Configure postgres recipes for VMs and zerotier access

* Remove encfs (using encrypted volumes instead)
* Allow access without TLS from zerotier network

site-cookbooks/kosmos-postgresql/resources/server.rb

@@ -4,22 +4,13 @@ property :postgresql_version, String, required: true, name_property: true
 property :role, String, required: true # Can be primary or replica
 
 action :create do
-  encfs_data_dir = node["kosmos_encfs"]["data_directory"]
   postgresql_version = new_resource.postgresql_version
-  postgresql_data_dir = "#{encfs_data_dir}/postgresql/#{postgresql_version}/main"
+  postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main"
   postgresql_service = "postgresql@#{postgresql_version}-main"
+  postgresql_credentials = data_bag_item('credentials', 'postgresql')
 
-  node.override['build-essential']['compile_time'] = true
-  include_recipe 'build-essential::default'
-
-  user "postgres" do
-    manage_home false
-  end
-
-  directory "#{encfs_data_dir}/postgresql" do
-    owner "postgres"
-    group "postgres"
-    mode "0750"
+  build_essential do
+    compile_time true
   end
 
   package("libpq-dev") { action :nothing }.run_action(:install)
@@ -28,13 +19,14 @@ action :create do
     compile_time true
   end
 
-  postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
+  user "postgres" do
+    manage_home false
+  end
 
   postgresql_server_install "main" do
     version postgresql_version
     setup_repo true
-    password postgresql_data_bag_item['server_password']
-    data_directory postgresql_data_dir
+    password postgresql_credentials['server_password']
     action :install
   end
 
@@ -43,9 +35,6 @@ action :create do
     action :start
   end
 
-  # Activates the postgres service when encrypted data dir is mounted
-  encfs_path_activation_unit postgresql_service
-
   # This service is a dependency that will auto-start our cluster service on
   # boot if it's enabled, so we disable it explicitly
   service "postgresql" do
@@ -69,36 +58,8 @@ action :create do
 
   additional_config[:promote_trigger_file] = "#{postgresql_data_dir}/failover.trigger"
 
-  ssl_cert = postgresql_data_bag_item['ssl_cert']
-  ssl_cert_path = "#{postgresql_data_dir}/server.crt"
-  ssl_key = postgresql_data_bag_item['ssl_key']
-  ssl_key_path = "#{postgresql_data_dir}/server.key"
-
-  file ssl_cert_path do
-    content ssl_cert
-    owner "postgres"
-    group "postgres"
-    mode "0640"
-    sensitive true
-  end
-
-  file ssl_key_path do
-    content ssl_key
-    owner "postgres"
-    group "postgres"
-    mode "0600"
-    sensitive true
-  end
-
-  additional_config[:ssl]           = "on"
-  additional_config[:ssl_cert_file] = ssl_cert_path
-  additional_config[:ssl_key_file]  = ssl_key_path
-  # ejabberd does not support 1.3 yet
-  additional_config[:ssl_min_protocol_version]  = "TLSv1.2"
-
   postgresql_server_conf "main" do
     version postgresql_version
-    data_directory postgresql_data_dir
     additional_config additional_config
     notifies :reload, "service[#{postgresql_service}]", :delayed
   end
@@ -106,7 +67,7 @@ action :create do
   postgresql_user "replication" do
     action :create
     replication true
-    password postgresql_data_bag_item['replication_password']
+    password postgresql_credentials['replication_password']
   end
 end