### Install Chef Workstation

* macOS, Windows, RHEL, Ubuntu: https://docs.chef.io/workstation/install_workstation/
* Arch Linux: https://aur.archlinux.org/packages/chef-workstation

#### rbenv

If you use rbenv to manage Ruby versions on your system, install the
(rbenv-chef-workstation)[https://github.com/docwhat/rbenv-chef-workstation]
plugin.

### Install gem dependencies

    bundle install

### Bootstrap a new server

    knife zero bootstrap root@dev.kosmos.org --run-list "recipe[kosmos-base],..." -j '{"example_cookbook":{"memory_max":"256M"}}' --secret-file .chef/encrypted_data_bag_secret

### Bootstrap a new VM

    knife zero bootstrap ubuntu@zerotier-ip-address -x ubuntu --sudo --run-list "recipe[kosmos-base]" --secret-file .chef/encrypted_data_bag_secret

### Run Chef Zero

    knife zero converge name:dev.kosmos.org

### Run Chef Zero on a VM

    knife zero converge -a knife_zero.host name:vm-name-23

### Update Chef Client on a server:

    knife zero converge name:dev.kosmos.org --client-version 15.3.14

### Managing cookbooks

Cookbooks are managed via Berkshelf. Run `berks --help` for command help.

Install cookbooks listed in Berksfile:

    berks install

Vendor installed cookbooks to the `cookbooks/` dir:

    berks vendor cookbooks/ --delete

### "Expired" TLS certificates

If you encounter expired TLS certificates during a Chef run (e.g. for remote
files), the issue is likely that the certificate has been issued by Let's
Encrypt and Chef is still using its own, outdated CA cert store (see
[here](https://github.com/chef/chef/issues/12126#issuecomment-932067530) for
example).

As a hotfix, you can manually remove the "DST Root CA X3" cert from
`/opt/chef/embedded/ssl/cert.pem` on the machine you're trying to converge.