Encrypt the Postgresql data dir on the replica (centaurus)

encfs always runs a configuration assistant when creating a new volume, so this needs to be done manually: systemctl stop postgresql@12-main mv /var/lib/postgresql /var/lib/postgresql.old encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public Pick p (paranoia mode) and enter the password from the data bag twice mv /var/lib/postgresql/* /var/lib/postgresql/ systemctl start postgresql@12-main This is running on centaurus and is mounted automatically on boot by a system unit Refs #129
2020-05-15 18:41:31 +02:00 · 2020-05-15 18:41:31 +02:00 · 55b1cbc1d7
commit 55b1cbc1d7
parent 4475af9204
4 changed files with 49 additions and 0 deletions
--- a/site-cookbooks/kosmos-postgresql/files/encfs.service
+++ b/site-cookbooks/kosmos-postgresql/files/encfs.service
@ -0,0 +1,10 @@
+[Unit]
+Description=EncFS for PostgreSQL data dir
+Before=postgresql@12-main.service
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/mount_pg_encfs
+ExecStop=/bin/umount /var/lib/postgresql
+[Install]
+WantedBy=multi-user.target
--- a/site-cookbooks/kosmos-postgresql/recipes/replica.rb
+++ b/site-cookbooks/kosmos-postgresql/recipes/replica.rb
@ -29,6 +29,7 @@ postgresql_service = "postgresql@#{postgresql_version}-main"

 postgresql_custom_server postgresql_version do
  role "replica"
+  encfs true
 end

 service postgresql_service do
--- a/site-cookbooks/kosmos-postgresql/resources/server.rb
+++ b/site-cookbooks/kosmos-postgresql/resources/server.rb
@ -2,6 +2,7 @@ resource_name :postgresql_custom_server

 property :postgresql_version, String, required: true, name_property: true
 property :role, String, required: true # Can be primary or replica
+property :encfs, [TrueClass, FalseClass], default: false

 action :create do
  postgresql_version = new_resource.postgresql_version
@ -43,6 +44,40 @@ action :create do
    password postgresql_data_bag_item['replication_password']
  end

+  if new_resource.encfs
+    # FIXME: encfs always runs a configuration assistant when creating a new
+    # volume, so this needs to be done manually:
+    #    systemctl stop postgresql@12-main
+    #    mv /var/lib/postgresql /var/lib/postgresql.old
+    #    encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public
+    # Pick p (paranoia mode) and enter the password from the data bag twice
+    #    mv /var/lib/postgresql/* /var/lib/postgresql/
+    #    systemctl start postgresql@12-main
+
+    package "encfs"
+
+    template "/usr/local/bin/mount_pg_encfs" do
+      source "mount_pg_encfs.erb"
+      mode "0700"
+      variables password: postgresql_data_bag_item["encfs_password"]
+    end
+
+    execute "systemctl daemon-reload" do
+      command "systemctl daemon-reload"
+      action :nothing
+    end
+
+    # The service will automatically mount the encrypted volume on startup
+    cookbook_file "/lib/systemd/system/encfs_postgresql.service" do
+      source "encfs.service"
+      notifies :run, "execute[systemctl daemon-reload]", :delayed
+    end
+
+    service "encfs_postgresql" do
+      action [:enable]
+    end
+  end
+
  shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM
                     "128MB"
                   else # >= 1GB RAM, use 25% of total RAM
--- a/site-cookbooks/kosmos-postgresql/templates/mount_pg_encfs.erb
+++ b/site-cookbooks/kosmos-postgresql/templates/mount_pg_encfs.erb
@ -0,0 +1,3 @@
+#!/bin/sh
+
+/bin/echo "<%= @password %>" | encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public -S