diff --git a/data_bags/credentials/encfs.json b/data_bags/credentials/encfs.json new file mode 100644 index 0000000..88377e1 --- /dev/null +++ b/data_bags/credentials/encfs.json @@ -0,0 +1,10 @@ +{ + "id": "encfs", + "password": { + "encrypted_data": "+1Q3ojHS0lJgE7lFv3zEv653UHgRiuuuxBQQpfa+XrKaeQms2Kiw\n", + "iv": "sMb1a/NmjcAW62Uf\n", + "auth_tag": "n6jpD1fGoqidgMHRuL3K+A==\n", + "version": 3, + "cipher": "aes-256-gcm" + } +} \ No newline at end of file diff --git a/site-cookbooks/kosmos-postgresql/files/encfs.service b/site-cookbooks/kosmos-postgresql/files/encfs.service deleted file mode 100644 index 4fdef2a..0000000 --- a/site-cookbooks/kosmos-postgresql/files/encfs.service +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=EncFS for PostgreSQL data dir -Before=postgresql@12-main.service -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/local/bin/mount_pg_encfs -ExecStop=/bin/umount /var/lib/postgresql -[Install] -WantedBy=multi-user.target diff --git a/site-cookbooks/kosmos-postgresql/recipes/replica.rb b/site-cookbooks/kosmos-postgresql/recipes/replica.rb index 357ce4a..8a3f7d5 100644 --- a/site-cookbooks/kosmos-postgresql/recipes/replica.rb +++ b/site-cookbooks/kosmos-postgresql/recipes/replica.rb @@ -29,7 +29,6 @@ postgresql_service = "postgresql@#{postgresql_version}-main" postgresql_custom_server postgresql_version do role "replica" - encfs true end service postgresql_service do diff --git a/site-cookbooks/kosmos-postgresql/resources/server.rb b/site-cookbooks/kosmos-postgresql/resources/server.rb index 1aa074c..652a0ee 100644 --- a/site-cookbooks/kosmos-postgresql/resources/server.rb +++ b/site-cookbooks/kosmos-postgresql/resources/server.rb 
@@ -2,16 +2,23 @@ resource_name :postgresql_custom_server property :postgresql_version, String, required: true, name_property: true property :role, String, required: true # Can be primary or replica -property :encfs, [TrueClass, FalseClass], default: false action :create do postgresql_version = new_resource.postgresql_version - postgresql_data_dir = data_dir(postgresql_version) + postgresql_data_dir = "/mnt/data/postgresql/#{postgresql_version}/main" postgresql_service = "postgresql@#{postgresql_version}-main" node.override['build-essential']['compile_time'] = true include_recipe 'build-essential::default' + directory postgresql_data_dir do + owner "postgres" + group "postgres" + mode "0750" + recursive true + action :create + end + package("libpq-dev") { action :nothing }.run_action(:install) chef_gem 'pg' do 
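Review bot: The new `directory postgresql_data_dir` resource creates `/mnt/data/postgresql/<version>/main` without checking that `/mnt/data` is actually the mounted encfs volume, so a converge that runs before `encfs.service` has mounted it (or after a failed mount) lays the cluster's data directory on the unencrypted backing filesystem, and the `data_directory` setting added later in this file then points PostgreSQL at it. A check at the top of the action, e.g. `raise "/mnt/data is not a mount point" unless system("mountpoint", "-q", "/mnt/data")`, would turn that ordering failure into a visible one instead of silently growing a plaintext data directory. Note also that `recursive true` applies `owner`/`group`/`mode` only to the leaf directory, so `/mnt/data/postgresql` and `/mnt/data/postgresql/<version>` are created with the Chef process's default ownership and umask rather than `postgres:postgres 0750`. The literal `/mnt/data/...` path replaces the `data_dir(postgresql_version)` helper and duplicates the `mount_directory` value set in the kosmos_encfs recipe; if the helper still exists in `action_class`, a shared node attribute would keep the two cookbooks in agreement. The `action :create do` block continues outside the hunk.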
@@ -38,46 +45,6 @@ action :create do action :install end - postgresql_user "replication" do - action :create - replication true - password postgresql_data_bag_item['replication_password'] - end - - if new_resource.encfs - # FIXME: encfs always runs a configuration assistant when creating a new - # volume, so this needs to be done manually: - # systemctl stop postgresql@12-main - # mv /var/lib/postgresql /var/lib/postgresql.old - # encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public - # Pick p (paranoia mode) and enter the password from the data bag twice - # mv /var/lib/postgresql/* /var/lib/postgresql/ - # systemctl start postgresql@12-main - - package "encfs" - - template "/usr/local/bin/mount_pg_encfs" do - source "mount_pg_encfs.erb" - mode "0700" - variables password: postgresql_data_bag_item["encfs_password"] - end - - execute "systemctl daemon-reload" do - command "systemctl daemon-reload" - action :nothing - end - - # The service will automatically mount the encrypted volume on startup - cookbook_file "/lib/systemd/system/encfs_postgresql.service" do - source "encfs.service" - notifies :run, "execute[systemctl daemon-reload]", :delayed - end - - service "encfs_postgresql" do - action [:enable] - end - end - shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM "128MB" else # >= 1GB RAM, use 25% of total RAM @@ -91,6 +58,7 @@ action :create do dynamic_shared_memory_type: "posix", timezone: "UTC", # default is GMT listen_addresses: "0.0.0.0", + data_directory: postgresql_data_dir } if new_resource.role == "replica" @@ -129,6 +97,13 @@ action :create do additional_config additional_config notifies :reload, "service[#{postgresql_service}]" end + + postgresql_user "replication" do + action :create + replication true + password postgresql_data_bag_item['replication_password'] + end + end action_class do 
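Review bot: `data_directory: postgresql_data_dir` points the cluster at the freshly created `/mnt/data/postgresql/<version>/main`, but nothing in these hunks initialises a cluster there or moves the existing one, and the manual migration steps that the old FIXME comment documented are deleted in the same change; unless `postgresql_custom_server` handles this further down, a node whose data still sits in the default location will not start after the config reload, so that procedure should be documented again next to this line, e.g. `# data_directory must already hold a cluster (pg_createcluster or a copy of the old data dir) before the reload`. The relocated `postgresql_user "replication"` block at the end of the action also has no comment saying why it now has to follow the config template's `notifies :reload`; a one-line note on the reason (presumably so the user is created in the cluster that lives under `data_directory` — confirm) would spare the next reader the guess. The enclosing `action :create do` starts outside the hunk.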
diff --git a/site-cookbooks/kosmos-postgresql/templates/mount_pg_encfs.erb b/site-cookbooks/kosmos-postgresql/templates/mount_pg_encfs.erb
deleted file mode 100644
index e2ce74e..0000000
--- a/site-cookbooks/kosmos-postgresql/templates/mount_pg_encfs.erb
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-/bin/echo "<%= @password %>" | encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public -S
diff --git a/site-cookbooks/kosmos_encfs/.gitignore b/site-cookbooks/kosmos_encfs/.gitignore
new file mode 100644
index 0000000..9abf29f
--- /dev/null
+++ b/site-cookbooks/kosmos_encfs/.gitignore
@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
diff --git a/site-cookbooks/kosmos_encfs/CHANGELOG.md b/site-cookbooks/kosmos_encfs/CHANGELOG.md
new file mode 100644
index 0000000..019f310
--- /dev/null
+++ b/site-cookbooks/kosmos_encfs/CHANGELOG.md
@@ -0,0 +1,7 @@
+# kosmos_encfs CHANGELOG
+
+This file is used to list changes made in each version of the kosmos_encfs cookbook.
+
+# 0.1.0
+
+Initial release.
diff --git a/site-cookbooks/kosmos_encfs/LICENSE b/site-cookbooks/kosmos_encfs/LICENSE
new file mode 100644
index 0000000..f518b02
--- /dev/null
+++ b/site-cookbooks/kosmos_encfs/LICENSE
@@ -0,0 +1,20 @@
+Copyright (c) 2020 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/site-cookbooks/kosmos_encfs/README.md b/site-cookbooks/kosmos_encfs/README.md
new file mode 100644
index 0000000..821ae83
--- /dev/null
+++ b/site-cookbooks/kosmos_encfs/README.md
@@ -0,0 +1,3 @@
+# kosmos_encfs
+
+Install encfs and set up encryption for a data directory
diff --git a/site-cookbooks/kosmos_encfs/chefignore b/site-cookbooks/kosmos_encfs/chefignore
new file mode 100644
index 0000000..5039e1c
--- /dev/null
+++ b/site-cookbooks/kosmos_encfs/chefignore
@@ -0,0 +1,110 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+mkmf.log
+REVISION
+TAGS*
+tmtags
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.foodcritic
+.kitchen*
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+azure-pipelines.yml
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+Procfile
+Rakefile
+spec/*
+spec/*
+spec/fixtures/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Cookbooks #
+#############
+CHANGELOG*
+CONTRIBUTING*
+TESTING*
+CODE_OF_CONDUCT*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
diff --git a/site-cookbooks/kosmos_encfs/files/encfs.service b/site-cookbooks/kosmos_encfs/files/encfs.service
new file mode 100644
index 0000000..f0f8da9
--- /dev/null
+++ b/site-cookbooks/kosmos_encfs/files/encfs.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=EncFS for data dir
+Before=postgresql@12-main.service
+BindsTo=postgresql@12-main.service
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/mount_encfs
+ExecStop=/bin/umount /mnt/data
+[Install]
+WantedBy=multi-user.target
diff --git a/site-cookbooks/kosmos_encfs/metadata.rb b/site-cookbooks/kosmos_encfs/metadata.rb
new file mode 100644
index 0000000..0920b48
--- /dev/null
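Review bot: `Before=postgresql@12-main.service` and `BindsTo=postgresql@12-main.service` hard-wire a unit described as "EncFS for data dir" to one PostgreSQL cluster version, and `ExecStop=/bin/umount /mnt/data` repeats the `mount_directory` value that the recipe already templates into `mount_encfs`; shipping this unit as a `template` with the same variable, and moving the PostgreSQL coupling to the consumer side (a `Requires=encfs.service` / `After=encfs.service` drop-in under `postgresql@.service.d/`), would keep the cookbook reusable and the two paths in sync. `BindsTo=` as written also means that starting `encfs.service` pulls PostgreSQL in and that stopping PostgreSQL unmounts the volume, which may be intended but deserves a line in the unit such as `# BindsTo: tear the mount down whenever the database stops`. Nothing orders the unit after the backing store of `/usr/local/lib/encrypted_data`; default dependencies cover a root-filesystem path, but if that directory ever moves to its own mount an explicit `RequiresMountsFor=` line is needed.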
+++ b/site-cookbooks/kosmos_encfs/metadata.rb
@@ -0,0 +1,20 @@
+name 'kosmos_encfs'
+maintainer 'The Authors'
+maintainer_email 'you@example.com'
+license 'All Rights Reserved'
+description 'Installs/Configures kosmos_encfs'
+long_description 'Installs/Configures kosmos_encfs'
+version '0.1.0'
+chef_version '>= 14.0'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//kosmos_encfs/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//kosmos_encfs'
diff --git a/site-cookbooks/kosmos_encfs/recipes/default.rb b/site-cookbooks/kosmos_encfs/recipes/default.rb
new file mode 100644
index 0000000..05ce02a
--- /dev/null
+++ b/site-cookbooks/kosmos_encfs/recipes/default.rb
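Review bot: `license 'All Rights Reserved'` contradicts the MIT `LICENSE` file and the MIT header in `recipes/default.rb` added by the same commit, and `maintainer 'The Authors'` / `maintainer_email 'you@example.com'` are the untouched generator placeholders. Replace the three lines with `license 'MIT'`, `maintainer 'Kosmos Developers'` and a real contact address so the cookbook metadata states the same grant the repository actually makes. `description 'Installs/Configures kosmos_encfs'` could likewise say what the cookbook does (the README's "Install encfs and set up encryption for a data directory" fits).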
@@ -0,0 +1,70 @@
+#
+# Cookbook:: kosmos_encfs
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+
+encfs_data_bag_item = data_bag_item("credentials", "encfs")
+encfs_password = encfs_data_bag_item["password"]
+
+package "encfs"
+
+encrypted_directory = "/usr/local/lib/encrypted_data"
+mount_directory = "/mnt/data"
+
+template "/usr/local/bin/mount_encfs" do
+ source "mount_encfs.erb"
+ mode "0700"
+ variables encrypted_directory: encrypted_directory,
+ mount_directory: mount_directory
+end
+
+execute "systemctl daemon-reload" do
+ command "systemctl daemon-reload"
+ action :nothing
+end
+
+directory mount_directory do
+ action :create
+ mode "0775"
+end
+
+execute "create encrypted file system" do
+ command <<-EOF
+echo "y\\\n
+y\\\n
+p\\\n
+#{encfs_password}\\\n
+#{encfs_password}\\\n
+" | encfs #{encrypted_directory} #{mount_directory} --public --stdinpass
+ EOF
+ sensitive true
+ not_if { ::File.exist?(encrypted_directory) }
+end
+
+# The service will automatically
+cookbook_file "/lib/systemd/system/encfs.service" do
+ source "encfs.service"
+ notifies :run, "execute[systemctl daemon-reload]", :delayed
+end
diff --git a/site-cookbooks/kosmos_encfs/templates/mount_encfs.erb b/site-cookbooks/kosmos_encfs/templates/mount_encfs.erb
new file mode 100644
index 0000000..10555ca
--- /dev/null
+++ b/site-cookbooks/kosmos_encfs/templates/mount_encfs.erb
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+systemd-ask-password --echo "encfs password:" | encfs <%= @encrypted_directory %> <%= @mount_directory %> --public -S
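Review bot: The recipe installs `/lib/systemd/system/encfs.service` but never enables it — the `service "encfs_postgresql" do action [:enable] end` that the old kosmos-postgresql code had has no counterpart here — so unless another recipe enables the unit, the volume is not mounted at boot and whatever is written to `/mnt/data` lands on the unencrypted backing filesystem; add `service "encfs" do` / `  action :enable` / `end` after the `cookbook_file`. In `execute "create encrypted file system"` the passphrase is spliced into a double-quoted shell string (`#{encfs_password}\\\n` inside `echo "..."`), so a password containing `"`, `$`, `` ` `` or `\` is mangled or expanded by the shell before encfs sees it; pre-creating `encrypted_directory` with a `directory` resource, passing `--paranoia` instead of answering `p`, and feeding only the passphrase on stdin (the `execute` resource's `input` property exists from Chef 16.2, while the cookbook still declares `chef_version '>= 14.0'`) would remove both the interpolation and the scripted `y`/`y` answers. The guard would then have to become `not_if { ::File.exist?(::File.join(encrypted_directory, ".encfs6.xml")) }`, which also fixes the current `not_if { ::File.exist?(encrypted_directory) }` permanently skipping the step once the directory exists even if encfs failed before writing its config. The comment `# The service will automatically` is cut off; `# The unit mounts the volume at boot, prompting for the passphrase on the console via systemd-ask-password` would say what the installed file does.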
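Review bot: `--echo` makes systemd-ask-password print the passphrase back to the console as it is typed, so the encfs password is readable on the VGA/serial console and in anything that captures console output; dropping the flag keeps the masked prompt: `systemd-ask-password "encfs password:" | encfs <%= @encrypted_directory %> <%= @mount_directory %> --public -S`. Because this runs from a oneshot unit at boot, an unanswered prompt (systemd-ask-password gives up after its default timeout) pipes an empty line into encfs, which then fails the mount and the unit; a one-line comment in the script stating that expected failure mode would help whoever debugs a boot that stalled on the prompt.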