Merge pull request 'Move PostgreSQL to VMs and access via Zerotier' (#282) from feature/postgres_vms into master

Reviewed-on: #282

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -138,11 +138,6 @@ ldap_base = "cn=users,dc=kosmos,dc=org"
 
 admin_users = ejabberd_credentials['admins']
 
-postgresql_primary_node = postgresql_primary
-postgresql_server = postgresql_primary_node[:ipaddress]
-# PostgreSQL is on the same server, connect through localhost
-postgresql_server = "localhost" if postgresql_primary_node[:hostname] == node[:hostname]
-
 hosts.each do |host|
   ldap_rootdn = "uid=xmpp,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
 
@@ -153,7 +148,7 @@ hosts.each do |host|
     group     'ejabberd'
     sensitive true
     variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
-              sql_server: postgresql_server,
+              sql_server: "pg.kosmos.local",
               host: host,
               ldap_base: ldap_base,
               ldap_server: ldap_domain,

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -21,10 +21,6 @@ end
 elasticsearch_service 'elasticsearch'
 
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
-postgresql_primary_node = postgresql_primary
-postgresql_server = postgresql_primary_node[:ipaddress]
-# PostgreSQL is on the same server, connect through localhost
-postgresql_server = "localhost" if postgresql_primary_node[:hostname] == node[:hostname]
 
 mastodon_path = node["kosmos-mastodon"]["directory"]
 
@@ -138,7 +134,8 @@ application mastodon_path do
               vapid_private_key: mastodon_credentials['vapid_private_key'],
               vapid_public_key: mastodon_credentials['vapid_public_key'],
               db_pass: postgresql_data_bag_item['mastodon_user_password'],
-              db_host: postgresql_server
+              db_host: "pg.kosmos.local"
+    notifies :restart, "application[#{mastodon_path}]", :delayed
   end
 
   execute "bundle install" do

site-cookbooks/kosmos-postgresql/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2019 Kosmos Developers
+Copyright (c) 2019-2020 Kosmos Developers
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

site-cookbooks/kosmos-postgresql/libraries/helpers.rb

@@ -26,7 +26,13 @@ class Chef
       if node.chef_environment == "development"
         server_node['network']['interfaces']['eth1']['routes'].first['src']
       else
-        server_node['ipaddress']
+        # If the server has a private Zerotier IP, use it
+        if server_node['knife_zero'] && server_node['knife_zero']['host'] && \
+            server_node['knife_zero']['host'].start_with?("10.1.1.")
+          server_node['knife_zero']['host']
+        else
+          server_node['ipaddress']
+        end
       end
     end
 

site-cookbooks/kosmos-postgresql/metadata.rb

@@ -22,3 +22,4 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
 depends "postgresql", ">= 7.0.0"
 depends "build-essential"
 depends "kosmos_encfs"
+depends "hostsfile"

site-cookbooks/kosmos-postgresql/recipes/default.rb

@@ -1,90 +0,0 @@
-#
-# Cookbook:: kosmos-postgresql
-# Recipe:: default
-#
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-postgresql_version = "12"
-postgresql_service = "postgresql@#{postgresql_version}-main"
-
-service postgresql_service do
-  supports restart: true, status: true, reload: true
-end
-
-postgresql_custom_server postgresql_version do
-  role "primary"
-end
-
-# This will only be run once, if the /var/lib/postgresql/10/main directory
-# exists. The old data directory is then moved.
-execute "upgrade postgresql to 12" do
-  command <<-EOF
-systemctl stop postgresql@12-main
-systemctl stop postgresql@10-main
-su - postgres -c "/usr/lib/postgresql/12/bin/pg_upgrade --old-bindir=/usr/lib/postgresql/10/bin/ --new-bindir=/usr/lib/postgresql/12/bin/ --old-datadir=/etc/postgresql/10/main/ --new-datadir=/etc/postgresql/12/main/"
-mv /var/lib/postgresql/10/main /var/lib/postgresql/10/main.old
-systemctl start postgresql@12-main
-  EOF
-  only_if { ::File.exist? "/var/lib/postgresql/10/main" }
-end
-
-# Services that connect to PostgreSQL need to have the postgresql_client role
-# as part of their run list. See the gitea and ejabberd roles.
-postgresql_clients = search(:node, "roles:postgresql_client AND chef_environment:#{node.chef_environment}") || []
-
-postgresql_clients.each do |client|
-  ip = ip_for(client)
-  hostname = client[:hostname]
-
-  postgresql_access "#{hostname} all" do
-    access_type "host"
-    access_db "all"
-    access_user "all"
-    access_addr "#{ip}/32"
-    access_method "md5"
-    notifies :reload, "service[#{postgresql_service}]", :immediately
-  end
-
-  firewall_rule "postgresql #{hostname}" do
-    port        5432
-    protocol    :tcp
-    command     :allow
-    source ip
-  end
-end
-
-postgresql_replicas.each do |replica|
-  postgresql_access "#{replica[:hostname]} replication" do
-    access_type "host"
-    access_db "replication"
-    access_user "replication"
-    access_addr "#{replica[:ipaddress]}/32"
-    access_method "md5"
-    notifies :reload, "service[#{postgresql_service}]", :immediately
-  end
-
-end
-
-unless node.chef_environment == "development"
-  include_recipe "kosmos-postgresql::firewall_replicas"
-end

site-cookbooks/kosmos-postgresql/recipes/firewall.rb

@@ -0,0 +1,15 @@
+#
+# Cookbook:: kosmos-postgresql
+# Recipe:: firewall
+#
+
+unless node.chef_environment == "development"
+  include_recipe "kosmos-base::firewall"
+
+  firewall_rule "postgresql zerotier members" do
+    port     5432
+    protocol :tcp
+    command  :allow
+    source   "10.1.1.0/24"
+  end
+end

site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb

@@ -1,36 +0,0 @@
-#
-# Cookbook:: kosmos-postgresql
-# Recipe:: firewall_replicas
-#
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-include_recipe "kosmos-base::firewall"
-
-postgresql_replicas.each do |replica|
-  firewall_rule "postgresql replica #{replica[:hostname]}" do
-    port        5432
-    protocol    :tcp
-    command     :allow
-    source replica[:ipaddress]
-  end
-end

site-cookbooks/kosmos-postgresql/recipes/hostsfile.rb

@@ -0,0 +1,16 @@
+#
+# Cookbook:: kosmos-postgresql
+# Recipe:: hostsfile
+#
+
+begin
+primary_ip = postgresql_primary[:ipaddress]
+rescue NoMethodError
+end
+
+unless primary_ip.nil?
+  hostsfile_entry primary_ip do
+    hostname  "pg.kosmos.local"
+    unique    true
+  end
+end

site-cookbooks/kosmos-postgresql/recipes/primary.rb

@@ -0,0 +1,33 @@
+#
+# Cookbook:: kosmos-postgresql
+# Recipe:: primary
+#
+
+postgresql_version = "12"
+postgresql_service = "postgresql@#{postgresql_version}-main"
+
+service postgresql_service do
+  supports restart: true, status: true, reload: true
+end
+
+postgresql_custom_server postgresql_version do
+  role "primary"
+end
+
+postgresql_access "zerotier members" do
+  access_type "host"
+  access_db "all"
+  access_user "all"
+  access_addr "10.1.1.0/24"
+  access_method "md5"
+  notifies :reload, "service[#{postgresql_service}]", :immediately
+end
+
+postgresql_access "zerotier members replication" do
+  access_type "host"
+  access_db "replication"
+  access_user "replication"
+  access_addr "10.1.1.0/24"
+  access_method "md5"
+  notifies :reload, "service[#{postgresql_service}]", :immediately
+end

site-cookbooks/kosmos-postgresql/recipes/replica.rb

@@ -2,27 +2,6 @@
 # Cookbook:: kosmos-postgresql
 # Recipe:: replica
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 postgresql_version = "12"
 postgresql_service = "postgresql@#{postgresql_version}-main"
@@ -40,43 +19,38 @@ postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 primary = postgresql_primary
 
 unless primary.nil?
-  postgresql_data_dir = "#{node["kosmos_encfs"]["data_directory"]}/postgresql/#{postgresql_version}/main"
+  # TODO
+  postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main"
 
-  if node['kosmos-postgresql']['ready_to_set_up_replica']
-    execute "set up replication" do
-      command <<-EOF
+  # FIXME get zerotier IP
+  execute "set up replication" do
+    command <<-EOF
 systemctl stop #{postgresql_service}
 mv #{postgresql_data_dir} #{postgresql_data_dir}.old
-pg_basebackup -h #{primary[:ipaddress]} -U replication -D #{postgresql_data_dir} -R
+pg_basebackup -h pg.kosmos.local -U replication -D #{postgresql_data_dir} -R
 chown -R postgres:postgres #{postgresql_data_dir}
 systemctl start #{postgresql_service}
-      EOF
-      environment 'PGPASSWORD' => postgresql_data_bag_item['replication_password']
-      sensitive true
-      not_if { ::File.exist? "#{postgresql_data_dir}/standby.signal" }
-    end
+    EOF
+    environment 'PGPASSWORD' => postgresql_data_bag_item['replication_password']
+    sensitive true
+    not_if { ::File.exist? "#{postgresql_data_dir}/standby.signal" }
   end
 
-  postgresql_access "replication" do
+  postgresql_access "zerotier members" do
     access_type "host"
-    access_db "replication"
-    access_user "replication"
-    access_addr "#{primary[:ipaddress]}/32"
+    access_db "all"
+    access_user "all"
+    access_addr "10.1.1.0/24"
     access_method "md5"
     notifies :reload, "service[#{postgresql_service}]", :immediately
   end
 
-  # On the next Chef run the replica will be set up
-  node.normal['kosmos-postgresql']['ready_to_set_up_replica'] = true
-
-  unless node.chef_environment == "development"
-    include_recipe "kosmos-base::firewall"
-
-    firewall_rule "postgresql primary #{primary[:hostname]}" do
-      port        5432
-      protocol    :tcp
-      command     :allow
-      source primary[:ipaddress]
-    end
+  postgresql_access "zerotier members replication" do
+    access_type "host"
+    access_db "replication"
+    access_user "replication"
+    access_addr "10.1.1.0/24"
+    access_method "md5"
+    notifies :reload, "service[#{postgresql_service}]", :immediately
   end
 end

site-cookbooks/kosmos-postgresql/resources/server.rb

@@ -4,22 +4,13 @@ property :postgresql_version, String, required: true, name_property: true
 property :role, String, required: true # Can be primary or replica
 
 action :create do
-  encfs_data_dir = node["kosmos_encfs"]["data_directory"]
   postgresql_version = new_resource.postgresql_version
-  postgresql_data_dir = "#{encfs_data_dir}/postgresql/#{postgresql_version}/main"
+  postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main"
   postgresql_service = "postgresql@#{postgresql_version}-main"
+  postgresql_credentials = data_bag_item('credentials', 'postgresql')
 
-  node.override['build-essential']['compile_time'] = true
-  include_recipe 'build-essential::default'
-
-  user "postgres" do
-    manage_home false
-  end
-
-  directory "#{encfs_data_dir}/postgresql" do
-    owner "postgres"
-    group "postgres"
-    mode "0750"
+  build_essential do
+    compile_time true
   end
 
   package("libpq-dev") { action :nothing }.run_action(:install)
@@ -28,24 +19,22 @@ action :create do
     compile_time true
   end
 
-  postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
+  user "postgres" do
+    manage_home false
+  end
 
   postgresql_server_install "main" do
     version postgresql_version
     setup_repo true
-    password postgresql_data_bag_item['server_password']
-    data_directory postgresql_data_dir
+    password postgresql_credentials['server_password']
     action :install
   end
 
   service postgresql_service do
     supports restart: true, status: true, reload: true
-    action :start
+    action [:enable, :start]
   end
 
-  # Activates the postgres service when encrypted data dir is mounted
-  encfs_path_activation_unit postgresql_service
-
   # This service is a dependency that will auto-start our cluster service on
   # boot if it's enabled, so we disable it explicitly
   service "postgresql" do
@@ -69,36 +58,8 @@ action :create do
 
   additional_config[:promote_trigger_file] = "#{postgresql_data_dir}/failover.trigger"
 
-  ssl_cert = postgresql_data_bag_item['ssl_cert']
-  ssl_cert_path = "#{postgresql_data_dir}/server.crt"
-  ssl_key = postgresql_data_bag_item['ssl_key']
-  ssl_key_path = "#{postgresql_data_dir}/server.key"
-
-  file ssl_cert_path do
-    content ssl_cert
-    owner "postgres"
-    group "postgres"
-    mode "0640"
-    sensitive true
-  end
-
-  file ssl_key_path do
-    content ssl_key
-    owner "postgres"
-    group "postgres"
-    mode "0600"
-    sensitive true
-  end
-
-  additional_config[:ssl]           = "on"
-  additional_config[:ssl_cert_file] = ssl_cert_path
-  additional_config[:ssl_key_file]  = ssl_key_path
-  # ejabberd does not support 1.3 yet
-  additional_config[:ssl_min_protocol_version]  = "TLSv1.2"
-
   postgresql_server_conf "main" do
     version postgresql_version
-    data_directory postgresql_data_dir
     additional_config additional_config
     notifies :reload, "service[#{postgresql_service}]", :delayed
   end
@@ -106,7 +67,7 @@ action :create do
   postgresql_user "replication" do
     action :create
     replication true
-    password postgresql_data_bag_item['replication_password']
+    password postgresql_credentials['replication_password']
   end
 end
 

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -37,10 +37,6 @@ smtp_credentials = data_bag_item("credentials", "smtp")
 jwt_secret = gitea_data_bag_item["jwt_secret"]
 internal_token = gitea_data_bag_item["internal_token"]
 secret_key = gitea_data_bag_item["secret_key"]
-postgresql_primary_node = postgresql_primary
-postgresql_server = postgresql_primary_node[:ipaddress]
-# PostgreSQL is on the same server, connect through localhost
-postgresql_server = "localhost" if postgresql_primary_node[:hostname] == node[:hostname]
 
 # Dependency
 package "git"
@@ -110,7 +106,7 @@ template "#{config_directory}/app.ini" do
             jwt_secret: jwt_secret,
             internal_token: internal_token,
             secret_key: secret_key,
-            postgresql_host: "#{postgresql_server}:5432",
+            postgresql_host: "pg.kosmos.local:5432",
             postgresql_password: gitea_data_bag_item["postgresql_password"],
             smtp_host: smtp_credentials["relayhost"],
             smtp_user: smtp_credentials["user_name"],

site-cookbooks/kosmos_gitea/templates/default/app.ini.erb

@@ -23,7 +23,7 @@ HOST    = <%= @postgresql_host %>
 NAME    = gitea
 USER    = gitea
 PASSWD  = <%= @postgresql_password %>
-SSL_MODE = verify-ca
+SSL_MODE = disable
 
 # [indexer]
 # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve

site-cookbooks/kosmos_zerotier/recipes/default.rb

@@ -2,3 +2,15 @@
 # Cookbook:: kosmos_zerotier
 # Recipe:: default
 #
+
+zerotier_controller = search(:node, "role:zerotier_controller").first
+
+controller_url = "http://#{zerotier_controller["knife_zero"]["host"]}:#{node['kosmos_zerotier']['server_port']}"
+
+credentials = data_bag_item("credentials", "zerotier")
+
+zerotier_network credentials["network_id"] do
+  node_name node['fqdn']
+  auth_token credentials["auth_token"]
+  central_url controller_url
+end