\n3YLH\n",
+    "encrypted_data": "245TrPvuoBRRTimhbt6qqsFb+JnnD377sPt1pguJy7Q2BXOy/jrX0wyMt+cP\nuA==\n",
-    "iv": "Dau+ekb3UTYdl8w3fQKVcA==\n",
+    "iv": "ylmRxSRO3AA4MSJN\n",
-    "version": 1,
+    "auth_tag": "45tBcYZowPLrbv4Zu2P0Fw==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "s3_secret_access_key": {
-    "encrypted_data": "Mxyly86JxrWUbubbSiqPdRosChzfI1Q8eBEG4n+2B9JJG4yExltO5Wc5kgSs\nX01MPXAc+PGLm+J9MngUtypo/g==\n",
+    "encrypted_data": "jDIOjlBzTkBUzpj243T6KnBuH0qwyW7BUFMcqllljFSzxs7K8wYJOUreNbOP\ny8OpDWAuO0H4O4LuFMJXeM8=\n",
-    "iv": "WRhBJGiuScYYsUsoT5j/UA==\n",
+    "iv": "PzvZr37EkJqz6JtM\n",
-    "version": 1,
+    "auth_tag": "e3XW8oHVgmYibv/IBzj0yA==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_endpoint": {
+    "encrypted_data": "ErJIEChxrreW7WKEwRtuP2MyYlsZRtqLdGa/x5QY58qgO036FgR3Hs2Z3yce\n",
+    "iv": "HOSAOgUjO7XGwk50\n",
+    "auth_tag": "XE1bwMIXHHE72V9K2KOLnw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "s3_region": {
-    "encrypted_data": "2ZGxu0tVzKNfx3K1Wleg0SAwGaPkHCi/XfKpJ+J7q40=\n",
+    "encrypted_data": "8cNSaYu7HH95ftG66lFdUIPZD7soz907CPA=\n",
-    "iv": "CNTZW2SEIgfw+IyzGI3TzQ==\n",
+    "iv": "pU21ulF75y/SIs3x\n",
-    "version": 1,
+    "auth_tag": "7WQQCbSbB2GybjY+C+5IvQ==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "encryption_password": {
-    "encrypted_data": "tsBWKBwhQFfEAM0EWMPtljSbqU1c5mOJXPjYJjNT5RUFhPlqa7gsE8aJbs+D\nSPKjAQ62j+iHeqCk9mE9CCkgBA==\n",
+    "encrypted_data": "l23CiIO2s1fIRn0NdoWZ+wK+Zhx3hCYDHf4ypjqMRekZ7xqafvXHHuogD5aj\npxYUKloH\n",
-    "iv": "uq5YAXuq2ynRLv9EIWoCFA==\n",
+    "iv": "Dzx83eP9L7Jqqidh\n",
-    "version": 1,
+    "auth_tag": "UVn5XA5Tgsikc1GdOt1MUQ==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
+    "cipher": "aes-256-gcm"
   }
 }

nodes/bitcoin-2.json

@@ -33,7 +33,6 @@
       "kosmos-bitcoin::c-lightning",
       "kosmos-bitcoin::lnd",
       "kosmos-bitcoin::lnd-scb-s3",
-      "kosmos-bitcoin::boltz",
       "kosmos-bitcoin::rtl",
       "kosmos-bitcoin::peerswap-lnd",
       "kosmos_postgresql::hostsfile",

nodes/gitea-2.json

@@ -32,6 +32,7 @@
       "kosmos_postgresql::hostsfile",
       "kosmos_gitea",
       "kosmos_gitea::default",
+      "kosmos_gitea::backup",
       "kosmos_gitea::act_runner",
       "apt::default",
       "timezone_iii::default",
@@ -47,7 +48,9 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
-      "firewall::default"
+      "firewall::default",
+      "backup::default",
+      "logrotate::default"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",

roles/gitea.rb

@@ -3,4 +3,5 @@ name "gitea"
 run_list %w(
   role[postgresql_client]
   kosmos_gitea::default
+  kosmos_gitea::backup
 )

roles/lnd.rb

@@ -3,7 +3,6 @@ name "lnd"
 run_list %w(
   kosmos-bitcoin::lnd
   kosmos-bitcoin::lnd-scb-s3
-  kosmos-bitcoin::boltz
   kosmos-bitcoin::rtl
   kosmos-bitcoin::peerswap-lnd
 )

site-cookbooks/backup/attributes/default.rb

@@ -42,5 +42,5 @@ default['backup']['orbit']['keep'] = 10
 default['backup']['cron']['hour'] = "05"
 default['backup']['cron']['minute'] = "7"
 
-default['backup']['s3']['keep'] = 15
+default['backup']['s3']['keep'] = 10
-default['backup']['s3']['bucket'] = "kosmos-dev-backups"
+default['backup']['s3']['bucket'] = "kosmos-backups"

site-cookbooks/backup/recipes/default.rb

@@ -28,6 +28,7 @@ template "#{backup_dir}/config.rb" do
   sensitive true
   variables s3_access_key_id: backup_data["s3_access_key_id"],
             s3_secret_access_key: backup_data["s3_secret_access_key"],
+            s3_endpoint: backup_data["s3_endpoint"],
             s3_region: backup_data["s3_region"],
             encryption_password: backup_data["encryption_password"],
             mail_from: "backups@kosmos.org",

site-cookbooks/backup/templates/default/config.rb.erb

@@ -23,6 +23,10 @@ Storage::S3.defaults do |s3|
   s3.secret_access_key = "<%= @s3_secret_access_key %>"
   s3.region            = "<%= @s3_region %>"
   s3.bucket            = "<%= node['backup']['s3']['bucket'] %>"
+  s3.fog_options       = {
+    endpoint: "<%= @s3_endpoint %>",
+    aws_signature_version: 2
+  }
 end
 
 Encryptor::OpenSSL.defaults do |encryption|
@@ -88,7 +92,6 @@ end
 
 preconfigure 'KosmosBackup' do
   split_into_chunks_of 250 # megabytes
-  store_with S3
   compress_with Bzip2
   encrypt_with OpenSSL
   notify_by Mail do |mail|

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '26.0'
+node.default['bitcoin']['version']   = '28.0'
-node.default['bitcoin']['checksum']  = 'ab1d99276e28db62d1d9f3901e85ac358d7f1ebcb942d348a9c4e46f0fcdc0a1'
+node.default['bitcoin']['checksum']  = '700ae2d1e204602eb07f2779a6e6669893bc96c0dca290593f80ff8e102ff37f'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'
@@ -24,7 +24,8 @@ node.default['bitcoin']['conf'] = {
   rpcbind: "127.0.0.1:8332",
   gen: 0,
   zmqpubrawblock: 'tcp://127.0.0.1:8337',
-  zmqpubrawtx: 'tcp://127.0.0.1:8338'
+  zmqpubrawtx: 'tcp://127.0.0.1:8338',
+  deprecatedrpc: 'warnings' # TODO remove when upgrading to LND 0.18.4
 }
 
 # Also enables Tor for LND
@@ -40,7 +41,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.17.3-beta'
+node.default['lnd']['revision'] = 'v0.18.3-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -58,19 +59,8 @@ node.default['lnd']['tor'] = {
   'skip-proxy-for-clearnet-targets' => 'true'
 }
 
-node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
-node.default['boltz']['revision'] = 'v1.2.7'
-node.default['boltz']['source_dir'] = '/opt/boltz'
-node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
-node.default['boltz']['grpc_host'] = '127.0.0.1'
-node.default['boltz']['grpc_port'] = '9002'
-node.default['boltz']['rest_disabled'] = 'false'
-node.default['boltz']['rest_host'] = '127.0.0.1'
-node.default['boltz']['rest_port'] = '9003'
-node.default['boltz']['no_macaroons'] = 'false'
-
 node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
-node.default['rtl']['revision'] = 'v0.15.0'
+node.default['rtl']['revision'] = 'v0.15.2'
 node.default['rtl']['host'] = '10.1.1.163'
 node.default['rtl']['port'] = '3000'
 

site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb

@@ -11,6 +11,7 @@ credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 
 file "/root/.aws/config" do
   mode "600"
+  sensitive true
   content lazy { <<-EOF
 [default]
 region = #{credentials["s3_region"]}

site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb

@@ -12,8 +12,15 @@ if node["bitcoin"]["blocksdir_mount_type"]
   include_recipe "kosmos-bitcoin::blocksdir-mount"
 end
 
-%w{ libtool autotools-dev make automake cmake curl g++-multilib libtool
+apt_repository "ubuntu-toolchain-r" do
-    binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
+  # provides g++-13, needed for better c++-20 support
+  uri "ppa:ubuntu-toolchain-r/test"
+end
+
+%w{
+  gcc-13 g++-13 libtool autotools-dev make automake cmake curl bison
+  binutils-gold pkg-config python3 patch
+}.each do |pkg|
   apt_package pkg
 end
 
@@ -26,20 +33,21 @@ end
 
 execute "compile_bitcoin-core_dependencies" do
   cwd "/usr/local/bitcoind/depends"
-  command "make NO_QT=1"
+  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
+  command "make -j 2"
   action :nothing
   notifies :run, 'bash[compile_bitcoin-core]', :immediately
 end
 
 bash "compile_bitcoin-core" do
   cwd "/usr/local/bitcoind"
+  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
   code <<-EOH
     ./autogen.sh
     ./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
     make
   EOH
   action :nothing
-  notifies :restart, "systemd_unit[bitcoind.service]", :delayed
 end
 
 link "/usr/local/bin/bitcoind" do

site-cookbooks/kosmos-bitcoin/recipes/boltz.rb

@@ -1,87 +0,0 @@
-#
-# Cookbook:: kosmos-bitcoin
-# Recipe:: boltz
-#
-
-include_recipe "git"
-include_recipe "kosmos-bitcoin::golang"
-
-git node['boltz']['source_dir'] do
-  repository node['boltz']['repo']
-  revision node['boltz']['revision']
-  action :sync
-  notifies :run, 'bash[compile_and_install_boltz]', :immediately
-end
-
-bash "compile_and_install_boltz" do
-  cwd node['boltz']['source_dir']
-  code <<-EOH
-go mod vendor && \
-make build && \
-make install
-  EOH
-  action :nothing
-  notifies :restart, "systemd_unit[boltzd.service]", :delayed
-end
-
-bitcoin_user  = node['bitcoin']['username']
-bitcoin_group = node['bitcoin']['usergroup']
-boltz_dir     = node['boltz']['boltz_dir']
-lnd_dir       = node['lnd']['lnd_dir']
-
-directory boltz_dir do
-  owner bitcoin_user
-  group bitcoin_group
-  mode '0750'
-  action :create
-end
-
-template "#{boltz_dir}/boltz.toml" do
-  source "boltz.toml.erb"
-  owner bitcoin_user
-  group bitcoin_group
-  mode '0640'
-  variables lnd_grpc_host: '127.0.0.1',
-            lnd_grpc_port: '10009',
-            lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
-            lnd_tlscert_path: "#{lnd_dir}/tls.cert",
-            boltz_config: node['boltz']
-  notifies :restart, "systemd_unit[boltzd.service]", :delayed
-end
-
-systemd_unit 'boltzd.service' do
-  content({
-    Unit: {
-      Description: 'Boltz Daemon',
-      Documentation: ['https://lnd.docs.boltz.exchange'],
-      Requires: 'lnd.service',
-      After: 'lnd.service'
-    },
-    Service: {
-      User: bitcoin_user,
-      Group: bitcoin_group,
-      Type: 'simple',
-      ExecStart: "/opt/boltz/boltzd",
-      Restart: 'always',
-      RestartSec: '30',
-      TimeoutSec: '240',
-      LimitNOFILE: '128000',
-      PrivateTmp: true,
-      ProtectSystem: 'full',
-      NoNewPrivileges: true,
-      PrivateDevices: true,
-      MemoryDenyWriteExecute: true
-    },
-    Install: {
-      WantedBy: 'multi-user.target'
-    }
-  })
-  verify false
-  triggers_reload true
-  action [:create, :enable, :start]
-end
-
-unless node.chef_environment == 'development'
-  node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
-  include_recipe 'backup'
-end

site-cookbooks/kosmos-bitcoin/recipes/golang.rb

@@ -5,7 +5,7 @@
 # Internal recipe for managing the Go installation in one place
 #
 
-node.override['golang']['version'] = "1.20.3"
+node.override['golang']['version'] = "1.23.1"
 include_recipe "golang"
 
 link '/usr/local/bin/go' do

site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb

@@ -10,12 +10,14 @@ include_recipe "kosmos-bitcoin::aws-client"
 package "inotify-tools"
 
 backup_script_path = "/opt/lnd-channel-backup-s3.sh"
+backup_credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 
 template backup_script_path do
   source "lnd-channel-backup-s3.sh.erb"
   mode '0740'
   variables lnd_dir: node['lnd']['lnd_dir'],
             bitcoin_network: node['bitcoin']['network'],
+            s3_endpoint: backup_credentials['s3_endpoint'],
             s3_bucket: node['backup']['s3']['bucket'],
             s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
   notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed

site-cookbooks/kosmos-bitcoin/recipes/rtl.rb

@@ -46,24 +46,22 @@ rtl_config = {
   multiPassHashed: credentials["multiPassHashed"]
 }
 
-if node['boltz']
-  # TODO adapt for multi-node usage
-  rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
-  rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
-end
-
 git rtl_dir do
   user bitcoin_user
   group bitcoin_group
   repository node['rtl']['repo']
   revision node['rtl']['revision']
+  notifies :run, "execute[npm_install]", :immediately
   notifies :restart, "systemd_unit[#{app_name}.service]", :delayed
 end
 
-execute "npm install" do
+execute "npm_install" do
   cwd rtl_dir
   environment "HOME" => rtl_dir
   user bitcoin_user
+  # TODO remove --force when upstream dependency issues have been resolved
+  command "npm install --force"
+  action :nothing
 end
 
 file "#{rtl_dir}/RTL-Config.json" do

site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb

@@ -1,32 +0,0 @@
-[LND]
-# Host of the gRPC interface of LND
-host = "<%= @lnd_grpc_host %>"
-
-# Port of the gRPC interface of LND
-port = <%= @lnd_grpc_port %>
-
-# Path to a macaroon file of LND
-# The daemon needs to have permission to read various endpoints, generate addresses and pay invoices 
-macaroon = "<%= @lnd_macaroon_path %>"
-
-# Path to the TLS certificate of LND
-certificate = "<%= @lnd_tlscert_path %>"
-
-[RPC]
-# Host of the gRPC interface
-host = "<%= @boltz_config['grpc_host'] %>"
-
-# Port of the gRPC interface
-port = <%= @boltz_config['grpc_port'] %>
-
-# Whether the REST proxy for the gRPC interface should be disabled
-restDisabled = <%= @boltz_config['rest_disabled'] %>
-
-# Host of the REST proxy
-restHost = "<%= @boltz_config['rest_host'] %>"
-
-# Port of the REST proxy
-restPort = <%= @boltz_config['rest_port'] %>
-
-# Whether the macaroon authentication for the gRPC and REST interface should be disabled
-noMacaroons = <%= @boltz_config['no_macaroons'] %>

site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb

@@ -3,5 +3,5 @@ set -xe -o pipefail
 
 while true; do
   inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
-  aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
+  aws --endpoint <%= @s3_endpoint %> s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
 done

site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb

@@ -12,7 +12,6 @@ minchansize=<%= @lnd_minchansize %>
 autopilot.active=0
 
 [Bitcoin]
-bitcoin.active=1
 bitcoin.mainnet=1
 bitcoin.node=bitcoind
 bitcoin.basefee=<%= @lnd_basefee %>

site-cookbooks/kosmos-mastodon/attributes/default.rb

@@ -10,7 +10,7 @@ node.default["kosmos-mastodon"]["redis_url"]         = "redis://localhost:6379/0
 node.default["kosmos-mastodon"]["sidekiq_threads"]   = 25
 node.default["kosmos-mastodon"]["allowed_private_addresses"] = "127.0.0.1"
 
-node.default["kosmos-mastodon"]["onion_address"]     = nil
+node.default["kosmos-mastodon"]["onion_address"] = nil
 
 # Allocate this amount of RAM to the Java heap for Elasticsearch
 node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
@@ -20,6 +20,10 @@ node.default["kosmos-mastodon"]["s3_region"]     = nil
 node.default["kosmos-mastodon"]["s3_bucket"]     = nil
 node.default["kosmos-mastodon"]["s3_alias_host"] = nil
 
+node.default["kosmos-mastodon"]["sso_account_sign_up_url"] = "https://kosmos.org"
+node.default["kosmos-mastodon"]["sso_account_reset_password_url"] = "https://accounts.kosmos.org/users/password/new"
+node.default["kosmos-mastodon"]["sso_account_resend_confirmation_url"] = "https://accounts.kosmos.org/users/confirmation/new"
+
 node.default["kosmos-mastodon"]["default_locale"] = "en"
 node.default["kosmos-mastodon"]["libre_translate_endpoint"] = nil
 

site-cookbooks/kosmos-mastodon/recipes/backup.rb

@@ -6,13 +6,12 @@
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 
 unless node.chef_environment == "development"
-  unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
+  node.override['backup']['s3']['keep'] = 1
-    node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
+  node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
-    node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
+  node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
-      username: "mastodon",
+    username: "mastodon",
-      password: postgresql_data_bag_item['mastodon_user_password']
+    password: postgresql_data_bag_item['mastodon_user_password']
-    }
+  }
-  end
 
   include_recipe "backup"
 end

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -190,6 +190,7 @@ template "#{mastodon_path}/.env.#{rails_env}" do
   mode  "0640"
   owner mastodon_user
   group mastodon_user
+  sensitive true
   variables redis_url: node["kosmos-mastodon"]["redis_url"],
             domain: node["kosmos-mastodon"]["domain"],
             alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
@@ -210,6 +211,9 @@ template "#{mastodon_path}/.env.#{rails_env}" do
             vapid_public_key: credentials['vapid_public_key'],
             db_pass: postgresql_credentials['mastodon_user_password'],
             db_host: "pg.kosmos.local",
+            sso_account_sign_up_url: node["kosmos-mastodon"]["sso_account_sign_up_url"],
+            sso_account_reset_password_url: node["kosmos-mastodon"]["sso_account_reset_password_url"],
+            sso_account_resend_confirmation_url: node["kosmos-mastodon"]["sso_account_resend_confirmation_url"],
             default_locale: node["kosmos-mastodon"]["default_locale"],
             allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],
             libre_translate_endpoint: node["kosmos-mastodon"]["libre_translate_endpoint"]

site-cookbooks/kosmos-mastodon/templates/default/env.erb

@@ -44,6 +44,9 @@ LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
 LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
 LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
 LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
+SSO_ACCOUNT_SIGN_UP=<%= @sso_account_sign_up_url %>
+SSO_ACCOUNT_RESET_PASSWORD=<%= @sso_account_reset_password_url %>
+SSO_ACCOUNT_RESEND_CONFIRMATION=<%= @sso_account_resend_confirmation_url %>
 <% end %>
 
 # Optional asset host for multi-server setups

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default["gitea"]["version"] = "1.22.0"
+node.default["gitea"]["version"] = "1.22.1"
-node.default["gitea"]["checksum"] = "a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d"
+node.default["gitea"]["checksum"] = "b8043324545eec269fc8f18c22b49fc365ed367e0dd41e081b79832de2570f9c"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"

site-cookbooks/kosmos_gitea/recipes/backup.rb

@@ -8,5 +8,6 @@
 unless node.chef_environment == "development"
   # backup the data dir and the config files
   node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
+  node.override['backup']['s3']['keep'] = 2
   include_recipe "backup"
 end