Generate postgres user/db for akkounts, use credentials from env

2025-05-06 15:46:37 +04:00
139 changed files with 488 additions and 2052 deletions
--- a/5
+++ b/5
@@ -13,9 +13,6 @@ cookbook 'ipfs',
 cookbook 'mediawiki',
  git: 'https://github.com/67P/mediawiki-cookbook.git',
  ref: 'nginx'
 cookbook 'postfix',
  git: 'https://gitea.kosmos.org/kosmos/postfix-cookbook.git',
  ref: 'bugfix/sasl_attributes'
 cookbook 'apache2',                '= 3.3.0'
 cookbook 'apt',                    '~> 7.3.0'
@@ -24,7 +21,6 @@ cookbook 'composer',               '~> 2.7.0'
 cookbook 'fail2ban',               '~> 7.0.4'
 cookbook 'git',                    '~> 10.0.0'
 cookbook 'golang',                 '~> 5.3.1'
 cookbook 'homebrew',               '>= 6.0.0'
 cookbook 'hostname',               '= 0.4.2'
 cookbook 'hostsfile',              '~> 3.0.1'
 cookbook 'java',                   '~> 4.3.0'
@@ -36,6 +32,7 @@ cookbook 'ntp',                    '= 3.4.0'
 cookbook 'ohai',                   '~> 5.2.5'
 cookbook 'openssl',                '~> 8.5.5'
 cookbook 'php',                    '~> 8.0.0'
 cookbook 'postfix',                '~> 6.0.26'
 cookbook 'timezone_iii',           '= 1.0.4'
 cookbook 'ulimit',                 '~> 1.0.0'
 cookbook 'users',                  '~> 5.3.1'
--- a/Berksfile.lock
+++ b/Berksfile.lock
@@ -8,7 +8,6 @@ DEPENDENCIES
  firewall (~> 6.2.16)
  git (~> 10.0.0)
  golang (~> 5.3.1)
  homebrew (>= 6.0.0)
  hostname (= 0.4.2)
  hostsfile (~> 3.0.1)
  ipfs
@@ -29,10 +28,7 @@ DEPENDENCIES
  ohai (~> 5.2.5)
  openssl (~> 8.5.5)
  php (~> 8.0.0)
-  postfix
+  postfix (~> 6.0.26)
    git: https://gitea.kosmos.org/kosmos/postfix-cookbook.git
    revision: dd6598572a775ae73f17527260ec8097b52d385b
    ref: bugfix/
  redisio (~> 6.4.1)
  ruby_build (~> 2.5.0)
  timezone_iii (= 1.0.4)
@@ -63,7 +59,7 @@ GRAPH
  git (10.0.0)
  golang (5.3.1)
    ark (>= 6.0)
-  homebrew (6.0.2)
+  homebrew (5.4.1)
  hostname (0.4.2)
    hostsfile (>= 0.0.0)
  hostsfile (3.0.1)
@@ -94,7 +90,7 @@ GRAPH
  openssl (8.5.5)
  php (8.0.1)
    yum-epel (>= 0.0.0)
-  postfix (6.4.1)
+  postfix (6.0.26)
  redisio (6.4.1)
    selinux (>= 0.0.0)
  ruby_build (2.5.0)
--- a/clients/garage-12.json
+++ b/clients/garage-12.json
@@ -1,4 +0,0 @@
 {
  "name": "garage-12",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9GtHHi298BjiIqpZ3WkT\nkYAPfWD60hFe/8icYcq/F/6cHLYKZQ4chek9X/hDCMq4tHEN6Oh58T5x/nuNdPrK\nIAMGyVAGk6ekWlmD4jwdEf6TGb/J3ffJTRDvwX/I8xD/DW3wtXsN+X24T59ByGTm\nrnwRmmmwHF3otRx9wnCsIgDQ0AjiUujsfNNv1FcLXD/WJLys9lEeU5aJ4XtHTwDv\ntJM8YyVEFhEnuvgdKmzn5+F5k9VGdUwForlFOBfvzbCnTZMDMmDVeiUtAUv/7xWQ\nQl2mLUGCtgWuYJYXsQacAJ6pa3h+7cQyshC6w3dwUG+1fS9lNO0Yp1GGX1AGYKpp\nPQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-13.json
+++ b/clients/garage-13.json
@@ -1,4 +0,0 @@
 {
  "name": "garage-13",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvbqWc6OwRxgHfsQuTNL4\naxeVvNen5d9srYpZSHjuBB/k9NHB+9P6vU5qF37XHkw1lVUGeYbPHzhYsx3O0/kZ\nH5f4+4SMy/P9jc6SE7AJF4qtYKgJ88koZdqCww07c6K9g+BnEGFFZui/h3hUBxWj\nTfhBHEWPyQ2bl/lr9sIJwsEz+EN0isGn/eIXkmw9J6LdLJ5Q0LLks33K28FNOU7q\nfeAN4MiBVMUtgCGyT2Voe6WrOXwQLSDXQONOp3sfSfFExsIJ1s24xdd7AMD7/9a7\n4sFDZ4swhqAWgWmW2giR7Kb8wTvGQLO/O/uUbmKz3DZXgkOKXHdHCEB/PZx1mRNM\nEwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-14.json
+++ b/clients/garage-14.json
@@ -1,4 +0,0 @@
 {
  "name": "garage-14",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAypINv1zTZ7+pyT0iRhik\n0W70ASYADo7qK7QyE9/3nu2sUrP1IjoNFsv/ceKwicH7Fw2Ei1o+yKZlKn7zJzY7\n93YRZndF04VH2bmqy0uOWK0Bdat7gCld5bvS6FmRflg7g64LFb33/64QIVsVGHGL\nYF2TO//x79t9JKcQDa4h5MOWzJNTFuEcUGa0gJjMYpWGVHEJSgRuIgyhXmyIJJgY\nguj6ymTm5+3VS7NzoNy2fbTt1LRpHb5UWrCR15oiLZiDSMLMx0CcGOCmrhvODi4k\n0umw+2NPd1G50s9z7KVbTqybuQ65se2amRnkVcNfaBIU5qk9bVqcmhZlEozmBZCd\ndwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-15.json
+++ b/clients/garage-15.json
@@ -1,4 +0,0 @@
 {
  "name": "garage-15",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy14sTt5gxVZi9C3KIEBu\nDyUgbb6jc3/GR22fNPTqV6uDHhxzhE2UsYwY/7yuA1RasdwHEOBWZaoC0Om5/Zmi\n8gn6//v1ILyLNaAcw+SQcxZkCN8Sk/0atRS9HYk1agE8Mvh72Fe2z3l+92VMefy7\nJwJUNNBTbnV2WVCchChoWnfhI7bkSLSHp0M2MO2pI+lkpSdmfkJSa5z9zihgxKO8\nXfvhryDCZNvfRVHhwc+ffpap0gLF0H9riGKE4FwLy4YqbuW1Tgm6bObb9bpOIw6Q\nVfH3kC/KMK5FlnxGmYtDkhRJ/wjGInRBk9WK/QOmjyd2FVxipEQmA4RdjlznRC9I\nrwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/leo.json
+++ b/clients/leo.json
@@ -1,4 +0,0 @@
 {
  "name": "leo",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnFfQsJnREjbXTtpT6BVt\naBaUzRmCQi8Du0TzeUG0ENrY0p5Exqleye2rC6bJlB3PER1xr5zdtuXLgbcVumIb\nzroU5JPtFbQk7r/pj0atT+UEYzl16iuEpprQ/bug+f0nE514USr6YG4G+tlZ/jBI\nSHsCQF1P8ufXFLW0ewC7rdvBkgA+DwK14naRxS4jO5MSl4wmNTjs/jymTg508mQq\nf5tG52t8qFdgn9pRdBXmyTpPtwK7I4rZ+1Qn+1E5m4oQUZsxh8Ba1bGbKotVO7Ua\nYL1yCGx7zRRUvLLIdSMvlRXTJBUSQtQ8P4QUDWTY1Na2w3t9sulKg2Lwsw8tktvC\nCwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-10.json
+++ b/clients/postgres-10.json
@@ -1,4 +0,0 @@
 {
  "name": "postgres-10",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2oBb5omC7ZionWhudgFm\n2NGcRXsI0c7+g1+0duaxj5dziaRTltqzpRJTfiJD6R36FcvEqwGc+qQgYSMzc1Xd\nY4OTvJFIDiFAmROm/DZYgFtTDldVNJZO2bbU3COYf/Z2Poq56gC4zLLd/zf6shgb\n2Mty8PlQ82JJAY9EMI3aAifdnZ1k/g4weFC4LFg9lUcNNXOwlAjp//LJ3ku3aY1r\nwW74msSeWEjE44YZdWyMYgM7Fy1hz5giHFQtRdOLemRCWQ8h26wn/cmWld7lsLg+\nlYqxokxWXGv8r5zR8kDTBkd0dxY7ZMbo7oESY4Uhuf4UReMe2ZGHto1E7w3llSj+\n7wIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-11.json
+++ b/clients/postgres-11.json
@@ -1,4 +0,0 @@
 {
  "name": "postgres-11",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1foYpuubS2ovlg3uHO12\nQ/ROZ8MpG+LkCAM46uVfPaoWwfY0vdfMsBOanHDgm9DGUCEBJZ6LPrvCvGXbpPy6\n9GSswK75zVWODblNjvvV4ueGFq4bBFwRuZNjyMlqgyzeU+srZL0ivelu5XEuGuoD\nPYCBKWYqGMz85/eMC7/tinTJtKPyOtXe/G8meji+r7gh3j+ypj/EWeKfcRDa4aGe\n/DmMCurIjjPAXFLMAA6fIqPWVfcPw4APNPE60Z92yPGsTbPu7bL54M5f7udmmu7H\nOgk1HjMAmXCuLDzTkfaxqHP+57yELg/YpXR1E93VmBeQuIBsyOFEk6AmUmA1Ib6e\nnQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-12.json
+++ b/clients/postgres-12.json
@@ -1,4 +0,0 @@
 {
  "name": "postgres-12",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1mYGrYB8keUKmXA8dhWc\ncCLzp50xR0ajSw+bWYydyRqD5wuEVKjiJu4+G9QmTVXkVgJ+AYI0Y9/WZYpDqVH6\nvLUo6BSNQaWx20q93qIdOGLy8YG3Qyznezk4l8T9u9vWZDyDpKw6gCxzikMkrXxb\n0cqOYtyud8+PtSEEMogSjOKhRURVHlVrlVH3SQO7Whke9rkiFcbXzubsK9yjkUtF\nxZafSoGorOlDsPvFTfYnkepVB+GHcgiribRYSrO+73GypC2kqMhCpWrb6a0VWsP/\nh53+q3JL3vBvdvjcv51Wpf4n6JdnXnQGn2/MdXEzw+NXgjU4/IdYtbORSbaI8F5t\nowIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-7.json
+++ b/clients/postgres-7.json
@@ -0,0 +1,4 @@
 {
  "name": "postgres-7",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-9.json
+++ b/clients/postgres-9.json
@@ -1,4 +0,0 @@
 {
  "name": "postgres-9",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2dcE9HH0r5TBb/FGj2+e\nOw8ssoxeB61JmR4/psdZ6oPR08gxyqOY0ODziCmyIdXwFhjIcC44HjxCbcB8TU8G\nWGqlmfqWWIJW0x/2xOycHobAWDn5fC5ttTXkR3HC1TutX/2mH26mtfz9UjNdPaTo\nVZFMcxeaBCFSNlYC7hPUQ5f/qBdhhpLxP9uyzU+YFPqtwLP7g8EAUQObM4L+m6Q8\nqE7xgYpnhgaNrPsmvaVuoNylMGwyK0j1whOkcik8UgLprD70ISNSNxxcLehbvA3G\nPQPQRRuFF36fu2gECWGopbrFKwQGNfgJguQoXM1RQZQMQqWHPS933k5i6bi5pnhp\nzwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/cookbooks/homebrew/.markdownlint-cli2.yaml
+++ b/cookbooks/homebrew/.markdownlint-cli2.yaml
@@ -3,5 +3,3 @@ config:
  line-length: false # MD013
  no-duplicate-heading: false # MD024
  reference-links-images: false # MD052
 ignores:
  - .github/copilot-instructions.md
--- a/cookbooks/homebrew/CHANGELOG.md
+++ b/cookbooks/homebrew/CHANGELOG.md
@@ -2,48 +2,6 @@
 This file is used to list changes made in each version of the homebrew cookbook.
 ## 6.0.2 - *2025-09-04*
 Standardise files with files in sous-chefs/repo-management
 Standardise files with files in sous-chefs/repo-management
 ## 6.0.1 - *2025-03-24*
 ## 6.0.0 - *2025-03-17*
 - Updated library call for new homebrew class name found in chef-client 18.6.2+ releases
 ## 5.4.9 - *2024-11-18*
 Standardise files with files in sous-chefs/repo-management
 Standardise files with files in sous-chefs/repo-management
 Standardise files with files in sous-chefs/repo-management
 Standardise files with files in sous-chefs/repo-management
 Standardise files with files in sous-chefs/repo-management
 ## 5.4.8 - *2024-05-07*
 ## 5.4.7 - *2024-05-06*
 - Explicitly include `Which` module from `Chef` which fixes runs on 18.x clients.
 ## 5.4.6 - *2024-05-06*
 ## 5.4.5 - *2023-11-01*
 Standardise files with files in sous-chefs/repo-management
 ## 5.4.4 - *2023-09-28*
 ## 5.4.3 - *2023-09-04*
 ## 5.4.2 - *2023-07-10*
 ## 5.4.1 - *2023-06-01*
 ## 5.4.0 - *2023-04-24*
--- a/cookbooks/homebrew/libraries/helpers.rb
+++ b/cookbooks/homebrew/libraries/helpers.rb
@@ -20,9 +20,8 @@
 #
 class HomebrewUserWrapper
-  require 'chef/mixin/homebrew'
+  require 'chef/mixin/homebrew_user'
-  include Chef::Mixin::Homebrew
+  include Chef::Mixin::HomebrewUser
  include Chef::Mixin::Which
 end
 module Homebrew
@@ -60,17 +59,41 @@ module Homebrew
  def owner
    @owner ||= begin
-                 HomebrewUserWrapper.new.find_homebrew_username
+      # once we only support 14.0 we can switch this to find_homebrew_username
-               rescue
+      require 'etc'
-                 Chef::Exceptions::CannotDetermineHomebrewPath
+      ::Etc.getpwuid(HomebrewUserWrapper.new.find_homebrew_uid).name
-               end.tap do |owner|
+               rescue Chef::Exceptions::CannotDetermineHomebrewOwner
-                 Chef::Log.debug("Homebrew owner is #{owner}")
+                 calculate_owner
-               end
+    end.tap do |owner|
      Chef::Log.debug("Homebrew owner is #{owner}")
    end
  end
  private
  def calculate_owner
    owner = homebrew_owner_attr || sudo_user || current_user
    if owner == 'root'
      raise Chef::Exceptions::User,
           "Homebrew owner is 'root' which is not supported. " \
           "To set an explicit owner, please set node['homebrew']['owner']."
    end
    owner
  end
  def homebrew_owner_attr
    Chef.node['homebrew']['owner']
  end
  def sudo_user
    ENV['SUDO_USER']
  end
  def current_user
    ENV['USER']
  end
 end unless defined?(Homebrew)
 class HomebrewWrapper
  include Homebrew
 end
 Chef::Mixin::Homebrew.include(Homebrew)
--- a/cookbooks/homebrew/metadata.json
+++ b/cookbooks/homebrew/metadata.json
@@ -17,13 +17,13 @@
  "recipes": {
  },
-  "version": "6.0.2",
+  "version": "5.4.1",
  "source_url": "https://github.com/sous-chefs/homebrew",
  "issues_url": "https://github.com/sous-chefs/homebrew/issues",
  "privacy": false,
  "chef_versions": [
    [
-      ">= 18.6.2"
+      ">= 15.3"
    ]
  ],
  "ohai_versions": [
--- a/cookbooks/homebrew/metadata.rb
+++ b/cookbooks/homebrew/metadata.rb
@@ -3,9 +3,9 @@ maintainer       'Sous Chefs'
 maintainer_email 'help@sous-chefs.org'
 license          'Apache-2.0'
 description      'Install Homebrew and includes resources for working with taps and casks'
-version          '6.0.2'
+version          '5.4.1'
 supports         'mac_os_x'
 source_url 'https://github.com/sous-chefs/homebrew'
 issues_url 'https://github.com/sous-chefs/homebrew/issues'
-chef_version '>= 18.6.2'
+chef_version '>= 15.3'
--- a/cookbooks/homebrew/renovate.json
+++ b/cookbooks/homebrew/renovate.json
@@ -1,10 +1,9 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
-  "packageRules": [
+  "packageRules": [{
    {
      "groupName": "Actions",
-      "matchUpdateTypes": ["minor", "patch", "pin"],
+      "matchUpdateTypes": ["patch", "pin", "digest"],
      "automerge": true,
      "addLabels": ["Release: Patch", "Skip: Announcements"]
    },
--- a/cookbooks/homebrew/resources/cask.rb
+++ b/cookbooks/homebrew/resources/cask.rb
@@ -19,7 +19,6 @@
 # limitations under the License.
 #
 unified_mode true
 chef_version_for_provides '< 14.0' if respond_to?(:chef_version_for_provides)
 property :cask_name, String, regex: %r{^[\w/-]+$}, name_property: true
--- a/cookbooks/homebrew/resources/tap.rb
+++ b/cookbooks/homebrew/resources/tap.rb
@@ -19,7 +19,6 @@
 # limitations under the License.
 #
 unified_mode true
 chef_version_for_provides '< 14.0' if respond_to?(:chef_version_for_provides)
 property :tap_name, String, name_property: true, regex: %r{^[\w-]+(?:\/[\w-]+)+$}
--- a/cookbooks/postfix/.markdownlint-cli2.yaml
+++ b/cookbooks/postfix/.markdownlint-cli2.yaml
@@ -3,5 +3,3 @@ config:
  line-length: false # MD013
  no-duplicate-heading: false # MD024
  reference-links-images: false # MD052
 ignores:
  - .github/copilot-instructions.md
--- a/cookbooks/postfix/.vscode/extensions.json
+++ b/cookbooks/postfix/.vscode/extensions.json
@@ -1,8 +0,0 @@
 {
  "recommendations": [
    "chef-software.chef",
    "Shopify.ruby-lsp",
    "editorconfig.editorconfig",
    "DavidAnson.vscode-markdownlint"
  ]
 }
--- a/cookbooks/postfix/CHANGELOG.md
+++ b/cookbooks/postfix/CHANGELOG.md
@@ -2,48 +2,9 @@
 This file is used to list changes made in each version of the postfix cookbook.
 ## Unreleased
 ## 6.4.1 - *2025-09-04*
 ## 6.4.0 - *2025-07-30* ## 6.4.0 - *2025-07-30*
 Standardise files with files in sous-chefs/repo-management
 ## 6.4.0 - *2025-07-30*
 ## 6.3.0 - *2025-07-30*
 - Use LMDB instead of hash on el10
 ## 6.3.0 - *2025-07-30*
 ## 6.2.2 - *2025-01-30*
 ## 6.2.1 - *2025-01-30*
 ## 6.2.0 - *2025-01-30*
 ## 6.2.0
 - Correctly fix aliases quoting logic
 - Convert all serverspec tests to inspec
 - Add Github actions
 - Update platforms to test
 ## 6.0.29 - *2024-11-18*
 - Standardise files with files in sous-chefs/repo-management
 ## 6.0.28 - *2024-07-15*
 - Standardise files with files in sous-chefs/repo-management
 ## 6.0.27 - *2024-05-06*
 ## 6.0.26 - *2023-10-03*
- Add installation of postfix addon packages for RHEL 8
+- add installation of postfix addon packages for RHEL 8
 ## 6.0.25 - *2023-10-03*
--- a/cookbooks/postfix/attributes/default.rb
+++ b/cookbooks/postfix/attributes/default.rb
@@ -13,10 +13,9 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-default['postfix']['packages'] = value_for_platform(
+
-  amazon: { '>= 2023' => %w(postfix postfix-lmdb) },
+default['postfix']['packages'] = %w(postfix)
-  default: %w(postfix)
+
 )
 # Generic cookbook attributes
 default['postfix']['mail_type'] = 'client'
 default['postfix']['relayhost_role'] = 'relayhost'
@@ -38,19 +37,11 @@ default['postfix']['master_template_source'] = 'postfix'
 default['postfix']['sender_canonical_map_entries'] = {}
 default['postfix']['smtp_generic_map_entries'] = {}
 default['postfix']['recipient_canonical_map_entries'] = {}
-
+default['postfix']['access_db_type'] = 'hash'
-default['postfix']['db_type'] = value_for_platform(
+default['postfix']['aliases_db_type'] = 'hash'
-  %w(centos redhat almalinux rocky oracle) => { '>= 10' => 'lmdb' },
+default['postfix']['transport_db_type'] = 'hash'
-  amazon: { '>= 2023' => 'lmdb' },
+default['postfix']['virtual_alias_db_type'] = 'hash'
-  %w(opensuseleap suse) => { '>= 15' => 'lmdb' },
+default['postfix']['virtual_alias_domains_db_type'] = 'hash'
  default: 'hash'
 )
 default['postfix']['access_db_type'] = lazy { node['postfix']['db_type'] }
 default['postfix']['aliases_db_type'] = lazy { node['postfix']['db_type'] }
 default['postfix']['transport_db_type'] = lazy { node['postfix']['db_type'] }
 default['postfix']['virtual_alias_db_type'] = lazy { node['postfix']['db_type'] }
 default['postfix']['virtual_alias_domains_db_type'] = lazy { node['postfix']['db_type'] }
 case node['platform']
 when 'smartos'
@@ -105,9 +96,6 @@ default['postfix']['main']['smtp_sasl_auth_enable'] = 'no'
 default['postfix']['main']['mailbox_size_limit'] = 0
 default['postfix']['main']['mynetworks'] = nil
 default['postfix']['main']['inet_interfaces'] = 'loopback-only'
 default['postfix']['main']['default_database_type'] = lazy { node['postfix']['db_type'] }
 default['postfix']['main']['alias_database'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}" }
 default['postfix']['main']['alias_maps'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}" }
 # Conditional attributes, also reference _attributes recipe
 case node['platform_family']
@@ -419,4 +407,4 @@ default['postfix']['aliases'] = if platform?('freebsd')
                                  {}
                                end
-default['postfix']['main']['smtpd_relay_restrictions'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps'] }
+default['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
--- a/cookbooks/postfix/metadata.json
+++ b/cookbooks/postfix/metadata.json
@@ -26,7 +26,7 @@
  "recipes": {
  },
-  "version": "6.4.1",
+  "version": "6.0.26",
  "source_url": "https://github.com/sous-chefs/postfix",
  "issues_url": "https://github.com/sous-chefs/postfix/issues",
  "privacy": false,
--- a/cookbooks/postfix/metadata.rb
+++ b/cookbooks/postfix/metadata.rb
@@ -3,7 +3,7 @@ maintainer        'Sous Chefs'
 maintainer_email  'help@sous-chefs.org'
 license           'Apache-2.0'
 description       'Installs and configures postfix for client or outbound relayhost, or to do SASL auth'
-version           '6.4.1'
+version           '6.0.26'
 source_url        'https://github.com/sous-chefs/postfix'
 issues_url        'https://github.com/sous-chefs/postfix/issues'
 chef_version      '>= 12.15'
--- a/cookbooks/postfix/recipes/_attributes.rb
+++ b/cookbooks/postfix/recipes/_attributes.rb
@@ -29,22 +29,24 @@ end
 if node['postfix']['main']['smtp_sasl_auth_enable'] == 'yes'
  node.default_unless['postfix']['sasl_password_file'] = "#{node['postfix']['conf_dir']}/sasl_passwd"
-  node.default_unless['postfix']['main']['smtp_sasl_password_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['sasl_password_file']}"
+  node.default_unless['postfix']['main']['smtp_sasl_password_maps'] = "hash:#{node['postfix']['sasl_password_file']}"
  node.default_unless['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
  node.default_unless['postfix']['sasl']['smtp_sasl_user_name'] = ''
  node.default_unless['postfix']['sasl']['smtp_sasl_passwd']    = ''
  node.default_unless['postfix']['main']['relayhost'] = ''
 end
-node.default_unless['postfix']['main']['alias_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}"] if node['postfix']['use_alias_maps']
+node.default_unless['postfix']['main']['alias_maps'] = ["hash:#{node['postfix']['aliases_db']}"] if node['postfix']['use_alias_maps']
-node.default_unless['postfix']['main']['transport_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['transport_db']}"] if node['postfix']['use_transport_maps']
+node.default_unless['postfix']['main']['transport_maps'] = ["hash:#{node['postfix']['transport_db']}"] if node['postfix']['use_transport_maps']
-node.default_unless['postfix']['main']['access_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['access_db']}"] if node['postfix']['use_access_maps']
+node.default_unless['postfix']['main']['access_maps'] = ["hash:#{node['postfix']['access_db']}"] if node['postfix']['use_access_maps']
 node.default_unless['postfix']['main']['virtual_alias_maps'] = ["#{node['postfix']['virtual_alias_db_type']}:#{node['postfix']['virtual_alias_db']}"] if node['postfix']['use_virtual_aliases']
 node.default_unless['postfix']['main']['virtual_alias_domains'] = ["#{node['postfix']['virtual_alias_domains_db_type']}:#{node['postfix']['virtual_alias_domains_db']}"] if node['postfix']['use_virtual_aliases_domains']
-node.default_unless['postfix']['main']['smtpd_relay_restrictions'] = "#{node['postfix']['db_type']}:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
+node.default_unless['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
 node.default_unless['postfix']['main']['maildrop_destination_recipient_limit'] = 1 if node['postfix']['master']['maildrop']['active']
--- a/cookbooks/postfix/recipes/_common.rb
+++ b/cookbooks/postfix/recipes/_common.rb
@@ -155,7 +155,7 @@ unless node['postfix']['sender_canonical_map_entries'].empty?
    notifies :reload, 'service[postfix]'
  end
-  node.default['postfix']['main']['sender_canonical_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/sender_canonical" unless node['postfix']['main'].key?('sender_canonical_maps')
+  node.default['postfix']['main']['sender_canonical_maps'] = "hash:#{node['postfix']['conf_dir']}/sender_canonical" unless node['postfix']['main'].key?('sender_canonical_maps')
 end
 execute 'update-postfix-smtp_generic' do
@@ -172,7 +172,7 @@ unless node['postfix']['smtp_generic_map_entries'].empty?
    notifies :reload, 'service[postfix]'
  end
-  node.default['postfix']['main']['smtp_generic_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/smtp_generic" unless node['postfix']['main'].key?('smtp_generic_maps')
+  node.default['postfix']['main']['smtp_generic_maps'] = "hash:#{node['postfix']['conf_dir']}/smtp_generic" unless node['postfix']['main'].key?('smtp_generic_maps')
 end
 execute 'update-postfix-recipient_canonical' do
@@ -189,7 +189,7 @@ unless node['postfix']['recipient_canonical_map_entries'].empty?
    notifies :reload, 'service[postfix]'
  end
-  node.default['postfix']['main']['recipient_canonical_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/recipient_canonical" unless node['postfix']['main'].key?('recipient_canonical_maps')
+  node.default['postfix']['main']['recipient_canonical_maps'] = "hash:#{node['postfix']['conf_dir']}/recipient_canonical" unless node['postfix']['main'].key?('recipient_canonical_maps')
 end
 service 'postfix' do
--- a/cookbooks/postfix/recipes/maps.rb
+++ b/cookbooks/postfix/recipes/maps.rb
@@ -18,8 +18,8 @@ node['postfix']['maps'].each do |type, maps|
    package "postfix-#{type}" if %w(pgsql mysql ldap cdb).include?(type)
  end
-  if platform_family?('rhel') && node['platform_version'].to_i >= 8
+  if platform?('redhat') && node['platform_version'].to_i == 8
-    package "postfix-#{type}" if %w(pgsql mysql ldap cdb lmdb).include?(type)
+    package "postfix-#{type}" if %w(pgsql mysql ldap cdb).include?(type)
  end
  separator = if %w(pgsql mysql ldap memcache sqlite).include?(type)
@@ -32,7 +32,7 @@ node['postfix']['maps'].each do |type, maps|
      command "postmap #{file}"
      environment PATH: "#{ENV['PATH']}:/opt/omni/bin:/opt/omni/sbin" if platform_family?('omnios')
      action :nothing
-    end if %w(btree cdb dbm hash lmdb sdbm).include?(type)
+    end if %w(btree cdb dbm hash sdbm).include?(type)
    template "#{file}-#{type}" do
      path file
      source 'maps.erb'
@@ -41,7 +41,7 @@ node['postfix']['maps'].each do |type, maps|
        map: content,
        separator: separator
      )
-      notifies :run, "execute[update-postmap-#{file}]" if %w(btree cdb dbm hash lmdb sdbm).include?(type)
+      notifies :run, "execute[update-postmap-#{file}]" if %w(btree cdb dbm hash sdbm).include?(type)
      notifies :restart, 'service[postfix]'
    end
  end
--- a/cookbooks/postfix/renovate.json
+++ b/cookbooks/postfix/renovate.json
@@ -1,10 +1,9 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
-  "packageRules": [
+  "packageRules": [{
    {
      "groupName": "Actions",
-      "matchUpdateTypes": ["minor", "patch", "pin"],
+      "matchUpdateTypes": ["patch", "pin", "digest"],
      "automerge": true,
      "addLabels": ["Release: Patch", "Skip: Announcements"]
    },
--- a/cookbooks/postfix/templates/aliases.erb
+++ b/cookbooks/postfix/templates/aliases.erb
@@ -6,5 +6,5 @@
 postmaster:    root
 <% node['postfix']['aliases'].each do |name, value| %>
-<%= name.match?(/[\s#:@]/) ? "\"#{name}\"" : name %>: <%= [value].flatten.map{|x| x.include?("|") ? "\"#{x}\"" : x}.join(',') %>
+<%= name %>: <%= [value].flatten.map{|x| if (x.include?("@")) then x else %Q("#{x}") end}.join(', ') %>
 <% end unless node['postfix']['aliases'].nil? %>
--- a/data_bags/credentials/akkounts.json
+++ b/data_bags/credentials/akkounts.json
@@ -1,93 +1,65 @@
 {
  "id": "akkounts",
  "rails_master_key": {
    "encrypted_data": "q/0BtGuFZJQhw+iG4ZmFG12DPaWQDGTb/nCmRoxOnsACkANqMv/zZ39CoNFe\nLPtZiItY\n",
    "iv": "JV8R0iu6TrqcZRxL\n",
    "auth_tag": "YxZIhEUnrd3XrwR6f9wO4A==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_secret_key_base": {
    "encrypted_data": "JmDQew3+OR6+yJ1xErwXeTn6jw8N2HwTc9yvAVJ3G+7w1s3N7rKDM6+M50ez\n2zP4Lm/eXzH4WTsTZlQcodlyNpi66pvUCGAkNM36rwTN5yvnhqPUmuSQi7AG\nDTBronBwr9ENvwA/gRuugyyhrRB1iuStpzpYKCMhZ2ae9Mrxdux0+ezfSLn4\nuP22uUrEqdQ/BWsW\n",
    "iv": "U/+YncCk13U6bYMz\n",
    "auth_tag": "2wPYJ/uVPv4jLKpAW/x6sw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_encryption_primary_key": {
    "encrypted_data": "u/7z91Og/2eM7PWi2JWYAQMhYX4S5+bMMeVpkFPu778Gqj6Td9pagsWIak/d\nb7AU1zjF\n",
    "iv": "wYhrJWcuWbY8yo8S\n",
    "auth_tag": "WEoEdNy6VBvB2d5gb8DTXw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_encryption_key_derivation_salt": {
    "encrypted_data": "noOwTZuxfhsH94bjOT9rWCKS9rb3wAoXELGrc4nJZeNrb/B9XnOLTuK/wen8\nfmtoym0P\n",
    "iv": "jiFWs3VXhJdQBNqk\n",
    "auth_tag": "XDpJFgadYp7LyRqU7SO+Fg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "postgresql": {
-    "encrypted_data": "Xorg8R8COxE/Swivu8MqZiwstD6rD+8FmgDx70pFscZ/CTb6WQRpyqGSrGZt\nZ7oL9WrqZs+mQgBb30odU+Sgdr6x\n",
+    "encrypted_data": "QniE89zGMyQ+ujKrs1cUfAZYbqysS2cl6gvNohloQttlrEzcwcbbSgNk7+Em\nVQZNk8oddiZWFhKx2rS/6w2xN6/S\n",
-    "iv": "6QWZc3+MY0hBCc/s\n",
+    "iv": "TS8cu5wPd8Cq9qyK\n",
-    "auth_tag": "ZM+7OYyx5E9PciNG2OILhg==\n",
+    "auth_tag": "sJAfzoh3w5+KO+YrJDxV3Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "ldap": {
    "encrypted_data": "mr2Z7hXF1GOn8RmqeZMMdaUcmiVP4ZeKtTX6RYW1cR+FQiUwoITwTPBE9XUx\n2cqZ9Mcd8uJicmf9vd+PfwPtRtoZFwqHQ4LDRFLW64hBZyiEkZWxWW+HzgPr\n",
    "iv": "k1AkyEplnJ4IZO1Z\n",
    "auth_tag": "zAOcrPex3VLDfRFq38n7fA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "sentry_dsn": {
-    "encrypted_data": "51cAERaRBCRg/sMb5c13EcnJzsz6VEf7jx6X3ooUSzm9wHoEfC5Hs/qakr/D\nqm9x3s3aGURRzyLUIEoe9jCohGguh6ehrXYVrun0B6pghVU=\n",
+    "encrypted_data": "thN8SHTqR+uE54M78F4m67mJLbK2xI3lm6Hyj3L0xCEDkCXAOU88y5w1SjPd\nt5Erlqyy97AK2KXCoGUcx/GE0JUFBcvkrhLODshDyNI4Jno=\n",
-    "iv": "hJsiiW6dFQMEQ+2p\n",
+    "iv": "+XOBOMwL+GLUjXrg\n",
-    "auth_tag": "TOIahNrUhhsdQGlzp6UV5g==\n",
+    "auth_tag": "xoUbiuwu215y+F7MkUQWxg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_master_key": {
    "encrypted_data": "W1U4LBiEVU3WI3o5aCEjHPCb/u3GcPZYOK0CtLU/yNrY0BTafevpF8xXTllx\nkd/MvxwB\n",
    "iv": "DcdHIgy66hwxmBmt\n",
    "auth_tag": "9fGhoduUHerBvU64LyqjQA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "discourse_connect_secret": {
-    "encrypted_data": "pvKcwuZgUJsAvClQ4V0BwhwEg09EUEWVxoSx+mFlfG1KpvZE4Cu3u3PalPSD\nldyKsw==\n",
+    "encrypted_data": "YEKQbAY3ZBVIUUrVe6R7phDPiFsCSGSicJy1Gv/G+IseGmqbuefCWvvRvhBW\nFxxEMg==\n",
-    "iv": "ED85d6PKyaKB3Wlv\n",
+    "iv": "kF/DYeO5neO470Xa\n",
-    "auth_tag": "XVCU/WigC97tNe0bUK6okQ==\n",
+    "auth_tag": "309Lt0QUzY8obqre2sKPhQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "lndhub_admin_token": {
-    "encrypted_data": "LvCgahQblsKOxK9iNbwDd31atBfemVppHqV7s3K/sR4j\n",
+    "encrypted_data": "qa1W/w/IbUcEoqRBTKfGRXMaba7RIke3YthFaoNQej6h\n",
-    "iv": "zObzh2jEsqXk2vD2\n",
+    "iv": "4rN6s8FKHG2S0frS\n",
-    "auth_tag": "n9m/sBYBfzggwQLWrGpR2Q==\n",
+    "auth_tag": "1P1+o05gYLSRIhEK0MwDYg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "btcpay_auth_token": {
-    "encrypted_data": "M4kGd6+jresm90nWrJG25mX6rfhaU+VlJlIVd/IjOAUsDABryyulJul3GZFh\nFPSI4uEhgIWtn56I0bA=\n",
+    "encrypted_data": "bOQTsV4H66oUfTbfAJLXGnF4bNns5qyaHDxKRwRc29OCc3Ou2te2WV0nNnai\nXbe6om0yfOSeDe4V4zg=\n",
-    "iv": "hvqHm7A/YfUOJwRJ\n",
+    "iv": "Cd27/sNY+EY/+AbZ\n",
-    "auth_tag": "DhtT6IeixD1MSRX+D7JxZA==\n",
+    "auth_tag": "sTpATXSPMGpXvIZrhlTZmA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_access_key": {
-    "encrypted_data": "FPRpLZoIbLcVWPJhOlX7ZeXGv6TZIWYAD+BKTsJOyOHxDG3eRULqQc89cGWi\n",
+    "encrypted_data": "53aBDio/eb8zBj4TJGMbKvhBS+Nzjt5WBORu1jKYy5rOL7l/57QYqhj3o4DV\n",
-    "iv": "f9WiiGLmDxtygp60\n",
+    "iv": "QEgqL8J+r2rnEXt/\n",
-    "auth_tag": "lGnq4itmByuF/Yp20/6coQ==\n",
+    "auth_tag": "eehuZfMGocNtEsdY4IH7Nw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_secret_key": {
-    "encrypted_data": "JnnwISbHJ+d7JZB/C0NH0fb8p+bDSwoq5t5knSi+bSTltSxKcq6PRX9K6bov\nEbo0GTdWePbuc5NCsyYxfrkzCtpLXTIxeCROtinRmFIgMFNwaOA=\n",
+    "encrypted_data": "cjEbyKKN5bZyG6yy6ovh38dTNmZI9iciEpJ8pfw3jaD2cW/SXYHOenhnhAId\n1daUMHvWfIx82cDsnxZstCW0wmYML70+xU0TVMadsIPJMdIC5Fc=\n",
-    "iv": "pKPCaANDqGtbFV3V\n",
+    "iv": "fDCPTxINTEmxX2kz\n",
-    "auth_tag": "S//hn2HOhuZH8+UfCNBWDg==\n",
+    "auth_tag": "S7TDJnU7Ms8D4WUnw5a7dA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "nostr_private_key": {
-    "encrypted_data": "AKfFiLow+veDyEWBwmCDuLerT3l+o2aJUCeHg2mZZIyoH4oeo/9crZwIdjBn\n70reouqnHNG9mBHuO/+IPGfj53mHLo+oGHh+6LkL3ImI4MFBofY=\n",
+    "encrypted_data": "BwWnS0xQn/EsZPF6ohjsQuFnAnUmJxGasUNpFUN6+ZE31t5XtGDjnzU1doTy\n1ToBCnJkNVCrUxg3j6YKTH6sFinrZrDT4WAn501Y0Swz95VRrvc=\n",
-    "iv": "bPlOKk2qkJAzdKf+\n",
+    "iv": "huVql9m/qhHTm/0c\n",
-    "auth_tag": "VIp1IOjBGatn2MN5LHVymg==\n",
+    "auth_tag": "2GWcyZ6bgFQEeWjbyJbW7g==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/data_bags/credentials/gandi_api.json
+++ b/data_bags/credentials/gandi_api.json
@@ -1,16 +1,23 @@
 {
  "id": "gandi_api",
  "key": {
    "encrypted_data": "lU7/xYTmP5Sb6SsK5TNNIyegWozzBtUzpg7oDdl6gcz9FEMmG2ft0Ljh5Q==\n",
    "iv": "EZPQD3C+wsP/mBhF\n",
    "auth_tag": "vF9E8Pj4Z8quJJdOMg/QTw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "access_token": {
-    "encrypted_data": "+skwxHnpAj/3d3e2u7s7B9EydbETj8b0flWahvb5gt/o4JYFWHrhIyX/0IVa\n4wgmu08eDgU51i0knGA=\n",
+    "encrypted_data": "1Uw69JkNrmb8LU/qssuod1SlqxxrWR7TJQZeeivRrNzrMIVTEW/1uwJIYL6b\nM4GeeYl9lIRlMMmLBkc=\n",
-    "iv": "ONKrFCt8Oj3GKIQ5\n",
+    "iv": "cc1GJKu6Cf4DkIgX\n",
-    "auth_tag": "j9Hrk8ZZFMQub4NUO+2e4g==\n",
+    "auth_tag": "ERem4S7ozG695kjvWIMghw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "domains": {
-    "encrypted_data": "lGfoPHdXEYYdJmoIA9M119wjVl1v4UzIv5gHADwx0A==\n",
+    "encrypted_data": "scZ5blsSjs54DlitR7KZ3enLbyceOR5q0wjHw1golQ==\n",
-    "iv": "q6XKbxhW7X9ONxNt\n",
+    "iv": "oDcHm7shAzW97b4t\n",
-    "auth_tag": "ns9WJH8Oe75siWu+sOZkRg==\n",
+    "auth_tag": "62Zais9yf68SwmZRsmZ3hw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/doc/mastodon.md
+++ b/doc/mastodon.md
@@ -1,15 +0,0 @@
 # Mastodon
 Running on kosmos.social
 ## Ops
 ### Enable maintance mode
 Return a 503 and maintance page for all requests:
    knife ssh -p2222 -a knife_zero.host "role:openresty_proxy" "sudo cp -p /var/www/maintenance.html /var/www/kosmos.social/public/ && sudo systemctl reload openresty"
 ### Stop maintenance mode
    knife ssh -p2222 -a knife_zero.host "role:openresty_proxy" "sudo rm /var/www/kosmos.social/public/maintenance.html && sudo systemctl reload openresty"
--- a/doc/postgres/migration.md
+++ b/doc/postgres/migration.md
@@ -1,287 +0,0 @@
 # Migrating PostgreSQL cluster to a new major version
 ## Summary
 1. Dump from a replica
 2. Restore to fresh VM running new major version
 3. Add logical replication for delta sync from current/old primary
 4. Switch primary to new server
 5. Remove logical replication on new server
 ## Runbook
 * Primary host: `PRIMARY_HOST`
 * Replica host: `REPLICA_HOST`
 * New PG14 host: `NEW_HOST`
 * PostgreSQL superuser: `postgres`
 * Running locally on each machine via `sudo -u postgres`
 Adjust hostnames/IPs/etc. where needed.
 ---
 ### 🟢 0. PRIMARY — Pre-checks
 ```bash
 sudo -u postgres psql -c "SHOW wal_level;"
 sudo -u postgres psql -c "SHOW max_replication_slots;"
 ```
 If needed, edit config:
 ```bash
 sudo -u postgres vi $PGDATA/postgresql.conf
 ```
 Ensure:
 ```conf
 wal_level = logical
 max_replication_slots = 10
 ```
 Restart if changed:
 ```bash
 sudo systemctl restart postgresql
 ```
 ---
 ### 🔵🟡 3. Create keypair for syncing dump later
 🔵 On NEW_HOST:
 ```bash
 sudo mkdir -p /home/postgres/.ssh && \
 sudo chown -R postgres:postgres /home/postgres && \
 sudo chmod 700 /home/postgres/.ssh && \
 sudo -u postgres bash -c 'ssh-keygen -t ecdsa -b 256 -f /home/postgres/.ssh/id_ecdsa -N "" -C "postgres@$(hostname)"' && \
 sudo cat /home/postgres/.ssh/id_ecdsa.pub
 ```
 Copy the public key from the above output
 🟡 On replica:
 ```bash
 sudo mkdir -p /home/postgres/.ssh && \
 sudo chown -R postgres:postgres /home/postgres && \
 sudo chmod 700 /home/postgres/.ssh && \
 echo [public_key] | sudo tee /home/postgres/.ssh/authorized_keys > /dev/null && \
 sudo chmod 700 /home/postgres/.ssh
 ```
 ---
 ### 🟢 1. PRIMARY — Create publication and replication slots
 ```bash
 sudo -u postgres pg_create_replication_publications
 ```
 or
 ```bash
 sudo -u postgres pg_create_replication_publication [db_name]
 ```
 Listing publications and slots:
 ```bash
 sudo -u postgres pg_list_replication_publications
 sudo -u postgres pg_list_replication_slots
 ```
 ---
 ### 🟡 3. REPLICA — Pause replication
 ```bash
 sudo -u postgres psql -c "SELECT pg_wal_replay_pause();"
 ```
 Verify:
 ```bash
 sudo -u postgres psql -c "SELECT pg_is_wal_replay_paused();"
 ```
 ---
 ### 🟡 4. REPLICA — Run dump
 ```bash
 sudo -u postgres pg_dump_all_databases
 ```
 or
 ```bash
 sudo -u postgres bash -c "pg_dumpall --globals-only > /tmp/globals.sql"
 sudo -u postgres pg_dump_database [db_name]
 ```
 ---
 ### 🟡 5. REPLICA — Resume replication
 ```bash
 sudo -u postgres psql -c "SELECT pg_wal_replay_resume();"
 ```
 ---
 ### 🔵 6. COPY dumps to NEW HOST
 From NEW_HOST:
 ```bash
 export REPLICA_HOST=[private_ip] && \
 cd /tmp && \
 sudo -u postgres scp "postgres@$REPLICA_HOST:/tmp/globals.sql" . && \
 sudo -u postgres scp "postgres@$REPLICA_HOST:/tmp/dump_*.tar.zst" .
 ```
 ---
 ### 🔵 7. NEW HOST (PostgreSQL 14) — Restore
 #### 7.1 Restore globals
 ```bash
 sudo -u postgres psql -f /tmp/globals.sql
 ```
 ---
 #### 7.2 Create databases
 ```bash
 sudo -u postgres psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template1')" | \
 xargs -I{} sudo -u postgres createdb {}
 ```
 or
 ```bash
 sudo -u postgres createdb [db_name]
 ```
 ---
 #### 7.3 Restore each database
 ```bash
 sudo -u postgres pg_restore_all_databases
 ```
 or
 ```bash
 sudo -u postgres pg_restore_database [db_name]
 ```
 ---
 ### 🔵 8. NEW HOST — Create subscriptions
 ```bash
 sudo -u postgres pg_create_replication_subscriptions
 ```
 or
 ```bash
 sudo -u postgres pg_create_replication_subscription [db_name]
 ```
 ---
 ### 🔵 9. NEW HOST — Monitor replication
 ```bash
 sudo -u postgres pg_list_replication_subscriptions
 ```
 ---
 ### 🔴 11. CUTOVER
 #### 11.1 Stop writes on old primary
 Put app(s) in maintenance mode, stop the app/daemons.
 ---
 #### 11.2 Wait for replication to catch up
 TODO: not the best way to check, since WAL LSNs keep increasing
 ```bash
 sudo -u postgres psql -d [db_name] -c "SELECT * FROM pg_stat_subscription;"
 ```
 ---
 #### 11.3 Fix sequences
 Run per DB:
 ```bash
 sudo -u postgres pg_fix_sequences_in_all_databases
 ```
 or
 ```bash
 sudo -u postgres pg_fix_sequences [db_name]
 ```
 ---
 #### 11.4 Point app to NEW_HOST
 1. Update `pg.kosmos.local` in `/etc/hosts` on app server(s). For example:
   ```bash
   export NEW_PG_PRIMARY=[private_ip]
   knife ssh roles:ejabberd -a knife_zero.host "sudo sed -r \"s/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\s(pg.kosmos.local)/$NEW_PG_PRIMARY\t\1/\" -i /etc/hosts"
   ```
   Or override node attribute(s) if necessary and/or approporiate.
 2. Start the app/daemons, and deactivate maintenance mode.
 ---
 ### 🧹 12. CLEANUP NEW_HOST
 ```bash
 sudo -u postgres pg_drop_replication_subscriptions
 ```
 ---
 ### 🧹 13. CLEANUP PRIMARY
 TODO: Looks like slots are dropped automatically, when subscriptions are dropped
 ```bash
 sudo -u postgres pg_drop_replication_publications
 ```
 ---
 ### 🧹 13. CLEANUP Chef
 Once all apps/databases are migrated, update the role in the node
 config of the new primary to 'postgres_primary' and converge it.
 Also delete the old primary node config from the Chef repo.
 ---
 ### ✅ DONE
 ---
--- a/environments/production.json
+++ b/environments/production.json
@@ -105,33 +105,20 @@
    },
    "strfry": {
      "domain": "nostr.kosmos.org",
-      "config": {
+      "real_ip_header": "x-real-ip",
-        "events": {
+      "policy_path": "/opt/strfry/strfry-policy.ts",
          "max_event_size": "524288"
        },
        "relay": {
          "bind": "0.0.0.0",
          "real_ip_header": "x-real-ip",
          "info": {
            "name": "Kosmos Relay",
            "description": "Members-only nostr relay for kosmos.org users",
            "pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
            "contact": "ops@kosmos.org",
            "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
          },
          "write_policy": {
            "plugin": "/opt/strfry/strfry-policy.ts"
          },
          "logging": {
            "dump_in_all": true
          }
        }
      },
      "known_pubkeys": {
        "_": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
        "accounts": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
        "bitcoincore": "47750177bb6bb113784e4973f6b2e3dd27ef1eff227d6e38d0046d618969e41a",
        "fiatjaf": "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
      },
      "info": {
        "name": "Kosmos Relay",
        "description": "Members-only nostr relay for kosmos.org users",
        "pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
        "contact": "ops@kosmos.org",
        "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
      }
    },
    "substr": {
--- a/nodes/akkounts-1.json
+++ b/nodes/akkounts-1.json
@@ -9,7 +9,7 @@
  "automatic": {
    "fqdn": "akkounts-1",
    "os": "linux",
-    "os_version": "5.4.0-223-generic",
+    "os_version": "5.4.0-148-generic",
    "hostname": "akkounts-1",
    "ipaddress": "192.168.122.160",
    "roles": [
@@ -38,7 +38,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@@ -44,7 +44,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@@ -12,7 +12,6 @@
    },
    "openresty": {
      "listen_ip": "148.251.237.111",
      "listen_ipv6": "2a01:4f8:202:804a::2",
      "log_formats": {
        "json": "{\"ip\":\"$remote_addr\",\"time\":\"$time_local\",\"host\":\"$host\",\"method\":\"$request_method\",\"uri\":\"$uri\",\"status\":$status,\"size\":$body_bytes_sent,\"referer\":\"$http_referer\",\"upstream_addr\":\"$upstream_addr\",\"upstream_response_time\":\"$upstream_response_time\",\"ua\":\"$http_user_agent\"}"
      }
@@ -82,7 +81,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/drone-1.json
+++ b/nodes/drone-1.json
@@ -8,27 +8,26 @@
  "automatic": {
    "fqdn": "drone-1",
    "os": "linux",
-    "os_version": "5.4.0-1133-kvm",
+    "os_version": "5.4.0-1058-kvm",
    "hostname": "drone-1",
    "ipaddress": "192.168.122.200",
    "roles": [
      "kvm_guest",
      "drone",
-      "postgresql_client"
+      "postgresql_client",
      "kvm_guest"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::hostsfile",
      "kosmos_drone",
      "kosmos_drone::default",
      "kosmos_kvm::guest",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@@ -44,13 +43,13 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.7.10",
+        "version": "17.9.52",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.2.5",
+        "version": "17.9.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
      }
    }
  },
@@ -59,4 +58,4 @@
    "role[kvm_guest]",
    "role[drone]"
  ]
-}
+}
--- a/nodes/ejabberd-4.json
+++ b/nodes/ejabberd-4.json
@@ -37,7 +37,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/ejabberd-8.json
+++ b/nodes/ejabberd-8.json
@@ -37,7 +37,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -75,7 +75,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/garage-12.json
+++ b/nodes/garage-12.json
@@ -1,65 +0,0 @@
 {
  "name": "garage-12",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.224"
    }
  },
  "automatic": {
    "fqdn": "garage-12",
    "os": "linux",
    "os_version": "5.15.0-1059-kvm",
    "hostname": "garage-12",
    "ipaddress": "192.168.122.173",
    "roles": [
      "base",
      "kvm_guest",
      "garage_node"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_garage",
      "kosmos_garage::default",
      "kosmos_garage::firewall_rpc",
      "kosmos_garage::firewall_apis",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
      "firewall::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.7.10",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.2.5",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[garage_node]"
  ]
 }
--- a/nodes/garage-14.json
+++ b/nodes/garage-14.json
@@ -1,65 +0,0 @@
 {
  "name": "garage-14",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.151"
    }
  },
  "automatic": {
    "fqdn": "garage-14",
    "os": "linux",
    "os_version": "5.15.0-1095-kvm",
    "hostname": "garage-14",
    "ipaddress": "192.168.122.36",
    "roles": [
      "base",
      "kvm_guest",
      "garage_node"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_garage",
      "kosmos_garage::default",
      "kosmos_garage::firewall_rpc",
      "kosmos_garage::firewall_apis",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
      "firewall::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.10.17",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.2.13",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[garage_node]"
  ]
 }
--- a/nodes/garage-15.json
+++ b/nodes/garage-15.json
@@ -1,65 +0,0 @@
 {
  "name": "garage-15",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.82"
    }
  },
  "automatic": {
    "fqdn": "garage-15",
    "os": "linux",
    "os_version": "5.15.0-1095-kvm",
    "hostname": "garage-15",
    "ipaddress": "192.168.122.57",
    "roles": [
      "base",
      "kvm_guest",
      "garage_node"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_garage",
      "kosmos_garage::default",
      "kosmos_garage::firewall_rpc",
      "kosmos_garage::firewall_apis",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
      "firewall::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.10.17",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.2.13",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[garage_node]"
  ]
 }
--- a/nodes/gitea-2.json
+++ b/nodes/gitea-2.json
@@ -39,7 +39,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/leo.json
+++ b/nodes/leo.json
@@ -1,56 +0,0 @@
 {
  "name": "leo",
  "normal": {
    "knife_zero": {
      "host": "leo.kosmos.org"
    }
  },
  "automatic": {
    "fqdn": "leo",
    "os": "linux",
    "os_version": "5.15.0-164-generic",
    "hostname": "leo",
    "ipaddress": "5.9.81.116",
    "roles": [
      "base"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::host",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.10.17",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.2.13",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "recipe[kosmos_kvm::host]"
  ]
 }
--- a/nodes/mastodon-3.json
+++ b/nodes/mastodon-3.json
@@ -37,7 +37,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/postgres-11.json
+++ b/nodes/postgres-11.json
@@ -1,17 +1,16 @@
 {
-  "name": "postgres-11",
+  "name": "postgres-6",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.91"
+      "host": "10.1.1.196"
    }
  },
  "automatic": {
-    "fqdn": "postgres-11",
+    "fqdn": "postgres-6",
    "os": "linux",
-    "os_version": "5.15.0-1095-kvm",
+    "os_version": "5.4.0-173-generic",
-    "hostname": "postgres-11",
+    "hostname": "postgres-6",
-    "ipaddress": "192.168.122.142",
+    "ipaddress": "192.168.122.60",
    "roles": [
      "base",
      "kvm_guest",
@@ -22,20 +21,18 @@
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::primary",
      "kosmos_postgresql::firewall",
      "kosmos-akkounts::pg_db",
      "kosmos-bitcoin::lndhub-go_pg_db",
      "kosmos-bitcoin::nbxplorer_pg_db",
      "kosmos_drone::pg_db",
      "kosmos_gitea::pg_db",
      "kosmos-mastodon::pg_db",
      "kosmos_postgresql::firewall",
      "kosmos_postgresql::management_scripts",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@@ -47,17 +44,17 @@
      "hostname::default"
    ],
    "platform": "ubuntu",
-    "platform_version": "22.04",
+    "platform_version": "20.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.10.17",
+        "version": "18.4.2",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.2/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.2.13",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
--- a/nodes/postgres-7.json
+++ b/nodes/postgres-7.json
@@ -1,36 +1,34 @@
 {
-  "name": "garage-13",
+  "name": "postgres-7",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.179"
+      "host": "10.1.1.134"
    }
  },
  "automatic": {
-    "fqdn": "garage-13",
+    "fqdn": "postgres-7",
    "os": "linux",
-    "os_version": "5.15.0-1059-kvm",
+    "os_version": "5.4.0-1123-kvm",
-    "hostname": "garage-13",
+    "hostname": "postgres-7",
-    "ipaddress": "192.168.122.27",
+    "ipaddress": "192.168.122.89",
    "roles": [
      "base",
      "kvm_guest",
-      "garage_node"
+      "postgresql_replica"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
-      "kosmos_garage",
+      "kosmos_postgresql::hostsfile",
-      "kosmos_garage::default",
+      "kosmos_postgresql::replica",
-      "kosmos_garage::firewall_rpc",
+      "kosmos_postgresql::firewall",
      "kosmos_garage::firewall_apis",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@@ -39,27 +37,26 @@
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
-      "hostname::default",
+      "hostname::default"
      "firewall::default"
    ],
    "platform": "ubuntu",
-    "platform_version": "22.04",
+    "platform_version": "20.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.7.10",
+        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.2.5",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
-    "role[garage_node]"
+    "role[postgresql_replica]"
  ]
 }
--- a/nodes/postgres-12.json
+++ b/nodes/postgres-12.json
@@ -1,17 +1,17 @@
 {
-  "name": "postgres-12",
+  "name": "postgres-8",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.134"
+      "host": "10.1.1.99"
    }
  },
  "automatic": {
-    "fqdn": "postgres-12",
+    "fqdn": "postgres-8",
    "os": "linux",
-    "os_version": "5.15.0-1096-kvm",
+    "os_version": "5.15.0-1059-kvm",
-    "hostname": "postgres-12",
+    "hostname": "postgres-8",
-    "ipaddress": "192.168.122.139",
+    "ipaddress": "192.168.122.100",
    "roles": [
      "base",
      "kvm_guest",
@@ -24,13 +24,11 @@
      "kosmos_postgresql::hostsfile",
      "kosmos_postgresql::replica",
      "kosmos_postgresql::firewall",
      "kosmos_postgresql::management_scripts",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@@ -46,13 +44,13 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.10.17",
+        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.2.13",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
--- a/nodes/strfry-1.json
+++ b/nodes/strfry-1.json
@@ -33,7 +33,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/wiki-1.json
+++ b/nodes/wiki-1.json
@@ -28,7 +28,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@@ -67,13 +66,12 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.7.10",
+        "version": "15.13.8",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.13.8/lib"
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.2.5",
+        "version": "15.12.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
      }
    }
  },
--- a/roles/gitea.rb
+++ b/roles/gitea.rb
@@ -5,11 +5,3 @@ run_list %w(
  kosmos_gitea::default
  kosmos_gitea::backup
 )
 override_attributes(
  "gitea" => {
    # "repo" => "https://github.com/67P/gitea.git",
    # "revision" => "ldap_sync",
    "log" => { "level" => "Info" }
  },
 )
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@@ -1,13 +1,12 @@
 name "postgresql_primary"
-run_list [
+run_list %w(
-  "kosmos_postgresql::primary",
+  kosmos_postgresql::primary
-  "kosmos-akkounts::pg_db",
+  kosmos_postgresql::firewall
-  "kosmos-bitcoin::lndhub-go_pg_db",
+  kosmos-akkounts::pg_db
-  "kosmos-bitcoin::nbxplorer_pg_db",
+  kosmos-bitcoin::lndhub-go_pg_db
-  "kosmos_drone::pg_db",
+  kosmos-bitcoin::nbxplorer_pg_db
-  "kosmos_gitea::pg_db",
+  kosmos_drone::pg_db
-  "kosmos-mastodon::pg_db",
+  kosmos_gitea::pg_db
-  "kosmos_postgresql::firewall",
+  kosmos-mastodon::pg_db
-  "kosmos_postgresql::management_scripts"
+)
 ]
--- a/roles/postgresql_replica.rb
+++ b/roles/postgresql_replica.rb
@@ -1,8 +1,7 @@
 name "postgresql_replica"
-run_list [
+run_list %w(
-  "kosmos_postgresql::hostsfile",
+  kosmos_postgresql::hostsfile
-  "kosmos_postgresql::replica",
+  kosmos_postgresql::replica
-  "kosmos_postgresql::firewall",
+  kosmos_postgresql::firewall
-  "kosmos_postgresql::management_scripts"
+)
 ]
--- a/roles/postgresql_replica_logical.rb
+++ b/roles/postgresql_replica_logical.rb
@@ -1,8 +0,0 @@
 name "postgresql_replica_logical"
 run_list [
  "kosmos_postgresql::hostsfile",
  "kosmos_postgresql::replica_logical",
  "kosmos_postgresql::firewall",
  "kosmos_postgresql::management_scripts"
 ]
--- a/site-cookbooks/deno
+++ b/site-cookbooks/deno
--- a/site-cookbooks/discourse/templates/nginx_conf.erb
+++ b/site-cookbooks/discourse/templates/nginx_conf.erb
@@ -8,8 +8,8 @@ upstream _<%= @upstream_name %> {
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
  server_name <%= @server_name %>;
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen 443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
--- a/site-cookbooks/kosmos-akkounts/recipes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb
@@ -29,7 +29,7 @@ node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
 include_recipe 'kosmos-nodejs'
 npm_package "bun"
-ruby_version = "3.3.8"
+ruby_version = "3.3.0"
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
 rails_env = node.chef_environment == "development" ? "development" : "production"
@@ -48,9 +48,6 @@ env = {
  primary_domain: node['akkounts']['primary_domain'],
  akkounts_domain: node['akkounts']['domain'],
  rails_serve_static_files: true,
  secret_key_base: credentials["rails_secret_key_base"],
  encryption_primary_key: credentials["rails_encryption_primary_key"],
  encryption_key_derivation_salt: credentials["rails_encryption_key_derivation_salt"],
  db_adapter: "postgresql",
  pg_host: "pg.kosmos.local",
  pg_port: 5432,
@@ -60,17 +57,6 @@ env = {
  pg_password: credentials["postgresql"]["password"]
 }
 env[:ldap] = {
  host: "ldap.kosmos.local",
  port: 389,
  use_tls: false,
  uid_attr: "cn",
  base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
  admin_user: credentials["ldap"]["admin_user"],
  admin_password: credentials["ldap"]["admin_password"],
  suffix: "dc=kosmos,dc=org"
 }
 smtp_server, smtp_port = smtp_credentials[:relayhost].split(":")
 env[:smtp] = {
  server: smtp_server,
@@ -230,6 +216,7 @@ systemd_unit "akkounts.service" do
      WorkingDirectory: deploy_path,
      Environment: "RAILS_ENV=#{rails_env} SOLID_QUEUE_IN_PUMA=true",
      ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
      ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
      ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
      PIDFile: "#{deploy_path}/tmp/puma.pid",
      TimeoutSec: "10",
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
@@ -11,7 +11,7 @@ proxy_cache_path <%= node[:openresty][:cache_dir] %>/akkounts levels=1:2
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @domain %>;
  if ($host != $server_name) {
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
@@ -7,7 +7,7 @@ upstream _akkounts_api {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @domain %>;
  ssl_certificate     <%= @ssl_cert %>;
--- a/site-cookbooks/kosmos-base/attributes/default.rb
+++ b/site-cookbooks/kosmos-base/attributes/default.rb
@@ -1,2 +0,0 @@
 node.default["kosmos-base"]["journald"]["system_max_use"] = "256M"
 node.default["kosmos-base"]["journald"]["max_retention_sec"] = "7d"
--- a/site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb
+++ b/site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb
@@ -0,0 +1,52 @@
 #
 # Cookbook Name:: kosmos-base
 # Recipe:: andromeda_firewall
 #
 # The MIT License (MIT)
 #
 # Copyright:: 2019, Kosmos Developers
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
 # in the Software without restriction, including without limitation the rights
 # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 # copies of the Software, and to permit persons to whom the Software is
 # furnished to do so, subject to the following conditions:
 #
 # The above copyright notice and this permission notice shall be included in
 # all copies or substantial portions of the Software.
 #
 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.
 # Temporary extra rules for Andromeda
 firewall_rule 'bitcoind' do
  port     [8333, 8334, 8335]
  protocol :tcp
  command  :allow
 end
 firewall_rule 'lnd' do
  port     [9736]
  # port     [9736, 8002]
  protocol :tcp
  command  :allow
 end
 firewall_rule 'lightningd' do
  port     [9735]
  protocol :tcp
  command  :allow
 end
 firewall_rule 'spark_wallet' do
  port     8008
  protocol :tcp
  command  :allow
 end
--- a/site-cookbooks/kosmos-base/recipes/default.rb
+++ b/site-cookbooks/kosmos-base/recipes/default.rb
@@ -27,19 +27,11 @@
 include_recipe 'apt'
 include_recipe 'timezone_iii'
 include_recipe 'ntp'
 include_recipe 'kosmos-base::journald_conf'
 include_recipe 'kosmos-base::systemd_emails'
 node.override["apt"]["unattended_upgrades"]["enable"] = true
 node.override["apt"]["unattended_upgrades"]["mail_only_on_error"] = false
 node.override["apt"]["unattended_upgrades"]["sender"] = "ops@kosmos.org"
 node.override["apt"]["unattended_upgrades"]["allowed_origins"] = [
  "${distro_id}:${distro_codename}-security",
-  "${distro_id}:${distro_codename}-updates",
+  "${distro_id}:${distro_codename}-updates"
  "${distro_id}ESMApps:${distro_codename}-apps-security",
  "${distro_id}ESMApps:${distro_codename}-apps-updates",
  "${distro_id}ESM:${distro_codename}-infra-security",
  "${distro_id}ESM:${distro_codename}-infra-updates"
 ]
 node.override["apt"]["unattended_upgrades"]["mail"] = "ops@kosmos.org"
 node.override["apt"]["unattended_upgrades"]["syslog_enable"] = true
--- a/site-cookbooks/kosmos-base/recipes/journald_conf.rb
+++ b/site-cookbooks/kosmos-base/recipes/journald_conf.rb
@@ -1,14 +0,0 @@
 #
 # Cookbook Name:: kosmos-base
 # Recipe:: journald_conf
 #
 service "systemd-journald"
 template "/etc/systemd/journald.conf" do
  source "journald.conf.erb"
  variables system_max_use: node["kosmos-base"]["journald"]["system_max_use"],
            max_retention_sec: node["kosmos-base"]["journald"]["max_retention_sec"]
  # Restarting journald is required
  notifies :restart, "service[systemd-journald]", :delayed
 end
--- a/site-cookbooks/kosmos-base/templates/default/journald.conf.erb
+++ b/site-cookbooks/kosmos-base/templates/default/journald.conf.erb
@@ -1,6 +0,0 @@
 [Journal]
 # Set the maximum size of the journal logs in bytes
 SystemMaxUse=<%= @system_max_use %>
 # Set the number of days after which logs will be deleted
 MaxRetentionSec=<%= @max_retention_sec %>
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '30.0'
+node.default['bitcoin']['version']   = '28.0'
-node.default['bitcoin']['checksum']  = '9b472a4d51dfed9aa9d0ded2cb8c7bcb9267f8439a23a98f36eb509c1a5e6974'
+node.default['bitcoin']['checksum']  = '700ae2d1e204602eb07f2779a6e6669893bc96c0dca290593f80ff8e102ff37f'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'
@@ -41,7 +41,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.19.1-beta'
+node.default['lnd']['revision'] = 'v0.18.5-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -90,7 +90,7 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/
 node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
 node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
-node.default['nbxplorer']['revision'] = 'v2.5.26'
+node.default['nbxplorer']['revision'] = 'v2.5.23'
 node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
 node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
 node.default['nbxplorer']['port'] = '24445'
@@ -98,7 +98,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
 node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
 node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
-node.default['btcpay']['revision'] = 'v2.1.1'
+node.default['btcpay']['revision'] = 'v2.0.7'
 node.default['btcpay']['source_dir'] = '/opt/btcpay'
 node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
 node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
--- a/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
@@ -34,7 +34,7 @@ end
 execute "compile_bitcoin-core_dependencies" do
  cwd "/usr/local/bitcoind/depends"
  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
-  command "make -j $(($(nproc)/2))"
+  command "make -j 2"
  action :nothing
  notifies :run, 'bash[compile_bitcoin-core]', :immediately
 end
@@ -43,13 +43,21 @@ bash "compile_bitcoin-core" do
  cwd "/usr/local/bitcoind"
  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
  code <<-EOH
-    cmake -B build --toolchain depends/x86_64-pc-linux-gnu/toolchain.cmake -DBUILD_TESTS=OFF
+    ./autogen.sh
-    cmake --build build -j $(($(nproc)/2))
+    ./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
-    cmake --install build
+    make
  EOH
  action :nothing
 end
 link "/usr/local/bin/bitcoind" do
  to "/usr/local/bitcoind/src/bitcoind"
 end
 link "/usr/local/bin/bitcoin-cli" do
  to "/usr/local/bitcoind/src/bitcoin-cli"
 end
 bitcoin_user      = node['bitcoin']['username']
 bitcoin_group     = node['bitcoin']['usergroup']
 bitcoin_datadir   = node['bitcoin']['datadir']
--- a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
@@ -21,7 +21,6 @@ bash 'build_btcpay' do
    systemctl stop btcpayserver.service
    ./build.sh
  EOH
  environment "DOTNET_CLI_TELEMETRY_OPTOUT" => 1
  action :nothing
  notifies :restart, "service[btcpayserver]", :delayed
 end
@@ -88,7 +87,7 @@ systemd_unit 'btcpayserver.service' do
      Group: node['bitcoin']['usergroup'],
      Type: 'simple',
      WorkingDirectory: node['btcpay']['source_dir'],
-      Environment: "'BTCPAY_EXPLORERPOSTGRES=#{nbxpg_connect}' 'DOTNET_CLI_TELEMETRY_OPTOUT=1'",
+      Environment: defined?(nbxpg_connect) ? "'BTCPAY_EXPLORERPOSTGRES=#{nbxpg_connect}'" : '',
      ExecStart: "#{node['btcpay']['source_dir']}/run.sh --conf=#{node['btcpay']['config_path']}",
      PIDFile: '/run/btcpayserver/btcpayserver.pid',
      Restart: 'on-failure',
@@ -104,8 +103,6 @@ systemd_unit 'btcpayserver.service' do
  verify false
  triggers_reload true
  action [:create]
  # reload is not applicable
  notifies :restart, "service[btcpayserver]", :delayed
 end
 service "btcpayserver" do
--- a/site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb
@@ -1,86 +1,49 @@
 #!/bin/bash
 set -e
 set -o pipefail
 # Calculate yesterday's date in YYYY-MM-DD format
 YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
 echo "Starting price tracking for $YESTERDAY" >&2
 # Helper function to perform HTTP requests with retries
 # Usage: make_request <retries> <method> <url> [data] [header1] [header2] ...
 make_request() {
    local retries=$1
    local method=$2
    local url=$3
    local data=$4
    shift 4
    local headers=("$@")
    local count=0
    local wait_time=3
    local response
    while [ "$count" -lt "$retries" ]; do
        local curl_opts=(-s -S -f -X "$method")
        if [ -n "$data" ]; then
            curl_opts+=(-d "$data")
        fi
        for h in "${headers[@]}"; do
            curl_opts+=(-H "$h")
        done
        if response=$(curl "${curl_opts[@]}" "$url"); then
            echo "$response"
            return 0
        fi
        echo "Request to $url failed (Attempt $((count+1))/$retries). Retrying in ${wait_time}s..." >&2
        sleep "$wait_time"
        count=$((count + 1))
    done
    echo "ERROR: Request to $url failed after $retries attempts" >&2
    return 1
 }
 # Fetch and process rates for a fiat currency
 get_price_data() {
    local currency=$1
    local data avg open24 last
-    if data=$(make_request 3 "GET" "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/" ""); then
+    data=$(curl -s "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/")
    if [ $? -eq 0 ] && [ ! -z "$data" ]; then
        echo "Successfully retrieved ${currency} price data" >&2
        open24=$(echo "$data" | jq -r '.open_24')
        last=$(echo "$data" | jq -r '.last')
-        avg=$(echo "$open24 $last" | awk '{printf "%.0f", ($1 + $2) / 2}')
+        avg=$(( (${open24%.*} + ${last%.*}) / 2 ))
        echo $avg
    else
        echo "ERROR: Failed to retrieve ${currency} price data" >&2
-        return 1
+        exit 1
    fi
 }
 # Get price data for each currency
-usd_avg=$(get_price_data "USD") || exit 1
+usd_avg=$(get_price_data "USD")
-eur_avg=$(get_price_data "EUR") || exit 1
+eur_avg=$(get_price_data "EUR")
-gbp_avg=$(get_price_data "GBP") || exit 1
+gbp_avg=$(get_price_data "GBP")
 # Create JSON
-json=$(jq -n \
+json="{\"EUR\":$eur_avg,\"USD\":$usd_avg,\"GBP\":$gbp_avg}"
  --argjson eur "$eur_avg" \
  --argjson usd "$usd_avg" \
  --argjson gbp "$gbp_avg" \
  '{"EUR": $eur, "USD": $usd, "GBP": $gbp}')
 echo "Rates: $json" >&2
 # PUT in remote storage
-if make_request 3 "PUT" "<%= @rs_base_url %>/$YESTERDAY" "$json" \
+response=$(curl -X PUT \
-    "Authorization: Bearer $RS_AUTH" \
+    -H "Authorization: Bearer $RS_AUTH" \
-    "Content-Type: application/json" > /dev/null; then
+    -H "Content-Type: application/json" \
    -d "$json" \
    -w "%{http_code}" \
    -s \
    -o /dev/null \
    "<%= @rs_base_url %>/$YESTERDAY")
 if [ "$response" -eq 200 ] || [ "$response" -eq 201 ]; then
   echo "Successfully uploaded price data" >&2
 else
-   echo "ERROR: Failed to upload price data" >&2
+   echo "ERROR: Failed to upload price data. HTTP status: $response" >&2
   exit 1
 fi
--- a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb
@@ -49,7 +49,7 @@ server {
  client_max_body_size 100M;
  server_name <%= @server_name %>;
  listen 443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  access_log <%= node[:nginx][:log_dir] %>/btcpayserver.access.log json;
  error_log <%= node[:nginx][:log_dir] %>/btcpayserver.error.log warn;
--- a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb
@@ -7,7 +7,7 @@ upstream _lndhub {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @server_name %>;
  add_header Strict-Transport-Security "max-age=15768000";
--- a/site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb
+++ b/site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb
@@ -49,7 +49,7 @@ server {
  server_name <%= @server_name %>;
  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
  listen 443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  <% else -%>
  listen 80;
  <% end -%>
--- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
@@ -1,6 +1,6 @@
-node.default["ejabberd"]["version"] = "25.08"
+node.default["ejabberd"]["version"] = "23.10"
 node.default["ejabberd"]["package_version"] = "1"
-node.default["ejabberd"]["checksum"] = "e4703bc41b5843fc4b76e8b54a9380d5895f9b3dcd4795e05ad0c260ed9b9a23"
+node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77"
 node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org"
 node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org"
 node.default["ejabberd"]["stun_turn_port"] = 3478
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -65,13 +65,15 @@ file "/opt/ejabberd/.hosts.erlang" do
  content ejabberd_hostnames.map{|h| "#{h}."}.join("\n")
 end
-template "/opt/ejabberd/conf/ejabberdctl.cfg" do
+ruby_block "configure ERLANG_NODE" do
-  source    "ejabberdctl.cfg.erb"
+  block do
-  mode      0644
+    file = Chef::Util::FileEdit.new("/opt/ejabberd/conf/ejabberdctl.cfg")
-  owner     'ejabberd'
+    file.search_file_replace_line(
-  group     'ejabberd'
+      %r{#ERLANG_NODE=ejabberd@localhost},
-  variables epmd_node_name: "ejabberd@#{node['name']}"
+      "ERLANG_NODE=ejabberd@#{node['name']}"
-  notifies :reload, "service[ejabberd]", :delayed
+    )
    file.write_file
  end
 end
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
@@ -108,7 +110,6 @@ hosts = [
        access_persistent: muc_create
        access_register: muc_create
        max_user_conferences: 1000
        max_users: 2000
        default_room_options:
          mam: true
        preload_rooms: true
@@ -223,3 +224,10 @@ end
 unless node.chef_environment == "development"
  include_recipe "kosmos-ejabberd::firewall"
 end
 firewall_rule 'ejabberd_http' do
  port     [80]
  source   "10.1.1.0/24"
  protocol :tcp
  command  :allow
 end
--- a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
@@ -35,10 +35,3 @@ firewall_rule 'ejabberd_turn' do
  protocol :udp
  command  :allow
 end
 firewall_rule 'ejabberd_http' do
  port     [80]
  source   "10.1.1.0/24"
  protocol :tcp
  command  :allow
 end
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@@ -1,11 +1,10 @@
 loglevel: 4
 log_rotate_size: 10485760
 log_rotate_date: ""
 log_rotate_count: 1
-loglevel: info
+log_rate_limit: 100
 hide_sensitive_log_data: true
 log_modules_fully:
  - mod_s3_upload
 hosts:
 <% @hosts.each do |host| -%>
@@ -96,8 +95,6 @@ auth_method: sql
 default_db: sql
 update_sql_schema: true
 shaper:
  normal:
    rate: 3000
@@ -122,15 +119,6 @@ acl:
      - "::1/128"
      - "::FFFF:127.0.0.1/128"
 api_permissions:
  "webadmin commands":
    who:
      - admin
    from:
      - ejabberd_web_admin
    what:
      - "*"
 shaper_rules:
  max_user_sessions: 10
  max_user_offline_messages:
@@ -197,11 +185,8 @@ api_permissions:
    what:
      - "add_rosteritem"
      - "delete_rosteritem"
      - "get_vcard2"
      - "muc_register_nick"
      - "private_set"
      - "send_message"
-      - "send_stanza"
+      - "private_set"
 language: "en"
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberdctl.cfg.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberdctl.cfg.erb
@@ -1,175 +0,0 @@
 #
 # In this file you can configure options that are passed by ejabberdctl
 # to the erlang runtime system when starting ejabberd
 #
 #' POLL: Kernel polling ([true|false])
 #
 # The kernel polling option requires support in the kernel.
 # Additionally, you need to enable this feature while compiling Erlang.
 #
 # Default: true
 #
 #POLL=true
 #.
 #' SMP: SMP support ([enable|auto|disable])
 #
 # Explanation in Erlang/OTP documentation:
 # enable: starts the Erlang runtime system with SMP support enabled.
 #   This may fail if no runtime system with SMP support is available.
 # auto: starts the Erlang runtime system with SMP support enabled if it
 #   is available and more than one logical processor are detected.
 # disable: starts a runtime system without SMP support.
 #
 # Default: enable
 #
 #SMP=enable
 #.
 #' ERL_MAX_PORTS: Maximum number of simultaneously open Erlang ports
 #
 # ejabberd consumes two or three ports for every connection, either
 # from a client or from another Jabber server. So take this into
 # account when setting this limit.
 #
 # Default: 32000
 # Maximum: 268435456
 #
 #ERL_MAX_PORTS=32000
 #.
 #' FIREWALL_WINDOW: Range of allowed ports to pass through a firewall
 #
 # If Ejabberd is configured to run in cluster, and a firewall is blocking ports,
 # it's possible to make Erlang use a defined range of port (instead of dynamic
 # ports) for node communication.
 #
 # Default: not defined
 # Example: 4200-4210
 #
 FIREWALL_WINDOW=4200-4210
 #.
 #' INET_DIST_INTERFACE: IP address where this Erlang node listens other nodes
 #
 # This communication is used by ejabberdctl command line tool,
 # and in a cluster of several ejabberd nodes.
 #
 # Default: 0.0.0.0
 #
 #INET_DIST_INTERFACE=127.0.0.1
 #.
 #' ERL_EPMD_ADDRESS: IP addresses where epmd listens for connections
 #
 # IMPORTANT: This option works only in Erlang/OTP R14B03 and newer.
 #
 # This environment variable may be set to a comma-separated
 # list of IP addresses, in which case the epmd daemon
 # will listen only on the specified address(es) and on the
 # loopback address (which is implicitly added to the list if it
 # has not been specified). The default behaviour is to listen on
 # all available IP addresses.
 #
 # Default: 0.0.0.0
 #
 #ERL_EPMD_ADDRESS=127.0.0.1
 #.
 #' ERL_PROCESSES: Maximum number of Erlang processes
 #
 # Erlang consumes a lot of lightweight processes. If there is a lot of activity
 # on ejabberd so that the maximum number of processes is reached, people will
 # experience greater latency times. As these processes are implemented in
 # Erlang, and therefore not related to the operating system processes, you do
 # not have to worry about allowing a huge number of them.
 #
 # Default: 250000
 # Maximum: 268435456
 #
 #ERL_PROCESSES=250000
 #.
 #' ERL_MAX_ETS_TABLES: Maximum number of ETS and Mnesia tables
 #
 # The number of concurrent ETS and Mnesia tables is limited. When the limit is
 # reached, errors will appear in the logs:
 #   ** Too many db tables **
 # You can safely increase this limit when starting ejabberd. It impacts memory
 # consumption but the difference will be quite small.
 #
 # Default: 1400
 #
 #ERL_MAX_ETS_TABLES=1400
 #.
 #' ERL_OPTIONS: Additional Erlang options
 #
 # The next variable allows to specify additional options passed to erlang while
 # starting ejabberd. Some useful options are -noshell, -detached, -heart. When
 # ejabberd is started from an init.d script options -noshell and -detached are
 # added implicitly. See erl(1) for more info.
 #
 # It might be useful to add "-pa /usr/local/lib/ejabberd/ebin" if you
 # want to add local modules in this path.
 #
 # Default: ""
 #
 #ERL_OPTIONS=""
 #.
 #' ERLANG_NODE: Erlang node name
 #
 # The next variable allows to explicitly specify erlang node for ejabberd
 # It can be given in different formats:
 # ERLANG_NODE=ejabberd
 #   Lets erlang add hostname to the node (ejabberd uses short name in this case)
 # ERLANG_NODE=ejabberd@hostname
 #   Erlang uses node name as is (so make sure that hostname is a real
 #   machine hostname or you'll not be able to control ejabberd)
 # ERLANG_NODE=ejabberd@hostname.domainname
 #   The same as previous, but erlang will use long hostname
 #   (see erl (1) manual for details)
 #
 # Default: ejabberd@localhost
 #
 ERLANG_NODE=<%= @epmd_node_name %>
 #.
 #' EJABBERD_PID_PATH: ejabberd PID file
 #
 # Indicate the full path to the ejabberd Process identifier (PID) file.
 # If this variable is defined, ejabberd writes the PID file when starts,
 # and deletes it when stops.
 # Remember to create the directory and grant write permission to ejabberd.
 #
 # Default: don't write PID file
 #
 #EJABBERD_PID_PATH=/var/run/ejabberd/ejabberd.pid
 #.
 #' CONTRIB_MODULES_PATH: contributed ejabberd modules path
 #
 # Specify the full path to the contributed ejabberd modules. If the path is not
 # defined, ejabberd will use ~/.ejabberd-modules in home of user running ejabberd.
 #
 # Default: $HOME/.ejabberd-modules
 #
 #CONTRIB_MODULES_PATH=/opt/ejabberd-modules
 #.
 #' CONTRIB_MODULES_CONF_DIR: configuration directory for contributed modules
 #
 # Specify the full path to the configuration directory for contributed ejabberd
 # modules. In order to configure a module named mod_foo, a mod_foo.yml file can
 # be created in this directory. This file will then be used instead of the
 # default configuration file provided with the module.
 #
 # Default: $CONTRIB_MODULES_PATH/conf
 #
 #CONTRIB_MODULES_CONF_DIR=/etc/ejabberd/modules
 #.
 #'
 # vim: foldmarker=#',#. foldmethod=marker:
--- a/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb
@@ -3,7 +3,7 @@
 server {
  listen 443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @server_name %>;
  ssl_certificate     <%= @ssl_cert %>;
--- a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb
+++ b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb
@@ -7,7 +7,7 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @server_name %>;
  add_header Strict-Transport-Security "max-age=15768000";
--- a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
+++ b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
@@ -12,7 +12,7 @@ upstream _ipfs_api {
 server {
  server_name <%= @server_name %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  access_log /var/log/nginx/<%= @server_name %>.access.log;
  error_log  /var/log/nginx/<%= @server_name %>.error.log;
--- a/site-cookbooks/kosmos-mastodon/recipes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb
@@ -265,44 +265,6 @@ service "mastodon-streaming" do
  action [:enable, :start]
 end
 #
 # Delete cached remote media older than 30 days
 # Will be re-fetched if necessary
 #
 systemd_unit 'mastodon-delete-old-media-cache.service' do
  content({
    Unit: {
      Description: 'Delete old Mastodon media cache'
    },
    Service: {
      Type: "oneshot",
      WorkingDirectory: mastodon_path,
      Environment: "RAILS_ENV=#{rails_env}",
      ExecStart: "#{bundle_path} exec bin/tootctl media remove --days 30",
    }
  })
  triggers_reload true
  action [:create]
 end
 systemd_unit 'mastodon-delete-old-media-cache.timer' do
  content({
    Unit: {
      Description: 'Delete old Mastodon media cache'
    },
    Timer: {
      OnCalendar: '*-*-* 00:00:00',
      Persistent: 'true'
    },
    Install: {
      WantedBy: 'timer.target'
    }
  })
  triggers_reload true
  action [:create, :enable, :start]
 end
 firewall_rule "mastodon_app" do
  port     node['kosmos-mastodon']['app_port']
  source   "10.1.1.0/24"
--- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
@@ -21,7 +21,7 @@ proxy_cache_path /var/cache/nginx/mastodon levels=1:2
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @server_name %>;
  include <%= @shared_config_path %>;
--- a/site-cookbooks/kosmos-mediawiki/metadata.rb
+++ b/site-cookbooks/kosmos-mediawiki/metadata.rb
@@ -3,6 +3,7 @@ maintainer       'Kosmos'
 maintainer_email 'mail@kosmos.org'
 license          'MIT'
 description      'Installs/Configures kosmos-mediawiki'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version          '0.3.1'
 depends "mediawiki"
--- a/site-cookbooks/kosmos-mediawiki/recipes/default.rb
+++ b/site-cookbooks/kosmos-mediawiki/recipes/default.rb
@@ -1,9 +1,9 @@
 #
-# Cookbook:: kosmos-mediawiki
+# Cookbook Name:: kosmos-mediawiki
-# Recipe:: default.rb
+# Recipe:: default
 #
-apt_update
+include_recipe 'apt'
 include_recipe 'ark'
 include_recipe 'composer'
@@ -11,15 +11,15 @@ apt_package 'imagemagick'
 server_name = 'wiki.kosmos.org'
-node.override['mediawiki']['version'] = "1.34.2"
+node.override['mediawiki']['version']         = "1.34.2"
-node.override['mediawiki']['webdir'] = "#{node['mediawiki']['docroot_dir']}/mediawiki-#{node['mediawiki']['version']}"
+node.override['mediawiki']['webdir']          = "#{node['mediawiki']['docroot_dir']}/mediawiki-#{node['mediawiki']['version']}"
 node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz"
-node.override['mediawiki']['tarball']['url'] = "https://releases.wikimedia.org/mediawiki/1.34/#{node['mediawiki']['tarball']['name']}"
+node.override['mediawiki']['tarball']['url']  = "https://releases.wikimedia.org/mediawiki/1.34/#{node['mediawiki']['tarball']['name']}"
-node.override['mediawiki']['language_code'] = 'en'
+node.override['mediawiki']['language_code']   = 'en'
-node.override['mediawiki']['server_name'] = server_name
+node.override['mediawiki']['server_name']     = server_name
-node.override['mediawiki']['site_name'] = 'Kosmos Wiki'
+node.override['mediawiki']['site_name']       = 'Kosmos Wiki'
 protocol = node.chef_environment == "development" ? "http" : "https"
-node.override['mediawiki']['server'] = "#{protocol}://#{server_name}"
+node.override['mediawiki']['server']          = "#{protocol}://#{server_name}"
 mysql_credentials = data_bag_item('credentials', 'mysql')
 mediawiki_credentials = data_bag_item('credentials', 'mediawiki')
@@ -30,14 +30,14 @@ directory "#{node['mediawiki']['webdir']}/skins/common/images" do
  owner node['nginx']['user']
  group node['nginx']['group']
  recursive true
-  mode "750"
+  mode 0750
 end
 cookbook_file "#{node['mediawiki']['webdir']}/skins/common/images/kosmos.png" do
  source 'kosmos.png'
  owner node['nginx']['user']
  group node['nginx']['group']
-  mode "640"
+  mode 0640
 end
 directory "#{node['mediawiki']['webdir']}/.well-known/acme-challenge" do
@@ -80,14 +80,14 @@ nginx_certbot_site server_name
 # Extensions
 #
-mediawiki_credentials = data_bag_item('credentials', 'mediawiki')
+mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
 #
 # MediawikiHubot extension
 #
 # requires curl extension
-if platform?('ubuntu') && node["platform_version"].to_f < 16.04
+if platform?('ubuntu') && node[:platform_version].to_f < 16.04
  package "php5-curl"
 else
  package "php-curl"
@@ -100,7 +100,7 @@ ark "MediawikiHubot" do
  action :cherry_pick
 end
-hubot_credentials = data_bag_item('credentials', 'hal8000_xmpp')
+hubot_credentials = Chef::EncryptedDataBagItem.load('credentials', 'hal8000_xmpp')
 webhook_token = hubot_credentials['webhook_token']
 template "#{node['mediawiki']['webdir']}/extensions/MediawikiHubot/DefaultConfig.php" do
@@ -145,7 +145,7 @@ end
 ruby_block "configuration" do
  block do
-    # FIXME: This is internal Chef API and should not be used from recipes, as
+    # FIXME This is internal Chef API and should not be used from recipes, as
    # it is unsupported for that
    file = Chef::Util::FileEdit.new("#{node['mediawiki']['webdir']}/LocalSettings.php")
    file.search_file_replace_line(%r{\$wgLogo\ =\ \"\$wgResourceBasePath\/resources\/assets\/wiki.png\";},
@@ -235,7 +235,7 @@ wfLoadExtension( 'LDAPAuthentication2' );
 $wgGroupPermissions['*']['createaccount'] = false;
 $wgGroupPermissions['*']['autocreateaccount'] = true;
                                 EOF
-      )
+                                 )
      file.write_file
    end
@@ -247,7 +247,9 @@ end
 #
 file "#{node['mediawiki']['webdir']}/composer.local.json" do
-  requires = { "require": { "mediawiki/mermaid": "~1.0" } }.to_json
+  requires = { "require": {
    "mediawiki/mermaid": "~1.0"
  }}.to_json
  content requires
  owner node['nginx']['user']
  group node['nginx']['group']
--- a/site-cookbooks/kosmos-postfix/recipes/default.rb
+++ b/site-cookbooks/kosmos-postfix/recipes/default.rb
@@ -3,23 +3,20 @@
 # Recipe:: default
 #
-node.default["postfix"]["main"]["smtp_tls_CAfile"]  = "/etc/ssl/certs/ca-certificates.crt"
+node.default['postfix']['main']['smtp_tls_CAfile']  = '/etc/ssl/certs/ca-certificates.crt'
-node.default["postfix"]["main"]["smtpd_tls_CAfile"] = "/etc/ssl/certs/ca-certificates.crt"
+node.default['postfix']['main']['smtpd_tls_CAfile'] = '/etc/ssl/certs/ca-certificates.crt'
 return if node.run_list.roles.include?("email_server")
-smtp_credentials = Chef::EncryptedDataBagItem.load("credentials", "smtp")
+smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
-node.default["postfix"]["sasl"] = {
+node.default['postfix']['sasl']['smtp_sasl_user_name']        = smtp_credentials['user_name']
-  smtp_credentials["relayhost"] => {
+node.default['postfix']['sasl']['smtp_sasl_passwd']           = smtp_credentials['password']
-    "username" => smtp_credentials["user_name"],
+node.default['postfix']['sasl_password_file']                 = "#{node['postfix']['conf_dir']}/sasl_passwd"
-    "password" => smtp_credentials["password"]
+# Postfix doesn't support smtps relayhost, use STARTSSL instead
-  }
+node.default['postfix']['main']['relayhost']                  = smtp_credentials['relayhost']
-}
+node.default['postfix']['main']['smtp_sasl_auth_enable']      = 'yes'
 node.default['postfix']['main']['smtp_sasl_password_maps']    = "hash:#{node['postfix']['sasl_password_file']}"
 node.default['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
-# Postfix doesn"t support smtps relayhost, use STARTSSL instead
+include_recipe 'postfix::default'
 node.default["postfix"]["main"]["relayhost"]                  = smtp_credentials["relayhost"]
 node.default["postfix"]["main"]["smtp_sasl_auth_enable"]      = "yes"
 node.default["postfix"]["main"]["smtp_sasl_security_options"] = "noanonymous"
 include_recipe "postfix::default"
--- a/site-cookbooks/kosmos_assets/templates/nginx_conf_assets.erb
+++ b/site-cookbooks/kosmos_assets/templates/nginx_conf_assets.erb
@@ -3,7 +3,7 @@
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @domain %>;
  root /var/www/<%= @domain %>/site;
--- a/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
+++ b/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
@@ -9,7 +9,7 @@ upstream _discourse {
 server {
  server_name <%= @server_name %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
--- a/site-cookbooks/kosmos_drone/attributes/default.rb
+++ b/site-cookbooks/kosmos_drone/attributes/default.rb
@@ -1,6 +1,2 @@
 node.default["kosmos_drone"]["domain"] = "drone.kosmos.org"
 node.default["kosmos_drone"]["upstream_port"] = 80
 node.default["kosmos_drone"]["pg_host"] = "pg.kosmos.local"
 node.default["kosmos_drone"]["pg_port"] = 5432
 node.default["kosmos_drone"]["pg_db"] = "drone"
 node.default["kosmos_drone"]["pg_user"] = "drone"
--- a/site-cookbooks/kosmos_drone/recipes/default.rb
+++ b/site-cookbooks/kosmos_drone/recipes/default.rb
@@ -9,11 +9,11 @@ credentials = data_bag_item("credentials", "drone")
 drone_credentials = data_bag_item('credentials', 'drone')
 postgres_config = {
-  host: node["kosmos_drone"]["pg_host"],
+  username: "drone",
-  port: node["kosmos_drone"]["pg_port"],
+  password: drone_credentials["postgresql_password"],
-  database: node["kosmos_drone"]["pg_db"],
+  host: "pg.kosmos.local",
-  username: node["kosmos_drone"]["pg_user"],
+  port: 5432,
-  password: drone_credentials["postgresql_password"]
+  database: "drone"
 }
 directory deploy_path do
@@ -26,7 +26,7 @@ template "#{deploy_path}/docker-compose.yml" do
  mode 0640
  variables domain: node["kosmos_drone"]["domain"],
            upstream_port: node["kosmos_drone"]["upstream_port"],
-            gitea_server: "https://#{node["gitea"]["domain"]}",
+            gitea_server: "https://#{node["kosmos_gitea"]["nginx"]["domain"]}",
            client_id: credentials['client_id'],
            client_secret: credentials['client_secret'],
            rpc_secret: credentials['rpc_secret'],
--- a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb
+++ b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb
@@ -8,7 +8,7 @@ upstream _drone {
 server {
  server_name <%= @server_name %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
--- a/site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb
@@ -4,7 +4,7 @@ upstream garage_s3 {
 server {
  listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 http2 ssl;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
--- a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
@@ -1,6 +1,6 @@
 server {
  listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 http2 ssl;
  server_name <%= @server_name %>;
@@ -18,7 +18,6 @@ server {
  }
  location / {
    add_header 'Access-Control-Allow-Origin' '*' always;
    proxy_intercept_errors on;
    proxy_cache garage_cache;
    proxy_pass http://garage_web;
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@@ -1,27 +1,18 @@
-node.default["gitea"]["version"] = "1.25.4"
+node.default["gitea"]["version"] = "1.23.7"
-node.default["gitea"]["checksum"] = "a3031853e67c53714728ef705642c9046a11fb0ea356aff592e23efe6114607d"
+node.default["gitea"]["checksum"] = "3c0a7121ad1d9c525a92c68a7c040546553cd41e7464ce2fa811246b648c0a46"
 node.default["gitea"]["repo"] = nil
 node.default["gitea"]["revision"] = nil
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
 node.default["gitea"]["domain"] = "gitea.kosmos.org"
 node.default["gitea"]["email"] = "gitea@kosmos.org"
 node.default["gitea"]["config"] = {
  "log": {
    "level" => "Info",
    "logger.router.MODE" => "",
    "logger.xorm.MODE" => "",
    "logger.access.MODE" => ""
  },
  "actions": {
-    "enabled" => true
+    "enabled": true
  },
  "webhook":  {
    "allowed_host_list" => "external,127.0.1.1"
  }
 }
-node.default["gitea"]["act_runner"]["version"] = "0.2.13"
+node.default["gitea"]["act_runner"]["version"] = "0.2.6"
-node.default["gitea"]["act_runner"]["checksum"] = "3acac8b506ac8cadc88a55155b5d6378f0fab0b8f62d1e0c0450f4ccd69733e2"
+node.default["gitea"]["act_runner"]["checksum"] = "234c2bdb871e7b0bfb84697f353395bfc7819faf9f0c0443845868b64a041057"
--- a/site-cookbooks/kosmos_gitea/metadata.rb
+++ b/site-cookbooks/kosmos_gitea/metadata.rb
@@ -10,8 +10,5 @@ chef_version '>= 14.0'
 depends "firewall"
 depends "kosmos_openresty"
 depends "kosmos_postgresql"
 depends "kosmos-dirsrv"
 depends 'kosmos-nodejs'
 depends 'git'
 depends 'golang'
 depends "backup"
 depends "kosmos-dirsrv"
--- a/site-cookbooks/kosmos_gitea/recipes/compile_from_source.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/compile_from_source.rb
@@ -1,42 +0,0 @@
 #
 # Cookbook:: kosmos_gitea
 # Recipe:: compile_from_source
 #
 # Compiles/installs Gitea from source
 #
 include_recipe "git"
 node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
 include_recipe 'kosmos-nodejs'
 node.override["golang"]["version"] = "1.23.9"
 include_recipe "golang"
 link "/usr/local/bin/go" do
  to "/usr/local/go/bin/go"
 end
 source_dir = "/opt/gitea"
 git source_dir do
  repository node["gitea"]["repo"]
  revision node["gitea"]["revision"]
  action :sync
  notifies :run, "execute[npm_install]", :immediately
 end
 execute "npm_install" do
  cwd source_dir
  command "npm ci"
  action :nothing
  notifies :run, "bash[compile_gitea]", :immediately
 end
 bash "compile_gitea" do
  cwd source_dir
  environment "TAGS" => "bindata"
  code "make build"
  action :nothing
  notifies :restart, "service[gitea]", :delayed
 end
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -5,12 +5,11 @@
 version                   = node["gitea"]["version"]
 download_url              = "https://dl.gitea.io/gitea/#{version}/gitea-#{version}-linux-amd64"
 compile_from_source       = node["gitea"]["repo"] && node["gitea"]["revision"]
 working_directory         = node["gitea"]["working_directory"]
 git_home_directory        = "/home/git"
 repository_root_directory = "#{git_home_directory}/gitea-repositories"
 config_directory          = "/etc/gitea"
-gitea_binary_path         = compile_from_source ? "/opt/gitea/gitea" : "/usr/local/bin/gitea"
+gitea_binary_path         = "/usr/local/bin/gitea"
 gitea_data_bag_item       = data_bag_item("credentials", "gitea")
 smtp_credentials          = data_bag_item("credentials", "smtp")
 smtp_addr                 = smtp_credentials["relayhost"].split(":")[0]
@@ -19,17 +18,7 @@ jwt_secret                = gitea_data_bag_item["jwt_secret"]
 internal_token            = gitea_data_bag_item["internal_token"]
 secret_key                = gitea_data_bag_item["secret_key"]
-apt_repository "git-core-ppa" do
+# Dependency
  uri "http://ppa.launchpad.net/git-core/ppa/ubuntu"
  components ["main"]
  key "E1DF1F24"
  action :add
  only_if do
    node['platform'] == 'ubuntu' &&
      Gem::Version.new(node['platform_version']) < Gem::Version.new('22.04')
  end
 end
 package "git"
 user "git" do
@@ -37,13 +26,6 @@ user "git" do
  home "/home/git"
 end
 directory "/home/git/.ssh" do
  owner "git"
  group "git"
  mode "0700"
  recursive true
 end
 directory working_directory do
  owner "git"
  group "git"
@@ -96,8 +78,6 @@ if node.chef_environment == "production"
 end
 config_variables = {
  domain: node["gitea"]["domain"],
  email: node["gitea"]["email"],
  working_directory: working_directory,
  git_home_directory: git_home_directory,
  repository_root_directory: repository_root_directory,
@@ -118,16 +98,6 @@ config_variables = {
  s3_bucket: gitea_data_bag_item["s3_bucket"]
 }
 bash "Generate git ed25519 keypair" do
  user "git"
  group "git"
  cwd git_home_directory
  code <<-EOH
    ssh-keygen -t ed25519 -f #{git_home_directory}/.ssh/id_ed25519
  EOH
  creates "#{git_home_directory}/.ssh/id_ed25519"
 end
 template "#{config_directory}/app.ini" do
  source "app.ini.erb"
  owner "git"
@@ -138,15 +108,11 @@ template "#{config_directory}/app.ini" do
  notifies :restart, "service[gitea]", :delayed
 end
-if compile_from_source
+remote_file gitea_binary_path do
-  include_recipe "kosmos_gitea::compile_from_source"
+  source download_url
-else
+  checksum node['gitea']['checksum']
-  remote_file gitea_binary_path do
+  mode "0755"
-    source download_url
+  notifies :restart, "service[gitea]", :delayed
    checksum node['gitea']['checksum']
    mode "0755"
    notifies :restart, "service[gitea]", :delayed
  end
 end
 execute "systemctl daemon-reload" do
@@ -159,7 +125,7 @@ template "/etc/systemd/system/gitea.service" do
            git_home_directory: git_home_directory,
            config_directory: config_directory,
            gitea_binary_path: gitea_binary_path
-  notifies :run, "execute[systemctl daemon-reload]", :immediately
+  notifies :run, "execute[systemctl daemon-reload]", :delayed
 end
 service "gitea" do
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@@ -2,12 +2,12 @@ APP_NAME = Gitea
 RUN_MODE = prod
 [server]
-SSH_DOMAIN = <%= @domain %>
+SSH_DOMAIN       = gitea.kosmos.org
 HTTP_PORT        = 3000
 DISABLE_SSH      = false
 SSH_PORT         = 22
 PROTOCOL = http
-DOMAIN = <%= @domain %>
+DOMAIN = gitea.kosmos.org
 # Gitea is running behind an nginx reverse load balancer, use an HTTPS root URL
 ROOT_URL = https://%(DOMAIN)s
 # REDIRECT_OTHER_PORT = true
@@ -30,16 +30,6 @@ MAX_OPEN_CONNS = 20
 ROOT = <%= @repository_root_directory %>
 DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
 [repository.signing]
 SIGNING_KEY = <%= @git_home_directory %>/.ssh/id_ed25519.pub
 SIGNING_NAME = Gitea
 SIGNING_EMAIL = git@<%= @domain %>
 SIGNING_FORMAT = ssh
 INITIAL_COMMIT = always
 CRUD_ACTIONS = always
 WIKI = always
 MERGES = always
 # [indexer]
 # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
@@ -56,7 +46,7 @@ SMTP_ADDR = <%= @smtp_addr %>
 SMTP_PORT = <%= @smtp_port %>
 USER = <%= @smtp_user %>
 PASSWD = <%= @smtp_password %>
-FROM = <%= @email %>
+FROM = gitea@kosmos.org
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>
@@ -84,11 +74,8 @@ ENABLE_OPENID_SIGNIN = false
 ENABLE_OPENID_SIGNUP = false
 [log]
-MODE = console
+MODE      = console
-LEVEL = <%= @config["log"]["level"] %>
+LEVEL     = Debug
 logger.router.MODE = <%= @config["log"]["logger.router.MODE"] %>
 logger.xorm.MODE = <%= @config["log"]["logger.xorm.MODE"] %>
 logger.access.MODE = <%= @config["log"]["logger.access.MODE"] %>
 [attachment]
 ENABLED = true
--- a/Show More
+++ b/Show More
		`@@ -1,2 +0,0 @@`
			`node.default["kosmos-base"]["journald"]["system_max_use"] = "256M"`
			`node.default["kosmos-base"]["journald"]["max_retention_sec"] = "7d"`