chef/site-cookbooks/kosmos-postgresql/README.md

# kosmos-postgresql

## Usage

### On the primary:

Set the `postgresql_primary` role on the node

### On the replica:

Add the `postgresql_replica` role to the node's run list. Run Chef on the node
a first time.
After the initial Chef run on the replica, run Chef on the primary to add the
firewall rules and PostgreSQL access rules, then run Chef again on the replica
to set up replication.

## Caveat

[`firewall_rules`](https://github.com/chef-cookbooks/firewall/issues/134) and
[`postgresql_access`](https://github.com/sous-chefs/postgresql/issues/648) are
declared in recipes, not resources because of the way custom resources
work currently in Chef. See the `default.rb` and `replica.rb` recipes.

The primary gives access to the `replication` db to the `replication` user
connecting from a replica, and replicas to the primary. For more information
about PostgreSQL client authentication, see the
[official docs](https://www.postgresql.org/docs/12/auth-pg-hba-conf.html)

The primary opens up the PostgreSQL port (5432 TCP) to replicas, and replicas
to the primary.

## TLS self-signed certificate

A wildcard (`*.kosmos.org` certificate) was generated with the following
commands:

```
openssl req -new -nodes -text -out root.csr -keyout root.key \
  -subj "/CN=root.kosmos.org"
chmod og-rwx root.key
openssl x509 -req -in root.csr -text -days 3650 \
  -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
  -signkey root.key -out root.crt
openssl req -new -nodes -text -out server.csr \
  -keyout server.key -subj "/CN=*.kosmos.org"
chmod og-rwx server.key
openssl x509 -req -in server.csr -text -days 1825 \
  -CA root.crt -CAkey root.key -CAcreateserial \
  -out server.crt
```

It is valid until May 12 2025.

The content of `server.crt`, `server.key` and `root.crt` an stored in the
`postgresql` encrypted data bag. The root key is stored in LastPass
("Self-signed TLS root certificate"). `server.crt` & `server.key` are used by
the PostgreSQL server.
Add initial kosmos-postgresql cookbook This is to install PostgreSQL all in one place instead of for each service that needs it (Mastodon, ejabberd, ...) 2019-01-09 17:26:50 +00:00			`# kosmos-postgresql`

Update the README 2020-05-14 10:36:20 +00:00			`## Usage`
Add initial kosmos-postgresql cookbook This is to install PostgreSQL all in one place instead of for each service that needs it (Mastodon, ejabberd, ...) 2019-01-09 17:26:50 +00:00
Update the README 2020-05-14 10:36:20 +00:00			`### On the primary:`
Add a custom resource to set up PostgreSQL 12 Supports both primary and replica. The access rules and firewall have to be set up outside of the custom resource, so they are part of the recipes instead Refs #160 2020-05-11 16:18:21 +00:00
Update the README 2020-05-14 10:36:20 +00:00			Set the `postgresql_primary` role on the node
Add a custom resource to set up PostgreSQL 12 Supports both primary and replica. The access rules and firewall have to be set up outside of the custom resource, so they are part of the recipes instead Refs #160 2020-05-11 16:18:21 +00:00
Update the README 2020-05-14 10:36:20 +00:00			`### On the replica:`
Add a custom resource to set up PostgreSQL 12 Supports both primary and replica. The access rules and firewall have to be set up outside of the custom resource, so they are part of the recipes instead Refs #160 2020-05-11 16:18:21 +00:00
Update the README 2020-05-14 10:36:20 +00:00			Add the `postgresql_replica` role to the node's run list. Run Chef on the node
			`a first time.`
Add a custom resource to set up PostgreSQL 12 Supports both primary and replica. The access rules and firewall have to be set up outside of the custom resource, so they are part of the recipes instead Refs #160 2020-05-11 16:18:21 +00:00			`After the initial Chef run on the replica, run Chef on the primary to add the`
			`firewall rules and PostgreSQL access rules, then run Chef again on the replica`
			`to set up replication.`

Update the README 2020-05-14 10:36:20 +00:00			`## Caveat`
Add a custom resource to set up PostgreSQL 12 Supports both primary and replica. The access rules and firewall have to be set up outside of the custom resource, so they are part of the recipes instead Refs #160 2020-05-11 16:18:21 +00:00
			[`firewall_rules`](https://github.com/chef-cookbooks/firewall/issues/134) and
Clarify the firewall and client authentication rules 2020-05-12 14:04:58 +00:00			[`postgresql_access`](https://github.com/sous-chefs/postgresql/issues/648) are
			`declared in recipes, not resources because of the way custom resources`
			work currently in Chef. See the `default.rb` and `replica.rb` recipes.

			The primary gives access to the `replication` db to the `replication` user
			`connecting from a replica, and replicas to the primary. For more information`
			`about PostgreSQL client authentication, see the`
			`[official docs](https://www.postgresql.org/docs/12/auth-pg-hba-conf.html)`

			`The primary opens up the PostgreSQL port (5432 TCP) to replicas, and replicas`
			`to the primary.`
Use a self-signed TLS certificate for PostgreSQL 2020-05-13 17:10:14 +00:00
			`## TLS self-signed certificate`

			A wildcard (`*.kosmos.org` certificate) was generated with the following
			`commands:`

			```
			`openssl req -new -nodes -text -out root.csr -keyout root.key \`
			`-subj "/CN=root.kosmos.org"`
			`chmod og-rwx root.key`
			`openssl x509 -req -in root.csr -text -days 3650 \`
			`-extfile /etc/ssl/openssl.cnf -extensions v3_ca \`
			`-signkey root.key -out root.crt`
			`openssl req -new -nodes -text -out server.csr \`
			`-keyout server.key -subj "/CN=*.kosmos.org"`
			`chmod og-rwx server.key`
			`openssl x509 -req -in server.csr -text -days 1825 \`
			`-CA root.crt -CAkey root.key -CAcreateserial \`
			`-out server.crt`
			```

			`It is valid until May 12 2025.`

			The content of `server.crt`, `server.key` and `root.crt` an stored in the
			`postgresql` encrypted data bag. The root key is stored in LastPass
			("Self-signed TLS root certificate"). `server.crt` & `server.key` are used by
			`the PostgreSQL server.`