From b662c041839731fd0873745c7ccec29b3f1f0131 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Mon, 8 Jun 2020 17:01:24 +0200
Subject: [PATCH] Finish initial encfs cookbook and postgres adaptations

---
 site-cookbooks/kosmos-postgresql/metadata.rb | 1 +
 .../kosmos-postgresql/recipes/default.rb | 5 -----
 .../kosmos-postgresql/resources/server.rb | 13 +++++++-----
 .../kosmos_encfs/attributes/default.rb | 1 +
 .../kosmos_encfs/recipes/default.rb | 4 ++--
 .../resources/encfs_path_activation_unit.rb | 21 +++++++++++++++++++
 .../kosmos_encfs/templates/mount_encfs.erb | 1 +
 .../templates/systemd_unit.path.erb | 9 --------
 8 files changed, 34 insertions(+), 21 deletions(-)
 create mode 100644 site-cookbooks/kosmos_encfs/attributes/default.rb
 create mode 100644 site-cookbooks/kosmos_encfs/resources/encfs_path_activation_unit.rb
 delete mode 100644 site-cookbooks/kosmos_encfs/templates/systemd_unit.path.erb

diff --git a/site-cookbooks/kosmos-postgresql/metadata.rb b/site-cookbooks/kosmos-postgresql/metadata.rb
index c153631..29416f2 100644
--- a/site-cookbooks/kosmos-postgresql/metadata.rb
+++ b/site-cookbooks/kosmos-postgresql/metadata.rb
@@ -21,3 +21,4 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
 
 depends "postgresql", ">= 7.0.0"
 depends "build-essential"
+depends "kosmos_encfs"
diff --git a/site-cookbooks/kosmos-postgresql/recipes/default.rb b/site-cookbooks/kosmos-postgresql/recipes/default.rb
index fd635df..53ec336 100644
--- a/site-cookbooks/kosmos-postgresql/recipes/default.rb
+++ b/site-cookbooks/kosmos-postgresql/recipes/default.rb
@@ -27,11 +27,6 @@ postgresql_version = "12"
 postgresql_service = "postgresql@#{postgresql_version}-main"
 
-# TODO check if still necessary
-user "postgres" do
-  manage_home false
-end
-
 postgresql_custom_server postgresql_version do
   role "primary"
 end
 
diff --git a/site-cookbooks/kosmos-postgresql/resources/server.rb b/site-cookbooks/kosmos-postgresql/resources/server.rb
index 7163a5d..ba61142 100644
--- a/site-cookbooks/kosmos-postgresql/resources/server.rb
+++ b/site-cookbooks/kosmos-postgresql/resources/server.rb
@@ -4,19 +4,19 @@ property :postgresql_version, String, required: true, name_property: true
 property :role, String, required: true # Can be primary or replica
 
 action :create do
+  encfs_data_dir = node["kosmos_encfs"]["data_directory"]
   postgresql_version = new_resource.postgresql_version
-  postgresql_data_dir = "/mnt/data/postgresql/#{postgresql_version}/main"
+  postgresql_data_dir = "#{encfs_data_dir}/postgresql/#{postgresql_version}/main"
   postgresql_service = "postgresql@#{postgresql_version}-main"
 
   node.override['build-essential']['compile_time'] = true
   include_recipe 'build-essential::default'
 
-  # TODO should likely go in the encfs cookbook somewhere
-  directory "/mnt/data" do
-    mode "0755"
+  user "postgres" do
+    manage_home false
   end
 
-  directory "/mnt/data/postgresql" do
+  directory "#{encfs_data_dir}/postgresql" do
     owner "postgres"
     group "postgres"
     mode "0750"
@@ -43,6 +43,9 @@ action :create do
     action :start
   end
 
+  # Activates the postgres service when encrypted data dir is mounted
+  encfs_path_activation_unit postgresql_service
+
   # This service is a dependency that will auto-start our cluster service on
   # boot if it's enabled, so we disable it explicitly
   service "postgresql" do
diff --git a/site-cookbooks/kosmos_encfs/attributes/default.rb b/site-cookbooks/kosmos_encfs/attributes/default.rb
new file mode 100644
index 0000000..98a918b
--- /dev/null
+++ b/site-cookbooks/kosmos_encfs/attributes/default.rb
@@ -0,0 +1 @@
+node.default["kosmos_encfs"]["data_directory"] = "/mnt/data"
diff --git a/site-cookbooks/kosmos_encfs/recipes/default.rb b/site-cookbooks/kosmos_encfs/recipes/default.rb
index ce4832f..91351fb 100644
--- a/site-cookbooks/kosmos_encfs/recipes/default.rb
+++ b/site-cookbooks/kosmos_encfs/recipes/default.rb
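Review bot: `directory "#{encfs_data_dir}/postgresql"` (and `postgresql_data_dir` derived from it) is created under the encfs mount point without any check that the mount is active, so when this action runs before `mount_encfs` has been executed — it needs an interactive password via `systemd-ask-password`, so on a fresh node it will not have run — the directory and whatever the rest of the action writes beneath it land on the unencrypted filesystem under the mount point and are merely hidden, not protected, once encfs is mounted. The action should fail early instead, for example right after `encfs_data_dir` is read: `raise "#{encfs_data_dir} is not a mounted filesystem" unless shell_out("mountpoint -q #{encfs_data_dir}").exitstatus == 0`. The `action :create` block continues past the end of the hunk, so the resources that would write into the data directory are not visible here.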
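Review bot: `encfs_path_activation_unit postgresql_service` hands over the bare name `postgresql@#{postgresql_version}-main`, which the new resource interpolates unchanged into the path unit's `Unit=` line and into the `.path` unit's own name; systemd expects a full unit name including its type suffix in `Unit=`, so this most likely needs `encfs_path_activation_unit "#{postgresql_service}.service"` (or the resource appending `.service` itself) — verify with `systemctl status` on the generated `.path` unit. The resource whose block ends with `action :start` just above starts outside the hunk, so I cannot tell whether it already starts the cluster at converge time; if it does, the new comment should say that the path unit only matters at boot, e.g. `# At boot the cluster is started by the .path unit once the encfs mount marker appears`.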
@@ -31,7 +31,7 @@ encfs_password = encfs_data_bag_item["password"]
 package "encfs"
 
 encrypted_directory = "/usr/local/lib/encrypted_data"
-mount_directory = "/mnt/data"
+mount_directory = node["kosmos_encfs"]["data_directory"]
 
 template "/usr/local/bin/mount_encfs" do
   source "mount_encfs.erb"
@@ -53,7 +53,7 @@ end
 
 directory mount_directory do
   action :create
-  mode "0775"
+  mode "0755"
 end
 
 # FIXME the password that is stored using this script does not match the actual password
diff --git a/site-cookbooks/kosmos_encfs/resources/encfs_path_activation_unit.rb b/site-cookbooks/kosmos_encfs/resources/encfs_path_activation_unit.rb
new file mode 100644
index 0000000..f8e3cfd
--- /dev/null
+++ b/site-cookbooks/kosmos_encfs/resources/encfs_path_activation_unit.rb
@@ -0,0 +1,21 @@
+resource_name :encfs_path_activation_unit
+
+property :service_name, String, required: true, name_property: true
+
+action :create do
+  systemd_unit "#{new_resource.service_name}.path" do
+    content <<-EOF
+[Unit]
+Description=Start #{new_resource.service_name} when encrypted data directory is mounted
+
+[Path]
+PathExists=/tmp/data-dir-mounted.txt
+Unit=#{new_resource.service_name}
+
+[Install]
+WantedBy=multi-user.target
+    EOF
+    triggers_reload true
+    action [:create, :enable, :start]
+  end
+end
diff --git a/site-cookbooks/kosmos_encfs/templates/mount_encfs.erb b/site-cookbooks/kosmos_encfs/templates/mount_encfs.erb
index d669e34..e5a1c02 100644
--- a/site-cookbooks/kosmos_encfs/templates/mount_encfs.erb
+++ b/site-cookbooks/kosmos_encfs/templates/mount_encfs.erb
@@ -1,4 +1,5 @@
 #!/bin/sh
 systemd-ask-password --echo "encfs password:" | encfs <%= @encrypted_directory %> <%= @mount_directory %> --public --stdinpass
+/bin/chmod go+rx <%= @mount_directory %>
 echo "Encrypted data directory mounted as <%= @mount_directory %>" > /tmp/data-dir-mounted.txt
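Review bot: `mount_directory` now comes from `node["kosmos_encfs"]["data_directory"]`, but `encrypted_directory` on the line above stays hard-coded to `/usr/local/lib/encrypted_data`, so one half of the encfs pair is configurable and the other is not; for consistency read it the same way, `encrypted_directory = node["kosmos_encfs"]["encrypted_directory"]`, with a matching default next to `data_directory` in attributes/default.rb. In the second hunk, `mode "0755"` on `directory mount_directory` only governs the empty mount point before encfs is mounted — afterwards the mounted root's own permissions apply, which is presumably why the template separately runs `chmod go+rx` — so a comment on that resource, e.g. `# Mount point only; permissions of the mounted tree are set by mount_encfs`, would stop the next reader from assuming this mode protects the data.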
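Review bot: `PathExists=/tmp/data-dir-mounted.txt` keys service activation to a file in a world-writable directory, so any local user can create that path and have systemd start `Unit=` while the encfs volume is not mounted, and a marker left behind after an unmount, or after a reboot that does not clear /tmp, does the same. The marker should live in a root-owned location such as a file under `/run` (cleared on reboot), and the resource should take it as a property rather than hard-coding it, e.g. `property :marker_path, String, default: "/run/<encfs-marker-file>"` and `PathExists=#{new_resource.marker_path}`, with mount_encfs.erb writing the same path. A one-line comment at the top of the file stating what the resource does — installs and enables a systemd path unit that starts `service_name` once the encfs mount marker exists — would also help, since the file currently has none.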
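Review bot: the script has no error handling, so when `encfs` fails (wrong password, already mounted) the new `/bin/chmod go+rx` still runs on the bare mount point and the `echo … > /tmp/data-dir-mounted.txt` marker is still written, which tells the `.path` unit the data directory is mounted when it is not. Adding `set -e` on the line after `#!/bin/sh` is enough: the pipeline's exit status is that of `encfs`, its last command, so a failed mount stops the script before the chmod and the marker. The `chmod` also widens the mounted root to world-readable and traversable; that is acceptable while the `postgresql` directory below it stays `0750`, but it deserves a comment on the line, e.g. `# mounted root must be traversable for non-root services; per-service dirs carry the real restriction`.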
diff --git a/site-cookbooks/kosmos_encfs/templates/systemd_unit.path.erb b/site-cookbooks/kosmos_encfs/templates/systemd_unit.path.erb
deleted file mode 100644
index c559ac0..0000000
--- a/site-cookbooks/kosmos_encfs/templates/systemd_unit.path.erb
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Start <%= @service_unit %> when encrypted data directory is mounted
-
-[Path]
-PathExists=/tmp/data-dir-mounted.txt
-Unit=<%= @service_unit %>
-
-[Install]
-WantedBy=multi-user.target