Merge pull request 'Encrypt PostgreSQL data directory' (#166) from feature/pg_encfs into master

site-cookbooks/kosmos-postgresql/metadata.rb

@@ -21,3 +21,4 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
 
 depends "postgresql", ">= 7.0.0"
 depends "build-essential"
+depends "kosmos_encfs"

site-cookbooks/kosmos-postgresql/recipes/default.rb

@@ -31,11 +31,6 @@ postgresql_custom_server postgresql_version do
   role "primary"
 end
 
-service postgresql_service do
-  supports restart: true, status: true, reload: true
-  action [:enable]
-end
-
 # This will only be run once, if the /var/lib/postgresql/10/main directory
 # exists. The old data directory is then moved.
 execute "upgrade postgresql to 12" do

site-cookbooks/kosmos-postgresql/resources/server.rb

@@ -4,13 +4,24 @@ property :postgresql_version, String, required: true, name_property: true
 property :role, String, required: true # Can be primary or replica
 
 action :create do
+  encfs_data_dir = node["kosmos_encfs"]["data_directory"]
   postgresql_version = new_resource.postgresql_version
-  postgresql_data_dir = data_dir(postgresql_version)
+  postgresql_data_dir = "#{encfs_data_dir}/postgresql/#{postgresql_version}/main"
   postgresql_service = "postgresql@#{postgresql_version}-main"
 
   node.override['build-essential']['compile_time'] = true
   include_recipe 'build-essential::default'
 
+  user "postgres" do
+    manage_home false
+  end
+
+  directory "#{encfs_data_dir}/postgresql" do
+    owner "postgres"
+    group "postgres"
+    mode "0750"
+  end
+
   package("libpq-dev") { action :nothing }.run_action(:install)
 
   chef_gem 'pg' do
@@ -23,24 +34,22 @@ action :create do
     version postgresql_version
     setup_repo true
     password postgresql_data_bag_item['server_password']
+    data_directory postgresql_data_dir
     action :install
   end
 
   service postgresql_service do
     supports restart: true, status: true, reload: true
-    # action [:enable, :start]
+    action :start
   end
 
-  postgresql_client_install "main" do
-    version postgresql_version
-    setup_repo true
-    action :install
-  end
+  # Activates the postgres service when encrypted data dir is mounted
+  encfs_path_activation_unit postgresql_service
 
-  postgresql_user "replication" do
-    action :create
-    replication true
-    password postgresql_data_bag_item['replication_password']
+  # This service is a dependency that will auto-start our cluster service on
+  # boot if it's enabled, so we disable it explicitly
+  service "postgresql" do
+    action :disable
   end
 
   shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM
@@ -56,6 +65,7 @@ action :create do
     dynamic_shared_memory_type: "posix",
     timezone: "UTC", # default is GMT
     listen_addresses: "0.0.0.0",
+    data_directory: postgresql_data_dir
   }
 
   if new_resource.role == "replica"
@@ -92,7 +102,13 @@ action :create do
   postgresql_server_conf "main" do
     version postgresql_version
     additional_config additional_config
-    notifies :reload, "service[#{postgresql_service}]"
+    notifies :reload, "service[#{postgresql_service}]", :delayed
+  end
+
+  postgresql_user "replication" do
+    action :create
+    replication true
+    password postgresql_data_bag_item['replication_password']
   end
 end
 

site-cookbooks/kosmos_encfs/.gitignore

@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json

site-cookbooks/kosmos_encfs/CHANGELOG.md

@@ -0,0 +1,7 @@
+# kosmos_encfs CHANGELOG
+
+This file is used to list changes made in each version of the kosmos_encfs cookbook.
+
+# 0.1.0
+
+Initial release.

site-cookbooks/kosmos_encfs/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2020 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

site-cookbooks/kosmos_encfs/README.md

@@ -0,0 +1,15 @@
+# kosmos_encfs
+
+Install encfs and set up encryption for a data directory.
+
+## Provisioning a new machine
+
+Add encfs to the run list and run chef before adding other cookbooks that
+depends on the encfs mount.
+
+Log into the system and create the data directory like so:
+
+    encfs /usr/local/lib/encrypted_data /mnt/data --public
+
+When asked for config options, choose nothing (i.e. "standard"). Do NOT choose
+paranoia mode, as it breaks some software, like e.g. PostgreSQL.

site-cookbooks/kosmos_encfs/attributes/default.rb

@@ -0,0 +1 @@
+node.default["kosmos_encfs"]["data_directory"] = "/mnt/data"

site-cookbooks/kosmos_encfs/chefignore

@@ -0,0 +1,110 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+mkmf.log
+REVISION
+TAGS*
+tmtags
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.foodcritic
+.kitchen*
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+azure-pipelines.yml
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+Procfile
+Rakefile
+spec/*
+spec/*
+spec/fixtures/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Cookbooks #
+#############
+CHANGELOG*
+CONTRIBUTING*
+TESTING*
+CODE_OF_CONDUCT*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/kosmos_encfs/files/encfs.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=EncFS for data dir
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/mount_encfs
+ExecStop=/usr/local/bin/unmount_encfs
+[Install]
+WantedBy=multi-user.target

site-cookbooks/kosmos_encfs/metadata.rb

@@ -0,0 +1,20 @@
+name 'kosmos_encfs'
+maintainer 'The Authors'
+maintainer_email 'you@example.com'
+license 'All Rights Reserved'
+description 'Installs/Configures kosmos_encfs'
+long_description 'Installs/Configures kosmos_encfs'
+version '0.1.0'
+chef_version '>= 14.0'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked.  A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com/<insert_org_here>/kosmos_encfs/issues'
+
+# The `source_url` points to the development repository for this cookbook.  A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com/<insert_org_here>/kosmos_encfs'

site-cookbooks/kosmos_encfs/recipes/default.rb

@@ -0,0 +1,79 @@
+#
+# Cookbook:: kosmos_encfs
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+
+encfs_data_bag_item = data_bag_item("credentials", "encfs")
+encfs_password = encfs_data_bag_item["password"]
+
+package "encfs"
+
+encrypted_directory = "/usr/local/lib/encrypted_data"
+mount_directory = node["kosmos_encfs"]["data_directory"]
+
+template "/usr/local/bin/mount_encfs" do
+  source "mount_encfs.erb"
+  mode "0755"
+  variables encrypted_directory: encrypted_directory,
+            mount_directory: mount_directory
+end
+
+template "/usr/local/bin/unmount_encfs" do
+  source "unmount_encfs.erb"
+  mode "0700"
+  variables mount_directory: mount_directory
+end
+
+execute "systemctl daemon-reload" do
+  command "systemctl daemon-reload"
+  action :nothing
+end
+
+directory mount_directory do
+  action :create
+  mode "0755"
+end
+
+# FIXME the password that is stored using this script does not match the actual password
+# execute "create encrypted file system" do
+#   command <<-EOF
+# echo "y\\\n
+# y\\\n
+# FIXME paranoia mode breaks hard links, which postgres relies on
+# p\\\n
+# #{encfs_password}\\\n
+# #{encfs_password}\\\n
+# " | encfs #{encrypted_directory} #{mount_directory} --public --stdinpass
+#   EOF
+#   sensitive true
+#   not_if { ::File.exist?(encrypted_directory) }
+# end
+
+# FIXME there seems to be half a comment missing here
+# The service will automatically 
+cookbook_file "/lib/systemd/system/encfs.service" do
+  source "encfs.service"
+  notifies :run, "execute[systemctl daemon-reload]", :delayed
+end

site-cookbooks/kosmos_encfs/resources/encfs_path_activation_unit.rb

@@ -0,0 +1,21 @@
+resource_name :encfs_path_activation_unit
+
+property :service_name, String, required: true, name_property: true
+
+action :create do
+  systemd_unit "#{new_resource.service_name}.path" do
+    content <<-EOF
+[Unit]
+Description=Start #{new_resource.service_name} when encrypted data directory is mounted
+
+[Path]
+PathExists=/tmp/data-dir-mounted.txt
+Unit=#{new_resource.service_name}
+
+[Install]
+WantedBy=multi-user.target
+    EOF
+    triggers_reload true
+    action [:create, :enable, :start]
+  end
+end

site-cookbooks/kosmos_encfs/templates/mount_encfs.erb

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+systemd-ask-password --echo "encfs password:" | encfs <%= @encrypted_directory %> <%= @mount_directory %> --public --stdinpass
+/bin/chmod go+rx <%= @mount_directory %>
+echo "Encrypted data directory mounted as <%= @mount_directory %>" > /tmp/data-dir-mounted.txt

site-cookbooks/kosmos_encfs/templates/unmount_encfs.erb

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+rm /tmp/data-dir-mounted.txt
+/bin/umount <%= @mount_directory %>