Merge pull request 'Add PostgreSQL primary support to the kosmos-ejabberd cookbook' (#181) from feature/180-ejabberd_pg_primary into master

The role is empty but is used to explicitly define servers that have
access rights to all PostgreSQL databases and users

roles/ejabberd.rb

@@ -1,7 +1,18 @@
 name "ejabberd"
 
-run_list %w(
+default_run_list = %w(
+  role[postgresql_client]
+  kosmos-ejabberd::default
+)
+
+production_run_list = %w(
+  role[postgresql_client]
   kosmos-ejabberd::default
   kosmos-ejabberd::letsencrypt
   kosmos-ejabberd::backup
 )
+env_run_lists(
+  'production' => production_run_list,
+  'development' => default_run_list,
+  '_default' => default_run_list
+)

roles/gitea.rb

@@ -1,6 +1,7 @@
 name "gitea"
 
 run_list %w(
+  role[postgresql_client]
   kosmos_gitea::default
   kosmos_gitea::backup
 )

roles/postgresql_client.rb

@@ -0,0 +1,5 @@
+# This role is used by the kosmos-postgresql::default recipe to add access
+# rules to every server that is a PostgreSQL client
+name "postgresql_client"
+
+run_list []

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -28,11 +28,6 @@ include_recipe "kosmos-postgresql"
 
 ejabberd_credentials = data_bag_item("credentials", "ejabberd")
 
-cookbook_file "#{Chef::Config[:file_cache_path]}/pg.sql" do
-  source "pg.sql"
-  mode "0664"
-end
-
 ejabberd_version = node["kosmos-ejabberd"]["version"]
 package_checksum = node["kosmos-ejabberd"]["checksum"]
 package_path = "#{Chef::Config['file_cache_path']}/ejabberd_#{ejabberd_version}-0_amd64.deb"
@@ -52,11 +47,6 @@ end
 
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 
-postgresql_user 'ejabberd' do
-  action :create
-  password postgresql_data_bag_item['ejabberd_user_password']
-end
-
 hosts = [
   {
     name: "kosmos.org",
@@ -111,21 +101,14 @@ ldap_base = "cn=users,dc=kosmos,dc=org"
 
 admin_users = ejabberd_credentials['admins']
 
+postgresql_primary_node = postgresql_primary
+postgresql_server = postgresql_primary_node[:ipaddress]
+# PostgreSQL is on the same server, connect through localhost
+postgresql_server = "localhost" if postgresql_primary_node[:hostname] == node[:hostname]
+
 hosts.each do |host|
   ldap_rootdn = "uid=xmpp,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
 
-  postgresql_database host[:sql_database] do
-    owner 'ejabberd'
-    action :create
-    notifies :run, "execute[create db schema #{host[:sql_database]}]", :delayed
-  end
-
-  execute "create db schema #{host[:sql_database]}" do
-    user "ejabberd"
-    command "psql #{host[:sql_database]} < #{Chef::Config[:file_cache_path]}/pg.sql"
-    action :nothing
-  end
-
   template "/opt/ejabberd/conf/#{host[:name]}.yml" do
     source    "vhost.yml.erb"
     mode      0640
@@ -133,6 +116,7 @@ hosts.each do |host|
     group     'ejabberd'
     sensitive true
     variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
+              sql_server: postgresql_server,
               host: host,
               ldap_base: ldap_base,
               ldap_server: ldap_domain,
@@ -152,8 +136,7 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
   source    "ejabberd.yml.erb"
   mode      0640
   sensitive true
-  variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
-            hosts: hosts,
+  variables hosts: hosts,
             admin_users: admin_users,
             stun_auth_realm: "kosmos.org",
             turn_ip_address: node['ipaddress'],

site-cookbooks/kosmos-ejabberd/recipes/pg_db.rb

@@ -0,0 +1,55 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: pg_db
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+
+postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
+
+postgresql_user 'ejabberd' do
+  action :create
+  password postgresql_data_bag_item['ejabberd_user_password']
+end
+
+databases = ["ejabberd", "ejabberd_5apps"]
+
+databases.each do |database|
+  postgresql_database database do
+    owner 'ejabberd'
+    action :create
+    notifies :run, "execute[create db schema #{database}]", :delayed
+  end
+
+  cookbook_file "#{Chef::Config[:file_cache_path]}/pg.sql" do
+    source "pg.sql"
+    mode "0664"
+  end
+
+  execute "create db schema #{database}" do
+    user "postgres"
+    command "psql #{database} < #{Chef::Config[:file_cache_path]}/pg.sql"
+    action :nothing
+  end
+
+end

site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb

@@ -7,7 +7,7 @@ certfiles:
 host_config:
   "<%= @host[:name] %>":
     sql_type: pgsql
-    sql_server: "localhost"
+    sql_server: "<%= @sql_server %>"
     sql_database: "<%= @host[:sql_database] %>"
     sql_username: "ejabberd"
     sql_password: "<%= @pgsql_password %>"

site-cookbooks/kosmos-postgresql/recipes/default.rb

@@ -27,6 +27,10 @@
 postgresql_version = "12"
 postgresql_service = "postgresql@#{postgresql_version}-main"
 
+service postgresql_service do
+  supports restart: true, status: true, reload: true
+end
+
 postgresql_custom_server postgresql_version do
   role "primary"
 end
@@ -44,6 +48,24 @@ systemctl start postgresql@12-main
   only_if { ::File.exist? "/var/lib/postgresql/10/main" }
 end
 
+# Services that connect to PostgreSQL need to have the postgresql_client role
+# as part of their run list. See the gitea and ejabberd roles.
+postgresql_clients = search(:node, "roles:postgresql_client AND chef_environment:#{node.chef_environment}") || []
+
+postgresql_clients.each do |client|
+  ip = ip_for(client)
+  hostname = client[:hostname]
+
+  postgresql_access "#{hostname} all" do
+    access_type "host"
+    access_db "all"
+    access_user "all"
+    access_addr "#{ip}/32"
+    access_method "md5"
+    notifies :reload, "service[#{postgresql_service}]", :immediately
+  end
+end
+
 postgresql_replicas.each do |replica|
   postgresql_access "#{replica[:hostname]} replication" do
     access_type "host"

site-cookbooks/kosmos_gitea/recipes/pg_db.rb

@@ -6,12 +6,6 @@
 
 gitea_data_bag_item = data_bag_item("credentials", "gitea")
 
-postgresql_service = "service[#{postgresql_service_name}]"
-
-service postgresql_service do
-  supports restart: true, status: true, reload: true
-end
-
 postgresql_user "gitea" do
   action :create
   password gitea_data_bag_item["postgresql_password"]
@@ -21,17 +15,3 @@ postgresql_database "gitea" do
   owner "gitea"
   action :create
 end
-
-search(:node, "role:gitea AND chef_environment:#{node.chef_environment}").each do |gitea_server|
-  ip = ip_for(gitea_server)
-  hostname = gitea_server[:hostname]
-
-  postgresql_access "gitea #{hostname}" do
-    access_type "host"
-    access_db "gitea"
-    access_user "gitea"
-    access_addr "#{ip}/32"
-    access_method "md5"
-    notifies :reload, postgresql_service, :delayed
-  end
-end