Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							7ce8b7d461 
							
						 
					 
					
						
						
							
							Enable PostgreSQL service  
						
						
						
						
					 
					
						2021-01-23 19:14:55 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							a4a35da0ff 
							
						 
					 
					
						
						
							
							Replace the hardcoded primary pg IP with a hostname  
						
						
						
						
					 
					
						2021-01-23 17:34:58 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							dd78b8cf7e 
							
						 
					 
					
						
						
							
							Use the PG primary private Zerotier IP if it exists  
						
						
						
						
					 
					
						2021-01-22 18:41:45 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							88e52607e3 
							
						 
					 
					
						
						
							
							Add a recipe to set up a hosts entry for the PG primary  
						
						
						
						
					 
					
						2021-01-22 18:41:45 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
								
									
								
							
						
						
						
							
						
						
							4872677066 
							
						 
					 
					
						
						
							
							Configure postgres recipes for VMs and zerotier access  
						
						
						
						
						* Remove encfs (using encrypted volumes instead)
* Allow access without TLS from zerotier network 
						
						
					 
					
						2021-01-07 13:53:30 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
								
									
								
							
						
						
						
							
						
						
							9d9907f0ed 
							
						 
					 
					
						
						
							
							Remove extra license copy from recipe, update year  
						
						
						
						
					 
					
						2021-01-07 12:53:44 +01:00 
						 
				 
			
				
					
						
					 
					
						
						
						
						
							
						
						
							7d0490f3da 
							
						 
					 
					
						
						
							
							Merge branch 'master' into bugfix/postgresql_client_firewall  
						
						
						
						
					 
					
						2020-12-22 17:16:49 +00:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							c700f98976 
							
						 
					 
					
						
						
							
							Add a firewall rule to allow clients to connect  
						
						
						
						
						Previously it was not an issue because services that connected to the
PostgreSQL primary were also on the same server as a standby server. 
						
						
					 
					
						2020-12-18 17:53:28 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							f75aeaf9b5 
							
						 
					 
					
						
						
							
							Always set the promote trigger file config  
						
						
						
						
						Only setting it for standby servers isn't useful, as we need to be able
to touch this file to trigger the promotion of a new primary server
after running Chef on it. 
						
						
					 
					
						2020-12-18 17:02:13 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							e6b7794e20 
							
						 
					 
					
						
						
							
							Extract firewall definitions to their own recipe  
						
						
						
						
						This allows us to use them for KVM hosts as well. Until now we had set
up ufw rules manually on the two KVM hosts (draco and centaurus)
Refs #244  
						
						
					 
					
						2020-12-04 16:27:42 +01:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							ee9c241a4d 
							
						 
					 
					
						
						
							
							Add a postgresql_client role  
						
						
						
						
						The role is empty but is used to explicitly define servers that have
access rights to all PostgreSQL databases and users 
						
						
					 
					
						2020-06-12 16:54:58 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							6f696d7634 
							
						 
					 
					
						
						
							
							Define access rules in the PostgreSQL primary recipe  
						
						
						
						
						Access is done for the IP of a server for all users and all databases
for ejabberd and gitea 
						
						
					 
					
						2020-06-11 18:20:04 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							a0db6adaf2 
							
						 
					 
					
						
						
							
							Pass the data_directory to the postgresql_server_conf resource  
						
						
						
						
						Previously we were passing it as an additional config, but it is set by
default. The last value was used, the custom one, so the server still
used the correct file 
						
						
					 
					
						2020-06-10 14:41:07 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							e3e726097f 
							
						 
					 
					
						
						
							
							Do not enable the postgresql@12-main service  
						
						
						
						
						We want it to run only once the encrypted data directory has been
mounted 
						
						
					 
					
						2020-06-10 14:41:07 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							dba6629869 
							
						 
					 
					
						
						
							
							Use the attribute from the encfs recipe for the data directory  
						
						
						
						
					 
					
						2020-06-10 14:41:03 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
						
						
						
							
						
						
							b662c04183 
							
						 
					 
					
						
						
							
							Finish initial encfs cookbook and postgres adaptations  
						
						
						
						
					 
					
						2020-06-08 17:01:24 +02:00 
						 
				 
			
				
					
						
					 
					
						
						
							
							
						
						
						
							
						
						
							379161eb1e 
							
						 
					 
					
						
						
							
							Fix postgres installation  
						
						
						
						
						Also, do not start at boot anymore, in favor of path-based activation. 
						
						
					 
					
						2020-06-07 12:47:06 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							1e60722ec4 
							
						 
					 
					
						
						
							
							Create an initial encfs cookbook  
						
						
						
						
						Usage: Add the kosmos_encfs::default recipe to the run list of a node.
Creating the encrypted directory will keep it mounted. After a reboot,
start the encfs service and enter the password:
```
$ systemctl start encfs
encfs password:
```
For now postgresql@12-main is a hardcoded dependency of the encfs
Systemd unit that is automatically started once the user inputs the
correct password. This list of dependencies will need to be different for
every server, based on the services it is running 
						
						
					 
					
						2020-06-04 19:50:20 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							eded62a3ec 
							
						 
					 
					
						
						
							
							Merge branch 'master' into feature/pg_encfs  
						
						
						
						
					 
					
						2020-06-04 15:13:53 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							20cbc678bc 
							
						 
					 
					
						
						
							
							Add a method that returns the PostgreSQL service  
						
						
						
						
					 
					
						2020-05-18 19:38:37 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							d79cdf087b 
							
						 
					 
					
						
						
							
							Move the PGPASS environment variable to the execute resource  
						
						
						
						
						That way it does not appear in the list of running processes while the
command is running 
						
						
					 
					
						2020-05-15 18:45:12 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							31dc14e88c 
							
						 
					 
					
						
						
							
							Fix the firewall rules for PostgreSQL  
						
						
						
						
						I got the source and destination mixed up. 
						
						
					 
					
						2020-05-15 18:44:42 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							55b1cbc1d7 
							
						 
					 
					
						
						
							
							Encrypt the Postgresql data dir on the replica (centaurus)  
						
						
						
						
						encfs always runs a configuration assistant when creating a new
volume, so this needs to be done manually:
   systemctl stop postgresql@12-main
   mv /var/lib/postgresql /var/lib/postgresql.old
   encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public
Pick p (paranoia mode) and enter the password from the data bag twice
   mv /var/lib/postgresql.old/* /var/lib/postgresql/
   systemctl start postgresql@12-main
This is running on centaurus and is mounted automatically on boot by a
system unit
Refs #129  
						
						
					 
					
						2020-05-15 18:41:31 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							18973fe4f6 
							
						 
					 
					
						
						
							
							Remove the deleted tls property from the resources  
						
						
						
						
					 
					
						2020-05-14 15:09:15 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							069090bf44 
							
						 
					 
					
						
						
							
							Remove TODOs  
						
						
						
						
						Access rules will not be part of this cookbook, they need to be added to
the cookbooks that use a PostgreSQL database 
						
						
					 
					
						2020-05-14 13:15:47 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							dd92d6cdb7 
							
						 
					 
					
						
						
							
							Remove deploying the root cert to clients from the README  
						
						
						
						
						We do not want to verify the root cert so this is not needed 
						
						
					 
					
						2020-05-14 13:14:42 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							124ee5e6f3 
							
						 
					 
					
						
						
							
							Update the README  
						
						
						
						
					 
					
						2020-05-14 12:36:20 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							0063776297 
							
						 
					 
					
						
						
							
							Remove unused dependencies  
						
						
						
						
					 
					
						2020-05-13 19:11:00 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							8d2ab785fc 
							
						 
					 
					
						
						
							
							Use a self-signed TLS certificate for PostgreSQL  
						
						
						
						
					 
					
						2020-05-13 19:10:14 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							84cb3de4a0 
							
						 
					 
					
						
						
							
							Remove outdated comment  
						
						
						
						
						This was the case when the code lived inside of the custom resource 
						
						
					 
					
						2020-05-13 19:04:12 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							eb98aa1bac 
							
						 
					 
					
						
						
							
							Clarify the firewall and client authentication rules  
						
						
						
						
					 
					
						2020-05-12 16:04:58 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							0180da1aa6 
							
						 
					 
					
						
						
							
							Fix a typo in the README  
						
						
						
						
					 
					
						2020-05-12 15:59:55 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							254f9020ae 
							
						 
					 
					
						
						
							
							Enable firewall rules to allow primary/replica to connect  
						
						
						
						
					 
					
						2020-05-12 12:10:10 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							80c7263a72 
							
						 
					 
					
						
						
							
							Upgrade PostgreSQL from 10 to 12  
						
						
						
						
						Refs #160  
						
						
					 
					
						2020-05-11 18:26:57 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							21119fff08 
							
						 
					 
					
						
						
							
							Add a custom resource to set up PostgreSQL 12  
						
						
						
						
						Supports both primary and replica. The access rules and firewall have to
be set up outside of the custom resource, so they are part of the
recipes instead
Refs #160  
						
						
					 
					
						2020-05-11 18:23:11 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							cd00f4c049 
							
						 
					 
					
						
						
							
							Remove boilerplate from the CHANGELOG  
						
						
						
						
					 
					
						2019-04-12 11:42:29 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							57d0885d26 
							
						 
					 
					
						
						
							
							Change the licenses of the kosmos cookbooks to MIT  
						
						
						
						
					 
					
						2019-04-12 11:41:20 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							44eee142a7 
							
						 
					 
					
						
						
							
							Do nothing on old Ubuntu versions  
						
						
						
						
					 
					
						2019-04-08 11:22:54 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							6b9ce81212 
							
						 
					 
					
						
						
							
							Set postgresql password from an encrypted data bag  
						
						
						
						
					 
					
						2019-04-03 11:34:59 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							d8a0ecec76 
							
						 
					 
					
						
						
							
							Update the postgresql cookbook  
						
						
						
						
					 
					
						2019-04-03 11:34:41 +02:00 
						 
				 
			
				
					
						
							
							
								Greg Karékinian 
							
						 
					 
					
						
						
						
						
							
						
						
							85b7278ccc 
							
						 
					 
					
						
						
							
							Add initial kosmos-postgresql cookbook  
						
						
						
						
						This is to install PostgreSQL all in one place instead of for each
service that needs it (Mastodon, ejabberd, ...) 
						
						
					 
					
						2019-04-03 11:34:34 +02:00