Merge pull request 'Fix postgres running out of available connection slots' (#584) from bugfix/gitea_db_connections into master

Reviewed-on: #584

data_bags/credentials/akkounts.json

@@ -1,72 +1,72 @@
 {
   "id": "akkounts",
   "postgresql_username": {
-    "encrypted_data": "bDlOkEmhvMgyVzPeTNUzYnzRLf3T9cc0cDxt\n",
-    "iv": "GCCUoqU5pxQ7fGkv\n",
-    "auth_tag": "Q7mrSHIBluMe3CGVmoR86Q==\n",
+    "encrypted_data": "v2QoNkkxXGflxEdspIpfJdBjQVraMyF9yHq7\n",
+    "iv": "du8wubB9xQjOVeOS\n",
+    "auth_tag": "gDZLYz5/XBCQDlDaFoP6mQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "postgresql_password": {
-    "encrypted_data": "wD0HtdsNe/hl4ZaOy8hyr2k4z8TXQrrSja3KNVE47w==\n",
-    "iv": "tb5yz8WDer0CsGvJ\n",
-    "auth_tag": "/+K2anuCff/6M7Pu70Smqw==\n",
+    "encrypted_data": "Naz4R5oOCUS/S/CZmW5eoil8BpJ3K1WLUIc3mAihhA==\n",
+    "iv": "0S9Sb1MUoBVWbW9t\n",
+    "auth_tag": "L2yGzVMKiKAzfpA+HADRqA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "sentry_dsn": {
-    "encrypted_data": "jCz681x0WVixHYZUb62TO+1cgyJMiJ2UMqWcaztx57yDBOIiKW3oSZjuXdhP\n9WCesfXQF/lgzITZno3IKDqzlKjWgbGLC75y8FLguxidCHI=\n",
-    "iv": "IRNOzN/hLwg1iqax\n",
-    "auth_tag": "eg9dWnEK04JDb94e4CFa9Q==\n",
+    "encrypted_data": "OXiAeg6lIqEnbplAnKlkwb3o3DTfMJbLC0wnxmguQ8GZiP0RcpPOwUAa9Q3U\naA44f36BCKgHtCxdlVB59TTFA9W24ecU5KWb/jIc7mueSoc=\n",
+    "iv": "86cAncfc1K4d43ql\n",
+    "auth_tag": "0i04Y/eFIN+b+5F605d7Dg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "rails_master_key": {
-    "encrypted_data": "nUB77VLRp41rluH7hLBwQqPtnh/HsmfLr2VbcIZHWawL3o2TGuY+mj648f9L\n7XsEpgqY\n",
-    "iv": "fpdbDitqTRHxEKiv\n",
-    "auth_tag": "I44fn8Ott3L/Y5LYr56U/Q==\n",
+    "encrypted_data": "Ypv4g33evnuutOWmGl49kq3Ca3SmfWIswyxGIZA0J/o1ZMGpMOfySim/e7r8\nzdAM/PFo\n",
+    "iv": "w2bflz2KIbu/vRT1\n",
+    "auth_tag": "tpemUQJly8Ft9lN6rP+W4w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "discourse_connect_secret": {
-    "encrypted_data": "ENtMn+1XTVFmdEZw7LU6WGoMbSZY654ggm3vPACGfFgqo6r0LhG60c5OTdqv\nZvT5/Q==\n",
-    "iv": "bL1BmvRhgxFqSM1P\n",
-    "auth_tag": "sEBZzGWwwYFHn+4B4SsyCA==\n",
+    "encrypted_data": "DUK6G5SyRiehJh3iHtCKQj8Ki5+suk9Ds5/ZMp6OP1EshdbpziQ4XNey2x+R\nHCTSVg==\n",
+    "iv": "kfhA3apCUAHcNlwH\n",
+    "auth_tag": "BqRV+CiF9rFrqEToJeisoQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "lndhub_admin_token": {
-    "encrypted_data": "4LPGFoARzI8UYnsJPIk8sax/rAA16pUULEZWn86e2C7L\n",
-    "iv": "nvjXrOwgfgutwEVw\n",
-    "auth_tag": "A89RUf1sdcS3FVscNPWYLg==\n",
+    "encrypted_data": "C3aKQIEwcQNCrr+uyLiOY2KAHZh5dUvTZ9IdANPqkGlr\n",
+    "iv": "qrhJJzmmced9lNF1\n",
+    "auth_tag": "CH1fOwMWsidmWBwX2+4nJg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "btcpay_auth_token": {
-    "encrypted_data": "ky5iWYF06os0Ek6vIRzWqMTekqJhCOh/Q9DTDIeKhSyk8TnT3O71lCNEt1F5\nXCNq6ux3V6oyHVLWj0o=\n",
-    "iv": "zk6WnxsY89oNW1F9\n",
-    "auth_tag": "FAIMXKvQ1T7QKezVSNJbwQ==\n",
+    "encrypted_data": "0vRq3ZeYPtNcdlCUQI0ip6YOaQZKBeK/dODL7IxdrAK9pHz+u53aL8LW92nJ\nmHW2DYcv+eX3ltnwu88=\n",
+    "iv": "5HenMAvE1Uu5l7jJ\n",
+    "auth_tag": "rJzkZPRYar1qw4dauSNV2w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_access_key": {
-    "encrypted_data": "KfhfEGwPjOonlz6rpnNTinXFPqX/sIbqQn/aby0UDi/G/7cvEcOiNcCkfuSz\n",
-    "iv": "Q3rg06v6K9pUDLDY\n",
-    "auth_tag": "G5ugdlJ896KtYtObKLclJA==\n",
+    "encrypted_data": "QB7XpwhzCvLczUojhcjXy+KX26rEDQHSSw983KP8W7Nud1SNbheU1PrDEQv/\n",
+    "iv": "DTtUXHNQ2g04E+oE\n",
+    "auth_tag": "0XSkHE+MG4AnVT4XJR9tzw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_secret_key": {
-    "encrypted_data": "N8s1OoDrYXHjqSydQA0kY7dd68Aelq4+/cgmJlYfP92u4YA17V4TR7fsvQZL\nkqjuUSClNYPc0XiCwf/5gxVirE9AO6OmmvSV7lUyu4hcEY6unrU=\n",
-    "iv": "bXzIVWnX6V0P6PRb\n",
-    "auth_tag": "1EOjCfsX9P6ETjUsgBvBsA==\n",
+    "encrypted_data": "IEUzFfOBuOwjzD1DbRyk07+jFlZhQVY+a7riDJ3QU1cNYZ3OTJUgJkowA/u5\nrZ6jqehGIzvPlDuzIezxQwN+Dy0ZJueB/ZEdRqhfkXUxgzkqb2s=\n",
+    "iv": "gs9Igisu2EH+dAC/\n",
+    "auth_tag": "gDFuQCwlCL5mvys83CGv+w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "nostr_private_key": {
-    "encrypted_data": "Sf8PEyQ0sqcgxddSlIDxLOVzPjOkTFObsYuTgcxkbEV7igrati4e8QVVUEBD\n1yoLJXelp8jlCr28Ectci29jc53gYSMTLSQsw97uYas2R0dGCqQ=\n",
-    "iv": "+1CIUyvIUOveLrY4\n",
-    "auth_tag": "GDqS+IuAIfMBmHIeFXaV7A==\n",
+    "encrypted_data": "sFnQlwyZF0tfMzbaG/bdwqQLPVdHPpbyDT66FY1+ubssmWUpxsuNtbI71KyY\nI1784c7SSl4qKRgHZRrR658bYMKU4whe836qBgSf7Icczp1VSQY=\n",
+    "iv": "x8RJT4dcNdtm59Zz\n",
+    "auth_tag": "6yxBq1W4jCNDYwP6+cTE6g==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/kosmos-rs.json

@@ -0,0 +1,10 @@
+{
+  "id": "kosmos-rs",
+  "auth_tokens": {
+    "encrypted_data": "fiznpRw7VKlm232+U6XV1rqkAf2Z8CpoD8KyvuvOH2JniaymlcTHgazGWQ8s\nGeqK4RU9l4d29e9i+Mh0k4vnhO4q\n",
+    "iv": "SvurcL2oNSNWjlxp\n",
+    "auth_tag": "JLQ7vGXAuYYJpLEpL6C+Rw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

data_bags/credentials/lndhub-go.json

@@ -1,30 +1,30 @@
 {
   "id": "lndhub-go",
   "jwt_secret": {
-    "encrypted_data": "3T4JYnoISKXCnatCBeLCXyE8wVjzphw5/JU5A0vHfQ2xSDZreIRQ\n",
-    "iv": "bGQZjCk6FtD/hqVj\n",
-    "auth_tag": "CS87+UK1ZIFMiNcNaoyO6w==\n",
+    "encrypted_data": "lJsKBTCRzI83xmRHXzpnuRH/4cuMOR+Rd+SBU50G9HdibadIEDhS\n",
+    "iv": "f/SvsWtZIYOVc54X\n",
+    "auth_tag": "YlJ78EuJbcPfjCPc2eH+ug==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "postgresql_password": {
-    "encrypted_data": "u8kf/6WdSTzyIz2kF+24JgOPLndWH2WmTFZ3CToJsnay\n",
-    "iv": "KqLtV2UuaAzJx7C8\n",
-    "auth_tag": "3aqx45+epb2NFkNfOfG89A==\n",
+    "encrypted_data": "aT0yNlWjvk/0S4z2kZB4Ye1u/ngk5J6fGPbwZSfdq6cy\n",
+    "iv": "OgUttF4LlSrL/7gH\n",
+    "auth_tag": "pcbbGqbQ2RjU+i9dt8c3OQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "admin_token": {
-    "encrypted_data": "Z737fXqRE9JHfunRhc2GG281dFFN1bvBvTzTDzl/Vb8O\n",
-    "iv": "oKLQJbD67tiz2235\n",
-    "auth_tag": "SlVIqC9d9SRoO78M7cBjTw==\n",
+    "encrypted_data": "I9EsqCCxMIw+fX6sfu6KX8B5fJj9DX5Y4tbX30jdnmxr\n",
+    "iv": "vnERvIWYInO6+Y8q\n",
+    "auth_tag": "gO+MprZUQgPEWJQUmSF1sA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "sentry_dsn": {
-    "encrypted_data": "gmDHGDWkTIvaXjcWMs1dnKnbqtsADPJ2mLmWw8Idj6RVevU5CabjvviAxEo1\n3hs2LWuObumRSCQt2QKap191uMq3CL2+da53hbsv+JUkxl4=\n",
-    "iv": "Yt0fSsxL4SNicwUY\n",
-    "auth_tag": "j7BWbcNnymHHMNTADWmCNw==\n",
+    "encrypted_data": "+sUXWgl6dXpA1/0FqjKC3Jnl54aor6gtM+19EM/NsHwg4qu672YnSgxV+c9x\nHM3JZBYxBYvJ+HYGAvMmhlGvaOOEIvLmFUpCCJeVUXR32S8=\n",
+    "iv": "82+DzAnHiptaX7sO\n",
+    "auth_tag": "CDx44iRBVhSIF8DOxb2c+w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

environments/production.json

@@ -107,10 +107,12 @@
       "domain": "nostr.kosmos.org",
       "real_ip_header": "x-real-ip",
       "policy_path": "/opt/strfry/strfry-policy.ts",
-      "whitelist_pubkeys": [
-        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
-        "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf"
-      ],
+      "known_pubkeys": {
+        "_": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
+        "accounts": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
+        "bitcoincore": "47750177bb6bb113784e4973f6b2e3dd27ef1eff227d6e38d0046d618969e41a",
+        "fiatjaf": "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
+      },
       "info": {
         "name": "Kosmos Relay",
         "description": "Members-only nostr relay for kosmos.org users",
@@ -118,6 +120,11 @@
         "contact": "ops@kosmos.org",
         "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
       }
+    },
+    "substr": {
+      "relay_urls": [
+        "ws://localhost:7777"
+      ]
     }
   }
 }

nodes/bitcoin-2.json

@@ -38,6 +38,7 @@
       "kosmos-bitcoin::dotnet",
       "kosmos-bitcoin::nbxplorer",
       "kosmos-bitcoin::btcpay",
+      "kosmos-bitcoin::price_tracking",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -102,6 +103,7 @@
     "role[bitcoind]",
     "role[lnd]",
     "role[lndhub]",
-    "role[btcpay]"
+    "role[btcpay]",
+    "recipe[kosmos-bitcoin::price_tracking]"
   ]
 }

nodes/gitea-2.json

@@ -9,7 +9,7 @@
   "automatic": {
     "fqdn": "gitea-2",
     "os": "linux",
-    "os_version": "5.4.0-1096-kvm",
+    "os_version": "5.4.0-1123-kvm",
     "hostname": "gitea-2",
     "ipaddress": "192.168.122.189",
     "roles": [

nodes/strfry-1.json

@@ -27,6 +27,7 @@
       "strfry::default",
       "kosmos_strfry::policies",
       "kosmos_strfry::firewall",
+      "kosmos_strfry::substr",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",

roles/strfry.rb

@@ -5,4 +5,5 @@ run_list %w(
   strfry::default
   kosmos_strfry::policies
   kosmos_strfry::firewall
+  kosmos_strfry::substr
 )

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -41,7 +41,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.18.3-beta'
+node.default['lnd']['revision'] = 'v0.18.5-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -111,3 +111,5 @@ node.default['btcpay']['postgres']['user'] = 'satoshi'
 node.default['peerswap']['repo'] = 'https://github.com/ElementsProject/peerswap.git'
 node.default['peerswap']['revision'] = 'master'
 node.default['peerswap-lnd']['source_dir'] = '/opt/peerswap'
+
+node.default['price_tracking']['rs_base_url'] = "https://storage.kosmos.org/kosmos/public/btc-price"

site-cookbooks/kosmos-bitcoin/recipes/price_tracking.rb

@@ -0,0 +1,59 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: price_tracking
+#
+# Track BTC rates and publish them via remoteStorage
+#
+
+%w[curl jq].each do |pkg|
+  apt_package pkg
+end
+
+daily_tracker_path = "/usr/local/bin/btc-price-tracker-daily"
+
+credentials = Chef::EncryptedDataBagItem.load('credentials', 'kosmos-rs')
+
+template daily_tracker_path do
+  source "btc-price-tracker-daily.sh.erb"
+  mode '0740'
+  variables rs_base_url: node['price_tracking']['rs_base_url']
+  notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
+end
+
+systemd_unit 'btc-price-tracker-daily.service' do
+  content({
+    Unit: {
+      Description: 'BTC price tracker (daily rates)',
+      After: 'network-online.target',
+      Wants: 'network-online.target'
+    },
+    Service: {
+      Type: 'oneshot',
+      ExecStart: daily_tracker_path,
+      Environment: "RS_AUTH=#{credentials["auth_tokens"]["/btc-price"]}"
+    },
+    Install: {
+      WantedBy: 'multi-user.target'
+    }
+  })
+  sensitive true
+  triggers_reload true
+  action [:create]
+end
+
+systemd_unit 'btc-price-tracker-daily.timer' do
+  content({
+    Unit: {
+      Description: 'Run BTC price tracker daily'
+    },
+    Timer: {
+      OnCalendar: '*-*-* 00:00:00',
+      Persistent: 'true'
+    },
+    Install: {
+      WantedBy: 'timers.target'
+    }
+  })
+  triggers_reload true
+  action [:create, :enable, :start]
+end

site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Calculate yesterday's date in YYYY-MM-DD format
+YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
+echo "Starting price tracking for $YESTERDAY" >&2
+
+# Fetch and process rates for a fiat currency
+get_price_data() {
+    local currency=$1
+    local data avg open24 last
+
+    data=$(curl -s "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/")
+    if [ $? -eq 0 ] && [ ! -z "$data" ]; then
+        echo "Successfully retrieved ${currency} price data" >&2
+        open24=$(echo "$data" | jq -r '.open_24')
+        last=$(echo "$data" | jq -r '.last')
+        avg=$(( (${open24%.*} + ${last%.*}) / 2 ))
+        echo $avg
+    else
+        echo "ERROR: Failed to retrieve ${currency} price data" >&2
+        exit 1
+    fi
+}
+
+# Get price data for each currency
+usd_avg=$(get_price_data "USD")
+eur_avg=$(get_price_data "EUR")
+gbp_avg=$(get_price_data "GBP")
+
+# Create JSON
+json="{\"EUR\":$eur_avg,\"USD\":$usd_avg,\"GBP\":$gbp_avg}"
+echo "Rates: $json" >&2
+
+# PUT in remote storage
+response=$(curl -X PUT \
+    -H "Authorization: Bearer $RS_AUTH" \
+    -H "Content-Type: application/json" \
+    -d "$json" \
+    -w "%{http_code}" \
+    -s \
+    -o /dev/null \
+    "<%= @rs_base_url %>/$YESTERDAY")
+
+if [ "$response" -eq 200 ] || [ "$response" -eq 201 ]; then
+   echo "Successfully uploaded price data" >&2
+else
+   echo "ERROR: Failed to upload price data. HTTP status: $response" >&2
+   exit 1
+fi

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -231,7 +231,6 @@ modules:
   mod_shared_roster: {}
   mod_stun_disco:
     offer_local_services: false
-    credentials_lifetime: 300
     secret: <%= @stun_secret %>
     services:
       -

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default["gitea"]["version"] = "1.22.5"
-node.default["gitea"]["checksum"] = "ce2c7e4fff3c1e3ed59f5b5e00e3f2d301f012c34e329fccd564bc5129075460"
+node.default["gitea"]["version"] = "1.23.4"
+node.default["gitea"]["checksum"] = "51c25be0bfc3dab25f7e16e736d0a8e15b8c6c571e69139ee487993956caf8bf"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"

site-cookbooks/kosmos_gitea/templates/default/app.ini.erb

@@ -24,6 +24,7 @@ NAME    = gitea
 USER    = gitea
 PASSWD  = <%= @postgresql_password %>
 SSL_MODE = disable
+MAX_OPEN_CONNS = 20
 
 [repository]
 ROOT = <%= @repository_root_directory %>

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb

@@ -16,7 +16,7 @@ server {
 
   add_header Strict-Transport-Security "max-age=31536000";
 
-  client_max_body_size 20M;
+  client_max_body_size 121M;
 
   location ~ ^/(avatars|repo-avatars)/.*$ {
     proxy_buffers 1024 8k;

site-cookbooks/kosmos_strfry/attributes/default.rb

@@ -1,2 +1,10 @@
 node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 node.default["strfry"]["extras_dir"] = "/opt/strfry"
+
+# node.default["substr"]["repo"] = "https://gitea.kosmos.org/kosmos/substr.git"
+# node.default["substr"]["revision"] = "master"
+node.default["substr"]["version"] = "nightly"
+node.default["substr"]["download_url"] = "https://gitea.kosmos.org/api/packages/kosmos/generic/substr/#{node["substr"]["version"]}/substr_x86_64-unknown-linux-gnu"
+node.default["substr"]["workdir"] = "/opt/substr"
+node.default["substr"]["port"] = 30023
+node.default["substr"]["relay_urls"] = ["ws://localhost:7777"]

site-cookbooks/kosmos_strfry/recipes/policies.rb

@@ -24,7 +24,7 @@ env = {
   ldap_bind_dn: ldap_credentials["service_dn"],
   ldap_password: ldap_credentials["service_password"],
   ldap_search_dn: node["strfry"]["ldap_search_dn"],
-  whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
+  whitelist_pubkeys: node["strfry"]["known_pubkeys"].values.join(",")
 }
 
 template "#{extras_dir}/.env" do

site-cookbooks/kosmos_strfry/recipes/substr.rb

@@ -0,0 +1,100 @@
+#
+# Cookbook:: kosmos_strfry
+# Recipe:: substr
+#
+
+unless platform?("ubuntu")
+  raise "This recipe only supports Ubuntu installs at the moment"
+end
+
+apt_package "imagemagick"
+
+directory node["substr"]["workdir"] do
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode "0755"
+end
+
+if node["substr"]["download_url"]
+  remote_file '/usr/local/bin/substr' do
+    source node["substr"]["download_url"]
+    checksum node["substr"]["checksum"]
+    mode '0755'
+    show_progress true
+    notifies :restart, "service[substr]", :delayed
+  end
+
+  exec_start = "/usr/local/bin/substr"
+else
+  # TODO Install Deno 2
+
+  git node["substr"]["workdir"] do
+    user node["strfry"]["user"]
+    group node["strfry"]["group"]
+    repository node['substr']['repo']
+    revision node['substr']['revision']
+    action :sync
+    notifies :restart, "service[substr]", :delayed
+  end
+
+  exec_start = "deno task server"
+end
+
+file "#{node["substr"]["workdir"]}/users.yaml" do
+  mode "0644"
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  content node["strfry"]["known_pubkeys"].to_yaml
+  notifies :restart, "service[substr]", :delayed
+end
+
+ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
+
+env = {
+  port: node['substr']['port'],
+  base_url: "https://#{node["strfry"]["domain"]}",
+  relay_urls: node['substr']['relay_urls'].join(","),
+  ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
+  ldap_bind_dn: ldap_credentials["service_dn"],
+  ldap_password: ldap_credentials["service_password"],
+  ldap_search_dn: node["strfry"]["ldap_search_dn"],
+}
+
+template "#{node["substr"]["workdir"]}/.env" do
+  source 'env.erb'
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode 0600
+  sensitive true
+  variables config: env
+  notifies :restart, "service[substr]", :delayed
+end
+
+systemd_unit "substr.service" do
+  content({
+    Unit: {
+      Description: "substr for nostr",
+      Documentation: ["https://gitea.kosmos.org/kosmos/substr"],
+    },
+    Service: {
+      Type: "simple",
+      User: node["strfry"]["user"],
+      WorkingDirectory: node["substr"]["workdir"],
+      ExecStart: exec_start,
+      Restart: "on-failure",
+      RestartSec: "5",
+      ProtectHome: "no",
+      NoNewPrivileges: "yes",
+      ProtectSystem: "full"
+    },
+    Install: {
+      WantedBy: "multi-user.target"
+    }
+  })
+  triggers_reload true
+  action :create
+end
+
+service "substr" do
+  action [:enable, :start]
+end

site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb

@@ -4,6 +4,12 @@ upstream _strfry {
 <% end %>
 }
 
+upstream _substr {
+<% @upstream_hosts.each do |host| %>
+  server <%= host %>:30023;
+<% end %>
+}
+
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
@@ -15,6 +21,16 @@ server {
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
+  location = /favicon.ico {
+    alias /var/www/assets.kosmos.org/site/img/favicon.ico;
+  }
+
+  location ~* ^/[@~n]|^/assets {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_pass http://_substr;
+  }
+
   location / {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;