Use Ubuntu 22.04 for new VMs

Also, remove the custom config image generation and replace it with `--cloud-init` options.
2024-06-07 20:53:20 +02:00
129 changed files with 568 additions and 1564 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -4,9 +4,3 @@
 [submodule "site-cookbooks/openresty"]
 	path = site-cookbooks/openresty
 	url = https://github.com/67P/chef-openresty.git
 [submodule "site-cookbooks/strfry"]
 	path = site-cookbooks/strfry
 	url = git@gitea.kosmos.org:kosmos/strfry-cookbook.git
 [submodule "site-cookbooks/deno"]
 	path = site-cookbooks/deno
 	url = git@gitea.kosmos.org:kosmos/deno-cookbook.git
--- a/4
+++ b/4
@ -13,9 +13,6 @@ cookbook 'ipfs',
 cookbook 'mediawiki',
  git: 'https://github.com/67P/mediawiki-cookbook.git',
  ref: 'nginx'
 cookbook 'postfix',
  git: 'https://gitea.kosmos.org/kosmos/postfix-cookbook.git',
  ref: 'bugfix/sasl_attributes'
 cookbook 'apache2',                '= 3.3.0'
 cookbook 'apt',                    '~> 7.3.0'
@ -35,6 +32,7 @@ cookbook 'ntp',                    '= 3.4.0'
 cookbook 'ohai',                   '~> 5.2.5'
 cookbook 'openssl',                '~> 8.5.5'
 cookbook 'php',                    '~> 8.0.0'
 cookbook 'postfix',                '~> 6.0.26'
 cookbook 'timezone_iii',           '= 1.0.4'
 cookbook 'ulimit',                 '~> 1.0.0'
 cookbook 'users',                  '~> 5.3.1'
--- a/Berksfile.lock
+++ b/Berksfile.lock
@ -28,10 +28,7 @@ DEPENDENCIES
  ohai (~> 5.2.5)
  openssl (~> 8.5.5)
  php (~> 8.0.0)
-  postfix
+  postfix (~> 6.0.26)
    git: https://gitea.kosmos.org/kosmos/postfix-cookbook.git
    revision: dd6598572a775ae73f17527260ec8097b52d385b
    ref: bugfix/
  redisio (~> 6.4.1)
  ruby_build (~> 2.5.0)
  timezone_iii (= 1.0.4)
@ -93,7 +90,7 @@ GRAPH
  openssl (8.5.5)
  php (8.0.1)
    yum-epel (>= 0.0.0)
-  postfix (6.4.1)
+  postfix (6.0.26)
  redisio (6.4.1)
    selinux (>= 0.0.0)
  ruby_build (2.5.0)
--- a/README.md
+++ b/README.md
@ -38,10 +38,6 @@ Clone this repository, `cd` into it, and run:
    knife zero bootstrap ubuntu@zerotier-ip-address -x ubuntu --sudo --run-list "role[base],role[kvm_guest]" --secret-file .chef/encrypted_data_bag_secret
 ### Bootstrap a new VM with environment and role/app (postgres replica as example)
    knife zero bootstrap ubuntu@10.1.1.134 -x ubuntu --sudo --environment production --run-list "role[base],role[kvm_guest],role[postgresql_replica]" --secret-file .chef/encrypted_data_bag_secret
 ### Run Chef Zero on a host server
    knife zero converge -p2222 name:server-name.kosmos.org
--- a/clients/garage-10.json
+++ b/clients/garage-10.json
@ -1,4 +0,0 @@
 {
  "name": "garage-10",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw2+3Wo+KkXVJCOX1SxT9\nSdwKXgPbCDM3EI9uwoxhMxQfRyN53dxIsBDsQUVOIe1Z8yqm4FenMQlNmeDR+QLE\nvNFf1fisinW+D9VVRm+CjcJy96i/Dyt786Z6YRrDlB860HxCbfTL2Zv5BRtbyIKg\nhz5gO+9PMEpPVR2ij9iue4K6jbM1AAL2ia/P6zDWLJqeIzUocCeHV5N0Z3jXH6qr\nf444v78x35MMJ+3tg5h95SU1/PDCpdSTct4uHEuKIosiN7p4DlYMoM5iSyvVoujr\nflRQPEpGzS9qEt3rDo/F4ltzYMx6bf1tB/0QaBKD+zwPZWTTwf61tSBo5/NkGvJc\nFQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-11.json
+++ b/clients/garage-11.json
@ -1,4 +0,0 @@
 {
  "name": "garage-11",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfZcNEQojtmaogd9vGP/\nMsVPhAOlQ4kxKgrUas+p+XT7lXRan6b3M8UZEleIaL1HWsjSVwtFWRnNl8kg8rF8\nNEkLeOX8kHf7IoXDFOQa2TXanY8tSqrfh9/heFunt4Q3DluVt7S3bBdwukbDXm/n\nXJS2EQP33eJT4reL6FpVR0oVlFCzI3Vmf7ieSHIBXrbXy7AIvGC2+NVXvQle6pqp\nx0rqU6Wc6ef/VtIv+vK3YFnt9ue3tC63mexyeNKgRYf1YjDx61wo2bOY2t8rqN8y\nHeZ3dmAN8/Vwjk5VGnZqK7kRQ92G4IcE+mEp7MuwXcLqQ9WB960o+evay+o1R5JS\nhwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-4.json
+++ b/clients/garage-4.json
@ -0,0 +1,4 @@
 {
  "name": "garage-4",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8it7QtT6zDiJJqlyHKfQ\nLqwu6bLblD15WWxlUSiOdhz3njWDv1BIDCAdkCR3HAXgxvk8sMj9QkvWS7u1+bc4\nxvHrY4Tgfg+Tk1h3gGa7ukll8s1WLIbGjj89vrK8PFr4iuDqRytYRMmcdMsNzPkS\nKcsOjFYWGV7KM/OwoQGVIOUPB+WtkrFAvNkXtIU6Wd5orzFMjt/9DPF2aO7QegL8\nG1mQmXcPGl9NSDUXptn/kzFKm/p4n7pjy6OypFT192ak7OA/s+CvQlaVE2tb/M3c\ne4J6A+PInV5AGKY6BxI3QRQLZIlqE0FXawFKr1iRU4JP4tVnICXZqy+SDXQU1zar\nTQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-5.json
+++ b/clients/garage-5.json
@ -0,0 +1,4 @@
 {
  "name": "garage-5",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJxLFOBbml94W/GAe7nm\ntZs1Ziy8IbqXySsm8bSwWhRMQ8UuseqQLG30R3Q5X5AoJbtNfd26l63qLtP2fFtL\n5km9dV+2FoIJWFetl8Wzr7CaLYAiNzTQSFHlV7+6DKmPMDcJ63GKrFR77vkSGOG6\nOWL1bJy5BOaClp/sKL/0WQ0+mRbTP6RCQ2eI+46clAg702SenBU6Nz9HDm+teKN7\nYlP1CvzXgfgfpDOsat7wGn5+oKcmKavZxcdn8bt5jRpg8v3JezaZIjMXt7XcNS4n\n0F4XO/efnZE5B5SN68j4BpD8N79zJw4HlRIGP+RaYv2qLtBeWgLHCCs9wXQXfj6b\nLwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-6.json
+++ b/clients/garage-6.json
@ -0,0 +1,4 @@
 {
  "name": "garage-6",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwasYgWLM8ShvirFiKRE6\nGWqc3pMlvcrk4YnWAUW5Y/H26EnyexxWNfnwlEcq8thJ3M3hs7zkoF3Yk4uqX869\n4/niYqXwYgeE1K3gzLp4K1+w3yVupYAFVFStVEHJyuMlLJ+ulDEGvNdQDuIfw7+E\nr6DcDLa1o92Eo0wL1ihYyMilduH0LdFTixL+tEBXbbPWBa3RDJJCFsRF1+UC6hAH\nzmaWL661Gdzdabxjm/FlGUYkdbDqeInZq/1GMQqv+9/DcNRkWA9H7i4Ykrfpx4/2\nRZ8xtx/DbnJVB1zYoORygFMMAkTu5E+R8ropeI7Wi77Yq0S7laiRlYQYQml3x9ak\nzQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/garage-9.json
+++ b/clients/garage-9.json
@ -1,4 +0,0 @@
 {
  "name": "garage-9",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnMHzKE8JBrsQkmRDeMjX\n71mBzvRzNM90cwA8xtvIkXesdTyGqohX9k/PJbCY5ySGK9PpMaYDPVAnwnUP8LFQ\n3G98aSbLxUjqU/PBzRsnWpihehr05uz9zYcNFzr4LTNvGQZsq47nN9Tk+LG3zHP7\nAZViv2mJ4ZRnukXf6KHlyoVvhuTu+tiBM8QzjTF97iP/aguNPzYHmrecy9Uf5bSA\nZrbNZT+ayxtgswC2OclhRucx7XLSuHXtpwFqsQzSAhiX1aQ3wwCyH9WJtVwpfUsE\nlxTjcQiSM9aPZ8iSC0shpBaKD1j3iF/2K2Jk+88++zMhJJPLermvaJxzsdePgvyk\nKQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-5.json
+++ b/clients/postgres-5.json
@ -0,0 +1,4 @@
 {
  "name": "postgres-5",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXZv6Gk+dhIVkTXH9hJ1\nt2oqsMSLmTUj71uPN+4j0rxCQriXa095Nle9ifJAxfwzQyKEpWKyZd1Hpyye6bL1\nwgWATZ/u5ZS4B63NhRFyDxgPlHWBBohaZBN42zeq0Y0PNGHPVGDH/zFDrpP22Q9Q\nYScsyXTauE/Yf8a/rKR5jdnoVsVVMxk0LHxka8FcM2cqVsDAcK7GqIG6epqNFY8P\nUb1P+mVxRwnkzvf1VtG212ezV/yw9uiQcUkHS+JwZMAgbC34k9iDyRmk6l4sj/Zk\nNem20ImMqdDzsrX8zEe21K+KNvpejPH9fxaNCwR8W+woBMMzqD3I7P9PbLjc70Rx\nRwIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-7.json
+++ b/clients/postgres-7.json
@ -1,4 +0,0 @@
 {
  "name": "postgres-7",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/postgres-8.json
+++ b/clients/postgres-8.json
@ -1,4 +0,0 @@
 {
  "name": "postgres-8",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx88DgM/x1UbKRzgPexXE\nSyfrAsqaDVjqZz7yF3tqAc9A52Ol0KOM6NESoPWBVMbS86WtAjBcMHcOoQBJ+ovp\nXcjNlRtO1Il6/d4uCRr4CEDX+yeS0Qrt0SOORnoTbVlkq9VlVljyCmxk8VBCILzk\ndHvFr62mahMy6vOEcpCQgCwYE3ISH2jlTDz2agoK/CjIyyqFTlB1N7mJVGLrJdcA\nA2JOxDRE8HqOdpY7bHcHj4uyMWaKuM3zxXK04lhrvuPRfJUhXgsK9r5jeTEa8407\nqV9K+mB17R1dBeHmWEPDRt02HELe2SUjYmlmyVX73H2mWKDLBFpAFjOfz86CJ6jf\nDQIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/clients/strfry-1.json
+++ b/clients/strfry-1.json
@ -1,4 +0,0 @@
 {
  "name": "strfry-1",
  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDV/RMGMXVDbvoA6PNh8\nQzhtHwYDCFcUSkbrwP6tzh6GpVunGEOdOdhj2V63T2tF1H+lujxQXh5pK7C0D6VZ\niO04ftJlo7/svyxUcwWr+znyN5sFdQRh3cBZiGSBYolizwoqgtPFlbNhmWAzV0Du\n9t8mhz70IK3B+UdwWyHtoK0NNsJGnQ9YzAvcjyDmEO/3sCjAhNnxVpmXftpcSmd9\nMonzFtIDBbRRll4AHZYRbmXCzx63+VmelvdnufnbY82liol0zzBwJaBD1wyNlG0y\ni96p3Kx03bLNlIaYVGbjZeJi+6oo2VDWJ4OloLLAYoHDSipeHT9qWfUdnE6ge4Lm\nywIDAQAB\n-----END PUBLIC KEY-----\n"
 }
--- a/cookbooks/postfix/.markdownlint-cli2.yaml
+++ b/cookbooks/postfix/.markdownlint-cli2.yaml
@ -3,5 +3,3 @@ config:
  line-length: false # MD013
  no-duplicate-heading: false # MD024
  reference-links-images: false # MD052
 ignores:
  - .github/copilot-instructions.md
--- a/cookbooks/postfix/.vscode/extensions.json
+++ b/cookbooks/postfix/.vscode/extensions.json
@ -1,8 +0,0 @@
 {
  "recommendations": [
    "chef-software.chef",
    "Shopify.ruby-lsp",
    "editorconfig.editorconfig",
    "DavidAnson.vscode-markdownlint"
  ]
 }
--- a/cookbooks/postfix/CHANGELOG.md
+++ b/cookbooks/postfix/CHANGELOG.md
@ -2,48 +2,9 @@
 This file is used to list changes made in each version of the postfix cookbook.
 ## Unreleased
 ## 6.4.1 - *2025-09-04*
 ## 6.4.0 - *2025-07-30* ## 6.4.0 - *2025-07-30*
 Standardise files with files in sous-chefs/repo-management
 ## 6.4.0 - *2025-07-30*
 ## 6.3.0 - *2025-07-30*
 - Use LMDB instead of hash on el10
 ## 6.3.0 - *2025-07-30*
 ## 6.2.2 - *2025-01-30*
 ## 6.2.1 - *2025-01-30*
 ## 6.2.0 - *2025-01-30*
 ## 6.2.0
 - Correctly fix aliases quoting logic
 - Convert all serverspec tests to inspec
 - Add Github actions
 - Update platforms to test
 ## 6.0.29 - *2024-11-18*
 - Standardise files with files in sous-chefs/repo-management
 ## 6.0.28 - *2024-07-15*
 - Standardise files with files in sous-chefs/repo-management
 ## 6.0.27 - *2024-05-06*
 ## 6.0.26 - *2023-10-03*
- Add installation of postfix addon packages for RHEL 8
+- add installation of postfix addon packages for RHEL 8
 ## 6.0.25 - *2023-10-03*
--- a/cookbooks/postfix/attributes/default.rb
+++ b/cookbooks/postfix/attributes/default.rb
@ -13,10 +13,9 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-default['postfix']['packages'] = value_for_platform(
+
-  amazon: { '>= 2023' => %w(postfix postfix-lmdb) },
+default['postfix']['packages'] = %w(postfix)
-  default: %w(postfix)
+
 )
 # Generic cookbook attributes
 default['postfix']['mail_type'] = 'client'
 default['postfix']['relayhost_role'] = 'relayhost'
@ -38,19 +37,11 @@ default['postfix']['master_template_source'] = 'postfix'
 default['postfix']['sender_canonical_map_entries'] = {}
 default['postfix']['smtp_generic_map_entries'] = {}
 default['postfix']['recipient_canonical_map_entries'] = {}
-
+default['postfix']['access_db_type'] = 'hash'
-default['postfix']['db_type'] = value_for_platform(
+default['postfix']['aliases_db_type'] = 'hash'
-  %w(centos redhat almalinux rocky oracle) => { '>= 10' => 'lmdb' },
+default['postfix']['transport_db_type'] = 'hash'
-  amazon: { '>= 2023' => 'lmdb' },
+default['postfix']['virtual_alias_db_type'] = 'hash'
-  %w(opensuseleap suse) => { '>= 15' => 'lmdb' },
+default['postfix']['virtual_alias_domains_db_type'] = 'hash'
  default: 'hash'
 )
 default['postfix']['access_db_type'] = lazy { node['postfix']['db_type'] }
 default['postfix']['aliases_db_type'] = lazy { node['postfix']['db_type'] }
 default['postfix']['transport_db_type'] = lazy { node['postfix']['db_type'] }
 default['postfix']['virtual_alias_db_type'] = lazy { node['postfix']['db_type'] }
 default['postfix']['virtual_alias_domains_db_type'] = lazy { node['postfix']['db_type'] }
 case node['platform']
 when 'smartos'
@ -105,9 +96,6 @@ default['postfix']['main']['smtp_sasl_auth_enable'] = 'no'
 default['postfix']['main']['mailbox_size_limit'] = 0
 default['postfix']['main']['mynetworks'] = nil
 default['postfix']['main']['inet_interfaces'] = 'loopback-only'
 default['postfix']['main']['default_database_type'] = lazy { node['postfix']['db_type'] }
 default['postfix']['main']['alias_database'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}" }
 default['postfix']['main']['alias_maps'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}" }
 # Conditional attributes, also reference _attributes recipe
 case node['platform_family']
@ -419,4 +407,4 @@ default['postfix']['aliases'] = if platform?('freebsd')
                                  {}
                                end
-default['postfix']['main']['smtpd_relay_restrictions'] = lazy { "#{node['postfix']['db_type']}:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps'] }
+default['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
--- a/cookbooks/postfix/metadata.json
+++ b/cookbooks/postfix/metadata.json
@ -26,7 +26,7 @@
  "recipes": {
  },
-  "version": "6.4.1",
+  "version": "6.0.26",
  "source_url": "https://github.com/sous-chefs/postfix",
  "issues_url": "https://github.com/sous-chefs/postfix/issues",
  "privacy": false,
--- a/cookbooks/postfix/metadata.rb
+++ b/cookbooks/postfix/metadata.rb
@ -3,7 +3,7 @@ maintainer        'Sous Chefs'
 maintainer_email  'help@sous-chefs.org'
 license           'Apache-2.0'
 description       'Installs and configures postfix for client or outbound relayhost, or to do SASL auth'
-version           '6.4.1'
+version           '6.0.26'
 source_url        'https://github.com/sous-chefs/postfix'
 issues_url        'https://github.com/sous-chefs/postfix/issues'
 chef_version      '>= 12.15'
--- a/cookbooks/postfix/recipes/_attributes.rb
+++ b/cookbooks/postfix/recipes/_attributes.rb
@ -29,22 +29,24 @@ end
 if node['postfix']['main']['smtp_sasl_auth_enable'] == 'yes'
  node.default_unless['postfix']['sasl_password_file'] = "#{node['postfix']['conf_dir']}/sasl_passwd"
-  node.default_unless['postfix']['main']['smtp_sasl_password_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['sasl_password_file']}"
+  node.default_unless['postfix']['main']['smtp_sasl_password_maps'] = "hash:#{node['postfix']['sasl_password_file']}"
  node.default_unless['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
  node.default_unless['postfix']['sasl']['smtp_sasl_user_name'] = ''
  node.default_unless['postfix']['sasl']['smtp_sasl_passwd']    = ''
  node.default_unless['postfix']['main']['relayhost'] = ''
 end
-node.default_unless['postfix']['main']['alias_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['aliases_db']}"] if node['postfix']['use_alias_maps']
+node.default_unless['postfix']['main']['alias_maps'] = ["hash:#{node['postfix']['aliases_db']}"] if node['postfix']['use_alias_maps']
-node.default_unless['postfix']['main']['transport_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['transport_db']}"] if node['postfix']['use_transport_maps']
+node.default_unless['postfix']['main']['transport_maps'] = ["hash:#{node['postfix']['transport_db']}"] if node['postfix']['use_transport_maps']
-node.default_unless['postfix']['main']['access_maps'] = ["#{node['postfix']['db_type']}:#{node['postfix']['access_db']}"] if node['postfix']['use_access_maps']
+node.default_unless['postfix']['main']['access_maps'] = ["hash:#{node['postfix']['access_db']}"] if node['postfix']['use_access_maps']
 node.default_unless['postfix']['main']['virtual_alias_maps'] = ["#{node['postfix']['virtual_alias_db_type']}:#{node['postfix']['virtual_alias_db']}"] if node['postfix']['use_virtual_aliases']
 node.default_unless['postfix']['main']['virtual_alias_domains'] = ["#{node['postfix']['virtual_alias_domains_db_type']}:#{node['postfix']['virtual_alias_domains_db']}"] if node['postfix']['use_virtual_aliases_domains']
-node.default_unless['postfix']['main']['smtpd_relay_restrictions'] = "#{node['postfix']['db_type']}:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
+node.default_unless['postfix']['main']['smtpd_relay_restrictions'] = "hash:#{node['postfix']['relay_restrictions_db']}, reject" if node['postfix']['use_relay_restrictions_maps']
 node.default_unless['postfix']['main']['maildrop_destination_recipient_limit'] = 1 if node['postfix']['master']['maildrop']['active']
--- a/cookbooks/postfix/recipes/_common.rb
+++ b/cookbooks/postfix/recipes/_common.rb
@ -155,7 +155,7 @@ unless node['postfix']['sender_canonical_map_entries'].empty?
    notifies :reload, 'service[postfix]'
  end
-  node.default['postfix']['main']['sender_canonical_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/sender_canonical" unless node['postfix']['main'].key?('sender_canonical_maps')
+  node.default['postfix']['main']['sender_canonical_maps'] = "hash:#{node['postfix']['conf_dir']}/sender_canonical" unless node['postfix']['main'].key?('sender_canonical_maps')
 end
 execute 'update-postfix-smtp_generic' do
@ -172,7 +172,7 @@ unless node['postfix']['smtp_generic_map_entries'].empty?
    notifies :reload, 'service[postfix]'
  end
-  node.default['postfix']['main']['smtp_generic_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/smtp_generic" unless node['postfix']['main'].key?('smtp_generic_maps')
+  node.default['postfix']['main']['smtp_generic_maps'] = "hash:#{node['postfix']['conf_dir']}/smtp_generic" unless node['postfix']['main'].key?('smtp_generic_maps')
 end
 execute 'update-postfix-recipient_canonical' do
@ -189,7 +189,7 @@ unless node['postfix']['recipient_canonical_map_entries'].empty?
    notifies :reload, 'service[postfix]'
  end
-  node.default['postfix']['main']['recipient_canonical_maps'] = "#{node['postfix']['db_type']}:#{node['postfix']['conf_dir']}/recipient_canonical" unless node['postfix']['main'].key?('recipient_canonical_maps')
+  node.default['postfix']['main']['recipient_canonical_maps'] = "hash:#{node['postfix']['conf_dir']}/recipient_canonical" unless node['postfix']['main'].key?('recipient_canonical_maps')
 end
 service 'postfix' do
--- a/cookbooks/postfix/recipes/maps.rb
+++ b/cookbooks/postfix/recipes/maps.rb
@ -18,8 +18,8 @@ node['postfix']['maps'].each do |type, maps|
    package "postfix-#{type}" if %w(pgsql mysql ldap cdb).include?(type)
  end
-  if platform_family?('rhel') && node['platform_version'].to_i >= 8
+  if platform?('redhat') && node['platform_version'].to_i == 8
-    package "postfix-#{type}" if %w(pgsql mysql ldap cdb lmdb).include?(type)
+    package "postfix-#{type}" if %w(pgsql mysql ldap cdb).include?(type)
  end
  separator = if %w(pgsql mysql ldap memcache sqlite).include?(type)
@ -32,7 +32,7 @@ node['postfix']['maps'].each do |type, maps|
      command "postmap #{file}"
      environment PATH: "#{ENV['PATH']}:/opt/omni/bin:/opt/omni/sbin" if platform_family?('omnios')
      action :nothing
-    end if %w(btree cdb dbm hash lmdb sdbm).include?(type)
+    end if %w(btree cdb dbm hash sdbm).include?(type)
    template "#{file}-#{type}" do
      path file
      source 'maps.erb'
@ -41,7 +41,7 @@ node['postfix']['maps'].each do |type, maps|
        map: content,
        separator: separator
      )
-      notifies :run, "execute[update-postmap-#{file}]" if %w(btree cdb dbm hash lmdb sdbm).include?(type)
+      notifies :run, "execute[update-postmap-#{file}]" if %w(btree cdb dbm hash sdbm).include?(type)
      notifies :restart, 'service[postfix]'
    end
  end
--- a/cookbooks/postfix/renovate.json
+++ b/cookbooks/postfix/renovate.json
@ -1,10 +1,9 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
-  "packageRules": [
+  "packageRules": [{
    {
      "groupName": "Actions",
-      "matchUpdateTypes": ["minor", "patch", "pin"],
+      "matchUpdateTypes": ["patch", "pin", "digest"],
      "automerge": true,
      "addLabels": ["Release: Patch", "Skip: Announcements"]
    },
--- a/cookbooks/postfix/templates/aliases.erb
+++ b/cookbooks/postfix/templates/aliases.erb
@ -6,5 +6,5 @@
 postmaster:    root
 <% node['postfix']['aliases'].each do |name, value| %>
-<%= name.match?(/[\s#:@]/) ? "\"#{name}\"" : name %>: <%= [value].flatten.map{|x| x.include?("|") ? "\"#{x}\"" : x}.join(',') %>
+<%= name %>: <%= [value].flatten.map{|x| if (x.include?("@")) then x else %Q("#{x}") end}.join(', ') %>
 <% end unless node['postfix']['aliases'].nil? %>
--- a/data_bags/credentials/akkounts.json
+++ b/data_bags/credentials/akkounts.json
@ -1,93 +1,72 @@
 {
  "id": "akkounts",
-  "rails_master_key": {
+  "postgresql_username": {
-    "encrypted_data": "q/0BtGuFZJQhw+iG4ZmFG12DPaWQDGTb/nCmRoxOnsACkANqMv/zZ39CoNFe\nLPtZiItY\n",
+    "encrypted_data": "bDlOkEmhvMgyVzPeTNUzYnzRLf3T9cc0cDxt\n",
-    "iv": "JV8R0iu6TrqcZRxL\n",
+    "iv": "GCCUoqU5pxQ7fGkv\n",
-    "auth_tag": "YxZIhEUnrd3XrwR6f9wO4A==\n",
+    "auth_tag": "Q7mrSHIBluMe3CGVmoR86Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
-  "rails_secret_key_base": {
+  "postgresql_password": {
-    "encrypted_data": "JmDQew3+OR6+yJ1xErwXeTn6jw8N2HwTc9yvAVJ3G+7w1s3N7rKDM6+M50ez\n2zP4Lm/eXzH4WTsTZlQcodlyNpi66pvUCGAkNM36rwTN5yvnhqPUmuSQi7AG\nDTBronBwr9ENvwA/gRuugyyhrRB1iuStpzpYKCMhZ2ae9Mrxdux0+ezfSLn4\nuP22uUrEqdQ/BWsW\n",
+    "encrypted_data": "wD0HtdsNe/hl4ZaOy8hyr2k4z8TXQrrSja3KNVE47w==\n",
-    "iv": "U/+YncCk13U6bYMz\n",
+    "iv": "tb5yz8WDer0CsGvJ\n",
-    "auth_tag": "2wPYJ/uVPv4jLKpAW/x6sw==\n",
+    "auth_tag": "/+K2anuCff/6M7Pu70Smqw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_encryption_primary_key": {
    "encrypted_data": "u/7z91Og/2eM7PWi2JWYAQMhYX4S5+bMMeVpkFPu778Gqj6Td9pagsWIak/d\nb7AU1zjF\n",
    "iv": "wYhrJWcuWbY8yo8S\n",
    "auth_tag": "WEoEdNy6VBvB2d5gb8DTXw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_encryption_key_derivation_salt": {
    "encrypted_data": "noOwTZuxfhsH94bjOT9rWCKS9rb3wAoXELGrc4nJZeNrb/B9XnOLTuK/wen8\nfmtoym0P\n",
    "iv": "jiFWs3VXhJdQBNqk\n",
    "auth_tag": "XDpJFgadYp7LyRqU7SO+Fg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "postgresql": {
    "encrypted_data": "Xorg8R8COxE/Swivu8MqZiwstD6rD+8FmgDx70pFscZ/CTb6WQRpyqGSrGZt\nZ7oL9WrqZs+mQgBb30odU+Sgdr6x\n",
    "iv": "6QWZc3+MY0hBCc/s\n",
    "auth_tag": "ZM+7OYyx5E9PciNG2OILhg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "ldap": {
    "encrypted_data": "mr2Z7hXF1GOn8RmqeZMMdaUcmiVP4ZeKtTX6RYW1cR+FQiUwoITwTPBE9XUx\n2cqZ9Mcd8uJicmf9vd+PfwPtRtoZFwqHQ4LDRFLW64hBZyiEkZWxWW+HzgPr\n",
    "iv": "k1AkyEplnJ4IZO1Z\n",
    "auth_tag": "zAOcrPex3VLDfRFq38n7fA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "sentry_dsn": {
-    "encrypted_data": "51cAERaRBCRg/sMb5c13EcnJzsz6VEf7jx6X3ooUSzm9wHoEfC5Hs/qakr/D\nqm9x3s3aGURRzyLUIEoe9jCohGguh6ehrXYVrun0B6pghVU=\n",
+    "encrypted_data": "jCz681x0WVixHYZUb62TO+1cgyJMiJ2UMqWcaztx57yDBOIiKW3oSZjuXdhP\n9WCesfXQF/lgzITZno3IKDqzlKjWgbGLC75y8FLguxidCHI=\n",
-    "iv": "hJsiiW6dFQMEQ+2p\n",
+    "iv": "IRNOzN/hLwg1iqax\n",
-    "auth_tag": "TOIahNrUhhsdQGlzp6UV5g==\n",
+    "auth_tag": "eg9dWnEK04JDb94e4CFa9Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rails_master_key": {
    "encrypted_data": "nUB77VLRp41rluH7hLBwQqPtnh/HsmfLr2VbcIZHWawL3o2TGuY+mj648f9L\n7XsEpgqY\n",
    "iv": "fpdbDitqTRHxEKiv\n",
    "auth_tag": "I44fn8Ott3L/Y5LYr56U/Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "discourse_connect_secret": {
-    "encrypted_data": "pvKcwuZgUJsAvClQ4V0BwhwEg09EUEWVxoSx+mFlfG1KpvZE4Cu3u3PalPSD\nldyKsw==\n",
+    "encrypted_data": "ENtMn+1XTVFmdEZw7LU6WGoMbSZY654ggm3vPACGfFgqo6r0LhG60c5OTdqv\nZvT5/Q==\n",
-    "iv": "ED85d6PKyaKB3Wlv\n",
+    "iv": "bL1BmvRhgxFqSM1P\n",
-    "auth_tag": "XVCU/WigC97tNe0bUK6okQ==\n",
+    "auth_tag": "sEBZzGWwwYFHn+4B4SsyCA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "lndhub_admin_token": {
-    "encrypted_data": "LvCgahQblsKOxK9iNbwDd31atBfemVppHqV7s3K/sR4j\n",
+    "encrypted_data": "4LPGFoARzI8UYnsJPIk8sax/rAA16pUULEZWn86e2C7L\n",
-    "iv": "zObzh2jEsqXk2vD2\n",
+    "iv": "nvjXrOwgfgutwEVw\n",
-    "auth_tag": "n9m/sBYBfzggwQLWrGpR2Q==\n",
+    "auth_tag": "A89RUf1sdcS3FVscNPWYLg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "btcpay_auth_token": {
-    "encrypted_data": "M4kGd6+jresm90nWrJG25mX6rfhaU+VlJlIVd/IjOAUsDABryyulJul3GZFh\nFPSI4uEhgIWtn56I0bA=\n",
+    "encrypted_data": "ky5iWYF06os0Ek6vIRzWqMTekqJhCOh/Q9DTDIeKhSyk8TnT3O71lCNEt1F5\nXCNq6ux3V6oyHVLWj0o=\n",
-    "iv": "hvqHm7A/YfUOJwRJ\n",
+    "iv": "zk6WnxsY89oNW1F9\n",
-    "auth_tag": "DhtT6IeixD1MSRX+D7JxZA==\n",
+    "auth_tag": "FAIMXKvQ1T7QKezVSNJbwQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_access_key": {
-    "encrypted_data": "FPRpLZoIbLcVWPJhOlX7ZeXGv6TZIWYAD+BKTsJOyOHxDG3eRULqQc89cGWi\n",
+    "encrypted_data": "KfhfEGwPjOonlz6rpnNTinXFPqX/sIbqQn/aby0UDi/G/7cvEcOiNcCkfuSz\n",
-    "iv": "f9WiiGLmDxtygp60\n",
+    "iv": "Q3rg06v6K9pUDLDY\n",
-    "auth_tag": "lGnq4itmByuF/Yp20/6coQ==\n",
+    "auth_tag": "G5ugdlJ896KtYtObKLclJA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_secret_key": {
-    "encrypted_data": "JnnwISbHJ+d7JZB/C0NH0fb8p+bDSwoq5t5knSi+bSTltSxKcq6PRX9K6bov\nEbo0GTdWePbuc5NCsyYxfrkzCtpLXTIxeCROtinRmFIgMFNwaOA=\n",
+    "encrypted_data": "N8s1OoDrYXHjqSydQA0kY7dd68Aelq4+/cgmJlYfP92u4YA17V4TR7fsvQZL\nkqjuUSClNYPc0XiCwf/5gxVirE9AO6OmmvSV7lUyu4hcEY6unrU=\n",
-    "iv": "pKPCaANDqGtbFV3V\n",
+    "iv": "bXzIVWnX6V0P6PRb\n",
-    "auth_tag": "S//hn2HOhuZH8+UfCNBWDg==\n",
+    "auth_tag": "1EOjCfsX9P6ETjUsgBvBsA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "nostr_private_key": {
-    "encrypted_data": "AKfFiLow+veDyEWBwmCDuLerT3l+o2aJUCeHg2mZZIyoH4oeo/9crZwIdjBn\n70reouqnHNG9mBHuO/+IPGfj53mHLo+oGHh+6LkL3ImI4MFBofY=\n",
+    "encrypted_data": "Sf8PEyQ0sqcgxddSlIDxLOVzPjOkTFObsYuTgcxkbEV7igrati4e8QVVUEBD\n1yoLJXelp8jlCr28Ectci29jc53gYSMTLSQsw97uYas2R0dGCqQ=\n",
-    "iv": "bPlOKk2qkJAzdKf+\n",
+    "iv": "+1CIUyvIUOveLrY4\n",
-    "auth_tag": "VIp1IOjBGatn2MN5LHVymg==\n",
+    "auth_tag": "GDqS+IuAIfMBmHIeFXaV7A==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/data_bags/credentials/backup.json
+++ b/data_bags/credentials/backup.json
@ -1,38 +1,27 @@
 {
  "id": "backup",
  "s3_access_key_id": {
-    "encrypted_data": "245TrPvuoBRRTimhbt6qqsFb+JnnD377sPt1pguJy7Q2BXOy/jrX0wyMt+cP\nuA==\n",
+    "encrypted_data": "emGNH4v7TTEh05Go/DsI3k7CFnaK4p/4JxodC4BYpyWw47/Z3dsuRMu4vXM3\n3YLH\n",
-    "iv": "ylmRxSRO3AA4MSJN\n",
+    "iv": "Dau+ekb3UTYdl8w3fQKVcA==\n",
-    "auth_tag": "45tBcYZowPLrbv4Zu2P0Fw==\n",
+    "version": 1,
-    "version": 3,
+    "cipher": "aes-256-cbc"
    "cipher": "aes-256-gcm"
  },
  "s3_secret_access_key": {
-    "encrypted_data": "jDIOjlBzTkBUzpj243T6KnBuH0qwyW7BUFMcqllljFSzxs7K8wYJOUreNbOP\ny8OpDWAuO0H4O4LuFMJXeM8=\n",
+    "encrypted_data": "Mxyly86JxrWUbubbSiqPdRosChzfI1Q8eBEG4n+2B9JJG4yExltO5Wc5kgSs\nX01MPXAc+PGLm+J9MngUtypo/g==\n",
-    "iv": "PzvZr37EkJqz6JtM\n",
+    "iv": "WRhBJGiuScYYsUsoT5j/UA==\n",
-    "auth_tag": "e3XW8oHVgmYibv/IBzj0yA==\n",
+    "version": 1,
-    "version": 3,
+    "cipher": "aes-256-cbc"
    "cipher": "aes-256-gcm"
  },
  "s3_endpoint": {
    "encrypted_data": "ErJIEChxrreW7WKEwRtuP2MyYlsZRtqLdGa/x5QY58qgO036FgR3Hs2Z3yce\n",
    "iv": "HOSAOgUjO7XGwk50\n",
    "auth_tag": "XE1bwMIXHHE72V9K2KOLnw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_region": {
-    "encrypted_data": "8cNSaYu7HH95ftG66lFdUIPZD7soz907CPA=\n",
+    "encrypted_data": "2ZGxu0tVzKNfx3K1Wleg0SAwGaPkHCi/XfKpJ+J7q40=\n",
-    "iv": "pU21ulF75y/SIs3x\n",
+    "iv": "CNTZW2SEIgfw+IyzGI3TzQ==\n",
-    "auth_tag": "7WQQCbSbB2GybjY+C+5IvQ==\n",
+    "version": 1,
-    "version": 3,
+    "cipher": "aes-256-cbc"
    "cipher": "aes-256-gcm"
  },
  "encryption_password": {
-    "encrypted_data": "l23CiIO2s1fIRn0NdoWZ+wK+Zhx3hCYDHf4ypjqMRekZ7xqafvXHHuogD5aj\npxYUKloH\n",
+    "encrypted_data": "tsBWKBwhQFfEAM0EWMPtljSbqU1c5mOJXPjYJjNT5RUFhPlqa7gsE8aJbs+D\nSPKjAQ62j+iHeqCk9mE9CCkgBA==\n",
-    "iv": "Dzx83eP9L7Jqqidh\n",
+    "iv": "uq5YAXuq2ynRLv9EIWoCFA==\n",
-    "auth_tag": "UVn5XA5Tgsikc1GdOt1MUQ==\n",
+    "version": 1,
-    "version": 3,
+    "cipher": "aes-256-cbc"
    "cipher": "aes-256-gcm"
  }
 }
--- a/data_bags/credentials/dirsrv.json
+++ b/data_bags/credentials/dirsrv.json
@ -1,30 +1,9 @@
 {
  "id": "dirsrv",
  "admin_dn": {
    "encrypted_data": "zRtz6Scb9WtUXGyjc0xyvsre0YvqupuaFz+RPApj7DEQTmYyZPVb\n",
    "iv": "xfIXMhEBHBWqa4Dz\n",
    "auth_tag": "BcA32u1njcnCZ+yrBGSceQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "admin_password": {
-    "encrypted_data": "7JpXl3JZDqKWDfYt/wuNbkbob+oRuONhkuAlpqUCCEIn+tY=\n",
+    "encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
-    "iv": "Lcwc4NDzrfcBaIKQ\n",
+    "iv": "KNW2B8tpX7ywZwbg\n",
-    "auth_tag": "rrePS3Bhdnwbr2d/o8vMhg==\n",
+    "auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "service_dn": {
    "encrypted_data": "sqRFiZreLeTPQljSfhAuV3DmsPxSC8tzWjCdu+WSSbO67sBQA+xhmGtzBhBD\nDZPGJw+jtAxzuVvPdAjxgAVgxXO6C6WEo87L1tdJewE=\n",
    "iv": "GUEGtyRJXrPhWcUs\n",
    "auth_tag": "2USsrx//3V7RCyumGCbMkg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "service_password": {
    "encrypted_data": "f2wi8B8SEt6p5G0TF3dZ72j0vMFlvwcP1suxYnshBA==\n",
    "iv": "rOnUoxbnkaJtodM+\n",
    "auth_tag": "dVLCtBVMjxLfW2D8XjJBdQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/data_bags/credentials/gandi_api.json
+++ b/data_bags/credentials/gandi_api.json
@ -1,23 +1,23 @@
 {
  "id": "gandi_api",
  "key": {
-    "encrypted_data": "lU7/xYTmP5Sb6SsK5TNNIyegWozzBtUzpg7oDdl6gcz9FEMmG2ft0Ljh5Q==\n",
+    "encrypted_data": "d3/rJMX6B9GuzUt0/mIk/lgQ3qGyQdbNXH6UEm3ZX7DeSl+rbW9FPJCRWg==\n",
-    "iv": "EZPQD3C+wsP/mBhF\n",
+    "iv": "15YVAYla7PqqVOab\n",
-    "auth_tag": "vF9E8Pj4Z8quJJdOMg/QTw==\n",
+    "auth_tag": "xQSq+ld6SDOAER07N4ZkUQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "access_token": {
-    "encrypted_data": "1Uw69JkNrmb8LU/qssuod1SlqxxrWR7TJQZeeivRrNzrMIVTEW/1uwJIYL6b\nM4GeeYl9lIRlMMmLBkc=\n",
+    "encrypted_data": "geQwcNosiJZmqbbMpD/I+a2yueBzpV6C8Rb7vrCD8kR161ZRjvqLe+g/1XpT\n2/65wKYDMTrdto1I030=\n",
-    "iv": "cc1GJKu6Cf4DkIgX\n",
+    "iv": "1sj58eyooOZ8FTYn\n",
-    "auth_tag": "ERem4S7ozG695kjvWIMghw==\n",
+    "auth_tag": "yBNfgWXaToc06VDLly/HUw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "domains": {
-    "encrypted_data": "scZ5blsSjs54DlitR7KZ3enLbyceOR5q0wjHw1golQ==\n",
+    "encrypted_data": "p5rIQTyCE+0d4HIuA4GKEAFekh7qEC4xe9Rm/kP0DyzY83FO0/4uKIvYoZRB\n",
-    "iv": "oDcHm7shAzW97b4t\n",
+    "iv": "LWlx98NSS1/ngCH1\n",
-    "auth_tag": "62Zais9yf68SwmZRsmZ3hw==\n",
+    "auth_tag": "FID+x/LjTZ3cgQV5U2xZLA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/data_bags/credentials/kosmos-rs.json
+++ b/data_bags/credentials/kosmos-rs.json
@ -1,10 +0,0 @@
 {
  "id": "kosmos-rs",
  "auth_tokens": {
    "encrypted_data": "fiznpRw7VKlm232+U6XV1rqkAf2Z8CpoD8KyvuvOH2JniaymlcTHgazGWQ8s\nGeqK4RU9l4d29e9i+Mh0k4vnhO4q\n",
    "iv": "SvurcL2oNSNWjlxp\n",
    "auth_tag": "JLQ7vGXAuYYJpLEpL6C+Rw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
 }
--- a/data_bags/credentials/lndhub-go.json
+++ b/data_bags/credentials/lndhub-go.json
@ -1,30 +1,30 @@
 {
  "id": "lndhub-go",
  "jwt_secret": {
-    "encrypted_data": "lJsKBTCRzI83xmRHXzpnuRH/4cuMOR+Rd+SBU50G9HdibadIEDhS\n",
+    "encrypted_data": "3T4JYnoISKXCnatCBeLCXyE8wVjzphw5/JU5A0vHfQ2xSDZreIRQ\n",
-    "iv": "f/SvsWtZIYOVc54X\n",
+    "iv": "bGQZjCk6FtD/hqVj\n",
-    "auth_tag": "YlJ78EuJbcPfjCPc2eH+ug==\n",
+    "auth_tag": "CS87+UK1ZIFMiNcNaoyO6w==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "postgresql_password": {
-    "encrypted_data": "aT0yNlWjvk/0S4z2kZB4Ye1u/ngk5J6fGPbwZSfdq6cy\n",
+    "encrypted_data": "u8kf/6WdSTzyIz2kF+24JgOPLndWH2WmTFZ3CToJsnay\n",
-    "iv": "OgUttF4LlSrL/7gH\n",
+    "iv": "KqLtV2UuaAzJx7C8\n",
-    "auth_tag": "pcbbGqbQ2RjU+i9dt8c3OQ==\n",
+    "auth_tag": "3aqx45+epb2NFkNfOfG89A==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "admin_token": {
-    "encrypted_data": "I9EsqCCxMIw+fX6sfu6KX8B5fJj9DX5Y4tbX30jdnmxr\n",
+    "encrypted_data": "Z737fXqRE9JHfunRhc2GG281dFFN1bvBvTzTDzl/Vb8O\n",
-    "iv": "vnERvIWYInO6+Y8q\n",
+    "iv": "oKLQJbD67tiz2235\n",
-    "auth_tag": "gO+MprZUQgPEWJQUmSF1sA==\n",
+    "auth_tag": "SlVIqC9d9SRoO78M7cBjTw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "sentry_dsn": {
-    "encrypted_data": "+sUXWgl6dXpA1/0FqjKC3Jnl54aor6gtM+19EM/NsHwg4qu672YnSgxV+c9x\nHM3JZBYxBYvJ+HYGAvMmhlGvaOOEIvLmFUpCCJeVUXR32S8=\n",
+    "encrypted_data": "gmDHGDWkTIvaXjcWMs1dnKnbqtsADPJ2mLmWw8Idj6RVevU5CabjvviAxEo1\n3hs2LWuObumRSCQt2QKap191uMq3CL2+da53hbsv+JUkxl4=\n",
-    "iv": "82+DzAnHiptaX7sO\n",
+    "iv": "Yt0fSsxL4SNicwUY\n",
-    "auth_tag": "CDx44iRBVhSIF8DOxb2c+w==\n",
+    "auth_tag": "j7BWbcNnymHHMNTADWmCNw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/data_bags/credentials/mastodon.json
+++ b/data_bags/credentials/mastodon.json
@ -1,114 +1,93 @@
 {
  "id": "mastodon",
  "active_record_encryption_deterministic_key": {
    "encrypted_data": "2ik8hqK7wrtxyC73DLI8FNezZiWp2rdjwaWZkTUFRj+iwvpSrGVEwMx6uxDI\nWa7zF3p/\n",
    "iv": "XMp6wqwzStXZx+F3\n",
    "auth_tag": "vloJOLqEcghfQXOYohVVlg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "active_record_encryption_key_derivation_salt": {
    "encrypted_data": "Nq/rHayMYmT/82k3tJUKU8YTvDKUKLoK204aT0CMGZertZaAD3dtA9AkprrA\nPK0D9CdL\n",
    "iv": "tn9C+igusYMH6GyM\n",
    "auth_tag": "+ReZRNrfpl6ZDwYQpwm6dw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "active_record_encryption_primary_key": {
    "encrypted_data": "UEDMuKHgZDBhpB9BwbPmtdmIDWHyS9/bSzaEbtTRvLcV8dGOE5q9lDVIIsQp\n2HE0c92p\n",
    "iv": "tnB0pQ3OGDne3mN/\n",
    "auth_tag": "kt234ms+bmcxJj/+FH/72Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "paperclip_secret": {
-    "encrypted_data": "AlsnNTRF6GEyHjMHnC4VdzF4swMlppz/Gcp1xr0OuMEgQiOcW1oSZjDRZCRV\nmuGqZXZx64wqZyzTsJZ6ayCLsmWlPq6L21odHWyO+P/C5ubenSXnuCjpUn3/\nHs8WLX3kwVmqCRnVgDl2vEZ5H4XedSLr7R7YM7gQkM0UX4muMDWWnOTR8/x/\ni1ecwBY5RjdewwyR\n",
+    "encrypted_data": "VJn4Yd2N7qFV+nWXPjPA8Y2KEXL/gZs2gK5E3DZZc9ogFXV7RtpDtq+NKGJU\ndpR8ohtEZvkyC+iBkMAlnS1sSVKiLdQ1xXvbzkj04mYgjnLvwsZ19uVpBGwR\nt/DON7Bhe5Fw+OyrBQksqNcZQSpB9sMBfgA1IgCpdVGHQ8PmkMbFTaZZYcoF\n7gg3yUw5/0t3vRdL\n",
-    "iv": "RWiLePhFyPekYSl9\n",
+    "iv": "X5atp/KaIurfln/u\n",
-    "auth_tag": "sUq4ZX9CFKPbwDyuKQfNLQ==\n",
+    "auth_tag": "mVnBoUb5HwhXNYUddJbq8Q==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "secret_key_base": {
-    "encrypted_data": "K5CmIXFa9mS4/dODBQAN9Bw0SFpbLiZAB8ewiYpkB8NDXP6X/BX8aDjW2Y4F\ncMvpFyiFldRBhrh1MSKTVYQEoJ3JhlNL9HCdPsAYbBEW70AuEBpHvOtD5OxH\nqgbH4Reuk6JX5AI8SwDD3zGrdT12mTFVNgSujzuZMvpi1Sro2HtRGAkjmnaa\nMGKrBV21O1CREJJg\n",
+    "encrypted_data": "d0sNREFhzQEJhkRzielbCNBJOVAdfThv7zcYTZ1vFZ20i/mzB9GWW2nb+1yn\nNFjAq8wCLpLXn9n3FClE+WOqnAw0jwTlyScRM5lzjKI5SxHKkBQHGyFs2AF8\nqFjEvpiqxhjsc4kNOJGO8DdcyHuulXyaO9fJg8HDnU1ov1vSSuTc0ABKgycY\nMq/Xt10UXnhP8cPw\n",
-    "iv": "/yMMmz1YtKIs5HSd\n",
+    "iv": "HFT7fdGQ2KRJ2NFy\n",
-    "auth_tag": "WXgIVWjIdbMFlJhTD5J0JQ==\n",
+    "auth_tag": "C55JT2msLQCoI+09VKf+Jw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "otp_secret": {
-    "encrypted_data": "OPLnYRySSIDOcVHy2A5V+pCrz9zVIPjdpAGmCdgQkXtJfsS9NzNtxOPwrXo6\nuQlV9iPjr1Y9ljGKYytbF0fPgAa5q6Z1oHMY9vOGs/LGKj8wHDmIvxQ+Gil1\nC+dZEePmqGaySlNSB/gNzcFIvjBH3mDxHJJe9hDxSv5miNS9l9f3UvQeLP2M\nU7/aHKagL9ZHOp/d\n",
+    "encrypted_data": "1iH7mUkaUzyn9dfDwMdiJ8X059qWSUO3DqivsOFfI1f44nMnzllaYPu6nh8O\nNLNCOzvsSAonhhaq1X+foOdyPIG2mGhE/juKveDD57/AdZAayHWsbsQlPC4l\nwdShz/ANrq0YZ/zOhpT2sZj1TZavW+S+JlxJFX2kP24D4dUzwG0vNj7522+Q\n9NAApJdUte1ZYF/b\n",
-    "iv": "wqJBLdZhJ7M/KRG9\n",
+    "iv": "00/vs5zTdoC19+pS\n",
-    "auth_tag": "dv5YyZszZCrRnTleaiGd4A==\n",
+    "auth_tag": "3cjYqebMshnmWkQ3SdRcCQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "aws_access_key_id": {
-    "encrypted_data": "A1/gfcyrwT6i9W6aGTJ8pH4Dm4o8ACDxvooDroA/2N0szOiNyiYX\n",
+    "encrypted_data": "krcfpxOrAkwZR2GP4glTaFg2dw/COw8BO8I+KICqyl4bvpL5NrB9\n",
-    "iv": "JNvf21KhdM3yoLGt\n",
+    "iv": "paoDKp6EIU8bjxzF\n",
-    "auth_tag": "2xaZql1ymPYuXuvXzT3ymA==\n",
+    "auth_tag": "p6Pt/tz5dgGXzW5cO06nBg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "aws_secret_access_key": {
-    "encrypted_data": "T1tc01nACxhDgygKaiAq3LChGYSgmW8LAwr1aSxXmJ5D2NtypJDikiHrJbFZ\nfWFgm1qe4L8iD/k5+ro=\n",
+    "encrypted_data": "aQySCT7gxeNiMMocq81KtIi+YzrZwMBeTd4LrRSN8iNEikWReJrrfagBwozy\n+Gfdw4bMGzY1dhF1Sl4=\n",
-    "iv": "FDTPQQDLUMKW7TXx\n",
+    "iv": "R/hvvOvmqq/uoKbx\n",
-    "auth_tag": "msY6PFFYhlwQ0X7gekSDiw==\n",
+    "auth_tag": "QBJY/3+OprBXO/FSNwv2OQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "ldap_bind_dn": {
-    "encrypted_data": "C/YNROVyOxmR4O2Cy52TX41EKli2bCOMzwYD+6Hz/SiKkgidnKUHlvHlbTDq\nkWwlRDM2o8esOCKaEAGPNWcNc9IHlaSsfwhr4YWnwe0=\n",
+    "encrypted_data": "wDPABdL+DlXz2WWV4XwW20kM4EWPSwc/ajBmbdYMnjFau6c76CIBpbFhrFoj\n3mwDbHz8cgOnLNvozXSV4w6N7URCN/mWWTBHNhd3ppw=\n",
-    "iv": "QCQF0+vH+//+nDxr\n",
+    "iv": "8rQ0M4LT1HbCNpq9\n",
-    "auth_tag": "a0PbyO/7wjufqH2acDCqmQ==\n",
+    "auth_tag": "AuO5R6WCtd75TGJNfgFSCg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "ldap_password": {
-    "encrypted_data": "SqwKeiyzfvvZGqH5gi35BdW3W+Fo/AQQjso1Yfp2XA==\n",
+    "encrypted_data": "y0t8RuptVYiTKmUhaAWsC4c2ZzhQsYeVLeMPiQBn+Q==\n",
-    "iv": "md2/etFJ1r/BKaYg\n",
+    "iv": "mixYzDKkPSIDQ/l+\n",
-    "auth_tag": "OlCCOoYSD7ukdH2yWCd6KA==\n",
+    "auth_tag": "DbLlZG7rlgBmyCdJ3nhSYA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "smtp_user_name": {
-    "encrypted_data": "0kzppmSSUg7lEyYnI5a0nf+xO0vSVx88rbxI+niIdzFOOBKSIL6uVHJ340dw\nMQ==\n",
+    "encrypted_data": "Ugc29HUFcirv6jOOlYNs9uvmhfwa2rG41im/MusCx0Vu0AZKcdy0krGi/kCZ\nKg==\n",
-    "iv": "lQR77ETTtIIyaG1r\n",
+    "iv": "ZlDK854w+vTNmeJe\n",
-    "auth_tag": "smF2HRg8WdmD+MWwkT3TqA==\n",
+    "auth_tag": "Nj95g0JMxrT419OLQIX26g==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "smtp_password": {
-    "encrypted_data": "1i0m9qiZA/8k8fMKo+04uyndl1UhagtHweBFICIorWALkB68edjb8OhUDxv9\nTubiXYRC\n",
+    "encrypted_data": "D1TGjRfmM1ZeUmzwewlKXfQvvqTSzpzNlK5MKIU8dxbAH175UKn5qiemDEWe\nRYPe1LWT\n",
-    "iv": "IU2x4ips9HWmKoxi\n",
+    "iv": "D1OVfD5bMcefM5DP\n",
-    "auth_tag": "BZJTDfPBvt8cf6/MbKzUJQ==\n",
+    "auth_tag": "2E/q2gTbdXiLVnOMDeJv9w==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "vapid_private_key": {
-    "encrypted_data": "+LmySMvzrV3z2z7BmJG9hpvkL06mGc87RG20XQhhdAJ2Z/5uMMjev2pUf7du\ntv2qvDJAimhkZajuDGL9R3eq\n",
+    "encrypted_data": "+87bVrbd/XvWhZH1IYusc4Hla7ZZmylptAyJf48CMG/F3SMEO33OqW2I+UWh\nSkqbxai5+GaMhvZHB8U2Clod\n",
-    "iv": "Mg7NhPl31O6Z4P+v\n",
+    "iv": "HVhNdFQl0TvCcjsa\n",
-    "auth_tag": "qYWPInhgoWAjg0zQ+XXt5w==\n",
+    "auth_tag": "EEQXuQ5keOHXmchhBh+Ixw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "vapid_public_key": {
-    "encrypted_data": "NOyc+Cech9qG2HhnhajDaJMWd1OU5Rp6hws6i4xF5mLPePMJ9mJTqzklkuMK\npYSEdtcxA3KmDt1HrFxfezYUc9xO9pvlm0BPA7XAFmF/PU7/AJbFqgPU6pX/\ntSDLSdFuMB3ky+cl4DJi+O4=\n",
+    "encrypted_data": "nBm1lXbn1+Kzol95+QSEjsUI/n7ObhdEqEyfYcVSP/LiLy57KOBQDu6CjSMz\n+PN9yEP4lOjtscqHS29jTC2vi3PSui9XpOFHRxFBnDuyKxczrnID2KlLCNRQ\n228G3VRgFIMAWMYKACgzUk0=\n",
-    "iv": "rgUglYiHB/mhqGha\n",
+    "iv": "xHrVl+4JGkQbfUW3\n",
-    "auth_tag": "DEX7hdNsNLi/LIrMkdUe/Q==\n",
+    "auth_tag": "rfFoBMocq17YiDSlOCvWqw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_key_id": {
-    "encrypted_data": "rPVzrYYIbcM+ssVpdL6wpCTdzLIEKXke1+eMlPLMG2gPuoh+W3eO3nFGb/s2\n",
+    "encrypted_data": "pq0+VZhjoxzLuyY34f23wOmuks9Wevt8Wu6muKZAsZMSuU0iJvlRoK/65Qa0\n",
-    "iv": "/qI8F9cvnfKG7ZXE\n",
+    "iv": "QTxO+IfYcpI170ON\n",
-    "auth_tag": "z1+MPdkO/+SCaag2ULelPg==\n",
+    "auth_tag": "4ZHva2iBYgDv6DyhMRRXzA==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_secret_key": {
-    "encrypted_data": "RMnB9kZ+slbQXfpo0udYld6S1QqBxqM1YbszdLfSAdKK9I0J3Kmvh/CQ5Fbx\nyov6LClmsl1rjtH16r7cY32M4Woq+6miERdtecyDrrYkNHz0xkA=\n",
+    "encrypted_data": "YMZqKtOXDPAME8IWWC+lO8TsxHMzawlbTju9z/Hcb5DnQAOy82QufTN90m73\n/xikUboAdKcA5YGn0mkm+Rt/ygVR6DFirYV3kwi2M3qyGVJifug=\n",
-    "iv": "pO7bm3aOtjuwYjG/\n",
+    "iv": "9AwabheRFOgC8IKR\n",
-    "auth_tag": "SRvn4z1+Vd5VAGgjG64s+Q==\n",
+    "auth_tag": "iU2kkA1q8OsblN5jaZrWGQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/doc/mastodon.md
+++ b/doc/mastodon.md
@ -1,15 +0,0 @@
 # Mastodon
 Running on kosmos.social
 ## Ops
 ### Enable maintance mode
 Return a 503 and maintance page for all requests:
    knife ssh -p2222 -a knife_zero.host "role:openresty_proxy" "sudo cp -p /var/www/maintenance.html /var/www/kosmos.social/public/ && sudo systemctl reload openresty"
 ### Stop maintenance mode
    knife ssh -p2222 -a knife_zero.host "role:openresty_proxy" "sudo rm /var/www/kosmos.social/public/maintenance.html && sudo systemctl reload openresty"
--- a/environments/production.json
+++ b/environments/production.json
@ -14,8 +14,7 @@
        "public_key": "024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946"
      },
      "nostr": {
-        "public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
+        "public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
        "relay_url": "wss://nostr.kosmos.org"
      }
    },
    "discourse": {
@ -102,42 +101,6 @@
    },
    "sentry": {
      "allowed_ips": "10.1.1.0/24"
    },
    "strfry": {
      "domain": "nostr.kosmos.org",
      "config": {
        "events": {
          "max_event_size": "524288"
        },
        "relay": {
          "bind": "0.0.0.0",
          "real_ip_header": "x-real-ip",
          "info": {
            "name": "Kosmos Relay",
            "description": "Members-only nostr relay for kosmos.org users",
            "pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
            "contact": "ops@kosmos.org",
            "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
          },
          "write_policy": {
            "plugin": "/opt/strfry/strfry-policy.ts"
          },
          "logging": {
            "dump_in_all": true
          }
        }
      },
      "known_pubkeys": {
        "_": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
        "accounts": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
        "bitcoincore": "47750177bb6bb113784e4973f6b2e3dd27ef1eff227d6e38d0046d618969e41a",
        "fiatjaf": "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
      }
    },
    "substr": {
      "relay_urls": [
        "ws://localhost:7777"
      ]
    }
  }
 }
--- a/nodes/akkounts-1.json
+++ b/nodes/akkounts-1.json
@ -9,7 +9,7 @@
  "automatic": {
    "fqdn": "akkounts-1",
    "os": "linux",
-    "os_version": "5.4.0-216-generic",
+    "os_version": "5.4.0-148-generic",
    "hostname": "akkounts-1",
    "ipaddress": "192.168.122.160",
    "roles": [
@ -38,7 +38,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@ -16,6 +16,7 @@
      "kvm_guest",
      "sentry_client",
      "bitcoind",
      "cln",
      "lnd",
      "lndhub",
      "postgresql_client",
@ -29,8 +30,10 @@
      "tor-full",
      "tor-full::default",
      "kosmos-bitcoin::bitcoind",
      "kosmos-bitcoin::c-lightning",
      "kosmos-bitcoin::lnd",
      "kosmos-bitcoin::lnd-scb-s3",
      "kosmos-bitcoin::boltz",
      "kosmos-bitcoin::rtl",
      "kosmos-bitcoin::peerswap-lnd",
      "kosmos_postgresql::hostsfile",
@ -38,13 +41,11 @@
      "kosmos-bitcoin::dotnet",
      "kosmos-bitcoin::nbxplorer",
      "kosmos-bitcoin::btcpay",
      "kosmos-bitcoin::price_tracking",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@ -102,9 +103,9 @@
    "role[sentry_client]",
    "recipe[tor-full]",
    "role[bitcoind]",
    "role[cln]",
    "role[lnd]",
    "role[lndhub]",
-    "role[btcpay]",
+    "role[btcpay]"
    "recipe[kosmos-bitcoin::price_tracking]"
  ]
 }
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@ -20,7 +20,7 @@
  "automatic": {
    "fqdn": "draco.kosmos.org",
    "os": "linux",
-    "os_version": "5.4.0-187-generic",
+    "os_version": "5.4.0-54-generic",
    "hostname": "draco",
    "ipaddress": "148.251.237.73",
    "roles": [
@ -54,10 +54,8 @@
      "kosmos_liquor-cabinet::nginx",
      "kosmos_rsk::nginx_testnet",
      "kosmos_rsk::nginx_mainnet",
      "kosmos_strfry::nginx",
      "kosmos_website",
      "kosmos_website::default",
      "kosmos_website::redirects",
      "kosmos-akkounts::nginx",
      "kosmos-akkounts::nginx_api",
      "kosmos-bitcoin::nginx_lndhub",
--- a/nodes/drone-1.json
+++ b/nodes/drone-1.json
@ -8,27 +8,26 @@
  "automatic": {
    "fqdn": "drone-1",
    "os": "linux",
-    "os_version": "5.4.0-1133-kvm",
+    "os_version": "5.4.0-1058-kvm",
    "hostname": "drone-1",
    "ipaddress": "192.168.122.200",
    "roles": [
      "kvm_guest",
      "drone",
-      "postgresql_client"
+      "postgresql_client",
      "kvm_guest"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::hostsfile",
      "kosmos_drone",
      "kosmos_drone::default",
      "kosmos_kvm::guest",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@ -44,13 +43,13 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.7.10",
+        "version": "17.9.52",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.7.10/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.2.5",
+        "version": "17.9.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.5/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
      }
    }
  },
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@ -48,10 +48,8 @@
      "kosmos_liquor-cabinet::nginx",
      "kosmos_rsk::nginx_testnet",
      "kosmos_rsk::nginx_mainnet",
      "kosmos_strfry::nginx",
      "kosmos_website",
      "kosmos_website::default",
      "kosmos_website::redirects",
      "kosmos-akkounts::nginx",
      "kosmos-akkounts::nginx_api",
      "kosmos-bitcoin::nginx_lndhub",
--- a/nodes/garage-10.json
+++ b/nodes/garage-10.json
@ -1,17 +1,17 @@
 {
-  "name": "garage-10",
+  "name": "garage-4",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.27"
+      "host": "10.1.1.104"
    }
  },
  "automatic": {
-    "fqdn": "garage-10",
+    "fqdn": "garage-4",
    "os": "linux",
-    "os_version": "5.4.0-1090-kvm",
+    "os_version": "5.4.0-132-generic",
-    "hostname": "garage-10",
+    "hostname": "garage-4",
-    "ipaddress": "192.168.122.70",
+    "ipaddress": "192.168.122.123",
    "roles": [
      "base",
      "kvm_guest",
@ -23,8 +23,7 @@
      "kosmos_kvm::guest",
      "kosmos_garage",
      "kosmos_garage::default",
-      "kosmos_garage::firewall_rpc",
+      "kosmos_garage::firewall",
      "kosmos_garage::firewall_apis",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@ -39,20 +38,21 @@
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
-      "firewall::default"
+      "firewall::default",
      "chef-sugar::default"
    ],
    "platform": "ubuntu",
    "platform_version": "20.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.5.0",
+        "version": "17.10.3",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.1.11",
+        "version": "17.9.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
      }
    }
  },
--- a/nodes/garage-11.json
+++ b/nodes/garage-11.json
@ -1,17 +1,17 @@
 {
-  "name": "garage-11",
+  "name": "garage-5",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.165"
+      "host": "10.1.1.33"
    }
  },
  "automatic": {
-    "fqdn": "garage-11",
+    "fqdn": "garage-5",
    "os": "linux",
-    "os_version": "5.15.0-1059-kvm",
+    "os_version": "5.15.0-84-generic",
-    "hostname": "garage-11",
+    "hostname": "garage-5",
-    "ipaddress": "192.168.122.9",
+    "ipaddress": "192.168.122.55",
    "roles": [
      "base",
      "kvm_guest",
@ -46,13 +46,13 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.5.0",
+        "version": "18.3.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.1.11",
+        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
      }
    }
  },
--- a/nodes/garage-6.json
+++ b/nodes/garage-6.json
@ -1,17 +1,17 @@
 {
-  "name": "garage-9",
+  "name": "garage-6",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.223"
+      "host": "10.1.1.161"
    }
  },
  "automatic": {
-    "fqdn": "garage-9",
+    "fqdn": "garage-6",
    "os": "linux",
    "os_version": "5.4.0-1090-kvm",
-    "hostname": "garage-9",
+    "hostname": "garage-6",
-    "ipaddress": "192.168.122.21",
+    "ipaddress": "192.168.122.213",
    "roles": [
      "base",
      "kvm_guest",
@ -46,13 +46,13 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.5.0",
+        "version": "18.3.0",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.1.11",
+        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
      }
    }
  },
--- a/nodes/gitea-2.json
+++ b/nodes/gitea-2.json
@ -9,7 +9,7 @@
  "automatic": {
    "fqdn": "gitea-2",
    "os": "linux",
-    "os_version": "5.4.0-1123-kvm",
+    "os_version": "5.4.0-1096-kvm",
    "hostname": "gitea-2",
    "ipaddress": "192.168.122.189",
    "roles": [
@ -32,14 +32,12 @@
      "kosmos_postgresql::hostsfile",
      "kosmos_gitea",
      "kosmos_gitea::default",
      "kosmos_gitea::backup",
      "kosmos_gitea::act_runner",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@ -49,16 +47,7 @@
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
-      "firewall::default",
+      "firewall::default"
      "kosmos_gitea::compile_from_source",
      "git::default",
      "git::package",
      "kosmos-nodejs::default",
      "nodejs::nodejs_from_package",
      "nodejs::repo",
      "golang::default",
      "backup::default",
      "logrotate::default"
    ],
    "platform": "ubuntu",
    "platform_version": "20.04",
--- a/nodes/mail.kosmos.org.json
+++ b/nodes/mail.kosmos.org.json
@ -10,7 +10,7 @@
    "fqdn": "mail.kosmos.org",
    "os": "linux",
    "os_version": "5.15.0-1048-kvm",
-    "hostname": "mail.kosmos.org",
+    "hostname": "mail",
    "ipaddress": "192.168.122.131",
    "roles": [
      "base",
--- a/nodes/mastodon-3.json
+++ b/nodes/mastodon-3.json
@ -37,7 +37,6 @@
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@ -64,6 +63,8 @@
      "redisio::disable_os_default",
      "redisio::configure",
      "redisio::enable",
      "nodejs::npm",
      "nodejs::install",
      "backup::default",
      "logrotate::default"
    ],
--- a/nodes/postgres-5.json
+++ b/nodes/postgres-5.json
@ -1,35 +1,37 @@
 {
-  "name": "postgres-7",
+  "name": "postgres-5",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
-      "host": "10.1.1.134"
+      "host": "10.1.1.54"
    }
  },
  "automatic": {
-    "fqdn": "postgres-7",
+    "fqdn": "postgres-5",
    "os": "linux",
-    "os_version": "5.4.0-1123-kvm",
+    "os_version": "5.4.0-153-generic",
-    "hostname": "postgres-7",
+    "hostname": "postgres-5",
-    "ipaddress": "192.168.122.89",
+    "ipaddress": "192.168.122.211",
    "roles": [
      "base",
      "kvm_guest",
-      "postgresql_replica"
+      "postgresql_primary"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
-      "kosmos_postgresql::hostsfile",
+      "kosmos_postgresql::primary",
      "kosmos_postgresql::replica",
      "kosmos_postgresql::firewall",
      "kosmos-bitcoin::lndhub-go_pg_db",
      "kosmos-bitcoin::nbxplorer_pg_db",
      "kosmos_drone::pg_db",
      "kosmos_gitea::pg_db",
      "kosmos-mastodon::pg_db",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
@ -45,19 +47,19 @@
    "cloud": null,
    "chef_packages": {
      "chef": {
-        "version": "18.5.0",
+        "version": "18.2.7",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
        "chef_effortless": null
      },
      "ohai": {
-        "version": "18.1.11",
+        "version": "18.1.4",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
-    "role[postgresql_replica]"
+    "role[postgresql_primary]"
  ]
 }
--- a/nodes/postgres-6.json
+++ b/nodes/postgres-6.json
@ -13,21 +13,12 @@
    "ipaddress": "192.168.122.60",
    "roles": [
      "base",
-      "kvm_guest",
+      "kvm_guest"
      "postgresql_primary"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::primary",
      "kosmos_postgresql::firewall",
      "kosmos-akkounts::pg_db",
      "kosmos-bitcoin::lndhub-go_pg_db",
      "kosmos-bitcoin::nbxplorer_pg_db",
      "kosmos_drone::pg_db",
      "kosmos_gitea::pg_db",
      "kosmos-mastodon::pg_db",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@ -61,6 +52,6 @@
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
-    "role[postgresql_primary]"
+    "role[postgresql_replica]"
  ]
 }
--- a/nodes/postgres-8.json
+++ b/nodes/postgres-8.json
@ -1,62 +0,0 @@
 {
  "name": "postgres-8",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.99"
    }
  },
  "automatic": {
    "fqdn": "postgres-8",
    "os": "linux",
    "os_version": "5.15.0-1059-kvm",
    "hostname": "postgres-8",
    "ipaddress": "192.168.122.100",
    "roles": [
      "base",
      "kvm_guest",
      "postgresql_replica"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos_postgresql::hostsfile",
      "kosmos_postgresql::replica",
      "kosmos_postgresql::firewall",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.5.0",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.1.11",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[postgresql_replica]"
  ]
 }
--- a/nodes/strfry-1.json
+++ b/nodes/strfry-1.json
@ -1,68 +0,0 @@
 {
  "name": "strfry-1",
  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.164"
    }
  },
  "automatic": {
    "fqdn": "strfry-1",
    "os": "linux",
    "os_version": "5.15.0-1060-kvm",
    "hostname": "strfry-1",
    "ipaddress": "192.168.122.54",
    "roles": [
      "base",
      "kvm_guest",
      "strfry",
      "ldap_client"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos-dirsrv::hostsfile",
      "strfry",
      "strfry::default",
      "kosmos_strfry::policies",
      "kosmos_strfry::firewall",
      "kosmos_strfry::substr",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
      "ntp::default",
      "ntp::apparmor",
      "kosmos-base::journald_conf",
      "kosmos-base::systemd_emails",
      "apt::unattended-upgrades",
      "kosmos-base::firewall",
      "kosmos-postfix::default",
      "postfix::default",
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
      "deno::default"
    ],
    "platform": "ubuntu",
    "platform_version": "22.04",
    "cloud": null,
    "chef_packages": {
      "chef": {
        "version": "18.4.12",
        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib",
        "chef_effortless": null
      },
      "ohai": {
        "version": "18.1.11",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
      }
    }
  },
  "run_list": [
    "role[base]",
    "role[kvm_guest]",
    "role[strfry]"
  ]
 }
--- a/nodes/wiki-1.json
+++ b/nodes/wiki-1.json
@ -8,19 +8,16 @@
  "automatic": {
    "fqdn": "wiki-1",
    "os": "linux",
-    "os_version": "5.4.0-167-generic",
+    "os_version": "5.4.0-91-generic",
    "hostname": "wiki-1",
    "ipaddress": "192.168.122.26",
    "roles": [
-      "base",
+      "kvm_guest"
      "kvm_guest",
      "ldap_client"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_kvm::guest",
      "kosmos-dirsrv::hostsfile",
      "kosmos-mediawiki",
      "kosmos-mediawiki::default",
      "apt::default",
@ -44,6 +41,7 @@
      "php::package",
      "php::ini",
      "composer::global_configs",
      "kosmos-dirsrv::hostsfile",
      "mediawiki::default",
      "mediawiki::database",
      "kosmos-nginx::default",
--- a/roles/gitea.rb
+++ b/roles/gitea.rb
@ -3,13 +3,4 @@ name "gitea"
 run_list %w(
  role[postgresql_client]
  kosmos_gitea::default
  kosmos_gitea::backup
 )
 override_attributes(
  "gitea" => {
    "repo" => "https://github.com/67P/gitea.git",
    "revision" => "ldap_sync",
    "log" => { "level" => "Info" }
  },
 )
--- a/roles/lnd.rb
+++ b/roles/lnd.rb
@ -3,6 +3,7 @@ name "lnd"
 run_list %w(
  kosmos-bitcoin::lnd
  kosmos-bitcoin::lnd-scb-s3
  kosmos-bitcoin::boltz
  kosmos-bitcoin::rtl
  kosmos-bitcoin::peerswap-lnd
 )
--- a/roles/openresty_proxy.rb
+++ b/roles/openresty_proxy.rb
@ -28,9 +28,7 @@ production_run_list = %w(
  kosmos_liquor-cabinet::nginx
  kosmos_rsk::nginx_testnet
  kosmos_rsk::nginx_mainnet
  kosmos_strfry::nginx
  kosmos_website::default
  kosmos_website::redirects
  kosmos-akkounts::nginx
  kosmos-akkounts::nginx_api
  kosmos-bitcoin::nginx_lndhub
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@ -3,7 +3,6 @@ name "postgresql_primary"
 run_list %w(
  kosmos_postgresql::primary
  kosmos_postgresql::firewall
  kosmos-akkounts::pg_db
  kosmos-bitcoin::lndhub-go_pg_db
  kosmos-bitcoin::nbxplorer_pg_db
  kosmos_drone::pg_db
--- a/roles/strfry.rb
+++ b/roles/strfry.rb
@ -1,9 +0,0 @@
 name "strfry"
 run_list %w(
  role[ldap_client]
  strfry::default
  kosmos_strfry::policies
  kosmos_strfry::firewall
  kosmos_strfry::substr
 )
--- a/site-cookbooks/backup/attributes/default.rb
+++ b/site-cookbooks/backup/attributes/default.rb
@ -42,5 +42,5 @@ default['backup']['orbit']['keep'] = 10
 default['backup']['cron']['hour'] = "05"
 default['backup']['cron']['minute'] = "7"
-default['backup']['s3']['keep'] = 10
+default['backup']['s3']['keep'] = 15
-default['backup']['s3']['bucket'] = "kosmos-backups"
+default['backup']['s3']['bucket'] = "kosmos-dev-backups"
--- a/site-cookbooks/backup/recipes/default.rb
+++ b/site-cookbooks/backup/recipes/default.rb
@ -28,7 +28,6 @@ template "#{backup_dir}/config.rb" do
  sensitive true
  variables s3_access_key_id: backup_data["s3_access_key_id"],
            s3_secret_access_key: backup_data["s3_secret_access_key"],
            s3_endpoint: backup_data["s3_endpoint"],
            s3_region: backup_data["s3_region"],
            encryption_password: backup_data["encryption_password"],
            mail_from: "backups@kosmos.org",
--- a/site-cookbooks/backup/templates/default/config.rb.erb
+++ b/site-cookbooks/backup/templates/default/config.rb.erb
@ -23,10 +23,6 @@ Storage::S3.defaults do |s3|
  s3.secret_access_key = "<%= @s3_secret_access_key %>"
  s3.region            = "<%= @s3_region %>"
  s3.bucket            = "<%= node['backup']['s3']['bucket'] %>"
  s3.fog_options       = {
    endpoint: "<%= @s3_endpoint %>",
    aws_signature_version: 2
  }
 end
 Encryptor::OpenSSL.defaults do |encryption|
@ -92,6 +88,7 @@ end
 preconfigure 'KosmosBackup' do
  split_into_chunks_of 250 # megabytes
  store_with S3
  compress_with Bzip2
  encrypt_with OpenSSL
  notify_by Mail do |mail|
--- a/site-cookbooks/deno
+++ b/site-cookbooks/deno
@ -1 +0,0 @@
 Subproject commit 92839b20a4c3b0a15b99bd86ea7cae16645570a6
--- a/site-cookbooks/kosmos-akkounts/attributes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/attributes/default.rb
@ -22,7 +22,6 @@ node.default['akkounts']['lndhub']['public_key'] = nil
 node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
 node.default['akkounts']['nostr']['public_key'] = nil
 node.default['akkounts']['nostr']['relay_url'] = nil
 node.default['akkounts']['s3_enabled'] = true
 node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org"
--- a/site-cookbooks/kosmos-akkounts/recipes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb
@ -24,12 +24,13 @@ package "libvips"
 include_recipe 'redisio::default'
 include_recipe 'redisio::enable'
 node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
 include_recipe 'kosmos-nodejs'
 npm_package "bun"
-ruby_version = "3.3.8"
+npm_package "yarn" do
  version "1.22.4"
 end
 ruby_version = "3.3.0"
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
 rails_env = node.chef_environment == "development" ? "development" : "production"
@ -47,28 +48,7 @@ webhooks_allowed_ips = [lndhub_host].compact.uniq.join(',')
 env = {
  primary_domain: node['akkounts']['primary_domain'],
  akkounts_domain: node['akkounts']['domain'],
-  rails_serve_static_files: true,
+  rails_serve_static_files: true
  secret_key_base: credentials["rails_secret_key_base"],
  encryption_primary_key: credentials["rails_encryption_primary_key"],
  encryption_key_derivation_salt: credentials["rails_encryption_key_derivation_salt"],
  db_adapter: "postgresql",
  pg_host: "pg.kosmos.local",
  pg_port: 5432,
  pg_database: "akkounts",
  pg_database_queue: "akkounts_queue",
  pg_username: credentials["postgresql"]["username"],
  pg_password: credentials["postgresql"]["password"]
 }
 env[:ldap] = {
  host: "ldap.kosmos.local",
  port: 389,
  use_tls: false,
  uid_attr: "cn",
  base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
  admin_user: credentials["ldap"]["admin_user"],
  admin_password: credentials["ldap"]["admin_password"],
  suffix: "dc=kosmos,dc=org"
 }
 smtp_server, smtp_port = smtp_credentials[:relayhost].split(":")
@ -158,9 +138,9 @@ if lndhub_host
  if postgres_readonly_host
    env[:lndhub_admin_ui] = true
    env[:lndhub_pg_host] = postgres_readonly_host
-    env[:lndhub_pg_database] = node["akkounts"]["lndhub"]["postgres_db"]
+    env[:lndhub_pg_database] = node['akkounts']['lndhub']['postgres_db']
-    env[:lndhub_pg_username] = credentials["postgresql"]["username"]
+    env[:lndhub_pg_username] = credentials['postgresql_username']
-    env[:lndhub_pg_password] = credentials["postgresql"]["password"]
+    env[:lndhub_pg_password] = credentials['postgresql_password']
  end
 end
@ -183,7 +163,6 @@ env[:mediawiki_public_url] = node['mediawiki']['url']
 env[:nostr_private_key] = credentials['nostr_private_key']
 env[:nostr_public_key] = node['akkounts']['nostr']['public_key']
 env[:nostr_relay_url] = node['akkounts']['nostr']['relay_url']
 #
 # remoteStorage / Liquor Cabinet
@ -228,7 +207,7 @@ systemd_unit "akkounts.service" do
      Type: "simple",
      User: deploy_user,
      WorkingDirectory: deploy_path,
-      Environment: "RAILS_ENV=#{rails_env} SOLID_QUEUE_IN_PUMA=true",
+      Environment: "RAILS_ENV=#{rails_env}",
      ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
      ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
      ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
@ -245,6 +224,36 @@ systemd_unit "akkounts.service" do
  action [:create, :enable]
 end
 systemd_unit "akkounts-sidekiq.service" do
  content({
    Unit: {
      Description: "Kosmos Accounts async/background jobs",
      Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
      Requires: "redis@6379.service",
      After: "syslog.target network.target redis@6379.service"
    },
    Service: {
      Type: "notify",
      User: deploy_user,
      WorkingDirectory: deploy_path,
      Environment: "MALLOC_ARENA_MAX=2",
      ExecStart: "#{bundle_path} exec sidekiq -C #{deploy_path}/config/sidekiq.yml -e #{rails_env}",
      WatchdogSec: "10",
      Restart: "on-failure",
      RestartSec: "1",
      StandardOutput: "syslog",
      StandardError: "syslog",
      SyslogIdentifier: "sidekiq"
    },
    Install: {
      WantedBy: "multi-user.target"
    }
  })
  verify false
  triggers_reload true
  action [:create, :enable]
 end
 deploy_env = {
  "HOME" => deploy_path,
  "PATH" => "#{ruby_path}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin",
@ -257,7 +266,15 @@ git deploy_path do
  revision node[app_name]["revision"]
  user  deploy_user
  group deploy_group
  # Restart services on deployments
  notifies :run, "execute[restart #{app_name} services]", :delayed
 end
 execute "restart #{app_name} services" do
  command "true"
  action :nothing
  notifies :restart, "service[#{app_name}]", :delayed
  notifies :restart, "service[#{app_name}-sidekiq]", :delayed
 end
 file "#{deploy_path}/config/master.key" do
@ -265,7 +282,7 @@ file "#{deploy_path}/config/master.key" do
  mode '0400'
  owner deploy_user
  group deploy_group
-  notifies :restart, "service[#{app_name}]", :delayed
+  notifies :run, "execute[restart #{app_name} services]", :delayed
 end
 template "#{deploy_path}/.env.#{rails_env}" do
@ -275,7 +292,7 @@ template "#{deploy_path}/.env.#{rails_env}" do
  mode 0600
  sensitive true
  variables config: env
-  notifies :restart, "service[#{app_name}]", :delayed
+  notifies :run, "execute[restart #{app_name} services]", :delayed
 end
 execute "bundle install" do
@ -285,6 +302,13 @@ execute "bundle install" do
  command "bundle install --without development,test --deployment"
 end
 execute "yarn install" do
  environment deploy_env
  user deploy_user
  cwd deploy_path
  command "yarn install --pure-lockfile"
 end
 execute 'rake db:migrate' do
  environment deploy_env
  user deploy_user
@ -305,6 +329,10 @@ service "akkounts" do
  action [:enable, :start]
 end
 service "akkounts-sidekiq" do
  action [:enable, :start]
 end
 firewall_rule "akkounts_zerotier" do
  command  :allow
  port     node["akkounts"]["port"]
--- a/site-cookbooks/kosmos-akkounts/recipes/pg_db.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/pg_db.rb
@ -1,22 +0,0 @@
 #
 # Cookbook:: kosmos-akkounts
 # Recipe:: pg_db
 #
 credentials = data_bag_item("credentials", "akkounts")
 pg_username = credentials["postgresql"]["username"]
 pg_password = credentials["postgresql"]["password"]
 postgresql_user pg_username do
  action :create
  password pg_password
 end
 databases = ["akkounts", "akkounts_queue"]
 databases.each do |database|
  postgresql_database database do
    owner pg_username
    action :create
  end
 end
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
@ -14,10 +14,6 @@ server {
  listen [::]:443 ssl http2;
  server_name <%= @domain %>;
  if ($host != $server_name) {
    return 301 $scheme://$server_name$request_uri;
  }
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
@ -43,9 +39,6 @@ server {
  location @proxy {
    proxy_set_header Host $http_host;
    set $x_forwarded_host $http_x_forwarded_host;
    if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
    proxy_set_header X-Forwarded-Host $x_forwarded_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
--- a/site-cookbooks/kosmos-base/attributes/default.rb
+++ b/site-cookbooks/kosmos-base/attributes/default.rb
@ -1,2 +0,0 @@
 node.default["kosmos-base"]["journald"]["system_max_use"] = "256M"
 node.default["kosmos-base"]["journald"]["max_retention_sec"] = "7d"
--- a/site-cookbooks/kosmos-base/recipes/default.rb
+++ b/site-cookbooks/kosmos-base/recipes/default.rb
@ -27,19 +27,11 @@
 include_recipe 'apt'
 include_recipe 'timezone_iii'
 include_recipe 'ntp'
 include_recipe 'kosmos-base::journald_conf'
 include_recipe 'kosmos-base::systemd_emails'
 node.override["apt"]["unattended_upgrades"]["enable"] = true
 node.override["apt"]["unattended_upgrades"]["mail_only_on_error"] = false
 node.override["apt"]["unattended_upgrades"]["sender"] = "ops@kosmos.org"
 node.override["apt"]["unattended_upgrades"]["allowed_origins"] = [
  "${distro_id}:${distro_codename}-security",
-  "${distro_id}:${distro_codename}-updates",
+  "${distro_id}:${distro_codename}-updates"
  "${distro_id}ESMApps:${distro_codename}-apps-security",
  "${distro_id}ESMApps:${distro_codename}-apps-updates",
  "${distro_id}ESM:${distro_codename}-infra-security",
  "${distro_id}ESM:${distro_codename}-infra-updates"
 ]
 node.override["apt"]["unattended_upgrades"]["mail"] = "ops@kosmos.org"
 node.override["apt"]["unattended_upgrades"]["syslog_enable"] = true
--- a/site-cookbooks/kosmos-base/recipes/journald_conf.rb
+++ b/site-cookbooks/kosmos-base/recipes/journald_conf.rb
@ -1,14 +0,0 @@
 #
 # Cookbook Name:: kosmos-base
 # Recipe:: journald_conf
 #
 service "systemd-journald"
 template "/etc/systemd/journald.conf" do
  source "journald.conf.erb"
  variables system_max_use: node["kosmos-base"]["journald"]["system_max_use"],
            max_retention_sec: node["kosmos-base"]["journald"]["max_retention_sec"]
  # Restarting journald is required
  notifies :restart, "service[systemd-journald]", :delayed
 end
--- a/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
+++ b/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
@ -56,6 +56,7 @@ action :create do
      command <<-CMD
      certbot certonly --manual -n \
        --preferred-challenges dns \
        --manual-public-ip-logging-ok \
        --agree-tos \
        --manual-auth-hook '#{hook_auth_command}' \
        --manual-cleanup-hook '#{hook_cleanup_command}' \
--- a/site-cookbooks/kosmos-base/templates/default/journald.conf.erb
+++ b/site-cookbooks/kosmos-base/templates/default/journald.conf.erb
@ -1,6 +0,0 @@
 [Journal]
 # Set the maximum size of the journal logs in bytes
 SystemMaxUse=<%= @system_max_use %>
 # Set the number of days after which logs will be deleted
 MaxRetentionSec=<%= @max_retention_sec %>
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@ -1,5 +1,5 @@
-node.default['bitcoin']['version']   = '29.0'
+node.default['bitcoin']['version']   = '26.0'
-node.default['bitcoin']['checksum']  = '882c782c34a3bf2eacd1fae5cdc58b35b869883512f197f7d6dc8f195decfdaa'
+node.default['bitcoin']['checksum']  = 'ab1d99276e28db62d1d9f3901e85ac358d7f1ebcb942d348a9c4e46f0fcdc0a1'
 node.default['bitcoin']['username']  = 'satoshi'
 node.default['bitcoin']['usergroup'] = 'bitcoin'
 node.default['bitcoin']['network']   = 'mainnet'
@ -24,8 +24,7 @@ node.default['bitcoin']['conf'] = {
  rpcbind: "127.0.0.1:8332",
  gen: 0,
  zmqpubrawblock: 'tcp://127.0.0.1:8337',
-  zmqpubrawtx: 'tcp://127.0.0.1:8338',
+  zmqpubrawtx: 'tcp://127.0.0.1:8338'
  deprecatedrpc: 'warnings' # TODO remove when upgrading to LND 0.18.4
 }
 # Also enables Tor for LND
@ -41,7 +40,7 @@ node.default['c-lightning']['log_level'] = 'info'
 node.default['c-lightning']['public_ip'] = '148.251.237.73'
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.19.1-beta'
+node.default['lnd']['revision'] = 'v0.17.3-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
 node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
 node.default['lnd']['alias'] = 'ln2.kosmos.org'
@ -59,13 +58,24 @@ node.default['lnd']['tor'] = {
  'skip-proxy-for-clearnet-targets' => 'true'
 }
 node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
 node.default['boltz']['revision'] = 'v1.2.7'
 node.default['boltz']['source_dir'] = '/opt/boltz'
 node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
 node.default['boltz']['grpc_host'] = '127.0.0.1'
 node.default['boltz']['grpc_port'] = '9002'
 node.default['boltz']['rest_disabled'] = 'false'
 node.default['boltz']['rest_host'] = '127.0.0.1'
 node.default['boltz']['rest_port'] = '9003'
 node.default['boltz']['no_macaroons'] = 'false'
 node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
-node.default['rtl']['revision'] = 'v0.15.2'
+node.default['rtl']['revision'] = 'v0.15.0'
 node.default['rtl']['host'] = '10.1.1.163'
 node.default['rtl']['port'] = '3000'
 node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
-node.default['lndhub-go']['revision'] = '1.0.2'
+node.default['lndhub-go']['revision'] = '0.14.0'
 node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
 node.default['lndhub-go']['port'] = 3026
 node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
@ -75,8 +85,6 @@ node.default['lndhub-go']['postgres']['port'] = 5432
 node.default['lndhub-go']['default_rate_limit'] = 20
 node.default['lndhub-go']['strict_rate_limit'] =  1
 node.default['lndhub-go']['burst_rate_limit'] =  10
 node.default['lndhub-go']['service_fee'] = 1
 node.default['lndhub-go']['no_service_fee_up_to_amount'] = 1000
 node.default['lndhub-go']['branding'] = {
  'title' => 'LndHub - Kosmos Lightning',
  'desc' => 'Kosmos accounts for the Lightning Network',
@ -90,7 +98,7 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/
 node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
 node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
-node.default['nbxplorer']['revision'] = 'v2.5.26'
+node.default['nbxplorer']['revision'] = 'v2.5.0'
 node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
 node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
 node.default['nbxplorer']['port'] = '24445'
@ -98,7 +106,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
 node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
 node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
-node.default['btcpay']['revision'] = 'v2.1.1'
+node.default['btcpay']['revision'] = 'v1.12.5'
 node.default['btcpay']['source_dir'] = '/opt/btcpay'
 node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
 node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
@ -111,5 +119,3 @@ node.default['btcpay']['postgres']['user'] = 'satoshi'
 node.default['peerswap']['repo'] = 'https://github.com/ElementsProject/peerswap.git'
 node.default['peerswap']['revision'] = 'master'
 node.default['peerswap-lnd']['source_dir'] = '/opt/peerswap'
 node.default['price_tracking']['rs_base_url'] = "https://storage.kosmos.org/kosmos/public/btc-price"
--- a/site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb
@ -11,7 +11,6 @@ credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 file "/root/.aws/config" do
  mode "600"
  sensitive true
  content lazy { <<-EOF
 [default]
 region = #{credentials["s3_region"]}
--- a/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
@ -12,15 +12,8 @@ if node["bitcoin"]["blocksdir_mount_type"]
  include_recipe "kosmos-bitcoin::blocksdir-mount"
 end
-apt_repository "ubuntu-toolchain-r" do
+%w{ libtool autotools-dev make automake cmake curl g++-multilib libtool
-  # provides g++-13, needed for better c++-20 support
+    binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
  uri "ppa:ubuntu-toolchain-r/test"
 end
 %w{
  gcc-13 g++-13 libtool autotools-dev make automake cmake curl bison
  binutils-gold pkg-config python3 patch
 }.each do |pkg|
  apt_package pkg
 end
@ -33,21 +26,28 @@ end
 execute "compile_bitcoin-core_dependencies" do
  cwd "/usr/local/bitcoind/depends"
-  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
+  command "make NO_QT=1"
  command "make -j $(($(nproc)/2))"
  action :nothing
  notifies :run, 'bash[compile_bitcoin-core]', :immediately
 end
 bash "compile_bitcoin-core" do
  cwd "/usr/local/bitcoind"
  environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
  code <<-EOH
-    cmake -B build --toolchain depends/x86_64-pc-linux-gnu/toolchain.cmake
+    ./autogen.sh
-    cmake --build build -j $(($(nproc)/2))
+    ./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
-    cmake --install build
+    make
  EOH
  action :nothing
  notifies :restart, "systemd_unit[bitcoind.service]", :delayed
 end
 link "/usr/local/bin/bitcoind" do
  to "/usr/local/bitcoind/src/bitcoind"
 end
 link "/usr/local/bin/bitcoin-cli" do
  to "/usr/local/bitcoind/src/bitcoin-cli"
 end
 bitcoin_user      = node['bitcoin']['username']
--- a/site-cookbooks/kosmos-bitcoin/recipes/boltz.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/boltz.rb
@ -0,0 +1,87 @@
 #
 # Cookbook:: kosmos-bitcoin
 # Recipe:: boltz
 #
 include_recipe "git"
 include_recipe "kosmos-bitcoin::golang"
 git node['boltz']['source_dir'] do
  repository node['boltz']['repo']
  revision node['boltz']['revision']
  action :sync
  notifies :run, 'bash[compile_and_install_boltz]', :immediately
 end
 bash "compile_and_install_boltz" do
  cwd node['boltz']['source_dir']
  code <<-EOH
 go mod vendor && \
 make build && \
 make install
  EOH
  action :nothing
  notifies :restart, "systemd_unit[boltzd.service]", :delayed
 end
 bitcoin_user  = node['bitcoin']['username']
 bitcoin_group = node['bitcoin']['usergroup']
 boltz_dir     = node['boltz']['boltz_dir']
 lnd_dir       = node['lnd']['lnd_dir']
 directory boltz_dir do
  owner bitcoin_user
  group bitcoin_group
  mode '0750'
  action :create
 end
 template "#{boltz_dir}/boltz.toml" do
  source "boltz.toml.erb"
  owner bitcoin_user
  group bitcoin_group
  mode '0640'
  variables lnd_grpc_host: '127.0.0.1',
            lnd_grpc_port: '10009',
            lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
            lnd_tlscert_path: "#{lnd_dir}/tls.cert",
            boltz_config: node['boltz']
  notifies :restart, "systemd_unit[boltzd.service]", :delayed
 end
 systemd_unit 'boltzd.service' do
  content({
    Unit: {
      Description: 'Boltz Daemon',
      Documentation: ['https://lnd.docs.boltz.exchange'],
      Requires: 'lnd.service',
      After: 'lnd.service'
    },
    Service: {
      User: bitcoin_user,
      Group: bitcoin_group,
      Type: 'simple',
      ExecStart: "/opt/boltz/boltzd",
      Restart: 'always',
      RestartSec: '30',
      TimeoutSec: '240',
      LimitNOFILE: '128000',
      PrivateTmp: true,
      ProtectSystem: 'full',
      NoNewPrivileges: true,
      PrivateDevices: true,
      MemoryDenyWriteExecute: true
    },
    Install: {
      WantedBy: 'multi-user.target'
    }
  })
  verify false
  triggers_reload true
  action [:create, :enable, :start]
 end
 unless node.chef_environment == 'development'
  node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
  include_recipe 'backup'
 end
--- a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
@ -21,7 +21,6 @@ bash 'build_btcpay' do
    systemctl stop btcpayserver.service
    ./build.sh
  EOH
  environment "DOTNET_CLI_TELEMETRY_OPTOUT" => 1
  action :nothing
  notifies :restart, "service[btcpayserver]", :delayed
 end
@ -88,7 +87,7 @@ systemd_unit 'btcpayserver.service' do
      Group: node['bitcoin']['usergroup'],
      Type: 'simple',
      WorkingDirectory: node['btcpay']['source_dir'],
-      Environment: "'BTCPAY_EXPLORERPOSTGRES=#{nbxpg_connect}' 'DOTNET_CLI_TELEMETRY_OPTOUT=1'",
+      Environment: defined?(nbxpg_connect) ? "'BTCPAY_EXPLORERPOSTGRES=#{nbxpg_connect}'" : '',
      ExecStart: "#{node['btcpay']['source_dir']}/run.sh --conf=#{node['btcpay']['config_path']}",
      PIDFile: '/run/btcpayserver/btcpayserver.pid',
      Restart: 'on-failure',
@ -104,8 +103,6 @@ systemd_unit 'btcpayserver.service' do
  verify false
  triggers_reload true
  action [:create]
  # reload is not applicable
  notifies :restart, "service[btcpayserver]", :delayed
 end
 service "btcpayserver" do
--- a/site-cookbooks/kosmos-bitcoin/recipes/golang.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/golang.rb
@ -5,7 +5,7 @@
 # Internal recipe for managing the Go installation in one place
 #
-node.override['golang']['version'] = "1.23.1"
+node.override['golang']['version'] = "1.20.3"
 include_recipe "golang"
 link '/usr/local/bin/go' do
--- a/site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb
@ -10,14 +10,12 @@ include_recipe "kosmos-bitcoin::aws-client"
 package "inotify-tools"
 backup_script_path = "/opt/lnd-channel-backup-s3.sh"
 backup_credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 template backup_script_path do
  source "lnd-channel-backup-s3.sh.erb"
  mode '0740'
  variables lnd_dir: node['lnd']['lnd_dir'],
            bitcoin_network: node['bitcoin']['network'],
            s3_endpoint: backup_credentials['s3_endpoint'],
            s3_bucket: node['backup']['s3']['bucket'],
            s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
  notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
--- a/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
@ -66,8 +66,6 @@ template "#{source_dir}/.env" do
    default_rate_limit: node['lndhub-go']['default_rate_limit'],
    strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
    burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
    service_fee: 1,
    no_service_fee_up_to_amount: 1000,
    branding: node['lndhub-go']['branding'],
    webhook_url: node['lndhub-go']['webhook_url'],
    sentry_dsn: credentials['sentry_dsn']
--- a/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb
@ -58,7 +58,9 @@ directory '/run/nbxplorer' do
 end
 env = {
-  NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20"
+  NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20",
  NBXPLORER_AUTOMIGRATE: "1",
  NBXPLORER_NOMIGRATEEVTS: "1"
 }
 systemd_unit 'nbxplorer.service' do
--- a/site-cookbooks/kosmos-bitcoin/recipes/price_tracking.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/price_tracking.rb
@ -1,59 +0,0 @@
 #
 # Cookbook:: kosmos-bitcoin
 # Recipe:: price_tracking
 #
 # Track BTC rates and publish them via remoteStorage
 #
 %w[curl jq].each do |pkg|
  apt_package pkg
 end
 daily_tracker_path = "/usr/local/bin/btc-price-tracker-daily"
 credentials = Chef::EncryptedDataBagItem.load('credentials', 'kosmos-rs')
 template daily_tracker_path do
  source "btc-price-tracker-daily.sh.erb"
  mode '0740'
  variables rs_base_url: node['price_tracking']['rs_base_url']
  notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
 end
 systemd_unit 'btc-price-tracker-daily.service' do
  content({
    Unit: {
      Description: 'BTC price tracker (daily rates)',
      After: 'network-online.target',
      Wants: 'network-online.target'
    },
    Service: {
      Type: 'oneshot',
      ExecStart: daily_tracker_path,
      Environment: "RS_AUTH=#{credentials["auth_tokens"]["/btc-price"]}"
    },
    Install: {
      WantedBy: 'multi-user.target'
    }
  })
  sensitive true
  triggers_reload true
  action [:create]
 end
 systemd_unit 'btc-price-tracker-daily.timer' do
  content({
    Unit: {
      Description: 'Run BTC price tracker daily'
    },
    Timer: {
      OnCalendar: '*-*-* 00:00:00',
      Persistent: 'true'
    },
    Install: {
      WantedBy: 'timers.target'
    }
  })
  triggers_reload true
  action [:create, :enable, :start]
 end
--- a/site-cookbooks/kosmos-bitcoin/recipes/rtl.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/rtl.rb
@ -46,22 +46,24 @@ rtl_config = {
  multiPassHashed: credentials["multiPassHashed"]
 }
 if node['boltz']
  # TODO adapt for multi-node usage
  rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
  rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
 end
 git rtl_dir do
  user bitcoin_user
  group bitcoin_group
  repository node['rtl']['repo']
  revision node['rtl']['revision']
  notifies :run, "execute[npm_install]", :immediately
  notifies :restart, "systemd_unit[#{app_name}.service]", :delayed
 end
-execute "npm_install" do
+execute "npm install" do
  cwd rtl_dir
  environment "HOME" => rtl_dir
  user bitcoin_user
  # TODO remove --force when upstream dependency issues have been resolved
  command "npm install --force"
  action :nothing
 end
 file "#{rtl_dir}/RTL-Config.json" do
--- a/site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb
@ -0,0 +1,32 @@
 [LND]
 # Host of the gRPC interface of LND
 host = "<%= @lnd_grpc_host %>"
 # Port of the gRPC interface of LND
 port = <%= @lnd_grpc_port %>
 # Path to a macaroon file of LND
 # The daemon needs to have permission to read various endpoints, generate addresses and pay invoices 
 macaroon = "<%= @lnd_macaroon_path %>"
 # Path to the TLS certificate of LND
 certificate = "<%= @lnd_tlscert_path %>"
 [RPC]
 # Host of the gRPC interface
 host = "<%= @boltz_config['grpc_host'] %>"
 # Port of the gRPC interface
 port = <%= @boltz_config['grpc_port'] %>
 # Whether the REST proxy for the gRPC interface should be disabled
 restDisabled = <%= @boltz_config['rest_disabled'] %>
 # Host of the REST proxy
 restHost = "<%= @boltz_config['rest_host'] %>"
 # Port of the REST proxy
 restPort = <%= @boltz_config['rest_port'] %>
 # Whether the macaroon authentication for the gRPC and REST interface should be disabled
 noMacaroons = <%= @boltz_config['no_macaroons'] %>
--- a/site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb
@ -1,49 +0,0 @@
 #!/bin/bash
 # Calculate yesterday's date in YYYY-MM-DD format
 YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
 echo "Starting price tracking for $YESTERDAY" >&2
 # Fetch and process rates for a fiat currency
 get_price_data() {
    local currency=$1
    local data avg open24 last
    data=$(curl -s "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/")
    if [ $? -eq 0 ] && [ ! -z "$data" ]; then
        echo "Successfully retrieved ${currency} price data" >&2
        open24=$(echo "$data" | jq -r '.open_24')
        last=$(echo "$data" | jq -r '.last')
        avg=$(( (${open24%.*} + ${last%.*}) / 2 ))
        echo $avg
    else
        echo "ERROR: Failed to retrieve ${currency} price data" >&2
        exit 1
    fi
 }
 # Get price data for each currency
 usd_avg=$(get_price_data "USD")
 eur_avg=$(get_price_data "EUR")
 gbp_avg=$(get_price_data "GBP")
 # Create JSON
 json="{\"EUR\":$eur_avg,\"USD\":$usd_avg,\"GBP\":$gbp_avg}"
 echo "Rates: $json" >&2
 # PUT in remote storage
 response=$(curl -X PUT \
    -H "Authorization: Bearer $RS_AUTH" \
    -H "Content-Type: application/json" \
    -d "$json" \
    -w "%{http_code}" \
    -s \
    -o /dev/null \
    "<%= @rs_base_url %>/$YESTERDAY")
 if [ "$response" -eq 200 ] || [ "$response" -eq 201 ]; then
   echo "Successfully uploaded price data" >&2
 else
   echo "ERROR: Failed to upload price data. HTTP status: $response" >&2
   exit 1
 fi
--- a/site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb
@ -3,5 +3,5 @@ set -xe -o pipefail
 while true; do
  inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
-  aws --endpoint <%= @s3_endpoint %> s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
+  aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
 done
--- a/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
@ -12,6 +12,7 @@ minchansize=<%= @lnd_minchansize %>
 autopilot.active=0
 [Bitcoin]
 bitcoin.active=1
 bitcoin.mainnet=1
 bitcoin.node=bitcoind
 bitcoin.basefee=<%= @lnd_basefee %>
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@ -84,12 +84,6 @@ hosts = [
    sql_database: "ejabberd",
    ldap_enabled: true,
    ldap_password: ejabberd_credentials['kosmos_ldap_password'],
    certfiles: [
      "/opt/ejabberd/conf/kosmos.org.crt",
      "/opt/ejabberd/conf/kosmos.org.key",
      "/opt/ejabberd/conf/kosmos.chat.crt",
      "/opt/ejabberd/conf/kosmos.chat.key"
    ],
    append_host_config: <<-EOF
    modules:
      mod_disco:
@ -110,7 +104,6 @@ hosts = [
        access_persistent: muc_create
        access_register: muc_create
        max_user_conferences: 1000
        max_users: 2000
        default_room_options:
          mam: true
        preload_rooms: true
@ -121,10 +114,6 @@ hosts = [
    sql_database: "ejabberd_5apps",
    ldap_enabled: true,
    ldap_password: ejabberd_credentials['5apps_ldap_password'],
    certfiles: [
      "/opt/ejabberd/conf/5apps.com.crt",
      "/opt/ejabberd/conf/5apps.com.key"
    ],
    append_host_config: <<-EOF
    modules:
      mod_disco:
@ -166,7 +155,7 @@ admin_users = ejabberd_credentials['admins']
 hosts.each do |host|
  ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
  if host[:name] == "kosmos.org"
-    ldap_filter = "(&(objectClass=person)(serviceEnabled=ejabberd))"
+    ldap_filter = "(&(objectClass=person)(serviceEnabled=xmpp))"
  else
    ldap_filter = "(objectClass=person)"
  end
--- a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
@ -15,9 +15,9 @@ set -e
 # letsencrypt live folder
 for domain in $RENEWED_DOMAINS; do
  case $domain in
-  kosmos.org|kosmos.chat|5apps.com)
+  kosmos.org|5apps.com)
-    cp "/etc/letsencrypt/live/${domain}/privkey.pem" /opt/ejabberd/conf/$domain.key
+    cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key
-    cp "/etc/letsencrypt/live/${domain}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
+    cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
    chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
    chmod 600 /opt/ejabberd/conf/$domain.*
    /opt/ejabberd-#{node["ejabberd"]["version"]}/bin/ejabberdctl reload_config
@ -38,29 +38,21 @@ gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
 template "/root/gandi_dns_certbot_hook.sh" do
  variables access_token: gandi_api_credentials["access_token"]
  mode 0700
  sensitive true
 end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
-execute "letsencrypt cert for kosmos.org domains" do
+execute "letsencrypt cert for kosmos xmpp" do
-  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d upload.kosmos.org -d proxy.kosmos.org -d pubsub.kosmos.org -d uploads.xmpp.kosmos.org -n"
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
  end
 end
 execute "letsencrypt cert for kosmos.chat" do
  command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.chat -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/kosmos.chat/fullchain.pem")
  end
 end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.chat\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.chat\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
  end
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@ -185,11 +185,8 @@ api_permissions:
    what:
      - "add_rosteritem"
      - "delete_rosteritem"
      - "get_vcard2"
      - "muc_register_nick"
      - "private_set"
      - "send_message"
-      - "send_stanza"
+      - "private_set"
 language: "en"
@ -219,7 +216,7 @@ modules:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: false
-    max_items_node: 10000
+    max_items_node: 10
    plugins:
      - "flat"
      - "pep" # pep requires mod_caps
@ -234,6 +231,7 @@ modules:
  mod_shared_roster: {}
  mod_stun_disco:
    offer_local_services: false
    credentials_lifetime: 300
    secret: <%= @stun_secret %>
    services:
      -
--- a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
@ -1,8 +1,7 @@
 # Generated by Chef for <%= @host[:name] %>
 certfiles:
-<% @host[:certfiles].each do |certfile| %>
+  - "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
-  - <%= certfile %>
+  - "/opt/ejabberd/conf/<%= @host[:name] %>.key"
 <% end %>
 host_config:
  "<%= @host[:name] %>":
    sql_type: pgsql
--- a/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb
+++ b/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb
@ -4,7 +4,6 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
 tls_cert_for domain do
  auth "gandi_dns"
  acme_domain "letsencrypt.kosmos.org"
  action :create
 end
--- a/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb
+++ b/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb
@ -5,7 +5,6 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
 tls_cert_for domain do
  auth "gandi_dns"
  acme_domain "letsencrypt.kosmos.org"
  action :create
 end
--- a/site-cookbooks/kosmos-mastodon/attributes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb
@ -1,5 +1,5 @@
 node.default["kosmos-mastodon"]["repo"]              = "https://gitea.kosmos.org/kosmos/mastodon.git"
-node.default["kosmos-mastodon"]["revision"]          = "production-4.3"
+node.default["kosmos-mastodon"]["revision"]          = "production"
 node.default["kosmos-mastodon"]["directory"]         = "/opt/mastodon"
 node.default["kosmos-mastodon"]["bind_ip"]           = "127.0.0.1"
 node.default["kosmos-mastodon"]["app_port"]          = 3000
@ -20,10 +20,6 @@ node.default["kosmos-mastodon"]["s3_region"]     = nil
 node.default["kosmos-mastodon"]["s3_bucket"]     = nil
 node.default["kosmos-mastodon"]["s3_alias_host"] = nil
 node.default["kosmos-mastodon"]["sso_account_sign_up_url"] = "https://kosmos.org"
 node.default["kosmos-mastodon"]["sso_account_reset_password_url"] = "https://accounts.kosmos.org/users/password/new"
 node.default["kosmos-mastodon"]["sso_account_resend_confirmation_url"] = "https://accounts.kosmos.org/users/confirmation/new"
 node.default["kosmos-mastodon"]["default_locale"] = "en"
 node.default["kosmos-mastodon"]["libre_translate_endpoint"] = nil
--- a/site-cookbooks/kosmos-mastodon/recipes/backup.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/backup.rb
@ -6,12 +6,13 @@
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 unless node.chef_environment == "development"
-  node.override['backup']['s3']['keep'] = 1
+  unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
    node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
    node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
      username: "mastodon",
      password: postgresql_data_bag_item['mastodon_user_password']
    }
  end
  include_recipe "backup"
 end
--- a/site-cookbooks/kosmos-mastodon/recipes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb
@ -3,7 +3,7 @@
 # Recipe:: default
 #
-node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
+node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_16.x"
 include_recipe "kosmos-nodejs"
 include_recipe "java"
@ -71,7 +71,11 @@ package %w(build-essential imagemagick ffmpeg libxml2-dev libxslt1-dev file git
           curl pkg-config libprotobuf-dev protobuf-compiler libidn11
           libidn11-dev libjemalloc2 libpq-dev)
-ruby_version = "3.3.5"
+npm_package "yarn" do
  version "1.22.4"
 end
 ruby_version = "3.3.0"
 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"
@ -186,13 +190,9 @@ template "#{mastodon_path}/.env.#{rails_env}" do
  mode  "0640"
  owner mastodon_user
  group mastodon_user
  sensitive true
  variables redis_url: node["kosmos-mastodon"]["redis_url"],
            domain: node["kosmos-mastodon"]["domain"],
            alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
            active_record_encryption_deterministic_key: credentials["active_record_encryption_deterministic_key"],
            active_record_encryption_key_derivation_salt: credentials["active_record_encryption_key_derivation_salt"],
            active_record_encryption_primary_key: credentials["active_record_encryption_primary_key"],
            paperclip_secret: credentials['paperclip_secret'],
            secret_key_base: credentials['secret_key_base'],
            otp_secret: credentials['otp_secret'],
@ -210,9 +210,6 @@ template "#{mastodon_path}/.env.#{rails_env}" do
            vapid_public_key: credentials['vapid_public_key'],
            db_pass: postgresql_credentials['mastodon_user_password'],
            db_host: "pg.kosmos.local",
            sso_account_sign_up_url: node["kosmos-mastodon"]["sso_account_sign_up_url"],
            sso_account_reset_password_url: node["kosmos-mastodon"]["sso_account_reset_password_url"],
            sso_account_resend_confirmation_url: node["kosmos-mastodon"]["sso_account_resend_confirmation_url"],
            default_locale: node["kosmos-mastodon"]["default_locale"],
            allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],
            libre_translate_endpoint: node["kosmos-mastodon"]["libre_translate_endpoint"]
@ -230,7 +227,7 @@ execute "yarn install" do
  environment deploy_env
  user mastodon_user
  cwd mastodon_path
-  command "corepack prepare && yarn install --immutable"
+  command "yarn install --frozen-lockfile"
 end
 execute "rake assets:precompile" do
@ -265,44 +262,6 @@ service "mastodon-streaming" do
  action [:enable, :start]
 end
 #
 # Delete cached remote media older than 30 days
 # Will be re-fetched if necessary
 #
 systemd_unit 'mastodon-delete-old-media-cache.service' do
  content({
    Unit: {
      Description: 'Delete old Mastodon media cache'
    },
    Service: {
      Type: "oneshot",
      WorkingDirectory: mastodon_path,
      Environment: "RAILS_ENV=#{rails_env}",
      ExecStart: "#{bundle_path} exec bin/tootctl media remove --days 30",
    }
  })
  triggers_reload true
  action [:create]
 end
 systemd_unit 'mastodon-delete-old-media-cache.timer' do
  content({
    Unit: {
      Description: 'Delete old Mastodon media cache'
    },
    Timer: {
      OnCalendar: '*-*-* 00:00:00',
      Persistent: 'true'
    },
    Install: {
      WantedBy: 'timer.target'
    }
  })
  triggers_reload true
  action [:create, :enable, :start]
 end
 firewall_rule "mastodon_app" do
  port     node['kosmos-mastodon']['app_port']
  source   "10.1.1.0/24"
--- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
@ -12,13 +12,6 @@ search(:node, "role:mastodon").each do |node|
 end
 if upstream_hosts.any?
  web_root_dir = "/var/www/#{server_name}/public"
  directory web_root_dir do
    action :create
    recursive true
    owner 'www-data'
    group 'www-data'
    mode 0755
  end
 else
  web_root_dir = "#{app_dir}/public"
  upstream_hosts << "localhost"
@ -35,9 +28,7 @@ template "#{node['openresty']['dir']}/snippets/mastodon.conf" do
  owner 'www-data'
  mode 0640
  variables web_root_dir: web_root_dir,
-            server_name:  server_name,
+            server_name:  server_name
            s3_private_url: "#{node["kosmos-mastodon"]["s3_endpoint"]}/#{node["kosmos-mastodon"]["s3_bucket"]}/",
            s3_public_url: "https://#{node["kosmos-mastodon"]["s3_alias_host"]}/"
  notifies :reload, 'service[openresty]', :delayed
 end
--- a/site-cookbooks/kosmos-mastodon/templates/default/env.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/env.erb
@ -12,9 +12,6 @@ LOCAL_HTTPS=true
 # Application secrets
 # Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=<%= @active_record_encryption_deterministic_key %>
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=<%= @active_record_encryption_key_derivation_salt %>
 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=<%= @active_record_encryption_primary_key %>
 PAPERCLIP_SECRET=<%= @paperclip_secret %>
 SECRET_KEY_BASE=<%= @secret_key_base %>
 OTP_SECRET=<%= @otp_secret %>
@ -47,9 +44,6 @@ LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
 LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
 LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
 LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
 SSO_ACCOUNT_SIGN_UP=<%= @sso_account_sign_up_url %>
 SSO_ACCOUNT_RESET_PASSWORD=<%= @sso_account_reset_password_url %>
 SSO_ACCOUNT_RESEND_CONFIRMATION=<%= @sso_account_resend_confirmation_url %>
 <% end %>
 # Optional asset host for multi-server setups
--- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb
@ -108,13 +108,11 @@ location @proxy {
  proxy_pass http://mastodon_app;
  proxy_buffering on;
  proxy_redirect off;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;
  # https://github.com/mastodon/mastodon/issues/24380
  proxy_redirect <%= @s3_private_url %> <%= @s3_public_url %>;
  tcp_nodelay on;
 }
--- a/site-cookbooks/kosmos-nginx/recipes/default.rb
+++ b/site-cookbooks/kosmos-nginx/recipes/default.rb
@ -59,7 +59,7 @@ cookbook_file "#{node["nginx"]["user_home"]}/maintenance.html" do
  source "maintenance.html"
  owner node['nginx']['user']
  group node['nginx']['group']
-  mode "0755"
+  mode "0640"
 end
 unless node.chef_environment == "development"
--- a/site-cookbooks/kosmos-postfix/recipes/default.rb
+++ b/site-cookbooks/kosmos-postfix/recipes/default.rb
@ -3,23 +3,20 @@
 # Recipe:: default
 #
-node.default["postfix"]["main"]["smtp_tls_CAfile"]  = "/etc/ssl/certs/ca-certificates.crt"
+node.default['postfix']['main']['smtp_tls_CAfile']  = '/etc/ssl/certs/ca-certificates.crt'
-node.default["postfix"]["main"]["smtpd_tls_CAfile"] = "/etc/ssl/certs/ca-certificates.crt"
+node.default['postfix']['main']['smtpd_tls_CAfile'] = '/etc/ssl/certs/ca-certificates.crt'
 return if node.run_list.roles.include?("email_server")
-smtp_credentials = Chef::EncryptedDataBagItem.load("credentials", "smtp")
+smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
-node.default["postfix"]["sasl"] = {
+node.default['postfix']['sasl']['smtp_sasl_user_name']        = smtp_credentials['user_name']
-  smtp_credentials["relayhost"] => {
+node.default['postfix']['sasl']['smtp_sasl_passwd']           = smtp_credentials['password']
-    "username" => smtp_credentials["user_name"],
+node.default['postfix']['sasl_password_file']                 = "#{node['postfix']['conf_dir']}/sasl_passwd"
-    "password" => smtp_credentials["password"]
+# Postfix doesn't support smtps relayhost, use STARTSSL instead
-  }
+node.default['postfix']['main']['relayhost']                  = smtp_credentials['relayhost']
-}
+node.default['postfix']['main']['smtp_sasl_auth_enable']      = 'yes'
 node.default['postfix']['main']['smtp_sasl_password_maps']    = "hash:#{node['postfix']['sasl_password_file']}"
 node.default['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
-# Postfix doesn"t support smtps relayhost, use STARTSSL instead
+include_recipe 'postfix::default'
 node.default["postfix"]["main"]["relayhost"]                  = smtp_credentials["relayhost"]
 node.default["postfix"]["main"]["smtp_sasl_auth_enable"]      = "yes"
 node.default["postfix"]["main"]["smtp_sasl_security_options"] = "noanonymous"
 include_recipe "postfix::default"
--- a/site-cookbooks/kosmos_drone/recipes/default.rb
+++ b/site-cookbooks/kosmos_drone/recipes/default.rb
@ -26,7 +26,7 @@ template "#{deploy_path}/docker-compose.yml" do
  mode 0640
  variables domain: node["kosmos_drone"]["domain"],
            upstream_port: node["kosmos_drone"]["upstream_port"],
-            gitea_server: "https://#{node["gitea"]["domain"]}",
+            gitea_server: "https://#{node["kosmos_gitea"]["nginx"]["domain"]}",
            client_id: credentials['client_id'],
            client_secret: credentials['client_secret'],
            rpc_secret: credentials['rpc_secret'],
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@ -1,21 +1,13 @@
-node.default["gitea"]["version"] = "1.23.8"
+node.default["gitea"]["version"] = "1.22.0"
-node.default["gitea"]["checksum"] = "827037e7ca940866918abc62a7488736923396c467fcb4acd0dd9829bb6a6f4c"
+node.default["gitea"]["checksum"] = "a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d"
 node.default["gitea"]["repo"] = nil
 node.default["gitea"]["revision"] = nil
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
 node.default["gitea"]["domain"] = "gitea.kosmos.org"
 node.default["gitea"]["config"] = {
  "log": {
    "level" => "Info",
    "logger.router.MODE" => "",
    "logger.xorm.MODE" => "",
    "logger.access.MODE" => ""
  },
  "actions": {
-    "enabled" => true
+    "enabled": true
  },
  "webhook":  {
    "allowed_host_list" => "external,127.0.1.1"
--- a/site-cookbooks/kosmos_gitea/metadata.rb
+++ b/site-cookbooks/kosmos_gitea/metadata.rb
@ -10,8 +10,5 @@ chef_version '>= 14.0'
 depends "firewall"
 depends "kosmos_openresty"
 depends "kosmos_postgresql"
 depends "kosmos-dirsrv"
 depends 'kosmos-nodejs'
 depends 'git'
 depends 'golang'
 depends "backup"
 depends "kosmos-dirsrv"
--- a/Show More
+++ b/Show More
		`@ -1 +0,0 @@`
			`Subproject commit 92839b20a4c3b0a15b99bd86ea7cae16645570a6`
		`@ -1,2 +0,0 @@`
			`node.default["kosmos-base"]["journald"]["system_max_use"] = "256M"`
			`node.default["kosmos-base"]["journald"]["max_retention_sec"] = "7d"`