site-cookbooks/kosmos_encfs/README.md

@@ -1,3 +1,15 @@
 # kosmos_encfs
 
-Install encfs and set up encryption for a data directory
+Install encfs and set up encryption for a data directory.
+
+## Provisioning a new machine
+
+Add encfs to the run list and run chef before adding other cookbooks that
+depends on the encfs mount.
+
+Log into the system and create the data directory like so:
+
+    encfs /usr/local/lib/encrypted_data /mnt/data --public
+
+When asked for config options, choose nothing (i.e. "standard"). Do NOT choose
+paranoia mode, as it breaks some software, like e.g. PostgreSQL.

site-cookbooks/kosmos_encfs/files/encfs.service

@@ -1,11 +1,9 @@
 [Unit]
 Description=EncFS for data dir
-Before=postgresql@12-main.service
-BindsTo=postgresql@12-main.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/local/bin/mount_encfs
-ExecStop=/bin/umount /mnt/data
+ExecStop=/usr/local/bin/unmount_encfs
 [Install]
 WantedBy=multi-user.target

site-cookbooks/kosmos_encfs/recipes/default.rb

@@ -35,11 +35,17 @@ mount_directory = "/mnt/data"
 
 template "/usr/local/bin/mount_encfs" do
   source "mount_encfs.erb"
-  mode "0700"
+  mode "0755"
   variables encrypted_directory: encrypted_directory,
             mount_directory: mount_directory
 end
 
+template "/usr/local/bin/unmount_encfs" do
+  source "unmount_encfs.erb"
+  mode "0700"
+  variables mount_directory: mount_directory
+end
+
 execute "systemctl daemon-reload" do
   command "systemctl daemon-reload"
   action :nothing
@@ -50,19 +56,22 @@ directory mount_directory do
   mode "0775"
 end
 
-execute "create encrypted file system" do
-  command <<-EOF
-echo "y\\\n
-y\\\n
-p\\\n
-#{encfs_password}\\\n
-#{encfs_password}\\\n
-" | encfs #{encrypted_directory} #{mount_directory} --public --stdinpass
-  EOF
-  sensitive true
-  not_if { ::File.exist?(encrypted_directory) }
-end
+# FIXME the password that is stored using this script does not match the actual password
+# execute "create encrypted file system" do
+#   command <<-EOF
+# echo "y\\\n
+# y\\\n
+# FIXME paranoia mode breaks hard links, which postgres relies on
+# p\\\n
+# #{encfs_password}\\\n
+# #{encfs_password}\\\n
+# " | encfs #{encrypted_directory} #{mount_directory} --public --stdinpass
+#   EOF
+#   sensitive true
+#   not_if { ::File.exist?(encrypted_directory) }
+# end
 
+# FIXME there seems to be half a comment missing here
 # The service will automatically 
 cookbook_file "/lib/systemd/system/encfs.service" do
   source "encfs.service"

site-cookbooks/kosmos_encfs/templates/mount_encfs.erb

@@ -1,3 +1,4 @@
 #!/bin/sh
 
 systemd-ask-password --echo "encfs password:" | encfs <%= @encrypted_directory %> <%= @mount_directory %> --public --stdinpass
+echo "Encrypted data directory mounted as <%= @mount_directory %>" > /tmp/data-dir-mounted.txt

site-cookbooks/kosmos_encfs/templates/systemd_unit.path.erb

@@ -0,0 +1,9 @@
+[Unit]
+Description=Start <%= @service_unit %> when encrypted data directory is mounted
+
+[Path]
+PathExists=/tmp/data-dir-mounted.txt
+Unit=<%= @service_unit %>
+
+[Install]
+WantedBy=multi-user.target

site-cookbooks/kosmos_encfs/templates/unmount_encfs.erb

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+rm /tmp/data-dir-mounted.txt
+/bin/umount <%= @mount_directory %>