Upgrade Deno

Adapt strfry config to cookbook changes, increase allowed event size
Update node info
2025-06-02 10:53:38 +04:00 · 2025-06-01 20:06:47 +04:00 · 2025-06-01 20:06:32 +04:00 · 2025-05-31 12:26:28 +00:00 · 2025-05-31 15:29:18 +04:00 · 2025-05-31 15:29:03 +04:00
94 changed files with 979 additions and 517 deletions
--- a/README.md
+++ b/README.md
@ -38,6 +38,10 @@ Clone this repository, `cd` into it, and run:
    knife zero bootstrap ubuntu@zerotier-ip-address -x ubuntu --sudo --run-list "role[base],role[kvm_guest]" --secret-file .chef/encrypted_data_bag_secret
 ### Bootstrap a new VM with environment and role/app (postgres replica as example)
    knife zero bootstrap ubuntu@10.1.1.134 -x ubuntu --sudo --environment production --run-list "role[base],role[kvm_guest],role[postgresql_replica]" --secret-file .chef/encrypted_data_bag_secret
 ### Run Chef Zero on a host server
    knife zero converge -p2222 name:server-name.kosmos.org
--- a/clients/garage-10.json
+++ b/clients/garage-10.json
@ -0,0 +1,4 @@
 {
  "name": "garage-10",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw2+3Wo+KkXVJCOX1SxT9\nSdwKXgPbCDM3EI9uwoxhMxQfRyN53dxIsBDsQUVOIe1Z8yqm4FenMQlNmeDR+QLE\nvNFf1fisinW+D9VVRm+CjcJy96i/Dyt786Z6YRrDlB860HxCbfTL2Zv5BRtbyIKg\nhz5gO+9PMEpPVR2ij9iue4K6jbM1AAL2ia/P6zDWLJqeIzUocCeHV5N0Z3jXH6qr\nf444v78x35MMJ+3tg5h95SU1/PDCpdSTct4uHEuKIosiN7p4DlYMoM5iSyvVoujr\nflRQPEpGzS9qEt3rDo/F4ltzYMx6bf1tB/0QaBKD+zwPZWTTwf61tSBo5/NkGvJc\nFQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-11.json
+++ b/clients/garage-11.json
@ -0,0 +1,4 @@
 {
  "name": "garage-11",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfZcNEQojtmaogd9vGP/\nMsVPhAOlQ4kxKgrUas+p+XT7lXRan6b3M8UZEleIaL1HWsjSVwtFWRnNl8kg8rF8\nNEkLeOX8kHf7IoXDFOQa2TXanY8tSqrfh9/heFunt4Q3DluVt7S3bBdwukbDXm/n\nXJS2EQP33eJT4reL6FpVR0oVlFCzI3Vmf7ieSHIBXrbXy7AIvGC2+NVXvQle6pqp\nx0rqU6Wc6ef/VtIv+vK3YFnt9ue3tC63mexyeNKgRYf1YjDx61wo2bOY2t8rqN8y\nHeZ3dmAN8/Vwjk5VGnZqK7kRQ92G4IcE+mEp7MuwXcLqQ9WB960o+evay+o1R5JS\nhwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-4.json
+++ b/clients/garage-4.json
@ -1,4 +0,0 @@
 {
  "name": "garage-4",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8it7QtT6zDiJJqlyHKfQ\nLqwu6bLblD15WWxlUSiOdhz3njWDv1BIDCAdkCR3HAXgxvk8sMj9QkvWS7u1+bc4\nxvHrY4Tgfg+Tk1h3gGa7ukll8s1WLIbGjj89vrK8PFr4iuDqRytYRMmcdMsNzPkS\nKcsOjFYWGV7KM/OwoQGVIOUPB+WtkrFAvNkXtIU6Wd5orzFMjt/9DPF2aO7QegL8\nG1mQmXcPGl9NSDUXptn/kzFKm/p4n7pjy6OypFT192ak7OA/s+CvQlaVE2tb/M3c\ne4J6A+PInV5AGKY6BxI3QRQLZIlqE0FXawFKr1iRU4JP4tVnICXZqy+SDXQU1zar\nTQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-5.json
+++ b/clients/garage-5.json
@ -1,4 +0,0 @@
 {
  "name": "garage-5",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJxLFOBbml94W/GAe7nm\ntZs1Ziy8IbqXySsm8bSwWhRMQ8UuseqQLG30R3Q5X5AoJbtNfd26l63qLtP2fFtL\n5km9dV+2FoIJWFetl8Wzr7CaLYAiNzTQSFHlV7+6DKmPMDcJ63GKrFR77vkSGOG6\nOWL1bJy5BOaClp/sKL/0WQ0+mRbTP6RCQ2eI+46clAg702SenBU6Nz9HDm+teKN7\nYlP1CvzXgfgfpDOsat7wGn5+oKcmKavZxcdn8bt5jRpg8v3JezaZIjMXt7XcNS4n\n0F4XO/efnZE5B5SN68j4BpD8N79zJw4HlRIGP+RaYv2qLtBeWgLHCCs9wXQXfj6b\nLwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-6.json
+++ b/clients/garage-6.json
@ -1,4 +0,0 @@
 {
  "name": "garage-6",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwasYgWLM8ShvirFiKRE6\nGWqc3pMlvcrk4YnWAUW5Y/H26EnyexxWNfnwlEcq8thJ3M3hs7zkoF3Yk4uqX869\n4/niYqXwYgeE1K3gzLp4K1+w3yVupYAFVFStVEHJyuMlLJ+ulDEGvNdQDuIfw7+E\nr6DcDLa1o92Eo0wL1ihYyMilduH0LdFTixL+tEBXbbPWBa3RDJJCFsRF1+UC6hAH\nzmaWL661Gdzdabxjm/FlGUYkdbDqeInZq/1GMQqv+9/DcNRkWA9H7i4Ykrfpx4/2\nRZ8xtx/DbnJVB1zYoORygFMMAkTu5E+R8ropeI7Wi77Yq0S7laiRlYQYQml3x9ak\nzQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-9.json
+++ b/clients/garage-9.json
@ -0,0 +1,4 @@
 {
  "name": "garage-9",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnMHzKE8JBrsQkmRDeMjX\n71mBzvRzNM90cwA8xtvIkXesdTyGqohX9k/PJbCY5ySGK9PpMaYDPVAnwnUP8LFQ\n3G98aSbLxUjqU/PBzRsnWpihehr05uz9zYcNFzr4LTNvGQZsq47nN9Tk+LG3zHP7\nAZViv2mJ4ZRnukXf6KHlyoVvhuTu+tiBM8QzjTF97iP/aguNPzYHmrecy9Uf5bSA\nZrbNZT+ayxtgswC2OclhRucx7XLSuHXtpwFqsQzSAhiX1aQ3wwCyH9WJtVwpfUsE\nlxTjcQiSM9aPZ8iSC0shpBaKD1j3iF/2K2Jk+88++zMhJJPLermvaJxzsdePgvyk\nKQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-5.json
+++ b/clients/postgres-5.json
@ -1,4 +0,0 @@
 {
  "name": "postgres-5",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXZv6Gk+dhIVkTXH9hJ1\nt2oqsMSLmTUj71uPN+4j0rxCQriXa095Nle9ifJAxfwzQyKEpWKyZd1Hpyye6bL1\nwgWATZ/u5ZS4B63NhRFyDxgPlHWBBohaZBN42zeq0Y0PNGHPVGDH/zFDrpP22Q9Q\nYScsyXTauE/Yf8a/rKR5jdnoVsVVMxk0LHxka8FcM2cqVsDAcK7GqIG6epqNFY8P\nUb1P+mVxRwnkzvf1VtG212ezV/yw9uiQcUkHS+JwZMAgbC34k9iDyRmk6l4sj/Zk\nNem20ImMqdDzsrX8zEe21K+KNvpejPH9fxaNCwR8W+woBMMzqD3I7P9PbLjc70Rx\nRwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-7.json
+++ b/clients/postgres-7.json
@ -0,0 +1,4 @@
 {
  "name": "postgres-7",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-8.json
+++ b/clients/postgres-8.json
@ -0,0 +1,4 @@
 {
  "name": "postgres-8",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx88DgM/x1UbKRzgPexXE\nSyfrAsqaDVjqZz7yF3tqAc9A52Ol0KOM6NESoPWBVMbS86WtAjBcMHcOoQBJ+ovp\nXcjNlRtO1Il6/d4uCRr4CEDX+yeS0Qrt0SOORnoTbVlkq9VlVljyCmxk8VBCILzk\ndHvFr62mahMy6vOEcpCQgCwYE3ISH2jlTDz2agoK/CjIyyqFTlB1N7mJVGLrJdcA\nA2JOxDRE8HqOdpY7bHcHj4uyMWaKuM3zxXK04lhrvuPRfJUhXgsK9r5jeTEa8407\nqV9K+mB17R1dBeHmWEPDRt02HELe2SUjYmlmyVX73H2mWKDLBFpAFjOfz86CJ6jf\nDQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/data_bags/credentials/akkounts.json
+++ b/data_bags/credentials/akkounts.json
@ -1,72 +1,93 @@
 {
  "id": "akkounts",
-  "postgresql_username": {
+  "rails_master_key": {
-    "encrypted_data": "bDlOkEmhvMgyVzPeTNUzYnzRLf3T9cc0cDxt\n",
+    "encrypted_data": "q/0BtGuFZJQhw+iG4ZmFG12DPaWQDGTb/nCmRoxOnsACkANqMv/zZ39CoNFe\nLPtZiItY\n",
-    "iv": "GCCUoqU5pxQ7fGkv\n",
+    "iv": "JV8R0iu6TrqcZRxL\n",
-    "auth_tag": "Q7mrSHIBluMe3CGVmoR86Q==\n",
+    "auth_tag": "YxZIhEUnrd3XrwR6f9wO4A==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
-  "postgresql_password": {
+  "rails_secret_key_base": {
-    "encrypted_data": "wD0HtdsNe/hl4ZaOy8hyr2k4z8TXQrrSja3KNVE47w==\n",
+    "encrypted_data": "JmDQew3+OR6+yJ1xErwXeTn6jw8N2HwTc9yvAVJ3G+7w1s3N7rKDM6+M50ez\n2zP4Lm/eXzH4WTsTZlQcodlyNpi66pvUCGAkNM36rwTN5yvnhqPUmuSQi7AG\nDTBronBwr9ENvwA/gRuugyyhrRB1iuStpzpYKCMhZ2ae9Mrxdux0+ezfSLn4\nuP22uUrEqdQ/BWsW\n",
-    "iv": "tb5yz8WDer0CsGvJ\n",
+    "iv": "U/+YncCk13U6bYMz\n",
-    "auth_tag": "/+K2anuCff/6M7Pu70Smqw==\n",
+    "auth_tag": "2wPYJ/uVPv4jLKpAW/x6sw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_encryption_primary_key": {
    "encrypted_data": "u/7z91Og/2eM7PWi2JWYAQMhYX4S5+bMMeVpkFPu778Gqj6Td9pagsWIak/d\nb7AU1zjF\n",
    "iv": "wYhrJWcuWbY8yo8S\n",
    "auth_tag": "WEoEdNy6VBvB2d5gb8DTXw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_encryption_key_derivation_salt": {
    "encrypted_data": "noOwTZuxfhsH94bjOT9rWCKS9rb3wAoXELGrc4nJZeNrb/B9XnOLTuK/wen8\nfmtoym0P\n",
    "iv": "jiFWs3VXhJdQBNqk\n",
    "auth_tag": "XDpJFgadYp7LyRqU7SO+Fg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "postgresql": {
    "encrypted_data": "Xorg8R8COxE/Swivu8MqZiwstD6rD+8FmgDx70pFscZ/CTb6WQRpyqGSrGZt\nZ7oL9WrqZs+mQgBb30odU+Sgdr6x\n",
    "iv": "6QWZc3+MY0hBCc/s\n",
    "auth_tag": "ZM+7OYyx5E9PciNG2OILhg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "ldap": {
    "encrypted_data": "mr2Z7hXF1GOn8RmqeZMMdaUcmiVP4ZeKtTX6RYW1cR+FQiUwoITwTPBE9XUx\n2cqZ9Mcd8uJicmf9vd+PfwPtRtoZFwqHQ4LDRFLW64hBZyiEkZWxWW+HzgPr\n",
    "iv": "k1AkyEplnJ4IZO1Z\n",
    "auth_tag": "zAOcrPex3VLDfRFq38n7fA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "sentry_dsn": {
-    "encrypted_data": "jCz681x0WVixHYZUb62TO+1cgyJMiJ2UMqWcaztx57yDBOIiKW3oSZjuXdhP\n9WCesfXQF/lgzITZno3IKDqzlKjWgbGLC75y8FLguxidCHI=\n",
+    "encrypted_data": "51cAERaRBCRg/sMb5c13EcnJzsz6VEf7jx6X3ooUSzm9wHoEfC5Hs/qakr/D\nqm9x3s3aGURRzyLUIEoe9jCohGguh6ehrXYVrun0B6pghVU=\n",
-    "iv": "IRNOzN/hLwg1iqax\n",
+    "iv": "hJsiiW6dFQMEQ+2p\n",
-    "auth_tag": "eg9dWnEK04JDb94e4CFa9Q==\n",
+    "auth_tag": "TOIahNrUhhsdQGlzp6UV5g==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_master_key": {
    "encrypted_data": "nUB77VLRp41rluH7hLBwQqPtnh/HsmfLr2VbcIZHWawL3o2TGuY+mj648f9L\n7XsEpgqY\n",
    "iv": "fpdbDitqTRHxEKiv\n",
    "auth_tag": "I44fn8Ott3L/Y5LYr56U/Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "discourse_connect_secret": {
-    "encrypted_data": "ENtMn+1XTVFmdEZw7LU6WGoMbSZY654ggm3vPACGfFgqo6r0LhG60c5OTdqv\nZvT5/Q==\n",
+    "encrypted_data": "pvKcwuZgUJsAvClQ4V0BwhwEg09EUEWVxoSx+mFlfG1KpvZE4Cu3u3PalPSD\nldyKsw==\n",
-    "iv": "bL1BmvRhgxFqSM1P\n",
+    "iv": "ED85d6PKyaKB3Wlv\n",
-    "auth_tag": "sEBZzGWwwYFHn+4B4SsyCA==\n",
+    "auth_tag": "XVCU/WigC97tNe0bUK6okQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "lndhub_admin_token": {
-    "encrypted_data": "4LPGFoARzI8UYnsJPIk8sax/rAA16pUULEZWn86e2C7L\n",
+    "encrypted_data": "LvCgahQblsKOxK9iNbwDd31atBfemVppHqV7s3K/sR4j\n",
-    "iv": "nvjXrOwgfgutwEVw\n",
+    "iv": "zObzh2jEsqXk2vD2\n",
-    "auth_tag": "A89RUf1sdcS3FVscNPWYLg==\n",
+    "auth_tag": "n9m/sBYBfzggwQLWrGpR2Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "btcpay_auth_token": {
-    "encrypted_data": "ky5iWYF06os0Ek6vIRzWqMTekqJhCOh/Q9DTDIeKhSyk8TnT3O71lCNEt1F5\nXCNq6ux3V6oyHVLWj0o=\n",
+    "encrypted_data": "M4kGd6+jresm90nWrJG25mX6rfhaU+VlJlIVd/IjOAUsDABryyulJul3GZFh\nFPSI4uEhgIWtn56I0bA=\n",
-    "iv": "zk6WnxsY89oNW1F9\n",
+    "iv": "hvqHm7A/YfUOJwRJ\n",
-    "auth_tag": "FAIMXKvQ1T7QKezVSNJbwQ==\n",
+    "auth_tag": "DhtT6IeixD1MSRX+D7JxZA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_access_key": {
-    "encrypted_data": "KfhfEGwPjOonlz6rpnNTinXFPqX/sIbqQn/aby0UDi/G/7cvEcOiNcCkfuSz\n",
+    "encrypted_data": "FPRpLZoIbLcVWPJhOlX7ZeXGv6TZIWYAD+BKTsJOyOHxDG3eRULqQc89cGWi\n",
-    "iv": "Q3rg06v6K9pUDLDY\n",
+    "iv": "f9WiiGLmDxtygp60\n",
-    "auth_tag": "G5ugdlJ896KtYtObKLclJA==\n",
+    "auth_tag": "lGnq4itmByuF/Yp20/6coQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_secret_key": {
-    "encrypted_data": "N8s1OoDrYXHjqSydQA0kY7dd68Aelq4+/cgmJlYfP92u4YA17V4TR7fsvQZL\nkqjuUSClNYPc0XiCwf/5gxVirE9AO6OmmvSV7lUyu4hcEY6unrU=\n",
+    "encrypted_data": "JnnwISbHJ+d7JZB/C0NH0fb8p+bDSwoq5t5knSi+bSTltSxKcq6PRX9K6bov\nEbo0GTdWePbuc5NCsyYxfrkzCtpLXTIxeCROtinRmFIgMFNwaOA=\n",
-    "iv": "bXzIVWnX6V0P6PRb\n",
+    "iv": "pKPCaANDqGtbFV3V\n",
-    "auth_tag": "1EOjCfsX9P6ETjUsgBvBsA==\n",
+    "auth_tag": "S//hn2HOhuZH8+UfCNBWDg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "nostr_private_key": {
-    "encrypted_data": "Sf8PEyQ0sqcgxddSlIDxLOVzPjOkTFObsYuTgcxkbEV7igrati4e8QVVUEBD\n1yoLJXelp8jlCr28Ectci29jc53gYSMTLSQsw97uYas2R0dGCqQ=\n",
+    "encrypted_data": "AKfFiLow+veDyEWBwmCDuLerT3l+o2aJUCeHg2mZZIyoH4oeo/9crZwIdjBn\n70reouqnHNG9mBHuO/+IPGfj53mHLo+oGHh+6LkL3ImI4MFBofY=\n",
-    "iv": "+1CIUyvIUOveLrY4\n",
+    "iv": "bPlOKk2qkJAzdKf+\n",
-    "auth_tag": "GDqS+IuAIfMBmHIeFXaV7A==\n",
+    "auth_tag": "VIp1IOjBGatn2MN5LHVymg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/data_bags/credentials/backup.json
+++ b/data_bags/credentials/backup.json
@ -1,27 +1,38 @@
 {
  "id": "backup",
  "s3_access_key_id": {
-    "encrypted_data": "emGNH4v7TTEh05Go/DsI3k7CFnaK4p/4JxodC4BYpyWw47/Z3dsuRMu4vXM3\n3YLH\n",
+    "encrypted_data": "245TrPvuoBRRTimhbt6qqsFb+JnnD377sPt1pguJy7Q2BXOy/jrX0wyMt+cP\nuA==\n",
-    "iv": "Dau+ekb3UTYdl8w3fQKVcA==\n",
+    "iv": "ylmRxSRO3AA4MSJN\n",
-    "version": 1,
+    "auth_tag": "45tBcYZowPLrbv4Zu2P0Fw==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_secret_access_key": {
-    "encrypted_data": "Mxyly86JxrWUbubbSiqPdRosChzfI1Q8eBEG4n+2B9JJG4yExltO5Wc5kgSs\nX01MPXAc+PGLm+J9MngUtypo/g==\n",
+    "encrypted_data": "jDIOjlBzTkBUzpj243T6KnBuH0qwyW7BUFMcqllljFSzxs7K8wYJOUreNbOP\ny8OpDWAuO0H4O4LuFMJXeM8=\n",
-    "iv": "WRhBJGiuScYYsUsoT5j/UA==\n",
+    "iv": "PzvZr37EkJqz6JtM\n",
-    "version": 1,
+    "auth_tag": "e3XW8oHVgmYibv/IBzj0yA==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_endpoint": {
    "encrypted_data": "ErJIEChxrreW7WKEwRtuP2MyYlsZRtqLdGa/x5QY58qgO036FgR3Hs2Z3yce\n",
    "iv": "HOSAOgUjO7XGwk50\n",
    "auth_tag": "XE1bwMIXHHE72V9K2KOLnw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_region": {
-    "encrypted_data": "2ZGxu0tVzKNfx3K1Wleg0SAwGaPkHCi/XfKpJ+J7q40=\n",
+    "encrypted_data": "8cNSaYu7HH95ftG66lFdUIPZD7soz907CPA=\n",
-    "iv": "CNTZW2SEIgfw+IyzGI3TzQ==\n",
+    "iv": "pU21ulF75y/SIs3x\n",
-    "version": 1,
+    "auth_tag": "7WQQCbSbB2GybjY+C+5IvQ==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "encryption_password": {
-    "encrypted_data": "tsBWKBwhQFfEAM0EWMPtljSbqU1c5mOJXPjYJjNT5RUFhPlqa7gsE8aJbs+D\nSPKjAQ62j+iHeqCk9mE9CCkgBA==\n",
+    "encrypted_data": "l23CiIO2s1fIRn0NdoWZ+wK+Zhx3hCYDHf4ypjqMRekZ7xqafvXHHuogD5aj\npxYUKloH\n",
-    "iv": "uq5YAXuq2ynRLv9EIWoCFA==\n",
+    "iv": "Dzx83eP9L7Jqqidh\n",
-    "version": 1,
+    "auth_tag": "UVn5XA5Tgsikc1GdOt1MUQ==\n",
-    "cipher": "aes-256-cbc"
+    "version": 3,
    "cipher": "aes-256-gcm"
  }
 }
--- a/data_bags/credentials/gandi_api.json
+++ b/data_bags/credentials/gandi_api.json
@ -1,23 +1,23 @@
 {
  "id": "gandi_api",
  "key": {
-    "encrypted_data": "d3/rJMX6B9GuzUt0/mIk/lgQ3qGyQdbNXH6UEm3ZX7DeSl+rbW9FPJCRWg==\n",
+    "encrypted_data": "lU7/xYTmP5Sb6SsK5TNNIyegWozzBtUzpg7oDdl6gcz9FEMmG2ft0Ljh5Q==\n",
-    "iv": "15YVAYla7PqqVOab\n",
+    "iv": "EZPQD3C+wsP/mBhF\n",
-    "auth_tag": "xQSq+ld6SDOAER07N4ZkUQ==\n",
+    "auth_tag": "vF9E8Pj4Z8quJJdOMg/QTw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "access_token": {
-    "encrypted_data": "geQwcNosiJZmqbbMpD/I+a2yueBzpV6C8Rb7vrCD8kR161ZRjvqLe+g/1XpT\n2/65wKYDMTrdto1I030=\n",
+    "encrypted_data": "1Uw69JkNrmb8LU/qssuod1SlqxxrWR7TJQZeeivRrNzrMIVTEW/1uwJIYL6b\nM4GeeYl9lIRlMMmLBkc=\n",
-    "iv": "1sj58eyooOZ8FTYn\n",
+    "iv": "cc1GJKu6Cf4DkIgX\n",
-    "auth_tag": "yBNfgWXaToc06VDLly/HUw==\n",
+    "auth_tag": "ERem4S7ozG695kjvWIMghw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "domains": {
-    "encrypted_data": "p5rIQTyCE+0d4HIuA4GKEAFekh7qEC4xe9Rm/kP0DyzY83FO0/4uKIvYoZRB\n",
+    "encrypted_data": "scZ5blsSjs54DlitR7KZ3enLbyceOR5q0wjHw1golQ==\n",
-    "iv": "LWlx98NSS1/ngCH1\n",
+    "iv": "oDcHm7shAzW97b4t\n",
-    "auth_tag": "FID+x/LjTZ3cgQV5U2xZLA==\n",
+    "auth_tag": "62Zais9yf68SwmZRsmZ3hw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/data_bags/credentials/kosmos-rs.json
+++ b/data_bags/credentials/kosmos-rs.json
@ -0,0 +1,10 @@
 {
  "id": "kosmos-rs",
  "auth_tokens": {
    "encrypted_data": "fiznpRw7VKlm232+U6XV1rqkAf2Z8CpoD8KyvuvOH2JniaymlcTHgazGWQ8s\nGeqK4RU9l4d29e9i+Mh0k4vnhO4q\n",
    "iv": "SvurcL2oNSNWjlxp\n",
    "auth_tag": "JLQ7vGXAuYYJpLEpL6C+Rw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
 }
--- a/data_bags/credentials/lndhub-go.json
+++ b/data_bags/credentials/lndhub-go.json
@ -1,30 +1,30 @@
 {
  "id": "lndhub-go",
  "jwt_secret": {
-    "encrypted_data": "3T4JYnoISKXCnatCBeLCXyE8wVjzphw5/JU5A0vHfQ2xSDZreIRQ\n",
+    "encrypted_data": "lJsKBTCRzI83xmRHXzpnuRH/4cuMOR+Rd+SBU50G9HdibadIEDhS\n",
-    "iv": "bGQZjCk6FtD/hqVj\n",
+    "iv": "f/SvsWtZIYOVc54X\n",
-    "auth_tag": "CS87+UK1ZIFMiNcNaoyO6w==\n",
+    "auth_tag": "YlJ78EuJbcPfjCPc2eH+ug==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "postgresql_password": {
-    "encrypted_data": "u8kf/6WdSTzyIz2kF+24JgOPLndWH2WmTFZ3CToJsnay\n",
+    "encrypted_data": "aT0yNlWjvk/0S4z2kZB4Ye1u/ngk5J6fGPbwZSfdq6cy\n",
-    "iv": "KqLtV2UuaAzJx7C8\n",
+    "iv": "OgUttF4LlSrL/7gH\n",
-    "auth_tag": "3aqx45+epb2NFkNfOfG89A==\n",
+    "auth_tag": "pcbbGqbQ2RjU+i9dt8c3OQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "admin_token": {
-    "encrypted_data": "Z737fXqRE9JHfunRhc2GG281dFFN1bvBvTzTDzl/Vb8O\n",
+    "encrypted_data": "I9EsqCCxMIw+fX6sfu6KX8B5fJj9DX5Y4tbX30jdnmxr\n",
-    "iv": "oKLQJbD67tiz2235\n",
+    "iv": "vnERvIWYInO6+Y8q\n",
-    "auth_tag": "SlVIqC9d9SRoO78M7cBjTw==\n",
+    "auth_tag": "gO+MprZUQgPEWJQUmSF1sA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "sentry_dsn": {
-    "encrypted_data": "gmDHGDWkTIvaXjcWMs1dnKnbqtsADPJ2mLmWw8Idj6RVevU5CabjvviAxEo1\n3hs2LWuObumRSCQt2QKap191uMq3CL2+da53hbsv+JUkxl4=\n",
+    "encrypted_data": "+sUXWgl6dXpA1/0FqjKC3Jnl54aor6gtM+19EM/NsHwg4qu672YnSgxV+c9x\nHM3JZBYxBYvJ+HYGAvMmhlGvaOOEIvLmFUpCCJeVUXR32S8=\n",
-    "iv": "Yt0fSsxL4SNicwUY\n",
+    "iv": "82+DzAnHiptaX7sO\n",
-    "auth_tag": "j7BWbcNnymHHMNTADWmCNw==\n",
+    "auth_tag": "CDx44iRBVhSIF8DOxb2c+w==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/data_bags/credentials/mastodon.json
+++ b/data_bags/credentials/mastodon.json
@ -1,93 +1,114 @@
 {
  "id": "mastodon",
  "active_record_encryption_deterministic_key": {
    "encrypted_data": "2ik8hqK7wrtxyC73DLI8FNezZiWp2rdjwaWZkTUFRj+iwvpSrGVEwMx6uxDI\nWa7zF3p/\n",
    "iv": "XMp6wqwzStXZx+F3\n",
    "auth_tag": "vloJOLqEcghfQXOYohVVlg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "active_record_encryption_key_derivation_salt": {
    "encrypted_data": "Nq/rHayMYmT/82k3tJUKU8YTvDKUKLoK204aT0CMGZertZaAD3dtA9AkprrA\nPK0D9CdL\n",
    "iv": "tn9C+igusYMH6GyM\n",
    "auth_tag": "+ReZRNrfpl6ZDwYQpwm6dw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "active_record_encryption_primary_key": {
    "encrypted_data": "UEDMuKHgZDBhpB9BwbPmtdmIDWHyS9/bSzaEbtTRvLcV8dGOE5q9lDVIIsQp\n2HE0c92p\n",
    "iv": "tnB0pQ3OGDne3mN/\n",
    "auth_tag": "kt234ms+bmcxJj/+FH/72Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "paperclip_secret": {
-    "encrypted_data": "VJn4Yd2N7qFV+nWXPjPA8Y2KEXL/gZs2gK5E3DZZc9ogFXV7RtpDtq+NKGJU\ndpR8ohtEZvkyC+iBkMAlnS1sSVKiLdQ1xXvbzkj04mYgjnLvwsZ19uVpBGwR\nt/DON7Bhe5Fw+OyrBQksqNcZQSpB9sMBfgA1IgCpdVGHQ8PmkMbFTaZZYcoF\n7gg3yUw5/0t3vRdL\n",
+    "encrypted_data": "AlsnNTRF6GEyHjMHnC4VdzF4swMlppz/Gcp1xr0OuMEgQiOcW1oSZjDRZCRV\nmuGqZXZx64wqZyzTsJZ6ayCLsmWlPq6L21odHWyO+P/C5ubenSXnuCjpUn3/\nHs8WLX3kwVmqCRnVgDl2vEZ5H4XedSLr7R7YM7gQkM0UX4muMDWWnOTR8/x/\ni1ecwBY5RjdewwyR\n",
-    "iv": "X5atp/KaIurfln/u\n",
+    "iv": "RWiLePhFyPekYSl9\n",
-    "auth_tag": "mVnBoUb5HwhXNYUddJbq8Q==\n",
+    "auth_tag": "sUq4ZX9CFKPbwDyuKQfNLQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "secret_key_base": {
-    "encrypted_data": "d0sNREFhzQEJhkRzielbCNBJOVAdfThv7zcYTZ1vFZ20i/mzB9GWW2nb+1yn\nNFjAq8wCLpLXn9n3FClE+WOqnAw0jwTlyScRM5lzjKI5SxHKkBQHGyFs2AF8\nqFjEvpiqxhjsc4kNOJGO8DdcyHuulXyaO9fJg8HDnU1ov1vSSuTc0ABKgycY\nMq/Xt10UXnhP8cPw\n",
+    "encrypted_data": "K5CmIXFa9mS4/dODBQAN9Bw0SFpbLiZAB8ewiYpkB8NDXP6X/BX8aDjW2Y4F\ncMvpFyiFldRBhrh1MSKTVYQEoJ3JhlNL9HCdPsAYbBEW70AuEBpHvOtD5OxH\nqgbH4Reuk6JX5AI8SwDD3zGrdT12mTFVNgSujzuZMvpi1Sro2HtRGAkjmnaa\nMGKrBV21O1CREJJg\n",
-    "iv": "HFT7fdGQ2KRJ2NFy\n",
+    "iv": "/yMMmz1YtKIs5HSd\n",
-    "auth_tag": "C55JT2msLQCoI+09VKf+Jw==\n",
+    "auth_tag": "WXgIVWjIdbMFlJhTD5J0JQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "otp_secret": {
-    "encrypted_data": "1iH7mUkaUzyn9dfDwMdiJ8X059qWSUO3DqivsOFfI1f44nMnzllaYPu6nh8O\nNLNCOzvsSAonhhaq1X+foOdyPIG2mGhE/juKveDD57/AdZAayHWsbsQlPC4l\nwdShz/ANrq0YZ/zOhpT2sZj1TZavW+S+JlxJFX2kP24D4dUzwG0vNj7522+Q\n9NAApJdUte1ZYF/b\n",
+    "encrypted_data": "OPLnYRySSIDOcVHy2A5V+pCrz9zVIPjdpAGmCdgQkXtJfsS9NzNtxOPwrXo6\nuQlV9iPjr1Y9ljGKYytbF0fPgAa5q6Z1oHMY9vOGs/LGKj8wHDmIvxQ+Gil1\nC+dZEePmqGaySlNSB/gNzcFIvjBH3mDxHJJe9hDxSv5miNS9l9f3UvQeLP2M\nU7/aHKagL9ZHOp/d\n",
-    "iv": "00/vs5zTdoC19+pS\n",
+    "iv": "wqJBLdZhJ7M/KRG9\n",
-    "auth_tag": "3cjYqebMshnmWkQ3SdRcCQ==\n",
+    "auth_tag": "dv5YyZszZCrRnTleaiGd4A==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "aws_access_key_id": {
-    "encrypted_data": "krcfpxOrAkwZR2GP4glTaFg2dw/COw8BO8I+KICqyl4bvpL5NrB9\n",
+    "encrypted_data": "A1/gfcyrwT6i9W6aGTJ8pH4Dm4o8ACDxvooDroA/2N0szOiNyiYX\n",
-    "iv": "paoDKp6EIU8bjxzF\n",
+    "iv": "JNvf21KhdM3yoLGt\n",
-    "auth_tag": "p6Pt/tz5dgGXzW5cO06nBg==\n",
+    "auth_tag": "2xaZql1ymPYuXuvXzT3ymA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "aws_secret_access_key": {
-    "encrypted_data": "aQySCT7gxeNiMMocq81KtIi+YzrZwMBeTd4LrRSN8iNEikWReJrrfagBwozy\n+Gfdw4bMGzY1dhF1Sl4=\n",
+    "encrypted_data": "T1tc01nACxhDgygKaiAq3LChGYSgmW8LAwr1aSxXmJ5D2NtypJDikiHrJbFZ\nfWFgm1qe4L8iD/k5+ro=\n",
-    "iv": "R/hvvOvmqq/uoKbx\n",
+    "iv": "FDTPQQDLUMKW7TXx\n",
-    "auth_tag": "QBJY/3+OprBXO/FSNwv2OQ==\n",
+    "auth_tag": "msY6PFFYhlwQ0X7gekSDiw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "ldap_bind_dn": {
-    "encrypted_data": "wDPABdL+DlXz2WWV4XwW20kM4EWPSwc/ajBmbdYMnjFau6c76CIBpbFhrFoj\n3mwDbHz8cgOnLNvozXSV4w6N7URCN/mWWTBHNhd3ppw=\n",
+    "encrypted_data": "C/YNROVyOxmR4O2Cy52TX41EKli2bCOMzwYD+6Hz/SiKkgidnKUHlvHlbTDq\nkWwlRDM2o8esOCKaEAGPNWcNc9IHlaSsfwhr4YWnwe0=\n",
-    "iv": "8rQ0M4LT1HbCNpq9\n",
+    "iv": "QCQF0+vH+//+nDxr\n",
-    "auth_tag": "AuO5R6WCtd75TGJNfgFSCg==\n",
+    "auth_tag": "a0PbyO/7wjufqH2acDCqmQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "ldap_password": {
-    "encrypted_data": "y0t8RuptVYiTKmUhaAWsC4c2ZzhQsYeVLeMPiQBn+Q==\n",
+    "encrypted_data": "SqwKeiyzfvvZGqH5gi35BdW3W+Fo/AQQjso1Yfp2XA==\n",
-    "iv": "mixYzDKkPSIDQ/l+\n",
+    "iv": "md2/etFJ1r/BKaYg\n",
-    "auth_tag": "DbLlZG7rlgBmyCdJ3nhSYA==\n",
+    "auth_tag": "OlCCOoYSD7ukdH2yWCd6KA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "smtp_user_name": {
-    "encrypted_data": "Ugc29HUFcirv6jOOlYNs9uvmhfwa2rG41im/MusCx0Vu0AZKcdy0krGi/kCZ\nKg==\n",
+    "encrypted_data": "0kzppmSSUg7lEyYnI5a0nf+xO0vSVx88rbxI+niIdzFOOBKSIL6uVHJ340dw\nMQ==\n",
-    "iv": "ZlDK854w+vTNmeJe\n",
+    "iv": "lQR77ETTtIIyaG1r\n",
-    "auth_tag": "Nj95g0JMxrT419OLQIX26g==\n",
+    "auth_tag": "smF2HRg8WdmD+MWwkT3TqA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "smtp_password": {
-    "encrypted_data": "D1TGjRfmM1ZeUmzwewlKXfQvvqTSzpzNlK5MKIU8dxbAH175UKn5qiemDEWe\nRYPe1LWT\n",
+    "encrypted_data": "1i0m9qiZA/8k8fMKo+04uyndl1UhagtHweBFICIorWALkB68edjb8OhUDxv9\nTubiXYRC\n",
-    "iv": "D1OVfD5bMcefM5DP\n",
+    "iv": "IU2x4ips9HWmKoxi\n",
-    "auth_tag": "2E/q2gTbdXiLVnOMDeJv9w==\n",
+    "auth_tag": "BZJTDfPBvt8cf6/MbKzUJQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "vapid_private_key": {
-    "encrypted_data": "+87bVrbd/XvWhZH1IYusc4Hla7ZZmylptAyJf48CMG/F3SMEO33OqW2I+UWh\nSkqbxai5+GaMhvZHB8U2Clod\n",
+    "encrypted_data": "+LmySMvzrV3z2z7BmJG9hpvkL06mGc87RG20XQhhdAJ2Z/5uMMjev2pUf7du\ntv2qvDJAimhkZajuDGL9R3eq\n",
-    "iv": "HVhNdFQl0TvCcjsa\n",
+    "iv": "Mg7NhPl31O6Z4P+v\n",
-    "auth_tag": "EEQXuQ5keOHXmchhBh+Ixw==\n",
+    "auth_tag": "qYWPInhgoWAjg0zQ+XXt5w==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "vapid_public_key": {
-    "encrypted_data": "nBm1lXbn1+Kzol95+QSEjsUI/n7ObhdEqEyfYcVSP/LiLy57KOBQDu6CjSMz\n+PN9yEP4lOjtscqHS29jTC2vi3PSui9XpOFHRxFBnDuyKxczrnID2KlLCNRQ\n228G3VRgFIMAWMYKACgzUk0=\n",
+    "encrypted_data": "NOyc+Cech9qG2HhnhajDaJMWd1OU5Rp6hws6i4xF5mLPePMJ9mJTqzklkuMK\npYSEdtcxA3KmDt1HrFxfezYUc9xO9pvlm0BPA7XAFmF/PU7/AJbFqgPU6pX/\ntSDLSdFuMB3ky+cl4DJi+O4=\n",
-    "iv": "xHrVl+4JGkQbfUW3\n",
+    "iv": "rgUglYiHB/mhqGha\n",
-    "auth_tag": "rfFoBMocq17YiDSlOCvWqw==\n",
+    "auth_tag": "DEX7hdNsNLi/LIrMkdUe/Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_key_id": {
-    "encrypted_data": "pq0+VZhjoxzLuyY34f23wOmuks9Wevt8Wu6muKZAsZMSuU0iJvlRoK/65Qa0\n",
+    "encrypted_data": "rPVzrYYIbcM+ssVpdL6wpCTdzLIEKXke1+eMlPLMG2gPuoh+W3eO3nFGb/s2\n",
-    "iv": "QTxO+IfYcpI170ON\n",
+    "iv": "/qI8F9cvnfKG7ZXE\n",
-    "auth_tag": "4ZHva2iBYgDv6DyhMRRXzA==\n",
+    "auth_tag": "z1+MPdkO/+SCaag2ULelPg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_secret_key": {
-    "encrypted_data": "YMZqKtOXDPAME8IWWC+lO8TsxHMzawlbTju9z/Hcb5DnQAOy82QufTN90m73\n/xikUboAdKcA5YGn0mkm+Rt/ygVR6DFirYV3kwi2M3qyGVJifug=\n",
+    "encrypted_data": "RMnB9kZ+slbQXfpo0udYld6S1QqBxqM1YbszdLfSAdKK9I0J3Kmvh/CQ5Fbx\nyov6LClmsl1rjtH16r7cY32M4Woq+6miERdtecyDrrYkNHz0xkA=\n",
-    "iv": "9AwabheRFOgC8IKR\n",
+    "iv": "pO7bm3aOtjuwYjG/\n",
-    "auth_tag": "iU2kkA1q8OsblN5jaZrWGQ==\n",
+    "auth_tag": "SRvn4z1+Vd5VAGgjG64s+Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/environments/production.json
+++ b/environments/production.json
@ -105,17 +105,39 @@
    },
    "strfry": {
      "domain": "nostr.kosmos.org",
-      "real_ip_header": "x-real-ip",
+      "config": {
-      "policy_path": "/opt/strfry/strfry-policy.ts",
+        "events": {
-      "whitelist_pubkeys": [
+          "max_event_size": "524288"
-        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
+        },
-      ],
+        "relay": {
-      "info": {
+          "bind": "0.0.0.0",
-        "name": "Kosmos Relay",
+          "real_ip_header": "x-real-ip",
-        "description": "Members-only nostr relay for kosmos.org users",
+          "info": {
-        "pubkey": "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb",
+            "name": "Kosmos Relay",
-        "contact": "ops@kosmos.org"
+            "description": "Members-only nostr relay for kosmos.org users",
            "pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
            "contact": "ops@kosmos.org",
            "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
          },
          "write_policy": {
            "plugin": "/opt/strfry/strfry-policy.ts"
          },
          "logging": {
            "dump_in_all": true
          }
        }
      },
      "known_pubkeys": {
        "_": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
        "accounts": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
        "bitcoincore": "47750177bb6bb113784e4973f6b2e3dd27ef1eff227d6e38d0046d618969e41a",
        "fiatjaf": "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
      }
    },
    "substr": {
      "relay_urls": [
        "ws://localhost:7777"
      ]
    }
  }
 }
--- a/nodes/akkounts-1.json
+++ b/nodes/akkounts-1.json
@ -38,6 +38,7 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@ -16,7 +16,6 @@
      "kvm_guest",
      "sentry_client",
      "bitcoind",
      "cln",
      "lnd",
      "lndhub",
      "postgresql_client",
@ -30,10 +29,8 @@
      "tor-full",
      "tor-full::default",
      "kosmos-bitcoin::bitcoind",
      "kosmos-bitcoin::c-lightning",
      "kosmos-bitcoin::lnd",
      "kosmos-bitcoin::lnd-scb-s3",
      "kosmos-bitcoin::boltz",
      "kosmos-bitcoin::rtl",
      "kosmos-bitcoin::peerswap-lnd",
      "kosmos_postgresql::hostsfile",
@ -41,6 +38,7 @@
      "kosmos-bitcoin::dotnet",
      "kosmos-bitcoin::nbxplorer",
      "kosmos-bitcoin::btcpay",
      "kosmos-bitcoin::price_tracking",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@ -103,9 +101,9 @@
    "role[sentry_client]",
    "recipe[tor-full]",
    "role[bitcoind]",
    "role[cln]",
    "role[lnd]",
    "role[lndhub]",
-    "role[btcpay]"
+    "role[btcpay]",
    "recipe[kosmos-bitcoin::price_tracking]"
  ]
 }
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@ -20,7 +20,7 @@
  "automatic": {
    "fqdn": "draco.kosmos.org",
    "os": "linux",
-    "os_version": "5.4.0-54-generic",
+    "os_version": "5.4.0-187-generic",
    "hostname": "draco",
    "ipaddress": "148.251.237.73",
    "roles": [
--- a/nodes/drone-1.json
+++ b/nodes/drone-1.json
@ -8,26 +8,27 @@
  "automatic": {
    "fqdn": "drone-1",
    "os": "linux",
-    "os_version": "5.4.0-1058-kvm",
+    "os_version": "5.4.0-1133-kvm",
    "hostname": "drone-1",
    "ipaddress": "192.168.122.200",
    "roles": [
      "kvm_guest",
      "drone",
-      "postgresql_client",
+      "postgresql_client"
      "kvm_guest"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::hostsfile",
      "kosmos_drone",
      "kosmos_drone::default",
      "kosmos_kvm::guest",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@ -43,13 +44,13 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "17.9.52",
+        "version": "18.7.10",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "17.9.0",
+        "version": "18.2.5",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
      }
    }
  },
@ -58,4 +59,4 @@
    "role[kvm_guest]",
    "role[drone]"
  ]
-}
+}
--- a/nodes/garage-10.json
+++ b/nodes/garage-10.json
@ -1,17 +1,17 @@
 {
-  "name": "garage-4",
+  "name": "garage-10",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.104"
+      "host": "10.1.1.27"
    }
  },
  "automatic": {
-    "fqdn": "garage-4",
+    "fqdn": "garage-10",
    "os": "linux",
-    "os_version": "5.4.0-132-generic",
+    "os_version": "5.4.0-1090-kvm",
-    "hostname": "garage-4",
+    "hostname": "garage-10",
-    "ipaddress": "192.168.122.123",
+    "ipaddress": "192.168.122.70",
    "roles": [
      "base",
      "kvm_guest",
@ -23,7 +23,8 @@
      "kosmos_kvm::guest",
      "kosmos_garage",
      "kosmos_garage::default",
-      "kosmos_garage::firewall",
+      "kosmos_garage::firewall_rpc",
      "kosmos_garage::firewall_apis",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@ -38,21 +39,20 @@
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
-      "firewall::default",
+      "firewall::default"
      "chef-sugar::default"
    ],
    "platform": "ubuntu",
    "platform_version": "20.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "17.10.3",
+        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "17.9.0",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
@ -61,4 +61,4 @@
    "role[kvm_guest]",
    "role[garage_node]"
  ]
-}
+}
--- a/nodes/garage-11.json
+++ b/nodes/garage-11.json
@ -1,17 +1,17 @@
 {
-  "name": "garage-5",
+  "name": "garage-11",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.33"
+      "host": "10.1.1.165"
    }
  },
  "automatic": {
-    "fqdn": "garage-5",
+    "fqdn": "garage-11",
    "os": "linux",
-    "os_version": "5.15.0-84-generic",
+    "os_version": "5.15.0-1059-kvm",
-    "hostname": "garage-5",
+    "hostname": "garage-11",
-    "ipaddress": "192.168.122.55",
+    "ipaddress": "192.168.122.9",
    "roles": [
      "base",
      "kvm_guest",
@ -46,13 +46,13 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.3.0",
+        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.1.4",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
--- a/nodes/garage-9.json
+++ b/nodes/garage-9.json
@ -1,17 +1,17 @@
 {
-  "name": "garage-6",
+  "name": "garage-9",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.161"
+      "host": "10.1.1.223"
    }
  },
  "automatic": {
-    "fqdn": "garage-6",
+    "fqdn": "garage-9",
    "os": "linux",
    "os_version": "5.4.0-1090-kvm",
-    "hostname": "garage-6",
+    "hostname": "garage-9",
-    "ipaddress": "192.168.122.213",
+    "ipaddress": "192.168.122.21",
    "roles": [
      "base",
      "kvm_guest",
@ -46,13 +46,13 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.3.0",
+        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.1.4",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
--- a/nodes/gitea-2.json
+++ b/nodes/gitea-2.json
@ -9,7 +9,7 @@
  "automatic": {
    "fqdn": "gitea-2",
    "os": "linux",
-    "os_version": "5.4.0-1096-kvm",
+    "os_version": "5.4.0-1123-kvm",
    "hostname": "gitea-2",
    "ipaddress": "192.168.122.189",
    "roles": [
@ -32,12 +32,14 @@
      "kosmos_postgresql::hostsfile",
      "kosmos_gitea",
      "kosmos_gitea::default",
      "kosmos_gitea::backup",
      "kosmos_gitea::act_runner",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@ -47,7 +49,16 @@
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
-      "firewall::default"
+      "firewall::default",
      "kosmos_gitea::compile_from_source",
      "git::default",
      "git::package",
      "kosmos-nodejs::default",
      "nodejs::nodejs_from_package",
      "nodejs::repo",
      "golang::default",
      "backup::default",
      "logrotate::default"
    ],
    "platform": "ubuntu",
    "platform_version": "20.04",
--- a/nodes/mail.kosmos.org.json
+++ b/nodes/mail.kosmos.org.json
@ -10,7 +10,7 @@
    "fqdn": "mail.kosmos.org",
    "os": "linux",
    "os_version": "5.15.0-1048-kvm",
-    "hostname": "mail",
+    "hostname": "mail.kosmos.org",
    "ipaddress": "192.168.122.131",
    "roles": [
      "base",
--- a/nodes/mastodon-3.json
+++ b/nodes/mastodon-3.json
@ -37,6 +37,7 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@ -63,8 +64,6 @@
      "redisio::disable_os_default",
      "redisio::configure",
      "redisio::enable",
      "nodejs::npm",
      "nodejs::install",
      "backup::default",
      "logrotate::default"
    ],
--- a/nodes/postgres-6.json
+++ b/nodes/postgres-6.json
@ -13,12 +13,21 @@
    "ipaddress": "192.168.122.60",
    "roles": [
      "base",
-      "kvm_guest"
+      "kvm_guest",
      "postgresql_primary"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::primary",
      "kosmos_postgresql::firewall",
      "kosmos-akkounts::pg_db",
      "kosmos-bitcoin::lndhub-go_pg_db",
      "kosmos-bitcoin::nbxplorer_pg_db",
      "kosmos_drone::pg_db",
      "kosmos_gitea::pg_db",
      "kosmos-mastodon::pg_db",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@ -52,6 +61,6 @@
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
-    "role[postgresql_replica]"
+    "role[postgresql_primary]"
  ]
 }
--- a/nodes/postgres-7.json
+++ b/nodes/postgres-7.json
@ -1,37 +1,35 @@
 {
-  "name": "postgres-5",
+  "name": "postgres-7",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.54"
+      "host": "10.1.1.134"
    }
  },
  "automatic": {
-    "fqdn": "postgres-5",
+    "fqdn": "postgres-7",
    "os": "linux",
-    "os_version": "5.4.0-153-generic",
+    "os_version": "5.4.0-1123-kvm",
-    "hostname": "postgres-5",
+    "hostname": "postgres-7",
-    "ipaddress": "192.168.122.211",
+    "ipaddress": "192.168.122.89",
    "roles": [
      "base",
      "kvm_guest",
-      "postgresql_primary"
+      "postgresql_replica"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
-      "kosmos_postgresql::primary",
+      "kosmos_postgresql::hostsfile",
      "kosmos_postgresql::replica",
      "kosmos_postgresql::firewall",
      "kosmos-bitcoin::lndhub-go_pg_db",
      "kosmos-bitcoin::nbxplorer_pg_db",
      "kosmos_drone::pg_db",
      "kosmos_gitea::pg_db",
      "kosmos-mastodon::pg_db",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@ -47,19 +45,19 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.2.7",
+        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.1.4",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
-    "role[postgresql_primary]"
+    "role[postgresql_replica]"
  ]
 }
--- a/nodes/postgres-8.json
+++ b/nodes/postgres-8.json
@ -0,0 +1,62 @@
 {
  "name": "postgres-8",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.99"
    }
  },
  "automatic": {
    "fqdn": "postgres-8",
    "os": "linux",
    "os_version": "5.15.0-1059-kvm",
    "hostname": "postgres-8",
    "ipaddress": "192.168.122.100",
    "roles": [
      "base",
      "kvm_guest",
      "postgresql_replica"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::hostsfile",
      "kosmos_postgresql::replica",
      "kosmos_postgresql::firewall",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.5.0",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.1.11",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[postgresql_replica]"
  ]
 }
--- a/nodes/strfry-1.json
+++ b/nodes/strfry-1.json
@ -27,11 +27,13 @@
      "strfry::default",
      "kosmos_strfry::policies",
      "kosmos_strfry::firewall",
      "kosmos_strfry::substr",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/wiki-1.json
+++ b/nodes/wiki-1.json
@ -8,16 +8,19 @@
  "automatic": {
    "fqdn": "wiki-1",
    "os": "linux",
-    "os_version": "5.4.0-91-generic",
+    "os_version": "5.4.0-167-generic",
    "hostname": "wiki-1",
    "ipaddress": "192.168.122.26",
    "roles": [
-      "kvm_guest"
+      "base",
      "kvm_guest",
      "ldap_client"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos-dirsrv::hostsfile",
      "kosmos-mediawiki",
      "kosmos-mediawiki::default",
      "apt::default",
@ -41,7 +44,6 @@
      "php::package",
      "php::ini",
      "composer::global_configs",
      "kosmos-dirsrv::hostsfile",
      "mediawiki::default",
      "mediawiki::database",
      "kosmos-nginx::default",
@ -79,4 +81,4 @@
    "role[ldap_client]",
    "recipe[kosmos-mediawiki]"
  ]
-}
+}
--- a/roles/gitea.rb
+++ b/roles/gitea.rb
@ -3,4 +3,13 @@ name "gitea"
 run_list %w(
  role[postgresql_client]
  kosmos_gitea::default
  kosmos_gitea::backup
 )
 override_attributes(
  "gitea" => {
    "repo" => "https://github.com/67P/gitea.git",
    "revision" => "ldap_sync",
    "log" => { "level" => "Info" }
  },
 )
--- a/roles/lnd.rb
+++ b/roles/lnd.rb
@ -3,7 +3,6 @@ name "lnd"
 run_list %w(
  kosmos-bitcoin::lnd
  kosmos-bitcoin::lnd-scb-s3
  kosmos-bitcoin::boltz
  kosmos-bitcoin::rtl
  kosmos-bitcoin::peerswap-lnd
 )
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@ -3,6 +3,7 @@ name "postgresql_primary"
 run_list %w(
  kosmos_postgresql::primary
  kosmos_postgresql::firewall
  kosmos-akkounts::pg_db
  kosmos-bitcoin::lndhub-go_pg_db
  kosmos-bitcoin::nbxplorer_pg_db
  kosmos_drone::pg_db
--- a/roles/strfry.rb
+++ b/roles/strfry.rb
@ -5,4 +5,5 @@ run_list %w(
  strfry::default
  kosmos_strfry::policies
  kosmos_strfry::firewall
  kosmos_strfry::substr
 )
--- a/site-cookbooks/backup/attributes/default.rb
+++ b/site-cookbooks/backup/attributes/default.rb
@ -42,5 +42,5 @@ default['backup']['orbit']['keep'] = 10
 default['backup']['cron']['hour'] = "05"
 default['backup']['cron']['minute'] = "7"
-default['backup']['s3']['keep'] = 15
+default['backup']['s3']['keep'] = 10
-default['backup']['s3']['bucket'] = "kosmos-dev-backups"
+default['backup']['s3']['bucket'] = "kosmos-backups"
--- a/site-cookbooks/backup/recipes/default.rb
+++ b/site-cookbooks/backup/recipes/default.rb
@ -28,6 +28,7 @@ template "#{backup_dir}/config.rb" do
  sensitive true
  variables s3_access_key_id: backup_data["s3_access_key_id"],
            s3_secret_access_key: backup_data["s3_secret_access_key"],
            s3_endpoint: backup_data["s3_endpoint"],
            s3_region: backup_data["s3_region"],
            encryption_password: backup_data["encryption_password"],
            mail_from: "backups@kosmos.org",
--- a/site-cookbooks/backup/templates/default/config.rb.erb
+++ b/site-cookbooks/backup/templates/default/config.rb.erb
@ -23,6 +23,10 @@ Storage::S3.defaults do |s3|
  s3.secret_access_key = "<%= @s3_secret_access_key %>"
  s3.region            = "<%= @s3_region %>"
  s3.bucket            = "<%= node['backup']['s3']['bucket'] %>"
  s3.fog_options       = {
    endpoint: "<%= @s3_endpoint %>",
    aws_signature_version: 2
  }
 end
 Encryptor::OpenSSL.defaults do |encryption|
@ -88,7 +92,6 @@ end
 preconfigure 'KosmosBackup' do
  split_into_chunks_of 250 # megabytes
  store_with S3
  compress_with Bzip2
  encrypt_with OpenSSL
  notify_by Mail do |mail|
--- a/site-cookbooks/deno
+++ b/site-cookbooks/deno
@ -1 +1 @@
-Subproject commit 617f7959abda045326c8f06f1c1bcedbaa7c7285
+Subproject commit 92839b20a4c3b0a15b99bd86ea7cae16645570a6
--- a/site-cookbooks/kosmos-akkounts/recipes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb
@ -24,13 +24,12 @@ package "libvips"
 include_recipe 'redisio::default'
 include_recipe 'redisio::enable'
 node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
 include_recipe 'kosmos-nodejs'
 npm_package "bun"
-npm_package "yarn" do
+ruby_version = "3.3.8"
  version "1.22.4"
 end
 ruby_version = "3.3.0"
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
 rails_env = node.chef_environment == "development" ? "development" : "production"
@ -48,7 +47,28 @@ webhooks_allowed_ips = [lndhub_host].compact.uniq.join(',')
 env = {
  primary_domain: node['akkounts']['primary_domain'],
  akkounts_domain: node['akkounts']['domain'],
-  rails_serve_static_files: true
+  rails_serve_static_files: true,
  secret_key_base: credentials["rails_secret_key_base"],
  encryption_primary_key: credentials["rails_encryption_primary_key"],
  encryption_key_derivation_salt: credentials["rails_encryption_key_derivation_salt"],
  db_adapter: "postgresql",
  pg_host: "pg.kosmos.local",
  pg_port: 5432,
  pg_database: "akkounts",
  pg_database_queue: "akkounts_queue",
  pg_username: credentials["postgresql"]["username"],
  pg_password: credentials["postgresql"]["password"]
 }
 env[:ldap] = {
  host: "ldap.kosmos.local",
  port: 389,
  use_tls: false,
  uid_attr: "cn",
  base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
  admin_user: credentials["ldap"]["admin_user"],
  admin_password: credentials["ldap"]["admin_password"],
  suffix: "dc=kosmos,dc=org"
 }
 smtp_server, smtp_port = smtp_credentials[:relayhost].split(":")
@ -138,9 +158,9 @@ if lndhub_host
  if postgres_readonly_host
    env[:lndhub_admin_ui] = true
    env[:lndhub_pg_host] = postgres_readonly_host
-    env[:lndhub_pg_database] = node['akkounts']['lndhub']['postgres_db']
+    env[:lndhub_pg_database] = node["akkounts"]["lndhub"]["postgres_db"]
-    env[:lndhub_pg_username] = credentials['postgresql_username']
+    env[:lndhub_pg_username] = credentials["postgresql"]["username"]
-    env[:lndhub_pg_password] = credentials['postgresql_password']
+    env[:lndhub_pg_password] = credentials["postgresql"]["password"]
  end
 end
@ -208,7 +228,7 @@ systemd_unit "akkounts.service" do
      Type: "simple",
      User: deploy_user,
      WorkingDirectory: deploy_path,
-      Environment: "RAILS_ENV=#{rails_env}",
+      Environment: "RAILS_ENV=#{rails_env} SOLID_QUEUE_IN_PUMA=true",
      ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
      ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
      ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
@ -225,36 +245,6 @@ systemd_unit "akkounts.service" do
  action [:create, :enable]
 end
 systemd_unit "akkounts-sidekiq.service" do
  content({
    Unit: {
      Description: "Kosmos Accounts async/background jobs",
      Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
      Requires: "redis@6379.service",
      After: "syslog.target network.target redis@6379.service"
    },
    Service: {
      Type: "notify",
      User: deploy_user,
      WorkingDirectory: deploy_path,
      Environment: "MALLOC_ARENA_MAX=2",
      ExecStart: "#{bundle_path} exec sidekiq -C #{deploy_path}/config/sidekiq.yml -e #{rails_env}",
      WatchdogSec: "10",
      Restart: "on-failure",
      RestartSec: "1",
      StandardOutput: "syslog",
      StandardError: "syslog",
      SyslogIdentifier: "sidekiq"
    },
    Install: {
      WantedBy: "multi-user.target"
    }
  })
  verify false
  triggers_reload true
  action [:create, :enable]
 end
 deploy_env = {
  "HOME" => deploy_path,
  "PATH" => "#{ruby_path}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin",
@ -267,15 +257,7 @@ git deploy_path do
  revision node[app_name]["revision"]
  user  deploy_user
  group deploy_group
  # Restart services on deployments
  notifies :run, "execute[restart #{app_name} services]", :delayed
 end
 execute "restart #{app_name} services" do
  command "true"
  action :nothing
  notifies :restart, "service[#{app_name}]", :delayed
  notifies :restart, "service[#{app_name}-sidekiq]", :delayed
 end
 file "#{deploy_path}/config/master.key" do
@ -283,7 +265,7 @@ file "#{deploy_path}/config/master.key" do
  mode '0400'
  owner deploy_user
  group deploy_group
-  notifies :run, "execute[restart #{app_name} services]", :delayed
+  notifies :restart, "service[#{app_name}]", :delayed
 end
 template "#{deploy_path}/.env.#{rails_env}" do
@ -293,7 +275,7 @@ template "#{deploy_path}/.env.#{rails_env}" do
  mode 0600
  sensitive true
  variables config: env
-  notifies :run, "execute[restart #{app_name} services]", :delayed
+  notifies :restart, "service[#{app_name}]", :delayed
 end
 execute "bundle install" do
@ -303,13 +285,6 @@ execute "bundle install" do
  command "bundle install --without development,test --deployment"
 end
 execute "yarn install" do
  environment deploy_env
  user deploy_user
  cwd deploy_path
  command "yarn install --pure-lockfile"
 end
 execute 'rake db:migrate' do
  environment deploy_env
  user deploy_user
@ -330,10 +305,6 @@ service "akkounts" do
  action [:enable, :start]
 end
 service "akkounts-sidekiq" do
  action [:enable, :start]
 end
 firewall_rule "akkounts_zerotier" do
  command  :allow
  port     node["akkounts"]["port"]
--- a/site-cookbooks/kosmos-akkounts/recipes/pg_db.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/pg_db.rb
@ -0,0 +1,22 @@
 #
 # Cookbook:: kosmos-akkounts
 # Recipe:: pg_db
 #
 credentials = data_bag_item("credentials", "akkounts")
 pg_username = credentials["postgresql"]["username"]
 pg_password = credentials["postgresql"]["password"]
 postgresql_user pg_username do
  action :create
  password pg_password
 end
 databases = ["akkounts", "akkounts_queue"]
 databases.each do |database|
  postgresql_database database do
    owner pg_username
    action :create
  end
 end
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
@ -14,6 +14,10 @@ server {
  listen [::]:443 ssl http2;
  server_name <%= @domain %>;
  if ($host != $server_name) {
    return 301 $scheme://$server_name$request_uri;
  }
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
@ -39,6 +43,9 @@ server {
  location @proxy {
    proxy_set_header Host $http_host;
    set $x_forwarded_host $http_x_forwarded_host;
    if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
    proxy_set_header X-Forwarded-Host $x_forwarded_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
--- a/site-cookbooks/kosmos-base/attributes/default.rb
+++ b/site-cookbooks/kosmos-base/attributes/default.rb
@ -0,0 +1,2 @@
 node.default["kosmos-base"]["journald"]["system_max_use"] = "256M"
 node.default["kosmos-base"]["journald"]["max_retention_sec"] = "7d"
--- a/site-cookbooks/kosmos-base/recipes/default.rb
+++ b/site-cookbooks/kosmos-base/recipes/default.rb
@ -27,6 +27,7 @@
 include_recipe 'apt'
 include_recipe 'timezone_iii'
 include_recipe 'ntp'
 include_recipe 'kosmos-base::journald_conf'
 include_recipe 'kosmos-base::systemd_emails'
 node.override["apt"]["unattended_upgrades"]["allowed_origins"] = [
--- a/site-cookbooks/kosmos-base/recipes/journald_conf.rb
+++ b/site-cookbooks/kosmos-base/recipes/journald_conf.rb
@ -0,0 +1,14 @@
 #
 # Cookbook Name:: kosmos-base
 # Recipe:: journald_conf
 #
 service "systemd-journald"
 template "/etc/systemd/journald.conf" do
  source "journald.conf.erb"
  variables system_max_use: node["kosmos-base"]["journald"]["system_max_use"],
            max_retention_sec: node["kosmos-base"]["journald"]["max_retention_sec"]
  # Restarting journald is required
  notifies :restart, "service[systemd-journald]", :delayed
 end
--- a/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
+++ b/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
@ -56,7 +56,6 @@ action :create do
      command <<-CMD
      certbot certonly --manual -n \
        --preferred-challenges dns \
        --manual-public-ip-logging-ok \
        --agree-tos \
        --manual-auth-hook '#{hook_auth_command}' \
        --manual-cleanup-hook '#{hook_cleanup_command}' \
--- a/site-cookbooks/kosmos-base/templates/default/journald.conf.erb
+++ b/site-cookbooks/kosmos-base/templates/default/journald.conf.erb
@ -0,0 +1,6 @@
 [Journal]
 # Set the maximum size of the journal logs in bytes
 SystemMaxUse=<%= @system_max_use %>
 # Set the number of days after which logs will be deleted
 MaxRetentionSec=<%= @max_retention_sec %>
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '26.0'
+node.default['bitcoin']['version']   = '29.0'
-node.default['bitcoin']['checksum']  = 'ab1d99276e28db62d1d9f3901e85ac358d7f1ebcb942d348a9c4e46f0fcdc0a1'
+node.default['bitcoin']['checksum']  = '882c782c34a3bf2eacd1fae5cdc58b35b869883512f197f7d6dc8f195decfdaa'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'
@ -24,7 +24,8 @@ node.default['bitcoin']['conf'] = {
  rpcbind: "127.0.0.1:8332",
  gen: 0,
  zmqpubrawblock: 'tcp://127.0.0.1:8337',
-  zmqpubrawtx: 'tcp://127.0.0.1:8338'
+  zmqpubrawtx: 'tcp://127.0.0.1:8338',
  deprecatedrpc: 'warnings' # TODO remove when upgrading to LND 0.18.4
 }
 # Also enables Tor for LND
@ -40,7 +41,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.17.3-beta'
+node.default['lnd']['revision'] = 'v0.18.5-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@ -58,24 +59,13 @@ node.default['lnd']['tor'] = {
  'skip-proxy-for-clearnet-targets' => 'true'
 }
 node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
 node.default['boltz']['revision'] = 'v1.2.7'
 node.default['boltz']['source_dir'] = '/opt/boltz'
 node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
 node.default['boltz']['grpc_host'] = '127.0.0.1'
 node.default['boltz']['grpc_port'] = '9002'
 node.default['boltz']['rest_disabled'] = 'false'
 node.default['boltz']['rest_host'] = '127.0.0.1'
 node.default['boltz']['rest_port'] = '9003'
 node.default['boltz']['no_macaroons'] = 'false'
 node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
-node.default['rtl']['revision'] = 'v0.15.0'
+node.default['rtl']['revision'] = 'v0.15.2'
 node.default['rtl']['host'] = '10.1.1.163'
 node.default['rtl']['port'] = '3000'
 node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
-node.default['lndhub-go']['revision'] = '0.14.0'
+node.default['lndhub-go']['revision'] = '1.0.2'
 node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
 node.default['lndhub-go']['port'] = 3026
 node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
@ -83,8 +73,10 @@ node.default['lndhub-go']['postgres']['database'] = 'lndhub'
 node.default['lndhub-go']['postgres']['user'] = 'lndhub'
 node.default['lndhub-go']['postgres']['port'] = 5432
 node.default['lndhub-go']['default_rate_limit'] = 20
-node.default['lndhub-go']['strict_rate_limit'] =  1
+node.default['lndhub-go']['strict_rate_limit'] = 1
-node.default['lndhub-go']['burst_rate_limit'] =  10
+node.default['lndhub-go']['burst_rate_limit'] = 10
 node.default['lndhub-go']['service_fee'] = 1
 node.default['lndhub-go']['no_service_fee_up_to_amount'] = 1000
 node.default['lndhub-go']['branding'] = {
  'title' => 'LndHub - Kosmos Lightning',
  'desc' => 'Kosmos accounts for the Lightning Network',
@ -98,7 +90,7 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/
 node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
 node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
-node.default['nbxplorer']['revision'] = 'v2.5.0'
+node.default['nbxplorer']['revision'] = 'v2.5.26'
 node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
 node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
 node.default['nbxplorer']['port'] = '24445'
@ -106,7 +98,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
 node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
 node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
-node.default['btcpay']['revision'] = 'v1.12.5'
+node.default['btcpay']['revision'] = 'v2.1.1'
 node.default['btcpay']['source_dir'] = '/opt/btcpay'
 node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
 node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
@ -119,3 +111,5 @@ node.default['btcpay']['postgres']['user'] = 'satoshi'
 node.default['peerswap']['repo'] = 'https://github.com/ElementsProject/peerswap.git'
 node.default['peerswap']['revision'] = 'master'
 node.default['peerswap-lnd']['source_dir'] = '/opt/peerswap'
 node.default['price_tracking']['rs_base_url'] = "https://storage.kosmos.org/kosmos/public/btc-price"
--- a/site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb
@ -11,6 +11,7 @@ credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 file "/root/.aws/config" do
  mode "600"
  sensitive true
  content lazy { <<-EOF
 [default]
 region = #{credentials["s3_region"]}
--- a/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
@ -12,8 +12,15 @@ if node["bitcoin"]["blocksdir_mount_type"]
  include_recipe "kosmos-bitcoin::blocksdir-mount"
 end
-%w{ libtool autotools-dev make automake cmake curl g++-multilib libtool
+apt_repository "ubuntu-toolchain-r" do
-    binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
+  # provides g++-13, needed for better c++-20 support
  uri "ppa:ubuntu-toolchain-r/test"
 end
 %w{
  gcc-13 g++-13 libtool autotools-dev make automake cmake curl bison
  binutils-gold pkg-config python3 patch
 }.each do |pkg|
  apt_package pkg
 end
@ -26,28 +33,21 @@ end
 execute "compile_bitcoin-core_dependencies" do
  cwd "/usr/local/bitcoind/depends"
-  command "make NO_QT=1"
+  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
  command "make -j $(($(nproc)/2))"
  action :nothing
  notifies :run, 'bash[compile_bitcoin-core]', :immediately
 end
 bash "compile_bitcoin-core" do
  cwd "/usr/local/bitcoind"
  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
  code <<-EOH
-    ./autogen.sh
+    cmake -B build --toolchain depends/x86_64-pc-linux-gnu/toolchain.cmake
-    ./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
+    cmake --build build -j $(($(nproc)/2))
-    make
+    cmake --install build
  EOH
  action :nothing
  notifies :restart, "systemd_unit[bitcoind.service]", :delayed
 end
 link "/usr/local/bin/bitcoind" do
  to "/usr/local/bitcoind/src/bitcoind"
 end
 link "/usr/local/bin/bitcoin-cli" do
  to "/usr/local/bitcoind/src/bitcoin-cli"
 end
 bitcoin_user      = node['bitcoin']['username']
--- a/site-cookbooks/kosmos-bitcoin/recipes/boltz.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/boltz.rb
@ -1,87 +0,0 @@
 #
 # Cookbook:: kosmos-bitcoin
 # Recipe:: boltz
 #
 include_recipe "git"
 include_recipe "kosmos-bitcoin::golang"
 git node['boltz']['source_dir'] do
  repository node['boltz']['repo']
  revision node['boltz']['revision']
  action :sync
  notifies :run, 'bash[compile_and_install_boltz]', :immediately
 end
 bash "compile_and_install_boltz" do
  cwd node['boltz']['source_dir']
  code <<-EOH
 go mod vendor && \
 make build && \
 make install
  EOH
  action :nothing
  notifies :restart, "systemd_unit[boltzd.service]", :delayed
 end
 bitcoin_user  = node['bitcoin']['username']
 bitcoin_group = node['bitcoin']['usergroup']
 boltz_dir     = node['boltz']['boltz_dir']
 lnd_dir       = node['lnd']['lnd_dir']
 directory boltz_dir do
  owner bitcoin_user
  group bitcoin_group
  mode '0750'
  action :create
 end
 template "#{boltz_dir}/boltz.toml" do
  source "boltz.toml.erb"
  owner bitcoin_user
  group bitcoin_group
  mode '0640'
  variables lnd_grpc_host: '127.0.0.1',
            lnd_grpc_port: '10009',
            lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
            lnd_tlscert_path: "#{lnd_dir}/tls.cert",
            boltz_config: node['boltz']
  notifies :restart, "systemd_unit[boltzd.service]", :delayed
 end
 systemd_unit 'boltzd.service' do
  content({
    Unit: {
      Description: 'Boltz Daemon',
      Documentation: ['https://lnd.docs.boltz.exchange'],
      Requires: 'lnd.service',
      After: 'lnd.service'
    },
    Service: {
      User: bitcoin_user,
      Group: bitcoin_group,
      Type: 'simple',
      ExecStart: "/opt/boltz/boltzd",
      Restart: 'always',
      RestartSec: '30',
      TimeoutSec: '240',
      LimitNOFILE: '128000',
      PrivateTmp: true,
      ProtectSystem: 'full',
      NoNewPrivileges: true,
      PrivateDevices: true,
      MemoryDenyWriteExecute: true
    },
    Install: {
      WantedBy: 'multi-user.target'
    }
  })
  verify false
  triggers_reload true
  action [:create, :enable, :start]
 end
 unless node.chef_environment == 'development'
  node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
  include_recipe 'backup'
 end
--- a/site-cookbooks/kosmos-bitcoin/recipes/golang.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/golang.rb
@ -5,7 +5,7 @@
 # Internal recipe for managing the Go installation in one place
 #
-node.override['golang']['version'] = "1.20.3"
+node.override['golang']['version'] = "1.23.1"
 include_recipe "golang"
 link '/usr/local/bin/go' do
--- a/site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb
@ -10,12 +10,14 @@ include_recipe "kosmos-bitcoin::aws-client"
 package "inotify-tools"
 backup_script_path = "/opt/lnd-channel-backup-s3.sh"
 backup_credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 template backup_script_path do
  source "lnd-channel-backup-s3.sh.erb"
  mode '0740'
  variables lnd_dir: node['lnd']['lnd_dir'],
            bitcoin_network: node['bitcoin']['network'],
            s3_endpoint: backup_credentials['s3_endpoint'],
            s3_bucket: node['backup']['s3']['bucket'],
            s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
  notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
--- a/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
@ -66,6 +66,8 @@ template "#{source_dir}/.env" do
    default_rate_limit: node['lndhub-go']['default_rate_limit'],
    strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
    burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
    service_fee: 1,
    no_service_fee_up_to_amount: 1000,
    branding: node['lndhub-go']['branding'],
    webhook_url: node['lndhub-go']['webhook_url'],
    sentry_dsn: credentials['sentry_dsn']
--- a/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb
@ -58,9 +58,7 @@ directory '/run/nbxplorer' do
 end
 env = {
-  NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20",
+  NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20"
  NBXPLORER_AUTOMIGRATE: "1",
  NBXPLORER_NOMIGRATEEVTS: "1"
 }
 systemd_unit 'nbxplorer.service' do
--- a/site-cookbooks/kosmos-bitcoin/recipes/price_tracking.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/price_tracking.rb
@ -0,0 +1,59 @@
 #
 # Cookbook:: kosmos-bitcoin
 # Recipe:: price_tracking
 #
 # Track BTC rates and publish them via remoteStorage
 #
 %w[curl jq].each do |pkg|
  apt_package pkg
 end
 daily_tracker_path = "/usr/local/bin/btc-price-tracker-daily"
 credentials = Chef::EncryptedDataBagItem.load('credentials', 'kosmos-rs')
 template daily_tracker_path do
  source "btc-price-tracker-daily.sh.erb"
  mode '0740'
  variables rs_base_url: node['price_tracking']['rs_base_url']
  notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
 end
 systemd_unit 'btc-price-tracker-daily.service' do
  content({
    Unit: {
      Description: 'BTC price tracker (daily rates)',
      After: 'network-online.target',
      Wants: 'network-online.target'
    },
    Service: {
      Type: 'oneshot',
      ExecStart: daily_tracker_path,
      Environment: "RS_AUTH=#{credentials["auth_tokens"]["/btc-price"]}"
    },
    Install: {
      WantedBy: 'multi-user.target'
    }
  })
  sensitive true
  triggers_reload true
  action [:create]
 end
 systemd_unit 'btc-price-tracker-daily.timer' do
  content({
    Unit: {
      Description: 'Run BTC price tracker daily'
    },
    Timer: {
      OnCalendar: '*-*-* 00:00:00',
      Persistent: 'true'
    },
    Install: {
      WantedBy: 'timers.target'
    }
  })
  triggers_reload true
  action [:create, :enable, :start]
 end
--- a/site-cookbooks/kosmos-bitcoin/recipes/rtl.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/rtl.rb
@ -46,24 +46,22 @@ rtl_config = {
  multiPassHashed: credentials["multiPassHashed"]
 }
 if node['boltz']
  # TODO adapt for multi-node usage
  rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
  rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
 end
 git rtl_dir do
  user bitcoin_user
  group bitcoin_group
  repository node['rtl']['repo']
  revision node['rtl']['revision']
  notifies :run, "execute[npm_install]", :immediately
  notifies :restart, "systemd_unit[#{app_name}.service]", :delayed
 end
-execute "npm install" do
+execute "npm_install" do
  cwd rtl_dir
  environment "HOME" => rtl_dir
  user bitcoin_user
  # TODO remove --force when upstream dependency issues have been resolved
  command "npm install --force"
  action :nothing
 end
 file "#{rtl_dir}/RTL-Config.json" do
--- a/site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb
@ -1,32 +0,0 @@
 [LND]
 # Host of the gRPC interface of LND
 host = "<%= @lnd_grpc_host %>"
 # Port of the gRPC interface of LND
 port = <%= @lnd_grpc_port %>
 # Path to a macaroon file of LND
 # The daemon needs to have permission to read various endpoints, generate addresses and pay invoices 
 macaroon = "<%= @lnd_macaroon_path %>"
 # Path to the TLS certificate of LND
 certificate = "<%= @lnd_tlscert_path %>"
 [RPC]
 # Host of the gRPC interface
 host = "<%= @boltz_config['grpc_host'] %>"
 # Port of the gRPC interface
 port = <%= @boltz_config['grpc_port'] %>
 # Whether the REST proxy for the gRPC interface should be disabled
 restDisabled = <%= @boltz_config['rest_disabled'] %>
 # Host of the REST proxy
 restHost = "<%= @boltz_config['rest_host'] %>"
 # Port of the REST proxy
 restPort = <%= @boltz_config['rest_port'] %>
 # Whether the macaroon authentication for the gRPC and REST interface should be disabled
 noMacaroons = <%= @boltz_config['no_macaroons'] %>
--- a/site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb
@ -0,0 +1,49 @@
 #!/bin/bash
 # Calculate yesterday's date in YYYY-MM-DD format
 YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
 echo "Starting price tracking for $YESTERDAY" >&2
 # Fetch and process rates for a fiat currency
 get_price_data() {
    local currency=$1
    local data avg open24 last
    data=$(curl -s "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/")
    if [ $? -eq 0 ] && [ ! -z "$data" ]; then
        echo "Successfully retrieved ${currency} price data" >&2
        open24=$(echo "$data" | jq -r '.open_24')
        last=$(echo "$data" | jq -r '.last')
        avg=$(( (${open24%.*} + ${last%.*}) / 2 ))
        echo $avg
    else
        echo "ERROR: Failed to retrieve ${currency} price data" >&2
        exit 1
    fi
 }
 # Get price data for each currency
 usd_avg=$(get_price_data "USD")
 eur_avg=$(get_price_data "EUR")
 gbp_avg=$(get_price_data "GBP")
 # Create JSON
 json="{\"EUR\":$eur_avg,\"USD\":$usd_avg,\"GBP\":$gbp_avg}"
 echo "Rates: $json" >&2
 # PUT in remote storage
 response=$(curl -X PUT \
    -H "Authorization: Bearer $RS_AUTH" \
    -H "Content-Type: application/json" \
    -d "$json" \
    -w "%{http_code}" \
    -s \
    -o /dev/null \
    "<%= @rs_base_url %>/$YESTERDAY")
 if [ "$response" -eq 200 ] || [ "$response" -eq 201 ]; then
   echo "Successfully uploaded price data" >&2
 else
   echo "ERROR: Failed to upload price data. HTTP status: $response" >&2
   exit 1
 fi
--- a/site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb
@ -3,5 +3,5 @@ set -xe -o pipefail
 while true; do
  inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
-  aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
+  aws --endpoint <%= @s3_endpoint %> s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
 done
--- a/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
@ -12,7 +12,6 @@ minchansize=<%= @lnd_minchansize %>
 autopilot.active=0
 [Bitcoin]
 bitcoin.active=1
 bitcoin.mainnet=1
 bitcoin.node=bitcoind
 bitcoin.basefee=<%= @lnd_basefee %>
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@ -84,6 +84,12 @@ hosts = [
    sql_database: "ejabberd",
    ldap_enabled: true,
    ldap_password: ejabberd_credentials['kosmos_ldap_password'],
    certfiles: [
      "/opt/ejabberd/conf/kosmos.org.crt",
      "/opt/ejabberd/conf/kosmos.org.key",
      "/opt/ejabberd/conf/kosmos.chat.crt",
      "/opt/ejabberd/conf/kosmos.chat.key"
    ],
    append_host_config: <<-EOF
    modules:
      mod_disco:
@ -104,6 +110,7 @@ hosts = [
        access_persistent: muc_create
        access_register: muc_create
        max_user_conferences: 1000
        max_users: 2000
        default_room_options:
          mam: true
        preload_rooms: true
@ -114,6 +121,10 @@ hosts = [
    sql_database: "ejabberd_5apps",
    ldap_enabled: true,
    ldap_password: ejabberd_credentials['5apps_ldap_password'],
    certfiles: [
      "/opt/ejabberd/conf/5apps.com.crt",
      "/opt/ejabberd/conf/5apps.com.key"
    ],
    append_host_config: <<-EOF
    modules:
      mod_disco:
@ -155,7 +166,7 @@ admin_users = ejabberd_credentials['admins']
 hosts.each do |host|
  ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
  if host[:name] == "kosmos.org"
-    ldap_filter = "(&(objectClass=person)(serviceEnabled=xmpp))"
+    ldap_filter = "(&(objectClass=person)(serviceEnabled=ejabberd))"
  else
    ldap_filter = "(objectClass=person)"
  end
--- a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
@ -15,9 +15,9 @@ set -e
 # letsencrypt live folder
 for domain in $RENEWED_DOMAINS; do
  case $domain in
-  kosmos.org|5apps.com)
+  kosmos.org|kosmos.chat|5apps.com)
-    cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key
+    cp "/etc/letsencrypt/live/${domain}/privkey.pem" /opt/ejabberd/conf/$domain.key
-    cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
+    cp "/etc/letsencrypt/live/${domain}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
    chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
    chmod 600 /opt/ejabberd/conf/$domain.*
    /opt/ejabberd-#{node["ejabberd"]["version"]}/bin/ejabberdctl reload_config
@ -38,21 +38,29 @@ gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
 template "/root/gandi_dns_certbot_hook.sh" do
  variables access_token: gandi_api_credentials["access_token"]
  mode 0700
  sensitive true
 end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
-execute "letsencrypt cert for kosmos xmpp" do
+execute "letsencrypt cert for kosmos.org domains" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n"
+  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d upload.kosmos.org -d proxy.kosmos.org -d pubsub.kosmos.org -d uploads.xmpp.kosmos.org -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
  end
 end
 execute "letsencrypt cert for kosmos.chat" do
  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.chat -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/kosmos.chat/fullchain.pem")
  end
 end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.chat\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.chat\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
  end
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@ -185,8 +185,11 @@ api_permissions:
    what:
      - "add_rosteritem"
      - "delete_rosteritem"
-      - "send_message"
+      - "get_vcard2"
      - "muc_register_nick"
      - "private_set"
      - "send_message"
      - "send_stanza"
 language: "en"
@ -216,7 +219,7 @@ modules:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: false
-    max_items_node: 10
+    max_items_node: 10000
    plugins:
      - "flat"
      - "pep" # pep requires mod_caps
@ -231,7 +234,6 @@ modules:
  mod_shared_roster: {}
  mod_stun_disco:
    offer_local_services: false
    credentials_lifetime: 300
    secret: <%= @stun_secret %>
    services:
      -
--- a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
@ -1,7 +1,8 @@
 # Generated by Chef for <%= @host[:name] %>
 certfiles:
-  - "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
+<% @host[:certfiles].each do |certfile| %>
-  - "/opt/ejabberd/conf/<%= @host[:name] %>.key"
+  - <%= certfile %>
 <% end %>
 host_config:
  "<%= @host[:name] %>":
    sql_type: pgsql
--- a/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb
+++ b/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb
@ -4,6 +4,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
 tls_cert_for domain do
  auth "gandi_dns"
  acme_domain "letsencrypt.kosmos.org"
  action :create
 end
--- a/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb
+++ b/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb
@ -5,6 +5,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
 tls_cert_for domain do
  auth "gandi_dns"
  acme_domain "letsencrypt.kosmos.org"
  action :create
 end
--- a/site-cookbooks/kosmos-mastodon/attributes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb
@ -1,5 +1,5 @@
 node.default["kosmos-mastodon"]["repo"]              = "https://gitea.kosmos.org/kosmos/mastodon.git"
-node.default["kosmos-mastodon"]["revision"]          = "production"
+node.default["kosmos-mastodon"]["revision"]          = "production-4.3"
 node.default["kosmos-mastodon"]["directory"]         = "/opt/mastodon"
 node.default["kosmos-mastodon"]["bind_ip"]           = "127.0.0.1"
 node.default["kosmos-mastodon"]["app_port"]          = 3000
@ -10,7 +10,7 @@ node.default["kosmos-mastodon"]["redis_url"]         = "redis://localhost:6379/0
 node.default["kosmos-mastodon"]["sidekiq_threads"]   = 25
 node.default["kosmos-mastodon"]["allowed_private_addresses"] = "127.0.0.1"
-node.default["kosmos-mastodon"]["onion_address"]     = nil
+node.default["kosmos-mastodon"]["onion_address"] = nil
 # Allocate this amount of RAM to the Java heap for Elasticsearch
 node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
@ -20,6 +20,10 @@ node.default["kosmos-mastodon"]["s3_region"]     = nil
 node.default["kosmos-mastodon"]["s3_bucket"]     = nil
 node.default["kosmos-mastodon"]["s3_alias_host"] = nil
 node.default["kosmos-mastodon"]["sso_account_sign_up_url"] = "https://kosmos.org"
 node.default["kosmos-mastodon"]["sso_account_reset_password_url"] = "https://accounts.kosmos.org/users/password/new"
 node.default["kosmos-mastodon"]["sso_account_resend_confirmation_url"] = "https://accounts.kosmos.org/users/confirmation/new"
 node.default["kosmos-mastodon"]["default_locale"] = "en"
 node.default["kosmos-mastodon"]["libre_translate_endpoint"] = nil
--- a/site-cookbooks/kosmos-mastodon/recipes/backup.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/backup.rb
@ -6,13 +6,12 @@
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 unless node.chef_environment == "development"
-  unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
+  node.override['backup']['s3']['keep'] = 1
-    node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
+  node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
-    node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
+  node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
-      username: "mastodon",
+    username: "mastodon",
-      password: postgresql_data_bag_item['mastodon_user_password']
+    password: postgresql_data_bag_item['mastodon_user_password']
-    }
+  }
  end
  include_recipe "backup"
 end
--- a/site-cookbooks/kosmos-mastodon/recipes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb
@ -3,7 +3,7 @@
 # Recipe:: default
 #
-node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_16.x"
+node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
 include_recipe "kosmos-nodejs"
 include_recipe "java"
@ -71,11 +71,7 @@ package %w(build-essential imagemagick ffmpeg libxml2-dev libxslt1-dev file git
           curl pkg-config libprotobuf-dev protobuf-compiler libidn11
           libidn11-dev libjemalloc2 libpq-dev)
-npm_package "yarn" do
+ruby_version = "3.3.5"
  version "1.22.4"
 end
 ruby_version = "3.3.0"
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
@ -190,9 +186,13 @@ template "#{mastodon_path}/.env.#{rails_env}" do
  mode  "0640"
  owner mastodon_user
  group mastodon_user
  sensitive true
  variables redis_url: node["kosmos-mastodon"]["redis_url"],
            domain: node["kosmos-mastodon"]["domain"],
            alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
            active_record_encryption_deterministic_key: credentials["active_record_encryption_deterministic_key"],
            active_record_encryption_key_derivation_salt: credentials["active_record_encryption_key_derivation_salt"],
            active_record_encryption_primary_key: credentials["active_record_encryption_primary_key"],
            paperclip_secret: credentials['paperclip_secret'],
            secret_key_base: credentials['secret_key_base'],
            otp_secret: credentials['otp_secret'],
@ -210,6 +210,9 @@ template "#{mastodon_path}/.env.#{rails_env}" do
            vapid_public_key: credentials['vapid_public_key'],
            db_pass: postgresql_credentials['mastodon_user_password'],
            db_host: "pg.kosmos.local",
            sso_account_sign_up_url: node["kosmos-mastodon"]["sso_account_sign_up_url"],
            sso_account_reset_password_url: node["kosmos-mastodon"]["sso_account_reset_password_url"],
            sso_account_resend_confirmation_url: node["kosmos-mastodon"]["sso_account_resend_confirmation_url"],
            default_locale: node["kosmos-mastodon"]["default_locale"],
            allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],
            libre_translate_endpoint: node["kosmos-mastodon"]["libre_translate_endpoint"]
@ -227,7 +230,7 @@ execute "yarn install" do
  environment deploy_env
  user mastodon_user
  cwd mastodon_path
-  command "yarn install --frozen-lockfile"
+  command "corepack prepare && yarn install --immutable"
 end
 execute "rake assets:precompile" do
@ -262,6 +265,44 @@ service "mastodon-streaming" do
  action [:enable, :start]
 end
 #
 # Delete cached remote media older than 30 days
 # Will be re-fetched if necessary
 #
 systemd_unit 'mastodon-delete-old-media-cache.service' do
  content({
    Unit: {
      Description: 'Delete old Mastodon media cache'
    },
    Service: {
      Type: "oneshot",
      WorkingDirectory: mastodon_path,
      Environment: "RAILS_ENV=#{rails_env}",
      ExecStart: "#{bundle_path} exec bin/tootctl media remove --days 30",
    }
  })
  triggers_reload true
  action [:create]
 end
 systemd_unit 'mastodon-delete-old-media-cache.timer' do
  content({
    Unit: {
      Description: 'Delete old Mastodon media cache'
    },
    Timer: {
      OnCalendar: '*-*-* 00:00:00',
      Persistent: 'true'
    },
    Install: {
      WantedBy: 'timer.target'
    }
  })
  triggers_reload true
  action [:create, :enable, :start]
 end
 firewall_rule "mastodon_app" do
  port     node['kosmos-mastodon']['app_port']
  source   "10.1.1.0/24"
--- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
@ -12,6 +12,13 @@ search(:node, "role:mastodon").each do |node|
 end
 if upstream_hosts.any?
  web_root_dir = "/var/www/#{server_name}/public"
  directory web_root_dir do
    action :create
    recursive true
    owner 'www-data'
    group 'www-data'
    mode 0755
  end
 else
  web_root_dir = "#{app_dir}/public"
  upstream_hosts << "localhost"
--- a/site-cookbooks/kosmos-mastodon/templates/default/env.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/env.erb
@ -12,6 +12,9 @@ LOCAL_HTTPS=true
 # Application secrets
 # Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=<%= @active_record_encryption_deterministic_key %>
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=<%= @active_record_encryption_key_derivation_salt %>
 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=<%= @active_record_encryption_primary_key %>
 PAPERCLIP_SECRET=<%= @paperclip_secret %>
 SECRET_KEY_BASE=<%= @secret_key_base %>
 OTP_SECRET=<%= @otp_secret %>
@ -44,6 +47,9 @@ LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
 LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
 LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
 LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
 SSO_ACCOUNT_SIGN_UP=<%= @sso_account_sign_up_url %>
 SSO_ACCOUNT_RESET_PASSWORD=<%= @sso_account_reset_password_url %>
 SSO_ACCOUNT_RESEND_CONFIRMATION=<%= @sso_account_resend_confirmation_url %>
 <% end %>
 # Optional asset host for multi-server setups
--- a/site-cookbooks/kosmos-nginx/recipes/default.rb
+++ b/site-cookbooks/kosmos-nginx/recipes/default.rb
@ -59,7 +59,7 @@ cookbook_file "#{node["nginx"]["user_home"]}/maintenance.html" do
  source "maintenance.html"
  owner node['nginx']['user']
  group node['nginx']['group']
-  mode "0640"
+  mode "0755"
 end
 unless node.chef_environment == "development"
--- a/site-cookbooks/kosmos_drone/recipes/default.rb
+++ b/site-cookbooks/kosmos_drone/recipes/default.rb
@ -26,7 +26,7 @@ template "#{deploy_path}/docker-compose.yml" do
  mode 0640
  variables domain: node["kosmos_drone"]["domain"],
            upstream_port: node["kosmos_drone"]["upstream_port"],
-            gitea_server: "https://#{node["kosmos_gitea"]["nginx"]["domain"]}",
+            gitea_server: "https://#{node["gitea"]["domain"]}",
            client_id: credentials['client_id'],
            client_secret: credentials['client_secret'],
            rpc_secret: credentials['rpc_secret'],
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@ -1,13 +1,21 @@
-node.default["gitea"]["version"] = "1.22.0"
+node.default["gitea"]["version"] = "1.23.8"
-node.default["gitea"]["checksum"] = "a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d"
+node.default["gitea"]["checksum"] = "827037e7ca940866918abc62a7488736923396c467fcb4acd0dd9829bb6a6f4c"
 node.default["gitea"]["repo"] = nil
 node.default["gitea"]["revision"] = nil
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
 node.default["gitea"]["domain"] = "gitea.kosmos.org"
 node.default["gitea"]["config"] = {
  "log": {
    "level" => "Info",
    "logger.router.MODE" => "",
    "logger.xorm.MODE" => "",
    "logger.access.MODE" => ""
  },
  "actions": {
-    "enabled": true
+    "enabled" => true
  },
  "webhook":  {
    "allowed_host_list" => "external,127.0.1.1"
--- a/site-cookbooks/kosmos_gitea/metadata.rb
+++ b/site-cookbooks/kosmos_gitea/metadata.rb
@ -10,5 +10,8 @@ chef_version '>= 14.0'
 depends "firewall"
 depends "kosmos_openresty"
 depends "kosmos_postgresql"
 depends "backup"
 depends "kosmos-dirsrv"
 depends 'kosmos-nodejs'
 depends 'git'
 depends 'golang'
 depends "backup"
--- a/site-cookbooks/kosmos_gitea/recipes/backup.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/backup.rb
@ -8,5 +8,6 @@
 unless node.chef_environment == "development"
  # backup the data dir and the config files
  node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
  node.override['backup']['s3']['keep'] = 2
  include_recipe "backup"
 end
--- a/site-cookbooks/kosmos_gitea/recipes/compile_from_source.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/compile_from_source.rb
@ -0,0 +1,42 @@
 #
 # Cookbook:: kosmos_gitea
 # Recipe:: compile_from_source
 #
 # Compiles/installs Gitea from source
 #
 include_recipe "git"
 node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
 include_recipe 'kosmos-nodejs'
 node.override["golang"]["version"] = "1.23.9"
 include_recipe "golang"
 link "/usr/local/bin/go" do
  to "/usr/local/go/bin/go"
 end
 source_dir = "/opt/gitea"
 git source_dir do
  repository node["gitea"]["repo"]
  revision node["gitea"]["revision"]
  action :sync
  notifies :run, "execute[npm_install]", :immediately
 end
 execute "npm_install" do
  cwd source_dir
  command "npm ci"
  action :nothing
  notifies :run, "bash[compile_gitea]", :immediately
 end
 bash "compile_gitea" do
  cwd source_dir
  environment "TAGS" => "bindata"
  code "make build"
  action :nothing
  notifies :restart, "service[gitea]", :delayed
 end
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@ -5,11 +5,12 @@
 version                   = node["gitea"]["version"]
 download_url              = "https://dl.gitea.io/gitea/#{version}/gitea-#{version}-linux-amd64"
 compile_from_source       = node["gitea"]["repo"] && node["gitea"]["revision"]
 working_directory         = node["gitea"]["working_directory"]
 git_home_directory        = "/home/git"
 repository_root_directory = "#{git_home_directory}/gitea-repositories"
 config_directory          = "/etc/gitea"
-gitea_binary_path         = "/usr/local/bin/gitea"
+gitea_binary_path         = compile_from_source ? "/opt/gitea/gitea" : "/usr/local/bin/gitea"
 gitea_data_bag_item       = data_bag_item("credentials", "gitea")
 smtp_credentials          = data_bag_item("credentials", "smtp")
 smtp_addr                 = smtp_credentials["relayhost"].split(":")[0]
@ -18,7 +19,6 @@ jwt_secret                = gitea_data_bag_item["jwt_secret"]
 internal_token            = gitea_data_bag_item["internal_token"]
 secret_key                = gitea_data_bag_item["secret_key"]
 # Dependency
 package "git"
 user "git" do
@ -108,11 +108,15 @@ template "#{config_directory}/app.ini" do
  notifies :restart, "service[gitea]", :delayed
 end
-remote_file gitea_binary_path do
+if compile_from_source
-  source download_url
+  include_recipe "kosmos_gitea::compile_from_source"
-  checksum node['gitea']['checksum']
+else
-  mode "0755"
+  remote_file gitea_binary_path do
-  notifies :restart, "service[gitea]", :delayed
+    source download_url
    checksum node['gitea']['checksum']
    mode "0755"
    notifies :restart, "service[gitea]", :delayed
  end
 end
 execute "systemctl daemon-reload" do
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@ -24,9 +24,11 @@ NAME    = gitea
 USER    = gitea
 PASSWD  = <%= @postgresql_password %>
 SSL_MODE = disable
 MAX_OPEN_CONNS = 20
 [repository]
 ROOT = <%= @repository_root_directory %>
 DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
 # [indexer]
 # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
@ -72,8 +74,11 @@ ENABLE_OPENID_SIGNIN = false
 ENABLE_OPENID_SIGNUP = false
 [log]
-MODE      = console
+MODE = console
-LEVEL     = Debug
+LEVEL = <%= @config["log"]["level"] %>
 logger.router.MODE = <%= @config["log"]["logger.router.MODE"] %>
 logger.xorm.MODE = <%= @config["log"]["logger.xorm.MODE"] %>
 logger.access.MODE = <%= @config["log"]["logger.access.MODE"] %>
 [attachment]
 ENABLED = true
--- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
@ -16,7 +16,7 @@ server {
  add_header Strict-Transport-Security "max-age=31536000";
-  client_max_body_size 20M;
+  client_max_body_size 121M;
  location ~ ^/(avatars|repo-avatars)/.*$ {
    proxy_buffers 1024 8k;
--- a/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
+++ b/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
@ -10,16 +10,6 @@ upstream _<%= @app_name %> {
 # TODO use cookbook attribute when enabling
 # variables_hash_max_size 2048;
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
  listen [::]:80;
  server_name <%= @server_name %>;
  # Redirect to https
  location / {
    return 301 https://<%= @server_name %>$request_uri;
  }
 }
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
  listen [::]:443 ssl http2;
--- a/site-cookbooks/kosmos_rsk/attributes/default.rb
+++ b/site-cookbooks/kosmos_rsk/attributes/default.rb
@ -1,4 +1,4 @@
-node.default['rskj']['version'] = '5.3.0~jammy'
+node.default['rskj']['version'] = '7.0.0~jammy'
 node.default['rskj']['network'] = 'testnet'
 node.default['rskj']['nginx']['domain'] = nil
--- a/site-cookbooks/kosmos_rsk/recipes/rskj.rb
+++ b/site-cookbooks/kosmos_rsk/recipes/rskj.rb
@ -19,6 +19,8 @@ apt_repository 'rskj' do
  key '5EED9995C84A49BC02D4F507DF10691F518C7BEA'
 end
 apt_package 'openjdk-17-jdk'
 apt_package 'rskj' do
  response_file 'rskj-preseed.cfg.erb'
  response_file_variables network: node['rskj']['network']
--- a/site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb
+++ b/site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb
@ -9,7 +9,7 @@ end
 describe package('rskj') do
  it { should be_installed }
-  its('version') { should eq '5.3.0~jammy' }
+  its('version') { should eq '7.0.0~jammy' }
 end
 describe service('rsk') do
--- a/site-cookbooks/kosmos_strfry/attributes/default.rb
+++ b/site-cookbooks/kosmos_strfry/attributes/default.rb
@ -1,2 +1,10 @@
 node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 node.default["strfry"]["extras_dir"] = "/opt/strfry"
 # node.default["substr"]["repo"] = "https://gitea.kosmos.org/kosmos/substr.git"
 # node.default["substr"]["revision"] = "master"
 node.default["substr"]["version"] = "nightly"
 node.default["substr"]["download_url"] = "https://gitea.kosmos.org/api/packages/kosmos/generic/substr/#{node["substr"]["version"]}/substr_x86_64-unknown-linux-gnu"
 node.default["substr"]["workdir"] = "/opt/substr"
 node.default["substr"]["port"] = 30023
 node.default["substr"]["relay_urls"] = ["ws://localhost:7777"]
--- a/site-cookbooks/kosmos_strfry/recipes/policies.rb
+++ b/site-cookbooks/kosmos_strfry/recipes/policies.rb
@ -24,7 +24,7 @@ env = {
  ldap_bind_dn: ldap_credentials["service_dn"],
  ldap_password: ldap_credentials["service_password"],
  ldap_search_dn: node["strfry"]["ldap_search_dn"],
-  whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
+  whitelist_pubkeys: node["strfry"]["known_pubkeys"].values.join(",")
 }
 template "#{extras_dir}/.env" do
--- a/site-cookbooks/kosmos_strfry/recipes/substr.rb
+++ b/site-cookbooks/kosmos_strfry/recipes/substr.rb
@ -0,0 +1,100 @@
 #
 # Cookbook:: kosmos_strfry
 # Recipe:: substr
 #
 unless platform?("ubuntu")
  raise "This recipe only supports Ubuntu installs at the moment"
 end
 apt_package "imagemagick"
 directory node["substr"]["workdir"] do
  owner node["strfry"]["user"]
  group node["strfry"]["group"]
  mode "0755"
 end
 if node["substr"]["download_url"]
  remote_file '/usr/local/bin/substr' do
    source node["substr"]["download_url"]
    checksum node["substr"]["checksum"]
    mode '0755'
    show_progress true
    notifies :restart, "service[substr]", :delayed
  end
  exec_start = "/usr/local/bin/substr"
 else
  # TODO Install Deno 2
  git node["substr"]["workdir"] do
    user node["strfry"]["user"]
    group node["strfry"]["group"]
    repository node['substr']['repo']
    revision node['substr']['revision']
    action :sync
    notifies :restart, "service[substr]", :delayed
  end
  exec_start = "deno task server"
 end
 file "#{node["substr"]["workdir"]}/users.yaml" do
  mode "0644"
  owner node["strfry"]["user"]
  group node["strfry"]["group"]
  content node["strfry"]["known_pubkeys"].to_yaml
  notifies :restart, "service[substr]", :delayed
 end
 ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
 env = {
  port: node['substr']['port'],
  base_url: "https://#{node["strfry"]["domain"]}",
  relay_urls: node['substr']['relay_urls'].join(","),
  ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
  ldap_bind_dn: ldap_credentials["service_dn"],
  ldap_password: ldap_credentials["service_password"],
  ldap_search_dn: node["strfry"]["ldap_search_dn"],
 }
 template "#{node["substr"]["workdir"]}/.env" do
  source 'env.erb'
  owner node["strfry"]["user"]
  group node["strfry"]["group"]
  mode 0600
  sensitive true
  variables config: env
  notifies :restart, "service[substr]", :delayed
 end
 systemd_unit "substr.service" do
  content({
    Unit: {
      Description: "substr for nostr",
      Documentation: ["https://gitea.kosmos.org/kosmos/substr"],
    },
    Service: {
      Type: "simple",
      User: node["strfry"]["user"],
      WorkingDirectory: node["substr"]["workdir"],
      ExecStart: exec_start,
      Restart: "on-failure",
      RestartSec: "5",
      ProtectHome: "no",
      NoNewPrivileges: "yes",
      ProtectSystem: "full"
    },
    Install: {
      WantedBy: "multi-user.target"
    }
  })
  triggers_reload true
  action :create
 end
 service "substr" do
  action [:enable, :start]
 end
--- a/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
+++ b/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
@ -4,9 +4,16 @@ upstream _strfry {
 <% end %>
 }
 upstream _substr {
 <% @upstream_hosts.each do |host| %>
  server <%= host %>:30023;
 <% end %>
 }
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
  server_name <%= @domain %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
  listen [::]:443 ssl http2;
  access_log "/var/log/nginx/<%= @domain %>.access.log";
  error_log "/var/log/nginx/<%= @domain %>.error.log";
@ -14,6 +21,16 @@ server {
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
  location = /favicon.ico {
    alias /var/www/assets.kosmos.org/site/img/favicon.ico;
  }
  location ~* ^/[@~n]|^/assets {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://_substr;
  }
  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
--- a/site-cookbooks/kosmos_website/recipes/redirects.rb
+++ b/site-cookbooks/kosmos_website/recipes/redirects.rb
@ -6,6 +6,7 @@
 redirects = [
  {
    domain: "kosmos.chat",
    acme_domain: "letsencrypt.kosmos.org",
    target: "https://kosmos.org",
    http_status: 307
  },
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb
@ -14,7 +14,5 @@ server {
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
-  location / {
+  return <%= @http_status || 307 %> <%= @target %>;
    return <%= @http_status || 301 %> <%= @target %>;
  }
 }
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
@ -2,7 +2,7 @@
 server {
  server_name _;
-  listen 80 default_server;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80 default_server;
  location / {
    return 301 https://<%= @domain %>;
@ -14,6 +14,10 @@ server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;
  if ($host != $server_name) {
    return 307 $scheme://$server_name;
  }
  root /var/www/<%= @domain %>/public;
  access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
@ -22,15 +26,18 @@ server {
  gzip_static on;
  gzip_comp_level 5;
  add_header 'Access-Control-Allow-Origin' '*';
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
  location /.well-known/host-meta.json {
    add_header 'Access-Control-Allow-Origin' '*';
  }
 <% if @accounts_url %>
-  location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
+  location ~ ^/.well-known/(keysend|lnurlp|nostr|openpgpkey|webfinger) {
    proxy_ssl_server_name on;
-    proxy_pass https://accounts.kosmos.org;
+    proxy_set_header X-Forwarded-Host $host;
    proxy_pass <%= @accounts_url %>;
  }
 <% end %>
 }
--- a/site-cookbooks/strfry
+++ b/site-cookbooks/strfry
@ -1 +1 @@
-Subproject commit a4756377b480c9bcceba4867969a0c15880913dc
+Subproject commit 2c6e64d2311d2a50b207f4d970c3a951b73d2a5c
Author	SHA1	Message	Date
Râu Cao	63d0b68c36	Upgrade Deno	2025-06-02 10:53:38 +04:00
Râu Cao	3adb2a1aee	Adapt strfry config to cookbook changes, increase allowed event size	2025-06-01 20:06:47 +04:00
Râu Cao	9cff1fb68b	Update node info	2025-06-01 20:06:32 +04:00
Greg	3c51ff261e	Merge pull request 'Compile Gitea from source, apply our LDAP fixes' (#596 ) from feature/compile_gitea_from_source into master Reviewed-on: #596 Reviewed-by: Greg <greg@kosmos.org>	2025-05-31 12:26:28 +00:00
Râu Cao	0c62ff6c84	Improve Gitea logging	2025-05-31 15:29:18 +04:00
Râu Cao	2c3b381755	Update Gitea stable version	2025-05-31 15:29:03 +04:00
Râu Cao	3492bec627	Use Gitea from source	2025-05-31 15:28:33 +04:00
Râu Cao	00f4c8bd31	Optionally compile Gitea from source	2025-05-31 15:27:21 +04:00
Râu Cao	301596500d	Update node info	2025-05-28 10:18:53 +04:00
Râu Cao	8a2bfb6b18	Fix attribute Was moved to a new name since the recipe was created	2025-05-23 14:44:04 +04:00
Râu Cao	846bf3483a	Update node info	2025-05-23 14:43:40 +04:00
Greg	e3ef1dc3b3	Merge pull request 'Upgrade Bitcoin Core, NBXplorer, BTCPay Server' (#595 ) from chore/upgrade_bitcoin_software into master Reviewed-on: #595 Reviewed-by: Greg <greg@noreply.kosmos.org>	2025-05-22 12:32:25 +00:00
Râu Cao	2089999cc8	Upgrade bitcoind to 29.0, switch to cmake	2025-05-22 15:52:22 +04:00
Râu Cao	a4aa29de0c	Upgrade NBXplorer, BTCPay Server	2025-05-22 15:50:27 +04:00
Râu Cao	98be234a4f	Merge pull request 'Configure maximum size and timespan of journald logs' (#594 ) from feature/506-journald_logs_config into master Reviewed-on: #594 Reviewed-by: Râu Cao <raucao@kosmos.org>	2025-05-21 12:12:57 +00:00
Greg Karekinian	7dc4f674a0	Use the systemd unit instead of an execute resource Also extract the attributes so it is possible to override them.	2025-05-21 13:40:12 +02:00
Greg Karekinian	49b636305e	Update mastodon-3 node file after Chef run	2025-05-21 11:36:15 +02:00
Greg Karekinian	3e2ee30334	Configure maximum size and timespan of journald logs Closes #506	2025-05-21 11:36:15 +02:00
Râu Cao	d00072ee5a	Merge pull request 'Delete old Mastodon media cache every day' (#593 ) from feature/533-delete_old_mastodon_cached_media into master Reviewed-on: #593 Reviewed-by: Râu Cao <raucao@kosmos.org>	2025-05-17 07:06:35 +00:00
Râu Cao	14687558fe	Minor cleanup	2025-05-17 10:55:06 +04:00
Râu Cao	de7cc69505	Allow more users per room	2025-05-17 10:42:41 +04:00
Greg Karekinian	b01315f998	Delete old Mastodon media cache every day This is done using a systemd timer Closes #533	2025-05-16 19:12:47 +02:00
Râu Cao	160134bd86	Allow more ejabberd API calls from akkounts	2025-05-16 15:17:43 +04:00
Greg	766030d716	Merge pull request 'Adapt akkounts recipes for config changes' (#592 ) from chore/rails_deployment into master Reviewed-on: #592 Reviewed-by: Greg <greg@noreply.kosmos.org>	2025-05-06 17:11:24 +00:00
Râu Cao	3c436bb9f1	Configure LDAP for akkounts, add more Rails credentials	2025-05-06 19:41:54 +04:00
Râu Cao	d029d90214	Generate postgres user/db for akkounts, use credentials from env Co-authored-by: Greg Karékinian <greg@karekinian.com>	2025-05-06 15:49:43 +04:00
Râu Cao	f8e5fd2f3e	Fix missing dir for Mastodon maintenance file	2025-04-29 17:53:05 +04:00
Râu Cao	cab766c806	Update node.js, install bun, for Rails 8.0 upgrade	2025-04-29 17:51:53 +04:00
Râu Cao	5777a45f0a	Fix/improve ejabberd cert renewals	2025-04-22 17:28:44 +04:00
Râu Cao	f23c37312e	Update deno cookbook	2025-04-18 16:21:07 +04:00
Râu Cao	cf1ef4f2f4	Merge pull request 'Upgrade Gitea, disable downloads of repo archives' (#588 ) from chore/upgrade_gitea into master Reviewed-on: #588	2025-04-09 13:28:28 +00:00
Râu Cao	f65256d229	Disable downloads of repo archives	2025-04-09 17:25:41 +04:00
Râu Cao	2cc0ee5b8a	Upgrade Gitea to 1.23.7	2025-04-09 17:25:17 +04:00
Râu Cao	10e8ba5569	Add missing CORS headers to host-meta.json Otherwise XMPP Web clients cannot fetch the Bosh and WS endpoint info	2025-04-08 00:10:29 +04:00
Râu Cao	6c35a20b89	Merge pull request 'Upgrade rskj to 7.0.0' (#587 ) from chore/upgrade_rskj into master Reviewed-on: #587	2025-04-05 09:14:25 +00:00
Râu Cao	e3d9a50f09	Upgrade Gitea to 1.23.6	2025-04-04 18:53:46 +04:00
Râu Cao	c4652ca2eb	Upgrade rskj to 7.0.0	2025-04-04 16:59:11 +04:00
Râu Cao	56440bfd89	Merge pull request 'Upgrade nbxplorer, BTCPay Server' (#586 ) from chore/upgrade_btcpay into master Reviewed-on: #586	2025-03-25 10:08:06 +00:00
Râu Cao	abee2407bf	Upgrade nbxplorer, BTCPay Server	2025-03-25 14:03:34 +04:00
Râu Cao	0cef08fb7b	Merge pull request 'Update Gandi API token' (#585 ) from chore/update_gandi_token into master Reviewed-on: #585	2025-03-19 14:02:49 +00:00
Râu Cao	f246f63594	Update Gandi API token For certbot renewals. Also set resource to sensitive in ejabberd recipe. Co-authored-by: Greg Karékinian <greg@karekinian.com>	2025-03-19 18:01:50 +04:00
Râu Cao	2dee25bf23	Update node info	2025-03-19 18:00:07 +04:00
Râu Cao	a28d31b415	Upgrade Gitea to 1.23.5	2025-03-05 14:09:03 +04:00
Râu Cao	0bf50bce2e	Merge pull request 'Fix postgres running out of available connection slots' (#584 ) from bugfix/gitea_db_connections into master Reviewed-on: #584	2025-03-05 10:03:51 +00:00
Râu Cao	6be99aa3de	Cap maximum open database connections Fixes Gitea opening too many connections, which can impact other apps trying to connect as well.	2025-03-05 13:53:33 +04:00
Râu Cao	90bf66ada9	Upgrade Gitea to 1.23.4	2025-02-21 10:12:27 +04:00
Râu Cao	32cfd6401f	Upgrade LND to 0.18.5 Urgent security upgrade	2025-02-19 14:19:10 +04:00
Râu Cao	1124f25069	Upgrade Gitea to 1.23.3	2025-02-12 11:51:14 +04:00
Greg	f34c7ecd9b	Merge pull request 'Publish daily BTC price in public remoteStorage' (#581 ) from feature/btc-rate-tracker into master Reviewed-on: #581 Reviewed-by: Greg <greg@noreply.kosmos.org>	2025-01-23 13:28:33 +00:00
Râu Cao	8d149a475d	Merge pull request 'Upgrade Gitea to 1.23.1' (#582 ) from chore/upgrade_gitea into master Reviewed-on: #582	2025-01-22 14:41:19 +00:00
Râu Cao	905a67475b	Upgrade Gitea to 1.23.1	2025-01-22 09:36:33 -05:00
Râu Cao	8251fa83ce	Merge pull request 'Deploy substr' (#579 ) from feature/substr into master Reviewed-on: #579	2025-01-22 14:27:02 +00:00
Râu Cao	0fa61a585e	DRY up code, add GBP rates	2025-01-17 14:52:28 -05:00
Râu Cao	89f1790afc	Publish daily BTC price in public remoteStorage	2025-01-17 10:42:09 -05:00
Râu Cao	72ac8c6a84	Update akkounts credentials	2025-01-17 09:17:43 -05:00
Râu Cao	b1bb5d0625	Use default value for STUN credentials lifetime	2025-01-14 15:30:42 -05:00
Râu Cao	b470110fd4	Upgrade Gitea to 1.22.6	2024-12-16 12:10:08 +04:00
Râu Cao	31b7ff9217	Upgrade Gitea to 1.22.5	2024-12-12 18:32:58 +04:00
Râu Cao	d90a374811	Remove outdated flag from certbot command	2024-12-12 18:32:26 +04:00
Râu Cao	12cd14fff5	Deploy new postgres primary	2024-12-12 18:31:54 +04:00
Râu Cao	b67d91077d	Remove old garage nodes	2024-12-12 18:30:16 +04:00
Râu Cao	070badfeb3	Add postgres replica bootstrap example	2024-12-12 18:29:16 +04:00
Râu Cao	4ce39738fd	Allow larger bodies for Gitea file uploads Needed for uploading larger packages to the registry	2024-12-09 21:19:39 +04:00
Râu Cao	d35e57b90e	Deploy substr	2024-12-09 21:19:13 +04:00
Râu Cao	2d8a1cebb1	Update node info	2024-12-09 20:44:18 +04:00
Râu Cao	c8160e38c8	Turn known pubkeys into object with usernames	2024-12-09 18:21:55 +04:00
Râu Cao	67cd89b7b8	Merge pull request 'Fix TLS cert updates for kosmos.chat' (#578 ) from chore/fix_cert_updates_kosmos-chat into master Reviewed-on: #578	2024-12-09 14:21:05 +00:00
Râu Cao	e4112a3626	Fix TLS cert updates for kosmos.chat Some recipes weren't updated for the proxy validation yet. Needed to split the ejabberd cert in two, so it can do normal validation on `.org` and proxy validation on `.chat`.	2024-12-09 18:17:10 +04:00
Râu Cao	89813465b2	Merge pull request 'Upgrade Mastodon to 4.3' (#577 ) from chore/upgrade_mastodon into master Reviewed-on: #577	2024-12-09 14:14:35 +00:00
Râu Cao	6106e627e2	Upgrade Mastodon to 4.3 Co-authored-by: Greg Karékinian <greg@karekinian.com>	2024-12-09 18:12:45 +04:00
Râu Cao	d8baa41c14	Add new node configs	2024-12-09 18:11:51 +04:00
Greg	8405b8df52	Merge pull request 'Upgrade lndhub.go to 1.0.2, add service fee config' (#576 ) from chore/upgrade_lndhub into master Reviewed-on: #576 Reviewed-by: Greg <greg@noreply.kosmos.org>	2024-10-20 19:27:19 +00:00
Râu Cao	775f2275bb	Upgrade Gitea to 1.22.3	2024-10-19 14:42:11 +02:00
Râu Cao	b4019b224b	Upgrade lndhub.go to 1.0.2, add service fee config Co-authored-by: Michael Bumann <hello@michaelbumann.com>	2024-10-18 12:36:41 +02:00
Râu Cao	52841d8c53	Add WKD endpoint to website nginx conf	2024-10-17 11:58:53 +02:00
Râu Cao	b9b97d5056	Fix mail server VM backups	2024-10-16 12:48:08 +02:00
Râu Cao	e5448aa85c	Merge pull request 'Upgrade strfry, add new Kosmos profile/pubkey, relay icon' (#575 ) from chore/upgrade_strfry into master Reviewed-on: #575	2024-10-16 10:44:47 +00:00
Râu Cao	4d1125ac2b	Upgrade strfry to 1.0.1 Also set up and use a new Kosmos pubkey/profile and add a relay icon	2024-10-16 12:42:49 +02:00
Râu Cao	3853f94ae0	Use new proxy domain for ejabberd cert	2024-10-16 12:40:10 +02:00
Râu Cao	d1097c7688	Fix and improve nginx redirects, akkounts headers	2024-10-16 12:39:34 +02:00
Râu Cao	7949fd067c	Add IPv6 support for nostr.kosmos.org	2024-10-16 12:37:47 +02:00
Râu Cao	0726e58f7c	Update ejabberd LDAP filter for new akkounts release	2024-10-16 12:36:30 +02:00
Râu Cao	fe581c348a	Fix bookmarks disappearing for XMPP users The limit for PEP nodes was ridiculously low. No idea why, but it means users were only able to save 10 items (e.g. channel bookmarks) at once.	2024-10-16 12:34:31 +02:00
Râu Cao	af62078960	Update node info	2024-10-16 12:34:17 +02:00
Râu Cao	9b4deff91e	Remove cln from bitcoin-2 node	2024-10-16 12:34:01 +02:00
Râu Cao	0944bc5266	Merge pull request 'Migrate S3 backups from AWS, fix automatic cleanups' (#574 ) from chore/move_fix_s3_backups into master Reviewed-on: #574	2024-10-16 10:33:24 +00:00
Râu Cao	eb06926606	Migrate S3 backups from AWS, fix automatic cleanups The cleanups were broken in that every single archive was also copied to a shared folder and never deleted from there. Co-authored-by: Greg Karékinian <greg@karekinian.com>	2024-10-16 12:31:51 +02:00
Râu Cao	15096ca17b	Merge pull request 'Bitcoin-related software upgrades' (#573 ) from chore/bitcoin_upgrades into master Reviewed-on: #573	2024-10-16 10:25:53 +00:00
Râu Cao	3551b71154	Add sensitive attribute to resource with credentials	2024-10-16 12:23:38 +02:00
Râu Cao	752bb74663	Remove boltz service and RTL integration We use peerswap these days, and the build process for boltz was made much more complicated at some point. Not worth upgrading for us.	2024-10-16 12:23:38 +02:00
Râu Cao	c64526a944	Upgrade RTL to v0.15.2 Need to use `npm install --force` due to a dependency issue	2024-10-16 12:23:38 +02:00
Râu Cao	da242d4817	Upgrade LND to 0.18.3	2024-10-16 12:23:29 +02:00
Râu Cao	0af4bc1d0d	Upgrade bitcoind to 28.0 Requires a newer C++ compiler	2024-10-16 11:28:13 +02:00
Greg	c9f5a745a3	Merge pull request 'Fix Mastodon signup/password/confirmation links' (#570 ) from chore/562-mastodon_login_urls into master Reviewed-on: #570 Reviewed-by: Greg <greg@noreply.kosmos.org>	2024-08-23 14:18:12 +00:00
Râu Cao	d935b99d7d	Fix Mastodon signup/password/confirmation links Adds ENV vars for our custom fix in `b916182bc1` fixes #562	2024-08-22 21:51:49 +02:00
Râu Cao	d048bbb297	Merge pull request 'Upgrade Gitea to 1.22.1' (#568 ) from chore/upgrade_gitea into master Reviewed-on: #568	2024-08-10 11:45:39 +00:00
Râu Cao	61bd121709	Upgrade Gitea to 1.22.1	2024-08-10 13:44:39 +02:00
		`@ -1 +1 @@`
			`Subproject commit 617f7959abda045326c8f06f1c1bcedbaa7c7285`				`Subproject commit 92839b20a4c3b0a15b99bd86ea7cae16645570a6`
		`@ -0,0 +1,2 @@`
							`node.default["kosmos-base"]["journald"]["system_max_use"] = "256M"`
							`node.default["kosmos-base"]["journald"]["max_retention_sec"] = "7d"`
		`@ -1 +1 @@`
			`Subproject commit a4756377b480c9bcceba4867969a0c15880913dc`				`Subproject commit 2c6e64d2311d2a50b207f4d970c3a951b73d2a5c`