WIP Set up akaunting

2024-12-16 12:05:51 +04:00
69 changed files with 762 additions and 625 deletions
--- a/clients/akaunting-1.json
+++ b/clients/akaunting-1.json
@ -0,0 +1,4 @@
 {
  "name": "akaunting-1",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzmNpNWJh5DeXDsINDqAt\n5OtcGhnzLtqdILTD8A8KuPxWhoKI0k9xwvuT4yO2DLQqFMPyGefRuQkVsIq2OuU5\npK8B5c79E9MBHxti6mQZw4b/Jhmul+x2LGtOWYjPTDhFYXRsNNDtFDxwpwJGPede\nYts026yExHPhiF35Mt1JxA3TXJfPC8Vx0YGHu/6Ev+1fLmcKhFmhed5yKkA0gwod\nczdyQiCfw3ze9LuS90QmALpFOHHpekZeywemdwyPia207CoTrXsPLWj9KmuUEIQJ\nwL+OlEU2tVA6KaBKpl54n5/tMsccZmlicbNsVpgkk6LctrkNh6Kk+fW9ry3L/Gxg\nAwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/data_bags/credentials/akaunting.json
+++ b/data_bags/credentials/akaunting.json
@ -0,0 +1,31 @@
 {
  "id": "akaunting",
  "app_key": {
    "encrypted_data": "C7VVGHHrE/ESwtGeODf8zVraayO5uBSXaGR7f4yoj0MDq9WxPujItC3dIkMQ\ngjGzk8fH\n",
    "iv": "4+d+RMLeuqaneFBa\n",
    "auth_tag": "sBQDUVl6QbL/h9pd0kBQ0g==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "pg_database": {
    "encrypted_data": "4mqHsMfDAqPvDmGsWgS9iE63qVeus7diSW8WiA==\n",
    "iv": "6Cb1lVUcXBz+GA4u\n",
    "auth_tag": "8O3N0m8jGhxs/YacdhgNHA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "pg_username": {
    "encrypted_data": "Nu0wiBhvqUwqC7PL2Qo8otq0b3faJqRsabqp2g==\n",
    "iv": "1uA8mJc7itT0qHcx\n",
    "auth_tag": "PRWw6LTlFrWs63SDRsovtQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "pg_password": {
    "encrypted_data": "oXDKiXQ4aH5M2pVu1sx7dj0awKCORke03fq0uemjIfCMYbM=\n",
    "iv": "snPyC8mocevc5kGH\n",
    "auth_tag": "9wx4GPSydkYr2WGpZK5HZg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
 }
--- a/data_bags/credentials/akkounts.json
+++ b/data_bags/credentials/akkounts.json
@ -1,93 +1,72 @@
 {
  "id": "akkounts",
-  "rails_master_key": {
+  "postgresql_username": {
-    "encrypted_data": "q/0BtGuFZJQhw+iG4ZmFG12DPaWQDGTb/nCmRoxOnsACkANqMv/zZ39CoNFe\nLPtZiItY\n",
+    "encrypted_data": "ofLOjxGBj7no+lWrIvtxQQFoeozCh6mpfMTt\n",
-    "iv": "JV8R0iu6TrqcZRxL\n",
+    "iv": "/CF+o4GqZx2O5WOm\n",
-    "auth_tag": "YxZIhEUnrd3XrwR6f9wO4A==\n",
+    "auth_tag": "bjHXfgNQfXpQ2gucPLrUWA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
-  "rails_secret_key_base": {
+  "postgresql_password": {
-    "encrypted_data": "JmDQew3+OR6+yJ1xErwXeTn6jw8N2HwTc9yvAVJ3G+7w1s3N7rKDM6+M50ez\n2zP4Lm/eXzH4WTsTZlQcodlyNpi66pvUCGAkNM36rwTN5yvnhqPUmuSQi7AG\nDTBronBwr9ENvwA/gRuugyyhrRB1iuStpzpYKCMhZ2ae9Mrxdux0+ezfSLn4\nuP22uUrEqdQ/BWsW\n",
+    "encrypted_data": "f8Jfs4aqIjc6/6/NQlI2Fv8TzSgVmi5g0iYNhh9bAA==\n",
-    "iv": "U/+YncCk13U6bYMz\n",
+    "iv": "vAzrZeUodmu4x5eB\n",
-    "auth_tag": "2wPYJ/uVPv4jLKpAW/x6sw==\n",
+    "auth_tag": "vx8eH2SY7I4IkZElXSC1Nw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_encryption_primary_key": {
    "encrypted_data": "u/7z91Og/2eM7PWi2JWYAQMhYX4S5+bMMeVpkFPu778Gqj6Td9pagsWIak/d\nb7AU1zjF\n",
    "iv": "wYhrJWcuWbY8yo8S\n",
    "auth_tag": "WEoEdNy6VBvB2d5gb8DTXw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_encryption_key_derivation_salt": {
    "encrypted_data": "noOwTZuxfhsH94bjOT9rWCKS9rb3wAoXELGrc4nJZeNrb/B9XnOLTuK/wen8\nfmtoym0P\n",
    "iv": "jiFWs3VXhJdQBNqk\n",
    "auth_tag": "XDpJFgadYp7LyRqU7SO+Fg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "postgresql": {
    "encrypted_data": "Xorg8R8COxE/Swivu8MqZiwstD6rD+8FmgDx70pFscZ/CTb6WQRpyqGSrGZt\nZ7oL9WrqZs+mQgBb30odU+Sgdr6x\n",
    "iv": "6QWZc3+MY0hBCc/s\n",
    "auth_tag": "ZM+7OYyx5E9PciNG2OILhg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "ldap": {
    "encrypted_data": "mr2Z7hXF1GOn8RmqeZMMdaUcmiVP4ZeKtTX6RYW1cR+FQiUwoITwTPBE9XUx\n2cqZ9Mcd8uJicmf9vd+PfwPtRtoZFwqHQ4LDRFLW64hBZyiEkZWxWW+HzgPr\n",
    "iv": "k1AkyEplnJ4IZO1Z\n",
    "auth_tag": "zAOcrPex3VLDfRFq38n7fA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "sentry_dsn": {
-    "encrypted_data": "51cAERaRBCRg/sMb5c13EcnJzsz6VEf7jx6X3ooUSzm9wHoEfC5Hs/qakr/D\nqm9x3s3aGURRzyLUIEoe9jCohGguh6ehrXYVrun0B6pghVU=\n",
+    "encrypted_data": "oxW5jGU8DlIp5A9enxBhcJXuKyaZ5HziXq8Zw+Rbvpbv4C/RTGkJkgZdKcH1\nVzW/wNAT8nTK+nEvWgcQ3svjE40ltj2jcOexIRqLbuCClJE=\n",
-    "iv": "hJsiiW6dFQMEQ+2p\n",
+    "iv": "wpW9+VdX5GjocHSl\n",
-    "auth_tag": "TOIahNrUhhsdQGlzp6UV5g==\n",
+    "auth_tag": "1qrf1kZMrIR7WRiSaRjppQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_master_key": {
    "encrypted_data": "KHVYYH7Nb9/SsoKkYfbjzhFwj3Ioj72hm5pfdCuinf+GQvjKumq99eQTlKdf\nBZM1n0XN\n",
    "iv": "x9AQZvw/vCinKQ8k\n",
    "auth_tag": "mi0KHHOTBvVNhtvqk38BtQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "discourse_connect_secret": {
-    "encrypted_data": "pvKcwuZgUJsAvClQ4V0BwhwEg09EUEWVxoSx+mFlfG1KpvZE4Cu3u3PalPSD\nldyKsw==\n",
+    "encrypted_data": "WyLrV0DOsxyafSqyeQVj0BhVwm/0gvWeJLBsAbiqCGphryoYqUByPcum1T6R\n2H44nQ==\n",
-    "iv": "ED85d6PKyaKB3Wlv\n",
+    "iv": "lUtlJDv6Ieq8Bs5x\n",
-    "auth_tag": "XVCU/WigC97tNe0bUK6okQ==\n",
+    "auth_tag": "ku22BlQKw/BhHxuANTF6yg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "lndhub_admin_token": {
-    "encrypted_data": "LvCgahQblsKOxK9iNbwDd31atBfemVppHqV7s3K/sR4j\n",
+    "encrypted_data": "DQuxQW8ks3sUzyHYEpQVyPg2f/U4/LWeRoCD9225Hd+c\n",
-    "iv": "zObzh2jEsqXk2vD2\n",
+    "iv": "mjxYi+YAcKGuurD2\n",
-    "auth_tag": "n9m/sBYBfzggwQLWrGpR2Q==\n",
+    "auth_tag": "8P3bFFNeQ5HQgpXDB5Sk5A==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "btcpay_auth_token": {
-    "encrypted_data": "M4kGd6+jresm90nWrJG25mX6rfhaU+VlJlIVd/IjOAUsDABryyulJul3GZFh\nFPSI4uEhgIWtn56I0bA=\n",
+    "encrypted_data": "3wsY9osaUdX4SvBPfHprNLSbx6/rfI5BfXnDxsc6OET3nGn19qBhH6wgeiwZ\n/dweqdQ25HpbFPygddc=\n",
-    "iv": "hvqHm7A/YfUOJwRJ\n",
+    "iv": "ccouibxktHLlUCQJ\n",
-    "auth_tag": "DhtT6IeixD1MSRX+D7JxZA==\n",
+    "auth_tag": "pWuRC8O2EAkmztL/9V3now==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_access_key": {
-    "encrypted_data": "FPRpLZoIbLcVWPJhOlX7ZeXGv6TZIWYAD+BKTsJOyOHxDG3eRULqQc89cGWi\n",
+    "encrypted_data": "hJGHa+hEmddtsZ4UncrYBkjRa/2Csqdh79tXpTVxUWbIsYGdlvyadk7C1UCj\n",
-    "iv": "f9WiiGLmDxtygp60\n",
+    "iv": "GlxNdnWiNzmNYthg\n",
-    "auth_tag": "lGnq4itmByuF/Yp20/6coQ==\n",
+    "auth_tag": "hlRLkroUN01L7VzQFBU/IA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_secret_key": {
-    "encrypted_data": "JnnwISbHJ+d7JZB/C0NH0fb8p+bDSwoq5t5knSi+bSTltSxKcq6PRX9K6bov\nEbo0GTdWePbuc5NCsyYxfrkzCtpLXTIxeCROtinRmFIgMFNwaOA=\n",
+    "encrypted_data": "LKdQJOKIfFIoiF3GvfTs1mg3AI//Aoi8r42zcw8QhEVPB8ONsSf0/vhM037C\nf5nzUk7xwglvTOveqbOM+UTBJF/4oblQfgwFW3VobWUGkJqjtKE=\n",
-    "iv": "pKPCaANDqGtbFV3V\n",
+    "iv": "tWTxzK/ccpjlLmQV\n",
-    "auth_tag": "S//hn2HOhuZH8+UfCNBWDg==\n",
+    "auth_tag": "n2MFkTIquyqz4wqRNdSJcg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "nostr_private_key": {
-    "encrypted_data": "AKfFiLow+veDyEWBwmCDuLerT3l+o2aJUCeHg2mZZIyoH4oeo/9crZwIdjBn\n70reouqnHNG9mBHuO/+IPGfj53mHLo+oGHh+6LkL3ImI4MFBofY=\n",
+    "encrypted_data": "CPMeNxzpYMReaQU4+v+EqpVESRsnaYc3a4y7OkHOhtn2gjaNEDERGKvRmlyd\nD6vxKPcIrwTCZ7neJ3YLOVOxPDNv6skqdtMHBwSgl7aBEOrx7tY=\n",
-    "iv": "bPlOKk2qkJAzdKf+\n",
+    "iv": "AV1on2sw1avmFFuY\n",
-    "auth_tag": "VIp1IOjBGatn2MN5LHVymg==\n",
+    "auth_tag": "9rb9qQBKrj5Xja1t+qROKQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/data_bags/credentials/gandi_api.json
+++ b/data_bags/credentials/gandi_api.json
@ -1,23 +1,23 @@
 {
  "id": "gandi_api",
  "key": {
-    "encrypted_data": "lU7/xYTmP5Sb6SsK5TNNIyegWozzBtUzpg7oDdl6gcz9FEMmG2ft0Ljh5Q==\n",
+    "encrypted_data": "Ky1/PdywtEIl5vVXhzu3n2JetqOxnNjpjQ7yCao6qwIAn8oYxnv1c1hFAQ==\n",
-    "iv": "EZPQD3C+wsP/mBhF\n",
+    "iv": "stAc2FxDvUqrh0kt\n",
-    "auth_tag": "vF9E8Pj4Z8quJJdOMg/QTw==\n",
+    "auth_tag": "rcK4Qt+f2O4Zo5IMmG0fkw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "access_token": {
-    "encrypted_data": "1Uw69JkNrmb8LU/qssuod1SlqxxrWR7TJQZeeivRrNzrMIVTEW/1uwJIYL6b\nM4GeeYl9lIRlMMmLBkc=\n",
+    "encrypted_data": "J7zoLhEbPfPjnVWBmFmDdPKRer5GGw2o6Ad0uinznANugfaDiqjyYinOdEDF\nHlAqLmXv4J40rr3F+o4=\n",
-    "iv": "cc1GJKu6Cf4DkIgX\n",
+    "iv": "fAxFqVh9QqrfBsPW\n",
-    "auth_tag": "ERem4S7ozG695kjvWIMghw==\n",
+    "auth_tag": "9ugi4frDLv8f7X0X1+k4DA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "domains": {
-    "encrypted_data": "scZ5blsSjs54DlitR7KZ3enLbyceOR5q0wjHw1golQ==\n",
+    "encrypted_data": "X0KOKlJp5GYbKcq/jzmlaMmTXV1U7exWSqi3UxX9Sw==\n",
-    "iv": "oDcHm7shAzW97b4t\n",
+    "iv": "9JucnYLlYdQ9N6pd\n",
-    "auth_tag": "62Zais9yf68SwmZRsmZ3hw==\n",
+    "auth_tag": "sERYPDnVUJwVfSS8/xrPpQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/data_bags/credentials/kosmos-rs.json
+++ b/data_bags/credentials/kosmos-rs.json
@ -1,10 +0,0 @@
 {
  "id": "kosmos-rs",
  "auth_tokens": {
    "encrypted_data": "fiznpRw7VKlm232+U6XV1rqkAf2Z8CpoD8KyvuvOH2JniaymlcTHgazGWQ8s\nGeqK4RU9l4d29e9i+Mh0k4vnhO4q\n",
    "iv": "SvurcL2oNSNWjlxp\n",
    "auth_tag": "JLQ7vGXAuYYJpLEpL6C+Rw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
 }
--- a/data_bags/credentials/lndhub-go.json
+++ b/data_bags/credentials/lndhub-go.json
@ -1,30 +1,30 @@
 {
  "id": "lndhub-go",
  "jwt_secret": {
-    "encrypted_data": "lJsKBTCRzI83xmRHXzpnuRH/4cuMOR+Rd+SBU50G9HdibadIEDhS\n",
+    "encrypted_data": "3T4JYnoISKXCnatCBeLCXyE8wVjzphw5/JU5A0vHfQ2xSDZreIRQ\n",
-    "iv": "f/SvsWtZIYOVc54X\n",
+    "iv": "bGQZjCk6FtD/hqVj\n",
-    "auth_tag": "YlJ78EuJbcPfjCPc2eH+ug==\n",
+    "auth_tag": "CS87+UK1ZIFMiNcNaoyO6w==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "postgresql_password": {
-    "encrypted_data": "aT0yNlWjvk/0S4z2kZB4Ye1u/ngk5J6fGPbwZSfdq6cy\n",
+    "encrypted_data": "u8kf/6WdSTzyIz2kF+24JgOPLndWH2WmTFZ3CToJsnay\n",
-    "iv": "OgUttF4LlSrL/7gH\n",
+    "iv": "KqLtV2UuaAzJx7C8\n",
-    "auth_tag": "pcbbGqbQ2RjU+i9dt8c3OQ==\n",
+    "auth_tag": "3aqx45+epb2NFkNfOfG89A==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "admin_token": {
-    "encrypted_data": "I9EsqCCxMIw+fX6sfu6KX8B5fJj9DX5Y4tbX30jdnmxr\n",
+    "encrypted_data": "Z737fXqRE9JHfunRhc2GG281dFFN1bvBvTzTDzl/Vb8O\n",
-    "iv": "vnERvIWYInO6+Y8q\n",
+    "iv": "oKLQJbD67tiz2235\n",
-    "auth_tag": "gO+MprZUQgPEWJQUmSF1sA==\n",
+    "auth_tag": "SlVIqC9d9SRoO78M7cBjTw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "sentry_dsn": {
-    "encrypted_data": "+sUXWgl6dXpA1/0FqjKC3Jnl54aor6gtM+19EM/NsHwg4qu672YnSgxV+c9x\nHM3JZBYxBYvJ+HYGAvMmhlGvaOOEIvLmFUpCCJeVUXR32S8=\n",
+    "encrypted_data": "gmDHGDWkTIvaXjcWMs1dnKnbqtsADPJ2mLmWw8Idj6RVevU5CabjvviAxEo1\n3hs2LWuObumRSCQt2QKap191uMq3CL2+da53hbsv+JUkxl4=\n",
-    "iv": "82+DzAnHiptaX7sO\n",
+    "iv": "Yt0fSsxL4SNicwUY\n",
-    "auth_tag": "CDx44iRBVhSIF8DOxb2c+w==\n",
+    "auth_tag": "j7BWbcNnymHHMNTADWmCNw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/environments/production.json
+++ b/environments/production.json
@ -105,39 +105,19 @@
    },
    "strfry": {
      "domain": "nostr.kosmos.org",
-      "config": {
+      "real_ip_header": "x-real-ip",
-        "events": {
+      "policy_path": "/opt/strfry/strfry-policy.ts",
-          "max_event_size": "524288"
+      "whitelist_pubkeys": [
-        },
+        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
-        "relay": {
+        "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf"
-          "bind": "0.0.0.0",
+      ],
-          "real_ip_header": "x-real-ip",
+      "info": {
-          "info": {
+        "name": "Kosmos Relay",
-            "name": "Kosmos Relay",
+        "description": "Members-only nostr relay for kosmos.org users",
-            "description": "Members-only nostr relay for kosmos.org users",
+        "pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
-            "pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
+        "contact": "ops@kosmos.org",
-            "contact": "ops@kosmos.org",
+        "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
            "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
          },
          "write_policy": {
            "plugin": "/opt/strfry/strfry-policy.ts"
          },
          "logging": {
            "dump_in_all": true
          }
        }
      },
      "known_pubkeys": {
        "_": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
        "accounts": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
        "bitcoincore": "47750177bb6bb113784e4973f6b2e3dd27ef1eff227d6e38d0046d618969e41a",
        "fiatjaf": "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
      }
    },
    "substr": {
      "relay_urls": [
        "ws://localhost:7777"
      ]
    }
  }
 }
--- a/nodes/akaunting-1.json
+++ b/nodes/akaunting-1.json
@ -0,0 +1,66 @@
 {
  "name": "akaunting-1",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.215"
    }
  },
  "automatic": {
    "fqdn": "akaunting-1",
    "os": "linux",
    "os_version": "5.15.0-1069-kvm",
    "hostname": "akaunting-1",
    "ipaddress": "192.168.122.162",
    "roles": [
      "base",
      "kvm_guest",
      "akaunting",
      "postgresql_client"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::hostsfile",
      "kosmos_akaunting",
      "kosmos_akaunting::default",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
      "kosmos-nodejs::default",
      "nodejs::nodejs_from_package",
      "nodejs::repo"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.5.0",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.1.11",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[akaunting]"
  ]
 }
--- a/nodes/akkounts-1.json
+++ b/nodes/akkounts-1.json
@ -38,7 +38,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@ -38,7 +38,6 @@
      "kosmos-bitcoin::dotnet",
      "kosmos-bitcoin::nbxplorer",
      "kosmos-bitcoin::btcpay",
      "kosmos-bitcoin::price_tracking",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@ -103,7 +102,6 @@
    "role[bitcoind]",
    "role[lnd]",
    "role[lndhub]",
-    "role[btcpay]",
+    "role[btcpay]"
    "recipe[kosmos-bitcoin::price_tracking]"
  ]
 }
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@ -20,7 +20,7 @@
  "automatic": {
    "fqdn": "draco.kosmos.org",
    "os": "linux",
-    "os_version": "5.4.0-187-generic",
+    "os_version": "5.4.0-54-generic",
    "hostname": "draco",
    "ipaddress": "148.251.237.73",
    "roles": [
--- a/nodes/drone-1.json
+++ b/nodes/drone-1.json
@ -8,27 +8,26 @@
  "automatic": {
    "fqdn": "drone-1",
    "os": "linux",
-    "os_version": "5.4.0-1133-kvm",
+    "os_version": "5.4.0-1058-kvm",
    "hostname": "drone-1",
    "ipaddress": "192.168.122.200",
    "roles": [
      "kvm_guest",
      "drone",
-      "postgresql_client"
+      "postgresql_client",
      "kvm_guest"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::hostsfile",
      "kosmos_drone",
      "kosmos_drone::default",
      "kosmos_kvm::guest",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@ -44,13 +43,13 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.7.10",
+        "version": "17.9.52",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.2.5",
+        "version": "17.9.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
      }
    }
  },
@ -59,4 +58,4 @@
    "role[kvm_guest]",
    "role[drone]"
  ]
-}
+}
--- a/nodes/gitea-2.json
+++ b/nodes/gitea-2.json
@ -9,7 +9,7 @@
  "automatic": {
    "fqdn": "gitea-2",
    "os": "linux",
-    "os_version": "5.4.0-1123-kvm",
+    "os_version": "5.4.0-1096-kvm",
    "hostname": "gitea-2",
    "ipaddress": "192.168.122.189",
    "roles": [
@ -39,7 +39,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@ -50,13 +49,6 @@
      "postfix::sasl_auth",
      "hostname::default",
      "firewall::default",
      "kosmos_gitea::compile_from_source",
      "git::default",
      "git::package",
      "kosmos-nodejs::default",
      "nodejs::nodejs_from_package",
      "nodejs::repo",
      "golang::default",
      "backup::default",
      "logrotate::default"
    ],
--- a/nodes/her.json
+++ b/nodes/her.json
@ -9,7 +9,7 @@
  "automatic": {
    "fqdn": "her",
    "os": "linux",
-    "os_version": "5.15.0-84-generic",
+    "os_version": "5.15.0-101-generic",
    "hostname": "her",
    "ipaddress": "192.168.30.172",
    "roles": [
--- a/nodes/mastodon-3.json
+++ b/nodes/mastodon-3.json
@ -37,7 +37,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/postgres-6.json
+++ b/nodes/postgres-6.json
@ -22,7 +22,7 @@
      "kosmos_kvm::guest",
      "kosmos_postgresql::primary",
      "kosmos_postgresql::firewall",
-      "kosmos-akkounts::pg_db",
+      "kosmos_akaunting::pg_db",
      "kosmos-bitcoin::lndhub-go_pg_db",
      "kosmos-bitcoin::nbxplorer_pg_db",
      "kosmos_drone::pg_db",
--- a/nodes/postgres-7.json
+++ b/nodes/postgres-7.json
@ -29,7 +29,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/strfry-1.json
+++ b/nodes/strfry-1.json
@ -27,13 +27,11 @@
      "strfry::default",
      "kosmos_strfry::policies",
      "kosmos_strfry::firewall",
      "kosmos_strfry::substr",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/roles/akaunting.rb
+++ b/roles/akaunting.rb
@ -0,0 +1,6 @@
 name "akaunting"
 run_list %w[
  role[postgresql_client]
  kosmos_akaunting::default
 ]
--- a/roles/gitea.rb
+++ b/roles/gitea.rb
@ -5,11 +5,3 @@ run_list %w(
  kosmos_gitea::default
  kosmos_gitea::backup
 )
 override_attributes(
  "gitea" => {
    "repo" => "https://github.com/67P/gitea.git",
    "revision" => "ldap_sync",
    "log" => { "level" => "Info" }
  },
 )
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@ -3,7 +3,7 @@ name "postgresql_primary"
 run_list %w(
  kosmos_postgresql::primary
  kosmos_postgresql::firewall
-  kosmos-akkounts::pg_db
+  kosmos_akaunting::pg_db
  kosmos-bitcoin::lndhub-go_pg_db
  kosmos-bitcoin::nbxplorer_pg_db
  kosmos_drone::pg_db
--- a/roles/strfry.rb
+++ b/roles/strfry.rb
@ -5,5 +5,4 @@ run_list %w(
  strfry::default
  kosmos_strfry::policies
  kosmos_strfry::firewall
  kosmos_strfry::substr
 )
--- a/site-cookbooks/deno
+++ b/site-cookbooks/deno
@ -1 +1 @@
-Subproject commit 92839b20a4c3b0a15b99bd86ea7cae16645570a6
+Subproject commit 617f7959abda045326c8f06f1c1bcedbaa7c7285
--- a/site-cookbooks/kosmos-akkounts/recipes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb
@ -24,12 +24,13 @@ package "libvips"
 include_recipe 'redisio::default'
 include_recipe 'redisio::enable'
 node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
 include_recipe 'kosmos-nodejs'
 npm_package "bun"
-ruby_version = "3.3.8"
+npm_package "yarn" do
  version "1.22.4"
 end
 ruby_version = "3.3.0"
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
 rails_env = node.chef_environment == "development" ? "development" : "production"
@ -47,28 +48,7 @@ webhooks_allowed_ips = [lndhub_host].compact.uniq.join(',')
 env = {
  primary_domain: node['akkounts']['primary_domain'],
  akkounts_domain: node['akkounts']['domain'],
-  rails_serve_static_files: true,
+  rails_serve_static_files: true
  secret_key_base: credentials["rails_secret_key_base"],
  encryption_primary_key: credentials["rails_encryption_primary_key"],
  encryption_key_derivation_salt: credentials["rails_encryption_key_derivation_salt"],
  db_adapter: "postgresql",
  pg_host: "pg.kosmos.local",
  pg_port: 5432,
  pg_database: "akkounts",
  pg_database_queue: "akkounts_queue",
  pg_username: credentials["postgresql"]["username"],
  pg_password: credentials["postgresql"]["password"]
 }
 env[:ldap] = {
  host: "ldap.kosmos.local",
  port: 389,
  use_tls: false,
  uid_attr: "cn",
  base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
  admin_user: credentials["ldap"]["admin_user"],
  admin_password: credentials["ldap"]["admin_password"],
  suffix: "dc=kosmos,dc=org"
 }
 smtp_server, smtp_port = smtp_credentials[:relayhost].split(":")
@ -158,9 +138,9 @@ if lndhub_host
  if postgres_readonly_host
    env[:lndhub_admin_ui] = true
    env[:lndhub_pg_host] = postgres_readonly_host
-    env[:lndhub_pg_database] = node["akkounts"]["lndhub"]["postgres_db"]
+    env[:lndhub_pg_database] = node['akkounts']['lndhub']['postgres_db']
-    env[:lndhub_pg_username] = credentials["postgresql"]["username"]
+    env[:lndhub_pg_username] = credentials['postgresql_username']
-    env[:lndhub_pg_password] = credentials["postgresql"]["password"]
+    env[:lndhub_pg_password] = credentials['postgresql_password']
  end
 end
@ -228,7 +208,7 @@ systemd_unit "akkounts.service" do
      Type: "simple",
      User: deploy_user,
      WorkingDirectory: deploy_path,
-      Environment: "RAILS_ENV=#{rails_env} SOLID_QUEUE_IN_PUMA=true",
+      Environment: "RAILS_ENV=#{rails_env}",
      ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
      ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
      ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
@ -245,6 +225,36 @@ systemd_unit "akkounts.service" do
  action [:create, :enable]
 end
 systemd_unit "akkounts-sidekiq.service" do
  content({
    Unit: {
      Description: "Kosmos Accounts async/background jobs",
      Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
      Requires: "redis@6379.service",
      After: "syslog.target network.target redis@6379.service"
    },
    Service: {
      Type: "notify",
      User: deploy_user,
      WorkingDirectory: deploy_path,
      Environment: "MALLOC_ARENA_MAX=2",
      ExecStart: "#{bundle_path} exec sidekiq -C #{deploy_path}/config/sidekiq.yml -e #{rails_env}",
      WatchdogSec: "10",
      Restart: "on-failure",
      RestartSec: "1",
      StandardOutput: "syslog",
      StandardError: "syslog",
      SyslogIdentifier: "sidekiq"
    },
    Install: {
      WantedBy: "multi-user.target"
    }
  })
  verify false
  triggers_reload true
  action [:create, :enable]
 end
 deploy_env = {
  "HOME" => deploy_path,
  "PATH" => "#{ruby_path}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin",
@ -257,7 +267,15 @@ git deploy_path do
  revision node[app_name]["revision"]
  user  deploy_user
  group deploy_group
  # Restart services on deployments
  notifies :run, "execute[restart #{app_name} services]", :delayed
 end
 execute "restart #{app_name} services" do
  command "true"
  action :nothing
  notifies :restart, "service[#{app_name}]", :delayed
  notifies :restart, "service[#{app_name}-sidekiq]", :delayed
 end
 file "#{deploy_path}/config/master.key" do
@ -265,7 +283,7 @@ file "#{deploy_path}/config/master.key" do
  mode '0400'
  owner deploy_user
  group deploy_group
-  notifies :restart, "service[#{app_name}]", :delayed
+  notifies :run, "execute[restart #{app_name} services]", :delayed
 end
 template "#{deploy_path}/.env.#{rails_env}" do
@ -275,7 +293,7 @@ template "#{deploy_path}/.env.#{rails_env}" do
  mode 0600
  sensitive true
  variables config: env
-  notifies :restart, "service[#{app_name}]", :delayed
+  notifies :run, "execute[restart #{app_name} services]", :delayed
 end
 execute "bundle install" do
@ -285,6 +303,13 @@ execute "bundle install" do
  command "bundle install --without development,test --deployment"
 end
 execute "yarn install" do
  environment deploy_env
  user deploy_user
  cwd deploy_path
  command "yarn install --pure-lockfile"
 end
 execute 'rake db:migrate' do
  environment deploy_env
  user deploy_user
@ -305,6 +330,10 @@ service "akkounts" do
  action [:enable, :start]
 end
 service "akkounts-sidekiq" do
  action [:enable, :start]
 end
 firewall_rule "akkounts_zerotier" do
  command  :allow
  port     node["akkounts"]["port"]
--- a/site-cookbooks/kosmos-akkounts/recipes/pg_db.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/pg_db.rb
@ -1,22 +0,0 @@
 #
 # Cookbook:: kosmos-akkounts
 # Recipe:: pg_db
 #
 credentials = data_bag_item("credentials", "akkounts")
 pg_username = credentials["postgresql"]["username"]
 pg_password = credentials["postgresql"]["password"]
 postgresql_user pg_username do
  action :create
  password pg_password
 end
 databases = ["akkounts", "akkounts_queue"]
 databases.each do |database|
  postgresql_database database do
    owner pg_username
    action :create
  end
 end
--- a/site-cookbooks/kosmos-base/attributes/default.rb
+++ b/site-cookbooks/kosmos-base/attributes/default.rb
@ -1,2 +0,0 @@
 node.default["kosmos-base"]["journald"]["system_max_use"] = "256M"
 node.default["kosmos-base"]["journald"]["max_retention_sec"] = "7d"
--- a/site-cookbooks/kosmos-base/recipes/default.rb
+++ b/site-cookbooks/kosmos-base/recipes/default.rb
@ -27,7 +27,6 @@
 include_recipe 'apt'
 include_recipe 'timezone_iii'
 include_recipe 'ntp'
 include_recipe 'kosmos-base::journald_conf'
 include_recipe 'kosmos-base::systemd_emails'
 node.override["apt"]["unattended_upgrades"]["allowed_origins"] = [
--- a/site-cookbooks/kosmos-base/recipes/journald_conf.rb
+++ b/site-cookbooks/kosmos-base/recipes/journald_conf.rb
@ -1,14 +0,0 @@
 #
 # Cookbook Name:: kosmos-base
 # Recipe:: journald_conf
 #
 service "systemd-journald"
 template "/etc/systemd/journald.conf" do
  source "journald.conf.erb"
  variables system_max_use: node["kosmos-base"]["journald"]["system_max_use"],
            max_retention_sec: node["kosmos-base"]["journald"]["max_retention_sec"]
  # Restarting journald is required
  notifies :restart, "service[systemd-journald]", :delayed
 end
--- a/site-cookbooks/kosmos-base/templates/default/journald.conf.erb
+++ b/site-cookbooks/kosmos-base/templates/default/journald.conf.erb
@ -1,6 +0,0 @@
 [Journal]
 # Set the maximum size of the journal logs in bytes
 SystemMaxUse=<%= @system_max_use %>
 # Set the number of days after which logs will be deleted
 MaxRetentionSec=<%= @max_retention_sec %>
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '29.0'
+node.default['bitcoin']['version']   = '28.0'
-node.default['bitcoin']['checksum']  = '882c782c34a3bf2eacd1fae5cdc58b35b869883512f197f7d6dc8f195decfdaa'
+node.default['bitcoin']['checksum']  = '700ae2d1e204602eb07f2779a6e6669893bc96c0dca290593f80ff8e102ff37f'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'
@ -41,7 +41,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.18.5-beta'
+node.default['lnd']['revision'] = 'v0.18.3-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@ -90,7 +90,7 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/
 node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
 node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
-node.default['nbxplorer']['revision'] = 'v2.5.26'
+node.default['nbxplorer']['revision'] = 'v2.5.0'
 node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
 node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
 node.default['nbxplorer']['port'] = '24445'
@ -98,7 +98,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
 node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
 node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
-node.default['btcpay']['revision'] = 'v2.1.1'
+node.default['btcpay']['revision'] = 'v1.12.5'
 node.default['btcpay']['source_dir'] = '/opt/btcpay'
 node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
 node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
@ -111,5 +111,3 @@ node.default['btcpay']['postgres']['user'] = 'satoshi'
 node.default['peerswap']['repo'] = 'https://github.com/ElementsProject/peerswap.git'
 node.default['peerswap']['revision'] = 'master'
 node.default['peerswap-lnd']['source_dir'] = '/opt/peerswap'
 node.default['price_tracking']['rs_base_url'] = "https://storage.kosmos.org/kosmos/public/btc-price"
--- a/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
@ -34,7 +34,7 @@ end
 execute "compile_bitcoin-core_dependencies" do
  cwd "/usr/local/bitcoind/depends"
  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
-  command "make -j $(($(nproc)/2))"
+  command "make -j 2"
  action :nothing
  notifies :run, 'bash[compile_bitcoin-core]', :immediately
 end
@ -43,13 +43,21 @@ bash "compile_bitcoin-core" do
  cwd "/usr/local/bitcoind"
  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
  code <<-EOH
-    cmake -B build --toolchain depends/x86_64-pc-linux-gnu/toolchain.cmake
+    ./autogen.sh
-    cmake --build build -j $(($(nproc)/2))
+    ./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
-    cmake --install build
+    make
  EOH
  action :nothing
 end
 link "/usr/local/bin/bitcoind" do
  to "/usr/local/bitcoind/src/bitcoind"
 end
 link "/usr/local/bin/bitcoin-cli" do
  to "/usr/local/bitcoind/src/bitcoin-cli"
 end
 bitcoin_user      = node['bitcoin']['username']
 bitcoin_group     = node['bitcoin']['usergroup']
 bitcoin_datadir   = node['bitcoin']['datadir']
--- a/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb
@ -58,7 +58,9 @@ directory '/run/nbxplorer' do
 end
 env = {
-  NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20"
+  NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20",
  NBXPLORER_AUTOMIGRATE: "1",
  NBXPLORER_NOMIGRATEEVTS: "1"
 }
 systemd_unit 'nbxplorer.service' do
--- a/site-cookbooks/kosmos-bitcoin/recipes/price_tracking.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/price_tracking.rb
@ -1,59 +0,0 @@
 #
 # Cookbook:: kosmos-bitcoin
 # Recipe:: price_tracking
 #
 # Track BTC rates and publish them via remoteStorage
 #
 %w[curl jq].each do |pkg|
  apt_package pkg
 end
 daily_tracker_path = "/usr/local/bin/btc-price-tracker-daily"
 credentials = Chef::EncryptedDataBagItem.load('credentials', 'kosmos-rs')
 template daily_tracker_path do
  source "btc-price-tracker-daily.sh.erb"
  mode '0740'
  variables rs_base_url: node['price_tracking']['rs_base_url']
  notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
 end
 systemd_unit 'btc-price-tracker-daily.service' do
  content({
    Unit: {
      Description: 'BTC price tracker (daily rates)',
      After: 'network-online.target',
      Wants: 'network-online.target'
    },
    Service: {
      Type: 'oneshot',
      ExecStart: daily_tracker_path,
      Environment: "RS_AUTH=#{credentials["auth_tokens"]["/btc-price"]}"
    },
    Install: {
      WantedBy: 'multi-user.target'
    }
  })
  sensitive true
  triggers_reload true
  action [:create]
 end
 systemd_unit 'btc-price-tracker-daily.timer' do
  content({
    Unit: {
      Description: 'Run BTC price tracker daily'
    },
    Timer: {
      OnCalendar: '*-*-* 00:00:00',
      Persistent: 'true'
    },
    Install: {
      WantedBy: 'timers.target'
    }
  })
  triggers_reload true
  action [:create, :enable, :start]
 end
--- a/site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb
@ -1,49 +0,0 @@
 #!/bin/bash
 # Calculate yesterday's date in YYYY-MM-DD format
 YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
 echo "Starting price tracking for $YESTERDAY" >&2
 # Fetch and process rates for a fiat currency
 get_price_data() {
    local currency=$1
    local data avg open24 last
    data=$(curl -s "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/")
    if [ $? -eq 0 ] && [ ! -z "$data" ]; then
        echo "Successfully retrieved ${currency} price data" >&2
        open24=$(echo "$data" | jq -r '.open_24')
        last=$(echo "$data" | jq -r '.last')
        avg=$(( (${open24%.*} + ${last%.*}) / 2 ))
        echo $avg
    else
        echo "ERROR: Failed to retrieve ${currency} price data" >&2
        exit 1
    fi
 }
 # Get price data for each currency
 usd_avg=$(get_price_data "USD")
 eur_avg=$(get_price_data "EUR")
 gbp_avg=$(get_price_data "GBP")
 # Create JSON
 json="{\"EUR\":$eur_avg,\"USD\":$usd_avg,\"GBP\":$gbp_avg}"
 echo "Rates: $json" >&2
 # PUT in remote storage
 response=$(curl -X PUT \
    -H "Authorization: Bearer $RS_AUTH" \
    -H "Content-Type: application/json" \
    -d "$json" \
    -w "%{http_code}" \
    -s \
    -o /dev/null \
    "<%= @rs_base_url %>/$YESTERDAY")
 if [ "$response" -eq 200 ] || [ "$response" -eq 201 ]; then
   echo "Successfully uploaded price data" >&2
 else
   echo "ERROR: Failed to upload price data. HTTP status: $response" >&2
   exit 1
 fi
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@ -110,7 +110,6 @@ hosts = [
        access_persistent: muc_create
        access_register: muc_create
        max_user_conferences: 1000
        max_users: 2000
        default_room_options:
          mam: true
        preload_rooms: true
--- a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
@ -16,8 +16,8 @@ set -e
 for domain in $RENEWED_DOMAINS; do
  case $domain in
  kosmos.org|kosmos.chat|5apps.com)
-    cp "/etc/letsencrypt/live/${domain}/privkey.pem" /opt/ejabberd/conf/$domain.key
+    cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key
-    cp "/etc/letsencrypt/live/${domain}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
+    cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
    chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
    chmod 600 /opt/ejabberd/conf/$domain.*
    /opt/ejabberd-#{node["ejabberd"]["version"]}/bin/ejabberdctl reload_config
@ -38,13 +38,12 @@ gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
 template "/root/gandi_dns_certbot_hook.sh" do
  variables access_token: gandi_api_credentials["access_token"]
  mode 0700
  sensitive true
 end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for kosmos.org domains" do
-  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d upload.kosmos.org -d proxy.kosmos.org -d pubsub.kosmos.org -d uploads.xmpp.kosmos.org -n"
+  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d uploads.xmpp.kosmos.org -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
  end
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@ -185,11 +185,8 @@ api_permissions:
    what:
      - "add_rosteritem"
      - "delete_rosteritem"
      - "get_vcard2"
      - "muc_register_nick"
      - "private_set"
      - "send_message"
-      - "send_stanza"
+      - "private_set"
 language: "en"
@ -234,6 +231,7 @@ modules:
  mod_shared_roster: {}
  mod_stun_disco:
    offer_local_services: false
    credentials_lifetime: 300
    secret: <%= @stun_secret %>
    services:
      -
--- a/site-cookbooks/kosmos-mastodon/recipes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb
@ -265,44 +265,6 @@ service "mastodon-streaming" do
  action [:enable, :start]
 end
 #
 # Delete cached remote media older than 30 days
 # Will be re-fetched if necessary
 #
 systemd_unit 'mastodon-delete-old-media-cache.service' do
  content({
    Unit: {
      Description: 'Delete old Mastodon media cache'
    },
    Service: {
      Type: "oneshot",
      WorkingDirectory: mastodon_path,
      Environment: "RAILS_ENV=#{rails_env}",
      ExecStart: "#{bundle_path} exec bin/tootctl media remove --days 30",
    }
  })
  triggers_reload true
  action [:create]
 end
 systemd_unit 'mastodon-delete-old-media-cache.timer' do
  content({
    Unit: {
      Description: 'Delete old Mastodon media cache'
    },
    Timer: {
      OnCalendar: '*-*-* 00:00:00',
      Persistent: 'true'
    },
    Install: {
      WantedBy: 'timer.target'
    }
  })
  triggers_reload true
  action [:create, :enable, :start]
 end
 firewall_rule "mastodon_app" do
  port     node['kosmos-mastodon']['app_port']
  source   "10.1.1.0/24"
--- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
@ -12,13 +12,6 @@ search(:node, "role:mastodon").each do |node|
 end
 if upstream_hosts.any?
  web_root_dir = "/var/www/#{server_name}/public"
  directory web_root_dir do
    action :create
    recursive true
    owner 'www-data'
    group 'www-data'
    mode 0755
  end
 else
  web_root_dir = "#{app_dir}/public"
  upstream_hosts << "localhost"
--- a/site-cookbooks/kosmos-nginx/recipes/default.rb
+++ b/site-cookbooks/kosmos-nginx/recipes/default.rb
@ -59,7 +59,7 @@ cookbook_file "#{node["nginx"]["user_home"]}/maintenance.html" do
  source "maintenance.html"
  owner node['nginx']['user']
  group node['nginx']['group']
-  mode "0755"
+  mode "0640"
 end
 unless node.chef_environment == "development"
--- a/site-cookbooks/kosmos_akaunting/.gitignore
+++ b/site-cookbooks/kosmos_akaunting/.gitignore
@ -0,0 +1,25 @@
 .vagrant
 *~
 *#
 .#*
 \#*#
 .*.sw[a-z]
 *.un~
 # Bundler
 Gemfile.lock
 gems.locked
 bin/*
 .bundle/*
 # test kitchen
 .kitchen/
 kitchen.local.yml
 # Chef Infra
 Berksfile.lock
 .zero-knife.rb
 Policyfile.lock.json
 .idea/
--- a/site-cookbooks/kosmos_akaunting/Policyfile.rb
+++ b/site-cookbooks/kosmos_akaunting/Policyfile.rb
@ -0,0 +1,16 @@
 # Policyfile.rb - Describe how you want Chef Infra Client to build your system.
 #
 # For more information on the Policyfile feature, visit
 # https://docs.chef.io/policyfile/
 # A name that describes what the system you're building with Chef does.
 name 'kosmos_akaunting'
 # Where to find external cookbooks:
 default_source :supermarket
 # run_list: chef-client will run these recipes in the order specified.
 run_list 'kosmos_akaunting::default'
 # Specify a custom source for a single cookbook:
 cookbook 'kosmos_akaunting', path: '.'
--- a/site-cookbooks/kosmos_akaunting/README.md
+++ b/site-cookbooks/kosmos_akaunting/README.md
@ -0,0 +1,4 @@
 # kosmos_akaunting
 TODO: Enter the cookbook description here.
--- a/site-cookbooks/kosmos_akaunting/attributes/default.rb
+++ b/site-cookbooks/kosmos_akaunting/attributes/default.rb
@ -0,0 +1,5 @@
 node.default["akaunting"]["user"] = "deploy"
 node.default["akaunting"]["group"] = "www-data"
 node.default["akaunting"]["repo"] = "https://github.com/akaunting/akaunting.git"
 node.default["akaunting"]["revision"] = "3.1.12"
 node.default["akaunting"]["port"] = 80
--- a/site-cookbooks/kosmos_akaunting/chefignore
+++ b/site-cookbooks/kosmos_akaunting/chefignore
@ -0,0 +1,115 @@
 # Put files/directories that should be ignored in this file when uploading
 # to a Chef Infra Server or Supermarket.
 # Lines that start with '# ' are comments.
 # OS generated files #
 ######################
 .DS_Store
 ehthumbs.db
 Icon?
 nohup.out
 Thumbs.db
 .envrc
 # EDITORS #
 ###########
 .#*
 .project
 .settings
 *_flymake
 *_flymake.*
 *.bak
 *.sw[a-z]
 *.tmproj
 *~
 \#*
 REVISION
 TAGS*
 tmtags
 .vscode
 .editorconfig
 ## COMPILED ##
 ##############
 *.class
 *.com
 *.dll
 *.exe
 *.o
 *.pyc
 *.so
 */rdoc/
 a.out
 mkmf.log
 # Testing #
 ###########
 .circleci/*
 .codeclimate.yml
 .delivery/*
 .foodcritic
 .kitchen*
 .mdlrc
 .overcommit.yml
 .rspec
 .rubocop.yml
 .travis.yml
 .watchr
 .yamllint
 azure-pipelines.yml
 Dangerfile
 examples/*
 features/*
 Guardfile
 kitchen.yml*
 mlc_config.json
 Procfile
 Rakefile
 spec/*
 test/*
 # SCM #
 #######
 .git
 .gitattributes
 .gitconfig
 .github/*
 .gitignore
 .gitkeep
 .gitmodules
 .svn
 */.bzr/*
 */.git
 */.hg/*
 */.svn/*
 # Berkshelf #
 #############
 Berksfile
 Berksfile.lock
 cookbooks/*
 tmp
 # Bundler #
 ###########
 vendor/*
 Gemfile
 Gemfile.lock
 # Policyfile #
 ##############
 Policyfile.rb
 Policyfile.lock.json
 # Documentation #
 #############
 CODE_OF_CONDUCT*
 CONTRIBUTING*
 documentation/*
 TESTING*
 UPGRADING*
 # Vagrant #
 ###########
 .vagrant
 Vagrantfile
--- a/site-cookbooks/kosmos_akaunting/kitchen.yml
+++ b/site-cookbooks/kosmos_akaunting/kitchen.yml
@ -0,0 +1,31 @@
 ---
 driver:
  name: vagrant
 ## The forwarded_port port feature lets you connect to ports on the VM guest
 ## via localhost on the host.
 ## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
 #  network:
 #    - ["forwarded_port", {guest: 80, host: 8080}]
 provisioner:
  name: chef_zero
  ## product_name and product_version specifies a specific Chef product and version to install.
  ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
  #  product_name: chef
  #  product_version: 17
 verifier:
  name: inspec
 platforms:
  - name: ubuntu-20.04
  - name: centos-8
 suites:
  - name: default
    verifier:
      inspec_tests:
        - test/integration/default
--- a/site-cookbooks/kosmos_akaunting/metadata.rb
+++ b/site-cookbooks/kosmos_akaunting/metadata.rb
@ -0,0 +1,9 @@
 name 'kosmos_akaunting'
 maintainer 'Kosmos Developers'
 maintainer_email 'mail@kosmos.org'
 license 'MIT'
 description 'Installs/configures akaunting for Kosmos'
 version '0.1.0'
 chef_version '>= 18.0'
 depends 'kosmos-nodejs'
--- a/site-cookbooks/kosmos_akaunting/recipes/default.rb
+++ b/site-cookbooks/kosmos_akaunting/recipes/default.rb
@ -0,0 +1,148 @@
 #
 # Cookbook:: kosmos_akaunting
 # Recipe:: default
 #
 app_name     = "akaunting"
 deploy_user  = node["akaunting"]["user"]
 deploy_group = node["akaunting"]["group"]
 deploy_path  = "/opt/#{app_name}"
 credentials  = data_bag_item("credentials", "akaunting")
 pg_host      = search(:node, "role:postgresql_primary").first["knife_zero"]["host"] rescue "localhost"
 env = {
  app_name: "Akaunting",
  app_env: "production",
  app_locale: "en-US",
  app_installed: "true",
  app_key: credentials["app_key"],
  app_debug: "true",
  app_schedule_time: "\"09:00\"",
  app_url: "http://akaunting.kosmos.org",
  db_connection: "pgsql",
  db_host: pg_host,
  db_port: "5432",
  db_database: credentials["pg_database"],
  db_username: credentials["pg_username"],
  db_password: credentials["pg_password"],
  log_level: "debug"
  # mail_mailer: "mail",
  # mail_host: "localhost",
  # mail_port: "2525",
  # mail_username: "null",
  # mail_password: "null",
  # mail_encryption: "null",
  # mail_from_name: "null",
  # mail_from_address: "null",
 }
 %w[
  unzip nginx php8.1 php8.1-cli php8.1-bcmath php8.1-ctype php8.1-curl
  php8.1-dom php8.1-fileinfo php8.1-intl php8.1-fpm php8.1-gd php8.1-mbstring
  php8.1-pdo php8.1-pgsql php8.1-tokenizer php8.1-xml php8.1-zip
 ].each do |pkg|
  package pkg
 end
 # TODO install composer
 node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
 include_recipe "kosmos-nodejs"
 group deploy_group
 user deploy_user do
  group       deploy_group
  manage_home true
  shell       "/bin/bash"
 end
 directory deploy_path do
  owner deploy_user
  group deploy_group
  mode "0775"
 end
 git deploy_path do
  repository node[app_name]["repo"]
  revision node[app_name]["revision"]
  user deploy_user
  group deploy_group
  action :sync
  notifies :run, "execute[composer_install]", :immediately
  notifies :run, "execute[npm_install]", :immediately
  notifies :restart, "service[php8.1-fpm]", :delayed
 end
 execute "composer_install" do
  user deploy_user
  cwd deploy_path
  command "composer install"
  action :nothing
 end
 execute "npm_install" do
  user deploy_user
  cwd deploy_path
  command "npm install"
  action :nothing
  notifies :run, "execute[compile_assets]", :immediately
 end
 execute "compile_assets" do
  user deploy_user
  cwd deploy_path
  command "npm run prod"
  action :nothing
 end
 execute "set_storage_permissions" do
  command "chown -R www-data:www-data #{deploy_path}/storage"
 end
 template "#{deploy_path}/.env" do
  source 'env.erb'
  owner deploy_user
  group deploy_group
  mode 0660
  sensitive true
  variables config: env
  notifies :restart, "service[php8.1-fpm]", :delayed
 end
 template "/etc/nginx/sites-available/default" do
  source 'nginx-local.conf.erb'
  owner deploy_user
  group deploy_group
  mode 0660
  variables deploy_path: deploy_path,
            port: node["akaunting"]["port"]
  notifies :restart, "service[nginx]", :delayed
 end
 # template "/etc/php/8.1/fpm/pool.d/akaunting.conf" do
 #   source 'php-fpm.pool.erb'
 #   owner deploy_user
 #   group deploy_group
 #   mode 0600
 #   variables user: deploy_user,
 #             group: deploy_group,
 #             chdir: deploy_path,
 #             port: node["akaunting"]["port"]
 #   notifies :restart, "service[php8.1-fpm]", :delayed
 # end
 service "php8.1-fpm" do
  action [:enable, :start]
 end
 service "nginx" do
  action [:enable, :start]
 end
 firewall_rule "akaunting_zerotier" do
  command  :allow
  port     node["akaunting"]["port"]
  protocol :tcp
  source   "10.1.1.0/24"
 end
--- a/site-cookbooks/kosmos_akaunting/recipes/pg_db.rb
+++ b/site-cookbooks/kosmos_akaunting/recipes/pg_db.rb
@ -0,0 +1,16 @@
 #
 # Cookbook:: kosmos_akaunting
 # Recipe:: pg_db
 #
 credentials = data_bag_item("credentials", "akaunting")
 postgresql_user credentials["pg_username"] do
  action :create
  password credentials["pg_password"]
 end
 postgresql_database credentials["pg_database"] do
  owner credentials["pg_username"]
  action :create
 end
--- a/site-cookbooks/kosmos_akaunting/templates/env.erb
+++ b/site-cookbooks/kosmos_akaunting/templates/env.erb
@ -0,0 +1,11 @@
 <% @config.each do |key, value| %>
 <% if value.is_a?(Hash) %>
 <% value.each do |k, v| %>
 <%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
 <% end %>
 <% else %>
 <% if value %>
 <%= key.upcase %>=<%= value.to_s %>
 <% end %>
 <% end %>
 <% end %>
--- a/site-cookbooks/kosmos_akaunting/templates/nginx-local.conf.erb
+++ b/site-cookbooks/kosmos_akaunting/templates/nginx-local.conf.erb
@ -0,0 +1,49 @@
 server {
  listen 80 default_server;
  server_name akaunting.kosmos.org;
  root <%= @deploy_path %>;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options "nosniff";
  index index.html index.htm index.php;
  charset utf-8;
  location / {
    try_files $uri $uri/ /index.php?$query_string;
  }
  # Prevent Direct Access To Protected Files
  location ~ \.(env|log) {
    deny all;
  }
  # Prevent Direct Access To Protected Folders
  location ~ ^/(^app$|bootstrap|config|database|overrides|resources|routes|storage|tests|artisan) {
    deny all;
  }
  # Prevent Direct Access To modules/vendor Folders Except Assets
  location ~ ^/(modules|vendor)\/(.*)\.((?!ico|gif|jpg|jpeg|png|js\b|css|less|sass|font|woff|woff2|eot|ttf|svg|xls|xlsx).)*$ {
    deny all;
  }
  error_page 404 /index.php;
  # Pass PHP Scripts To FastCGI Server
  location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php8.1-fpm.sock; # Depends On The PHP Version
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }
  location ~ /\.(?!well-known).* {
    deny all;
  }
 }
--- a/site-cookbooks/kosmos_akaunting/templates/php-fpm.pool.erb
+++ b/site-cookbooks/kosmos_akaunting/templates/php-fpm.pool.erb
@ -0,0 +1,18 @@
 [akaunting]
 user = <%= @user %>
 group = <%= @group %>
 listen = 0.0.0.0:<%= @port %>
 listen.owner = <%= @user %>
 listen.group = <%= @group %>
 listen.mode = 0660
 pm = dynamic
 pm.max_children = 10
 pm.start_servers = 4
 pm.min_spare_servers = 2
 pm.max_spare_servers = 6
 pm.max_requests = 500
 chdir = <%= @chdir %>
 catch_workers_output = yes
 php_admin_flag[log_errors] = on
--- a/site-cookbooks/kosmos_akaunting/test/integration/default/default_test.rb
+++ b/site-cookbooks/kosmos_akaunting/test/integration/default/default_test.rb
@ -0,0 +1,16 @@
 # Chef InSpec test for recipe kosmos_akaunting::default
 # The Chef InSpec reference, with examples and extensive documentation, can be
 # found at https://docs.chef.io/inspec/resources/
 unless os.windows?
  # This is an example test, replace with your own test.
  describe user('root'), :skip do
    it { should exist }
  end
 end
 # This is an example test, replace it with your own test.
 describe port(80), :skip do
  it { should_not be_listening }
 end
--- a/site-cookbooks/kosmos_drone/recipes/default.rb
+++ b/site-cookbooks/kosmos_drone/recipes/default.rb
@ -26,7 +26,7 @@ template "#{deploy_path}/docker-compose.yml" do
  mode 0640
  variables domain: node["kosmos_drone"]["domain"],
            upstream_port: node["kosmos_drone"]["upstream_port"],
-            gitea_server: "https://#{node["gitea"]["domain"]}",
+            gitea_server: "https://#{node["kosmos_gitea"]["nginx"]["domain"]}",
            client_id: credentials['client_id'],
            client_secret: credentials['client_secret'],
            rpc_secret: credentials['rpc_secret'],
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@ -1,21 +1,13 @@
-node.default["gitea"]["version"] = "1.23.8"
+node.default["gitea"]["version"] = "1.22.5"
-node.default["gitea"]["checksum"] = "827037e7ca940866918abc62a7488736923396c467fcb4acd0dd9829bb6a6f4c"
+node.default["gitea"]["checksum"] = "ce2c7e4fff3c1e3ed59f5b5e00e3f2d301f012c34e329fccd564bc5129075460"
 node.default["gitea"]["repo"] = nil
 node.default["gitea"]["revision"] = nil
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
 node.default["gitea"]["domain"] = "gitea.kosmos.org"
 node.default["gitea"]["config"] = {
  "log": {
    "level" => "Info",
    "logger.router.MODE" => "",
    "logger.xorm.MODE" => "",
    "logger.access.MODE" => ""
  },
  "actions": {
-    "enabled" => true
+    "enabled": true
  },
  "webhook":  {
    "allowed_host_list" => "external,127.0.1.1"
--- a/site-cookbooks/kosmos_gitea/metadata.rb
+++ b/site-cookbooks/kosmos_gitea/metadata.rb
@ -10,8 +10,5 @@ chef_version '>= 14.0'
 depends "firewall"
 depends "kosmos_openresty"
 depends "kosmos_postgresql"
 depends "kosmos-dirsrv"
 depends 'kosmos-nodejs'
 depends 'git'
 depends 'golang'
 depends "backup"
 depends "kosmos-dirsrv"
--- a/site-cookbooks/kosmos_gitea/recipes/compile_from_source.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/compile_from_source.rb
@ -1,42 +0,0 @@
 #
 # Cookbook:: kosmos_gitea
 # Recipe:: compile_from_source
 #
 # Compiles/installs Gitea from source
 #
 include_recipe "git"
 node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
 include_recipe 'kosmos-nodejs'
 node.override["golang"]["version"] = "1.23.9"
 include_recipe "golang"
 link "/usr/local/bin/go" do
  to "/usr/local/go/bin/go"
 end
 source_dir = "/opt/gitea"
 git source_dir do
  repository node["gitea"]["repo"]
  revision node["gitea"]["revision"]
  action :sync
  notifies :run, "execute[npm_install]", :immediately
 end
 execute "npm_install" do
  cwd source_dir
  command "npm ci"
  action :nothing
  notifies :run, "bash[compile_gitea]", :immediately
 end
 bash "compile_gitea" do
  cwd source_dir
  environment "TAGS" => "bindata"
  code "make build"
  action :nothing
  notifies :restart, "service[gitea]", :delayed
 end
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@ -5,12 +5,11 @@
 version                   = node["gitea"]["version"]
 download_url              = "https://dl.gitea.io/gitea/#{version}/gitea-#{version}-linux-amd64"
 compile_from_source       = node["gitea"]["repo"] && node["gitea"]["revision"]
 working_directory         = node["gitea"]["working_directory"]
 git_home_directory        = "/home/git"
 repository_root_directory = "#{git_home_directory}/gitea-repositories"
 config_directory          = "/etc/gitea"
-gitea_binary_path         = compile_from_source ? "/opt/gitea/gitea" : "/usr/local/bin/gitea"
+gitea_binary_path         = "/usr/local/bin/gitea"
 gitea_data_bag_item       = data_bag_item("credentials", "gitea")
 smtp_credentials          = data_bag_item("credentials", "smtp")
 smtp_addr                 = smtp_credentials["relayhost"].split(":")[0]
@ -19,6 +18,7 @@ jwt_secret                = gitea_data_bag_item["jwt_secret"]
 internal_token            = gitea_data_bag_item["internal_token"]
 secret_key                = gitea_data_bag_item["secret_key"]
 # Dependency
 package "git"
 user "git" do
@ -108,15 +108,11 @@ template "#{config_directory}/app.ini" do
  notifies :restart, "service[gitea]", :delayed
 end
-if compile_from_source
+remote_file gitea_binary_path do
-  include_recipe "kosmos_gitea::compile_from_source"
+  source download_url
-else
+  checksum node['gitea']['checksum']
-  remote_file gitea_binary_path do
+  mode "0755"
-    source download_url
+  notifies :restart, "service[gitea]", :delayed
    checksum node['gitea']['checksum']
    mode "0755"
    notifies :restart, "service[gitea]", :delayed
  end
 end
 execute "systemctl daemon-reload" do
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@ -24,11 +24,9 @@ NAME    = gitea
 USER    = gitea
 PASSWD  = <%= @postgresql_password %>
 SSL_MODE = disable
 MAX_OPEN_CONNS = 20
 [repository]
 ROOT = <%= @repository_root_directory %>
 DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
 # [indexer]
 # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
@ -74,11 +72,8 @@ ENABLE_OPENID_SIGNIN = false
 ENABLE_OPENID_SIGNUP = false
 [log]
-MODE = console
+MODE      = console
-LEVEL = <%= @config["log"]["level"] %>
+LEVEL     = Debug
 logger.router.MODE = <%= @config["log"]["logger.router.MODE"] %>
 logger.xorm.MODE = <%= @config["log"]["logger.xorm.MODE"] %>
 logger.access.MODE = <%= @config["log"]["logger.access.MODE"] %>
 [attachment]
 ENABLED = true
--- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
@ -16,7 +16,7 @@ server {
  add_header Strict-Transport-Security "max-age=31536000";
-  client_max_body_size 121M;
+  client_max_body_size 20M;
  location ~ ^/(avatars|repo-avatars)/.*$ {
    proxy_buffers 1024 8k;
--- a/site-cookbooks/kosmos_rsk/attributes/default.rb
+++ b/site-cookbooks/kosmos_rsk/attributes/default.rb
@ -1,4 +1,4 @@
-node.default['rskj']['version'] = '7.0.0~jammy'
+node.default['rskj']['version'] = '5.3.0~jammy'
 node.default['rskj']['network'] = 'testnet'
 node.default['rskj']['nginx']['domain'] = nil
--- a/site-cookbooks/kosmos_rsk/recipes/rskj.rb
+++ b/site-cookbooks/kosmos_rsk/recipes/rskj.rb
@ -19,8 +19,6 @@ apt_repository 'rskj' do
  key '5EED9995C84A49BC02D4F507DF10691F518C7BEA'
 end
 apt_package 'openjdk-17-jdk'
 apt_package 'rskj' do
  response_file 'rskj-preseed.cfg.erb'
  response_file_variables network: node['rskj']['network']
--- a/site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb
+++ b/site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb
@ -9,7 +9,7 @@ end
 describe package('rskj') do
  it { should be_installed }
-  its('version') { should eq '7.0.0~jammy' }
+  its('version') { should eq '5.3.0~jammy' }
 end
 describe service('rsk') do
--- a/site-cookbooks/kosmos_strfry/attributes/default.rb
+++ b/site-cookbooks/kosmos_strfry/attributes/default.rb
@ -1,10 +1,2 @@
 node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 node.default["strfry"]["extras_dir"] = "/opt/strfry"
 # node.default["substr"]["repo"] = "https://gitea.kosmos.org/kosmos/substr.git"
 # node.default["substr"]["revision"] = "master"
 node.default["substr"]["version"] = "nightly"
 node.default["substr"]["download_url"] = "https://gitea.kosmos.org/api/packages/kosmos/generic/substr/#{node["substr"]["version"]}/substr_x86_64-unknown-linux-gnu"
 node.default["substr"]["workdir"] = "/opt/substr"
 node.default["substr"]["port"] = 30023
 node.default["substr"]["relay_urls"] = ["ws://localhost:7777"]
--- a/site-cookbooks/kosmos_strfry/recipes/policies.rb
+++ b/site-cookbooks/kosmos_strfry/recipes/policies.rb
@ -24,7 +24,7 @@ env = {
  ldap_bind_dn: ldap_credentials["service_dn"],
  ldap_password: ldap_credentials["service_password"],
  ldap_search_dn: node["strfry"]["ldap_search_dn"],
-  whitelist_pubkeys: node["strfry"]["known_pubkeys"].values.join(",")
+  whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
 }
 template "#{extras_dir}/.env" do
--- a/site-cookbooks/kosmos_strfry/recipes/substr.rb
+++ b/site-cookbooks/kosmos_strfry/recipes/substr.rb
@ -1,100 +0,0 @@
 #
 # Cookbook:: kosmos_strfry
 # Recipe:: substr
 #
 unless platform?("ubuntu")
  raise "This recipe only supports Ubuntu installs at the moment"
 end
 apt_package "imagemagick"
 directory node["substr"]["workdir"] do
  owner node["strfry"]["user"]
  group node["strfry"]["group"]
  mode "0755"
 end
 if node["substr"]["download_url"]
  remote_file '/usr/local/bin/substr' do
    source node["substr"]["download_url"]
    checksum node["substr"]["checksum"]
    mode '0755'
    show_progress true
    notifies :restart, "service[substr]", :delayed
  end
  exec_start = "/usr/local/bin/substr"
 else
  # TODO Install Deno 2
  git node["substr"]["workdir"] do
    user node["strfry"]["user"]
    group node["strfry"]["group"]
    repository node['substr']['repo']
    revision node['substr']['revision']
    action :sync
    notifies :restart, "service[substr]", :delayed
  end
  exec_start = "deno task server"
 end
 file "#{node["substr"]["workdir"]}/users.yaml" do
  mode "0644"
  owner node["strfry"]["user"]
  group node["strfry"]["group"]
  content node["strfry"]["known_pubkeys"].to_yaml
  notifies :restart, "service[substr]", :delayed
 end
 ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
 env = {
  port: node['substr']['port'],
  base_url: "https://#{node["strfry"]["domain"]}",
  relay_urls: node['substr']['relay_urls'].join(","),
  ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
  ldap_bind_dn: ldap_credentials["service_dn"],
  ldap_password: ldap_credentials["service_password"],
  ldap_search_dn: node["strfry"]["ldap_search_dn"],
 }
 template "#{node["substr"]["workdir"]}/.env" do
  source 'env.erb'
  owner node["strfry"]["user"]
  group node["strfry"]["group"]
  mode 0600
  sensitive true
  variables config: env
  notifies :restart, "service[substr]", :delayed
 end
 systemd_unit "substr.service" do
  content({
    Unit: {
      Description: "substr for nostr",
      Documentation: ["https://gitea.kosmos.org/kosmos/substr"],
    },
    Service: {
      Type: "simple",
      User: node["strfry"]["user"],
      WorkingDirectory: node["substr"]["workdir"],
      ExecStart: exec_start,
      Restart: "on-failure",
      RestartSec: "5",
      ProtectHome: "no",
      NoNewPrivileges: "yes",
      ProtectSystem: "full"
    },
    Install: {
      WantedBy: "multi-user.target"
    }
  })
  triggers_reload true
  action :create
 end
 service "substr" do
  action [:enable, :start]
 end
--- a/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
+++ b/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
@ -4,12 +4,6 @@ upstream _strfry {
 <% end %>
 }
 upstream _substr {
 <% @upstream_hosts.each do |host| %>
  server <%= host %>:30023;
 <% end %>
 }
 server {
  server_name <%= @domain %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
@ -21,16 +15,6 @@ server {
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
  location = /favicon.ico {
    alias /var/www/assets.kosmos.org/site/img/favicon.ico;
  }
  location ~* ^/[@~n]|^/assets {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://_substr;
  }
  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
@ -29,15 +29,11 @@ server {
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
  location /.well-known/host-meta.json {
    add_header 'Access-Control-Allow-Origin' '*';
  }
 <% if @accounts_url %>
  location ~ ^/.well-known/(keysend|lnurlp|nostr|openpgpkey|webfinger) {
    proxy_ssl_server_name on;
    proxy_set_header X-Forwarded-Host $host;
-    proxy_pass <%= @accounts_url %>;
+    proxy_pass https://accounts.kosmos.org;
  }
 <% end %>
 }
--- a/site-cookbooks/strfry
+++ b/site-cookbooks/strfry
@ -1 +1 @@
-Subproject commit 2c6e64d2311d2a50b207f4d970c3a951b73d2a5c
+Subproject commit 8df7c00a147873f5c0ac81dabc993ed25981c544
		`@ -1 +1 @@`
			`Subproject commit 92839b20a4c3b0a15b99bd86ea7cae16645570a6`				`Subproject commit 617f7959abda045326c8f06f1c1bcedbaa7c7285`
		`@ -1,2 +0,0 @@`
			`node.default["kosmos-base"]["journald"]["system_max_use"] = "256M"`
			`node.default["kosmos-base"]["journald"]["max_retention_sec"] = "7d"`
		`@ -0,0 +1,4 @@`
							`# kosmos_akaunting`

							`TODO: Enter the cookbook description here.`
		`@ -1 +1 @@`
			`Subproject commit 2c6e64d2311d2a50b207f4d970c3a951b73d2a5c`				`Subproject commit 8df7c00a147873f5c0ac81dabc993ed25981c544`