Finish initial encfs cookbook and postgres adaptations

This commit is contained in:
Basti 2020-06-08 17:01:24 +02:00
parent 379161eb1e
commit b662c04183
No known key found for this signature in database
GPG Key ID: BE4634D632D39B67
8 changed files with 34 additions and 21 deletions


@ -21,3 +21,4 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
depends "postgresql", ">= 7.0.0"
depends "build-essential"
depends "kosmos_encfs"


@ -27,11 +27,6 @@
postgresql_version = "12"
postgresql_service = "postgresql@#{postgresql_version}-main"
# TODO check if still necessary
user "postgres" do
manage_home false
end
postgresql_custom_server postgresql_version do
role "primary"
end


@ -4,19 +4,19 @@ property :postgresql_version, String, required: true, name_property: true
property :role, String, required: true # Can be primary or replica
action :create do
encfs_data_dir = node["kosmos_encfs"]["data_directory"]
postgresql_version = new_resource.postgresql_version
postgresql_data_dir = "/mnt/data/postgresql/#{postgresql_version}/main"
postgresql_data_dir = "#{encfs_data_dir}/postgresql/#{postgresql_version}/main"
postgresql_service = "postgresql@#{postgresql_version}-main"
node.override['build-essential']['compile_time'] = true
include_recipe 'build-essential::default'
# TODO should likely go in the encfs cookbook somewhere
directory "/mnt/data" do
mode "0755"
user "postgres" do
manage_home false
end
directory "/mnt/data/postgresql" do
directory "#{encfs_data_dir}/postgresql" do
owner "postgres"
group "postgres"
mode "0750"
@ -43,6 +43,9 @@ action :create do
action :start
end
# Activates the postgres service when encrypted data dir is mounted
encfs_path_activation_unit postgresql_service
# This service is a dependency that will auto-start our cluster service on
# boot if it's enabled, so we disable it explicitly
service "postgresql" do
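Review bot: The `directory "#{encfs_data_dir}/postgresql"` resource is converged whether or not an encfs volume is actually mounted at `encfs_data_dir`; if Chef runs before `mount_encfs` has been executed, that directory and whatever is initialised beneath it end up on the plaintext filesystem under the mount point rather than inside the encrypted one. Unless something outside this hunk guarantees the mount, guard the resource with `only_if "mountpoint -q #{encfs_data_dir}"`, and apply the same guard to the data-directory and cluster resources that appear to follow it. The `action :create` block continues past both hunks, so the resources between them could not be checked here.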


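--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1 @@
+node.default["kosmos_encfs"]["data_directory"] = "/mnt/data"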


@ -31,7 +31,7 @@ encfs_password = encfs_data_bag_item["password"]
package "encfs"
encrypted_directory = "/usr/local/lib/encrypted_data"
mount_directory = "/mnt/data"
mount_directory = node["kosmos_encfs"]["data_directory"]
template "/usr/local/bin/mount_encfs" do
source "mount_encfs.erb"
@ -53,7 +53,7 @@ end
directory mount_directory do
action :create
mode "0775"
mode "0755"
end
# FIXME the password that is stored using this script does not match the actual password


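--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,21 @@
+resource_name :encfs_path_activation_unit
+property :service_name, String, required: true, name_property: true
+action :create do
+systemd_unit "#{new_resource.service_name}.path" do
+content <<-EOF
+[Unit]
+Description=Start #{new_resource.service_name} when encrypted data directory is mounted
+[Path]
+PathExists=/tmp/data-dir-mounted.txt
+Unit=#{new_resource.service_name}
+[Install]
+WantedBy=multi-user.target
+EOF
+triggers_reload true
+action [:create, :enable, :start]
+end
+end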
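Review bot: `PathExists=/tmp/data-dir-mounted.txt` keys service activation off a marker in world-writable `/tmp`: any local account can create that file, and a stale one surviving from a previous boot (on systems where `/tmp` is not cleared) would fire the path unit and start `service_name` before the encrypted directory is mounted. The same marker is written by the `mount_encfs` template elsewhere in this commit. A marker placed inside the mounted tree itself, so that it exists only while the mount is present, or `RequiresMountsFor=` / `ConditionPathIsMountPoint=` on the activated service ties activation to the real mount instead of a file name. Separately, `Unit=#{new_resource.service_name}` receives `postgresql@12-main` without a `.service` suffix; it is not certain from here that systemd accepts a suffix-less name, and since a `.path` unit defaults to the `.service` of the same name the line can probably be dropped.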


@ -1,4 +1,5 @@
#!/bin/sh
systemd-ask-password --echo "encfs password:" | encfs <%= @encrypted_directory %> <%= @mount_directory %> --public --stdinpass
/bin/chmod go+rx <%= @mount_directory %>
echo "Encrypted data directory mounted as <%= @mount_directory %>" > /tmp/data-dir-mounted.txt
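Review bot: The new `echo ... > /tmp/data-dir-mounted.txt` line runs even when the `encfs` pipeline on the line above fails (wrong password, missing directory), because the script has no `set -e` and never checks the mount's exit status, so the marker — and the path-unit activation it triggers — can be produced for a directory that was never mounted. Add `set -e` directly under the shebang (the pipeline's status is `encfs`'s, as it is the last command), or chain the marker write with `&&` from the mount command. The marker's location in world-writable `/tmp` is raised on the `encfs_path_activation_unit` resource.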


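--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,9 +0,0 @@
-[Unit]
-Description=Start <%= @service_unit %> when encrypted data directory is mounted
-[Path]
-PathExists=/tmp/data-dir-mounted.txt
-Unit=<%= @service_unit %>
-[Install]
-WantedBy=multi-user.target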