kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 26 Pull Requests 2 Projects 2 Activity

Configure postgres recipes for VMs and zerotier access

Browse Source 
* Remove encfs (using encrypted volumes instead)
* Allow access without TLS from zerotier network
This commit is contained in:
Basti 2021-01-07 13:53:30 +01:00
parent 9d9907f0ed
commit 4872677066
Signed by untrusted user: basti
GPG Key ID: 9F88009D31D99C72
9 changed files with 86 additions and 205 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
nodes/postgres-2.json
View File

@ -12,11 +12,13 @@
"hostname": "postgres-2", "hostname": "postgres-2",
"ipaddress": "192.168.122.244", "ipaddress": "192.168.122.244",
"roles": [ "roles": [
"postgresql_replica"
], ],
"recipes": [ "recipes": [
"kosmos-base", "kosmos-base",
"kosmos-base::default", "kosmos-base::default",
"kosmos-postgresql::replica",
"kosmos-postgresql::firewall",
"apt::default", "apt::default",
"timezone_iii::default", "timezone_iii::default",
"timezone_iii::debian", "timezone_iii::debian",
@ -47,6 +49,7 @@
} }
}, },
"run_list": [ "run_list": [
"recipe[kosmos-base]" "recipe[kosmos-base]",
"role[postgresql_replica]"
] ]
} }

4
roles/postgresql_primary.rb
View File

@ -1,6 +1,6 @@
name "postgresql_primary" name "postgresql_primary"
run_list %w( run_list %w(
kosmos-postgresql::default kosmos-postgresql::primary
kosmos-postgresql::firewall_replicas kosmos-postgresql::firewall
) )

2
roles/postgresql_replica.rb
View File

@ -2,5 +2,5 @@ name "postgresql_replica"
run_list %w( run_list %w(
kosmos-postgresql::replica kosmos-postgresql::replica
kosmos-postgresql::firewall_replicas kosmos-postgresql::firewall
) )

90
site-cookbooks/kosmos-postgresql/recipes/default.rb
View File

@ -1,90 +0,0 @@
#
# Cookbook:: kosmos-postgresql
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
postgresql_version = "12"
postgresql_service = "postgresql@#{postgresql_version}-main"
service postgresql_service do
supports restart: true, status: true, reload: true
end
postgresql_custom_server postgresql_version do
role "primary"
end
# This will only be run once, if the /var/lib/postgresql/10/main directory
# exists. The old data directory is then moved.
execute "upgrade postgresql to 12" do
command <<-EOF
systemctl stop postgresql@12-main
systemctl stop postgresql@10-main
su - postgres -c "/usr/lib/postgresql/12/bin/pg_upgrade --old-bindir=/usr/lib/postgresql/10/bin/ --new-bindir=/usr/lib/postgresql/12/bin/ --old-datadir=/etc/postgresql/10/main/ --new-datadir=/etc/postgresql/12/main/"
mv /var/lib/postgresql/10/main /var/lib/postgresql/10/main.old
systemctl start postgresql@12-main
EOF
only_if { ::File.exist? "/var/lib/postgresql/10/main" }
end
# Services that connect to PostgreSQL need to have the postgresql_client role
# as part of their run list. See the gitea and ejabberd roles.
postgresql_clients = search(:node, "roles:postgresql_client AND chef_environment:#{node.chef_environment}") || []
postgresql_clients.each do |client|
ip = ip_for(client)
hostname = client[:hostname]
postgresql_access "#{hostname} all" do
access_type "host"
access_db "all"
access_user "all"
access_addr "#{ip}/32"
access_method "md5"
notifies :reload, "service[#{postgresql_service}]", :immediately
end
firewall_rule "postgresql #{hostname}" do
port 5432
protocol :tcp
command :allow
source ip
end
end
postgresql_replicas.each do |replica|
postgresql_access "#{replica[:hostname]} replication" do
access_type "host"
access_db "replication"
access_user "replication"
access_addr "#{replica[:ipaddress]}/32"
access_method "md5"
notifies :reload, "service[#{postgresql_service}]", :immediately
end
end
unless node.chef_environment == "development"
include_recipe "kosmos-postgresql::firewall_replicas"
end

15
site-cookbooks/kosmos-postgresql/recipes/firewall.rb Normal file
View File

@ -0,0 +1,15 @@
#
# Cookbook:: kosmos-postgresql
# Recipe:: firewall
#
unless node.chef_environment == "development"
include_recipe "kosmos-base::firewall"
firewall_rule "postgresql zerotier members" do
port 5432
protocol :tcp
command :allow
source "10.1.1.0/24"
end
end

36
site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb
View File

@ -1,36 +0,0 @@
#
# Cookbook:: kosmos-postgresql
# Recipe:: firewall_replicas
#
# The MIT License (MIT)
#
# Copyright:: 2020, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
include_recipe "kosmos-base::firewall"
postgresql_replicas.each do |replica|
firewall_rule "postgresql replica #{replica[:hostname]}" do
port 5432
protocol :tcp
command :allow
source replica[:ipaddress]
end
end

33
site-cookbooks/kosmos-postgresql/recipes/primary.rb Normal file
View File

@ -0,0 +1,33 @@
#
# Cookbook:: kosmos-postgresql
# Recipe:: primary
#
postgresql_version = "12"
postgresql_service = "postgresql@#{postgresql_version}-main"
service postgresql_service do
supports restart: true, status: true, reload: true
end
postgresql_custom_server postgresql_version do
role "primary"
end
postgresql_access "zerotier members" do
access_type "host"
access_db "all"
access_user "all"
access_addr "10.1.1.0/24"
access_method "md5"
notifies :reload, "service[#{postgresql_service}]", :immediately
end
postgresql_access "zerotier members replication" do
access_type "host"
access_db "replication"
access_user "replication"
access_addr "10.1.1.0/24"
access_method "md5"
notifies :reload, "service[#{postgresql_service}]", :immediately
end

35
site-cookbooks/kosmos-postgresql/recipes/replica.rb
View File

@ -19,14 +19,15 @@ postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
primary = postgresql_primary primary = postgresql_primary
unless primary.nil? unless primary.nil?
postgresql_data_dir = "#{node["kosmos_encfs"]["data_directory"]}/postgresql/#{postgresql_version}/main" # TODO
postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main"
if node['kosmos-postgresql']['ready_to_set_up_replica'] # FIXME get zerotier IP
execute "set up replication" do execute "set up replication" do
command <<-EOF command <<-EOF
systemctl stop #{postgresql_service} systemctl stop #{postgresql_service}
mv #{postgresql_data_dir} #{postgresql_data_dir}.old mv #{postgresql_data_dir} #{postgresql_data_dir}.old
pg_basebackup -h #{primary[:ipaddress]} -U replication -D #{postgresql_data_dir} -R pg_basebackup -h 10.1.1.167 -U replication -D #{postgresql_data_dir} -R
chown -R postgres:postgres #{postgresql_data_dir} chown -R postgres:postgres #{postgresql_data_dir}
systemctl start #{postgresql_service} systemctl start #{postgresql_service}
EOF EOF
@ -34,28 +35,22 @@ systemctl start #{postgresql_service}
sensitive true sensitive true
not_if { ::File.exist? "#{postgresql_data_dir}/standby.signal" } not_if { ::File.exist? "#{postgresql_data_dir}/standby.signal" }
end end
end
postgresql_access "replication" do postgresql_access "zerotier members" do
access_type "host" access_type "host"
access_db "replication" access_db "all"
access_user "replication" access_user "all"
access_addr "#{primary[:ipaddress]}/32" access_addr "10.1.1.0/24"
access_method "md5" access_method "md5"
notifies :reload, "service[#{postgresql_service}]", :immediately notifies :reload, "service[#{postgresql_service}]", :immediately
end end
# On the next Chef run the replica will be set up postgresql_access "zerotier members replication" do
node.normal['kosmos-postgresql']['ready_to_set_up_replica'] = true access_type "host"
access_db "replication"
unless node.chef_environment == "development" access_user "replication"
include_recipe "kosmos-base::firewall" access_addr "10.1.1.0/24"
access_method "md5"
firewall_rule "postgresql primary #{primary[:hostname]}" do notifies :reload, "service[#{postgresql_service}]", :immediately
port 5432
protocol :tcp
command :allow
source primary[:ipaddress]
end
end end
end end

57
site-cookbooks/kosmos-postgresql/resources/server.rb
View File

@ -4,22 +4,13 @@ property :postgresql_version, String, required: true, name_property: true
property :role, String, required: true # Can be primary or replica property :role, String, required: true # Can be primary or replica
action :create do action :create do
encfs_data_dir = node["kosmos_encfs"]["data_directory"]
postgresql_version = new_resource.postgresql_version postgresql_version = new_resource.postgresql_version
postgresql_data_dir = "#{encfs_data_dir}/postgresql/#{postgresql_version}/main" postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main"
postgresql_service = "postgresql@#{postgresql_version}-main" postgresql_service = "postgresql@#{postgresql_version}-main"
postgresql_credentials = data_bag_item('credentials', 'postgresql')
node.override['build-essential']['compile_time'] = true build_essential do
include_recipe 'build-essential::default' compile_time true
user "postgres" do
manage_home false
end
directory "#{encfs_data_dir}/postgresql" do
owner "postgres"
group "postgres"
mode "0750"
end end
package("libpq-dev") { action :nothing }.run_action(:install) package("libpq-dev") { action :nothing }.run_action(:install)
@ -28,13 +19,14 @@ action :create do
compile_time true compile_time true
end end
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') user "postgres" do
manage_home false
end
postgresql_server_install "main" do postgresql_server_install "main" do
version postgresql_version version postgresql_version
setup_repo true setup_repo true
password postgresql_data_bag_item['server_password'] password postgresql_credentials['server_password']
data_directory postgresql_data_dir
action :install action :install
end end
@ -43,9 +35,6 @@ action :create do
action :start action :start
end end
# Activates the postgres service when encrypted data dir is mounted
encfs_path_activation_unit postgresql_service
# This service is a dependency that will auto-start our cluster service on # This service is a dependency that will auto-start our cluster service on
# boot if it's enabled, so we disable it explicitly # boot if it's enabled, so we disable it explicitly
service "postgresql" do service "postgresql" do
@ -69,36 +58,8 @@ action :create do
additional_config[:promote_trigger_file] = "#{postgresql_data_dir}/failover.trigger" additional_config[:promote_trigger_file] = "#{postgresql_data_dir}/failover.trigger"
ssl_cert = postgresql_data_bag_item['ssl_cert']
ssl_cert_path = "#{postgresql_data_dir}/server.crt"
ssl_key = postgresql_data_bag_item['ssl_key']
ssl_key_path = "#{postgresql_data_dir}/server.key"
file ssl_cert_path do
content ssl_cert
owner "postgres"
group "postgres"
mode "0640"
sensitive true
end
file ssl_key_path do
content ssl_key
owner "postgres"
group "postgres"
mode "0600"
sensitive true
end
additional_config[:ssl] = "on"
additional_config[:ssl_cert_file] = ssl_cert_path
additional_config[:ssl_key_file] = ssl_key_path
# ejabberd does not support 1.3 yet
additional_config[:ssl_min_protocol_version] = "TLSv1.2"
postgresql_server_conf "main" do postgresql_server_conf "main" do
version postgresql_version version postgresql_version
data_directory postgresql_data_dir
additional_config additional_config additional_config additional_config
notifies :reload, "service[#{postgresql_service}]", :delayed notifies :reload, "service[#{postgresql_service}]", :delayed
end end
@ -106,7 +67,7 @@ action :create do
postgresql_user "replication" do postgresql_user "replication" do
action :create action :create
replication true replication true
password postgresql_data_bag_item['replication_password'] password postgresql_credentials['replication_password']
end end
end end