kosmos/chef
8
3
Fork 0
Code Issues 34 Pull Requests 3 Projects 2 Activity

Compare commits

base: kosmos:notes/ejabberd_ldap_photo
Branches Tags
kosmos:master kosmos:feature/237-gitea_ssh_signing kosmos:bugfix/substr_url_matching kosmos:notes/ejabberd_ldap_photo kosmos:feature/akaunting kosmos:chore/ejabberd_service_avatar kosmos:feature/237-gitea_gpg kosmos:jammy_jellyfish
..
compare: kosmos:a70f5f950723245ffe8acb9cd4c46eb589735cb0
Branches Tags
kosmos:feature/237-gitea_ssh_signing kosmos:master kosmos:bugfix/substr_url_matching kosmos:notes/ejabberd_ldap_photo kosmos:feature/akaunting kosmos:chore/ejabberd_service_avatar kosmos:feature/237-gitea_gpg kosmos:jammy_jellyfish

1 Commits
notes/ejab ... a70f5f9507

Author SHA1 Message Date
Râu Cao
a70f5f9507 WIP virtual domain configs 2023-12-12 23:47:02 +01:00
170 changed files with 16388 additions and 3562 deletions
Expand all files Collapse all files

6
.gitmodules vendored
View File

@@ -4,9 +4,3 @@
[submodule "site-cookbooks/openresty"]
path = site-cookbooks/openresty
url = https://github.com/67P/chef-openresty.git
[submodule "site-cookbooks/strfry"]
path = site-cookbooks/strfry
url = git@gitea.kosmos.org:kosmos/strfry-cookbook.git
[submodule "site-cookbooks/deno"]
path = site-cookbooks/deno
url = git@gitea.kosmos.org:kosmos/deno-cookbook.git

4
README.md
View File

@@ -38,10 +38,6 @@ Clone this repository, `cd` into it, and run:
knife zero bootstrap ubuntu@zerotier-ip-address -x ubuntu --sudo --run-list "role[base],role[kvm_guest]" --secret-file .chef/encrypted_data_bag_secret
### Bootstrap a new VM with environment and role/app (postgres replica as example)
knife zero bootstrap ubuntu@10.1.1.134 -x ubuntu --sudo --environment production --run-list "role[base],role[kvm_guest],role[postgresql_replica]" --secret-file .chef/encrypted_data_bag_secret
### Run Chef Zero on a host server
knife zero converge -p2222 name:server-name.kosmos.org

4
clients/garage-10.json
View File

@@ -1,4 +0,0 @@
{
"name": "garage-10",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw2+3Wo+KkXVJCOX1SxT9\nSdwKXgPbCDM3EI9uwoxhMxQfRyN53dxIsBDsQUVOIe1Z8yqm4FenMQlNmeDR+QLE\nvNFf1fisinW+D9VVRm+CjcJy96i/Dyt786Z6YRrDlB860HxCbfTL2Zv5BRtbyIKg\nhz5gO+9PMEpPVR2ij9iue4K6jbM1AAL2ia/P6zDWLJqeIzUocCeHV5N0Z3jXH6qr\nf444v78x35MMJ+3tg5h95SU1/PDCpdSTct4uHEuKIosiN7p4DlYMoM5iSyvVoujr\nflRQPEpGzS9qEt3rDo/F4ltzYMx6bf1tB/0QaBKD+zwPZWTTwf61tSBo5/NkGvJc\nFQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-11.json
View File

@@ -1,4 +0,0 @@
{
"name": "garage-11",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfZcNEQojtmaogd9vGP/\nMsVPhAOlQ4kxKgrUas+p+XT7lXRan6b3M8UZEleIaL1HWsjSVwtFWRnNl8kg8rF8\nNEkLeOX8kHf7IoXDFOQa2TXanY8tSqrfh9/heFunt4Q3DluVt7S3bBdwukbDXm/n\nXJS2EQP33eJT4reL6FpVR0oVlFCzI3Vmf7ieSHIBXrbXy7AIvGC2+NVXvQle6pqp\nx0rqU6Wc6ef/VtIv+vK3YFnt9ue3tC63mexyeNKgRYf1YjDx61wo2bOY2t8rqN8y\nHeZ3dmAN8/Vwjk5VGnZqK7kRQ92G4IcE+mEp7MuwXcLqQ9WB960o+evay+o1R5JS\nhwIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-3.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "garage-3",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRSB8/ObjvQq6WuOVS/f\nypdX/2fLsUlt5tQ8GNuSY9rSM8gdvcXUvnPlxthZO4yvcPX85wmtBZX8fRJFdkJg\nYRCJbuVKO9sLTq8OUWXYpfU1q10FUhl034zxOMslpxVB6toirnk025vyq9jbuKP+\nYO+c40KZr67mgm0hveJfylayfiKP1HGm4HrV0maFivCgC8D+MPDDv75CsqRe5WSc\nh2CoauDJwVlhKZ92yq87ugGBhJJRUGOQZcfEvkUGj/HNAS6tuHl8YmVmhO8hBdee\nNto6RF54E1zB80R9oT/qitw23miEyUcHHVxhTR4tTWflZgd8l4wDOhX3Nf20xknu\nFQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-4.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "garage-4",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8it7QtT6zDiJJqlyHKfQ\nLqwu6bLblD15WWxlUSiOdhz3njWDv1BIDCAdkCR3HAXgxvk8sMj9QkvWS7u1+bc4\nxvHrY4Tgfg+Tk1h3gGa7ukll8s1WLIbGjj89vrK8PFr4iuDqRytYRMmcdMsNzPkS\nKcsOjFYWGV7KM/OwoQGVIOUPB+WtkrFAvNkXtIU6Wd5orzFMjt/9DPF2aO7QegL8\nG1mQmXcPGl9NSDUXptn/kzFKm/p4n7pjy6OypFT192ak7OA/s+CvQlaVE2tb/M3c\ne4J6A+PInV5AGKY6BxI3QRQLZIlqE0FXawFKr1iRU4JP4tVnICXZqy+SDXQU1zar\nTQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-5.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "garage-5",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJxLFOBbml94W/GAe7nm\ntZs1Ziy8IbqXySsm8bSwWhRMQ8UuseqQLG30R3Q5X5AoJbtNfd26l63qLtP2fFtL\n5km9dV+2FoIJWFetl8Wzr7CaLYAiNzTQSFHlV7+6DKmPMDcJ63GKrFR77vkSGOG6\nOWL1bJy5BOaClp/sKL/0WQ0+mRbTP6RCQ2eI+46clAg702SenBU6Nz9HDm+teKN7\nYlP1CvzXgfgfpDOsat7wGn5+oKcmKavZxcdn8bt5jRpg8v3JezaZIjMXt7XcNS4n\n0F4XO/efnZE5B5SN68j4BpD8N79zJw4HlRIGP+RaYv2qLtBeWgLHCCs9wXQXfj6b\nLwIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-7.json
View File

@@ -1,4 +0,0 @@
{
"name": "garage-7",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwoAigZUSwsfbBHx2PQ6W\n38Ght6eCvbpW1lsS58hTieRmRn+pgZVjvixhsBh57rUasCjaBywXk9BpNj2Foxck\nReHeoDI0RHsgniClyMrYj80y2NhoB6J8NB+cHkhdzIKplm6AH6M5xaAedtZU639a\n1nHMtpDlJhzgIYsiq1q06Aqd1w0Z9tf1RXQ1WvMDhTY4wlE5RZ2epBb6Usnlbjo2\nSqCIGIjRLmZxdsSWoiUUTlVPdUCzTNsN5G/ZVdRswhgseDmVJCIkK2Aji/XzhIrR\nh4RvUv9dhFemOVsFctJ/dQILXz5MZLUgakKf970M5R/Zggv//pqRSsYcB2UfaBpV\nLQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-8.json
View File

@@ -1,4 +0,0 @@
{
"name": "garage-8",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt4hXODzgHsIeWxXJm/F6\nSTFJ8JC89mWru7pOFzPWenOVMHgp4UpUB4rDTwQqojsWTDiq0x3ckUyOPw3Nj0jv\nxP4MMGS4SI0oRSJKzrYYss0hgUDTOBBd+Wxn0UiNEpN/PfQo9VZj9v/jak57cz7z\n5+rpl5v27fhgUIChjsHxdy+EamvCrYc+1JhyrLOlwlt8JxkZ8UPhoeZLWAbDgGLS\nEzHWSSVtBUPK+KYmVb2OK4lB56zPfek0U3gKN+04a1650jzOit8LzE6NaT180QDv\nX+gG6tk53vSXDmkBXsQ1mtB8aF+HaEG2Pra5HyihlweCPYdJT+e28wpq6+P5l3YR\ndQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/garage-9.json
View File

@@ -1,4 +0,0 @@
{
"name": "garage-9",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnMHzKE8JBrsQkmRDeMjX\n71mBzvRzNM90cwA8xtvIkXesdTyGqohX9k/PJbCY5ySGK9PpMaYDPVAnwnUP8LFQ\n3G98aSbLxUjqU/PBzRsnWpihehr05uz9zYcNFzr4LTNvGQZsq47nN9Tk+LG3zHP7\nAZViv2mJ4ZRnukXf6KHlyoVvhuTu+tiBM8QzjTF97iP/aguNPzYHmrecy9Uf5bSA\nZrbNZT+ayxtgswC2OclhRucx7XLSuHXtpwFqsQzSAhiX1aQ3wwCyH9WJtVwpfUsE\nlxTjcQiSM9aPZ8iSC0shpBaKD1j3iF/2K2Jk+88++zMhJJPLermvaJxzsdePgvyk\nKQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/postgres-4.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "postgres-4",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu6fPxOZeKloF/EgYvU0k\nOwv8bJjsCQcWaMTPle5//mRTszA6PM2z9RI+Mfr45qxTlsL9pQY8WJOWF6QOK31x\nszuqcr7oOjtAhrLI8f/oNDEDjcx325FqG9gNKQEAD7d4zodh+PhDe6x7GIyIS7lG\nIcD5Zre9iDwv8FGLR+5GLqS8SJOPL/wJkQ8w+N0f8YDFw81kiTta5NLhAx3fMDs0\n2kmoNlbmKlNZTtLjCfCV+/pa9oY6wycjck3GvobiFE/4cWaNkeGlPc+uAwlfmrOv\nHy0tq1XBX/BCvE5kMXmhnMT23JXjm2s2PgCLgEVGAXilXk/T597KDm+z4oBpAQma\nnQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/postgres-5.json Normal file
View File

@@ -0,0 +1,4 @@
{
"name": "postgres-5",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXZv6Gk+dhIVkTXH9hJ1\nt2oqsMSLmTUj71uPN+4j0rxCQriXa095Nle9ifJAxfwzQyKEpWKyZd1Hpyye6bL1\nwgWATZ/u5ZS4B63NhRFyDxgPlHWBBohaZBN42zeq0Y0PNGHPVGDH/zFDrpP22Q9Q\nYScsyXTauE/Yf8a/rKR5jdnoVsVVMxk0LHxka8FcM2cqVsDAcK7GqIG6epqNFY8P\nUb1P+mVxRwnkzvf1VtG212ezV/yw9uiQcUkHS+JwZMAgbC34k9iDyRmk6l4sj/Zk\nNem20ImMqdDzsrX8zEe21K+KNvpejPH9fxaNCwR8W+woBMMzqD3I7P9PbLjc70Rx\nRwIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/postgres-6.json
View File

@@ -1,4 +0,0 @@
{
"name": "postgres-6",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtVzM0fwlimmq11jTGTko\nK87LRYSar61tNF3qVWp9axNSMa6BSxVark9eYOqY4eLh/5vJVDqXDFq30/IUWg40\nH8hHWaOEvQrP2dm/XFw1RmunfbfN9gN07TuhaT3xFD5t+jFBuOSoJ4cPnFIABuVt\nFLrjgtYYjtZe5hGE9ZPmS7o2ATM5EU9mxeQ+TkgDbr8StvSPGdZ1ykhagf1pegGU\nRIfZ+4ZKzyDUAq+fYNhIbmlm5h2gP+XdtakPy43j7n0iN1vwDgBqJ2pdaVs/GcFf\nvaztoltguoknI2NPSez1N217asTTLuth0nHxVXiKCVXnqwDjxgWmuP6X2B7VYjyc\nxQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/postgres-7.json
View File

@@ -1,4 +0,0 @@
{
"name": "postgres-7",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArraIm6mXi0qgK4oWDs2I\nOIx+g/LPnfRd5aBXhoHcekGiJKttQTi5dRdN4+T6qVEC2h4Cc9qN47h2TZPLDh/M\neIZvu0AyicpectzXf6DtDZh0hFCnv47RDi9927op9tjMXk0SV1tLel7MN0dawATw\ny0vQkkr/5a3ZdiP4dFv+bdfVrj+Tuh85BYPVyX2mxq9F7Efxrt6rzVBiqr6uJLUY\nStpeB3CCalC4zQApKX2xrdtr2k8aJbqC6C//LiKbb7VKn+ZuZJ32L/+9HDEzQoFC\no0ZZPMhfnjcU+iSHYZuPMTJTNbwgRuOgpn9O8kZ239qYc59z7HEXwwWiYPDevbiM\nCQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/postgres-8.json
View File

@@ -1,4 +0,0 @@
{
"name": "postgres-8",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx88DgM/x1UbKRzgPexXE\nSyfrAsqaDVjqZz7yF3tqAc9A52Ol0KOM6NESoPWBVMbS86WtAjBcMHcOoQBJ+ovp\nXcjNlRtO1Il6/d4uCRr4CEDX+yeS0Qrt0SOORnoTbVlkq9VlVljyCmxk8VBCILzk\ndHvFr62mahMy6vOEcpCQgCwYE3ISH2jlTDz2agoK/CjIyyqFTlB1N7mJVGLrJdcA\nA2JOxDRE8HqOdpY7bHcHj4uyMWaKuM3zxXK04lhrvuPRfJUhXgsK9r5jeTEa8407\nqV9K+mB17R1dBeHmWEPDRt02HELe2SUjYmlmyVX73H2mWKDLBFpAFjOfz86CJ6jf\nDQIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/rsk-testnet-5.json
View File

@@ -1,4 +0,0 @@
{
"name": "rsk-testnet-5",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx/UHlgcSeh9Do7CTCKXC\n/4/aO2OvT+ijDVmrMYCNtE4sMeuFqKPnV1zxJZmRm4VNhkSQDkdWYD+6XvuFYW60\nyjB/N6D5lLlyjG4HD6fTkfh0K6f7t5mOYV7o4T59OoA3cBZuSROjtWmJ8jEFJ+k9\nII2kcyhPQcFN01ckzvZKRSPbVRccMoc+AKTjB3ZUfs/ERtlVoDrK4jEHluXOxUJO\nBKCcLonjJuLlpRLh7QfKrKFcR4idn5Ir43R6aSUesI/ipKwKsXnR3Bu7vXp74VF3\nMJ3EkdSBG+qJzy51fbRfQiUPAr/vSoVQZwW7FkIhIqqLkMaYCymn7qKfTGujoNU7\nlwIDAQAB\n-----END PUBLIC KEY-----\n"
}

4
clients/strfry-1.json
View File

@@ -1,4 +0,0 @@
{
"name": "strfry-1",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDV/RMGMXVDbvoA6PNh8\nQzhtHwYDCFcUSkbrwP6tzh6GpVunGEOdOdhj2V63T2tF1H+lujxQXh5pK7C0D6VZ\niO04ftJlo7/svyxUcwWr+znyN5sFdQRh3cBZiGSBYolizwoqgtPFlbNhmWAzV0Du\n9t8mhz70IK3B+UdwWyHtoK0NNsJGnQ9YzAvcjyDmEO/3sCjAhNnxVpmXftpcSmd9\nMonzFtIDBbRRll4AHZYRbmXCzx63+VmelvdnufnbY82liol0zzBwJaBD1wyNlG0y\ni96p3Kx03bLNlIaYVGbjZeJi+6oo2VDWJ4OloLLAYoHDSipeHT9qWfUdnE6ge4Lm\nywIDAQAB\n-----END PUBLIC KEY-----\n"
}

98
data_bags/credentials/akkounts.json
View File

@@ -1,93 +1,37 @@
{
"id": "akkounts",
"rails_master_key": {
"encrypted_data": "q/0BtGuFZJQhw+iG4ZmFG12DPaWQDGTb/nCmRoxOnsACkANqMv/zZ39CoNFe\nLPtZiItY\n",
"iv": "JV8R0iu6TrqcZRxL\n",
"auth_tag": "YxZIhEUnrd3XrwR6f9wO4A==\n",
"postgresql_username": {
"encrypted_data": "W+Ia820+uYCAED9LRkQ1ZVe//56GRS5u0HrG\n",
"iv": "NpuVENC7C5FCjsEz\n",
"auth_tag": "KbqVv27nTc4qm7kzRWcjUQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"rails_secret_key_base": {
"encrypted_data": "JmDQew3+OR6+yJ1xErwXeTn6jw8N2HwTc9yvAVJ3G+7w1s3N7rKDM6+M50ez\n2zP4Lm/eXzH4WTsTZlQcodlyNpi66pvUCGAkNM36rwTN5yvnhqPUmuSQi7AG\nDTBronBwr9ENvwA/gRuugyyhrRB1iuStpzpYKCMhZ2ae9Mrxdux0+ezfSLn4\nuP22uUrEqdQ/BWsW\n",
"iv": "U/+YncCk13U6bYMz\n",
"auth_tag": "2wPYJ/uVPv4jLKpAW/x6sw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"rails_encryption_primary_key": {
"encrypted_data": "u/7z91Og/2eM7PWi2JWYAQMhYX4S5+bMMeVpkFPu778Gqj6Td9pagsWIak/d\nb7AU1zjF\n",
"iv": "wYhrJWcuWbY8yo8S\n",
"auth_tag": "WEoEdNy6VBvB2d5gb8DTXw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"rails_encryption_key_derivation_salt": {
"encrypted_data": "noOwTZuxfhsH94bjOT9rWCKS9rb3wAoXELGrc4nJZeNrb/B9XnOLTuK/wen8\nfmtoym0P\n",
"iv": "jiFWs3VXhJdQBNqk\n",
"auth_tag": "XDpJFgadYp7LyRqU7SO+Fg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"postgresql": {
"encrypted_data": "Xorg8R8COxE/Swivu8MqZiwstD6rD+8FmgDx70pFscZ/CTb6WQRpyqGSrGZt\nZ7oL9WrqZs+mQgBb30odU+Sgdr6x\n",
"iv": "6QWZc3+MY0hBCc/s\n",
"auth_tag": "ZM+7OYyx5E9PciNG2OILhg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"ldap": {
"encrypted_data": "mr2Z7hXF1GOn8RmqeZMMdaUcmiVP4ZeKtTX6RYW1cR+FQiUwoITwTPBE9XUx\n2cqZ9Mcd8uJicmf9vd+PfwPtRtoZFwqHQ4LDRFLW64hBZyiEkZWxWW+HzgPr\n",
"iv": "k1AkyEplnJ4IZO1Z\n",
"auth_tag": "zAOcrPex3VLDfRFq38n7fA==\n",
"postgresql_password": {
"encrypted_data": "gPzUikJ3vBhjEzor0ie2341VPLRHNIvGvuD+HBwldw==\n",
"iv": "Jsnldm8Bx9IzXMNy\n",
"auth_tag": "63YXFGVxHn23X+/11qwTSA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"sentry_dsn": {
"encrypted_data": "51cAERaRBCRg/sMb5c13EcnJzsz6VEf7jx6X3ooUSzm9wHoEfC5Hs/qakr/D\nqm9x3s3aGURRzyLUIEoe9jCohGguh6ehrXYVrun0B6pghVU=\n",
"iv": "hJsiiW6dFQMEQ+2p\n",
"auth_tag": "TOIahNrUhhsdQGlzp6UV5g==\n",
"encrypted_data": "3aC1Nc+WiJIn+jc4HY4Rb1WAqCqEurbOLXhbah4zSIbVIaNGEKzaoC+IA+qi\nV1jAVxbE0A1w91MrGE6HNa+oMjiTMurYx7JzVBIpCm01rgo=\n",
"iv": "SxEbTBYY2Pa5BzAF\n",
"auth_tag": "zGkIpM/aeyuNm2F0I3VAcA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"rails_master_key": {
"encrypted_data": "cWOeQYNzOjgDNi7ZpkMC/jN7nSPyODYRhA6EIhhihzPxkEDt+/4HGNAhLHGK\nlJiQeRD/\n",
"iv": "Svsvx9gsO9OQs9RV\n",
"auth_tag": "mXVNNo13F6FddhWnri1yHQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"discourse_connect_secret": {
"encrypted_data": "pvKcwuZgUJsAvClQ4V0BwhwEg09EUEWVxoSx+mFlfG1KpvZE4Cu3u3PalPSD\nldyKsw==\n",
"iv": "ED85d6PKyaKB3Wlv\n",
"auth_tag": "XVCU/WigC97tNe0bUK6okQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"lndhub_admin_token": {
"encrypted_data": "LvCgahQblsKOxK9iNbwDd31atBfemVppHqV7s3K/sR4j\n",
"iv": "zObzh2jEsqXk2vD2\n",
"auth_tag": "n9m/sBYBfzggwQLWrGpR2Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"btcpay_auth_token": {
"encrypted_data": "M4kGd6+jresm90nWrJG25mX6rfhaU+VlJlIVd/IjOAUsDABryyulJul3GZFh\nFPSI4uEhgIWtn56I0bA=\n",
"iv": "hvqHm7A/YfUOJwRJ\n",
"auth_tag": "DhtT6IeixD1MSRX+D7JxZA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_access_key": {
"encrypted_data": "FPRpLZoIbLcVWPJhOlX7ZeXGv6TZIWYAD+BKTsJOyOHxDG3eRULqQc89cGWi\n",
"iv": "f9WiiGLmDxtygp60\n",
"auth_tag": "lGnq4itmByuF/Yp20/6coQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_key": {
"encrypted_data": "JnnwISbHJ+d7JZB/C0NH0fb8p+bDSwoq5t5knSi+bSTltSxKcq6PRX9K6bov\nEbo0GTdWePbuc5NCsyYxfrkzCtpLXTIxeCROtinRmFIgMFNwaOA=\n",
"iv": "pKPCaANDqGtbFV3V\n",
"auth_tag": "S//hn2HOhuZH8+UfCNBWDg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"nostr_private_key": {
"encrypted_data": "AKfFiLow+veDyEWBwmCDuLerT3l+o2aJUCeHg2mZZIyoH4oeo/9crZwIdjBn\n70reouqnHNG9mBHuO/+IPGfj53mHLo+oGHh+6LkL3ImI4MFBofY=\n",
"iv": "bPlOKk2qkJAzdKf+\n",
"auth_tag": "VIp1IOjBGatn2MN5LHVymg==\n",
"encrypted_data": "BQcE5fUkiqJyuOR1dR9vNyxWzgWGX1Wl1WINJDGJ1sJiajrgAspPgDt0dX5L\nhxG8CQ==\n",
"iv": "UKpt0F1FODuosQ9u\n",
"auth_tag": "MLgv0jR9MhWGmQNUkA8GUQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

43
data_bags/credentials/backup.json
View File

@@ -1,38 +1,27 @@
{
"id": "backup",
"s3_access_key_id": {
"encrypted_data": "245TrPvuoBRRTimhbt6qqsFb+JnnD377sPt1pguJy7Q2BXOy/jrX0wyMt+cP\nuA==\n",
"iv": "ylmRxSRO3AA4MSJN\n",
"auth_tag": "45tBcYZowPLrbv4Zu2P0Fw==\n",
"version": 3,
"cipher": "aes-256-gcm"
"encrypted_data": "emGNH4v7TTEh05Go/DsI3k7CFnaK4p/4JxodC4BYpyWw47/Z3dsuRMu4vXM3\n3YLH\n",
"iv": "Dau+ekb3UTYdl8w3fQKVcA==\n",
"version": 1,
"cipher": "aes-256-cbc"
},
"s3_secret_access_key": {
"encrypted_data": "jDIOjlBzTkBUzpj243T6KnBuH0qwyW7BUFMcqllljFSzxs7K8wYJOUreNbOP\ny8OpDWAuO0H4O4LuFMJXeM8=\n",
"iv": "PzvZr37EkJqz6JtM\n",
"auth_tag": "e3XW8oHVgmYibv/IBzj0yA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_endpoint": {
"encrypted_data": "ErJIEChxrreW7WKEwRtuP2MyYlsZRtqLdGa/x5QY58qgO036FgR3Hs2Z3yce\n",
"iv": "HOSAOgUjO7XGwk50\n",
"auth_tag": "XE1bwMIXHHE72V9K2KOLnw==\n",
"version": 3,
"cipher": "aes-256-gcm"
"encrypted_data": "Mxyly86JxrWUbubbSiqPdRosChzfI1Q8eBEG4n+2B9JJG4yExltO5Wc5kgSs\nX01MPXAc+PGLm+J9MngUtypo/g==\n",
"iv": "WRhBJGiuScYYsUsoT5j/UA==\n",
"version": 1,
"cipher": "aes-256-cbc"
},
"s3_region": {
"encrypted_data": "8cNSaYu7HH95ftG66lFdUIPZD7soz907CPA=\n",
"iv": "pU21ulF75y/SIs3x\n",
"auth_tag": "7WQQCbSbB2GybjY+C+5IvQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
"encrypted_data": "2ZGxu0tVzKNfx3K1Wleg0SAwGaPkHCi/XfKpJ+J7q40=\n",
"iv": "CNTZW2SEIgfw+IyzGI3TzQ==\n",
"version": 1,
"cipher": "aes-256-cbc"
},
"encryption_password": {
"encrypted_data": "l23CiIO2s1fIRn0NdoWZ+wK+Zhx3hCYDHf4ypjqMRekZ7xqafvXHHuogD5aj\npxYUKloH\n",
"iv": "Dzx83eP9L7Jqqidh\n",
"auth_tag": "UVn5XA5Tgsikc1GdOt1MUQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
"encrypted_data": "tsBWKBwhQFfEAM0EWMPtljSbqU1c5mOJXPjYJjNT5RUFhPlqa7gsE8aJbs+D\nSPKjAQ62j+iHeqCk9mE9CCkgBA==\n",
"iv": "uq5YAXuq2ynRLv9EIWoCFA==\n",
"version": 1,
"cipher": "aes-256-cbc"
}
}

27
data_bags/credentials/dirsrv.json
View File

@@ -1,30 +1,9 @@
{
"id": "dirsrv",
"admin_dn": {
"encrypted_data": "zRtz6Scb9WtUXGyjc0xyvsre0YvqupuaFz+RPApj7DEQTmYyZPVb\n",
"iv": "xfIXMhEBHBWqa4Dz\n",
"auth_tag": "BcA32u1njcnCZ+yrBGSceQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"admin_password": {
"encrypted_data": "7JpXl3JZDqKWDfYt/wuNbkbob+oRuONhkuAlpqUCCEIn+tY=\n",
"iv": "Lcwc4NDzrfcBaIKQ\n",
"auth_tag": "rrePS3Bhdnwbr2d/o8vMhg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"service_dn": {
"encrypted_data": "sqRFiZreLeTPQljSfhAuV3DmsPxSC8tzWjCdu+WSSbO67sBQA+xhmGtzBhBD\nDZPGJw+jtAxzuVvPdAjxgAVgxXO6C6WEo87L1tdJewE=\n",
"iv": "GUEGtyRJXrPhWcUs\n",
"auth_tag": "2USsrx//3V7RCyumGCbMkg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"service_password": {
"encrypted_data": "f2wi8B8SEt6p5G0TF3dZ72j0vMFlvwcP1suxYnshBA==\n",
"iv": "rOnUoxbnkaJtodM+\n",
"auth_tag": "dVLCtBVMjxLfW2D8XjJBdQ==\n",
"encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
"iv": "KNW2B8tpX7ywZwbg\n",
"auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

24
data_bags/credentials/gandi_api.json
View File

@@ -1,24 +0,0 @@
{
"id": "gandi_api",
"key": {
"encrypted_data": "lU7/xYTmP5Sb6SsK5TNNIyegWozzBtUzpg7oDdl6gcz9FEMmG2ft0Ljh5Q==\n",
"iv": "EZPQD3C+wsP/mBhF\n",
"auth_tag": "vF9E8Pj4Z8quJJdOMg/QTw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"access_token": {
"encrypted_data": "1Uw69JkNrmb8LU/qssuod1SlqxxrWR7TJQZeeivRrNzrMIVTEW/1uwJIYL6b\nM4GeeYl9lIRlMMmLBkc=\n",
"iv": "cc1GJKu6Cf4DkIgX\n",
"auth_tag": "ERem4S7ozG695kjvWIMghw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"domains": {
"encrypted_data": "scZ5blsSjs54DlitR7KZ3enLbyceOR5q0wjHw1golQ==\n",
"iv": "oDcHm7shAzW97b4t\n",
"auth_tag": "62Zais9yf68SwmZRsmZ3hw==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}

9
data_bags/credentials/gandi_api_5apps.json Normal file
View File

@@ -0,0 +1,9 @@
{
"id": "gandi_api_5apps",
"key": {
"encrypted_data": "+tcD9x5MkNpf2Za5iLM7oTGrmAXxuWFEbyg4xrcWypSkSTjdIncOfD1UoIoS\nGzy1\n",
"iv": "ymls2idI/PdiRZCgsulwrA==\n",
"version": 1,
"cipher": "aes-256-cbc"
}
}

48
data_bags/credentials/gitea.json
View File

@@ -1,58 +1,58 @@
{
"id": "gitea",
"jwt_secret": {
"encrypted_data": "wMxs1Ec4vKRSzFtL2KuU1XfmR1t5KDx/7XBbI7V0QfgK+JwYbxU5w6feQCBE\nxOMepAXVUwU7RxPZ+hwQgPg=\n",
"iv": "F4vtuOL2B9e9LQnb\n",
"auth_tag": "NHATxHbr+3Y3Kxa68NwnjQ==\n",
"encrypted_data": "HHKq1HcxV9uC0aBdkn2AAA9C3dn2o8DnL2uDtZBf+epGC8sOko6/BSvsm8wV\nuG7yVmeFajgyCePSv4M8Or8=\n",
"iv": "raypiojdRL+DkiDa\n",
"auth_tag": "JZmWJyLTHNHAHNufRizL+w==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"internal_token": {
"encrypted_data": "mlvUtIjs6kcv7XcYCUOgOE/kDSE4Ts5G+CZuPrJapW9XwkebmyOnHJvXdihY\np/chUtar0pNB5Q16LeeZF9KrzOiDo/OXb40TPUzpsB0/607zV1z829STd4l7\nu5g4Zur13nxC9jT0zQL9QgDEobYdjgf/xu1BXxFT+Ue3lQ==\n",
"iv": "25+1a2OJYFNxdf1N\n",
"auth_tag": "aF8Gn6Mm7AwLjbR8cDnitg==\n",
"encrypted_data": "VFez8gOv5hnpBkURlufdPHvfQsL+lFlL8M9vywgKEi4XrXcNlDvoKKqdtSMv\nxGuoKqF/4NFcl2X3JRwp1j5iut+Jdg5CpnVVQLWKHc022LjD7K9nRsdmiD9Q\nLsLnU1Trzqg8VZS2ryqdjI4elkgoc15lmXwJvTNgRUzDqw==\n",
"iv": "q7H4q7kBfRt4floS\n",
"auth_tag": "vyd4ZwVxeFTTfvjI4k5irQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"secret_key": {
"encrypted_data": "xQuHuijNHoo2WicM2UvSGpwPHd0UilxlIl4BM2Rgyih5bdhjxB6UtUcY9uJQ\nYgxEd7y7R5+XhUAu87CEs4qAGtguDDxGtSGwgTSopvAYZewPFLw=\n",
"iv": "Kxwqagjps8kP7Dhz\n",
"auth_tag": "WGz5TzBzksf36hKPzBZTQQ==\n",
"encrypted_data": "7tD4E/5AuxxmNdu4arWj/BBNTUv6JX+m2ITbcLfE+VE2WacsCZUEyi1d1v0B\nyujQ9bljJn3z0zV4PxKFJILKjQb35PSiA8b86X/75Y1B9Gl64ds=\n",
"iv": "gE2O5aN+Nea6VXi7\n",
"auth_tag": "3+EmAUgBBDyChRBHsUtLig==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"postgresql_password": {
"encrypted_data": "ZziPtXhQM/TQBE+077smnjEPzfJOSo9Cj/CUnG/Be1AN0UAfielf68EhLg==\n",
"iv": "iBdSrY15vOc3eycF\n",
"auth_tag": "km2CkraKlpOygaz7Xy548Q==\n",
"encrypted_data": "mWN2sTOjZ1EPUH/KAJ8owoPM7v/+IfIHEPACN7gFDrqG8dWGjfiu+fvILw==\n",
"iv": "ldm57dVSdiPnk5l3\n",
"auth_tag": "D+r/0obCYWx53vIeUDPGMQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_key_id": {
"encrypted_data": "1j0znqBgNbHMyJIf51MmfkjkpU3SPv+EL8F30mrfQ44vsGziyeiWfp91hGUM\n",
"iv": "dzJM1EX/X8Qy5KbR\n",
"auth_tag": "2YUCCFG/oTph3svFYhhYzg==\n",
"encrypted_data": "AvlsAInGyPMvHle5YZT3EHMTG89PggqmFaddvHSQLEkvI2EycktxJ/btjGOP\n",
"iv": "qGkILPp5EWc21wwa\n",
"auth_tag": "eIpCgZAnWZR7nlllj+IXMQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_key": {
"encrypted_data": "7P3JUyl0LsGuGi8GhSYdXHm4bQhnkGfSrbEMGyfzjSYB5hqm17kYZwNbNA0O\nIUmJ6Kq9Nby7IFTd1qFo7aA+dXuvxJD5QXO8T5E+D0xIaWMHPco=\n",
"iv": "+ivHjYpQG/3gQWAi\n",
"auth_tag": "fftxN0Z/Kfrn+oFk07jKYQ==\n",
"encrypted_data": "TAo4ViF7cL+ibIuHM77irZW08ilD46S8N5BV91gc2wegvHpHqLHw5zrsDxfu\nDiJHGUfjge/NBOGN5VSKKC0nFfMJ4sLPxVSiKyON4RMBSuzSqmo=\n",
"iv": "tjK8XdaCZOdLUHyo\n",
"auth_tag": "Qu1z6e1/4gPIyaCwBjaWsw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_bucket": {
"encrypted_data": "98UnmjwIlLjNFQojZlQRMZAWpI/7s9xJkgvh4sU5I2jWmYk=\n",
"iv": "zLck9Dp6OP+L3BwX\n",
"auth_tag": "Zc5G6bd7CbZfDCZ31YWxMg==\n",
"encrypted_data": "NTp9+KyzlblporEwM7SEwoClXu5cI10SfVrJ/uywcf/x2l8=\n",
"iv": "TFTeQ8yKUhblmrFK\n",
"auth_tag": "L9nrXEeJhxcLO4YgGk4zpg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"runners": {
"encrypted_data": "f0RRLCrGT7LDUEXcM6m2dJ7C95UPqVZz9dfNLsYa/3SZLDcm1p4FDIy0Su6R\nrXMoAI9IdLBN7/BDMMvqkULEq3Bx5vXn+oTUsUYuKxWmvKEUhC4virOApxh6\n5GbuqcOEPKaf9lHByL+2HKdAmJMzVRGD0t78ePS2pU4H6IFnS9V1p6opOEPr\nzTJ+0PM98eQ/voFKDHGNHUqgDs2qu9wUYNmcHe1eSimFdJiOCN0Mlszu3HL0\nXkHfrGbLrcW+8Ol7dTXdDJB7WAd3R3vddoZQ+mrwzGGDeSMm+ezeMzAX\n",
"iv": "NtZ9SbbscX47BXGH\n",
"auth_tag": "ZGBzxjNFB5WPnJCpdFwtAQ==\n",
"encrypted_data": "yTCk4/hqw/4vEaXobdYU4vZRxErNp0GX4qDMuHwdr7UOQk2qQ8O8j44njPv2\ncKcIm6CQiip+GRuvl6+zETd8gctC0W14n5Rfep4zQbMp/BW3ypGambVk6z1m\nRnT4dMEl32rwcXG8c3w+vAFpx8smrK5iyy4ca0ZijC+eeysk4OAwn0XkvQuV\nB1Jy9CmVm9xiZ6sXaiU13tTry8A=\n",
"iv": "+biM/42g5doJNOax\n",
"auth_tag": "WwNgd6aqm26GcekYVOeBDQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

10
data_bags/credentials/kosmos-rs.json
View File

@@ -1,10 +0,0 @@
{
"id": "kosmos-rs",
"auth_tokens": {
"encrypted_data": "fiznpRw7VKlm232+U6XV1rqkAf2Z8CpoD8KyvuvOH2JniaymlcTHgazGWQ8s\nGeqK4RU9l4d29e9i+Mh0k4vnhO4q\n",
"iv": "SvurcL2oNSNWjlxp\n",
"auth_tag": "JLQ7vGXAuYYJpLEpL6C+Rw==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}

17
data_bags/credentials/liquor-cabinet.json
View File

@@ -1,17 +0,0 @@
{
"id": "liquor-cabinet",
"s3_access_key": {
"encrypted_data": "TKYUWVboQZUKvw4bqrKsL28dH2DGR5iDBQclAwm5I7GqkxFfkG2d91qLv+BA\n",
"iv": "B8YYzXeFGxMG34WI\n",
"auth_tag": "HOIfcpJOFYIVvf5o8lk4mg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_key": {
"encrypted_data": "GRqGJkGJ/f0zQVtO0r9TcXBqlpnfC5PiwTZK8QmsqEhzQI6U67NAf62QqTgl\nGVI1h8G5ITgC3l0xVhcvH6m2bcs9fjNzFIqnhoZhzGwEt51A5Zk=\n",
"iv": "UAlmoUWLedpd79xa\n",
"auth_tag": "2F/EJhY5/59dtFFwkd106A==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}

24
data_bags/credentials/lndhub-go.json
View File

@@ -1,30 +1,30 @@
{
"id": "lndhub-go",
"jwt_secret": {
"encrypted_data": "lJsKBTCRzI83xmRHXzpnuRH/4cuMOR+Rd+SBU50G9HdibadIEDhS\n",
"iv": "f/SvsWtZIYOVc54X\n",
"auth_tag": "YlJ78EuJbcPfjCPc2eH+ug==\n",
"encrypted_data": "3T4JYnoISKXCnatCBeLCXyE8wVjzphw5/JU5A0vHfQ2xSDZreIRQ\n",
"iv": "bGQZjCk6FtD/hqVj\n",
"auth_tag": "CS87+UK1ZIFMiNcNaoyO6w==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"postgresql_password": {
"encrypted_data": "aT0yNlWjvk/0S4z2kZB4Ye1u/ngk5J6fGPbwZSfdq6cy\n",
"iv": "OgUttF4LlSrL/7gH\n",
"auth_tag": "pcbbGqbQ2RjU+i9dt8c3OQ==\n",
"encrypted_data": "u8kf/6WdSTzyIz2kF+24JgOPLndWH2WmTFZ3CToJsnay\n",
"iv": "KqLtV2UuaAzJx7C8\n",
"auth_tag": "3aqx45+epb2NFkNfOfG89A==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"admin_token": {
"encrypted_data": "I9EsqCCxMIw+fX6sfu6KX8B5fJj9DX5Y4tbX30jdnmxr\n",
"iv": "vnERvIWYInO6+Y8q\n",
"auth_tag": "gO+MprZUQgPEWJQUmSF1sA==\n",
"encrypted_data": "Z737fXqRE9JHfunRhc2GG281dFFN1bvBvTzTDzl/Vb8O\n",
"iv": "oKLQJbD67tiz2235\n",
"auth_tag": "SlVIqC9d9SRoO78M7cBjTw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"sentry_dsn": {
"encrypted_data": "+sUXWgl6dXpA1/0FqjKC3Jnl54aor6gtM+19EM/NsHwg4qu672YnSgxV+c9x\nHM3JZBYxBYvJ+HYGAvMmhlGvaOOEIvLmFUpCCJeVUXR32S8=\n",
"iv": "82+DzAnHiptaX7sO\n",
"auth_tag": "CDx44iRBVhSIF8DOxb2c+w==\n",
"encrypted_data": "gmDHGDWkTIvaXjcWMs1dnKnbqtsADPJ2mLmWw8Idj6RVevU5CabjvviAxEo1\n3hs2LWuObumRSCQt2QKap191uMq3CL2+da53hbsv+JUkxl4=\n",
"iv": "Yt0fSsxL4SNicwUY\n",
"auth_tag": "j7BWbcNnymHHMNTADWmCNw==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

101
data_bags/credentials/mastodon.json
View File

@@ -1,114 +1,79 @@
{
"id": "mastodon",
"active_record_encryption_deterministic_key": {
"encrypted_data": "2ik8hqK7wrtxyC73DLI8FNezZiWp2rdjwaWZkTUFRj+iwvpSrGVEwMx6uxDI\nWa7zF3p/\n",
"iv": "XMp6wqwzStXZx+F3\n",
"auth_tag": "vloJOLqEcghfQXOYohVVlg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"active_record_encryption_key_derivation_salt": {
"encrypted_data": "Nq/rHayMYmT/82k3tJUKU8YTvDKUKLoK204aT0CMGZertZaAD3dtA9AkprrA\nPK0D9CdL\n",
"iv": "tn9C+igusYMH6GyM\n",
"auth_tag": "+ReZRNrfpl6ZDwYQpwm6dw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"active_record_encryption_primary_key": {
"encrypted_data": "UEDMuKHgZDBhpB9BwbPmtdmIDWHyS9/bSzaEbtTRvLcV8dGOE5q9lDVIIsQp\n2HE0c92p\n",
"iv": "tnB0pQ3OGDne3mN/\n",
"auth_tag": "kt234ms+bmcxJj/+FH/72Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"paperclip_secret": {
"encrypted_data": "AlsnNTRF6GEyHjMHnC4VdzF4swMlppz/Gcp1xr0OuMEgQiOcW1oSZjDRZCRV\nmuGqZXZx64wqZyzTsJZ6ayCLsmWlPq6L21odHWyO+P/C5ubenSXnuCjpUn3/\nHs8WLX3kwVmqCRnVgDl2vEZ5H4XedSLr7R7YM7gQkM0UX4muMDWWnOTR8/x/\ni1ecwBY5RjdewwyR\n",
"iv": "RWiLePhFyPekYSl9\n",
"auth_tag": "sUq4ZX9CFKPbwDyuKQfNLQ==\n",
"encrypted_data": "orOIbqFANPCkd4sUTCyyoh4z1o6SBudgH4wKJudTo9dANaHGhWcBUFKrhZi1\nMJTBQx/d0hiDI1P2XN3h+hROCg3JJ8OClUSJH9CfN5GlbWvXh0Nhq7hqy8L3\nLAPL+uigiXI6ObrnKQoD8LeJIB46233uwaCA/7zB6gah0ExJ2DXGH6qq9JSS\nqmTFiy+hT+VHGrUo\n",
"iv": "U4E4NLYLkP0/tTTs\n",
"auth_tag": "WKQ+pDPZp7B791lhC5j3iQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"secret_key_base": {
"encrypted_data": "K5CmIXFa9mS4/dODBQAN9Bw0SFpbLiZAB8ewiYpkB8NDXP6X/BX8aDjW2Y4F\ncMvpFyiFldRBhrh1MSKTVYQEoJ3JhlNL9HCdPsAYbBEW70AuEBpHvOtD5OxH\nqgbH4Reuk6JX5AI8SwDD3zGrdT12mTFVNgSujzuZMvpi1Sro2HtRGAkjmnaa\nMGKrBV21O1CREJJg\n",
"iv": "/yMMmz1YtKIs5HSd\n",
"auth_tag": "WXgIVWjIdbMFlJhTD5J0JQ==\n",
"encrypted_data": "vweClhdY8SqQkK+p0OYUL2B6Fsz5eQDpEYWCtd/eRJfwwYAObbLcMWRC6MwE\neQVMw59bOqYc3RBuv/+WPLtENazA1bYCXBXQr1J6xqjJAz0Mo6KbRyxy5n78\nv8q6RSiao1VVIUXohtFlQgWeV6x5sz34bJxjlHinKvKsgiGXiuVBxYUUfzWQ\nuzrGug09cpZBqfpc\n",
"iv": "Z0/csEBH5/X1+MR+\n",
"auth_tag": "fTvBN6eovi3JVEK0ZX97Nw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"otp_secret": {
"encrypted_data": "OPLnYRySSIDOcVHy2A5V+pCrz9zVIPjdpAGmCdgQkXtJfsS9NzNtxOPwrXo6\nuQlV9iPjr1Y9ljGKYytbF0fPgAa5q6Z1oHMY9vOGs/LGKj8wHDmIvxQ+Gil1\nC+dZEePmqGaySlNSB/gNzcFIvjBH3mDxHJJe9hDxSv5miNS9l9f3UvQeLP2M\nU7/aHKagL9ZHOp/d\n",
"iv": "wqJBLdZhJ7M/KRG9\n",
"auth_tag": "dv5YyZszZCrRnTleaiGd4A==\n",
"encrypted_data": "o1ts1bUgPIzFQXjJ2MpBMLntWkyPxDaJAaU1K3WzmNMXnw5MVlkKKCEFVccd\nPss/MwDuBkbNPhri3ZkH48m9SiayWETVYvw5GZzcVsw4TeMu915O44lfl9tX\nW3XHU+DBps1BVH9535R4X9M1aFW4W4XfwHtS5wcrZqtVhNhS3NSgE4JpN/Dz\nFdcFAOhflnt8fIAN\n",
"iv": "QLsxmIlX1NpxMyHz\n",
"auth_tag": "j1h/PvIoqshTBN5c5IaAsA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"aws_access_key_id": {
"encrypted_data": "A1/gfcyrwT6i9W6aGTJ8pH4Dm4o8ACDxvooDroA/2N0szOiNyiYX\n",
"iv": "JNvf21KhdM3yoLGt\n",
"auth_tag": "2xaZql1ymPYuXuvXzT3ymA==\n",
"encrypted_data": "YQHUx0GugKu0AtlbGLRGocFEhTGAghWA0DUs1Nxs4Hd3bTIp4lyM\n",
"iv": "54zt2tkQhHtpY7sO\n",
"auth_tag": "ofBJx3QDsjHe66ga3nji8g==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"aws_secret_access_key": {
"encrypted_data": "T1tc01nACxhDgygKaiAq3LChGYSgmW8LAwr1aSxXmJ5D2NtypJDikiHrJbFZ\nfWFgm1qe4L8iD/k5+ro=\n",
"iv": "FDTPQQDLUMKW7TXx\n",
"auth_tag": "msY6PFFYhlwQ0X7gekSDiw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"ldap_bind_dn": {
"encrypted_data": "C/YNROVyOxmR4O2Cy52TX41EKli2bCOMzwYD+6Hz/SiKkgidnKUHlvHlbTDq\nkWwlRDM2o8esOCKaEAGPNWcNc9IHlaSsfwhr4YWnwe0=\n",
"iv": "QCQF0+vH+//+nDxr\n",
"auth_tag": "a0PbyO/7wjufqH2acDCqmQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"ldap_password": {
"encrypted_data": "SqwKeiyzfvvZGqH5gi35BdW3W+Fo/AQQjso1Yfp2XA==\n",
"iv": "md2/etFJ1r/BKaYg\n",
"auth_tag": "OlCCOoYSD7ukdH2yWCd6KA==\n",
"encrypted_data": "FAz6xZ+wsCz/KFA+DK6f4V04rxJt+9U/yXUGF9tvce0VqB3scH+T0KDDn1/n\nZ/0G0Tbxt2urRPbPUdI=\n",
"iv": "iapSpeM6lfDMIfNk\n",
"auth_tag": "HlkwUnNeJlOUrZ3ieN5xAQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"smtp_user_name": {
"encrypted_data": "0kzppmSSUg7lEyYnI5a0nf+xO0vSVx88rbxI+niIdzFOOBKSIL6uVHJ340dw\nMQ==\n",
"iv": "lQR77ETTtIIyaG1r\n",
"auth_tag": "smF2HRg8WdmD+MWwkT3TqA==\n",
"encrypted_data": "ivB09/mCRrUaz9X4NFRBiqytjgy/vxN5Nha7gopFq5eSu9v4K9MkaLRqHh1I\nYw==\n",
"iv": "a8WKhRKsUjqBtfmn\n",
"auth_tag": "ib5WJNNaO7bRIspdACmOLw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"smtp_password": {
"encrypted_data": "1i0m9qiZA/8k8fMKo+04uyndl1UhagtHweBFICIorWALkB68edjb8OhUDxv9\nTubiXYRC\n",
"iv": "IU2x4ips9HWmKoxi\n",
"auth_tag": "BZJTDfPBvt8cf6/MbKzUJQ==\n",
"encrypted_data": "FxPz2e7fUNqcAu+DDJKlqn8rcSBLmnzigTFf5moZlQ1zz4YVl6pqHisa22Qz\nbfUx9rjU\n",
"iv": "GvRlNDV/b1WawtOP\n",
"auth_tag": "kyRCGfSJQelIwThDT4iQQQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"vapid_private_key": {
"encrypted_data": "+LmySMvzrV3z2z7BmJG9hpvkL06mGc87RG20XQhhdAJ2Z/5uMMjev2pUf7du\ntv2qvDJAimhkZajuDGL9R3eq\n",
"iv": "Mg7NhPl31O6Z4P+v\n",
"auth_tag": "qYWPInhgoWAjg0zQ+XXt5w==\n",
"encrypted_data": "DlbEAhd+SkSJoOSuwGhd5bdFlJADnT0w4u0+6m8AJoWJjoSCGAnzzmdHWT/k\nVUDkwiBCkqmEPK0oTvxnl/a8\n",
"iv": "6e0Gay7GVrQad1rI\n",
"auth_tag": "jjVundJ/ITxP/oYgEgzElg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"vapid_public_key": {
"encrypted_data": "NOyc+Cech9qG2HhnhajDaJMWd1OU5Rp6hws6i4xF5mLPePMJ9mJTqzklkuMK\npYSEdtcxA3KmDt1HrFxfezYUc9xO9pvlm0BPA7XAFmF/PU7/AJbFqgPU6pX/\ntSDLSdFuMB3ky+cl4DJi+O4=\n",
"iv": "rgUglYiHB/mhqGha\n",
"auth_tag": "DEX7hdNsNLi/LIrMkdUe/Q==\n",
"encrypted_data": "+m37w/eWYqdEjsEYQw27FvQC+37ucruOFjZAjo0OgCwA0SoVz4VHX2eSA2AK\njX4CnM91cY4e/WG/ZHKlOMN1PftyQn2bdGaw35nXDanep8z0ROa01JEEi5DE\nUFRKvBmPInTeR6xvemuj7GM=\n",
"iv": "loYbGrAsWGLUZ+BK\n",
"auth_tag": "lAfpEEVQq+n7MLLm/kpmIA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_key_id": {
"encrypted_data": "rPVzrYYIbcM+ssVpdL6wpCTdzLIEKXke1+eMlPLMG2gPuoh+W3eO3nFGb/s2\n",
"iv": "/qI8F9cvnfKG7ZXE\n",
"auth_tag": "z1+MPdkO/+SCaag2ULelPg==\n",
"encrypted_data": "4B8OQ0iVCCna4FvC+EuS5prEUWaHRm1+tzXGmFoCQ4WZfhUA1HwT3x651e/R\n",
"iv": "1/zGwcQPQQQCiXIs\n",
"auth_tag": "siK9ph1q3/VVEycy91wkqQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_key": {
"encrypted_data": "RMnB9kZ+slbQXfpo0udYld6S1QqBxqM1YbszdLfSAdKK9I0J3Kmvh/CQ5Fbx\nyov6LClmsl1rjtH16r7cY32M4Woq+6miERdtecyDrrYkNHz0xkA=\n",
"iv": "pO7bm3aOtjuwYjG/\n",
"auth_tag": "SRvn4z1+Vd5VAGgjG64s+Q==\n",
"encrypted_data": "BSAc8dE/rQUiVvTGV6Ee/ZUDpq4HZlpoaCZ+lbQAbcnxui4ib0OTLPFwhVJ9\n4OQWahtSzkqxMc6MKWpadLT1a3oTnvnae9b3u40X5b2P3VyZYCM=\n",
"iv": "bqw8GTqLMTs5vD5n\n",
"auth_tag": "+e48L1lYVNda7VE3uLOAHA==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

63
environments/production.json
View File

@@ -2,20 +2,12 @@
"name": "production",
"override_attributes": {
"akkounts": {
"btcpay": {
"public_url": "https://btcpay.kosmos.org",
"store_id": "FNJVVsrVkKaduPDAkRVchdegjwzsNhpceAdonCaXAwBX"
},
"ejabberd": {
"admin_url": "https://xmpp.kosmos.org:5443/admin"
},
"lndhub": {
"public_url": "https://lndhub.kosmos.org",
"public_key": "024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946"
},
"nostr": {
"public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
"relay_url": "wss://nostr.kosmos.org"
}
},
"discourse": {
@@ -25,21 +17,12 @@
"public_url": "https://drone.kosmos.org"
},
"ejabberd": {
"turn_domain": "turn.kosmos.org"
"turn_ip_address": "148.251.83.201"
},
"email": {
"domain": "kosmos.org",
"hostname": "mail.kosmos.org",
"report_contact": "abuse@kosmos.org",
"virtual_aliases": {
"admin@kosmos.org": "ops@kosmos.org",
"ops@kosmos.org": "ops@5apps.com",
"webmaster": "mail@kosmos.org",
"hostmaster@kosmos.org": "mail@kosmos.org",
"postmaster@kosmos.org": "mail@kosmos.org",
"abuse@kosmos.org": "mail@kosmos.org",
"mail@kosmos.org": "foundation@kosmos.org"
}
"report_contact": "abuse@kosmos.org"
},
"garage": {
"replication_mode": "2",
@@ -47,9 +30,8 @@
"s3_web_root_domain": "web.s3.kosmos.org",
"s3_web_domains": [
"media.kosmos.chat",
"s3.accounts.kosmos.org",
"s3.community.kosmos.org",
"s3.kosmos.social"
"s3.kosmos.social",
"s3.community.kosmos.org"
],
"xmpp_upload_bucket": "kosmos-xmpp-uploads"
},
@@ -69,15 +51,13 @@
"backup": {
"nodes_excluded": [
"garage-",
"lq-",
"rsk-",
"postgres-6"
"postgres-5"
]
}
},
"kosmos-mastodon": {
"domain": "kosmos.social",
"user_address_domain": "kosmos.social",
"s3_endpoint": "http://localhost:3900",
"s3_region": "garage",
"s3_bucket": "kosmos-social",
@@ -87,44 +67,11 @@
"mastodon.w7nooprauv6yrnhzh2ajpcnj3doinked2aaztlwfyt6u6pva2qdxqhid.onion"
]
},
"liquor-cabinet": {
"ufw_source_allowed": "10.1.1.0/24",
"redis_port": 6379,
"redis_db": 1,
"s3_endpoint": "http://localhost:3900",
"s3_region": "garage",
"s3_bucket": "rs-kosmos",
"domain": "storage.kosmos.org",
"root_redirect_url": "https://accounts.kosmos.org"
},
"mediawiki": {
"url": "https://wiki.kosmos.org"
},
"sentry": {
"allowed_ips": "10.1.1.0/24"
},
"strfry": {
"domain": "nostr.kosmos.org",
"real_ip_header": "x-real-ip",
"policy_path": "/opt/strfry/strfry-policy.ts",
"known_pubkeys": {
"_": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
"accounts": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
"bitcoincore": "47750177bb6bb113784e4973f6b2e3dd27ef1eff227d6e38d0046d618969e41a",
"fiatjaf": "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
},
"info": {
"name": "Kosmos Relay",
"description": "Members-only nostr relay for kosmos.org users",
"pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
"contact": "ops@kosmos.org",
"icon": "https://assets.kosmos.org/img/app-icon-256px.png"
}
},
"substr": {
"relay_urls": [
"ws://localhost:7777"
]
}
}
}

6
nodes/akkounts-1.json
View File

@@ -17,7 +17,6 @@
"kvm_guest",
"ldap_client",
"sentry_client",
"garage_gateway",
"akkounts",
"postgresql_client"
],
@@ -27,9 +26,6 @@
"kosmos_kvm::guest",
"kosmos-dirsrv::hostsfile",
"kosmos_sentry::client",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall_rpc",
"kosmos_postgresql::hostsfile",
"kosmos-akkounts",
"kosmos-akkounts::default",
@@ -47,7 +43,6 @@
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default",
"redisio::default",
"redisio::_install_prereqs",
"redisio::install",
@@ -81,7 +76,6 @@
"role[kvm_guest]",
"role[ldap_client]",
"role[sentry_client]",
"role[garage_gateway]",
"role[akkounts]"
]
}

10
nodes/bitcoin-2.json
View File

@@ -8,7 +8,7 @@
"automatic": {
"fqdn": "bitcoin-2",
"os": "linux",
"os_version": "5.4.0-163-generic",
"os_version": "5.4.0-131-generic",
"hostname": "bitcoin-2",
"ipaddress": "192.168.122.148",
"roles": [
@@ -16,6 +16,7 @@
"kvm_guest",
"sentry_client",
"bitcoind",
"cln",
"lnd",
"lndhub",
"postgresql_client",
@@ -29,8 +30,10 @@
"tor-full",
"tor-full::default",
"kosmos-bitcoin::bitcoind",
"kosmos-bitcoin::c-lightning",
"kosmos-bitcoin::lnd",
"kosmos-bitcoin::lnd-scb-s3",
"kosmos-bitcoin::boltz",
"kosmos-bitcoin::rtl",
"kosmos-bitcoin::peerswap-lnd",
"kosmos_postgresql::hostsfile",
@@ -38,7 +41,6 @@
"kosmos-bitcoin::dotnet",
"kosmos-bitcoin::nbxplorer",
"kosmos-bitcoin::btcpay",
"kosmos-bitcoin::price_tracking",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -101,9 +103,9 @@
"role[sentry_client]",
"recipe[tor-full]",
"role[bitcoind]",
"role[cln]",
"role[lnd]",
"role[lndhub]",
"role[btcpay]",
"recipe[kosmos-bitcoin::price_tracking]"
"role[btcpay]"
]
}

6
nodes/draco.kosmos.org.json
View File

@@ -20,7 +20,7 @@
"automatic": {
"fqdn": "draco.kosmos.org",
"os": "linux",
"os_version": "5.4.0-187-generic",
"os_version": "5.4.0-54-generic",
"hostname": "draco",
"ipaddress": "148.251.237.73",
"roles": [
@@ -47,17 +47,15 @@
"kosmos_assets::nginx_site",
"kosmos_discourse::nginx",
"kosmos_drone::nginx",
"kosmos-ejabberd::nginx",
"kosmos_garage::nginx_web",
"kosmos_garage::nginx_s3",
"kosmos_gitea::nginx",
"kosmos_gitea::nginx_ssh",
"kosmos_liquor-cabinet::nginx",
"kosmos_rsk::nginx_testnet",
"kosmos_rsk::nginx_mainnet",
"kosmos_strfry::nginx",
"kosmos_website",
"kosmos_website::default",
"kosmos_website::redirects",
"kosmos-akkounts::nginx",
"kosmos-akkounts::nginx_api",
"kosmos-bitcoin::nginx_lndhub",

9
nodes/fornax.kosmos.org.json
View File

@@ -24,8 +24,7 @@
"openresty",
"garage_gateway",
"tor_proxy",
"zerotier_controller",
"turn_server"
"zerotier_controller"
],
"recipes": [
"kosmos-base",
@@ -41,17 +40,15 @@
"kosmos_assets::nginx_site",
"kosmos_discourse::nginx",
"kosmos_drone::nginx",
"kosmos-ejabberd::nginx",
"kosmos_garage::nginx_web",
"kosmos_garage::nginx_s3",
"kosmos_gitea::nginx",
"kosmos_gitea::nginx_ssh",
"kosmos_liquor-cabinet::nginx",
"kosmos_rsk::nginx_testnet",
"kosmos_rsk::nginx_mainnet",
"kosmos_strfry::nginx",
"kosmos_website",
"kosmos_website::default",
"kosmos_website::redirects",
"kosmos-akkounts::nginx",
"kosmos-akkounts::nginx_api",
"kosmos-bitcoin::nginx_lndhub",
@@ -66,7 +63,6 @@
"kosmos_zerotier::controller",
"kosmos_zerotier::firewall",
"kosmos_zerotier::zncui",
"kosmos-ejabberd::coturn",
"kosmos-ejabberd::firewall",
"kosmos-ipfs::firewall_swarm",
"sockethub::firewall",
@@ -119,7 +115,6 @@
"role[kvm_host]",
"role[openresty_proxy]",
"role[zerotier_controller]",
"role[turn_server]",
"recipe[kosmos-ejabberd::firewall]",
"recipe[kosmos-ipfs::firewall_swarm]",
"recipe[kosmos_zerotier::firewall]",

64
nodes/garage-10.json
View File

@@ -1,64 +0,0 @@
{
"name": "garage-10",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.27"
}
},
"automatic": {
"fqdn": "garage-10",
"os": "linux",
"os_version": "5.4.0-1090-kvm",
"hostname": "garage-10",
"ipaddress": "192.168.122.70",
"roles": [
"base",
"kvm_guest",
"garage_node"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall_rpc",
"kosmos_garage::firewall_apis",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[garage_node]"
]
}

14
nodes/garage-7.json → nodes/garage-3.json
View File

@@ -1,17 +1,17 @@
{
"name": "garage-7",
"name": "garage-3",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.182"
"host": "10.1.1.39"
}
},
"automatic": {
"fqdn": "garage-7",
"fqdn": "garage-3",
"os": "linux",
"os_version": "5.4.0-1090-kvm",
"hostname": "garage-7",
"ipaddress": "192.168.122.86",
"os_version": "5.4.0-132-generic",
"hostname": "garage-3",
"ipaddress": "192.168.122.191",
"roles": [
"base",
"kvm_guest",
@@ -61,4 +61,4 @@
"role[kvm_guest]",
"role[garage_node]"
]
}
}

28
nodes/garage-9.json → nodes/garage-4.json
View File

@@ -1,17 +1,17 @@
{
"name": "garage-9",
"name": "garage-4",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.223"
"host": "10.1.1.104"
}
},
"automatic": {
"fqdn": "garage-9",
"fqdn": "garage-4",
"os": "linux",
"os_version": "5.4.0-1090-kvm",
"hostname": "garage-9",
"ipaddress": "192.168.122.21",
"os_version": "5.4.0-132-generic",
"hostname": "garage-4",
"ipaddress": "192.168.122.123",
"roles": [
"base",
"kvm_guest",
@@ -23,8 +23,7 @@
"kosmos_kvm::guest",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall_rpc",
"kosmos_garage::firewall_apis",
"kosmos_garage::firewall",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -39,20 +38,21 @@
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default"
"firewall::default",
"chef-sugar::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"version": "17.10.3",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
"version": "17.9.0",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
}
}
},
@@ -61,4 +61,4 @@
"role[kvm_guest]",
"role[garage_node]"
]
}
}

20
nodes/garage-11.json → nodes/garage-5.json
View File

@@ -1,17 +1,17 @@
{
"name": "garage-11",
"name": "garage-5",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.165"
"host": "10.1.1.33"
}
},
"automatic": {
"fqdn": "garage-11",
"fqdn": "garage-5",
"os": "linux",
"os_version": "5.15.0-1059-kvm",
"hostname": "garage-11",
"ipaddress": "192.168.122.9",
"os_version": "5.15.0-84-generic",
"hostname": "garage-5",
"ipaddress": "192.168.122.55",
"roles": [
"base",
"kvm_guest",
@@ -46,13 +46,13 @@
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"version": "18.3.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
"version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
}
}
},

64
nodes/garage-8.json
View File

@@ -1,64 +0,0 @@
{
"name": "garage-8",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.61"
}
},
"automatic": {
"fqdn": "garage-8",
"os": "linux",
"os_version": "5.4.0-1090-kvm",
"hostname": "garage-8",
"ipaddress": "192.168.122.207",
"roles": [
"base",
"kvm_guest",
"garage_node"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall_rpc",
"kosmos_garage::firewall_apis",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.4.2",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.2/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[garage_node]"
]
}

7
nodes/gitea-2.json
View File

@@ -9,7 +9,7 @@
"automatic": {
"fqdn": "gitea-2",
"os": "linux",
"os_version": "5.4.0-1123-kvm",
"os_version": "5.4.0-1096-kvm",
"hostname": "gitea-2",
"ipaddress": "192.168.122.189",
"roles": [
@@ -32,7 +32,6 @@
"kosmos_postgresql::hostsfile",
"kosmos_gitea",
"kosmos_gitea::default",
"kosmos_gitea::backup",
"kosmos_gitea::act_runner",
"apt::default",
"timezone_iii::default",
@@ -48,9 +47,7 @@
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default",
"backup::default",
"logrotate::default"
"firewall::default"
],
"platform": "ubuntu",
"platform_version": "20.04",

20
nodes/lq-1.json
View File

@@ -1,6 +1,5 @@
{
"name": "lq-1",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.87"
@@ -9,24 +8,17 @@
"automatic": {
"fqdn": "lq-1",
"os": "linux",
"os_version": "5.4.0-1104-kvm",
"os_version": "5.4.0-1090-kvm",
"hostname": "lq-1",
"ipaddress": "192.168.122.158",
"roles": [
"base",
"kvm_guest",
"garage_gateway",
"liquor_cabinet"
"kvm_guest"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall_rpc",
"kosmos_liquor-cabinet",
"kosmos_liquor-cabinet::default",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -40,9 +32,7 @@
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default",
"liquor_cabinet::default"
"hostname::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
@@ -61,8 +51,6 @@
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[garage_gateway]",
"role[liquor_cabinet]"
"role[kvm_guest]"
]
}

20
nodes/lq-2.json
View File

@@ -1,6 +1,5 @@
{
"name": "lq-2",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.188"
@@ -9,24 +8,17 @@
"automatic": {
"fqdn": "lq-2",
"os": "linux",
"os_version": "5.4.0-1104-kvm",
"os_version": "5.4.0-1090-kvm",
"hostname": "lq-2",
"ipaddress": "192.168.122.47",
"roles": [
"base",
"kvm_guest",
"garage_gateway",
"liquor_cabinet"
"kvm_guest"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall_rpc",
"kosmos_liquor-cabinet",
"kosmos_liquor-cabinet::default",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -40,9 +32,7 @@
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default",
"liquor_cabinet::default"
"hostname::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
@@ -61,8 +51,6 @@
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[garage_gateway]",
"role[liquor_cabinet]"
"role[kvm_guest]"
]
}

8
nodes/mail.kosmos.org.json
View File

@@ -3,15 +3,15 @@
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.95"
"host": "10.1.1.141"
}
},
"automatic": {
"fqdn": "mail.kosmos.org",
"os": "linux",
"os_version": "5.15.0-1048-kvm",
"hostname": "mail.kosmos.org",
"ipaddress": "192.168.122.131",
"os_version": "5.15.0-1045-kvm",
"hostname": "mail",
"ipaddress": "192.168.122.127",
"roles": [
"base",
"kvm_guest",

5
nodes/mastodon-3.json
View File

@@ -14,7 +14,6 @@
"ipaddress": "192.168.122.161",
"roles": [
"kvm_guest",
"ldap_client",
"garage_gateway",
"mastodon",
"postgresql_client"
@@ -23,7 +22,6 @@
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos-dirsrv::hostsfile",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall_rpc",
@@ -63,6 +61,8 @@
"redisio::disable_os_default",
"redisio::configure",
"redisio::enable",
"nodejs::npm",
"nodejs::install",
"backup::default",
"logrotate::default"
],
@@ -84,7 +84,6 @@
"run_list": [
"recipe[kosmos-base]",
"role[kvm_guest]",
"role[ldap_client]",
"role[garage_gateway]",
"role[mastodon]"
]

23
nodes/postgres-6.json → nodes/postgres-4.json
View File

@@ -1,16 +1,16 @@
{
"name": "postgres-6",
"name": "postgres-4",
"normal": {
"knife_zero": {
"host": "10.1.1.196"
"host": "10.1.1.107"
}
},
"automatic": {
"fqdn": "postgres-6",
"fqdn": "postgres-4",
"os": "linux",
"os_version": "5.4.0-173-generic",
"hostname": "postgres-6",
"ipaddress": "192.168.122.60",
"os_version": "5.4.0-122-generic",
"hostname": "postgres-4",
"ipaddress": "192.168.122.3",
"roles": [
"base",
"kvm_guest",
@@ -22,7 +22,6 @@
"kosmos_kvm::guest",
"kosmos_postgresql::primary",
"kosmos_postgresql::firewall",
"kosmos-akkounts::pg_db",
"kosmos-bitcoin::lndhub-go_pg_db",
"kosmos-bitcoin::nbxplorer_pg_db",
"kosmos_drone::pg_db",
@@ -48,13 +47,13 @@
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.4.2",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.2/lib",
"version": "18.3.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
"version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
}
}
},
@@ -63,4 +62,4 @@
"role[kvm_guest]",
"role[postgresql_primary]"
]
}
}

26
nodes/rsk-testnet-5.json → nodes/postgres-5.json
View File

@@ -1,26 +1,24 @@
{
"name": "rsk-testnet-5",
"name": "postgres-5",
"normal": {
"knife_zero": {
"host": "10.1.1.194"
"host": "10.1.1.54"
}
},
"automatic": {
"fqdn": "rsk-testnet-5",
"fqdn": "postgres-5",
"os": "linux",
"os_version": "5.4.0-1103-kvm",
"hostname": "rsk-testnet-5",
"ipaddress": "192.168.122.171",
"os_version": "5.4.0-153-generic",
"hostname": "postgres-5",
"ipaddress": "192.168.122.211",
"roles": [
"base",
"kvm_guest",
"rskj_testnet"
"kvm_guest"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_rsk::rskj",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -34,17 +32,15 @@
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"kosmos_rsk::firewall",
"firewall::default"
"hostname::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.3.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
"version": "18.2.7",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
"chef_effortless": null
},
"ohai": {
@@ -56,6 +52,6 @@
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[rskj_testnet]"
"role[postgresql_replica]"
]
}

62
nodes/postgres-7.json
View File

@@ -1,62 +0,0 @@
{
"name": "postgres-7",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.134"
}
},
"automatic": {
"fqdn": "postgres-7",
"os": "linux",
"os_version": "5.4.0-1123-kvm",
"hostname": "postgres-7",
"ipaddress": "192.168.122.89",
"roles": [
"base",
"kvm_guest",
"postgresql_replica"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::hostsfile",
"kosmos_postgresql::replica",
"kosmos_postgresql::firewall",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[postgresql_replica]"
]
}

62
nodes/postgres-8.json
View File

@@ -1,62 +0,0 @@
{
"name": "postgres-8",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.99"
}
},
"automatic": {
"fqdn": "postgres-8",
"os": "linux",
"os_version": "5.15.0-1059-kvm",
"hostname": "postgres-8",
"ipaddress": "192.168.122.100",
"roles": [
"base",
"kvm_guest",
"postgresql_replica"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_postgresql::hostsfile",
"kosmos_postgresql::replica",
"kosmos_postgresql::firewall",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default"
],
"platform": "ubuntu",
"platform_version": "22.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.5.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[postgresql_replica]"
]
}

6
nodes/redis-1.json
View File

@@ -1,6 +1,5 @@
{
"name": "redis-1",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.225"
@@ -9,7 +8,7 @@
"automatic": {
"fqdn": "redis-1",
"os": "linux",
"os_version": "5.4.0-1104-kvm",
"os_version": "5.4.0-1090-kvm",
"hostname": "redis-1",
"ipaddress": "192.168.122.83",
"roles": [
@@ -23,8 +22,6 @@
"kosmos_kvm::guest",
"kosmos_redis",
"kosmos_redis::default",
"kosmos_redis::firewall",
"kosmos_redis::backup",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -46,6 +43,7 @@
"redisio::disable_os_default",
"redisio::configure",
"redisio::enable",
"kosmos_redis::firewall",
"backup::default",
"logrotate::default"
],

20
nodes/redis-2.json
View File

@@ -1,6 +1,5 @@
{
"name": "redis-2",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.208"
@@ -9,20 +8,17 @@
"automatic": {
"fqdn": "redis-2",
"os": "linux",
"os_version": "5.4.0-1104-kvm",
"os_version": "5.4.0-1090-kvm",
"hostname": "redis-2",
"ipaddress": "192.168.122.98",
"roles": [
"base",
"kvm_guest",
"redis_replica"
"kvm_guest"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_redis::replica",
"kosmos_redis::firewall",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@@ -36,14 +32,7 @@
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"redisio::default",
"redisio::_install_prereqs",
"redisio::install",
"redisio::ulimit",
"redisio::disable_os_default",
"redisio::configure",
"redisio::enable"
"hostname::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
@@ -62,7 +51,6 @@
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[redis_replica]"
"role[kvm_guest]"
]
}

3
nodes/rsk-testnet-4.json
View File

@@ -55,6 +55,7 @@
},
"run_list": [
"role[base]",
"role[kvm_guest]"
"role[kvm_guest]",
"role[rskj_testnet]"
]
}

67
nodes/strfry-1.json
View File

@@ -1,67 +0,0 @@
{
"name": "strfry-1",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.164"
}
},
"automatic": {
"fqdn": "strfry-1",
"os": "linux",
"os_version": "5.15.0-1060-kvm",
"hostname": "strfry-1",
"ipaddress": "192.168.122.54",
"roles": [
"base",
"kvm_guest",
"strfry",
"ldap_client"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos-dirsrv::hostsfile",
"strfry",
"strfry::default",
"kosmos_strfry::policies",
"kosmos_strfry::firewall",
"kosmos_strfry::substr",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"deno::default"
],
"platform": "ubuntu",
"platform_version": "22.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "18.4.12",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.11",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[strfry]"
]
}

7796
nodes/vagrant-node-bitcoin.json Normal file
View File

File diff suppressed because it is too large Load Diff

7933
nodes/vagrant-openresty.json Normal file
View File

File diff suppressed because it is too large Load Diff

10
nodes/wiki-1.json
View File

@@ -8,19 +8,16 @@
"automatic": {
"fqdn": "wiki-1",
"os": "linux",
"os_version": "5.4.0-167-generic",
"os_version": "5.4.0-91-generic",
"hostname": "wiki-1",
"ipaddress": "192.168.122.26",
"roles": [
"base",
"kvm_guest",
"ldap_client"
"kvm_guest"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos-dirsrv::hostsfile",
"kosmos-mediawiki",
"kosmos-mediawiki::default",
"apt::default",
@@ -44,6 +41,7 @@
"php::package",
"php::ini",
"composer::global_configs",
"kosmos-dirsrv::hostsfile",
"mediawiki::default",
"mediawiki::database",
"kosmos-nginx::default",
@@ -81,4 +79,4 @@
"role[ldap_client]",
"recipe[kosmos-mediawiki]"
]
}
}

1
roles/gitea.rb
View File

@@ -3,5 +3,4 @@ name "gitea"
run_list %w(
role[postgresql_client]
kosmos_gitea::default
kosmos_gitea::backup
)

5
roles/liquor_cabinet.rb
View File

@@ -1,5 +0,0 @@
name "liquor_cabinet"
run_list %w(
kosmos_liquor-cabinet::default
)

1
roles/lnd.rb
View File

@@ -3,6 +3,7 @@ name "lnd"
run_list %w(
kosmos-bitcoin::lnd
kosmos-bitcoin::lnd-scb-s3
kosmos-bitcoin::boltz
kosmos-bitcoin::rtl
kosmos-bitcoin::peerswap-lnd
)

4
roles/openresty_proxy.rb
View File

@@ -21,16 +21,14 @@ production_run_list = %w(
kosmos_assets::nginx_site
kosmos_discourse::nginx
kosmos_drone::nginx
kosmos-ejabberd::nginx
kosmos_garage::nginx_web
kosmos_garage::nginx_s3
kosmos_gitea::nginx
kosmos_gitea::nginx_ssh
kosmos_liquor-cabinet::nginx
kosmos_rsk::nginx_testnet
kosmos_rsk::nginx_mainnet
kosmos_strfry::nginx
kosmos_website::default
kosmos_website::redirects
kosmos-akkounts::nginx
kosmos-akkounts::nginx_api
kosmos-bitcoin::nginx_lndhub

1
roles/postgresql_primary.rb
View File

@@ -3,7 +3,6 @@ name "postgresql_primary"
run_list %w(
kosmos_postgresql::primary
kosmos_postgresql::firewall
kosmos-akkounts::pg_db
kosmos-bitcoin::lndhub-go_pg_db
kosmos-bitcoin::nbxplorer_pg_db
kosmos_drone::pg_db

15
roles/redis_replica.rb
View File

@@ -1,15 +0,0 @@
name "redis_replica"
run_list %w(
kosmos_redis::replica
kosmos_redis::firewall
)
default_attributes({
'redisio' => {
'default_settings' => {
'slaveservestaledata' => 'yes',
'slavereadonly' => 'yes'
}
}
})

3
roles/redis_server.rb
View File

@@ -7,7 +7,6 @@ default_run_list = %w(
production_run_list = %w(
kosmos_redis::default
kosmos_redis::firewall
kosmos_redis::backup
)
env_run_lists(
@@ -15,3 +14,5 @@ env_run_lists(
'development' => default_run_list,
'production' => production_run_list
)
default_attributes({})

9
roles/strfry.rb
View File

@@ -1,9 +0,0 @@
name "strfry"
run_list %w(
role[ldap_client]
strfry::default
kosmos_strfry::policies
kosmos_strfry::firewall
kosmos_strfry::substr
)

5
roles/turn_server.rb
View File

@@ -1,5 +0,0 @@
name "turn_server"
run_list %w(
kosmos-ejabberd::coturn
)

1
scripts/postgresql/switch_primary.sh
View File

@@ -21,4 +21,3 @@ bundle exec knife ssh roles:postgresql_client -a knife_zero.host "sudo sed -r \"
# TODO
# 1. Change roles in node configs
# 2. Converge new primary
echo "You need to update the role in the '$new_primary_hostname' node config to 'postgres_primary' and converge it now."

4
site-cookbooks/backup/attributes/default.rb
View File

@@ -42,5 +42,5 @@ default['backup']['orbit']['keep'] = 10
default['backup']['cron']['hour'] = "05"
default['backup']['cron']['minute'] = "7"
default['backup']['s3']['keep'] = 10
default['backup']['s3']['bucket'] = "kosmos-backups"
default['backup']['s3']['keep'] = 15
default['backup']['s3']['bucket'] = "kosmos-dev-backups"

1
site-cookbooks/backup/recipes/default.rb
View File

@@ -28,7 +28,6 @@ template "#{backup_dir}/config.rb" do
sensitive true
variables s3_access_key_id: backup_data["s3_access_key_id"],
s3_secret_access_key: backup_data["s3_secret_access_key"],
s3_endpoint: backup_data["s3_endpoint"],
s3_region: backup_data["s3_region"],
encryption_password: backup_data["encryption_password"],
mail_from: "backups@kosmos.org",

5
site-cookbooks/backup/templates/default/config.rb.erb
View File

@@ -23,10 +23,6 @@ Storage::S3.defaults do |s3|
s3.secret_access_key = "<%= @s3_secret_access_key %>"
s3.region = "<%= @s3_region %>"
s3.bucket = "<%= node['backup']['s3']['bucket'] %>"
s3.fog_options = {
endpoint: "<%= @s3_endpoint %>",
aws_signature_version: 2
}
end
Encryptor::OpenSSL.defaults do |encryption|
@@ -92,6 +88,7 @@ end
preconfigure 'KosmosBackup' do
split_into_chunks_of 250 # megabytes
store_with S3
compress_with Bzip2
encrypt_with OpenSSL
notify_by Mail do |mail|

1
site-cookbooks/deno

Submodule site-cookbooks/deno deleted from 5ddfe642eb

14
site-cookbooks/kosmos-akkounts/attributes/default.rb
View File

@@ -1,5 +1,5 @@
node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git'
node.default['akkounts']['revision'] = 'live'
node.default['akkounts']['revision'] = 'master'
node.default['akkounts']['port'] = 3000
node.default['akkounts']['domain'] = 'accounts.kosmos.org'
node.default['akkounts']['primary_domain'] = 'kosmos.org'
@@ -11,21 +11,9 @@ node.default['akkounts']['smtp']['domain'] = 'kosmos.org'
node.default['akkounts']['smtp']['auth_method'] = 'plain'
node.default['akkounts']['smtp']['enable_starttls'] = 'auto'
node.default['akkounts']['btcpay']['public_url'] = nil
node.default['akkounts']['btcpay']['store_id'] = nil
node.default['akkounts']['ejabberd']['admin_url'] = nil
node.default['akkounts']['lndhub']['api_url'] = nil
node.default['akkounts']['lndhub']['public_url'] = nil
node.default['akkounts']['lndhub']['public_key'] = nil
node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
node.default['akkounts']['nostr']['public_key'] = nil
node.default['akkounts']['nostr']['relay_url'] = nil
node.default['akkounts']['s3_enabled'] = true
node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org"
node.default['akkounts']['s3_region'] = "garage"
node.default['akkounts']['s3_bucket'] = "akkounts-production"
node.default['akkounts']['s3_alias_host'] = "https://s3.accounts.kosmos.org"

172
site-cookbooks/kosmos-akkounts/recipes/default.rb
View File

@@ -20,21 +20,21 @@ user deploy_user do
end
package "libpq-dev"
package "libvips"
include_recipe 'redisio::default'
include_recipe 'redisio::enable'
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
include_recipe 'kosmos-nodejs'
npm_package "bun"
ruby_version = "3.3.8"
npm_package "yarn" do
version "1.22.4"
end
ruby_version = "2.7.5"
ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
bundle_path = "#{ruby_path}/bin/bundle"
rails_env = node.chef_environment == "development" ? "development" : "production"
ruby_build_install 'v20240221'
ruby_build_install 'v20230615'
ruby_build_definition ruby_version do
prefix_path ruby_path
end
@@ -47,28 +47,7 @@ webhooks_allowed_ips = [lndhub_host].compact.uniq.join(',')
env = {
primary_domain: node['akkounts']['primary_domain'],
akkounts_domain: node['akkounts']['domain'],
rails_serve_static_files: true,
secret_key_base: credentials["rails_secret_key_base"],
encryption_primary_key: credentials["rails_encryption_primary_key"],
encryption_key_derivation_salt: credentials["rails_encryption_key_derivation_salt"],
db_adapter: "postgresql",
pg_host: "pg.kosmos.local",
pg_port: 5432,
pg_database: "akkounts",
pg_database_queue: "akkounts_queue",
pg_username: credentials["postgresql"]["username"],
pg_password: credentials["postgresql"]["password"]
}
env[:ldap] = {
host: "ldap.kosmos.local",
port: 389,
use_tls: false,
uid_attr: "cn",
base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
admin_user: credentials["ldap"]["admin_user"],
admin_password: credentials["ldap"]["admin_password"],
suffix: "dc=kosmos,dc=org"
rails_serve_static_files: true
}
smtp_server, smtp_port = smtp_credentials[:relayhost].split(":")
@@ -89,34 +68,15 @@ if webhooks_allowed_ips.length > 0
env[:webhooks_allowed_ips] = webhooks_allowed_ips
end
#
# BTCPay Server
#
if btcpay_host
env[:btcpay_api_url] = "http://#{btcpay_host}:23001/api/v1"
env[:btcpay_public_url] = node['akkounts']['btcpay']['public_url']
env[:btcpay_store_id] = node['akkounts']['btcpay']['store_id']
env[:btcpay_auth_token] = credentials["btcpay_auth_token"]
end
#
# Discourse
#
env[:discourse_public_url] = "https://#{node['discourse']['domain']}"
env[:discourse_connect_secret] = credentials['discourse_connect_secret']
#
# Drone CI
#
env[:droneci_public_url] = node["droneci"]["public_url"]
#
# ejabberd
#
ejabberd_private_ip_addresses = []
search(:node, "role:ejabberd").each do |node|
ejabberd_private_ip_addresses << node["knife_zero"]["host"]
@@ -138,84 +98,27 @@ if ejabberd_private_ip_addresses.size > 0
env[:ejabberd_admin_url] = node['akkounts']['ejabberd']['admin_url']
end
#
# Gitea
#
env[:gitea_public_url] = "https://#{node['gitea']['domain']}"
#
# lndhub.go
#
if lndhub_host
node.override["akkounts"]["lndhub"]["api_url"] = "http://#{lndhub_host}:3026"
env[:lndhub_legacy_api_url] = node["akkounts"]["lndhub"]["api_url"]
env[:lndhub_api_url] = node["akkounts"]["lndhub"]["api_url"]
env[:lndhub_admin_token] = credentials["lndhub_admin_token"]
env[:lndhub_public_url] = node["akkounts"]["lndhub"]["public_url"]
env[:lndhub_public_key] = node["akkounts"]["lndhub"]["public_key"]
if postgres_readonly_host
env[:lndhub_admin_ui] = true
env[:lndhub_pg_host] = postgres_readonly_host
env[:lndhub_pg_database] = node["akkounts"]["lndhub"]["postgres_db"]
env[:lndhub_pg_username] = credentials["postgresql"]["username"]
env[:lndhub_pg_password] = credentials["postgresql"]["password"]
env[:lndhub_pg_database] = node['akkounts']['lndhub']['postgres_db']
env[:lndhub_pg_username] = credentials['postgresql_username']
env[:lndhub_pg_password] = credentials['postgresql_password']
end
end
#
# Mastodon
#
env[:mastodon_public_url] = "https://#{node['kosmos-mastodon']['domain']}"
env[:mastodon_address_domain] = node['kosmos-mastodon']['user_address_domain']
#
# MediaWiki
#
env[:mediawiki_public_url] = node['mediawiki']['url']
#
# Nostr
#
env[:nostr_private_key] = credentials['nostr_private_key']
env[:nostr_public_key] = node['akkounts']['nostr']['public_key']
env[:nostr_relay_url] = node['akkounts']['nostr']['relay_url']
#
# remoteStorage / Liquor Cabinet
#
env[:rs_storage_url] = "https://#{node['liquor-cabinet']['domain']}"
rs_redis_host = search(:node, "role:redis_server").first["knife_zero"]["host"] rescue nil
rs_redis_port = node['liquor-cabinet']['redis_port']
rs_redis_db = node['liquor-cabinet']['redis_db']
if rs_redis_host
env[:rs_redis_url] = "redis://#{rs_redis_host}:#{rs_redis_port}/#{rs_redis_db}"
end
#
# S3
#
if node['akkounts']['s3_enabled']
env[:s3_enabled] = true
env[:s3_endpoint] = node['akkounts']['s3_endpoint']
env[:s3_region] = node['akkounts']['s3_region']
env[:s3_bucket] = node['akkounts']['s3_bucket']
env[:s3_alias_host] = node['akkounts']['s3_alias_host']
env[:s3_access_key] = credentials['s3_access_key']
env[:s3_secret_key] = credentials['s3_secret_key']
end
#
# Akkounts Deployment
#
systemd_unit "akkounts.service" do
content({
Unit: {
@@ -228,7 +131,7 @@ systemd_unit "akkounts.service" do
Type: "simple",
User: deploy_user,
WorkingDirectory: deploy_path,
Environment: "RAILS_ENV=#{rails_env} SOLID_QUEUE_IN_PUMA=true",
Environment: "RAILS_ENV=#{rails_env}",
ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
@@ -245,6 +148,36 @@ systemd_unit "akkounts.service" do
action [:create, :enable]
end
systemd_unit "akkounts-sidekiq.service" do
content({
Unit: {
Description: "Kosmos Accounts async/background jobs",
Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
Requires: "redis@6379.service",
After: "syslog.target network.target redis@6379.service"
},
Service: {
Type: "notify",
User: deploy_user,
WorkingDirectory: deploy_path,
Environment: "MALLOC_ARENA_MAX=2",
ExecStart: "#{bundle_path} exec sidekiq -C #{deploy_path}/config/sidekiq.yml -e #{rails_env}",
WatchdogSec: "10",
Restart: "on-failure",
RestartSec: "1",
StandardOutput: "syslog",
StandardError: "syslog",
SyslogIdentifier: "sidekiq"
},
Install: {
WantedBy: "multi-user.target"
}
})
verify false
triggers_reload true
action [:create, :enable]
end
deploy_env = {
"HOME" => deploy_path,
"PATH" => "#{ruby_path}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin",
@@ -257,7 +190,15 @@ git deploy_path do
revision node[app_name]["revision"]
user deploy_user
group deploy_group
# Restart services on deployments
notifies :run, "execute[restart #{app_name} services]", :delayed
end
execute "restart #{app_name} services" do
command "true"
action :nothing
notifies :restart, "service[#{app_name}]", :delayed
notifies :restart, "service[#{app_name}-sidekiq]", :delayed
end
file "#{deploy_path}/config/master.key" do
@@ -265,7 +206,7 @@ file "#{deploy_path}/config/master.key" do
mode '0400'
owner deploy_user
group deploy_group
notifies :restart, "service[#{app_name}]", :delayed
notifies :run, "execute[restart #{app_name} services]", :delayed
end
template "#{deploy_path}/.env.#{rails_env}" do
@@ -275,7 +216,7 @@ template "#{deploy_path}/.env.#{rails_env}" do
mode 0600
sensitive true
variables config: env
notifies :restart, "service[#{app_name}]", :delayed
notifies :run, "execute[restart #{app_name} services]", :delayed
end
execute "bundle install" do
@@ -285,6 +226,13 @@ execute "bundle install" do
command "bundle install --without development,test --deployment"
end
execute "yarn install" do
environment deploy_env
user deploy_user
cwd deploy_path
command "yarn install --pure-lockfile"
end
execute 'rake db:migrate' do
environment deploy_env
user deploy_user
@@ -305,6 +253,10 @@ service "akkounts" do
action [:enable, :start]
end
service "akkounts-sidekiq" do
action [:enable, :start]
end
firewall_rule "akkounts_zerotier" do
command :allow
port node["akkounts"]["port"]

22
site-cookbooks/kosmos-akkounts/recipes/pg_db.rb
View File

@@ -1,22 +0,0 @@
#
# Cookbook:: kosmos-akkounts
# Recipe:: pg_db
#
credentials = data_bag_item("credentials", "akkounts")
pg_username = credentials["postgresql"]["username"]
pg_password = credentials["postgresql"]["password"]
postgresql_user pg_username do
action :create
password pg_password
end
databases = ["akkounts", "akkounts_queue"]
databases.each do |database|
postgresql_database database do
owner pg_username
action :create
end
end

7
site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
View File

@@ -14,10 +14,6 @@ server {
listen [::]:443 ssl http2;
server_name <%= @domain %>;
if ($host != $server_name) {
return 301 $scheme://$server_name$request_uri;
}
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
@@ -43,9 +39,6 @@ server {
location @proxy {
proxy_set_header Host $http_host;
set $x_forwarded_host $http_x_forwarded_host;
if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
proxy_set_header X-Forwarded-Host $x_forwarded_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;

4
site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
View File

@@ -18,7 +18,7 @@ server {
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json;
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
location / {
location /kredits/ {
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
@@ -31,6 +31,6 @@ server {
proxy_buffers 1024 8k;
proxy_http_version 1.1;
proxy_pass http://_akkounts_api/api/;
proxy_pass http://_akkounts_api/api/kredits/;
}
}

21
site-cookbooks/kosmos-base/recipes/letsencrypt.rb
View File

@@ -2,6 +2,27 @@
# Cookbook Name:: kosmos-base
# Recipe:: letsencrypt
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
unless platform?('ubuntu')
raise "This recipe only supports Ubuntu installs"

37
site-cookbooks/kosmos-base/resources/tls_cert_for.rb
View File

@@ -3,8 +3,6 @@ provides :tls_cert_for
property :domain, [String, Array], name_property: true
property :auth, [String, NilClass], default: nil
property :deploy_hook, [String, NilClass], default: nil
property :acme_domain, [String, NilClass], default: nil
default_action :create
@@ -19,35 +17,13 @@ action :create do
case new_resource.auth
when "gandi_dns"
gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
hook_path = "/root/gandi_dns_certbot_hook.sh"
hook_auth_command = "#{hook_path} auth"
hook_cleanup_command = "#{hook_path} cleanup"
if new_resource.acme_domain
hook_auth_command += " #{new_resource.acme_domain}"
hook_cleanup_command += " #{new_resource.acme_domain}"
end
template hook_path do
cookbook "kosmos-base"
variables access_token: gandi_api_credentials["access_token"]
mode 0700
sensitive true
end
if new_resource.deploy_hook
deploy_hook_path = "/etc/letsencrypt/renewal-hooks/#{domains.first}"
file deploy_hook_path do
content new_resource.deploy_hook
mode 0755
owner "root"
group "root"
end
elsif node.run_list.roles.include?("openresty_proxy")
deploy_hook_path = "/etc/letsencrypt/renewal-hooks/post/openresty"
variables gandi_api_key: gandi_api_data_bag_item["key"]
mode 0770
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
@@ -56,11 +32,12 @@ action :create do
command <<-CMD
certbot certonly --manual -n \
--preferred-challenges dns \
--manual-public-ip-logging-ok \
--agree-tos \
--manual-auth-hook '#{hook_auth_command}' \
--manual-cleanup-hook '#{hook_cleanup_command}' \
--manual-auth-hook '#{hook_path} auth' \
--manual-cleanup-hook '#{hook_path} cleanup' \
--email ops@kosmos.org \
#{"--deploy-hook #{deploy_hook_path}" if defined?(deploy_hook_path)} \
#{node.run_list.roles.include?("openresty_proxy") ? '--deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty' : nil } \
#{domains.map {|d| "-d #{d}" }.join(" ")}
CMD
not_if do

57
site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb
View File

@@ -1,16 +1,21 @@
#!/usr/bin/env bash
#
set -euf -o pipefail
# ************** USAGE **************
#
# Example usage:
# Example usage (with this hook file saved in /root/):
#
# sudo su -
# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
#
# This hook requires configuration, continue reading.
#
# ************** CONFIGURATION **************
#
# ACCESS_TOKEN: Your Gandi Live API key
# GANDI_API_KEY: Your Gandi Live API key
#
# PROVIDER_UPDATE_DELAY:
# How many seconds to wait after updating your DNS records. This may be required,
@@ -20,16 +25,10 @@ set -euf -o pipefail
#
# Defaults to 30 seconds.
#
# VALIDATION_DOMAIN:
# Domain to create ACME DNS entries on. Use this when redirecting ACME subdomains
# from the original domain to a proxy validation domain that we control.
#
ACCESS_TOKEN="<%= @access_token %>"
GANDI_API_KEY="<%= @gandi_api_key %>"
PROVIDER_UPDATE_DELAY=10
VALIDATION_DOMAIN="${2:-}"
regex='.*\.(.*\..*)'
if [[ $CERTBOT_DOMAIN =~ $regex ]]
then
DOMAIN="${BASH_REMATCH[1]}"
@@ -37,41 +36,25 @@ else
DOMAIN="${CERTBOT_DOMAIN}"
fi
if [[ -n "$VALIDATION_DOMAIN" ]]
then
if [[ $VALIDATION_DOMAIN =~ $regex ]]
then
ACME_BASE_DOMAIN="${BASH_REMATCH[1]}"
else
echo "Validation domain has to be a subdomain, but it is not: \"${VALIDATION_DOMAIN}\""
exit 1
fi
ACME_DOMAIN="${CERTBOT_DOMAIN}.${VALIDATION_DOMAIN}"
else
ACME_BASE_DOMAIN="${DOMAIN}"
ACME_DOMAIN="_acme-challenge.${CERTBOT_DOMAIN}"
fi
# To be invoked via Certbot's --manual-auth-hook
function auth {
curl -s -D- \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-d "{\"rrset_name\": \"${ACME_DOMAIN}.\",
\"rrset_type\": \"TXT\",
\"rrset_ttl\": 300,
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
"https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records"
curl -s -D- -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
-d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
\"rrset_type\": \"TXT\",
\"rrset_ttl\": 3600,
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
"https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
sleep ${PROVIDER_UPDATE_DELAY}
sleep ${PROVIDER_UPDATE_DELAY}
}
# To be invoked via Certbot's --manual-cleanup-hook
function cleanup {
curl -s -X DELETE \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
"https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records/${ACME_DOMAIN}./TXT"
curl -s -X DELETE -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
}
HANDLER=$1; shift;

38
site-cookbooks/kosmos-bitcoin/attributes/default.rb
View File

@@ -1,5 +1,5 @@
node.default['bitcoin']['version'] = '28.0'
node.default['bitcoin']['checksum'] = '700ae2d1e204602eb07f2779a6e6669893bc96c0dca290593f80ff8e102ff37f'
node.default['bitcoin']['version'] = '25.0'
node.default['bitcoin']['checksum'] = '5df67cf42ca3b9a0c38cdafec5bbb517da5b58d251f32c8d2a47511f9be1ebc2'
node.default['bitcoin']['username'] = 'satoshi'
node.default['bitcoin']['usergroup'] = 'bitcoin'
node.default['bitcoin']['network'] = 'mainnet'
@@ -24,15 +24,14 @@ node.default['bitcoin']['conf'] = {
rpcbind: "127.0.0.1:8332",
gen: 0,
zmqpubrawblock: 'tcp://127.0.0.1:8337',
zmqpubrawtx: 'tcp://127.0.0.1:8338',
deprecatedrpc: 'warnings' # TODO remove when upgrading to LND 0.18.4
zmqpubrawtx: 'tcp://127.0.0.1:8338'
}
# Also enables Tor for LND
node.default['bitcoin']['tor_enabled'] = true
node.default['c-lightning']['repo'] = 'https://github.com/ElementsProject/lightning'
node.default['c-lightning']['revision'] = 'v23.11.1'
node.default['c-lightning']['revision'] = 'v0.10.2'
node.default['c-lightning']['source_dir'] = '/opt/c-lightning'
node.default['c-lightning']['lightning_dir'] = "/home/#{node['bitcoin']['username']}/.lightning"
node.default['c-lightning']['alias'] = 'ln3.kosmos.org'
@@ -41,7 +40,7 @@ node.default['c-lightning']['log_level'] = 'info'
node.default['c-lightning']['public_ip'] = '148.251.237.73'
node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
node.default['lnd']['revision'] = 'v0.18.5-beta'
node.default['lnd']['revision'] = 'v0.16.4-beta'
node.default['lnd']['source_dir'] = '/opt/lnd'
node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -59,13 +58,24 @@ node.default['lnd']['tor'] = {
'skip-proxy-for-clearnet-targets' => 'true'
}
node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
node.default['boltz']['revision'] = 'v1.2.6'
node.default['boltz']['source_dir'] = '/opt/boltz'
node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
node.default['boltz']['grpc_host'] = '127.0.0.1'
node.default['boltz']['grpc_port'] = '9002'
node.default['boltz']['rest_disabled'] = 'false'
node.default['boltz']['rest_host'] = '127.0.0.1'
node.default['boltz']['rest_port'] = '9003'
node.default['boltz']['no_macaroons'] = 'false'
node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
node.default['rtl']['revision'] = 'v0.15.2'
node.default['rtl']['revision'] = 'v0.12.1'
node.default['rtl']['host'] = '10.1.1.163'
node.default['rtl']['port'] = '3000'
node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
node.default['lndhub-go']['revision'] = '1.0.2'
node.default['lndhub-go']['revision'] = '0.14.0'
node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
node.default['lndhub-go']['port'] = 3026
node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
@@ -73,10 +83,8 @@ node.default['lndhub-go']['postgres']['database'] = 'lndhub'
node.default['lndhub-go']['postgres']['user'] = 'lndhub'
node.default['lndhub-go']['postgres']['port'] = 5432
node.default['lndhub-go']['default_rate_limit'] = 20
node.default['lndhub-go']['strict_rate_limit'] = 1
node.default['lndhub-go']['burst_rate_limit'] = 10
node.default['lndhub-go']['service_fee'] = 1
node.default['lndhub-go']['no_service_fee_up_to_amount'] = 1000
node.default['lndhub-go']['strict_rate_limit'] = 1
node.default['lndhub-go']['burst_rate_limit'] = 10
node.default['lndhub-go']['branding'] = {
'title' => 'LndHub - Kosmos Lightning',
'desc' => 'Kosmos accounts for the Lightning Network',
@@ -90,7 +98,7 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/
node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
node.default['nbxplorer']['revision'] = 'v2.5.23'
node.default['nbxplorer']['revision'] = 'v2.3.66'
node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
node.default['nbxplorer']['port'] = '24445'
@@ -98,7 +106,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
node.default['btcpay']['revision'] = 'v2.0.7'
node.default['btcpay']['revision'] = 'v1.11.6'
node.default['btcpay']['source_dir'] = '/opt/btcpay'
node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
@@ -111,5 +119,3 @@ node.default['btcpay']['postgres']['user'] = 'satoshi'
node.default['peerswap']['repo'] = 'https://github.com/ElementsProject/peerswap.git'
node.default['peerswap']['revision'] = 'master'
node.default['peerswap-lnd']['source_dir'] = '/opt/peerswap'
node.default['price_tracking']['rs_base_url'] = "https://storage.kosmos.org/kosmos/public/btc-price"

1
site-cookbooks/kosmos-bitcoin/recipes/aws-client.rb
View File

@@ -11,7 +11,6 @@ credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
file "/root/.aws/config" do
mode "600"
sensitive true
content lazy { <<-EOF
[default]
region = #{credentials["s3_region"]}

16
site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
View File

@@ -12,15 +12,8 @@ if node["bitcoin"]["blocksdir_mount_type"]
include_recipe "kosmos-bitcoin::blocksdir-mount"
end
apt_repository "ubuntu-toolchain-r" do
# provides g++-13, needed for better c++-20 support
uri "ppa:ubuntu-toolchain-r/test"
end
%w{
gcc-13 g++-13 libtool autotools-dev make automake cmake curl bison
binutils-gold pkg-config python3 patch
}.each do |pkg|
%w{ libtool autotools-dev make automake cmake curl g++-multilib libtool
binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
apt_package pkg
end
@@ -33,21 +26,20 @@ end
execute "compile_bitcoin-core_dependencies" do
cwd "/usr/local/bitcoind/depends"
environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
command "make -j 2"
command "make NO_QT=1"
action :nothing
notifies :run, 'bash[compile_bitcoin-core]', :immediately
end
bash "compile_bitcoin-core" do
cwd "/usr/local/bitcoind"
environment ({'CC' => 'gcc-13', 'CXX' => 'g++-13', 'NO_QT' => '1'})
code <<-EOH
./autogen.sh
./configure --prefix=$PWD/depends/x86_64-pc-linux-gnu
make
EOH
action :nothing
notifies :restart, "systemd_unit[bitcoind.service]", :delayed
end
link "/usr/local/bin/bitcoind" do

87
site-cookbooks/kosmos-bitcoin/recipes/boltz.rb Normal file
View File

@@ -0,0 +1,87 @@
#
# Cookbook:: kosmos-bitcoin
# Recipe:: boltz
#
include_recipe "git"
include_recipe "kosmos-bitcoin::golang"
git node['boltz']['source_dir'] do
repository node['boltz']['repo']
revision node['boltz']['revision']
action :sync
notifies :run, 'bash[compile_and_install_boltz]', :immediately
end
bash "compile_and_install_boltz" do
cwd node['boltz']['source_dir']
code <<-EOH
go mod vendor && \
make build && \
make install
EOH
action :nothing
notifies :restart, "systemd_unit[boltzd.service]", :delayed
end
bitcoin_user = node['bitcoin']['username']
bitcoin_group = node['bitcoin']['usergroup']
boltz_dir = node['boltz']['boltz_dir']
lnd_dir = node['lnd']['lnd_dir']
directory boltz_dir do
owner bitcoin_user
group bitcoin_group
mode '0750'
action :create
end
template "#{boltz_dir}/boltz.toml" do
source "boltz.toml.erb"
owner bitcoin_user
group bitcoin_group
mode '0640'
variables lnd_grpc_host: '127.0.0.1',
lnd_grpc_port: '10009',
lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
lnd_tlscert_path: "#{lnd_dir}/tls.cert",
boltz_config: node['boltz']
notifies :restart, "systemd_unit[boltzd.service]", :delayed
end
systemd_unit 'boltzd.service' do
content({
Unit: {
Description: 'Boltz Daemon',
Documentation: ['https://lnd.docs.boltz.exchange'],
Requires: 'lnd.service',
After: 'lnd.service'
},
Service: {
User: bitcoin_user,
Group: bitcoin_group,
Type: 'simple',
ExecStart: "/opt/boltz/boltzd",
Restart: 'always',
RestartSec: '30',
TimeoutSec: '240',
LimitNOFILE: '128000',
PrivateTmp: true,
ProtectSystem: 'full',
NoNewPrivileges: true,
PrivateDevices: true,
MemoryDenyWriteExecute: true
},
Install: {
WantedBy: 'multi-user.target'
}
})
verify false
triggers_reload true
action [:create, :enable, :start]
end
unless node.chef_environment == 'development'
node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
include_recipe 'backup'
end

2
site-cookbooks/kosmos-bitcoin/recipes/dotnet.rb
View File

@@ -30,4 +30,4 @@ execute 'apt_update' do
action :nothing
end
apt_package 'dotnet-sdk-8.0'
apt_package 'dotnet-sdk-7.0'

2
site-cookbooks/kosmos-bitcoin/recipes/golang.rb
View File

@@ -5,7 +5,7 @@
# Internal recipe for managing the Go installation in one place
#
node.override['golang']['version'] = "1.23.1"
node.override['golang']['version'] = "1.20.3"
include_recipe "golang"
link '/usr/local/bin/go' do

2
site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb
View File

@@ -10,14 +10,12 @@ include_recipe "kosmos-bitcoin::aws-client"
package "inotify-tools"
backup_script_path = "/opt/lnd-channel-backup-s3.sh"
backup_credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
template backup_script_path do
source "lnd-channel-backup-s3.sh.erb"
mode '0740'
variables lnd_dir: node['lnd']['lnd_dir'],
bitcoin_network: node['bitcoin']['network'],
s3_endpoint: backup_credentials['s3_endpoint'],
s3_bucket: node['backup']['s3']['bucket'],
s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed

2
site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
View File

@@ -66,8 +66,6 @@ template "#{source_dir}/.env" do
default_rate_limit: node['lndhub-go']['default_rate_limit'],
strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
service_fee: 1,
no_service_fee_up_to_amount: 1000,
branding: node['lndhub-go']['branding'],
webhook_url: node['lndhub-go']['webhook_url'],
sentry_dsn: credentials['sentry_dsn']

4
site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb
View File

@@ -58,7 +58,9 @@ directory '/run/nbxplorer' do
end
env = {
NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20"
NBXPLORER_POSTGRES: "User ID=#{postgres_user};Password=#{credentials['postgresql_password']};Database=#{postgres_database};Host=pg.kosmos.local;Port=5432;Application Name=nbxplorer;MaxPoolSize=20",
NBXPLORER_AUTOMIGRATE: "1",
NBXPLORER_NOMIGRATEEVTS: "1"
}
systemd_unit 'nbxplorer.service' do

59
site-cookbooks/kosmos-bitcoin/recipes/price_tracking.rb
View File

@@ -1,59 +0,0 @@
#
# Cookbook:: kosmos-bitcoin
# Recipe:: price_tracking
#
# Track BTC rates and publish them via remoteStorage
#
%w[curl jq].each do |pkg|
apt_package pkg
end
daily_tracker_path = "/usr/local/bin/btc-price-tracker-daily"
credentials = Chef::EncryptedDataBagItem.load('credentials', 'kosmos-rs')
template daily_tracker_path do
source "btc-price-tracker-daily.sh.erb"
mode '0740'
variables rs_base_url: node['price_tracking']['rs_base_url']
notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
end
systemd_unit 'btc-price-tracker-daily.service' do
content({
Unit: {
Description: 'BTC price tracker (daily rates)',
After: 'network-online.target',
Wants: 'network-online.target'
},
Service: {
Type: 'oneshot',
ExecStart: daily_tracker_path,
Environment: "RS_AUTH=#{credentials["auth_tokens"]["/btc-price"]}"
},
Install: {
WantedBy: 'multi-user.target'
}
})
sensitive true
triggers_reload true
action [:create]
end
systemd_unit 'btc-price-tracker-daily.timer' do
content({
Unit: {
Description: 'Run BTC price tracker daily'
},
Timer: {
OnCalendar: '*-*-* 00:00:00',
Persistent: 'true'
},
Install: {
WantedBy: 'timers.target'
}
})
triggers_reload true
action [:create, :enable, :start]
end

13
site-cookbooks/kosmos-bitcoin/recipes/rtl.rb
View File

@@ -3,7 +3,6 @@
# Recipe:: rtl
#
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
include_recipe 'kosmos-nodejs'
app_name = "rtl"
@@ -46,22 +45,24 @@ rtl_config = {
multiPassHashed: credentials["multiPassHashed"]
}
if node['boltz']
# TODO adapt for multi-node usage
rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
end
git rtl_dir do
user bitcoin_user
group bitcoin_group
repository node['rtl']['repo']
revision node['rtl']['revision']
notifies :run, "execute[npm_install]", :immediately
notifies :restart, "systemd_unit[#{app_name}.service]", :delayed
end
execute "npm_install" do
execute "npm install" do
cwd rtl_dir
environment "HOME" => rtl_dir
user bitcoin_user
# TODO remove --force when upstream dependency issues have been resolved
command "npm install --force"
action :nothing
end
file "#{rtl_dir}/RTL-Config.json" do

32
site-cookbooks/kosmos-bitcoin/templates/boltz.toml.erb Normal file
View File

@@ -0,0 +1,32 @@
[LND]
# Host of the gRPC interface of LND
host = "<%= @lnd_grpc_host %>"
# Port of the gRPC interface of LND
port = <%= @lnd_grpc_port %>
# Path to a macaroon file of LND
# The daemon needs to have permission to read various endpoints, generate addresses and pay invoices
macaroon = "<%= @lnd_macaroon_path %>"
# Path to the TLS certificate of LND
certificate = "<%= @lnd_tlscert_path %>"
[RPC]
# Host of the gRPC interface
host = "<%= @boltz_config['grpc_host'] %>"
# Port of the gRPC interface
port = <%= @boltz_config['grpc_port'] %>
# Whether the REST proxy for the gRPC interface should be disabled
restDisabled = <%= @boltz_config['rest_disabled'] %>
# Host of the REST proxy
restHost = "<%= @boltz_config['rest_host'] %>"
# Port of the REST proxy
restPort = <%= @boltz_config['rest_port'] %>
# Whether the macaroon authentication for the gRPC and REST interface should be disabled
noMacaroons = <%= @boltz_config['no_macaroons'] %>

49
site-cookbooks/kosmos-bitcoin/templates/btc-price-tracker-daily.sh.erb
View File

@@ -1,49 +0,0 @@
#!/bin/bash
# Calculate yesterday's date in YYYY-MM-DD format
YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
echo "Starting price tracking for $YESTERDAY" >&2
# Fetch and process rates for a fiat currency
get_price_data() {
local currency=$1
local data avg open24 last
data=$(curl -s "https://www.bitstamp.net/api/v2/ticker/btc${currency,,}/")
if [ $? -eq 0 ] && [ ! -z "$data" ]; then
echo "Successfully retrieved ${currency} price data" >&2
open24=$(echo "$data" | jq -r '.open_24')
last=$(echo "$data" | jq -r '.last')
avg=$(( (${open24%.*} + ${last%.*}) / 2 ))
echo $avg
else
echo "ERROR: Failed to retrieve ${currency} price data" >&2
exit 1
fi
}
# Get price data for each currency
usd_avg=$(get_price_data "USD")
eur_avg=$(get_price_data "EUR")
gbp_avg=$(get_price_data "GBP")
# Create JSON
json="{\"EUR\":$eur_avg,\"USD\":$usd_avg,\"GBP\":$gbp_avg}"
echo "Rates: $json" >&2
# PUT in remote storage
response=$(curl -X PUT \
-H "Authorization: Bearer $RS_AUTH" \
-H "Content-Type: application/json" \
-d "$json" \
-w "%{http_code}" \
-s \
-o /dev/null \
"<%= @rs_base_url %>/$YESTERDAY")
if [ "$response" -eq 200 ] || [ "$response" -eq 201 ]; then
echo "Successfully uploaded price data" >&2
else
echo "ERROR: Failed to upload price data. HTTP status: $response" >&2
exit 1
fi

2
site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb
View File

@@ -3,5 +3,5 @@ set -xe -o pipefail
while true; do
inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
aws --endpoint <%= @s3_endpoint %> s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
done

1
site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
View File

@@ -12,6 +12,7 @@ minchansize=<%= @lnd_minchansize %>
autopilot.active=0
[Bitcoin]
bitcoin.active=1
bitcoin.mainnet=1
bitcoin.node=bitcoind
bitcoin.basefee=<%= @lnd_basefee %>

6
site-cookbooks/kosmos-ejabberd/attributes/default.rb
View File

@@ -1,9 +1,7 @@
node.default["ejabberd"]["version"] = "23.10"
node.default["ejabberd"]["package_version"] = "1"
node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77"
node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org"
node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org"
node.default["ejabberd"]["turn_ip_address"] = nil
node.default["ejabberd"]["stun_turn_port"] = 3478
node.default["ejabberd"]["stun_turn_port_tls"] = 5349
node.default["ejabberd"]["turn_min_port"] = 50000
node.default["ejabberd"]["turn_max_port"] = 50999
node.default["ejabberd"]["turn_max_port"] = 50050

52
site-cookbooks/kosmos-ejabberd/recipes/coturn.rb
View File

@@ -1,52 +0,0 @@
#
# Cookbook:: kosmos-ejabberd
# Recipe:: coturn
#
apt_package 'coturn'
domain = node["ejabberd"]["turn_domain"]
credentials = data_bag_item("credentials", "ejabberd")
tls_cert_for domain do
auth "gandi_dns"
action :create
end
template "/etc/turnserver.conf" do
source "turnserver.conf.erb"
mode 0644
variables listening_port: node["ejabberd"]["stun_turn_port"],
tls_listening_port: node["ejabberd"]["stun_turn_port_tls"],
listening_ip: node["ipaddress"],
relay_ip: node["ipaddress"],
min_port: node["ejabberd"]["turn_min_port"],
max_port: node["ejabberd"]["turn_max_port"],
realm: node["ejabberd"]["stun_auth_realm"],
static_auth_secret: credentials["stun_secret"],
cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
pkey: "/etc/letsencrypt/live/#{domain}/privkey.pem"
notifies :restart, "service[coturn]", :delayed
end
firewall_rule 'ejabberd_stun_turn' do
port node["ejabberd"]["stun_turn_port"]
protocol :udp
command :allow
end
firewall_rule 'ejabberd_stun_turn_tls' do
port node["ejabberd"]["stun_turn_port_tls"]
protocol :tcp
command :allow
end
firewall_rule 'ejabberd_turn' do
port node["ejabberd"]["turn_min_port"]..node["ejabberd"]["turn_max_port"]
protocol :udp
command :allow
end
service "coturn" do
action [:enable, :start]
end

22
site-cookbooks/kosmos-ejabberd/recipes/default.rb
View File

@@ -84,12 +84,6 @@ hosts = [
sql_database: "ejabberd",
ldap_enabled: true,
ldap_password: ejabberd_credentials['kosmos_ldap_password'],
certfiles: [
"/opt/ejabberd/conf/kosmos.org.crt",
"/opt/ejabberd/conf/kosmos.org.key",
"/opt/ejabberd/conf/kosmos.chat.crt",
"/opt/ejabberd/conf/kosmos.chat.key"
],
append_host_config: <<-EOF
modules:
mod_disco:
@@ -120,10 +114,6 @@ hosts = [
sql_database: "ejabberd_5apps",
ldap_enabled: true,
ldap_password: ejabberd_credentials['5apps_ldap_password'],
certfiles: [
"/opt/ejabberd/conf/5apps.com.crt",
"/opt/ejabberd/conf/5apps.com.key"
],
append_host_config: <<-EOF
modules:
mod_disco:
@@ -164,11 +154,6 @@ admin_users = ejabberd_credentials['admins']
hosts.each do |host|
ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
if host[:name] == "kosmos.org"
ldap_filter = "(&(objectClass=person)(serviceEnabled=ejabberd))"
else
ldap_filter = "(objectClass=person)"
end
template "/opt/ejabberd/conf/#{host[:name]}.yml" do
source "vhost.yml.erb"
@@ -182,8 +167,7 @@ hosts.each do |host|
ldap_base: ldap_base,
ldap_server: ldap_domain,
ldap_rootdn: ldap_rootdn,
ldap_encryption_type: ldap_encryption_type,
ldap_filter: ldap_filter
ldap_encryption_type: ldap_encryption_type
notifies :reload, "service[ejabberd]", :delayed
end
end
@@ -199,10 +183,10 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
sensitive true
variables hosts: hosts,
admin_users: admin_users,
turn_domain: node["ejabberd"]["turn_domain"],
stun_auth_realm: "kosmos.org",
stun_secret: ejabberd_credentials['stun_secret'],
turn_ip_address: node["ejabberd"]["turn_ip_address"],
stun_turn_port: node["ejabberd"]["stun_turn_port"],
stun_turn_port_tls: node["ejabberd"]["stun_turn_port_tls"],
turn_min_port: node["ejabberd"]["turn_min_port"],
turn_max_port: node["ejabberd"]["turn_max_port"],
private_ip_address: node["knife_zero"]["host"],

26
site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
View File

@@ -15,9 +15,9 @@ set -e
# letsencrypt live folder
for domain in $RENEWED_DOMAINS; do
case $domain in
kosmos.org|kosmos.chat|5apps.com)
cp "/etc/letsencrypt/live/${domain}/privkey.pem" /opt/ejabberd/conf/$domain.key
cp "/etc/letsencrypt/live/${domain}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
kosmos.org|5apps.com)
cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key
cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
chmod 600 /opt/ejabberd/conf/$domain.*
/opt/ejabberd-#{node["ejabberd"]["version"]}/bin/ejabberdctl reload_config
@@ -33,34 +33,26 @@ file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
group "root"
end
gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
template "/root/gandi_dns_certbot_hook.sh" do
variables access_token: gandi_api_credentials["access_token"]
mode 0700
sensitive true
variables gandi_api_key: gandi_api_data_bag_item["key"]
mode 0770
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for kosmos.org domains" do
command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d upload.kosmos.org -d proxy.kosmos.org -d pubsub.kosmos.org -d uploads.xmpp.kosmos.org -n"
execute "letsencrypt cert for kosmos xmpp" do
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n"
not_if do
File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
end
end
execute "letsencrypt cert for kosmos.chat" do
command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.chat -n"
not_if do
File.exist?("/etc/letsencrypt/live/kosmos.chat/fullchain.pem")
end
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for 5apps xmpp" do
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
not_if do
File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
end

34
site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
View File

@@ -87,6 +87,16 @@ listen:
## "/pub/archive": mod_http_fileserver
## register: true
captcha: false
-
port: <%= @stun_turn_port %>
transport: udp
module: ejabberd_stun
auth_realm: <%= @stun_auth_realm %>
use_turn: true
tls: false
turn_ipv4_address: <%= @turn_ip_address %>
turn_min_port: <%= @turn_min_port %>
turn_max_port: <%= @turn_max_port %>
s2s_use_starttls: optional
@@ -123,7 +133,7 @@ shaper_rules:
max_user_sessions: 10
max_user_offline_messages:
- 5000: admin
- 1000
- 100
c2s_shaper:
- none: admin
- normal
@@ -216,7 +226,7 @@ modules:
access_createnode: pubsub_createnode
ignore_pep_from_offline: false
last_item_cache: false
max_items_node: 10000
max_items_node: 10
plugins:
- "flat"
- "pep" # pep requires mod_caps
@@ -230,38 +240,22 @@ modules:
store_current_id: true
mod_shared_roster: {}
mod_stun_disco:
offer_local_services: false
secret: <%= @stun_secret %>
services:
-
host: <%= @turn_domain %>
host: <%= @turn_ip_address %>
port: <%= @stun_turn_port %>
type: stun
transport: udp
restricted: false
-
host: <%= @turn_domain %>
port: <%= @stun_turn_port_tls %>
type: stuns
transport: tcp
restricted: false
-
host: <%= @turn_domain %>
host: <%= @turn_ip_address %>
port: <%= @stun_turn_port %>
type: turn
transport: udp
restricted: true
-
host: <%= @turn_domain %>
port: <%= @stun_turn_port_tls %>
type: turns
transport: tcp
restricted: true
mod_vcard:
db_type: ldap
search: false
ldap_vcard_map:
PHOTO: {"%s": [jpegPhoto]}
mod_vcard_xupdate: {}
mod_avatar: {}
mod_version: {}

59
site-cookbooks/kosmos-ejabberd/templates/gandi_dns_certbot_hook.sh.erb
View File

@@ -1,16 +1,21 @@
#!/usr/bin/env bash
#
set -euf -o pipefail
# ************** USAGE **************
#
# Example usage:
# Example usage (with this hook file saved in /root/):
#
# sudo su -
# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
#
# This hook requires configuration, continue reading.
#
# ************** CONFIGURATION **************
#
# ACCESS_TOKEN: Your Gandi Live API key
# GANDI_API_KEY: Your Gandi Live API key
#
# PROVIDER_UPDATE_DELAY:
# How many seconds to wait after updating your DNS records. This may be required,
@@ -20,16 +25,10 @@ set -euf -o pipefail
#
# Defaults to 30 seconds.
#
# VALIDATION_DOMAIN:
# Domain to create ACME DNS entries on. Use this when redirecting ACME subdomains
# from the original domain to a proxy validation domain that we control.
#
ACCESS_TOKEN="<%= @access_token %>"
PROVIDER_UPDATE_DELAY=10
VALIDATION_DOMAIN="${2:-}"
GANDI_API_KEY="<%= @gandi_api_key %>"
PROVIDER_UPDATE_DELAY=30
regex='.*\.(.*\..*)'
if [[ $CERTBOT_DOMAIN =~ $regex ]]
then
DOMAIN="${BASH_REMATCH[1]}"
@@ -37,41 +36,25 @@ else
DOMAIN="${CERTBOT_DOMAIN}"
fi
if [[ -n "$VALIDATION_DOMAIN" ]]
then
if [[ $VALIDATION_DOMAIN =~ $regex ]]
then
ACME_BASE_DOMAIN="${BASH_REMATCH[1]}"
else
echo "Validation domain has to be a subdomain, but it is not: \"${VALIDATION_DOMAIN}\""
exit 1
fi
ACME_DOMAIN="${CERTBOT_DOMAIN}.${VALIDATION_DOMAIN}"
else
ACME_BASE_DOMAIN="${DOMAIN}"
ACME_DOMAIN="_acme-challenge.${CERTBOT_DOMAIN}"
fi
# To be invoked via Certbot's --manual-auth-hook
function auth {
curl -s -D- \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-d "{\"rrset_name\": \"${ACME_DOMAIN}.\",
\"rrset_type\": \"TXT\",
\"rrset_ttl\": 300,
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
"https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records"
curl -s -D- -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
-d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
\"rrset_type\": \"TXT\",
\"rrset_ttl\": 3600,
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
"https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
sleep ${PROVIDER_UPDATE_DELAY}
sleep ${PROVIDER_UPDATE_DELAY}
}
# To be invoked via Certbot's --manual-cleanup-hook
function cleanup {
curl -s -X DELETE \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
"https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records/${ACME_DOMAIN}./TXT"
curl -s -X DELETE -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
}
HANDLER=$1; shift;

708
site-cookbooks/kosmos-ejabberd/templates/turnserver.conf.erb
View File

@@ -1,708 +0,0 @@
# Coturn TURN SERVER configuration file
#
# Boolean values note: where boolean value is supposed to be used,
# you can use '0', 'off', 'no', 'false', 'f' as 'false,
# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
# If the value is missed, then it means 'true'.
#
# Listener interface device (optional, Linux only).
# NOT RECOMMENDED.
#
#listening-device=eth0
# TURN listener port for UDP and TCP (Default: 3478).
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
listening-port=<%= @listening_port %>
# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
# port(s), too - if allowed by configuration. The TURN server
# "automatically" recognizes the type of traffic. Actually, two listening
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, we currently support SSL version 3 and
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, we support DTLS version 1.
#
tls-listening-port=<%= @tls_listening_port %>
# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
# This is needed for RFC 5780 support
# (STUN extension specs, NAT behavior discovery). The TURN Server
# supports RFC 5780 only if it is started with more than one
# listening IP address of the same family (IPv4 or IPv6).
# RFC 5780 is supported only by UDP protocol, other protocols
# are listening to that endpoint only for "symmetry".
#
#alt-listening-port=0
# Alternative listening port for TLS and DTLS protocols.
# Default (or zero) value means "TLS listening port plus one".
#
#alt-tls-listening-port=0
# Listener IP address of relay server. Multiple listeners can be specified.
# If no IP(s) specified in the config file or in the command line options,
# then all IPv4 and IPv6 system IPs will be used for listening.
#
listening-ip=<%= @listening_ip %>
#listening-ip=10.207.21.238
#listening-ip=2607:f0d0:1002:51::4
# Auxiliary STUN/TURN server listening endpoint.
# Aux servers have almost full TURN and STUN functionality.
# The (minor) limitations are:
#
# 1) Auxiliary servers do not have alternative ports and
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
#
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
#
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
#
# There may be multiple aux-server options, each will be used for listening
# to client requests.
#
#aux-server=172.17.19.110:33478
#aux-server=[2607:f0d0:1002:51::4]:33478
# (recommended for older Linuxes only)
# Automatically balance UDP traffic over auxiliary servers (if configured).
# The load balancing is using the ALTERNATE-SERVER mechanism.
# The TURN client must support 300 ALTERNATE-SERVER response for this
# functionality.
#
#udp-self-balance
# Relay interface device for relay sockets (optional, Linux only).
# NOT RECOMMENDED.
#
#relay-device=eth1
# Relay address (the local IP address that will be used to relay the
# packets to the peer).
# Multiple relay addresses may be used.
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
#
# If no relay IP(s) specified, then the turnserver will apply the default
# policy: it will decide itself which relay addresses to be used, and it
# will always be using the client socket IP address as the relay IP address
# of the TURN session (if the requested relay address family is the same
# as the family of the client socket).
#
relay-ip=<%= @relay_ip %>
#relay-ip=2607:f0d0:1002:51::5
# For Amazon EC2 users:
#
# TURN Server public/private address mapping, if the server is behind NAT.
# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
# as relay IP address of all allocations. This scenario works only in a simple case
# when one single relay address is be used, and no RFC5780 functionality is required.
# That single relay address must be mapped by NAT to the 'external' IP.
# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
# For that 'external' IP, NAT must forward ports directly (relayed port 12345
# must be always mapped to the same 'external' port 12345).
#
# In more complex case when more than one IP address is involved,
# that option must be used several times, each entry must
# have form "-X <public-ip/private-ip>", to map all involved addresses.
# RFC5780 NAT discovery STUN functionality will work correctly,
# if the addresses are mapped properly, even when the TURN server itself
# is behind A NAT.
#
# By default, this value is empty, and no address mapping is used.
#
#external-ip=60.70.80.91
#
#OR:
#
#external-ip=60.70.80.91/172.17.19.101
#external-ip=60.70.80.92/172.17.19.102
# Number of the relay threads to handle the established connections
# (in addition to authentication thread and the listener thread).
# If explicitly set to 0 then application runs relay process in a
# single thread, in the same thread with the listener process
# (the authentication thread will still be a separate thread).
#
# If this parameter is not set, then the default OS-dependent
# thread pattern algorithm will be employed. Usually the default
# algorithm is the most optimal, so you have to change this option
# only if you want to make some fine tweaks.
#
# In the older systems (Linux kernel before 3.9),
# the number of UDP threads is always one thread per network listening
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
# 1 (one) value is set.
#
#relay-threads=0
# Lower and upper bounds of the UDP relay endpoints:
# (default values are 49152 and 65535)
#
min-port=<%= @min_port %>
max-port=<%= @max_port %>
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
# By default the verbose mode is off.
verbose
# Uncomment to run TURN server in 'extra' verbose mode.
# This mode is very annoying and produces lots of output.
# Not recommended under any normal circumstances.
#
#Verbose
# Uncomment to use fingerprints in the TURN messages.
# By default the fingerprints are off.
#
#fingerprint
# Uncomment to use long-term credential mechanism.
# By default no credentials mechanism is used (any user allowed).
#
#lt-cred-mech
# This option is opposite to lt-cred-mech.
# (TURN Server with no-auth option allows anonymous access).
# If neither option is defined, and no users are defined,
# then no-auth is default. If at least one user is defined,
# in this file or in command line or in usersdb file, then
# lt-cred-mech is default.
#
#no-auth
# TURN REST API flag.
# (Time Limited Long Term Credential)
# Flag that sets a special authorization option that is based upon authentication secret.
#
# This feature's purpose is to support "TURN Server REST API", see
# "TURN REST API" link in the project's page
# https://github.com/coturn/coturn/
#
# This option is used with timestamp:
#
# usercombo -> "timestamp:userid"
# turn user -> usercombo
# turn password -> base64(hmac(secret key, usercombo))
#
# This allows TURN credentials to be accounted for a specific user id.
# If you don't have a suitable id, the timestamp alone can be used.
# This option is just turning on secret-based authentication.
# The actual value of the secret is defined either by option static-auth-secret,
# or can be found in the turn_secret table in the database (see below).
#
# Read more about it:
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
#
# Be aware that use-auth-secret overrides some part of lt-cred-mech.
# Notice that this feature depends internally on lt-cred-mech, so if you set
# use-auth-secret then it enables internally automatically lt-cred-mech option
# like if you enable both.
#
# You can use only one of the to auth mechanisms in the same time because,
# both mechanism use the username and password validation in different way.
#
# This way be aware that you can't use both auth mechnaism in the same time!
# Use in config either the lt-cred-mech or the use-auth-secret
# to avoid any confusion.
#
use-auth-secret
# 'Static' authentication secret value (a string) for TURN REST API only.
# If not set, then the turn server
# will try to use the 'dynamic' value in turn_secret table
# in user database (if present). The database-stored value can be changed on-the-fly
# by a separate program, so this is why that other mode is 'dynamic'.
#
static-auth-secret=<%= @static_auth_secret %>
# Server name used for
# the oAuth authentication purposes.
# The default value is the realm name.
#
#server-name=blackdow.carleon.gov
# Flag that allows oAuth authentication.
#
#oauth
# 'Static' user accounts for long term credentials mechanism, only.
# This option cannot be used with TURN REST API.
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so that they can NOT be changed while the turnserver is running.
#
#user=username1:key1
#user=username2:key2
# OR:
#user=username1:password1
#user=username2:password2
#
# Keys must be generated by turnadmin utility. The key value depends
# on user name, realm, and password:
#
# Example:
# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
# ('0x' in the beginning of the key is what differentiates the key from
# password. If it has 0x then it is a key, otherwise it is a password).
#
# The corresponding user account entry in the config file will be:
#
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
# Or, equivalently, with open clear password (less secure):
#user=ninefingers:youhavetoberealistic
#
# SQLite database file name.
#
# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
# /var/lib/turn/turndb.
#
#userdb=/var/db/turndb
# PostgreSQL database connection string in the case that we are using PostgreSQL
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
# versions connection string format, see
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
# for 9.x and newer connection string formats.
#
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
# MySQL database connection string in the case that we are using MySQL
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
#
# Optional connection string parameters for the secure communications (SSL):
# ca, capath, cert, key, cipher
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
# command options description).
#
# Use string format as below (space separated parameters, all optional):
#
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
# If you want to use in the MySQL connection string the password in encrypted format,
# then set in this option the MySQL password encryption secret key file.
#
# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
# If you want to use cleartext password then do not set this option!
#
# This is the file path which contain secret key of aes encryption while using password encryption.
#
#secret-key-file=/path/
# MongoDB database connection string in the case that we are using MongoDB
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
#
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
# Redis database connection string in the case that we are using Redis
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use string format as below (space separated parameters, all optional):
#
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
# This database keeps allocations status information, and it can be also used for publishing
# and delivering traffic and allocation event notifications.
# The connection string has the same parameters as redis-userdb connection string.
# Use string format as below (space separated parameters, all optional):
#
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# The default realm to be used for the users when no explicit
# origin/realm relationship was found in the database, or if the TURN
# server is not using any database (just the commands-line settings
# and the userdb file). Must be used with long-term credentials
# mechanism or with TURN REST API.
#
# Note: If default realm is not specified at all, then realm falls back to the host domain name.
# If domain name is empty string, or '(None)', then it is initialized to am empty string.
#
realm=<%= @realm %>
# The flag that sets the origin consistency
# check: across the session, all requests must have the same
# main ORIGIN attribute value (if the ORIGIN was
# initially used by the session).
#
#check-origin-consistency
# Per-user allocation quota.
# default value is 0 (no quota, unlimited number of sessions per user).
# This option can also be set through the database, for a particular realm.
#
#user-quota=0
# Total allocation quota.
# default value is 0 (no quota).
# This option can also be set through the database, for a particular realm.
#
#total-quota=0
# Max bytes-per-second bandwidth a TURN session is allowed to handle
# (input and output network streams are treated separately). Anything above
# that limit will be dropped or temporary suppressed (within
# the available buffer limits).
# This option can also be set through the database, for a particular realm.
#
#max-bps=0
#
# Maximum server capacity.
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
# for the sessions, combined (input and output network streams are treated separately).
#
# bps-capacity=0
# Uncomment if no UDP client listener is desired.
# By default UDP client listener is always started.
#
#no-udp
# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp
# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
#no-tls
# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
#no-dtls
# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
#
#no-udp-relay
# Uncomment if no TCP relay endpoints are allowed.
# By default TCP relay endpoints are enabled (like in RFC 6062).
#
#no-tcp-relay
# Uncomment if extra security is desired,
# with nonce value having limited lifetime.
# By default, the nonce value is unique for a session,
# and has unlimited lifetime.
# Set this option to limit the nonce lifetime.
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
# the client will get 438 error and will have to re-authenticate itself.
#
#stale-nonce=600
# Uncomment if you want to set the maximum allocation
# time before it has to be refreshed.
# Default is 3600s.
#
#max-allocate-lifetime=3600
# Uncomment to set the lifetime for the channel.
# Default value is 600 secs (10 minutes).
# This value MUST not be changed for production purposes.
#
#channel-lifetime=600
# Uncomment to set the permission lifetime.
# Default to 300 secs (5 minutes).
# In production this value MUST not be changed,
# however it can be useful for test purposes.
#
#permission-lifetime=300
# Certificate file.
# Use an absolute path or path relative to the
# configuration file.
#
cert=<%= @cert %>
# Private key file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
pkey=<%= @pkey %>
# Private key file password, if it is in encoded format.
# This option has no default value.
#
#pkey-pwd=...
# Allowed OpenSSL cipher list for TLS/DTLS connections.
# Default value is "DEFAULT".
#
#cipher-list="DEFAULT"
# CA file in OpenSSL format.
# Forces TURN server to verify the client SSL certificates.
# By default it is not set: there is no default value and the client
# certificate is not checked.
#
# Example:
#CA-file=/etc/ssh/id_rsa.cert
# Curve name for EC ciphers, if supported by OpenSSL
# library (TLS and DTLS). The default value is prime256v1,
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
# an optimal curve will be automatically calculated, if not defined
# by this option.
#
#ec-curve-name=prime256v1
# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh566
# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh2066
# Use custom DH TLS key, stored in PEM format in the file.
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
#
#dh-file=<DH-PEM-file-name>
# Flag to prevent stdout log messages.
# By default, all log messages are going to both stdout and to
# the configured log file. With this option everything will be
# going to the configured log only (unless the log file itself is stdout).
#
#no-stdout-log
# Option to set the log file name.
# By default, the turnserver tries to open a log file in
# /var/log, /var/tmp, /tmp and current directories directories
# (which open operation succeeds first that file will be used).
# With this option you can set the definite log file name.
# The special names are "stdout" and "-" - they will force everything
# to the stdout. Also, the "syslog" name will force everything to
# the system log (syslog).
# In the runtime, the logfile can be reset with the SIGHUP signal
# to the turnserver process.
#
#log-file=/var/tmp/turn.log
# Option to redirect all log output into system log (syslog).
#
syslog
# This flag means that no log file rollover will be used, and the log file
# name will be constructed as-is, without PID and date appendage.
# This option can be used, for example, together with the logrotate tool.
#
#simple-log
# Option to set the "redirection" mode. The value of this option
# will be the address of the alternate server for UDP & TCP service in form of
# <ip>[:<port>]. The server will send this value in the attribute
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
# Client will receive only values with the same address family
# as the client network endpoint address family.
# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
# The client must use the obtained value for subsequent TURN communications.
# If more than one --alternate-server options are provided, then the functionality
# can be more accurately described as "load-balancing" than a mere "redirection".
# If the port number is omitted, then the default port
# number 3478 for the UDP/TCP protocols will be used.
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
# in square brackets in such resource identifiers, for example:
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
# Multiple alternate servers can be set. They will be used in the
# round-robin manner. All servers in the pool are considered of equal weight and
# the load will be distributed equally. For example, if we have 4 alternate servers,
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
# address can be used more than one time with the alternate-server option, so this
# can emulate "weighting" of the servers.
#
# Examples:
#alternate-server=1.2.3.4:5678
#alternate-server=11.22.33.44:56789
#alternate-server=5.6.7.8
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
# Option to set alternative server for TLS & DTLS services in form of
# <ip>:<port>. If the port number is omitted, then the default port
# number 5349 for the TLS/DTLS protocols will be used. See the previous
# option for the functionality description.
#
# Examples:
#tls-alternate-server=1.2.3.4:5678
#tls-alternate-server=11.22.33.44:56789
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
# Option to suppress TURN functionality, only STUN requests will be processed.
# Run as STUN server only, all TURN requests will be ignored.
# By default, this option is NOT set.
#
#stun-only
# Option to suppress STUN functionality, only TURN requests will be processed.
# Run as TURN server only, all STUN requests will be ignored.
# By default, this option is NOT set.
#
#no-stun
# This is the timestamp/username separator symbol (character) in TURN REST API.
# The default value is ':'.
# rest-api-separator=:
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
#
# (To avoid any security issue that allowing loopback access may raise,
# the no-loopback-peers option is replaced by allow-loopback-peers.)
#
# Allow it only for testing in a development environment!
# In production it adds a possible security vulnerability, so for security reasons
# it is not allowed using it together with empty cli-password.
#
#allow-loopback-peers
# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
# This is an extra security measure.
#
#no-multicast-peers
# Option to set the max time, in seconds, allowed for full allocation establishment.
# Default is 60 seconds.
#
#max-allocate-timeout=60
# Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip
# addresses, except for a few specific ips within that range.
#
# This can be used when you do not want users of the turn server to be able to access
# machines reachable by the turn server, but would otherwise be unreachable from the
# internet (e.g. when the turn server is sitting behind a NAT)
#
# Examples:
# denied-peer-ip=83.166.64.0-83.166.95.255
# allowed-peer-ip=83.166.68.45
# File name to store the pid of the process.
# Default is /var/run/turnserver.pid (if superuser account is used) or
# /var/tmp/turnserver.pid .
#
#pidfile="/var/run/turnserver.pid"
# Require authentication of the STUN Binding request.
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun
# Mobility with ICE (MICE) specs support.
#
#mobility
# Allocate Address Family according
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default coTURN works according RFC 6156.)
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
#
#keep-address-family
# User name to run the process. After the initialization, the turnserver process
# will make an attempt to change the current user ID to that user.
#
#proc-user=<user-name>
# Group name to run the process. After the initialization, the turnserver process
# will make an attempt to change the current group ID to that group.
#
#proc-group=<group-name>
# Turn OFF the CLI support.
# By default it is always ON.
# See also options cli-ip and cli-port.
#
no-cli
#Local system IP address to be used for CLI server endpoint. Default value
# is 127.0.0.1.
#
#cli-ip=127.0.0.1
# CLI server port. Default is 5766.
#
#cli-port=5766
# CLI access password. Default is empty (no password).
# For the security reasons, it is recommended to use the encrypted
# for of the password (see the -P command in the turnadmin utility).
#
# Secure form for password 'qwerty':
#
#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
#
# Or unsecure form for the same password:
#
#cli-password=qwerty
# Enable Web-admin support on https. By default it is Disabled.
# If it is enabled it also enables a http a simple static banner page
# with a small reminder that the admin page is available only on https.
#
#web-admin
# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
#
#web-admin-ip=127.0.0.1
# Web-admin server port. Default is 8080.
#
#web-admin-port=8080
# Web-admin server listen on STUN/TURN worker threads
# By default it is disabled for security resons! (Not recommended in any production environment!)
#
#web-admin-listen-on-workers
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when we want to run
# server applications on the relay endpoints.
# This option eliminates the IP permissions check on
# the packets incoming to the relay endpoints.
#
#server-relay
# Maximum number of output sessions in ps CLI command.
# This value can be changed on-the-fly in CLI. The default value is 256.
#
#cli-max-output-sessions
# Set network engine type for the process (for internal purposes).
#
#ne=[1|2|3]
# Do not allow an TLS/DTLS version of protocol
#
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2

7
site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
View File

@@ -1,8 +1,7 @@
# Generated by Chef for <%= @host[:name] %>
certfiles:
<% @host[:certfiles].each do |certfile| %>
- <%= certfile %>
<% end %>
- "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
- "/opt/ejabberd/conf/<%= @host[:name] %>.key"
host_config:
"<%= @host[:name] %>":
sql_type: pgsql
@@ -17,7 +16,7 @@ host_config:
ldap_password: "<%= @host[:ldap_password] %>"
ldap_encrypt: <%= @ldap_encryption_type %>
ldap_base: "ou=<%= @host[:name] %>,<%= @ldap_base %>"
ldap_filter: "<%= @ldap_filter %>"
ldap_filter: "(objectClass=person)"
<% end -%>
append_host_config:

1
site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb
View File

@@ -4,7 +4,6 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
tls_cert_for domain do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org"
action :create
end

1
site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb
View File

@@ -5,7 +5,6 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
tls_cert_for domain do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org"
action :create
end

Some files were not shown because too many files have changed in this diff Show More