Finish initial encfs cookbook and postgres adaptations
parent
379161eb1e
commit
b662c04183
@ -21,3 +21,4 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
|
||||||
|
|
||||||
depends "postgresql", ">= 7.0.0"
|
depends "postgresql", ">= 7.0.0"
|
||||||
depends "build-essential"
|
depends "build-essential"
|
||||||
|
depends "kosmos_encfs"
|
||||||
|
|
|
@ -27,11 +27,6 @@
|
||||||
postgresql_version = "12"
|
postgresql_version = "12"
|
||||||
postgresql_service = "postgresql@#{postgresql_version}-main"
|
postgresql_service = "postgresql@#{postgresql_version}-main"
|
||||||
|
|
||||||
# TODO check if still necessary
|
|
||||||
user "postgres" do
|
|
||||||
manage_home false
|
|
||||||
end
|
|
||||||
|
|
||||||
postgresql_custom_server postgresql_version do
|
postgresql_custom_server postgresql_version do
|
||||||
role "primary"
|
role "primary"
|
||||||
end
|
end
|
||||||
|
|
|
@ -4,19 +4,19 @@ property :postgresql_version, String, required: true, name_property: true
|
||||||
property :role, String, required: true # Can be primary or replica
|
property :role, String, required: true # Can be primary or replica
|
||||||
|
|
||||||
action :create do
|
action :create do
|
||||||
|
encfs_data_dir = node["kosmos_encfs"]["data_directory"]
|
||||||
postgresql_version = new_resource.postgresql_version
|
postgresql_version = new_resource.postgresql_version
|
||||||
postgresql_data_dir = "/mnt/data/postgresql/#{postgresql_version}/main"
|
postgresql_data_dir = "#{encfs_data_dir}/postgresql/#{postgresql_version}/main"
|
||||||
postgresql_service = "postgresql@#{postgresql_version}-main"
|
postgresql_service = "postgresql@#{postgresql_version}-main"
|
||||||
|
|
||||||
node.override['build-essential']['compile_time'] = true
|
node.override['build-essential']['compile_time'] = true
|
||||||
include_recipe 'build-essential::default'
|
include_recipe 'build-essential::default'
|
||||||
|
|
||||||
# TODO should likely go in the encfs cookbook somewhere
|
user "postgres" do
|
||||||
directory "/mnt/data" do
|
manage_home false
|
||||||
mode "0755"
|
|
||||||
end
|
end
|
||||||
|
|
||||||
directory "/mnt/data/postgresql" do
|
directory "#{encfs_data_dir}/postgresql" do
|
||||||
owner "postgres"
|
owner "postgres"
|
||||||
group "postgres"
|
group "postgres"
|
||||||
mode "0750"
|
mode "0750"
|
||||||
|
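Review bot: Nothing in the new `directory "#{encfs_data_dir}/postgresql"` block checks that the encfs volume is actually mounted at `encfs_data_dir` when the resource converges, so a converge on a host where the mount has not happened yet creates the postgres data tree on the unencrypted filesystem underneath the mount point (the `/mnt/data` directory resource this hunk removes presumably had the same gap, and the commit does not address it). A guard placed before the directory resources, e.g. `raise "#{encfs_data_dir} is not a mountpoint" if shell_out("mountpoint", "-q", encfs_data_dir).error?`, fails the run loudly instead of silently writing data outside the encrypted volume. The same attribute is read in the encfs recipe in the `@ -31,7 +31,7` hunk, but there it is the mount target itself, so the guard belongs only here. The `action :create do` block continues past the end of this hunk.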
@ -43,6 +43,9 @@ action :create do
|
||||||
action :start
|
action :start
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Activates the postgres service when encrypted data dir is mounted
|
||||||
|
encfs_path_activation_unit postgresql_service
|
||||||
|
|
||||||
# This service is a dependency that will auto-start our cluster service on
|
# This service is a dependency that will auto-start our cluster service on
|
||||||
# boot if it's enabled, so we disable it explicitly
|
# boot if it's enabled, so we disable it explicitly
|
||||||
service "postgresql" do
|
service "postgresql" do
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
node.default["kosmos_encfs"]["data_directory"] = "/mnt/data"
|
|
@ -31,7 +31,7 @@ encfs_password = encfs_data_bag_item["password"]
|
||||||
package "encfs"
|
package "encfs"
|
||||||
|
|
||||||
encrypted_directory = "/usr/local/lib/encrypted_data"
|
encrypted_directory = "/usr/local/lib/encrypted_data"
|
||||||
mount_directory = "/mnt/data"
|
mount_directory = node["kosmos_encfs"]["data_directory"]
|
||||||
|
|
||||||
template "/usr/local/bin/mount_encfs" do
|
template "/usr/local/bin/mount_encfs" do
|
||||||
source "mount_encfs.erb"
|
source "mount_encfs.erb"
|
||||||
|
@ -53,7 +53,7 @@ end
|
||||||
|
|
||||||
directory mount_directory do
|
directory mount_directory do
|
||||||
action :create
|
action :create
|
||||||
mode "0775"
|
mode "0755"
|
||||||
end
|
end
|
||||||
|
|
||||||
# FIXME the password that is stored using this script does not match the actual password
|
# FIXME the password that is stored using this script does not match the actual password
|
||||||
|
|
|
@ -0,0 +1,21 @@
|
||||||
|
resource_name :encfs_path_activation_unit
|
||||||
|
|
||||||
|
property :service_name, String, required: true, name_property: true
|
||||||
|
|
||||||
|
action :create do
|
||||||
|
systemd_unit "#{new_resource.service_name}.path" do
|
||||||
|
content <<-EOF
|
||||||
|
[Unit]
|
||||||
|
Description=Start #{new_resource.service_name} when encrypted data directory is mounted
|
||||||
|
|
||||||
|
[Path]
|
||||||
|
PathExists=/tmp/data-dir-mounted.txt
|
||||||
|
Unit=#{new_resource.service_name}
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
EOF
|
||||||
|
triggers_reload true
|
||||||
|
action [:create, :enable, :start]
|
||||||
|
end
|
||||||
|
end
|
|
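Review bot: `PathExists=/tmp/data-dir-mounted.txt` keys the activation of `new_resource.service_name` on a file in a world-writable directory, so any local user able to create that path can start the dependent service before the encrypted directory is mounted, and a stale marker surviving a reboot (if `/tmp` is not cleared at boot) would do the same automatically; the `mount_encfs.erb` template in the `@ -1,4 +1,5` hunk writes the same literal path. A root-owned, boot-cleared location, for example (constructed) `/run/encfs/data-dir-mounted`, avoids both, and exposing it as a property, `property :marker_file, String, default: "/run/encfs/data-dir-mounted"`, used in the heredoc as `PathExists=#{new_resource.marker_file}`, lets the resource and the template share one definition instead of duplicating the literal. The resource also has no header comment; a one-liner above `resource_name`, `# Installs a systemd .path unit that starts service_name once the encfs marker file appears`, would document its purpose. Whatever directory the marker lives in must exist before the mount script writes it.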
@ -1,4 +1,5 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
systemd-ask-password --echo "encfs password:" | encfs <%= @encrypted_directory %> <%= @mount_directory %> --public --stdinpass
|
systemd-ask-password --echo "encfs password:" | encfs <%= @encrypted_directory %> <%= @mount_directory %> --public --stdinpass
|
||||||
|
/bin/chmod go+rx <%= @mount_directory %>
|
||||||
echo "Encrypted data directory mounted as <%= @mount_directory %>" > /tmp/data-dir-mounted.txt
|
echo "Encrypted data directory mounted as <%= @mount_directory %>" > /tmp/data-dir-mounted.txt
|
||||||
|
|
|
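Review bot: The script does not check whether the `encfs` mount succeeded before the new `/bin/chmod go+rx` line and the marker write, so a wrong password or a failed mount still chmods the bare mount point and flags the data directory as mounted, after which the path unit starts the dependent service against the unencrypted directory. Adding `set -e` directly after `#!/bin/sh` is sufficient here, because the pipeline's exit status is that of `encfs`, its last command, and `/bin/sh` (dash) has no `pipefail` to rely on. If the chmod is meant to be unconditional it should still run only after the mount is known to have succeeded.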
@ -1,9 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=Start <%= @service_unit %> when encrypted data directory is mounted
|
|
||||||
|
|
||||||
[Path]
|
|
||||||
PathExists=/tmp/data-dir-mounted.txt
|
|
||||||
Unit=<%= @service_unit %>
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|