diff --git a/site-cookbooks/kosmos_encfs/README.md b/site-cookbooks/kosmos_encfs/README.md
index 821ae83..5c5ed8e 100644
--- a/site-cookbooks/kosmos_encfs/README.md
+++ b/site-cookbooks/kosmos_encfs/README.md
@@ -1,3 +1,15 @@
 # kosmos_encfs
-Install encfs and set up encryption for a data directory
+Install encfs and set up encryption for a data directory.
+
+## Provisioning a new machine
+
+Add encfs to the run list and run chef before adding other cookbooks that
+depends on the encfs mount.
+
+Log into the system and create the data directory like so:
+
+ encfs /usr/local/lib/encrypted_data /mnt/data --public
+
+When asked for config options, choose nothing (i.e. "standard"). Do NOT choose
+paranoia mode, as it breaks some software, like e.g. PostgreSQL.
diff --git a/site-cookbooks/kosmos_encfs/files/encfs.service b/site-cookbooks/kosmos_encfs/files/encfs.service
index f0f8da9..12eed81 100644
--- a/site-cookbooks/kosmos_encfs/files/encfs.service
+++ b/site-cookbooks/kosmos_encfs/files/encfs.service
@@ -1,11 +1,9 @@
 [Unit]
 Description=EncFS for data dir
-Before=postgresql@12-main.service
-BindsTo=postgresql@12-main.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/local/bin/mount_encfs
-ExecStop=/bin/umount /mnt/data
+ExecStop=/usr/local/bin/unmount_encfs
 [Install]
 WantedBy=multi-user.target
diff --git a/site-cookbooks/kosmos_encfs/recipes/default.rb b/site-cookbooks/kosmos_encfs/recipes/default.rb
index 05ce02a..ce4832f 100644
--- a/site-cookbooks/kosmos_encfs/recipes/default.rb
+++ b/site-cookbooks/kosmos_encfs/recipes/default.rb
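Review bot: With `Before=` and `BindsTo=` removed from the [Unit] section of encfs.service, nothing orders the PostgreSQL instance's shutdown ahead of this unit's `ExecStop=/usr/local/bin/unmount_encfs`, so `systemctl stop encfs` (or a reboot) will try to unmount `/mnt/data` while the database may still hold files open and fail with a busy mount. The path unit added elsewhere in this commit only starts the dependent service; it does not stop it when the mount goes away. If the intent is to avoid pulling PostgreSQL in at boot while `systemd-ask-password` blocks, the usual shape is a drop-in on the dependent unit with `Requires=encfs.service` and `After=encfs.service` (accepting the boot-time pull-in), or else the unmount script has to stop the dependent units itself before unmounting. Whichever is chosen, a comment in this unit stating who is responsible for stopping consumers of the mount would save the next reader from rediscovering this.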
@@ -35,11 +35,17 @@ mount_directory = "/mnt/data"
 template "/usr/local/bin/mount_encfs" do
 source "mount_encfs.erb"
- mode "0700"
+ mode "0755"
 variables encrypted_directory: encrypted_directory, mount_directory: mount_directory
 end
+template "/usr/local/bin/unmount_encfs" do
+ source "unmount_encfs.erb"
+ mode "0700"
+ variables mount_directory: mount_directory
+end
+
 execute "systemctl daemon-reload" do
 command "systemctl daemon-reload"
 action :nothing
@@ -50,19 +56,22 @@ directory mount_directory do
 mode "0775"
 end
-execute "create encrypted file system" do
- command <<-EOF
-echo "y\\\n
-y\\\n
-p\\\n
-#{encfs_password}\\\n
-#{encfs_password}\\\n
-" | encfs #{encrypted_directory} #{mount_directory} --public --stdinpass
- EOF
- sensitive true
- not_if { ::File.exist?(encrypted_directory) }
-end
+# FIXME the password that is stored using this script does not match the actual password
+# execute "create encrypted file system" do
+# command <<-EOF
+# echo "y\\\n
+# y\\\n
+# FIXME paranoia mode breaks hard links, which postgres relies on
+# p\\\n
+# #{encfs_password}\\\n
+# #{encfs_password}\\\n
+# " | encfs #{encrypted_directory} #{mount_directory} --public --stdinpass
+# EOF
+# sensitive true
+# not_if { ::File.exist?(encrypted_directory) }
+# end
+# FIXME there seems to be half a comment missing here
 # The service will automatically
 cookbook_file "/lib/systemd/system/encfs.service" do
 source "encfs.service"
diff --git a/site-cookbooks/kosmos_encfs/templates/mount_encfs.erb b/site-cookbooks/kosmos_encfs/templates/mount_encfs.erb
index 74e1221..d669e34 100644
--- a/site-cookbooks/kosmos_encfs/templates/mount_encfs.erb
+++ b/site-cookbooks/kosmos_encfs/templates/mount_encfs.erb
@@ -1,3 +1,4 @@
 #!/bin/sh
 systemd-ask-password --echo "encfs password:" | encfs <%= @encrypted_directory %> <%= @mount_directory %> --public --stdinpass
+echo "Encrypted data directory mounted as <%= @mount_directory %>" > /tmp/data-dir-mounted.txt
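Review bot: The first hunk widens `/usr/local/bin/mount_encfs` from `mode "0700"` to `mode "0755"` while the new `unmount_encfs` template in the same hunk stays at `"0700"`, and neither the commit nor a comment says why the two differ; both scripts are only invoked by systemd as root via ExecStart/ExecStop, so `0700` is the least-privilege choice for both unless an operator is meant to run mount_encfs by hand, in which case a one-line comment above the resource should say so. In the second hunk the whole `execute "create encrypted file system"` resource is kept as a commented-out block; since a Ruby comment does not interpolate, `#{encfs_password}` there exposes nothing, but the block is now dead code and the README added in this commit already documents the manual `encfs … --public` step, so it would be clearer to delete it and replace it with `# The encrypted directory is created by hand; see README "Provisioning a new machine".` The variable feeding `encfs_password` is presumably assigned earlier in the recipe, outside this hunk, and is likely unused now — worth checking and removing so a secret is not loaded for nothing. The truncated context comment `# The service will automatically` flagged by the new FIXME should be finished or dropped rather than annotated.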
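Review bot: The added `echo … > /tmp/data-dir-mounted.txt` runs regardless of whether the encfs pipeline on the previous line succeeded, because the script has no `set -e` and does not inspect the mount; a mistyped password, or an encrypted directory that was never created (the recipe no longer creates it), still produces the marker file, and the new path unit then starts the dependent service against an unmounted `<%= @mount_directory %>`, so its data lands unencrypted on the underlying filesystem. Add `set -e` after the shebang and `mountpoint -q <%= @mount_directory %>` before the echo so the marker is only written once the mount is actually present. A short comment, e.g. `# marker consumed by the systemd path unit; must only exist while the mount is up`, would also document why the file exists at all.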
diff --git a/site-cookbooks/kosmos_encfs/templates/systemd_unit.path.erb b/site-cookbooks/kosmos_encfs/templates/systemd_unit.path.erb
new file mode 100644
index 0000000..c559ac0
--- /dev/null
+++ b/site-cookbooks/kosmos_encfs/templates/systemd_unit.path.erb
@@ -0,0 +1,9 @@
+[Unit]
+Description=Start <%= @service_unit %> when encrypted data directory is mounted
+
+[Path]
+PathExists=/tmp/data-dir-mounted.txt
+Unit=<%= @service_unit %>
+
+[Install]
+WantedBy=multi-user.target
diff --git a/site-cookbooks/kosmos_encfs/templates/unmount_encfs.erb b/site-cookbooks/kosmos_encfs/templates/unmount_encfs.erb
new file mode 100644
index 0000000..02690a7
--- /dev/null
+++ b/site-cookbooks/kosmos_encfs/templates/unmount_encfs.erb
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+rm /tmp/data-dir-mounted.txt
+/bin/umount <%= @mount_directory %>
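Review bot: `PathExists=/tmp/data-dir-mounted.txt` gates the start of `<%= @service_unit %>` on a file in a world-writable directory that, depending on the distribution's tmpfiles policy, is not cleared at boot, so a marker left behind by a crash or power loss (the unmount script is the only thing that removes it) or a file created by any local user triggers the service before the encrypted directory is mounted, and the service then writes plaintext into the underlying `/mnt/data`. Move the marker to a root-owned directory on a per-boot tmpfs, for example a subdirectory under `/run` (a constructed example would be `/run/encfs/mounted`, created by mount_encfs), and change `PathExists=` accordingly; mount_encfs.erb and unmount_encfs.erb in this commit reference the same path and have to change together. A comment in the unit, e.g. `# Marker is written by mount_encfs only after the FUSE mount is verified`, should state that contract so nobody relaxes it later.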
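Review bot: unmount_encfs.erb removes the marker with `rm /tmp/data-dir-mounted.txt` before calling `/bin/umount`, so when the unmount fails — which it will whenever the dependent service still has files open on the mount, since nothing in this commit stops that service first — the system is left mounted but with the marker gone, and a later successful stop then fails on the missing file because `rm` is not `-f`. Reverse the order and make the script fail closed: `set -e`, `/bin/umount <%= @mount_directory %>`, `rm -f /tmp/data-dir-mounted.txt`, so the marker only disappears once the mount is really gone and a missing marker is not itself an error.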