From ca13acb99f1831aa82c9336262138a6e8d030d3a Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 22 Oct 2021 13:59:42 +0200 Subject: [PATCH 01/21] Remove obsolete Parity role --- roles/parity.rb | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 roles/parity.rb diff --git a/roles/parity.rb b/roles/parity.rb deleted file mode 100644 index 69e1f1a..0000000 --- a/roles/parity.rb +++ /dev/null @@ -1,6 +0,0 @@ -name 'parity' - -run_list %w( - recipe[kosmos-parity::from_package] - recipe[kosmos-parity::node_dev] -) From 5dd44fc28383785bbe1d64f43e0eef3147fa5f27 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 22 Oct 2021 14:00:09 +0200 Subject: [PATCH 02/21] Add new RSK VM node configs --- clients/rsk-mainnet-1.json | 4 +++ clients/rsk-testnet-2.json | 4 +++ nodes/rsk-mainnet-1.json | 57 ++++++++++++++++++++++++++++++++++++++ nodes/rsk-testnet-2.json | 57 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 122 insertions(+) create mode 100644 clients/rsk-mainnet-1.json create mode 100644 clients/rsk-testnet-2.json create mode 100644 nodes/rsk-mainnet-1.json create mode 100644 nodes/rsk-testnet-2.json diff --git a/clients/rsk-mainnet-1.json b/clients/rsk-mainnet-1.json new file mode 100644 index 0000000..7422123 --- /dev/null +++ b/clients/rsk-mainnet-1.json @@ -0,0 +1,4 @@ +{ + "name": "rsk-mainnet-1", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtavs6RQW6af9fWuEuhI1\nQa4Ff7Z1CfZ0fHz152UqUeUKatQ/psKVs5ULWDV/b69fSuNsUzkCny9OwtwyQB/F\n2U+vbv3/3As3z6i3V3q8q4ahCHd7tkMmxMLaWcdkfWbpupWTRkCEX+PSDKS0hdfp\n3EQKVA2FrqR0sSnnT+Q66kZw4/WJrNwtSLcps4D5OubG7xr/uUn3Vyv5qXvS/7kx\nGvMONs55qh64Gtc3FSFPEdVyZXasCMEWwXyadqzf+/qJtEYlK0Uy5E/u7CTsnmcH\n9TEiYVw0/6PomQ2HJfSlZVUUO007OliBHO9bWOwZ6qI5c53pt5KES0dyy6SQ4m+8\nawIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/clients/rsk-testnet-2.json b/clients/rsk-testnet-2.json new file mode 100644 index 0000000..2739bd0 --- /dev/null 
+++ b/clients/rsk-testnet-2.json @@ -0,0 +1,4 @@ +{ + "name": "rsk-testnet-2", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzG2bgL0n5Q7bTR4WYHOB\nZNOuRem/jjarU/bL0VKKn0JqD3PPDAnhq9gRn7H8SwyGoVFN60YGzu45O4c+SqN3\nCXN+FeFabigH2tKLxBz3kNDYTT/F1ErLLi/6ydrCV3tpddR5KTqLSOntojG8KNzc\nyG4rMV9ebCE1wDVxAFdEA+YDZS8YjP0nO5sLWFacA0ZTx27t5ugqZP1acjSvKzWs\nZ+ekX5Pbws/oUHyaqEEPdz7er4MTBm0bdkCHZbM7132oBcH/huJZhmTXFEdoy4ML\nhP4MWWSvwo66HDYjnaID82a8W1RJZZu2irbPHrfVlaFAh8VQk1T1kkUu0bMovT3V\nYQIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/nodes/rsk-mainnet-1.json b/nodes/rsk-mainnet-1.json new file mode 100644 index 0000000..efc92a3 --- /dev/null +++ b/nodes/rsk-mainnet-1.json @@ -0,0 +1,57 @@ +{ + "name": "rsk-mainnet-1", + "normal": { + "knife_zero": { + "host": "10.1.1.137" + } + }, + "automatic": { + "fqdn": "rsk-mainnet-1", + "os": "linux", + "os_version": "5.4.0-1048-kvm", + "hostname": "rsk-mainnet-1", + "ipaddress": "192.168.122.233", + "roles": [ + "rsk_mainnet" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_rsk::rskj", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "firewall::default", + "chef-sugar::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.6.18", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.6.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[rsk_mainnet]" + ] +} \ No newline at end of file 
diff --git a/nodes/rsk-testnet-2.json b/nodes/rsk-testnet-2.json new file mode 100644 index 0000000..5735317 --- /dev/null +++ b/nodes/rsk-testnet-2.json @@ -0,0 +1,57 @@ +{ + "name": "rsk-testnet-2", + "normal": { + "knife_zero": { + "host": "10.1.1.214" + } + }, + "automatic": { + "fqdn": "rsk-testnet-2", + "os": "linux", + "os_version": "5.4.0-1048-kvm", + "hostname": "rsk-testnet-2", + "ipaddress": "192.168.122.29", + "roles": [ + "rsk_testnet" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_rsk::rskj", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "firewall::default", + "chef-sugar::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.6.18", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.6.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[rsk_testnet]" + ] +} \ No newline at end of file From ce7a7d5f83987c773b2d514064e43760dc6a8e1f Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 22 Oct 2021 14:01:39 +0200 Subject: [PATCH 03/21] Update RSKj version --- site-cookbooks/kosmos_rsk/attributes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos_rsk/attributes/default.rb b/site-cookbooks/kosmos_rsk/attributes/default.rb index 48cc220..608edad 100644 --- a/site-cookbooks/kosmos_rsk/attributes/default.rb +++ b/site-cookbooks/kosmos_rsk/attributes/default.rb 
@@ -1,2 +1,2 @@ -node.default['rskj']['version'] = '2.2.0~focal' +node.default['rskj']['version'] = '3.0.1~focal' node.default['rskj']['network'] = 'testnet' From 83202747cf706220fe23b35a94132b39a436368d Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 22 Oct 2021 14:02:41 +0200 Subject: [PATCH 04/21] Move RSKj firewall config to own recipe --- site-cookbooks/kosmos_rsk/recipes/firewall.rb | 7 +++++++ site-cookbooks/kosmos_rsk/recipes/rskj.rb | 8 +------- 2 files changed, 8 insertions(+), 7 deletions(-) create mode 100644 site-cookbooks/kosmos_rsk/recipes/firewall.rb diff --git a/site-cookbooks/kosmos_rsk/recipes/firewall.rb b/site-cookbooks/kosmos_rsk/recipes/firewall.rb new file mode 100644 index 0000000..b1c9bcf --- /dev/null +++ b/site-cookbooks/kosmos_rsk/recipes/firewall.rb @@ -0,0 +1,7 @@ +include_recipe 'firewall' + +firewall_rule 'rskj' do + port [4444,50505] + protocol :tcp + command :allow +end diff --git a/site-cookbooks/kosmos_rsk/recipes/rskj.rb b/site-cookbooks/kosmos_rsk/recipes/rskj.rb index 0ec4a5d..ea9a7ab 100644 --- a/site-cookbooks/kosmos_rsk/recipes/rskj.rb +++ b/site-cookbooks/kosmos_rsk/recipes/rskj.rb @@ -30,10 +30,4 @@ service "rsk" do action [:enable, :start] end -include_recipe 'firewall' - -firewall_rule 'rskj' do - port [4444,50505] - protocol :tcp - command :allow -end +include_recipe 'kosmos_rsk::firewall' From e6ad9865bc6c769467b2a61c7a302ad11f210c50 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 22 Oct 2021 14:02:56 +0200 Subject: [PATCH 05/21] Add roles for RSK testnet/mainnet --- roles/rsk_mainnet.rb | 11 +++++++++++ roles/rsk_testnet.rb | 5 +++++ 2 files changed, 16 insertions(+) create mode 100644 roles/rsk_mainnet.rb create mode 100644 roles/rsk_testnet.rb diff --git a/roles/rsk_mainnet.rb b/roles/rsk_mainnet.rb new file mode 100644 index 0000000..cfa58c1 --- /dev/null +++ b/roles/rsk_mainnet.rb 
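Review bot: The new `firewall_rule 'rskj'` in kosmos_rsk/recipes/firewall.rb allows ports 4444 and 50505 from any source, and 4444 is the port RSKj uses for its JSON-RPC interface by default, so the RPC endpoint (not only the 50505 peer port) becomes reachable from everywhere unless something outside this recipe restricts it. If RPC is only needed from inside the network, split the rule and give the RPC port a `source`, the way the postgresql firewall recipe in this repository does for the Zerotier range, e.g. `firewall_rule 'rskj rpc' do port 4444; protocol :tcp; command :allow; source "10.1.1.0/24"; end` with the 50505 rule left open for peers. If RSKj is in fact bound to localhost for RPC the rule is harmless but misleading, so a comment naming which service each port belongs to would help either way.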
@@ -0,0 +1,11 @@ +name "rsk_mainnet" + +run_list %w( + kosmos_rsk::rskj +) + +override_attributes( + :rskj => { + :network => "mainnet" + } +) diff --git a/roles/rsk_testnet.rb b/roles/rsk_testnet.rb new file mode 100644 index 0000000..281b45d --- /dev/null +++ b/roles/rsk_testnet.rb @@ -0,0 +1,5 @@ +name "rsk_testnet" + +run_list %w( + kosmos_rsk::rskj +) From b911ec92c9a9301ec3a63d3df6cf215aea9f4064 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Tue, 16 Nov 2021 13:23:25 -0600 Subject: [PATCH 06/21] Update node info --- nodes/nodejs-2.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/nodejs-2.json b/nodes/nodejs-2.json index 241fb7e..67f0e7d 100644 --- a/nodes/nodejs-2.json +++ b/nodes/nodejs-2.json @@ -8,7 +8,7 @@ "automatic": { "fqdn": "nodejs-2", "os": "linux", - "os_version": "5.4.0-1045-kvm", + "os_version": "5.4.0-1049-kvm", "hostname": "nodejs-2", "ipaddress": "192.168.122.243", "roles": [ From f93909da70151ed82685784cb20f5497a6ed751b Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Mon, 22 Nov 2021 23:46:36 -0600 Subject: [PATCH 07/21] Update akkounts-1 node info --- nodes/akkounts-1.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/akkounts-1.json b/nodes/akkounts-1.json index 411d304..93a1617 100644 --- a/nodes/akkounts-1.json +++ b/nodes/akkounts-1.json @@ -8,7 +8,7 @@ "automatic": { "fqdn": "akkounts-1", "os": "linux", - "os_version": "5.4.0-54-generic", + "os_version": "5.4.0-90-generic", "hostname": "akkounts-1", "ipaddress": "192.168.122.160", "roles": [ From 24f94bdb026f2a154976c04dbc6085499ebb1c46 Mon Sep 17 00:00:00 2001 
From: Sebastian Kippe Date: Thu, 25 Nov 2021 16:44:48 -0600 Subject: [PATCH 08/21] Upgrade Gitea to 1.15.6 Configures the JWT signing algorithm to be the old, less secure algorithm, until we update the token for Drone CI (and any other OAuth apps). closes #338 --- site-cookbooks/kosmos_gitea/attributes/default.rb | 4 ++-- site-cookbooks/kosmos_gitea/recipes/default.rb | 2 +- site-cookbooks/kosmos_gitea/templates/default/app.ini.erb | 1 + 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/site-cookbooks/kosmos_gitea/attributes/default.rb b/site-cookbooks/kosmos_gitea/attributes/default.rb index 5ede51d..a2d7925 100644 --- a/site-cookbooks/kosmos_gitea/attributes/default.rb +++ b/site-cookbooks/kosmos_gitea/attributes/default.rb @@ -1,6 +1,6 @@ -gitea_version = "1.14.6" +gitea_version = "1.15.6" node.default["kosmos_gitea"]["version"] = gitea_version node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64" -node.default["kosmos_gitea"]["binary_checksum"] = "20cc0a89421695320b077c9fe4f16996f03aaf9d24f661f8d2255794551c849b" +node.default["kosmos_gitea"]["binary_checksum"] = "1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be" node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org" node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea" diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb index 22d148e..9a2bddf 100644 --- a/site-cookbooks/kosmos_gitea/recipes/default.rb +++ b/site-cookbooks/kosmos_gitea/recipes/default.rb @@ -76,7 +76,7 @@ template "#{config_directory}/app.ini" do source "app.ini.erb" owner "git" group "git" - mode "0640" + mode "0600" sensitive true variables working_directory: working_directory, git_home_directory: git_home_directory, 
diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb index 04eab6e..e013a0d 100644 --- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb +++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb @@ -46,6 +46,7 @@ PASSWD = <%= @smtp_password %> [oauth2] JWT_SECRET = <%= @jwt_secret %> +JWT_SIGNING_ALGORITHM = HS256 [security] INTERNAL_TOKEN = <%= @internal_token %> From 9656399e9d701326459bd846a4e4b0875595d44b Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Thu, 25 Nov 2021 17:27:48 -0600 Subject: [PATCH 09/21] Remove superfluous license header --- .../kosmos_drone/recipes/default.rb | 21 ------------------- 1 file changed, 21 deletions(-) diff --git a/site-cookbooks/kosmos_drone/recipes/default.rb b/site-cookbooks/kosmos_drone/recipes/default.rb index f8629fc..a0a2017 100644 --- a/site-cookbooks/kosmos_drone/recipes/default.rb +++ b/site-cookbooks/kosmos_drone/recipes/default.rb 
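Review bot: The added `JWT_SIGNING_ALGORITHM = HS256` line in app.ini.erb carries no hint that it is a deliberate, temporary downgrade; the commit message explains it stays only until the Drone CI token (and other OAuth apps) are updated, but a reader of the template will not see that and the setting can quietly outlive its purpose. A comment directly above the line would record the intent, e.g. `; TODO: temporary - keep HS256 only until the Drone CI / OAuth tokens are rotated for the newer default algorithm (see #338)`. Gitea's ini parser accepts `;` and `#` comment lines, so the note can live in the template rather than in the recipe.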
@@ -2,27 +2,6 @@ # Cookbook:: kosmos_drone # Recipe:: default # -# The MIT License (MIT) -# -# Copyright:: 2020, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. package "docker-compose" domain = "drone.kosmos.org" From 5717d11f7eabfff1342d26fe68b741cf4362818b Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Thu, 25 Nov 2021 17:28:02 -0600 Subject: [PATCH 10/21] Upgrade Drone CI to latest version closes #356 --- site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb index 7854ce8..049a061 100644 --- a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb +++ b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb 
@@ -2,7 +2,7 @@ version: '3' services: drone-server: - image: drone/drone:1 + image: drone/drone:2.5 ports: - "<%= @upstream_port %>:80" @@ -19,7 +19,7 @@ services: - DRONE_RPC_SECRET=<%= @rpc_secret %> drone-runner: - image: drone/drone-runner-docker:1 + image: drone/drone-runner-docker:1.8 command: agent restart: always From 1e6c40b1366916312ae96556451084091890d95d Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Thu, 25 Nov 2021 19:37:48 -0600 Subject: [PATCH 11/21] Update README --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 7ff3f92..31772d0 100644 --- a/README.md +++ b/README.md @@ -44,3 +44,14 @@ Install cookbooks listed in Berksfile: Vendor installed cookbooks to the `cookbooks/` dir: berks vendor cookbooks/ --delete + +### "Expired" TLS certificates + +If you encounter expired TLS certificates during a Chef run (e.g. for remote +files), the issue is likely that the certificate has been issued by Let's +Encrypt and Chef is still using its own, outdated CA cert store (see +[here](https://github.com/chef/chef/issues/12126#issuecomment-932067530) for +example). + +As a hotfix, you can manually remove the "DST Root CA X3" cert from +`/opt/chef/embedded/ssl/cert.pem` on the machine you're trying to converge. From d14d109a009c01434e93007ae6bc9aabb093019a Mon Sep 17 00:00:00 2001 
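Review bot: The new image references `drone/drone:2.5` and `drone/drone-runner-docker:1.8` in docker-compose.yml.erb are mutable minor-version tags, so a later converge or `docker-compose pull` can silently pick up a different build than the one this upgrade was tested with, and server and runner can drift apart. The rest of this repository pins what it downloads (the Gitea binary gets a `binary_checksum`), so the compose template should pin at least the full patch version, or better an image digest, e.g. `image: drone/drone:2.5.<patch>@sha256:<digest from the registry>`. The `DRONE_RPC_SECRET` context line shows the runner authenticates to the server, so both pins should be bumped together.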
From: Sebastian Kippe Date: Fri, 26 Nov 2021 14:10:39 -0600 Subject: [PATCH 12/21] Configure/deploy kosmos.org Includes a new directive for Lightning Address resolution. --- nodes/centaurus.kosmos.org.json | 3 ++ .../kosmos_website/attributes/default.rb | 3 ++ site-cookbooks/kosmos_website/metadata.rb | 10 +++++ .../kosmos_website/recipes/default.rb | 38 +++++++++++++++++++ .../templates/nginx_conf_website.erb | 26 +++++++++++++ 5 files changed, 80 insertions(+) create mode 100644 site-cookbooks/kosmos_website/attributes/default.rb create mode 100644 site-cookbooks/kosmos_website/metadata.rb create mode 100644 site-cookbooks/kosmos_website/recipes/default.rb create mode 100644 site-cookbooks/kosmos_website/templates/nginx_conf_website.erb diff --git a/nodes/centaurus.kosmos.org.json b/nodes/centaurus.kosmos.org.json index 70f42cc..325d48f 100644 --- a/nodes/centaurus.kosmos.org.json +++ b/nodes/centaurus.kosmos.org.json @@ -33,6 +33,8 @@ "kosmos_assets::nginx_site", "kosmos_kvm::host", "kosmos-ejabberd::firewall", + "kosmos_website", + "kosmos_website::default", "kosmos_zerotier::firewall", "sockethub::_firewall", "apt::default", @@ -86,6 +88,7 @@ "recipe[kosmos_assets::nginx_site]", "recipe[kosmos_kvm::host]", "recipe[kosmos-ejabberd::firewall]", + "recipe[kosmos_website::default]", "recipe[kosmos_zerotier::firewall]", "recipe[sockethub::_firewall]" ] diff --git a/site-cookbooks/kosmos_website/attributes/default.rb b/site-cookbooks/kosmos_website/attributes/default.rb new file mode 100644 index 0000000..4f0e4a0 --- /dev/null +++ b/site-cookbooks/kosmos_website/attributes/default.rb @@ -0,0 +1,3 @@ +node.default["kosmos_website"]["domain"] = "kosmos.org" +node.default["kosmos_website"]["repo"] = "https://gitea.kosmos.org/kosmos/website.git" +node.default["kosmos_website"]["revision"] = "master" diff --git a/site-cookbooks/kosmos_website/metadata.rb b/site-cookbooks/kosmos_website/metadata.rb new file mode 100644 index 0000000..a828211 --- /dev/null 
+++ b/site-cookbooks/kosmos_website/metadata.rb @@ -0,0 +1,10 @@ +name 'kosmos_website' +maintainer 'Kosmos' +maintainer_email 'ops@kosmos.org' +license 'MIT' +description 'Configures the main kosmos.org website' +long_description 'Configures the main kosmos.org website' +version '1.0.0' +chef_version '>= 15.10' if respond_to?(:chef_version) + +depends "kosmos-nginx" diff --git a/site-cookbooks/kosmos_website/recipes/default.rb b/site-cookbooks/kosmos_website/recipes/default.rb new file mode 100644 index 0000000..903809a --- /dev/null +++ b/site-cookbooks/kosmos_website/recipes/default.rb @@ -0,0 +1,38 @@ +# +# Cookbook:: kosmos_website +# Recipe:: default +# + +include_recipe "kosmos-nginx" + +domain = node["kosmos_website"]["domain"] + +nginx_certbot_site domain + +directory "/var/www/#{domain}/site" do + user node["nginx"]["user"] + group node["nginx"]["group"] + mode "0755" +end + +git "/var/www/#{domain}/site" do + user node["nginx"]["user"] + group node["nginx"]["group"] + repository node["kosmos_website"]["repo"] + revision node["kosmos_website"]["revision"] + action :sync +end + +template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do + source "nginx_conf_website.erb" + owner node["nginx"]["user"] + mode 0640 + variables domain: domain, + ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" + notifies :reload, "service[nginx]", :delayed +end + +nginx_site domain do + action :enable +end diff --git a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb new file mode 100644 index 0000000..9e06160 --- /dev/null +++ b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb 
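Review bot: In kosmos_website/recipes/default.rb the site checkout is owned by the nginx user: both the `directory` and the `git` resource run as `node["nginx"]["user"]`, which presumably is also the account the nginx workers run as, so the served tree (and the lnurlp redirect target it sits next to) is writable by a compromised worker. Checking out as root or a dedicated deploy user and leaving the nginx user with read-only access keeps the content immutable from nginx's side; `mode "0755"` already gives it read access. Separately, the template resource uses `mode 0640` as an integer literal while the neighbouring resource and the other cookbooks here pass a string (`mode "0755"` a few lines above, `mode "0600"` in kosmos_gitea); `mode "0640"` keeps the style consistent and avoids octal-literal ambiguity.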
@@ -0,0 +1,26 @@ +<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> +# Generated by Chef + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name <%= @domain %>; + + root /var/www/<%= @domain %>/site; + + access_log off; + gzip_static on; + gzip_comp_level 5; + + add_header 'Access-Control-Allow-Origin' '*'; + + ssl_certificate <%= @ssl_cert %>; + ssl_certificate_key <%= @ssl_key %>; + + location /.well-known/lnurlp/ { + proxy_ssl_server_name on; + rewrite /.well-known/lnurlp/([^/]+) /lnurlpay/$1@kosmos.org break; + proxy_pass https://accounts.kosmos.org; + } +} +<% end -%> From cbf42b9414ba00548272d41be17d3c08ab4a69a1 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Mon, 29 Nov 2021 11:23:17 -0600 Subject: [PATCH 13/21] Add node config for fornax --- nodes/fornax.kosmos.org.json | 54 ++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 nodes/fornax.kosmos.org.json diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json new file mode 100644 index 0000000..853710e --- /dev/null +++ b/nodes/fornax.kosmos.org.json 
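Review bot: The `location /.well-known/lnurlp/` block in nginx_conf_website.erb proxies to `https://accounts.kosmos.org` with `proxy_ssl_server_name on` but without `proxy_ssl_verify`, and nginx does not verify upstream certificates by default, so the TLS hop to the accounts service is encrypted but unauthenticated. For a Lightning Address endpoint that matters: the proxied response tells wallets where to send payments, so anyone able to interpose on the nginx-to-accounts path could substitute their own callback. Adding `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (the distro CA bundle on the Ubuntu hosts these nodes run) closes that gap, and a short comment on the `rewrite` line explaining that `$1@kosmos.org` is the Lightning Address being resolved would make the block self-explanatory.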
@@ -0,0 +1,54 @@ +{ + "name": "fornax.kosmos.org", + "normal": { + "knife_zero": { + "host": "fornax.kosmos.org" + } + }, + "automatic": { + "fqdn": "fornax.kosmos.org", + "os": "linux", + "os_version": "5.4.0-88-generic", + "hostname": "fornax", + "ipaddress": "148.251.83.201", + "roles": [ + + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_kvm::host", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.5.22", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.5.22/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.5.2", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.5.2/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "recipe[kosmos_kvm::host]" + ] +} \ No newline at end of file From fa8cbac16382525647f30539f8e1ede2fc3b75b5 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Mon, 29 Nov 2021 13:01:06 -0600 Subject: [PATCH 14/21] Fix custom resource not found in newer Chef versions fixes #361 refs #337 --- site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb b/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb index 9d9c0b6..8dc974e 100644 --- a/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb +++ b/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb 
@@ -1,4 +1,5 @@ resource_name :nginx_certbot_site +provides :nginx_certbot_site property :domain, String, name_property: true # pass it if the site name is not the same as the hostname, for example for the From ecdc41a54f84ab5bdd161d12c25c04a3710f302c Mon Sep 17 00:00:00 2001 
From: Sebastian Kippe Date: Mon, 29 Nov 2021 13:09:13 -0600 Subject: [PATCH 15/21] Rename postgres cookbook, deploy new replica fixes #361 closes #330 --- nodes/akkounts-1.json | 2 +- nodes/postgres-2.json | 10 +- roles/postgresql_client.rb | 2 +- roles/postgresql_primary.rb | 4 +- roles/postgresql_replica.rb | 6 +- site-cookbooks/kosmos-postgresql/.gitignore | 22 ---- site-cookbooks/kosmos-postgresql/Berksfile | 4 - site-cookbooks/kosmos-postgresql/CHANGELOG.md | 5 - site-cookbooks/kosmos-postgresql/LICENSE | 20 ---- site-cookbooks/kosmos-postgresql/README.md | 57 ---------- .../kosmos-postgresql/attributes/default.rb | 3 - site-cookbooks/kosmos-postgresql/chefignore | 104 ------------------ .../kosmos-postgresql/libraries/helpers.rb | 45 -------- site-cookbooks/kosmos-postgresql/metadata.rb | 25 ----- .../kosmos-postgresql/recipes/firewall.rb | 15 --- .../kosmos-postgresql/recipes/hostsfile.rb | 16 --- .../kosmos-postgresql/recipes/primary.rb | 33 ------ .../kosmos-postgresql/recipes/replica.rb | 56 ---------- .../kosmos-postgresql/resources/server.rb | 77 ------------- site-cookbooks/kosmos_kvm/recipes/host.rb | 25 +---- 20 files changed, 14 insertions(+), 517 deletions(-) delete mode 100644 site-cookbooks/kosmos-postgresql/.gitignore delete mode 100644 site-cookbooks/kosmos-postgresql/Berksfile delete mode 100644 site-cookbooks/kosmos-postgresql/CHANGELOG.md delete mode 100644 site-cookbooks/kosmos-postgresql/LICENSE delete mode 100644 site-cookbooks/kosmos-postgresql/README.md delete mode 100644 site-cookbooks/kosmos-postgresql/attributes/default.rb delete mode 100644 site-cookbooks/kosmos-postgresql/chefignore delete mode 100644 site-cookbooks/kosmos-postgresql/libraries/helpers.rb delete mode 100644 site-cookbooks/kosmos-postgresql/metadata.rb delete mode 100644 site-cookbooks/kosmos-postgresql/recipes/firewall.rb delete mode 100644 site-cookbooks/kosmos-postgresql/recipes/hostsfile.rb delete mode 100644 site-cookbooks/kosmos-postgresql/recipes/primary.rb 
delete mode 100644 site-cookbooks/kosmos-postgresql/recipes/replica.rb delete mode 100644 site-cookbooks/kosmos-postgresql/resources/server.rb diff --git a/nodes/akkounts-1.json b/nodes/akkounts-1.json index 93a1617..1168a2d 100644 --- a/nodes/akkounts-1.json +++ b/nodes/akkounts-1.json @@ -18,7 +18,7 @@ "recipes": [ "kosmos-base", "kosmos-base::default", - "kosmos-postgresql::hostsfile", + "kosmos_postgresql::hostsfile", "kosmos-akkounts", "kosmos-akkounts::default", "kosmos-akkounts::nginx", diff --git a/nodes/postgres-2.json b/nodes/postgres-2.json index cd48a8c..89bcc85 100644 --- a/nodes/postgres-2.json +++ b/nodes/postgres-2.json @@ -8,17 +8,17 @@ "automatic": { "fqdn": "postgres-2", "os": "linux", - "os_version": "5.4.0-64-generic", + "os_version": "5.4.0-77-generic", "hostname": "postgres-2", "ipaddress": "192.168.122.244", "roles": [ - "postgresql_replica" + "postgresql_primary" ], "recipes": [ "kosmos-base", "kosmos-base::default", - "kosmos-postgresql::replica", - "kosmos-postgresql::firewall", + "kosmos_postgresql::primary", + "kosmos_postgresql::firewall", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -52,4 +52,4 @@ "recipe[kosmos-base]", "role[postgresql_primary]" ] -} +} \ No newline at end of file diff --git a/roles/postgresql_client.rb b/roles/postgresql_client.rb index 96b5418..f2fbb71 100644 --- a/roles/postgresql_client.rb +++ b/roles/postgresql_client.rb @@ -3,5 +3,5 @@ name "postgresql_client" run_list %w( - kosmos-postgresql::hostsfile + kosmos_postgresql::hostsfile ) diff --git a/roles/postgresql_primary.rb b/roles/postgresql_primary.rb index ba5e5be..58ef4b7 100644 --- a/roles/postgresql_primary.rb +++ b/roles/postgresql_primary.rb @@ -1,6 +1,6 @@ name "postgresql_primary" run_list %w( - kosmos-postgresql::primary - kosmos-postgresql::firewall + kosmos_postgresql::primary + kosmos_postgresql::firewall ) diff --git a/roles/postgresql_replica.rb b/roles/postgresql_replica.rb index 6d73f31..099291d 100644 
--- a/roles/postgresql_replica.rb +++ b/roles/postgresql_replica.rb @@ -1,7 +1,7 @@ name "postgresql_replica" run_list %w( - kosmos-postgresql::hostsfile - kosmos-postgresql::replica - kosmos-postgresql::firewall + kosmos_postgresql::hostsfile + kosmos_postgresql::replica + kosmos_postgresql::firewall ) diff --git a/site-cookbooks/kosmos-postgresql/.gitignore b/site-cookbooks/kosmos-postgresql/.gitignore deleted file mode 100644 index 13e41c4..0000000 --- a/site-cookbooks/kosmos-postgresql/.gitignore +++ /dev/null @@ -1,22 +0,0 @@ -.vagrant -*~ -*# -.#* -\#*# -.*.sw[a-z] -*.un~ - -# Bundler -Gemfile.lock -gems.locked -bin/* -.bundle/* - -# test kitchen -.kitchen/ -.kitchen.local.yml - -# Chef -Berksfile.lock -.zero-knife.rb -Policyfile.lock.json diff --git a/site-cookbooks/kosmos-postgresql/Berksfile b/site-cookbooks/kosmos-postgresql/Berksfile deleted file mode 100644 index 0656a99..0000000 --- a/site-cookbooks/kosmos-postgresql/Berksfile +++ /dev/null @@ -1,4 +0,0 @@ -# frozen_string_literal: true -source 'https://supermarket.chef.io' - -metadata diff --git a/site-cookbooks/kosmos-postgresql/CHANGELOG.md b/site-cookbooks/kosmos-postgresql/CHANGELOG.md deleted file mode 100644 index 20e9a6a..0000000 --- a/site-cookbooks/kosmos-postgresql/CHANGELOG.md +++ /dev/null @@ -1,5 +0,0 @@ -# kosmos-postgresql CHANGELOG - -# 0.1.0 - -Initial release. diff --git a/site-cookbooks/kosmos-postgresql/LICENSE b/site-cookbooks/kosmos-postgresql/LICENSE deleted file mode 100644 index c150a1f..0000000 --- a/site-cookbooks/kosmos-postgresql/LICENSE +++ /dev/null 
@@ -1,20 +0,0 @@ -Copyright (c) 2019-2020 Kosmos Developers - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -"Software"), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/site-cookbooks/kosmos-postgresql/README.md b/site-cookbooks/kosmos-postgresql/README.md deleted file mode 100644 index 2541424..0000000 --- a/site-cookbooks/kosmos-postgresql/README.md +++ /dev/null 
@@ -1,57 +0,0 @@ -# kosmos-postgresql - -## Usage - -### On the primary: - -Set the `postgresql_primary` role on the node - -### On the replica: - -Add the `postgresql_replica` role to the node's run list. Run Chef on the node -a first time. -After the initial Chef run on the replica, run Chef on the primary to add the -firewall rules and PostgreSQL access rules, then run Chef again on the replica -to set up replication. - -## Caveat - -[`firewall_rules`](https://github.com/chef-cookbooks/firewall/issues/134) and -[`postgresql_access`](https://github.com/sous-chefs/postgresql/issues/648) are -declared in recipes, not resources because of the way custom resources -work currently in Chef. See the `default.rb` and `replica.rb` recipes. - -The primary gives access to the `replication` db to the `replication` user -connecting from a replica, and replicas to the primary. For more information -about PostgreSQL client authentication, see the -[official docs](https://www.postgresql.org/docs/12/auth-pg-hba-conf.html) - -The primary opens up the PostgreSQL port (5432 TCP) to replicas, and replicas -to the primary. - -## TLS self-signed certificate - -A wildcard (`*.kosmos.org` certificate) was generated with the following -commands: - -``` -openssl req -new -nodes -text -out root.csr -keyout root.key \ - -subj "/CN=root.kosmos.org" -chmod og-rwx root.key -openssl x509 -req -in root.csr -text -days 3650 \ - -extfile /etc/ssl/openssl.cnf -extensions v3_ca \ - -signkey root.key -out root.crt -openssl req -new -nodes -text -out server.csr \ - -keyout server.key -subj "/CN=*.kosmos.org" -chmod og-rwx server.key -openssl x509 -req -in server.csr -text -days 1825 \ - -CA root.crt -CAkey root.key -CAcreateserial \ - -out server.crt -``` - -It is valid until May 12 2025. - -The content of `server.crt`, `server.key` and `root.crt` an stored in the -`postgresql` encrypted data bag. The root key is stored in LastPass -("Self-signed TLS root certificate"). 
`server.crt` & `server.key` are used by -the PostgreSQL server. diff --git a/site-cookbooks/kosmos-postgresql/attributes/default.rb b/site-cookbooks/kosmos-postgresql/attributes/default.rb deleted file mode 100644 index dec530f..0000000 --- a/site-cookbooks/kosmos-postgresql/attributes/default.rb +++ /dev/null @@ -1,3 +0,0 @@ -# This is set to false by default, and set to true in the server resource -# for replicas. -node.default['kosmos-postgresql']['ready_to_set_up_replica'] = false diff --git a/site-cookbooks/kosmos-postgresql/chefignore b/site-cookbooks/kosmos-postgresql/chefignore deleted file mode 100644 index 4439807..0000000 --- a/site-cookbooks/kosmos-postgresql/chefignore +++ /dev/null @@ -1,104 +0,0 @@ -# Put files/directories that should be ignored in this file when uploading -# to a chef-server or supermarket. -# Lines that start with '# ' are comments. - -# OS generated files # -###################### -.DS_Store -Icon? -nohup.out -ehthumbs.db -Thumbs.db - -# SASS # -######## -.sass-cache - -# EDITORS # -########### -\#* -.#* -*~ -*.sw[a-z] -*.bak -REVISION -TAGS* -tmtags -*_flymake.* -*_flymake -*.tmproj -.project -.settings -mkmf.log - -## COMPILED ## -############## -a.out -*.o -*.pyc -*.so -*.com -*.class -*.dll -*.exe -*/rdoc/ - -# Testing # -########### -.watchr -.rspec -spec/* -spec/fixtures/* -test/* -features/* -examples/* -Guardfile -Procfile -.kitchen* -kitchen.yml* -.rubocop.yml -spec/* -Rakefile -.travis.yml -.foodcritic -.codeclimate.yml - -# SCM # -####### -.git -*/.git -.gitignore -.gitmodules -.gitconfig -.gitattributes -.svn -*/.bzr/* -*/.hg/* -*/.svn/* - -# Berkshelf # -############# -Berksfile -Berksfile.lock -cookbooks/* -tmp - -# Bundler # -########### -vendor/* - -# Policyfile # -############## -Policyfile.rb -Policyfile.lock.json - -# Cookbooks # -############# -CONTRIBUTING* -CHANGELOG* -TESTING* - -# Vagrant # -########### -.vagrant -Vagrantfile 
diff --git a/site-cookbooks/kosmos-postgresql/libraries/helpers.rb b/site-cookbooks/kosmos-postgresql/libraries/helpers.rb deleted file mode 100644 index 7d3c397..0000000 --- a/site-cookbooks/kosmos-postgresql/libraries/helpers.rb +++ /dev/null @@ -1,45 +0,0 @@ -class Chef - class Recipe - def postgresql_primary - postgresql_primary = search(:node, "role:postgresql_primary AND chef_environment:#{node.chef_environment}").first - - unless postgresql_primary.nil? - primary_ip = ip_for(postgresql_primary) - - { hostname: postgresql_primary[:hostname], ipaddress: primary_ip } - end - end - - def postgresql_replicas - postgresql_replicas = [] - - search(:node, "role:postgresql_replica AND chef_environment:#{node.chef_environment}").each do |replica| - replica_ip = ip_for(replica) - - postgresql_replicas << { hostname: replica[:hostname], ipaddress: replica_ip } - end - - postgresql_replicas - end - - def ip_for(server_node) - if node.chef_environment == "development" - server_node['network']['interfaces']['eth1']['routes'].first['src'] - else - # If the server has a private Zerotier IP, use it - if server_node['knife_zero'] && server_node['knife_zero']['host'] && \ - server_node['knife_zero']['host'].start_with?("10.1.1.") - server_node['knife_zero']['host'] - else - server_node['ipaddress'] - end - end - end - - def postgresql_service_name - postgresql_version = "12" - - "postgresql@#{postgresql_version}-main" - end - end -end diff --git a/site-cookbooks/kosmos-postgresql/metadata.rb b/site-cookbooks/kosmos-postgresql/metadata.rb deleted file mode 100644 index 1b031b2..0000000 --- a/site-cookbooks/kosmos-postgresql/metadata.rb +++ /dev/null 
@@ -1,25 +0,0 @@ -name 'kosmos-postgresql' -maintainer 'Kosmos' -maintainer_email 'ops@5apps.com' -license 'MIT' -description 'Installs/Configures kosmos-postgresql' -long_description 'Installs/Configures kosmos-postgresql' -version '0.1.0' -chef_version '>= 12.14' if respond_to?(:chef_version) - -# The `issues_url` points to the location where issues for this cookbook are -# tracked. A `View Issues` link will be displayed on this cookbook's page when -# uploaded to a Supermarket. -# -# issues_url 'https://github.com//kosmos-postgresql/issues' - -# The `source_url` points to the development repository for this cookbook. A -# `View Source` link will be displayed on this cookbook's page when uploaded to -# a Supermarket. -# -# source_url 'https://github.com//kosmos-postgresql' - -depends "postgresql", ">= 7.0.0" -depends "build-essential" -depends "kosmos_encfs" -depends "hostsfile" diff --git a/site-cookbooks/kosmos-postgresql/recipes/firewall.rb b/site-cookbooks/kosmos-postgresql/recipes/firewall.rb deleted file mode 100644 index 7b9b380..0000000 --- a/site-cookbooks/kosmos-postgresql/recipes/firewall.rb +++ /dev/null @@ -1,15 +0,0 @@ -# -# Cookbook:: kosmos-postgresql -# Recipe:: firewall -# - -unless node.chef_environment == "development" - include_recipe "kosmos-base::firewall" - - firewall_rule "postgresql zerotier members" do - port 5432 - protocol :tcp - command :allow - source "10.1.1.0/24" - end -end diff --git a/site-cookbooks/kosmos-postgresql/recipes/hostsfile.rb b/site-cookbooks/kosmos-postgresql/recipes/hostsfile.rb deleted file mode 100644 index 265f563..0000000 --- a/site-cookbooks/kosmos-postgresql/recipes/hostsfile.rb +++ /dev/null @@ -1,16 +0,0 @@ -# -# Cookbook:: kosmos-postgresql -# Recipe:: hostsfile -# - -begin -primary_ip = postgresql_primary[:ipaddress] -rescue NoMethodError -end - -unless primary_ip.nil? - hostsfile_entry primary_ip do - hostname "pg.kosmos.local" - unique true - end -end 
diff --git a/site-cookbooks/kosmos-postgresql/recipes/primary.rb b/site-cookbooks/kosmos-postgresql/recipes/primary.rb deleted file mode 100644 index b3a7534..0000000 --- a/site-cookbooks/kosmos-postgresql/recipes/primary.rb +++ /dev/null @@ -1,33 +0,0 @@ -# -# Cookbook:: kosmos-postgresql -# Recipe:: primary -# - -postgresql_version = "12" -postgresql_service = "postgresql@#{postgresql_version}-main" - -service postgresql_service do - supports restart: true, status: true, reload: true -end - -postgresql_custom_server postgresql_version do - role "primary" -end - -postgresql_access "zerotier members" do - access_type "host" - access_db "all" - access_user "all" - access_addr "10.1.1.0/24" - access_method "md5" - notifies :reload, "service[#{postgresql_service}]", :immediately -end - -postgresql_access "zerotier members replication" do - access_type "host" - access_db "replication" - access_user "replication" - access_addr "10.1.1.0/24" - access_method "md5" - notifies :reload, "service[#{postgresql_service}]", :immediately -end diff --git a/site-cookbooks/kosmos-postgresql/recipes/replica.rb b/site-cookbooks/kosmos-postgresql/recipes/replica.rb deleted file mode 100644 index 6525948..0000000 --- a/site-cookbooks/kosmos-postgresql/recipes/replica.rb +++ /dev/null 
@@ -1,56 +0,0 @@ -# -# Cookbook:: kosmos-postgresql -# Recipe:: replica -# - -postgresql_version = "12" -postgresql_service = "postgresql@#{postgresql_version}-main" - -postgresql_custom_server postgresql_version do - role "replica" -end - -service postgresql_service do - supports restart: true, status: true, reload: true -end - -postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') - -primary = postgresql_primary - -unless primary.nil? - # TODO - postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main" - - # FIXME get zerotier IP - execute "set up replication" do - command <<-EOF -systemctl stop #{postgresql_service} -mv #{postgresql_data_dir} #{postgresql_data_dir}.old -pg_basebackup -h pg.kosmos.local -U replication -D #{postgresql_data_dir} -R -chown -R postgres:postgres #{postgresql_data_dir} -systemctl start #{postgresql_service} - EOF - environment 'PGPASSWORD' => postgresql_data_bag_item['replication_password'] - sensitive true - not_if { ::File.exist? "#{postgresql_data_dir}/standby.signal" } - end - - postgresql_access "zerotier members" do - access_type "host" - access_db "all" - access_user "all" - access_addr "10.1.1.0/24" - access_method "md5" - notifies :reload, "service[#{postgresql_service}]", :immediately - end - - postgresql_access "zerotier members replication" do - access_type "host" - access_db "replication" - access_user "replication" - access_addr "10.1.1.0/24" - access_method "md5" - notifies :reload, "service[#{postgresql_service}]", :immediately - end -end diff --git a/site-cookbooks/kosmos-postgresql/resources/server.rb b/site-cookbooks/kosmos-postgresql/resources/server.rb deleted file mode 100644 index f71520e..0000000 --- a/site-cookbooks/kosmos-postgresql/resources/server.rb +++ /dev/null 
@@ -1,77 +0,0 @@ -resource_name :postgresql_custom_server - -property :postgresql_version, String, required: true, name_property: true -property :role, String, required: true # Can be primary or replica - -action :create do - postgresql_version = new_resource.postgresql_version - postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main" - postgresql_service = "postgresql@#{postgresql_version}-main" - postgresql_credentials = data_bag_item('credentials', 'postgresql') - - build_essential do - compile_time true - end - - package("libpq-dev") { action :nothing }.run_action(:install) - - chef_gem 'pg' do - compile_time true - end - - user "postgres" do - manage_home false - end - - postgresql_server_install "main" do - version postgresql_version - setup_repo true - password postgresql_credentials['server_password'] - action :install - end - - service postgresql_service do - supports restart: true, status: true, reload: true - action [:enable, :start] - end - - # This service is a dependency that will auto-start our cluster service on - # boot if it's enabled, so we disable it explicitly - service "postgresql" do - action :disable - end - - shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM - "128MB" - else # >= 1GB RAM, use 25% of total RAM - "#{node['memory']['total'].to_i / 1024 / 4}MB" - end - - additional_config = { - max_connections: 100, # default - shared_buffers: shared_buffers, - unix_socket_directories: "/var/run/postgresql", - dynamic_shared_memory_type: "posix", - timezone: "UTC", # default is GMT - listen_addresses: "0.0.0.0" - } - - additional_config[:promote_trigger_file] = "#{postgresql_data_dir}/failover.trigger" - - postgresql_server_conf "main" do - version postgresql_version - additional_config additional_config - notifies :reload, "service[#{postgresql_service}]", :delayed - end - - postgresql_user "replication" do - action :create - replication true - password postgresql_credentials['replication_password'] - 
end
-end
-
-action_class do
- # to use the data_dir helper
- include PostgresqlCookbook::Helpers
-end
diff --git a/site-cookbooks/kosmos_kvm/recipes/host.rb b/site-cookbooks/kosmos_kvm/recipes/host.rb
index a89f7eb..1d611bd 100644
--- a/site-cookbooks/kosmos_kvm/recipes/host.rb
+++ b/site-cookbooks/kosmos_kvm/recipes/host.rb
@@ -2,34 +2,13 @@
 # Cookbook:: kosmos_kvm
 # Recipe:: host
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 package %w(virtinst libvirt-daemon-system)
 directory "/var/lib/libvirt/images/base" do
 recursive true
 owner "libvirt-qemu"
- group "root"
+ group "kvm"
 mode "0750"
 end
@@ -37,7 +16,7 @@ end
 remote_file "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2" do
 source "http://cloud-images.ubuntu.com/releases/focal/release/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img"
 owner "libvirt-qemu"
- group "root"
+ group "kvm"
 mode "0640"
 end
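Review bot: The `remote_file` resource edited in the second hunk still downloads the base cloud image over plain `http://` and has no `checksum`, so the image every guest is cloned from is accepted unverified; since the resource is being touched anyway, switch `source` to `https://cloud-images.ubuntu.com/...` and add `checksum "<sha256 from Ubuntu's published SHA256SUMS — placeholder>"`, pinning to a dated release directory so the checksum stays valid when the `release/` alias is republished. The group change itself looks fine: owner stays `libvirt-qemu`, modes stay 0750/0640, and it only widens read access to members of `kvm`, which is presumably what libvirt's helper processes need. The `libvirt-daemon-system` package that provides the `kvm` group is declared above the directory resource, so ordering should be correct as long as nothing else reorders the run.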
From 91ffe75bc1ed4df8a0a6507d2acbcd63c0aa9be9 Mon Sep 17 00:00:00 2001 
From: Sebastian Kippe Date: Mon, 29 Nov 2021 13:12:17 -0600 Subject: [PATCH 16/21] Add missing files --- clients/postgres-4.json | 4 + nodes/postgres-4.json | 57 ++++++++++ site-cookbooks/kosmos_postgresql/.gitignore | 22 ++++ site-cookbooks/kosmos_postgresql/Berksfile | 4 + site-cookbooks/kosmos_postgresql/CHANGELOG.md | 5 + site-cookbooks/kosmos_postgresql/LICENSE | 20 ++++ site-cookbooks/kosmos_postgresql/README.md | 57 ++++++++++ .../kosmos_postgresql/attributes/default.rb | 3 + site-cookbooks/kosmos_postgresql/chefignore | 104 ++++++++++++++++++ .../kosmos_postgresql/libraries/helpers.rb | 45 ++++++++ site-cookbooks/kosmos_postgresql/metadata.rb | 25 +++++ .../kosmos_postgresql/recipes/firewall.rb | 15 +++ .../kosmos_postgresql/recipes/hostsfile.rb | 16 +++ .../kosmos_postgresql/recipes/primary.rb | 33 ++++++ .../kosmos_postgresql/recipes/replica.rb | 56 ++++++++++ .../kosmos_postgresql/resources/server.rb | 78 +++++++++++++ 16 files changed, 544 insertions(+) create mode 100644 clients/postgres-4.json create mode 100644 nodes/postgres-4.json create mode 100644 site-cookbooks/kosmos_postgresql/.gitignore create mode 100644 site-cookbooks/kosmos_postgresql/Berksfile create mode 100644 site-cookbooks/kosmos_postgresql/CHANGELOG.md create mode 100644 site-cookbooks/kosmos_postgresql/LICENSE create mode 100644 site-cookbooks/kosmos_postgresql/README.md create mode 100644 site-cookbooks/kosmos_postgresql/attributes/default.rb create mode 100644 site-cookbooks/kosmos_postgresql/chefignore create mode 100644 site-cookbooks/kosmos_postgresql/libraries/helpers.rb create mode 100644 site-cookbooks/kosmos_postgresql/metadata.rb create mode 100644 site-cookbooks/kosmos_postgresql/recipes/firewall.rb create mode 100644 site-cookbooks/kosmos_postgresql/recipes/hostsfile.rb create mode 100644 site-cookbooks/kosmos_postgresql/recipes/primary.rb create mode 100644 site-cookbooks/kosmos_postgresql/recipes/replica.rb create mode 100644 
site-cookbooks/kosmos_postgresql/resources/server.rb diff --git a/clients/postgres-4.json b/clients/postgres-4.json new file mode 100644 index 0000000..eed891f --- /dev/null +++ b/clients/postgres-4.json @@ -0,0 +1,4 @@ +{ + "name": "postgres-4", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu6fPxOZeKloF/EgYvU0k\nOwv8bJjsCQcWaMTPle5//mRTszA6PM2z9RI+Mfr45qxTlsL9pQY8WJOWF6QOK31x\nszuqcr7oOjtAhrLI8f/oNDEDjcx325FqG9gNKQEAD7d4zodh+PhDe6x7GIyIS7lG\nIcD5Zre9iDwv8FGLR+5GLqS8SJOPL/wJkQ8w+N0f8YDFw81kiTta5NLhAx3fMDs0\n2kmoNlbmKlNZTtLjCfCV+/pa9oY6wycjck3GvobiFE/4cWaNkeGlPc+uAwlfmrOv\nHy0tq1XBX/BCvE5kMXmhnMT23JXjm2s2PgCLgEVGAXilXk/T597KDm+z4oBpAQma\nnQIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/nodes/postgres-4.json b/nodes/postgres-4.json new file mode 100644 index 0000000..77e5a0f --- /dev/null +++ b/nodes/postgres-4.json 
@@ -0,0 +1,57 @@ +{ + "name": "postgres-4", + "normal": { + "knife_zero": { + "host": "10.1.1.107" + } + }, + "automatic": { + "fqdn": "postgres-4", + "os": "linux", + "os_version": "5.4.0-91-generic", + "hostname": "postgres-4", + "ipaddress": "192.168.122.3", + "roles": [ + "postgresql_replica" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_postgresql::hostsfile", + "kosmos_postgresql::replica", + "kosmos_postgresql::firewall", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.7.29", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.7.29/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.7.8", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.7.8/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[postgresql_replica]" + ] +} \ No newline at end of file diff --git a/site-cookbooks/kosmos_postgresql/.gitignore b/site-cookbooks/kosmos_postgresql/.gitignore new file mode 100644 index 0000000..13e41c4 --- /dev/null +++ b/site-cookbooks/kosmos_postgresql/.gitignore @@ -0,0 +1,22 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +.kitchen.local.yml + +# Chef +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json diff --git a/site-cookbooks/kosmos_postgresql/Berksfile b/site-cookbooks/kosmos_postgresql/Berksfile new file mode 100644 index 0000000..0656a99 --- /dev/null +++ b/site-cookbooks/kosmos_postgresql/Berksfile 
@@ -0,0 +1,4 @@ +# frozen_string_literal: true +source 'https://supermarket.chef.io' + +metadata diff --git a/site-cookbooks/kosmos_postgresql/CHANGELOG.md b/site-cookbooks/kosmos_postgresql/CHANGELOG.md new file mode 100644 index 0000000..1ffdd2a --- /dev/null +++ b/site-cookbooks/kosmos_postgresql/CHANGELOG.md @@ -0,0 +1,5 @@ +# kosmos_postgresql CHANGELOG + +# 0.1.0 + +Initial release. diff --git a/site-cookbooks/kosmos_postgresql/LICENSE b/site-cookbooks/kosmos_postgresql/LICENSE new file mode 100644 index 0000000..c150a1f --- /dev/null +++ b/site-cookbooks/kosmos_postgresql/LICENSE @@ -0,0 +1,20 @@ +Copyright (c) 2019-2020 Kosmos Developers + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/site-cookbooks/kosmos_postgresql/README.md b/site-cookbooks/kosmos_postgresql/README.md new file mode 100644 index 0000000..9ea16a7 --- /dev/null +++ b/site-cookbooks/kosmos_postgresql/README.md 
@@ -0,0 +1,57 @@ +# kosmos_postgresql + +## Usage + +### On the primary: + +Set the `postgresql_primary` role on the node + +### On the replica: + +Add the `postgresql_replica` role to the node's run list. Run Chef on the node +a first time. +After the initial Chef run on the replica, run Chef on the primary to add the +firewall rules and PostgreSQL access rules, then run Chef again on the replica +to set up replication. + +## Caveat + +[`firewall_rules`](https://github.com/chef-cookbooks/firewall/issues/134) and +[`postgresql_access`](https://github.com/sous-chefs/postgresql/issues/648) are +declared in recipes, not resources because of the way custom resources +work currently in Chef. See the `default.rb` and `replica.rb` recipes. + +The primary gives access to the `replication` db to the `replication` user +connecting from a replica, and replicas to the primary. For more information +about PostgreSQL client authentication, see the +[official docs](https://www.postgresql.org/docs/12/auth-pg-hba-conf.html) + +The primary opens up the PostgreSQL port (5432 TCP) to replicas, and replicas +to the primary. + +## TLS self-signed certificate + +A wildcard (`*.kosmos.org` certificate) was generated with the following +commands: + +``` +openssl req -new -nodes -text -out root.csr -keyout root.key \ + -subj "/CN=root.kosmos.org" +chmod og-rwx root.key +openssl x509 -req -in root.csr -text -days 3650 \ + -extfile /etc/ssl/openssl.cnf -extensions v3_ca \ + -signkey root.key -out root.crt +openssl req -new -nodes -text -out server.csr \ + -keyout server.key -subj "/CN=*.kosmos.org" +chmod og-rwx server.key +openssl x509 -req -in server.csr -text -days 1825 \ + -CA root.crt -CAkey root.key -CAcreateserial \ + -out server.crt +``` + +It is valid until May 12 2025. + +The content of `server.crt`, `server.key` and `root.crt` an stored in the +`postgresql` encrypted data bag. The root key is stored in LastPass +("Self-signed TLS root certificate"). 
`server.crt` & `server.key` are used by +the PostgreSQL server. diff --git a/site-cookbooks/kosmos_postgresql/attributes/default.rb b/site-cookbooks/kosmos_postgresql/attributes/default.rb new file mode 100644 index 0000000..f3daf9b --- /dev/null +++ b/site-cookbooks/kosmos_postgresql/attributes/default.rb @@ -0,0 +1,3 @@ +# This is set to false by default, and set to true in the server resource +# for replicas. +node.default['kosmos_postgresql']['ready_to_set_up_replica'] = false diff --git a/site-cookbooks/kosmos_postgresql/chefignore b/site-cookbooks/kosmos_postgresql/chefignore new file mode 100644 index 0000000..4439807 --- /dev/null +++ b/site-cookbooks/kosmos_postgresql/chefignore @@ -0,0 +1,104 @@ +# Put files/directories that should be ignored in this file when uploading +# to a chef-server or supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +Icon? +nohup.out +ehthumbs.db +Thumbs.db + +# SASS # +######## +.sass-cache + +# EDITORS # +########### +\#* +.#* +*~ +*.sw[a-z] +*.bak +REVISION +TAGS* +tmtags +*_flymake.* +*_flymake +*.tmproj +.project +.settings +mkmf.log + +## COMPILED ## +############## +a.out +*.o +*.pyc +*.so +*.com +*.class +*.dll +*.exe +*/rdoc/ + +# Testing # +########### +.watchr +.rspec +spec/* +spec/fixtures/* +test/* +features/* +examples/* +Guardfile +Procfile +.kitchen* +kitchen.yml* +.rubocop.yml +spec/* +Rakefile +.travis.yml +.foodcritic +.codeclimate.yml + +# SCM # +####### +.git +*/.git +.gitignore +.gitmodules +.gitconfig +.gitattributes +.svn +*/.bzr/* +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Cookbooks # +############# +CONTRIBUTING* +CHANGELOG* +TESTING* + +# Vagrant # +########### +.vagrant +Vagrantfile 
diff --git a/site-cookbooks/kosmos_postgresql/libraries/helpers.rb b/site-cookbooks/kosmos_postgresql/libraries/helpers.rb
new file mode 100644
index 0000000..7d3c397
--- /dev/null
+++ b/site-cookbooks/kosmos_postgresql/libraries/helpers.rb
@@ -0,0 +1,45 @@
+class Chef
+ class Recipe
+ def postgresql_primary
+ postgresql_primary = search(:node, "role:postgresql_primary AND chef_environment:#{node.chef_environment}").first
+
+ unless postgresql_primary.nil?
+ primary_ip = ip_for(postgresql_primary)
+
+ { hostname: postgresql_primary[:hostname], ipaddress: primary_ip }
+ end
+ end
+
+ def postgresql_replicas
+ postgresql_replicas = []
+
+ search(:node, "role:postgresql_replica AND chef_environment:#{node.chef_environment}").each do |replica|
+ replica_ip = ip_for(replica)
+
+ postgresql_replicas << { hostname: replica[:hostname], ipaddress: replica_ip }
+ end
+
+ postgresql_replicas
+ end
+
+ def ip_for(server_node)
+ if node.chef_environment == "development"
+ server_node['network']['interfaces']['eth1']['routes'].first['src']
+ else
+ # If the server has a private Zerotier IP, use it
+ if server_node['knife_zero'] && server_node['knife_zero']['host'] && \
+ server_node['knife_zero']['host'].start_with?("10.1.1.")
+ server_node['knife_zero']['host']
+ else
+ server_node['ipaddress']
+ end
+ end
+ end
+
+ def postgresql_service_name
+ postgresql_version = "12"
+
+ "postgresql@#{postgresql_version}-main"
+ end
+ end
+end
diff --git a/site-cookbooks/kosmos_postgresql/metadata.rb b/site-cookbooks/kosmos_postgresql/metadata.rb
new file mode 100644
index 0000000..ad7ca14
--- /dev/null
+++ b/site-cookbooks/kosmos_postgresql/metadata.rb
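Review bot: `postgresql_service_name` hard-codes `postgresql_version = "12"` but neither recipe in this commit calls it — `recipes/primary.rb` and `recipes/replica.rb` each redeclare `postgresql_version = "12"` and rebuild the same `"postgresql@#{postgresql_version}-main"` string, so a version bump has to be made in three places; a `postgresql_version` helper returning the constant, used by `postgresql_service_name` and both recipes, would keep one source of truth. `ip_for` dereferences `server_node['network']['interfaces']['eth1']['routes'].first['src']` without guarding any of the links, so a development node without an `eth1` route raises `NoMethodError` from deep inside a search helper, which is what `recipes/hostsfile.rb` then has to rescue blindly; a comment such as `# development assumes a Vagrant-style eth1 host-only interface` plus `dig` with a nil check would make the assumption explicit. As a point of style, `postgresql_replicas` builds an array by hand where `search(...).map { |replica| { hostname: replica[:hostname], ipaddress: ip_for(replica) } }` says the same thing. `postgresql_replicas` is also unused by every recipe in this commit, which matters for the firewall and access rules discussed at those hunks.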
@@ -0,0 +1,25 @@
+name 'kosmos_postgresql'
+maintainer 'Kosmos'
+maintainer_email 'ops@5apps.com'
+license 'MIT'
+description 'Installs/Configures kosmos_postgresql'
+long_description 'Installs/Configures kosmos_postgresql'
+version '0.1.0'
+chef_version '>= 12.14' if respond_to?(:chef_version)
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//kosmos_postgresql/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//kosmos_postgresql'
+
+depends "postgresql", ">= 7.0.0"
+depends "build-essential"
+depends "kosmos_encfs"
+depends "hostsfile"
diff --git a/site-cookbooks/kosmos_postgresql/recipes/firewall.rb b/site-cookbooks/kosmos_postgresql/recipes/firewall.rb
new file mode 100644
index 0000000..ebc3404
--- /dev/null
+++ b/site-cookbooks/kosmos_postgresql/recipes/firewall.rb
@@ -0,0 +1,15 @@
+#
+# Cookbook:: kosmos_postgresql
+# Recipe:: firewall
+#
+
+unless node.chef_environment == "development"
+ include_recipe "kosmos-base::firewall"
+
+ firewall_rule "postgresql zerotier members" do
+ port 5432
+ protocol :tcp
+ command :allow
+ source "10.1.1.0/24"
+ end
+end
diff --git a/site-cookbooks/kosmos_postgresql/recipes/hostsfile.rb b/site-cookbooks/kosmos_postgresql/recipes/hostsfile.rb
new file mode 100644
index 0000000..9000b67
--- /dev/null
+++ b/site-cookbooks/kosmos_postgresql/recipes/hostsfile.rb
@@ -0,0 +1,16 @@
+#
+# Cookbook:: kosmos_postgresql
+# Recipe:: hostsfile
+#
+
+begin
+primary_ip = postgresql_primary[:ipaddress]
+rescue NoMethodError
+end
+
+unless primary_ip.nil?
+ hostsfile_entry primary_ip do
+ hostname "pg.kosmos.local"
+ unique true
+ end
+end
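Review bot: `firewall_rule "postgresql zerotier members"` in recipes/firewall.rb opens 5432/tcp to the entire `10.1.1.0/24` ZeroTier network, while the README added in this same commit says the primary opens the port to replicas and replicas to the primary; the `postgresql_primary` and `postgresql_replicas` helpers in `libraries/helpers.rb` already return exactly those peers, so one rule per peer would match the documented least-privilege intent. If the network-wide grant is deliberate (e.g. application nodes on ZeroTier also connect), the README should say so, since today the two disagree. The same /24 is repeated in the `postgresql_access` rules of recipes/primary.rb and recipes/replica.rb, so whichever way this is resolved should be applied there too.
```ruby
unless node.chef_environment == "development"
  include_recipe "kosmos-base::firewall"

  # One rule per PostgreSQL peer instead of the whole ZeroTier /24
  ([postgresql_primary].compact + postgresql_replicas).each do |peer|
    firewall_rule "postgresql from #{peer[:hostname]}" do
      port 5432
      protocol :tcp
      command :allow
      source "#{peer[:ipaddress]}/32"
    end
  end
end
```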
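Review bot: The `begin … rescue NoMethodError end` around `postgresql_primary[:ipaddress]` in recipes/hostsfile.rb swallows every `NoMethodError` raised inside the helper chain, not only the nil-primary case it is meant to cover — a missing `eth1` route in `ip_for` would silently produce no hosts entry, and the replica's later `pg_basebackup -h pg.kosmos.local` would fail with an unrelated-looking resolution error. Since `postgresql_primary` already returns `nil` when no primary is found, the guard can be explicit and the rescue dropped: `primary = postgresql_primary` then `primary_ip = primary[:ipaddress] if primary`, keeping the `unless primary_ip.nil?` block as is. The `begin` body is also not indented, which RuboCop would flag.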
diff --git a/site-cookbooks/kosmos_postgresql/recipes/primary.rb b/site-cookbooks/kosmos_postgresql/recipes/primary.rb
new file mode 100644
index 0000000..de7466f
--- /dev/null
+++ b/site-cookbooks/kosmos_postgresql/recipes/primary.rb
@@ -0,0 +1,33 @@
+#
+# Cookbook:: kosmos_postgresql
+# Recipe:: primary
+#
+
+postgresql_version = "12"
+postgresql_service = "postgresql@#{postgresql_version}-main"
+
+service postgresql_service do
+ supports restart: true, status: true, reload: true
+end
+
+postgresql_custom_server postgresql_version do
+ role "primary"
+end
+
+postgresql_access "zerotier members" do
+ access_type "host"
+ access_db "all"
+ access_user "all"
+ access_addr "10.1.1.0/24"
+ access_method "md5"
+ notifies :reload, "service[#{postgresql_service}]", :immediately
+end
+
+postgresql_access "zerotier members replication" do
+ access_type "host"
+ access_db "replication"
+ access_user "replication"
+ access_addr "10.1.1.0/24"
+ access_method "md5"
+ notifies :reload, "service[#{postgresql_service}]", :immediately
+end
diff --git a/site-cookbooks/kosmos_postgresql/recipes/replica.rb b/site-cookbooks/kosmos_postgresql/recipes/replica.rb
new file mode 100644
index 0000000..b1dd345
--- /dev/null
+++ b/site-cookbooks/kosmos_postgresql/recipes/replica.rb
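Review bot: Both `postgresql_access` resources in recipes/primary.rb use `access_method "md5"` even though the cluster is PostgreSQL 12, where `scram-sha-256` is available and md5 is the legacy, weaker password scheme; changing the two lines to `access_method "scram-sha-256"` also requires `password_encryption: "scram-sha-256"` in the server's `additional_config` and re-setting the server and `replication` passwords afterwards, otherwise the stored md5 hashes stop authenticating. The first rule grants `access_db "all"` / `access_user "all"` to the whole `10.1.1.0/24`, which is broader than the primary-to-replica access the README describes, so either narrow it to the replica addresses the `postgresql_replicas` helper returns or document why every ZeroTier member needs every database. `postgresql_version = "12"` and the hand-built service name duplicate `postgresql_service_name` from `libraries/helpers.rb`; `service postgresql_service_name do` would keep the version in one place. The two access blocks are repeated verbatim in recipes/replica.rb.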
@@ -0,0 +1,56 @@
+#
+# Cookbook:: kosmos_postgresql
+# Recipe:: replica
+#
+
+postgresql_version = "12"
+postgresql_service = "postgresql@#{postgresql_version}-main"
+
+postgresql_custom_server postgresql_version do
+ role "replica"
+end
+
+service postgresql_service do
+ supports restart: true, status: true, reload: true
+end
+
+postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
+
+primary = postgresql_primary
+
+unless primary.nil?
+ # TODO
+ postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main"
+
+ # FIXME get zerotier IP
+ execute "set up replication" do
+ command <<-EOF
+systemctl stop #{postgresql_service}
+mv #{postgresql_data_dir} #{postgresql_data_dir}.old
+pg_basebackup -h pg.kosmos.local -U replication -D #{postgresql_data_dir} -R
+chown -R postgres:postgres #{postgresql_data_dir}
+systemctl start #{postgresql_service}
+ EOF
+ environment 'PGPASSWORD' => postgresql_data_bag_item['replication_password']
+ sensitive true
+ not_if { ::File.exist? "#{postgresql_data_dir}/standby.signal" }
+ end
+
+ postgresql_access "zerotier members" do
+ access_type "host"
+ access_db "all"
+ access_user "all"
+ access_addr "10.1.1.0/24"
+ access_method "md5"
+ notifies :reload, "service[#{postgresql_service}]", :immediately
+ end
+
+ postgresql_access "zerotier members replication" do
+ access_type "host"
+ access_db "replication"
+ access_user "replication"
+ access_addr "10.1.1.0/24"
+ access_method "md5"
+ notifies :reload, "service[#{postgresql_service}]", :immediately
+ end
+end
diff --git a/site-cookbooks/kosmos_postgresql/resources/server.rb b/site-cookbooks/kosmos_postgresql/resources/server.rb
new file mode 100644
index 0000000..5d5fb1c
--- /dev/null
+++ b/site-cookbooks/kosmos_postgresql/resources/server.rb
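Review bot: The heredoc run by `execute "set up replication"` in recipes/replica.rb has no `set -e`, so when `pg_basebackup` fails (bad password, `pg.kosmos.local` not yet in the hosts file, primary not yet allowing the connection per the README's two-pass procedure) the script still runs `systemctl start` against a now-empty data directory and the resource's result is that of the last command; adding `set -e` as the first line of the heredoc makes the failure visible. Because `mv #{postgresql_data_dir} #{postgresql_data_dir}.old` runs again on the next attempt while `.old` already exists, the second run moves the fresh directory inside the old one instead of replacing it, so a dated suffix such as `mv #{postgresql_data_dir} #{postgresql_data_dir}.old.$(date +%s)` keeps retries sane. The replication password is correctly kept out of logs via `environment` plus `sensitive true`; the base backup itself is not forced over TLS, and since the README says the server carries a certificate, adding `'PGSSLMODE' => 'require'` to the same `environment` hash would keep the initial copy off the wire in clear. The `# TODO` and `# FIXME get zerotier IP` markers carry no explanation and should say what is still missing or be removed, given `ip_for` already prefers the ZeroTier address.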
@@ -0,0 +1,78 @@ +resource_name :postgresql_custom_server +provides :postgresql_custom_server + +property :postgresql_version, String, required: true, name_property: true +property :role, String, required: true # Can be primary or replica + +action :create do + postgresql_version = new_resource.postgresql_version + postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main" + postgresql_service = "postgresql@#{postgresql_version}-main" + postgresql_credentials = data_bag_item('credentials', 'postgresql') + + build_essential do + compile_time true + end + + package("libpq-dev") { action :nothing }.run_action(:install) + + chef_gem 'pg' do + compile_time true + end + + user "postgres" do + manage_home false + end + + postgresql_server_install "main" do + version postgresql_version + setup_repo true + password postgresql_credentials['server_password'] + action :install + end + + service postgresql_service do + supports restart: true, status: true, reload: true + action [:enable, :start] + end + + # This service is a dependency that will auto-start our cluster service on + # boot if it's enabled, so we disable it explicitly + service "postgresql" do + action :disable + end + + shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # < 1GB RAM + "128MB" + else # >= 1GB RAM, use 50% of total RAM + "#{node['memory']['total'].to_i / 1024 / 2}MB" + end + + additional_config = { + max_connections: 200, # default + shared_buffers: shared_buffers, + unix_socket_directories: "/var/run/postgresql", + dynamic_shared_memory_type: "posix", + timezone: "UTC", # default is GMT + listen_addresses: "0.0.0.0" + } + + additional_config[:promote_trigger_file] = "#{postgresql_data_dir}/failover.trigger" + + postgresql_server_conf "main" do + version postgresql_version + additional_config additional_config + notifies :reload, "service[#{postgresql_service}]", :delayed + end + + postgresql_user "replication" do + action :create + replication true + password 
postgresql_credentials['replication_password'] + end +end + +action_class do + # to use the data_dir helper + include PostgresqlCookbook::Helpers +end From a184f27c966505cb88d0e2487a320eb5ba2fc3c7 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Tue, 30 Nov 2021 08:47:15 -0600 Subject: [PATCH 17/21] Update kosmos postgres cookbook name in other cookbooks --- site-cookbooks/kosmos-akkounts/metadata.rb | 2 +- site-cookbooks/kosmos-ejabberd/Berksfile | 2 +- site-cookbooks/kosmos-ejabberd/metadata.rb | 2 +- site-cookbooks/kosmos-mastodon/metadata.rb | 2 +- site-cookbooks/kosmos_gitea/metadata.rb | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/site-cookbooks/kosmos-akkounts/metadata.rb b/site-cookbooks/kosmos-akkounts/metadata.rb index 695ce6b..538869f 100644 --- a/site-cookbooks/kosmos-akkounts/metadata.rb +++ b/site-cookbooks/kosmos-akkounts/metadata.rb @@ -14,5 +14,5 @@ depends "poise-ruby-build" depends "application" depends 'application_git' depends "postgresql" -depends "kosmos-postgresql" +depends "kosmos_postgresql" depends "backup" diff --git a/site-cookbooks/kosmos-ejabberd/Berksfile b/site-cookbooks/kosmos-ejabberd/Berksfile index 8c1347f..abfa26f 100644 --- a/site-cookbooks/kosmos-ejabberd/Berksfile +++ b/site-cookbooks/kosmos-ejabberd/Berksfile @@ -2,5 +2,5 @@ source 'https://supermarket.chef.io' source chef_repo: ".." -cookbook "kosmos-postgresql", path: "../kosmos-postgresql" +cookbook "kosmos_postgresql", path: "../kosmos_postgresql" metadata diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb index 6e90702..0131259 100644 --- a/site-cookbooks/kosmos-ejabberd/metadata.rb +++ b/site-cookbooks/kosmos-ejabberd/metadata.rb 
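Review bot: `max_connections: 200, # default` in resources/server.rb is now a wrong comment — PostgreSQL's default is 100, which is what the replaced kosmos-postgresql resource used; either drop the comment or state why 200 was chosen. The `shared_buffers` branch likewise changed from a quarter to half of RAM (`/ 2`) with the comment updated to "use 50% of total RAM" but no rationale, while PostgreSQL's own guidance starts at about 25% on a dedicated host, so the doubling deserves a reason in the comment (e.g. `# 50%: host is dedicated to PostgreSQL and has no page-cache competition — confirm`). `listen_addresses: "0.0.0.0"` binds every interface, including the non-ZeroTier `ipaddress` recorded in nodes/postgres-4.json, leaving pg_hba.conf and the firewall recipe as the only gate; binding to localhost plus the ZeroTier address that `ip_for` already selects would narrow the exposure. The `data_bag_item('credentials', 'postgresql')` call here is repeated in recipes/replica.rb; the README says this bag is encrypted, which is worth a one-line comment since the backup cookbook in this series loads its secrets with `Chef::EncryptedDataBagItem.load` instead. The action body ends on this line but the resource's `action_class` block follows outside the hunk's code of interest.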
@@ -20,9 +20,9 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
 # source_url 'https://github.com//kosmos-ejabberd'
 depends "kosmos-base"
-depends "kosmos-postgresql"
 depends "kosmos-nginx"
 depends "kosmos-dirsrv"
+depends "kosmos_postgresql"
 depends "backup"
 depends "firewall"
 depends "tor-full"
diff --git a/site-cookbooks/kosmos-mastodon/metadata.rb b/site-cookbooks/kosmos-mastodon/metadata.rb
index 5617289..5885e4e 100644
--- a/site-cookbooks/kosmos-mastodon/metadata.rb
+++ b/site-cookbooks/kosmos-mastodon/metadata.rb
@@ -13,7 +13,7 @@ depends "poise-ruby-build"
 depends "application"
 depends "application_git"
 depends "postgresql"
-depends "kosmos-postgresql"
+depends "kosmos_postgresql"
 depends "backup"
 depends "elasticsearch"
 depends "tor-full"
diff --git a/site-cookbooks/kosmos_gitea/metadata.rb b/site-cookbooks/kosmos_gitea/metadata.rb
index 9ceba2a..6b690ce 100644
--- a/site-cookbooks/kosmos_gitea/metadata.rb
+++ b/site-cookbooks/kosmos_gitea/metadata.rb
@@ -20,5 +20,5 @@ chef_version '>= 14.0'
 # source_url 'https://github.com//kosmos_gitea'
 depends "kosmos-nginx"
-depends "kosmos-postgresql"
+depends "kosmos_postgresql"
 depends "backup"
From 172553ddb3a7a900e576ee3d7236e3448982fa26 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Tue, 30 Nov 2021 12:43:21 -0600
Subject: [PATCH 18/21] Add documentation for backups/restores
---
 doc/backups.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 doc/backups.md
diff --git a/doc/backups.md b/doc/backups.md
new file mode 100644
index 0000000..3a6225d
--- /dev/null
+++ b/doc/backups.md
@@ -0,0 +1,15 @@
+Backup
+======
+
+## Backup gem
+
+Backups are stored on AWS S3, in the `kosmos-dev-backups` bucket.
+
+The S3 credentials as well as the backup password are stored in the
+`credentials` data bag under the `backup` item.
+
+### Restore
+
+To decrypt a backup archive, use the following command:
+
+ openssl aes-256-cbc -d -base64 -in my_backup.tar.enc -out my_backup.tar
From e63cda3317beb314d6bc8c552397baa1adeeb990 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Tue, 30 Nov 2021 13:37:51 -0600
Subject: [PATCH 19/21] Use SMTP/Mailgun for backup notifications
---
 site-cookbooks/backup/recipes/default.rb | 8 +++++++-
 site-cookbooks/backup/templates/default/config.rb.erb | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/site-cookbooks/backup/recipes/default.rb b/site-cookbooks/backup/recipes/default.rb
index a0aa1f7..564bcaf 100644
--- a/site-cookbooks/backup/recipes/default.rb
+++ b/site-cookbooks/backup/recipes/default.rb
@@ -32,6 +32,8 @@ gem_package 'backup' do
 version '5.0.0.beta.2'
 end
+smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
+
 backup_data = Chef::EncryptedDataBagItem.load('credentials', 'backup')
 backup_dir = node["backup"]["dir"]
 directory backup_dir
@@ -46,8 +48,12 @@ template "#{backup_dir}/config.rb" do
 s3_secret_access_key: backup_data["s3_secret_access_key"],
 s3_region: backup_data["s3_region"],
 encryption_password: backup_data["encryption_password"],
+ mail_from: "backups@kosmos.org",
 mail_to: "ops@5apps.com",
- mail_from: "backups@kosmos.org"
+ mail_address: 'smtp.mailgun.org',
+ mail_domain: 'kosmos.org',
+ mail_user_name: smtp_credentials["user_name"],
+ mail_password: smtp_credentials["password"]
 end
 template "#{backup_dir}/models/default.rb" do
diff --git a/site-cookbooks/backup/templates/default/config.rb.erb b/site-cookbooks/backup/templates/default/config.rb.erb
index 1123f80..963a338 100644
--- a/site-cookbooks/backup/templates/default/config.rb.erb
+++ b/site-cookbooks/backup/templates/default/config.rb.erb
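Review bot: The rendered `config.rb` now carries the Mailgun SMTP password next to the S3 secret and the archive encryption password, but the `template "#{backup_dir}/config.rb"` resource begins outside the second hunk, so its `mode` and `owner` cannot be checked here; confirm it is written `mode '0600'` and owned by the account that runs the backups. Adding `sensitive true` to that template resource would also keep the credential values out of the converge diff output. The `smtp_credentials` load in the first hunk mirrors the existing `backup_data` encrypted data bag lookup, which is the right pattern for this file.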
@@ -22,7 +22,13 @@ end
 Notifier::Mail.defaults do |mail|
 mail.from = "<%= node.name %> <<%= @mail_from %>>"
 mail.to = "<%= @mail_to %>"
- mail.delivery_method = :sendmail
+ mail.address = "<%= @mail_address %>"
+ mail.domain = "<%= @mail_domain %>"
+ mail.user_name = "<%= @mail_user_name %>"
+ mail.password = "<%= @mail_password %>"
+ mail.port = <%= @mail_port || 587 %>
+ mail.authentication = "<%= @mail_authentication || 'plain' %>"
+ mail.encryption = <%= @mail_encryption || ':starttls' %>
 end
 <%- if node["backup"]["mongodb"] -%>
From c30733e5aa71762a327a61255fd73d1bb3653083 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Tue, 30 Nov 2021 13:38:18 -0600
Subject: [PATCH 20/21] Send backup notifiations when run ends with warning
---
 site-cookbooks/backup/templates/default/config.rb.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site-cookbooks/backup/templates/default/config.rb.erb b/site-cookbooks/backup/templates/default/config.rb.erb
index 963a338..61ed8ad 100644
--- a/site-cookbooks/backup/templates/default/config.rb.erb
+++ b/site-cookbooks/backup/templates/default/config.rb.erb
@@ -81,7 +81,7 @@ preconfigure 'KosmosBackup' do
 encrypt_with OpenSSL
 notify_by Mail do |mail|
 mail.on_success = false
- mail.on_warning = false
+ mail.on_warning = true
 mail.on_failure = true
 end
 end
From f7afc21f9e073db5734c94b787ba89fbc1387cfe Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Tue, 30 Nov 2021 13:38:34 -0600
Subject: [PATCH 21/21] Use pbkdf2 for backup key derivation
Fixes a warning thrown by OpenSSL during backup runs, and makes it more secure.
---
 doc/backups.md | 6 ++++++
 .../backup/templates/default/config.rb.erb | 12 ++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/doc/backups.md b/doc/backups.md
index 3a6225d..4486d50 100644
--- a/doc/backups.md
+++ b/doc/backups.md
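Review bot: The SMTP block sets `mail.encryption` and `mail.authentication` but never `mail.openssl_verify_mode`, so whether the server certificate is verified before the user name and password are sent depends on the Backup gem's default, which is not visible here; if the gem version in use exposes that setting, pinning it (`mail.openssl_verify_mode = <%= @mail_openssl_verify_mode || ':peer' %>`) removes the ambiguity. The fallback `|| ':starttls'` is a string holding a Ruby symbol literal that is emitted unquoted, so a caller passing `@mail_encryption` as a plain string such as `"tls"` would render as a bare constant and break the config; either render it as `<%= (@mail_encryption || :starttls).inspect %>` or document that the variable must be Ruby source text. The enclosing `Notifier::Mail.defaults` block is fully inside the hunk.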
@@ -12,4 +12,10 @@ The S3 credentials as well as the backup password are stored in the
 To decrypt a backup archive, use the following command:
+ openssl aes-256-cbc -d -base64 -pbkdf2 -in my_backup.tar.enc -out my_backup.tar
+
+If you get an error message along the lines of "bad decrypt", the archive was
+likely encrypted before we switched the key derivation scheme. Try without
+`-pbkdf2` in this case:
+
 openssl aes-256-cbc -d -base64 -in my_backup.tar.enc -out my_backup.tar
diff --git a/site-cookbooks/backup/templates/default/config.rb.erb b/site-cookbooks/backup/templates/default/config.rb.erb
index 61ed8ad..c5f9f64 100644
--- a/site-cookbooks/backup/templates/default/config.rb.erb
+++ b/site-cookbooks/backup/templates/default/config.rb.erb
@@ -6,6 +6,18 @@
 # Documentation: http://backup.github.io/backup
 # Issue Tracker: https://github.com/backup/backup/issues
+#
+# Monkey patch to not use deprecated key derivation scheme
+# https://github.com/backup/backup/issues/949#issuecomment-589883577
+#
+module OpenSSLFixDeprecatedKeyDerivation
+ def options
+ super + ' -pbkdf2'
+ end
+end
+require 'backup/encryptor/open_ssl'
+Backup::Encryptor::OpenSSL.prepend(OpenSSLFixDeprecatedKeyDerivation)
+
 Storage::S3.defaults do |s3|
 s3.access_key_id = "<%= @s3_access_key_id %>"
 s3.secret_access_key = "<%= @s3_secret_access_key %>"
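Review bot: `super + ' -pbkdf2'` switches the derivation to PBKDF2 but leaves OpenSSL's default iteration count, which is low for a passphrase-protected archive; `super + ' -pbkdf2 -iter 100000'` (count illustrative) would strengthen it, and whatever count is chosen has to be mirrored by `-iter` in the restore command in doc/backups.md, since restores fail without the same value. A comment above `def options` stating that it returns the `openssl enc` argument string and that any flag appended here changes what every future restore must pass (`# options returns the openssl enc argument string; flags appended here must be mirrored in the documented restore command`) would make the contract explicit for the next reader. Archives encrypted before the switch are already covered by the doc hunk in this patch.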