119 Commits

Author SHA1 Message Date
raucao dde29c4a6c Upgrade ejabberd to 24.02
Co-authored-by: Greg Karékinian <greg@karekinian.com>
2025-09-16 17:01:43 +02:00
raucao 03f1d16998 Update SQL Schema automatically on ejabberd upgrades
Co-authored-by: Greg Karékinian <greg@karekinian.com>
2025-09-16 16:07:10 +02:00
raucao 6534086df2 Update logger configuration
* Remove unused/deprecated options
* Hide user IPs
* Set level to "info"

Co-authored-by: Greg Karékinian <greg@karekinian.com>
2025-09-16 16:07:00 +02:00
raucao dbf0e50abf Merge pull request 'Enable unattended-upgrades' (#598) from bugfix/499-unattended_upgrades into master
Reviewed-on: #598
Reviewed-by: Râu Cao <raucao@kosmos.org>
2025-09-10 08:47:52 +00:00
Greg Karekinian a828d92185 Fix Ruby style
This is using Standard Ruby
2025-09-09 15:29:17 +02:00
Greg Karekinian 0fe6d0bd06 Use the "new" way to set up sasl in the postfix cookbook 2025-09-09 15:28:20 +02:00
Greg Karekinian 9712697569 Fork the postfix cookbook to work around a bug
I ran into the issue described in
https://github.com/sous-chefs/postfix/issues/148
and couldn't figure out a way to work around it without forking it.
2025-09-09 14:54:06 +02:00
Greg Karekinian d32f276b42 Update akkounts-1 node file after Chef run 2025-09-09 10:13:26 +02:00
Greg Karekinian cc40c0db19 Configure unattended-upgrades for ESM 2025-09-09 10:12:35 +02:00
raucao 41339c1040 Add doc for Mastodon maintenance 2025-07-27 09:17:01 +02:00
Greg Karekinian 0cae8dca69 Set the email sender in unattended-upgrades config
Mailgun was rejecting the email as it did not have a valid sender
(the default, which is something like root@akkounts-1). Unattended
upgrades have been working properly, now we will start getting emails
next time an upgrade is done on akkounts-1.
2025-07-15 10:12:02 +02:00
greg 8052c67d23 Merge pull request 'Opt-out of dotnet telemetry for btcpay' (#599) from feature/441-optout_dotnet_telemetry into master
Reviewed-on: #599
Reviewed-by: Râu Cao <raucao@kosmos.org>
2025-06-25 10:01:58 +00:00
Greg Karekinian cd269dca03 Also disable dotnet telemetry during the build 2025-06-25 10:35:07 +02:00
Greg Karekinian 7e47c879a1 Remove unused variable 2025-06-25 10:18:57 +02:00
Greg Karekinian 2b49cb1b2b Restart the btcpay service on config changes
It cannot handle reloads
2025-06-25 10:13:25 +02:00
Greg Karekinian 89fa3ede9e Remove the condition on the postgresql
Also move back the environment variable definitions to the hash
2025-06-25 09:51:35 +02:00
Greg Karekinian efb032fffa Opt-out of dotnet telemetry for btcpay
This is done by setting an environment variable in the systemd unit

Fixes #441
2025-06-24 16:53:59 +02:00
Greg Karekinian 68df49037c Merge remote-tracking branch 'origin/master' into bugfix/499-unattended_upgrades 2025-06-16 16:05:35 +02:00
raucao 364adec80f Upgrade LND to 0.19.1 2025-06-16 17:57:30 +04:00
raucao 092a2edb3c Update node info 2025-06-16 17:57:04 +04:00
raucao 63d0b68c36 Upgrade Deno 2025-06-02 10:53:38 +04:00
raucao 3adb2a1aee Adapt strfry config to cookbook changes, increase allowed event size 2025-06-01 20:06:47 +04:00
raucao 9cff1fb68b Update node info 2025-06-01 20:06:32 +04:00
Greg Karekinian 773950b9a5 Always send an email on unattended-upgrades 2025-05-31 17:00:07 +02:00
Greg Karekinian f39a1ed250 Enable unattended-upgrades
We were missing a positive value on
`["apt"]["unattended_upgrades"]["enable"]` to enable it.

Refs #499
2025-05-31 16:44:01 +02:00
greg 3c51ff261e Merge pull request 'Compile Gitea from source, apply our LDAP fixes' (#596) from feature/compile_gitea_from_source into master
Reviewed-on: #596
Reviewed-by: Greg <greg@kosmos.org>
2025-05-31 12:26:28 +00:00
raucao 0c62ff6c84 Improve Gitea logging 2025-05-31 15:29:18 +04:00
raucao 2c3b381755 Update Gitea stable version 2025-05-31 15:29:03 +04:00
raucao 3492bec627 Use Gitea from source 2025-05-31 15:28:33 +04:00
raucao 00f4c8bd31 Optionally compile Gitea from source 2025-05-31 15:27:21 +04:00
raucao 301596500d Update node info 2025-05-28 10:18:53 +04:00
raucao 8a2bfb6b18 Fix attribute
Was moved to a new name since the recipe was created
2025-05-23 14:44:04 +04:00
raucao 846bf3483a Update node info 2025-05-23 14:43:40 +04:00
greg e3ef1dc3b3 Merge pull request 'Upgrade Bitcoin Core, NBXplorer, BTCPay Server' (#595) from chore/upgrade_bitcoin_software into master
Reviewed-on: #595
Reviewed-by: Greg <greg@noreply.kosmos.org>
2025-05-22 12:32:25 +00:00
raucao 2089999cc8 Upgrade bitcoind to 29.0, switch to cmake 2025-05-22 15:52:22 +04:00
raucao a4aa29de0c Upgrade NBXplorer, BTCPay Server 2025-05-22 15:50:27 +04:00
raucao 98be234a4f Merge pull request 'Configure maximum size and timespan of journald logs' (#594) from feature/506-journald_logs_config into master
Reviewed-on: #594
Reviewed-by: Râu Cao <raucao@kosmos.org>
2025-05-21 12:12:57 +00:00
Greg Karekinian 7dc4f674a0 Use the systemd unit instead of an execute resource
Also extract the attributes so it is possible to override them.
2025-05-21 13:40:12 +02:00
Greg Karekinian 49b636305e Update mastodon-3 node file after Chef run 2025-05-21 11:36:15 +02:00
Greg Karekinian 3e2ee30334 Configure maximum size and timespan of journald logs
Closes #506
2025-05-21 11:36:15 +02:00
raucao d00072ee5a Merge pull request 'Delete old Mastodon media cache every day' (#593) from feature/533-delete_old_mastodon_cached_media into master
Reviewed-on: #593
Reviewed-by: Râu Cao <raucao@kosmos.org>
2025-05-17 07:06:35 +00:00
raucao 14687558fe Minor cleanup 2025-05-17 10:55:06 +04:00
raucao de7cc69505 Allow more users per room 2025-05-17 10:42:41 +04:00
Greg Karekinian b01315f998 Delete old Mastodon media cache every day
This is done using a systemd timer

Closes #533
2025-05-16 19:12:47 +02:00
raucao 160134bd86 Allow more ejabberd API calls from akkounts 2025-05-16 15:17:43 +04:00
greg 766030d716 Merge pull request 'Adapt akkounts recipes for config changes' (#592) from chore/rails_deployment into master
Reviewed-on: #592
Reviewed-by: Greg <greg@noreply.kosmos.org>
2025-05-06 17:11:24 +00:00
raucao 3c436bb9f1 Configure LDAP for akkounts, add more Rails credentials 2025-05-06 19:41:54 +04:00
raucao d029d90214 Generate postgres user/db for akkounts, use credentials from env
Co-authored-by: Greg Karékinian <greg@karekinian.com>
2025-05-06 15:49:43 +04:00
raucao f8e5fd2f3e Fix missing dir for Mastodon maintenance file 2025-04-29 17:53:05 +04:00
raucao cab766c806 Update node.js, install bun, for Rails 8.0 upgrade 2025-04-29 17:51:53 +04:00
raucao 5777a45f0a Fix/improve ejabberd cert renewals 2025-04-22 17:28:44 +04:00
raucao f23c37312e Update deno cookbook 2025-04-18 16:21:07 +04:00
raucao cf1ef4f2f4 Merge pull request 'Upgrade Gitea, disable downloads of repo archives' (#588) from chore/upgrade_gitea into master
Reviewed-on: #588
2025-04-09 13:28:28 +00:00
raucao f65256d229 Disable downloads of repo archives 2025-04-09 17:25:41 +04:00
raucao 2cc0ee5b8a Upgrade Gitea to 1.23.7 2025-04-09 17:25:17 +04:00
raucao 10e8ba5569 Add missing CORS headers to host-meta.json
Otherwise XMPP Web clients cannot fetch the Bosh and WS endpoint info
2025-04-08 00:10:29 +04:00
raucao 6c35a20b89 Merge pull request 'Upgrade rskj to 7.0.0' (#587) from chore/upgrade_rskj into master
Reviewed-on: #587
2025-04-05 09:14:25 +00:00
raucao e3d9a50f09 Upgrade Gitea to 1.23.6 2025-04-04 18:53:46 +04:00
raucao c4652ca2eb Upgrade rskj to 7.0.0 2025-04-04 16:59:11 +04:00
raucao 56440bfd89 Merge pull request 'Upgrade nbxplorer, BTCPay Server' (#586) from chore/upgrade_btcpay into master
Reviewed-on: #586
2025-03-25 10:08:06 +00:00
raucao abee2407bf Upgrade nbxplorer, BTCPay Server 2025-03-25 14:03:34 +04:00
raucao 0cef08fb7b Merge pull request 'Update Gandi API token' (#585) from chore/update_gandi_token into master
Reviewed-on: #585
2025-03-19 14:02:49 +00:00
raucao f246f63594 Update Gandi API token
For certbot renewals. Also set resource to sensitive in ejabberd recipe.

Co-authored-by: Greg Karékinian <greg@karekinian.com>
2025-03-19 18:01:50 +04:00
raucao 2dee25bf23 Update node info 2025-03-19 18:00:07 +04:00
raucao a28d31b415 Upgrade Gitea to 1.23.5 2025-03-05 14:09:03 +04:00
raucao 0bf50bce2e Merge pull request 'Fix postgres running out of available connection slots' (#584) from bugfix/gitea_db_connections into master
Reviewed-on: #584
2025-03-05 10:03:51 +00:00
raucao 6be99aa3de Cap maximum open database connections
Fixes Gitea opening too many connections, which can impact other apps
trying to connect as well.
2025-03-05 13:53:33 +04:00
raucao 90bf66ada9 Upgrade Gitea to 1.23.4 2025-02-21 10:12:27 +04:00
raucao 32cfd6401f Upgrade LND to 0.18.5
Urgent security upgrade
2025-02-19 14:19:10 +04:00
raucao 1124f25069 Upgrade Gitea to 1.23.3 2025-02-12 11:51:14 +04:00
greg f34c7ecd9b Merge pull request 'Publish daily BTC price in public remoteStorage' (#581) from feature/btc-rate-tracker into master
Reviewed-on: #581
Reviewed-by: Greg <greg@noreply.kosmos.org>
2025-01-23 13:28:33 +00:00
raucao 8d149a475d Merge pull request 'Upgrade Gitea to 1.23.1' (#582) from chore/upgrade_gitea into master
Reviewed-on: #582
2025-01-22 14:41:19 +00:00
raucao 905a67475b Upgrade Gitea to 1.23.1 2025-01-22 09:36:33 -05:00
raucao 8251fa83ce Merge pull request 'Deploy substr' (#579) from feature/substr into master
Reviewed-on: #579
2025-01-22 14:27:02 +00:00
raucao 0fa61a585e DRY up code, add GBP rates 2025-01-17 14:52:28 -05:00
raucao 89f1790afc Publish daily BTC price in public remoteStorage 2025-01-17 10:42:09 -05:00
raucao 72ac8c6a84 Update akkounts credentials 2025-01-17 09:17:43 -05:00
raucao b1bb5d0625 Use default value for STUN credentials lifetime 2025-01-14 15:30:42 -05:00
raucao b470110fd4 Upgrade Gitea to 1.22.6 2024-12-16 12:10:08 +04:00
raucao 31b7ff9217 Upgrade Gitea to 1.22.5 2024-12-12 18:32:58 +04:00
raucao d90a374811 Remove outdated flag from certbot command 2024-12-12 18:32:26 +04:00
raucao 12cd14fff5 Deploy new postgres primary 2024-12-12 18:31:54 +04:00
raucao b67d91077d Remove old garage nodes 2024-12-12 18:30:16 +04:00
raucao 070badfeb3 Add postgres replica bootstrap example 2024-12-12 18:29:16 +04:00
raucao 4ce39738fd Allow larger bodies for Gitea file uploads
Needed for uploading larger packages to the registry
2024-12-09 21:19:39 +04:00
raucao d35e57b90e Deploy substr 2024-12-09 21:19:13 +04:00
raucao 2d8a1cebb1 Update node info 2024-12-09 20:44:18 +04:00
raucao c8160e38c8 Turn known pubkeys into object with usernames 2024-12-09 18:21:55 +04:00
raucao 67cd89b7b8 Merge pull request 'Fix TLS cert updates for kosmos.chat' (#578) from chore/fix_cert_updates_kosmos-chat into master
Reviewed-on: #578
2024-12-09 14:21:05 +00:00
raucao e4112a3626 Fix TLS cert updates for kosmos.chat
Some recipes weren't updated for the proxy validation yet. Needed to
split the ejabberd cert in two, so it can do normal validation on
`.org` and proxy validation on `.chat`.
2024-12-09 18:17:10 +04:00
raucao 89813465b2 Merge pull request 'Upgrade Mastodon to 4.3' (#577) from chore/upgrade_mastodon into master
Reviewed-on: #577
2024-12-09 14:14:35 +00:00
raucao 6106e627e2 Upgrade Mastodon to 4.3
Co-authored-by: Greg Karékinian <greg@karekinian.com>
2024-12-09 18:12:45 +04:00
raucao d8baa41c14 Add new node configs 2024-12-09 18:11:51 +04:00
greg 8405b8df52 Merge pull request 'Upgrade lndhub.go to 1.0.2, add service fee config' (#576) from chore/upgrade_lndhub into master
Reviewed-on: #576
Reviewed-by: Greg <greg@noreply.kosmos.org>
2024-10-20 19:27:19 +00:00
raucao 775f2275bb Upgrade Gitea to 1.22.3 2024-10-19 14:42:11 +02:00
raucao b4019b224b Upgrade lndhub.go to 1.0.2, add service fee config
Co-authored-by: Michael Bumann <hello@michaelbumann.com>
2024-10-18 12:36:41 +02:00
raucao 52841d8c53 Add WKD endpoint to website nginx conf 2024-10-17 11:58:53 +02:00
raucao b9b97d5056 Fix mail server VM backups 2024-10-16 12:48:08 +02:00
raucao e5448aa85c Merge pull request 'Upgrade strfry, add new Kosmos profile/pubkey, relay icon' (#575) from chore/upgrade_strfry into master
Reviewed-on: #575
2024-10-16 10:44:47 +00:00
raucao 4d1125ac2b Upgrade strfry to 1.0.1
Also set up and use a new Kosmos pubkey/profile and add a relay icon
2024-10-16 12:42:49 +02:00
raucao 3853f94ae0 Use new proxy domain for ejabberd cert 2024-10-16 12:40:10 +02:00
raucao d1097c7688 Fix and improve nginx redirects, akkounts headers 2024-10-16 12:39:34 +02:00
raucao 7949fd067c Add IPv6 support for nostr.kosmos.org 2024-10-16 12:37:47 +02:00
raucao 0726e58f7c Update ejabberd LDAP filter for new akkounts release 2024-10-16 12:36:30 +02:00
raucao fe581c348a Fix bookmarks disappearing for XMPP users
The limit for PEP nodes was ridiculously low. No idea why, but it means
users were only able to save 10 items (e.g. channel bookmarks) at once.
2024-10-16 12:34:31 +02:00
raucao af62078960 Update node info 2024-10-16 12:34:17 +02:00
raucao 9b4deff91e Remove cln from bitcoin-2 node 2024-10-16 12:34:01 +02:00
raucao 0944bc5266 Merge pull request 'Migrate S3 backups from AWS, fix automatic cleanups' (#574) from chore/move_fix_s3_backups into master
Reviewed-on: #574
2024-10-16 10:33:24 +00:00
raucao eb06926606 Migrate S3 backups from AWS, fix automatic cleanups
The cleanups were broken in that every single archive was also copied to
a shared folder and never deleted from there.

Co-authored-by: Greg Karékinian <greg@karekinian.com>
2024-10-16 12:31:51 +02:00
raucao 15096ca17b Merge pull request 'Bitcoin-related software upgrades' (#573) from chore/bitcoin_upgrades into master
Reviewed-on: #573
2024-10-16 10:25:53 +00:00
raucao 3551b71154 Add sensitive attribute to resource with credentials 2024-10-16 12:23:38 +02:00
raucao 752bb74663 Remove boltz service and RTL integration
We use peerswap these days, and the build process for boltz was made
much more complicated at some point. Not worth upgrading for us.
2024-10-16 12:23:38 +02:00
raucao c64526a944 Upgrade RTL to v0.15.2
Need to use `npm install --force` due to a dependency issue
2024-10-16 12:23:38 +02:00
raucao da242d4817 Upgrade LND to 0.18.3 2024-10-16 12:23:29 +02:00
raucao 0af4bc1d0d Upgrade bitcoind to 28.0
Requires a newer C++ compiler
2024-10-16 11:28:13 +02:00
greg c9f5a745a3 Merge pull request 'Fix Mastodon signup/password/confirmation links' (#570) from chore/562-mastodon_login_urls into master
Reviewed-on: #570
Reviewed-by: Greg <greg@noreply.kosmos.org>
2024-08-23 14:18:12 +00:00
raucao d935b99d7d Fix Mastodon signup/password/confirmation links
Adds ENV vars for our custom fix in b916182bc1

fixes #562
2024-08-22 21:51:49 +02:00
raucao d048bbb297 Merge pull request 'Upgrade Gitea to 1.22.1' (#568) from chore/upgrade_gitea into master
Reviewed-on: #568
2024-08-10 11:45:39 +00:00
raucao 61bd121709 Upgrade Gitea to 1.22.1 2024-08-10 13:44:39 +02:00
111 changed files with 1126 additions and 570 deletions
+3 -1
View File
@@ -13,6 +13,9 @@ cookbook 'ipfs',
cookbook 'mediawiki',
git: 'https://github.com/67P/mediawiki-cookbook.git',
ref: 'nginx'
cookbook 'postfix',
git: 'https://gitea.kosmos.org/kosmos/postfix-cookbook.git',
ref: 'bugfix/sasl_attributes'
cookbook 'apache2', '= 3.3.0'
cookbook 'apt', '~> 7.3.0'
@@ -32,7 +35,6 @@ cookbook 'ntp', '= 3.4.0'
cookbook 'ohai', '~> 5.2.5'
cookbook 'openssl', '~> 8.5.5'
cookbook 'php', '~> 8.0.0'
cookbook 'postfix', '~> 6.0.26'
cookbook 'timezone_iii', '= 1.0.4'
cookbook 'ulimit', '~> 1.0.0'
cookbook 'users', '~> 5.3.1'
+5 -2
View File
@@ -28,7 +28,10 @@ DEPENDENCIES
ohai (~> 5.2.5)
openssl (~> 8.5.5)
php (~> 8.0.0)
postfix (~> 6.0.26)
postfix
git: https://gitea.kosmos.org/kosmos/postfix-cookbook.git
revision: dd6598572a775ae73f17527260ec8097b52d385b
ref: bugfix/
redisio (~> 6.4.1)
ruby_build (~> 2.5.0)
timezone_iii (= 1.0.4)
@@ -90,7 +93,7 @@ GRAPH
openssl (8.5.5)
php (8.0.1)
yum-epel (>= 0.0.0)
postfix (6.0.26)
postfix (6.4.1)
redisio (6.4.1)
selinux (>= 0.0.0)
ruby_build (2.5.0)
+4
View File
@@ -38,6 +38,10 @@ Clone this repository, `cd` into it, and run:
knife zero bootstrap ubuntu@zerotier-ip-address -x ubuntu --sudo --run-list "role[base],role[kvm_guest]" --secret-file .chef/encrypted_data_bag_secret
### Bootstrap a new VM with environment and role/app (postgres replica as example)
knife zero bootstrap ubuntu@10.1.1.134 -x ubuntu --sudo --environment production --run-list "role[base],role[kvm_guest],role[postgresql_replica]" --secret-file .chef/encrypted_data_bag_secret
### Run Chef Zero on a host server
knife zero converge -p2222 name:server-name.kosmos.org
+4
View File
@@ -0,0 +1,4 @@
{
"name": "garage-10",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw2+3Wo+KkXVJCOX1SxT9\nSdwKXgPbCDM3EI9uwoxhMxQfRyN53dxIsBDsQUVOIe1Z8yqm4FenMQlNmeDR+QLE\nvNFf1fisinW+D9VVRm+CjcJy96i/Dyt786Z6YRrDlB860HxCbfTL2Zv5BRtbyIKg\nhz5gO+9PMEpPVR2ij9iue4K6jbM1AAL2ia/P6zDWLJqeIzUocCeHV5N0Z3jXH6qr\nf444v78x35MMJ+3tg5h95SU1/PDCpdSTct4uHEuKIosiN7p4DlYMoM5iSyvVoujr\nflRQPEpGzS9qEt3rDo/F4ltzYMx6bf1tB/0QaBKD+zwPZWTTwf61tSBo5/NkGvJc\nFQIDAQAB\n-----END PUBLIC KEY-----\n"
}
+4
View File
@@ -0,0 +1,4 @@
{
"name": "garage-11",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfZcNEQojtmaogd9vGP/\nMsVPhAOlQ4kxKgrUas+p+XT7lXRan6b3M8UZEleIaL1HWsjSVwtFWRnNl8kg8rF8\nNEkLeOX8kHf7IoXDFOQa2TXanY8tSqrfh9/heFunt4Q3DluVt7S3bBdwukbDXm/n\nXJS2EQP33eJT4reL6FpVR0oVlFCzI3Vmf7ieSHIBXrbXy7AIvGC2+NVXvQle6pqp\nx0rqU6Wc6ef/VtIv+vK3YFnt9ue3tC63mexyeNKgRYf1YjDx61wo2bOY2t8rqN8y\nHeZ3dmAN8/Vwjk5VGnZqK7kRQ92G4IcE+mEp7MuwXcLqQ9WB960o+evay+o1R5JS\nhwIDAQAB\n-----END PUBLIC KEY-----\n"
}
-4
View File
@@ -1,4 +0,0 @@
{
"name": "garage-4",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8it7QtT6zDiJJqlyHKfQ\nLqwu6bLblD15WWxlUSiOdhz3njWDv1BIDCAdkCR3HAXgxvk8sMj9QkvWS7u1+bc4\nxvHrY4Tgfg+Tk1h3gGa7ukll8s1WLIbGjj89vrK8PFr4iuDqRytYRMmcdMsNzPkS\nKcsOjFYWGV7KM/OwoQGVIOUPB+WtkrFAvNkXtIU6Wd5orzFMjt/9DPF2aO7QegL8\nG1mQmXcPGl9NSDUXptn/kzFKm/p4n7pjy6OypFT192ak7OA/s+CvQlaVE2tb/M3c\ne4J6A+PInV5AGKY6BxI3QRQLZIlqE0FXawFKr1iRU4JP4tVnICXZqy+SDXQU1zar\nTQIDAQAB\n-----END PUBLIC KEY-----\n"
}
-4
View File
@@ -1,4 +0,0 @@
{
"name": "garage-5",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJxLFOBbml94W/GAe7nm\ntZs1Ziy8IbqXySsm8bSwWhRMQ8UuseqQLG30R3Q5X5AoJbtNfd26l63qLtP2fFtL\n5km9dV+2FoIJWFetl8Wzr7CaLYAiNzTQSFHlV7+6DKmPMDcJ63GKrFR77vkSGOG6\nOWL1bJy5BOaClp/sKL/0WQ0+mRbTP6RCQ2eI+46clAg702SenBU6Nz9HDm+teKN7\nYlP1CvzXgfgfpDOsat7wGn5+oKcmKavZxcdn8bt5jRpg8v3JezaZIjMXt7XcNS4n\n0F4XO/efnZE5B5SN68j4BpD8N79zJw4HlRIGP+RaYv2qLtBeWgLHCCs9wXQXfj6b\nLwIDAQAB\n-----END PUBLIC KEY-----\n"
}
-4
View File
@@ -1,4 +0,0 @@
{
"name": "garage-6",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwasYgWLM8ShvirFiKRE6\nGWqc3pMlvcrk4YnWAUW5Y/H26EnyexxWNfnwlEcq8thJ3M3hs7zkoF3Yk4uqX869\n4/niYqXwYgeE1K3gzLp4K1+w3yVupYAFVFStVEHJyuMlLJ+ulDEGvNdQDuIfw7+E\nr6DcDLa1o92Eo0wL1ihYyMilduH0LdFTixL+tEBXbbPWBa3RDJJCFsRF1+UC6hAH\nzmaWL661Gdzdabxjm/FlGUYkdbDqeInZq/1GMQqv+9/DcNRkWA9H7i4Ykrfpx4/2\nRZ8xtx/DbnJVB1zYoORygFMMAkTu5E+R8ropeI7Wi77Yq0S7laiRlYQYQml3x9ak\nzQIDAQAB\n-----END PUBLIC KEY-----\n"
}
+4
View File
@@ -0,0 +1,4 @@
{
"name": "garage-9",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnMHzKE8JBrsQkmRDeMjX\n71mBzvRzNM90cwA8xtvIkXesdTyGqohX9k/PJbCY5ySGK9PpMaYDPVAnwnUP8LFQ\n3G98aSbLxUjqU/PBzRsnWpihehr05uz9zYcNFzr4LTNvGQZsq47nN9Tk+LG3zHP7\nAZViv2mJ4ZRnukXf6KHlyoVvhuTu+tiBM8QzjTF97iP/aguNPzYHmrecy9Uf5bSA\nZrbNZT+ayxtgswC2OclhRucx7XLSuHXtpwFqsQzSAhiX1aQ3wwCyH9WJtVwpfUsE\nlxTjcQiSM9aPZ8iSC0shpBaKD1j3iF/2K2Jk+88++zMhJJPLermvaJxzsdePgvyk\nKQIDAQAB\n-----END PUBLIC KEY-----\n"
}
-4
View File
@@ -1,4 +0,0 @@
{
"name": "postgres-5",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXZv6Gk+dhIVkTXH9hJ1\nt2oqsMSLmTUj71uPN+4j0rxCQriXa095Nle9ifJAxfwzQyKEpWKyZd1Hpyye6bL1\nwgWATZ/u5ZS4B63NhRFyDxgPlHWBBohaZBN42zeq0Y0PNGHPVGDH/zFDrpP22Q9Q\nYScsyXTauE/Yf8a/rKR5jdnoVsVVMxk0LHxka8FcM2cqVsDAcK7GqIG6epqNFY8P\nUb1P+mVxRwnkzvf1VtG212ezV/yw9uiQcUkHS+JwZMAgbC34k9iDyRmk6l4sj/Zk\nNem20ImMqdDzsrX8zEe21K+KNvpejPH9fxaNCwR8W+woBMMzqD3I7P9PbLjc70Rx\nRwIDAQAB\n-----END PUBLIC KEY-----\n"
}
+4
View File
@@ -0,0 +1,4 @@
{
"name": "postgres-7",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
}
+4
View File
@@ -0,0 +1,4 @@
{
"name": "postgres-8",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx88DgM/x1UbKRzgPexXE\nSyfrAsqaDVjqZz7yF3tqAc9A52Ol0KOM6NESoPWBVMbS86WtAjBcMHcOoQBJ+ovp\nXcjNlRtO1Il6/d4uCRr4CEDX+yeS0Qrt0SOORnoTbVlkq9VlVljyCmxk8VBCILzk\ndHvFr62mahMy6vOEcpCQgCwYE3ISH2jlTDz2agoK/CjIyyqFTlB1N7mJVGLrJdcA\nA2JOxDRE8HqOdpY7bHcHj4uyMWaKuM3zxXK04lhrvuPRfJUhXgsK9r5jeTEa8407\nqV9K+mB17R1dBeHmWEPDRt02HELe2SUjYmlmyVX73H2mWKDLBFpAFjOfz86CJ6jf\nDQIDAQAB\n-----END PUBLIC KEY-----\n"
}
@@ -3,3 +3,5 @@ config:
line-length: false # MD013
no-duplicate-heading: false # MD024
reference-links-images: false # MD052
ignores:
- .github/copilot-instructions.md
+8
View File
@@ -0,0 +1,8 @@
{
"recommendations": [
"chef-software.chef",
"Shopify.ruby-lsp",
"editorconfig.editorconfig",
"DavidAnson.vscode-markdownlint"
]
}
+40 -1
View File
@@ -2,9 +2,48 @@
This file is used to list changes made in each version of the postfix cookbook.
## Unreleased
## 6.4.1 - *2025-09-04*
## 6.4.0 - *2025-07-30* ## 6.4.0 - *2025-07-30*
Standardise files with files in sous-chefs/repo-management
## 6.4.0 - *2025-07-30*
## 6.3.0 - *2025-07-30*
- Use LMDB instead of hash on el10
## 6.3.0 - *2025-07-30*
## 6.2.2 - *2025-01-30*
## 6.2.1 - *2025-01-30*
## 6.2.0 - *2025-01-30*
## 6.2.0
- Correctly fix aliases quoting logic
- Convert all serverspec tests to inspec
- Add Github actions
- Update platforms to test
## 6.0.29 - *2024-11-18*
- Standardise files with files in sous-chefs/repo-management
## 6.0.28 - *2024-07-15*
- Standardise files with files in sous-chefs/repo-management
## 6.0.27 - *2024-05-06*
## 6.0.26 - *2023-10-03*
- add installation of postfix addon packages for RHEL 8
- Add installation of postfix addon packages for RHEL 8
## 6.0.25 - *2023-10-03*
+21 -9
View File
@@ -13,9 +13,10 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
default['postfix']['packages'] = %w(postfix)
default['postfix']['packages'] = value_for_platform(
amazon: { '>= 2023' => %w(postfix postfix-lmdb) },
default: %w(postfix)
)
# Generic cookbook attributes
default['postfix']['mail_type'] = 'client'
default['postfix']['relayhost_role'] = 'relayhost'
@@ -37,11 +38,19 @@ default['postfix']['master_template_source'] = 'postfix'
default['postfix']['sender_canonical_map_entries'] = {}
default['postfix']['smtp_generic_map_entries'] = {}
default['postfix']['recipient_canonical_map_entries'] = {}
default['postfix']['access_db_type'] = 'hash'
default['postfix']['aliases_db_type'] = 'hash'
default['postfix']['transport_db_type'] = 'hash'
default['postfix']['virtual_alias_db_type'] = 'hash'
default['postfix']['virtual_alias_domains_db_type'] = 'hash'
default['postfix']['db_type'] = value_for_platform(
%w(centos redhat almalinux rocky oracle) => { '>= 10' => 'lmdb' },
amazon: { '>= 2023' => 'lmdb' },
%w(opensuseleap suse) => { '>= 15' => 'lmdb' },
default: 'hash'
)
default['postfix']['access_db_type'] = lazy { node['postfix']['db_type'] }
default['postfix']['aliases_db_type'] = lazy { node['postfix']['db_type'] }
default['postfix']['transport_db_type'] = lazy { node['postfix']['db_type'] }
default['postfix']['virtual_alias_db_type'] = lazy { node['postfix']['db_type'] }
default['postfix']['virtual_alias_domains_db_type'] = lazy { node['postfix']['db_type'] }
case node['platform']
when 'smartos'
@@ -96,6 +105,9 @@ default['postfix']['main']['smtp_sasl_auth_enable'] = 'no'
default['postfix']['main']['mailbox_size_limit'] = 0
default['postfix']['main']['mynetworks'] = nil
default['postfix']['main']['inet_interfaces'] = 'loopback-only'
default['postfix']['main']['default_database_type'] = lazy { node['postfix']['db_type'] }
default['postfix']['main']['alias_database'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}" }
default['postfix']['main']['alias_maps'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}" }
# Conditional attributes, also reference _attributes recipe
case node['platform_family']
@@ -407,4 +419,4 @@ default['postfix']['aliases'] = if platform?('freebsd')
{}
end
default['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
default['postfix']['main']['smtpd_relay_restrictions'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps'] }
+1 -1
View File
@@ -26,7 +26,7 @@
"recipes": {
},
"version": "6.0.26",
"version": "6.4.1",
"source_url": "https://github.com/sous-chefs/postfix",
"issues_url": "https://github.com/sous-chefs/postfix/issues",
"privacy": false,
+1 -1
View File
@@ -3,7 +3,7 @@ maintainer 'Sous Chefs'
maintainer_email 'help@sous-chefs.org'
license 'Apache-2.0'
description 'Installs and configures postfix for client or outbound relayhost, or to do SASL auth'
version '6.0.26'
version '6.4.1'
source_url 'https://github.com/sous-chefs/postfix'
issues_url 'https://github.com/sous-chefs/postfix/issues'
chef_version '>= 12.15'
+5 -7
View File
@@ -29,24 +29,22 @@ end
if node['postfix']['main']['smtp_sasl_auth_enable'] == 'yes'
node.default_unless['postfix']['sasl_password_file'] = "#{node['postfix']['conf_dir']}/sasl_passwd"
node.default_unless['postfix']['main']['smtp_sasl_password_maps'] = "hash:#{node['postfix']['sasl_password_file']}"
node.default_unless['postfix']['main']['smtp_sasl_password_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['sasl_password_file']}"
node.default_unless['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
node.default_unless['postfix']['sasl']['smtp_sasl_user_name'] = ''
node.default_unless['postfix']['sasl']['smtp_sasl_passwd'] = ''
node.default_unless['postfix']['main']['relayhost'] = ''
end
node.default_unless['postfix']['main']['alias_maps'] = ["hash:#{node['postfix']['aliases_db']}"] if node['postfix']['use_alias_maps']
node.default_unless['postfix']['main']['alias_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}"] if node['postfix']['use_alias_maps']
node.default_unless['postfix']['main']['transport_maps'] = ["hash:#{node['postfix']['transport_db']}"] if node['postfix']['use_transport_maps']
node.default_unless['postfix']['main']['transport_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['transport_db']}"] if node['postfix']['use_transport_maps']
node.default_unless['postfix']['main']['access_maps'] = ["hash:#{node['postfix']['access_db']}"] if node['postfix']['use_access_maps']
node.default_unless['postfix']['main']['access_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['access_db']}"] if node['postfix']['use_access_maps']
node.default_unless['postfix']['main']['virtual_alias_maps'] = ["#{node['postfix']['virtual_alias_db_type']}:#{node['postfix']['virtual_alias_db']}"] if node['postfix']['use_virtual_aliases']
node.default_unless['postfix']['main']['virtual_alias_domains'] = ["#{node['postfix']['virtual_alias_domains_db_type']}:#{node['postfix']['virtual_alias_domains_db']}"] if node['postfix']['use_virtual_aliases_domains']
node.default_unless['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
node.default_unless['postfix']['main']['smtpd_relay_restrictions'] = "#{node['postfix']['db_type']}:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
node.default_unless['postfix']['main']['maildrop_destination_recipient_limit'] = 1 if node['postfix']['master']['maildrop']['active']
+3 -3
View File
@@ -155,7 +155,7 @@ unless node['postfix']['sender_canonical_map_entries'].empty?
notifies :reload, 'service[postfix]'
end
node.default['postfix']['main']['sender_canonical_maps'] = "hash:#{node['postfix']['conf_dir']}/sender_canonical" unless node['postfix']['main'].key?('sender_canonical_maps')
node.default['postfix']['main']['sender_canonical_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/sender_canonical" unless node['postfix']['main'].key?('sender_canonical_maps')
end
execute 'update-postfix-smtp_generic' do
@@ -172,7 +172,7 @@ unless node['postfix']['smtp_generic_map_entries'].empty?
notifies :reload, 'service[postfix]'
end
node.default['postfix']['main']['smtp_generic_maps'] = "hash:#{node['postfix']['conf_dir']}/smtp_generic" unless node['postfix']['main'].key?('smtp_generic_maps')
node.default['postfix']['main']['smtp_generic_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/smtp_generic" unless node['postfix']['main'].key?('smtp_generic_maps')
end
execute 'update-postfix-recipient_canonical' do
@@ -189,7 +189,7 @@ unless node['postfix']['recipient_canonical_map_entries'].empty?
notifies :reload, 'service[postfix]'
end
node.default['postfix']['main']['recipient_canonical_maps'] = "hash:#{node['postfix']['conf_dir']}/recipient_canonical" unless node['postfix']['main'].key?('recipient_canonical_maps')
node.default['postfix']['main']['recipient_canonical_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/recipient_canonical" unless node['postfix']['main'].key?('recipient_canonical_maps')
end
service 'postfix' do
+4 -4
View File
@@ -18,8 +18,8 @@ node['postfix']['maps'].each do |type, maps|
package "postfix-#{type}" if %w(pgsql mysql ldap cdb).include?(type)
end
if platform?('redhat') && node['platform_version'].to_i == 8
package "postfix-#{type}" if %w(pgsql mysql ldap cdb).include?(type)
if platform_family?('rhel') && node['platform_version'].to_i >= 8
package "postfix-#{type}" if %w(pgsql mysql ldap cdb lmdb).include?(type)
end
separator = if %w(pgsql mysql ldap memcache sqlite).include?(type)
@@ -32,7 +32,7 @@ node['postfix']['maps'].each do |type, maps|
command "postmap #{file}"
environment PATH: "#{ENV['PATH']}:/opt/omni/bin:/opt/omni/sbin" if platform_family?('omnios')
action :nothing
end if %w(btree cdb dbm hash sdbm).include?(type)
end if %w(btree cdb dbm hash lmdb sdbm).include?(type)
template "#{file}-#{type}" do
path file
source 'maps.erb'
@@ -41,7 +41,7 @@ node['postfix']['maps'].each do |type, maps|
map: content,
separator: separator
)
notifies :run, "execute[update-postmap-#{file}]" if %w(btree cdb dbm hash sdbm).include?(type)
notifies :run, "execute[update-postmap-#{file}]" if %w(btree cdb dbm hash lmdb sdbm).include?(type)
notifies :restart, 'service[postfix]'
end
end
+3 -2
View File
@@ -1,9 +1,10 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:base"],
"packageRules": [{
"packageRules": [
{
"groupName": "Actions",
"matchUpdateTypes": ["patch", "pin", "digest"],
"matchUpdateTypes": ["minor", "patch", "pin"],
"automerge": true,
"addLabels": ["Release: Patch", "Skip: Announcements"]
},
+1 -1
View File
@@ -6,5 +6,5 @@
postmaster: root
<% node['postfix']['aliases'].each do |name, value| %>
<%= name %>: <%= [value].flatten.map{|x| if (x.include?("@")) then x else %Q("#{x}") end}.join(', ') %>
<%= name.match?(/[\s#:@]/) ? "\"#{name}\"" : name %>: <%= [value].flatten.map{|x| x.include?("|") ? "\"#{x}\"" : x}.join(',') %>
<% end unless node['postfix']['aliases'].nil? %>
+57 -36
View File
@@ -1,72 +1,93 @@
{
"id": "akkounts",
"postgresql_username": {
"encrypted_data": "bDlOkEmhvMgyVzPeTNUzYnzRLf3T9cc0cDxt\n",
"iv": "GCCUoqU5pxQ7fGkv\n",
"auth_tag": "Q7mrSHIBluMe3CGVmoR86Q==\n",
"rails_master_key": {
"encrypted_data": "q/0BtGuFZJQhw+iG4ZmFG12DPaWQDGTb/nCmRoxOnsACkANqMv/zZ39CoNFe\nLPtZiItY\n",
"iv": "JV8R0iu6TrqcZRxL\n",
"auth_tag": "YxZIhEUnrd3XrwR6f9wO4A==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"postgresql_password": {
"encrypted_data": "wD0HtdsNe/hl4ZaOy8hyr2k4z8TXQrrSja3KNVE47w==\n",
"iv": "tb5yz8WDer0CsGvJ\n",
"auth_tag": "/+K2anuCff/6M7Pu70Smqw==\n",
"rails_secret_key_base": {
"encrypted_data": "JmDQew3+OR6+yJ1xErwXeTn6jw8N2HwTc9yvAVJ3G+7w1s3N7rKDM6+M50ez\n2zP4Lm/eXzH4WTsTZlQcodlyNpi66pvUCGAkNM36rwTN5yvnhqPUmuSQi7AG\nDTBronBwr9ENvwA/gRuugyyhrRB1iuStpzpYKCMhZ2ae9Mrxdux0+ezfSLn4\nuP22uUrEqdQ/BWsW\n",
"iv": "U/+YncCk13U6bYMz\n",
"auth_tag": "2wPYJ/uVPv4jLKpAW/x6sw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"rails_encryption_primary_key": {
"encrypted_data": "u/7z91Og/2eM7PWi2JWYAQMhYX4S5+bMMeVpkFPu778Gqj6Td9pagsWIak/d\nb7AU1zjF\n",
"iv": "wYhrJWcuWbY8yo8S\n",
"auth_tag": "WEoEdNy6VBvB2d5gb8DTXw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"rails_encryption_key_derivation_salt": {
"encrypted_data": "noOwTZuxfhsH94bjOT9rWCKS9rb3wAoXELGrc4nJZeNrb/B9XnOLTuK/wen8\nfmtoym0P\n",
"iv": "jiFWs3VXhJdQBNqk\n",
"auth_tag": "XDpJFgadYp7LyRqU7SO+Fg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"postgresql": {
"encrypted_data": "Xorg8R8COxE/Swivu8MqZiwstD6rD+8FmgDx70pFscZ/CTb6WQRpyqGSrGZt\nZ7oL9WrqZs+mQgBb30odU+Sgdr6x\n",
"iv": "6QWZc3+MY0hBCc/s\n",
"auth_tag": "ZM+7OYyx5E9PciNG2OILhg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"ldap": {
"encrypted_data": "mr2Z7hXF1GOn8RmqeZMMdaUcmiVP4ZeKtTX6RYW1cR+FQiUwoITwTPBE9XUx\n2cqZ9Mcd8uJicmf9vd+PfwPtRtoZFwqHQ4LDRFLW64hBZyiEkZWxWW+HzgPr\n",
"iv": "k1AkyEplnJ4IZO1Z\n",
"auth_tag": "zAOcrPex3VLDfRFq38n7fA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"sentry_dsn": {
"encrypted_data": "jCz681x0WVixHYZUb62TO+1cgyJMiJ2UMqWcaztx57yDBOIiKW3oSZjuXdhP\n9WCesfXQF/lgzITZno3IKDqzlKjWgbGLC75y8FLguxidCHI=\n",
"iv": "IRNOzN/hLwg1iqax\n",
"auth_tag": "eg9dWnEK04JDb94e4CFa9Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"rails_master_key": {
"encrypted_data": "nUB77VLRp41rluH7hLBwQqPtnh/HsmfLr2VbcIZHWawL3o2TGuY+mj648f9L\n7XsEpgqY\n",
"iv": "fpdbDitqTRHxEKiv\n",
"auth_tag": "I44fn8Ott3L/Y5LYr56U/Q==\n",
"encrypted_data": "51cAERaRBCRg/sMb5c13EcnJzsz6VEf7jx6X3ooUSzm9wHoEfC5Hs/qakr/D\nqm9x3s3aGURRzyLUIEoe9jCohGguh6ehrXYVrun0B6pghVU=\n",
"iv": "hJsiiW6dFQMEQ+2p\n",
"auth_tag": "TOIahNrUhhsdQGlzp6UV5g==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"discourse_connect_secret": {
"encrypted_data": "ENtMn+1XTVFmdEZw7LU6WGoMbSZY654ggm3vPACGfFgqo6r0LhG60c5OTdqv\nZvT5/Q==\n",
"iv": "bL1BmvRhgxFqSM1P\n",
"auth_tag": "sEBZzGWwwYFHn+4B4SsyCA==\n",
"encrypted_data": "pvKcwuZgUJsAvClQ4V0BwhwEg09EUEWVxoSx+mFlfG1KpvZE4Cu3u3PalPSD\nldyKsw==\n",
"iv": "ED85d6PKyaKB3Wlv\n",
"auth_tag": "XVCU/WigC97tNe0bUK6okQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"lndhub_admin_token": {
"encrypted_data": "4LPGFoARzI8UYnsJPIk8sax/rAA16pUULEZWn86e2C7L\n",
"iv": "nvjXrOwgfgutwEVw\n",
"auth_tag": "A89RUf1sdcS3FVscNPWYLg==\n",
"encrypted_data": "LvCgahQblsKOxK9iNbwDd31atBfemVppHqV7s3K/sR4j\n",
"iv": "zObzh2jEsqXk2vD2\n",
"auth_tag": "n9m/sBYBfzggwQLWrGpR2Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"btcpay_auth_token": {
"encrypted_data": "ky5iWYF06os0Ek6vIRzWqMTekqJhCOh/Q9DTDIeKhSyk8TnT3O71lCNEt1F5\nXCNq6ux3V6oyHVLWj0o=\n",
"iv": "zk6WnxsY89oNW1F9\n",
"auth_tag": "FAIMXKvQ1T7QKezVSNJbwQ==\n",
"encrypted_data": "M4kGd6+jresm90nWrJG25mX6rfhaU+VlJlIVd/IjOAUsDABryyulJul3GZFh\nFPSI4uEhgIWtn56I0bA=\n",
"iv": "hvqHm7A/YfUOJwRJ\n",
"auth_tag": "DhtT6IeixD1MSRX+D7JxZA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_access_key": {
"encrypted_data": "KfhfEGwPjOonlz6rpnNTinXFPqX/sIbqQn/aby0UDi/G/7cvEcOiNcCkfuSz\n",
"iv": "Q3rg06v6K9pUDLDY\n",
"auth_tag": "G5ugdlJ896KtYtObKLclJA==\n",
"encrypted_data": "FPRpLZoIbLcVWPJhOlX7ZeXGv6TZIWYAD+BKTsJOyOHxDG3eRULqQc89cGWi\n",
"iv": "f9WiiGLmDxtygp60\n",
"auth_tag": "lGnq4itmByuF/Yp20/6coQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_key": {
"encrypted_data": "N8s1OoDrYXHjqSydQA0kY7dd68Aelq4+/cgmJlYfP92u4YA17V4TR7fsvQZL\nkqjuUSClNYPc0XiCwf/5gxVirE9AO6OmmvSV7lUyu4hcEY6unrU=\n",
"iv": "bXzIVWnX6V0P6PRb\n",
"auth_tag": "1EOjCfsX9P6ETjUsgBvBsA==\n",
"encrypted_data": "JnnwISbHJ+d7JZB/C0NH0fb8p+bDSwoq5t5knSi+bSTltSxKcq6PRX9K6bov\nEbo0GTdWePbuc5NCsyYxfrkzCtpLXTIxeCROtinRmFIgMFNwaOA=\n",
"iv": "pKPCaANDqGtbFV3V\n",
"auth_tag": "S//hn2HOhuZH8+UfCNBWDg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"nostr_private_key": {
"encrypted_data": "Sf8PEyQ0sqcgxddSlIDxLOVzPjOkTFObsYuTgcxkbEV7igrati4e8QVVUEBD\n1yoLJXelp8jlCr28Ectci29jc53gYSMTLSQsw97uYas2R0dGCqQ=\n",
"iv": "+1CIUyvIUOveLrY4\n",
"auth_tag": "GDqS+IuAIfMBmHIeFXaV7A==\n",
"encrypted_data": "AKfFiLow+veDyEWBwmCDuLerT3l+o2aJUCeHg2mZZIyoH4oeo/9crZwIdjBn\n70reouqnHNG9mBHuO/+IPGfj53mHLo+oGHh+6LkL3ImI4MFBofY=\n",
"iv": "bPlOKk2qkJAzdKf+\n",
"auth_tag": "VIp1IOjBGatn2MN5LHVymg==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
+27 -16
View File
@@ -1,27 +1,38 @@
{
"id": "backup",
"s3_access_key_id": {
"encrypted_data": "emGNH4v7TTEh05Go/DsI3k7CFnaK4p/4JxodC4BYpyWw47/Z3dsuRMu4vXM3\n3YLH\n",
"iv": "Dau+ekb3UTYdl8w3fQKVcA==\n",
"version": 1,
"cipher": "aes-256-cbc"
"encrypted_data": "245TrPvuoBRRTimhbt6qqsFb+JnnD377sPt1pguJy7Q2BXOy/jrX0wyMt+cP\nuA==\n",
"iv": "ylmRxSRO3AA4MSJN\n",
"auth_tag": "45tBcYZowPLrbv4Zu2P0Fw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_access_key": {
"encrypted_data": "Mxyly86JxrWUbubbSiqPdRosChzfI1Q8eBEG4n+2B9JJG4yExltO5Wc5kgSs\nX01MPXAc+PGLm+J9MngUtypo/g==\n",
"iv": "WRhBJGiuScYYsUsoT5j/UA==\n",
"version": 1,
"cipher": "aes-256-cbc"
"encrypted_data": "jDIOjlBzTkBUzpj243T6KnBuH0qwyW7BUFMcqllljFSzxs7K8wYJOUreNbOP\ny8OpDWAuO0H4O4LuFMJXeM8=\n",
"iv": "PzvZr37EkJqz6JtM\n",
"auth_tag": "e3XW8oHVgmYibv/IBzj0yA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_endpoint": {
"encrypted_data": "ErJIEChxrreW7WKEwRtuP2MyYlsZRtqLdGa/x5QY58qgO036FgR3Hs2Z3yce\n",
"iv": "HOSAOgUjO7XGwk50\n",
"auth_tag": "XE1bwMIXHHE72V9K2KOLnw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_region": {
"encrypted_data": "2ZGxu0tVzKNfx3K1Wleg0SAwGaPkHCi/XfKpJ+J7q40=\n",
"iv": "CNTZW2SEIgfw+IyzGI3TzQ==\n",
"version": 1,
"cipher": "aes-256-cbc"
"encrypted_data": "8cNSaYu7HH95ftG66lFdUIPZD7soz907CPA=\n",
"iv": "pU21ulF75y/SIs3x\n",
"auth_tag": "7WQQCbSbB2GybjY+C+5IvQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"encryption_password": {
"encrypted_data": "tsBWKBwhQFfEAM0EWMPtljSbqU1c5mOJXPjYJjNT5RUFhPlqa7gsE8aJbs+D\nSPKjAQ62j+iHeqCk9mE9CCkgBA==\n",
"iv": "uq5YAXuq2ynRLv9EIWoCFA==\n",
"version": 1,
"cipher": "aes-256-cbc"
"encrypted_data": "l23CiIO2s1fIRn0NdoWZ+wK+Zhx3hCYDHf4ypjqMRekZ7xqafvXHHuogD5aj\npxYUKloH\n",
"iv": "Dzx83eP9L7Jqqidh\n",
"auth_tag": "UVn5XA5Tgsikc1GdOt1MUQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}
+9 -9
View File
@@ -1,23 +1,23 @@
{
"id": "gandi_api",
"key": {
"encrypted_data": "d3/rJMX6B9GuzUt0/mIk/lgQ3qGyQdbNXH6UEm3ZX7DeSl+rbW9FPJCRWg==\n",
"iv": "15YVAYla7PqqVOab\n",
"auth_tag": "xQSq+ld6SDOAER07N4ZkUQ==\n",
"encrypted_data": "lU7/xYTmP5Sb6SsK5TNNIyegWozzBtUzpg7oDdl6gcz9FEMmG2ft0Ljh5Q==\n",
"iv": "EZPQD3C+wsP/mBhF\n",
"auth_tag": "vF9E8Pj4Z8quJJdOMg/QTw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"access_token": {
"encrypted_data": "geQwcNosiJZmqbbMpD/I+a2yueBzpV6C8Rb7vrCD8kR161ZRjvqLe+g/1XpT\n2/65wKYDMTrdto1I030=\n",
"iv": "1sj58eyooOZ8FTYn\n",
"auth_tag": "yBNfgWXaToc06VDLly/HUw==\n",
"encrypted_data": "1Uw69JkNrmb8LU/qssuod1SlqxxrWR7TJQZeeivRrNzrMIVTEW/1uwJIYL6b\nM4GeeYl9lIRlMMmLBkc=\n",
"iv": "cc1GJKu6Cf4DkIgX\n",
"auth_tag": "ERem4S7ozG695kjvWIMghw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"domains": {
"encrypted_data": "p5rIQTyCE+0d4HIuA4GKEAFekh7qEC4xe9Rm/kP0DyzY83FO0/4uKIvYoZRB\n",
"iv": "LWlx98NSS1/ngCH1\n",
"auth_tag": "FID+x/LjTZ3cgQV5U2xZLA==\n",
"encrypted_data": "scZ5blsSjs54DlitR7KZ3enLbyceOR5q0wjHw1golQ==\n",
"iv": "oDcHm7shAzW97b4t\n",
"auth_tag": "62Zais9yf68SwmZRsmZ3hw==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
+10
View File
@@ -0,0 +1,10 @@
{
"id": "kosmos-rs",
"auth_tokens": {
"encrypted_data": "fiznpRw7VKlm232+U6XV1rqkAf2Z8CpoD8KyvuvOH2JniaymlcTHgazGWQ8s\nGeqK4RU9l4d29e9i+Mh0k4vnhO4q\n",
"iv": "SvurcL2oNSNWjlxp\n",
"auth_tag": "JLQ7vGXAuYYJpLEpL6C+Rw==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}
+12 -12
View File
@@ -1,30 +1,30 @@
{
"id": "lndhub-go",
"jwt_secret": {
"encrypted_data": "3T4JYnoISKXCnatCBeLCXyE8wVjzphw5/JU5A0vHfQ2xSDZreIRQ\n",
"iv": "bGQZjCk6FtD/hqVj\n",
"auth_tag": "CS87+UK1ZIFMiNcNaoyO6w==\n",
"encrypted_data": "lJsKBTCRzI83xmRHXzpnuRH/4cuMOR+Rd+SBU50G9HdibadIEDhS\n",
"iv": "f/SvsWtZIYOVc54X\n",
"auth_tag": "YlJ78EuJbcPfjCPc2eH+ug==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"postgresql_password": {
"encrypted_data": "u8kf/6WdSTzyIz2kF+24JgOPLndWH2WmTFZ3CToJsnay\n",
"iv": "KqLtV2UuaAzJx7C8\n",
"auth_tag": "3aqx45+epb2NFkNfOfG89A==\n",
"encrypted_data": "aT0yNlWjvk/0S4z2kZB4Ye1u/ngk5J6fGPbwZSfdq6cy\n",
"iv": "OgUttF4LlSrL/7gH\n",
"auth_tag": "pcbbGqbQ2RjU+i9dt8c3OQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"admin_token": {
"encrypted_data": "Z737fXqRE9JHfunRhc2GG281dFFN1bvBvTzTDzl/Vb8O\n",
"iv": "oKLQJbD67tiz2235\n",
"auth_tag": "SlVIqC9d9SRoO78M7cBjTw==\n",
"encrypted_data": "I9EsqCCxMIw+fX6sfu6KX8B5fJj9DX5Y4tbX30jdnmxr\n",
"iv": "vnERvIWYInO6+Y8q\n",
"auth_tag": "gO+MprZUQgPEWJQUmSF1sA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"sentry_dsn": {
"encrypted_data": "gmDHGDWkTIvaXjcWMs1dnKnbqtsADPJ2mLmWw8Idj6RVevU5CabjvviAxEo1\n3hs2LWuObumRSCQt2QKap191uMq3CL2+da53hbsv+JUkxl4=\n",
"iv": "Yt0fSsxL4SNicwUY\n",
"auth_tag": "j7BWbcNnymHHMNTADWmCNw==\n",
"encrypted_data": "+sUXWgl6dXpA1/0FqjKC3Jnl54aor6gtM+19EM/NsHwg4qu672YnSgxV+c9x\nHM3JZBYxBYvJ+HYGAvMmhlGvaOOEIvLmFUpCCJeVUXR32S8=\n",
"iv": "82+DzAnHiptaX7sO\n",
"auth_tag": "CDx44iRBVhSIF8DOxb2c+w==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
+60 -39
View File
@@ -1,93 +1,114 @@
{
"id": "mastodon",
"active_record_encryption_deterministic_key": {
"encrypted_data": "2ik8hqK7wrtxyC73DLI8FNezZiWp2rdjwaWZkTUFRj+iwvpSrGVEwMx6uxDI\nWa7zF3p/\n",
"iv": "XMp6wqwzStXZx+F3\n",
"auth_tag": "vloJOLqEcghfQXOYohVVlg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"active_record_encryption_key_derivation_salt": {
"encrypted_data": "Nq/rHayMYmT/82k3tJUKU8YTvDKUKLoK204aT0CMGZertZaAD3dtA9AkprrA\nPK0D9CdL\n",
"iv": "tn9C+igusYMH6GyM\n",
"auth_tag": "+ReZRNrfpl6ZDwYQpwm6dw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"active_record_encryption_primary_key": {
"encrypted_data": "UEDMuKHgZDBhpB9BwbPmtdmIDWHyS9/bSzaEbtTRvLcV8dGOE5q9lDVIIsQp\n2HE0c92p\n",
"iv": "tnB0pQ3OGDne3mN/\n",
"auth_tag": "kt234ms+bmcxJj/+FH/72Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"paperclip_secret": {
"encrypted_data": "VJn4Yd2N7qFV+nWXPjPA8Y2KEXL/gZs2gK5E3DZZc9ogFXV7RtpDtq+NKGJU\ndpR8ohtEZvkyC+iBkMAlnS1sSVKiLdQ1xXvbzkj04mYgjnLvwsZ19uVpBGwR\nt/DON7Bhe5Fw+OyrBQksqNcZQSpB9sMBfgA1IgCpdVGHQ8PmkMbFTaZZYcoF\n7gg3yUw5/0t3vRdL\n",
"iv": "X5atp/KaIurfln/u\n",
"auth_tag": "mVnBoUb5HwhXNYUddJbq8Q==\n",
"encrypted_data": "AlsnNTRF6GEyHjMHnC4VdzF4swMlppz/Gcp1xr0OuMEgQiOcW1oSZjDRZCRV\nmuGqZXZx64wqZyzTsJZ6ayCLsmWlPq6L21odHWyO+P/C5ubenSXnuCjpUn3/\nHs8WLX3kwVmqCRnVgDl2vEZ5H4XedSLr7R7YM7gQkM0UX4muMDWWnOTR8/x/\ni1ecwBY5RjdewwyR\n",
"iv": "RWiLePhFyPekYSl9\n",
"auth_tag": "sUq4ZX9CFKPbwDyuKQfNLQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"secret_key_base": {
"encrypted_data": "d0sNREFhzQEJhkRzielbCNBJOVAdfThv7zcYTZ1vFZ20i/mzB9GWW2nb+1yn\nNFjAq8wCLpLXn9n3FClE+WOqnAw0jwTlyScRM5lzjKI5SxHKkBQHGyFs2AF8\nqFjEvpiqxhjsc4kNOJGO8DdcyHuulXyaO9fJg8HDnU1ov1vSSuTc0ABKgycY\nMq/Xt10UXnhP8cPw\n",
"iv": "HFT7fdGQ2KRJ2NFy\n",
"auth_tag": "C55JT2msLQCoI+09VKf+Jw==\n",
"encrypted_data": "K5CmIXFa9mS4/dODBQAN9Bw0SFpbLiZAB8ewiYpkB8NDXP6X/BX8aDjW2Y4F\ncMvpFyiFldRBhrh1MSKTVYQEoJ3JhlNL9HCdPsAYbBEW70AuEBpHvOtD5OxH\nqgbH4Reuk6JX5AI8SwDD3zGrdT12mTFVNgSujzuZMvpi1Sro2HtRGAkjmnaa\nMGKrBV21O1CREJJg\n",
"iv": "/yMMmz1YtKIs5HSd\n",
"auth_tag": "WXgIVWjIdbMFlJhTD5J0JQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"otp_secret": {
"encrypted_data": "1iH7mUkaUzyn9dfDwMdiJ8X059qWSUO3DqivsOFfI1f44nMnzllaYPu6nh8O\nNLNCOzvsSAonhhaq1X+foOdyPIG2mGhE/juKveDD57/AdZAayHWsbsQlPC4l\nwdShz/ANrq0YZ/zOhpT2sZj1TZavW+S+JlxJFX2kP24D4dUzwG0vNj7522+Q\n9NAApJdUte1ZYF/b\n",
"iv": "00/vs5zTdoC19+pS\n",
"auth_tag": "3cjYqebMshnmWkQ3SdRcCQ==\n",
"encrypted_data": "OPLnYRySSIDOcVHy2A5V+pCrz9zVIPjdpAGmCdgQkXtJfsS9NzNtxOPwrXo6\nuQlV9iPjr1Y9ljGKYytbF0fPgAa5q6Z1oHMY9vOGs/LGKj8wHDmIvxQ+Gil1\nC+dZEePmqGaySlNSB/gNzcFIvjBH3mDxHJJe9hDxSv5miNS9l9f3UvQeLP2M\nU7/aHKagL9ZHOp/d\n",
"iv": "wqJBLdZhJ7M/KRG9\n",
"auth_tag": "dv5YyZszZCrRnTleaiGd4A==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"aws_access_key_id": {
"encrypted_data": "krcfpxOrAkwZR2GP4glTaFg2dw/COw8BO8I+KICqyl4bvpL5NrB9\n",
"iv": "paoDKp6EIU8bjxzF\n",
"auth_tag": "p6Pt/tz5dgGXzW5cO06nBg==\n",
"encrypted_data": "A1/gfcyrwT6i9W6aGTJ8pH4Dm4o8ACDxvooDroA/2N0szOiNyiYX\n",
"iv": "JNvf21KhdM3yoLGt\n",
"auth_tag": "2xaZql1ymPYuXuvXzT3ymA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"aws_secret_access_key": {
"encrypted_data": "aQySCT7gxeNiMMocq81KtIi+YzrZwMBeTd4LrRSN8iNEikWReJrrfagBwozy\n+Gfdw4bMGzY1dhF1Sl4=\n",
"iv": "R/hvvOvmqq/uoKbx\n",
"auth_tag": "QBJY/3+OprBXO/FSNwv2OQ==\n",
"encrypted_data": "T1tc01nACxhDgygKaiAq3LChGYSgmW8LAwr1aSxXmJ5D2NtypJDikiHrJbFZ\nfWFgm1qe4L8iD/k5+ro=\n",
"iv": "FDTPQQDLUMKW7TXx\n",
"auth_tag": "msY6PFFYhlwQ0X7gekSDiw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"ldap_bind_dn": {
"encrypted_data": "wDPABdL+DlXz2WWV4XwW20kM4EWPSwc/ajBmbdYMnjFau6c76CIBpbFhrFoj\n3mwDbHz8cgOnLNvozXSV4w6N7URCN/mWWTBHNhd3ppw=\n",
"iv": "8rQ0M4LT1HbCNpq9\n",
"auth_tag": "AuO5R6WCtd75TGJNfgFSCg==\n",
"encrypted_data": "C/YNROVyOxmR4O2Cy52TX41EKli2bCOMzwYD+6Hz/SiKkgidnKUHlvHlbTDq\nkWwlRDM2o8esOCKaEAGPNWcNc9IHlaSsfwhr4YWnwe0=\n",
"iv": "QCQF0+vH+//+nDxr\n",
"auth_tag": "a0PbyO/7wjufqH2acDCqmQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"ldap_password": {
"encrypted_data": "y0t8RuptVYiTKmUhaAWsC4c2ZzhQsYeVLeMPiQBn+Q==\n",
"iv": "mixYzDKkPSIDQ/l+\n",
"auth_tag": "DbLlZG7rlgBmyCdJ3nhSYA==\n",
"encrypted_data": "SqwKeiyzfvvZGqH5gi35BdW3W+Fo/AQQjso1Yfp2XA==\n",
"iv": "md2/etFJ1r/BKaYg\n",
"auth_tag": "OlCCOoYSD7ukdH2yWCd6KA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"smtp_user_name": {
"encrypted_data": "Ugc29HUFcirv6jOOlYNs9uvmhfwa2rG41im/MusCx0Vu0AZKcdy0krGi/kCZ\nKg==\n",
"iv": "ZlDK854w+vTNmeJe\n",
"auth_tag": "Nj95g0JMxrT419OLQIX26g==\n",
"encrypted_data": "0kzppmSSUg7lEyYnI5a0nf+xO0vSVx88rbxI+niIdzFOOBKSIL6uVHJ340dw\nMQ==\n",
"iv": "lQR77ETTtIIyaG1r\n",
"auth_tag": "smF2HRg8WdmD+MWwkT3TqA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"smtp_password": {
"encrypted_data": "D1TGjRfmM1ZeUmzwewlKXfQvvqTSzpzNlK5MKIU8dxbAH175UKn5qiemDEWe\nRYPe1LWT\n",
"iv": "D1OVfD5bMcefM5DP\n",
"auth_tag": "2E/q2gTbdXiLVnOMDeJv9w==\n",
"encrypted_data": "1i0m9qiZA/8k8fMKo+04uyndl1UhagtHweBFICIorWALkB68edjb8OhUDxv9\nTubiXYRC\n",
"iv": "IU2x4ips9HWmKoxi\n",
"auth_tag": "BZJTDfPBvt8cf6/MbKzUJQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"vapid_private_key": {
"encrypted_data": "+87bVrbd/XvWhZH1IYusc4Hla7ZZmylptAyJf48CMG/F3SMEO33OqW2I+UWh\nSkqbxai5+GaMhvZHB8U2Clod\n",
"iv": "HVhNdFQl0TvCcjsa\n",
"auth_tag": "EEQXuQ5keOHXmchhBh+Ixw==\n",
"encrypted_data": "+LmySMvzrV3z2z7BmJG9hpvkL06mGc87RG20XQhhdAJ2Z/5uMMjev2pUf7du\ntv2qvDJAimhkZajuDGL9R3eq\n",
"iv": "Mg7NhPl31O6Z4P+v\n",
"auth_tag": "qYWPInhgoWAjg0zQ+XXt5w==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"vapid_public_key": {
"encrypted_data": "nBm1lXbn1+Kzol95+QSEjsUI/n7ObhdEqEyfYcVSP/LiLy57KOBQDu6CjSMz\n+PN9yEP4lOjtscqHS29jTC2vi3PSui9XpOFHRxFBnDuyKxczrnID2KlLCNRQ\n228G3VRgFIMAWMYKACgzUk0=\n",
"iv": "xHrVl+4JGkQbfUW3\n",
"auth_tag": "rfFoBMocq17YiDSlOCvWqw==\n",
"encrypted_data": "NOyc+Cech9qG2HhnhajDaJMWd1OU5Rp6hws6i4xF5mLPePMJ9mJTqzklkuMK\npYSEdtcxA3KmDt1HrFxfezYUc9xO9pvlm0BPA7XAFmF/PU7/AJbFqgPU6pX/\ntSDLSdFuMB3ky+cl4DJi+O4=\n",
"iv": "rgUglYiHB/mhqGha\n",
"auth_tag": "DEX7hdNsNLi/LIrMkdUe/Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_key_id": {
"encrypted_data": "pq0+VZhjoxzLuyY34f23wOmuks9Wevt8Wu6muKZAsZMSuU0iJvlRoK/65Qa0\n",
"iv": "QTxO+IfYcpI170ON\n",
"auth_tag": "4ZHva2iBYgDv6DyhMRRXzA==\n",
"encrypted_data": "rPVzrYYIbcM+ssVpdL6wpCTdzLIEKXke1+eMlPLMG2gPuoh+W3eO3nFGb/s2\n",
"iv": "/qI8F9cvnfKG7ZXE\n",
"auth_tag": "z1+MPdkO/+SCaag2ULelPg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_key": {
"encrypted_data": "YMZqKtOXDPAME8IWWC+lO8TsxHMzawlbTju9z/Hcb5DnQAOy82QufTN90m73\n/xikUboAdKcA5YGn0mkm+Rt/ygVR6DFirYV3kwi2M3qyGVJifug=\n",
"iv": "9AwabheRFOgC8IKR\n",
"auth_tag": "iU2kkA1q8OsblN5jaZrWGQ==\n",
"encrypted_data": "RMnB9kZ+slbQXfpo0udYld6S1QqBxqM1YbszdLfSAdKK9I0J3Kmvh/CQ5Fbx\nyov6LClmsl1rjtH16r7cY32M4Woq+6miERdtecyDrrYkNHz0xkA=\n",
"iv": "pO7bm3aOtjuwYjG/\n",
"auth_tag": "SRvn4z1+Vd5VAGgjG64s+Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
+15
View File
@@ -0,0 +1,15 @@
# Mastodon
Running on kosmos.social
## Ops
### Enable maintance mode
Return a 503 and maintance page for all requests:
knife ssh -p2222 -a knife_zero.host "role:openresty_proxy" "sudo cp -p /var/www/maintenance.html /var/www/kosmos.social/public/ && sudo systemctl reload openresty"
### Stop maintenance mode
knife ssh -p2222 -a knife_zero.host "role:openresty_proxy" "sudo rm /var/www/kosmos.social/public/maintenance.html && sudo systemctl reload openresty"
+28 -6
View File
@@ -105,17 +105,39 @@
},
"strfry": {
"domain": "nostr.kosmos.org",
"config": {
"events": {
"max_event_size": "524288"
},
"relay": {
"bind": "0.0.0.0",
"real_ip_header": "x-real-ip",
"policy_path": "/opt/strfry/strfry-policy.ts",
"whitelist_pubkeys": [
"b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
],
"info": {
"name": "Kosmos Relay",
"description": "Members-only nostr relay for kosmos.org users",
"pubkey": "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb",
"contact": "ops@kosmos.org"
"pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
"contact": "ops@kosmos.org",
"icon": "https://assets.kosmos.org/img/app-icon-256px.png"
},
"write_policy": {
"plugin": "/opt/strfry/strfry-policy.ts"
},
"logging": {
"dump_in_all": true
}
}
},
"known_pubkeys": {
"_": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
"accounts": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
"bitcoincore": "47750177bb6bb113784e4973f6b2e3dd27ef1eff227d6e38d0046d618969e41a",
"fiatjaf": "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
}
},
"substr": {
"relay_urls": [
"ws://localhost:7777"
]
}
}
}
+2 -1
View File
@@ -9,7 +9,7 @@
"automatic": {
"fqdn": "akkounts-1",
"os": "linux",
"os_version": "5.4.0-148-generic",
"os_version": "5.4.0-216-generic",
"hostname": "akkounts-1",
"ipaddress": "192.168.122.160",
"roles": [
@@ -38,6 +38,7 @@
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::journald_conf",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
+4 -5
View File
@@ -16,7 +16,6 @@
"kvm_guest",
"sentry_client",
"bitcoind",
"cln",
"lnd",
"lndhub",
"postgresql_client",
@@ -30,10 +29,8 @@
"tor-full",
"tor-full::default",
"kosmos-bitcoin::bitcoind",
"kosmos-bitcoin::c-lightning",
"kosmos-bitcoin::lnd",
"kosmos-bitcoin::lnd-scb-s3",
"kosmos-bitcoin::boltz",
"kosmos-bitcoin::rtl",
"kosmos-bitcoin::peerswap-lnd",
"kosmos_postgresql::hostsfile",
@@ -41,11 +38,13 @@
"kosmos-bitcoin::dotnet",
"kosmos-bitcoin::nbxplorer",
"kosmos-bitcoin::btcpay",
"kosmos-bitcoin::price_tracking",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::journald_conf",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
@@ -103,9 +102,9 @@
"role[sentry_client]",
"recipe[tor-full]",
"role[bitcoind]",
"role[cln]",
"role[lnd]",
"role[lndhub]",
"role[btcpay]"
"role[btcpay]",
"recipe[kosmos-bitcoin::price_tracking]"
]
}
+1 -1
View File
@@ -20,7 +20,7 @@
"automatic": {
"fqdn": "draco.kosmos.org",
"os": "linux",
"os_version": "5.4.0-54-generic",
"os_version": "5.4.0-187-generic",
"hostname": "draco",
"ipaddress": "148.251.237.73",
"roles": [
+9 -8
View File
@@ -8,26 +8,27 @@
"automatic": {
"fqdn": "drone-1",
"os": "linux",
"os_version": "5.4.0-1058-kvm",
"os_version": "5.4.0-1133-kvm",
"hostname": "drone-1",
"ipaddress": "192.168.122.200",
"roles": [
"kvm_guest",
"drone",
"postgresql_client",
"kvm_guest"
"postgresql_client"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::hostsfile",
"kosmos_drone",
"kosmos_drone::default",
"kosmos_kvm::guest",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::journald_conf",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
@@ -43,13 +44,13 @@
"cloud": null,
"chef_packages": {
"chef": {
"version": "17.9.52",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
"version": "18.7.10",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
"chef_effortless": null
},
"ohai": {
"version": "17.9.0",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
"version": "18.2.5",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
}
}
},
+13 -13
View File
@@ -1,17 +1,17 @@
{
"name": "garage-4",
"name": "garage-10",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.104"
"host": "10.1.1.27"
}
},
"automatic": {
"fqdn": "garage-4",
"fqdn": "garage-10",
"os": "linux",
"os_version": "5.4.0-132-generic",
"hostname": "garage-4",
"ipaddress": "192.168.122.123",
"os_version": "5.4.0-1090-kvm",
"hostname": "garage-10",
"ipaddress": "192.168.122.70",
"roles": [
"base",
"kvm_guest",
@@ -23,7 +23,8 @@
"kosmos_kvm::guest",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall",
"kosmos_garage::firewall_rpc",
"kosmos_garage::firewall_apis",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -38,21 +39,20 @@
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default",
"chef-sugar::default"
"firewall::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "17.10.3",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "17.9.0",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
+10 -10
View File
@@ -1,17 +1,17 @@
{
"name": "garage-5",
"name": "garage-11",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.33"
"host": "10.1.1.165"
}
},
"automatic": {
"fqdn": "garage-5",
"fqdn": "garage-11",
"os": "linux",
"os_version": "5.15.0-84-generic",
"hostname": "garage-5",
"ipaddress": "192.168.122.55",
"os_version": "5.15.0-1059-kvm",
"hostname": "garage-11",
"ipaddress": "192.168.122.9",
"roles": [
"base",
"kvm_guest",
@@ -46,13 +46,13 @@
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.3.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
+9 -9
View File
@@ -1,17 +1,17 @@
{
"name": "garage-6",
"name": "garage-9",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.161"
"host": "10.1.1.223"
}
},
"automatic": {
"fqdn": "garage-6",
"fqdn": "garage-9",
"os": "linux",
"os_version": "5.4.0-1090-kvm",
"hostname": "garage-6",
"ipaddress": "192.168.122.213",
"hostname": "garage-9",
"ipaddress": "192.168.122.21",
"roles": [
"base",
"kvm_guest",
@@ -46,13 +46,13 @@
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.3.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
+13 -2
View File
@@ -9,7 +9,7 @@
"automatic": {
"fqdn": "gitea-2",
"os": "linux",
"os_version": "5.4.0-1096-kvm",
"os_version": "5.4.0-1123-kvm",
"hostname": "gitea-2",
"ipaddress": "192.168.122.189",
"roles": [
@@ -32,12 +32,14 @@
"kosmos_postgresql::hostsfile",
"kosmos_gitea",
"kosmos_gitea::default",
"kosmos_gitea::backup",
"kosmos_gitea::act_runner",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::journald_conf",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
@@ -47,7 +49,16 @@
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default"
"firewall::default",
"kosmos_gitea::compile_from_source",
"git::default",
"git::package",
"kosmos-nodejs::default",
"nodejs::nodejs_from_package",
"nodejs::repo",
"golang::default",
"backup::default",
"logrotate::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
+1 -1
View File
@@ -10,7 +10,7 @@
"fqdn": "mail.kosmos.org",
"os": "linux",
"os_version": "5.15.0-1048-kvm",
"hostname": "mail",
"hostname": "mail.kosmos.org",
"ipaddress": "192.168.122.131",
"roles": [
"base",
+1 -2
View File
@@ -37,6 +37,7 @@
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::journald_conf",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
@@ -63,8 +64,6 @@
"redisio::disable_os_default",
"redisio::configure",
"redisio::enable",
"nodejs::npm",
"nodejs::install",
"backup::default",
"logrotate::default"
],
+11 -2
View File
@@ -13,12 +13,21 @@
"ipaddress": "192.168.122.60",
"roles": [
"base",
"kvm_guest"
"kvm_guest",
"postgresql_primary"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::primary",
"kosmos_postgresql::firewall",
"kosmos-akkounts::pg_db",
"kosmos-bitcoin::lndhub-go_pg_db",
"kosmos-bitcoin::nbxplorer_pg_db",
"kosmos_drone::pg_db",
"kosmos_gitea::pg_db",
"kosmos-mastodon::pg_db",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -52,6 +61,6 @@
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[postgresql_replica]"
"role[postgresql_primary]"
]
}
+16 -18
View File
@@ -1,37 +1,35 @@
{
"name": "postgres-5",
"name": "postgres-7",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.54"
"host": "10.1.1.134"
}
},
"automatic": {
"fqdn": "postgres-5",
"fqdn": "postgres-7",
"os": "linux",
"os_version": "5.4.0-153-generic",
"hostname": "postgres-5",
"ipaddress": "192.168.122.211",
"os_version": "5.4.0-1123-kvm",
"hostname": "postgres-7",
"ipaddress": "192.168.122.89",
"roles": [
"base",
"kvm_guest",
"postgresql_primary"
"postgresql_replica"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::primary",
"kosmos_postgresql::hostsfile",
"kosmos_postgresql::replica",
"kosmos_postgresql::firewall",
"kosmos-bitcoin::lndhub-go_pg_db",
"kosmos-bitcoin::nbxplorer_pg_db",
"kosmos_drone::pg_db",
"kosmos_gitea::pg_db",
"kosmos-mastodon::pg_db",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::journald_conf",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
@@ -47,19 +45,19 @@
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.2.7",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[postgresql_primary]"
"role[postgresql_replica]"
]
}
+62
View File
@@ -0,0 +1,62 @@
{
"name": "postgres-8",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.99"
}
},
"automatic": {
"fqdn": "postgres-8",
"os": "linux",
"os_version": "5.15.0-1059-kvm",
"hostname": "postgres-8",
"ipaddress": "192.168.122.100",
"roles": [
"base",
"kvm_guest",
"postgresql_replica"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::hostsfile",
"kosmos_postgresql::replica",
"kosmos_postgresql::firewall",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default"
],
"platform": "ubuntu",
"platform_version": "22.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[postgresql_replica]"
]
}
+2
View File
@@ -27,11 +27,13 @@
"strfry::default",
"kosmos_strfry::policies",
"kosmos_strfry::firewall",
"kosmos_strfry::substr",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::journald_conf",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
+5 -3
View File
@@ -8,16 +8,19 @@
"automatic": {
"fqdn": "wiki-1",
"os": "linux",
"os_version": "5.4.0-91-generic",
"os_version": "5.4.0-167-generic",
"hostname": "wiki-1",
"ipaddress": "192.168.122.26",
"roles": [
"kvm_guest"
"base",
"kvm_guest",
"ldap_client"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos-dirsrv::hostsfile",
"kosmos-mediawiki",
"kosmos-mediawiki::default",
"apt::default",
@@ -41,7 +44,6 @@
"php::package",
"php::ini",
"composer::global_configs",
"kosmos-dirsrv::hostsfile",
"mediawiki::default",
"mediawiki::database",
"kosmos-nginx::default",
+9
View File
@@ -3,4 +3,13 @@ name "gitea"
run_list %w(
role[postgresql_client]
kosmos_gitea::default
kosmos_gitea::backup
)
override_attributes(
"gitea" => {
"repo" => "https://github.com/67P/gitea.git",
"revision" => "ldap_sync",
"log" => { "level" => "Info" }
},
)
-1
View File
@@ -3,7 +3,6 @@ name "lnd"
run_list %w(
kosmos-bitcoin::lnd
kosmos-bitcoin::lnd-scb-s3
kosmos-bitcoin::boltz
kosmos-bitcoin::rtl
kosmos-bitcoin::peerswap-lnd
)
+1
View File
@@ -3,6 +3,7 @@ name "postgresql_primary"
run_list %w(
kosmos_postgresql::primary
kosmos_postgresql::firewall
kosmos-akkounts::pg_db
kosmos-bitcoin::lndhub-go_pg_db
kosmos-bitcoin::nbxplorer_pg_db
kosmos_drone::pg_db
+1
View File
@@ -5,4 +5,5 @@ run_list %w(
strfry::default
kosmos_strfry::policies
kosmos_strfry::firewall
kosmos_strfry::substr
)
+2 -2
View File
@@ -42,5 +42,5 @@ default['backup']['orbit']['keep'] = 10
default['backup']['cron']['hour'] = "05"
default['backup']['cron']['minute'] = "7"
default['backup']['s3']['keep'] = 15
default['backup']['s3']['bucket'] = "kosmos-dev-backups"
default['backup']['s3']['keep'] = 10
default['backup']['s3']['bucket'] = "kosmos-backups"
+1
View File
@@ -28,6 +28,7 @@ template "#{backup_dir}/config.rb" do
sensitive true
variables s3_access_key_id: backup_data["s3_access_key_id"],
s3_secret_access_key: backup_data["s3_secret_access_key"],
s3_endpoint: backup_data["s3_endpoint"],
s3_region: backup_data["s3_region"],
encryption_password: backup_data["encryption_password"],
mail_from: "backups@kosmos.org",
@@ -23,6 +23,10 @@ Storage::S3.defaults do |s3|
s3.secret_access_key = "<%= @s3_secret_access_key %>"
s3.region = "<%= @s3_region %>"
s3.bucket = "<%= node['backup']['s3']['bucket'] %>"
s3.fog_options = {
endpoint: "<%= @s3_endpoint %>",
aws_signature_version: 2
}
end
Encryptor::OpenSSL.defaults do |encryption|
@@ -88,7 +92,6 @@ end
preconfigure 'KosmosBackup' do
split_into_chunks_of 250 # megabytes
store_with S3
compress_with Bzip2
encrypt_with OpenSSL
notify_by Mail do |mail|
@@ -24,13 +24,12 @@ package "libvips"
include_recipe 'redisio::default'
include_recipe 'redisio::enable'
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
include_recipe 'kosmos-nodejs'
npm_package "bun"
npm_package "yarn" do
version "1.22.4"
end
ruby_version = "3.3.0"
ruby_version = "3.3.8"
ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
bundle_path = "#{ruby_path}/bin/bundle"
rails_env = node.chef_environment == "development" ? "development" : "production"
@@ -48,7 +47,28 @@ webhooks_allowed_ips = [lndhub_host].compact.uniq.join(',')
env = {
primary_domain: node['akkounts']['primary_domain'],
akkounts_domain: node['akkounts']['domain'],
rails_serve_static_files: true
rails_serve_static_files: true,
secret_key_base: credentials["rails_secret_key_base"],
encryption_primary_key: credentials["rails_encryption_primary_key"],
encryption_key_derivation_salt: credentials["rails_encryption_key_derivation_salt"],
db_adapter: "postgresql",
pg_host: "pg.kosmos.local",
pg_port: 5432,
pg_database: "akkounts",
pg_database_queue: "akkounts_queue",
pg_username: credentials["postgresql"]["username"],
pg_password: credentials["postgresql"]["password"]
}
env[:ldap] = {
host: "ldap.kosmos.local",
port: 389,
use_tls: false,
uid_attr: "cn",
base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
admin_user: credentials["ldap"]["admin_user"],
admin_password: credentials["ldap"]["admin_password"],
suffix: "dc=kosmos,dc=org"
}
smtp_server, smtp_port = smtp_credentials[:relayhost].split(":")
@@ -138,9 +158,9 @@ if lndhub_host
if postgres_readonly_host
env[:lndhub_admin_ui] = true
env[:lndhub_pg_host] = postgres_readonly_host
env[:lndhub_pg_database] = node['akkounts']['lndhub']['postgres_db']
env[:lndhub_pg_username] = credentials['postgresql_username']
env[:lndhub_pg_password] = credentials['postgresql_password']
env[:lndhub_pg_database] = node["akkounts"]["lndhub"]["postgres_db"]
env[:lndhub_pg_username] = credentials["postgresql"]["username"]
env[:lndhub_pg_password] = credentials["postgresql"]["password"]
end
end
@@ -208,7 +228,7 @@ systemd_unit "akkounts.service" do
Type: "simple",
User: deploy_user,
WorkingDirectory: deploy_path,
Environment: "RAILS_ENV=#{rails_env}",
Environment: "RAILS_ENV=#{rails_env} SOLID_QUEUE_IN_PUMA=true",
ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
@@ -225,36 +245,6 @@ systemd_unit "akkounts.service" do
action [:create, :enable]
end
systemd_unit "akkounts-sidekiq.service" do
content({
Unit: {
Description: "Kosmos Accounts async/background jobs",
Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
Requires: "redis@6379.service",
After: "syslog.target network.target redis@6379.service"
},
Service: {
Type: "notify",
User: deploy_user,
WorkingDirectory: deploy_path,
Environment: "MALLOC_ARENA_MAX=2",
ExecStart: "#{bundle_path} exec sidekiq -C #{deploy_path}/config/sidekiq.yml -e #{rails_env}",
WatchdogSec: "10",
Restart: "on-failure",
RestartSec: "1",
StandardOutput: "syslog",
StandardError: "syslog",
SyslogIdentifier: "sidekiq"
},
Install: {
WantedBy: "multi-user.target"
}
})
verify false
triggers_reload true
action [:create, :enable]
end
deploy_env = {
"HOME" => deploy_path,
"PATH" => "#{ruby_path}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin",
@@ -267,15 +257,7 @@ git deploy_path do
revision node[app_name]["revision"]
user deploy_user
group deploy_group
# Restart services on deployments
notifies :run, "execute[restart #{app_name} services]", :delayed
end
execute "restart #{app_name} services" do
command "true"
action :nothing
notifies :restart, "service[#{app_name}]", :delayed
notifies :restart, "service[#{app_name}-sidekiq]", :delayed
end
file "#{deploy_path}/config/master.key" do
@@ -283,7 +265,7 @@ file "#{deploy_path}/config/master.key" do
mode '0400'
owner deploy_user
group deploy_group
notifies :run, "execute[restart #{app_name} services]", :delayed
notifies :restart, "service[#{app_name}]", :delayed
end
template "#{deploy_path}/.env.#{rails_env}" do
@@ -293,7 +275,7 @@ template "#{deploy_path}/.env.#{rails_env}" do
mode 0600
sensitive true
variables config: env
notifies :run, "execute[restart #{app_name} services]", :delayed
notifies :restart, "service[#{app_name}]", :delayed
end
execute "bundle install" do
@@ -303,13 +285,6 @@ execute "bundle install" do
command "bundle install --without development,test --deployment"
end
execute "yarn install" do
environment deploy_env
user deploy_user
cwd deploy_path
command "yarn install --pure-lockfile"
end
execute 'rake db:migrate' do
environment deploy_env
user deploy_user
@@ -330,10 +305,6 @@ service "akkounts" do
action [:enable, :start]
end
service "akkounts-sidekiq" do
action [:enable, :start]
end
firewall_rule "akkounts_zerotier" do
command :allow
port node["akkounts"]["port"]
@@ -0,0 +1,22 @@
#
# Cookbook:: kosmos-akkounts
# Recipe:: pg_db
#
credentials = data_bag_item("credentials", "akkounts")
pg_username = credentials["postgresql"]["username"]
pg_password = credentials["postgresql"]["password"]
postgresql_user pg_username do
action :create
password pg_password
end
databases = ["akkounts", "akkounts_queue"]
databases.each do |database|
postgresql_database database do
owner pg_username
action :create
end
end
@@ -14,6 +14,10 @@ server {
listen [::]:443 ssl http2;
server_name <%= @domain %>;
if ($host != $server_name) {
return 301 $scheme://$server_name$request_uri;
}
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
@@ -39,6 +43,9 @@ server {
location @proxy {
proxy_set_header Host $http_host;
set $x_forwarded_host $http_x_forwarded_host;
if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
proxy_set_header X-Forwarded-Host $x_forwarded_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
@@ -0,0 +1,2 @@
node.default["kosmos-base"]["journald"]["system_max_use"] = "256M"
node.default["kosmos-base"]["journald"]["max_retention_sec"] = "7d"
@@ -27,11 +27,19 @@
include_recipe 'apt'
include_recipe 'timezone_iii'
include_recipe 'ntp'
include_recipe 'kosmos-base::journald_conf'
include_recipe 'kosmos-base::systemd_emails'
node.override["apt"]["unattended_upgrades"]["enable"] = true
node.override["apt"]["unattended_upgrades"]["mail_only_on_error"] = false
node.override["apt"]["unattended_upgrades"]["sender"] = "ops@kosmos.org"
node.override["apt"]["unattended_upgrades"]["allowed_origins"] = [
"${distro_id}:${distro_codename}-security",
"${distro_id}:${distro_codename}-updates"
"${distro_id}:${distro_codename}-updates",
"${distro_id}ESMApps:${distro_codename}-apps-security",
"${distro_id}ESMApps:${distro_codename}-apps-updates",
"${distro_id}ESM:${distro_codename}-infra-security",
"${distro_id}ESM:${distro_codename}-infra-updates"
]
node.override["apt"]["unattended_upgrades"]["mail"] = "ops@kosmos.org"
node.override["apt"]["unattended_upgrades"]["syslog_enable"] = true
@@ -0,0 +1,14 @@
#
# Cookbook Name:: kosmos-base
# Recipe:: journald_conf
#
service "systemd-journald"
template "/etc/systemd/journald.conf" do
source "journald.conf.erb"
variables system_max_use: node["kosmos-base"]["journald"]["system_max_use"],
max_retention_sec: node["kosmos-base"]["journald"]["max_retention_sec"]
# Restarting journald is required
notifies :restart, "service[systemd-journald]", :delayed
end
@@ -56,7 +56,6 @@ action :create do
command <<-CMD
certbot certonly --manual -n \
--preferred-challenges dns \
--manual-public-ip-logging-ok \
--agree-tos \
--manual-auth-hook '#{hook_auth_command}' \
--manual-cleanup-hook '#{hook_cleanup_command}' \
@@ -0,0 +1,6 @@
[Journal]
# Set the maximum size of the journal logs in bytes
SystemMaxUse=<%= @system_max_use %>
# Set the number of days after which logs will be deleted
MaxRetentionSec=<%= @max_retention_sec %>
@@ -1,5 +1,5 @@
node.default['bitcoin']['version'] = '26.0'
node.default['bitcoin']['checksum'] = 'ab1d99276e28db62d1d9f3901e85ac358d7f1ebcb942d348a9c4e46f0fcdc0a1'
node.default['bitcoin']['version'] = '29.0'
node.default['bitcoin']['checksum'] = '882c782c34a3bf2eacd1fae5cdc58b35b869883512f197f7d6dc8f195decfdaa'
node.default['bitcoin']['username'] = 'satoshi'
node.default['bitcoin']['usergroup'] = 'bitcoin'
node.default['bitcoin']['network'] = 'mainnet'
@@ -24,7 +24,8 @@ node.default['bitcoin']['conf'] = {
rpcbind: "127.0.0.1:8332",
gen: 0,
zmqpubrawblock: 'tcp://127.0.0.1:8337',
zmqpubrawtx: 'tcp://127.0.0.1:8338'
zmqpubrawtx: 'tcp://127.0.0.1:8338',
deprecatedrpc: 'warnings' # TODO remove when upgrading to LND 0.18.4
}
# Also enables Tor for LND
@@ -40,7 +41,7 @@ node.default['c-lightning']['log_level'] = 'info'
node.default['c-lightning']['public_ip'] = '148.251.237.73'
node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
node.default['lnd']['revision'] = 'v0.17.3-beta'
node.default['lnd']['revision'] = 'v0.19.1-beta'
node.default['lnd']['source_dir'] = '/opt/lnd'
node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -58,24 +59,13 @@ node.default['lnd']['tor'] = {
'skip-proxy-for-clearnet-targets' => 'true'
}
node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
node.default['boltz']['revision'] = 'v1.2.7'
node.default['boltz']['source_dir'] = '/opt/boltz'
node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
node.default['boltz']['grpc_host'] = '127.0.0.1'
node.default['boltz']['grpc_port'] = '9002'
node.default['boltz']['rest_disabled'] = 'false'
node.default['boltz']['rest_host'] = '127.0.0.1'
node.default['boltz']['rest_port'] = '9003'
node.default['boltz']['no_macaroons'] = 'false'
node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
node.default['rtl']['revision'] = 'v0.15.0'
node.default['rtl']['revision'] = 'v0.15.2'
node.default['rtl']['host'] = '10.1.1.163'
node.default['rtl']['port'] = '3000'
node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
node.default['lndhub-go']['revision'] = '0.14.0'
node.default['lndhub-go']['revision'] = '1.0.2'
node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
node.default['lndhub-go']['port'] = 3026
node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
@@ -85,6 +75,8 @@ node.default['lndhub-go']['postgres']['port'] = 5432
node.default['lndhub-go']['default_rate_limit'] = 20
node.default['lndhub-go']['strict_rate_limit'] = 1
node.default['lndhub-go']['burst_rate_limit'] = 10
node.default['lndhub-go']['service_fee'] = 1
node.default['lndhub-go']['no_service_fee_up_to_amount'] = 1000
node.default['lndhub-go']['branding'] = {
'title' => 'LndHub - Kosmos Lightning',
'desc' => 'Kosmos accounts for the Lightning Network',
@@ -98,7 +90,7 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/
node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
node.default['nbxplorer']['revision'] = 'v2.5.0'
node.default['nbxplorer']['revision'] = 'v2.5.26'
node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
node.default['nbxplorer']['port'] = '24445'
@@ -106,7 +98,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
node.default['btcpay']['revision'] = 'v1.12.5'
node.default['btcpay']['revision'] = 'v2.1.1'
node.default['btcpay']['source_dir'] = '/opt/btcpay'
node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
@@ -119,3 +111,5 @@ node.default['btcpay']['postgres']['user'] = 'satoshi'
node.default['peerswap']['repo'] = 'https://github.com/ElementsProject/peerswap.git'
node.default['peerswap']['revision'] = 'master'
node.default['peerswap-lnd']['source_dir'] = '/opt/peerswap'
node.default['price_tracking']['rs_base_url'] = "https://storage.kosmos.org/kosmos/public/btc-price"
@@ -11,6 +11,7 @@ credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
file "/root/.aws/config" do
mode "600"
sensitive true
content lazy { <<-EOF
[default]
region = #{credentials["s3_region"]}
@@ -12,8 +12,15 @@ if node["bitcoin"]["blocksdir_mount_type"]
include_recipe "kosmos-bitcoin::blocksdir-mount"
end
%w{ libtool autotools-dev make automake cmake curl g++-multilib libtool
binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
apt_repository "ubuntu-toolchain-r" do
# provides g++-13, needed for better c++-20 support
uri "ppa:ubuntu-toolchain-r/test"
end
%w{
gcc-13 g++-13 libtool autotools-dev make automake cmake curl bison
binutils-gold pkg-config python3 patch
}.each do |pkg|
apt_package pkg
end
@@ -26,28 +33,21 @@ end
execute "compile_bitcoin-core_dependencies" do
cwd "/usr/local/bitcoind/depends"
command "make NO_QT=1"
environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
command "make -j $(($(nproc)/2))"
action :nothing
notifies :run, 'bash[compile_bitcoin-core]', :immediately
end
bash "compile_bitcoin-core" do
cwd "/usr/local/bitcoind"
environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
code <<-EOH
./autogen.sh
./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
make
cmake -B build --toolchain depends/x86_64-pc-linux-gnu/toolchain.cmake
cmake --build build -j $(($(nproc)/2))
cmake --install build
EOH
action :nothing
notifies :restart, "systemd_unit[bitcoind.service]", :delayed
end
link "/usr/local/bin/bitcoind" do
to "/usr/local/bitcoind/src/bitcoind"
end
link "/usr/local/bin/bitcoin-cli" do
to "/usr/local/bitcoind/src/bitcoin-cli"
end
bitcoin_user = node['bitcoin']['username']
@@ -1,87 +0,0 @@
#
# Cookbook:: kosmos-bitcoin
# Recipe:: boltz
#
include_recipe "git"
include_recipe "kosmos-bitcoin::golang"
git node['boltz']['source_dir'] do
repository node['boltz']['repo']
revision node['boltz']['revision']
action :sync
notifies :run, 'bash[compile_and_install_boltz]', :immediately
end
bash "compile_and_install_boltz" do
cwd node['boltz']['source_dir']
code <<-EOH
go mod vendor && \
make build && \
make install
EOH
action :nothing
notifies :restart, "systemd_unit[boltzd.service]", :delayed
end
bitcoin_user = node['bitcoin']['username']
bitcoin_group = node['bitcoin']['usergroup']
boltz_dir = node['boltz']['boltz_dir']
lnd_dir = node['lnd']['lnd_dir']
directory boltz_dir do
owner bitcoin_user
group bitcoin_group
mode '0750'
action :create
end
template "#{boltz_dir}/boltz.toml" do
source "boltz.toml.erb"
owner bitcoin_user
group bitcoin_group
mode '0640'
variables lnd_grpc_host: '127.0.0.1',
lnd_grpc_port: '10009',
lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
lnd_tlscert_path: "#{lnd_dir}/tls.cert",
boltz_config: node['boltz']
notifies :restart, "systemd_unit[boltzd.service]", :delayed
end
systemd_unit 'boltzd.service' do
content({
Unit: {
Description: 'Boltz Daemon',
Documentation: ['https://lnd.docs.boltz.exchange'],
Requires: 'lnd.service',
After: 'lnd.service'
},
Service: {
User: bitcoin_user,
Group: bitcoin_group,
Type: 'simple',
ExecStart: "/opt/boltz/boltzd",
Restart: 'always',
RestartSec: '30',
TimeoutSec: '240',
LimitNOFILE: '128000',
PrivateTmp: true,
ProtectSystem: 'full',
NoNewPrivileges: true,
PrivateDevices: true,
MemoryDenyWriteExecute: true
},
Install: {
WantedBy: 'multi-user.target'
}
})
verify false
triggers_reload true
action [:create, :enable, :start]
end
unless node.chef_environment == 'development'
node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
include_recipe 'backup'
end
@@ -21,6 +21,7 @@ bash 'build_btcpay' do
systemctl stop btcpayserver.service
./build.sh
EOH
environment "DOTNET_CLI_TELEMETRY_OPTOUT" => 1
action :nothing
notifies :restart, "service[btcpayserver]", :delayed
end
@@ -87,7 +88,7 @@ systemd_unit 'btcpayserver.service' do
Group: node['bitcoin']['usergroup'],
Type: 'simple',
WorkingDirectory: node['btcpay']['source_dir'],
Environment: defined?(nbxpg_connect) ? "'BTCPAY_EXPLORERPOSTGRES=#{nbxpg_connect}'" : '',
Environment: "'BTCPAY_EXPLORERPOSTGRES=#{nbxpg_connect}' 'DOTNET_CLI_TELEMETRY_OPTOUT=1'",
ExecStart: "#{node['btcpay']['source_dir']}/run.sh --conf=#{node['btcpay']['config_path']}",
PIDFile: '/run/btcpayserver/btcpayserver.pid',
Restart: 'on-failure',
@@ -103,6 +104,8 @@ systemd_unit 'btcpayserver.service' do
verify false
triggers_reload true
action [:create]
# reload is not applicable
notifies :restart, "service[btcpayserver]", :delayed
end
service "btcpayserver" do
@@ -5,7 +5,7 @@
# Internal recipe for managing the Go installation in one place
#
node.override['golang']['version'] = "1.20.3"
node.override['golang']['version'] = "1.23.1"
include_recipe "golang"
link '/usr/local/bin/go' do
@@ -10,12 +10,14 @@ include_recipe "kosmos-bitcoin::aws-client"
package "inotify-tools"
backup_script_path = "/opt/lnd-channel-backup-s3.sh"
backup_credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
template backup_script_path do
source "lnd-channel-backup-s3.sh.erb"
mode '0740'
variables lnd_dir: node['lnd']['lnd_dir'],
bitcoin_network: node['bitcoin']['network'],
s3_endpoint: backup_credentials['s3_endpoint'],
s3_bucket: node['backup']['s3']['bucket'],
s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
@@ -66,6 +66,8 @@ template "#{source_dir}/.env" do
default_rate_limit: node['lndhub-go']['default_rate_limit'],
strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
service_fee: 1,
no_service_fee_up_to_amount: 1000,
branding: node['lndhub-go']['branding'],
webhook_url: node['lndhub-go']['webhook_url'],
sentry_dsn: credentials['sentry_dsn']
@@ -58,9 +58,7 @@ directory '/run/nbxplorer' do
end
env = {
NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20",
NBXPLORER_AUTOMIGRATE: "1",
NBXPLORER_NOMIGRATEEVTS: "1"
NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20"
}
systemd_unit 'nbxplorer.service' do
@@ -0,0 +1,59 @@
#
# Cookbook:: kosmos-bitcoin
# Recipe:: price_tracking
#
# Track BTC rates and publish them via remoteStorage
#
%w[curl jq].each do |pkg|
apt_package pkg
end
daily_tracker_path = "/usr/local/bin/btc-price-tracker-daily"
credentials = Chef::EncryptedDataBagItem.load('credentials', 'kosmos-rs')
template daily_tracker_path do
source "btc-price-tracker-daily.sh.erb"
mode '0740'
variables rs_base_url: node['price_tracking']['rs_base_url']
notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
end
systemd_unit 'btc-price-tracker-daily.service' do
content({
Unit: {
Description: 'BTC price tracker (daily rates)',
After: 'network-online.target',
Wants: 'network-online.target'
},
Service: {
Type: 'oneshot',
ExecStart: daily_tracker_path,
Environment: "RS_AUTH=#{credentials["auth_tokens"]["/btc-price"]}"
},
Install: {
WantedBy: 'multi-user.target'
}
})
sensitive true
triggers_reload true
action [:create]
end
systemd_unit 'btc-price-tracker-daily.timer' do
content({
Unit: {
Description: 'Run BTC price tracker daily'
},
Timer: {
OnCalendar: '*-*-* 00:00:00',
Persistent: 'true'
},
Install: {
WantedBy: 'timers.target'
}
})
triggers_reload true
action [:create, :enable, :start]
end
+5 -7
View File
@@ -46,24 +46,22 @@ rtl_config = {
multiPassHashed: credentials["multiPassHashed"]
}
if node['boltz']
# TODO adapt for multi-node usage
rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
end
git rtl_dir do
user bitcoin_user
group bitcoin_group
repository node['rtl']['repo']
revision node['rtl']['revision']
notifies :run, "execute[npm_install]", :immediately
notifies :restart, "systemd_unit[#{app_name}.service]", :delayed
end
execute "npm install" do
execute "npm_install" do
cwd rtl_dir
environment "HOME" => rtl_dir
user bitcoin_user
# TODO remove --force when upstream dependency issues have been resolved
command "npm install --force"
action :nothing
end
file "#{rtl_dir}/RTL-Config.json" do
@@ -1,32 +0,0 @@
[LND]
# Host of the gRPC interface of LND
host = "<%= @lnd_grpc_host %>"
# Port of the gRPC interface of LND
port = <%= @lnd_grpc_port %>
# Path to a macaroon file of LND
# The daemon needs to have permission to read various endpoints, generate addresses and pay invoices
macaroon = "<%= @lnd_macaroon_path %>"
# Path to the TLS certificate of LND
certificate = "<%= @lnd_tlscert_path %>"
[RPC]
# Host of the gRPC interface
host = "<%= @boltz_config['grpc_host'] %>"
# Port of the gRPC interface
port = <%= @boltz_config['grpc_port'] %>
# Whether the REST proxy for the gRPC interface should be disabled
restDisabled = <%= @boltz_config['rest_disabled'] %>
# Host of the REST proxy
restHost = "<%= @boltz_config['rest_host'] %>"
# Port of the REST proxy
restPort = <%= @boltz_config['rest_port'] %>
# Whether the macaroon authentication for the gRPC and REST interface should be disabled
noMacaroons = <%= @boltz_config['no_macaroons'] %>
@@ -0,0 +1,49 @@
#!/bin/bash
# Calculate yesterday's date in YYYY-MM-DD format
YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
echo "Starting price tracking for $YESTERDAY" >&2
# Fetch and process rates for a fiat currency
get_price_data() {
local currency=$1
local data avg open24 last
data=$(curl -s "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/")
if [ $? -eq 0 ] && [ ! -z "$data" ]; then
echo "Successfully retrieved ${currency} price data" >&2
open24=$(echo "$data" | jq -r '.open_24')
last=$(echo "$data" | jq -r '.last')
avg=$(( (${open24%.*} + ${last%.*}) / 2 ))
echo $avg
else
echo "ERROR: Failed to retrieve ${currency} price data" >&2
exit 1
fi
}
# Get price data for each currency
usd_avg=$(get_price_data "USD")
eur_avg=$(get_price_data "EUR")
gbp_avg=$(get_price_data "GBP")
# Create JSON
json="{\"EUR\":$eur_avg,\"USD\":$usd_avg,\"GBP\":$gbp_avg}"
echo "Rates: $json" >&2
# PUT in remote storage
response=$(curl -X PUT \
-H "Authorization: Bearer $RS_AUTH" \
-H "Content-Type: application/json" \
-d "$json" \
-w "%{http_code}" \
-s \
-o /dev/null \
"<%= @rs_base_url %>/$YESTERDAY")
if [ "$response" -eq 200 ] || [ "$response" -eq 201 ]; then
echo "Successfully uploaded price data" >&2
else
echo "ERROR: Failed to upload price data. HTTP status: $response" >&2
exit 1
fi
@@ -3,5 +3,5 @@ set -xe -o pipefail
while true; do
inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
aws --endpoint <%= @s3_endpoint %> s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
done
@@ -12,7 +12,6 @@ minchansize=<%= @lnd_minchansize %>
autopilot.active=0
[Bitcoin]
bitcoin.active=1
bitcoin.mainnet=1
bitcoin.node=bitcoind
bitcoin.basefee=<%= @lnd_basefee %>
@@ -1,6 +1,6 @@
node.default["ejabberd"]["version"] = "23.10"
node.default["ejabberd"]["version"] = "24.02"
node.default["ejabberd"]["package_version"] = "1"
node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77"
node.default["ejabberd"]["checksum"] = "476c187b42074b88472fd1c8042418072e47962facd47dab4e5883f6f61b2173"
node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org"
node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org"
node.default["ejabberd"]["stun_turn_port"] = 3478
@@ -84,6 +84,12 @@ hosts = [
sql_database: "ejabberd",
ldap_enabled: true,
ldap_password: ejabberd_credentials['kosmos_ldap_password'],
certfiles: [
"/opt/ejabberd/conf/kosmos.org.crt",
"/opt/ejabberd/conf/kosmos.org.key",
"/opt/ejabberd/conf/kosmos.chat.crt",
"/opt/ejabberd/conf/kosmos.chat.key"
],
append_host_config: <<-EOF
modules:
mod_disco:
@@ -104,6 +110,7 @@ hosts = [
access_persistent: muc_create
access_register: muc_create
max_user_conferences: 1000
max_users: 2000
default_room_options:
mam: true
preload_rooms: true
@@ -114,6 +121,10 @@ hosts = [
sql_database: "ejabberd_5apps",
ldap_enabled: true,
ldap_password: ejabberd_credentials['5apps_ldap_password'],
certfiles: [
"/opt/ejabberd/conf/5apps.com.crt",
"/opt/ejabberd/conf/5apps.com.key"
],
append_host_config: <<-EOF
modules:
mod_disco:
@@ -155,7 +166,7 @@ admin_users = ejabberd_credentials['admins']
hosts.each do |host|
ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
if host[:name] == "kosmos.org"
ldap_filter = "(&(objectClass=person)(serviceEnabled=xmpp))"
ldap_filter = "(&(objectClass=person)(serviceEnabled=ejabberd))"
else
ldap_filter = "(objectClass=person)"
end
@@ -15,9 +15,9 @@ set -e
# letsencrypt live folder
for domain in $RENEWED_DOMAINS; do
case $domain in
kosmos.org|5apps.com)
cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key
cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
kosmos.org|kosmos.chat|5apps.com)
cp "/etc/letsencrypt/live/${domain}/privkey.pem" /opt/ejabberd/conf/$domain.key
cp "/etc/letsencrypt/live/${domain}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
chmod 600 /opt/ejabberd/conf/$domain.*
/opt/ejabberd-#{node["ejabberd"]["version"]}/bin/ejabberdctl reload_config
@@ -38,21 +38,29 @@ gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
template "/root/gandi_dns_certbot_hook.sh" do
variables access_token: gandi_api_credentials["access_token"]
mode 0700
sensitive true
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for kosmos xmpp" do
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n"
execute "letsencrypt cert for kosmos.org domains" do
command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d upload.kosmos.org -d proxy.kosmos.org -d pubsub.kosmos.org -d uploads.xmpp.kosmos.org -n"
not_if do
File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
end
end
execute "letsencrypt cert for kosmos.chat" do
command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.chat -n"
not_if do
File.exist?("/etc/letsencrypt/live/kosmos.chat/fullchain.pem")
end
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for 5apps xmpp" do
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.chat\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.chat\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
not_if do
File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
end
@@ -1,10 +1,8 @@
loglevel: 4
log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1
log_rate_limit: 100
loglevel: info
hide_sensitive_log_data: true
hosts:
<% @hosts.each do |host| -%>
@@ -95,6 +93,8 @@ auth_method: sql
default_db: sql
update_sql_schema: true
shaper:
normal:
rate: 3000
@@ -185,8 +185,11 @@ api_permissions:
what:
- "add_rosteritem"
- "delete_rosteritem"
- "send_message"
- "get_vcard2"
- "muc_register_nick"
- "private_set"
- "send_message"
- "send_stanza"
language: "en"
@@ -216,7 +219,7 @@ modules:
access_createnode: pubsub_createnode
ignore_pep_from_offline: false
last_item_cache: false
max_items_node: 10
max_items_node: 10000
plugins:
- "flat"
- "pep" # pep requires mod_caps
@@ -231,7 +234,6 @@ modules:
mod_shared_roster: {}
mod_stun_disco:
offer_local_services: false
credentials_lifetime: 300
secret: <%= @stun_secret %>
services:
-
@@ -1,7 +1,8 @@
# Generated by Chef for <%= @host[:name] %>
certfiles:
- "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
- "/opt/ejabberd/conf/<%= @host[:name] %>.key"
<% @host[:certfiles].each do |certfile| %>
- <%= certfile %>
<% end %>
host_config:
"<%= @host[:name] %>":
sql_type: pgsql
@@ -4,6 +4,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
tls_cert_for domain do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org"
action :create
end
@@ -5,6 +5,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
tls_cert_for domain do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org"
action :create
end
@@ -1,5 +1,5 @@
node.default["kosmos-mastodon"]["repo"] = "https://gitea.kosmos.org/kosmos/mastodon.git"
node.default["kosmos-mastodon"]["revision"] = "production"
node.default["kosmos-mastodon"]["revision"] = "production-4.3"
node.default["kosmos-mastodon"]["directory"] = "/opt/mastodon"
node.default["kosmos-mastodon"]["bind_ip"] = "127.0.0.1"
node.default["kosmos-mastodon"]["app_port"] = 3000
@@ -20,6 +20,10 @@ node.default["kosmos-mastodon"]["s3_region"] = nil
node.default["kosmos-mastodon"]["s3_bucket"] = nil
node.default["kosmos-mastodon"]["s3_alias_host"] = nil
node.default["kosmos-mastodon"]["sso_account_sign_up_url"] = "https://kosmos.org"
node.default["kosmos-mastodon"]["sso_account_reset_password_url"] = "https://accounts.kosmos.org/users/password/new"
node.default["kosmos-mastodon"]["sso_account_resend_confirmation_url"] = "https://accounts.kosmos.org/users/confirmation/new"
node.default["kosmos-mastodon"]["default_locale"] = "en"
node.default["kosmos-mastodon"]["libre_translate_endpoint"] = nil
@@ -6,13 +6,12 @@
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
unless node.chef_environment == "development"
unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
node.override['backup']['s3']['keep'] = 1
node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
username: "mastodon",
password: postgresql_data_bag_item['mastodon_user_password']
}
end
include_recipe "backup"
end
@@ -3,7 +3,7 @@
# Recipe:: default
#
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_16.x"
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
include_recipe "kosmos-nodejs"
include_recipe "java"
@@ -71,11 +71,7 @@ package %w(build-essential imagemagick ffmpeg libxml2-dev libxslt1-dev file git
curl pkg-config libprotobuf-dev protobuf-compiler libidn11
libidn11-dev libjemalloc2 libpq-dev)
npm_package "yarn" do
version "1.22.4"
end
ruby_version = "3.3.0"
ruby_version = "3.3.5"
ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
bundle_path = "#{ruby_path}/bin/bundle"
@@ -190,9 +186,13 @@ template "#{mastodon_path}/.env.#{rails_env}" do
mode "0640"
owner mastodon_user
group mastodon_user
sensitive true
variables redis_url: node["kosmos-mastodon"]["redis_url"],
domain: node["kosmos-mastodon"]["domain"],
alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
active_record_encryption_deterministic_key: credentials["active_record_encryption_deterministic_key"],
active_record_encryption_key_derivation_salt: credentials["active_record_encryption_key_derivation_salt"],
active_record_encryption_primary_key: credentials["active_record_encryption_primary_key"],
paperclip_secret: credentials['paperclip_secret'],
secret_key_base: credentials['secret_key_base'],
otp_secret: credentials['otp_secret'],
@@ -210,6 +210,9 @@ template "#{mastodon_path}/.env.#{rails_env}" do
vapid_public_key: credentials['vapid_public_key'],
db_pass: postgresql_credentials['mastodon_user_password'],
db_host: "pg.kosmos.local",
sso_account_sign_up_url: node["kosmos-mastodon"]["sso_account_sign_up_url"],
sso_account_reset_password_url: node["kosmos-mastodon"]["sso_account_reset_password_url"],
sso_account_resend_confirmation_url: node["kosmos-mastodon"]["sso_account_resend_confirmation_url"],
default_locale: node["kosmos-mastodon"]["default_locale"],
allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],
libre_translate_endpoint: node["kosmos-mastodon"]["libre_translate_endpoint"]
@@ -227,7 +230,7 @@ execute "yarn install" do
environment deploy_env
user mastodon_user
cwd mastodon_path
command "yarn install --frozen-lockfile"
command "corepack prepare && yarn install --immutable"
end
execute "rake assets:precompile" do
@@ -262,6 +265,44 @@ service "mastodon-streaming" do
action [:enable, :start]
end
#
# Delete cached remote media older than 30 days
# Will be re-fetched if necessary
#
systemd_unit 'mastodon-delete-old-media-cache.service' do
content({
Unit: {
Description: 'Delete old Mastodon media cache'
},
Service: {
Type: "oneshot",
WorkingDirectory: mastodon_path,
Environment: "RAILS_ENV=#{rails_env}",
ExecStart: "#{bundle_path} exec bin/tootctl media remove --days 30",
}
})
triggers_reload true
action [:create]
end
systemd_unit 'mastodon-delete-old-media-cache.timer' do
content({
Unit: {
Description: 'Delete old Mastodon media cache'
},
Timer: {
OnCalendar: '*-*-* 00:00:00',
Persistent: 'true'
},
Install: {
WantedBy: 'timer.target'
}
})
triggers_reload true
action [:create, :enable, :start]
end
firewall_rule "mastodon_app" do
port node['kosmos-mastodon']['app_port']
source "10.1.1.0/24"
@@ -12,6 +12,13 @@ search(:node, "role:mastodon").each do |node|
end
if upstream_hosts.any?
web_root_dir = "/var/www/#{server_name}/public"
directory web_root_dir do
action :create
recursive true
owner 'www-data'
group 'www-data'
mode 0755
end
else
web_root_dir = "#{app_dir}/public"
upstream_hosts << "localhost"
@@ -12,6 +12,9 @@ LOCAL_HTTPS=true
# Application secrets
# Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=<%= @active_record_encryption_deterministic_key %>
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=<%= @active_record_encryption_key_derivation_salt %>
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=<%= @active_record_encryption_primary_key %>
PAPERCLIP_SECRET=<%= @paperclip_secret %>
SECRET_KEY_BASE=<%= @secret_key_base %>
OTP_SECRET=<%= @otp_secret %>
@@ -44,6 +47,9 @@ LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
SSO_ACCOUNT_SIGN_UP=<%= @sso_account_sign_up_url %>
SSO_ACCOUNT_RESET_PASSWORD=<%= @sso_account_reset_password_url %>
SSO_ACCOUNT_RESEND_CONFIRMATION=<%= @sso_account_resend_confirmation_url %>
<% end %>
# Optional asset host for multi-server setups
@@ -59,7 +59,7 @@ cookbook_file "#{node["nginx"]["user_home"]}/maintenance.html" do
source "maintenance.html"
owner node['nginx']['user']
group node['nginx']['group']
mode "0640"
mode "0755"
end
unless node.chef_environment == "development"
@@ -3,20 +3,23 @@
# Recipe:: default
#
node.default['postfix']['main']['smtp_tls_CAfile'] = '/etc/ssl/certs/ca-certificates.crt'
node.default['postfix']['main']['smtpd_tls_CAfile'] = '/etc/ssl/certs/ca-certificates.crt'
node.default["postfix"]["main"]["smtp_tls_CAfile"] = "/etc/ssl/certs/ca-certificates.crt"
node.default["postfix"]["main"]["smtpd_tls_CAfile"] = "/etc/ssl/certs/ca-certificates.crt"
return if node.run_list.roles.include?("email_server")
smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
smtp_credentials = Chef::EncryptedDataBagItem.load("credentials", "smtp")
node.default['postfix']['sasl']['smtp_sasl_user_name'] = smtp_credentials['user_name']
node.default['postfix']['sasl']['smtp_sasl_passwd'] = smtp_credentials['password']
node.default['postfix']['sasl_password_file'] = "#{node['postfix']['conf_dir']}/sasl_passwd"
# Postfix doesn't support smtps relayhost, use STARTSSL instead
node.default['postfix']['main']['relayhost'] = smtp_credentials['relayhost']
node.default['postfix']['main']['smtp_sasl_auth_enable'] = 'yes'
node.default['postfix']['main']['smtp_sasl_password_maps'] = "hash:#{node['postfix']['sasl_password_file']}"
node.default['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
node.default["postfix"]["sasl"] = {
smtp_credentials["relayhost"] => {
"username" => smtp_credentials["user_name"],
"password" => smtp_credentials["password"]
}
}
include_recipe 'postfix::default'
# Postfix doesn"t support smtps relayhost, use STARTSSL instead
node.default["postfix"]["main"]["relayhost"] = smtp_credentials["relayhost"]
node.default["postfix"]["main"]["smtp_sasl_auth_enable"] = "yes"
node.default["postfix"]["main"]["smtp_sasl_security_options"] = "noanonymous"
include_recipe "postfix::default"
@@ -26,7 +26,7 @@ template "#{deploy_path}/docker-compose.yml" do
mode 0640
variables domain: node["kosmos_drone"]["domain"],
upstream_port: node["kosmos_drone"]["upstream_port"],
gitea_server: "https://#{node["kosmos_gitea"]["nginx"]["domain"]}",
gitea_server: "https://#{node["gitea"]["domain"]}",
client_id: credentials['client_id'],
client_secret: credentials['client_secret'],
rpc_secret: credentials['rpc_secret'],
@@ -1,13 +1,21 @@
node.default["gitea"]["version"] = "1.22.0"
node.default["gitea"]["checksum"] = "a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d"
node.default["gitea"]["version"] = "1.23.8"
node.default["gitea"]["checksum"] = "827037e7ca940866918abc62a7488736923396c467fcb4acd0dd9829bb6a6f4c"
node.default["gitea"]["repo"] = nil
node.default["gitea"]["revision"] = nil
node.default["gitea"]["working_directory"] = "/var/lib/gitea"
node.default["gitea"]["port"] = 3000
node.default["gitea"]["postgresql_host"] = "localhost:5432"
node.default["gitea"]["domain"] = "gitea.kosmos.org"
node.default["gitea"]["config"] = {
"log": {
"level" => "Info",
"logger.router.MODE" => "",
"logger.xorm.MODE" => "",
"logger.access.MODE" => ""
},
"actions": {
"enabled": true
"enabled" => true
},
"webhook": {
"allowed_host_list" => "external,127.0.1.1"
+4 -1
View File
@@ -10,5 +10,8 @@ chef_version '>= 14.0'
depends "firewall"
depends "kosmos_openresty"
depends "kosmos_postgresql"
depends "backup"
depends "kosmos-dirsrv"
depends 'kosmos-nodejs'
depends 'git'
depends 'golang'
depends "backup"
@@ -8,5 +8,6 @@
unless node.chef_environment == "development"
# backup the data dir and the config files
node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
node.override['backup']['s3']['keep'] = 2
include_recipe "backup"
end
@@ -0,0 +1,42 @@
#
# Cookbook:: kosmos_gitea
# Recipe:: compile_from_source
#
# Compiles/installs Gitea from source
#
include_recipe "git"
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
include_recipe 'kosmos-nodejs'
node.override["golang"]["version"] = "1.23.9"
include_recipe "golang"
link "/usr/local/bin/go" do
to "/usr/local/go/bin/go"
end
source_dir = "/opt/gitea"
git source_dir do
repository node["gitea"]["repo"]
revision node["gitea"]["revision"]
action :sync
notifies :run, "execute[npm_install]", :immediately
end
execute "npm_install" do
cwd source_dir
command "npm ci"
action :nothing
notifies :run, "bash[compile_gitea]", :immediately
end
bash "compile_gitea" do
cwd source_dir
environment "TAGS" => "bindata"
code "make build"
action :nothing
notifies :restart, "service[gitea]", :delayed
end
@@ -5,11 +5,12 @@
version = node["gitea"]["version"]
download_url = "https://dl.gitea.io/gitea/#{version}/gitea-#{version}-linux-amd64"
compile_from_source = node["gitea"]["repo"] && node["gitea"]["revision"]
working_directory = node["gitea"]["working_directory"]
git_home_directory = "/home/git"
repository_root_directory = "#{git_home_directory}/gitea-repositories"
config_directory = "/etc/gitea"
gitea_binary_path = "/usr/local/bin/gitea"
gitea_binary_path = compile_from_source ? "/opt/gitea/gitea" : "/usr/local/bin/gitea"
gitea_data_bag_item = data_bag_item("credentials", "gitea")
smtp_credentials = data_bag_item("credentials", "smtp")
smtp_addr = smtp_credentials["relayhost"].split(":")[0]
@@ -18,7 +19,6 @@ jwt_secret = gitea_data_bag_item["jwt_secret"]
internal_token = gitea_data_bag_item["internal_token"]
secret_key = gitea_data_bag_item["secret_key"]
# Dependency
package "git"
user "git" do
@@ -108,11 +108,15 @@ template "#{config_directory}/app.ini" do
notifies :restart, "service[gitea]", :delayed
end
remote_file gitea_binary_path do
if compile_from_source
include_recipe "kosmos_gitea::compile_from_source"
else
remote_file gitea_binary_path do
source download_url
checksum node['gitea']['checksum']
mode "0755"
notifies :restart, "service[gitea]", :delayed
end
end
execute "systemctl daemon-reload" do
@@ -24,9 +24,11 @@ NAME = gitea
USER = gitea
PASSWD = <%= @postgresql_password %>
SSL_MODE = disable
MAX_OPEN_CONNS = 20
[repository]
ROOT = <%= @repository_root_directory %>
DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
# [indexer]
# ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
@@ -73,7 +75,10 @@ ENABLE_OPENID_SIGNUP = false
[log]
MODE = console
LEVEL = Debug
LEVEL = <%= @config["log"]["level"] %>
logger.router.MODE = <%= @config["log"]["logger.router.MODE"] %>
logger.xorm.MODE = <%= @config["log"]["logger.xorm.MODE"] %>
logger.access.MODE = <%= @config["log"]["logger.access.MODE"] %>
[attachment]
ENABLED = true
@@ -16,7 +16,7 @@ server {
add_header Strict-Transport-Security "max-age=31536000";
client_max_body_size 20M;
client_max_body_size 121M;
location ~ ^/(avatars|repo-avatars)/.*$ {
proxy_buffers 1024 8k;
@@ -10,16 +10,6 @@ upstream _<%= @app_name %> {
# TODO use cookbook attribute when enabling
# variables_hash_max_size 2048;
server {
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
listen [::]:80;
server_name <%= @server_name %>;
# Redirect to https
location / {
return 301 https://<%= @server_name %>$request_uri;
}
}
server {
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;

Some files were not shown because too many files have changed in this diff Show More