WIP Deploy substr

README.md

@@ -38,10 +38,6 @@ Clone this repository, `cd` into it, and run:
 
     knife zero bootstrap ubuntu@zerotier-ip-address -x ubuntu --sudo --run-list "role[base],role[kvm_guest]" --secret-file .chef/encrypted_data_bag_secret
 
-### Bootstrap a new VM with environment and role/app (postgres replica as example)
-
-    knife zero bootstrap ubuntu@10.1.1.134 -x ubuntu --sudo --environment production --run-list "role[base],role[kvm_guest],role[postgresql_replica]" --secret-file .chef/encrypted_data_bag_secret
-
 ### Run Chef Zero on a host server
 
     knife zero converge -p2222 name:server-name.kosmos.org

clients/akaunting-1.json

@@ -1,4 +0,0 @@
-{
-  "name": "akaunting-1",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzmNpNWJh5DeXDsINDqAt\n5OtcGhnzLtqdILTD8A8KuPxWhoKI0k9xwvuT4yO2DLQqFMPyGefRuQkVsIq2OuU5\npK8B5c79E9MBHxti6mQZw4b/Jhmul+x2LGtOWYjPTDhFYXRsNNDtFDxwpwJGPede\nYts026yExHPhiF35Mt1JxA3TXJfPC8Vx0YGHu/6Ev+1fLmcKhFmhed5yKkA0gwod\nczdyQiCfw3ze9LuS90QmALpFOHHpekZeywemdwyPia207CoTrXsPLWj9KmuUEIQJ\nwL+OlEU2tVA6KaBKpl54n5/tMsccZmlicbNsVpgkk6LctrkNh6Kk+fW9ry3L/Gxg\nAwIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/garage-10.json

@@ -1,4 +0,0 @@
-{
-  "name": "garage-10",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw2+3Wo+KkXVJCOX1SxT9\nSdwKXgPbCDM3EI9uwoxhMxQfRyN53dxIsBDsQUVOIe1Z8yqm4FenMQlNmeDR+QLE\nvNFf1fisinW+D9VVRm+CjcJy96i/Dyt786Z6YRrDlB860HxCbfTL2Zv5BRtbyIKg\nhz5gO+9PMEpPVR2ij9iue4K6jbM1AAL2ia/P6zDWLJqeIzUocCeHV5N0Z3jXH6qr\nf444v78x35MMJ+3tg5h95SU1/PDCpdSTct4uHEuKIosiN7p4DlYMoM5iSyvVoujr\nflRQPEpGzS9qEt3rDo/F4ltzYMx6bf1tB/0QaBKD+zwPZWTTwf61tSBo5/NkGvJc\nFQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/garage-11.json

@@ -1,4 +0,0 @@
-{
-  "name": "garage-11",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfZcNEQojtmaogd9vGP/\nMsVPhAOlQ4kxKgrUas+p+XT7lXRan6b3M8UZEleIaL1HWsjSVwtFWRnNl8kg8rF8\nNEkLeOX8kHf7IoXDFOQa2TXanY8tSqrfh9/heFunt4Q3DluVt7S3bBdwukbDXm/n\nXJS2EQP33eJT4reL6FpVR0oVlFCzI3Vmf7ieSHIBXrbXy7AIvGC2+NVXvQle6pqp\nx0rqU6Wc6ef/VtIv+vK3YFnt9ue3tC63mexyeNKgRYf1YjDx61wo2bOY2t8rqN8y\nHeZ3dmAN8/Vwjk5VGnZqK7kRQ92G4IcE+mEp7MuwXcLqQ9WB960o+evay+o1R5JS\nhwIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/garage-4.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-4",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8it7QtT6zDiJJqlyHKfQ\nLqwu6bLblD15WWxlUSiOdhz3njWDv1BIDCAdkCR3HAXgxvk8sMj9QkvWS7u1+bc4\nxvHrY4Tgfg+Tk1h3gGa7ukll8s1WLIbGjj89vrK8PFr4iuDqRytYRMmcdMsNzPkS\nKcsOjFYWGV7KM/OwoQGVIOUPB+WtkrFAvNkXtIU6Wd5orzFMjt/9DPF2aO7QegL8\nG1mQmXcPGl9NSDUXptn/kzFKm/p4n7pjy6OypFT192ak7OA/s+CvQlaVE2tb/M3c\ne4J6A+PInV5AGKY6BxI3QRQLZIlqE0FXawFKr1iRU4JP4tVnICXZqy+SDXQU1zar\nTQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-5.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-5",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJxLFOBbml94W/GAe7nm\ntZs1Ziy8IbqXySsm8bSwWhRMQ8UuseqQLG30R3Q5X5AoJbtNfd26l63qLtP2fFtL\n5km9dV+2FoIJWFetl8Wzr7CaLYAiNzTQSFHlV7+6DKmPMDcJ63GKrFR77vkSGOG6\nOWL1bJy5BOaClp/sKL/0WQ0+mRbTP6RCQ2eI+46clAg702SenBU6Nz9HDm+teKN7\nYlP1CvzXgfgfpDOsat7wGn5+oKcmKavZxcdn8bt5jRpg8v3JezaZIjMXt7XcNS4n\n0F4XO/efnZE5B5SN68j4BpD8N79zJw4HlRIGP+RaYv2qLtBeWgLHCCs9wXQXfj6b\nLwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-6.json

@@ -0,0 +1,4 @@
+{
+  "name": "garage-6",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwasYgWLM8ShvirFiKRE6\nGWqc3pMlvcrk4YnWAUW5Y/H26EnyexxWNfnwlEcq8thJ3M3hs7zkoF3Yk4uqX869\n4/niYqXwYgeE1K3gzLp4K1+w3yVupYAFVFStVEHJyuMlLJ+ulDEGvNdQDuIfw7+E\nr6DcDLa1o92Eo0wL1ihYyMilduH0LdFTixL+tEBXbbPWBa3RDJJCFsRF1+UC6hAH\nzmaWL661Gdzdabxjm/FlGUYkdbDqeInZq/1GMQqv+9/DcNRkWA9H7i4Ykrfpx4/2\nRZ8xtx/DbnJVB1zYoORygFMMAkTu5E+R8ropeI7Wi77Yq0S7laiRlYQYQml3x9ak\nzQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/garage-9.json

@@ -1,4 +0,0 @@
-{
-  "name": "garage-9",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnMHzKE8JBrsQkmRDeMjX\n71mBzvRzNM90cwA8xtvIkXesdTyGqohX9k/PJbCY5ySGK9PpMaYDPVAnwnUP8LFQ\n3G98aSbLxUjqU/PBzRsnWpihehr05uz9zYcNFzr4LTNvGQZsq47nN9Tk+LG3zHP7\nAZViv2mJ4ZRnukXf6KHlyoVvhuTu+tiBM8QzjTF97iP/aguNPzYHmrecy9Uf5bSA\nZrbNZT+ayxtgswC2OclhRucx7XLSuHXtpwFqsQzSAhiX1aQ3wwCyH9WJtVwpfUsE\nlxTjcQiSM9aPZ8iSC0shpBaKD1j3iF/2K2Jk+88++zMhJJPLermvaJxzsdePgvyk\nKQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/postgres-5.json

@@ -0,0 +1,4 @@
+{
+  "name": "postgres-5",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXZv6Gk+dhIVkTXH9hJ1\nt2oqsMSLmTUj71uPN+4j0rxCQriXa095Nle9ifJAxfwzQyKEpWKyZd1Hpyye6bL1\nwgWATZ/u5ZS4B63NhRFyDxgPlHWBBohaZBN42zeq0Y0PNGHPVGDH/zFDrpP22Q9Q\nYScsyXTauE/Yf8a/rKR5jdnoVsVVMxk0LHxka8FcM2cqVsDAcK7GqIG6epqNFY8P\nUb1P+mVxRwnkzvf1VtG212ezV/yw9uiQcUkHS+JwZMAgbC34k9iDyRmk6l4sj/Zk\nNem20ImMqdDzsrX8zEe21K+KNvpejPH9fxaNCwR8W+woBMMzqD3I7P9PbLjc70Rx\nRwIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/postgres-7.json

@@ -1,4 +0,0 @@
-{
-  "name": "postgres-7",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

clients/postgres-8.json

@@ -1,4 +0,0 @@
-{
-  "name": "postgres-8",
-  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx88DgM/x1UbKRzgPexXE\nSyfrAsqaDVjqZz7yF3tqAc9A52Ol0KOM6NESoPWBVMbS86WtAjBcMHcOoQBJ+ovp\nXcjNlRtO1Il6/d4uCRr4CEDX+yeS0Qrt0SOORnoTbVlkq9VlVljyCmxk8VBCILzk\ndHvFr62mahMy6vOEcpCQgCwYE3ISH2jlTDz2agoK/CjIyyqFTlB1N7mJVGLrJdcA\nA2JOxDRE8HqOdpY7bHcHj4uyMWaKuM3zxXK04lhrvuPRfJUhXgsK9r5jeTEa8407\nqV9K+mB17R1dBeHmWEPDRt02HELe2SUjYmlmyVX73H2mWKDLBFpAFjOfz86CJ6jf\nDQIDAQAB\n-----END PUBLIC KEY-----\n"
-}

data_bags/credentials/akaunting.json

@@ -1,31 +0,0 @@
-{
-  "id": "akaunting",
-  "app_key": {
-    "encrypted_data": "C7VVGHHrE/ESwtGeODf8zVraayO5uBSXaGR7f4yoj0MDq9WxPujItC3dIkMQ\ngjGzk8fH\n",
-    "iv": "4+d+RMLeuqaneFBa\n",
-    "auth_tag": "sBQDUVl6QbL/h9pd0kBQ0g==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "pg_database": {
-    "encrypted_data": "4mqHsMfDAqPvDmGsWgS9iE63qVeus7diSW8WiA==\n",
-    "iv": "6Cb1lVUcXBz+GA4u\n",
-    "auth_tag": "8O3N0m8jGhxs/YacdhgNHA==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "pg_username": {
-    "encrypted_data": "Nu0wiBhvqUwqC7PL2Qo8otq0b3faJqRsabqp2g==\n",
-    "iv": "1uA8mJc7itT0qHcx\n",
-    "auth_tag": "PRWw6LTlFrWs63SDRsovtQ==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "pg_password": {
-    "encrypted_data": "oXDKiXQ4aH5M2pVu1sx7dj0awKCORke03fq0uemjIfCMYbM=\n",
-    "iv": "snPyC8mocevc5kGH\n",
-    "auth_tag": "9wx4GPSydkYr2WGpZK5HZg==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  }
-}

data_bags/credentials/akkounts.json

@@ -1,72 +1,72 @@
 {
   "id": "akkounts",
   "postgresql_username": {
-    "encrypted_data": "ofLOjxGBj7no+lWrIvtxQQFoeozCh6mpfMTt\n",
-    "iv": "/CF+o4GqZx2O5WOm\n",
-    "auth_tag": "bjHXfgNQfXpQ2gucPLrUWA==\n",
+    "encrypted_data": "bDlOkEmhvMgyVzPeTNUzYnzRLf3T9cc0cDxt\n",
+    "iv": "GCCUoqU5pxQ7fGkv\n",
+    "auth_tag": "Q7mrSHIBluMe3CGVmoR86Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "postgresql_password": {
-    "encrypted_data": "f8Jfs4aqIjc6/6/NQlI2Fv8TzSgVmi5g0iYNhh9bAA==\n",
-    "iv": "vAzrZeUodmu4x5eB\n",
-    "auth_tag": "vx8eH2SY7I4IkZElXSC1Nw==\n",
+    "encrypted_data": "wD0HtdsNe/hl4ZaOy8hyr2k4z8TXQrrSja3KNVE47w==\n",
+    "iv": "tb5yz8WDer0CsGvJ\n",
+    "auth_tag": "/+K2anuCff/6M7Pu70Smqw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "sentry_dsn": {
-    "encrypted_data": "oxW5jGU8DlIp5A9enxBhcJXuKyaZ5HziXq8Zw+Rbvpbv4C/RTGkJkgZdKcH1\nVzW/wNAT8nTK+nEvWgcQ3svjE40ltj2jcOexIRqLbuCClJE=\n",
-    "iv": "wpW9+VdX5GjocHSl\n",
-    "auth_tag": "1qrf1kZMrIR7WRiSaRjppQ==\n",
+    "encrypted_data": "jCz681x0WVixHYZUb62TO+1cgyJMiJ2UMqWcaztx57yDBOIiKW3oSZjuXdhP\n9WCesfXQF/lgzITZno3IKDqzlKjWgbGLC75y8FLguxidCHI=\n",
+    "iv": "IRNOzN/hLwg1iqax\n",
+    "auth_tag": "eg9dWnEK04JDb94e4CFa9Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "rails_master_key": {
-    "encrypted_data": "KHVYYH7Nb9/SsoKkYfbjzhFwj3Ioj72hm5pfdCuinf+GQvjKumq99eQTlKdf\nBZM1n0XN\n",
-    "iv": "x9AQZvw/vCinKQ8k\n",
-    "auth_tag": "mi0KHHOTBvVNhtvqk38BtQ==\n",
+    "encrypted_data": "nUB77VLRp41rluH7hLBwQqPtnh/HsmfLr2VbcIZHWawL3o2TGuY+mj648f9L\n7XsEpgqY\n",
+    "iv": "fpdbDitqTRHxEKiv\n",
+    "auth_tag": "I44fn8Ott3L/Y5LYr56U/Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "discourse_connect_secret": {
-    "encrypted_data": "WyLrV0DOsxyafSqyeQVj0BhVwm/0gvWeJLBsAbiqCGphryoYqUByPcum1T6R\n2H44nQ==\n",
-    "iv": "lUtlJDv6Ieq8Bs5x\n",
-    "auth_tag": "ku22BlQKw/BhHxuANTF6yg==\n",
+    "encrypted_data": "ENtMn+1XTVFmdEZw7LU6WGoMbSZY654ggm3vPACGfFgqo6r0LhG60c5OTdqv\nZvT5/Q==\n",
+    "iv": "bL1BmvRhgxFqSM1P\n",
+    "auth_tag": "sEBZzGWwwYFHn+4B4SsyCA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "lndhub_admin_token": {
-    "encrypted_data": "DQuxQW8ks3sUzyHYEpQVyPg2f/U4/LWeRoCD9225Hd+c\n",
-    "iv": "mjxYi+YAcKGuurD2\n",
-    "auth_tag": "8P3bFFNeQ5HQgpXDB5Sk5A==\n",
+    "encrypted_data": "4LPGFoARzI8UYnsJPIk8sax/rAA16pUULEZWn86e2C7L\n",
+    "iv": "nvjXrOwgfgutwEVw\n",
+    "auth_tag": "A89RUf1sdcS3FVscNPWYLg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "btcpay_auth_token": {
-    "encrypted_data": "3wsY9osaUdX4SvBPfHprNLSbx6/rfI5BfXnDxsc6OET3nGn19qBhH6wgeiwZ\n/dweqdQ25HpbFPygddc=\n",
-    "iv": "ccouibxktHLlUCQJ\n",
-    "auth_tag": "pWuRC8O2EAkmztL/9V3now==\n",
+    "encrypted_data": "ky5iWYF06os0Ek6vIRzWqMTekqJhCOh/Q9DTDIeKhSyk8TnT3O71lCNEt1F5\nXCNq6ux3V6oyHVLWj0o=\n",
+    "iv": "zk6WnxsY89oNW1F9\n",
+    "auth_tag": "FAIMXKvQ1T7QKezVSNJbwQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_access_key": {
-    "encrypted_data": "hJGHa+hEmddtsZ4UncrYBkjRa/2Csqdh79tXpTVxUWbIsYGdlvyadk7C1UCj\n",
-    "iv": "GlxNdnWiNzmNYthg\n",
-    "auth_tag": "hlRLkroUN01L7VzQFBU/IA==\n",
+    "encrypted_data": "KfhfEGwPjOonlz6rpnNTinXFPqX/sIbqQn/aby0UDi/G/7cvEcOiNcCkfuSz\n",
+    "iv": "Q3rg06v6K9pUDLDY\n",
+    "auth_tag": "G5ugdlJ896KtYtObKLclJA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_secret_key": {
-    "encrypted_data": "LKdQJOKIfFIoiF3GvfTs1mg3AI//Aoi8r42zcw8QhEVPB8ONsSf0/vhM037C\nf5nzUk7xwglvTOveqbOM+UTBJF/4oblQfgwFW3VobWUGkJqjtKE=\n",
-    "iv": "tWTxzK/ccpjlLmQV\n",
-    "auth_tag": "n2MFkTIquyqz4wqRNdSJcg==\n",
+    "encrypted_data": "N8s1OoDrYXHjqSydQA0kY7dd68Aelq4+/cgmJlYfP92u4YA17V4TR7fsvQZL\nkqjuUSClNYPc0XiCwf/5gxVirE9AO6OmmvSV7lUyu4hcEY6unrU=\n",
+    "iv": "bXzIVWnX6V0P6PRb\n",
+    "auth_tag": "1EOjCfsX9P6ETjUsgBvBsA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "nostr_private_key": {
-    "encrypted_data": "CPMeNxzpYMReaQU4+v+EqpVESRsnaYc3a4y7OkHOhtn2gjaNEDERGKvRmlyd\nD6vxKPcIrwTCZ7neJ3YLOVOxPDNv6skqdtMHBwSgl7aBEOrx7tY=\n",
-    "iv": "AV1on2sw1avmFFuY\n",
-    "auth_tag": "9rb9qQBKrj5Xja1t+qROKQ==\n",
+    "encrypted_data": "Sf8PEyQ0sqcgxddSlIDxLOVzPjOkTFObsYuTgcxkbEV7igrati4e8QVVUEBD\n1yoLJXelp8jlCr28Ectci29jc53gYSMTLSQsw97uYas2R0dGCqQ=\n",
+    "iv": "+1CIUyvIUOveLrY4\n",
+    "auth_tag": "GDqS+IuAIfMBmHIeFXaV7A==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/gandi_api.json

@@ -1,23 +1,23 @@
 {
   "id": "gandi_api",
   "key": {
-    "encrypted_data": "Ky1/PdywtEIl5vVXhzu3n2JetqOxnNjpjQ7yCao6qwIAn8oYxnv1c1hFAQ==\n",
-    "iv": "stAc2FxDvUqrh0kt\n",
-    "auth_tag": "rcK4Qt+f2O4Zo5IMmG0fkw==\n",
+    "encrypted_data": "d3/rJMX6B9GuzUt0/mIk/lgQ3qGyQdbNXH6UEm3ZX7DeSl+rbW9FPJCRWg==\n",
+    "iv": "15YVAYla7PqqVOab\n",
+    "auth_tag": "xQSq+ld6SDOAER07N4ZkUQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "access_token": {
-    "encrypted_data": "J7zoLhEbPfPjnVWBmFmDdPKRer5GGw2o6Ad0uinznANugfaDiqjyYinOdEDF\nHlAqLmXv4J40rr3F+o4=\n",
-    "iv": "fAxFqVh9QqrfBsPW\n",
-    "auth_tag": "9ugi4frDLv8f7X0X1+k4DA==\n",
+    "encrypted_data": "geQwcNosiJZmqbbMpD/I+a2yueBzpV6C8Rb7vrCD8kR161ZRjvqLe+g/1XpT\n2/65wKYDMTrdto1I030=\n",
+    "iv": "1sj58eyooOZ8FTYn\n",
+    "auth_tag": "yBNfgWXaToc06VDLly/HUw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "domains": {
-    "encrypted_data": "X0KOKlJp5GYbKcq/jzmlaMmTXV1U7exWSqi3UxX9Sw==\n",
-    "iv": "9JucnYLlYdQ9N6pd\n",
-    "auth_tag": "sERYPDnVUJwVfSS8/xrPpQ==\n",
+    "encrypted_data": "p5rIQTyCE+0d4HIuA4GKEAFekh7qEC4xe9Rm/kP0DyzY83FO0/4uKIvYoZRB\n",
+    "iv": "LWlx98NSS1/ngCH1\n",
+    "auth_tag": "FID+x/LjTZ3cgQV5U2xZLA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/mastodon.json

@@ -1,114 +1,93 @@
 {
   "id": "mastodon",
-  "active_record_encryption_deterministic_key": {
-    "encrypted_data": "2ik8hqK7wrtxyC73DLI8FNezZiWp2rdjwaWZkTUFRj+iwvpSrGVEwMx6uxDI\nWa7zF3p/\n",
-    "iv": "XMp6wqwzStXZx+F3\n",
-    "auth_tag": "vloJOLqEcghfQXOYohVVlg==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "active_record_encryption_key_derivation_salt": {
-    "encrypted_data": "Nq/rHayMYmT/82k3tJUKU8YTvDKUKLoK204aT0CMGZertZaAD3dtA9AkprrA\nPK0D9CdL\n",
-    "iv": "tn9C+igusYMH6GyM\n",
-    "auth_tag": "+ReZRNrfpl6ZDwYQpwm6dw==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "active_record_encryption_primary_key": {
-    "encrypted_data": "UEDMuKHgZDBhpB9BwbPmtdmIDWHyS9/bSzaEbtTRvLcV8dGOE5q9lDVIIsQp\n2HE0c92p\n",
-    "iv": "tnB0pQ3OGDne3mN/\n",
-    "auth_tag": "kt234ms+bmcxJj/+FH/72Q==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
   "paperclip_secret": {
-    "encrypted_data": "AlsnNTRF6GEyHjMHnC4VdzF4swMlppz/Gcp1xr0OuMEgQiOcW1oSZjDRZCRV\nmuGqZXZx64wqZyzTsJZ6ayCLsmWlPq6L21odHWyO+P/C5ubenSXnuCjpUn3/\nHs8WLX3kwVmqCRnVgDl2vEZ5H4XedSLr7R7YM7gQkM0UX4muMDWWnOTR8/x/\ni1ecwBY5RjdewwyR\n",
-    "iv": "RWiLePhFyPekYSl9\n",
-    "auth_tag": "sUq4ZX9CFKPbwDyuKQfNLQ==\n",
+    "encrypted_data": "VJn4Yd2N7qFV+nWXPjPA8Y2KEXL/gZs2gK5E3DZZc9ogFXV7RtpDtq+NKGJU\ndpR8ohtEZvkyC+iBkMAlnS1sSVKiLdQ1xXvbzkj04mYgjnLvwsZ19uVpBGwR\nt/DON7Bhe5Fw+OyrBQksqNcZQSpB9sMBfgA1IgCpdVGHQ8PmkMbFTaZZYcoF\n7gg3yUw5/0t3vRdL\n",
+    "iv": "X5atp/KaIurfln/u\n",
+    "auth_tag": "mVnBoUb5HwhXNYUddJbq8Q==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "secret_key_base": {
-    "encrypted_data": "K5CmIXFa9mS4/dODBQAN9Bw0SFpbLiZAB8ewiYpkB8NDXP6X/BX8aDjW2Y4F\ncMvpFyiFldRBhrh1MSKTVYQEoJ3JhlNL9HCdPsAYbBEW70AuEBpHvOtD5OxH\nqgbH4Reuk6JX5AI8SwDD3zGrdT12mTFVNgSujzuZMvpi1Sro2HtRGAkjmnaa\nMGKrBV21O1CREJJg\n",
-    "iv": "/yMMmz1YtKIs5HSd\n",
-    "auth_tag": "WXgIVWjIdbMFlJhTD5J0JQ==\n",
+    "encrypted_data": "d0sNREFhzQEJhkRzielbCNBJOVAdfThv7zcYTZ1vFZ20i/mzB9GWW2nb+1yn\nNFjAq8wCLpLXn9n3FClE+WOqnAw0jwTlyScRM5lzjKI5SxHKkBQHGyFs2AF8\nqFjEvpiqxhjsc4kNOJGO8DdcyHuulXyaO9fJg8HDnU1ov1vSSuTc0ABKgycY\nMq/Xt10UXnhP8cPw\n",
+    "iv": "HFT7fdGQ2KRJ2NFy\n",
+    "auth_tag": "C55JT2msLQCoI+09VKf+Jw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "otp_secret": {
-    "encrypted_data": "OPLnYRySSIDOcVHy2A5V+pCrz9zVIPjdpAGmCdgQkXtJfsS9NzNtxOPwrXo6\nuQlV9iPjr1Y9ljGKYytbF0fPgAa5q6Z1oHMY9vOGs/LGKj8wHDmIvxQ+Gil1\nC+dZEePmqGaySlNSB/gNzcFIvjBH3mDxHJJe9hDxSv5miNS9l9f3UvQeLP2M\nU7/aHKagL9ZHOp/d\n",
-    "iv": "wqJBLdZhJ7M/KRG9\n",
-    "auth_tag": "dv5YyZszZCrRnTleaiGd4A==\n",
+    "encrypted_data": "1iH7mUkaUzyn9dfDwMdiJ8X059qWSUO3DqivsOFfI1f44nMnzllaYPu6nh8O\nNLNCOzvsSAonhhaq1X+foOdyPIG2mGhE/juKveDD57/AdZAayHWsbsQlPC4l\nwdShz/ANrq0YZ/zOhpT2sZj1TZavW+S+JlxJFX2kP24D4dUzwG0vNj7522+Q\n9NAApJdUte1ZYF/b\n",
+    "iv": "00/vs5zTdoC19+pS\n",
+    "auth_tag": "3cjYqebMshnmWkQ3SdRcCQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "aws_access_key_id": {
-    "encrypted_data": "A1/gfcyrwT6i9W6aGTJ8pH4Dm4o8ACDxvooDroA/2N0szOiNyiYX\n",
-    "iv": "JNvf21KhdM3yoLGt\n",
-    "auth_tag": "2xaZql1ymPYuXuvXzT3ymA==\n",
+    "encrypted_data": "krcfpxOrAkwZR2GP4glTaFg2dw/COw8BO8I+KICqyl4bvpL5NrB9\n",
+    "iv": "paoDKp6EIU8bjxzF\n",
+    "auth_tag": "p6Pt/tz5dgGXzW5cO06nBg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "aws_secret_access_key": {
-    "encrypted_data": "T1tc01nACxhDgygKaiAq3LChGYSgmW8LAwr1aSxXmJ5D2NtypJDikiHrJbFZ\nfWFgm1qe4L8iD/k5+ro=\n",
-    "iv": "FDTPQQDLUMKW7TXx\n",
-    "auth_tag": "msY6PFFYhlwQ0X7gekSDiw==\n",
+    "encrypted_data": "aQySCT7gxeNiMMocq81KtIi+YzrZwMBeTd4LrRSN8iNEikWReJrrfagBwozy\n+Gfdw4bMGzY1dhF1Sl4=\n",
+    "iv": "R/hvvOvmqq/uoKbx\n",
+    "auth_tag": "QBJY/3+OprBXO/FSNwv2OQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "ldap_bind_dn": {
-    "encrypted_data": "C/YNROVyOxmR4O2Cy52TX41EKli2bCOMzwYD+6Hz/SiKkgidnKUHlvHlbTDq\nkWwlRDM2o8esOCKaEAGPNWcNc9IHlaSsfwhr4YWnwe0=\n",
-    "iv": "QCQF0+vH+//+nDxr\n",
-    "auth_tag": "a0PbyO/7wjufqH2acDCqmQ==\n",
+    "encrypted_data": "wDPABdL+DlXz2WWV4XwW20kM4EWPSwc/ajBmbdYMnjFau6c76CIBpbFhrFoj\n3mwDbHz8cgOnLNvozXSV4w6N7URCN/mWWTBHNhd3ppw=\n",
+    "iv": "8rQ0M4LT1HbCNpq9\n",
+    "auth_tag": "AuO5R6WCtd75TGJNfgFSCg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "ldap_password": {
-    "encrypted_data": "SqwKeiyzfvvZGqH5gi35BdW3W+Fo/AQQjso1Yfp2XA==\n",
-    "iv": "md2/etFJ1r/BKaYg\n",
-    "auth_tag": "OlCCOoYSD7ukdH2yWCd6KA==\n",
+    "encrypted_data": "y0t8RuptVYiTKmUhaAWsC4c2ZzhQsYeVLeMPiQBn+Q==\n",
+    "iv": "mixYzDKkPSIDQ/l+\n",
+    "auth_tag": "DbLlZG7rlgBmyCdJ3nhSYA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "smtp_user_name": {
-    "encrypted_data": "0kzppmSSUg7lEyYnI5a0nf+xO0vSVx88rbxI+niIdzFOOBKSIL6uVHJ340dw\nMQ==\n",
-    "iv": "lQR77ETTtIIyaG1r\n",
-    "auth_tag": "smF2HRg8WdmD+MWwkT3TqA==\n",
+    "encrypted_data": "Ugc29HUFcirv6jOOlYNs9uvmhfwa2rG41im/MusCx0Vu0AZKcdy0krGi/kCZ\nKg==\n",
+    "iv": "ZlDK854w+vTNmeJe\n",
+    "auth_tag": "Nj95g0JMxrT419OLQIX26g==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "smtp_password": {
-    "encrypted_data": "1i0m9qiZA/8k8fMKo+04uyndl1UhagtHweBFICIorWALkB68edjb8OhUDxv9\nTubiXYRC\n",
-    "iv": "IU2x4ips9HWmKoxi\n",
-    "auth_tag": "BZJTDfPBvt8cf6/MbKzUJQ==\n",
+    "encrypted_data": "D1TGjRfmM1ZeUmzwewlKXfQvvqTSzpzNlK5MKIU8dxbAH175UKn5qiemDEWe\nRYPe1LWT\n",
+    "iv": "D1OVfD5bMcefM5DP\n",
+    "auth_tag": "2E/q2gTbdXiLVnOMDeJv9w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "vapid_private_key": {
-    "encrypted_data": "+LmySMvzrV3z2z7BmJG9hpvkL06mGc87RG20XQhhdAJ2Z/5uMMjev2pUf7du\ntv2qvDJAimhkZajuDGL9R3eq\n",
-    "iv": "Mg7NhPl31O6Z4P+v\n",
-    "auth_tag": "qYWPInhgoWAjg0zQ+XXt5w==\n",
+    "encrypted_data": "+87bVrbd/XvWhZH1IYusc4Hla7ZZmylptAyJf48CMG/F3SMEO33OqW2I+UWh\nSkqbxai5+GaMhvZHB8U2Clod\n",
+    "iv": "HVhNdFQl0TvCcjsa\n",
+    "auth_tag": "EEQXuQ5keOHXmchhBh+Ixw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "vapid_public_key": {
-    "encrypted_data": "NOyc+Cech9qG2HhnhajDaJMWd1OU5Rp6hws6i4xF5mLPePMJ9mJTqzklkuMK\npYSEdtcxA3KmDt1HrFxfezYUc9xO9pvlm0BPA7XAFmF/PU7/AJbFqgPU6pX/\ntSDLSdFuMB3ky+cl4DJi+O4=\n",
-    "iv": "rgUglYiHB/mhqGha\n",
-    "auth_tag": "DEX7hdNsNLi/LIrMkdUe/Q==\n",
+    "encrypted_data": "nBm1lXbn1+Kzol95+QSEjsUI/n7ObhdEqEyfYcVSP/LiLy57KOBQDu6CjSMz\n+PN9yEP4lOjtscqHS29jTC2vi3PSui9XpOFHRxFBnDuyKxczrnID2KlLCNRQ\n228G3VRgFIMAWMYKACgzUk0=\n",
+    "iv": "xHrVl+4JGkQbfUW3\n",
+    "auth_tag": "rfFoBMocq17YiDSlOCvWqw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_key_id": {
-    "encrypted_data": "rPVzrYYIbcM+ssVpdL6wpCTdzLIEKXke1+eMlPLMG2gPuoh+W3eO3nFGb/s2\n",
-    "iv": "/qI8F9cvnfKG7ZXE\n",
-    "auth_tag": "z1+MPdkO/+SCaag2ULelPg==\n",
+    "encrypted_data": "pq0+VZhjoxzLuyY34f23wOmuks9Wevt8Wu6muKZAsZMSuU0iJvlRoK/65Qa0\n",
+    "iv": "QTxO+IfYcpI170ON\n",
+    "auth_tag": "4ZHva2iBYgDv6DyhMRRXzA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_secret_key": {
-    "encrypted_data": "RMnB9kZ+slbQXfpo0udYld6S1QqBxqM1YbszdLfSAdKK9I0J3Kmvh/CQ5Fbx\nyov6LClmsl1rjtH16r7cY32M4Woq+6miERdtecyDrrYkNHz0xkA=\n",
-    "iv": "pO7bm3aOtjuwYjG/\n",
-    "auth_tag": "SRvn4z1+Vd5VAGgjG64s+Q==\n",
+    "encrypted_data": "YMZqKtOXDPAME8IWWC+lO8TsxHMzawlbTju9z/Hcb5DnQAOy82QufTN90m73\n/xikUboAdKcA5YGn0mkm+Rt/ygVR6DFirYV3kwi2M3qyGVJifug=\n",
+    "iv": "9AwabheRFOgC8IKR\n",
+    "auth_tag": "iU2kkA1q8OsblN5jaZrWGQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

environments/production.json

@@ -107,10 +107,10 @@
       "domain": "nostr.kosmos.org",
       "real_ip_header": "x-real-ip",
       "policy_path": "/opt/strfry/strfry-policy.ts",
-      "whitelist_pubkeys": [
-        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
-        "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf"
-      ],
+      "known_pubkeys": {
+        "_": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
+        "accounts": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
+      },
       "info": {
         "name": "Kosmos Relay",
         "description": "Members-only nostr relay for kosmos.org users",

nodes/akaunting-1.json

@@ -1,66 +0,0 @@
-{
-  "name": "akaunting-1",
-  "chef_environment": "production",
-  "normal": {
-    "knife_zero": {
-      "host": "10.1.1.215"
-    }
-  },
-  "automatic": {
-    "fqdn": "akaunting-1",
-    "os": "linux",
-    "os_version": "5.15.0-1069-kvm",
-    "hostname": "akaunting-1",
-    "ipaddress": "192.168.122.162",
-    "roles": [
-      "base",
-      "kvm_guest",
-      "akaunting",
-      "postgresql_client"
-    ],
-    "recipes": [
-      "kosmos-base",
-      "kosmos-base::default",
-      "kosmos_kvm::guest",
-      "kosmos_postgresql::hostsfile",
-      "kosmos_akaunting",
-      "kosmos_akaunting::default",
-      "apt::default",
-      "timezone_iii::default",
-      "timezone_iii::debian",
-      "ntp::default",
-      "ntp::apparmor",
-      "kosmos-base::systemd_emails",
-      "apt::unattended-upgrades",
-      "kosmos-base::firewall",
-      "kosmos-postfix::default",
-      "postfix::default",
-      "postfix::_common",
-      "postfix::_attributes",
-      "postfix::sasl_auth",
-      "hostname::default",
-      "kosmos-nodejs::default",
-      "nodejs::nodejs_from_package",
-      "nodejs::repo"
-    ],
-    "platform": "ubuntu",
-    "platform_version": "22.04",
-    "cloud": null,
-    "chef_packages": {
-      "chef": {
-        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
-        "chef_effortless": null
-      },
-      "ohai": {
-        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
-      }
-    }
-  },
-  "run_list": [
-    "role[base]",
-    "role[kvm_guest]",
-    "role[akaunting]"
-  ]
-}

nodes/garage-4.json

@@ -1,17 +1,17 @@
 {
-  "name": "garage-10",
+  "name": "garage-4",
   "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.27"
+      "host": "10.1.1.104"
     }
   },
   "automatic": {
-    "fqdn": "garage-10",
+    "fqdn": "garage-4",
     "os": "linux",
-    "os_version": "5.4.0-1090-kvm",
-    "hostname": "garage-10",
-    "ipaddress": "192.168.122.70",
+    "os_version": "5.4.0-132-generic",
+    "hostname": "garage-4",
+    "ipaddress": "192.168.122.123",
     "roles": [
       "base",
       "kvm_guest",
@@ -23,8 +23,7 @@
       "kosmos_kvm::guest",
       "kosmos_garage",
       "kosmos_garage::default",
-      "kosmos_garage::firewall_rpc",
-      "kosmos_garage::firewall_apis",
+      "kosmos_garage::firewall",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -39,20 +38,21 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
-      "firewall::default"
+      "firewall::default",
+      "chef-sugar::default"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "version": "17.10.3",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
       }
     }
   },
@@ -61,4 +61,4 @@
     "role[kvm_guest]",
     "role[garage_node]"
   ]
-}
+}

nodes/garage-5.json

@@ -1,17 +1,17 @@
 {
-  "name": "garage-11",
+  "name": "garage-5",
   "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.165"
+      "host": "10.1.1.33"
     }
   },
   "automatic": {
-    "fqdn": "garage-11",
+    "fqdn": "garage-5",
     "os": "linux",
-    "os_version": "5.15.0-1059-kvm",
-    "hostname": "garage-11",
-    "ipaddress": "192.168.122.9",
+    "os_version": "5.15.0-84-generic",
+    "hostname": "garage-5",
+    "ipaddress": "192.168.122.55",
     "roles": [
       "base",
       "kvm_guest",
@@ -46,13 +46,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "version": "18.3.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "version": "18.1.4",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
       }
     }
   },

nodes/garage-6.json

@@ -1,17 +1,17 @@
 {
-  "name": "garage-9",
+  "name": "garage-6",
   "chef_environment": "production",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.223"
+      "host": "10.1.1.161"
     }
   },
   "automatic": {
-    "fqdn": "garage-9",
+    "fqdn": "garage-6",
     "os": "linux",
     "os_version": "5.4.0-1090-kvm",
-    "hostname": "garage-9",
-    "ipaddress": "192.168.122.21",
+    "hostname": "garage-6",
+    "ipaddress": "192.168.122.213",
     "roles": [
       "base",
       "kvm_guest",
@@ -46,13 +46,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "version": "18.3.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "version": "18.1.4",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
       }
     }
   },

nodes/her.json

@@ -9,7 +9,7 @@
   "automatic": {
     "fqdn": "her",
     "os": "linux",
-    "os_version": "5.15.0-101-generic",
+    "os_version": "5.15.0-84-generic",
     "hostname": "her",
     "ipaddress": "192.168.30.172",
     "roles": [

nodes/mastodon-3.json

@@ -63,6 +63,8 @@
       "redisio::disable_os_default",
       "redisio::configure",
       "redisio::enable",
+      "nodejs::npm",
+      "nodejs::install",
       "backup::default",
       "logrotate::default"
     ],

nodes/postgres-5.json

@@ -1,29 +1,32 @@
 {
-  "name": "postgres-7",
-  "chef_environment": "production",
+  "name": "postgres-5",
   "normal": {
     "knife_zero": {
-      "host": "10.1.1.134"
+      "host": "10.1.1.54"
     }
   },
   "automatic": {
-    "fqdn": "postgres-7",
+    "fqdn": "postgres-5",
     "os": "linux",
-    "os_version": "5.4.0-1123-kvm",
-    "hostname": "postgres-7",
-    "ipaddress": "192.168.122.89",
+    "os_version": "5.4.0-153-generic",
+    "hostname": "postgres-5",
+    "ipaddress": "192.168.122.211",
     "roles": [
       "base",
       "kvm_guest",
-      "postgresql_replica"
+      "postgresql_primary"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
-      "kosmos_postgresql::hostsfile",
-      "kosmos_postgresql::replica",
+      "kosmos_postgresql::primary",
       "kosmos_postgresql::firewall",
+      "kosmos-bitcoin::lndhub-go_pg_db",
+      "kosmos-bitcoin::nbxplorer_pg_db",
+      "kosmos_drone::pg_db",
+      "kosmos_gitea::pg_db",
+      "kosmos-mastodon::pg_db",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -44,19 +47,19 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "version": "18.2.7",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "version": "18.1.4",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
       }
     }
   },
   "run_list": [
     "role[base]",
     "role[kvm_guest]",
-    "role[postgresql_replica]"
+    "role[postgresql_primary]"
   ]
 }

nodes/postgres-6.json

@@ -13,21 +13,12 @@
     "ipaddress": "192.168.122.60",
     "roles": [
       "base",
-      "kvm_guest",
-      "postgresql_primary"
+      "kvm_guest"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
-      "kosmos_postgresql::primary",
-      "kosmos_postgresql::firewall",
-      "kosmos_akaunting::pg_db",
-      "kosmos-bitcoin::lndhub-go_pg_db",
-      "kosmos-bitcoin::nbxplorer_pg_db",
-      "kosmos_drone::pg_db",
-      "kosmos_gitea::pg_db",
-      "kosmos-mastodon::pg_db",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -61,6 +52,6 @@
   "run_list": [
     "role[base]",
     "role[kvm_guest]",
-    "role[postgresql_primary]"
+    "role[postgresql_replica]"
   ]
 }

nodes/postgres-8.json

@@ -1,62 +0,0 @@
-{
-  "name": "postgres-8",
-  "chef_environment": "production",
-  "normal": {
-    "knife_zero": {
-      "host": "10.1.1.99"
-    }
-  },
-  "automatic": {
-    "fqdn": "postgres-8",
-    "os": "linux",
-    "os_version": "5.15.0-1059-kvm",
-    "hostname": "postgres-8",
-    "ipaddress": "192.168.122.100",
-    "roles": [
-      "base",
-      "kvm_guest",
-      "postgresql_replica"
-    ],
-    "recipes": [
-      "kosmos-base",
-      "kosmos-base::default",
-      "kosmos_kvm::guest",
-      "kosmos_postgresql::hostsfile",
-      "kosmos_postgresql::replica",
-      "kosmos_postgresql::firewall",
-      "apt::default",
-      "timezone_iii::default",
-      "timezone_iii::debian",
-      "ntp::default",
-      "ntp::apparmor",
-      "kosmos-base::systemd_emails",
-      "apt::unattended-upgrades",
-      "kosmos-base::firewall",
-      "kosmos-postfix::default",
-      "postfix::default",
-      "postfix::_common",
-      "postfix::_attributes",
-      "postfix::sasl_auth",
-      "hostname::default"
-    ],
-    "platform": "ubuntu",
-    "platform_version": "22.04",
-    "cloud": null,
-    "chef_packages": {
-      "chef": {
-        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
-        "chef_effortless": null
-      },
-      "ohai": {
-        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
-      }
-    }
-  },
-  "run_list": [
-    "role[base]",
-    "role[kvm_guest]",
-    "role[postgresql_replica]"
-  ]
-}

nodes/strfry-1.json

@@ -27,6 +27,7 @@
       "strfry::default",
       "kosmos_strfry::policies",
       "kosmos_strfry::firewall",
+      "kosmos_strfry::substr",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",

roles/akaunting.rb

@@ -1,6 +0,0 @@
-name "akaunting"
-
-run_list %w[
-  role[postgresql_client]
-  kosmos_akaunting::default
-]

roles/postgresql_primary.rb

@@ -3,7 +3,6 @@ name "postgresql_primary"
 run_list %w(
   kosmos_postgresql::primary
   kosmos_postgresql::firewall
-  kosmos_akaunting::pg_db
   kosmos-bitcoin::lndhub-go_pg_db
   kosmos-bitcoin::nbxplorer_pg_db
   kosmos_drone::pg_db

roles/strfry.rb

@@ -5,4 +5,5 @@ run_list %w(
   strfry::default
   kosmos_strfry::policies
   kosmos_strfry::firewall
+  kosmos_strfry::substr
 )

site-cookbooks/kosmos-base/resources/tls_cert_for.rb

@@ -56,6 +56,7 @@ action :create do
       command <<-CMD
       certbot certonly --manual -n \
         --preferred-challenges dns \
+        --manual-public-ip-logging-ok \
         --agree-tos \
         --manual-auth-hook '#{hook_auth_command}' \
         --manual-cleanup-hook '#{hook_cleanup_command}' \

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -65,7 +65,7 @@ node.default['rtl']['host'] = '10.1.1.163'
 node.default['rtl']['port'] = '3000'
 
 node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
-node.default['lndhub-go']['revision'] = '1.0.2'
+node.default['lndhub-go']['revision'] = '0.14.0'
 node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
 node.default['lndhub-go']['port'] = 3026
 node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
@@ -73,10 +73,8 @@ node.default['lndhub-go']['postgres']['database'] = 'lndhub'
 node.default['lndhub-go']['postgres']['user'] = 'lndhub'
 node.default['lndhub-go']['postgres']['port'] = 5432
 node.default['lndhub-go']['default_rate_limit'] = 20
-node.default['lndhub-go']['strict_rate_limit'] = 1
-node.default['lndhub-go']['burst_rate_limit'] = 10
-node.default['lndhub-go']['service_fee'] = 1
-node.default['lndhub-go']['no_service_fee_up_to_amount'] = 1000
+node.default['lndhub-go']['strict_rate_limit'] =  1
+node.default['lndhub-go']['burst_rate_limit'] =  10
 node.default['lndhub-go']['branding'] = {
   'title' => 'LndHub - Kosmos Lightning',
   'desc' => 'Kosmos accounts for the Lightning Network',

site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb

@@ -66,8 +66,6 @@ template "#{source_dir}/.env" do
     default_rate_limit: node['lndhub-go']['default_rate_limit'],
     strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
     burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
-    service_fee: 1,
-    no_service_fee_up_to_amount: 1000,
     branding: node['lndhub-go']['branding'],
     webhook_url: node['lndhub-go']['webhook_url'],
     sentry_dsn: credentials['sentry_dsn']

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -84,12 +84,6 @@ hosts = [
     sql_database: "ejabberd",
     ldap_enabled: true,
     ldap_password: ejabberd_credentials['kosmos_ldap_password'],
-    certfiles: [
-      "/opt/ejabberd/conf/kosmos.org.crt",
-      "/opt/ejabberd/conf/kosmos.org.key",
-      "/opt/ejabberd/conf/kosmos.chat.crt",
-      "/opt/ejabberd/conf/kosmos.chat.key"
-    ],
     append_host_config: <<-EOF
     modules:
       mod_disco:
@@ -120,10 +114,6 @@ hosts = [
     sql_database: "ejabberd_5apps",
     ldap_enabled: true,
     ldap_password: ejabberd_credentials['5apps_ldap_password'],
-    certfiles: [
-      "/opt/ejabberd/conf/5apps.com.crt",
-      "/opt/ejabberd/conf/5apps.com.key"
-    ],
     append_host_config: <<-EOF
     modules:
       mod_disco:

site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb

@@ -15,7 +15,7 @@ set -e
 # letsencrypt live folder
 for domain in $RENEWED_DOMAINS; do
   case $domain in
-  kosmos.org|kosmos.chat|5apps.com)
+  kosmos.org|5apps.com)
     cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key
     cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
     chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
@@ -42,20 +42,13 @@ end
 
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
-execute "letsencrypt cert for kosmos.org domains" do
-  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d uploads.xmpp.kosmos.org -n"
+execute "letsencrypt cert for kosmos xmpp" do
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n"
   not_if do
     File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
   end
 end
 
-execute "letsencrypt cert for kosmos.chat" do
-  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.chat -n"
-  not_if do
-    File.exist?("/etc/letsencrypt/live/kosmos.chat/fullchain.pem")
-  end
-end
-
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do

site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb

@@ -1,8 +1,7 @@
 # Generated by Chef for <%= @host[:name] %>
 certfiles:
-<% @host[:certfiles].each do |certfile| %>
-  - <%= certfile %>
-<% end %>
+  - "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
+  - "/opt/ejabberd/conf/<%= @host[:name] %>.key"
 host_config:
   "<%= @host[:name] %>":
     sql_type: pgsql

site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb

@@ -4,7 +4,6 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
 
 tls_cert_for domain do
   auth "gandi_dns"
-  acme_domain "letsencrypt.kosmos.org"
   action :create
 end
 

site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb

@@ -5,7 +5,6 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
 
 tls_cert_for domain do
   auth "gandi_dns"
-  acme_domain "letsencrypt.kosmos.org"
   action :create
 end
 

site-cookbooks/kosmos-mastodon/attributes/default.rb

@@ -1,5 +1,5 @@
 node.default["kosmos-mastodon"]["repo"]              = "https://gitea.kosmos.org/kosmos/mastodon.git"
-node.default["kosmos-mastodon"]["revision"]          = "production-4.3"
+node.default["kosmos-mastodon"]["revision"]          = "production"
 node.default["kosmos-mastodon"]["directory"]         = "/opt/mastodon"
 node.default["kosmos-mastodon"]["bind_ip"]           = "127.0.0.1"
 node.default["kosmos-mastodon"]["app_port"]          = 3000

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -3,7 +3,7 @@
 # Recipe:: default
 #
 
-node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
+node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_16.x"
 
 include_recipe "kosmos-nodejs"
 include_recipe "java"
@@ -71,7 +71,11 @@ package %w(build-essential imagemagick ffmpeg libxml2-dev libxslt1-dev file git
            curl pkg-config libprotobuf-dev protobuf-compiler libidn11
            libidn11-dev libjemalloc2 libpq-dev)
 
-ruby_version = "3.3.5"
+npm_package "yarn" do
+  version "1.22.4"
+end
+
+ruby_version = "3.3.0"
 
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
@@ -190,9 +194,6 @@ template "#{mastodon_path}/.env.#{rails_env}" do
   variables redis_url: node["kosmos-mastodon"]["redis_url"],
             domain: node["kosmos-mastodon"]["domain"],
             alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
-            active_record_encryption_deterministic_key: credentials["active_record_encryption_deterministic_key"],
-            active_record_encryption_key_derivation_salt: credentials["active_record_encryption_key_derivation_salt"],
-            active_record_encryption_primary_key: credentials["active_record_encryption_primary_key"],
             paperclip_secret: credentials['paperclip_secret'],
             secret_key_base: credentials['secret_key_base'],
             otp_secret: credentials['otp_secret'],
@@ -230,7 +231,7 @@ execute "yarn install" do
   environment deploy_env
   user mastodon_user
   cwd mastodon_path
-  command "corepack prepare && yarn install --immutable"
+  command "yarn install --frozen-lockfile"
 end
 
 execute "rake assets:precompile" do

site-cookbooks/kosmos-mastodon/templates/default/env.erb

@@ -12,9 +12,6 @@ LOCAL_HTTPS=true
 
 # Application secrets
 # Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
-ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=<%= @active_record_encryption_deterministic_key %>
-ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=<%= @active_record_encryption_key_derivation_salt %>
-ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=<%= @active_record_encryption_primary_key %>
 PAPERCLIP_SECRET=<%= @paperclip_secret %>
 SECRET_KEY_BASE=<%= @secret_key_base %>
 OTP_SECRET=<%= @otp_secret %>

site-cookbooks/kosmos_akaunting/.gitignore

@@ -1,25 +0,0 @@
-.vagrant
-*~
-*#
-.#*
-\#*#
-.*.sw[a-z]
-*.un~
-
-# Bundler
-Gemfile.lock
-gems.locked
-bin/*
-.bundle/*
-
-# test kitchen
-.kitchen/
-kitchen.local.yml
-
-# Chef Infra
-Berksfile.lock
-.zero-knife.rb
-Policyfile.lock.json
-
-.idea/
-

site-cookbooks/kosmos_akaunting/Policyfile.rb

@@ -1,16 +0,0 @@
-# Policyfile.rb - Describe how you want Chef Infra Client to build your system.
-#
-# For more information on the Policyfile feature, visit
-# https://docs.chef.io/policyfile/
-
-# A name that describes what the system you're building with Chef does.
-name 'kosmos_akaunting'
-
-# Where to find external cookbooks:
-default_source :supermarket
-
-# run_list: chef-client will run these recipes in the order specified.
-run_list 'kosmos_akaunting::default'
-
-# Specify a custom source for a single cookbook:
-cookbook 'kosmos_akaunting', path: '.'

site-cookbooks/kosmos_akaunting/README.md

@@ -1,4 +0,0 @@
-# kosmos_akaunting
-
-TODO: Enter the cookbook description here.
-

site-cookbooks/kosmos_akaunting/attributes/default.rb

@@ -1,5 +0,0 @@
-node.default["akaunting"]["user"] = "deploy"
-node.default["akaunting"]["group"] = "www-data"
-node.default["akaunting"]["repo"] = "https://github.com/akaunting/akaunting.git"
-node.default["akaunting"]["revision"] = "3.1.12"
-node.default["akaunting"]["port"] = 80

site-cookbooks/kosmos_akaunting/chefignore

@@ -1,115 +0,0 @@
-# Put files/directories that should be ignored in this file when uploading
-# to a Chef Infra Server or Supermarket.
-# Lines that start with '# ' are comments.
-
-# OS generated files #
-######################
-.DS_Store
-ehthumbs.db
-Icon?
-nohup.out
-Thumbs.db
-.envrc
-
-# EDITORS #
-###########
-.#*
-.project
-.settings
-*_flymake
-*_flymake.*
-*.bak
-*.sw[a-z]
-*.tmproj
-*~
-\#*
-REVISION
-TAGS*
-tmtags
-.vscode
-.editorconfig
-
-## COMPILED ##
-##############
-*.class
-*.com
-*.dll
-*.exe
-*.o
-*.pyc
-*.so
-*/rdoc/
-a.out
-mkmf.log
-
-# Testing #
-###########
-.circleci/*
-.codeclimate.yml
-.delivery/*
-.foodcritic
-.kitchen*
-.mdlrc
-.overcommit.yml
-.rspec
-.rubocop.yml
-.travis.yml
-.watchr
-.yamllint
-azure-pipelines.yml
-Dangerfile
-examples/*
-features/*
-Guardfile
-kitchen.yml*
-mlc_config.json
-Procfile
-Rakefile
-spec/*
-test/*
-
-# SCM #
-#######
-.git
-.gitattributes
-.gitconfig
-.github/*
-.gitignore
-.gitkeep
-.gitmodules
-.svn
-*/.bzr/*
-*/.git
-*/.hg/*
-*/.svn/*
-
-# Berkshelf #
-#############
-Berksfile
-Berksfile.lock
-cookbooks/*
-tmp
-
-# Bundler #
-###########
-vendor/*
-Gemfile
-Gemfile.lock
-
-# Policyfile #
-##############
-Policyfile.rb
-Policyfile.lock.json
-
-# Documentation #
-#############
-CODE_OF_CONDUCT*
-CONTRIBUTING*
-documentation/*
-TESTING*
-UPGRADING*
-
-# Vagrant #
-###########
-.vagrant
-Vagrantfile

site-cookbooks/kosmos_akaunting/kitchen.yml

@@ -1,31 +0,0 @@
----
-driver:
-  name: vagrant
-
-## The forwarded_port port feature lets you connect to ports on the VM guest
-## via localhost on the host.
-## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
-
-#  network:
-#    - ["forwarded_port", {guest: 80, host: 8080}]
-
-provisioner:
-  name: chef_zero
-
-  ## product_name and product_version specifies a specific Chef product and version to install.
-  ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
-  #  product_name: chef
-  #  product_version: 17
-
-verifier:
-  name: inspec
-
-platforms:
-  - name: ubuntu-20.04
-  - name: centos-8
-
-suites:
-  - name: default
-    verifier:
-      inspec_tests:
-        - test/integration/default

site-cookbooks/kosmos_akaunting/metadata.rb

@@ -1,9 +0,0 @@
-name 'kosmos_akaunting'
-maintainer 'Kosmos Developers'
-maintainer_email 'mail@kosmos.org'
-license 'MIT'
-description 'Installs/configures akaunting for Kosmos'
-version '0.1.0'
-chef_version '>= 18.0'
-
-depends 'kosmos-nodejs'

site-cookbooks/kosmos_akaunting/recipes/default.rb

@@ -1,148 +0,0 @@
-#
-# Cookbook:: kosmos_akaunting
-# Recipe:: default
-#
-
-app_name     = "akaunting"
-deploy_user  = node["akaunting"]["user"]
-deploy_group = node["akaunting"]["group"]
-deploy_path  = "/opt/#{app_name}"
-credentials  = data_bag_item("credentials", "akaunting")
-pg_host      = search(:node, "role:postgresql_primary").first["knife_zero"]["host"] rescue "localhost"
-
-env = {
-  app_name: "Akaunting",
-  app_env: "production",
-  app_locale: "en-US",
-  app_installed: "true",
-  app_key: credentials["app_key"],
-  app_debug: "true",
-  app_schedule_time: "\"09:00\"",
-  app_url: "http://akaunting.kosmos.org",
-  db_connection: "pgsql",
-  db_host: pg_host,
-  db_port: "5432",
-  db_database: credentials["pg_database"],
-  db_username: credentials["pg_username"],
-  db_password: credentials["pg_password"],
-  log_level: "debug"
-  # mail_mailer: "mail",
-  # mail_host: "localhost",
-  # mail_port: "2525",
-  # mail_username: "null",
-  # mail_password: "null",
-  # mail_encryption: "null",
-  # mail_from_name: "null",
-  # mail_from_address: "null",
-}
-
-%w[
-  unzip nginx php8.1 php8.1-cli php8.1-bcmath php8.1-ctype php8.1-curl
-  php8.1-dom php8.1-fileinfo php8.1-intl php8.1-fpm php8.1-gd php8.1-mbstring
-  php8.1-pdo php8.1-pgsql php8.1-tokenizer php8.1-xml php8.1-zip
-].each do |pkg|
-  package pkg
-end
-
-# TODO install composer
-
-node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
-include_recipe "kosmos-nodejs"
-
-group deploy_group
-
-user deploy_user do
-  group       deploy_group
-  manage_home true
-  shell       "/bin/bash"
-end
-
-directory deploy_path do
-  owner deploy_user
-  group deploy_group
-  mode "0775"
-end
-
-git deploy_path do
-  repository node[app_name]["repo"]
-  revision node[app_name]["revision"]
-  user deploy_user
-  group deploy_group
-  action :sync
-  notifies :run, "execute[composer_install]", :immediately
-  notifies :run, "execute[npm_install]", :immediately
-  notifies :restart, "service[php8.1-fpm]", :delayed
-end
-
-execute "composer_install" do
-  user deploy_user
-  cwd deploy_path
-  command "composer install"
-  action :nothing
-end
-
-execute "npm_install" do
-  user deploy_user
-  cwd deploy_path
-  command "npm install"
-  action :nothing
-  notifies :run, "execute[compile_assets]", :immediately
-end
-
-execute "compile_assets" do
-  user deploy_user
-  cwd deploy_path
-  command "npm run prod"
-  action :nothing
-end
-
-execute "set_storage_permissions" do
-  command "chown -R www-data:www-data #{deploy_path}/storage"
-end
-
-template "#{deploy_path}/.env" do
-  source 'env.erb'
-  owner deploy_user
-  group deploy_group
-  mode 0660
-  sensitive true
-  variables config: env
-  notifies :restart, "service[php8.1-fpm]", :delayed
-end
-
-template "/etc/nginx/sites-available/default" do
-  source 'nginx-local.conf.erb'
-  owner deploy_user
-  group deploy_group
-  mode 0660
-  variables deploy_path: deploy_path,
-            port: node["akaunting"]["port"]
-  notifies :restart, "service[nginx]", :delayed
-end
-
-# template "/etc/php/8.1/fpm/pool.d/akaunting.conf" do
-#   source 'php-fpm.pool.erb'
-#   owner deploy_user
-#   group deploy_group
-#   mode 0600
-#   variables user: deploy_user,
-#             group: deploy_group,
-#             chdir: deploy_path,
-#             port: node["akaunting"]["port"]
-#   notifies :restart, "service[php8.1-fpm]", :delayed
-# end
-
-service "php8.1-fpm" do
-  action [:enable, :start]
-end
-
-service "nginx" do
-  action [:enable, :start]
-end
-
-firewall_rule "akaunting_zerotier" do
-  command  :allow
-  port     node["akaunting"]["port"]
-  protocol :tcp
-  source   "10.1.1.0/24"
-end

site-cookbooks/kosmos_akaunting/recipes/pg_db.rb

@@ -1,16 +0,0 @@
-#
-# Cookbook:: kosmos_akaunting
-# Recipe:: pg_db
-#
-
-credentials = data_bag_item("credentials", "akaunting")
-
-postgresql_user credentials["pg_username"] do
-  action :create
-  password credentials["pg_password"]
-end
-
-postgresql_database credentials["pg_database"] do
-  owner credentials["pg_username"]
-  action :create
-end

site-cookbooks/kosmos_akaunting/templates/env.erb

@@ -1,11 +0,0 @@
-<% @config.each do |key, value| %>
-<% if value.is_a?(Hash) %>
-<% value.each do |k, v| %>
-<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
-<% end %>
-<% else %>
-<% if value %>
-<%= key.upcase %>=<%= value.to_s %>
-<% end %>
-<% end %>
-<% end %>

site-cookbooks/kosmos_akaunting/templates/nginx-local.conf.erb

@@ -1,49 +0,0 @@
-server {
-  listen 80 default_server;
-
-  server_name akaunting.kosmos.org;
-
-  root <%= @deploy_path %>;
-
-  add_header X-Frame-Options "SAMEORIGIN";
-  add_header X-XSS-Protection "1; mode=block";
-  add_header X-Content-Type-Options "nosniff";
-
-  index index.html index.htm index.php;
-
-  charset utf-8;
-
-  location / {
-    try_files $uri $uri/ /index.php?$query_string;
-  }
-
-  # Prevent Direct Access To Protected Files
-  location ~ \.(env|log) {
-    deny all;
-  }
-
-  # Prevent Direct Access To Protected Folders
-  location ~ ^/(^app$|bootstrap|config|database|overrides|resources|routes|storage|tests|artisan) {
-    deny all;
-  }
-
-  # Prevent Direct Access To modules/vendor Folders Except Assets
-  location ~ ^/(modules|vendor)\/(.*)\.((?!ico|gif|jpg|jpeg|png|js\b|css|less|sass|font|woff|woff2|eot|ttf|svg|xls|xlsx).)*$ {
-    deny all;
-  }
-
-  error_page 404 /index.php;
-
-  # Pass PHP Scripts To FastCGI Server
-  location ~ \.php$ {
-    fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass unix:/var/run/php/php8.1-fpm.sock; # Depends On The PHP Version
-    fastcgi_index index.php;
-    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    include fastcgi_params;
-  }
-
-  location ~ /\.(?!well-known).* {
-    deny all;
-  }
-}

site-cookbooks/kosmos_akaunting/templates/php-fpm.pool.erb

@@ -1,18 +0,0 @@
-[akaunting]
-user = <%= @user %>
-group = <%= @group %>
-listen = 0.0.0.0:<%= @port %>
-listen.owner = <%= @user %>
-listen.group = <%= @group %>
-listen.mode = 0660
-
-pm = dynamic
-pm.max_children = 10
-pm.start_servers = 4
-pm.min_spare_servers = 2
-pm.max_spare_servers = 6
-pm.max_requests = 500
-
-chdir = <%= @chdir %>
-catch_workers_output = yes
-php_admin_flag[log_errors] = on

site-cookbooks/kosmos_akaunting/test/integration/default/default_test.rb

@@ -1,16 +0,0 @@
-# Chef InSpec test for recipe kosmos_akaunting::default
-
-# The Chef InSpec reference, with examples and extensive documentation, can be
-# found at https://docs.chef.io/inspec/resources/
-
-unless os.windows?
-  # This is an example test, replace with your own test.
-  describe user('root'), :skip do
-    it { should exist }
-  end
-end
-
-# This is an example test, replace it with your own test.
-describe port(80), :skip do
-  it { should_not be_listening }
-end

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default["gitea"]["version"] = "1.22.5"
-node.default["gitea"]["checksum"] = "ce2c7e4fff3c1e3ed59f5b5e00e3f2d301f012c34e329fccd564bc5129075460"
+node.default["gitea"]["version"] = "1.22.3"
+node.default["gitea"]["checksum"] = "a720ff937912a6eb6c0cacf6ebcdd774deed5197cd945ecc34f5744cb5c517e8"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"

site-cookbooks/kosmos_strfry/attributes/default.rb

@@ -1,2 +1,7 @@
 node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 node.default["strfry"]["extras_dir"] = "/opt/strfry"
+
+node.default["substr"]["repo"] = "https://gitea.kosmos.org/kosmos/substr.git"
+node.default["substr"]["revision"] = "master"
+node.default["substr"]["workdir"] = "/opt/substr"
+node.default["substr"]["port"] = 30023

site-cookbooks/kosmos_strfry/recipes/policies.rb

@@ -24,7 +24,7 @@ env = {
   ldap_bind_dn: ldap_credentials["service_dn"],
   ldap_password: ldap_credentials["service_password"],
   ldap_search_dn: node["strfry"]["ldap_search_dn"],
-  whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
+  whitelist_pubkeys: node["strfry"]["known_pubkeys"].values.join(",")
 }
 
 template "#{extras_dir}/.env" do

site-cookbooks/kosmos_strfry/recipes/substr.rb

@@ -0,0 +1,97 @@
+#
+# Cookbook:: kosmos_strfry
+# Recipe:: substr
+#
+
+unless platform?("ubuntu")
+  raise "This recipe only supports Ubuntu installs at the moment"
+end
+
+if node["substr"]["download_url"]
+  #
+  # Install by downloading an executable file
+  #
+  remote_file '/usr/local/bin/substr' do
+    source node["substr"]["download_url"]
+    checksum node["substr"]["checksum"]
+    mode '0755'
+    show_progress true
+    notifies :restart, "service[substr]", :delayed
+  end
+else
+  # TODO Install Deno 2
+end
+
+directory node["substr"]["workdir"] do
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode "0755"
+end
+
+git node["substr"]["workdir"] do
+  user node["strfry"]["user"]
+  group node["strfry"]["group"]
+  repository node['substr']['repo']
+  revision node['substr']['revision']
+  action :sync
+  notifies :restart, "service[substr]", :delayed
+end
+
+file "#{node["substr"]["workdir"]}/users.yaml" do
+  mode "0644"
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  content node["strfry"]["known_pubkeys"].to_yaml
+  notifies :restart, "service[substr]", :delayed
+end
+
+ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
+
+env = {
+  port: node['substr']['port'],
+  base_url: "https://#{node["strfry"]["domain"]}",
+  relay_urls: "ws://localhost:7777",
+  ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
+  ldap_bind_dn: ldap_credentials["service_dn"],
+  ldap_password: ldap_credentials["service_password"],
+  ldap_search_dn: node["strfry"]["ldap_search_dn"],
+}
+
+template "#{node["substr"]["workdir"]}/.env" do
+  source 'env.erb'
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode 0600
+  sensitive true
+  variables config: env
+  notifies :restart, "service[substr]", :delayed
+end
+
+systemd_unit "substr.service" do
+  content({
+    Unit: {
+      Description: "substr for nostr",
+      Documentation: ["https://gitea.kosmos.org/kosmos/substr"],
+    },
+    Service: {
+      Type: "simple",
+      User: node["strfry"]["user"],
+      WorkingDirectory: node["substr"]["workdir"],
+      ExecStart: "/usr/local/bin/substr",
+      Restart: "on-failure",
+      RestartSec: "5",
+      ProtectHome: "no",
+      NoNewPrivileges: "yes",
+      ProtectSystem: "full"
+    },
+    Install: {
+      WantedBy: "multi-user.target"
+    }
+  })
+  triggers_reload true
+  action :create
+end
+
+service "substr" do
+  action [:enable, :start]
+end

site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb

@@ -4,6 +4,12 @@ upstream _strfry {
 <% end %>
 }
 
+upstream _substr {
+<% @upstream_hosts.each do |host| %>
+  server <%= host %>:30023;
+<% end %>
+}
+
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
@@ -15,6 +21,16 @@ server {
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
+  location = /favicon.ico {
+    alias /var/www/assets.kosmos.org/site/img/favicon.ico;
+  }
+
+  location ~* ^/[@~n]|^/assets {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_pass http://_substr;
+  }
+
   location / {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;

site-cookbooks/kosmos_website/recipes/redirects.rb

@@ -6,7 +6,6 @@
 redirects = [
   {
     domain: "kosmos.chat",
-    acme_domain: "letsencrypt.kosmos.org",
     target: "https://kosmos.org",
     http_status: 307
   },