Create an initial encfs cookbook

Usage: Add the kosmos_encfs::default recipe to the run list of a node. Creating the encrypted directory will keep it mounted. After a reboot, start the encfs service and enter the password: ``` $ systemctl start encfs encfs password: ``` For now postgresql@12-main is a hardcoded dependency of the encfs Systemd unit that is automatically started once the user inputs the correct password. This list of dependency will need to be different for every server, based on the services it is running
2020-06-04 19:50:20 +02:00
parent eded62a3ec
commit 1e60722ec4
14 changed files with 293 additions and 56 deletions
--- a/site-cookbooks/kosmos-postgresql/resources/server.rb
+++ b/site-cookbooks/kosmos-postgresql/resources/server.rb
@@ -2,16 +2,23 @@ resource_name :postgresql_custom_server

 property :postgresql_version, String, required: true, name_property: true
 property :role, String, required: true # Can be primary or replica
-property :encfs, [TrueClass, FalseClass], default: false

 action :create do
  postgresql_version = new_resource.postgresql_version
-  postgresql_data_dir = data_dir(postgresql_version)
+  postgresql_data_dir = "/mnt/data/postgresql/#{postgresql_version}/main"
  postgresql_service = "postgresql@#{postgresql_version}-main"

  node.override['build-essential']['compile_time'] = true
  include_recipe 'build-essential::default'

+  directory postgresql_data_dir do
+    owner "postgres"
+    group "postgres"
+    mode "0750"
+    recursive true
+    action :create
+  end
+
  package("libpq-dev") { action :nothing }.run_action(:install)

  chef_gem 'pg' do
@@ -38,46 +45,6 @@ action :create do
    action :install
  end

-  postgresql_user "replication" do
-    action :create
-    replication true
-    password postgresql_data_bag_item['replication_password']
-  end
-
-  if new_resource.encfs
-    # FIXME: encfs always runs a configuration assistant when creating a new
-    # volume, so this needs to be done manually:
-    #    systemctl stop postgresql@12-main
-    #    mv /var/lib/postgresql /var/lib/postgresql.old
-    #    encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public
-    # Pick p (paranoia mode) and enter the password from the data bag twice
-    #    mv /var/lib/postgresql/* /var/lib/postgresql/
-    #    systemctl start postgresql@12-main
-
-    package "encfs"
-
-    template "/usr/local/bin/mount_pg_encfs" do
-      source "mount_pg_encfs.erb"
-      mode "0700"
-      variables password: postgresql_data_bag_item["encfs_password"]
-    end
-
-    execute "systemctl daemon-reload" do
-      command "systemctl daemon-reload"
-      action :nothing
-    end
-
-    # The service will automatically mount the encrypted volume on startup
-    cookbook_file "/lib/systemd/system/encfs_postgresql.service" do
-      source "encfs.service"
-      notifies :run, "execute[systemctl daemon-reload]", :delayed
-    end
-
-    service "encfs_postgresql" do
-      action [:enable]
-    end
-  end
-
  shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM
                     "128MB"
                   else # >= 1GB RAM, use 25% of total RAM
@@ -91,6 +58,7 @@ action :create do
    dynamic_shared_memory_type: "posix",
    timezone: "UTC", # default is GMT
    listen_addresses: "0.0.0.0",
+    data_directory: postgresql_data_dir
  }

  if new_resource.role == "replica"
@@ -129,6 +97,13 @@ action :create do
    additional_config additional_config
    notifies :reload, "service[#{postgresql_service}]"
  end
+
+  postgresql_user "replication" do
+    action :create
+    replication true
+    password postgresql_data_bag_item['replication_password']
+  end
+
 end

 action_class do