Commit Graph

1164 Commits

Author SHA1 Message Date
Greg Karékinian dba6629869 Use the attribute from the encfs recipe for the data directory 2020-06-10 14:41:03 +02:00
raucao d88d3b07a5 Merge pull request 'Encrypt PostgreSQL data directory' (#166) from feature/pg_encfs into master 2020-06-08 15:02:58 +00:00
basti b662c04183 Finish initial encfs cookbook and postgres adaptations 2020-06-08 17:01:24 +02:00
basti 379161eb1e Fix postgres installation
Also, do not start at boot anymore, in favor of path-based activation.
2020-06-07 12:47:06 +02:00
basti 353f2c13f1 Improve encfs cookbook
Fix some things, and prepare for path-based activation. Also, comment
the buggy initial dir creation and explain manual provisioning in README
for now.
2020-06-07 12:45:33 +02:00
basti 8918452fc5 Use latest postgresql fork 2020-06-07 12:40:39 +02:00
basti 4fe0e913f8 Use our own fork of the postgresql cookbook 2020-06-07 12:29:34 +02:00
basti bd99b76287 Use human-readable flag for encfs mount script
In case someone wants to see what it does without reading a manual in
the future.
2020-06-06 12:24:08 +02:00
Greg Karékinian 1e60722ec4 Create an initial encfs cookbook
Usage: Add the kosmos_encfs::default recipe to the run list of a node.
Creating the encrypted directory will keep it mounted. After a reboot,
start the encfs service and enter the password:

```
$ systemctl start encfs
encfs password:
```

For now postgresql@12-main is a hardcoded dependency of the encfs
Systemd unit that is automatically started once the user inputs the
correct password. This list of dependency will need to be different for
every server, based on the services it is running
2020-06-04 19:50:20 +02:00
Greg Karékinian eded62a3ec Merge branch 'master' into feature/pg_encfs 2020-06-04 15:13:53 +02:00
Greg Karékinian 759fa52e03 Enable the certbot resource 2020-06-02 16:19:05 +02:00
Greg Karékinian 0f10723c81 Enable secure cookies 2020-06-02 16:18:48 +02:00
Greg Karékinian 55865c526c Add the Let's Encrypt hook dir to the config
Only enabled when there is no TLS cert. This is already part of the
certbot nginx vhost
2020-06-02 16:17:34 +02:00
Greg Karékinian 0c502580c2 Fix the condition for the Let's Encrypt cert in the template
The line contained an extra !
2020-06-02 16:16:30 +02:00
Greg Karékinian c8e50fd226 Install git, it is a required dependency for Gitea
I didn't catch it because git is installed by default in the Vagrant box
I used to write the cookbook
2020-06-02 11:41:19 +02:00
Greg Karékinian 94330f2052 Comment out the COOKIE_SECURE config for now
We will enable it again after we have a valid TLS cert generated with
Let's Encrypt. It prevents logins using http, and we will need that as
an admin account
2020-05-28 18:43:31 +02:00
Greg Karékinian baaae695af Merge branch 'master' into feature/147-gitea_cookbook 2020-05-28 15:44:44 +02:00
Greg Karékinian baa0739936 Add the backup recipe
Also move the Gitea data dir to an attribute
2020-05-26 15:21:26 +02:00
Greg Karékinian 3332a1b2e8 Write initial README 2020-05-26 15:21:07 +02:00
Greg Karékinian 210c76c479 Fix the name of the Let's Encrypt cert execute resource
The resource in the notification was invalid, missing the type of
resource (execute)

Fixes #171
2020-05-26 14:10:47 +02:00
raucao 6469d2286e Merge branch 'feature/zoom_options' of kosmos/chef into master 2020-05-25 15:52:41 +00:00
basti 5fcb047505 Update Mastodon system dependencies
Needs new Ruby, and why not upgrade Yarn in the process. Running in
production.
2020-05-25 17:49:22 +02:00
basti f92b43e0f4 Configure Zoom meeting whitelist
So we only log contributions for actual Kosmos calls
2020-05-25 16:57:09 +02:00
Greg Karékinian 1f0e2ccbdd Move the binary URL to an attribute 2020-05-21 11:51:06 +02:00
Greg Karékinian 51d4d88568 Initial kosmos_gitea cookbook
The default recipe deploys the gitea binary, generates a config file and
our custom Kosmos label set. The service runs as a Systemd unit.

The pg_db recipe needs to run on the primary PostgreSQL (currently
andromeda).

The backup recipe is empty for now

Refs #147
2020-05-18 19:39:43 +02:00
Greg Karékinian 20cbc678bc Add a method that returns the PostgreSQL service 2020-05-18 19:38:37 +02:00
Greg Karékinian d79cdf087b Move the PGPASS environment variable to the execute resource
That way it does not appear in the list of running processes while the
command is running
2020-05-15 18:45:12 +02:00
Greg Karékinian 31dc14e88c Fix the firewall rules for PostgreSQL
I got the source and destination mixed up.
2020-05-15 18:44:42 +02:00
Greg Karékinian 55b1cbc1d7 Encrypt the Postgresql data dir on the replica (centaurus)
encfs always runs a configuration assistant when creating a new
volume, so this needs to be done manually:

   systemctl stop postgresql@12-main
   mv /var/lib/postgresql /var/lib/postgresql.old
   encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public
Pick p (paranoia mode) and enter the password from the data bag twice

   mv /var/lib/postgresql/* /var/lib/postgresql/
   systemctl start postgresql@12-main

This is running on centaurus and is mounted automatically on boot by a
system unit

Refs #129
2020-05-15 18:41:31 +02:00
Greg Karékinian 57f46c6c61 Merge branch 'master' into bugfix/enable_dirsrv 2020-05-15 17:24:04 +02:00
Greg Karékinian b4209fa294 Fix the invalid ACIs on initial creation (for real)
Follow-up to #156

I found another issue with the initial ACI creation, while creating a
fresh VM. I thought I had fixed it in #156 but I was wrong. This time
the ACIs are really set and the code runs successfully.

The ACIs are set on the suffix, so modifying it is needed

This won't be executed on a server that is already running, this is only
done on the initial setup
2020-05-15 14:05:35 +02:00
Greg Karékinian 10f0460fd5 Fix startup of the dirsrv@master Systemd unit on boot
The symlink created by Chef's service resource was wrong. Creating the
correct symlink fixes the automatic startup on boot
2020-05-15 13:54:34 +02:00
Greg Karékinian 18973fe4f6 Remove the deleted tls property from the resources 2020-05-14 15:09:15 +02:00
Greg Karékinian fbf610a643 Merge branch 'master' into feature/160-postgres_replication 2020-05-14 15:06:00 +02:00
Greg Karékinian 069090bf44 Remove TODOs
Access rules will not be part of this cookbook, they need to be added to
the cookbooks that use a PostgreSQL database
2020-05-14 13:15:47 +02:00
Greg Karékinian dd92d6cdb7 Remove deploying the root cert to clients from the README
We do not want to verify the root cert so this is not needed
2020-05-14 13:14:42 +02:00
Greg Karékinian 124ee5e6f3 Update the README 2020-05-14 12:36:20 +02:00
Greg Karékinian 0063776297 Remove unused dependencies 2020-05-13 19:11:00 +02:00
Greg Karékinian 8d2ab785fc Use a self-signed TLS certificate for PostgreSQL 2020-05-13 19:10:14 +02:00
Greg Karékinian 84cb3de4a0 Remove outdated comment
This was the case when the code lived inside of the custom resource
2020-05-13 19:04:12 +02:00
Greg Karékinian eb98aa1bac Clarify the firewall and client authentication rules 2020-05-12 16:04:58 +02:00
Greg Karékinian 0180da1aa6 Fix a typo in the README 2020-05-12 15:59:55 +02:00
Greg Karékinian 254f9020ae Enable firewall rules to allow primary/replica to connect 2020-05-12 12:10:10 +02:00
Greg Karékinian 80c7263a72 Upgrade PostgreSQL from 10 to 12
Refs #160
2020-05-11 18:26:57 +02:00
Greg Karékinian 21119fff08 Add a custom resource to set up PostgreSQL 12
Supports both primary and replica. The access rules and firewall have to
be set up outside of the custom resource, so they are part of the
recipes instead

Refs #160
2020-05-11 18:23:11 +02:00
basti 4448ec2173 Configure TURN properly
Was missing a couple of necessary properties, and is now using an
explicit port range for TURN, and opening those ports in UFW.
2020-05-02 14:07:14 +02:00
basti ef2fa2da72 Configure STUN/TURN
Configures built-in STUN/TURN support, and adds the new service discovery
module for it.
2020-05-01 16:25:38 +02:00
basti 35a56aa221 Update version to 20.04 2020-05-01 14:55:13 +02:00
greg 53d53f2375 Merge branch 'bugfix/152-remove_encryption_keys_tls' of kosmos/chef into master 2020-04-30 15:50:26 +00:00
greg ee13c3cbe9 Merge branch 'bugfix/153-update_ejabberd_20.03' of kosmos/chef into master 2020-04-21 13:38:53 +00:00