Configure postgres recipes for VMs and zerotier access

* Remove encfs (using encrypted volumes instead)
* Allow access without TLS from zerotier network
2021-01-07 13:53:30 +01:00
parent 9d9907f0ed
commit 4872677066
9 changed files with 86 additions and 205 deletions


@@ -4,22 +4,13 @@ property :postgresql_version, String, required: true, name_property: true
property :role, String, required: true # Can be primary or replica
action :create do
encfs_data_dir = node["kosmos_encfs"]["data_directory"]
postgresql_version = new_resource.postgresql_version
postgresql_data_dir = "#{encfs_data_dir}/postgresql/#{postgresql_version}/main"
postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main"
postgresql_service = "postgresql@#{postgresql_version}-main"
postgresql_credentials = data_bag_item('credentials', 'postgresql')
node.override['build-essential']['compile_time'] = true
include_recipe 'build-essential::default'
user "postgres" do
manage_home false
end
directory "#{encfs_data_dir}/postgresql" do
owner "postgres"
group "postgres"
mode "0750"
build_essential do
compile_time true
end
package("libpq-dev") { action :nothing }.run_action(:install)
@@ -28,13 +19,14 @@ action :create do
compile_time true
end
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
user "postgres" do
manage_home false
end
postgresql_server_install "main" do
version postgresql_version
setup_repo true
password postgresql_data_bag_item['server_password']
data_directory postgresql_data_dir
password postgresql_credentials['server_password']
action :install
end
@@ -43,9 +35,6 @@ action :create do
action :start
end
# Activates the postgres service when encrypted data dir is mounted
encfs_path_activation_unit postgresql_service
# This service is a dependency that will auto-start our cluster service on
# boot if it's enabled, so we disable it explicitly
service "postgresql" do
@@ -69,36 +58,8 @@ action :create do
additional_config[:promote_trigger_file] = "#{postgresql_data_dir}/failover.trigger"
ssl_cert = postgresql_data_bag_item['ssl_cert']
ssl_cert_path = "#{postgresql_data_dir}/server.crt"
ssl_key = postgresql_data_bag_item['ssl_key']
ssl_key_path = "#{postgresql_data_dir}/server.key"
file ssl_cert_path do
content ssl_cert
owner "postgres"
group "postgres"
mode "0640"
sensitive true
end
file ssl_key_path do
content ssl_key
owner "postgres"
group "postgres"
mode "0600"
sensitive true
end
additional_config[:ssl] = "on"
additional_config[:ssl_cert_file] = ssl_cert_path
additional_config[:ssl_key_file] = ssl_key_path
# ejabberd does not support 1.3 yet
additional_config[:ssl_min_protocol_version] = "TLSv1.2"
postgresql_server_conf "main" do
version postgresql_version
data_directory postgresql_data_dir
additional_config additional_config
notifies :reload, "service[#{postgresql_service}]", :delayed
end
@@ -106,7 +67,7 @@ action :create do
postgresql_user "replication" do
action :create
replication true
password postgresql_data_bag_item['replication_password']
password postgresql_credentials['replication_password']
end
end
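Review bot: The fourth hunk (`@@ -69,36 +58,8 @@`) appears to drop `additional_config[:ssl] = "on"` together with the `ssl_cert_file`, `ssl_key_file` and `ssl_min_protocol_version` settings altogether, which is broader than the commit title's "allow access without TLS from zerotier network". With TLS disabled at the server level, the replication login configured in the last hunk (`password postgresql_credentials['replication_password']`) and any client that still reaches the cluster over a non-zerotier interface would exchange credentials and data in cleartext; whether such a path exists depends on the pg_hba rules, which are not part of this diff. A narrower change keeps the server TLS-capable and scopes the exemption in pg_hba.conf, pairing a `host` rule for the zerotier subnet with `hostssl` rules for everything else, so the `"TLSv1.2"` minimum remains in force for the clients that still use TLS. If the ssl settings are intentionally gone for good, a short comment next to the `postgresql_server_conf "main"` block stating that transport encryption is delegated to zerotier would save the next reader from re-adding them. The `action :create` block begins and ends outside the visible hunks.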