Merge pull request 'Upgrade lndhub.go to 1.0.2, add service fee config' (#576) from chore/upgrade_lndhub into master

Reviewed-on: #576
Reviewed-by: Greg <greg@noreply.kosmos.org>

data_bags/credentials/backup.json

@@ -1,27 +1,38 @@
 {
   "id": "backup",
   "s3_access_key_id": {
-    "encrypted_data": "emGNH4v7TTEh05Go/DsI3k7CFnaK4p/4JxodC4BYpyWw47/Z3dsuRMu4vXM3\n3YLH\n",
+    "encrypted_data": "245TrPvuoBRRTimhbt6qqsFb+JnnD377sPt1pguJy7Q2BXOy/jrX0wyMt+cP\nuA==\n",
-    "iv": "Dau+ekb3UTYdl8w3fQKVcA==\n",
+    "iv": "ylmRxSRO3AA4MSJN\n",
-    "version": 1,
+    "auth_tag": "45tBcYZowPLrbv4Zu2P0Fw==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "s3_secret_access_key": {
-    "encrypted_data": "Mxyly86JxrWUbubbSiqPdRosChzfI1Q8eBEG4n+2B9JJG4yExltO5Wc5kgSs\nX01MPXAc+PGLm+J9MngUtypo/g==\n",
+    "encrypted_data": "jDIOjlBzTkBUzpj243T6KnBuH0qwyW7BUFMcqllljFSzxs7K8wYJOUreNbOP\ny8OpDWAuO0H4O4LuFMJXeM8=\n",
-    "iv": "WRhBJGiuScYYsUsoT5j/UA==\n",
+    "iv": "PzvZr37EkJqz6JtM\n",
-    "version": 1,
+    "auth_tag": "e3XW8oHVgmYibv/IBzj0yA==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_endpoint": {
+    "encrypted_data": "ErJIEChxrreW7WKEwRtuP2MyYlsZRtqLdGa/x5QY58qgO036FgR3Hs2Z3yce\n",
+    "iv": "HOSAOgUjO7XGwk50\n",
+    "auth_tag": "XE1bwMIXHHE72V9K2KOLnw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "s3_region": {
-    "encrypted_data": "2ZGxu0tVzKNfx3K1Wleg0SAwGaPkHCi/XfKpJ+J7q40=\n",
+    "encrypted_data": "8cNSaYu7HH95ftG66lFdUIPZD7soz907CPA=\n",
-    "iv": "CNTZW2SEIgfw+IyzGI3TzQ==\n",
+    "iv": "pU21ulF75y/SIs3x\n",
-    "version": 1,
+    "auth_tag": "7WQQCbSbB2GybjY+C+5IvQ==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
+    "cipher": "aes-256-gcm"
   },
   "encryption_password": {
-    "encrypted_data": "tsBWKBwhQFfEAM0EWMPtljSbqU1c5mOJXPjYJjNT5RUFhPlqa7gsE8aJbs+D\nSPKjAQ62j+iHeqCk9mE9CCkgBA==\n",
+    "encrypted_data": "l23CiIO2s1fIRn0NdoWZ+wK+Zhx3hCYDHf4ypjqMRekZ7xqafvXHHuogD5aj\npxYUKloH\n",
-    "iv": "uq5YAXuq2ynRLv9EIWoCFA==\n",
+    "iv": "Dzx83eP9L7Jqqidh\n",
-    "version": 1,
+    "auth_tag": "UVn5XA5Tgsikc1GdOt1MUQ==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
+    "cipher": "aes-256-gcm"
   }
 }

environments/production.json

@@ -108,13 +108,15 @@
       "real_ip_header": "x-real-ip",
       "policy_path": "/opt/strfry/strfry-policy.ts",
       "whitelist_pubkeys": [
-        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
+        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
+        "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf"
       ],
       "info": {
         "name": "Kosmos Relay",
         "description": "Members-only nostr relay for kosmos.org users",
-        "pubkey": "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb",
+        "pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
-        "contact": "ops@kosmos.org"
+        "contact": "ops@kosmos.org",
+        "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
       }
     }
   }

nodes/bitcoin-2.json

@@ -16,7 +16,6 @@
       "kvm_guest",
       "sentry_client",
       "bitcoind",
-      "cln",
       "lnd",
       "lndhub",
       "postgresql_client",
@@ -30,10 +29,8 @@
       "tor-full",
       "tor-full::default",
       "kosmos-bitcoin::bitcoind",
-      "kosmos-bitcoin::c-lightning",
       "kosmos-bitcoin::lnd",
       "kosmos-bitcoin::lnd-scb-s3",
-      "kosmos-bitcoin::boltz",
       "kosmos-bitcoin::rtl",
       "kosmos-bitcoin::peerswap-lnd",
       "kosmos_postgresql::hostsfile",
@@ -103,7 +100,6 @@
     "role[sentry_client]",
     "recipe[tor-full]",
     "role[bitcoind]",
-    "role[cln]",
     "role[lnd]",
     "role[lndhub]",
     "role[btcpay]"

nodes/mail.kosmos.org.json

@@ -10,7 +10,7 @@
     "fqdn": "mail.kosmos.org",
     "os": "linux",
     "os_version": "5.15.0-1048-kvm",
-    "hostname": "mail",
+    "hostname": "mail.kosmos.org",
     "ipaddress": "192.168.122.131",
     "roles": [
       "base",

nodes/wiki-1.json

@@ -8,16 +8,19 @@
   "automatic": {
     "fqdn": "wiki-1",
     "os": "linux",
-    "os_version": "5.4.0-91-generic",
+    "os_version": "5.4.0-167-generic",
     "hostname": "wiki-1",
     "ipaddress": "192.168.122.26",
     "roles": [
-      "kvm_guest"
+      "base",
+      "kvm_guest",
+      "ldap_client"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
+      "kosmos-dirsrv::hostsfile",
       "kosmos-mediawiki",
       "kosmos-mediawiki::default",
       "apt::default",
@@ -41,7 +44,6 @@
       "php::package",
       "php::ini",
       "composer::global_configs",
-      "kosmos-dirsrv::hostsfile",
       "mediawiki::default",
       "mediawiki::database",
       "kosmos-nginx::default",
@@ -79,4 +81,4 @@
     "role[ldap_client]",
     "recipe[kosmos-mediawiki]"
   ]
-}
+}

roles/gitea.rb

@@ -3,4 +3,5 @@ name "gitea"
 run_list %w(
   role[postgresql_client]
   kosmos_gitea::default
+  kosmos_gitea::backup
 )

roles/lnd.rb

@@ -3,7 +3,6 @@ name "lnd"
 run_list %w(
   kosmos-bitcoin::lnd
   kosmos-bitcoin::lnd-scb-s3
-  kosmos-bitcoin::boltz
   kosmos-bitcoin::rtl
   kosmos-bitcoin::peerswap-lnd
 )

site-cookbooks/backup/attributes/default.rb

@@ -42,5 +42,5 @@ default['backup']['orbit']['keep'] = 10
 default['backup']['cron']['hour'] = "05"
 default['backup']['cron']['minute'] = "7"
 
-default['backup']['s3']['keep'] = 15
+default['backup']['s3']['keep'] = 10
-default['backup']['s3']['bucket'] = "kosmos-dev-backups"
+default['backup']['s3']['bucket'] = "kosmos-backups"

site-cookbooks/backup/recipes/default.rb

@@ -28,6 +28,7 @@ template "#{backup_dir}/config.rb" do
   sensitive true
   variables s3_access_key_id: backup_data["s3_access_key_id"],
             s3_secret_access_key: backup_data["s3_secret_access_key"],
+            s3_endpoint: backup_data["s3_endpoint"],
             s3_region: backup_data["s3_region"],
             encryption_password: backup_data["encryption_password"],
             mail_from: "backups@kosmos.org",

site-cookbooks/backup/templates/default/config.rb.erb

@@ -23,6 +23,10 @@ Storage::S3.defaults do |s3|
   s3.secret_access_key = "<%= @s3_secret_access_key %>"
   s3.region            = "<%= @s3_region %>"
   s3.bucket            = "<%= node['backup']['s3']['bucket'] %>"
+  s3.fog_options       = {
+    endpoint: "<%= @s3_endpoint %>",
+    aws_signature_version: 2
+  }
 end
 
 Encryptor::OpenSSL.defaults do |encryption|
@@ -88,7 +92,6 @@ end
 
 preconfigure 'KosmosBackup' do
   split_into_chunks_of 250 # megabytes
-  store_with S3
   compress_with Bzip2
   encrypt_with OpenSSL
   notify_by Mail do |mail|

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb

@@ -14,6 +14,10 @@ server {
   listen [::]:443 ssl http2;
   server_name <%= @domain %>;
 
+  if ($host != $server_name) {
+    return 301 $scheme://$server_name$request_uri;
+  }
+
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
@@ -39,6 +43,9 @@ server {
 
   location @proxy {
     proxy_set_header Host $http_host;
+    set $x_forwarded_host $http_x_forwarded_host;
+    if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
+    proxy_set_header X-Forwarded-Host $x_forwarded_host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto https;

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '26.0'
+node.default['bitcoin']['version']   = '28.0'
-node.default['bitcoin']['checksum']  = 'ab1d99276e28db62d1d9f3901e85ac358d7f1ebcb942d348a9c4e46f0fcdc0a1'
+node.default['bitcoin']['checksum']  = '700ae2d1e204602eb07f2779a6e6669893bc96c0dca290593f80ff8e102ff37f'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'
@@ -24,7 +24,8 @@ node.default['bitcoin']['conf'] = {
   rpcbind: "127.0.0.1:8332",
   gen: 0,
   zmqpubrawblock: 'tcp://127.0.0.1:8337',
-  zmqpubrawtx: 'tcp://127.0.0.1:8338'
+  zmqpubrawtx: 'tcp://127.0.0.1:8338',
+  deprecatedrpc: 'warnings' # TODO remove when upgrading to LND 0.18.4
 }
 
 # Also enables Tor for LND
@@ -40,7 +41,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.17.3-beta'
+node.default['lnd']['revision'] = 'v0.18.3-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -58,24 +59,13 @@ node.default['lnd']['tor'] = {
   'skip-proxy-for-clearnet-targets' => 'true'
 }
 
-node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
-node.default['boltz']['revision'] = 'v1.2.7'
-node.default['boltz']['source_dir'] = '/opt/boltz'
-node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
-node.default['boltz']['grpc_host'] = '127.0.0.1'
-node.default['boltz']['grpc_port'] = '9002'
-node.default['boltz']['rest_disabled'] = 'false'
-node.default['boltz']['rest_host'] = '127.0.0.1'
-node.default['boltz']['rest_port'] = '9003'
-node.default['boltz']['no_macaroons'] = 'false'
-
 node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
-node.default['rtl']['revision'] = 'v0.15.0'
+node.default['rtl']['revision'] = 'v0.15.2'
 node.default['rtl']['host'] = '10.1.1.163'
 node.default['rtl']['port'] = '3000'
 
 node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
-node.default['lndhub-go']['revision'] = '0.14.0'
+node.default['lndhub-go']['revision'] = '1.0.2'
 node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
 node.default['lndhub-go']['port'] = 3026
 node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
@@ -83,8 +73,10 @@ node.default['lndhub-go']['postgres']['database'] = 'lndhub'
 node.default['lndhub-go']['postgres']['user'] = 'lndhub'
 node.default['lndhub-go']['postgres']['port'] = 5432
 node.default['lndhub-go']['default_rate_limit'] = 20
-node.default['lndhub-go']['strict_rate_limit'] =  1
+node.default['lndhub-go']['strict_rate_limit'] = 1
-node.default['lndhub-go']['burst_rate_limit'] =  10
+node.default['lndhub-go']['burst_rate_limit'] = 10
+node.default['lndhub-go']['service_fee'] = 1
+node.default['lndhub-go']['no_service_fee_up_to_amount'] = 1000
 node.default['lndhub-go']['branding'] = {
   'title' => 'LndHub - Kosmos Lightning',
   'desc' => 'Kosmos accounts for the Lightning Network',

site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb

@@ -11,6 +11,7 @@ credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 
 file "/root/.aws/config" do
   mode "600"
+  sensitive true
   content lazy { <<-EOF
 [default]
 region = #{credentials["s3_region"]}

site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb

@@ -12,8 +12,15 @@ if node["bitcoin"]["blocksdir_mount_type"]
   include_recipe "kosmos-bitcoin::blocksdir-mount"
 end
 
-%w{ libtool autotools-dev make automake cmake curl g++-multilib libtool
+apt_repository "ubuntu-toolchain-r" do
-    binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
+  # provides g++-13, needed for better c++-20 support
+  uri "ppa:ubuntu-toolchain-r/test"
+end
+
+%w{
+  gcc-13 g++-13 libtool autotools-dev make automake cmake curl bison
+  binutils-gold pkg-config python3 patch
+}.each do |pkg|
   apt_package pkg
 end
 
@@ -26,20 +33,21 @@ end
 
 execute "compile_bitcoin-core_dependencies" do
   cwd "/usr/local/bitcoind/depends"
-  command "make NO_QT=1"
+  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
+  command "make -j 2"
   action :nothing
   notifies :run, 'bash[compile_bitcoin-core]', :immediately
 end
 
 bash "compile_bitcoin-core" do
   cwd "/usr/local/bitcoind"
+  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
   code <<-EOH
     ./autogen.sh
     ./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
     make
   EOH
   action :nothing
-  notifies :restart, "systemd_unit[bitcoind.service]", :delayed
 end
 
 link "/usr/local/bin/bitcoind" do

site-cookbooks/kosmos-bitcoin/recipes/boltz.rb

@@ -1,87 +0,0 @@
-#
-# Cookbook:: kosmos-bitcoin
-# Recipe:: boltz
-#
-
-include_recipe "git"
-include_recipe "kosmos-bitcoin::golang"
-
-git node['boltz']['source_dir'] do
-  repository node['boltz']['repo']
-  revision node['boltz']['revision']
-  action :sync
-  notifies :run, 'bash[compile_and_install_boltz]', :immediately
-end
-
-bash "compile_and_install_boltz" do
-  cwd node['boltz']['source_dir']
-  code <<-EOH
-go mod vendor && \
-make build && \
-make install
-  EOH
-  action :nothing
-  notifies :restart, "systemd_unit[boltzd.service]", :delayed
-end
-
-bitcoin_user  = node['bitcoin']['username']
-bitcoin_group = node['bitcoin']['usergroup']
-boltz_dir     = node['boltz']['boltz_dir']
-lnd_dir       = node['lnd']['lnd_dir']
-
-directory boltz_dir do
-  owner bitcoin_user
-  group bitcoin_group
-  mode '0750'
-  action :create
-end
-
-template "#{boltz_dir}/boltz.toml" do
-  source "boltz.toml.erb"
-  owner bitcoin_user
-  group bitcoin_group
-  mode '0640'
-  variables lnd_grpc_host: '127.0.0.1',
-            lnd_grpc_port: '10009',
-            lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
-            lnd_tlscert_path: "#{lnd_dir}/tls.cert",
-            boltz_config: node['boltz']
-  notifies :restart, "systemd_unit[boltzd.service]", :delayed
-end
-
-systemd_unit 'boltzd.service' do
-  content({
-    Unit: {
-      Description: 'Boltz Daemon',
-      Documentation: ['https://lnd.docs.boltz.exchange'],
-      Requires: 'lnd.service',
-      After: 'lnd.service'
-    },
-    Service: {
-      User: bitcoin_user,
-      Group: bitcoin_group,
-      Type: 'simple',
-      ExecStart: "/opt/boltz/boltzd",
-      Restart: 'always',
-      RestartSec: '30',
-      TimeoutSec: '240',
-      LimitNOFILE: '128000',
-      PrivateTmp: true,
-      ProtectSystem: 'full',
-      NoNewPrivileges: true,
-      PrivateDevices: true,
-      MemoryDenyWriteExecute: true
-    },
-    Install: {
-      WantedBy: 'multi-user.target'
-    }
-  })
-  verify false
-  triggers_reload true
-  action [:create, :enable, :start]
-end
-
-unless node.chef_environment == 'development'
-  node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
-  include_recipe 'backup'
-end

site-cookbooks/kosmos-bitcoin/recipes/golang.rb

@@ -5,7 +5,7 @@
 # Internal recipe for managing the Go installation in one place
 #
 
-node.override['golang']['version'] = "1.20.3"
+node.override['golang']['version'] = "1.23.1"
 include_recipe "golang"
 
 link '/usr/local/bin/go' do

site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb

@@ -10,12 +10,14 @@ include_recipe "kosmos-bitcoin::aws-client"
 package "inotify-tools"
 
 backup_script_path = "/opt/lnd-channel-backup-s3.sh"
+backup_credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 
 template backup_script_path do
   source "lnd-channel-backup-s3.sh.erb"
   mode '0740'
   variables lnd_dir: node['lnd']['lnd_dir'],
             bitcoin_network: node['bitcoin']['network'],
+            s3_endpoint: backup_credentials['s3_endpoint'],
             s3_bucket: node['backup']['s3']['bucket'],
             s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
   notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed

site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb

@@ -66,6 +66,8 @@ template "#{source_dir}/.env" do
     default_rate_limit: node['lndhub-go']['default_rate_limit'],
     strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
     burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
+    service_fee: 1,
+    no_service_fee_up_to_amount: 1000,
     branding: node['lndhub-go']['branding'],
     webhook_url: node['lndhub-go']['webhook_url'],
     sentry_dsn: credentials['sentry_dsn']

site-cookbooks/kosmos-bitcoin/recipes/rtl.rb

@@ -46,24 +46,22 @@ rtl_config = {
   multiPassHashed: credentials["multiPassHashed"]
 }
 
-if node['boltz']
-  # TODO adapt for multi-node usage
-  rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
-  rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
-end
-
 git rtl_dir do
   user bitcoin_user
   group bitcoin_group
   repository node['rtl']['repo']
   revision node['rtl']['revision']
+  notifies :run, "execute[npm_install]", :immediately
   notifies :restart, "systemd_unit[#{app_name}.service]", :delayed
 end
 
-execute "npm install" do
+execute "npm_install" do
   cwd rtl_dir
   environment "HOME" => rtl_dir
   user bitcoin_user
+  # TODO remove --force when upstream dependency issues have been resolved
+  command "npm install --force"
+  action :nothing
 end
 
 file "#{rtl_dir}/RTL-Config.json" do

site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb

@@ -1,32 +0,0 @@
-[LND]
-# Host of the gRPC interface of LND
-host = "<%= @lnd_grpc_host %>"
-
-# Port of the gRPC interface of LND
-port = <%= @lnd_grpc_port %>
-
-# Path to a macaroon file of LND
-# The daemon needs to have permission to read various endpoints, generate addresses and pay invoices 
-macaroon = "<%= @lnd_macaroon_path %>"
-
-# Path to the TLS certificate of LND
-certificate = "<%= @lnd_tlscert_path %>"
-
-[RPC]
-# Host of the gRPC interface
-host = "<%= @boltz_config['grpc_host'] %>"
-
-# Port of the gRPC interface
-port = <%= @boltz_config['grpc_port'] %>
-
-# Whether the REST proxy for the gRPC interface should be disabled
-restDisabled = <%= @boltz_config['rest_disabled'] %>
-
-# Host of the REST proxy
-restHost = "<%= @boltz_config['rest_host'] %>"
-
-# Port of the REST proxy
-restPort = <%= @boltz_config['rest_port'] %>
-
-# Whether the macaroon authentication for the gRPC and REST interface should be disabled
-noMacaroons = <%= @boltz_config['no_macaroons'] %>

site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb

@@ -3,5 +3,5 @@ set -xe -o pipefail
 
 while true; do
   inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
-  aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
+  aws --endpoint <%= @s3_endpoint %> s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
 done

site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb

@@ -12,7 +12,6 @@ minchansize=<%= @lnd_minchansize %>
 autopilot.active=0
 
 [Bitcoin]
-bitcoin.active=1
 bitcoin.mainnet=1
 bitcoin.node=bitcoind
 bitcoin.basefee=<%= @lnd_basefee %>

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -155,7 +155,7 @@ admin_users = ejabberd_credentials['admins']
 hosts.each do |host|
   ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
   if host[:name] == "kosmos.org"
-    ldap_filter = "(&(objectClass=person)(serviceEnabled=xmpp))"
+    ldap_filter = "(&(objectClass=person)(serviceEnabled=ejabberd))"
   else
     ldap_filter = "(objectClass=person)"
   end

site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb

@@ -52,7 +52,7 @@ end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.chat\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.chat\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
   not_if do
     File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
   end

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -216,7 +216,7 @@ modules:
     access_createnode: pubsub_createnode
     ignore_pep_from_offline: false
     last_item_cache: false
-    max_items_node: 10
+    max_items_node: 10000
     plugins:
       - "flat"
       - "pep" # pep requires mod_caps

site-cookbooks/kosmos-mastodon/attributes/default.rb

@@ -10,7 +10,7 @@ node.default["kosmos-mastodon"]["redis_url"]         = "redis://localhost:6379/0
 node.default["kosmos-mastodon"]["sidekiq_threads"]   = 25
 node.default["kosmos-mastodon"]["allowed_private_addresses"] = "127.0.0.1"
 
-node.default["kosmos-mastodon"]["onion_address"]     = nil
+node.default["kosmos-mastodon"]["onion_address"] = nil
 
 # Allocate this amount of RAM to the Java heap for Elasticsearch
 node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
@@ -20,6 +20,10 @@ node.default["kosmos-mastodon"]["s3_region"]     = nil
 node.default["kosmos-mastodon"]["s3_bucket"]     = nil
 node.default["kosmos-mastodon"]["s3_alias_host"] = nil
 
+node.default["kosmos-mastodon"]["sso_account_sign_up_url"] = "https://kosmos.org"
+node.default["kosmos-mastodon"]["sso_account_reset_password_url"] = "https://accounts.kosmos.org/users/password/new"
+node.default["kosmos-mastodon"]["sso_account_resend_confirmation_url"] = "https://accounts.kosmos.org/users/confirmation/new"
+
 node.default["kosmos-mastodon"]["default_locale"] = "en"
 node.default["kosmos-mastodon"]["libre_translate_endpoint"] = nil
 

site-cookbooks/kosmos-mastodon/recipes/backup.rb

@@ -6,13 +6,12 @@
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 
 unless node.chef_environment == "development"
-  unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
+  node.override['backup']['s3']['keep'] = 1
-    node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
+  node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
-    node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
+  node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
-      username: "mastodon",
+    username: "mastodon",
-      password: postgresql_data_bag_item['mastodon_user_password']
+    password: postgresql_data_bag_item['mastodon_user_password']
-    }
+  }
-  end
 
   include_recipe "backup"
 end

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -190,6 +190,7 @@ template "#{mastodon_path}/.env.#{rails_env}" do
   mode  "0640"
   owner mastodon_user
   group mastodon_user
+  sensitive true
   variables redis_url: node["kosmos-mastodon"]["redis_url"],
             domain: node["kosmos-mastodon"]["domain"],
             alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
@@ -210,6 +211,9 @@ template "#{mastodon_path}/.env.#{rails_env}" do
             vapid_public_key: credentials['vapid_public_key'],
             db_pass: postgresql_credentials['mastodon_user_password'],
             db_host: "pg.kosmos.local",
+            sso_account_sign_up_url: node["kosmos-mastodon"]["sso_account_sign_up_url"],
+            sso_account_reset_password_url: node["kosmos-mastodon"]["sso_account_reset_password_url"],
+            sso_account_resend_confirmation_url: node["kosmos-mastodon"]["sso_account_resend_confirmation_url"],
             default_locale: node["kosmos-mastodon"]["default_locale"],
             allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],
             libre_translate_endpoint: node["kosmos-mastodon"]["libre_translate_endpoint"]

site-cookbooks/kosmos-mastodon/templates/default/env.erb

@@ -44,6 +44,9 @@ LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
 LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
 LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
 LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
+SSO_ACCOUNT_SIGN_UP=<%= @sso_account_sign_up_url %>
+SSO_ACCOUNT_RESET_PASSWORD=<%= @sso_account_reset_password_url %>
+SSO_ACCOUNT_RESEND_CONFIRMATION=<%= @sso_account_resend_confirmation_url %>
 <% end %>
 
 # Optional asset host for multi-server setups

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default["gitea"]["version"] = "1.22.0"
+node.default["gitea"]["version"] = "1.22.3"
-node.default["gitea"]["checksum"] = "a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d"
+node.default["gitea"]["checksum"] = "a720ff937912a6eb6c0cacf6ebcdd774deed5197cd945ecc34f5744cb5c517e8"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"

site-cookbooks/kosmos_gitea/recipes/backup.rb

@@ -8,5 +8,6 @@
 unless node.chef_environment == "development"
   # backup the data dir and the config files
   node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
+  node.override['backup']['s3']['keep'] = 2
   include_recipe "backup"
 end

site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb

@@ -10,16 +10,6 @@ upstream _<%= @app_name %> {
 # TODO use cookbook attribute when enabling
 # variables_hash_max_size 2048;
 
-server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
-  listen [::]:80;
-  server_name <%= @server_name %>;
-  # Redirect to https
-  location / {
-    return 301 https://<%= @server_name %>$request_uri;
-  }
-}
-
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
   listen [::]:443 ssl http2;

site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb

@@ -5,8 +5,9 @@ upstream _strfry {
 }
 
 server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
   server_name <%= @domain %>;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen [::]:443 ssl http2;
 
   access_log "/var/log/nginx/<%= @domain %>.access.log";
   error_log "/var/log/nginx/<%= @domain %>.error.log";

site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb

@@ -14,7 +14,5 @@ server {
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
-  location / {
+  return <%= @http_status || 307 %> <%= @target %>;
-    return <%= @http_status || 301 %> <%= @target %>;
-  }
 }

site-cookbooks/kosmos_website/templates/nginx_conf_website.erb

@@ -2,7 +2,7 @@
 
 server {
   server_name _;
-  listen 80 default_server;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80 default_server;
 
   location / {
     return 301 https://<%= @domain %>;
@@ -14,6 +14,10 @@ server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
   listen [::]:443 ssl http2 default_server;
 
+  if ($host != $server_name) {
+    return 307 $scheme://$server_name;
+  }
+
   root /var/www/<%= @domain %>/public;
 
   access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
@@ -22,14 +26,13 @@ server {
   gzip_static on;
   gzip_comp_level 5;
 
-  add_header 'Access-Control-Allow-Origin' '*';
-
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
 <% if @accounts_url %>
-  location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
+  location ~ ^/.well-known/(keysend|lnurlp|nostr|openpgpkey|webfinger) {
     proxy_ssl_server_name on;
+    proxy_set_header X-Forwarded-Host $host;
     proxy_pass https://accounts.kosmos.org;
   }
 <% end %>