Remove obsolete recipe

Reviewed-on: #604
Reviewed-by: Râu Cao <raucao@kosmos.org>

Berksfile

@@ -13,6 +13,9 @@ cookbook 'ipfs',
 cookbook 'mediawiki',
   git: 'https://github.com/67P/mediawiki-cookbook.git',
   ref: 'nginx'
+cookbook 'postfix',
+  git: 'https://gitea.kosmos.org/kosmos/postfix-cookbook.git',
+  ref: 'bugfix/sasl_attributes'
 
 cookbook 'apache2',                '= 3.3.0'
 cookbook 'apt',                    '~> 7.3.0'
@@ -32,7 +35,6 @@ cookbook 'ntp',                    '= 3.4.0'
 cookbook 'ohai',                   '~> 5.2.5'
 cookbook 'openssl',                '~> 8.5.5'
 cookbook 'php',                    '~> 8.0.0'
-cookbook 'postfix',                '~> 6.0.26'
 cookbook 'timezone_iii',           '= 1.0.4'
 cookbook 'ulimit',                 '~> 1.0.0'
 cookbook 'users',                  '~> 5.3.1'

Berksfile.lock

@@ -28,7 +28,10 @@ DEPENDENCIES
   ohai (~> 5.2.5)
   openssl (~> 8.5.5)
   php (~> 8.0.0)
-  postfix (~> 6.0.26)
+  postfix
+    git: https://gitea.kosmos.org/kosmos/postfix-cookbook.git
+    revision: dd6598572a775ae73f17527260ec8097b52d385b
+    ref: bugfix/
   redisio (~> 6.4.1)
   ruby_build (~> 2.5.0)
   timezone_iii (= 1.0.4)
@@ -90,7 +93,7 @@ GRAPH
   openssl (8.5.5)
   php (8.0.1)
     yum-epel (>= 0.0.0)
-  postfix (6.0.26)
+  postfix (6.4.1)
   redisio (6.4.1)
     selinux (>= 0.0.0)
   ruby_build (2.5.0)

clients/garage-12.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-12",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9GtHHi298BjiIqpZ3WkT\nkYAPfWD60hFe/8icYcq/F/6cHLYKZQ4chek9X/hDCMq4tHEN6Oh58T5x/nuNdPrK\nIAMGyVAGk6ekWlmD4jwdEf6TGb/J3ffJTRDvwX/I8xD/DW3wtXsN+X24T59ByGTm\nrnwRmmmwHF3otRx9wnCsIgDQ0AjiUujsfNNv1FcLXD/WJLys9lEeU5aJ4XtHTwDv\ntJM8YyVEFhEnuvgdKmzn5+F5k9VGdUwForlFOBfvzbCnTZMDMmDVeiUtAUv/7xWQ\nQl2mLUGCtgWuYJYXsQacAJ6pa3h+7cQyshC6w3dwUG+1fS9lNO0Yp1GGX1AGYKpp\nPQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-13.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-13",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvbqWc6OwRxgHfsQuTNL4\naxeVvNen5d9srYpZSHjuBB/k9NHB+9P6vU5qF37XHkw1lVUGeYbPHzhYsx3O0/kZ\nH5f4+4SMy/P9jc6SE7AJF4qtYKgJ88koZdqCww07c6K9g+BnEGFFZui/h3hUBxWj\nTfhBHEWPyQ2bl/lr9sIJwsEz+EN0isGn/eIXkmw9J6LdLJ5Q0LLks33K28FNOU7q\nfeAN4MiBVMUtgCGyT2Voe6WrOXwQLSDXQONOp3sfSfFExsIJ1s24xdd7AMD7/9a7\n4sFDZ4swhqAWgWmW2giR7Kb8wTvGQLO/O/uUbmKz3DZXgkOKXHdHCEB/PZx1mRNM\nEwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

cookbooks/postfix/.markdownlint-cli2.yaml

@@ -3,3 +3,5 @@ config:
   line-length: false # MD013
   no-duplicate-heading: false # MD024
   reference-links-images: false # MD052
+ignores:
+  - .github/copilot-instructions.md

cookbooks/postfix/.vscode/extensions.json

@@ -0,0 +1,8 @@
+{
+  "recommendations": [
+    "chef-software.chef",
+    "Shopify.ruby-lsp",
+    "editorconfig.editorconfig",
+    "DavidAnson.vscode-markdownlint"
+  ]
+}

cookbooks/postfix/CHANGELOG.md

@@ -2,9 +2,48 @@
 
 This file is used to list changes made in each version of the postfix cookbook.
 
+## Unreleased
+
+## 6.4.1 - *2025-09-04*
+
+## 6.4.0 - *2025-07-30* ## 6.4.0 - *2025-07-30*
+
+Standardise files with files in sous-chefs/repo-management
+
+## 6.4.0 - *2025-07-30*
+
+## 6.3.0 - *2025-07-30*
+
+- Use LMDB instead of hash on el10
+
+## 6.3.0 - *2025-07-30*
+
+## 6.2.2 - *2025-01-30*
+
+## 6.2.1 - *2025-01-30*
+
+## 6.2.0 - *2025-01-30*
+
+## 6.2.0
+
+- Correctly fix aliases quoting logic
+- Convert all serverspec tests to inspec
+- Add Github actions
+- Update platforms to test
+
+## 6.0.29 - *2024-11-18*
+
+- Standardise files with files in sous-chefs/repo-management
+
+## 6.0.28 - *2024-07-15*
+
+- Standardise files with files in sous-chefs/repo-management
+
+## 6.0.27 - *2024-05-06*
+
 ## 6.0.26 - *2023-10-03*
 
-- add installation of postfix addon packages for RHEL 8
+- Add installation of postfix addon packages for RHEL 8
 
 ## 6.0.25 - *2023-10-03*
 

cookbooks/postfix/attributes/default.rb

@@ -13,9 +13,10 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-default['postfix']['packages'] = %w(postfix)
-
+default['postfix']['packages'] = value_for_platform(
+  amazon: { '>= 2023' => %w(postfix postfix-lmdb) },
+  default: %w(postfix)
+)
 # Generic cookbook attributes
 default['postfix']['mail_type'] = 'client'
 default['postfix']['relayhost_role'] = 'relayhost'
@@ -37,11 +38,19 @@ default['postfix']['master_template_source'] = 'postfix'
 default['postfix']['sender_canonical_map_entries'] = {}
 default['postfix']['smtp_generic_map_entries'] = {}
 default['postfix']['recipient_canonical_map_entries'] = {}
-default['postfix']['access_db_type'] = 'hash'
-default['postfix']['aliases_db_type'] = 'hash'
-default['postfix']['transport_db_type'] = 'hash'
-default['postfix']['virtual_alias_db_type'] = 'hash'
-default['postfix']['virtual_alias_domains_db_type'] = 'hash'
+
+default['postfix']['db_type'] = value_for_platform(
+  %w(centos redhat almalinux rocky oracle) => { '>= 10' => 'lmdb' },
+  amazon: { '>= 2023' => 'lmdb' },
+  %w(opensuseleap suse) => { '>= 15' => 'lmdb' },
+  default: 'hash'
+)
+
+default['postfix']['access_db_type'] = lazy { node['postfix']['db_type'] }
+default['postfix']['aliases_db_type'] = lazy { node['postfix']['db_type'] }
+default['postfix']['transport_db_type'] = lazy { node['postfix']['db_type'] }
+default['postfix']['virtual_alias_db_type'] = lazy { node['postfix']['db_type'] }
+default['postfix']['virtual_alias_domains_db_type'] = lazy { node['postfix']['db_type'] }
 
 case node['platform']
 when 'smartos'
@@ -96,6 +105,9 @@ default['postfix']['main']['smtp_sasl_auth_enable'] = 'no'
 default['postfix']['main']['mailbox_size_limit'] = 0
 default['postfix']['main']['mynetworks'] = nil
 default['postfix']['main']['inet_interfaces'] = 'loopback-only'
+default['postfix']['main']['default_database_type'] = lazy { node['postfix']['db_type'] }
+default['postfix']['main']['alias_database'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}" }
+default['postfix']['main']['alias_maps'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}" }
 
 # Conditional attributes, also reference _attributes recipe
 case node['platform_family']
@@ -407,4 +419,4 @@ default['postfix']['aliases'] = if platform?('freebsd')
                                   {}
                                 end
 
-default['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
+default['postfix']['main']['smtpd_relay_restrictions'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps'] }

cookbooks/postfix/metadata.json

@@ -26,7 +26,7 @@
   "recipes": {
 
   },
-  "version": "6.0.26",
+  "version": "6.4.1",
   "source_url": "https://github.com/sous-chefs/postfix",
   "issues_url": "https://github.com/sous-chefs/postfix/issues",
   "privacy": false,

cookbooks/postfix/metadata.rb

@@ -3,7 +3,7 @@ maintainer        'Sous Chefs'
 maintainer_email  'help@sous-chefs.org'
 license           'Apache-2.0'
 description       'Installs and configures postfix for client or outbound relayhost, or to do SASL auth'
-version           '6.0.26'
+version           '6.4.1'
 source_url        'https://github.com/sous-chefs/postfix'
 issues_url        'https://github.com/sous-chefs/postfix/issues'
 chef_version      '>= 12.15'

cookbooks/postfix/recipes/_attributes.rb

@@ -29,24 +29,22 @@ end
 
 if node['postfix']['main']['smtp_sasl_auth_enable'] == 'yes'
   node.default_unless['postfix']['sasl_password_file'] = "#{node['postfix']['conf_dir']}/sasl_passwd"
-  node.default_unless['postfix']['main']['smtp_sasl_password_maps'] = "hash:#{node['postfix']['sasl_password_file']}"
+  node.default_unless['postfix']['main']['smtp_sasl_password_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['sasl_password_file']}"
   node.default_unless['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
-  node.default_unless['postfix']['sasl']['smtp_sasl_user_name'] = ''
-  node.default_unless['postfix']['sasl']['smtp_sasl_passwd']    = ''
   node.default_unless['postfix']['main']['relayhost'] = ''
 end
 
-node.default_unless['postfix']['main']['alias_maps'] = ["hash:#{node['postfix']['aliases_db']}"] if node['postfix']['use_alias_maps']
+node.default_unless['postfix']['main']['alias_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}"] if node['postfix']['use_alias_maps']
 
-node.default_unless['postfix']['main']['transport_maps'] = ["hash:#{node['postfix']['transport_db']}"] if node['postfix']['use_transport_maps']
+node.default_unless['postfix']['main']['transport_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['transport_db']}"] if node['postfix']['use_transport_maps']
 
-node.default_unless['postfix']['main']['access_maps'] = ["hash:#{node['postfix']['access_db']}"] if node['postfix']['use_access_maps']
+node.default_unless['postfix']['main']['access_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['access_db']}"] if node['postfix']['use_access_maps']
 
 node.default_unless['postfix']['main']['virtual_alias_maps'] = ["#{node['postfix']['virtual_alias_db_type']}:#{node['postfix']['virtual_alias_db']}"] if node['postfix']['use_virtual_aliases']
 
 node.default_unless['postfix']['main']['virtual_alias_domains'] = ["#{node['postfix']['virtual_alias_domains_db_type']}:#{node['postfix']['virtual_alias_domains_db']}"] if node['postfix']['use_virtual_aliases_domains']
 
-node.default_unless['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
+node.default_unless['postfix']['main']['smtpd_relay_restrictions'] = "#{node['postfix']['db_type']}:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
 
 node.default_unless['postfix']['main']['maildrop_destination_recipient_limit'] = 1 if node['postfix']['master']['maildrop']['active']
 

cookbooks/postfix/recipes/_common.rb

@@ -155,7 +155,7 @@ unless node['postfix']['sender_canonical_map_entries'].empty?
     notifies :reload, 'service[postfix]'
   end
 
-  node.default['postfix']['main']['sender_canonical_maps'] = "hash:#{node['postfix']['conf_dir']}/sender_canonical" unless node['postfix']['main'].key?('sender_canonical_maps')
+  node.default['postfix']['main']['sender_canonical_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/sender_canonical" unless node['postfix']['main'].key?('sender_canonical_maps')
 end
 
 execute 'update-postfix-smtp_generic' do
@@ -172,7 +172,7 @@ unless node['postfix']['smtp_generic_map_entries'].empty?
     notifies :reload, 'service[postfix]'
   end
 
-  node.default['postfix']['main']['smtp_generic_maps'] = "hash:#{node['postfix']['conf_dir']}/smtp_generic" unless node['postfix']['main'].key?('smtp_generic_maps')
+  node.default['postfix']['main']['smtp_generic_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/smtp_generic" unless node['postfix']['main'].key?('smtp_generic_maps')
 end
 
 execute 'update-postfix-recipient_canonical' do
@@ -189,7 +189,7 @@ unless node['postfix']['recipient_canonical_map_entries'].empty?
     notifies :reload, 'service[postfix]'
   end
 
-  node.default['postfix']['main']['recipient_canonical_maps'] = "hash:#{node['postfix']['conf_dir']}/recipient_canonical" unless node['postfix']['main'].key?('recipient_canonical_maps')
+  node.default['postfix']['main']['recipient_canonical_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/recipient_canonical" unless node['postfix']['main'].key?('recipient_canonical_maps')
 end
 
 service 'postfix' do

cookbooks/postfix/recipes/maps.rb

@@ -18,8 +18,8 @@ node['postfix']['maps'].each do |type, maps|
     package "postfix-#{type}" if %w(pgsql mysql ldap cdb).include?(type)
   end
 
-  if platform?('redhat') && node['platform_version'].to_i == 8
-    package "postfix-#{type}" if %w(pgsql mysql ldap cdb).include?(type)
+  if platform_family?('rhel') && node['platform_version'].to_i >= 8
+    package "postfix-#{type}" if %w(pgsql mysql ldap cdb lmdb).include?(type)
   end
 
   separator = if %w(pgsql mysql ldap memcache sqlite).include?(type)
@@ -32,7 +32,7 @@ node['postfix']['maps'].each do |type, maps|
       command "postmap #{file}"
       environment PATH: "#{ENV['PATH']}:/opt/omni/bin:/opt/omni/sbin" if platform_family?('omnios')
       action :nothing
-    end if %w(btree cdb dbm hash sdbm).include?(type)
+    end if %w(btree cdb dbm hash lmdb sdbm).include?(type)
     template "#{file}-#{type}" do
       path file
       source 'maps.erb'
@@ -41,7 +41,7 @@ node['postfix']['maps'].each do |type, maps|
         map: content,
         separator: separator
       )
-      notifies :run, "execute[update-postmap-#{file}]" if %w(btree cdb dbm hash sdbm).include?(type)
+      notifies :run, "execute[update-postmap-#{file}]" if %w(btree cdb dbm hash lmdb sdbm).include?(type)
       notifies :restart, 'service[postfix]'
     end
   end

cookbooks/postfix/renovate.json

@@ -1,9 +1,10 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": ["config:base"],
-  "packageRules": [{
+  "packageRules": [
+    {
       "groupName": "Actions",
-      "matchUpdateTypes": ["patch", "pin", "digest"],
+      "matchUpdateTypes": ["minor", "patch", "pin"],
       "automerge": true,
       "addLabels": ["Release: Patch", "Skip: Announcements"]
     },

cookbooks/postfix/templates/aliases.erb

@@ -6,5 +6,5 @@
 postmaster:    root
 
 <% node['postfix']['aliases'].each do |name, value| %>
-<%= name %>: <%= [value].flatten.map{|x| if (x.include?("@")) then x else %Q("#{x}") end}.join(', ') %>
+<%= name.match?(/[\s#:@]/) ? "\"#{name}\"" : name %>: <%= [value].flatten.map{|x| x.include?("|") ? "\"#{x}\"" : x}.join(',') %>
 <% end unless node['postfix']['aliases'].nil? %>

data_bags/credentials/akkounts.json

@@ -1,72 +1,93 @@
 {
   "id": "akkounts",
-  "postgresql_username": {
-    "encrypted_data": "bDlOkEmhvMgyVzPeTNUzYnzRLf3T9cc0cDxt\n",
-    "iv": "GCCUoqU5pxQ7fGkv\n",
-    "auth_tag": "Q7mrSHIBluMe3CGVmoR86Q==\n",
+  "rails_master_key": {
+    "encrypted_data": "q/0BtGuFZJQhw+iG4ZmFG12DPaWQDGTb/nCmRoxOnsACkANqMv/zZ39CoNFe\nLPtZiItY\n",
+    "iv": "JV8R0iu6TrqcZRxL\n",
+    "auth_tag": "YxZIhEUnrd3XrwR6f9wO4A==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
-  "postgresql_password": {
-    "encrypted_data": "wD0HtdsNe/hl4ZaOy8hyr2k4z8TXQrrSja3KNVE47w==\n",
-    "iv": "tb5yz8WDer0CsGvJ\n",
-    "auth_tag": "/+K2anuCff/6M7Pu70Smqw==\n",
+  "rails_secret_key_base": {
+    "encrypted_data": "JmDQew3+OR6+yJ1xErwXeTn6jw8N2HwTc9yvAVJ3G+7w1s3N7rKDM6+M50ez\n2zP4Lm/eXzH4WTsTZlQcodlyNpi66pvUCGAkNM36rwTN5yvnhqPUmuSQi7AG\nDTBronBwr9ENvwA/gRuugyyhrRB1iuStpzpYKCMhZ2ae9Mrxdux0+ezfSLn4\nuP22uUrEqdQ/BWsW\n",
+    "iv": "U/+YncCk13U6bYMz\n",
+    "auth_tag": "2wPYJ/uVPv4jLKpAW/x6sw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "rails_encryption_primary_key": {
+    "encrypted_data": "u/7z91Og/2eM7PWi2JWYAQMhYX4S5+bMMeVpkFPu778Gqj6Td9pagsWIak/d\nb7AU1zjF\n",
+    "iv": "wYhrJWcuWbY8yo8S\n",
+    "auth_tag": "WEoEdNy6VBvB2d5gb8DTXw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "rails_encryption_key_derivation_salt": {
+    "encrypted_data": "noOwTZuxfhsH94bjOT9rWCKS9rb3wAoXELGrc4nJZeNrb/B9XnOLTuK/wen8\nfmtoym0P\n",
+    "iv": "jiFWs3VXhJdQBNqk\n",
+    "auth_tag": "XDpJFgadYp7LyRqU7SO+Fg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "postgresql": {
+    "encrypted_data": "Xorg8R8COxE/Swivu8MqZiwstD6rD+8FmgDx70pFscZ/CTb6WQRpyqGSrGZt\nZ7oL9WrqZs+mQgBb30odU+Sgdr6x\n",
+    "iv": "6QWZc3+MY0hBCc/s\n",
+    "auth_tag": "ZM+7OYyx5E9PciNG2OILhg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "ldap": {
+    "encrypted_data": "mr2Z7hXF1GOn8RmqeZMMdaUcmiVP4ZeKtTX6RYW1cR+FQiUwoITwTPBE9XUx\n2cqZ9Mcd8uJicmf9vd+PfwPtRtoZFwqHQ4LDRFLW64hBZyiEkZWxWW+HzgPr\n",
+    "iv": "k1AkyEplnJ4IZO1Z\n",
+    "auth_tag": "zAOcrPex3VLDfRFq38n7fA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "sentry_dsn": {
-    "encrypted_data": "jCz681x0WVixHYZUb62TO+1cgyJMiJ2UMqWcaztx57yDBOIiKW3oSZjuXdhP\n9WCesfXQF/lgzITZno3IKDqzlKjWgbGLC75y8FLguxidCHI=\n",
-    "iv": "IRNOzN/hLwg1iqax\n",
-    "auth_tag": "eg9dWnEK04JDb94e4CFa9Q==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "rails_master_key": {
-    "encrypted_data": "nUB77VLRp41rluH7hLBwQqPtnh/HsmfLr2VbcIZHWawL3o2TGuY+mj648f9L\n7XsEpgqY\n",
-    "iv": "fpdbDitqTRHxEKiv\n",
-    "auth_tag": "I44fn8Ott3L/Y5LYr56U/Q==\n",
+    "encrypted_data": "51cAERaRBCRg/sMb5c13EcnJzsz6VEf7jx6X3ooUSzm9wHoEfC5Hs/qakr/D\nqm9x3s3aGURRzyLUIEoe9jCohGguh6ehrXYVrun0B6pghVU=\n",
+    "iv": "hJsiiW6dFQMEQ+2p\n",
+    "auth_tag": "TOIahNrUhhsdQGlzp6UV5g==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "discourse_connect_secret": {
-    "encrypted_data": "ENtMn+1XTVFmdEZw7LU6WGoMbSZY654ggm3vPACGfFgqo6r0LhG60c5OTdqv\nZvT5/Q==\n",
-    "iv": "bL1BmvRhgxFqSM1P\n",
-    "auth_tag": "sEBZzGWwwYFHn+4B4SsyCA==\n",
+    "encrypted_data": "pvKcwuZgUJsAvClQ4V0BwhwEg09EUEWVxoSx+mFlfG1KpvZE4Cu3u3PalPSD\nldyKsw==\n",
+    "iv": "ED85d6PKyaKB3Wlv\n",
+    "auth_tag": "XVCU/WigC97tNe0bUK6okQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "lndhub_admin_token": {
-    "encrypted_data": "4LPGFoARzI8UYnsJPIk8sax/rAA16pUULEZWn86e2C7L\n",
-    "iv": "nvjXrOwgfgutwEVw\n",
-    "auth_tag": "A89RUf1sdcS3FVscNPWYLg==\n",
+    "encrypted_data": "LvCgahQblsKOxK9iNbwDd31atBfemVppHqV7s3K/sR4j\n",
+    "iv": "zObzh2jEsqXk2vD2\n",
+    "auth_tag": "n9m/sBYBfzggwQLWrGpR2Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "btcpay_auth_token": {
-    "encrypted_data": "ky5iWYF06os0Ek6vIRzWqMTekqJhCOh/Q9DTDIeKhSyk8TnT3O71lCNEt1F5\nXCNq6ux3V6oyHVLWj0o=\n",
-    "iv": "zk6WnxsY89oNW1F9\n",
-    "auth_tag": "FAIMXKvQ1T7QKezVSNJbwQ==\n",
+    "encrypted_data": "M4kGd6+jresm90nWrJG25mX6rfhaU+VlJlIVd/IjOAUsDABryyulJul3GZFh\nFPSI4uEhgIWtn56I0bA=\n",
+    "iv": "hvqHm7A/YfUOJwRJ\n",
+    "auth_tag": "DhtT6IeixD1MSRX+D7JxZA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_access_key": {
-    "encrypted_data": "KfhfEGwPjOonlz6rpnNTinXFPqX/sIbqQn/aby0UDi/G/7cvEcOiNcCkfuSz\n",
-    "iv": "Q3rg06v6K9pUDLDY\n",
-    "auth_tag": "G5ugdlJ896KtYtObKLclJA==\n",
+    "encrypted_data": "FPRpLZoIbLcVWPJhOlX7ZeXGv6TZIWYAD+BKTsJOyOHxDG3eRULqQc89cGWi\n",
+    "iv": "f9WiiGLmDxtygp60\n",
+    "auth_tag": "lGnq4itmByuF/Yp20/6coQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_secret_key": {
-    "encrypted_data": "N8s1OoDrYXHjqSydQA0kY7dd68Aelq4+/cgmJlYfP92u4YA17V4TR7fsvQZL\nkqjuUSClNYPc0XiCwf/5gxVirE9AO6OmmvSV7lUyu4hcEY6unrU=\n",
-    "iv": "bXzIVWnX6V0P6PRb\n",
-    "auth_tag": "1EOjCfsX9P6ETjUsgBvBsA==\n",
+    "encrypted_data": "JnnwISbHJ+d7JZB/C0NH0fb8p+bDSwoq5t5knSi+bSTltSxKcq6PRX9K6bov\nEbo0GTdWePbuc5NCsyYxfrkzCtpLXTIxeCROtinRmFIgMFNwaOA=\n",
+    "iv": "pKPCaANDqGtbFV3V\n",
+    "auth_tag": "S//hn2HOhuZH8+UfCNBWDg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "nostr_private_key": {
-    "encrypted_data": "Sf8PEyQ0sqcgxddSlIDxLOVzPjOkTFObsYuTgcxkbEV7igrati4e8QVVUEBD\n1yoLJXelp8jlCr28Ectci29jc53gYSMTLSQsw97uYas2R0dGCqQ=\n",
-    "iv": "+1CIUyvIUOveLrY4\n",
-    "auth_tag": "GDqS+IuAIfMBmHIeFXaV7A==\n",
+    "encrypted_data": "AKfFiLow+veDyEWBwmCDuLerT3l+o2aJUCeHg2mZZIyoH4oeo/9crZwIdjBn\n70reouqnHNG9mBHuO/+IPGfj53mHLo+oGHh+6LkL3ImI4MFBofY=\n",
+    "iv": "bPlOKk2qkJAzdKf+\n",
+    "auth_tag": "VIp1IOjBGatn2MN5LHVymg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/gandi_api.json

@@ -1,23 +1,23 @@
 {
   "id": "gandi_api",
   "key": {
-    "encrypted_data": "Ky1/PdywtEIl5vVXhzu3n2JetqOxnNjpjQ7yCao6qwIAn8oYxnv1c1hFAQ==\n",
-    "iv": "stAc2FxDvUqrh0kt\n",
-    "auth_tag": "rcK4Qt+f2O4Zo5IMmG0fkw==\n",
+    "encrypted_data": "lU7/xYTmP5Sb6SsK5TNNIyegWozzBtUzpg7oDdl6gcz9FEMmG2ft0Ljh5Q==\n",
+    "iv": "EZPQD3C+wsP/mBhF\n",
+    "auth_tag": "vF9E8Pj4Z8quJJdOMg/QTw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "access_token": {
-    "encrypted_data": "J7zoLhEbPfPjnVWBmFmDdPKRer5GGw2o6Ad0uinznANugfaDiqjyYinOdEDF\nHlAqLmXv4J40rr3F+o4=\n",
-    "iv": "fAxFqVh9QqrfBsPW\n",
-    "auth_tag": "9ugi4frDLv8f7X0X1+k4DA==\n",
+    "encrypted_data": "1Uw69JkNrmb8LU/qssuod1SlqxxrWR7TJQZeeivRrNzrMIVTEW/1uwJIYL6b\nM4GeeYl9lIRlMMmLBkc=\n",
+    "iv": "cc1GJKu6Cf4DkIgX\n",
+    "auth_tag": "ERem4S7ozG695kjvWIMghw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "domains": {
-    "encrypted_data": "X0KOKlJp5GYbKcq/jzmlaMmTXV1U7exWSqi3UxX9Sw==\n",
-    "iv": "9JucnYLlYdQ9N6pd\n",
-    "auth_tag": "sERYPDnVUJwVfSS8/xrPpQ==\n",
+    "encrypted_data": "scZ5blsSjs54DlitR7KZ3enLbyceOR5q0wjHw1golQ==\n",
+    "iv": "oDcHm7shAzW97b4t\n",
+    "auth_tag": "62Zais9yf68SwmZRsmZ3hw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/kosmos-rs.json

@@ -0,0 +1,10 @@
+{
+  "id": "kosmos-rs",
+  "auth_tokens": {
+    "encrypted_data": "fiznpRw7VKlm232+U6XV1rqkAf2Z8CpoD8KyvuvOH2JniaymlcTHgazGWQ8s\nGeqK4RU9l4d29e9i+Mh0k4vnhO4q\n",
+    "iv": "SvurcL2oNSNWjlxp\n",
+    "auth_tag": "JLQ7vGXAuYYJpLEpL6C+Rw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

data_bags/credentials/lndhub-go.json

@@ -1,30 +1,30 @@
 {
   "id": "lndhub-go",
   "jwt_secret": {
-    "encrypted_data": "3T4JYnoISKXCnatCBeLCXyE8wVjzphw5/JU5A0vHfQ2xSDZreIRQ\n",
-    "iv": "bGQZjCk6FtD/hqVj\n",
-    "auth_tag": "CS87+UK1ZIFMiNcNaoyO6w==\n",
+    "encrypted_data": "lJsKBTCRzI83xmRHXzpnuRH/4cuMOR+Rd+SBU50G9HdibadIEDhS\n",
+    "iv": "f/SvsWtZIYOVc54X\n",
+    "auth_tag": "YlJ78EuJbcPfjCPc2eH+ug==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "postgresql_password": {
-    "encrypted_data": "u8kf/6WdSTzyIz2kF+24JgOPLndWH2WmTFZ3CToJsnay\n",
-    "iv": "KqLtV2UuaAzJx7C8\n",
-    "auth_tag": "3aqx45+epb2NFkNfOfG89A==\n",
+    "encrypted_data": "aT0yNlWjvk/0S4z2kZB4Ye1u/ngk5J6fGPbwZSfdq6cy\n",
+    "iv": "OgUttF4LlSrL/7gH\n",
+    "auth_tag": "pcbbGqbQ2RjU+i9dt8c3OQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "admin_token": {
-    "encrypted_data": "Z737fXqRE9JHfunRhc2GG281dFFN1bvBvTzTDzl/Vb8O\n",
-    "iv": "oKLQJbD67tiz2235\n",
-    "auth_tag": "SlVIqC9d9SRoO78M7cBjTw==\n",
+    "encrypted_data": "I9EsqCCxMIw+fX6sfu6KX8B5fJj9DX5Y4tbX30jdnmxr\n",
+    "iv": "vnERvIWYInO6+Y8q\n",
+    "auth_tag": "gO+MprZUQgPEWJQUmSF1sA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "sentry_dsn": {
-    "encrypted_data": "gmDHGDWkTIvaXjcWMs1dnKnbqtsADPJ2mLmWw8Idj6RVevU5CabjvviAxEo1\n3hs2LWuObumRSCQt2QKap191uMq3CL2+da53hbsv+JUkxl4=\n",
-    "iv": "Yt0fSsxL4SNicwUY\n",
-    "auth_tag": "j7BWbcNnymHHMNTADWmCNw==\n",
+    "encrypted_data": "+sUXWgl6dXpA1/0FqjKC3Jnl54aor6gtM+19EM/NsHwg4qu672YnSgxV+c9x\nHM3JZBYxBYvJ+HYGAvMmhlGvaOOEIvLmFUpCCJeVUXR32S8=\n",
+    "iv": "82+DzAnHiptaX7sO\n",
+    "auth_tag": "CDx44iRBVhSIF8DOxb2c+w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

doc/mastodon.md

@@ -0,0 +1,15 @@
+# Mastodon
+
+Running on kosmos.social
+
+## Ops
+
+### Enable maintance mode
+
+Return a 503 and maintance page for all requests:
+
+    knife ssh -p2222 -a knife_zero.host "role:openresty_proxy" "sudo cp -p /var/www/maintenance.html /var/www/kosmos.social/public/ && sudo systemctl reload openresty"
+
+### Stop maintenance mode
+
+    knife ssh -p2222 -a knife_zero.host "role:openresty_proxy" "sudo rm /var/www/kosmos.social/public/maintenance.html && sudo systemctl reload openresty"

environments/production.json

@@ -105,19 +105,39 @@
     },
     "strfry": {
       "domain": "nostr.kosmos.org",
-      "real_ip_header": "x-real-ip",
-      "policy_path": "/opt/strfry/strfry-policy.ts",
-      "whitelist_pubkeys": [
-        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
-        "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf"
-      ],
-      "info": {
-        "name": "Kosmos Relay",
-        "description": "Members-only nostr relay for kosmos.org users",
-        "pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
-        "contact": "ops@kosmos.org",
-        "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
+      "config": {
+        "events": {
+          "max_event_size": "524288"
+        },
+        "relay": {
+          "bind": "0.0.0.0",
+          "real_ip_header": "x-real-ip",
+          "info": {
+            "name": "Kosmos Relay",
+            "description": "Members-only nostr relay for kosmos.org users",
+            "pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
+            "contact": "ops@kosmos.org",
+            "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
+          },
+          "write_policy": {
+            "plugin": "/opt/strfry/strfry-policy.ts"
+          },
+          "logging": {
+            "dump_in_all": true
+          }
+        }
+      },
+      "known_pubkeys": {
+        "_": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
+        "accounts": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
+        "bitcoincore": "47750177bb6bb113784e4973f6b2e3dd27ef1eff227d6e38d0046d618969e41a",
+        "fiatjaf": "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
       }
+    },
+    "substr": {
+      "relay_urls": [
+        "ws://localhost:7777"
+      ]
     }
   }
 }

nodes/akkounts-1.json

@@ -9,7 +9,7 @@
   "automatic": {
     "fqdn": "akkounts-1",
     "os": "linux",
-    "os_version": "5.4.0-148-generic",
+    "os_version": "5.4.0-216-generic",
     "hostname": "akkounts-1",
     "ipaddress": "192.168.122.160",
     "roles": [
@@ -38,6 +38,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/bitcoin-2.json

@@ -38,11 +38,13 @@
       "kosmos-bitcoin::dotnet",
       "kosmos-bitcoin::nbxplorer",
       "kosmos-bitcoin::btcpay",
+      "kosmos-bitcoin::price_tracking",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",
@@ -102,6 +104,7 @@
     "role[bitcoind]",
     "role[lnd]",
     "role[lndhub]",
-    "role[btcpay]"
+    "role[btcpay]",
+    "recipe[kosmos-bitcoin::price_tracking]"
   ]
 }

nodes/draco.kosmos.org.json

@@ -20,7 +20,7 @@
   "automatic": {
     "fqdn": "draco.kosmos.org",
     "os": "linux",
-    "os_version": "5.4.0-54-generic",
+    "os_version": "5.4.0-187-generic",
     "hostname": "draco",
     "ipaddress": "148.251.237.73",
     "roles": [

nodes/drone-1.json

@@ -8,26 +8,27 @@
   "automatic": {
     "fqdn": "drone-1",
     "os": "linux",
-    "os_version": "5.4.0-1058-kvm",
+    "os_version": "5.4.0-1133-kvm",
     "hostname": "drone-1",
     "ipaddress": "192.168.122.200",
     "roles": [
+      "kvm_guest",
       "drone",
-      "postgresql_client",
-      "kvm_guest"
+      "postgresql_client"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
+      "kosmos_kvm::guest",
       "kosmos_postgresql::hostsfile",
       "kosmos_drone",
       "kosmos_drone::default",
-      "kosmos_kvm::guest",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",
@@ -43,13 +44,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "17.9.52",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
+        "version": "18.7.10",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "17.9.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+        "version": "18.2.5",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
       }
     }
   },
@@ -58,4 +59,4 @@
     "role[kvm_guest]",
     "role[drone]"
   ]
-}
+}

nodes/ejabberd-4.json

@@ -37,6 +37,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/ejabberd-8.json

@@ -37,6 +37,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/garage-12.json

@@ -0,0 +1,65 @@
+{
+  "name": "garage-12",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.224"
+    }
+  },
+  "automatic": {
+    "fqdn": "garage-12",
+    "os": "linux",
+    "os_version": "5.15.0-1059-kvm",
+    "hostname": "garage-12",
+    "ipaddress": "192.168.122.173",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "garage_node"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::journald_conf",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.7.10",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.5",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[garage_node]"
+  ]
+}

nodes/garage-13.json

@@ -0,0 +1,65 @@
+{
+  "name": "garage-13",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.179"
+    }
+  },
+  "automatic": {
+    "fqdn": "garage-13",
+    "os": "linux",
+    "os_version": "5.15.0-1059-kvm",
+    "hostname": "garage-13",
+    "ipaddress": "192.168.122.27",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "garage_node"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_garage",
+      "kosmos_garage::default",
+      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall_apis",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::journald_conf",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "22.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "18.7.10",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "18.2.5",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[garage_node]"
+  ]
+}

nodes/gitea-2.json

@@ -9,7 +9,7 @@
   "automatic": {
     "fqdn": "gitea-2",
     "os": "linux",
-    "os_version": "5.4.0-1096-kvm",
+    "os_version": "5.4.0-1123-kvm",
     "hostname": "gitea-2",
     "ipaddress": "192.168.122.189",
     "roles": [
@@ -39,6 +39,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",
@@ -49,6 +50,13 @@
       "postfix::sasl_auth",
       "hostname::default",
       "firewall::default",
+      "kosmos_gitea::compile_from_source",
+      "git::default",
+      "git::package",
+      "kosmos-nodejs::default",
+      "nodejs::nodejs_from_package",
+      "nodejs::repo",
+      "golang::default",
       "backup::default",
       "logrotate::default"
     ],

nodes/mastodon-3.json

@@ -37,6 +37,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/postgres-6.json

@@ -22,6 +22,7 @@
       "kosmos_kvm::guest",
       "kosmos_postgresql::primary",
       "kosmos_postgresql::firewall",
+      "kosmos-akkounts::pg_db",
       "kosmos-bitcoin::lndhub-go_pg_db",
       "kosmos-bitcoin::nbxplorer_pg_db",
       "kosmos_drone::pg_db",

nodes/postgres-7.json

@@ -29,6 +29,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/strfry-1.json

@@ -27,11 +27,13 @@
       "strfry::default",
       "kosmos_strfry::policies",
       "kosmos_strfry::firewall",
+      "kosmos_strfry::substr",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",

nodes/wiki-1.json

@@ -28,6 +28,7 @@
       "timezone_iii::debian",
       "ntp::default",
       "ntp::apparmor",
+      "kosmos-base::journald_conf",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",
@@ -66,12 +67,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "15.13.8",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.13.8/lib"
+        "version": "18.7.10",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_effortless": null
       },
       "ohai": {
-        "version": "15.12.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
+        "version": "18.2.5",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
       }
     }
   },

roles/gitea.rb

@@ -5,3 +5,11 @@ run_list %w(
   kosmos_gitea::default
   kosmos_gitea::backup
 )
+
+override_attributes(
+  "gitea" => {
+    "repo" => "https://github.com/67P/gitea.git",
+    "revision" => "ldap_sync",
+    "log" => { "level" => "Info" }
+  },
+)

roles/postgresql_primary.rb

@@ -3,6 +3,7 @@ name "postgresql_primary"
 run_list %w(
   kosmos_postgresql::primary
   kosmos_postgresql::firewall
+  kosmos-akkounts::pg_db
   kosmos-bitcoin::lndhub-go_pg_db
   kosmos-bitcoin::nbxplorer_pg_db
   kosmos_drone::pg_db

roles/strfry.rb

@@ -5,4 +5,5 @@ run_list %w(
   strfry::default
   kosmos_strfry::policies
   kosmos_strfry::firewall
+  kosmos_strfry::substr
 )

site-cookbooks/kosmos-akkounts/recipes/default.rb

@@ -24,13 +24,12 @@ package "libvips"
 
 include_recipe 'redisio::default'
 include_recipe 'redisio::enable'
+
+node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
 include_recipe 'kosmos-nodejs'
+npm_package "bun"
 
-npm_package "yarn" do
-  version "1.22.4"
-end
-
-ruby_version = "3.3.0"
+ruby_version = "3.3.8"
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
 rails_env = node.chef_environment == "development" ? "development" : "production"
@@ -48,7 +47,28 @@ webhooks_allowed_ips = [lndhub_host].compact.uniq.join(',')
 env = {
   primary_domain: node['akkounts']['primary_domain'],
   akkounts_domain: node['akkounts']['domain'],
-  rails_serve_static_files: true
+  rails_serve_static_files: true,
+  secret_key_base: credentials["rails_secret_key_base"],
+  encryption_primary_key: credentials["rails_encryption_primary_key"],
+  encryption_key_derivation_salt: credentials["rails_encryption_key_derivation_salt"],
+  db_adapter: "postgresql",
+  pg_host: "pg.kosmos.local",
+  pg_port: 5432,
+  pg_database: "akkounts",
+  pg_database_queue: "akkounts_queue",
+  pg_username: credentials["postgresql"]["username"],
+  pg_password: credentials["postgresql"]["password"]
+}
+
+env[:ldap] = {
+  host: "ldap.kosmos.local",
+  port: 389,
+  use_tls: false,
+  uid_attr: "cn",
+  base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
+  admin_user: credentials["ldap"]["admin_user"],
+  admin_password: credentials["ldap"]["admin_password"],
+  suffix: "dc=kosmos,dc=org"
 }
 
 smtp_server, smtp_port = smtp_credentials[:relayhost].split(":")
@@ -138,9 +158,9 @@ if lndhub_host
   if postgres_readonly_host
     env[:lndhub_admin_ui] = true
     env[:lndhub_pg_host] = postgres_readonly_host
-    env[:lndhub_pg_database] = node['akkounts']['lndhub']['postgres_db']
-    env[:lndhub_pg_username] = credentials['postgresql_username']
-    env[:lndhub_pg_password] = credentials['postgresql_password']
+    env[:lndhub_pg_database] = node["akkounts"]["lndhub"]["postgres_db"]
+    env[:lndhub_pg_username] = credentials["postgresql"]["username"]
+    env[:lndhub_pg_password] = credentials["postgresql"]["password"]
   end
 end
 
@@ -208,7 +228,7 @@ systemd_unit "akkounts.service" do
       Type: "simple",
       User: deploy_user,
       WorkingDirectory: deploy_path,
-      Environment: "RAILS_ENV=#{rails_env}",
+      Environment: "RAILS_ENV=#{rails_env} SOLID_QUEUE_IN_PUMA=true",
       ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
       ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
       ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
@@ -225,36 +245,6 @@ systemd_unit "akkounts.service" do
   action [:create, :enable]
 end
 
-systemd_unit "akkounts-sidekiq.service" do
-  content({
-    Unit: {
-      Description: "Kosmos Accounts async/background jobs",
-      Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
-      Requires: "redis@6379.service",
-      After: "syslog.target network.target redis@6379.service"
-    },
-    Service: {
-      Type: "notify",
-      User: deploy_user,
-      WorkingDirectory: deploy_path,
-      Environment: "MALLOC_ARENA_MAX=2",
-      ExecStart: "#{bundle_path} exec sidekiq -C #{deploy_path}/config/sidekiq.yml -e #{rails_env}",
-      WatchdogSec: "10",
-      Restart: "on-failure",
-      RestartSec: "1",
-      StandardOutput: "syslog",
-      StandardError: "syslog",
-      SyslogIdentifier: "sidekiq"
-    },
-    Install: {
-      WantedBy: "multi-user.target"
-    }
-  })
-  verify false
-  triggers_reload true
-  action [:create, :enable]
-end
-
 deploy_env = {
   "HOME" => deploy_path,
   "PATH" => "#{ruby_path}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin",
@@ -267,15 +257,7 @@ git deploy_path do
   revision node[app_name]["revision"]
   user  deploy_user
   group deploy_group
-  # Restart services on deployments
-  notifies :run, "execute[restart #{app_name} services]", :delayed
-end
-
-execute "restart #{app_name} services" do
-  command "true"
-  action :nothing
   notifies :restart, "service[#{app_name}]", :delayed
-  notifies :restart, "service[#{app_name}-sidekiq]", :delayed
 end
 
 file "#{deploy_path}/config/master.key" do
@@ -283,7 +265,7 @@ file "#{deploy_path}/config/master.key" do
   mode '0400'
   owner deploy_user
   group deploy_group
-  notifies :run, "execute[restart #{app_name} services]", :delayed
+  notifies :restart, "service[#{app_name}]", :delayed
 end
 
 template "#{deploy_path}/.env.#{rails_env}" do
@@ -293,7 +275,7 @@ template "#{deploy_path}/.env.#{rails_env}" do
   mode 0600
   sensitive true
   variables config: env
-  notifies :run, "execute[restart #{app_name} services]", :delayed
+  notifies :restart, "service[#{app_name}]", :delayed
 end
 
 execute "bundle install" do
@@ -303,13 +285,6 @@ execute "bundle install" do
   command "bundle install --without development,test --deployment"
 end
 
-execute "yarn install" do
-  environment deploy_env
-  user deploy_user
-  cwd deploy_path
-  command "yarn install --pure-lockfile"
-end
-
 execute 'rake db:migrate' do
   environment deploy_env
   user deploy_user
@@ -330,10 +305,6 @@ service "akkounts" do
   action [:enable, :start]
 end
 
-service "akkounts-sidekiq" do
-  action [:enable, :start]
-end
-
 firewall_rule "akkounts_zerotier" do
   command  :allow
   port     node["akkounts"]["port"]

site-cookbooks/kosmos-akkounts/recipes/pg_db.rb

@@ -0,0 +1,22 @@
+#
+# Cookbook:: kosmos-akkounts
+# Recipe:: pg_db
+#
+
+credentials = data_bag_item("credentials", "akkounts")
+pg_username = credentials["postgresql"]["username"]
+pg_password = credentials["postgresql"]["password"]
+
+postgresql_user pg_username do
+  action :create
+  password pg_password
+end
+
+databases = ["akkounts", "akkounts_queue"]
+
+databases.each do |database|
+  postgresql_database database do
+    owner pg_username
+    action :create
+  end
+end

site-cookbooks/kosmos-base/attributes/default.rb

@@ -0,0 +1,2 @@
+node.default["kosmos-base"]["journald"]["system_max_use"] = "256M"
+node.default["kosmos-base"]["journald"]["max_retention_sec"] = "7d"

site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb

@@ -1,52 +0,0 @@
-#
-# Cookbook Name:: kosmos-base
-# Recipe:: andromeda_firewall
-#
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-# Temporary extra rules for Andromeda
-
-firewall_rule 'bitcoind' do
-  port     [8333, 8334, 8335]
-  protocol :tcp
-  command  :allow
-end
-
-firewall_rule 'lnd' do
-  port     [9736]
-  # port     [9736, 8002]
-  protocol :tcp
-  command  :allow
-end
-
-firewall_rule 'lightningd' do
-  port     [9735]
-  protocol :tcp
-  command  :allow
-end
-
-firewall_rule 'spark_wallet' do
-  port     8008
-  protocol :tcp
-  command  :allow
-end

site-cookbooks/kosmos-base/recipes/default.rb

@@ -27,11 +27,19 @@
 include_recipe 'apt'
 include_recipe 'timezone_iii'
 include_recipe 'ntp'
+include_recipe 'kosmos-base::journald_conf'
 include_recipe 'kosmos-base::systemd_emails'
 
+node.override["apt"]["unattended_upgrades"]["enable"] = true
+node.override["apt"]["unattended_upgrades"]["mail_only_on_error"] = false
+node.override["apt"]["unattended_upgrades"]["sender"] = "ops@kosmos.org"
 node.override["apt"]["unattended_upgrades"]["allowed_origins"] = [
   "${distro_id}:${distro_codename}-security",
-  "${distro_id}:${distro_codename}-updates"
+  "${distro_id}:${distro_codename}-updates",
+  "${distro_id}ESMApps:${distro_codename}-apps-security",
+  "${distro_id}ESMApps:${distro_codename}-apps-updates",
+  "${distro_id}ESM:${distro_codename}-infra-security",
+  "${distro_id}ESM:${distro_codename}-infra-updates"
 ]
 node.override["apt"]["unattended_upgrades"]["mail"] = "ops@kosmos.org"
 node.override["apt"]["unattended_upgrades"]["syslog_enable"] = true

site-cookbooks/kosmos-base/recipes/journald_conf.rb

@@ -0,0 +1,14 @@
+#
+# Cookbook Name:: kosmos-base
+# Recipe:: journald_conf
+#
+
+service "systemd-journald"
+
+template "/etc/systemd/journald.conf" do
+  source "journald.conf.erb"
+  variables system_max_use: node["kosmos-base"]["journald"]["system_max_use"],
+            max_retention_sec: node["kosmos-base"]["journald"]["max_retention_sec"]
+  # Restarting journald is required
+  notifies :restart, "service[systemd-journald]", :delayed
+end

site-cookbooks/kosmos-base/templates/default/journald.conf.erb

@@ -0,0 +1,6 @@
+[Journal]
+# Set the maximum size of the journal logs in bytes
+SystemMaxUse=<%= @system_max_use %>
+
+# Set the number of days after which logs will be deleted
+MaxRetentionSec=<%= @max_retention_sec %>

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '28.0'
-node.default['bitcoin']['checksum']  = '700ae2d1e204602eb07f2779a6e6669893bc96c0dca290593f80ff8e102ff37f'
+node.default['bitcoin']['version']   = '30.0'
+node.default['bitcoin']['checksum']  = '9b472a4d51dfed9aa9d0ded2cb8c7bcb9267f8439a23a98f36eb509c1a5e6974'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'
@@ -41,7 +41,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.18.3-beta'
+node.default['lnd']['revision'] = 'v0.19.1-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -90,7 +90,7 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/
 node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
 
 node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
-node.default['nbxplorer']['revision'] = 'v2.5.0'
+node.default['nbxplorer']['revision'] = 'v2.5.26'
 node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
 node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
 node.default['nbxplorer']['port'] = '24445'
@@ -98,7 +98,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
 node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
 
 node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
-node.default['btcpay']['revision'] = 'v1.12.5'
+node.default['btcpay']['revision'] = 'v2.1.1'
 node.default['btcpay']['source_dir'] = '/opt/btcpay'
 node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
 node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
@@ -111,3 +111,5 @@ node.default['btcpay']['postgres']['user'] = 'satoshi'
 node.default['peerswap']['repo'] = 'https://github.com/ElementsProject/peerswap.git'
 node.default['peerswap']['revision'] = 'master'
 node.default['peerswap-lnd']['source_dir'] = '/opt/peerswap'
+
+node.default['price_tracking']['rs_base_url'] = "https://storage.kosmos.org/kosmos/public/btc-price"

site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb

@@ -34,7 +34,7 @@ end
 execute "compile_bitcoin-core_dependencies" do
   cwd "/usr/local/bitcoind/depends"
   environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
-  command "make -j 2"
+  command "make -j $(($(nproc)/2))"
   action :nothing
   notifies :run, 'bash[compile_bitcoin-core]', :immediately
 end
@@ -43,21 +43,13 @@ bash "compile_bitcoin-core" do
   cwd "/usr/local/bitcoind"
   environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
   code <<-EOH
-    ./autogen.sh
-    ./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
-    make
+    cmake -B build --toolchain depends/x86_64-pc-linux-gnu/toolchain.cmake -DBUILD_TESTS=OFF
+    cmake --build build -j $(($(nproc)/2))
+    cmake --install build
   EOH
   action :nothing
 end
 
-link "/usr/local/bin/bitcoind" do
-  to "/usr/local/bitcoind/src/bitcoind"
-end
-
-link "/usr/local/bin/bitcoin-cli" do
-  to "/usr/local/bitcoind/src/bitcoin-cli"
-end
-
 bitcoin_user      = node['bitcoin']['username']
 bitcoin_group     = node['bitcoin']['usergroup']
 bitcoin_datadir   = node['bitcoin']['datadir']

site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb

@@ -21,6 +21,7 @@ bash 'build_btcpay' do
     systemctl stop btcpayserver.service
     ./build.sh
   EOH
+  environment "DOTNET_CLI_TELEMETRY_OPTOUT" => 1
   action :nothing
   notifies :restart, "service[btcpayserver]", :delayed
 end
@@ -87,7 +88,7 @@ systemd_unit 'btcpayserver.service' do
       Group: node['bitcoin']['usergroup'],
       Type: 'simple',
       WorkingDirectory: node['btcpay']['source_dir'],
-      Environment: defined?(nbxpg_connect) ? "'BTCPAY_EXPLORERPOSTGRES=#{nbxpg_connect}'" : '',
+      Environment: "'BTCPAY_EXPLORERPOSTGRES=#{nbxpg_connect}' 'DOTNET_CLI_TELEMETRY_OPTOUT=1'",
       ExecStart: "#{node['btcpay']['source_dir']}/run.sh --conf=#{node['btcpay']['config_path']}",
       PIDFile: '/run/btcpayserver/btcpayserver.pid',
       Restart: 'on-failure',
@@ -103,6 +104,8 @@ systemd_unit 'btcpayserver.service' do
   verify false
   triggers_reload true
   action [:create]
+  # reload is not applicable
+  notifies :restart, "service[btcpayserver]", :delayed
 end
 
 service "btcpayserver" do

site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb

@@ -58,9 +58,7 @@ directory '/run/nbxplorer' do
 end
 
 env = {
-  NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20",
-  NBXPLORER_AUTOMIGRATE: "1",
-  NBXPLORER_NOMIGRATEEVTS: "1"
+  NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20"
 }
 
 systemd_unit 'nbxplorer.service' do

site-cookbooks/kosmos-bitcoin/recipes/price_tracking.rb

@@ -0,0 +1,59 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: price_tracking
+#
+# Track BTC rates and publish them via remoteStorage
+#
+
+%w[curl jq].each do |pkg|
+  apt_package pkg
+end
+
+daily_tracker_path = "/usr/local/bin/btc-price-tracker-daily"
+
+credentials = Chef::EncryptedDataBagItem.load('credentials', 'kosmos-rs')
+
+template daily_tracker_path do
+  source "btc-price-tracker-daily.sh.erb"
+  mode '0740'
+  variables rs_base_url: node['price_tracking']['rs_base_url']
+  notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
+end
+
+systemd_unit 'btc-price-tracker-daily.service' do
+  content({
+    Unit: {
+      Description: 'BTC price tracker (daily rates)',
+      After: 'network-online.target',
+      Wants: 'network-online.target'
+    },
+    Service: {
+      Type: 'oneshot',
+      ExecStart: daily_tracker_path,
+      Environment: "RS_AUTH=#{credentials["auth_tokens"]["/btc-price"]}"
+    },
+    Install: {
+      WantedBy: 'multi-user.target'
+    }
+  })
+  sensitive true
+  triggers_reload true
+  action [:create]
+end
+
+systemd_unit 'btc-price-tracker-daily.timer' do
+  content({
+    Unit: {
+      Description: 'Run BTC price tracker daily'
+    },
+    Timer: {
+      OnCalendar: '*-*-* 00:00:00',
+      Persistent: 'true'
+    },
+    Install: {
+      WantedBy: 'timers.target'
+    }
+  })
+  triggers_reload true
+  action [:create, :enable, :start]
+end

site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Calculate yesterday's date in YYYY-MM-DD format
+YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
+echo "Starting price tracking for $YESTERDAY" >&2
+
+# Fetch and process rates for a fiat currency
+get_price_data() {
+    local currency=$1
+    local data avg open24 last
+
+    data=$(curl -s "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/")
+    if [ $? -eq 0 ] && [ ! -z "$data" ]; then
+        echo "Successfully retrieved ${currency} price data" >&2
+        open24=$(echo "$data" | jq -r '.open_24')
+        last=$(echo "$data" | jq -r '.last')
+        avg=$(( (${open24%.*} + ${last%.*}) / 2 ))
+        echo $avg
+    else
+        echo "ERROR: Failed to retrieve ${currency} price data" >&2
+        exit 1
+    fi
+}
+
+# Get price data for each currency
+usd_avg=$(get_price_data "USD")
+eur_avg=$(get_price_data "EUR")
+gbp_avg=$(get_price_data "GBP")
+
+# Create JSON
+json="{\"EUR\":$eur_avg,\"USD\":$usd_avg,\"GBP\":$gbp_avg}"
+echo "Rates: $json" >&2
+
+# PUT in remote storage
+response=$(curl -X PUT \
+    -H "Authorization: Bearer $RS_AUTH" \
+    -H "Content-Type: application/json" \
+    -d "$json" \
+    -w "%{http_code}" \
+    -s \
+    -o /dev/null \
+    "<%= @rs_base_url %>/$YESTERDAY")
+
+if [ "$response" -eq 200 ] || [ "$response" -eq 201 ]; then
+   echo "Successfully uploaded price data" >&2
+else
+   echo "ERROR: Failed to upload price data. HTTP status: $response" >&2
+   exit 1
+fi

site-cookbooks/kosmos-ejabberd/attributes/default.rb

@@ -1,6 +1,6 @@
-node.default["ejabberd"]["version"] = "23.10"
+node.default["ejabberd"]["version"] = "25.08"
 node.default["ejabberd"]["package_version"] = "1"
-node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77"
+node.default["ejabberd"]["checksum"] = "e4703bc41b5843fc4b76e8b54a9380d5895f9b3dcd4795e05ad0c260ed9b9a23"
 node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org"
 node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org"
 node.default["ejabberd"]["stun_turn_port"] = 3478

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -65,15 +65,13 @@ file "/opt/ejabberd/.hosts.erlang" do
   content ejabberd_hostnames.map{|h| "#{h}."}.join("\n")
 end
 
-ruby_block "configure ERLANG_NODE" do
-  block do
-    file = Chef::Util::FileEdit.new("/opt/ejabberd/conf/ejabberdctl.cfg")
-    file.search_file_replace_line(
-      %r{#ERLANG_NODE=ejabberd@localhost},
-      "ERLANG_NODE=ejabberd@#{node['name']}"
-    )
-    file.write_file
-  end
+template "/opt/ejabberd/conf/ejabberdctl.cfg" do
+  source    "ejabberdctl.cfg.erb"
+  mode      0644
+  owner     'ejabberd'
+  group     'ejabberd'
+  variables epmd_node_name: "ejabberd@#{node['name']}"
+  notifies :reload, "service[ejabberd]", :delayed
 end
 
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
@@ -110,6 +108,7 @@ hosts = [
         access_persistent: muc_create
         access_register: muc_create
         max_user_conferences: 1000
+        max_users: 2000
         default_room_options:
           mam: true
         preload_rooms: true
@@ -224,10 +223,3 @@ end
 unless node.chef_environment == "development"
   include_recipe "kosmos-ejabberd::firewall"
 end
-
-firewall_rule 'ejabberd_http' do
-  port     [80]
-  source   "10.1.1.0/24"
-  protocol :tcp
-  command  :allow
-end

site-cookbooks/kosmos-ejabberd/recipes/firewall.rb

@@ -35,3 +35,10 @@ firewall_rule 'ejabberd_turn' do
   protocol :udp
   command  :allow
 end
+
+firewall_rule 'ejabberd_http' do
+  port     [80]
+  source   "10.1.1.0/24"
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb

@@ -16,8 +16,8 @@ set -e
 for domain in $RENEWED_DOMAINS; do
   case $domain in
   kosmos.org|kosmos.chat|5apps.com)
-    cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key
-    cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
+    cp "/etc/letsencrypt/live/${domain}/privkey.pem" /opt/ejabberd/conf/$domain.key
+    cp "/etc/letsencrypt/live/${domain}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
     chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
     chmod 600 /opt/ejabberd/conf/$domain.*
     /opt/ejabberd-#{node["ejabberd"]["version"]}/bin/ejabberdctl reload_config
@@ -38,12 +38,13 @@ gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
 template "/root/gandi_dns_certbot_hook.sh" do
   variables access_token: gandi_api_credentials["access_token"]
   mode 0700
+  sensitive true
 end
 
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for kosmos.org domains" do
-  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d uploads.xmpp.kosmos.org -n"
+  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d upload.kosmos.org -d proxy.kosmos.org -d pubsub.kosmos.org -d uploads.xmpp.kosmos.org -n"
   not_if do
     File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
   end

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -1,10 +1,11 @@
-loglevel: 4
-
 log_rotate_size: 10485760
-log_rotate_date: ""
 log_rotate_count: 1
 
-log_rate_limit: 100
+loglevel: info
+hide_sensitive_log_data: true
+
+log_modules_fully:
+  - mod_s3_upload
 
 hosts:
 <% @hosts.each do |host| -%>
@@ -95,6 +96,8 @@ auth_method: sql
 
 default_db: sql
 
+update_sql_schema: true
+
 shaper:
   normal:
     rate: 3000
@@ -119,6 +122,15 @@ acl:
       - "::1/128"
       - "::FFFF:127.0.0.1/128"
 
+api_permissions:
+  "webadmin commands":
+    who:
+      - admin
+    from:
+      - ejabberd_web_admin
+    what:
+      - "*"
+
 shaper_rules:
   max_user_sessions: 10
   max_user_offline_messages:
@@ -185,8 +197,11 @@ api_permissions:
     what:
       - "add_rosteritem"
       - "delete_rosteritem"
-      - "send_message"
+      - "get_vcard2"
+      - "muc_register_nick"
       - "private_set"
+      - "send_message"
+      - "send_stanza"
 
 language: "en"
 
@@ -231,7 +246,6 @@ modules:
   mod_shared_roster: {}
   mod_stun_disco:
     offer_local_services: false
-    credentials_lifetime: 300
     secret: <%= @stun_secret %>
     services:
       -

site-cookbooks/kosmos-ejabberd/templates/ejabberdctl.cfg.erb

@@ -0,0 +1,175 @@
+#
+# In this file you can configure options that are passed by ejabberdctl
+# to the erlang runtime system when starting ejabberd
+#
+
+#' POLL: Kernel polling ([true|false])
+#
+# The kernel polling option requires support in the kernel.
+# Additionally, you need to enable this feature while compiling Erlang.
+#
+# Default: true
+#
+#POLL=true
+
+#.
+#' SMP: SMP support ([enable|auto|disable])
+#
+# Explanation in Erlang/OTP documentation:
+# enable: starts the Erlang runtime system with SMP support enabled.
+#   This may fail if no runtime system with SMP support is available.
+# auto: starts the Erlang runtime system with SMP support enabled if it
+#   is available and more than one logical processor are detected.
+# disable: starts a runtime system without SMP support.
+#
+# Default: enable
+#
+#SMP=enable
+
+#.
+#' ERL_MAX_PORTS: Maximum number of simultaneously open Erlang ports
+#
+# ejabberd consumes two or three ports for every connection, either
+# from a client or from another Jabber server. So take this into
+# account when setting this limit.
+#
+# Default: 32000
+# Maximum: 268435456
+#
+#ERL_MAX_PORTS=32000
+
+#.
+#' FIREWALL_WINDOW: Range of allowed ports to pass through a firewall
+#
+# If Ejabberd is configured to run in cluster, and a firewall is blocking ports,
+# it's possible to make Erlang use a defined range of port (instead of dynamic
+# ports) for node communication.
+#
+# Default: not defined
+# Example: 4200-4210
+#
+FIREWALL_WINDOW=4200-4210
+
+#.
+#' INET_DIST_INTERFACE: IP address where this Erlang node listens other nodes
+#
+# This communication is used by ejabberdctl command line tool,
+# and in a cluster of several ejabberd nodes.
+#
+# Default: 0.0.0.0
+#
+#INET_DIST_INTERFACE=127.0.0.1
+
+#.
+#' ERL_EPMD_ADDRESS: IP addresses where epmd listens for connections
+#
+# IMPORTANT: This option works only in Erlang/OTP R14B03 and newer.
+#
+# This environment variable may be set to a comma-separated
+# list of IP addresses, in which case the epmd daemon
+# will listen only on the specified address(es) and on the
+# loopback address (which is implicitly added to the list if it
+# has not been specified). The default behaviour is to listen on
+# all available IP addresses.
+#
+# Default: 0.0.0.0
+#
+#ERL_EPMD_ADDRESS=127.0.0.1
+
+#.
+#' ERL_PROCESSES: Maximum number of Erlang processes
+#
+# Erlang consumes a lot of lightweight processes. If there is a lot of activity
+# on ejabberd so that the maximum number of processes is reached, people will
+# experience greater latency times. As these processes are implemented in
+# Erlang, and therefore not related to the operating system processes, you do
+# not have to worry about allowing a huge number of them.
+#
+# Default: 250000
+# Maximum: 268435456
+#
+#ERL_PROCESSES=250000
+
+#.
+#' ERL_MAX_ETS_TABLES: Maximum number of ETS and Mnesia tables
+#
+# The number of concurrent ETS and Mnesia tables is limited. When the limit is
+# reached, errors will appear in the logs:
+#   ** Too many db tables **
+# You can safely increase this limit when starting ejabberd. It impacts memory
+# consumption but the difference will be quite small.
+#
+# Default: 1400
+#
+#ERL_MAX_ETS_TABLES=1400
+
+#.
+#' ERL_OPTIONS: Additional Erlang options
+#
+# The next variable allows to specify additional options passed to erlang while
+# starting ejabberd. Some useful options are -noshell, -detached, -heart. When
+# ejabberd is started from an init.d script options -noshell and -detached are
+# added implicitly. See erl(1) for more info.
+#
+# It might be useful to add "-pa /usr/local/lib/ejabberd/ebin" if you
+# want to add local modules in this path.
+#
+# Default: ""
+#
+#ERL_OPTIONS=""
+
+#.
+#' ERLANG_NODE: Erlang node name
+#
+# The next variable allows to explicitly specify erlang node for ejabberd
+# It can be given in different formats:
+# ERLANG_NODE=ejabberd
+#   Lets erlang add hostname to the node (ejabberd uses short name in this case)
+# ERLANG_NODE=ejabberd@hostname
+#   Erlang uses node name as is (so make sure that hostname is a real
+#   machine hostname or you'll not be able to control ejabberd)
+# ERLANG_NODE=ejabberd@hostname.domainname
+#   The same as previous, but erlang will use long hostname
+#   (see erl (1) manual for details)
+#
+# Default: ejabberd@localhost
+#
+ERLANG_NODE=<%= @epmd_node_name %>
+
+#.
+#' EJABBERD_PID_PATH: ejabberd PID file
+#
+# Indicate the full path to the ejabberd Process identifier (PID) file.
+# If this variable is defined, ejabberd writes the PID file when starts,
+# and deletes it when stops.
+# Remember to create the directory and grant write permission to ejabberd.
+#
+# Default: don't write PID file
+#
+#EJABBERD_PID_PATH=/var/run/ejabberd/ejabberd.pid
+
+#.
+#' CONTRIB_MODULES_PATH: contributed ejabberd modules path
+#
+# Specify the full path to the contributed ejabberd modules. If the path is not
+# defined, ejabberd will use ~/.ejabberd-modules in home of user running ejabberd.
+#
+# Default: $HOME/.ejabberd-modules
+#
+#CONTRIB_MODULES_PATH=/opt/ejabberd-modules
+
+#.
+#' CONTRIB_MODULES_CONF_DIR: configuration directory for contributed modules
+#
+# Specify the full path to the configuration directory for contributed ejabberd
+# modules. In order to configure a module named mod_foo, a mod_foo.yml file can
+# be created in this directory. This file will then be used instead of the
+# default configuration file provided with the module.
+#
+# Default: $CONTRIB_MODULES_PATH/conf
+#
+#CONTRIB_MODULES_CONF_DIR=/etc/ejabberd/modules
+
+#.
+#'
+# vim: foldmarker=#',#. foldmethod=marker:

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -265,6 +265,44 @@ service "mastodon-streaming" do
   action [:enable, :start]
 end
 
+#
+# Delete cached remote media older than 30 days
+# Will be re-fetched if necessary
+#
+
+systemd_unit 'mastodon-delete-old-media-cache.service' do
+  content({
+    Unit: {
+      Description: 'Delete old Mastodon media cache'
+    },
+    Service: {
+      Type: "oneshot",
+      WorkingDirectory: mastodon_path,
+      Environment: "RAILS_ENV=#{rails_env}",
+      ExecStart: "#{bundle_path} exec bin/tootctl media remove --days 30",
+    }
+  })
+  triggers_reload true
+  action [:create]
+end
+
+systemd_unit 'mastodon-delete-old-media-cache.timer' do
+  content({
+    Unit: {
+      Description: 'Delete old Mastodon media cache'
+    },
+    Timer: {
+      OnCalendar: '*-*-* 00:00:00',
+      Persistent: 'true'
+    },
+    Install: {
+      WantedBy: 'timer.target'
+    }
+  })
+  triggers_reload true
+  action [:create, :enable, :start]
+end
+
 firewall_rule "mastodon_app" do
   port     node['kosmos-mastodon']['app_port']
   source   "10.1.1.0/24"

site-cookbooks/kosmos-mastodon/recipes/nginx.rb

@@ -12,6 +12,13 @@ search(:node, "role:mastodon").each do |node|
 end
 if upstream_hosts.any?
   web_root_dir = "/var/www/#{server_name}/public"
+  directory web_root_dir do
+    action :create
+    recursive true
+    owner 'www-data'
+    group 'www-data'
+    mode 0755
+  end
 else
   web_root_dir = "#{app_dir}/public"
   upstream_hosts << "localhost"

site-cookbooks/kosmos-mediawiki/metadata.rb

@@ -3,7 +3,6 @@ maintainer       'Kosmos'
 maintainer_email 'mail@kosmos.org'
 license          'MIT'
 description      'Installs/Configures kosmos-mediawiki'
-long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version          '0.3.1'
 
 depends "mediawiki"

site-cookbooks/kosmos-mediawiki/recipes/default.rb

@@ -1,9 +1,9 @@
 #
-# Cookbook Name:: kosmos-mediawiki
-# Recipe:: default
+# Cookbook:: kosmos-mediawiki
+# Recipe:: default.rb
 #
 
-include_recipe 'apt'
+apt_update
 include_recipe 'ark'
 include_recipe 'composer'
 
@@ -11,15 +11,15 @@ apt_package 'imagemagick'
 
 server_name = 'wiki.kosmos.org'
 
-node.override['mediawiki']['version']         = "1.34.2"
-node.override['mediawiki']['webdir']          = "#{node['mediawiki']['docroot_dir']}/mediawiki-#{node['mediawiki']['version']}"
+node.override['mediawiki']['version'] = "1.34.2"
+node.override['mediawiki']['webdir'] = "#{node['mediawiki']['docroot_dir']}/mediawiki-#{node['mediawiki']['version']}"
 node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz"
-node.override['mediawiki']['tarball']['url']  = "https://releases.wikimedia.org/mediawiki/1.34/#{node['mediawiki']['tarball']['name']}"
-node.override['mediawiki']['language_code']   = 'en'
-node.override['mediawiki']['server_name']     = server_name
-node.override['mediawiki']['site_name']       = 'Kosmos Wiki'
+node.override['mediawiki']['tarball']['url'] = "https://releases.wikimedia.org/mediawiki/1.34/#{node['mediawiki']['tarball']['name']}"
+node.override['mediawiki']['language_code'] = 'en'
+node.override['mediawiki']['server_name'] = server_name
+node.override['mediawiki']['site_name'] = 'Kosmos Wiki'
 protocol = node.chef_environment == "development" ? "http" : "https"
-node.override['mediawiki']['server']          = "#{protocol}://#{server_name}"
+node.override['mediawiki']['server'] = "#{protocol}://#{server_name}"
 mysql_credentials = data_bag_item('credentials', 'mysql')
 mediawiki_credentials = data_bag_item('credentials', 'mediawiki')
 
@@ -30,14 +30,14 @@ directory "#{node['mediawiki']['webdir']}/skins/common/images" do
   owner node['nginx']['user']
   group node['nginx']['group']
   recursive true
-  mode 0750
+  mode "750"
 end
 
 cookbook_file "#{node['mediawiki']['webdir']}/skins/common/images/kosmos.png" do
   source 'kosmos.png'
   owner node['nginx']['user']
   group node['nginx']['group']
-  mode 0640
+  mode "640"
 end
 
 directory "#{node['mediawiki']['webdir']}/.well-known/acme-challenge" do
@@ -80,14 +80,14 @@ nginx_certbot_site server_name
 # Extensions
 #
 
-mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
+mediawiki_credentials = data_bag_item('credentials', 'mediawiki')
 
 #
 # MediawikiHubot extension
 #
 
 # requires curl extension
-if platform?('ubuntu') && node[:platform_version].to_f < 16.04
+if platform?('ubuntu') && node["platform_version"].to_f < 16.04
   package "php5-curl"
 else
   package "php-curl"
@@ -100,7 +100,7 @@ ark "MediawikiHubot" do
   action :cherry_pick
 end
 
-hubot_credentials = Chef::EncryptedDataBagItem.load('credentials', 'hal8000_xmpp')
+hubot_credentials = data_bag_item('credentials', 'hal8000_xmpp')
 webhook_token = hubot_credentials['webhook_token']
 
 template "#{node['mediawiki']['webdir']}/extensions/MediawikiHubot/DefaultConfig.php" do
@@ -145,7 +145,7 @@ end
 
 ruby_block "configuration" do
   block do
-    # FIXME This is internal Chef API and should not be used from recipes, as
+    # FIXME: This is internal Chef API and should not be used from recipes, as
     # it is unsupported for that
     file = Chef::Util::FileEdit.new("#{node['mediawiki']['webdir']}/LocalSettings.php")
     file.search_file_replace_line(%r{\$wgLogo\ =\ \"\$wgResourceBasePath\/resources\/assets\/wiki.png\";},
@@ -235,7 +235,7 @@ wfLoadExtension( 'LDAPAuthentication2' );
 $wgGroupPermissions['*']['createaccount'] = false;
 $wgGroupPermissions['*']['autocreateaccount'] = true;
                                  EOF
-                                 )
+      )
 
       file.write_file
     end
@@ -247,9 +247,7 @@ end
 #
 
 file "#{node['mediawiki']['webdir']}/composer.local.json" do
-  requires = { "require": {
-    "mediawiki/mermaid": "~1.0"
-  }}.to_json
+  requires = { "require": { "mediawiki/mermaid": "~1.0" } }.to_json
   content requires
   owner node['nginx']['user']
   group node['nginx']['group']

site-cookbooks/kosmos-nginx/recipes/default.rb

@@ -59,7 +59,7 @@ cookbook_file "#{node["nginx"]["user_home"]}/maintenance.html" do
   source "maintenance.html"
   owner node['nginx']['user']
   group node['nginx']['group']
-  mode "0640"
+  mode "0755"
 end
 
 unless node.chef_environment == "development"

site-cookbooks/kosmos-postfix/recipes/default.rb

@@ -3,20 +3,23 @@
 # Recipe:: default
 #
 
-node.default['postfix']['main']['smtp_tls_CAfile']  = '/etc/ssl/certs/ca-certificates.crt'
-node.default['postfix']['main']['smtpd_tls_CAfile'] = '/etc/ssl/certs/ca-certificates.crt'
+node.default["postfix"]["main"]["smtp_tls_CAfile"]  = "/etc/ssl/certs/ca-certificates.crt"
+node.default["postfix"]["main"]["smtpd_tls_CAfile"] = "/etc/ssl/certs/ca-certificates.crt"
 
 return if node.run_list.roles.include?("email_server")
 
-smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
+smtp_credentials = Chef::EncryptedDataBagItem.load("credentials", "smtp")
 
-node.default['postfix']['sasl']['smtp_sasl_user_name']        = smtp_credentials['user_name']
-node.default['postfix']['sasl']['smtp_sasl_passwd']           = smtp_credentials['password']
-node.default['postfix']['sasl_password_file']                 = "#{node['postfix']['conf_dir']}/sasl_passwd"
-# Postfix doesn't support smtps relayhost, use STARTSSL instead
-node.default['postfix']['main']['relayhost']                  = smtp_credentials['relayhost']
-node.default['postfix']['main']['smtp_sasl_auth_enable']      = 'yes'
-node.default['postfix']['main']['smtp_sasl_password_maps']    = "hash:#{node['postfix']['sasl_password_file']}"
-node.default['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
+node.default["postfix"]["sasl"] = {
+  smtp_credentials["relayhost"] => {
+    "username" => smtp_credentials["user_name"],
+    "password" => smtp_credentials["password"]
+  }
+}
 
-include_recipe 'postfix::default'
+# Postfix doesn"t support smtps relayhost, use STARTSSL instead
+node.default["postfix"]["main"]["relayhost"]                  = smtp_credentials["relayhost"]
+node.default["postfix"]["main"]["smtp_sasl_auth_enable"]      = "yes"
+node.default["postfix"]["main"]["smtp_sasl_security_options"] = "noanonymous"
+
+include_recipe "postfix::default"

site-cookbooks/kosmos_drone/recipes/default.rb

@@ -26,7 +26,7 @@ template "#{deploy_path}/docker-compose.yml" do
   mode 0640
   variables domain: node["kosmos_drone"]["domain"],
             upstream_port: node["kosmos_drone"]["upstream_port"],
-            gitea_server: "https://#{node["kosmos_gitea"]["nginx"]["domain"]}",
+            gitea_server: "https://#{node["gitea"]["domain"]}",
             client_id: credentials['client_id'],
             client_secret: credentials['client_secret'],
             rpc_secret: credentials['rpc_secret'],

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,13 +1,21 @@
-node.default["gitea"]["version"] = "1.22.5"
-node.default["gitea"]["checksum"] = "ce2c7e4fff3c1e3ed59f5b5e00e3f2d301f012c34e329fccd564bc5129075460"
+node.default["gitea"]["version"] = "1.23.8"
+node.default["gitea"]["checksum"] = "827037e7ca940866918abc62a7488736923396c467fcb4acd0dd9829bb6a6f4c"
+node.default["gitea"]["repo"] = nil
+node.default["gitea"]["revision"] = nil
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
 node.default["gitea"]["domain"] = "gitea.kosmos.org"
 
 node.default["gitea"]["config"] = {
+  "log": {
+    "level" => "Info",
+    "logger.router.MODE" => "",
+    "logger.xorm.MODE" => "",
+    "logger.access.MODE" => ""
+  },
   "actions": {
-    "enabled": true
+    "enabled" => true
   },
   "webhook":  {
     "allowed_host_list" => "external,127.0.1.1"

site-cookbooks/kosmos_gitea/metadata.rb

@@ -10,5 +10,8 @@ chef_version '>= 14.0'
 depends "firewall"
 depends "kosmos_openresty"
 depends "kosmos_postgresql"
-depends "backup"
 depends "kosmos-dirsrv"
+depends 'kosmos-nodejs'
+depends 'git'
+depends 'golang'
+depends "backup"

site-cookbooks/kosmos_gitea/recipes/compile_from_source.rb

@@ -0,0 +1,42 @@
+#
+# Cookbook:: kosmos_gitea
+# Recipe:: compile_from_source
+#
+# Compiles/installs Gitea from source
+#
+
+include_recipe "git"
+
+node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
+include_recipe 'kosmos-nodejs'
+
+node.override["golang"]["version"] = "1.23.9"
+include_recipe "golang"
+
+link "/usr/local/bin/go" do
+  to "/usr/local/go/bin/go"
+end
+
+source_dir = "/opt/gitea"
+
+git source_dir do
+  repository node["gitea"]["repo"]
+  revision node["gitea"]["revision"]
+  action :sync
+  notifies :run, "execute[npm_install]", :immediately
+end
+
+execute "npm_install" do
+  cwd source_dir
+  command "npm ci"
+  action :nothing
+  notifies :run, "bash[compile_gitea]", :immediately
+end
+
+bash "compile_gitea" do
+  cwd source_dir
+  environment "TAGS" => "bindata"
+  code "make build"
+  action :nothing
+  notifies :restart, "service[gitea]", :delayed
+end

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -5,11 +5,12 @@
 
 version                   = node["gitea"]["version"]
 download_url              = "https://dl.gitea.io/gitea/#{version}/gitea-#{version}-linux-amd64"
+compile_from_source       = node["gitea"]["repo"] && node["gitea"]["revision"]
 working_directory         = node["gitea"]["working_directory"]
 git_home_directory        = "/home/git"
 repository_root_directory = "#{git_home_directory}/gitea-repositories"
 config_directory          = "/etc/gitea"
-gitea_binary_path         = "/usr/local/bin/gitea"
+gitea_binary_path         = compile_from_source ? "/opt/gitea/gitea" : "/usr/local/bin/gitea"
 gitea_data_bag_item       = data_bag_item("credentials", "gitea")
 smtp_credentials          = data_bag_item("credentials", "smtp")
 smtp_addr                 = smtp_credentials["relayhost"].split(":")[0]
@@ -18,7 +19,6 @@ jwt_secret                = gitea_data_bag_item["jwt_secret"]
 internal_token            = gitea_data_bag_item["internal_token"]
 secret_key                = gitea_data_bag_item["secret_key"]
 
-# Dependency
 package "git"
 
 user "git" do
@@ -108,11 +108,15 @@ template "#{config_directory}/app.ini" do
   notifies :restart, "service[gitea]", :delayed
 end
 
-remote_file gitea_binary_path do
-  source download_url
-  checksum node['gitea']['checksum']
-  mode "0755"
-  notifies :restart, "service[gitea]", :delayed
+if compile_from_source
+  include_recipe "kosmos_gitea::compile_from_source"
+else
+  remote_file gitea_binary_path do
+    source download_url
+    checksum node['gitea']['checksum']
+    mode "0755"
+    notifies :restart, "service[gitea]", :delayed
+  end
 end
 
 execute "systemctl daemon-reload" do

site-cookbooks/kosmos_gitea/templates/default/app.ini.erb

@@ -24,9 +24,11 @@ NAME    = gitea
 USER    = gitea
 PASSWD  = <%= @postgresql_password %>
 SSL_MODE = disable
+MAX_OPEN_CONNS = 20
 
 [repository]
 ROOT = <%= @repository_root_directory %>
+DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
 
 # [indexer]
 # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
@@ -72,8 +74,11 @@ ENABLE_OPENID_SIGNIN = false
 ENABLE_OPENID_SIGNUP = false
 
 [log]
-MODE      = console
-LEVEL     = Debug
+MODE = console
+LEVEL = <%= @config["log"]["level"] %>
+logger.router.MODE = <%= @config["log"]["logger.router.MODE"] %>
+logger.xorm.MODE = <%= @config["log"]["logger.xorm.MODE"] %>
+logger.access.MODE = <%= @config["log"]["logger.access.MODE"] %>
 
 [attachment]
 ENABLED = true

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb

@@ -16,7 +16,7 @@ server {
 
   add_header Strict-Transport-Security "max-age=31536000";
 
-  client_max_body_size 20M;
+  client_max_body_size 121M;
 
   location ~ ^/(avatars|repo-avatars)/.*$ {
     proxy_buffers 1024 8k;

site-cookbooks/kosmos_kvm/README.md

@@ -1,4 +1,14 @@
 # kosmos_kvm
 
-TODO: Enter the cookbook description here.
+## Create a new VM
 
+A script is deployed by the `host` recipe to `/usr/local/sbin/create_vm`
+
+### Usage
+
+```
+create_vm VMNAME RAM CPUS DISKSIZE
+```
+
+* `RAM` in megabytes
+* `DISKSIZE` in gigabytes, defaults to 10

site-cookbooks/kosmos_rsk/attributes/default.rb

@@ -1,4 +1,4 @@
-node.default['rskj']['version'] = '5.3.0~jammy'
+node.default['rskj']['version'] = '7.0.0~jammy'
 node.default['rskj']['network'] = 'testnet'
 
 node.default['rskj']['nginx']['domain'] = nil

site-cookbooks/kosmos_rsk/recipes/rskj.rb

@@ -19,6 +19,8 @@ apt_repository 'rskj' do
   key '5EED9995C84A49BC02D4F507DF10691F518C7BEA'
 end
 
+apt_package 'openjdk-17-jdk'
+
 apt_package 'rskj' do
   response_file 'rskj-preseed.cfg.erb'
   response_file_variables network: node['rskj']['network']

site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb

@@ -9,7 +9,7 @@ end
 
 describe package('rskj') do
   it { should be_installed }
-  its('version') { should eq '5.3.0~jammy' }
+  its('version') { should eq '7.0.0~jammy' }
 end
 
 describe service('rsk') do

site-cookbooks/kosmos_strfry/attributes/default.rb

@@ -1,2 +1,10 @@
 node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 node.default["strfry"]["extras_dir"] = "/opt/strfry"
+
+# node.default["substr"]["repo"] = "https://gitea.kosmos.org/kosmos/substr.git"
+# node.default["substr"]["revision"] = "master"
+node.default["substr"]["version"] = "nightly"
+node.default["substr"]["download_url"] = "https://gitea.kosmos.org/api/packages/kosmos/generic/substr/#{node["substr"]["version"]}/substr_x86_64-unknown-linux-gnu"
+node.default["substr"]["workdir"] = "/opt/substr"
+node.default["substr"]["port"] = 30023
+node.default["substr"]["relay_urls"] = ["ws://localhost:7777"]

site-cookbooks/kosmos_strfry/recipes/policies.rb

@@ -24,7 +24,7 @@ env = {
   ldap_bind_dn: ldap_credentials["service_dn"],
   ldap_password: ldap_credentials["service_password"],
   ldap_search_dn: node["strfry"]["ldap_search_dn"],
-  whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
+  whitelist_pubkeys: node["strfry"]["known_pubkeys"].values.join(",")
 }
 
 template "#{extras_dir}/.env" do

site-cookbooks/kosmos_strfry/recipes/substr.rb

@@ -0,0 +1,100 @@
+#
+# Cookbook:: kosmos_strfry
+# Recipe:: substr
+#
+
+unless platform?("ubuntu")
+  raise "This recipe only supports Ubuntu installs at the moment"
+end
+
+apt_package "imagemagick"
+
+directory node["substr"]["workdir"] do
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode "0755"
+end
+
+if node["substr"]["download_url"]
+  remote_file '/usr/local/bin/substr' do
+    source node["substr"]["download_url"]
+    checksum node["substr"]["checksum"]
+    mode '0755'
+    show_progress true
+    notifies :restart, "service[substr]", :delayed
+  end
+
+  exec_start = "/usr/local/bin/substr"
+else
+  # TODO Install Deno 2
+
+  git node["substr"]["workdir"] do
+    user node["strfry"]["user"]
+    group node["strfry"]["group"]
+    repository node['substr']['repo']
+    revision node['substr']['revision']
+    action :sync
+    notifies :restart, "service[substr]", :delayed
+  end
+
+  exec_start = "deno task server"
+end
+
+file "#{node["substr"]["workdir"]}/users.yaml" do
+  mode "0644"
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  content node["strfry"]["known_pubkeys"].to_yaml
+  notifies :restart, "service[substr]", :delayed
+end
+
+ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
+
+env = {
+  port: node['substr']['port'],
+  base_url: "https://#{node["strfry"]["domain"]}",
+  relay_urls: node['substr']['relay_urls'].join(","),
+  ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
+  ldap_bind_dn: ldap_credentials["service_dn"],
+  ldap_password: ldap_credentials["service_password"],
+  ldap_search_dn: node["strfry"]["ldap_search_dn"],
+}
+
+template "#{node["substr"]["workdir"]}/.env" do
+  source 'env.erb'
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode 0600
+  sensitive true
+  variables config: env
+  notifies :restart, "service[substr]", :delayed
+end
+
+systemd_unit "substr.service" do
+  content({
+    Unit: {
+      Description: "substr for nostr",
+      Documentation: ["https://gitea.kosmos.org/kosmos/substr"],
+    },
+    Service: {
+      Type: "simple",
+      User: node["strfry"]["user"],
+      WorkingDirectory: node["substr"]["workdir"],
+      ExecStart: exec_start,
+      Restart: "on-failure",
+      RestartSec: "5",
+      ProtectHome: "no",
+      NoNewPrivileges: "yes",
+      ProtectSystem: "full"
+    },
+    Install: {
+      WantedBy: "multi-user.target"
+    }
+  })
+  triggers_reload true
+  action :create
+end
+
+service "substr" do
+  action [:enable, :start]
+end

site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb

@@ -4,6 +4,12 @@ upstream _strfry {
 <% end %>
 }
 
+upstream _substr {
+<% @upstream_hosts.each do |host| %>
+  server <%= host %>:30023;
+<% end %>
+}
+
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
@@ -15,6 +21,16 @@ server {
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
+  location = /favicon.ico {
+    alias /var/www/assets.kosmos.org/site/img/favicon.ico;
+  }
+
+  location ~* ^/[@~n]|^/assets {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_pass http://_substr;
+  }
+
   location / {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;

site-cookbooks/kosmos_website/templates/nginx_conf_website.erb

@@ -29,11 +29,15 @@ server {
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
+  location /.well-known/host-meta.json {
+    add_header 'Access-Control-Allow-Origin' '*';
+  }
+
 <% if @accounts_url %>
   location ~ ^/.well-known/(keysend|lnurlp|nostr|openpgpkey|webfinger) {
     proxy_ssl_server_name on;
     proxy_set_header X-Forwarded-Host $host;
-    proxy_pass https://accounts.kosmos.org;
+    proxy_pass <%= @accounts_url %>;
   }
 <% end %>
 }