From: Tom Hughes <tom@compton.nu>
Date: Sun, 4 May 2025 18:29:08 +0000 (+0100)
Subject: Remove redundant configuration
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/refs/heads/master?hp=6da6c1910ca185fa00079a0542de71992e0fe49f

Remove redundant configuration
---

diff --git a/.github/workflows/test-kitchen.yml b/.github/workflows/test-kitchen.yml
index 201c69b46..0587f1bf5 100644
--- a/.github/workflows/test-kitchen.yml
+++ b/.github/workflows/test-kitchen.yml
@@ -127,6 +127,10 @@ jobs:
             suite: osqa
           - os: debian-12
             suite: apt-repository
+          - os: debian-12
+            suite: blogs
+          - os: debian-12
+            suite: community
           - os: debian-12
             suite: dev
           - os: debian-12
@@ -139,16 +143,30 @@ jobs:
             suite: gps-tile
           - os: debian-12
             suite: imagery-tiler
+          - os: debian-12
+            suite: irc
           - os: debian-12
             suite: letsencrypt
           - os: debian-12
             suite: matomo
+          - os: debian-12
+            suite: nominatim
           - os: debian-12
             suite: otrs
+          - os: debian-12
+            suite: overpass
+          - os: debian-12
+            suite: prometheus-server
           - os: debian-12
             suite: serverinfo
+          - os: debian-12
+            suite: subversion
           - os: debian-12
             suite: supybot
+          - os: debian-12
+            suite: taginfo
+          - os: debian-12
+            suite: trac
           - os: debian-12
             suite: vectortile
           - os: debian-12
@@ -162,6 +180,10 @@ jobs:
         exclude:
           - suite: apt-repository
             os: ubuntu-2204
+          - suite: blogs
+            os: ubuntu-2204
+          - suite: community
+            os: ubuntu-2204
           - suite: dev
             os: ubuntu-2204
           - suite: dns
@@ -172,20 +194,34 @@ jobs:
             os: ubuntu-2204
           - suite: gps-tile
             os: ubuntu-2204
+          - suite: irc
+            os: ubuntu-2204
           - suite: letsencrypt
             os: ubuntu-2204
           - suite: mailman
             os: ubuntu-2204
           - suite: matomo
             os: ubuntu-2204
+          - suite: nominatim
+            os: ubuntu-2204
           - suite: osqa
             os: ubuntu-2204
           - suite: otrs
             os: ubuntu-2204
+          - suite: overpass
+            os: ubuntu-2204
+          - suite: prometheus-server
+            os: ubuntu-2204
           - suite: serverinfo
             os: ubuntu-2204
+          - suite: subversion
+            os: ubuntu-2204
           - suite: supybot
             os: ubuntu-2204
+          - suite: taginfo
+            os: ubuntu-2204
+          - suite: trac
+            os: ubuntu-2204
           - suite: vectortile
             os: ubuntu-2204
           - suite: web-cgimap
@@ -194,6 +230,8 @@ jobs:
             os: ubuntu-2204
           - suite: web-rails
             os: ubuntu-2204
+          - suite: wiki
+            os: ubuntu-2204
       fail-fast: false
     steps:
     - name: Login to GitHub Container Registry
diff --git a/Gemfile.lock b/Gemfile.lock
index 49f039957..48cfe23a6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -277,9 +277,9 @@ GEM
     benchmark (0.4.0)
     bigdecimal (3.1.9)
     builder (3.3.0)
-    chef-config (18.6.2)
+    chef-config (18.7.6)
       addressable
-      chef-utils (= 18.6.2)
+      chef-utils (= 18.7.6)
       fuzzyurl
       mixlib-config (>= 2.2.12, < 4.0)
       mixlib-shellout (>= 2.0, < 4.0)
@@ -287,13 +287,13 @@ GEM
     chef-telemetry (1.1.1)
       chef-config
       concurrent-ruby (~> 1.0)
-    chef-utils (18.6.2)
+    chef-utils (18.7.6)
       concurrent-ruby
     coderay (1.1.3)
     concurrent-ruby (1.3.5)
-    connection_pool (2.5.0)
-    cookstyle (7.32.8)
-      rubocop (= 1.25.1)
+    connection_pool (2.5.2)
+    cookstyle (8.1.1)
+      rubocop (= 1.75.3)
     declarative (0.0.20)
     diff-lcs (1.6.1)
     docker-api (2.4.0)
@@ -315,7 +315,15 @@ GEM
     faraday-net_http (1.0.2)
     faraday_middleware (1.0.0)
       faraday (~> 1.0)
-    ffi (1.17.0)
+    ffi (1.17.2)
+    ffi (1.17.2-aarch64-linux-gnu)
+    ffi (1.17.2-aarch64-linux-musl)
+    ffi (1.17.2-arm-linux-gnu)
+    ffi (1.17.2-arm-linux-musl)
+    ffi (1.17.2-x86-linux-gnu)
+    ffi (1.17.2-x86-linux-musl)
+    ffi (1.17.2-x86_64-linux-gnu)
+    ffi (1.17.2-x86_64-linux-musl)
     fuzzyurl (0.9.0)
     google-apis-admin_directory_v1 (0.46.0)
       google-apis-core (>= 0.11.0, < 2.a)
@@ -388,7 +396,7 @@ GEM
       tty-prompt (~> 0.17)
       tty-table (~> 0.10)
     jmespath (1.6.2)
-    json (2.10.2)
+    json (2.11.3)
     jwt (2.10.1)
       base64
     kitchen-dokken (2.20.7)
@@ -399,11 +407,13 @@ GEM
       hashie (>= 3.4, <= 5.0)
       inspec (>= 2.2.64, < 7.0)
       test-kitchen (>= 2.7, < 4)
+    language_server-protocol (3.17.0.4)
     license-acceptance (2.1.13)
       pastel (~> 0.7)
       tomlrb (>= 1.2, < 3.0)
       tty-box (~> 0.6)
       tty-prompt (~> 0.20)
+    lint_roller (1.1.0)
     little-plugger (1.1.4)
     lockfile (2.1.3)
     logger (1.7.0)
@@ -419,9 +429,9 @@ GEM
       mixlib-shellout
       mixlib-versioning
       thor
-    mixlib-log (3.2.0)
-      ffi (~> 1.9, <= 1.17.0)
-    mixlib-shellout (3.3.8)
+    mixlib-log (3.2.3)
+      ffi (>= 1.15.5)
+    mixlib-shellout (3.3.9)
       chef-utils
     mixlib-versioning (1.2.12)
     ms_rest (0.7.6)
@@ -444,8 +454,8 @@ GEM
     nori (2.7.1)
       bigdecimal
     os (1.1.4)
-    parallel (1.26.3)
-    parser (3.3.7.3)
+    parallel (1.27.0)
+    parser (3.3.8.0)
       ast (~> 2.4.1)
       racc
     parslet (2.0.0)
@@ -481,16 +491,18 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-support (3.13.2)
-    rubocop (1.25.1)
+    rubocop (1.75.3)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
-      parser (>= 3.1.0.0)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml
-      rubocop-ast (>= 1.15.1, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.43.0)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.44.1)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
     ruby-progressbar (1.13.0)
@@ -687,7 +699,15 @@ GEM
     zeitwerk (2.6.18)
 
 PLATFORMS
+  aarch64-linux-gnu
+  aarch64-linux-musl
+  arm-linux-gnu
+  arm-linux-musl
   ruby
+  x86-linux-gnu
+  x86-linux-musl
+  x86_64-linux-gnu
+  x86_64-linux-musl
 
 DEPENDENCIES
   cookstyle
@@ -697,4 +717,4 @@ DEPENDENCIES
   zeitwerk (< 2.7)
 
 BUNDLED WITH
-   2.2.16
+   2.6.2
diff --git a/cookbooks/accounts/files/default/craig/.ssh/authorized_keys b/cookbooks/accounts/files/default/craig/.ssh/authorized_keys
new file mode 100644
index 000000000..101e5e13c
--- /dev/null
+++ b/cookbooks/accounts/files/default/craig/.ssh/authorized_keys
@@ -0,0 +1,2 @@
+# DO NOT EDIT - This file is being maintained by Chef - use authorized_keys2 instead
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCc26tRbrQoczW3UFfXkdt6auqFg/Ut6spGMT476fFsJFjaYp98E2lca2W9vyJq4nSn0tdxwcO4LGK1ACdhZ/81I/68d7CPv5zNjJMehgwQ1BJTM5HWaap08cEINZMQ0xt6Neyz+HIFiaJVzxmyLJCnaaCeQX/t2NmL+nQV6rJq4qS2L434Bw1qGM73zjNja4bB2IN0y5yWDRTSLg+t+DKH26DC4OJn4+pxKsyt2egB7MNj9my1MRcjPVeo/bxz3nWoxKtX9dWq9UFrd7trfSXK+7Y+9fFHl41rrrYbn3UFKcDL6Rzvp2bFytDW6FlWmuptGajWnm2HpqI69bsO7uw1
diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb
index cade29d31..a17e2f4cb 100644
--- a/cookbooks/apache/recipes/default.rb
+++ b/cookbooks/apache/recipes/default.rb
@@ -114,7 +114,7 @@ fail2ban_jail "apache-forbidden" do
 end
 
 fail2ban_filter "apache-evasive" do
-  failregex ": Blacklisting address <ADDR>: possible DoS attack\.$"
+  failregex ": Blacklisting address <ADDR>: possible DoS attack\\.$"
 end
 
 fail2ban_jail "apache-evasive" do
diff --git a/cookbooks/apt/recipes/default.rb b/cookbooks/apt/recipes/default.rb
index 2ead9baf2..1d876dfb0 100644
--- a/cookbooks/apt/recipes/default.rb
+++ b/cookbooks/apt/recipes/default.rb
@@ -49,7 +49,7 @@ if platform?("debian")
   archive_components = %w[main contrib non-free non-free-firmware]
   backport_packages = case node[:lsb][:codename]
                       when "bookworm" then %W[amd64-microcode exim4 firmware-free firmware-nonfree intel-microcode libosmium linux-signed-#{dpkg_arch} osm2pgsql otrs2 pyosmium smartmontools systemd cgi-mapserver]
-                      else %W[]
+                      else %w[]
                       end
 elsif intel?
   archive_host = if node[:country]
diff --git a/cookbooks/awscli/recipes/default.rb b/cookbooks/awscli/recipes/default.rb
index 22684864d..90574c3bb 100644
--- a/cookbooks/awscli/recipes/default.rb
+++ b/cookbooks/awscli/recipes/default.rb
@@ -77,12 +77,25 @@ ruby_block "install-awscli" do
     require "fileutils"
     awscli_version_string = shell_out("#{cache_dir}/awscli/dist/aws", "--version")
     awscli_version = awscli_version_string.stdout.split(" ").first.split("/").last
-    FileUtils.mkdir_p("/opt/awscli/v2/#{awscli_version}/bin/", :mode => 0755)
-    FileUtils.mv("#{cache_dir}/awscli/dist", "/opt/awscli/v2/#{awscli_version}/dist", :force => true)
-    FileUtils.ln_sf("/opt/awscli/v2/#{awscli_version}/dist/aws", "/opt/awscli/v2/#{awscli_version}/bin/aws")
-    FileUtils.ln_sf("/opt/awscli/v2/#{awscli_version}/dist/aws_completer", "/opt/awscli/v2/#{awscli_version}/bin/aws_completer")
-    FileUtils.rm("/opt/awscli/v2/current") if File.exist?("/opt/awscli/v2/current")
-    FileUtils.ln_sf("/opt/awscli/v2/#{awscli_version}", "/opt/awscli/v2/current")
+
+    install_dir = "/opt/awscli/v2/#{awscli_version}"
+
+    FileUtils.mkdir_p("#{install_dir}/bin/", :mode => 0755)
+    FileUtils.mv("#{cache_dir}/awscli/dist", "#{install_dir}/dist", :force => true)
+    FileUtils.ln_sf("#{install_dir}/dist/aws", "#{install_dir}/bin/aws")
+    FileUtils.ln_sf("#{install_dir}/dist/aws_completer", "#{install_dir}/bin/aws_completer")
+
+    FileUtils.rm_f("/opt/awscli/v2/current")
+    FileUtils.ln_sf(install_dir, "/opt/awscli/v2/current")
+
+    # Retain the last 5 versions, including the current one
+    versions = Dir.glob("/opt/awscli/v2/*").select { |dir| File.directory?(dir) && dir != "/opt/awscli/v2/current" }
+    versions.sort_by! { |dir| File.mtime(dir) }.reverse!
+    versions_to_delete = versions[5..] || []
+
+    versions_to_delete.each do |dir|
+      FileUtils.rm_rf(dir)
+    end
   end
   action :nothing
   subscribes :run, "archive_file[#{cache_dir}/#{awscli_zip}]", :immediately
diff --git a/cookbooks/blogs/recipes/default.rb b/cookbooks/blogs/recipes/default.rb
index 5c650f242..86dfd3afe 100644
--- a/cookbooks/blogs/recipes/default.rb
+++ b/cookbooks/blogs/recipes/default.rb
@@ -22,7 +22,7 @@ include_recipe "apache"
 include_recipe "git"
 include_recipe "ruby"
 
-package %W[
+package %w[
   make
   gcc
   g++
diff --git a/cookbooks/civicrm/recipes/default.rb b/cookbooks/civicrm/recipes/default.rb
index 2aed4f64f..d10ed0788 100644
--- a/cookbooks/civicrm/recipes/default.rb
+++ b/cookbooks/civicrm/recipes/default.rb
@@ -200,21 +200,21 @@ node[:civicrm][:extensions].each_value do |details|
 end
 
 settings = edit_file "#{civicrm_directory}/civicrm/templates/CRM/common/civicrm.settings.php.template" do |line|
-  line.gsub!(/%%cms%%/, "WordPress")
-  line.gsub!(/%%CMSdbUser%%/, "civicrm")
-  line.gsub!(/%%CMSdbPass%%/, database_password)
-  line.gsub!(/%%CMSdbHost%%/, "localhost")
-  line.gsub!(/%%CMSdbName%%/, "civicrm")
-  line.gsub!(/%%dbUser%%/, "civicrm")
-  line.gsub!(/%%dbPass%%/, database_password)
-  line.gsub!(/%%dbHost%%/, "localhost")
-  line.gsub!(/%%dbName%%/, "civicrm")
-  line.gsub!(/%%crmRoot%%/, "#{civicrm_directory}/civicrm/")
-  line.gsub!(/%%templateCompileDir%%/, "/srv/supporting.openstreetmap.org/wp-content/uploads/civicrm/templates_c/")
-  line.gsub!(/%%baseURL%%/, "http://supporting.openstreetmap.org/")
-  line.gsub!(/%%siteKey%%/, site_key)
-  line.gsub!(/%%credKeys%%/, cred_keys)
-  line.gsub!(/%%signKeys%%/, sign_keys)
+  line.gsub!("%%cms%%", "WordPress")
+  line.gsub!("%%CMSdbUser%%", "civicrm")
+  line.gsub!("%%CMSdbPass%%", database_password)
+  line.gsub!("%%CMSdbHost%%", "localhost")
+  line.gsub!("%%CMSdbName%%", "civicrm")
+  line.gsub!("%%dbUser%%", "civicrm")
+  line.gsub!("%%dbPass%%", database_password)
+  line.gsub!("%%dbHost%%", "localhost")
+  line.gsub!("%%dbName%%", "civicrm")
+  line.gsub!("%%crmRoot%%", "#{civicrm_directory}/civicrm/")
+  line.gsub!("%%templateCompileDir%%", "/srv/supporting.openstreetmap.org/wp-content/uploads/civicrm/templates_c/")
+  line.gsub!("%%baseURL%%", "http://supporting.openstreetmap.org/")
+  line.gsub!("%%siteKey%%", site_key)
+  line.gsub!("%%credKeys%%", cred_keys)
+  line.gsub!("%%signKeys%%", sign_keys)
   line.gsub!(%r{// *define\('CIVICRM_CMSDIR', '/path/to/install/root/'\);}, "define('CIVICRM_CMSDIR', '/srv/supporting.openstreetmap.org');")
   # Don't recompile smarty templates on every call https://docs.civicrm.org/sysadmin/en/latest/setup/optimizations/#disable-compile-check
   line.gsub!(%r{//  define\('CIVICRM_TEMPLATE_COMPILE_CHECK', FALSE\);}, "define('CIVICRM_TEMPLATE_COMPILE_CHECK', FALSE);")
diff --git a/cookbooks/community/recipes/default.rb b/cookbooks/community/recipes/default.rb
index 55238e824..73739ac30 100644
--- a/cookbooks/community/recipes/default.rb
+++ b/cookbooks/community/recipes/default.rb
@@ -63,7 +63,7 @@ git "/srv/community.openstreetmap.org/docker" do
   action :sync
   repository "https://github.com/discourse/discourse_docker.git"
   # DANGER launch wrapper automatically updates git repo if rebuild method used: https://github.com/discourse/discourse_docker/blob/107ffb40fe8b1ea40e00814468db974a4f3f8e8f/launcher#L799
-  revision "e42fa9711e9a8b27e9618342b5b456d3ba5b8025"
+  revision "721facba644f645211571026d6677b015c15e5d6"
   user "root"
   group "root"
   notifies :run, "notify_group[discourse_container_new_data]"
diff --git a/cookbooks/community/templates/default/web_only.yml.erb b/cookbooks/community/templates/default/web_only.yml.erb
index 587507a43..fddb054a9 100644
--- a/cookbooks/community/templates/default/web_only.yml.erb
+++ b/cookbooks/community/templates/default/web_only.yml.erb
@@ -19,7 +19,7 @@ links:
 # any extra arguments for Docker?
 # docker_args:
 
-# Latest Version v3.4.2
+# Latest Version v3.4.3
 # Discourse only support tests-passed and stable branches
 params:
   version: stable
diff --git a/cookbooks/devices/metadata.rb b/cookbooks/devices/metadata.rb
index 2f71f6857..a25b0e16f 100644
--- a/cookbooks/devices/metadata.rb
+++ b/cookbooks/devices/metadata.rb
@@ -6,3 +6,4 @@ description      "Configures devices"
 
 version          "0.1"
 supports         "ubuntu"
+depends          "chef"
diff --git a/cookbooks/devices/templates/default/udev.rules.erb b/cookbooks/devices/templates/default/udev.rules.erb
index be9903891..ad2451afa 100644
--- a/cookbooks/devices/templates/default/udev.rules.erb
+++ b/cookbooks/devices/templates/default/udev.rules.erb
@@ -95,47 +95,6 @@ SUBSYSTEM=="net", ACTION=="add", ATTRS{vendor}=="0x8086", ATTRS{device}=="0x37d2
 # Disable Firmware Based LLDP handler
 SUBSYSTEM=="net", ACTION=="add", ENV{INTERFACE}=="*", DRIVERS=="i40e", RUN+="/sbin/ethtool --set-priv-flags $name disable-fw-lldp on"
 
-# Workaround unreliable Western Digital WD RE3/RE4 disks (ATA only)
-# Set sufficent Linux subsystem timeout and fix severe NCQ performance issue
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD5002ABYS-02B1B0", ATTR{device/timeout}="90", ATTR{device/queue_depth}="1", ATTR{queue/nr_requests}="256"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD1002FBYS-02A6B0", ATTR{device/timeout}="90", ATTR{device/queue_depth}="1", ATTR{queue/nr_requests}="256"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD1003FBYX-01Y7B0", ATTR{device/timeout}="90", ATTR{device/queue_depth}="1", ATTR{queue/nr_requests}="256"
-# Disable Disk Write Cache, Set AAM and Power Management correctly
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD1002FBYS-02A6B0", RUN+="/sbin/hdparm -q -W0 -q -M254 $env{DEVNAME}"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD1003FBYX-01Y7B0", RUN+="/sbin/hdparm -q -W0 -q -M254 -q -B254 $env{DEVNAME}"
-
-# Set Disks TLED / SCT Error Recovery Control
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD1002FBYS-02A6B0", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,70,70 $env{DEVNAME}"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD1003FBYX-01Y7B0", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,70,70 $env{DEVNAME}"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD5000AAKS-00A7B0", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,70,70 $env{DEVNAME}"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="WDC_WD2000FYYZ-01UL1B2", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,70,70 $env{DEVNAME}"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="TOSHIBA_DT01ACA300", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,70,70 $env{DEVNAME}"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="ST31000340NS", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,100,100 $env{DEVNAME}"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="HGST_HTS725050A7E630", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,100,100 $env{DEVNAME}"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="HGST_HTE721010A9E630", RUN+="/usr/sbin/smartctl -q errorsonly -l scterc,100,100 $env{DEVNAME}"
-
-# Add SSD optimisation
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="OCZ-VERTEX3", ATTR{queue/read_ahead_kb}="4096"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="OCZ-VERTEX3", ATTR{queue/scheduler}="noop"
-
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="Samsung_SSD_840_PRO_*", ATTR{queue/read_ahead_kb}="4096"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="Samsung_SSD_840_PRO_*", ATTR{queue/scheduler}="noop"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="Samsung_SSD_840_PRO_*", ATTR{queue/read_ahead_kb}="256"
-
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="Samsung_SSD_850_PRO_*", ATTR{queue/read_ahead_kb}="4096"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="Samsung_SSD_850_PRO_*", ATTR{queue/scheduler}="noop"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="Samsung_SSD_850_PRO_*", ATTR{queue/read_ahead_kb}="256"
-
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="Samsung_SSD_860_PRO_*", ATTR{queue/read_ahead_kb}="4096"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="Samsung_SSD_860_PRO_*", ATTR{queue/scheduler}="noop"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="Samsung_SSD_860_PRO_*", ATTR{queue/read_ahead_kb}="256"
-
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="ST240FN0021", ATTR{queue/read_ahead_kb}="4096"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="ST240FN0021", ATTR{queue/scheduler}="noop"
-
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="SuperMicro_SSD", ATTR{queue/read_ahead_kb}="4096"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="SuperMicro_SSD", ATTR{queue/scheduler}="noop"
-
 # Delete failed disk in cmok
 ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="ata", ENV{ID_MODEL}=="ST_M13FQBL", ENV{ID_SERIAL}=="ST_M13FQBL_QNR_BFW", ATTR{device/delete}="1"
 
@@ -155,6 +114,8 @@ ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_MODEL}=="QEMU_HA
 ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_MODEL}=="QEMU_HARDDISK", ATTR{queue/scheduler}="noop"
 # Vendor is sometimes missing
 
-# Increase default MD raid5/raid6 strip cache + group_thread_cnt
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{MD_LEVEL}=="raid5", ATTR{md/stripe_cache_size}="8192", ATTR{md/group_thread_cnt}="4"
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{MD_LEVEL}=="raid6", ATTR{md/stripe_cache_size}="8192", ATTR{md/group_thread_cnt}="4"
+# Tune md stripe cache and thread count for RAID-5 / RAID-6 arrays
+<%
+  group_threads = [(node.cpu_cores.to_i / 2.0).round, 4].max
+%>
+ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{MD_LEVEL}=="raid[56]", ATTR{md/stripe_cache_size}="8192", ATTR{md/group_thread_cnt}="<%= group_threads %>"
diff --git a/cookbooks/dns/recipes/default.rb b/cookbooks/dns/recipes/default.rb
index 0ec59c8b3..d5f0c1e60 100644
--- a/cookbooks/dns/recipes/default.rb
+++ b/cookbooks/dns/recipes/default.rb
@@ -60,7 +60,7 @@ end
 
 dpkg_package "dnscontrol" do
   source "#{cache_dir}/dnscontrol-#{dnscontrol_version}.deb"
-  version "#{dnscontrol_version}"
+  version dnscontrol_version
 end
 
 directory "/srv/dns.openstreetmap.org" do
diff --git a/cookbooks/exim/recipes/default.rb b/cookbooks/exim/recipes/default.rb
index 7354e93d3..e839d6045 100644
--- a/cookbooks/exim/recipes/default.rb
+++ b/cookbooks/exim/recipes/default.rb
@@ -161,7 +161,7 @@ if node[:exim][:dkim_selectors]
     mode "755"
   end
 
-  node[:exim][:dkim_selectors].each do |domain, _selector|
+  node[:exim][:dkim_selectors].each_key do |domain|
     file "/etc/exim4/dkim-keys/#{domain}" do
       content keys[domain].join("\n")
       owner "root"
diff --git a/cookbooks/hardware/recipes/default.rb b/cookbooks/hardware/recipes/default.rb
index 0dafc1f91..4340bf504 100644
--- a/cookbooks/hardware/recipes/default.rb
+++ b/cookbooks/hardware/recipes/default.rb
@@ -426,7 +426,7 @@ if !intel_ssds.empty? || !intel_nvmes.empty?
   end
 
   dpkg_package "sst" do
-    version "#{sst_package_version}"
+    version sst_package_version
     source "#{Chef::Config[:file_cache_path]}/sst_#{sst_package_version}_amd64.deb"
   end
 
diff --git a/cookbooks/imagery/recipes/tiler.rb b/cookbooks/imagery/recipes/tiler.rb
index 571425bda..2f6942b66 100644
--- a/cookbooks/imagery/recipes/tiler.rb
+++ b/cookbooks/imagery/recipes/tiler.rb
@@ -37,19 +37,19 @@ container_image = if arm?
 podman_service "titiler" do
   description "Container service for titiler"
   image container_image
-  volume :"/store/imagery"       => "/store/imagery",
+  volume :"/store/imagery" => "/store/imagery",
          :"/srv/imagery/sockets" => "/sockets"
-  environment :GDAL_CACHEMAX                       => 200,
-              :GDAL_BAND_BLOCK_CACHE               => "HASHSET",
-              :GDAL_DISABLE_READDIR_ON_OPEN        => "EMPTY_DIR",
-              :GDAL_INGESTED_BYTES_AT_OPEN         => 32768,
-              :GDAL_HTTP_MERGE_CONSECUTIVE_RANGES  => "YES",
-              :GDAL_HTTP_MULTIPLEX                 => "YES",
-              :GDAL_HTTP_VERSION                   => 2,
-              :VSI_CACHE                           => "TRUE",
-              :VSI_CACHE_SIZE                      => 5000000,
-              :TITILER_API_ROOT_PATH               => "/api/v1/titiler",
-              :FORWARDED_ALLOW_IPS                 => "*" # https://docs.gunicorn.org/en/latest/settings.html#forwarded-allow-ips
+  environment :GDAL_CACHEMAX => 200,
+              :GDAL_BAND_BLOCK_CACHE => "HASHSET",
+              :GDAL_DISABLE_READDIR_ON_OPEN => "EMPTY_DIR",
+              :GDAL_INGESTED_BYTES_AT_OPEN => 32768,
+              :GDAL_HTTP_MERGE_CONSECUTIVE_RANGES => "YES",
+              :GDAL_HTTP_MULTIPLEX => "YES",
+              :GDAL_HTTP_VERSION => 2,
+              :VSI_CACHE => "TRUE",
+              :VSI_CACHE_SIZE => 5000000,
+              :TITILER_API_ROOT_PATH => "/api/v1/titiler",
+              :FORWARDED_ALLOW_IPS => "*" # https://docs.gunicorn.org/en/latest/settings.html#forwarded-allow-ips
   command "gunicorn -k uvicorn.workers.UvicornWorker titiler.application.main:app --bind unix:/sockets/titiler.sock --workers #{node.cpu_cores}"
 end
 
diff --git a/cookbooks/imagery/resources/site.rb b/cookbooks/imagery/resources/site.rb
index 7151c68c6..b4079f0ca 100644
--- a/cookbooks/imagery/resources/site.rb
+++ b/cookbooks/imagery/resources/site.rb
@@ -87,7 +87,7 @@ action :create do
   end
 
   layers = Dir.glob("/srv/imagery/layers/#{new_resource.site}/*.yml").collect do |path|
-    YAML.safe_load(::File.read(path), :permitted_classes => [Symbol])
+    YAML.safe_load_file(path, :permitted_classes => [Symbol])
   end
 
   declare_resource :template, "/srv/#{new_resource.site}/imagery.js" do
diff --git a/cookbooks/kibana/recipes/default.rb b/cookbooks/kibana/recipes/default.rb
index 2f2fc6f28..2085cdce2 100644
--- a/cookbooks/kibana/recipes/default.rb
+++ b/cookbooks/kibana/recipes/default.rb
@@ -79,7 +79,7 @@ end
 
 node[:kibana][:sites].each do |name, details|
   file "/etc/kibana/#{name}.yml" do
-    content YAML.dump(YAML.safe_load(File.read("/opt/kibana-#{version}/config/kibana.yml")).merge(
+    content YAML.dump(YAML.safe_load_file("/opt/kibana-#{version}/config/kibana.yml").merge(
                         "port" => details[:port],
                         "host" => "127.0.0.1",
                         "elasticsearch_url" => details[:elasticsearch_url],
diff --git a/cookbooks/logstash/recipes/default.rb b/cookbooks/logstash/recipes/default.rb
index 46bc3fea0..a4b237c00 100644
--- a/cookbooks/logstash/recipes/default.rb
+++ b/cookbooks/logstash/recipes/default.rb
@@ -75,10 +75,8 @@ template "/etc/cron.daily/expire-logstash" do
   mode "755"
 end
 
-forwarders = []
-
-search(:node, "recipes:logstash\\:\\:forwarder").each do |forwarder|
-  forwarders.append(forwarder.ipaddresses(:role => :external))
+forwarders = search(:node, "recipes:logstash\\:\\:forwarder").map do |forwarder|
+  forwarder.ipaddresses(:role => :external)
 end
 
 search(:node, "roles:gateway").each do |forwarder|
diff --git a/cookbooks/mediawiki/resources/site.rb b/cookbooks/mediawiki/resources/site.rb
index 840016fa4..9d55876a6 100644
--- a/cookbooks/mediawiki/resources/site.rb
+++ b/cookbooks/mediawiki/resources/site.rb
@@ -51,9 +51,10 @@ property :fpm_max_children, :kind_of => Integer, :default => 5
 property :fpm_start_servers, :kind_of => Integer, :default => 2
 property :fpm_min_spare_servers, :kind_of => Integer, :default => 1
 property :fpm_max_spare_servers, :kind_of => Integer, :default => 3
-property :fpm_request_terminate_timeout, :kind_of => Integer, :default => 300
+property :fpm_request_terminate_timeout, :kind_of => Integer, :default => 120
 property :fpm_prometheus_port, :kind_of => Integer
 property :reload_apache, :kind_of => [TrueClass, FalseClass], :default => true
+property :backup_enabled, :kind_of => [TrueClass, FalseClass], :default => true
 
 action :create do
   node.default[:mediawiki][:sites][new_resource.site] = {
@@ -176,6 +177,12 @@ action :create do
               :directory => site_directory,
               :database_params => database_params
     only_if { ::File.exist?("#{mediawiki_directory}/LocalSettings.php") }
+    only_if { new_resource.backup_enabled }
+  end
+
+  file "/etc/cron.daily/mediawiki-#{cron_name}-backup" do
+    action :delete
+    only_if { !new_resource.backup_enabled }
   end
 
   # MobileFrontend extension is required by MinervaNeue skin
@@ -476,7 +483,7 @@ action :create do
     request_terminate_timeout new_resource.fpm_request_terminate_timeout
     php_admin_values "open_basedir" => "#{site_directory}/:/usr/share/php/:/dev/null:/tmp/"
     php_values "memory_limit" => "500M",
-               "max_execution_time" => "240",
+               "max_execution_time" => "60",
                "upload_max_filesize" => "70M",
                "post_max_size" => "100M"
     prometheus_port new_resource.fpm_prometheus_port
diff --git a/cookbooks/mediawiki/templates/default/LocalSettings.php.erb b/cookbooks/mediawiki/templates/default/LocalSettings.php.erb
index d70119627..9671130d8 100644
--- a/cookbooks/mediawiki/templates/default/LocalSettings.php.erb
+++ b/cookbooks/mediawiki/templates/default/LocalSettings.php.erb
@@ -293,7 +293,7 @@ $wgExpensiveParserFunctionLimit = 500;
 $wgSiteNotice = "<%= @mediawiki[:site_notice] %>";
 <% end -%>
 <% if @mediawiki[:site_readonly] -%>
-$wgReadOnly = "<%= @mediawiki[:site_readonly] %>";
+$wgReadOnly = ( PHP_SAPI === 'cli' ) ? false : "<%= @mediawiki[:site_readonly] %>";
 <% end -%>
 
 <% @mediawiki[:namespaces].each do |name, details| -%>
@@ -362,3 +362,13 @@ unset( $wgGroupsRemoveFromSelf['autoconfirmed'] );
 # Mediawiki 1.38 has fix to allow this to be set by $wgVirtualRestConfig
 # https://phabricator.wikimedia.org/T285478
 $wgHTTPTimeout = 240;
+
+# Enable night mode for Minerva and Vector skins
+# https://github.com/openstreetmap/operations/issues/1230
+$wgMinervaNightMode['base'] = true;
+$wgVectorNightMode['logged_in'] = true;
+$wgVectorNightMode['logged_out'] = true;
+
+# Set extremely low timeout to avoid PHP-FPM timeouts on slow connections to Wikimedia Commons (rate limiting) or similar
+$wgHTTPMaxTimeout = 5;
+$wgHTTPMaxConnectTimeout = 3;
diff --git a/cookbooks/mysql/recipes/default.rb b/cookbooks/mysql/recipes/default.rb
index baeff798e..63f70395b 100644
--- a/cookbooks/mysql/recipes/default.rb
+++ b/cookbooks/mysql/recipes/default.rb
@@ -28,7 +28,7 @@ mysql_variant = if platform?("ubuntu")
 package "#{mysql_variant}-server"
 package "#{mysql_variant}-client"
 
-service "#{mysql_variant}" do
+service mysql_variant do
   action [:enable, :start]
   supports :status => true, :restart => true
 end
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 64727d091..efc79e431 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -57,7 +57,7 @@ interfaces = node[:networking][:interfaces].collect do |name, interface|
   [interface[:interface], name]
 end.to_h
 
-node[:networking][:interfaces].each do |_, interface|
+node[:networking][:interfaces].each_value do |interface|
   next unless interface[:interface] =~ /^(.*)\.(\d+)$/
 
   vlan_interface = Regexp.last_match(1)
@@ -71,7 +71,7 @@ node[:networking][:interfaces].each do |_, interface|
   node.default[:networking][:interfaces][parent][:vlans] << vlan_id
 end
 
-node[:networking][:interfaces].each do |_, interface|
+node[:networking][:interfaces].each_value do |interface|
   if interface[:interface] =~ /^.*\.(\d+)$/
     template "/etc/systemd/network/10-#{interface[:interface]}.netdev" do
       source "vlan.netdev.erb"
@@ -343,10 +343,8 @@ end
 
 package "nftables"
 
-interfaces = []
-
-node.interfaces(:role => :external).each do |interface|
-  interfaces << interface[:interface]
+interfaces = node.interfaces(:role => :external).map do |interface|
+  interface[:interface]
 end
 
 template "/etc/nftables.conf" do
diff --git a/cookbooks/overpass/recipes/default.rb b/cookbooks/overpass/recipes/default.rb
index 665b6730b..ffd5f49ac 100644
--- a/cookbooks/overpass/recipes/default.rb
+++ b/cookbooks/overpass/recipes/default.rb
@@ -107,7 +107,7 @@ apache_site "default" do
   action :disable
 end
 
-apache_site "#{node[:overpass][:fqdn]}" do
+apache_site node[:overpass][:fqdn] do
   template "apache.erb"
   directory "#{basedir}/site"
   variables :script_directory => "#{basedir}/cgi-bin"
@@ -152,7 +152,7 @@ systemd_service "overpass-dispatcher" do
   description "Overpass Main Dispatcher"
   wants ["overpass-area-dispatcher.service"]
   working_directory basedir
-  exec_start "#{basedir}/bin/dispatcher --osm-base #{meta_map_short[node[:overpass][:meta_mode]]} --db-dir=#{basedir}/db --rate-limit=#{node[:overpass][:rate_limit]} --space=#{node[:overpass][:dispatcher_space]}"
+  exec_start "#{basedir}/bin/dispatcher --allow-duplicate-queries=yes --osm-base #{meta_map_short[node[:overpass][:meta_mode]]} --db-dir=#{basedir}/db --rate-limit=#{node[:overpass][:rate_limit]} --space=#{node[:overpass][:dispatcher_space]}"
   exec_stop "#{basedir}/bin/dispatcher --osm-base --terminate"
   standard_output "append:#{logdir}/osm_base.log"
   user username
@@ -166,7 +166,7 @@ systemd_service "overpass-area-dispatcher" do
   description "Overpass Area Dispatcher"
   after ["overpass-dispatcher.service"]
   working_directory basedir
-  exec_start "#{basedir}/bin/dispatcher --areas #{meta_map_short[node[:overpass][:meta_mode]]} --db-dir=#{basedir}/db"
+  exec_start "#{basedir}/bin/dispatcher --allow-duplicate-queries=yes --areas #{meta_map_short[node[:overpass][:meta_mode]]} --db-dir=#{basedir}/db"
   exec_stop "#{basedir}/bin/dispatcher --areas --terminate"
   standard_output "append:#{logdir}/areas.log"
   user username
diff --git a/cookbooks/podman/resources/service.rb b/cookbooks/podman/resources/service.rb
index d9a328192..5178980d9 100644
--- a/cookbooks/podman/resources/service.rb
+++ b/cookbooks/podman/resources/service.rb
@@ -36,10 +36,10 @@ action :create do
     notify_access "all"
     environment "PODMAN_SYSTEMD_UNIT" => "%n"
     exec_start_pre "/bin/rm --force %t/%n.ctr-id"
-    exec_start "/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon "\
-               "--userns=auto --label=io.containers.autoupdate=registry "\
-               "--pids-limit=-1 #{publish_options} #{environment_options} "\
-               "#{volume_options} --rm --sdnotify=conmon --detach --replace "\
+    exec_start "/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon " \
+               "--userns=auto --label=io.containers.autoupdate=registry " \
+               "--pids-limit=-1 #{publish_options} #{environment_options} " \
+               "#{volume_options} --rm --sdnotify=conmon --detach --replace " \
                "--name=%N #{new_resource.image} #{new_resource.command}"
     exec_stop "/usr/bin/podman stop --ignore --time=10 --cidfile=%t/%n.ctr-id"
     exec_stop_post "/usr/bin/podman rm --force --ignore --cidfile=%t/%n.ctr-id"
diff --git a/cookbooks/podman/resources/site.rb b/cookbooks/podman/resources/site.rb
index 7cab5a5d2..225021eb7 100644
--- a/cookbooks/podman/resources/site.rb
+++ b/cookbooks/podman/resources/site.rb
@@ -67,7 +67,7 @@ action_class do
 
   def ports
     @ports ||= if ::File.exist?(ports_file)
-                 YAML.safe_load(::File.read(ports_file))
+                 YAML.safe_load_file(ports_file)
                else
                  {}
                end
diff --git a/cookbooks/postgresql/libraries/postgresql.rb b/cookbooks/postgresql/libraries/postgresql.rb
index b2df4aed6..789120d6b 100644
--- a/cookbooks/postgresql/libraries/postgresql.rb
+++ b/cookbooks/postgresql/libraries/postgresql.rb
@@ -122,7 +122,7 @@ module OpenStreetMap
     def schemas(database)
       @schemas ||= {}
       @schemas[database] ||= query("SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) AS usename, n.nspacl FROM pg_namespace AS n WHERE n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'", :database => database).each_with_object({}) do |schema, schemas|
-        name = "#{schema[:nspname]}"
+        name = schema[:nspname]
 
         schemas[name] = {
           :owner => schema[:usename],
@@ -163,7 +163,7 @@ module OpenStreetMap
 
     def parse_acl(acl)
       parse_array(acl).each_with_object({}) do |entry, permissions|
-        entry = entry.sub(/^"(.*)"$/) { Regexp.last_match[1].gsub(/\\"/, '"') }.sub(%r{/.*$}, "")
+        entry = entry.sub(/^"(.*)"$/) { Regexp.last_match[1].gsub('\"', '"') }.sub(%r{/.*$}, "")
         user, privileges = entry.split("=")
 
         user = user.sub(/^"(.*)"$/, "\\1")
diff --git a/cookbooks/postgresql/resources/schema.rb b/cookbooks/postgresql/resources/schema.rb
index a7bf0ebdb..e22324d9b 100644
--- a/cookbooks/postgresql/resources/schema.rb
+++ b/cookbooks/postgresql/resources/schema.rb
@@ -109,6 +109,6 @@ action_class do
   end
 
   def qualified_name
-    "#{new_resource.name}"
+    new_resource.name
   end
 end
diff --git a/cookbooks/ruby/recipes/default.rb b/cookbooks/ruby/recipes/default.rb
index 7301e372c..886f18fe2 100644
--- a/cookbooks/ruby/recipes/default.rb
+++ b/cookbooks/ruby/recipes/default.rb
@@ -38,7 +38,7 @@ if node[:ruby][:fullstaq]
 
 else
 
-  package %W[
+  package %w[
     ruby
     ruby-dev
     ruby-bundler
diff --git a/cookbooks/stateofthemap/recipes/container.rb b/cookbooks/stateofthemap/recipes/container.rb
index 8e97accc0..af8514fa7 100644
--- a/cookbooks/stateofthemap/recipes/container.rb
+++ b/cookbooks/stateofthemap/recipes/container.rb
@@ -30,3 +30,8 @@ end
     aliases ["#{year}.stateofthemap.com", "#{year}.sotm.org"]
   end
 end
+
+podman_site "stateofthemap.eu" do
+  image "ghcr.io/openstreetmap/stateofthemap-eu-website:latest"
+  aliases ["www.stateofthemap.eu"]
+end
diff --git a/cookbooks/tile/recipes/default.rb b/cookbooks/tile/recipes/default.rb
index f969546af..782b7ad86 100644
--- a/cookbooks/tile/recipes/default.rb
+++ b/cookbooks/tile/recipes/default.rb
@@ -566,8 +566,8 @@ systemd_service "expire-tiles" do
   sandbox true
   restrict_address_families "AF_UNIX"
   read_write_paths tile_directories + [
-                     "/var/lib/replicate/expire-queue"
-                   ]
+    "/var/lib/replicate/expire-queue"
+  ]
 end
 
 systemd_path "expire-tiles" do
diff --git a/cookbooks/vectortile/attributes/default.rb b/cookbooks/vectortile/attributes/default.rb
index f72621213..62614734f 100644
--- a/cookbooks/vectortile/attributes/default.rb
+++ b/cookbooks/vectortile/attributes/default.rb
@@ -9,6 +9,8 @@ default[:vectortile][:replication][:tileupdate] = true
 default[:vectortile][:replication][:threads] = node.cpu_cores
 
 default[:vectortile][:tilekiln][:version] = "0.7.1"
+default[:vectortile][:spirit][:version] = "7fc3c62771d371f00a62249174d4d695d8324443"
+default[:vectortile][:themepark][:version] = "beb454cc56e88533fb398ab293489c4e91f4d42b"
 
 default[:postgresql][:versions] |= [node[:vectortile][:database][:cluster].split("/").first]
 default[:postgresql][:monitor_database] = "tiles"
diff --git a/cookbooks/vectortile/recipes/default.rb b/cookbooks/vectortile/recipes/default.rb
index 0f4041565..f4de30c52 100644
--- a/cookbooks/vectortile/recipes/default.rb
+++ b/cookbooks/vectortile/recipes/default.rb
@@ -77,6 +77,7 @@ package %w[
 style_directory = "/srv/vector.openstreetmap.org/spirit"
 git style_directory do
   repository "https://github.com/pnorman/spirit.git"
+  revision node[:vectortile][:spirit][:version]
   user "tileupdate"
   group "tileupdate"
 end
@@ -86,7 +87,7 @@ shortbread_config = "#{style_directory}/shortbread.yaml"
 themepark_directory = "/srv/vector.openstreetmap.org/osm2pgsql-themepark"
 git themepark_directory do
   repository "https://github.com/osm2pgsql-dev/osm2pgsql-themepark.git"
-  revision "444bfbda82dea2899e77ac7f0e88ddf7f62c3b45"
+  revision node[:vectortile][:themepark][:version]
   user "tileupdate"
   group "tileupdate"
 end
@@ -122,7 +123,7 @@ template "/usr/local/bin/import-planet" do
   owner "root"
   group "root"
   mode "755"
-  variables :node_store_options => "#{node_store_options}"
+  variables :node_store_options => node_store_options
 end
 
 template "/usr/local/bin/tilekiln-storage-init" do
@@ -130,7 +131,7 @@ template "/usr/local/bin/tilekiln-storage-init" do
   owner "root"
   group "root"
   mode "755"
-  variables :tilekiln_bin => "#{tilekiln_directory}/bin/tilekiln", :storage_database => "tiles", :config_path => "#{shortbread_config}"
+  variables :tilekiln_bin => "#{tilekiln_directory}/bin/tilekiln", :storage_database => "tiles", :config_path => shortbread_config
 end
 
 postgresql_user "tomh" do
@@ -208,10 +209,10 @@ end
 end
 
 %w[addresses aerialways aeroways boundaries boundary_labels bridges buildings
-dam_lines dam_polygons ferries land pier_lines pier_polygons place_labels
-planet_osm_nodes planet_osm_rels planet_osm_ways pois public_transport railways
-road_routes roads sites street_polygons streets_labels_points
-streets_polygons_labels water_area_labels water_areas water_lines water_lines_labels].each do |table|
+   dam_lines dam_polygons ferries land pier_lines pier_polygons place_labels
+   planet_osm_nodes planet_osm_rels planet_osm_ways pois public_transport railways
+   road_routes roads sites street_polygons streets_labels_points
+   streets_polygons_labels water_area_labels water_areas water_lines water_lines_labels].each do |table|
   postgresql_table table do
     cluster node[:vectortile][:database][:cluster]
     database "spirit"
@@ -250,7 +251,7 @@ template "/usr/local/bin/vector-update" do
   owner "root"
   group "root"
   mode "755"
-  variables :tilekiln_bin => "#{tilekiln_directory}/bin/tilekiln", :source_database => "spirit", :config_path => "#{shortbread_config}", :diff_size => "1000", :expiry_dir => "/srv/vector.openstreetmap.org/data/", :post_processing => "/usr/local/bin/tiles-rerender"
+  variables :tilekiln_bin => "#{tilekiln_directory}/bin/tilekiln", :source_database => "spirit", :config_path => shortbread_config, :diff_size => "1000", :expiry_dir => "/srv/vector.openstreetmap.org/data/", :post_processing => "/usr/local/bin/tiles-rerender"
 end
 
 rerender_layers = %w[addresses boundaries bridges buildings land pois public_transport sites street_polygons streets water_lines_labels water_lines water_polygons].join(" ")
@@ -260,7 +261,7 @@ template "/usr/local/bin/tiles-rerender" do
   owner "root"
   group "root"
   mode "755"
-  variables :tilekiln_bin => "#{tilekiln_directory}/bin/tilekiln", :source_database => "spirit", :storage_database => "tiles", :config_path => "#{shortbread_config}", :expiry_dir => "/srv/vector.openstreetmap.org/data/", :update_threads => 4, :layers => "#{rerender_layers}"
+  variables :tilekiln_bin => "#{tilekiln_directory}/bin/tilekiln", :source_database => "spirit", :storage_database => "tiles", :config_path => shortbread_config, :expiry_dir => "/srv/vector.openstreetmap.org/data/", :update_threads => 4, :layers => rerender_layers.to_s
 end
 
 systemd_service "replicate" do
diff --git a/cookbooks/web/resources/rails_port.rb b/cookbooks/web/resources/rails_port.rb
index cb71e73a5..b6209d50b 100644
--- a/cookbooks/web/resources/rails_port.rb
+++ b/cookbooks/web/resources/rails_port.rb
@@ -95,7 +95,7 @@ property :doorkeeper_signing_key, String
 property :user_account_deletion_delay, Integer
 
 action :create do
-  package %W[
+  package %w[
     imagemagick
     libvips42
     nodejs
@@ -415,14 +415,14 @@ action :create do
     recursive true
   end
 
-  bundle_config "#{rails_directory}" do
+  bundle_config rails_directory do
     user new_resource.user
     group new_resource.group
     settings "deployment" => "true",
              "build.nokogiri" => "--use-system-libraries"
   end
 
-  bundle_install "#{rails_directory}" do
+  bundle_install rails_directory do
     action :nothing
     user new_resource.user
     group new_resource.group
diff --git a/cookbooks/wiki/attributes/default.rb b/cookbooks/wiki/attributes/default.rb
index b25f9e481..71f656567 100644
--- a/cookbooks/wiki/attributes/default.rb
+++ b/cookbooks/wiki/attributes/default.rb
@@ -5,4 +5,5 @@ default[:wiki][:site_aliases] = [
 ]
 default[:wiki][:site_notice] = nil
 default[:wiki][:site_readonly] = nil
-default[:wiki][:mediawiki_version] = "1.39"
+default[:wiki][:test_mode] = false
+default[:wiki][:mediawiki_version] = "1.43"
diff --git a/cookbooks/wiki/recipes/default.rb b/cookbooks/wiki/recipes/default.rb
index 4daec683c..0590346f3 100644
--- a/cookbooks/wiki/recipes/default.rb
+++ b/cookbooks/wiki/recipes/default.rb
@@ -34,10 +34,10 @@ mediawiki_site site_name do
 
   version node[:wiki][:mediawiki_version]
 
-  fpm_max_children 200
-  fpm_start_servers 25
-  fpm_min_spare_servers 25
-  fpm_max_spare_servers 50
+  fpm_max_children 300
+  fpm_start_servers 50
+  fpm_min_spare_servers 50
+  fpm_max_spare_servers 150
   fpm_prometheus_port 9253
 
   database_name "wiki"
@@ -72,6 +72,10 @@ mediawiki_site site_name do
 
   site_notice node[:wiki][:site_notice]
   site_readonly node[:wiki][:site_readonly]
+
+  if node[:wiki][:test_mode]
+    backup_enabled false
+  end
 end
 
 mediawiki_extension "CodeEditor" do
@@ -136,6 +140,29 @@ mediawiki_extension "Kartographer" do
   template_cookbook "wiki"
 end
 
+mediawiki_extension "TemplateStyles" do
+  site site_name
+end
+
+mediawiki_extension "DynamicPageListEngine" do
+  site site_name
+  only_if { node[:wiki][:test_mode] }
+end
+
+mediawiki_extension "WikibaseCirrusSearch" do
+  site site_name
+  template "mw-ext-WikibaseCirrusSearch.inc.php.erb"
+  template_cookbook "wiki"
+  only_if { node[:wiki][:test_mode] }
+end
+
+mediawiki_extension "Translate" do
+  site site_name
+  template "mw-ext-Translate.inc.php.erb"
+  template_cookbook "wiki"
+  only_if { node[:wiki][:test_mode] }
+end
+
 cookbook_file "/srv/#{site_name}/osm_logo_wiki.png" do
   owner node[:mediawiki][:user]
   group node[:mediawiki][:group]
diff --git a/cookbooks/wiki/templates/default/mw-ext-Translate.inc.php.erb b/cookbooks/wiki/templates/default/mw-ext-Translate.inc.php.erb
new file mode 100644
index 000000000..8221ea3be
--- /dev/null
+++ b/cookbooks/wiki/templates/default/mw-ext-Translate.inc.php.erb
@@ -0,0 +1,39 @@
+<?php
+# DO NOT EDIT - This file is being maintained by Chef
+wfLoadExtension( 'Translate' );
+
+/**
+ * Allow all confirmed users to edit translations.
+ */
+$wgGroupPermissions['autoconfirmed']['translate'] = true;
+
+/**
+ * Allow all confirmed users to review translations.
+ */
+$wgGroupPermissions['autoconfirmed']['translate-messagereview'] = true;
+
+/**
+ * Allow all translations administrators to manage translations.
+ */
+$wgGroupPermissions['translationadmin']['pagetranslation'] = true;
+$wgGroupPermissions['translationadmin']['translate-manage'] = true;
+
+/**
+ * Language code for message documentation. Suggested values are qqq or info.
+ * If set to false (default), message documentation feature is disabled.
+ */
+$wgTranslateDocumentationLanguageCode = 'qqq';
+
+/**
+ * Let Translate extension use ElasticSearch to store commonly-used translation messages to suggest to translators
+ */
+$wgTranslateTranslationServices['TTMServer'] = [
+        'type' => 'ttmserver',
+        'class' => 'ElasticSearchTTMServer',
+        'cutoff' => 0.75,
+        /*
+         * See http://elastica.io/getting-started/installation.html
+         * See https://github.com/ruflin/Elastica/blob/8.x/src/Client.php
+         */
+        'config' => [ 'servers' => [ 'host' => '127.0.0.1', 'port' => 9114 ] ]
+];
diff --git a/cookbooks/wiki/templates/default/mw-ext-WikibaseCirrusSearch.inc.php.erb b/cookbooks/wiki/templates/default/mw-ext-WikibaseCirrusSearch.inc.php.erb
new file mode 100644
index 000000000..e6859b785
--- /dev/null
+++ b/cookbooks/wiki/templates/default/mw-ext-WikibaseCirrusSearch.inc.php.erb
@@ -0,0 +1,6 @@
+<?php
+# DO NOT EDIT - This file is being maintained by Chef
+wfLoadExtension( 'WikibaseCirrusSearch' );
+
+# Enable cirrus search
+$wgWBCSUseCirrus = true;
diff --git a/cookbooks/wiki/templates/default/robots.txt.erb b/cookbooks/wiki/templates/default/robots.txt.erb
index 932d07eba..8d167108f 100644
--- a/cookbooks/wiki/templates/default/robots.txt.erb
+++ b/cookbooks/wiki/templates/default/robots.txt.erb
@@ -1,3 +1,7 @@
+<% if node[:wiki][:test_mode] -%>
+User-agent: *
+Disallow: /
+<% else -%>
 User-agent: ia_archiver
 Allow: /
 
@@ -31,3 +35,4 @@ Crawl-delay: 60
 Sitemap: https://wiki.openstreetmap.org/sitemap-index-wiki.xml
 
 Host: wiki.openstreetmap.org
+<% end -%>
diff --git a/cookbooks/wordpress/resources/site.rb b/cookbooks/wordpress/resources/site.rb
index 52bba4ce5..2c07ba31e 100644
--- a/cookbooks/wordpress/resources/site.rb
+++ b/cookbooks/wordpress/resources/site.rb
@@ -82,10 +82,10 @@ action :create do
   end
 
   wp_config = edit_file "#{site_directory}/wp-config-sample.php" do |line|
-    line.gsub!(/database_name_here/, new_resource.database_name)
-    line.gsub!(/username_here/, new_resource.database_user)
-    line.gsub!(/password_here/, new_resource.database_password)
-    line.gsub!(/wp_/, new_resource.database_prefix)
+    line.gsub!("database_name_here", new_resource.database_name)
+    line.gsub!("username_here", new_resource.database_user)
+    line.gsub!("password_here", new_resource.database_password)
+    line.gsub!("wp_", new_resource.database_prefix)
 
     line.gsub!(/('AUTH_KEY', *)'put your unique phrase here'/, "\\1'#{auth_key}'")
     line.gsub!(/('SECURE_AUTH_KEY', *)'put your unique phrase here'/, "\\1'#{secure_auth_key}'")
diff --git a/roles/angor.rb b/roles/angor.rb
index be08e517c..5fba17667 100644
--- a/roles/angor.rb
+++ b/roles/angor.rb
@@ -26,8 +26,8 @@ default_attributes(
       :gmoncrieff => { :status => :user },
       :zander => { :status => :user },
       :"za-imagery" => {
-          :status => :role,
-          :members => [:grant, :htonl, :gmoncrieff, :zander]
+        :status => :role,
+        :members => [:grant, :htonl, :gmoncrieff, :zander]
       }
     }
   }
diff --git a/roles/cmok.rb b/roles/cmok.rb
index 608abf686..1740ee18c 100644
--- a/roles/cmok.rb
+++ b/roles/cmok.rb
@@ -31,6 +31,14 @@ default_attributes(
         "kernel.shmall" => 9 * 1024 * 1024 * 1024 / 4096
       }
     }
+  },
+  :vectortile => {
+    :replication => {
+      :tileupdate => false
+    },
+    :spirit => {
+      :version => "7c68ecdd82606fd64dfe6e2ba7a1f1741afcc34c"
+    }
   }
 )
 
diff --git a/roles/dev.rb b/roles/dev.rb
index 432fe0d1c..81a7f34d2 100644
--- a/roles/dev.rb
+++ b/roles/dev.rb
@@ -94,8 +94,8 @@ default_attributes(
         :members => [:apmon, :maba]
       },
       :"za-imagery" => {
-          :status => :role,
-          :members => [:grant, :htonl, :gmoncrieff, :zander]
+        :status => :role,
+        :members => [:grant, :htonl, :gmoncrieff, :zander]
       }
     }
   },
diff --git a/roles/fafnir.rb b/roles/fafnir.rb
index e7edc263c..dfed57f7f 100644
--- a/roles/fafnir.rb
+++ b/roles/fafnir.rb
@@ -7,7 +7,6 @@ default_attributes(
     :last_address => "10.0.79.254"
   },
   :exim => {
-    :external_interface => "<;${if <{${randint:100}}{75} {184.104.226.98;2001:470:1:b3b::2}{87.252.214.98;2001:4d78:fe03:1c::2}}",
     :routes => {
       :openstreetmap => {
         :comment => "openstreetmap.org",
diff --git a/roles/geodns.rb b/roles/geodns.rb
index a1df01532..74168f4b7 100644
--- a/roles/geodns.rb
+++ b/roles/geodns.rb
@@ -12,7 +12,7 @@ default_attributes(
         :list => false,
         :transfer_logging => false,
         :hosts_allow => [
-          "184.104.226.102",  # idris HE
+          "184.104.226.102", # idris HE
           "2001:470:1:b3b::6", # idris HE
           "87.252.214.102", # idris Equinix
           "2001:4d78:fe03:1c::6" # idris  Equinix
diff --git a/roles/lockheed.rb b/roles/lockheed.rb
index 82acb48b4..34cfc05da 100644
--- a/roles/lockheed.rb
+++ b/roles/lockheed.rb
@@ -72,10 +72,10 @@ default_attributes(
         :max_size => "196608M"
       },
       :proxy => {
-          :enable => true,
-          :keys_zone => "proxy_cache_zone:2048M",
-          :inactive => "180d",
-          :max_size => "196608M"
+        :enable => true,
+        :keys_zone => "proxy_cache_zone:2048M",
+        :inactive => "180d",
+        :max_size => "196608M"
       }
     }
   }
diff --git a/roles/muirdris.rb b/roles/muirdris.rb
index 1adfbdc93..7ec8c2de2 100644
--- a/roles/muirdris.rb
+++ b/roles/muirdris.rb
@@ -34,7 +34,7 @@ default_attributes(
     :site_name => "test.wiki.openstreetmap.org",
     :site_aliases => [],
     :site_notice => "TEST INSTANCE: Use wiki.openstreetmap.org for real work",
-    :mediawiki_version => "1.43"
+    :test_mode => true
   }
 )
 
diff --git a/roles/wiki.rb b/roles/wiki.rb
index 652726346..c6cb02000 100644
--- a/roles/wiki.rb
+++ b/roles/wiki.rb
@@ -14,7 +14,7 @@ default_attributes(
       :server_limit => 32,
       :max_request_workers => 800,
       :threads_per_child => 50,
-      :max_connections_per_child => 10000
+      :max_connections_per_child => 100000
     },
     :evasive => {
       :page_count => 400,
diff --git a/test/integration/dev/inspec/mysql_spec.rb b/test/integration/dev/inspec/mysql_spec.rb
index 549f33da9..628d8bee2 100644
--- a/test/integration/dev/inspec/mysql_spec.rb
+++ b/test/integration/dev/inspec/mysql_spec.rb
@@ -8,7 +8,7 @@ describe package("#{mysql_variant}-server") do
   it { should be_installed }
 end
 
-describe service("#{mysql_variant}") do
+describe service(mysql_variant) do
   it { should be_enabled }
   it { should be_running }
 end
diff --git a/test/integration/mysql/inspec/mysql_spec.rb b/test/integration/mysql/inspec/mysql_spec.rb
index 549f33da9..628d8bee2 100644
--- a/test/integration/mysql/inspec/mysql_spec.rb
+++ b/test/integration/mysql/inspec/mysql_spec.rb
@@ -8,7 +8,7 @@ describe package("#{mysql_variant}-server") do
   it { should be_installed }
 end
 
-describe service("#{mysql_variant}") do
+describe service(mysql_variant) do
   it { should be_enabled }
   it { should be_running }
 end