Encrypt PostgreSQL data directory #166

Merged
raucao merged 11 commits from feature/pg_encfs into master 2020-06-08 15:02:59 +00:00
4 changed files with 49 additions and 0 deletions
Showing only changes of commit 55b1cbc1d7 - Show all commits


@ -0,0 +1,10 @@
[Unit]
Description=EncFS for PostgreSQL data dir
Before=postgresql@12-main.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/mount_pg_encfs
ExecStop=/bin/umount /var/lib/postgresql
[Install]
WantedBy=multi-user.target
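Review bot: `Before=postgresql@12-main.service` only orders the two units; nothing makes PostgreSQL depend on this mount, so if `mount_pg_encfs` fails the database still starts on the unmounted `/var/lib/postgresql` and writes to the underlying, unencrypted directory. Adding `RequiredBy=postgresql@12-main.service` under `[Install]` (or `Requires=encfs_postgresql.service` in a drop-in for the PostgreSQL unit) makes PostgreSQL refuse to start instead of silently running in the clear. The `12` is also hard-coded here while the resource that installs this file takes `postgresql_version` as a property, so any other version loses the ordering without warning; rendering the unit from a template with the `postgresql_service` name would keep the two in sync.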


@ -29,6 +29,7 @@ postgresql_service = "postgresql@#{postgresql_version}-main"
postgresql_custom_server postgresql_version do
role "replica"
encfs true
end
service postgresql_service do


@ -2,6 +2,7 @@ resource_name :postgresql_custom_server
property :postgresql_version, String, required: true, name_property: true
property :role, String, required: true # Can be primary or replica
property :encfs, [TrueClass, FalseClass], default: false
action :create do
postgresql_version = new_resource.postgresql_version
@ -43,6 +44,40 @@ action :create do
password postgresql_data_bag_item['replication_password']
end
if new_resource.encfs
# FIXME: encfs always runs a configuration assistant when creating a new
# volume, so this needs to be done manually:
Review

postgresql is a dummy service, it only runs /bin/true. The service to disable is the content of the postgresql_service variable (postgresql@12-main), so this can be moved above

`postgresql` is a dummy service, it only runs `/bin/true`. The service to disable is the content of the `postgresql_service` variable (`postgresql@12-main`), so this can be moved above
# systemctl stop postgresql@12-main
# mv /var/lib/postgresql /var/lib/postgresql.old
# encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public
# Pick p (paranoia mode) and enter the password from the data bag twice
# mv /var/lib/postgresql/* /var/lib/postgresql/
# systemctl start postgresql@12-main
package "encfs"
template "/usr/local/bin/mount_pg_encfs" do
source "mount_pg_encfs.erb"
mode "0700"
variables password: postgresql_data_bag_item["encfs_password"]
end
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
# The service will automatically mount the encrypted volume on startup
cookbook_file "/lib/systemd/system/encfs_postgresql.service" do
source "encfs.service"
notifies :run, "execute[systemctl daemon-reload]", :delayed
end
service "encfs_postgresql" do
action [:enable]
end
end
shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM
"128MB"
else # >= 1GB RAM, use 25% of total RAM
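Review bot: The `template "/usr/local/bin/mount_pg_encfs"` block renders the encfs password from the data bag into the script but does not set `sensitive true`, so chef-client prints the rendered file's diff, password included, in its output whenever the file changes; add `sensitive true` next to `mode "0700"`. The manual procedure in the FIXME comment also has a path error: after `mv /var/lib/postgresql /var/lib/postgresql.old`, the restore step should read `# mv /var/lib/postgresql.old/* /var/lib/postgresql/` rather than moving the directory onto itself. Separately, `service "encfs_postgresql"` is only enabled and never started, so on the converge that installs it the volume is not mounted until the next boot; if that is intended because of the manual initialisation, a one-line comment saying so would save the next reader from "fixing" it. The `action :create` block continues past the end of this hunk.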


@ -0,0 +1,3 @@
#!/bin/sh
/bin/echo "<%= @password %>" | encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public -S
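Review bot: `@password` is interpolated unescaped inside a double-quoted shell string, so a data bag value containing a double quote, `$`, a backtick or a backslash changes the command (encfs receives the wrong passphrase, or part of the value is expanded by the shell), and `/bin/echo` treats a value beginning with `-n` or `-e` as an option rather than data. Escaping the value and using `printf` avoids both problems, e.g. `printf '%s\n' <%= Shellwords.escape(@password) %> | encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public -S`; if `Shellwords` is not loaded in the template's ERB context, the recipe can escape the value before passing it in `variables`. Reading the passphrase via `-S` from a pipe rather than a command-line argument is the right choice, since it keeps the secret out of the process list.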