Encrypt the Postgresql data dir on the replica (centaurus)

encfs always runs a configuration assistant when creating a new
volume, so this needs to be done manually:

   systemctl stop postgresql@12-main
   mv /var/lib/postgresql /var/lib/postgresql.old
   encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public
Pick p (paranoia mode) and enter the password from the data bag twice

   mv /var/lib/postgresql/* /var/lib/postgresql/
   systemctl start postgresql@12-main

This is running on centaurus, and the volume is mounted automatically on boot by a
systemd unit

Refs #129
Greg Karékinian 2020-05-15 18:41:31 +02:00
parent 4475af9204
commit 55b1cbc1d7
4 changed files with 49 additions and 0 deletions


@ -0,0 +1,10 @@
[Unit]
Description=EncFS for PostgreSQL data dir
Before=postgresql@12-main.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/mount_pg_encfs
ExecStop=/bin/umount /var/lib/postgresql
[Install]
WantedBy=multi-user.target
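Review bot: `Before=postgresql@12-main.service` is an ordering hint only, not a dependency, so starting the PostgreSQL unit by hand, or after the EncFS mount has failed, does not pull the mount in or wait for it to succeed, and PostgreSQL can attempt to start against the bare `/var/lib/postgresql` mountpoint. Adding `RequiredBy=postgresql@12-main.service` under `[Install]` makes `systemctl enable` wire this unit in as a hard requirement, so the database unit fails instead of coming up unmounted. The `12` is hard-coded here while the resource changed in this commit takes `postgresql_version` as a property; rendering this file as a template with that variable would keep the two in step.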


@ -29,6 +29,7 @@ postgresql_service = "postgresql@#{postgresql_version}-main"
postgresql_custom_server postgresql_version do postgresql_custom_server postgresql_version do
role "replica" role "replica"
encfs true
end end
service postgresql_service do service postgresql_service do


@ -2,6 +2,7 @@ resource_name :postgresql_custom_server
property :postgresql_version, String, required: true, name_property: true property :postgresql_version, String, required: true, name_property: true
property :role, String, required: true # Can be primary or replica property :role, String, required: true # Can be primary or replica
property :encfs, [TrueClass, FalseClass], default: false
action :create do action :create do
postgresql_version = new_resource.postgresql_version postgresql_version = new_resource.postgresql_version
@ -43,6 +44,40 @@ action :create do
password postgresql_data_bag_item['replication_password'] password postgresql_data_bag_item['replication_password']
end end
if new_resource.encfs
# FIXME: encfs always runs a configuration assistant when creating a new
# volume, so this needs to be done manually:
# systemctl stop postgresql@12-main
# mv /var/lib/postgresql /var/lib/postgresql.old
# encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public
# Pick p (paranoia mode) and enter the password from the data bag twice
# mv /var/lib/postgresql/* /var/lib/postgresql/
# systemctl start postgresql@12-main
package "encfs"
template "/usr/local/bin/mount_pg_encfs" do
source "mount_pg_encfs.erb"
mode "0700"
variables password: postgresql_data_bag_item["encfs_password"]
end
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
# The service will automatically mount the encrypted volume on startup
cookbook_file "/lib/systemd/system/encfs_postgresql.service" do
source "encfs.service"
notifies :run, "execute[systemctl daemon-reload]", :delayed
end
service "encfs_postgresql" do
action [:enable]
end
end
shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM
"128MB" "128MB"
else # >= 1GB RAM, use 25% of total RAM else # >= 1GB RAM, use 25% of total RAM
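Review bot: The `template "/usr/local/bin/mount_pg_encfs"` block renders the EncFS password into the script but does not set `sensitive true`, so whenever the file changes Chef prints the content diff and the password ends up in chef-client output, logs and run reports; add `sensitive true` next to `mode "0700"`, together with an explicit `owner "root"` and `group "root"` so the 0700 file is not left to whichever user ran the converge. The manual-steps comment carries a typo that is also in the commit message: `# mv /var/lib/postgresql/* /var/lib/postgresql/` moves the directory's own contents back onto themselves (mv reports them as the same file) and presumably should read `# mv /var/lib/postgresql.old/* /var/lib/postgresql/`. The `systemctl daemon-reload` is notified `:delayed`, while `service "encfs_postgresql"` runs in the same pass right after the unit file is written; this appears to work only because `:enable` reads the unit file from disk, so if a `:start` action is ever added the notification must become `:immediately`. Locally managed units conventionally live in `/etc/systemd/system` rather than the package-owned `/lib/systemd/system` path used in the `cookbook_file`. The `action :create` block begins before this hunk and continues after it.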


@ -0,0 +1,3 @@
#!/bin/sh
/bin/echo "<%= @password %>" | encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public -S
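Review bot: The password is interpolated raw by ERB into a double-quoted shell string, so a data bag value containing `"`, `$`, a backtick or a backslash is likely to be altered or evaluated by `/bin/sh` (dash on Debian-family hosts, whose `echo` also interprets backslash escapes and a leading `-n`/`-e`), and the mount then silently fails with the wrong key; a quoted heredoc passes it verbatim: `encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public -S <<'EOF'`, `<%= @password %>`, `EOF`. Reading the password from stdin with `-S` is the right choice, since it keeps the secret out of the process argument list; a password containing a newline still cannot be represented this way and would need to be rejected where the data bag item is read. The script relies entirely on the template's `0700` mode to protect the secret at rest, which deserves a comment line at the top of the template so the permission is not relaxed later.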