data_bags/credentials/encfs.json

@@ -0,0 +1,10 @@
+{
+  "id": "encfs",
+  "password": {
+    "encrypted_data": "+1Q3ojHS0lJgE7lFv3zEv653UHgRiuuuxBQQpfa+XrKaeQms2Kiw\n",
+    "iv": "sMb1a/NmjcAW62Uf\n",
+    "auth_tag": "n6jpD1fGoqidgMHRuL3K+A==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

site-cookbooks/kosmos-postgresql/files/encfs.service

@@ -1,10 +0,0 @@
-[Unit]
-Description=EncFS for PostgreSQL data dir
-Before=postgresql@12-main.service
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/local/bin/mount_pg_encfs
-ExecStop=/bin/umount /var/lib/postgresql
-[Install]
-WantedBy=multi-user.target

site-cookbooks/kosmos-postgresql/recipes/replica.rb

@@ -29,7 +29,6 @@ postgresql_service = "postgresql@#{postgresql_version}-main"
 
 postgresql_custom_server postgresql_version do
   role "replica"
-  encfs true
 end
 
 service postgresql_service do

site-cookbooks/kosmos-postgresql/resources/server.rb

@@ -2,16 +2,23 @@ resource_name :postgresql_custom_server
 
 property :postgresql_version, String, required: true, name_property: true
 property :role, String, required: true # Can be primary or replica
-property :encfs, [TrueClass, FalseClass], default: false
 
 action :create do
   postgresql_version = new_resource.postgresql_version
-  postgresql_data_dir = data_dir(postgresql_version)
+  postgresql_data_dir = "/mnt/data/postgresql/#{postgresql_version}/main"
   postgresql_service = "postgresql@#{postgresql_version}-main"
 
   node.override['build-essential']['compile_time'] = true
   include_recipe 'build-essential::default'
 
+  directory postgresql_data_dir do
+    owner "postgres"
+    group "postgres"
+    mode "0750"
+    recursive true
+    action :create
+  end
+
   package("libpq-dev") { action :nothing }.run_action(:install)
 
   chef_gem 'pg' do
@@ -38,46 +45,6 @@ action :create do
     action :install
   end
 
-  postgresql_user "replication" do
-    action :create
-    replication true
-    password postgresql_data_bag_item['replication_password']
-  end
-
-  if new_resource.encfs
-    # FIXME: encfs always runs a configuration assistant when creating a new
-    # volume, so this needs to be done manually:
-    #    systemctl stop postgresql@12-main
-    #    mv /var/lib/postgresql /var/lib/postgresql.old
-    #    encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public
-    # Pick p (paranoia mode) and enter the password from the data bag twice
-    #    mv /var/lib/postgresql/* /var/lib/postgresql/
-    #    systemctl start postgresql@12-main
-
-    package "encfs"
-
-    template "/usr/local/bin/mount_pg_encfs" do
-      source "mount_pg_encfs.erb"
-      mode "0700"
-      variables password: postgresql_data_bag_item["encfs_password"]
-    end
-
-    execute "systemctl daemon-reload" do
-      command "systemctl daemon-reload"
-      action :nothing
-    end
-
-    # The service will automatically mount the encrypted volume on startup
-    cookbook_file "/lib/systemd/system/encfs_postgresql.service" do
-      source "encfs.service"
-      notifies :run, "execute[systemctl daemon-reload]", :delayed
-    end
-
-    service "encfs_postgresql" do
-      action [:enable]
-    end
-  end
-
   shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM
                      "128MB"
                    else # >= 1GB RAM, use 25% of total RAM
@@ -91,6 +58,7 @@ action :create do
     dynamic_shared_memory_type: "posix",
     timezone: "UTC", # default is GMT
     listen_addresses: "0.0.0.0",
+    data_directory: postgresql_data_dir
   }
 
   if new_resource.role == "replica"
@@ -129,6 +97,13 @@ action :create do
     additional_config additional_config
     notifies :reload, "service[#{postgresql_service}]"
   end
+
+  postgresql_user "replication" do
+    action :create
+    replication true
+    password postgresql_data_bag_item['replication_password']
+  end
+
 end
 
 action_class do

site-cookbooks/kosmos-postgresql/templates/mount_pg_encfs.erb

@@ -1,3 +0,0 @@
-#!/bin/sh
-
-/bin/echo "<%= @password %>" | encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public -S

site-cookbooks/kosmos_encfs/.gitignore

@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json

site-cookbooks/kosmos_encfs/CHANGELOG.md

@@ -0,0 +1,7 @@
+# kosmos_encfs CHANGELOG
+
+This file is used to list changes made in each version of the kosmos_encfs cookbook.
+
+# 0.1.0
+
+Initial release.

site-cookbooks/kosmos_encfs/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2020 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

site-cookbooks/kosmos_encfs/README.md

@@ -0,0 +1,3 @@
+# kosmos_encfs
+
+Install encfs and set up encryption for a data directory

site-cookbooks/kosmos_encfs/chefignore

@@ -0,0 +1,110 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+mkmf.log
+REVISION
+TAGS*
+tmtags
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.foodcritic
+.kitchen*
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+azure-pipelines.yml
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+Procfile
+Rakefile
+spec/*
+spec/*
+spec/fixtures/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Cookbooks #
+#############
+CHANGELOG*
+CONTRIBUTING*
+TESTING*
+CODE_OF_CONDUCT*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/kosmos_encfs/files/encfs.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=EncFS for data dir
+Before=postgresql@12-main.service
+BindsTo=postgresql@12-main.service
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/mount_encfs
+ExecStop=/bin/umount /mnt/data
+[Install]
+WantedBy=multi-user.target

site-cookbooks/kosmos_encfs/metadata.rb

@@ -0,0 +1,20 @@
+name 'kosmos_encfs'
+maintainer 'The Authors'
+maintainer_email 'you@example.com'
+license 'All Rights Reserved'
+description 'Installs/Configures kosmos_encfs'
+long_description 'Installs/Configures kosmos_encfs'
+version '0.1.0'
+chef_version '>= 14.0'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked.  A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com/<insert_org_here>/kosmos_encfs/issues'
+
+# The `source_url` points to the development repository for this cookbook.  A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com/<insert_org_here>/kosmos_encfs'

site-cookbooks/kosmos_encfs/recipes/default.rb

@@ -0,0 +1,70 @@
+#
+# Cookbook:: kosmos_encfs
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+
+encfs_data_bag_item = data_bag_item("credentials", "encfs")
+encfs_password = encfs_data_bag_item["password"]
+
+package "encfs"
+
+encrypted_directory = "/usr/local/lib/encrypted_data"
+mount_directory = "/mnt/data"
+
+template "/usr/local/bin/mount_encfs" do
+  source "mount_encfs.erb"
+  mode "0700"
+  variables encrypted_directory: encrypted_directory,
+            mount_directory: mount_directory
+end
+
+execute "systemctl daemon-reload" do
+  command "systemctl daemon-reload"
+  action :nothing
+end
+
+directory mount_directory do
+  action :create
+  mode "0775"
+end
+
+execute "create encrypted file system" do
+  command <<-EOF
+echo "y\\\n
+y\\\n
+p\\\n
+#{encfs_password}\\\n
+#{encfs_password}\\\n
+" | encfs #{encrypted_directory} #{mount_directory} --public --stdinpass
+  EOF
+  sensitive true
+  not_if { ::File.exist?(encrypted_directory) }
+end
+
+# The service will automatically 
+cookbook_file "/lib/systemd/system/encfs.service" do
+  source "encfs.service"
+  notifies :run, "execute[systemctl daemon-reload]", :delayed
+end

site-cookbooks/kosmos_encfs/templates/mount_encfs.erb

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+systemd-ask-password --echo "encfs password:" | encfs <%= @encrypted_directory %> <%= @mount_directory %> --public -S