Finish initial encfs cookbook and postgres adaptations
parent
379161eb1e
commit
b662c04183
|
@ -21,3 +21,4 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
|
|||
|
||||
depends "postgresql", ">= 7.0.0"
|
||||
depends "build-essential"
|
||||
depends "kosmos_encfs"
|
||||
|
|
|
@ -27,11 +27,6 @@
|
|||
postgresql_version = "12"
|
||||
postgresql_service = "postgresql@#{postgresql_version}-main"
|
||||
|
||||
# TODO check if still necessary
|
||||
user "postgres" do
|
||||
manage_home false
|
||||
end
|
||||
|
||||
postgresql_custom_server postgresql_version do
|
||||
role "primary"
|
||||
end
|
||||
|
|
|
@ -4,19 +4,19 @@ property :postgresql_version, String, required: true, name_property: true
|
|||
property :role, String, required: true # Can be primary or replica
|
||||
|
||||
action :create do
|
||||
encfs_data_dir = node["kosmos_encfs"]["data_directory"]
|
||||
postgresql_version = new_resource.postgresql_version
|
||||
postgresql_data_dir = "/mnt/data/postgresql/#{postgresql_version}/main"
|
||||
postgresql_data_dir = "#{encfs_data_dir}/postgresql/#{postgresql_version}/main"
|
||||
postgresql_service = "postgresql@#{postgresql_version}-main"
|
||||
|
||||
node.override['build-essential']['compile_time'] = true
|
||||
include_recipe 'build-essential::default'
|
||||
|
||||
# TODO should likely go in the encfs cookbook somewhere
|
||||
directory "/mnt/data" do
|
||||
mode "0755"
|
||||
user "postgres" do
|
||||
manage_home false
|
||||
end
|
||||
|
||||
directory "/mnt/data/postgresql" do
|
||||
directory "#{encfs_data_dir}/postgresql" do
|
||||
owner "postgres"
|
||||
group "postgres"
|
||||
mode "0750"
|
||||
|
@ -43,6 +43,9 @@ action :create do
|
|||
action :start
|
||||
end
|
||||
|
||||
# Activates the postgres service when encrypted data dir is mounted
|
||||
encfs_path_activation_unit postgresql_service
|
||||
|
||||
# This service is a dependency that will auto-start our cluster service on
|
||||
# boot if it's enabled, so we disable it explicitly
|
||||
service "postgresql" do
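Review bot: The `directory "#{encfs_data_dir}/postgresql"` resource in the first hunk of this file is created without checking that the encfs volume is actually mounted at `encfs_data_dir`. If Chef converges while the volume is unmounted (for example after a reboot, before the password has been entered), the directory, and presumably any cluster data later written under `postgresql_data_dir`, would land on the unencrypted underlying filesystem and be hidden once the mount appears. I would add a guard such as `only_if "mountpoint -q #{encfs_data_dir}"` to this resource and to the others that write below the data directory. The `action :create` body continues outside both hunks, so resources not shown here may need the same guard.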
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
node.default["kosmos_encfs"]["data_directory"] = "/mnt/data"
|
|
@ -31,7 +31,7 @@ encfs_password = encfs_data_bag_item["password"]
|
|||
package "encfs"
|
||||
|
||||
encrypted_directory = "/usr/local/lib/encrypted_data"
|
||||
mount_directory = "/mnt/data"
|
||||
mount_directory = node["kosmos_encfs"]["data_directory"]
|
||||
|
||||
template "/usr/local/bin/mount_encfs" do
|
||||
source "mount_encfs.erb"
|
||||
|
@ -53,7 +53,7 @@ end
|
|||
|
||||
directory mount_directory do
|
||||
action :create
|
||||
mode "0775"
|
||||
mode "0755"
|
||||
end
|
||||
|
||||
# FIXME the password that is stored using this script does not match the actual password
|
||||
|
|
|
@ -0,0 +1,21 @@
|
|||
resource_name :encfs_path_activation_unit
|
||||
|
||||
property :service_name, String, required: true, name_property: true
|
||||
|
||||
action :create do
|
||||
systemd_unit "#{new_resource.service_name}.path" do
|
||||
content <<-EOF
|
||||
[Unit]
|
||||
Description=Start #{new_resource.service_name} when encrypted data directory is mounted
|
||||
|
||||
[Path]
|
||||
PathExists=/tmp/data-dir-mounted.txt
|
||||
Unit=#{new_resource.service_name}
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
EOF
|
||||
triggers_reload true
|
||||
action [:create, :enable, :start]
|
||||
end
|
||||
end
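Review bot: `PathExists=/tmp/data-dir-mounted.txt` ties service activation to a marker in world-writable `/tmp`, so the unit named in `Unit=` can be started by any local account that creates that file, or by a marker left over from an earlier mount, while the encrypted directory is not mounted. The service would then run against the plain underlying directory. I would keep the marker in a root-owned location under `/run` (the mount script that writes it has to change with it), or drop the marker and gate the service on the mount itself with `ConditionPathIsMountPoint=` set to the encfs data directory. A short comment above the heredoc would also help, e.g. `# marker written by /usr/local/bin/mount_encfs after a successful mount`.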
|
|
@ -1,4 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
systemd-ask-password --echo "encfs password:" | encfs <%= @encrypted_directory %> <%= @mount_directory %> --public --stdinpass
|
||||
/bin/chmod go+rx <%= @mount_directory %>
|
||||
echo "Encrypted data directory mounted as <%= @mount_directory %>" > /tmp/data-dir-mounted.txt
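Review bot: The final `echo … > /tmp/data-dir-mounted.txt` runs even when the `encfs` call two lines above fails (for example on a wrong password), because the script never checks an exit status. Since that file is what the path unit's `PathExists=` watches, a failed mount would still activate the dependent service on the unencrypted directory. Adding `set -e` directly after the shebang, or chaining the three commands with `&&`, makes the marker appear only after a successful mount. Separately, `systemd-ask-password --echo` displays the passphrase as it is typed; dropping `--echo` keeps it masked unless the visible prompt is intentional.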
|
||||
|
|
|
@ -1,9 +0,0 @@
|
|||
[Unit]
|
||||
Description=Start <%= @service_unit %> when encrypted data directory is mounted
|
||||
|
||||
[Path]
|
||||
PathExists=/tmp/data-dir-mounted.txt
|
||||
Unit=<%= @service_unit %>
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|