Update node info

Upgrade ejabberd to 25.08
2025-09-21 12:43:49 +02:00 · 2025-09-21 12:42:29 +02:00
116 changed files with 414 additions and 1619 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -1,41 +0,0 @@
 # AGENTS.md
 Welcome, AI Agent! This file contains essential context and rules for interacting with the Kosmos Chef repository. Read this carefully before planning or executing any changes.
 ## 🏢 Project Overview
 This repository contains the infrastructure automation code used by Kosmos to provision and configure bare metal servers (KVM hosts) and Ubuntu virtual machines (KVM guests). 
 We use **Chef Infra**, managed locally via **Knife Zero** (agentless Chef), and **Berkshelf** for dependency management.
 ## 📂 Directory Structure & Rules
 * **`site-cookbooks/`**: 🟢 **EDITABLE.** This directory contains all custom, internal cookbooks written specifically for Kosmos services (e.g., `kosmos-postgresql`, `kosmos_gitea`, `kosmos-mastodon`). *Active development happens here.*
 * **`cookbooks/`**: 🔴 **DO NOT EDIT.** This directory contains third-party/community cookbooks that are vendored. These are managed by Berkshelf. Modifying them directly will result in lost changes.
 * **`roles/`**: 🟢 **EDITABLE.** Contains Chef roles written in Ruby (e.g., `base.rb`, `kvm_guest.rb`, `postgresql_primary.rb`). These define run-lists and role-specific default attributes for servers.
 * **`environments/`**: Contains Chef environment definitions (like `production.rb`).
 * **`data_bags/`**: Contains data bag configurations, often encrypted. Be cautious and do not expose secrets. (Note: Agents should not manage data bag secrets directly unless provided the `.chef/encrypted_data_bag_secret`).
 * **`nodes/`**: Contains JSON state files for bootstrapped nodes. *Agents typically do not edit these directly unless cleaning up a deleted node.*
 * **`Berksfile`**: Defines community cookbook dependencies.
 * **`Vagrantfile` / `.kitchen/`**: Used for local virtualization and integration testing.
 ## 🛠️ Tooling & Workflows
 1. **Dependency Management (Berkshelf)**
   If a new community cookbook is required:
   - Add it to the `Berksfile` at the root.
   - Instruct the user to run `berks install` and `berks vendor cookbooks/ --delete` (or run it via the `bash` tool if permitted).
 2. **Provisioning (Knife Zero)**
   - Bootstrapping and converging nodes is done using `knife zero`. 
   - *Example:* `knife zero converge name:server-name.kosmos.org`
 3. **Code Style & Conventions**
   - Chef recipes, resources, and roles are written in **Ruby**. 
   - Follow standard Chef and Ruby (RuboCop) idioms. Look at neighboring files in `site-cookbooks/` or `roles/` to match formatting and naming conventions.
 ## 🚨 Core Directives for AI Agents
 1. **Infrastructure as Code**: Manual server configurations are highly discouraged. All changes must be codified in a cookbook or role.
 2. **Test Safety Nets**: Look for `.kitchen.yml` within specific `site-cookbooks/<name>` to understand if local integration tests are available.
 3. **No Assumptions**: Do not assume standard test commands. Check `README.md` and repository config files first.
 4. **Secret Handling**: Avoid hardcoding passwords or API keys in recipes or roles. Assume sensitive information is managed via Chef `data_bags`.
--- a/1
+++ b/1
@@ -24,7 +24,6 @@ cookbook 'composer',               '~> 2.7.0'
 cookbook 'fail2ban',               '~> 7.0.4'
 cookbook 'git',                    '~> 10.0.0'
 cookbook 'golang',                 '~> 5.3.1'
 cookbook 'homebrew',               '>= 6.0.0'
 cookbook 'hostname',               '= 0.4.2'
 cookbook 'hostsfile',              '~> 3.0.1'
 cookbook 'java',                   '~> 4.3.0'
--- a/Berksfile.lock
+++ b/Berksfile.lock
@@ -8,7 +8,6 @@ DEPENDENCIES
  firewall (~> 6.2.16)
  git (~> 10.0.0)
  golang (~> 5.3.1)
  homebrew (>= 6.0.0)
  hostname (= 0.4.2)
  hostsfile (~> 3.0.1)
  ipfs
@@ -63,7 +62,7 @@ GRAPH
  git (10.0.0)
  golang (5.3.1)
    ark (>= 6.0)
-  homebrew (6.0.2)
+  homebrew (5.4.1)
  hostname (0.4.2)
    hostsfile (>= 0.0.0)
  hostsfile (3.0.1)
--- a/clients/garage-12.json
+++ b/clients/garage-12.json
@@ -1,4 +0,0 @@
 {
  "name": "garage-12",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9GtHHi298BjiIqpZ3WkT\nkYAPfWD60hFe/8icYcq/F/6cHLYKZQ4chek9X/hDCMq4tHEN6Oh58T5x/nuNdPrK\nIAMGyVAGk6ekWlmD4jwdEf6TGb/J3ffJTRDvwX/I8xD/DW3wtXsN+X24T59ByGTm\nrnwRmmmwHF3otRx9wnCsIgDQ0AjiUujsfNNv1FcLXD/WJLys9lEeU5aJ4XtHTwDv\ntJM8YyVEFhEnuvgdKmzn5+F5k9VGdUwForlFOBfvzbCnTZMDMmDVeiUtAUv/7xWQ\nQl2mLUGCtgWuYJYXsQacAJ6pa3h+7cQyshC6w3dwUG+1fS9lNO0Yp1GGX1AGYKpp\nPQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-13.json
+++ b/clients/garage-13.json
@@ -1,4 +0,0 @@
 {
  "name": "garage-13",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvbqWc6OwRxgHfsQuTNL4\naxeVvNen5d9srYpZSHjuBB/k9NHB+9P6vU5qF37XHkw1lVUGeYbPHzhYsx3O0/kZ\nH5f4+4SMy/P9jc6SE7AJF4qtYKgJ88koZdqCww07c6K9g+BnEGFFZui/h3hUBxWj\nTfhBHEWPyQ2bl/lr9sIJwsEz+EN0isGn/eIXkmw9J6LdLJ5Q0LLks33K28FNOU7q\nfeAN4MiBVMUtgCGyT2Voe6WrOXwQLSDXQONOp3sfSfFExsIJ1s24xdd7AMD7/9a7\n4sFDZ4swhqAWgWmW2giR7Kb8wTvGQLO/O/uUbmKz3DZXgkOKXHdHCEB/PZx1mRNM\nEwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-14.json
+++ b/clients/garage-14.json
@@ -1,4 +0,0 @@
 {
  "name": "garage-14",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAypINv1zTZ7+pyT0iRhik\n0W70ASYADo7qK7QyE9/3nu2sUrP1IjoNFsv/ceKwicH7Fw2Ei1o+yKZlKn7zJzY7\n93YRZndF04VH2bmqy0uOWK0Bdat7gCld5bvS6FmRflg7g64LFb33/64QIVsVGHGL\nYF2TO//x79t9JKcQDa4h5MOWzJNTFuEcUGa0gJjMYpWGVHEJSgRuIgyhXmyIJJgY\nguj6ymTm5+3VS7NzoNy2fbTt1LRpHb5UWrCR15oiLZiDSMLMx0CcGOCmrhvODi4k\n0umw+2NPd1G50s9z7KVbTqybuQ65se2amRnkVcNfaBIU5qk9bVqcmhZlEozmBZCd\ndwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-15.json
+++ b/clients/garage-15.json
@@ -1,4 +0,0 @@
 {
  "name": "garage-15",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy14sTt5gxVZi9C3KIEBu\nDyUgbb6jc3/GR22fNPTqV6uDHhxzhE2UsYwY/7yuA1RasdwHEOBWZaoC0Om5/Zmi\n8gn6//v1ILyLNaAcw+SQcxZkCN8Sk/0atRS9HYk1agE8Mvh72Fe2z3l+92VMefy7\nJwJUNNBTbnV2WVCchChoWnfhI7bkSLSHp0M2MO2pI+lkpSdmfkJSa5z9zihgxKO8\nXfvhryDCZNvfRVHhwc+ffpap0gLF0H9riGKE4FwLy4YqbuW1Tgm6bObb9bpOIw6Q\nVfH3kC/KMK5FlnxGmYtDkhRJ/wjGInRBk9WK/QOmjyd2FVxipEQmA4RdjlznRC9I\nrwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/leo.json
+++ b/clients/leo.json
@@ -1,4 +0,0 @@
 {
  "name": "leo",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnFfQsJnREjbXTtpT6BVt\naBaUzRmCQi8Du0TzeUG0ENrY0p5Exqleye2rC6bJlB3PER1xr5zdtuXLgbcVumIb\nzroU5JPtFbQk7r/pj0atT+UEYzl16iuEpprQ/bug+f0nE514USr6YG4G+tlZ/jBI\nSHsCQF1P8ufXFLW0ewC7rdvBkgA+DwK14naRxS4jO5MSl4wmNTjs/jymTg508mQq\nf5tG52t8qFdgn9pRdBXmyTpPtwK7I4rZ+1Qn+1E5m4oQUZsxh8Ba1bGbKotVO7Ua\nYL1yCGx7zRRUvLLIdSMvlRXTJBUSQtQ8P4QUDWTY1Na2w3t9sulKg2Lwsw8tktvC\nCwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-10.json
+++ b/clients/postgres-10.json
@@ -1,4 +0,0 @@
 {
  "name": "postgres-10",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2oBb5omC7ZionWhudgFm\n2NGcRXsI0c7+g1+0duaxj5dziaRTltqzpRJTfiJD6R36FcvEqwGc+qQgYSMzc1Xd\nY4OTvJFIDiFAmROm/DZYgFtTDldVNJZO2bbU3COYf/Z2Poq56gC4zLLd/zf6shgb\n2Mty8PlQ82JJAY9EMI3aAifdnZ1k/g4weFC4LFg9lUcNNXOwlAjp//LJ3ku3aY1r\nwW74msSeWEjE44YZdWyMYgM7Fy1hz5giHFQtRdOLemRCWQ8h26wn/cmWld7lsLg+\nlYqxokxWXGv8r5zR8kDTBkd0dxY7ZMbo7oESY4Uhuf4UReMe2ZGHto1E7w3llSj+\n7wIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-11.json
+++ b/clients/postgres-11.json
@@ -1,4 +0,0 @@
 {
  "name": "postgres-11",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1foYpuubS2ovlg3uHO12\nQ/ROZ8MpG+LkCAM46uVfPaoWwfY0vdfMsBOanHDgm9DGUCEBJZ6LPrvCvGXbpPy6\n9GSswK75zVWODblNjvvV4ueGFq4bBFwRuZNjyMlqgyzeU+srZL0ivelu5XEuGuoD\nPYCBKWYqGMz85/eMC7/tinTJtKPyOtXe/G8meji+r7gh3j+ypj/EWeKfcRDa4aGe\n/DmMCurIjjPAXFLMAA6fIqPWVfcPw4APNPE60Z92yPGsTbPu7bL54M5f7udmmu7H\nOgk1HjMAmXCuLDzTkfaxqHP+57yELg/YpXR1E93VmBeQuIBsyOFEk6AmUmA1Ib6e\nnQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-12.json
+++ b/clients/postgres-12.json
@@ -1,4 +0,0 @@
 {
  "name": "postgres-12",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1mYGrYB8keUKmXA8dhWc\ncCLzp50xR0ajSw+bWYydyRqD5wuEVKjiJu4+G9QmTVXkVgJ+AYI0Y9/WZYpDqVH6\nvLUo6BSNQaWx20q93qIdOGLy8YG3Qyznezk4l8T9u9vWZDyDpKw6gCxzikMkrXxb\n0cqOYtyud8+PtSEEMogSjOKhRURVHlVrlVH3SQO7Whke9rkiFcbXzubsK9yjkUtF\nxZafSoGorOlDsPvFTfYnkepVB+GHcgiribRYSrO+73GypC2kqMhCpWrb6a0VWsP/\nh53+q3JL3vBvdvjcv51Wpf4n6JdnXnQGn2/MdXEzw+NXgjU4/IdYtbORSbaI8F5t\nowIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-7.json
+++ b/clients/postgres-7.json
@@ -0,0 +1,4 @@
 {
  "name": "postgres-7",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-9.json
+++ b/clients/postgres-9.json
@@ -1,4 +0,0 @@
 {
  "name": "postgres-9",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2dcE9HH0r5TBb/FGj2+e\nOw8ssoxeB61JmR4/psdZ6oPR08gxyqOY0ODziCmyIdXwFhjIcC44HjxCbcB8TU8G\nWGqlmfqWWIJW0x/2xOycHobAWDn5fC5ttTXkR3HC1TutX/2mH26mtfz9UjNdPaTo\nVZFMcxeaBCFSNlYC7hPUQ5f/qBdhhpLxP9uyzU+YFPqtwLP7g8EAUQObM4L+m6Q8\nqE7xgYpnhgaNrPsmvaVuoNylMGwyK0j1whOkcik8UgLprD70ISNSNxxcLehbvA3G\nPQPQRRuFF36fu2gECWGopbrFKwQGNfgJguQoXM1RQZQMQqWHPS933k5i6bi5pnhp\nzwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/rsk-testnet-6.json
+++ b/clients/rsk-testnet-6.json
@@ -1,4 +0,0 @@
 {
  "name": "rsk-testnet-6",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl1p4+F536/peA4XWMJtm\njggPl6yJb42V5bg3kDa8SHoIoQgXn59d3BclZ1Oz2+JhFd3Rrn4FN3Z1wzGpP+gA\nnxQOfgRG1ucahh7Nxaw3IdoHm7r/EdEOc9FrxvGJ+09YnmLfzn4iVQpsUiOiNVS7\n0LXtMXYtsjD+o6BTbOhGU8FMmGhMhQfXFVgoDdTiM/Q62zPw8Vtpa3yFpFJAu+dA\n+mm5h5W6FnaWJXM2arn3PxDOt+JQSWp5PYG4goU1FFreU9iFuoeGEfLy8unlbbXt\ne96QhNuCkOA15xqta0Z3oL7IlXWns7dLgZYlpZT9zaExIs3AEDaQcleacQPzXKSG\nswIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/cookbooks/homebrew/.markdownlint-cli2.yaml
+++ b/cookbooks/homebrew/.markdownlint-cli2.yaml
@@ -3,5 +3,3 @@ config:
  line-length: false # MD013
  no-duplicate-heading: false # MD024
  reference-links-images: false # MD052
 ignores:
  - .github/copilot-instructions.md
--- a/cookbooks/homebrew/CHANGELOG.md
+++ b/cookbooks/homebrew/CHANGELOG.md
@@ -2,48 +2,6 @@
 This file is used to list changes made in each version of the homebrew cookbook.
 ## 6.0.2 - *2025-09-04*
 Standardise files with files in sous-chefs/repo-management
 Standardise files with files in sous-chefs/repo-management
 ## 6.0.1 - *2025-03-24*
 ## 6.0.0 - *2025-03-17*
 - Updated library call for new homebrew class name found in chef-client 18.6.2+ releases
 ## 5.4.9 - *2024-11-18*
 Standardise files with files in sous-chefs/repo-management
 Standardise files with files in sous-chefs/repo-management
 Standardise files with files in sous-chefs/repo-management
 Standardise files with files in sous-chefs/repo-management
 Standardise files with files in sous-chefs/repo-management
 ## 5.4.8 - *2024-05-07*
 ## 5.4.7 - *2024-05-06*
 - Explicitly include `Which` module from `Chef` which fixes runs on 18.x clients.
 ## 5.4.6 - *2024-05-06*
 ## 5.4.5 - *2023-11-01*
 Standardise files with files in sous-chefs/repo-management
 ## 5.4.4 - *2023-09-28*
 ## 5.4.3 - *2023-09-04*
 ## 5.4.2 - *2023-07-10*
 ## 5.4.1 - *2023-06-01*
 ## 5.4.0 - *2023-04-24*
--- a/cookbooks/homebrew/libraries/helpers.rb
+++ b/cookbooks/homebrew/libraries/helpers.rb
@@ -20,9 +20,8 @@
 #
 class HomebrewUserWrapper
-  require 'chef/mixin/homebrew'
+  require 'chef/mixin/homebrew_user'
-  include Chef::Mixin::Homebrew
+  include Chef::Mixin::HomebrewUser
  include Chef::Mixin::Which
 end
 module Homebrew
@@ -60,17 +59,41 @@ module Homebrew
  def owner
    @owner ||= begin
-                 HomebrewUserWrapper.new.find_homebrew_username
+      # once we only support 14.0 we can switch this to find_homebrew_username
-               rescue
+      require 'etc'
-                 Chef::Exceptions::CannotDetermineHomebrewPath
+      ::Etc.getpwuid(HomebrewUserWrapper.new.find_homebrew_uid).name
               rescue Chef::Exceptions::CannotDetermineHomebrewOwner
                 calculate_owner
    end.tap do |owner|
      Chef::Log.debug("Homebrew owner is #{owner}")
    end
  end
  private
  def calculate_owner
    owner = homebrew_owner_attr || sudo_user || current_user
    if owner == 'root'
      raise Chef::Exceptions::User,
           "Homebrew owner is 'root' which is not supported. " \
           "To set an explicit owner, please set node['homebrew']['owner']."
    end
    owner
  end
  def homebrew_owner_attr
    Chef.node['homebrew']['owner']
  end
  def sudo_user
    ENV['SUDO_USER']
  end
  def current_user
    ENV['USER']
  end
 end unless defined?(Homebrew)
 class HomebrewWrapper
  include Homebrew
 end
 Chef::Mixin::Homebrew.include(Homebrew)
--- a/cookbooks/homebrew/metadata.json
+++ b/cookbooks/homebrew/metadata.json
@@ -17,13 +17,13 @@
  "recipes": {
  },
-  "version": "6.0.2",
+  "version": "5.4.1",
  "source_url": "https://github.com/sous-chefs/homebrew",
  "issues_url": "https://github.com/sous-chefs/homebrew/issues",
  "privacy": false,
  "chef_versions": [
    [
-      ">= 18.6.2"
+      ">= 15.3"
    ]
  ],
  "ohai_versions": [
--- a/cookbooks/homebrew/metadata.rb
+++ b/cookbooks/homebrew/metadata.rb
@@ -3,9 +3,9 @@ maintainer       'Sous Chefs'
 maintainer_email 'help@sous-chefs.org'
 license          'Apache-2.0'
 description      'Install Homebrew and includes resources for working with taps and casks'
-version          '6.0.2'
+version          '5.4.1'
 supports         'mac_os_x'
 source_url 'https://github.com/sous-chefs/homebrew'
 issues_url 'https://github.com/sous-chefs/homebrew/issues'
-chef_version '>= 18.6.2'
+chef_version '>= 15.3'
--- a/cookbooks/homebrew/renovate.json
+++ b/cookbooks/homebrew/renovate.json
@@ -1,10 +1,9 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
-  "packageRules": [
+  "packageRules": [{
    {
      "groupName": "Actions",
-      "matchUpdateTypes": ["minor", "patch", "pin"],
+      "matchUpdateTypes": ["patch", "pin", "digest"],
      "automerge": true,
      "addLabels": ["Release: Patch", "Skip: Announcements"]
    },
--- a/cookbooks/homebrew/resources/cask.rb
+++ b/cookbooks/homebrew/resources/cask.rb
@@ -19,7 +19,6 @@
 # limitations under the License.
 #
 unified_mode true
 chef_version_for_provides '< 14.0' if respond_to?(:chef_version_for_provides)
 property :cask_name, String, regex: %r{^[\w/-]+$}, name_property: true
--- a/cookbooks/homebrew/resources/tap.rb
+++ b/cookbooks/homebrew/resources/tap.rb
@@ -19,7 +19,6 @@
 # limitations under the License.
 #
 unified_mode true
 chef_version_for_provides '< 14.0' if respond_to?(:chef_version_for_provides)
 property :tap_name, String, name_property: true, regex: %r{^[\w-]+(?:\/[\w-]+)+$}
--- a/data_bags/credentials/gandi_api.json
+++ b/data_bags/credentials/gandi_api.json
@@ -1,16 +1,23 @@
 {
  "id": "gandi_api",
  "key": {
    "encrypted_data": "lU7/xYTmP5Sb6SsK5TNNIyegWozzBtUzpg7oDdl6gcz9FEMmG2ft0Ljh5Q==\n",
    "iv": "EZPQD3C+wsP/mBhF\n",
    "auth_tag": "vF9E8Pj4Z8quJJdOMg/QTw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "access_token": {
-    "encrypted_data": "+skwxHnpAj/3d3e2u7s7B9EydbETj8b0flWahvb5gt/o4JYFWHrhIyX/0IVa\n4wgmu08eDgU51i0knGA=\n",
+    "encrypted_data": "1Uw69JkNrmb8LU/qssuod1SlqxxrWR7TJQZeeivRrNzrMIVTEW/1uwJIYL6b\nM4GeeYl9lIRlMMmLBkc=\n",
-    "iv": "ONKrFCt8Oj3GKIQ5\n",
+    "iv": "cc1GJKu6Cf4DkIgX\n",
-    "auth_tag": "j9Hrk8ZZFMQub4NUO+2e4g==\n",
+    "auth_tag": "ERem4S7ozG695kjvWIMghw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "domains": {
-    "encrypted_data": "lGfoPHdXEYYdJmoIA9M119wjVl1v4UzIv5gHADwx0A==\n",
+    "encrypted_data": "scZ5blsSjs54DlitR7KZ3enLbyceOR5q0wjHw1golQ==\n",
-    "iv": "q6XKbxhW7X9ONxNt\n",
+    "iv": "oDcHm7shAzW97b4t\n",
-    "auth_tag": "ns9WJH8Oe75siWu+sOZkRg==\n",
+    "auth_tag": "62Zais9yf68SwmZRsmZ3hw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/doc/postgres/migration.md
+++ b/doc/postgres/migration.md
@@ -1,287 +0,0 @@
 # Migrating PostgreSQL cluster to a new major version
 ## Summary
 1. Dump from a replica
 2. Restore to fresh VM running new major version
 3. Add logical replication for delta sync from current/old primary
 4. Switch primary to new server
 5. Remove logical replication on new server
 ## Runbook
 * Primary host: `PRIMARY_HOST`
 * Replica host: `REPLICA_HOST`
 * New PG14 host: `NEW_HOST`
 * PostgreSQL superuser: `postgres`
 * Running locally on each machine via `sudo -u postgres`
 Adjust hostnames/IPs/etc. where needed.
 ---
 ### 🟢 0. PRIMARY — Pre-checks
 ```bash
 sudo -u postgres psql -c "SHOW wal_level;"
 sudo -u postgres psql -c "SHOW max_replication_slots;"
 ```
 If needed, edit config:
 ```bash
 sudo -u postgres vi $PGDATA/postgresql.conf
 ```
 Ensure:
 ```conf
 wal_level = logical
 max_replication_slots = 10
 ```
 Restart if changed:
 ```bash
 sudo systemctl restart postgresql
 ```
 ---
 ### 🔵🟡 3. Create keypair for syncing dump later
 🔵 On NEW_HOST:
 ```bash
 sudo mkdir -p /home/postgres/.ssh && \
 sudo chown -R postgres:postgres /home/postgres && \
 sudo chmod 700 /home/postgres/.ssh && \
 sudo -u postgres bash -c 'ssh-keygen -t ecdsa -b 256 -f /home/postgres/.ssh/id_ecdsa -N "" -C "postgres@$(hostname)"' && \
 sudo cat /home/postgres/.ssh/id_ecdsa.pub
 ```
 Copy the public key from the above output
 🟡 On replica:
 ```bash
 sudo mkdir -p /home/postgres/.ssh && \
 sudo chown -R postgres:postgres /home/postgres && \
 sudo chmod 700 /home/postgres/.ssh && \
 echo [public_key] | sudo tee /home/postgres/.ssh/authorized_keys > /dev/null && \
 sudo chmod 700 /home/postgres/.ssh
 ```
 ---
 ### 🟢 1. PRIMARY — Create publication and replication slots
 ```bash
 sudo -u postgres pg_create_replication_publications
 ```
 or
 ```bash
 sudo -u postgres pg_create_replication_publication [db_name]
 ```
 Listing publications and slots:
 ```bash
 sudo -u postgres pg_list_replication_publications
 sudo -u postgres pg_list_replication_slots
 ```
 ---
 ### 🟡 3. REPLICA — Pause replication
 ```bash
 sudo -u postgres psql -c "SELECT pg_wal_replay_pause();"
 ```
 Verify:
 ```bash
 sudo -u postgres psql -c "SELECT pg_is_wal_replay_paused();"
 ```
 ---
 ### 🟡 4. REPLICA — Run dump
 ```bash
 sudo -u postgres pg_dump_all_databases
 ```
 or
 ```bash
 sudo -u postgres bash -c "pg_dumpall --globals-only > /tmp/globals.sql"
 sudo -u postgres pg_dump_database [db_name]
 ```
 ---
 ### 🟡 5. REPLICA — Resume replication
 ```bash
 sudo -u postgres psql -c "SELECT pg_wal_replay_resume();"
 ```
 ---
 ### 🔵 6. COPY dumps to NEW HOST
 From NEW_HOST:
 ```bash
 export REPLICA_HOST=[private_ip] && \
 cd /tmp && \
 sudo -u postgres scp "postgres@$REPLICA_HOST:/tmp/globals.sql" . && \
 sudo -u postgres scp "postgres@$REPLICA_HOST:/tmp/dump_*.tar.zst" .
 ```
 ---
 ### 🔵 7. NEW HOST (PostgreSQL 14) — Restore
 #### 7.1 Restore globals
 ```bash
 sudo -u postgres psql -f /tmp/globals.sql
 ```
 ---
 #### 7.2 Create databases
 ```bash
 sudo -u postgres psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template1')" | \
 xargs -I{} sudo -u postgres createdb {}
 ```
 or
 ```bash
 sudo -u postgres createdb [db_name]
 ```
 ---
 #### 7.3 Restore each database
 ```bash
 sudo -u postgres pg_restore_all_databases
 ```
 or
 ```bash
 sudo -u postgres pg_restore_database [db_name]
 ```
 ---
 ### 🔵 8. NEW HOST — Create subscriptions
 ```bash
 sudo -u postgres pg_create_replication_subscriptions
 ```
 or
 ```bash
 sudo -u postgres pg_create_replication_subscription [db_name]
 ```
 ---
 ### 🔵 9. NEW HOST — Monitor replication
 ```bash
 sudo -u postgres pg_list_replication_subscriptions
 ```
 ---
 ### 🔴 11. CUTOVER
 #### 11.1 Stop writes on old primary
 Put app(s) in maintenance mode, stop the app/daemons.
 ---
 #### 11.2 Wait for replication to catch up
 TODO: not the best way to check, since WAL LSNs keep increasing
 ```bash
 sudo -u postgres psql -d [db_name] -c "SELECT * FROM pg_stat_subscription;"
 ```
 ---
 #### 11.3 Fix sequences
 Run per DB:
 ```bash
 sudo -u postgres pg_fix_sequences_in_all_databases
 ```
 or
 ```bash
 sudo -u postgres pg_fix_sequences [db_name]
 ```
 ---
 #### 11.4 Point app to NEW_HOST
 1. Update `pg.kosmos.local` in `/etc/hosts` on app server(s). For example:
   ```bash
   export NEW_PG_PRIMARY=[private_ip]
   knife ssh roles:ejabberd -a knife_zero.host "sudo sed -r \"s/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\s(pg.kosmos.local)/$NEW_PG_PRIMARY\t\1/\" -i /etc/hosts"
   ```
   Or override node attribute(s) if necessary and/or approporiate.
 2. Start the app/daemons, and deactivate maintenance mode.
 ---
 ### 🧹 12. CLEANUP NEW_HOST
 ```bash
 sudo -u postgres pg_drop_replication_subscriptions
 ```
 ---
 ### 🧹 13. CLEANUP PRIMARY
 TODO: Looks like slots are dropped automatically, when subscriptions are dropped
 ```bash
 sudo -u postgres pg_drop_replication_publications
 ```
 ---
 ### 🧹 13. CLEANUP Chef
 Once all apps/databases are migrated, update the role in the node
 config of the new primary to 'postgres_primary' and converge it.
 Also delete the old primary node config from the Chef repo.
 ---
 ### ✅ DONE
 ---
--- a/nodes/akkounts-1.json
+++ b/nodes/akkounts-1.json
@@ -9,7 +9,7 @@
  "automatic": {
    "fqdn": "akkounts-1",
    "os": "linux",
-    "os_version": "5.4.0-223-generic",
+    "os_version": "5.4.0-216-generic",
    "hostname": "akkounts-1",
    "ipaddress": "192.168.122.160",
    "roles": [
@@ -67,13 +67,13 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.10.17",
+        "version": "18.2.7",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.2.13",
+        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
      }
    }
  },
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@@ -8,7 +8,7 @@
  "automatic": {
    "fqdn": "bitcoin-2",
    "os": "linux",
-    "os_version": "5.4.0-216-generic",
+    "os_version": "5.4.0-163-generic",
    "hostname": "bitcoin-2",
    "ipaddress": "192.168.122.148",
    "roles": [
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@@ -12,7 +12,6 @@
    },
    "openresty": {
      "listen_ip": "148.251.237.111",
      "listen_ipv6": "2a01:4f8:202:804a::2",
      "log_formats": {
        "json": "{\"ip\":\"$remote_addr\",\"time\":\"$time_local\",\"host\":\"$host\",\"method\":\"$request_method\",\"uri\":\"$uri\",\"status\":$status,\"size\":$body_bytes_sent,\"referer\":\"$http_referer\",\"upstream_addr\":\"$upstream_addr\",\"upstream_response_time\":\"$upstream_response_time\",\"ua\":\"$http_user_agent\"}"
      }
@@ -82,7 +81,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -75,7 +75,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/garage-12.json
+++ b/nodes/garage-12.json
@@ -1,65 +0,0 @@
 {
  "name": "garage-12",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.224"
    }
  },
  "automatic": {
    "fqdn": "garage-12",
    "os": "linux",
    "os_version": "5.15.0-1059-kvm",
    "hostname": "garage-12",
    "ipaddress": "192.168.122.173",
    "roles": [
      "base",
      "kvm_guest",
      "garage_node"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_garage",
      "kosmos_garage::default",
      "kosmos_garage::firewall_rpc",
      "kosmos_garage::firewall_apis",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
      "firewall::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.7.10",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.2.5",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[garage_node]"
  ]
 }
--- a/nodes/garage-14.json
+++ b/nodes/garage-14.json
@@ -1,65 +0,0 @@
 {
  "name": "garage-14",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.151"
    }
  },
  "automatic": {
    "fqdn": "garage-14",
    "os": "linux",
    "os_version": "5.15.0-1095-kvm",
    "hostname": "garage-14",
    "ipaddress": "192.168.122.36",
    "roles": [
      "base",
      "kvm_guest",
      "garage_node"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_garage",
      "kosmos_garage::default",
      "kosmos_garage::firewall_rpc",
      "kosmos_garage::firewall_apis",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
      "firewall::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.10.17",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.2.13",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[garage_node]"
  ]
 }
--- a/nodes/garage-15.json
+++ b/nodes/garage-15.json
@@ -1,65 +0,0 @@
 {
  "name": "garage-15",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.82"
    }
  },
  "automatic": {
    "fqdn": "garage-15",
    "os": "linux",
    "os_version": "5.15.0-1095-kvm",
    "hostname": "garage-15",
    "ipaddress": "192.168.122.57",
    "roles": [
      "base",
      "kvm_guest",
      "garage_node"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_garage",
      "kosmos_garage::default",
      "kosmos_garage::firewall_rpc",
      "kosmos_garage::firewall_apis",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
      "firewall::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.10.17",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.2.13",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[garage_node]"
  ]
 }
--- a/nodes/gitea-2.json
+++ b/nodes/gitea-2.json
@@ -50,6 +50,13 @@
      "postfix::sasl_auth",
      "hostname::default",
      "firewall::default",
      "kosmos_gitea::compile_from_source",
      "git::default",
      "git::package",
      "kosmos-nodejs::default",
      "nodejs::nodejs_from_package",
      "nodejs::repo",
      "golang::default",
      "backup::default",
      "logrotate::default"
    ],
--- a/nodes/leo.json
+++ b/nodes/leo.json
@@ -1,56 +0,0 @@
 {
  "name": "leo",
  "normal": {
    "knife_zero": {
      "host": "leo.kosmos.org"
    }
  },
  "automatic": {
    "fqdn": "leo",
    "os": "linux",
    "os_version": "5.15.0-173-generic",
    "hostname": "leo",
    "ipaddress": "5.9.81.116",
    "roles": [
      "base"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::host",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.10.17",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.2.13",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "recipe[kosmos_kvm::host]"
  ]
 }
--- a/nodes/postgres-11.json
+++ b/nodes/postgres-11.json
@@ -1,17 +1,16 @@
 {
-  "name": "postgres-11",
+  "name": "postgres-6",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.91"
+      "host": "10.1.1.196"
    }
  },
  "automatic": {
-    "fqdn": "postgres-11",
+    "fqdn": "postgres-6",
    "os": "linux",
-    "os_version": "5.15.0-1095-kvm",
+    "os_version": "5.4.0-173-generic",
-    "hostname": "postgres-11",
+    "hostname": "postgres-6",
-    "ipaddress": "192.168.122.142",
+    "ipaddress": "192.168.122.60",
    "roles": [
      "base",
      "kvm_guest",
@@ -22,20 +21,18 @@
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::primary",
      "kosmos_postgresql::firewall",
      "kosmos-akkounts::pg_db",
      "kosmos-bitcoin::lndhub-go_pg_db",
      "kosmos-bitcoin::nbxplorer_pg_db",
      "kosmos_drone::pg_db",
      "kosmos_gitea::pg_db",
      "kosmos-mastodon::pg_db",
      "kosmos_postgresql::firewall",
      "kosmos_postgresql::management_scripts",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@@ -47,17 +44,17 @@
      "hostname::default"
    ],
    "platform": "ubuntu",
-    "platform_version": "22.04",
+    "platform_version": "20.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.10.17",
+        "version": "18.4.2",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.2/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.2.13",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
--- a/nodes/postgres-12.json
+++ b/nodes/postgres-12.json
@@ -1,5 +1,5 @@
 {
-  "name": "postgres-12",
+  "name": "postgres-7",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
@@ -7,11 +7,11 @@
    }
  },
  "automatic": {
-    "fqdn": "postgres-12",
+    "fqdn": "postgres-7",
    "os": "linux",
-    "os_version": "5.15.0-1096-kvm",
+    "os_version": "5.4.0-1123-kvm",
-    "hostname": "postgres-12",
+    "hostname": "postgres-7",
-    "ipaddress": "192.168.122.139",
+    "ipaddress": "192.168.122.89",
    "roles": [
      "base",
      "kvm_guest",
@@ -24,7 +24,6 @@
      "kosmos_postgresql::hostsfile",
      "kosmos_postgresql::replica",
      "kosmos_postgresql::firewall",
      "kosmos_postgresql::management_scripts",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@@ -42,17 +41,17 @@
      "hostname::default"
    ],
    "platform": "ubuntu",
-    "platform_version": "22.04",
+    "platform_version": "20.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.10.17",
+        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.2.13",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
--- a/nodes/postgres-8.json
+++ b/nodes/postgres-8.json
@@ -1,36 +1,34 @@
 {
-  "name": "garage-13",
+  "name": "postgres-8",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.179"
+      "host": "10.1.1.99"
    }
  },
  "automatic": {
-    "fqdn": "garage-13",
+    "fqdn": "postgres-8",
    "os": "linux",
    "os_version": "5.15.0-1059-kvm",
-    "hostname": "garage-13",
+    "hostname": "postgres-8",
-    "ipaddress": "192.168.122.27",
+    "ipaddress": "192.168.122.100",
    "roles": [
      "base",
      "kvm_guest",
-      "garage_node"
+      "postgresql_replica"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
-      "kosmos_garage",
+      "kosmos_postgresql::hostsfile",
-      "kosmos_garage::default",
+      "kosmos_postgresql::replica",
-      "kosmos_garage::firewall_rpc",
+      "kosmos_postgresql::firewall",
      "kosmos_garage::firewall_apis",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@@ -39,27 +37,26 @@
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
-      "hostname::default",
+      "hostname::default"
      "firewall::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.7.10",
+        "version": "18.5.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.2.5",
+        "version": "18.1.11",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
-    "role[garage_node]"
+    "role[postgresql_replica]"
  ]
 }
--- a/nodes/rsk-testnet-6.json
+++ b/nodes/rsk-testnet-6.json
@@ -1,60 +0,0 @@
 {
  "name": "rsk-testnet-6",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.20"
    }
  },
  "automatic": {
    "fqdn": "rsk-testnet-6",
    "os": "linux",
    "os_version": "6.8.0-107-generic",
    "hostname": "rsk-testnet-6",
    "ipaddress": "192.168.122.231",
    "roles": [
      "base",
      "kvm_guest",
      "rskj_testnet"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_rsk::rskj",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
      "kosmos_rsk::firewall",
      "firewall::default"
    ],
    "platform": "ubuntu",
    "platform_version": "24.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.10.17",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.2.13",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[rskj_testnet]"
  ]
 }
--- a/nodes/wiki-1.json
+++ b/nodes/wiki-1.json
@@ -28,7 +28,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@@ -67,13 +66,12 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.7.10",
+        "version": "15.13.8",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.13.8/lib"
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.2.5",
+        "version": "15.12.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
      }
    }
  },
--- a/roles/gitea.rb
+++ b/roles/gitea.rb
@@ -8,8 +8,8 @@ run_list %w(
 override_attributes(
  "gitea" => {
-    # "repo" => "https://github.com/67P/gitea.git",
+    "repo" => "https://github.com/67P/gitea.git",
-    # "revision" => "ldap_sync",
+    "revision" => "ldap_sync",
    "log" => { "level" => "Info" }
  },
 )
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@@ -1,13 +1,12 @@
 name "postgresql_primary"
-run_list [
+run_list %w(
-  "kosmos_postgresql::primary",
+  kosmos_postgresql::primary
-  "kosmos-akkounts::pg_db",
+  kosmos_postgresql::firewall
-  "kosmos-bitcoin::lndhub-go_pg_db",
+  kosmos-akkounts::pg_db
-  "kosmos-bitcoin::nbxplorer_pg_db",
+  kosmos-bitcoin::lndhub-go_pg_db
-  "kosmos_drone::pg_db",
+  kosmos-bitcoin::nbxplorer_pg_db
-  "kosmos_gitea::pg_db",
+  kosmos_drone::pg_db
-  "kosmos-mastodon::pg_db",
+  kosmos_gitea::pg_db
-  "kosmos_postgresql::firewall",
+  kosmos-mastodon::pg_db
-  "kosmos_postgresql::management_scripts"
+)
 ]
--- a/roles/postgresql_replica.rb
+++ b/roles/postgresql_replica.rb
@@ -1,8 +1,7 @@
 name "postgresql_replica"
-run_list [
+run_list %w(
-  "kosmos_postgresql::hostsfile",
+  kosmos_postgresql::hostsfile
-  "kosmos_postgresql::replica",
+  kosmos_postgresql::replica
-  "kosmos_postgresql::firewall",
+  kosmos_postgresql::firewall
-  "kosmos_postgresql::management_scripts"
+)
 ]
--- a/roles/postgresql_replica_logical.rb
+++ b/roles/postgresql_replica_logical.rb
@@ -1,8 +0,0 @@
 name "postgresql_replica_logical"
 run_list [
  "kosmos_postgresql::hostsfile",
  "kosmos_postgresql::replica_logical",
  "kosmos_postgresql::firewall",
  "kosmos_postgresql::management_scripts"
 ]
--- a/site-cookbooks/discourse/templates/nginx_conf.erb
+++ b/site-cookbooks/discourse/templates/nginx_conf.erb
@@ -8,8 +8,8 @@ upstream _<%= @upstream_name %> {
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
  server_name <%= @server_name %>;
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen 443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
--- a/site-cookbooks/kosmos-akkounts/recipes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb
@@ -230,6 +230,7 @@ systemd_unit "akkounts.service" do
      WorkingDirectory: deploy_path,
      Environment: "RAILS_ENV=#{rails_env} SOLID_QUEUE_IN_PUMA=true",
      ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
      ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
      ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
      PIDFile: "#{deploy_path}/tmp/puma.pid",
      TimeoutSec: "10",
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
@@ -11,7 +11,7 @@ proxy_cache_path <%= node[:openresty][:cache_dir] %>/akkounts levels=1:2
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @domain %>;
  if ($host != $server_name) {
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
@@ -7,7 +7,7 @@ upstream _akkounts_api {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @domain %>;
  ssl_certificate     <%= @ssl_cert %>;
--- a/site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb
+++ b/site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb
@@ -0,0 +1,52 @@
 #
 # Cookbook Name:: kosmos-base
 # Recipe:: andromeda_firewall
 #
 # The MIT License (MIT)
 #
 # Copyright:: 2019, Kosmos Developers
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
 # in the Software without restriction, including without limitation the rights
 # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 # copies of the Software, and to permit persons to whom the Software is
 # furnished to do so, subject to the following conditions:
 #
 # The above copyright notice and this permission notice shall be included in
 # all copies or substantial portions of the Software.
 #
 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.
 # Temporary extra rules for Andromeda
 firewall_rule 'bitcoind' do
  port     [8333, 8334, 8335]
  protocol :tcp
  command  :allow
 end
 firewall_rule 'lnd' do
  port     [9736]
  # port     [9736, 8002]
  protocol :tcp
  command  :allow
 end
 firewall_rule 'lightningd' do
  port     [9735]
  protocol :tcp
  command  :allow
 end
 firewall_rule 'spark_wallet' do
  port     8008
  protocol :tcp
  command  :allow
 end
--- a/site-cookbooks/kosmos-base/recipes/default.rb
+++ b/site-cookbooks/kosmos-base/recipes/default.rb
@@ -24,17 +24,11 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.
-include_recipe "apt"
+include_recipe 'apt'
-
+include_recipe 'timezone_iii'
-directory "/etc/apt/keyrings" do
+include_recipe 'ntp'
-  mode "0755"
+include_recipe 'kosmos-base::journald_conf'
-  action :create
+include_recipe 'kosmos-base::systemd_emails'
 end
 include_recipe "timezone_iii"
 include_recipe "ntp" if node["platform"] == "ubuntu" && node["platform_version"].to_f < 24.04
 include_recipe "kosmos-base::journald_conf"
 include_recipe "kosmos-base::systemd_emails"
 node.override["apt"]["unattended_upgrades"]["enable"] = true
 node.override["apt"]["unattended_upgrades"]["mail_only_on_error"] = false
@@ -49,20 +43,20 @@ node.override["apt"]["unattended_upgrades"]["allowed_origins"] = [
 ]
 node.override["apt"]["unattended_upgrades"]["mail"] = "ops@kosmos.org"
 node.override["apt"]["unattended_upgrades"]["syslog_enable"] = true
-include_recipe "apt::unattended-upgrades"
+include_recipe 'apt::unattended-upgrades'
-package "mailutils"
+package 'mailutils'
-package "mosh"
+package 'mosh'
-package "vim"
+package 'vim'
 # Don't create users and rewrite the sudo config in development environment.
 # It breaks the vagrant user
 unless node.chef_environment == "development"
  # Searches data bag "users" for groups attribute "sysadmin".
  # Places returned users in Unix group "sysadmin" with GID 2300.
-  users_manage "sysadmin" do
+  users_manage 'sysadmin' do
    group_id 2300
-    action %i[remove create]
+    action [:remove, :create]
  end
  sudo "sysadmin" do
@@ -71,35 +65,35 @@ unless node.chef_environment == "development"
    defaults [
    # not default on Ubuntu, explicitely enable. Uses a minimal white list of
    # environment variables
-      "env_reset",
+    'env_reset',
    # Send emails on unauthorized attempts
-      "mail_badpass",
+    'mail_badpass',
-      'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"'
+    'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"',
    ]
  end
  include_recipe "kosmos-base::firewall"
-  include_recipe "kosmos-postfix"
+  include_recipe 'kosmos-postfix'
-  node.override["set_fqdn"] = "*"
+  node.override['set_fqdn'] = '*'
-  include_recipe "hostname"
+  include_recipe 'hostname'
-  package "ca-certificates"
+  package 'ca-certificates'
-  directory "/usr/local/share/ca-certificates/cacert" do
+  directory '/usr/local/share/ca-certificates/cacert' do
    action :create
  end
-  ["http://www.cacert.org/certs/root.crt", "http://www.cacert.org/certs/class3.crt"].each do |cert|
+  ['http://www.cacert.org/certs/root.crt', 'http://www.cacert.org/certs/class3.crt'].each do |cert|
    remote_file "/usr/local/share/ca-certificates/cacert/#{File.basename(cert)}" do
      source cert
      action :create_if_missing
-      notifies :run, "execute[update-ca-certificates]", :immediately
+      notifies :run, 'execute[update-ca-certificates]', :immediately
    end
  end
-  execute "update-ca-certificates" do
+  execute 'update-ca-certificates' do
    action :nothing
  end
 end
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '30.0'
+node.default['bitcoin']['version']   = '29.0'
-node.default['bitcoin']['checksum']  = '9b472a4d51dfed9aa9d0ded2cb8c7bcb9267f8439a23a98f36eb509c1a5e6974'
+node.default['bitcoin']['checksum']  = '882c782c34a3bf2eacd1fae5cdc58b35b869883512f197f7d6dc8f195decfdaa'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'
@@ -86,6 +86,9 @@ node.default['lndhub-go']['branding'] = {
  'footer' => 'about=https://kosmos.org'
 }
 node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb"
 node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
 node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
 node.default['nbxplorer']['revision'] = 'v2.5.26'
 node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
@@ -95,7 +98,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
 node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
 node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
-node.default['btcpay']['revision'] = 'v2.3.7'
+node.default['btcpay']['revision'] = 'v2.1.1'
 node.default['btcpay']['source_dir'] = '/opt/btcpay'
 node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
 node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
--- a/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
@@ -43,7 +43,7 @@ bash "compile_bitcoin-core" do
  cwd "/usr/local/bitcoind"
  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
  code <<-EOH
-    cmake -B build --toolchain depends/x86_64-pc-linux-gnu/toolchain.cmake -DBUILD_TESTS=OFF
+    cmake -B build --toolchain depends/x86_64-pc-linux-gnu/toolchain.cmake
    cmake --build build -j $(($(nproc)/2))
    cmake --install build
  EOH
--- a/site-cookbooks/kosmos-bitcoin/recipes/dotnet.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/dotnet.rb
@@ -5,16 +5,29 @@
 build_essential
-remote_file "/opt/dotnet-install.sh" do
+apt_repository 'universe' do
-  source "https://dot.net/v1/dotnet-install.sh"
+  uri 'http://archive.ubuntu.com/ubuntu/'
-  mode "0755"
+  distribution 'focal'
  components ['universe']
 end
-execute "install_dotnet_10" do
+apt_package 'apt-transport-https'
-  command "/opt/dotnet-install.sh -c 10.0 --install-dir /usr/share/dotnet"
+
-  not_if '/usr/share/dotnet/dotnet --version | grep -q "^10\."'
+remote_file '/opt/packages-microsoft-prod.deb' do
  source node['dotnet']['ms_packages_src_url']
  checksum node['dotnet']['ms_packages_src_checksum']
  action :create_if_missing
 end
-link "/usr/bin/dotnet" do
+dpkg_package 'packages-microsoft-prod' do
-  to "/usr/share/dotnet/dotnet"
+  source '/opt/packages-microsoft-prod.deb'
  action :install
  notifies :run, 'execute[apt_update]'
 end
 execute 'apt_update' do
  command 'apt update'
  action :nothing
 end
 apt_package 'dotnet-sdk-8.0'
--- a/site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb
@@ -1,86 +1,49 @@
 #!/bin/bash
 set -e
 set -o pipefail
 # Calculate yesterday's date in YYYY-MM-DD format
 YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
 echo "Starting price tracking for $YESTERDAY" >&2
 # Helper function to perform HTTP requests with retries
 # Usage: make_request <retries> <method> <url> [data] [header1] [header2] ...
 make_request() {
    local retries=$1
    local method=$2
    local url=$3
    local data=$4
    shift 4
    local headers=("$@")
    local count=0
    local wait_time=3
    local response
    while [ "$count" -lt "$retries" ]; do
        local curl_opts=(-s -S -f -X "$method")
        if [ -n "$data" ]; then
            curl_opts+=(-d "$data")
        fi
        for h in "${headers[@]}"; do
            curl_opts+=(-H "$h")
        done
        if response=$(curl "${curl_opts[@]}" "$url"); then
            echo "$response"
            return 0
        fi
        echo "Request to $url failed (Attempt $((count+1))/$retries). Retrying in ${wait_time}s..." >&2
        sleep "$wait_time"
        count=$((count + 1))
    done
    echo "ERROR: Request to $url failed after $retries attempts" >&2
    return 1
 }
 # Fetch and process rates for a fiat currency
 get_price_data() {
    local currency=$1
    local data avg open24 last
-    if data=$(make_request 3 "GET" "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/" ""); then
+    data=$(curl -s "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/")
    if [ $? -eq 0 ] && [ ! -z "$data" ]; then
        echo "Successfully retrieved ${currency} price data" >&2
        open24=$(echo "$data" | jq -r '.open_24')
        last=$(echo "$data" | jq -r '.last')
-        avg=$(echo "$open24 $last" | awk '{printf "%.0f", ($1 + $2) / 2}')
+        avg=$(( (${open24%.*} + ${last%.*}) / 2 ))
        echo $avg
    else
        echo "ERROR: Failed to retrieve ${currency} price data" >&2
-        return 1
+        exit 1
    fi
 }
 # Get price data for each currency
-usd_avg=$(get_price_data "USD") || exit 1
+usd_avg=$(get_price_data "USD")
-eur_avg=$(get_price_data "EUR") || exit 1
+eur_avg=$(get_price_data "EUR")
-gbp_avg=$(get_price_data "GBP") || exit 1
+gbp_avg=$(get_price_data "GBP")
 # Create JSON
-json=$(jq -n \
+json="{\"EUR\":$eur_avg,\"USD\":$usd_avg,\"GBP\":$gbp_avg}"
  --argjson eur "$eur_avg" \
  --argjson usd "$usd_avg" \
  --argjson gbp "$gbp_avg" \
  '{"EUR": $eur, "USD": $usd, "GBP": $gbp}')
 echo "Rates: $json" >&2
 # PUT in remote storage
-if make_request 3 "PUT" "<%= @rs_base_url %>/$YESTERDAY" "$json" \
+response=$(curl -X PUT \
-    "Authorization: Bearer $RS_AUTH" \
+    -H "Authorization: Bearer $RS_AUTH" \
-    "Content-Type: application/json" > /dev/null; then
+    -H "Content-Type: application/json" \
    -d "$json" \
    -w "%{http_code}" \
    -s \
    -o /dev/null \
    "<%= @rs_base_url %>/$YESTERDAY")
 if [ "$response" -eq 200 ] || [ "$response" -eq 201 ]; then
   echo "Successfully uploaded price data" >&2
 else
-   echo "ERROR: Failed to upload price data" >&2
+   echo "ERROR: Failed to upload price data. HTTP status: $response" >&2
   exit 1
 fi
--- a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb
@@ -49,7 +49,7 @@ server {
  client_max_body_size 100M;
  server_name <%= @server_name %>;
  listen 443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  access_log <%= node[:nginx][:log_dir] %>/btcpayserver.access.log json;
  error_log <%= node[:nginx][:log_dir] %>/btcpayserver.error.log warn;
--- a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb
@@ -7,7 +7,7 @@ upstream _lndhub {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @server_name %>;
  add_header Strict-Transport-Security "max-age=15768000";
--- a/site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb
+++ b/site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb
@@ -49,7 +49,7 @@ server {
  server_name <%= @server_name %>;
  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
  listen 443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  <% else -%>
  listen 80;
  <% end -%>
--- a/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb
@@ -3,7 +3,7 @@
 server {
  listen 443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @server_name %>;
  ssl_certificate     <%= @ssl_cert %>;
--- a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb
+++ b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb
@@ -7,7 +7,7 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @server_name %>;
  add_header Strict-Transport-Security "max-age=15768000";
--- a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
+++ b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
@@ -12,7 +12,7 @@ upstream _ipfs_api {
 server {
  server_name <%= @server_name %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  access_log /var/log/nginx/<%= @server_name %>.access.log;
  error_log  /var/log/nginx/<%= @server_name %>.error.log;
--- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
@@ -21,7 +21,7 @@ proxy_cache_path /var/cache/nginx/mastodon levels=1:2
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @server_name %>;
  include <%= @shared_config_path %>;
--- a/site-cookbooks/kosmos-mediawiki/metadata.rb
+++ b/site-cookbooks/kosmos-mediawiki/metadata.rb
@@ -3,6 +3,7 @@ maintainer       'Kosmos'
 maintainer_email 'mail@kosmos.org'
 license          'MIT'
 description      'Installs/Configures kosmos-mediawiki'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version          '0.3.1'
 depends "mediawiki"
--- a/site-cookbooks/kosmos-mediawiki/recipes/default.rb
+++ b/site-cookbooks/kosmos-mediawiki/recipes/default.rb
@@ -1,9 +1,9 @@
 #
-# Cookbook:: kosmos-mediawiki
+# Cookbook Name:: kosmos-mediawiki
-# Recipe:: default.rb
+# Recipe:: default
 #
-apt_update
+include_recipe 'apt'
 include_recipe 'ark'
 include_recipe 'composer'
@@ -30,14 +30,14 @@ directory "#{node['mediawiki']['webdir']}/skins/common/images" do
  owner node['nginx']['user']
  group node['nginx']['group']
  recursive true
-  mode "750"
+  mode 0750
 end
 cookbook_file "#{node['mediawiki']['webdir']}/skins/common/images/kosmos.png" do
  source 'kosmos.png'
  owner node['nginx']['user']
  group node['nginx']['group']
-  mode "640"
+  mode 0640
 end
 directory "#{node['mediawiki']['webdir']}/.well-known/acme-challenge" do
@@ -80,14 +80,14 @@ nginx_certbot_site server_name
 # Extensions
 #
-mediawiki_credentials = data_bag_item('credentials', 'mediawiki')
+mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
 #
 # MediawikiHubot extension
 #
 # requires curl extension
-if platform?('ubuntu') && node["platform_version"].to_f < 16.04
+if platform?('ubuntu') && node[:platform_version].to_f < 16.04
  package "php5-curl"
 else
  package "php-curl"
@@ -100,7 +100,7 @@ ark "MediawikiHubot" do
  action :cherry_pick
 end
-hubot_credentials = data_bag_item('credentials', 'hal8000_xmpp')
+hubot_credentials = Chef::EncryptedDataBagItem.load('credentials', 'hal8000_xmpp')
 webhook_token = hubot_credentials['webhook_token']
 template "#{node['mediawiki']['webdir']}/extensions/MediawikiHubot/DefaultConfig.php" do
@@ -145,7 +145,7 @@ end
 ruby_block "configuration" do
  block do
-    # FIXME: This is internal Chef API and should not be used from recipes, as
+    # FIXME This is internal Chef API and should not be used from recipes, as
    # it is unsupported for that
    file = Chef::Util::FileEdit.new("#{node['mediawiki']['webdir']}/LocalSettings.php")
    file.search_file_replace_line(%r{\$wgLogo\ =\ \"\$wgResourceBasePath\/resources\/assets\/wiki.png\";},
@@ -247,7 +247,9 @@ end
 #
 file "#{node['mediawiki']['webdir']}/composer.local.json" do
-  requires = { "require": { "mediawiki/mermaid": "~1.0" } }.to_json
+  requires = { "require": {
    "mediawiki/mermaid": "~1.0"
  }}.to_json
  content requires
  owner node['nginx']['user']
  group node['nginx']['group']
--- a/site-cookbooks/kosmos_assets/templates/nginx_conf_assets.erb
+++ b/site-cookbooks/kosmos_assets/templates/nginx_conf_assets.erb
@@ -3,7 +3,7 @@
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @domain %>;
  root /var/www/<%= @domain %>/site;
--- a/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
+++ b/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
@@ -9,7 +9,7 @@ upstream _discourse {
 server {
  server_name <%= @server_name %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
--- a/site-cookbooks/kosmos_drone/attributes/default.rb
+++ b/site-cookbooks/kosmos_drone/attributes/default.rb
@@ -1,6 +1,2 @@
 node.default["kosmos_drone"]["domain"] = "drone.kosmos.org"
 node.default["kosmos_drone"]["upstream_port"] = 80
 node.default["kosmos_drone"]["pg_host"] = "pg.kosmos.local"
 node.default["kosmos_drone"]["pg_port"] = 5432
 node.default["kosmos_drone"]["pg_db"] = "drone"
 node.default["kosmos_drone"]["pg_user"] = "drone"
--- a/site-cookbooks/kosmos_drone/recipes/default.rb
+++ b/site-cookbooks/kosmos_drone/recipes/default.rb
@@ -9,11 +9,11 @@ credentials = data_bag_item("credentials", "drone")
 drone_credentials = data_bag_item('credentials', 'drone')
 postgres_config = {
-  host: node["kosmos_drone"]["pg_host"],
+  username: "drone",
-  port: node["kosmos_drone"]["pg_port"],
+  password: drone_credentials["postgresql_password"],
-  database: node["kosmos_drone"]["pg_db"],
+  host: "pg.kosmos.local",
-  username: node["kosmos_drone"]["pg_user"],
+  port: 5432,
-  password: drone_credentials["postgresql_password"]
+  database: "drone"
 }
 directory deploy_path do
--- a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb
+++ b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb
@@ -8,7 +8,7 @@ upstream _drone {
 server {
  server_name <%= @server_name %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
--- a/site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb
@@ -4,7 +4,7 @@ upstream garage_s3 {
 server {
  listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 http2 ssl;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
--- a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
@@ -1,6 +1,6 @@
 server {
  listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 http2 ssl;
  server_name <%= @server_name %>;
@@ -18,7 +18,6 @@ server {
  }
  location / {
    add_header 'Access-Control-Allow-Origin' '*' always;
    proxy_intercept_errors on;
    proxy_cache garage_cache;
    proxy_pass http://garage_web;
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@@ -1,12 +1,11 @@
-node.default["gitea"]["version"] = "1.25.4"
+node.default["gitea"]["version"] = "1.23.8"
-node.default["gitea"]["checksum"] = "a3031853e67c53714728ef705642c9046a11fb0ea356aff592e23efe6114607d"
+node.default["gitea"]["checksum"] = "827037e7ca940866918abc62a7488736923396c467fcb4acd0dd9829bb6a6f4c"
 node.default["gitea"]["repo"] = nil
 node.default["gitea"]["revision"] = nil
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
 node.default["gitea"]["domain"] = "gitea.kosmos.org"
 node.default["gitea"]["email"] = "gitea@kosmos.org"
 node.default["gitea"]["config"] = {
  "log": {
@@ -23,5 +22,5 @@ node.default["gitea"]["config"] = {
  }
 }
-node.default["gitea"]["act_runner"]["version"] = "0.2.13"
+node.default["gitea"]["act_runner"]["version"] = "0.2.6"
-node.default["gitea"]["act_runner"]["checksum"] = "3acac8b506ac8cadc88a55155b5d6378f0fab0b8f62d1e0c0450f4ccd69733e2"
+node.default["gitea"]["act_runner"]["checksum"] = "234c2bdb871e7b0bfb84697f353395bfc7819faf9f0c0443845868b64a041057"
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -19,17 +19,6 @@ jwt_secret                = gitea_data_bag_item["jwt_secret"]
 internal_token            = gitea_data_bag_item["internal_token"]
 secret_key                = gitea_data_bag_item["secret_key"]
 apt_repository "git-core-ppa" do
  uri "http://ppa.launchpad.net/git-core/ppa/ubuntu"
  components ["main"]
  key "E1DF1F24"
  action :add
  only_if do
    node['platform'] == 'ubuntu' &&
      Gem::Version.new(node['platform_version']) < Gem::Version.new('22.04')
  end
 end
 package "git"
 user "git" do
@@ -37,13 +26,6 @@ user "git" do
  home "/home/git"
 end
 directory "/home/git/.ssh" do
  owner "git"
  group "git"
  mode "0700"
  recursive true
 end
 directory working_directory do
  owner "git"
  group "git"
@@ -96,8 +78,6 @@ if node.chef_environment == "production"
 end
 config_variables = {
  domain: node["gitea"]["domain"],
  email: node["gitea"]["email"],
  working_directory: working_directory,
  git_home_directory: git_home_directory,
  repository_root_directory: repository_root_directory,
@@ -118,16 +98,6 @@ config_variables = {
  s3_bucket: gitea_data_bag_item["s3_bucket"]
 }
 bash "Generate git ed25519 keypair" do
  user "git"
  group "git"
  cwd git_home_directory
  code <<-EOH
    ssh-keygen -t ed25519 -f #{git_home_directory}/.ssh/id_ed25519
  EOH
  creates "#{git_home_directory}/.ssh/id_ed25519"
 end
 template "#{config_directory}/app.ini" do
  source "app.ini.erb"
  owner "git"
@@ -159,7 +129,7 @@ template "/etc/systemd/system/gitea.service" do
            git_home_directory: git_home_directory,
            config_directory: config_directory,
            gitea_binary_path: gitea_binary_path
-  notifies :run, "execute[systemctl daemon-reload]", :immediately
+  notifies :run, "execute[systemctl daemon-reload]", :delayed
 end
 service "gitea" do
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@@ -2,12 +2,12 @@ APP_NAME = Gitea
 RUN_MODE = prod
 [server]
-SSH_DOMAIN = <%= @domain %>
+SSH_DOMAIN       = gitea.kosmos.org
 HTTP_PORT        = 3000
 DISABLE_SSH      = false
 SSH_PORT         = 22
 PROTOCOL = http
-DOMAIN = <%= @domain %>
+DOMAIN = gitea.kosmos.org
 # Gitea is running behind an nginx reverse load balancer, use an HTTPS root URL
 ROOT_URL = https://%(DOMAIN)s
 # REDIRECT_OTHER_PORT = true
@@ -30,16 +30,6 @@ MAX_OPEN_CONNS = 20
 ROOT = <%= @repository_root_directory %>
 DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
 [repository.signing]
 SIGNING_KEY = <%= @git_home_directory %>/.ssh/id_ed25519.pub
 SIGNING_NAME = Gitea
 SIGNING_EMAIL = git@<%= @domain %>
 SIGNING_FORMAT = ssh
 INITIAL_COMMIT = always
 CRUD_ACTIONS = always
 WIKI = always
 MERGES = always
 # [indexer]
 # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
@@ -56,7 +46,7 @@ SMTP_ADDR = <%= @smtp_addr %>
 SMTP_PORT = <%= @smtp_port %>
 USER = <%= @smtp_user %>
 PASSWD = <%= @smtp_password %>
-FROM = <%= @email %>
+FROM = gitea@kosmos.org
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>
--- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb
@@ -4,6 +4,5 @@ upstream _gitea_ssh {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>22;
  listen [::]:22;
  proxy_pass _gitea_ssh;
 }
--- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
@@ -6,7 +6,7 @@ upstream _gitea_web {
 server {
  server_name <%= @server_name %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
@@ -18,8 +18,6 @@ server {
  client_max_body_size 121M;
  proxy_intercept_errors on;
  location ~ ^/(avatars|repo-avatars)/.*$ {
    proxy_buffers 1024 8k;
    proxy_pass http://_gitea_web;
@@ -54,18 +52,5 @@ server {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    error_page 404 = @slow_404;
  }
  # Slow down 404 responses to make scraping random URLs less attractive
  location @slow_404 {
    internal;
    default_type text/plain;
    content_by_lua_block {
      ngx.sleep(10)
      ngx.status = 404
      ngx.say("Not Found")
      ngx.exit(ngx.HTTP_NOT_FOUND)
    }
  }
 }
--- a/site-cookbooks/kosmos_kvm/README.md
+++ b/site-cookbooks/kosmos_kvm/README.md
@@ -1,14 +1,4 @@
 # kosmos_kvm
-## Create a new VM
+TODO: Enter the cookbook description here.
 A script is deployed by the `host` recipe to `/usr/local/sbin/create_vm`
 ### Usage
 ```
 create_vm VMNAME RAM CPUS DISKSIZE
 ```
 * `RAM` in megabytes
 * `DISKSIZE` in gigabytes, defaults to 10
--- a/site-cookbooks/kosmos_kvm/attributes/default.rb
+++ b/site-cookbooks/kosmos_kvm/attributes/default.rb
@@ -1,9 +1,9 @@
-release = "20260321"
+release = "20240514"
-img_filename = "ubuntu-24.04-server-cloudimg-amd64"
+img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm"
 node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
-  "url" => "https://cloud-images.ubuntu.com/releases/noble/release-#{release}/#{img_filename}.img",
+  "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img",
-  "checksum" => "5c3ddb00f60bc455dac0862fabe9d8bacec46c33ac1751143c5c3683404b110d",
+  "checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f",
  "path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2"
 }
--- a/site-cookbooks/kosmos_kvm/recipes/host.rb
+++ b/site-cookbooks/kosmos_kvm/recipes/host.rb
@@ -3,7 +3,7 @@
 # Recipe:: host
 #
-package %w(virtinst libvirt-daemon-system libvirt-clients)
+package %w(virtinst libvirt-daemon-system)
 directory "/var/lib/libvirt/images/base" do
  recursive true
--- a/site-cookbooks/kosmos_kvm/templates/create_vm.erb
+++ b/site-cookbooks/kosmos_kvm/templates/create_vm.erb
@@ -17,7 +17,7 @@ DISKSIZE=${4:-10} # 10GB default
 # Directory where image files will be stored
 IMAGE_DIR=/var/lib/libvirt/images
 IMAGE_PATH=$IMAGE_DIR/${VMNAME}.qcow2
-CIDATA_PATH=${IMAGE_DIR}/${VMNAME}-cloudinit
+CIDATA_PATH=${IMAGE_DIR}/cidata-${VMNAME}.iso
 BASE_FILE=<%= @base_image_path %>
 # Create the VM image if it does not already exist
@@ -38,8 +38,9 @@ qemu-img info "$IMAGE_PATH"
 # Check if the cloud-init metadata file exists
 # if not, generate it
 if [ ! -r $CIDATA_PATH ]; then
-  mkdir -p $CIDATA_PATH
+  pushd $(dirname $CIDATA_PATH)
-  pushd $CIDATA_PATH
+  mkdir -p $VMNAME
  cd $VMNAME
  cat > user-data <<-EOS
 #cloud-config
@@ -61,19 +62,25 @@ instance-id: $VMNAME
 local-hostname: $VMNAME
 EOS
  genisoimage -output "$CIDATA_PATH" -volid cidata -joliet -rock user-data meta-data
  chown libvirt-qemu:kvm "$CIDATA_PATH"
  chmod 600 "$CIDATA_PATH"
  popd
 fi
 # setting --os-variant to ubuntu20.04 and ubuntu18.04 breaks SSH and networking
 virt-install \
  --name "$VMNAME" \
  --ram "$RAM" \
  --vcpus "$CPUS" \
  --cpu host \
  --arch x86_64 \
-  --osinfo detect=on,name=ubuntu24.04 \
+  --os-type linux \
  --os-variant ubuntu16.04 \
  --hvm \
  --virt-type kvm \
  --disk "$IMAGE_PATH" \
  --cdrom "$CIDATA_PATH" \
  --boot hd \
  --network=bridge=virbr0,model=virtio \
  --graphics none \
@@ -81,5 +88,4 @@ virt-install \
  --console pty \
  --channel unix,mode=bind,path=/var/lib/libvirt/qemu/$VMNAME.guest_agent.0,target_type=virtio,name=org.qemu.guest_agent.0 \
  --autostart \
-  --import \
+  --import
  --cloud-init root-password-generate=off,disable=on,meta-data=$CIDATA_PATH/meta-data,user-data=$CIDATA_PATH/user-data
--- a/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
+++ b/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
@@ -12,7 +12,7 @@ upstream _<%= @app_name %> {
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
-  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+  listen [::]:443 ssl http2;
  server_name <%= @server_name %>;
  access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log; # TODO json_liquor_cabinet;
--- a/site-cookbooks/kosmos_openresty/attributes/default.rb
+++ b/site-cookbooks/kosmos_openresty/attributes/default.rb
@@ -1 +0,0 @@
 node.default["openresty"]["listen_ipv6"] = "::"
--- a/site-cookbooks/kosmos_postgresql/attributes/default.rb
+++ b/site-cookbooks/kosmos_postgresql/attributes/default.rb
@@ -1,8 +1,3 @@
 node.default['kosmos_postgresql']['postgresql_version'] = "14"
 # This is set to false by default, and set to true in the server resource
 # for replicas.
 node.default['kosmos_postgresql']['ready_to_set_up_replica'] = false
 # Address space from which clients are allowed to connect
 node.default['kosmos_postgresql']['access_addr'] = "10.1.1.0/24"
--- a/site-cookbooks/kosmos_postgresql/files/create_publication.sh
+++ b/site-cookbooks/kosmos_postgresql/files/create_publication.sh
@@ -1,31 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 DB_NAME="${1:?Usage: $0 <database_name>}"
 echo "== Processing DB: $DB_NAME =="
 # Create publication (idempotent)
 psql -d "$DB_NAME" -v ON_ERROR_STOP=1 <<'SQL'
 DO $$
 BEGIN
  IF NOT EXISTS (
    SELECT 1 FROM pg_publication WHERE pubname = 'migrate_pub'
  ) THEN
    CREATE PUBLICATION migrate_pub FOR ALL TABLES;
  END IF;
 END
 $$;
 SQL
 # Create logical replication slot (idempotent-ish)
 SLOT="migrate_slot_${DB_NAME}"
 if ! psql -d "$DB_NAME" -Atqc "SELECT 1 FROM pg_replication_slots WHERE slot_name = '$SLOT'" | grep -q 1; then
  echo "  Creating slot: $SLOT"
  psql -d "$DB_NAME" -c "SELECT pg_create_logical_replication_slot('$SLOT', 'pgoutput');"
 else
  echo "  Slot already exists: $SLOT"
 fi
 echo "== Done =="
--- a/site-cookbooks/kosmos_postgresql/files/create_publications.sh
+++ b/site-cookbooks/kosmos_postgresql/files/create_publications.sh
@@ -1,34 +0,0 @@
 #!/bin/bash
 set -e
 echo "== Creating publication in each database =="
 for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template1','postgres')"); do
  echo "Processing DB: $db"
  # Create publication (idempotent)
  psql -d "$db" -v ON_ERROR_STOP=1 <<SQL
 DO \$\$
 BEGIN
  IF NOT EXISTS (
    SELECT 1 FROM pg_publication WHERE pubname = 'migrate_pub'
  ) THEN
    CREATE PUBLICATION migrate_pub FOR ALL TABLES;
  END IF;
 END
 \$\$;
 SQL
  # Create logical replication slot (idempotent-ish)
  SLOT="migrate_slot_${db}"
  if ! psql -d "$db" -Atqc "SELECT 1 FROM pg_replication_slots WHERE slot_name = '$SLOT'" | grep -q 1; then
    echo "  Creating slot: $SLOT"
    psql -d "$db" -c "SELECT pg_create_logical_replication_slot('$SLOT', 'pgoutput');"
  else
    echo "  Slot already exists: $SLOT"
  fi
 done
 echo "== Done =="
--- a/site-cookbooks/kosmos_postgresql/files/drop_publications.sh
+++ b/site-cookbooks/kosmos_postgresql/files/drop_publications.sh
@@ -1,34 +0,0 @@
 #!/bin/bash
 set -e
 echo "== Dropping subscriptions slots and publications =="
 for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template1','postgres')"); do
  echo "Processing DB: $db"
  SLOT="migrate_slot_${db}"
  # Drop slot if exists
  if psql -d "$db" -Atqc "SELECT 1 FROM pg_replication_slots WHERE slot_name = '$SLOT'" | grep -q 1; then
    echo "  Dropping slot: $SLOT"
    psql -d "$db" -c "SELECT pg_drop_replication_slot('$SLOT');"
  else
    echo "  Slot not found: $SLOT"
  fi
  # Drop publication if exists
  psql -d "$db" -v ON_ERROR_STOP=1 <<SQL
 DO \$\$
 BEGIN
  IF EXISTS (
    SELECT 1 FROM pg_publication WHERE pubname = 'migrate_pub'
  ) THEN
    DROP PUBLICATION migrate_pub;
  END IF;
 END
 \$\$;
 SQL
 done
 echo "== Done =="
--- a/site-cookbooks/kosmos_postgresql/files/drop_subscriptions.sh
+++ b/site-cookbooks/kosmos_postgresql/files/drop_subscriptions.sh
@@ -1,29 +0,0 @@
 #!/usr/bin/env bash
 set -e
 echo "== Dropping subscriptions =="
 for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template1','postgres')"); do
  echo "Processing DB: $db"
  SUB="migrate_sub_${db}"
  # Check if subscription exists
  EXISTS=$(psql -d "$db" -Atqc "SELECT 1 FROM pg_subscription WHERE subname = '$SUB'")
  if [ "$EXISTS" = "1" ]; then
    echo "  Found subscription: $SUB"
    # Disable first (good practice)
    psql -d "$db" -c "ALTER SUBSCRIPTION $SUB DISABLE;"
    # Drop it (must be top-level)
    psql -d "$db" -c "DROP SUBSCRIPTION $SUB;"
  else
    echo "  No subscription: $SUB"
  fi
 done
 echo "== Done =="
--- a/site-cookbooks/kosmos_postgresql/files/dump_all_databases.sh
+++ b/site-cookbooks/kosmos_postgresql/files/dump_all_databases.sh
@@ -1,9 +0,0 @@
 #!/bin/bash
 cd /tmp && \
 (pg_dumpall --globals-only > globals.sql) && \
 psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN (''template1'',''postgres'')" | \
 xargs -I{} -P4 sh -c "
  pg_dump -Fd -j 4 -d \"{}\" -f dump_{} &&
  tar -cf - dump_{} | zstd -19 -T0 > dump_{}.tar.zst &&
  rm -rf dump_{}
 "
--- a/site-cookbooks/kosmos_postgresql/files/dump_database.sh
+++ b/site-cookbooks/kosmos_postgresql/files/dump_database.sh
@@ -1,10 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 DB_NAME="${1:?Usage: $0 <database_name>}"
 cd /tmp
 pg_dump -Fd -j 4 -d "$DB_NAME" -f "dump_${DB_NAME}"
 tar -cf - "dump_${DB_NAME}" | zstd -19 -T0 > "dump_${DB_NAME}.tar.zst"
 rm -rf "dump_${DB_NAME}"
--- a/site-cookbooks/kosmos_postgresql/files/fix_sequences.sh
+++ b/site-cookbooks/kosmos_postgresql/files/fix_sequences.sh
@@ -1,35 +0,0 @@
 #!/bin/bash
 set -e
 DB="$1"
 if [ -z "$DB" ]; then
  echo "Usage: $0 <database>"
  exit 1
 fi
 echo "== Fixing sequences in database: $DB =="
 SQL=$(psql -d "$DB" -Atqc "
  SELECT
    'SELECT setval(' ||
    quote_literal(pg_get_serial_sequence(quote_ident(n.nspname)||'.'||quote_ident(c.relname), a.attname)) ||
    ', COALESCE(MAX(' || quote_ident(a.attname) || '), 0) + 1, false) FROM ' ||
    quote_ident(n.nspname)||'.'||quote_ident(c.relname) || ';'
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
  JOIN pg_attribute a ON a.attrelid = c.oid
  WHERE c.relkind = 'r'
    AND a.attnum > 0
    AND NOT a.attisdropped
    AND pg_get_serial_sequence(quote_ident(n.nspname)||'.'||quote_ident(c.relname), a.attname) IS NOT NULL;
 ")
 if [ -z "$SQL" ]; then
  echo "No sequences found in $DB"
  exit 0
 fi
 echo "$SQL" | psql -d "$DB"
 echo "== Done =="
--- a/site-cookbooks/kosmos_postgresql/files/fix_sequences_in_all_databases.sh
+++ b/site-cookbooks/kosmos_postgresql/files/fix_sequences_in_all_databases.sh
@@ -1,38 +0,0 @@
 #!/bin/bash
 set -e
 echo "== Fixing sequences across all databases =="
 for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template1','postgres')"); do
  echo "---- DB: $db ----"
  # Generate fix statements
  SQL=$(psql -d "$db" -Atqc "
    SELECT
      'SELECT setval(' ||
      quote_literal(pg_get_serial_sequence(quote_ident(n.nspname)||'.'||quote_ident(c.relname), a.attname)) ||
      ', COALESCE(MAX(' || quote_ident(a.attname) || '), 0) + 1, false) FROM ' ||
      quote_ident(n.nspname)||'.'||quote_ident(c.relname) || ';'
    FROM pg_class c
    JOIN pg_namespace n ON n.oid = c.relnamespace
    JOIN pg_attribute a ON a.attrelid = c.oid
    WHERE c.relkind = 'r'
      AND a.attnum > 0
      AND NOT a.attisdropped
      AND pg_get_serial_sequence(quote_ident(n.nspname)||'.'||quote_ident(c.relname), a.attname) IS NOT NULL;
  ")
  if [ -z "$SQL" ]; then
    echo "No sequences found in $db"
    continue
  fi
  echo "Fixing sequences in $db..."
  # Execute generated statements
  echo "$SQL" | psql -d "$db"
 done
 echo "== Done fixing sequences =="
--- a/site-cookbooks/kosmos_postgresql/files/list_publications.sh
+++ b/site-cookbooks/kosmos_postgresql/files/list_publications.sh
@@ -1,5 +0,0 @@
 #!/bin/bash
 for db in $(psql -Atqc "SELECT datname FROM pg_database WHERE datallowconn AND datname NOT IN ('template1','postgres')"); do
  echo "DB: $db"
  psql -d "$db" -Atqc "SELECT pubname FROM pg_publication;"
 done
--- a/site-cookbooks/kosmos_postgresql/files/list_replication_slots.sh
+++ b/site-cookbooks/kosmos_postgresql/files/list_replication_slots.sh
@@ -1,5 +0,0 @@
 #!/bin/bash
 psql -c "
 SELECT slot_name,
 pg_size_pretty(pg_wal_lsn_diff(pg_current_wal_lsn(), restart_lsn))
 FROM pg_replication_slots;"
--- a/site-cookbooks/kosmos_postgresql/files/list_subscriptions.sh
+++ b/site-cookbooks/kosmos_postgresql/files/list_subscriptions.sh
@@ -1,16 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 psql -Atqc "
 SELECT datname
 FROM pg_database
 WHERE datallowconn
  AND datname NOT IN ('template1','postgres')
 " | while read -r db; do
  result=$(psql -X -At -d "$db" -c "SELECT * FROM pg_stat_subscription;" 2>/dev/null || true)
  if [[ -n "$result" ]]; then
    echo "==== DB: $db ===="
    echo "$result"
  fi
 done
--- a/site-cookbooks/kosmos_postgresql/files/restore_all_databases.sh
+++ b/site-cookbooks/kosmos_postgresql/files/restore_all_databases.sh
@@ -1,12 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 cd /tmp
 for f in dump_*.tar.zst; do
  db=$(echo $f | sed "s/dump_\(.*\)\.tar\.zst/\1/")
  echo "Restoring $db"
  zstd -d "$f" -c | tar -xf -
  pg_restore -j 4 -d "$db" dump_$db
  rm -rf "dump_$db"
 done
--- a/site-cookbooks/kosmos_postgresql/files/restore_database.sh
+++ b/site-cookbooks/kosmos_postgresql/files/restore_database.sh
@@ -1,14 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 DB_NAME="${1:?Usage: $0 <database_name>}"
 cd /tmp
 FILE="dump_${DB_NAME}.tar.zst"
 DIR="dump_${DB_NAME}"
 echo "Restoring $DB_NAME"
 zstd -d "$FILE" -c | tar -xf -
 pg_restore -j 4 -d "$DB_NAME" "$DIR"
 rm -rf "$DIR"
--- a/site-cookbooks/kosmos_postgresql/libraries/helpers.rb
+++ b/site-cookbooks/kosmos_postgresql/libraries/helpers.rb
@@ -36,8 +36,10 @@ class Chef
      end
    end
-    def postgresql_version
+    def postgresql_service_name
-      node['kosmos_postgresql']['postgresql_version']
+      postgresql_version = "12"
      "postgresql@#{postgresql_version}-main"
    end
  end
 end
--- a/site-cookbooks/kosmos_postgresql/recipes/management_scripts.rb
+++ b/site-cookbooks/kosmos_postgresql/recipes/management_scripts.rb
@@ -1,121 +0,0 @@
 #
 # Cookbook:: kosmos_postgresql
 # Recipe:: management_scripts
 #
 credentials = data_bag_item('credentials', 'postgresql')
 cookbook_file "/usr/local/bin/pg_dump_all_databases" do
  source "dump_all_databases.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_dump_database" do
  source "dump_database.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_restore_all_databases" do
  source "restore_all_databases.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_restore_database" do
  source "restore_database.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_create_replication_publications" do
  source "create_publications.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_create_replication_publication" do
  source "create_publication.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_drop_replication_publications" do
  source "drop_publications.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_list_replication_publications" do
  source "list_publications.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_list_replication_slots" do
  source "list_replication_slots.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 template "/usr/local/bin/pg_create_replication_subscriptions" do
  source "create_subscriptions.sh.erb"
  user "postgres"
  group "postgres"
  mode "0740"
  variables pg_host: "pg.kosmos.local",
            pg_port: 5432,
            pg_user: "replication",
            pg_pass: credentials["replication_password"]
  sensitive true
 end
 template "/usr/local/bin/pg_create_replication_subscription" do
  source "create_subscription.sh.erb"
  user "postgres"
  group "postgres"
  mode "0740"
  variables pg_host: "pg.kosmos.local",
            pg_port: 5432,
            pg_user: "replication",
            pg_pass: credentials["replication_password"]
  sensitive true
 end
 cookbook_file "/usr/local/bin/pg_drop_replication_subscriptions" do
  source "drop_subscriptions.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_list_replication_subscriptions" do
  source "list_subscriptions.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_fix_sequences_in_all_databases" do
  source "fix_sequences.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
 cookbook_file "/usr/local/bin/pg_fix_sequences" do
  source "fix_sequences.sh"
  user "postgres"
  group "postgres"
  mode "0744"
 end
--- a/site-cookbooks/kosmos_postgresql/recipes/primary.rb
+++ b/site-cookbooks/kosmos_postgresql/recipes/primary.rb
@@ -3,6 +3,31 @@
 # Recipe:: primary
 #
 postgresql_version = "12"
 postgresql_service = "postgresql@#{postgresql_version}-main"
 service postgresql_service do
  supports restart: true, status: true, reload: true
 end
 postgresql_custom_server postgresql_version do
  role "primary"
 end
 postgresql_access "zerotier members" do
  access_type "host"
  access_db "all"
  access_user "all"
  access_addr "10.1.1.0/24"
  access_method "md5"
  notifies :reload, "service[#{postgresql_service}]", :immediately
 end
 postgresql_access "zerotier members replication" do
  access_type "host"
  access_db "replication"
  access_user "replication"
  access_addr "10.1.1.0/24"
  access_method "md5"
  notifies :reload, "service[#{postgresql_service}]", :immediately
 end
--- a/site-cookbooks/kosmos_postgresql/recipes/replica.rb
+++ b/site-cookbooks/kosmos_postgresql/recipes/replica.rb
@@ -3,34 +3,54 @@
 # Recipe:: replica
 #
 postgresql_version = "12"
 postgresql_service = "postgresql@#{postgresql_version}-main"
 postgresql_custom_server postgresql_version do
  role "replica"
 end
 service postgresql_service do
  supports restart: true, status: true, reload: true
 end
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 primary = postgresql_primary
-if primary.nil?
+unless primary.nil?
-  Chef::Log.warn("No PostgreSQL primary node found. Skipping replication setup.")
+  # TODO
-  return
+  postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main"
 end
-postgresql_service_name = "postgresql@#{postgresql_version}-main"
+  # FIXME get zerotier IP
-postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main"
+  execute "set up replication" do
 # TODO Replace pg.kosmos.local with private IP once available
 # via proper node attribute
 # https://gitea.kosmos.org/kosmos/chef/issues/263
 execute "set up replication" do
    command <<-EOF
-systemctl stop #{postgresql_service_name}
+systemctl stop #{postgresql_service}
 mv #{postgresql_data_dir} #{postgresql_data_dir}.old
 pg_basebackup -h pg.kosmos.local -U replication -D #{postgresql_data_dir} -R
 chown -R postgres:postgres #{postgresql_data_dir}
-systemctl start #{postgresql_service_name}
+systemctl start #{postgresql_service}
    EOF
    environment 'PGPASSWORD' => postgresql_data_bag_item['replication_password']
    sensitive true
    not_if { ::File.exist? "#{postgresql_data_dir}/standby.signal" }
  end
  postgresql_access "zerotier members" do
    access_type "host"
    access_db "all"
    access_user "all"
    access_addr "10.1.1.0/24"
    access_method "md5"
    notifies :reload, "service[#{postgresql_service}]", :immediately
  end
  postgresql_access "zerotier members replication" do
    access_type "host"
    access_db "replication"
    access_user "replication"
    access_addr "10.1.1.0/24"
    access_method "md5"
    notifies :reload, "service[#{postgresql_service}]", :immediately
  end
 end
--- a/site-cookbooks/kosmos_postgresql/recipes/replica_logical.rb
+++ b/site-cookbooks/kosmos_postgresql/recipes/replica_logical.rb
@@ -1,8 +0,0 @@
 #
 # Cookbook:: kosmos_postgresql
 # Recipe:: replica_logical
 #
 postgresql_custom_server postgresql_version do
  role "replica_logical"
 end
--- a/site-cookbooks/kosmos_postgresql/resources/server.rb
+++ b/site-cookbooks/kosmos_postgresql/resources/server.rb
@@ -44,28 +44,25 @@ action :create do
  shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # < 1GB RAM
                     "128MB"
-                   else # >= 1GB RAM, use 25% of total RAM
+                   else # >= 1GB RAM, use 50% of total RAM
-                     "#{node['memory']['total'].to_i / 1024 / 4}MB"
+                     "#{node['memory']['total'].to_i / 1024 / 2}MB"
                   end
  additional_config = {
    max_connections: 200, # default
    shared_buffers: shared_buffers,
    work_mem: "4MB",
    unix_socket_directories: "/var/run/postgresql",
    dynamic_shared_memory_type: "posix",
    timezone: "UTC", # default is GMT
    listen_addresses: "0.0.0.0",
    promote_trigger_file: "#{postgresql_data_dir}/failover.trigger",
-    wal_level: "logical",
+    wal_keep_segments: 256
    wal_keep_size: 4096, # 256 segments, 16MB each
    max_replication_slots: 16
  }
  postgresql_server_conf "main" do
    version postgresql_version
    additional_config additional_config
-    notifies :restart, "service[#{postgresql_service}]", :delayed
+    notifies :reload, "service[#{postgresql_service}]", :delayed
  end
  postgresql_user "replication" do
@@ -73,24 +70,6 @@ action :create do
    replication true
    password postgresql_credentials['replication_password']
  end
  postgresql_access "all members" do
    access_type "host"
    access_db "all"
    access_user "all"
    access_addr node['kosmos_postgresql']['access_addr']
    access_method "md5"
    notifies :reload, "service[#{postgresql_service}]", :immediately
  end
  postgresql_access "replication members" do
    access_type "host"
    access_db "replication"
    access_user "replication"
    access_addr node['kosmos_postgresql']['access_addr']
    access_method "md5"
    notifies :reload, "service[#{postgresql_service}]", :immediately
  end
 end
 action_class do
--- a/site-cookbooks/kosmos_postgresql/templates/create_subscription.sh.erb
+++ b/site-cookbooks/kosmos_postgresql/templates/create_subscription.sh.erb
@@ -1,31 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 DB_NAME="${1:?Usage: $0 <database_name>}"
 echo "== Processing DB: $DB_NAME =="
 SLOT="migrate_slot_${DB_NAME}"
 SUB="migrate_sub_${DB_NAME}"
 psql -d "$DB_NAME" -v ON_ERROR_STOP=1 <<SQL
 DO \$\$
 BEGIN
  IF NOT EXISTS (
    SELECT 1 FROM pg_subscription WHERE subname = '$SUB'
  ) THEN
    CREATE SUBSCRIPTION $SUB
    CONNECTION 'host=<%= @pg_host %> port=<%= @pg_port %> dbname=$DB_NAME user=<%= @pg_user %> password=<%= @pg_pass %>'
    PUBLICATION migrate_pub
    WITH (
      slot_name = '$SLOT',
      create_slot = false,
      copy_data = false,
      enabled = true
    );
  END IF;
 END
 \$\$;
 SQL
 echo "== Done =="
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Râu Cao	7095399ccd	Update node info	2025-09-21 12:43:49 +02:00
Râu Cao	a653f62d0a	Upgrade ejabberd to 25.08	2025-09-21 12:42:29 +02:00
		`@@ -1 +0,0 @@`
			`node.default["openresty"]["listen_ipv6"] = "::"`