From c861c7302515e36d19c6ee83763db4b3d6bb1a39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 9 Jan 2019 18:17:50 +0100 Subject: [PATCH 01/25] Initial kosmos-ejabberd cookbook No Let's Encrypt cert generation recipe for now Hardcoded PostgreSQL password too --- .../kosmos-ejabberd/.delivery/project.toml | 1 + site-cookbooks/kosmos-ejabberd/.gitignore | 22 + site-cookbooks/kosmos-ejabberd/.kitchen.yml | 23 + site-cookbooks/kosmos-ejabberd/Berksfile | 6 + site-cookbooks/kosmos-ejabberd/CHANGELOG.md | 11 + site-cookbooks/kosmos-ejabberd/LICENSE | 3 + site-cookbooks/kosmos-ejabberd/README.md | 4 + site-cookbooks/kosmos-ejabberd/chefignore | 104 +++ .../kosmos-ejabberd/files/pg.new.sql | 573 ++++++++++++ site-cookbooks/kosmos-ejabberd/metadata.rb | 23 + .../kosmos-ejabberd/recipes/default.rb | 82 ++ .../templates/ejabberd.yml.erb | 866 ++++++++++++++++++ .../default/serverspec/default_spec.rb | 23 + 13 files changed, 1741 insertions(+) create mode 100644 site-cookbooks/kosmos-ejabberd/.delivery/project.toml create mode 100644 site-cookbooks/kosmos-ejabberd/.gitignore create mode 100644 site-cookbooks/kosmos-ejabberd/.kitchen.yml create mode 100644 site-cookbooks/kosmos-ejabberd/Berksfile create mode 100644 site-cookbooks/kosmos-ejabberd/CHANGELOG.md create mode 100644 site-cookbooks/kosmos-ejabberd/LICENSE create mode 100644 site-cookbooks/kosmos-ejabberd/README.md create mode 100644 site-cookbooks/kosmos-ejabberd/chefignore create mode 100644 site-cookbooks/kosmos-ejabberd/files/pg.new.sql create mode 100644 site-cookbooks/kosmos-ejabberd/metadata.rb create mode 100644 site-cookbooks/kosmos-ejabberd/recipes/default.rb create mode 100644 site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb create mode 100644 site-cookbooks/kosmos-ejabberd/test/integration/default/serverspec/default_spec.rb 
diff --git a/site-cookbooks/kosmos-ejabberd/.delivery/project.toml b/site-cookbooks/kosmos-ejabberd/.delivery/project.toml
new file mode 100644
index 0000000..6d5e361
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/.delivery/project.toml
@@ -0,0 +1 @@
+remote_file = "https://raw.githubusercontent.com/chef-cookbooks/community_cookbook_tools/master/delivery/project.toml"
diff --git a/site-cookbooks/kosmos-ejabberd/.gitignore b/site-cookbooks/kosmos-ejabberd/.gitignore
new file mode 100644
index 0000000..13e41c4
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/.gitignore
@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+.kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
diff --git a/site-cookbooks/kosmos-ejabberd/.kitchen.yml b/site-cookbooks/kosmos-ejabberd/.kitchen.yml
new file mode 100644
index 0000000..1650f7d
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/.kitchen.yml
@@ -0,0 +1,23 @@
+---
+driver:
+ name: vagrant
+
+provisioner:
+ name: chef_zero
+ # You may wish to disable always updating cookbooks in CI or other testing environments.
+ # For example:
+ # always_update_cookbooks: <%= !ENV['CI'] %>
+ always_update_cookbooks: true
+
+verifier:
+ name: inspec
+
+platforms:
+ - name: ubuntu-16.04
+ - name: ubuntu-18.04
+
+suites:
+ - name: default
+ run_list:
+ - recipe[kosmos-ejabberd::default]
+ attributes:
diff --git a/site-cookbooks/kosmos-ejabberd/Berksfile b/site-cookbooks/kosmos-ejabberd/Berksfile
new file mode 100644
index 0000000..8c1347f
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/Berksfile
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+source 'https://supermarket.chef.io'
+source chef_repo: ".."
+
+cookbook "kosmos-postgresql", path: "../kosmos-postgresql"
+metadata
diff --git a/site-cookbooks/kosmos-ejabberd/CHANGELOG.md b/site-cookbooks/kosmos-ejabberd/CHANGELOG.md
new file mode 100644
index 0000000..6f203ef
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/CHANGELOG.md
@@ -0,0 +1,11 @@
+# kosmos-ejabberd CHANGELOG
+
+This file is used to list changes made in each version of the kosmos-ejabberd cookbook.
+
+# 0.1.0
+
+Initial release.
+
+- change 0
+- change 1
+
diff --git a/site-cookbooks/kosmos-ejabberd/LICENSE b/site-cookbooks/kosmos-ejabberd/LICENSE
new file mode 100644
index 0000000..fd8848e
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/LICENSE
@@ -0,0 +1,3 @@
+Copyright 2019 Kosmos
+
+All rights reserved, do not redistribute.
diff --git a/site-cookbooks/kosmos-ejabberd/README.md b/site-cookbooks/kosmos-ejabberd/README.md
new file mode 100644
index 0000000..b9d427d
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/README.md
@@ -0,0 +1,4 @@
+# kosmos-ejabberd
+
+Sets up ejabberd with vhosts for kosmos.org (public server) and 5apps.com
+(private server).
diff --git a/site-cookbooks/kosmos-ejabberd/chefignore b/site-cookbooks/kosmos-ejabberd/chefignore
new file mode 100644
index 0000000..4439807
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/chefignore
@@ -0,0 +1,104 @@ +# Put files/directories that should be ignored in this file when uploading +# to a chef-server or supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +Icon? +nohup.out +ehthumbs.db +Thumbs.db + +# SASS # +######## +.sass-cache + +# EDITORS # +########### +\#* +.#* +*~ +*.sw[a-z] +*.bak +REVISION +TAGS* +tmtags +*_flymake.* +*_flymake +*.tmproj +.project +.settings +mkmf.log + +## COMPILED ## +############## +a.out +*.o +*.pyc +*.so +*.com +*.class +*.dll +*.exe +*/rdoc/ + +# Testing # +########### +.watchr +.rspec +spec/* +spec/fixtures/* +test/* +features/* +examples/* +Guardfile +Procfile +.kitchen* +kitchen.yml* +.rubocop.yml +spec/* +Rakefile +.travis.yml +.foodcritic +.codeclimate.yml + +# SCM # +####### +.git +*/.git +.gitignore +.gitmodules +.gitconfig +.gitattributes +.svn +*/.bzr/* +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Cookbooks # +############# +CONTRIBUTING* +CHANGELOG* +TESTING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/site-cookbooks/kosmos-ejabberd/files/pg.new.sql b/site-cookbooks/kosmos-ejabberd/files/pg.new.sql new file mode 100644 index 0000000..5db5455 --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/files/pg.new.sql 
@@ -0,0 +1,573 @@ +-- +-- ejabberd, Copyright (C) 2002-2019 ProcessOne +-- +-- This program is free software; you can redistribute it and/or +-- modify it under the terms of the GNU General Public License as +-- published by the Free Software Foundation; either version 2 of the +-- License, or (at your option) any later version. +-- +-- This program is distributed in the hope that it will be useful, +-- but WITHOUT ANY WARRANTY; without even the implied warranty of +-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +-- General Public License for more details. +-- +-- You should have received a copy of the GNU General Public License along +-- with this program; if not, write to the Free Software Foundation, Inc., +-- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +-- + +-- To update from the old schema, replace with the host's domain: + +-- ALTER TABLE users ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE users DROP CONSTRAINT users_pkey; +-- ALTER TABLE users ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE users ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE last ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE last DROP CONSTRAINT last_pkey; +-- ALTER TABLE last ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE last ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE rosterusers ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_rosteru_user_jid; +-- DROP INDEX i_rosteru_username; +-- DROP INDEX i_rosteru_jid; +-- CREATE UNIQUE INDEX i_rosteru_sh_user_jid ON rosterusers USING btree (server_host, username, jid); +-- CREATE INDEX i_rosteru_sh_username ON rosterusers USING btree (server_host, username); +-- CREATE INDEX i_rosteru_sh_jid ON rosterusers USING btree (server_host, jid); +-- ALTER TABLE rosterusers ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE rostergroups ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX 
pk_rosterg_user_jid; +-- CREATE INDEX i_rosterg_sh_user_jid ON rostergroups USING btree (server_host, username, jid); +-- ALTER TABLE rostergroups ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE sr_group ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE sr_group ADD PRIMARY KEY (server_host, name); +-- ALTER TABLE sr_group ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE sr_user ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_sr_user_jid_grp; +-- DROP INDEX i_sr_user_jid; +-- DROP INDEX i_sr_user_grp; +-- ALTER TABLE sr_user ADD PRIMARY KEY (server_host, jid, grp); +-- CREATE INDEX i_sr_user_sh_jid ON sr_user USING btree (server_host, jid); +-- CREATE INDEX i_sr_user_sh_grp ON sr_user USING btree (server_host, grp); +-- ALTER TABLE sr_user ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE spool ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_despool; +-- CREATE INDEX i_spool_sh_username ON spool USING btree (server_host, username); +-- ALTER TABLE spool ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE archive ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_username_timestamp; +-- DROP INDEX i_username_peer; +-- DROP INDEX i_username_bare_peer; +-- DROP INDEX i_timestamp; +-- CREATE INDEX i_archive_sh_username_timestamp ON archive USING btree (server_host, username, timestamp); +-- CREATE INDEX i_archive_sh_username_peer ON archive USING btree (server_host, username, peer); +-- CREATE INDEX i_archive_sh_username_bare_peer ON archive USING btree (server_host, username, bare_peer); +-- CREATE INDEX i_archive_sh_timestamp ON archive USING btree (server_host, timestamp); +-- ALTER TABLE archive ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE archive_prefs ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE archive_prefs DROP CONSTRAINT archive_prefs_pkey; +-- ALTER TABLE archive_prefs ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE 
archive_prefs ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE vcard ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE vcard DROP CONSTRAINT vcard_pkey; +-- ALTER TABLE vcard ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE vcard ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE vcard_search ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE vcard_search DROP CONSTRAINT vcard_search_pkey; +-- DROP INDEX i_vcard_search_lfn; +-- DROP INDEX i_vcard_search_lfamily; +-- DROP INDEX i_vcard_search_lgiven; +-- DROP INDEX i_vcard_search_lmiddle; +-- DROP INDEX i_vcard_search_lnickname; +-- DROP INDEX i_vcard_search_lbday; +-- DROP INDEX i_vcard_search_lctry; +-- DROP INDEX i_vcard_search_llocality; +-- DROP INDEX i_vcard_search_lemail; +-- DROP INDEX i_vcard_search_lorgname; +-- DROP INDEX i_vcard_search_lorgunit; +-- ALTER TABLE vcard_search ADD PRIMARY KEY (server_host, username); +-- CREATE INDEX i_vcard_search_sh_lfn ON vcard_search(server_host, lfn); +-- CREATE INDEX i_vcard_search_sh_lfamily ON vcard_search(server_host, lfamily); +-- CREATE INDEX i_vcard_search_sh_lgiven ON vcard_search(server_host, lgiven); +-- CREATE INDEX i_vcard_search_sh_lmiddle ON vcard_search(server_host, lmiddle); +-- CREATE INDEX i_vcard_search_sh_lnickname ON vcard_search(server_host, lnickname); +-- CREATE INDEX i_vcard_search_sh_lbday ON vcard_search(server_host, lbday); +-- CREATE INDEX i_vcard_search_sh_lctry ON vcard_search(server_host, lctry); +-- CREATE INDEX i_vcard_search_sh_llocality ON vcard_search(server_host, llocality); +-- CREATE INDEX i_vcard_search_sh_lemail ON vcard_search(server_host, lemail); +-- CREATE INDEX i_vcard_search_sh_lorgname ON vcard_search(server_host, lorgname); +-- CREATE INDEX i_vcard_search_sh_lorgunit ON vcard_search(server_host, lorgunit); +-- ALTER TABLE vcard_search ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE privacy_default_list ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER 
TABLE privacy_default_list DROP CONSTRAINT privacy_default_list_pkey; +-- ALTER TABLE privacy_default_list ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE privacy_default_list ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE privacy_list ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_privacy_list_username; +-- DROP INDEX i_privacy_list_username_name; +-- CREATE INDEX i_privacy_list_sh_username ON privacy_list USING btree (server_host, username); +-- CREATE UNIQUE INDEX i_privacy_list_sh_username_name ON privacy_list USING btree (server_host, username, name); +-- ALTER TABLE privacy_list ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE private_storage ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_private_storage_username; +-- DROP INDEX i_private_storage_username_namespace; +-- ALTER TABLE private_storage ADD PRIMARY KEY (server_host, username, namespace); +-- CREATE INDEX i_private_storage_sh_username ON private_storage USING btree (server_host, username); +-- ALTER TABLE private_storage ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE roster_version ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE roster_version DROP CONSTRAINT roster_version_pkey; +-- ALTER TABLE roster_version ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE roster_version ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE muc_room ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE muc_room ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE muc_registered ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE muc_registered ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE muc_online_room ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE muc_online_room ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE muc_online_users ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE muc_online_users ALTER COLUMN server_host DROP DEFAULT; 
+ +-- ALTER TABLE motd ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE motd DROP CONSTRAINT motd_pkey; +-- ALTER TABLE motd ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE motd ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE sm ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_sm_sid; +-- DROP INDEX i_sm_username; +-- ALTER TABLE sm ADD PRIMARY KEY (usec, pid); +-- CREATE INDEX i_sm_sh_username ON sm USING btree (server_host, username); +-- ALTER TABLE sm ALTER COLUMN server_host DROP DEFAULT; + + +CREATE TABLE users ( + username text NOT NULL, + server_host text NOT NULL, + "password" text NOT NULL, + serverkey text NOT NULL DEFAULT '', + salt text NOT NULL DEFAULT '', + iterationcount integer NOT NULL DEFAULT 0, + created_at TIMESTAMP NOT NULL DEFAULT now(), + PRIMARY KEY (server_host, username) +); + +-- Add support for SCRAM auth to a database created before ejabberd 16.03: +-- ALTER TABLE users ADD COLUMN serverkey text NOT NULL DEFAULT ''; +-- ALTER TABLE users ADD COLUMN salt text NOT NULL DEFAULT ''; +-- ALTER TABLE users ADD COLUMN iterationcount integer NOT NULL DEFAULT 0; + +CREATE TABLE last ( + username text NOT NULL, + server_host text NOT NULL, + seconds text NOT NULL, + state text NOT NULL, + PRIMARY KEY (server_host, username) +); + + +CREATE TABLE rosterusers ( + username text NOT NULL, + server_host text NOT NULL, + jid text NOT NULL, + nick text NOT NULL, + subscription character(1) NOT NULL, + ask character(1) NOT NULL, + askmessage text NOT NULL, + server character(1) NOT NULL, + subscribe text NOT NULL, + "type" text, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE UNIQUE INDEX i_rosteru_sh_user_jid ON rosterusers USING btree (server_host, username, jid); +CREATE INDEX i_rosteru_sh_username ON rosterusers USING btree (server_host, username); +CREATE INDEX i_rosteru_sh_jid ON rosterusers USING btree (server_host, jid); + + +CREATE TABLE rostergroups ( + username text NOT NULL, + 
server_host text NOT NULL, + jid text NOT NULL, + grp text NOT NULL +); + +CREATE INDEX i_rosterg_sh_user_jid ON rostergroups USING btree (server_host, username, jid); + +CREATE TABLE sr_group ( + name text NOT NULL, + server_host text NOT NULL, + opts text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now(), + PRIMARY KEY (server_host, name) +); + +CREATE TABLE sr_user ( + jid text NOT NULL, + server_host text NOT NULL, + grp text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now(), + PRIMARY KEY (server_host, jid, grp) +); + +CREATE INDEX i_sr_user_sh_jid ON sr_user USING btree (server_host, jid); +CREATE INDEX i_sr_user_sh_grp ON sr_user USING btree (server_host, grp); + +CREATE TABLE spool ( + username text NOT NULL, + server_host text NOT NULL, + xml text NOT NULL, + seq SERIAL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_spool_sh_username ON spool USING btree (server_host, username); + +CREATE TABLE archive ( + username text NOT NULL, + server_host text NOT NULL, + timestamp BIGINT NOT NULL, + peer text NOT NULL, + bare_peer text NOT NULL, + xml text NOT NULL, + txt text, + id SERIAL, + kind text, + nick text, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_archive_sh_username_timestamp ON archive USING btree (server_host, username, timestamp); +CREATE INDEX i_archive_sh_username_peer ON archive USING btree (server_host, username, peer); +CREATE INDEX i_archive_sh_username_bare_peer ON archive USING btree (server_host, username, bare_peer); +CREATE INDEX i_archive_sh_timestamp ON archive USING btree (server_host, timestamp); + +CREATE TABLE archive_prefs ( + username text NOT NULL, + server_host text NOT NULL, + def text NOT NULL, + always text NOT NULL, + never text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now(), + PRIMARY KEY (server_host, username) +); + +CREATE TABLE vcard ( + username text NOT NULL, + server_host text NOT NULL, + vcard text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT 
now(), + PRIMARY KEY (server_host, username) +); + +CREATE TABLE vcard_search ( + username text NOT NULL, + lusername text NOT NULL, + server_host text NOT NULL, + fn text NOT NULL, + lfn text NOT NULL, + family text NOT NULL, + lfamily text NOT NULL, + given text NOT NULL, + lgiven text NOT NULL, + middle text NOT NULL, + lmiddle text NOT NULL, + nickname text NOT NULL, + lnickname text NOT NULL, + bday text NOT NULL, + lbday text NOT NULL, + ctry text NOT NULL, + lctry text NOT NULL, + locality text NOT NULL, + llocality text NOT NULL, + email text NOT NULL, + lemail text NOT NULL, + orgname text NOT NULL, + lorgname text NOT NULL, + orgunit text NOT NULL, + lorgunit text NOT NULL, + PRIMARY KEY (server_host, username) +); + +CREATE INDEX i_vcard_search_sh_lfn ON vcard_search(server_host, lfn); +CREATE INDEX i_vcard_search_sh_lfamily ON vcard_search(server_host, lfamily); +CREATE INDEX i_vcard_search_sh_lgiven ON vcard_search(server_host, lgiven); +CREATE INDEX i_vcard_search_sh_lmiddle ON vcard_search(server_host, lmiddle); +CREATE INDEX i_vcard_search_sh_lnickname ON vcard_search(server_host, lnickname); +CREATE INDEX i_vcard_search_sh_lbday ON vcard_search(server_host, lbday); +CREATE INDEX i_vcard_search_sh_lctry ON vcard_search(server_host, lctry); +CREATE INDEX i_vcard_search_sh_llocality ON vcard_search(server_host, llocality); +CREATE INDEX i_vcard_search_sh_lemail ON vcard_search(server_host, lemail); +CREATE INDEX i_vcard_search_sh_lorgname ON vcard_search(server_host, lorgname); +CREATE INDEX i_vcard_search_sh_lorgunit ON vcard_search(server_host, lorgunit); + +CREATE TABLE privacy_default_list ( + username text NOT NULL, + server_host text NOT NULL, + name text NOT NULL, + PRIMARY KEY (server_host, username) +); + +CREATE TABLE privacy_list ( + username text NOT NULL, + server_host text NOT NULL, + name text NOT NULL, + id SERIAL UNIQUE, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_privacy_list_sh_username ON privacy_list USING 
btree (server_host, username); +CREATE UNIQUE INDEX i_privacy_list_sh_username_name ON privacy_list USING btree (server_host, username, name); + +CREATE TABLE privacy_list_data ( + id bigint REFERENCES privacy_list(id) ON DELETE CASCADE, + t character(1) NOT NULL, + value text NOT NULL, + action character(1) NOT NULL, + ord NUMERIC NOT NULL, + match_all boolean NOT NULL, + match_iq boolean NOT NULL, + match_message boolean NOT NULL, + match_presence_in boolean NOT NULL, + match_presence_out boolean NOT NULL +); + +CREATE INDEX i_privacy_list_data_id ON privacy_list_data USING btree (id); + +CREATE TABLE private_storage ( + username text NOT NULL, + server_host text NOT NULL, + namespace text NOT NULL, + data text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now(), + PRIMARY KEY (server_host, username, namespace) +); + +CREATE INDEX i_private_storage_sh_username ON private_storage USING btree (server_host, username); + + +CREATE TABLE roster_version ( + username text NOT NULL, + server_host text NOT NULL, + version text NOT NULL, + PRIMARY KEY (server_host, username) +); + +-- To update from 0.9.8: +-- CREATE SEQUENCE spool_seq_seq; +-- ALTER TABLE spool ADD COLUMN seq integer; +-- ALTER TABLE spool ALTER COLUMN seq SET DEFAULT nextval('spool_seq_seq'); +-- UPDATE spool SET seq = DEFAULT; +-- ALTER TABLE spool ALTER COLUMN seq SET NOT NULL; + +-- To update from 1.x: +-- ALTER TABLE rosterusers ADD COLUMN askmessage text; +-- UPDATE rosterusers SET askmessage = ''; +-- ALTER TABLE rosterusers ALTER COLUMN askmessage SET NOT NULL; + +CREATE TABLE pubsub_node ( + host text NOT NULL, + node text NOT NULL, + parent text NOT NULL DEFAULT '', + plugin text NOT NULL, + nodeid SERIAL UNIQUE +); +CREATE INDEX i_pubsub_node_parent ON pubsub_node USING btree (parent); +CREATE UNIQUE INDEX i_pubsub_node_tuple ON pubsub_node USING btree (host, node); + +CREATE TABLE pubsub_node_option ( + nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, + name text NOT NULL, + 
val text NOT NULL +); +CREATE INDEX i_pubsub_node_option_nodeid ON pubsub_node_option USING btree (nodeid); + +CREATE TABLE pubsub_node_owner ( + nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, + owner text NOT NULL +); +CREATE INDEX i_pubsub_node_owner_nodeid ON pubsub_node_owner USING btree (nodeid); + +CREATE TABLE pubsub_state ( + nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, + jid text NOT NULL, + affiliation character(1), + subscriptions text NOT NULL DEFAULT '', + stateid SERIAL UNIQUE +); +CREATE INDEX i_pubsub_state_jid ON pubsub_state USING btree (jid); +CREATE UNIQUE INDEX i_pubsub_state_tuple ON pubsub_state USING btree (nodeid, jid); + +CREATE TABLE pubsub_item ( + nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, + itemid text NOT NULL, + publisher text NOT NULL, + creation varchar(32) NOT NULL, + modification varchar(32) NOT NULL, + payload text NOT NULL DEFAULT '' +); +CREATE INDEX i_pubsub_item_itemid ON pubsub_item USING btree (itemid); +CREATE UNIQUE INDEX i_pubsub_item_tuple ON pubsub_item USING btree (nodeid, itemid); + +CREATE TABLE pubsub_subscription_opt ( + subid text NOT NULL, + opt_name varchar(32), + opt_value text NOT NULL +); +CREATE UNIQUE INDEX i_pubsub_subscription_opt ON pubsub_subscription_opt USING btree (subid, opt_name); + +CREATE TABLE muc_room ( + name text NOT NULL, + host text NOT NULL, + server_host text NOT NULL, + opts text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE UNIQUE INDEX i_muc_room_name_host ON muc_room USING btree (name, host); + +CREATE TABLE muc_registered ( + jid text NOT NULL, + host text NOT NULL, + server_host text NOT NULL, + nick text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_muc_registered_nick ON muc_registered USING btree (nick); +CREATE UNIQUE INDEX i_muc_registered_jid_host ON muc_registered USING btree (jid, host); + +CREATE TABLE muc_online_room ( + name text NOT NULL, + host text NOT 
NULL, + server_host text NOT NULL, + node text NOT NULL, + pid text NOT NULL +); + +CREATE UNIQUE INDEX i_muc_online_room_name_host ON muc_online_room USING btree (name, host); + +CREATE TABLE muc_online_users ( + username text NOT NULL, + server text NOT NULL, + resource text NOT NULL, + name text NOT NULL, + host text NOT NULL, + server_host text NOT NULL, + node text NOT NULL +); + +CREATE UNIQUE INDEX i_muc_online_users ON muc_online_users USING btree (username, server, resource, name, host); +CREATE INDEX i_muc_online_users_us ON muc_online_users USING btree (username, server); + +CREATE TABLE muc_room_subscribers ( + room text NOT NULL, + host text NOT NULL, + jid text NOT NULL, + nick text NOT NULL, + nodes text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_muc_room_subscribers_host_jid ON muc_room_subscribers USING btree (host, jid); +CREATE UNIQUE INDEX i_muc_room_subscribers_host_room_jid ON muc_room_subscribers USING btree (host, room, jid); + +CREATE TABLE motd ( + username text NOT NULL, + server_host text NOT NULL, + xml text, + created_at TIMESTAMP NOT NULL DEFAULT now(), + PRIMARY KEY (server_host, username) +); + +CREATE TABLE caps_features ( + node text NOT NULL, + subnode text NOT NULL, + feature text, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_caps_features_node_subnode ON caps_features USING btree (node, subnode); + +CREATE TABLE sm ( + usec bigint NOT NULL, + pid text NOT NULL, + node text NOT NULL, + username text NOT NULL, + server_host text NOT NULL, + resource text NOT NULL, + priority text NOT NULL, + info text NOT NULL, + PRIMARY KEY (usec, pid) +); + +CREATE INDEX i_sm_node ON sm USING btree (node); +CREATE INDEX i_sm_sh_username ON sm USING btree (server_host, username); + +CREATE TABLE oauth_token ( + token text NOT NULL, + jid text NOT NULL, + scope text NOT NULL, + expire bigint NOT NULL +); + +CREATE UNIQUE INDEX i_oauth_token_token ON oauth_token USING btree (token); + 
+CREATE TABLE route ( + domain text NOT NULL, + server_host text NOT NULL, + node text NOT NULL, + pid text NOT NULL, + local_hint text NOT NULL +); + +CREATE UNIQUE INDEX i_route ON route USING btree (domain, server_host, node, pid); +CREATE INDEX i_route_domain ON route USING btree (domain); + +CREATE TABLE bosh ( + sid text NOT NULL, + node text NOT NULL, + pid text NOT NULL +); + +CREATE UNIQUE INDEX i_bosh_sid ON bosh USING btree (sid); + +CREATE TABLE proxy65 ( + sid text NOT NULL, + pid_t text NOT NULL, + pid_i text NOT NULL, + node_t text NOT NULL, + node_i text NOT NULL, + jid_i text NOT NULL +); + +CREATE UNIQUE INDEX i_proxy65_sid ON proxy65 USING btree (sid); +CREATE INDEX i_proxy65_jid ON proxy65 USING btree (jid_i); + +CREATE TABLE push_session ( + username text NOT NULL, + server_host text NOT NULL, + timestamp bigint NOT NULL, + service text NOT NULL, + node text NOT NULL, + xml text NOT NULL, + PRIMARY KEY (server_host, username, timestamp) +); + +CREATE UNIQUE INDEX i_push_session_susn ON push_session USING btree (server_host, username, service, node); diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb new file mode 100644 index 0000000..1fcf0e6 --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/metadata.rb 
@@ -0,0 +1,23 @@
+name 'kosmos-ejabberd'
+maintainer 'Kosmos'
+maintainer_email 'ops@5apps.com'
+license 'All Rights Reserved'
+description 'Installs/Configures kosmos-ejabberd'
+long_description 'Installs/Configures kosmos-ejabberd'
+version '0.1.0'
+chef_version '>= 12.14' if respond_to?(:chef_version)
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//kosmos-ejabberd/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//kosmos-ejabberd'
+
+depends "kosmos-postgresql"
+depends "database"
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
new file mode 100644
index 0000000..cb7a791
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -0,0 +1,82 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: default
+#
+# Copyright:: 2019, Kosmos, All Rights Reserved.
+#
+
+include_recipe "kosmos-postgresql"
+
+cookbook_file "#{Chef::Config[:file_cache_path]}/pg.new.sql" do
+ source "pg.new.sql"
+ mode "0664"
+end
+
+ejabberd_version = "18.12.1"
+package_path = "#{Chef::Config['file_cache_path']}/ejabberd_#{ejabberd_version}-0_amd64.deb"
+
+remote_file package_path do
+ source "https://www.process-one.net/downloads/downloads-action.php?file=/ejabberd/#{ejabberd_version}/ejabberd_#{ejabberd_version}-0_amd64.deb"
+ checksum "8352d85f98353c8f57b4f386c6ab17c342292ab60708d13f078e91475daedf05"
+ notifies :install, "dpkg_package[ejabberd]", :immediately
+end
+
+dpkg_package "ejabberd" do
+ source package_path
+ action :nothing
+ notifies :create, "file[/lib/systemd/system/ejabberd.service]", :immediately
+end
+
+postgresql_connection_info = {
+ host: '127.0.0.1',
+ port: 5432,
+ username: 'postgres',
+ password: node['postgresql']['password']['postgres']
+}
+
+postgresql_database 'ejabberd' do
+ connection postgresql_connection_info
+ action :create
+ notifies :run, "execute[create db schema]", :delayed
+end
+
+postgresql_database_user 'ejabberd' do
+ connection postgresql_connection_info
+ password 'super_secret'
+ database_name 'ejabberd'
+ privileges [:all]
+ action [:create, :grant]
+end
+
+execute "create db schema" do
+ user "ejabberd"
+ command "psql ejabberd < #{Chef::Config[:file_cache_path]}/pg.new.sql"
+ action :nothing
+end
+
+template "/opt/ejabberd/conf/ejabberd.yml" do
+ source "ejabberd.yml.erb"
+ mode 0640
+ sensitive true
+ variables pgsql_password: "super_secret"
+end
+
+file "/etc/init.d/ejabberd" do
+ action :delete
+end
+
+# Copy the systemd service file
+file "/lib/systemd/system/ejabberd.service" do
+ content lazy { IO.read("/opt/ejabberd-#{ejabberd_version}/bin/ejabberd.service") }
+ action :nothing
+ notifies :run, "execute[systemctl daemon-reload]", :immediately
+end
+
+execute "systemctl daemon-reload" do
+ command "systemctl daemon-reload"
+ action :nothing
+end
+
+service "ejabberd" do
+ action [:enable, :start]
+end
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
new file mode 100644
index 0000000..15f9495
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
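Review bot: The `ejabberd` database role password is the literal `'super_secret'` in two places in this hunk — `password 'super_secret'` in `postgresql_database_user` and `variables pgsql_password: "super_secret"` in the template — so the two can silently drift apart, and the commit message already notes it is hardcoded. Read it once into a local from the same place the superuser password comes from (the recipe already uses `node['postgresql']['password']['postgres']` for the connection), e.g. `ejabberd_pg_password = node['postgresql']['password']['ejabberd']  # TODO(review): placeholder attribute, source from an attribute or data bag`, then `password ejabberd_pg_password` and `variables pgsql_password: ejabberd_pg_password`. The `postgresql_database_user` resource should also get `sensitive true` like the template does, so its properties are not echoed in chef-client output. Minor style point: `mode 0640` on the template is an integer literal while `cookbook_file` uses the string `"0664"`; pick one form for the recipe.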
@@ -0,0 +1,866 @@ +### +###' ejabberd configuration file +### +### + +### The parameters used in this configuration file are explained in more detail +### in the ejabberd Installation and Operation Guide. +### Please consult the Guide in case of doubts, it is included with +### your copy of ejabberd, and is also available online at +### http://www.process-one.net/en/ejabberd/docs/ + +### The configuration file is written in YAML. +### Refer to http://en.wikipedia.org/wiki/YAML for the brief description. +### However, ejabberd treats different literals as different types: +### +### - unquoted or single-quoted strings. They are called "atoms". +### Example: dog, 'Jupiter', '3.14159', YELLOW +### +### - numeric literals. Example: 3, -45.0, .0 +### +### - quoted or folded strings. +### Examples of quoted string: "Lizzard", "orange". +### Example of folded string: +### > Art thou not Romeo, +### and a Montague? + +###. ======= +###' LOGGING + +## +## loglevel: Verbosity of log files generated by ejabberd. +## 0: No ejabberd log at all (not recommended) +## 1: Critical +## 2: Error +## 3: Warning +## 4: Info +## 5: Debug +## +loglevel: 5 + +## +## rotation: Describe how to rotate logs. Either size and/or date can trigger +## log rotation. Setting count to N keeps N rotated logs. Setting count to 0 +## does not disable rotation, it instead rotates the file and keeps no previous +## versions around. Setting size to X rotate log when it reaches X bytes. +## To disable rotation set the size to 0 and the date to "" +## Date syntax is taken from the syntax newsyslog uses in newsyslog.conf. 
+## Some examples: +## $D0 rotate every night at midnight +## $D23 rotate every day at 23:00 hr +## $W0D23 rotate every week on Sunday at 23:00 hr +## $W5D16 rotate every week on Friday at 16:00 hr +## $M1D0 rotate on the first day of every month at midnight +## $M5D6 rotate on every 5th day of the month at 6:00 hr +## +log_rotate_size: 10485760 +log_rotate_date: "" +log_rotate_count: 1 + +## +## overload protection: If you want to limit the number of messages per second +## allowed from error_logger, which is a good idea if you want to avoid a flood +## of messages when system is overloaded, you can set a limit. +## 100 is ejabberd's default. +log_rate_limit: 100 + +## +## watchdog_admins: Only useful for developers: if an ejabberd process +## consumes a lot of memory, send live notifications to these XMPP +## accounts. +## +##watchdog_admins: +## - "sebastian@5apps.com" + +###. =============== +###' NODE PARAMETERS + +## +## net_ticktime: Specifies net_kernel tick time in seconds. This options must have +## identical value on all nodes, and in most cases shouldn't be changed at all from +## default value. +## +## net_ticktime: 60 + +###. ================ +###' SERVED HOSTNAMES + +## +## hosts: Domains served by ejabberd. +## You can define one or several, for example: +## hosts: +## - "example.net" +## - "example.com" +## - "example.org" +## +hosts: + - "kosmos.org" + - "5apps.com" + +## +## route_subdomains: Delegate subdomains to other XMPP servers. +## For example, if this ejabberd serves example.org and you want +## to allow communication with an XMPP server called im.example.org. +## +## route_subdomains: s2s + +###. ============ +###' Certificates + +## List all available PEM files containing certificates for your domains, +## chains of certificates or certificate keys. Full chains will be built +## automatically by ejabberd. 
+## +<% if File.exist?("/opt/ejabberd/conf/kosmos.org.pem") || File.exist?("/opt/ejabberd/conf/5apps.com.pem") -%> +certfiles: +<% if File.exist?("/opt/ejabberd/conf/kosmos.org.pem") -%> + - "/opt/ejabberd/conf/kosmos.org.pem" +<% end -%> +<% if File.exist?("/opt/ejabberd/conf/5apps.com.pem") -%> + - "/opt/ejabberd/conf/5apps.com.pem" +<% end -%> +<% end -%> + +ca_file: "/opt/ejabberd/conf/cacert.pem" + +###. ================= +###' TLS configuration + +define_macro: + 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" + 'TLS_OPTIONS': + - "no_sslv3" + - "cipher_server_preference" + - "no_compression" + 'DH_FILE': "/opt/ejabberd/conf/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 2048 + +c2s_dhfile: 'DH_FILE' +s2s_dhfile: 'DH_FILE' +c2s_ciphers: 'TLS_CIPHERS' +s2s_ciphers: 'TLS_CIPHERS' +c2s_protocol_options: 'TLS_OPTIONS' +s2s_protocol_options: 'TLS_OPTIONS' + +###. =============== +###' LISTENING PORTS + +## +## listen: The ports ejabberd will listen on, which service each is handled +## by and what options to start it with. +## +listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + starttls: true + max_stanza_size: 65536 + shaper: c2s_shaper + access: c2s + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + max_stanza_size: 131072 + shaper: s2s_shaper + - + port: 5280 + ip: "::" + module: ejabberd_http + request_handlers: + "/ws": ejabberd_http_ws + "/bosh": mod_bosh + "/api": mod_http_api + ## "/pub/archive": mod_http_fileserver + web_admin: true + ## register: true + captcha: false + ## + ## ejabberd_service: Interact with external components (transports, ...) 
+ ## + ## - + ## port: 8888 + ## ip: "::" + ## module: ejabberd_service + ## access: all + ## shaper_rule: fast + ## ip: "127.0.0.1" + ## privilege_access: + ## roster: "both" + ## message: "outgoing" + ## presence: "roster" + ## delegations: + ## "urn:xmpp:mam:1": + ## filtering: ["node"] + ## "http://jabber.org/protocol/pubsub": + ## filtering: [] + ## hosts: + ## "icq.example.org": + ## password: "secret" + ## "sms.example.org": + ## password: "secret" + + ## + ## ejabberd_stun: Handles STUN Binding requests + ## + ## - + ## port: 3478 + ## transport: udp + ## module: ejabberd_stun + + ## + ## To handle XML-RPC requests that provide admin credentials: + ## + ## - + ## port: 4560 + ## ip: "::" + ## module: ejabberd_xmlrpc + ## maxsessions: 10 + ## timeout: 5000 + ## access_commands: + ## admin: + ## commands: all + ## options: [] + + ## + ## To enable secure http upload + ## + - + port: 5443 + module: ejabberd_http + request_handlers: + "upload": mod_http_upload + tls: true + ##protocol_options: 'TLS_OPTIONS' + ##dhfile: 'DH_FILE' + ##ciphers: 'TLS_CIPHERS' + +## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text +## password storage (see auth_password_format option). +## disable_sasl_mechanisms: "digest-md5" + +###. ================== +###' S2S GLOBAL OPTIONS + +## +## s2s_use_starttls: Enable STARTTLS for S2S connections. +## Allowed values are: false, optional or required +## You must specify 'certfiles' option +## +s2s_use_starttls: optional + +## +## S2S whitelist or blacklist +## +## Default s2s policy for undefined hosts. +## +## s2s_access: s2s + +## +## Outgoing S2S options +## +## Preferred address families (which to try first) and connect timeout +## in seconds. +## +## outgoing_s2s_families: +## - ipv4 +## - ipv6 +## outgoing_s2s_timeout: 190 + +###. ============== +###' AUTHENTICATION + +## +## auth_method: Method used to authenticate the users. +## The default method is the internal. 
+## If you want to use a different method, +## comment this line and enable the correct ones. +## +## auth_method: sql + +## +## Store the plain passwords or hashed for SCRAM: +## auth_password_format: plain +auth_password_format: scram +## +## Define the FQDN if ejabberd doesn't detect it: +## fqdn: "server3.example.com" + +## +## Authentication using external script +## Make sure the script is executable by ejabberd. +## +## auth_method: external +## extauth_program: "/path/to/authentication/script" + +## +## Authentication using SQL +## Remember to setup a database in the next section. +## +auth_method: sql + +## +## Authentication using PAM +## +## auth_method: pam +## pam_service: "pamservicename" + +## +## Authentication using LDAP +## +## auth_method: ldap +## +## List of LDAP servers: +## ldap_servers: +## - "localhost" +## +## Encryption of connection to LDAP servers: +## ldap_encrypt: none +## ldap_encrypt: tls +## +## Port to connect to on LDAP servers: +## ldap_port: 389 +## ldap_port: 636 +## +## LDAP manager: +## ldap_rootdn: "dc=example,dc=com" +## +## Password of LDAP manager: +## ldap_password: "******" +## +## Search base of LDAP directory: +## ldap_base: "dc=example,dc=com" +## +## LDAP attribute that holds user ID: +## ldap_uids: +## - "mail": "%u@mail.example.org" +## +## LDAP filter: +## ldap_filter: "(objectClass=shadowAccount)" + +## +## Anonymous login support: +## auth_method: anonymous +## anonymous_protocol: sasl_anon | login_anon | both +## allow_multiple_connections: true | false +## +## host_config: +## "public.example.org": +## auth_method: anonymous +## allow_multiple_connections: false +## anonymous_protocol: sasl_anon +## +## To use both anonymous and internal authentication: +## +## host_config: +## "public.example.org": +## auth_method: +## - internal +## - anonymous + +###. ============== +###' DATABASE SETUP + +## ejabberd by default uses the internal Mnesia database, +## so you do not necessarily need this section. 
+## This section provides configuration examples in case +## you want to use other database backends. +## Please consult the ejabberd Guide for details on database creation. + +## +## MySQL server: +## +## sql_type: mysql +## sql_server: "server" +## sql_database: "database" +## sql_username: "username" +## sql_password: "password" +## +## If you want to specify the port: +## sql_port: 1234 + +## +## PostgreSQL server: +## + +default_db: sql + +sql_type: pgsql +sql_server: "localhost" +sql_database: "ejabberd" +sql_username: "ejabberd" +sql_password: "<%= @pgsql_password %>" +new_sql_schema: true +## +## If you want to specify the port: +## sql_port: 1234 +## +## If you use PostgreSQL, have a large database, and need a +## faster but inexact replacement for "select count(*) from users" +## +## pgsql_users_number_estimate: true + +## +## SQLite: +## +## sql_type: sqlite +## sql_database: "/opt/ejabberd/database/ejabberd.db" + +## +## ODBC compatible or MSSQL server: +## +## sql_type: odbc +## sql_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd" + +## +## Number of connections to open to the database for each virtual host +## +## sql_pool_size: 10 + +## +## Interval to make a dummy SQL request to keep the connections to the +## database alive. Specify in seconds: for example 28800 means 8 hours +## +## sql_keepalive_interval: undefined + +###. =============== +###' TRAFFIC SHAPERS + +shaper: + ## + ## The "normal" shaper limits traffic speed to 1000 B/s + ## + normal: 1000 + + ## + ## The "fast" shaper limits traffic speed to 50000 B/s + ## + fast: 50000 + +## +## This option specifies the maximum number of elements in the queue +## of the FSM. Refer to the documentation for details. +## +max_fsm_queue: 10000 + +###. ==================== +###' ACCESS CONTROL LISTS +acl: + ## + ## The 'admin' ACL grants administrative privileges to XMPP accounts. + ## You can put here as many accounts as you want. 
+ ## + admin: + user: + - "greg@5apps.com" + - "sebastian@5apps.com" + - "garret@5apps.com" + - "raucao@kosmos.org" + + ## + ## Blocked users + ## + ## blocked: + ## user: + ## - "baduser@example.org" + ## - "test" + + ## Local users: don't modify this. + ## + local: + user_regexp: "" + + ## + ## More examples of ACLs + ## + ## jabberorg: + ## server: + ## - "jabber.org" + ## aleksey: + ## user: + ## - "aleksey@jabber.ru" + ## test: + ## user_regexp: "^test" + ## user_glob: "test*" + + ## + ## Loopback network + ## + loopback: + ip: + - "127.0.0.0/8" + - "::1/128" + - "::FFFF:127.0.0.1/128" + + ## + ## Bad XMPP servers + ## + ## bad_servers: + ## server: + ## - "xmpp.zombie.org" + ## - "xmpp.spam.com" + +## +## Define specific ACLs in a virtual host. +## +## host_config: +## "localhost": +## acl: +## admin: +## user: +## - "bob-local@localhost" + +###. ============ +###' SHAPER RULES + +shaper_rules: + ## Maximum number of simultaneous sessions allowed for a single user: + max_user_sessions: 10 + ## Maximum number of offline messages that users can have: + max_user_offline_messages: + - 5000: admin + - 100 + ## For C2S connections, all users except admins use the "normal" shaper + c2s_shaper: + - none: admin + - normal + ## All S2S connections use the "fast" shaper + s2s_shaper: fast + +###. ============ +###' ACCESS RULES +access_rules: + ## This rule allows access only for local users: + local: + - allow: local + ## Only non-blocked users can use c2s connections: + c2s: + - deny: blocked + - allow + ## Only admins can send announcement messages: + announce: + - allow: admin + ## Only admins can use the configuration interface: + configure: + - allow: admin + ## Only accounts of the local ejabberd server can create rooms: + muc_create: + - allow: admin + - allow: local + ## Only accounts on the local ejabberd server can create Pubsub nodes: + pubsub_createnode: + - allow: local + ## In-band registration allows registration of any possible username. 
+ ## To disable in-band registration, replace 'allow' with 'deny'. + register: + - allow + ## Only allow to register from localhost + trusted_network: + - allow: loopback + ## Do not establish S2S connections with bad servers + ## If you enable this you also have to uncomment "s2s_access: s2s" + ## s2s: + ## - deny: + ## - ip: "XXX.XXX.XXX.XXX/32" + ## - deny: + ## - ip: "XXX.XXX.XXX.XXX/32" + ## - allow + +## =============== +## API PERMISSIONS +## =============== +## +## This section allows you to define who and using what method +## can execute commands offered by ejabberd. +## +## By default "console commands" section allow executing all commands +## issued using ejabberdctl command, and "admin access" section allows +## users in admin acl that connect from 127.0.0.1 to execute all +## commands except start and stop with any available access method +## (ejabberdctl, http-api, xmlrpc depending what is enabled on server). +## +## If you remove "console commands" there will be one added by +## default allowing executing all commands, but if you just change +## permissions in it, version from config file will be used instead +## of default one. +## +api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + - access: + - allow: + - acl: loopback + - acl: admin + - oauth: + - scope: "ejabberd:admin" + - access: + - allow: + - acl: loopback + - acl: admin + what: + - "*" + - "!stop" + - "!start" + "public commands": + who: + - ip: "127.0.0.1/8" + what: + - "status" + - "connected_users_number" + +## By default the frequency of account registrations from the same IP +## is limited to 1 account every 10 minutes. To disable, specify: infinity +## registration_timeout: 600 + +## +## Define specific Access Rules in a virtual host. +## +## host_config: +## "localhost": +## access: +## c2s: +## - allow: admin +## - deny +## register: +## - deny + +###. 
================ +###' DEFAULT LANGUAGE + +## +## language: Default language used for server messages. +## +language: "en" + +## +## Set a different default language in a virtual host. +## +## host_config: +## "localhost": +## language: "ru" + +###. ======= +###' CAPTCHA + +## +## Full path to a script that generates the image. +## +## captcha_cmd: "/opt/ejabberd-17.12/lib/ejabberd-17.12/priv/bin/captcha.sh" + +## +## Host for the URL and port where ejabberd listens for CAPTCHA requests. +## +## captcha_host: "xmpp:5280" + +## +## Limit CAPTCHA calls per minute for JID/IP to avoid DoS. +## +## captcha_limit: 5 + +###. ==== +###' ACME +## +## In order to use the acme certificate acquiring through "Let's Encrypt" +## an http listener has to be configured to listen to port 80 so that +## the authorization challenges posed by "Let's Encrypt" can be solved. +## +## A simple way of doing this would be to add the following in the listening +## section and to configure port forwarding from 80 to 5280 either via NAT +## (for ipv4 only) or using frontends such as haproxy/nginx/sslh/etc. +## - +## port: 5280 +## ip: "::" +## module: ejabberd_http + +##acme: + + ## A contact mail that the ACME Certificate Authority can contact in case of + ## an authorization issue, such as a server-initiated certificate revocation. + ## It is not mandatory to provide an email address but it is highly suggested. + ##contact: "mailto:ops@5apps.com" + + ## The ACME Certificate Authority URL. + ## This could either be: + ## - https://acme-v01.api.letsencrypt.org - (Default) for the production CA + ## - https://acme-staging.api.letsencrypt.org - for the staging CA + ## - http://localhost:4000 - for a local version of the CA + ##ca_url: "https://acme-v01.api.letsencrypt.org" + +###. ======= +###' MODULES + +## +## Modules enabled in all ejabberd virtual hosts. 
+## +modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: # recommends mod_adhoc + access: announce + mod_blocking: {} # requires mod_privacy + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} # requires mod_adhoc + ## mod_delegation: {} # for xep0356 + mod_disco: + server_info: + - + modules: all + name: "abuse-addresses" + urls: ["mailto:abuse@kosmos.org"] + ## mod_echo: {} + ## mod_irc: {} + mod_bosh: {} + ## mod_http_fileserver: + ## docroot: "/var/www" + ## accesslog: "/opt/ejabberd-17.12/logs/access.log" + mod_http_upload: + docroot: "/var/www/xmpp.@HOST@/uploads/" + put_url: "https://xmpp.@HOST@:5443/upload" + thumbnail: false # otherwise needs the identify command from ImageMagick installed + ## mod_http_upload_quota: + ## max_days: 30 + mod_last: {} + ## XEP-0313: Message Archive Management + ## You might want to setup a SQL backend for MAM because the mnesia database is + ## limited to 2GB which might be exceeded on large servers + mod_mam: + default: always + request_activates_archiving: true + mod_muc: {} + mod_muc_admin: {} + ## mod_muc_log: {} + ## mod_multicast: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + ## mod_pres_counter: + ## count: 5 + ## interval: 60 + mod_privacy: {} + mod_private: {} + mod_proxy65: {} + mod_pubsub: + access_createnode: pubsub_createnode + ## reduces resource comsumption, but XEP incompliant + ignore_pep_from_offline: true + ## XEP compliant, but increases resource comsumption + ## ignore_pep_from_offline: false + last_item_cache: false + max_items_node: 10 + plugins: + - "flat" + - "pep" # pep requires mod_caps + mod_push: {} + mod_push_keepalive: {} + mod_register: + ## + ## Protect In-Band account registrations with CAPTCHA. + ## + ## captcha_protected: true + ## + ## Set the minimum informational entropy for passwords. 
+ ## + ## password_strength: 32 + ## + ## After successful registration, the user receives + ## a message with this subject and body. + ## + welcome_message: + subject: "Welcome!" + body: |- + Hi. + Welcome to this XMPP server. + ## + ## When a user registers, send a notification to + ## these XMPP accounts. + ## + ## registration_watchers: + ## - "admin1@example.org" + ## + ## Only clients in the server machine can register accounts + ## + ip_access: trusted_network + ## + ## Local c2s or remote s2s users cannot register accounts + ## + ## access_from: deny + access: register + mod_roster: + versioning: true + store_current_id: true + mod_shared_roster: {} + ## mod_stats: {} + ## mod_time: {} + mod_vcard: + search: false + mod_vcard_xupdate: {} + ## Convert all avatars posted by Android clients from WebP to JPEG + ## mod_avatar: # this module needs compile option --enable-graphics + ## convert: + ## webp: jpeg + mod_version: {} + mod_stream_mgmt: {} + ## Non-SASL Authentication (XEP-0078) is now disabled by default + ## because it's obsoleted and is used mostly by abandoned + ## client software + ## mod_legacy_auth: {} + ## The module for S2S dialback (XEP-0220). Please note that you cannot + ## rely solely on dialback if you want to federate with other servers, + ## because a lot of servers have dialback disabled and instead rely on + ## PKIX authentication. 
Make sure you have proper certificates installed + ## and check your accessibility at https://check.messaging.one/ + mod_s2s_dialback: {} + mod_http_api: {} + +## +## Enable modules with custom options in a specific virtual host +## +## host_config: +## "localhost": +## modules: +## mod_echo: +## host: "mirror.localhost" + +host_config: + "kosmos.org": + modules: + mod_muc: + host: "chat.kosmos.org" + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + "5apps.com": + modules: + mod_muc: + host: "muc.5apps.com" + access: + - deny + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + +## +## Enable modules management via ejabberdctl for installation and +## uninstallation of public/private contributed modules +## (enabled by default) +## + +allow_contrib_modules: true + +###. +###' +### Local Variables: +### mode: yaml +### End: +### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker: diff --git a/site-cookbooks/kosmos-ejabberd/test/integration/default/serverspec/default_spec.rb b/site-cookbooks/kosmos-ejabberd/test/integration/default/serverspec/default_spec.rb new file mode 100644 index 0000000..703630b --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/test/integration/default/serverspec/default_spec.rb @@ -0,0 +1,23 @@ +require 'serverspec' + +# Required by serverspec +set :backend, :exec + +describe 'ejabberd' do + describe package('ejabberd') do + it { should be_installed } + end + + it 'is listening on port 5222 (client-to-server)' do + expect(port(5222)).to be_listening + end + + it 'is listening on port 5269 (server-to-server)' do + expect(port(5269)).to be_listening + end + + it 'runs the ejabberd service' do + expect(service('ejabberd')).to be_running + expect(service('ejabberd')).to be_enabled + end +end -- 2.25.1 From 70c4419c2ac4e73c339c86356e61b0c1c46feb30 Mon Sep 17 00:00:00 2001 
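Review bot: The port 5280 `ejabberd_http` listener enables `web_admin: true` and `"/api": mod_http_api` on `ip: "::"` with no `tls: true`, so admin and API credentials travel in clear text on every interface unless a TLS-terminating proxy sits in front, which nothing in this template shows. Either bind it to `ip: "127.0.0.1"` or add `tls: true` together with the macros already defined for c2s/s2s (`protocol_options: 'TLS_OPTIONS'`, `dhfile: 'DH_FILE'`, `ciphers: 'TLS_CIPHERS'`). The port 5443 upload listener does set `tls: true`, but those same three options are left commented out (`##protocol_options: 'TLS_OPTIONS'` …), so the no_sslv3/cipher hardening applied to c2s and s2s does not cover the upload endpoint; un-comment them there as well.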
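Review bot: The spec checks the package, the service and ports 5222/5269 but never the rendered configuration, and `/opt/ejabberd/conf/ejabberd.yml` carries the database password, so a regression of the recipe's `mode 0640` would pass unnoticed; add `describe file('/opt/ejabberd/conf/ejabberd.yml') do it { should be_mode 640 } end`. The HTTP listeners on 5280 and 5443 likewise get no listening check.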
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 9 Jan 2019 18:26:50 +0100 Subject: [PATCH 02/25] Add initial kosmos-postgresql cookbook This is to install PostgreSQL all in one place instead of for each service that needs it (Mastodon, ejabberd, ...) --- site-cookbooks/kosmos-postgresql/.gitignore | 22 ++++ site-cookbooks/kosmos-postgresql/Berksfile | 4 + site-cookbooks/kosmos-postgresql/CHANGELOG.md | 11 ++ site-cookbooks/kosmos-postgresql/LICENSE | 3 + site-cookbooks/kosmos-postgresql/README.md | 4 + site-cookbooks/kosmos-postgresql/chefignore | 104 ++++++++++++++++++ site-cookbooks/kosmos-postgresql/metadata.rb | 22 ++++ .../kosmos-postgresql/recipes/default.rb | 16 +++ 8 files changed, 186 insertions(+) create mode 100644 site-cookbooks/kosmos-postgresql/.gitignore create mode 100644 site-cookbooks/kosmos-postgresql/Berksfile create mode 100644 site-cookbooks/kosmos-postgresql/CHANGELOG.md create mode 100644 site-cookbooks/kosmos-postgresql/LICENSE create mode 100644 site-cookbooks/kosmos-postgresql/README.md create mode 100644 site-cookbooks/kosmos-postgresql/chefignore create mode 100644 site-cookbooks/kosmos-postgresql/metadata.rb create mode 100644 site-cookbooks/kosmos-postgresql/recipes/default.rb diff --git a/site-cookbooks/kosmos-postgresql/.gitignore b/site-cookbooks/kosmos-postgresql/.gitignore new file mode 100644 index 0000000..13e41c4 --- /dev/null +++ b/site-cookbooks/kosmos-postgresql/.gitignore @@ -0,0 +1,22 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +.kitchen.local.yml + +# Chef +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json diff --git a/site-cookbooks/kosmos-postgresql/Berksfile b/site-cookbooks/kosmos-postgresql/Berksfile new file mode 100644 index 0000000..0656a99 --- /dev/null +++ b/site-cookbooks/kosmos-postgresql/Berksfile @@ -0,0 +1,4 @@ +# frozen_string_literal: true +source 'https://supermarket.chef.io' + +metadata 
diff --git a/site-cookbooks/kosmos-postgresql/CHANGELOG.md b/site-cookbooks/kosmos-postgresql/CHANGELOG.md new file mode 100644 index 0000000..4ec46d4 --- /dev/null +++ b/site-cookbooks/kosmos-postgresql/CHANGELOG.md @@ -0,0 +1,11 @@ +# kosmos-postgresql CHANGELOG + +This file is used to list changes made in each version of the kosmos-postgresql cookbook. + +# 0.1.0 + +Initial release. + +- change 0 +- change 1 + diff --git a/site-cookbooks/kosmos-postgresql/LICENSE b/site-cookbooks/kosmos-postgresql/LICENSE new file mode 100644 index 0000000..fd8848e --- /dev/null +++ b/site-cookbooks/kosmos-postgresql/LICENSE @@ -0,0 +1,3 @@ +Copyright 2019 Kosmos + +All rights reserved, do not redistribute. diff --git a/site-cookbooks/kosmos-postgresql/README.md b/site-cookbooks/kosmos-postgresql/README.md new file mode 100644 index 0000000..9521928 --- /dev/null +++ b/site-cookbooks/kosmos-postgresql/README.md @@ -0,0 +1,4 @@ +# kosmos-postgresql + +TODO: Enter the cookbook description here. + diff --git a/site-cookbooks/kosmos-postgresql/chefignore b/site-cookbooks/kosmos-postgresql/chefignore new file mode 100644 index 0000000..4439807 --- /dev/null +++ b/site-cookbooks/kosmos-postgresql/chefignore 
@@ -0,0 +1,104 @@ +# Put files/directories that should be ignored in this file when uploading +# to a chef-server or supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +Icon? +nohup.out +ehthumbs.db +Thumbs.db + +# SASS # +######## +.sass-cache + +# EDITORS # +########### +\#* +.#* +*~ +*.sw[a-z] +*.bak +REVISION +TAGS* +tmtags +*_flymake.* +*_flymake +*.tmproj +.project +.settings +mkmf.log + +## COMPILED ## +############## +a.out +*.o +*.pyc +*.so +*.com +*.class +*.dll +*.exe +*/rdoc/ + +# Testing # +########### +.watchr +.rspec +spec/* +spec/fixtures/* +test/* +features/* +examples/* +Guardfile +Procfile +.kitchen* +kitchen.yml* +.rubocop.yml +spec/* +Rakefile +.travis.yml +.foodcritic +.codeclimate.yml + +# SCM # +####### +.git +*/.git +.gitignore +.gitmodules +.gitconfig +.gitattributes +.svn +*/.bzr/* +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Cookbooks # +############# +CONTRIBUTING* +CHANGELOG* +TESTING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/site-cookbooks/kosmos-postgresql/metadata.rb b/site-cookbooks/kosmos-postgresql/metadata.rb new file mode 100644 index 0000000..748f491 --- /dev/null +++ b/site-cookbooks/kosmos-postgresql/metadata.rb 
@@ -0,0 +1,22 @@
+name 'kosmos-postgresql'
+maintainer 'Kosmos'
+maintainer_email 'ops@5apps.com'
+license 'All Rights Reserved'
+description 'Installs/Configures kosmos-postgresql'
+long_description 'Installs/Configures kosmos-postgresql'
+version '0.1.0'
+chef_version '>= 12.14' if respond_to?(:chef_version)
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//kosmos-postgresql/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//kosmos-postgresql'
+
+depends "postgresql", "= 6.1.1"
diff --git a/site-cookbooks/kosmos-postgresql/recipes/default.rb b/site-cookbooks/kosmos-postgresql/recipes/default.rb
new file mode 100644
index 0000000..1758f29
--- /dev/null
+++ b/site-cookbooks/kosmos-postgresql/recipes/default.rb
@@ -0,0 +1,16 @@
+#
+# Cookbook:: kosmos-postgresql
+# Recipe:: default
+#
+# Copyright:: 2019, Kosmos, All Rights Reserved.
+
+node.override['postgresql']['enable_pgdg_apt'] = false
+# See https://github.com/sous-chefs/postgresql/issues/480
+node.override['postgresql']['pg_gem']['version'] = '0.21.0'
+include_recipe "postgresql::server"
+include_recipe "postgresql::ruby"
+unless node.chef_environment == "development"
+ node.override['postgresql']['config_pgtune']['db_type'] = "web"
+ include_recipe "postgresql::config_pgtune"
+end
+
-- 2.25.1
From aa64456fc70d0b926c2ed4f47bb0d4b8918356fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Thu, 10 Jan 2019 16:47:58 +0100 Subject: [PATCH 03/25] Reload ejabberd when the config file changes
--- site-cookbooks/kosmos-ejabberd/recipes/default.rb | 6 ++++++ 1 file changed, 6 insertions(+) 
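Review bot: The `node.override[...]` assignments in the recipe (`enable_pgdg_apt`, the `pg_gem` version, `config_pgtune` `db_type`) only affect attribute reads that happen after this recipe is compiled, so the outcome depends on where it sits in the run list; moving them to an `attributes/default.rb` of this cookbook makes the precedence explicit and keeps the `# See https://github.com/sous-chefs/postgresql/issues/480` reason next to the value it justifies. It is also worth confirming that the pinned `postgresql` 6.1.1 `server` recipe populates `node['postgresql']['password']['postgres']` on this run, because the kosmos-ejabberd recipe in the first patch builds its `postgresql_connection_info` from that attribute and would otherwise pass `nil` as the superuser password.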
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index cb7a791..d43f5ce 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -59,6 +59,12 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
 mode 0640
 sensitive true
 variables pgsql_password: "super_secret"
+ notifies :run, "execute[ejabberdctl reload_config]", :delayed
+end
+
+execute "ejabberdctl reload_config" do
+ command "/opt/ejabberd-18.12.1/bin/ejabberdctl reload_config"
+ action :nothing
 end

 file "/etc/init.d/ejabberd" do
-- 2.25.1
From 3a8a2b6be01dadb19db6d1fdcf6c7202a2845a67 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Thu, 10 Jan 2019 16:48:12 +0100 Subject: [PATCH 04/25] Switch the config to the latest version without comments Taken from the 18.12.1 default config
--- .../templates/ejabberd.yml.erb | 762 ++---------------- 1 file changed, 81 insertions(+), 681 deletions(-)
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index 15f9495..81a6328 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
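Review bot: The new `execute "ejabberdctl reload_config"` hard-codes `/opt/ejabberd-18.12.1/bin/ejabberdctl` although the recipe already derives the package path and the systemd unit from the `ejabberd_version` local, so the next bump of that variable leaves this command pointing at the old install directory; use `command "/opt/ejabberd-#{ejabberd_version}/bin/ejabberdctl reload_config"`. Unlike `execute "create db schema"`, this resource sets no `user`, so the reload runs as root; confirm that is intended for ejabberdctl rather than the ejabberd system user. The `template` resource that receives the added `notifies` starts outside the hunk.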
@@ -1,116 +1,15 @@ -### -###' ejabberd configuration file -### -### +language: "en" -### The parameters used in this configuration file are explained in more detail -### in the ejabberd Installation and Operation Guide. -### Please consult the Guide in case of doubts, it is included with -### your copy of ejabberd, and is also available online at -### http://www.process-one.net/en/ejabberd/docs/ - -### The configuration file is written in YAML. -### Refer to http://en.wikipedia.org/wiki/YAML for the brief description. -### However, ejabberd treats different literals as different types: -### -### - unquoted or single-quoted strings. They are called "atoms". -### Example: dog, 'Jupiter', '3.14159', YELLOW -### -### - numeric literals. Example: 3, -45.0, .0 -### -### - quoted or folded strings. -### Examples of quoted string: "Lizzard", "orange". -### Example of folded string: -### > Art thou not Romeo, -### and a Montague? - -###. ======= -###' LOGGING - -## -## loglevel: Verbosity of log files generated by ejabberd. -## 0: No ejabberd log at all (not recommended) -## 1: Critical -## 2: Error -## 3: Warning -## 4: Info -## 5: Debug -## -loglevel: 5 - -## -## rotation: Describe how to rotate logs. Either size and/or date can trigger -## log rotation. Setting count to N keeps N rotated logs. Setting count to 0 -## does not disable rotation, it instead rotates the file and keeps no previous -## versions around. Setting size to X rotate log when it reaches X bytes. -## To disable rotation set the size to 0 and the date to "" -## Date syntax is taken from the syntax newsyslog uses in newsyslog.conf. 
-## Some examples: -## $D0 rotate every night at midnight -## $D23 rotate every day at 23:00 hr -## $W0D23 rotate every week on Sunday at 23:00 hr -## $W5D16 rotate every week on Friday at 16:00 hr -## $M1D0 rotate on the first day of every month at midnight -## $M5D6 rotate on every 5th day of the month at 6:00 hr -## +loglevel: 4 log_rotate_size: 10485760 log_rotate_date: "" log_rotate_count: 1 - -## -## overload protection: If you want to limit the number of messages per second -## allowed from error_logger, which is a good idea if you want to avoid a flood -## of messages when system is overloaded, you can set a limit. -## 100 is ejabberd's default. log_rate_limit: 100 -## -## watchdog_admins: Only useful for developers: if an ejabberd process -## consumes a lot of memory, send live notifications to these XMPP -## accounts. -## -##watchdog_admins: -## - "sebastian@5apps.com" - -###. =============== -###' NODE PARAMETERS - -## -## net_ticktime: Specifies net_kernel tick time in seconds. This options must have -## identical value on all nodes, and in most cases shouldn't be changed at all from -## default value. -## -## net_ticktime: 60 - -###. ================ -###' SERVED HOSTNAMES - -## -## hosts: Domains served by ejabberd. -## You can define one or several, for example: -## hosts: -## - "example.net" -## - "example.com" -## - "example.org" -## hosts: - "kosmos.org" - "5apps.com" -## -## route_subdomains: Delegate subdomains to other XMPP servers. -## For example, if this ejabberd serves example.org and you want -## to allow communication with an XMPP server called im.example.org. -## -## route_subdomains: s2s - -###. ============ -###' Certificates - -## List all available PEM files containing certificates for your domains, -## chains of certificates or certificate keys. Full chains will be built -## automatically by ejabberd. 
-## <% if File.exist?("/opt/ejabberd/conf/kosmos.org.pem") || File.exist?("/opt/ejabberd/conf/5apps.com.pem") -%> certfiles: <% if File.exist?("/opt/ejabberd/conf/kosmos.org.pem") -%> @@ -123,9 +22,6 @@ certfiles: ca_file: "/opt/ejabberd/conf/cacert.pem" -###. ================= -###' TLS configuration - define_macro: 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" 'TLS_OPTIONS': 
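Review bot: `loglevel` drops from 5 to 4 in a hunk that otherwise only strips the upstream comments, and the commit message ("without comments") does not mention this behaviour change; now that the level legend is gone, a short comment above the key such as `## 4 = info (was 5 = debug)` keeps the choice visible to the next reader. The ERB condition around `certfiles:` is now the only uncommented template logic in the file; one line like `## certfiles is emitted only when at least one PEM exists on the host` would explain it.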
@@ -141,248 +37,41 @@ s2s_ciphers: 'TLS_CIPHERS' c2s_protocol_options: 'TLS_OPTIONS' s2s_protocol_options: 'TLS_OPTIONS' -###. =============== -###' LISTENING PORTS - -## -## listen: The ports ejabberd will listen on, which service each is handled -## by and what options to start it with. -## listen: - port: 5222 ip: "::" module: ejabberd_c2s - starttls: true - max_stanza_size: 65536 + max_stanza_size: 262144 shaper: c2s_shaper access: c2s + starttls_required: true - port: 5269 ip: "::" module: ejabberd_s2s_in - max_stanza_size: 131072 - shaper: s2s_shaper + max_stanza_size: 524288 - port: 5280 ip: "::" module: ejabberd_http - request_handlers: - "/ws": ejabberd_http_ws - "/bosh": mod_bosh - "/api": mod_http_api - ## "/pub/archive": mod_http_fileserver web_admin: true - ## register: true - captcha: false - ## - ## ejabberd_service: Interact with external components (transports, ...) - ## - ## - - ## port: 8888 - ## ip: "::" - ## module: ejabberd_service - ## access: all - ## shaper_rule: fast - ## ip: "127.0.0.1" - ## privilege_access: - ## roster: "both" - ## message: "outgoing" - ## presence: "roster" - ## delegations: - ## "urn:xmpp:mam:1": - ## filtering: ["node"] - ## "http://jabber.org/protocol/pubsub": - ## filtering: [] - ## hosts: - ## "icq.example.org": - ## password: "secret" - ## "sms.example.org": - ## password: "secret" - - ## - ## ejabberd_stun: Handles STUN Binding requests - ## - ## - - ## port: 3478 - ## transport: udp - ## module: ejabberd_stun - - ## - ## To handle XML-RPC requests that provide admin credentials: - ## - ## - - ## port: 4560 - ## ip: "::" - ## module: ejabberd_xmlrpc - ## maxsessions: 10 - ## timeout: 5000 - ## access_commands: - ## admin: - ## commands: all - ## options: [] - - ## - ## To enable secure http upload - ## - port: 5443 + ip: "::" module: ejabberd_http request_handlers: - "upload": mod_http_upload + "/api": mod_http_api + "/bosh": mod_bosh + "/upload": mod_http_upload + "/ws": ejabberd_http_ws + "/oauth": 
ejabberd_oauth + web_admin: true + captcha: false tls: true - ##protocol_options: 'TLS_OPTIONS' - ##dhfile: 'DH_FILE' - ##ciphers: 'TLS_CIPHERS' -## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text -## password storage (see auth_password_format option). -## disable_sasl_mechanisms: "digest-md5" - -###. ================== -###' S2S GLOBAL OPTIONS - -## -## s2s_use_starttls: Enable STARTTLS for S2S connections. -## Allowed values are: false, optional or required -## You must specify 'certfiles' option -## s2s_use_starttls: optional -## -## S2S whitelist or blacklist -## -## Default s2s policy for undefined hosts. -## -## s2s_access: s2s - -## -## Outgoing S2S options -## -## Preferred address families (which to try first) and connect timeout -## in seconds. -## -## outgoing_s2s_families: -## - ipv4 -## - ipv6 -## outgoing_s2s_timeout: 190 - -###. ============== -###' AUTHENTICATION - -## -## auth_method: Method used to authenticate the users. -## The default method is the internal. -## If you want to use a different method, -## comment this line and enable the correct ones. -## -## auth_method: sql - -## -## Store the plain passwords or hashed for SCRAM: -## auth_password_format: plain -auth_password_format: scram -## -## Define the FQDN if ejabberd doesn't detect it: -## fqdn: "server3.example.com" - -## -## Authentication using external script -## Make sure the script is executable by ejabberd. -## -## auth_method: external -## extauth_program: "/path/to/authentication/script" - -## -## Authentication using SQL -## Remember to setup a database in the next section. 
-## -auth_method: sql - -## -## Authentication using PAM -## -## auth_method: pam -## pam_service: "pamservicename" - -## -## Authentication using LDAP -## -## auth_method: ldap -## -## List of LDAP servers: -## ldap_servers: -## - "localhost" -## -## Encryption of connection to LDAP servers: -## ldap_encrypt: none -## ldap_encrypt: tls -## -## Port to connect to on LDAP servers: -## ldap_port: 389 -## ldap_port: 636 -## -## LDAP manager: -## ldap_rootdn: "dc=example,dc=com" -## -## Password of LDAP manager: -## ldap_password: "******" -## -## Search base of LDAP directory: -## ldap_base: "dc=example,dc=com" -## -## LDAP attribute that holds user ID: -## ldap_uids: -## - "mail": "%u@mail.example.org" -## -## LDAP filter: -## ldap_filter: "(objectClass=shadowAccount)" - -## -## Anonymous login support: -## auth_method: anonymous -## anonymous_protocol: sasl_anon | login_anon | both -## allow_multiple_connections: true | false -## -## host_config: -## "public.example.org": -## auth_method: anonymous -## allow_multiple_connections: false -## anonymous_protocol: sasl_anon -## -## To use both anonymous and internal authentication: -## -## host_config: -## "public.example.org": -## auth_method: -## - internal -## - anonymous - -###. ============== -###' DATABASE SETUP - -## ejabberd by default uses the internal Mnesia database, -## so you do not necessarily need this section. -## This section provides configuration examples in case -## you want to use other database backends. -## Please consult the ejabberd Guide for details on database creation. - -## -## MySQL server: -## -## sql_type: mysql -## sql_server: "server" -## sql_database: "database" -## sql_username: "username" -## sql_password: "password" -## -## If you want to specify the port: -## sql_port: 1234 - -## -## PostgreSQL server: -## - default_db: sql sql_type: pgsql 
@@ -391,65 +80,14 @@ sql_database: "ejabberd" sql_username: "ejabberd" sql_password: "<%= @pgsql_password %>" new_sql_schema: true -## -## If you want to specify the port: -## sql_port: 1234 -## -## If you use PostgreSQL, have a large database, and need a -## faster but inexact replacement for "select count(*) from users" -## -## pgsql_users_number_estimate: true - -## -## SQLite: -## -## sql_type: sqlite -## sql_database: "/opt/ejabberd/database/ejabberd.db" - -## -## ODBC compatible or MSSQL server: -## -## sql_type: odbc -## sql_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd" - -## -## Number of connections to open to the database for each virtual host -## -## sql_pool_size: 10 - -## -## Interval to make a dummy SQL request to keep the connections to the -## database alive. Specify in seconds: for example 28800 means 8 hours -## -## sql_keepalive_interval: undefined - -###. =============== -###' TRAFFIC SHAPERS - -shaper: - ## - ## The "normal" shaper limits traffic speed to 1000 B/s - ## - normal: 1000 - - ## - ## The "fast" shaper limits traffic speed to 50000 B/s - ## - fast: 50000 - -## -## This option specifies the maximum number of elements in the queue -## of the FSM. Refer to the documentation for details. -## -max_fsm_queue: 10000 - -###. ==================== -###' ACCESS CONTROL LISTS acl: - ## - ## The 'admin' ACL grants administrative privileges to XMPP accounts. - ## You can put here as many accounts as you want. - ## + local: + user_regexp: "" + loopback: + ip: + - "127.0.0.0/8" + - "::1/128" + - "::FFFF:127.0.0.1/128" admin: user: - "greg@5apps.com" 
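Review bot: The rewritten 5280 listener keeps `web_admin: true` but has no `tls: true` and still binds `ip: "::"`, so the admin UI, which authenticates admin XMPP accounts with HTTP Basic auth, stays reachable in plaintext from every interface, while the new 5443 listener already serves `web_admin` over TLS. Either bind 5280 to loopback (`ip: "127.0.0.1"`) or drop `web_admin: true` from it and leave only the TLS listener. Note also that `shaper: s2s_shaper` is removed from the 5269 listener while `shaper_rules.s2s_shaper` is kept elsewhere in the file, so inbound s2s traffic is no longer shaped; if that is intentional the orphaned rule can go too. The hunk also appears to drop `auth_method: sql` — recent ejabberd releases fall back to `default_db` for authentication, but confirm against the deployed version so users are not silently looked up in Mnesia.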
@@ -457,133 +95,25 @@ acl: - "garret@5apps.com" - "raucao@kosmos.org" - ## - ## Blocked users - ## - ## blocked: - ## user: - ## - "baduser@example.org" - ## - "test" - - ## Local users: don't modify this. - ## - local: - user_regexp: "" - - ## - ## More examples of ACLs - ## - ## jabberorg: - ## server: - ## - "jabber.org" - ## aleksey: - ## user: - ## - "aleksey@jabber.ru" - ## test: - ## user_regexp: "^test" - ## user_glob: "test*" - - ## - ## Loopback network - ## - loopback: - ip: - - "127.0.0.0/8" - - "::1/128" - - "::FFFF:127.0.0.1/128" - - ## - ## Bad XMPP servers - ## - ## bad_servers: - ## server: - ## - "xmpp.zombie.org" - ## - "xmpp.spam.com" - -## -## Define specific ACLs in a virtual host. -## -## host_config: -## "localhost": -## acl: -## admin: -## user: -## - "bob-local@localhost" - -###. ============ -###' SHAPER RULES - -shaper_rules: - ## Maximum number of simultaneous sessions allowed for a single user: - max_user_sessions: 10 - ## Maximum number of offline messages that users can have: - max_user_offline_messages: - - 5000: admin - - 100 - ## For C2S connections, all users except admins use the "normal" shaper - c2s_shaper: - - none: admin - - normal - ## All S2S connections use the "fast" shaper - s2s_shaper: fast - -###. ============ -###' ACCESS RULES access_rules: - ## This rule allows access only for local users: local: - allow: local - ## Only non-blocked users can use c2s connections: c2s: - deny: blocked - allow - ## Only admins can send announcement messages: announce: - allow: admin - ## Only admins can use the configuration interface: configure: - allow: admin - ## Only accounts of the local ejabberd server can create rooms: muc_create: - - allow: admin - allow: local - ## Only accounts on the local ejabberd server can create Pubsub nodes: pubsub_createnode: - allow: local - ## In-band registration allows registration of any possible username. - ## To disable in-band registration, replace 'allow' with 'deny'. 
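Review bot: `sql_password: "<%= @pgsql_password %>"` interpolates the credential into a YAML double-quoted scalar unescaped, so a generated password containing `"` or `\` breaks the config or is silently mangled; rendering it as `sql_password: <%= @pgsql_password.to_json %>` yields a valid double-quoted scalar for any value (Chef loads the json library, so `to_json` should be available in templates — confirm). Since the rendered ejabberd.yml now carries a database password, the `template` resource in the recipe (outside this diff) should set `sensitive true` and a restrictive mode such as `0640` owned by the ejabberd user, so the secret is neither logged in Chef output nor readable by other local accounts.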
register: - allow - ## Only allow to register from localhost trusted_network: - allow: loopback - ## Do not establish S2S connections with bad servers - ## If you enable this you also have to uncomment "s2s_access: s2s" - ## s2s: - ## - deny: - ## - ip: "XXX.XXX.XXX.XXX/32" - ## - deny: - ## - ip: "XXX.XXX.XXX.XXX/32" - ## - allow -## =============== -## API PERMISSIONS -## =============== -## -## This section allows you to define who and using what method -## can execute commands offered by ejabberd. -## -## By default "console commands" section allow executing all commands -## issued using ejabberdctl command, and "admin access" section allows -## users in admin acl that connect from 127.0.0.1 to execute all -## commands except start and stop with any available access method -## (ejabberdctl, http-api, xmlrpc depending what is enabled on server). -## -## If you remove "console commands" there will be one added by -## default allowing executing all commands, but if you just change -## permissions in it, version from config file will be used instead -## of default one. -## api_permissions: "console commands": from: 
@@ -613,220 +143,100 @@ api_permissions: - "status" - "connected_users_number" -## By default the frequency of account registrations from the same IP -## is limited to 1 account every 10 minutes. To disable, specify: infinity -## registration_timeout: 600 - -## -## Define specific Access Rules in a virtual host. -## -## host_config: -## "localhost": -## access: -## c2s: -## - allow: admin -## - deny -## register: -## - deny +shaper: + normal: 1000 + fast: 50000 -###. ================ -###' DEFAULT LANGUAGE +shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + - 5000: admin + - 100 + c2s_shaper: + - none: admin + - normal + s2s_shaper: fast -## -## language: Default language used for server messages. -## -language: "en" +max_fsm_queue: 10000 -## -## Set a different default language in a virtual host. -## -## host_config: -## "localhost": -## language: "ru" +acme: + contact: "mailto:admin@vagrant.vm" + ca_url: "https://acme-v01.api.letsencrypt.org" -###. ======= -###' CAPTCHA - -## -## Full path to a script that generates the image. -## -## captcha_cmd: "/opt/ejabberd-17.12/lib/ejabberd-17.12/priv/bin/captcha.sh" - -## -## Host for the URL and port where ejabberd listens for CAPTCHA requests. -## -## captcha_host: "xmpp:5280" - -## -## Limit CAPTCHA calls per minute for JID/IP to avoid DoS. -## -## captcha_limit: 5 - -###. ==== -###' ACME -## -## In order to use the acme certificate acquiring through "Let's Encrypt" -## an http listener has to be configured to listen to port 80 so that -## the authorization challenges posed by "Let's Encrypt" can be solved. -## -## A simple way of doing this would be to add the following in the listening -## section and to configure port forwarding from 80 to 5280 either via NAT -## (for ipv4 only) or using frontends such as haproxy/nginx/sslh/etc. 
-## - -## port: 5280 -## ip: "::" -## module: ejabberd_http - -##acme: - - ## A contact mail that the ACME Certificate Authority can contact in case of - ## an authorization issue, such as a server-initiated certificate revocation. - ## It is not mandatory to provide an email address but it is highly suggested. - ##contact: "mailto:ops@5apps.com" - - ## The ACME Certificate Authority URL. - ## This could either be: - ## - https://acme-v01.api.letsencrypt.org - (Default) for the production CA - ## - https://acme-staging.api.letsencrypt.org - for the staging CA - ## - http://localhost:4000 - for a local version of the CA - ##ca_url: "https://acme-v01.api.letsencrypt.org" - -###. ======= -###' MODULES - -## -## Modules enabled in all ejabberd virtual hosts. -## modules: mod_adhoc: {} mod_admin_extra: {} - mod_announce: # recommends mod_adhoc + mod_announce: access: announce - mod_blocking: {} # requires mod_privacy + mod_avatar: {} + mod_blocking: {} + mod_bosh: {} mod_caps: {} mod_carboncopy: {} mod_client_state: {} - mod_configure: {} # requires mod_adhoc - ## mod_delegation: {} # for xep0356 - mod_disco: - server_info: - - - modules: all - name: "abuse-addresses" - urls: ["mailto:abuse@kosmos.org"] - ## mod_echo: {} - ## mod_irc: {} - mod_bosh: {} - ## mod_http_fileserver: - ## docroot: "/var/www" - ## accesslog: "/opt/ejabberd-17.12/logs/access.log" + mod_configure: {} + mod_disco: {} + mod_fail2ban: {} + mod_http_api: {} mod_http_upload: docroot: "/var/www/xmpp.@HOST@/uploads/" put_url: "https://xmpp.@HOST@:5443/upload" - thumbnail: false # otherwise needs the identify command from ImageMagick installed - ## mod_http_upload_quota: - ## max_days: 30 mod_last: {} - ## XEP-0313: Message Archive Management - ## You might want to setup a SQL backend for MAM because the mnesia database is - ## limited to 2GB which might be exceeded on large servers mod_mam: + db_type: sql + assume_mam_usage: true default: always - request_activates_archiving: true - mod_muc: {} + 
mod_muc: + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + default_room_options: + allow_subscription: true # enable MucSub + mam: true mod_muc_admin: {} - ## mod_muc_log: {} - ## mod_multicast: {} mod_offline: access_max_user_messages: max_user_offline_messages mod_ping: {} - ## mod_pres_counter: - ## count: 5 - ## interval: 60 mod_privacy: {} mod_private: {} - mod_proxy65: {} + mod_proxy65: + access: local + max_connections: 5 mod_pubsub: access_createnode: pubsub_createnode - ## reduces resource comsumption, but XEP incompliant - ignore_pep_from_offline: true - ## XEP compliant, but increases resource comsumption - ## ignore_pep_from_offline: false - last_item_cache: false - max_items_node: 10 plugins: - "flat" - - "pep" # pep requires mod_caps + - "pep" + force_node_config: + ## Change from "whitelist" to "open" to enable OMEMO support + ## See https://github.com/processone/ejabberd/issues/2425 + "eu.siacs.conversations.axolotl.*": + access_model: whitelist + ## Avoid buggy clients to make their bookmarks public + "storage:bookmarks": + access_model: whitelist mod_push: {} mod_push_keepalive: {} mod_register: - ## - ## Protect In-Band account registrations with CAPTCHA. - ## - ## captcha_protected: true - ## - ## Set the minimum informational entropy for passwords. - ## - ## password_strength: 32 - ## - ## After successful registration, the user receives - ## a message with this subject and body. - ## - welcome_message: - subject: "Welcome!" - body: |- - Hi. - Welcome to this XMPP server. - ## - ## When a user registers, send a notification to - ## these XMPP accounts. - ## - ## registration_watchers: - ## - "admin1@example.org" - ## - ## Only clients in the server machine can register accounts - ## + ## Only accept registration requests from the "trusted" + ## network (see access_rules section above). + ## Think twice before enabling registration from any + ## address. 
See the Jabber SPAM Manifesto for details: + ## https://github.com/ge0rg/jabber-spam-fighting-manifesto ip_access: trusted_network - ## - ## Local c2s or remote s2s users cannot register accounts - ## - ## access_from: deny - access: register mod_roster: versioning: true - store_current_id: true - mod_shared_roster: {} - ## mod_stats: {} - ## mod_time: {} - mod_vcard: - search: false - mod_vcard_xupdate: {} - ## Convert all avatars posted by Android clients from WebP to JPEG - ## mod_avatar: # this module needs compile option --enable-graphics - ## convert: - ## webp: jpeg - mod_version: {} - mod_stream_mgmt: {} - ## Non-SASL Authentication (XEP-0078) is now disabled by default - ## because it's obsoleted and is used mostly by abandoned - ## client software - ## mod_legacy_auth: {} - ## The module for S2S dialback (XEP-0220). Please note that you cannot - ## rely solely on dialback if you want to federate with other servers, - ## because a lot of servers have dialback disabled and instead rely on - ## PKIX authentication. Make sure you have proper certificates installed - ## and check your accessibility at https://check.messaging.one/ mod_s2s_dialback: {} - mod_http_api: {} - -## -## Enable modules with custom options in a specific virtual host -## -## host_config: -## "localhost": -## modules: -## mod_echo: -## host: "mirror.localhost" + mod_shared_roster: {} + mod_stream_mgmt: + resend_on_timeout: if_offline + mod_vcard: {} + mod_vcard_xupdate: {} + mod_version: + show_os: false host_config: "kosmos.org": @@ -850,17 +260,7 @@ host_config: access_create: muc_create access_persistent: muc_create -## -## Enable modules management via ejabberdctl for installation and -## uninstallation of public/private contributed modules -## (enabled by default) -## - -allow_contrib_modules: true - -###. -###' ### Local Variables: ### mode: yaml ### End: -### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker: +### vim: set filetype=yaml tabstop=8 -- 2.25.1 
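Review bot: `acme.contact` is set to the placeholder `mailto:admin@vagrant.vm` with `ca_url` pointing at the production Let's Encrypt endpoint, so any certificate ejabberd requests from this template registers an ACME account with an unreachable contact and expiry or revocation notices never arrive; the contact belongs in a node attribute (e.g. `contact: "mailto:<%= node['kosmos-ejabberd']['acme_contact'] %>"`, named per the cookbook's convention) and the vagrant/test case should use the staging CA to stay clear of production rate limits. Let's Encrypt has since retired the `acme-v01` endpoint, so this URL will need moving to v02 regardless. Separately, replacing the `mod_disco` block with `mod_disco: {}` drops the XEP-0157 `abuse-addresses` entry (`mailto:abuse@kosmos.org`); for a federating server that contact is how other operators report spam, so it is worth keeping in `server_info`.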
From 2a4940b36114b9165135f7fe1f67ade24c2373b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Thu, 24 Jan 2019 19:23:09 +0100 Subject: [PATCH 05/25] Install Ruby in the backup cookbook Also switch to the 5.0 beta version, it works with modern Rubies --- site-cookbooks/backup/metadata.rb | 2 ++ site-cookbooks/backup/templates/default/config.rb.erb | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/site-cookbooks/backup/metadata.rb b/site-cookbooks/backup/metadata.rb index 5cd3ae7..3e854e3 100644 --- a/site-cookbooks/backup/metadata.rb +++ b/site-cookbooks/backup/metadata.rb @@ -8,3 +8,5 @@ name "backup" depends 'logrotate' depends 'mysql' +depends 'postgresql' +depends 'build-essential' diff --git a/site-cookbooks/backup/templates/default/config.rb.erb b/site-cookbooks/backup/templates/default/config.rb.erb index dec61a8..ee07022 100644 --- a/site-cookbooks/backup/templates/default/config.rb.erb +++ b/site-cookbooks/backup/templates/default/config.rb.erb @@ -1,7 +1,7 @@ # encoding: utf-8 ## -# Backup v4.x Configuration +# Backup v5.x Configuration # # Documentation: http://backup.github.io/backup # Issue Tracker: https://github.com/backup/backup/issues @@ -56,8 +56,8 @@ end <%- if node["backup"]["postgresql"] -%> Database::PostgreSQL.defaults do |db| - db.username = "<%= node["backup"]["postgresql"]["username"] %>" - db.password = "<%= node["backup"]["postgresql"]["password"] %>" + db.username = "postgres" + db.password = "<%= node['postgresql']['password']['postgres'] %>" db.host = "<%= node["backup"]["postgresql"]["host"] %>" db.port = "<%= node["backup"]["postgresql"]["port"] %>" # db.socket = "/var/run/postgresql/.s.PGSQL.5432" -- 2.25.1 From b5d76f7eaa2556f4946ae0af86a105de29c190d5 Mon Sep 17 00:00:00 2001 
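Review bot: The PostgreSQL dump now always runs as the `postgres` superuser, with its password rendered in clear into config.rb; pg_dump only needs read access to the backed-up databases, so a dedicated backup role granted `CONNECT` and `SELECT` on those databases is the least-privilege option, and the rendered config.rb must be written with a restrictive mode and `sensitive true` on the template resource (not visible here). Replacing `node["backup"]["postgresql"]["username"]` with the literal `"postgres"` also silently ignores any username a wrapper sets, so either keep honouring the attribute with `"postgres"` as its default or remove the attribute entirely. Note that the postgresql cookbook bump later in this series (to 7.1.3) deletes that cookbook's `attributes/default.rb`, so confirm `node['postgresql']['password']['postgres']` is still populated (e.g. by kosmos-postgresql); otherwise this line renders `db.password = ""`.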
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Thu, 24 Jan 2019 19:31:17 +0100 Subject: [PATCH 06/25] Get rid of the deprecated set_unless --- site-cookbooks/backup/attributes/default.rb | 38 ++++++++++----------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/site-cookbooks/backup/attributes/default.rb b/site-cookbooks/backup/attributes/default.rb index 7df43a5..0d9fd55 100644 --- a/site-cookbooks/backup/attributes/default.rb +++ b/site-cookbooks/backup/attributes/default.rb 
@@ -1,41 +1,41 @@ # Directory where backup config and models are stored -set_unless["backup"]["dir"] = "/usr/local/lib/backup" +default["backup"]["dir"] = "/usr/local/lib/backup" # Use default backup model? -set_unless["backup"]["default_model"] = true +default["backup"]["default_model"] = true # Compression default settings -set_unless["backup"]["compression"]["best"] = true -set_unless["backup"]["compression"]["fast"] = false +default["backup"]["compression"]["best"] = true +default["backup"]["compression"]["fast"] = false default['backup']['user'] = 'backup' # Archive default settings -set_unless["backup"]["archives"] = {} +default["backup"]["archives"] = {} # MongoDB default settings if node["mongodb"] - set_unless["backup"]["mongodb"]["databases"] = [] - set_unless["backup"]["mongodb"]["host"] = "localhost" - set_unless["backup"]["mongodb"]["ipv6"] = false - set_unless["backup"]["mongodb"]["lock"] = false + default["backup"]["mongodb"]["databases"] = [] + default["backup"]["mongodb"]["host"] = "localhost" + default["backup"]["mongodb"]["ipv6"] = false + default["backup"]["mongodb"]["lock"] = false end # MySQL default settings -set_unless["backup"]["mysql"]["databases"] = [] -set_unless["backup"]["mysql"]["username"] = "root" -set_unless["backup"]["mysql"]["host"] = "localhost" +default["backup"]["mysql"]["databases"] = [] +default["backup"]["mysql"]["username"] = "root" +default["backup"]["mysql"]["host"] = "localhost" # PostgreSQL default settings -set_unless["backup"]["postgresql"]["databases"] = [] -set_unless["backup"]["postgresql"]["host"] = "localhost" -set_unless["backup"]["postgresql"]["port"] = 5432 +default["backup"]["postgresql"]["databases"] = [] +default["backup"]["postgresql"]["host"] = "localhost" +default["backup"]["postgresql"]["port"] = 5432 # Redis default settings -set_unless["backup"]["redis"]["databases"] = [] -set_unless["backup"]["redis"]["host"] = "localhost" -set_unless["backup"]["redis"]["invoke_save"] = false 
-set_unless["backup"]["redis"]["dump_dir"] = "/var/lib/redis" +default["backup"]["redis"]["databases"] = [] +default["backup"]["redis"]["host"] = "localhost" +default["backup"]["redis"]["invoke_save"] = false +default["backup"]["redis"]["dump_dir"] = "/var/lib/redis" default['backup']['orbit']['keep'] = 10 default['backup']['cron']['hour'] = "05" -- 2.25.1 From 28b41939820763d918669f0feebc6ba8d273d629 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Thu, 24 Jan 2019 19:32:37 +0100 Subject: [PATCH 07/25] Add a dependency on the backup cookbook --- site-cookbooks/kosmos-ejabberd/metadata.rb | 1 + .../templates/ejabberd.yml.erb | 23 ++++++++++++------- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb index 1fcf0e6..7cb7483 100644 --- a/site-cookbooks/kosmos-ejabberd/metadata.rb +++ b/site-cookbooks/kosmos-ejabberd/metadata.rb @@ -21,3 +21,4 @@ chef_version '>= 12.14' if respond_to?(:chef_version) depends "kosmos-postgresql" depends "database" +depends "backup" diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 81a6328..a9e25e8 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -61,14 +61,13 @@ listen: ip: "::" module: ejabberd_http request_handlers: - "/api": mod_http_api - "/bosh": mod_bosh "/upload": mod_http_upload - "/ws": ejabberd_http_ws - "/oauth": ejabberd_oauth - web_admin: true - captcha: false tls: true + custom_headers: + "Access-Control-Allow-Origin": "*" + "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT" + "Access-Control-Allow-Headers": "Authorization" + "Access-Control-Allow-Credentials": "true" s2s_use_starttls: optional 
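Review bot: Switching `set_unless` to `default` changes more than the deprecation: `set_unless` wrote at `normal` precedence, and normal attributes are persisted in the node object on the Chef server, so nodes that already converged keep `normal`-level copies of every `backup` key that now shadow the `default` values here and any wrapper's `default` overrides. A one-off cleanup on existing nodes (`node.normal["backup"] = nil` in a transitional recipe, or `knife node attribute delete`) or at least a CHANGELOG note avoids surprising drift between fresh and existing hosts. The `if node["mongodb"]` guard also depends on the mongodb cookbook's attribute file loading first, which was already the case before this change.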
@@ -183,9 +182,10 @@ modules: put_url: "https://xmpp.@HOST@:5443/upload" mod_last: {} mod_mam: + default: always db_type: sql assume_mam_usage: true - default: always + request_activates_archiving: true mod_muc: access: - allow @@ -229,11 +229,13 @@ modules: ip_access: trusted_network mod_roster: versioning: true + store_current_id: true mod_s2s_dialback: {} mod_shared_roster: {} mod_stream_mgmt: resend_on_timeout: if_offline - mod_vcard: {} + mod_vcard: + search: false mod_vcard_xupdate: {} mod_version: show_os: false @@ -249,6 +251,8 @@ host_config: - allow: admin access_create: muc_create access_persistent: muc_create + default_room_options: + mam: true "5apps.com": modules: mod_muc: @@ -259,6 +263,9 @@ host_config: - allow: admin access_create: muc_create access_persistent: muc_create + default_room_options: + mam: true +allow_contrib_modules: true ### Local Variables: ### mode: yaml -- 2.25.1 From 39821ad253137f93fcfaf8efab784355ca44d6a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Mon, 25 Feb 2019 12:57:11 +0100 Subject: [PATCH 08/25] Update the ipfs cookbook --- Berksfile.lock | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Berksfile.lock b/Berksfile.lock index 4ddbc5d..8601a8e 100644 --- a/Berksfile.lock +++ b/Berksfile.lock @@ -114,7 +114,11 @@ GRAPH hostsfile (2.4.5) iis (6.7.1) windows (>= 2.0) +<<<<<<< HEAD ipfs (0.1.2) +======= + ipfs (0.1.1) +>>>>>>> 591c746... Update the ipfs cookbook ark (>= 0.0.0) logrotate (2.2.0) mariadb (0.3.1) -- 2.25.1 From 32c4896eb70fae74898ca72638233e013b73865a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Mon, 25 Feb 2019 18:13:06 +0100 Subject: [PATCH 09/25] Add a recipe that sets up backups for ejabberd --- site-cookbooks/kosmos-ejabberd/recipes/backup.rb | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 site-cookbooks/kosmos-ejabberd/recipes/backup.rb 
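Review bot: The new `custom_headers` combine `Access-Control-Allow-Origin: "*"` with `Access-Control-Allow-Credentials: "true"`, which the CORS spec forbids: browsers reject a credentialed response whose allowed origin is the wildcard, so the credentials header buys nothing and only signals that cookies or `Authorization` from any origin were intended. For `mod_http_upload` the PUT is authorised by the unguessable slot URL, so wildcard origin without credentials is the usual setup; drop the `"Access-Control-Allow-Credentials": "true"` line, and if credentialed cross-origin access is genuinely needed, reflect an explicit allow-list of origins instead. Moving `/api`, `/bosh`, `/ws` and `/oauth` off this listener is a good reduction of the public surface, but the `mod_http_api`, `mod_bosh` and `ejabberd_oauth` handlers are now served nowhere unless another listener outside this hunk picks them up.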
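Review bot: Re-adding `allow_contrib_modules: true` lets `ejabberdctl module_install` fetch and build Erlang code from the ejabberd-contrib git repository at runtime, i.e. unpinned third-party code compiled into the server process, and nothing in the module list this template ships depends on it. Unless a contrib module is actually deployed, set `allow_contrib_modules: false` (or drop the key) so that adding a module stays a reviewed change to the cookbook rather than a shell command on the host.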
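Review bot: This hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 591c746...`) into Berksfile.lock, so the lockfile no longer parses and every `berks` invocation against it fails, and it is unclear whether `ipfs (0.1.1)` or `ipfs (0.1.2)` was meant. Resolve to the single version the Berksfile pins and regenerate the lock with `berks update ipfs` rather than editing it by hand.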
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/backup.rb b/site-cookbooks/kosmos-ejabberd/recipes/backup.rb new file mode 100644 index 0000000..f6f154a --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/recipes/backup.rb @@ -0,0 +1,16 @@ +# +# Cookbook:: kosmos-ejabberd +# Recipe:: backup +# +# Copyright:: 2019, Kosmos, All Rights Reserved. +# + +unless node.chef_environment == "development" + # backup the data dir and the config files + node.override["backup"]["archives"]["ejabberd"] = ["/opt/ejabberd", "/var/www/xmpp.kosmos.org"] + unless node["backup"]["postgresql"]["databases"].include? "ejabberd" + node.override["backup"]["postgresql"]["databases"] = + node["backup"]["postgresql"]["databases"].to_a << "ejabberd" + end + include_recipe "backup" +end -- 2.25.1 From a9d1b38f150fbf8bec09035233ae7d372f54db1e Mon Sep 17 00:00:00 2001 
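Review bot: The archive list `["/opt/ejabberd", "/var/www/xmpp.kosmos.org"]` sweeps up `/opt/ejabberd/conf`, i.e. the rendered ejabberd.yml with `sql_password` and the `*.pem` TLS private keys the template loads from that directory, so the backup archive now holds the server's secrets; make sure the backup model applies the gem's encryption (`encrypt_with OpenSSL` or `GPG`) and that the storage target is access-controlled, or exclude `conf/` and let Chef regenerate it on restore. The upload directory is also hard-coded to the kosmos.org vhost, while the template's `mod_http_upload` docroot is `/var/www/xmpp.@HOST@/uploads/` for both `kosmos.org` and `5apps.com`, so 5apps uploads are silently skipped; `/var/www` or one entry per served host would be more accurate. The `unless node.chef_environment == "development"` guard is fine, but a short comment saying why backups are intentionally absent in development would save the next reader a question.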
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 27 Feb 2019 12:40:15 +0100 Subject: [PATCH 10/25] Update the postgresql cookbook --- Berksfile | 2 +- Berksfile.lock | 7 +- cookbooks/postgresql/.foodcritic | 2 - cookbooks/postgresql/CHANGELOG.md | 366 ++----------- cookbooks/postgresql/CONTRIBUTING.md | 3 +- cookbooks/postgresql/README.md | 503 +++++++++++------ cookbooks/postgresql/attributes/default.rb | 244 --------- .../attributes/yum_pgdg_packages.rb | 507 ------------------ cookbooks/postgresql/libraries/default.rb | 307 ----------- cookbooks/postgresql/libraries/helpers.rb | 247 +++++++++ cookbooks/postgresql/metadata.json | 2 +- cookbooks/postgresql/metadata.rb | 15 + .../postgresql/recipes/apt_pgdg_postgresql.rb | 8 - .../postgresql/recipes/ca_certificates.rb | 2 - cookbooks/postgresql/recipes/config_initdb.rb | 147 ----- cookbooks/postgresql/recipes/config_pgtune.rb | 283 ---------- cookbooks/postgresql/recipes/contrib.rb | 33 -- cookbooks/postgresql/recipes/default.rb | 19 - cookbooks/postgresql/recipes/ruby.rb | 125 ----- cookbooks/postgresql/recipes/server.rb | 95 ---- cookbooks/postgresql/recipes/server_conf.rb | 55 -- cookbooks/postgresql/recipes/server_debian.rb | 35 -- cookbooks/postgresql/recipes/server_redhat.rb | 140 ----- .../postgresql/recipes/yum_pgdg_postgresql.rb | 41 -- cookbooks/postgresql/resources/access.rb | 59 ++ .../client.rb => resources/client_install.rb} | 27 +- cookbooks/postgresql/resources/database.rb | 67 +++ cookbooks/postgresql/resources/extension.rb | 42 +- cookbooks/postgresql/resources/ident.rb | 55 ++ cookbooks/postgresql/resources/repository.rb | 90 ++++ cookbooks/postgresql/resources/server_conf.rb | 52 ++ .../postgresql/resources/server_install.rb | 76 +++ cookbooks/postgresql/resources/user.rb | 87 +++ .../templates/default/pg_hba.conf.erb | 35 -- .../templates/default/pgsql.sysconfig.erb | 4 - .../templates/default/postgresql.service.erb | 10 - .../postgresql/templates/pg_hba.conf.erb | 33 ++ 
.../postgresql/templates/pg_ident.conf.erb | 49 ++ .../postgresql/templates/pgsql.sysconfig.erb | 2 + .../{default => }/postgresql.conf.erb | 9 +- .../templates/postgresql.service.erb | 6 + site-cookbooks/kosmos-postgresql/metadata.rb | 2 +- .../kosmos-postgresql/recipes/default.rb | 17 +- 43 files changed, 1272 insertions(+), 2638 deletions(-) delete mode 100644 cookbooks/postgresql/.foodcritic delete mode 100644 cookbooks/postgresql/attributes/default.rb delete mode 100644 cookbooks/postgresql/attributes/yum_pgdg_packages.rb delete mode 100644 cookbooks/postgresql/libraries/default.rb create mode 100644 cookbooks/postgresql/libraries/helpers.rb create mode 100644 cookbooks/postgresql/metadata.rb delete mode 100644 cookbooks/postgresql/recipes/apt_pgdg_postgresql.rb delete mode 100644 cookbooks/postgresql/recipes/ca_certificates.rb delete mode 100644 cookbooks/postgresql/recipes/config_initdb.rb delete mode 100644 cookbooks/postgresql/recipes/config_pgtune.rb delete mode 100644 cookbooks/postgresql/recipes/contrib.rb delete mode 100644 cookbooks/postgresql/recipes/default.rb delete mode 100644 cookbooks/postgresql/recipes/ruby.rb delete mode 100644 cookbooks/postgresql/recipes/server.rb delete mode 100644 cookbooks/postgresql/recipes/server_conf.rb delete mode 100644 cookbooks/postgresql/recipes/server_debian.rb delete mode 100644 cookbooks/postgresql/recipes/server_redhat.rb delete mode 100644 cookbooks/postgresql/recipes/yum_pgdg_postgresql.rb create mode 100644 cookbooks/postgresql/resources/access.rb rename cookbooks/postgresql/{recipes/client.rb => resources/client_install.rb} (55%) create mode 100644 cookbooks/postgresql/resources/database.rb create mode 100644 cookbooks/postgresql/resources/ident.rb create mode 100644 cookbooks/postgresql/resources/repository.rb create mode 100644 cookbooks/postgresql/resources/server_conf.rb create mode 100644 cookbooks/postgresql/resources/server_install.rb create mode 100644 cookbooks/postgresql/resources/user.rb delete 
mode 100644 cookbooks/postgresql/templates/default/pg_hba.conf.erb delete mode 100644 cookbooks/postgresql/templates/default/pgsql.sysconfig.erb delete mode 100644 cookbooks/postgresql/templates/default/postgresql.service.erb create mode 100644 cookbooks/postgresql/templates/pg_hba.conf.erb create mode 100644 cookbooks/postgresql/templates/pg_ident.conf.erb create mode 100644 cookbooks/postgresql/templates/pgsql.sysconfig.erb rename cookbooks/postgresql/templates/{default => }/postgresql.conf.erb (57%) create mode 100644 cookbooks/postgresql/templates/postgresql.service.erb diff --git a/Berksfile b/Berksfile index 7f1aa74..9463747 100644 --- a/Berksfile +++ b/Berksfile @@ -34,7 +34,7 @@ cookbook 'firewall', '~> 2.6.3' cookbook 'nginx', '= 9.0.0' cookbook 'build-essential', '~> 8.1.1' cookbook 'mysql', '= 6.1.3' -cookbook 'postgresql', '= 6.1.1' +cookbook 'postgresql', '= 7.1.3' cookbook 'apt', '~> 7.0.0' cookbook 'git', '= 6.0.0' cookbook 'hostsfile', '= 2.4.5' diff --git a/Berksfile.lock b/Berksfile.lock index 8601a8e..6d3c5fe 100644 --- a/Berksfile.lock +++ b/Berksfile.lock @@ -47,7 +47,7 @@ DEPENDENCIES poise-ruby-build (= 1.1.0) poise-service (~> 1.5.2) postfix (= 5.0.2) - postgresql (= 6.1.1) + postgresql (= 7.1.3) redis git: https://github.com/phlipper/chef-redis.git revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b @@ -185,10 +185,7 @@ GRAPH poise-service (1.5.2) poise (~> 2.0) postfix (5.0.2) - postgresql (6.1.1) - build-essential (>= 2.0.0) - compat_resource (>= 12.16.3) - openssl (>= 4.0) + postgresql (7.1.3) rbac (1.0.3) redis (0.5.6) apt (>= 0.0.0) diff --git a/cookbooks/postgresql/.foodcritic b/cookbooks/postgresql/.foodcritic deleted file mode 100644 index 41c5512..0000000 --- a/cookbooks/postgresql/.foodcritic +++ /dev/null @@ -1,2 +0,0 @@ -~FC037 -~FC016 diff --git a/cookbooks/postgresql/CHANGELOG.md b/cookbooks/postgresql/CHANGELOG.md index 5c4f4fa..c49c3a4 100644 --- a/cookbooks/postgresql/CHANGELOG.md +++ b/cookbooks/postgresql/CHANGELOG.md 
@@ -1,6 +1,61 @@ # postgresql Cookbook CHANGELOG -This file is used to list changes made in each version of the postgresql cookbook. +This file is used to list changes made in the last 3 major versions of the postgresql cookbook. + +## Unreleased + +## v7.1.3 (15-01-2019) + +- Added support for dash in database role name. + +## v7.1.2 (06-01-2019) + +- Cleanup and update the user resource documentation and code. Removed extraneous 'sensitive' property which is a common property in all Chef resources. +- Change default permissions on the postgres.conf to be world readable so that psql can work. + +## v7.1.1 (26-09-2018) + +- Rename slave to follower +- Use CircleCI for testing +- Simplyfy extension resource + +## v7.1.0 (22-06-2018) + +- Update the `initdb` script to use initdb rather than a service. #542 +- Refactor database commands to use the common connect method. #535 +- Increase the unit test coverage. + +## v7.0.0 (25-05-2018) + +_Breaking Change_ Please see UPGRADING.md and the README.md for information how to use. + +- Add custom resources for: + + - `postgresql_client_install` + - `postgresql_server_install` + - `postgresql_repository` + - `postgresql_pg_gem` + +- Deprecate recipes: + + - `apt_pgdg_postgresql` + - `config_initdb` + - `config_pgtune` + - `contrib` + - `ruby` + - `yum_pgdg_postgresql` + +- Remove deprecated tests + +## v6.1.3 (2018-04-18) + +- Fix recipes referencing the old helpers + +## v6.1.2 (2018-04-16) + +**this will be the last release of the 6.0 series before all recipes are removed from the cookbook** + +- Deprecate all recipes ## v6.1.1 (2017-03-08) 
@@ -92,312 +147,3 @@ This file is used to list changes made in each version of the postgresql cookboo - Remove logic in the apt_pgdg_postgresql recipe that made Chef fail when new distro releases came out - Avoid node.set deprecation warnings - Avoid managed_home deprecation warnings in server_redhat recipe - -## v4.0.6 - -- Add 16.04 Xenial to the allowed list - -## v4.0.4 - -- Add leading pound symbol on pg_hba.conf template comment line -- Update gem install for compile_time to correct deprication warning -- Add support Ubuntu Wily Werewolf pgdg apt repository -- test-kitchen platforms for Centos 7.2 and Ubuntu 15.04 -- Fixes PostgreSQL version & package name defaults for EL7 distros -- Add appropriate systemd unit file overrides for EL7 distros - -## v4.0.2 - -- Add Code of Conduct -- Add Rubocop -- Clean up of syntax in many places as result of adding and evaluating Rubocop -- Updates to test-kitchen.yml -- added additional attribute for people who are importing pgdg packages for internal repositories - - - `default['postgresql']['use_pgdg_packages'] = false` - -## v4.0.0 - -**WARNING: Please read carefully through the stated changes, as they probably will break your current setup and can result in duplicate postgresql versions being installed, configuration corruption and data loss! This list might not be complete, so be careful when using the 4.x version and make sure to test it extensively before production use!** - -When in doubt, put the following in your `Berksfile` until you are ready to upgrade: - -```ruby -cookbook 'postgresql', '~> 3.4.0' -``` - -- Potential breaking change: Restructured default attributes to avoid compile time deriving other attribute values from value of the `node[‘postgresql’][‘version’]` (#313, #302, #295, #288, #280, #261, #260, #254, #248, #217, #214, #167, #143). 
If you specify a custom postgresql version, make sure to adapt the following attributes as well: - -```ruby -default['postgresql']['dir'] = "/etc/postgresql/#{node['postgresql']['version']}/main" -default['postgresql']['client']['packages'] = [ "postgresql-client-#{node['postgresql']['version']}", 'libpq-dev' ] -default['postgresql']['server']['packages'] = [ "postgresql-#{node['postgresql']['version']}" ] -default['postgresql']['contrib']['packages'] = [ "postgresql-contrib-#{node['postgresql']['version']}" ] -``` - -- Potential breaking change: SSL configuration parameters. Due to the new structuring, make sure you set all SSL attributes to `override` when specifying them in a cookbook: - -```ruby -override['postgresql']['config']['ssl'] = true -override['postgresql']['config']['ssl_cert_file'] = "/path/to/cert.crt" -override['postgresql']['config']['ssl_key_file'] = "/path/to/cert.key" -override['postgresql']['config']['ssl_ciphers'] = "" -``` - -- Potential breaking change: Some node attributes are now persistet in your node configuration. This affects the following attributes: - -```json -"config": { - "data_directory": "/var/lib/postgresql/9.4/main", - "hba_file": "/etc/postgresql/9.4/main/pg_hba.conf", - "ident_file": "/etc/postgresql/9.4/main/pg_ident.conf", - "external_pid_file": "/var/run/postgresql/9.4-main.pid", - "unix_socket_directories": "/var/run/postgresql", - "ssl_cert_file": "/etc/ssl/certs/ssl-cert-snakeoil.pem", - "ssl_key_file": "/etc/ssl/private/ssl-cert-snakeoil.key" -} -``` - -- Potential breaking change: Parsing of attributes from node/ environment configuration. It has been reported that setting the `node['postgresql']['client']['packages']` attribute in a cookbook might result in the default version of the postgresql client package being installed alongside the required version. This might affect the server packages as well. 
-- Correct issues which caused the inability to override installation version defaults -- Correct issues which caused configuration file entries with miss matching version numbers and incorrect file system paths being defined -- Remove method pgdgrepo_rpm_info compile time use of derived attributes case many issues -- Use correct directory path and check for the correct not_if condition to determine if the database has been initialized -- Ensure that correct packages are installed in all scenarios where pg gem is compiled -- Fix errors in configuration files for unix_socket_directory and unix_socket_directories -- Updates to test-kitchen suite configuration -- Added more grey hair to my beard - -## v3.4.24 - -- Corrections to address repositories signed with newer certificates that some distributions have in their default ca-certificates package -- Updates to more accurately determine distributions service init systems adds better support for systemd systems -- Correct how version attribute is evaluated in certain places -- test-kitchen suite configuration corrections -- Opensuse support - -## v3.4.23 - -- Skipping 3.4.22 with Develop branch 3.4.23 to return to releasing cookbook from master on even numbers and develop on odd numbers. - -## v3.4.21 - -- Use more optimistic openssl version constraint -- Add Postgresql 9.4 package sources for RHEL platforms -- Update testing infrastructure to address bit rot - -## v3.4.20 - -- Revert [#251](https://github.com/sous-chefs/postgresql/pull/251), a change which caused the postgresql service to restart every Chef run. - -## v3.4.19 - -- node.save could better not be run on every chef run since it causes node.default attributes stored to the node objects to differ during a chef run and when -- Missing attribute in docs for yum_pgdg_postgresql -- restart postgres service immediately on config change -- Run restart command right away on the postgresql service. 
-- Add kitchen test for shared_preload_libraries & extension setup. -- Fix install order of contrib packages to fix pg_stat_statements issues. -- Add Debian Jessie to whitelist for apt.postgresql.org repo -- Install version 9.4 on Debian Jessie -- add amazon 2015 -- add rhel7 support - -## v3.4.18 - -- Revert changes from #201 with the intention of revisiting these changes as part of the next major version release. -- Specify version constraint on openssl cookbook due to an upstream release mishap - -## v3.4.16 - -- Changed hard coded value to attribute #219 -- Correction for directory creation under debian, etc. #222 -- Fedora 20 yum support #223 -- Define version-sensitive attributes in a recipe #201 - -## v3.4.14 - -- Support apt repository for Ubuntu Utopic 14.10 -- Do not try and set password on standby hosts - -## v3.4.12 - -- Create configuration templates at the appropriate time -- If template is updated restart service changed to default of :delayed -- Fix SSL for PostgreSQL versions < 9.2 - -## v3.4.10 - -- correct conditional error created in 3.4.8. - -## v3.4.8 - -- Correct scenario where work_mem could be set to 0 if con is greater than mem Issue #185 -- Add Centos7 suites to kitchen configuration - -## v3.4.6 - -- Don't include the pgdg recipes on the wrong machine types -- Add missing dir /etc/sysconfig/pgsl for centos7 -- CentOS 7 package support - -## v3.4.4 - -- fix packages on SLES11SP2 and higher -- [COOK-4737] Add flag to control database user password behavior -- add amazon platform rpm info -- Fix issues with the server_redhat recipe on Fedora 16 and later -- attribute typo correction -- correctly check and set max_connections to an integer - -## v3.4.2 - -- Changed the Gem::Installer::ExtensionBuildError to a Mixlib::ShellOut::ShellCommandFailed - -## v3.4.1 - -- Added support for Ubuntu 14.04 and Postgresql 9.3 -- Fix [COOK-3490] - -## v3.4.0 - -Updated CONTRIBUTING document. Refreshed test kitchen configuration. 
Merged Pull Requests: 122, 116, 104, 102, 99, 96, 93, 90. - -## v3.3.4 - -Testing - -## v3.3.2 - -- Testing maintainer transfer to Heavywater with Opscode as collaborator - -## v3.3.0 - -### Bug - -- **[COOK-3851](https://tickets.opscode.com/browse/COOK-3851)** - Postgresql: reload after config change does not pick up certain configuration changes -- **[COOK-3611](https://tickets.opscode.com/browse/COOK-3611)** - unix_socket_directory does not exists in 9.3 -- **[COOK-2954](https://tickets.opscode.com/browse/COOK-2954)** - PostgreSQL installation ignores version attribute on CentOS >= 6 - -## v3.2.0 - -- [COOK-3717] Pgdg repositories improvements -- [COOK-3756] Change postgresql.conf mode from 0600 to 0644 - -## v3.1.0 - -### Improvement - -- **[COOK-3685](https://tickets.opscode.com/browse/COOK-3685)** - Upgrade Repo Attributes for Postgresql 9.3 -- **[COOK-3597](https://tickets.opscode.com/browse/COOK-3597)** - Fix implementation of `initdb_locale` attribute for RHEL -- **[COOK-3566](https://tickets.opscode.com/browse/COOK-3566)** - Give the user's rules more priority than the default ones in pg_hba -- **[COOK-3553](https://tickets.opscode.com/browse/COOK-3553)** - Remove automatic `apt-get update` - -### Bug - -- **[COOK-3611](https://tickets.opscode.com/browse/COOK-3611)** - Remove `unix_socket_directory` (it does not exists in 9.3) -- **[COOK-3599](https://tickets.opscode.com/browse/COOK-3599)** - Automatically add PGDG apt repo dependency on PostgreSQL version -- **[COOK-3555](https://tickets.opscode.com/browse/COOK-3555)** - Documentation Fix -- **[COOK-2383](https://tickets.opscode.com/browse/COOK-2383)** - Update Postgres version in attributes - -## v3.0.4 - -### Bug - -- **[COOK-3173](https://tickets.opscode.com/browse/COOK-3173)** - Use :reload instead of :restart on conf changes -- **[COOK-2939](https://tickets.opscode.com/browse/COOK-2939)** - Fix RedHat support - -## v3.0.2 - -### Bug - -- [COOK-3076]: postgresql::ruby recipe error when using pgdg 
repositories - -## v3.0.0 - -This is a backwards-incompatible release because the Pitti PPA is deprecated and the recipe removed, replaced with the PGDG apt repository. - -### Bug - -- [COOK-2571]: Create helper library for pg extension detection -- [COOK-2797]: Contrib extension contianing '-' fails to load. - -### Improvement - -- [COOK-2387]: Pitti Postgresql PPA is deprecated - -### Task - -- [COOK-3022]: update baseboxes in .kitchen.yml - -## v2.4.0 - -- [COOK-2163] - Dangerous "assign-postgres-password" in "recipes/server.rb" -- Can lock out dbadmin access -- [COOK-2390] - Recipes to auto-generate many postgresql.conf settings, following "initdb" and "pgtune" -- [COOK-2435] - Foodcritic fixes for postgresql cookbook -- [COOK-2476] - Installation into database of any contrib module extensions listed in a node attribute - -## v2.2.2 - -- [COOK-2232] -Provide PGDG yum repo to install postgresql 9.x on redhat-derived distributions - -## v2.2.0 - -- [COOK-2230] - Careful about Debian minor version numbers -- [COOK-2231] - Fix support for postgresql 9.x in server_redhat recipe -- [COOK-2238] - Postgresql recipe error in password check -- [COOK-2176] - PostgreSQL cookbook in Solo mode can cause "NoMethodError: undefined method `[]' for nil:NilClass" -- [COOK-2233] - Provide postgresql::contrib recipe to install useful server administration tools - -## v2.1.0 - -- [COOK-1872] - Allow latest PostgreSQL deb packages to be installed -- [COOK-1961] - Postgresql config file changes with every Chef run -- [COOK-2041] - Postgres cookbook no longer installs on OpenSuSE 11.4 - -## v2.0.2 - -- [COOK-1406] - pg gem compile is unable to find libpq under Chef full stack (omnibus) installation - -## v2.0.0 - -This version is backwards incompatible with previous versions of the cookbook due to use of `platform_family`, and the refactored configuration files using node attributes. See README.md for details on how to modify configuration of PostgreSQL. 
- -- [COOK-1508] - fix mixlib shellout error on SUSE -- [COOK-1744] - Add service enable & start -- [COOK-1779] - Don't run apt-get update and others in ruby recipe if pg is installed -- [COOK-1871] - Attribute driven configuration files for PostgreSQL -- [COOK-1900] - don't assume ssl on all postgresql 8.4+ installs -- [COOK-1901] - fail a chef-solo run when the postgres password attribute is not set - -## v1.0.0 - -**Important note for this release** - -This version no longer installs Ruby bindings in the client recipe by default. Use the ruby recipe if you'd like the RubyGem. If you'd like packages for your distribution, use them in your application's specific cookbook/recipe, or modify the client packages attribute. - -This resolves the following tickets. - -- COOK-1011 -- COOK-1534 - -The following issues are also resolved with this release. - -- [COOK-1011] - Don't install postgresql packages during compile phase and remove pg gem installation -- [COOK-1224] - fix undefined variable on Debian -- [COOK-1462] - Add attribute for specifying listen address - -## v0.99.4 - -- [COOK-421] - config template is malformed -- [COOK-956] - add make package on ubuntu/debian - -## v0.99.2 - -- [COOK-916] - use < (with float) for version comparison. - -## v0.99.0 - -- Better support for Red Hat-family platforms -- Integration with database cookbook -- Make sure the postgres role is updated with a (secure) password diff --git a/cookbooks/postgresql/CONTRIBUTING.md b/cookbooks/postgresql/CONTRIBUTING.md index ae6f6df..e28e2a6 100644 --- a/cookbooks/postgresql/CONTRIBUTING.md +++ b/cookbooks/postgresql/CONTRIBUTING.md 
@@ -4,13 +4,12 @@ ### `master` branch -The master branch is the current comitted changes. These changes may not yet be released although we try to release often. +The master branch is the current committed changes. These changes may not yet be released although we try to release often. ## Tags All releases are tagged in git. To see the releases available to you see the changelog or the tags directly. - ## Pull requests - diff --git a/cookbooks/postgresql/README.md b/cookbooks/postgresql/README.md index 061a9b0..0c3fa7f 100644 --- a/cookbooks/postgresql/README.md +++ b/cookbooks/postgresql/README.md 
@@ -1,273 +1,420 @@ -# postgresql cookbook +# PostgreSQL cookbook -[![Build Status](https://travis-ci.org/sous-chefs/postgresql.svg?branch=master)](https://travis-ci.org/sous-chefs/postgresql) [![Cookbook Version](https://img.shields.io/cookbook/v/postgresql.svg)](https://supermarket.chef.io/cookbooks/postgresql) +[![CircleCI](https://circleci.com/gh/sous-chefs/postgresql/tree/master.svg?style=svg)](https://circleci.com/gh/sous-chefs/postgresql/tree/master) [![Cookbook Version](https://img.shields.io/cookbook/v/postgresql.svg)](https://supermarket.chef.io/cookbooks/postgresql) [![pullreminders](https://pullreminders.com/badge.svg)](https://pullreminders.com?ref=badge) Installs and configures PostgreSQL as a client or a server. +## Upgrading + +If you are wondering where all the recipes went in v7.0+, or how on earth I use this new cookbook please see upgrading.md for a full description. + ## Requirements ### Platforms +- Amazon Linux - Debian 7+ -- Ubuntu 12.04+ -- Red Hat/CentOS/Scientific (6.0+ required) - "EL6-family" +- Ubuntu 14.04+ +- Red Hat/CentOS/Scientific 6+ - Fedora -- SLES 12+ -- openSUSE 13+ / openSUSE Leap + +### PostgreSQL version + +We follow the currently supported versions listed on ### Chef -- Chef 12.1+ +- Chef 13.8+ -### Cookbooks +### Cookbook Dependencies -- `compat_resource` -- `openssl` -- `build-essential` +None. -## Attributes +## Resources -The following attributes are set based on the platform, see the `attributes/default.rb` file for default values. +### postgresql_client_install -- `node['postgresql']['version']` - version of postgresql to manage -- `node['postgresql']['dir']` - home directory of where postgresql data and configuration lives. -- `node['postgresql']['client']['packages']` - An array of package names that should be installed on "client" systems. -- `node['postgresql']['server']['packages']` - An array of package names that should be installed on "server" systems. 
-- `node['postgresql']['server']['config_change_notify']` - Type of notification triggered when a config file changes. -- `node['postgresql']['contrib']['packages']` - An array of package names that could be installed on "server" systems for useful sysadmin tools. -- `node['postgresql']['enable_pgdg_apt']` - Whether to enable the apt repo by the PostgreSQL Global Development Group, which contains newer versions of PostgreSQL. -- `node['postgresql']['enable_pgdg_yum']` - Whether to enable the yum repo by the PostgreSQL Global Development Group, which contains newer versions of PostgreSQL. -- `node['postgresql']['initdb_locale']` - Sets the default locale for the database cluster. If this attribute is not specified, the locale is inherited from the environment that initdb runs in. Sometimes you must have a system locale that is not what you want for your database cluster, and this attribute addresses that scenario. Valid only for EL-family distros (RedHat/Centos/etc.). +This resource installs PostgreSQL client packages. -The following attributes are generated in `recipe[postgresql::server]`. +#### Actions -## Configuration +- `install` - (default) Install client packages -The `postgresql.conf` and `pg_hba.conf` files are dynamically generated from attributes. Each key in `node['postgresql']['config']` is a postgresql configuration directive, and will be rendered in the config file. For example, the attribute: +#### Properties + +Name | Types | Description | Default | Required? 
+------------------- | ----------------- | ------------------------------------------------------------- | ----------------------------------------- | --------- +`version` | String | Version of PostgreSQL to install | '9.6' | no +`setup_repo` | Boolean | Define if you want to add the PostgreSQL repo | true | no +`hba_file` | String | | `#{conf_dir}/main/pg_hba.conf` | no +`ident_file` | String | | `#{conf_dir}/main/pg_ident.conf` | no +`external_pid_file` | String | | `/var/run/postgresql/#{version}-main.pid` | no +`password` | String, nil | Pass in a password, or have the cookbook generate one for you | | no + +#### Examples + +To install version 9.5: ```ruby -node['postgresql']['config']['listen_addresses'] = 'localhost' +postgresql_client_install 'My PostgreSQL Client install' do + version '9.5' +end ``` -Will result in the following line in the `postgresql.conf` file: +### postgresql_server_install + +This resource installs PostgreSQL client and server packages. + +#### Actions + +- `install` - (default) Install client and server packages +- `create` - Initialize the database + +#### Properties + +Name | Types | Description | Default | Required? 
+------------------- | --------------- | --------------------------------------------- | -------------------------------------------------- | --------- +`version` | String | Version of PostgreSQL to install | '9.6' | no +`setup_repo` | Boolean | Define if you want to add the PostgreSQL repo | true | no +`hba_file` | String | Path of pg_hba.conf file | `/pg_hba.conf'` | no +`ident_file` | String | Path of pg_ident.conf file | `/pg_ident.conf` | no +`external_pid_file` | String | Path of PID file | `/var/run/postgresql/-main.pid` | no +`password` | String, nil | Set PostgreSQL user password | 'generate' | no +`port` | Integer | Set listen port of PostgreSQL service | 5432 | no +`initdb_locale` | String | Locale to initialise the database with | 'C' | no + +#### Examples + +To install PostgreSQL server, set your own postgres password using non-default service port. ```ruby -listen_addresses = 'localhost' +postgresql_server_install 'My PostgreSQL Server install' do + action :install +end + +postgresql_server_install 'Setup my PostgreSQL 9.6 server' do + password 'MyP4ssw0rd' + port 5433 + action :create +end ``` -The attributes file contains default values for Debian and RHEL platform families (per the `node['platform_family']`). These defaults have disparity between the platforms because they were originally extracted from the postgresql.conf files in the previous version of this cookbook, which differed in their default config. The resulting configuration files will be the same as before, but the content will be dynamically rendered from the attributes. The helpful commentary will no longer be present. You should consult the PostgreSQL documentation for specific configuration details. +#### Known issues -See **Recipes** `config_initdb` and `config_pgtune` below to auto-generate many postgresql.conf settings. +On some platforms (e.g. 
Ubuntu 18.04), your `initdb_locale` should be set to the +same as the template database [GH-555](https://github.com/sous-chefs/postgresql/issues/555). -For values that are "on" or "off", they should be specified as literal `true` or `false`. String values will be used with single quotes. Any configuration option set to the literal `nil` will be skipped entirely. All other values (e.g., numeric literals) will be used as is. So for example: +### postgresql_server_conf + +This resource manages postgresql.conf configuration file. + +#### Actions + +- `modify` - (default) Manager PostgreSQL configuration file (postgresql.conf) + +#### Properties + +Name | Types | Description | Default | Required? +---------------------- | ------- | --------------------------------------- | --------------------------------------------------- | --------- +`version` | String | Version of PostgreSQL to install | '9.6' | no +`data_directory` | String | Path of PostgreSQL data directory | `` | no +`hba_file` | String | Path of pg_hba.conf file | `/pg_hba.conf` | no +`ident_file` | String | Path of pg_ident.conf file | `/pg_ident.conf` | no +`external_pid_file` | String | Path of PID file | `/var/run/postgresql/-main.pid` | no +`stats_temp_directory` | String | Path of stats file | `/var/run/postgresql/version>-main.pg_stat_tmp` | no +`port` | Integer | Set listen port of PostgreSQL service | 5432 | no +`additional_config` | Hash | Extra configuration for the config file | {} | no + +#### Examples + +To setup your PostgreSQL configuration with a specific data directory. If you have installed a specific version of PostgreSQL (different from 9.6), you must specify version in this resource too. 
```ruby -node.default['postgresql']['config']['logging_collector'] = true -node.default['postgresql']['config']['datestyle'] = 'iso, mdy' -node.default['postgresql']['config']['ident_file'] = nil -node.default['postgresql']['config']['port'] = 5432 +postgresql_server_conf 'My PostgreSQL Config' do + version '9.5' + data_directory '/data/postgresql/9.5/main' + notifies :reload, 'service[postgresql]' +end ``` -Will result in the following config lines: +### postgresql_extension + +This resource manages PostgreSQL extensions for a given database. + +#### Actions + +- `create` - (default) Creates an extension in a given database +- `drop` - Drops an extension from the database + +#### Properties + +Name | Types | Description | Default | Required? +------------- | ------ | -------------------------------------------------------------------------------- | ---------------- | --------- +`database` | String | Name of the database to install the extension into | | yes +`extension` | String | Name of the extension to install the database | Name of resource | yes +`version` | String | Version of the extension to install | | no +`old_version` | String | Older module name for new extension replacement. Appends FROM to extension query | | no + +#### Examples + +To install the `adminpack` extension: ```ruby -logging_collector = 'on' -datestyle = 'iso,mdy' -port = 5432 +# Add the contrib package in Ubuntu/Debian +package 'postgresql-contrib-9.6' + +# Install adminpack extension +postgresql_extension 'postgres adminpack' do + database 'postgres' + extension 'adminpack' +end ``` -(no line printed for `ident_file` as it is `nil`) +### postgresql_access -Note that the `unix_socket_directory` configuration was renamed to `unix_socket_directories` in Postgres 9.3 so make sure to use the `node['postgresql']['unix_socket_directories']` attribute instead of `node['postgresql']['unix_socket_directory']`. 
+This resource uses the accumulator pattern to build up the `pg_hba.conf` file via chef resources instead of piling on a mountain of chef attributes to make this cookbook more reusable. It directly mirrors the configuration options of the postgres hba file in the resource and by default notifies the server with a reload to avoid a full restart, causing a potential outage of service. To revoke access, simply remove the resource and the access change won't be computed into the final `pg_hba.conf` -The `pg_hba.conf` file is dynamically generated from the `node['postgresql']['pg_hba']` attribute. This attribute must be an array of hashes, each hash containing the authorization data. As it is an array, you can append to it in your own recipes. The hash keys in the array must be symbols. Each hash will be written as a line in `pg_hba.conf`. For example, this entry from `node['postgresql']['pg_hba']`: +#### Actions -``` -[{:comment => '# Optional comment', -:type => 'local', :db => 'all', :user => 'postgres', :addr => nil, :method => 'md5'}] +- `grant` - (default) Creates an access line inside of `pg_hba.conf` + +#### Properties + +Name | Types | Description | Default | Required? +--------------- | ------ | ----------------------------------------------------------------------------------------- | ----------------- | --------- +`name` | String | Name of the access resource, this is left as a comment inside the `pg_hba` config | Resource name | yes +`source` | String | The cookbook template filename if you want to use your own custom template | 'pg_hba.conf.erb' | yes +`cookbook` | String | The cookbook to look in for the template source | 'postgresql' | yes +`comment` | String | A comment to leave above the entry in `pg_hba` | nil | no +`access_type` | String | The type of access, e.g. local or host | 'local' | yes +`access_db` | String | The database to access. Can use 'all' for all databases | 'all' | yes +`access_user` | String | The user accessing the database. 
Can use 'all' for any user | 'all' | yes +`access_addr` | String | The address(es) allowed access. Can be nil if method ident is used since it is local then | nil | no +`access_method` | String | Authentication method to use | 'ident' | yes + +#### Examples + +To grant access to the PostgreSQL user with ident authentication: + +```ruby +postgresql_access 'local_postgres_superuser' do + comment 'Local postgres superuser access' + access_type 'local' + access_db 'all' + access_user 'postgres' + access_addr nil + access_method 'ident' +end ``` -Will result in the following line in `pg_hba.conf`: +This generates the following line in the `pg_hba.conf`: ``` -# Optional comment -local all postgres md5 +# Local postgres superuser access +local all postgres ident ``` -Use `nil` if the CIDR-ADDRESS should be empty (as above). Don't provide a comment if none is desired in the `pg_hba.conf` file. - -Note that the following authorization rule is supplied automatically by the cookbook template. The cookbook needs this to execute SQL in the PostgreSQL server without supplying the clear-text password (which isn't known by the cookbook). Therefore, your `node['postgresql']['pg_hba']` attributes don't need to specify this authorization rule: +**Note**: The template by default generates a local access for Unix domain sockets only to support running the SQL execute resources. In Postgres version 9.1 and higher, the method is 'peer' instead of 'ident' which is identical. It looks like this: ``` # "local" is for Unix domain socket connections only -local all all ident +local all all peer ``` -(By the way, the template uses `peer` instead of `ident` for PostgreSQL-9.1 and above, which has the same effect.) +### postgresql_ident -## Recipes +This resource generate `pg_ident.conf` configuration file to manage user mapping between system and PostgreSQL users. -### default +#### Actions -Includes the client recipe. 
+- `create` - (default) Creates an mapping line inside of `pg_ident.conf` -### client +#### Properties -Installs the packages defined in the `node['postgresql']['client']['packages']` attribute. +Name | Types | Description | Default | Required? +-------------- | ----------- | -------------------------------------------------------------------------- | ------------------- | --------- +`mapname` | String | Name of the user mapping | Resource name | yes +`source` | String | The cookbook template filename if you want to use your own custom template | 'pg_ident.conf.erb' | no +`cookbook` | String | The cookbook to look in for the template source | 'postgresql' | no +`comment` | String, nil | A comment to leave above the entry in `pg_ident` | nil | no +`system_user` | String | System user or regexp used for the mapping | None | yes +`pg_user` | String | Pg user or regexp used for the mapping | None | yes -### ruby +#### Examples -Install the `pg` gem under Chef's Ruby environment so it can be used in other recipes. The build-essential packages and postgresql client packages will be installed during the compile phase, so that the native extensions of `pg` can be compiled. - -### server - -Includes the `server_debian` or `server_redhat` recipe to get the appropriate server packages installed and service managed. Also manages the configuration for the server: - -- generates a strong default password (via `openssl`) for `postgres` -- sets the password for postgres -- manages the `postgresql.conf` file. -- manages the `pg_hba.conf` file. - -### config_initdb - -Takes locale and timezone settings from the system configuration. This recipe creates `node.default['postgresql']['config']` attributes that conform to the system's locale and timezone. In addition, this recipe creates the same error reporting and logging settings that `initdb` provided: a rotation of 7 days of log files named postgresql-Mon.log, etc. 
- -The default attributes created by this recipe are easy to override with normal attributes because of Chef attribute precedence. For example, suppose a DBA wanted to keep log files indefinitely, rolling over daily or when growing to 10MB. The Chef installation could include the `postgresql::config_initdb` recipe for the locale and timezone settings, but customize the logging settings with these node JSON attributes: - -```javascript -"postgresql": { - "config": { - "log_rotation_age": "1d", - "log_rotation_size": "10MB", - "log_filename": "postgresql-%Y-%m-%d_%H%M%S.log" - } -} -``` - -Credits: This `postgresql::config_initdb` recipe is based on algorithms in the [source code](http://doxygen.postgresql.org/initdb_8c_source.html) for the PostgreSQL `initdb` utility. - -### config_pgtune - -Performance tuning. Takes the wimpy default postgresql.conf and expands the database server to be as powerful as the hardware it's being deployed on. This recipe creates a baseline configuration of `node.default['postgresql']['config']` attributes in the right general range for a dedicated Postgresql system. Most installations won't need additional performance tuning. - -The only decision you need to make is to choose a `db_type` from the following database workloads. (See the recipe code comments for more detailed descriptions.) - -- "dw" -- Data Warehouse -- "oltp" -- Online Transaction Processing -- "web" -- Web Application -- "mixed" -- Mixed DW and OLTP characteristics -- "desktop" -- Not a dedicated database - -This recipe uses a performance model with three input parameters. These node attributes are completely optional, but it is obviously important to choose the `db_type` correctly: - -- `node['postgresql']['config_pgtune']['db_type']` -- Specifies database type from the list of five choices above. If not specified, the default is "mixed". - -- `node['postgresql']['config_pgtune']['max_connections']` -- Specifies maximum number of connections expected. 
If not specified, it depends on database type: "web":200, "oltp":300, "dw":20, "mixed":80, "desktop":5 - -- `node['postgresql']['config_pgtune']['total_memory']` -- Specifies total system memory in kB. (E.g., "49416564kB".) If not specified, it will be taken from Ohai automatic attributes. This could be used to tune a system that isn't a dedicated database. - -The default attributes created by this recipe are easy to override with normal attributes because of Chef attribute precedence. For example, if you are running application benchmarks to try different buffer cache sizes, you would experiment with this node JSON attribute: - -```javascript -"postgresql": { - "config": { - "shared_buffers": "3GB" - } -} -``` - -Note that the recipe uses `max_connections` in its computations. If you want to override that setting, you should specify `node['postgresql']['config_pgtune']['max_connections']` instead of `node['postgresql']['config']['max_connections']`. - -Credits: This `postgresql::config_pgtune` recipe is based on the [pgtune python script](https://github.com/gregs1104/pgtune) developed by [Greg Smith](http://notemagnet.blogspot.com/2008/11/automating-initial-postgresqlconf.html) and [other pgsql-hackers](http://www.postgresql.org/message-id/491C6CDC.8090506@agliodbs.com). - -### contrib - -Installs the packages defined in the `node['postgresql']['contrib']['packages']` attribute. The contrib directory of the PostgreSQL distribution includes porting tools, analysis utilities, and plug-in features that database engineers often require. Some (like `pgbench`) are executable. Others (like `pg_buffercache`) would need to be installed into the database. - -Also installs any contrib module extensions defined in the `node['postgresql']['contrib']['extensions']` attribute. These will be available in any subsequently created databases in the cluster, because they will be installed into the `template1` database using the `CREATE EXTENSION` command. 
For example, it is often necessary/helpful for problem troubleshooting and maintenance planning to install the views and functions in these [standard instrumentation extensions] ([http://www.postgresql.org/message-id/flat/4DC32600.6080900@pgexperts.com#4DD3D6C6.5060006@2ndquadrant.com](mailto:http://www.postgresql.org/message-id/flat/4DC32600.6080900@pgexperts.com#4DD3D6C6.5060006@2ndquadrant.com)): +Creates a `mymapping` mapping that map `john` system user to `user1` PostgreSQL user: ```ruby -node['postgresql']['contrib']['extensions'] = [ - "pageinspect", - "pg_buffercache", - "pg_freespacemap", - "pgrowlocks", - "pg_stat_statements", - "pgstattuple" -] +postgresql_ident 'Map john to user1' do + comment 'John Mapping' + mapname 'mymapping' + system_user 'john' + pg_user 'user1' +end ``` -Note that the `pg_stat_statements` view only works if `postgresql.conf` loads its shared library, which can be done with this node attribute: +This generates the following line in the `pg_ident.conf`: + +``` +# MAPNAME SYSTEM-USERNAME PG-USERNAME + +# John Mapping +mymapping john user1 +``` + +To grant access to the foo user with password authentication: ```ruby -node['postgresql']['config']['shared_preload_libraries'] = 'pg_stat_statements' +postgresql_access 'local_foo_user' do + comment 'Foo user access' + access_type 'host' + access_db 'all' + access_user 'foo' + access_addr '127.0.0.1/32' + access_method 'md5' +end ``` -If using `shared_preload_libraries` in combination with the `contrib` recipe, make sure that the `contrib` recipe is called before the `server` recipe (to ensure the dependencies are installed and setup in order). +This generates the following line in the `pg_hba.conf`: -### apt_pgdg_postgresql +``` +# Local postgres superuser access +host all foo 127.0.0.1/32 ident +``` -Enables the PostgreSQL Global Development Group yum repository maintained by Devrim Gündüz for updated PostgreSQL packages. (The PGDG is the groups that develops PostgreSQL.) 
Automatically included if the `node['postgresql']['enable_pgdg_apt']` attribute is true. Also set the `node['postgresql']['client']['packages']` and `node['postgresql']['server]['packages']` to the list of packages to use from this repository, and set the `node['postgresql']['version']` attribute to the version to use (e.g., "9.2"). +### postgresql_database -### yum_pgdg_postgresql +This resource manages PostgreSQL databases. -Enables the PostgreSQL Global Development Group yum repository maintained by Devrim Gündüz for updated PostgreSQL packages. (The PGDG is the groups that develops PostgreSQL.) Automatically included if the `node['postgresql']['enable_pgdg_yum']` attribute is true. Also use `override_attributes` to set a number of values that will need to have embedded version numbers. For example: +#### Actions + +- `create` - (default) Creates the given database. +- `drop` - Drops the given database. + +#### Properties + +Name | Types | Description | Default | Required? +---------- | ------- | ------------------------------------------------------------------- | ------------------- | --------- +`database` | String | Name of the database to create | Resource name | yes +`user` | String | User which run psql command | 'postgres' | no +`template` | String | Template used to create the new database | 'template1' | no +`host` | String | Define the host server where the database creation will be executed | Not set (localhost) | no +`port` | Integer | Define the port of PostgreSQL server | 5432 | no +`encoding` | String | Define database encoding | 'UTF-8' | no +`locale` | String | Define database locale | 'en_US.UTF-8' | no +`owner` | String | Define the owner of the database | Not set | no + +#### Examples + +To create database named 'my_app' with owner 'user1': ```ruby -node['postgresql']['enable_pgdg_yum'] = true -node['postgresql']['version'] = "9.4" -node['postgresql']['dir'] = "/var/lib/pgsql/9.4/data" -node['postgresql']['config']['data_directory'] = 
node['postgresql']['dir'] -node['postgresql']['client']['packages'] = ["postgresql94", "postgresql94-devel"] -node['postgresql']['server']['packages'] = ["postgresql94-server"] -node['postgresql']['server']['service_name'] = "postgresql-9.4" -node['postgresql']['contrib']['packages'] = ["postgresql94-contrib"] -node['postgresql']['setup_script'] = "postgresql94-setup" +postgresql_database 'my_app' do + owner 'user1' +end ``` -You may set `node['postgresql']['pgdg']['repo_rpm_url']` attributes to pick up recent [PGDG repo packages](http://yum.postgresql.org/repopackages.php). +#### Known issues + +On some platforms (e.g. Ubuntu 18.04), your `initdb_locale` should be set to the +same as the template database [GH-555](https://github.com/sous-chefs/postgresql/issues/555). + +### postgresql_user + +This resource manage PostgreSQL users. + +#### Actions + +- `create` - (default) Creates the given user with default or given privileges. +- `update` - Update user privilieges. +- `drop` - Deletes the given user. + +#### Properties + +Name | Types | Description | Default | Required? 
+-------------------- | ------- | ----------------------------------------------- | -------- | --------- +`create_user` | String | User to create (defaults to the resource name) | | Yes +`superuser` | Boolean | Define if user needs superuser role | false | no +`createdb` | Boolean | Define if user needs createdb role | false | no +`createrole` | Boolean | Define if user needs createrole role | false | no +`inherit` | Boolean | Define if user inherits the privileges of roles | true | no +`replication` | Boolean | Define if user needs replication role | false | no +`login` | Boolean | Define if user can login | true | no +`password` | String | Set user's password | | no +`encrypted_password` | String | Set user's password with an hashed password | | no +`valid_until` | String | Define an account expiration date | | no +`attributes` | Hash | Additional attributes for :update action | {} | no +`user` | String | User for command | postgres | no +`database` | String | Database for command | | no +`host` | String | Hostname for command | | no +`port` | Integer | Port number to connect to postgres | 5432 | no + +#### Examples + +Create a user `user1` with a password, with `createdb` role and set an expiration date to 2018, Dec 21. + +```ruby +postgresql_user 'user1' do + password 'UserP4ssword' + createdb true + valid_until '2018-12-31' +end +``` + +Create a user `user1` with a password, with `createdb` role and set an expiration date to 2018, Dec 21. + +```ruby +postgresql_user 'user1' do + password 'UserP4ssword' + createdb true + valid_until '2018-12-31' +end +``` ## Usage -On systems that need to connect to a PostgreSQL database, add to a run list `recipe[postgresql]` or `recipe[postgresql::client]`. +To install and configure your PostgreSQL instance you need to create your own cookbook and call needed resources with your own parameters. -On systems that should be PostgreSQL servers, use `recipe[postgresql::server]` on a run list. 
This recipe does set a password for the `postgres` user. If you're using `chef server`, if the attribute `node['postgresql']['password']['postgres']` is not found, the recipe generates a random password and performs a node.save. (TODO: This is broken, as it disables the password.) If you're using `chef-solo`, you'll need to set the attribute `node['postgresql']['password']['postgres']` in your node's `json_attribs` file or in a role. +More examples can be found in `test/cookbooks/test/recipes` -On Debian family systems, SSL will be enabled, as the packages on Debian/Ubuntu also generate the SSL certificates. If you use another platform and wish to use SSL in postgresql, then generate your SSL certificates and distribute them in your own cookbook, and set the `node['postgresql']['config']['ssl']` attribute to true in your role/cookboook/node. - -On server systems, the postgres server is restarted when a configuration file changes. This can be changed to reload only by setting the following attribute: +## Example Usage ```ruby -node['postgresql']['server']['config_change_notify'] = :reload +# cookbooks/my_postgresql/recipes/default.rb + +postgresql_client_install 'PostgreSQL Client' do + setup_repo false + version '10.6' +end + +postgresql_server_install 'PostgreSQL Server' do + version '10.6' + setup_repo false + password 'P0stgresP4ssword' +end + +postgresql_server_conf 'PostgreSQL Config' do + notifies :reload, 'service[postgresql]' +end ``` -## Chef Solo Note +## Contributing -The following node attribute is stored on the Chef Server when using `chef-client`. Because `chef-solo` does not connect to a server or save the node object at all, to have the password persist across `chef-solo` runs, you must specify them in the `json_attribs` file used. For Example: +Please refer to each project's style guidelines and guidelines for submitting patches and additions. In general, we follow the "fork-and-pull" Git workflow. 
-``` -{ - "postgresql": { - "password": { - "postgres": "iloverandompasswordsbutthiswilldo" - } - }, - "run_list": ["recipe[postgresql::server]"] -} -``` +1. **Fork** the repo on GitHub +2. **Clone** the project to your own machine +3. **Commit** changes to your own branch +4. **Push** your work back up to your fork +5. Submit a **Pull request** so that we can review your changes -That should actually be the "encrypted password" instead of cleartext, so you should generate it as an md5 hash using the PostgreSQL algorithm. +NOTE: Be sure to merge the latest from "upstream" before making a pull request! -- You could copy the md5-hashed password from an existing postgres database if you have `postgres` access and want to use the same password:
- `select * from pg_shadow where usename='postgres';` -- You can run this from any postgres database session to use a new password:
- `select 'md5'||md5('iloverandompasswordsbutthiswilldo'||'postgres');` -- You can run this from a linux commandline:
- `echo -n 'iloverandompasswordsbutthiswilldo''postgres' | openssl md5 | sed -e 's/.* /md5/'` +[Contribution informations for this project](CONTRIBUTING.md) ## License -Copyright 2010-2016, Chef Software, Inc. +Copyright 2010-2017, Chef Software, Inc. ```text Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/cookbooks/postgresql/attributes/default.rb b/cookbooks/postgresql/attributes/default.rb deleted file mode 100644 index 27d2c7f..0000000 --- a/cookbooks/postgresql/attributes/default.rb +++ /dev/null 
@@ -1,244 +0,0 @@
-# frozen_string_literal: true
-#
-# Cookbook:: postgresql
-# Attributes:: postgresql
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-default['postgresql']['enable_pgdg_apt'] = false
-default['postgresql']['enable_pgdg_yum'] = false
-default['postgresql']['use_pgdg_packages'] = false
-
-default['postgresql']['server']['config_change_notify'] = :restart
-default['postgresql']['assign_postgres_password'] = true
-
-# Establish default database name
-default['postgresql']['database_name'] = 'template1'
-
-# Sets OS init system (upstart, systemd, ...), instead of relying on Ohai
-default['postgresql']['server']['init_package'] =
- case node['platform']
- when 'debian'
- if node['platform_version'].to_f < 7.0
- 'sysv'
- else
- 'systemd'
- end
- when 'ubuntu'
- if node['platform_version'].to_f < 15.04
- 'upstart'
- else
- 'systemd'
- end
- when 'amazon'
- 'upstart'
- when 'redhat', 'centos', 'scientific', 'oracle'
- if node['platform_version'].to_i < 7
- 'sysv'
- else
- 'systemd'
- end
- when 'fedora'
- 'systemd'
- when 'opensuse', 'opensuseleap'
- 'systemd'
- else
- 'upstart'
- end
-
-case node['platform']
-when 'debian'
- if node['platform_version'].to_i == 7
- default['postgresql']['version'] = '9.1'
- default['postgresql']['dir'] = '/etc/postgresql/9.1/main'
- default['postgresql']['client']['packages'] = ['postgresql-client-9.1', 'libpq-dev']
- default['postgresql']['server']['packages'] = ['postgresql-9.1']
- default['postgresql']['contrib']['packages'] = ['postgresql-contrib-9.1']
- else # 8+
- default['postgresql']['version'] = '9.4'
- default['postgresql']['dir'] = '/etc/postgresql/9.4/main'
- default['postgresql']['client']['packages'] = ['postgresql-client-9.4', 'libpq-dev']
- default['postgresql']['server']['packages'] = ['postgresql-9.4']
- default['postgresql']['contrib']['packages'] = ['postgresql-contrib-9.4']
- end
-
- default['postgresql']['server']['service_name'] = 'postgresql'
-
-when 'ubuntu'
-
- if node['platform_version'].to_f <= 13.10
- default['postgresql']['version'] = '9.1'
- default['postgresql']['dir'] = '/etc/postgresql/9.1/main'
- default['postgresql']['server']['service_name'] = 'postgresql'
- default['postgresql']['client']['packages'] = ['postgresql-client-9.1', 'libpq-dev']
- default['postgresql']['server']['packages'] = ['postgresql-9.1']
- default['postgresql']['contrib']['packages'] = ['postgresql-contrib-9.1']
- elsif node['platform_version'].to_f <= 14.04
- default['postgresql']['version'] = '9.3'
- default['postgresql']['dir'] = '/etc/postgresql/9.3/main'
- default['postgresql']['server']['service_name'] = 'postgresql'
- default['postgresql']['client']['packages'] = ['postgresql-client-9.3', 'libpq-dev']
- default['postgresql']['server']['packages'] = ['postgresql-9.3']
- default['postgresql']['contrib']['packages'] = ['postgresql-contrib-9.3']
- elsif node['platform_version'].to_f <= 15.10
- default['postgresql']['version'] = '9.4'
- default['postgresql']['dir'] = '/etc/postgresql/9.4/main'
- default['postgresql']['server']['service_name'] = 'postgresql'
- default['postgresql']['client']['packages'] = ['postgresql-client-9.4', 'libpq-dev']
- default['postgresql']['server']['packages'] = ['postgresql-9.4']
- default['postgresql']['contrib']['packages'] = ['postgresql-contrib-9.4']
- else
- default['postgresql']['version'] = '9.5'
- default['postgresql']['dir'] = '/etc/postgresql/9.5/main'
- default['postgresql']['server']['service_name'] = 'postgresql'
- default['postgresql']['client']['packages'] = ['postgresql-client-9.5', 'libpq-dev']
- default['postgresql']['server']['packages'] = ['postgresql-9.5']
- default['postgresql']['contrib']['packages'] = ['postgresql-contrib-9.5']
- end
-
-when 'fedora'
-
- default['postgresql']['version'] = '9.5'
- default['postgresql']['setup_script'] = 'postgresql-setup'
- default['postgresql']['dir'] = '/var/lib/pgsql/data'
- default['postgresql']['client']['packages'] = %w(postgresql-devel postgresql-contrib)
- default['postgresql']['server']['packages'] = %w(postgresql-server)
- default['postgresql']['contrib']['packages'] = %w(postgresql-contrib)
- default['postgresql']['server']['service_name'] = 'postgresql'
- default['postgresql']['uid'] = '26'
- default['postgresql']['gid'] = '26'
-
-when 'amazon'
-
- if node['platform_version'].to_f >= 2015.03
- default['postgresql']['version'] = '9.2'
- default['postgresql']['dir'] = '/var/lib/pgsql9/data'
- end
-
- default['postgresql']['client']['packages'] = %w(postgresql-devel)
- default['postgresql']['server']['packages'] = %w(postgresql-server)
- default['postgresql']['contrib']['packages'] = %w(postgresql-contrib)
- default['postgresql']['server']['service_name'] = 'postgresql'
- default['postgresql']['uid'] = '26'
- default['postgresql']['gid'] = '26'
-
-when 'redhat', 'centos', 'scientific', 'oracle'
-
- default['postgresql']['version'] = '8.4'
-
- default['postgresql']['client']['packages'] = 'postgresql84-devel'
- default['postgresql']['server']['packages'] = ['postgresql84-server']
- default['postgresql']['contrib']['packages'] = ['postgresql84-contrib']
-
- default['postgresql']['setup_script'] = 'postgresql-setup'
- default['postgresql']['server']['service_name'] = 'postgresql'
- default['postgresql']['uid'] = '26'
- default['postgresql']['gid'] = '26'
-
- if node['platform_version'].to_f >= 6.0 && node['postgresql']['version'].to_f == 8.4
- default['postgresql']['client']['packages'] = 'postgresql-devel'
- default['postgresql']['server']['packages'] = ['postgresql-server']
- default['postgresql']['contrib']['packages'] = ['postgresql-contrib']
- end
-
- if node['platform_version'].to_f >= 7.0
- default['postgresql']['version'] = '9.2'
- default['postgresql']['client']['packages'] = 'postgresql-devel'
- default['postgresql']['server']['packages'] = ['postgresql-server']
- default['postgresql']['contrib']['packages'] = ['postgresql-contrib']
- end
-
-when 'opensuse', 'opensuseleap'
-
- default['postgresql']['dir'] = '/var/lib/pgsql/data'
- default['postgresql']['uid'] = '26'
- default['postgresql']['gid'] = '26'
-
- case node['platform_version'].to_f
- when 13.1
- default['postgresql']['version'] = '9.2'
- default['postgresql']['client']['packages'] = ['postgresql92', 'postgresql92-devel']
- default['postgresql']['server']['packages'] = ['postgresql92-server']
- default['postgresql']['contrib']['packages'] = ['postgresql92-contrib']
- when 13.2
- default['postgresql']['version'] = '9.3'
- default['postgresql']['client']['packages'] = ['postgresql93', 'postgresql93-devel']
- default['postgresql']['server']['packages'] = ['postgresql93-server']
- default['postgresql']['contrib']['packages'] = ['postgresql93-contrib']
- else # opensuseleap
- default['postgresql']['version'] = '9.4'
- default['postgresql']['client']['packages'] = ['postgresql94', 'postgresql94-devel']
- default['postgresql']['server']['packages'] = ['postgresql94-server']
- default['postgresql']['contrib']['packages'] = ['postgresql94-contrib']
- end
-
- default['postgresql']['server']['service_name'] = 'postgresql'
-
-when 'suse' # sles 12+
- default['postgresql']['version'] = '9.1'
- default['postgresql']['client']['packages'] = ['postgresql91', 'rubygem-pg']
- default['postgresql']['server']['packages'] = ['postgresql91-server']
- default['postgresql']['contrib']['packages'] = ['postgresql91-contrib']
- default['postgresql']['dir'] = '/var/lib/pgsql/data'
- default['postgresql']['server']['service_name'] = 'postgresql'
-end
-
-case node['platform_family']
-when 'debian'
- default['postgresql']['config']['listen_addresses'] = 'localhost'
- default['postgresql']['config']['port'] = 5432
- default['postgresql']['config']['max_connections'] = 100
- default['postgresql']['config']['shared_buffers'] = '24MB'
- default['postgresql']['config']['log_line_prefix'] = '%t '
- default['postgresql']['config']['datestyle'] = 'iso, mdy'
- default['postgresql']['config']['default_text_search_config'] = 'pg_catalog.english'
- default['postgresql']['config']['ssl'] = true
-when 'rhel', 'fedora', 'suse'
- default['postgresql']['config']['listen_addresses'] = 'localhost'
- default['postgresql']['config']['port'] = 5432
- default['postgresql']['config']['max_connections'] = 100
- default['postgresql']['config']['shared_buffers'] = '32MB'
- default['postgresql']['config']['logging_collector'] = true
- default['postgresql']['config']['log_directory'] = 'pg_log'
- default['postgresql']['config']['log_filename'] = 'postgresql-%a.log'
- default['postgresql']['config']['log_truncate_on_rotation'] = true
- default['postgresql']['config']['log_rotation_age'] = '1d'
- default['postgresql']['config']['log_rotation_size'] = 0
- default['postgresql']['config']['datestyle'] = 'iso, mdy'
- default['postgresql']['config']['lc_messages'] = 'en_US.UTF-8'
- default['postgresql']['config']['lc_monetary'] = 'en_US.UTF-8'
- default['postgresql']['config']['lc_numeric'] = 'en_US.UTF-8'
- default['postgresql']['config']['lc_time'] = 'en_US.UTF-8'
- default['postgresql']['config']['default_text_search_config'] = 'pg_catalog.english'
-end
-
-default['postgresql']['pg_hba'] = [
- { type: 'local', db: 'all', user: 'postgres', addr: nil, method: 'ident' },
- { type: 'local', db: 'all', user: 'all', addr: nil, method: 'ident' },
- { type: 'host', db: 'all', user: 'all', addr: '127.0.0.1/32', method: 'md5' },
- { type: 'host', db: 'all', user: 'all', addr: '::1/128', method: 'md5' },
-]
-
-default['postgresql']['password'] = {}
-
-# set to install a specific version of the ruby gem pg
-# if attribute is not defined, install will pick the latest available pg gem
-default['postgresql']['pg_gem']['version'] = nil
-
-case node['platform_family']
-when 'debian'
- default['postgresql']['pgdg']['release_apt_codename'] = node['lsb']['codename']
-end
-
-default['postgresql']['initdb_locale'] = 'UTF-8'
diff --git a/cookbooks/postgresql/attributes/yum_pgdg_packages.rb b/cookbooks/postgresql/attributes/yum_pgdg_packages.rb
deleted file mode 100644
index 0dfb8dc..0000000
--- a/cookbooks/postgresql/attributes/yum_pgdg_packages.rb
+++ /dev/null
@@ -1,507 +0,0 @@
-# frozen_string_literal: true
-# The PostgreSQL RPM Building Project built repository RPMs for easy
-# access to the PGDG yum repositories. Links to RPMs for installation
-# on the supported version/platform combinations are listed at
-# http://yum.postgresql.org/repopackages.php, and the links for
-# PostgreSQL 9.2, 9.3, 9.4, 9.5 and 9.6 are captured below.
-#
-default['postgresql']['pgdg']['repo_rpm_url'] = {
- '9.6' => {
- 'amazon' => {
- '2015' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-6-i386/',
- 'package' => 'pgdg-ami201503-96-9.6-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-ami201503-96-9.6-3.noarch.rpm',
- },
- },
- },
- 'centos' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-centos96-9.6-3.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-6-i386/',
- 'package' => 'pgdg-centos96-9.6-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-centos96-9.6-3.noarch.rpm',
- },
- },
- },
- 'redhat' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-redhat96-9.6-3.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-6-i386/',
- 'package' => 'pgdg-redhat96-9.6-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-redhat96-9.6-3.noarch.rpm',
- },
- },
- },
- 'oracle' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-oraclelinux96-9.6-3.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-6-i386/',
- 'package' => 'pgdg-oraclelinux96-9.6-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-oraclelinux96-9.6-3.noarch.rpm',
- },
- },
- },
- 'scientific' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-sl96-9.6-3.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-6-i386/',
- 'package' => 'pgdg-sl96-9.6-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.6/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-sl96-9.6-3.noarch.rpm',
- },
- },
- },
- 'fedora' => {
- '22' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.6/fedora/fedora-22-x86_64/',
- 'package' => 'pgdg-fedora96-9.6-3.noarch.rpm',
- },
- },
- '23' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.6/fedora/fedora-23-x86_64/',
- 'package' => 'pgdg-fedora96-9.6-3.noarch.rpm',
- },
- },
- '24' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.6/fedora/fedora-24-x86_64/',
- 'package' => 'pgdg-fedora96-9.6-3.noarch.rpm',
- },
- },
- '25' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.6/fedora/fedora-25-x86_64/',
- 'package' => 'pgdg-fedora96-9.6-3.noarch.rpm',
- },
- },
- },
- },
- '9.5' => {
- 'amazon' => {
- '2015' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-6-i386/',
- 'package' => 'pgdg-ami201503-95-9.5-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-ami201503-95-9.5-3.noarch.rpm',
- },
- },
- },
- 'centos' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-centos95-9.5-3.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-6-i386/',
- 'package' => 'pgdg-centos95-9.5-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-centos95-9.5-3.noarch.rpm',
- },
- },
- },
- 'redhat' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-redhat95-9.5-3.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-6-i386/',
- 'package' => 'pgdg-redhat95-9.5-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-redhat95-9.5-3.noarch.rpm',
- },
- },
- },
- 'oracle' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-oraclelinux95-9.5-3.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-6-i386/',
- 'package' => 'pgdg-oraclelinux95-9.5-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-oraclelinux95-9.5-3.noarch.rpm',
- },
- },
- },
- 'scientific' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-sl95-9.5-3.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-6-i386/',
- 'package' => 'pgdg-sl95-9.5-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.5/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-sl95-9.5-3.noarch.rpm',
- },
- },
- },
- 'fedora' => {
- '22' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.5/fedora/fedora-22-x86_64/',
- 'package' => 'pgdg-fedora95-9.5-3.noarch.rpm',
- },
- },
- '23' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.5/fedora/fedora-23-x86_64/',
- 'package' => 'pgdg-fedora95-9.5-4.noarch.rpm',
- },
- },
- '24' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.5/fedora/fedora-24-x86_64/',
- 'package' => 'pgdg-fedora95-9.5-4.noarch.rpm',
- },
- },
- '25' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.5/fedora/fedora-25-x86_64/',
- 'package' => 'pgdg-fedora95-9.5-4.noarch.rpm',
- },
- },
- },
- },
- '9.4' => {
- 'redhat' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-redhat94-9.4-2.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-6-i386/',
- 'package' => 'pgdg-redhat94-9.4-2.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-redhat94-9.4-2.noarch.rpm',
- },
- },
- },
- 'centos' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-centos94-9.4-2.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-6-i386/',
- 'package' => 'pgdg-centos94-9.4-2.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-centos94-9.4-2.noarch.rpm',
- },
- },
- '5' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-5-i386/',
- 'package' => 'pgdg-centos94-9.4-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-5-x86_64/',
- 'package' => 'pgdg-centos94-9.4-3.noarch.rpm',
- },
- },
- },
- 'fedora' => {
- '22' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/fedora/fedora-22-x86_64/',
- 'package' => 'pgdg-fedora94-9.4-4.noarch.rpm',
- },
- },
- '23' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/fedora/fedora-23-x86_64/',
- 'package' => 'pgdg-fedora94-9.4-5.noarch.rpm',
- },
- },
- '24' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/fedora/fedora-24-x86_64/',
- 'package' => 'pgdg-fedora94-9.4-5.noarch.rpm',
- },
- },
- '25' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/fedora/fedora-25-x86_64/',
- 'package' => 'pgdg-fedora94-9.4-5.noarch.rpm',
- },
- },
- },
- 'amazon' => {
- '2015' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-6-i386/',
- 'package' => 'pgdg-ami201503-94-9.4-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-ami201503-94-9.4-3.noarch.rpm',
- },
- },
- },
- 'scientific' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-sl94-9.4-3.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-6-i386/',
- 'package' => 'pgdg-sl94-9.4-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-sl94-9.4-3.noarch.rpm',
- },
- },
- },
- 'oracle' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-oraclelinux94-9.4-3.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-6-i386/',
- 'package' => 'pgdg-oraclelinux94-9.4-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.4/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-oraclelinux94-9.4-3.noarch.rpm',
- },
- },
- },
- },
- '9.3' => {
- 'amazon' => {
- '2015' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-6-i386/',
- 'package' => 'pgdg-redhat93-9.3-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-redhat93-9.3-3.noarch.rpm',
- },
- },
- '2014' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-6-i386/',
- 'package' => 'pgdg-redhat93-9.3-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-redhat93-9.3-3.noarch.rpm',
- },
- },
- },
- 'centos' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-centos93-9.3-3.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-6-i386/',
- 'package' => 'pgdg-centos93-9.3-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-centos93-9.3-3.noarch.rpm',
- },
- },
- },
- 'fedora' => {
- '23' => {
- 'x86_64' => {
- 'url' => 'https://yum.postgresql.org/9.3/fedora/fedora-23-x86_64/',
- 'package' => 'pgdg-fedora93-9.3-4.noarch.rpm',
- },
- },
- },
- 'redhat' => {
- '7' => {
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-7-x86_64/',
- 'package' => 'pgdg-redhat93-9.3-2.noarch.rpm',
- },
- },
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-6-i386/',
- 'package' => 'pgdg-redhat93-9.3-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-redhat93-9.3-3.noarch.rpm',
- },
- },
- },
- 'oracle' => {
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-6-i386/',
- 'package' => 'pgdg-redhat93-9.3-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-redhat93-9.3-3.noarch.rpm',
- },
- },
- },
- 'scientific' => {
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-6-i386/',
- 'package' => 'pgdg-sl93-9.3-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/',
- 'package' => 'pgdg-sl93-9.3-3.noarch.rpm',
- },
- },
- '5' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-5-i386/',
- 'package' => 'pgdg-sl93-9.3-3.noarch.rpm',
- },
- 'x86_64' => {
- 'url' => 'http://yum.postgresql.org/9.3/redhat/rhel-5-x86_64/',
- 'package' => 'pgdg-sl93-9.3-3.noarch.rpm',
- },
- },
- },
- },
- '9.2' => {
- 'centos' => {
- '6' => {
- 'i386' => {
- 'url' => 'http://yum.postgresql.org/9.2/redhat/rhel-6-i386/',
- 'package' => 'pgdg-centos92-9.2-8.noarch.rpm',
- },
- 'x86_64' =>
{ - 'url' => 'http://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/', - 'package' => 'pgdg-centos92-9.2-8.noarch.rpm', - }, - }, - }, - 'redhat' => { - '6' => { - 'i386' => { - 'url' => 'http://yum.postgresql.org/9.2/redhat/rhel-6-i386/', - 'package' => 'pgdg-redhat92-9.2-9.noarch.rpm', - }, - 'x86_64' => { - 'url' => 'http://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/', - 'package' => 'pgdg-redhat92-9.2-9.noarch.rpm', - }, - }, - }, - 'oracle' => { - '6' => { - 'i386' => { - 'url' => 'http://yum.postgresql.org/9.2/redhat/rhel-6-i386/', - 'package' => 'pgdg-redhat92-9.2-9.noarch.rpm', - }, - 'x86_64' => { - 'url' => 'http://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/', - 'package' => 'pgdg-redhat92-9.2-9.noarch.rpm', - }, - }, - }, - 'scientific' => { - '6' => { - 'i386' => { - 'url' => 'http://yum.postgresql.org/9.2/redhat/rhel-6-i386/', - 'package' => 'pgdg-sl92-9.2-10.noarch.rpm', - }, - 'x86_64' => { - 'url' => 'http://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/', - 'package' => 'pgdg-sl92-9.2-10.noarch.rpm', - }, - }, - }, - }, -} diff --git a/cookbooks/postgresql/libraries/default.rb b/cookbooks/postgresql/libraries/default.rb deleted file mode 100644 index 61eaf39..0000000 --- a/cookbooks/postgresql/libraries/default.rb +++ /dev/null 
@@ -1,307 +0,0 @@
-# frozen_string_literal: false
-#
-# Cookbook:: postgresql
-# Library:: default
-# Author:: David Crane ()
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-include Chef::Mixin::ShellOut
-
-module Opscode
- module PostgresqlHelpers
- #######
- # Function to truncate value to 4 significant bits, render human readable.
- # Used in recipes/config_initdb.rb to set this attribute:
- #
- # The memory settings (shared_buffers, effective_cache_size, work_mem,
- # maintenance_work_mem and wal_buffers) will be rounded down to keep
- # the 4 most significant bits, so that SHOW will be likely to use a
- # larger divisor. The output is actually a human readable string that
- # ends with "GB", "MB" or "kB" if over 1023, exactly what Postgresql
- # will expect in a postgresql.conf setting. The output may be up to
- # 6.25% less than the original value because of the rounding.
- def binaryround(value)
- # Keep a multiplier which grows through powers of 1
- multiplier = 1
-
- # Truncate value to 4 most significant bits
- while value >= 16
- value = (value / 2).floor
- multiplier *= 2
- end
-
- # Factor any remaining powers of 2 into the multiplier
- while value == 2 * (value / 2).floor
- value = (value / 2).floor
- multiplier *= 2
- end
-
- # Factor enough powers of 2 back into the value to
- # leave the multiplier as a power of 1024 that can
- # be represented as units of "GB", "MB" or "kB".
- if multiplier >= 1024 * 1024 * 1024
- while multiplier > 1024 * 1024 * 1024
- value = 2 * value
- multiplier = (multiplier / 2).floor
- end
- multiplier = 1
- units = 'GB'
-
- elsif multiplier >= 1024 * 1024
- while multiplier > 1024 * 1024
- value = 2 * value
- multiplier = (multiplier / 2).floor
- end
- multiplier = 1
- units = 'MB'
-
- elsif multiplier >= 1024
- while multiplier > 1024
- value = 2 * value
- multiplier = (multiplier / 2).floor
- end
- multiplier = 1
- units = 'kB'
-
- else
- units = ''
- end
-
- # Now we can return a nice human readable string.
- "#{multiplier * value}#{units}"
- end
-
- #######
- # Locale Configuration
-
- # Function to test the date order.
- # Used in recipes/config_initdb.rb to set this attribute:
- # node.default['postgresql']['config']['datestyle']
- def locale_date_order
- # Test locale conversion of mon=11, day=22, year=33
- testtime = DateTime.new(2033, 11, 22, 0, 0, 0, '-00:00')
- #=> #
-
- # %x - Preferred representation for the date alone, no time
- res = testtime.strftime('%x')
-
- return 'mdy' if res.nil?
-
- posM = res.index('11')
- posD = res.index('22')
- posY = res.index('33')
-
- if posM.nil? || posD.nil? || posY.nil?
- return 'mdy'
- elseif (posY < posM && posM < posD)
- return 'ymd'
- elseif (posD < posM)
- return 'dmy'
- end
- 'mdy'
- end
-
- #######
- # Timezone Configuration
- require 'find'
-
- # Function to determine where the system stored shared timezone data.
- # Used in recipes/config_initdb.rb to detemine where it should have
- # select_default_timezone(tzdir) search.
- def pg_TZDIR
- # System time zone conversions are controlled by a timezone data file
- # identified through environment variables (TZ and TZDIR) and/or file
- # and directory naming conventions specific to the Linux distribution.
- # Each of these timezone names will have been loaded into the PostgreSQL
- # pg_timezone_names view by the package maintainer.
- #
- # Instead of using the timezone name configured as the system default,
- # the PostgreSQL server uses ones named in postgresql.conf settings
- # (timezone and log_timezone). The initdb utility does initialize those
- # settings to the timezone name that corresponds to the system default.
- #
- # The system's timezone name is actually a filename relative to the
- # shared zoneinfo directory. That is usually /usr/share/zoneinfo, but
- # it was /usr/lib/zoneinfo in older distributions and can be anywhere
- # if specified by the environment variable TZDIR. The tzset(3) manpage
- # seems to indicate the following precedence:
- tzdir = nil
- if ::File.directory?('/usr/lib/zoneinfo')
- tzdir = '/usr/lib/zoneinfo'
- else
- share_path = [ENV['TZDIR'], '/usr/share/zoneinfo'].compact.first
- tzdir = share_path if ::File.directory?(share_path)
- end
- tzdir
- end
-
- #######
- # Function to support select_default_timezone(tzdir), which is
- # used in recipes/config_initdb.rb.
- def validate_zone(tzname)
- # PostgreSQL does not support leap seconds, so this function tests
- # the usual Linux tzname convention to avoid a misconfiguration.
- # Assume that the tzdata package maintainer has kept all timezone
- # data files with support for leap seconds is kept under the
- # so-named "right/" subdir of the shared zoneinfo directory.
- #
- # The original PostgreSQL initdb is not Unix-specific, so it did a
- # very complicated, thorough test in its pg_tz_acceptable() function
- # that I could not begin to understand how to do in ruby :).
- #
- # Testing the tzname is good enough, since a misconfiguration
- # will result in an immediate fatal error when the PostgreSQL
- # service is started, with pgstartup.log messages such as:
- # LOG: time zone "right/US/Eastern" appears to use leap seconds
- # DETAIL: PostgreSQL does not support leap seconds.
-
- if tzname.index('right/') == 0
- false
- else
- true
- end
- end
-
- # Function to support select_default_timezone(tzdir), which is
- # used in recipes/config_initdb.rb.
- def scan_available_timezones(tzdir)
- # There should be an /etc/localtime zoneinfo file that is a link to
- # (or a copy of) a timezone data file under tzdir, which should have
- # been installed under the "share" directory by the tzdata package.
- #
- # The initdb utility determines which shared timezone file is being
- # used as the system's default /etc/localtime. The timezone name is
- # the timezone file path relative to the tzdir.
-
- bestzonename = nil
-
- if tzdir.nil?
- Chef::Log.error('The zoneinfo directory not found (looked for /usr/share/zoneinfo and /usr/lib/zoneinfo)')
- elsif !::File.exist?('/etc/localtime')
- Chef::Log.error('The system zoneinfo file not found (looked for /etc/localtime)')
- elsif ::File.directory?('/etc/localtime')
- Chef::Log.error('The system zoneinfo file not found (/etc/localtime is a directory instead)')
- elsif ::File.symlink?('/etc/localtime')
- # PostgreSQL initdb doesn't use the symlink target, but this
- # certainly will make sense to any system administrator. A full
- # scan of the tzdir to find the shortest filename could result
- # "US/Eastern" instead of "America/New_York" as bestzonename,
- # in spite of what the sysadmin had specified in the symlink.
- # (There are many duplicates under tzdir, with the same timezone
- # content appearing as an average of 2-3 different file names.)
- path = ::File.realdirpath('/etc/localtime')
- bestzonename = path.gsub("#{tzdir}/", '')
- else # /etc/localtime is a file, so scan for it under tzdir
- localtime_content = File.read('/etc/localtime')
-
- Find.find(tzdir) do |path|
- # Only consider files (skip directories or symlinks)
- next unless !::File.directory?(path) && !::File.symlink?(path)
- # Ignore any file named "posixrules" or "localtime"
- next unless ::File.basename(path) != 'posixrules' && ::File.basename(path) != 'localtime'
- # Do consider if content exactly matches /etc/localtime.
- next unless localtime_content == File.read(path)
- tzname = path.gsub("#{tzdir}/", '')
- next unless validate_zone(tzname)
- if bestzonename.nil? ||
- tzname.length < bestzonename.length ||
- (tzname.length == bestzonename.length &&
- (tzname <=> bestzonename) < 0)
-
- bestzonename = tzname
- end
- end
- end
-
- bestzonename
- end
-
- # Function to support select_default_timezone(tzdir), which is
- # used in recipes/config_initdb.rb.
- def identify_system_timezone(tzdir)
- resultbuf = scan_available_timezones(tzdir)
-
- if !resultbuf.nil?
- # Ignore Olson's rather silly "Factory" zone; use GMT instead
- resultbuf = nil if (resultbuf <=> 'Factory') == 0
-
- else
- # Did not find the timezone. Fallback to use a GMT zone. Note that the
- # Olson timezone database names the GMT-offset zones in POSIX style: plus
- # is west of Greenwich.
- testtime = DateTime.now
- std_ofs = testtime.strftime('%:z').split(':')[0].to_i
-
- resultbuf = [
- 'Etc/GMT',
- -std_ofs > 0 ? '+' : '',
- (-std_ofs).to_s,
- ].join('')
- end
-
- resultbuf
- end
-
- #######
- # Function to determine the name of the system's default timezone.
- # Used in recipes/config_initdb.rb to set these attributes:
- # node.default['postgresql']['config']['log_timezone']
- # node.default['postgresql']['config']['timezone']
- def select_default_timezone(tzdir)
- system_timezone = nil
-
- # Check TZ environment variable
- tzname = ENV['TZ']
- if !tzname.nil? && !tzname.empty? && validate_zone(tzname)
- system_timezone = tzname
-
- else
- # Nope, so try to identify system timezone from /etc/localtime
- tzname = identify_system_timezone(tzdir)
- system_timezone = tzname if validate_zone(tzname)
- end
-
- system_timezone
- end
-
- #######
- # Function to execute an SQL statement in the default database.
- # Input: Query could be a single String or an Array of String.
- # Output: A String with |-separated columns and \n-separated rows.
- # Note an empty output could mean psql couldn't connect.
- # This is easiest for 1-field (1-row, 1-col) results, otherwise
- # it will be complex to parse the results.
- def execute_sql(query, db_name = node['postgresql']['database_name'])
- # query could be a String or an Array of String
- statement = query.is_a?(String) ? query : query.join("\n")
- cmd = shell_out("psql -q --tuples-only --no-align -d #{db_name} -f -",
- user: 'postgres',
- input: statement)
- # If psql fails, generally the postgresql service is down.
- # Instead of aborting chef with a fatal error, let's just
- # pass these non-zero exitstatus back as empty cmd.stdout.
- if cmd.exitstatus == 0 && !cmd.stderr.empty?
- # An SQL failure is still a zero exitstatus, but then the
- # stderr explains the error, so let's rais that as fatal.
- Chef::Log.fatal("psql failed executing this SQL statement:\n#{statement}")
- Chef::Log.fatal(cmd.stderr)
- raise 'SQL ERROR'
- end
- cmd.stdout.chomp
- end
-
- # End the Opscode::PostgresqlHelpers module
- end
-end
diff --git a/cookbooks/postgresql/libraries/helpers.rb b/cookbooks/postgresql/libraries/helpers.rb
new file mode 100644
index 0000000..c2f9ee2
--- /dev/null
+++ b/cookbooks/postgresql/libraries/helpers.rb
@@ -0,0 +1,247 @@
+#
+# Cookbook:: postgresql
+# Library:: helpers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module PostgresqlCookbook
+ module Helpers
+ include Chef::Mixin::ShellOut
+
+ require 'securerandom'
+
+ def psql_command_string(new_resource, query, grep_for: nil, value_only: false)
+ cmd = "/usr/bin/psql -c \"#{query}\""
+ cmd << " -d #{new_resource.database}" if new_resource.database
+ cmd << " -U #{new_resource.user}" if new_resource.user
+ cmd << " --host #{new_resource.host}" if new_resource.host
+ cmd << " --port #{new_resource.port}" if new_resource.port
+ cmd << ' --tuples-only' if value_only
+ cmd << " | grep #{grep_for}" if grep_for
+ cmd
+ end
+
+ def execute_sql(new_resource, query)
+ # If we don't pass in a user to the resource
+ # default to the postgres user
+ user = new_resource.user ? new_resource.user : 'postgres'
+
+ # Query could be a String or an Array of Strings
+ statement = query.is_a?(String) ? query : query.join("\n")
+
+ cmd = shell_out(statement, user: user)
+
+ # Pass back cmd so we can decide what to do with it in the calling method.
+ cmd
+ end
+
+ def database_exists?(new_resource)
+ sql = %(SELECT datname from pg_database WHERE datname='#{new_resource.database}')
+
+ exists = psql_command_string(new_resource, sql, grep_for: new_resource.database)
+
+ cmd = execute_sql(new_resource, exists)
+ cmd.exitstatus == 0
+ end
+
+ def user_exists?(new_resource)
+ sql = %(SELECT rolname FROM pg_roles WHERE rolname='#{new_resource.create_user}';)
+
+ exists = psql_command_string(new_resource, sql, grep_for: new_resource.create_user)
+
+ cmd = execute_sql(new_resource, exists)
+ cmd.exitstatus == 0
+ end
+
+ def extension_installed?(new_resource)
+ query = %(SELECT extversion FROM pg_extension WHERE extname='#{new_resource.extension}';)
+ check_extension_version = psql_command_string(new_resource, query, value_only: true)
+ version_result = execute_sql(new_resource, check_extension_version)
+ if new_resource.version
+ version_result.stdout == new_resource.version
+ else
+ !version_result.stdout.nil?
+ end
+ end
+
+ def alter_role_sql(new_resource)
+ sql = %(ALTER ROLE postgres ENCRYPTED PASSWORD '#{postgres_password(new_resource)}';)
+ psql_command_string(new_resource, sql)
+ end
+
+ def create_extension_sql(new_resource)
+ sql = "CREATE EXTENSION IF NOT EXISTS #{new_resource.extension}"
+ sql << " FROM \"#{new_resource.old_version}\"" if new_resource.old_version
+
+ psql_command_string(new_resource, sql)
+ end
+
+ def user_has_password?(new_resource)
+ sql = %(SELECT rolpassword from pg_authid WHERE rolname='postgres' AND rolpassword IS NOT NULL;)
+ cmd = psql_command_string(new_resource, sql)
+
+ res = execute_sql(new_resource, cmd)
+ res.stdout =~ /1 row/ ? true : false
+ end
+
+ def role_sql(new_resource)
+ sql = %(\\"#{new_resource.create_user}\\" WITH )
+
+ %w(superuser createdb createrole inherit replication login).each do |perm|
+ sql << "#{'NO' unless new_resource.send(perm)}#{perm.upcase} "
+ end
+
+ sql << if new_resource.encrypted_password
+ "ENCRYPTED PASSWORD '#{new_resource.encrypted_password}'"
+ elsif new_resource.password
+ "PASSWORD '#{new_resource.password}'"
+ else
+ ''
+ end
+
+ sql << if new_resource.valid_until
+ " VALID UNTIL '#{new_resource.valid_until}'"
+ else
+ ''
+ end
+ end
+
+ def create_user_sql(new_resource)
+ sql = %(CREATE ROLE #{role_sql(new_resource)})
+ psql_command_string(new_resource, sql)
+ end
+
+ def update_user_sql(new_resource)
+ sql = %(ALTER ROLE #{role_sql(new_resource)})
+ psql_command_string(new_resource, sql)
+ end
+
+ def update_user_with_attributes_sql(new_resource, value)
+ sql = %(ALTER ROLE '#{new_resource.create_user}' SET #{attr} = #{value})
+ psql_command_string(new_resource, sql)
+ end
+
+ def drop_user_sql(new_resource)
+ sql = %(DROP ROLE IF EXISTS '#{new_resource.create_user}')
+ psql_command_string(new_resource, sql)
+ end
+
+ def data_dir(version = node.run_state['postgresql']['version'])
+ case node['platform_family']
+ when 'rhel', 'fedora'
+ "/var/lib/pgsql/#{version}/data"
+ when 'amazon'
+ if node['virtualization']['system'] == 'docker'
+ "/var/lib/pgsql#{version.delete('.')}/data"
+ else
+ "/var/lib/pgsql/#{version}/data"
+ end
+ when 'debian'
+ "/var/lib/postgresql/#{version}/main"
+ end
+ end
+
+ def conf_dir(version = node.run_state['postgresql']['version'])
+ case node['platform_family']
+ when 'rhel', 'fedora'
+ "/var/lib/pgsql/#{version}/data"
+ when 'amazon'
+ if node['virtualization']['system'] == 'docker'
+ "/var/lib/pgsql#{version.delete('.')}/data"
+ else
+ "/var/lib/pgsql/#{version}/data"
+ end
+ when 'debian'
+ "/etc/postgresql/#{version}/main"
+ end
+ end
+
+ # determine the platform specific service name
+ def platform_service_name(version = node.run_state['postgresql']['version'])
+ case node['platform_family']
+ when 'rhel', 'fedora'
+ "postgresql-#{version}"
+ when 'amazon'
+ if node['virtualization']['system'] == 'docker'
+ "postgresql#{version.delete('.')}"
+ else
+ "postgresql-#{version}"
+ end
+ else
+ 'postgresql'
+ end
+ end
+
+ def follower?
+ ::File.exist? "#{data_dir}/recovery.conf"
+ end
+
+ def initialized?
+ return true if ::File.exist?("#{conf_dir}/PG_VERSION")
+ false
+ end
+
+ def secure_random
+ r = SecureRandom.hex
+ Chef::Log.debug "Generated password: #{r}"
+ r
+ end
+
+ # determine the platform specific server package name
+ def server_pkg_name
+ platform_family?('debian') ? "postgresql-#{new_resource.version}" : "postgresql#{new_resource.version.delete('.')}-server"
+ end
+
+ # determine the appropriate DB init command to run based on RHEL/Fedora/Amazon release
+ # initdb defaults to the execution environment.
+ # https://www.postgresql.org/docs/9.5/static/locale.html
+ def rhel_init_db_command(new_resource)
+ cmd = if platform_family?('amazon')
+ '/usr/bin/initdb'
+ else
+ "/usr/pgsql-#{new_resource.version}/bin/initdb"
+ end
+ cmd << " --locale '#{new_resource.initdb_locale}'" if new_resource.initdb_locale
+ cmd << " -D '#{data_dir(new_resource.version)}'"
+ end
+
+ # Given the base URL build the complete URL string for a yum repo
+ def yum_repo_url(base_url)
+ "#{base_url}/#{new_resource.version}/#{yum_repo_platform_family_string}/#{yum_repo_platform_string}"
+ end
+
+ # The postgresql yum repos URLs are organized into redhat and fedora directories.s
+ # route things to the right place based on platform_family
+ def yum_repo_platform_family_string
+ platform_family?('fedora') ? 'fedora' : 'redhat'
+ end
+
+ # Build the platform string that makes up the final component of the yum repo URL
+ def yum_repo_platform_string
+ platform = platform?('fedora') ? 'fedora' : 'rhel'
+ release = platform?('amazon') ? '6' : '$releasever'
+ "#{platform}-#{release}-$basearch"
+ end
+
+ # On Amazon use the RHEL 6 packages. Otherwise use the releasever yum variable
+ def yum_releasever
+ platform?('amazon') ? '6' : '$releasever'
+ end
+
+ # Generate a password if the value is set to generate.
+ def postgres_password(new_resource)
+ new_resource.password == 'generate' ? secure_random : new_resource.password
+ end
+ end
+end
diff --git a/cookbooks/postgresql/metadata.json b/cookbooks/postgresql/metadata.json
index 419148d..37f8d66 100644
--- a/cookbooks/postgresql/metadata.json
+++ b/cookbooks/postgresql/metadata.json
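Review bot: `psql_command_string` interpolates the SQL (`query`), `new_resource.database`, `user`, `host`, `port` and `grep_for` into one `/usr/bin/psql -c "..."` string that `execute_sql` hands to `shell_out(statement, user: user)` as a single string, so values such as the password that `role_sql` embeds as `PASSWORD '#{new_resource.password}'` pass through a shell and sit on the process command line, and any `"`, `$` or backtick in them breaks the command. The removed `libraries/default.rb` fed the statement on stdin (`psql ... -f -` with `input: statement`), which keeps the SQL out of shell parsing and off the command line; restoring that form, with `-d`/`-U`/`--host`/`--port` passed as separate arguments rather than one string, would close both gaps. `update_user_with_attributes_sql` references `attr`, which is neither a parameter nor a local, so it raises NameError on first use; it and `drop_user_sql` also single-quote the role name, where `role_sql` renders it as a `\"…\"` identifier. `secure_random` writes the generated secret to the log with `Chef::Log.debug "Generated password: #{r}"`; drop the value, e.g. `Chef::Log.debug 'Generated a random password for the postgres role'`. `extension_installed?`'s `!version_result.stdout.nil?` is always true since `shell_out` yields an empty String rather than nil for no output, so `!version_result.stdout.strip.empty?` is presumably what was meant.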
@@ -1 +1 @@ -{"name":"postgresql","version":"6.1.1","description":"Installs and configures postgresql for clients or servers","long_description":"# postgresql cookbook\n\n[![Build Status](https://travis-ci.org/sous-chefs/postgresql.svg?branch=master)](https://travis-ci.org/sous-chefs/postgresql) [![Cookbook Version](https://img.shields.io/cookbook/v/postgresql.svg)](https://supermarket.chef.io/cookbooks/postgresql)\n\nInstalls and configures PostgreSQL as a client or a server.\n\n## Requirements\n\n### Platforms\n\n- Debian 7+\n- Ubuntu 12.04+\n- Red Hat/CentOS/Scientific (6.0+ required) - \"EL6-family\"\n- Fedora\n- SLES 12+\n- openSUSE 13+ / openSUSE Leap\n\n### Chef\n\n- Chef 12.1+\n\n### Cookbooks\n\n- `compat_resource`\n- `openssl`\n- `build-essential`\n\n## Attributes\n\nThe following attributes are set based on the platform, see the `attributes/default.rb` file for default values.\n\n- `node['postgresql']['version']` - version of postgresql to manage\n- `node['postgresql']['dir']` - home directory of where postgresql data and configuration lives.\n- `node['postgresql']['client']['packages']` - An array of package names that should be installed on \"client\" systems.\n- `node['postgresql']['server']['packages']` - An array of package names that should be installed on \"server\" systems.\n- `node['postgresql']['server']['config_change_notify']` - Type of notification triggered when a config file changes.\n- `node['postgresql']['contrib']['packages']` - An array of package names that could be installed on \"server\" systems for useful sysadmin tools.\n- `node['postgresql']['enable_pgdg_apt']` - Whether to enable the apt repo by the PostgreSQL Global Development Group, which contains newer versions of PostgreSQL.\n- `node['postgresql']['enable_pgdg_yum']` - Whether to enable the yum repo by the PostgreSQL Global Development Group, which contains newer versions of PostgreSQL.\n- `node['postgresql']['initdb_locale']` - Sets the default locale for the database 
cluster. If this attribute is not specified, the locale is inherited from the environment that initdb runs in. Sometimes you must have a system locale that is not what you want for your database cluster, and this attribute addresses that scenario. Valid only for EL-family distros (RedHat/Centos/etc.).\n\nThe following attributes are generated in `recipe[postgresql::server]`.\n\n## Configuration\n\nThe `postgresql.conf` and `pg_hba.conf` files are dynamically generated from attributes. Each key in `node['postgresql']['config']` is a postgresql configuration directive, and will be rendered in the config file. For example, the attribute:\n\n```ruby\nnode['postgresql']['config']['listen_addresses'] = 'localhost'\n```\n\nWill result in the following line in the `postgresql.conf` file:\n\n```ruby\nlisten_addresses = 'localhost'\n```\n\nThe attributes file contains default values for Debian and RHEL platform families (per the `node['platform_family']`). These defaults have disparity between the platforms because they were originally extracted from the postgresql.conf files in the previous version of this cookbook, which differed in their default config. The resulting configuration files will be the same as before, but the content will be dynamically rendered from the attributes. The helpful commentary will no longer be present. You should consult the PostgreSQL documentation for specific configuration details.\n\nSee **Recipes** `config_initdb` and `config_pgtune` below to auto-generate many postgresql.conf settings.\n\nFor values that are \"on\" or \"off\", they should be specified as literal `true` or `false`. String values will be used with single quotes. Any configuration option set to the literal `nil` will be skipped entirely. All other values (e.g., numeric literals) will be used as is. 
So for example:\n\n```ruby\nnode.default['postgresql']['config']['logging_collector'] = true\nnode.default['postgresql']['config']['datestyle'] = 'iso, mdy'\nnode.default['postgresql']['config']['ident_file'] = nil\nnode.default['postgresql']['config']['port'] = 5432\n```\n\nWill result in the following config lines:\n\n```ruby\nlogging_collector = 'on'\ndatestyle = 'iso,mdy'\nport = 5432\n```\n\n(no line printed for `ident_file` as it is `nil`)\n\nNote that the `unix_socket_directory` configuration was renamed to `unix_socket_directories` in Postgres 9.3 so make sure to use the `node['postgresql']['unix_socket_directories']` attribute instead of `node['postgresql']['unix_socket_directory']`.\n\nThe `pg_hba.conf` file is dynamically generated from the `node['postgresql']['pg_hba']` attribute. This attribute must be an array of hashes, each hash containing the authorization data. As it is an array, you can append to it in your own recipes. The hash keys in the array must be symbols. Each hash will be written as a line in `pg_hba.conf`. For example, this entry from `node['postgresql']['pg_hba']`:\n\n```\n[{:comment => '# Optional comment',\n:type => 'local', :db => 'all', :user => 'postgres', :addr => nil, :method => 'md5'}]\n```\n\nWill result in the following line in `pg_hba.conf`:\n\n```\n# Optional comment\nlocal all postgres md5\n```\n\nUse `nil` if the CIDR-ADDRESS should be empty (as above). Don't provide a comment if none is desired in the `pg_hba.conf` file.\n\nNote that the following authorization rule is supplied automatically by the cookbook template. The cookbook needs this to execute SQL in the PostgreSQL server without supplying the clear-text password (which isn't known by the cookbook). 
Therefore, your `node['postgresql']['pg_hba']` attributes don't need to specify this authorization rule:\n\n```\n# \"local\" is for Unix domain socket connections only\nlocal all all ident\n```\n\n(By the way, the template uses `peer` instead of `ident` for PostgreSQL-9.1 and above, which has the same effect.)\n\n## Recipes\n\n### default\n\nIncludes the client recipe.\n\n### client\n\nInstalls the packages defined in the `node['postgresql']['client']['packages']` attribute.\n\n### ruby\n\nInstall the `pg` gem under Chef's Ruby environment so it can be used in other recipes. The build-essential packages and postgresql client packages will be installed during the compile phase, so that the native extensions of `pg` can be compiled.\n\n### server\n\nIncludes the `server_debian` or `server_redhat` recipe to get the appropriate server packages installed and service managed. Also manages the configuration for the server:\n\n- generates a strong default password (via `openssl`) for `postgres`\n- sets the password for postgres\n- manages the `postgresql.conf` file.\n- manages the `pg_hba.conf` file.\n\n### config_initdb\n\nTakes locale and timezone settings from the system configuration. This recipe creates `node.default['postgresql']['config']` attributes that conform to the system's locale and timezone. In addition, this recipe creates the same error reporting and logging settings that `initdb` provided: a rotation of 7 days of log files named postgresql-Mon.log, etc.\n\nThe default attributes created by this recipe are easy to override with normal attributes because of Chef attribute precedence. For example, suppose a DBA wanted to keep log files indefinitely, rolling over daily or when growing to 10MB. 
The Chef installation could include the `postgresql::config_initdb` recipe for the locale and timezone settings, but customize the logging settings with these node JSON attributes:\n\n```javascript\n\"postgresql\": {\n \"config\": {\n \"log_rotation_age\": \"1d\",\n \"log_rotation_size\": \"10MB\",\n \"log_filename\": \"postgresql-%Y-%m-%d_%H%M%S.log\"\n }\n}\n```\n\nCredits: This `postgresql::config_initdb` recipe is based on algorithms in the [source code](http://doxygen.postgresql.org/initdb_8c_source.html) for the PostgreSQL `initdb` utility.\n\n### config_pgtune\n\nPerformance tuning. Takes the wimpy default postgresql.conf and expands the database server to be as powerful as the hardware it's being deployed on. This recipe creates a baseline configuration of `node.default['postgresql']['config']` attributes in the right general range for a dedicated Postgresql system. Most installations won't need additional performance tuning.\n\nThe only decision you need to make is to choose a `db_type` from the following database workloads. (See the recipe code comments for more detailed descriptions.)\n\n- \"dw\" -- Data Warehouse\n- \"oltp\" -- Online Transaction Processing\n- \"web\" -- Web Application\n- \"mixed\" -- Mixed DW and OLTP characteristics\n- \"desktop\" -- Not a dedicated database\n\nThis recipe uses a performance model with three input parameters. These node attributes are completely optional, but it is obviously important to choose the `db_type` correctly:\n\n- `node['postgresql']['config_pgtune']['db_type']` -- Specifies database type from the list of five choices above. If not specified, the default is \"mixed\".\n\n- `node['postgresql']['config_pgtune']['max_connections']` -- Specifies maximum number of connections expected. If not specified, it depends on database type: \"web\":200, \"oltp\":300, \"dw\":20, \"mixed\":80, \"desktop\":5\n\n- `node['postgresql']['config_pgtune']['total_memory']` -- Specifies total system memory in kB. 
(E.g., \"49416564kB\".) If not specified, it will be taken from Ohai automatic attributes. This could be used to tune a system that isn't a dedicated database.\n\nThe default attributes created by this recipe are easy to override with normal attributes because of Chef attribute precedence. For example, if you are running application benchmarks to try different buffer cache sizes, you would experiment with this node JSON attribute:\n\n```javascript\n\"postgresql\": {\n \"config\": {\n \"shared_buffers\": \"3GB\"\n }\n}\n```\n\nNote that the recipe uses `max_connections` in its computations. If you want to override that setting, you should specify `node['postgresql']['config_pgtune']['max_connections']` instead of `node['postgresql']['config']['max_connections']`.\n\nCredits: This `postgresql::config_pgtune` recipe is based on the [pgtune python script](https://github.com/gregs1104/pgtune) developed by [Greg Smith](http://notemagnet.blogspot.com/2008/11/automating-initial-postgresqlconf.html) and [other pgsql-hackers](http://www.postgresql.org/message-id/491C6CDC.8090506@agliodbs.com).\n\n### contrib\n\nInstalls the packages defined in the `node['postgresql']['contrib']['packages']` attribute. The contrib directory of the PostgreSQL distribution includes porting tools, analysis utilities, and plug-in features that database engineers often require. Some (like `pgbench`) are executable. Others (like `pg_buffercache`) would need to be installed into the database.\n\nAlso installs any contrib module extensions defined in the `node['postgresql']['contrib']['extensions']` attribute. These will be available in any subsequently created databases in the cluster, because they will be installed into the `template1` database using the `CREATE EXTENSION` command. 
For example, it is often necessary/helpful for problem troubleshooting and maintenance planning to install the views and functions in these [standard instrumentation extensions] ([http://www.postgresql.org/message-id/flat/4DC32600.6080900@pgexperts.com#4DD3D6C6.5060006@2ndquadrant.com](mailto:http://www.postgresql.org/message-id/flat/4DC32600.6080900@pgexperts.com#4DD3D6C6.5060006@2ndquadrant.com)):\n\n```ruby\nnode['postgresql']['contrib']['extensions'] = [\n \"pageinspect\",\n \"pg_buffercache\",\n \"pg_freespacemap\",\n \"pgrowlocks\",\n \"pg_stat_statements\",\n \"pgstattuple\"\n]\n```\n\nNote that the `pg_stat_statements` view only works if `postgresql.conf` loads its shared library, which can be done with this node attribute:\n\n```ruby\nnode['postgresql']['config']['shared_preload_libraries'] = 'pg_stat_statements'\n```\n\nIf using `shared_preload_libraries` in combination with the `contrib` recipe, make sure that the `contrib` recipe is called before the `server` recipe (to ensure the dependencies are installed and setup in order).\n\n### apt_pgdg_postgresql\n\nEnables the PostgreSQL Global Development Group yum repository maintained by Devrim Gündüz for updated PostgreSQL packages. (The PGDG is the groups that develops PostgreSQL.) Automatically included if the `node['postgresql']['enable_pgdg_apt']` attribute is true. Also set the `node['postgresql']['client']['packages']` and `node['postgresql']['server]['packages']` to the list of packages to use from this repository, and set the `node['postgresql']['version']` attribute to the version to use (e.g., \"9.2\").\n\n### yum_pgdg_postgresql\n\nEnables the PostgreSQL Global Development Group yum repository maintained by Devrim Gündüz for updated PostgreSQL packages. (The PGDG is the groups that develops PostgreSQL.) Automatically included if the `node['postgresql']['enable_pgdg_yum']` attribute is true. Also use `override_attributes` to set a number of values that will need to have embedded version numbers. 
For example:\n\n```ruby\nnode['postgresql']['enable_pgdg_yum'] = true\nnode['postgresql']['version'] = \"9.4\"\nnode['postgresql']['dir'] = \"/var/lib/pgsql/9.4/data\"\nnode['postgresql']['config']['data_directory'] = node['postgresql']['dir']\nnode['postgresql']['client']['packages'] = [\"postgresql94\", \"postgresql94-devel\"]\nnode['postgresql']['server']['packages'] = [\"postgresql94-server\"]\nnode['postgresql']['server']['service_name'] = \"postgresql-9.4\"\nnode['postgresql']['contrib']['packages'] = [\"postgresql94-contrib\"]\nnode['postgresql']['setup_script'] = \"postgresql94-setup\"\n```\n\nYou may set `node['postgresql']['pgdg']['repo_rpm_url']` attributes to pick up recent [PGDG repo packages](http://yum.postgresql.org/repopackages.php).\n\n## Usage\n\nOn systems that need to connect to a PostgreSQL database, add to a run list `recipe[postgresql]` or `recipe[postgresql::client]`.\n\nOn systems that should be PostgreSQL servers, use `recipe[postgresql::server]` on a run list. This recipe does set a password for the `postgres` user. If you're using `chef server`, if the attribute `node['postgresql']['password']['postgres']` is not found, the recipe generates a random password and performs a node.save. (TODO: This is broken, as it disables the password.) If you're using `chef-solo`, you'll need to set the attribute `node['postgresql']['password']['postgres']` in your node's `json_attribs` file or in a role.\n\nOn Debian family systems, SSL will be enabled, as the packages on Debian/Ubuntu also generate the SSL certificates. If you use another platform and wish to use SSL in postgresql, then generate your SSL certificates and distribute them in your own cookbook, and set the `node['postgresql']['config']['ssl']` attribute to true in your role/cookboook/node.\n\nOn server systems, the postgres server is restarted when a configuration file changes. 
This can be changed to reload only by setting the following attribute:\n\n```ruby\nnode['postgresql']['server']['config_change_notify'] = :reload\n```\n\n## Chef Solo Note\n\nThe following node attribute is stored on the Chef Server when using `chef-client`. Because `chef-solo` does not connect to a server or save the node object at all, to have the password persist across `chef-solo` runs, you must specify them in the `json_attribs` file used. For Example:\n\n```\n{\n \"postgresql\": {\n \"password\": {\n \"postgres\": \"iloverandompasswordsbutthiswilldo\"\n }\n },\n \"run_list\": [\"recipe[postgresql::server]\"]\n}\n```\n\nThat should actually be the \"encrypted password\" instead of cleartext, so you should generate it as an md5 hash using the PostgreSQL algorithm.\n\n- You could copy the md5-hashed password from an existing postgres database if you have `postgres` access and want to use the same password:
\n `select * from pg_shadow where usename='postgres';`\n- You can run this from any postgres database session to use a new password:
\n `select 'md5'||md5('iloverandompasswordsbutthiswilldo'||'postgres');`\n- You can run this from a linux commandline:
\n `echo -n 'iloverandompasswordsbutthiswilldo''postgres' | openssl md5 | sed -e 's/.* /md5/'`\n\n## License\n\nCopyright 2010-2016, Chef Software, Inc.\n\n```text\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n","maintainer":"Sous Chefs","maintainer_email":"help@sous-chefs.org","license":"Apache 2.0","platforms":{"ubuntu":">= 12.04","debian":">= 7.0","opensuse":">= 13.0","suse":">= 12.0","fedora":">= 0.0.0","opensuseleap":">= 0.0.0","amazon":">= 0.0.0","redhat":">= 6.0","centos":">= 6.0","scientific":">= 6.0","oracle":">= 6.0"},"dependencies":{"compat_resource":">= 12.16.3","build-essential":">= 2.0.0","openssl":">= 4.0"},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{"postgresql::default":"Includes postgresql::client","postgresql::ruby":"Installs pg gem for Ruby bindings","postgresql::client":"Installs postgresql client package(s)","postgresql::server":"Installs postgresql server packages, templates"}}
\ No newline at end of file
+{"name":"postgresql","version":"7.1.3","description":"Installs and configures postgresql for clients or servers","long_description":"# PostgreSQL cookbook\n\n[![CircleCI](https://circleci.com/gh/sous-chefs/postgresql/tree/master.svg?style=svg)](https://circleci.com/gh/sous-chefs/postgresql/tree/master) [![Cookbook Version](https://img.shields.io/cookbook/v/postgresql.svg)](https://supermarket.chef.io/cookbooks/postgresql) 
[![pullreminders](https://pullreminders.com/badge.svg)](https://pullreminders.com?ref=badge)\n\nInstalls and configures PostgreSQL as a client or a server.\n\n## Upgrading\n\nIf you are wondering where all the recipes went in v7.0+, or how on earth I use this new cookbook please see upgrading.md for a full description.\n\n## Requirements\n\n### Platforms\n\n- Amazon Linux\n- Debian 7+\n- Ubuntu 14.04+\n- Red Hat/CentOS/Scientific 6+\n- Fedora\n\n### PostgreSQL version\n\nWe follow the currently supported versions listed on \n\n### Chef\n\n- Chef 13.8+\n\n### Cookbook Dependencies\n\nNone.\n\n## Resources\n\n### postgresql_client_install\n\nThis resource installs PostgreSQL client packages.\n\n#### Actions\n\n- `install` - (default) Install client packages\n\n#### Properties\n\nName | Types | Description | Default | Required?\n------------------- | ----------------- | ------------------------------------------------------------- | ----------------------------------------- | ---------\n`version` | String | Version of PostgreSQL to install | '9.6' | no\n`setup_repo` | Boolean | Define if you want to add the PostgreSQL repo | true | no\n`hba_file` | String | | `#{conf_dir}/main/pg_hba.conf` | no\n`ident_file` | String | | `#{conf_dir}/main/pg_ident.conf` | no\n`external_pid_file` | String | | `/var/run/postgresql/#{version}-main.pid` | no\n`password` | String, nil | Pass in a password, or have the cookbook generate one for you | | no\n\n#### Examples\n\nTo install version 9.5:\n\n```ruby\npostgresql_client_install 'My PostgreSQL Client install' do\n version '9.5'\nend\n```\n\n### postgresql_server_install\n\nThis resource installs PostgreSQL client and server packages.\n\n#### Actions\n\n- `install` - (default) Install client and server packages\n- `create` - Initialize the database\n\n#### Properties\n\nName | Types | Description | Default | Required?\n------------------- | --------------- | --------------------------------------------- | 
-------------------------------------------------- | ---------\n`version` | String | Version of PostgreSQL to install | '9.6' | no\n`setup_repo` | Boolean | Define if you want to add the PostgreSQL repo | true | no\n`hba_file` | String | Path of pg_hba.conf file | `/pg_hba.conf'` | no\n`ident_file` | String | Path of pg_ident.conf file | `/pg_ident.conf` | no\n`external_pid_file` | String | Path of PID file | `/var/run/postgresql/-main.pid` | no\n`password` | String, nil | Set PostgreSQL user password | 'generate' | no\n`port` | Integer | Set listen port of PostgreSQL service | 5432 | no\n`initdb_locale` | String | Locale to initialise the database with | 'C' | no\n\n#### Examples\n\nTo install PostgreSQL server, set your own postgres password using non-default service port.\n\n```ruby\npostgresql_server_install 'My PostgreSQL Server install' do\n action :install\nend\n\npostgresql_server_install 'Setup my PostgreSQL 9.6 server' do\n password 'MyP4ssw0rd'\n port 5433\n action :create\nend\n```\n\n#### Known issues\n\nOn some platforms (e.g. 
Ubuntu 18.04), your `initdb_locale` should be set to the\nsame as the template database [GH-555](https://github.com/sous-chefs/postgresql/issues/555).\n\n### postgresql_server_conf\n\nThis resource manages postgresql.conf configuration file.\n\n#### Actions\n\n- `modify` - (default) Manager PostgreSQL configuration file (postgresql.conf)\n\n#### Properties\n\nName | Types | Description | Default | Required?\n---------------------- | ------- | --------------------------------------- | --------------------------------------------------- | ---------\n`version` | String | Version of PostgreSQL to install | '9.6' | no\n`data_directory` | String | Path of PostgreSQL data directory | `` | no\n`hba_file` | String | Path of pg_hba.conf file | `/pg_hba.conf` | no\n`ident_file` | String | Path of pg_ident.conf file | `/pg_ident.conf` | no\n`external_pid_file` | String | Path of PID file | `/var/run/postgresql/-main.pid` | no\n`stats_temp_directory` | String | Path of stats file | `/var/run/postgresql/version>-main.pg_stat_tmp` | no\n`port` | Integer | Set listen port of PostgreSQL service | 5432 | no\n`additional_config` | Hash | Extra configuration for the config file | {} | no\n\n#### Examples\n\nTo setup your PostgreSQL configuration with a specific data directory. 
If you have installed a specific version of PostgreSQL (different from 9.6), you must specify version in this resource too.\n\n```ruby\npostgresql_server_conf 'My PostgreSQL Config' do\n version '9.5'\n data_directory '/data/postgresql/9.5/main'\n notifies :reload, 'service[postgresql]'\nend\n```\n\n### postgresql_extension\n\nThis resource manages PostgreSQL extensions for a given database.\n\n#### Actions\n\n- `create` - (default) Creates an extension in a given database\n- `drop` - Drops an extension from the database\n\n#### Properties\n\nName | Types | Description | Default | Required?\n------------- | ------ | -------------------------------------------------------------------------------- | ---------------- | ---------\n`database` | String | Name of the database to install the extension into | | yes\n`extension` | String | Name of the extension to install the database | Name of resource | yes\n`version` | String | Version of the extension to install | | no\n`old_version` | String | Older module name for new extension replacement. Appends FROM to extension query | | no\n\n#### Examples\n\nTo install the `adminpack` extension:\n\n```ruby\n# Add the contrib package in Ubuntu/Debian\npackage 'postgresql-contrib-9.6'\n\n# Install adminpack extension\npostgresql_extension 'postgres adminpack' do\n database 'postgres'\n extension 'adminpack'\nend\n```\n\n### postgresql_access\n\nThis resource uses the accumulator pattern to build up the `pg_hba.conf` file via chef resources instead of piling on a mountain of chef attributes to make this cookbook more reusable. It directly mirrors the configuration options of the postgres hba file in the resource and by default notifies the server with a reload to avoid a full restart, causing a potential outage of service. 
To revoke access, simply remove the resource and the access change won't be computed into the final `pg_hba.conf`\n\n#### Actions\n\n- `grant` - (default) Creates an access line inside of `pg_hba.conf`\n\n#### Properties\n\nName | Types | Description | Default | Required?\n--------------- | ------ | ----------------------------------------------------------------------------------------- | ----------------- | ---------\n`name` | String | Name of the access resource, this is left as a comment inside the `pg_hba` config | Resource name | yes\n`source` | String | The cookbook template filename if you want to use your own custom template | 'pg_hba.conf.erb' | yes\n`cookbook` | String | The cookbook to look in for the template source | 'postgresql' | yes\n`comment` | String | A comment to leave above the entry in `pg_hba` | nil | no\n`access_type` | String | The type of access, e.g. local or host | 'local' | yes\n`access_db` | String | The database to access. Can use 'all' for all databases | 'all' | yes\n`access_user` | String | The user accessing the database. Can use 'all' for any user | 'all' | yes\n`access_addr` | String | The address(es) allowed access. Can be nil if method ident is used since it is local then | nil | no\n`access_method` | String | Authentication method to use | 'ident' | yes\n\n#### Examples\n\nTo grant access to the PostgreSQL user with ident authentication:\n\n```ruby\npostgresql_access 'local_postgres_superuser' do\n comment 'Local postgres superuser access'\n access_type 'local'\n access_db 'all'\n access_user 'postgres'\n access_addr nil\n access_method 'ident'\nend\n```\n\nThis generates the following line in the `pg_hba.conf`:\n\n```\n# Local postgres superuser access\nlocal all postgres ident\n```\n\n**Note**: The template by default generates a local access for Unix domain sockets only to support running the SQL execute resources. In Postgres version 9.1 and higher, the method is 'peer' instead of 'ident' which is identical. 
It looks like this:\n\n```\n# \"local\" is for Unix domain socket connections only\nlocal all all peer\n```\n\n### postgresql_ident\n\nThis resource generate `pg_ident.conf` configuration file to manage user mapping between system and PostgreSQL users.\n\n#### Actions\n\n- `create` - (default) Creates an mapping line inside of `pg_ident.conf`\n\n#### Properties\n\nName | Types | Description | Default | Required?\n-------------- | ----------- | -------------------------------------------------------------------------- | ------------------- | ---------\n`mapname` | String | Name of the user mapping | Resource name | yes\n`source` | String | The cookbook template filename if you want to use your own custom template | 'pg_ident.conf.erb' | no\n`cookbook` | String | The cookbook to look in for the template source | 'postgresql' | no\n`comment` | String, nil | A comment to leave above the entry in `pg_ident` | nil | no\n`system_user` | String | System user or regexp used for the mapping | None | yes\n`pg_user` | String | Pg user or regexp used for the mapping | None | yes\n\n#### Examples\n\nCreates a `mymapping` mapping that map `john` system user to `user1` PostgreSQL user:\n\n```ruby\npostgresql_ident 'Map john to user1' do\n comment 'John Mapping'\n mapname 'mymapping'\n system_user 'john'\n pg_user 'user1'\nend\n```\n\nThis generates the following line in the `pg_ident.conf`:\n\n```\n# MAPNAME SYSTEM-USERNAME PG-USERNAME\n\n# John Mapping\nmymapping john user1\n```\n\nTo grant access to the foo user with password authentication:\n\n```ruby\npostgresql_access 'local_foo_user' do\n comment 'Foo user access'\n access_type 'host'\n access_db 'all'\n access_user 'foo'\n access_addr '127.0.0.1/32'\n access_method 'md5'\nend\n```\n\nThis generates the following line in the `pg_hba.conf`:\n\n```\n# Local postgres superuser access\nhost all foo 127.0.0.1/32 ident\n```\n\n### postgresql_database\n\nThis resource manages PostgreSQL databases.\n\n#### Actions\n\n- `create` - 
(default) Creates the given database.\n- `drop` - Drops the given database.\n\n#### Properties\n\nName | Types | Description | Default | Required?\n---------- | ------- | ------------------------------------------------------------------- | ------------------- | ---------\n`database` | String | Name of the database to create | Resource name | yes\n`user` | String | User which run psql command | 'postgres' | no\n`template` | String | Template used to create the new database | 'template1' | no\n`host` | String | Define the host server where the database creation will be executed | Not set (localhost) | no\n`port` | Integer | Define the port of PostgreSQL server | 5432 | no\n`encoding` | String | Define database encoding | 'UTF-8' | no\n`locale` | String | Define database locale | 'en_US.UTF-8' | no\n`owner` | String | Define the owner of the database | Not set | no\n\n#### Examples\n\nTo create database named 'my_app' with owner 'user1':\n\n```ruby\npostgresql_database 'my_app' do\n owner 'user1'\nend\n```\n\n#### Known issues\n\nOn some platforms (e.g. 
Ubuntu 18.04), your `initdb_locale` should be set to the\nsame as the template database [GH-555](https://github.com/sous-chefs/postgresql/issues/555).\n\n### postgresql_user\n\nThis resource manage PostgreSQL users.\n\n#### Actions\n\n- `create` - (default) Creates the given user with default or given privileges.\n- `update` - Update user privilieges.\n- `drop` - Deletes the given user.\n\n#### Properties\n\nName | Types | Description | Default | Required?\n-------------------- | ------- | ----------------------------------------------- | -------- | ---------\n`create_user` | String | User to create (defaults to the resource name) | | Yes\n`superuser` | Boolean | Define if user needs superuser role | false | no\n`createdb` | Boolean | Define if user needs createdb role | false | no\n`createrole` | Boolean | Define if user needs createrole role | false | no\n`inherit` | Boolean | Define if user inherits the privileges of roles | true | no\n`replication` | Boolean | Define if user needs replication role | false | no\n`login` | Boolean | Define if user can login | true | no\n`password` | String | Set user's password | | no\n`encrypted_password` | String | Set user's password with an hashed password | | no\n`valid_until` | String | Define an account expiration date | | no\n`attributes` | Hash | Additional attributes for :update action | {} | no\n`user` | String | User for command | postgres | no\n`database` | String | Database for command | | no\n`host` | String | Hostname for command | | no\n`port` | Integer | Port number to connect to postgres | 5432 | no\n\n#### Examples\n\nCreate a user `user1` with a password, with `createdb` role and set an expiration date to 2018, Dec 21.\n\n```ruby\npostgresql_user 'user1' do\n password 'UserP4ssword'\n createdb true\n valid_until '2018-12-31'\nend\n```\n\nCreate a user `user1` with a password, with `createdb` role and set an expiration date to 2018, Dec 21.\n\n```ruby\npostgresql_user 'user1' do\n password 'UserP4ssword'\n 
createdb true\n valid_until '2018-12-31'\nend\n```\n\n## Usage\n\nTo install and configure your PostgreSQL instance you need to create your own cookbook and call needed resources with your own parameters.\n\nMore examples can be found in `test/cookbooks/test/recipes`\n\n## Example Usage\n\n```ruby\n# cookbooks/my_postgresql/recipes/default.rb\n\npostgresql_client_install 'PostgreSQL Client' do\n setup_repo false\n version '10.6'\nend\n\npostgresql_server_install 'PostgreSQL Server' do\n version '10.6'\n setup_repo false\n password 'P0stgresP4ssword'\nend\n\npostgresql_server_conf 'PostgreSQL Config' do\n notifies :reload, 'service[postgresql]'\nend\n```\n\n## Contributing\n\nPlease refer to each project's style guidelines and guidelines for submitting patches and additions. In general, we follow the \"fork-and-pull\" Git workflow.\n\n1. **Fork** the repo on GitHub\n2. **Clone** the project to your own machine\n3. **Commit** changes to your own branch\n4. **Push** your work back up to your fork\n5. 
Submit a **Pull request** so that we can review your changes\n\nNOTE: Be sure to merge the latest from \"upstream\" before making a pull request!\n\n[Contribution informations for this project](CONTRIBUTING.md)\n\n## License\n\nCopyright 2010-2017, Chef Software, Inc.\n\n```text\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n","maintainer":"Sous Chefs","maintainer_email":"help@sous-chefs.org","license":"Apache-2.0","platforms":{"ubuntu":">= 0.0.0","debian":">= 0.0.0","fedora":">= 0.0.0","amazon":">= 0.0.0","redhat":">= 0.0.0","centos":">= 0.0.0","scientific":">= 0.0.0","oracle":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/sous-chefs/postgresql","issues_url":"https://github.com/sous-chefs/postgresql/issues","chef_version":[[">= 13.8"]],"ohai_version":[]}
\ No newline at end of file
diff --git a/cookbooks/postgresql/metadata.rb b/cookbooks/postgresql/metadata.rb
new file mode 100644
index 0000000..d3b62f4
--- /dev/null
+++ b/cookbooks/postgresql/metadata.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+name 'postgresql'
+maintainer 'Sous Chefs'
+maintainer_email 'help@sous-chefs.org'
+license 'Apache-2.0'
+description 'Installs and configures postgresql for clients or servers'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version '7.1.3'
+source_url 'https://github.com/sous-chefs/postgresql'
+issues_url 'https://github.com/sous-chefs/postgresql/issues'
+chef_version '>= 13.8'
+
+%w(ubuntu debian fedora amazon redhat centos scientific oracle).each do |os|
+ supports os
+end
diff --git a/cookbooks/postgresql/recipes/apt_pgdg_postgresql.rb b/cookbooks/postgresql/recipes/apt_pgdg_postgresql.rb
deleted file mode 100644
index 437cf37..0000000
--- a/cookbooks/postgresql/recipes/apt_pgdg_postgresql.rb
+++ /dev/null
@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-apt_repository 'apt.postgresql.org' do
- uri 'http://apt.postgresql.org/pub/repos/apt'
- distribution "#{node['postgresql']['pgdg']['release_apt_codename']}-pgdg"
- components ['main', node['postgresql']['version']]
- key 'https://www.postgresql.org/media/keys/ACCC4CF8.asc'
- action :add
-end
diff --git a/cookbooks/postgresql/recipes/ca_certificates.rb b/cookbooks/postgresql/recipes/ca_certificates.rb
deleted file mode 100644
index 67b14ef..0000000
--- a/cookbooks/postgresql/recipes/ca_certificates.rb
+++ /dev/null
@@ -1,2 +0,0 @@
-# frozen_string_literal: true
-Chef::Log.warn('The postgresql::ca-certificates recipe has been deprecated and will be removed in the next major release of the cookbook')
diff --git a/cookbooks/postgresql/recipes/config_initdb.rb b/cookbooks/postgresql/recipes/config_initdb.rb
deleted file mode 100644
index f0d3844..0000000
--- a/cookbooks/postgresql/recipes/config_initdb.rb
+++ /dev/null
@@ -1,147 +0,0 @@
-# frozen_string_literal: true
-#
-# Cookbook:: postgresql
-# Recipe:: config_initdb
-# Author:: David Crane ()
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-#######
-# Load the locale_date_order() and select_default_timezone(tzdir)
-# methods from libraries/default.rb
-::Chef::Recipe.send(:include, Opscode::PostgresqlHelpers)
-
-#######
-# This recipe is derived from the setup_config() source code in the
-# PostgreSQL initdb utility. It determines postgresql.conf settings that
-# conform to the system's locale and timezone configuration, and also
-# sets the error reporting and logging settings.
-#
-# See http://doxygen.postgresql.org/initdb_8c_source.html for the
-# original initdb source code.
-#
-# By examining the system configuration, this recipe will set the
-# following node.default['postgresql']['config'] attributes:
-#
-# - Locale and Formatting -
-# * datestyle
-# * lc_messages
-# * lc_monetary
-# * lc_numeric
-# * lc_time
-# * default_text_search_config
-#
-# - Timezone Conversion -
-# * log_timezone
-# * timezone
-#
-# In addition, this recipe will recommend the same error reporting and
-# logging settings that initdb provided. These settings do differ from
-# the PostgreSQL default settings, which would log to stderr only. The
-# initdb settings rotate 7 days of log files named postgresql-Mon.log,
-# etc. 
through these node.default['postgresql']['config'] attributes:
-#
-# - Where to Log -
-# * log_destination = 'stderr'
-# * log_directory = 'pg_log'
-# * log_filename = 'postgresql-%a.log'
-# (Default was: postgresql-%Y-%m-%d_%H%M%S.log)
-# * logging_collector = true # on
-# (Turned on to capture stderr logging and redirect into log files)
-# (Default was: false # off)
-# * log_rotation_age = 1d
-# * log_rotation_size = 0
-# (Default was: 10MB)
-# * log_truncate_on_rotation = true # on
-# (Default was: false # off)
-
-#######
-# Locale Configuration
-
-# See libraries/default.rb for the locale_date_order() method.
-node.default['postgresql']['config']['datestyle'] = "iso, #{locale_date_order}"
-
-# According to the locale(1) manpage, the locale settings are determined
-# by environment variables according to the following precedence:
-# LC_ALL > (LC_MESSAGES, LC_MONETARY, LC_NUMERIC, LC_TIME) > LANG.
-
-node.default['postgresql']['config']['lc_messages'] =
- [ENV['LC_ALL'], ENV['LC_MESSAGES'], ENV['LANG']].compact.first
-
-node.default['postgresql']['config']['lc_monetary'] =
- [ENV['LC_ALL'], ENV['LC_MONETARY'], ENV['LANG']].compact.first
-
-node.default['postgresql']['config']['lc_numeric'] =
- [ENV['LC_ALL'], ENV['LC_NUMERIC'], ENV['LANG']].compact.first
-
-node.default['postgresql']['config']['lc_time'] =
- [ENV['LC_ALL'], ENV['LC_TIME'], ENV['LANG']].compact.first
-
-node.default['postgresql']['config']['default_text_search_config'] =
- case ENV['LANG']
- when /da_.*/
- 'pg_catalog.danish'
- when /nl_.*/
- 'pg_catalog.dutch'
- when /en_.*/
- 'pg_catalog.english'
- when /fi_.*/
- 'pg_catalog.finnish'
- when /fr_.*/
- 'pg_catalog.french'
- when /de_.*/
- 'pg_catalog.german'
- when /hu_.*/
- 'pg_catalog.hungarian'
- when /it_.*/
- 'pg_catalog.italian'
- when /no_.*/
- 'pg_catalog.norwegian'
- when /pt_.*/
- 'pg_catalog.portuguese'
- when /ro_.*/
- 'pg_catalog.romanian'
- when /ru_.*/
- 'pg_catalog.russian'
- when /es_.*/
- 'pg_catalog.spanish'
- when /sv_.*/
- 
'pg_catalog.swedish'
- when /tr_.*/
- 'pg_catalog.turkish'
- end
-
-#######
-# Timezone Configuration
-
-# Determine the name of the system's default timezone and specify node
-# defaults for the postgresql.cof settings. If the timezone cannot be
-# identified, do as initdb would do: leave it unspecified so PostgreSQL
-# uses it's internal default of GMT.
-tzdirpath = pg_TZDIR # See libraries/default.rb
-default_timezone = select_default_timezone(tzdirpath) # See libraries/default.rb
-unless default_timezone.nil?
- node.default['postgresql']['config']['log_timezone'] = default_timezone
- node.default['postgresql']['config']['timezone'] = default_timezone
-end
-
-#######
-# - Where to Log -
-node.default['postgresql']['config']['log_destination'] = 'stderr'
-node.default['postgresql']['config']['log_directory'] = 'pg_log'
-node.default['postgresql']['config']['log_filename'] = 'postgresql-%a.log'
-node.default['postgresql']['config']['logging_collector'] = true # on
-node.default['postgresql']['config']['log_rotation_age'] = '1d'
-node.default['postgresql']['config']['log_rotation_size'] = 0
-node.default['postgresql']['config']['log_truncate_on_rotation'] = true # on
diff --git a/cookbooks/postgresql/recipes/config_pgtune.rb b/cookbooks/postgresql/recipes/config_pgtune.rb
deleted file mode 100644
index f34fa67..0000000
--- a/cookbooks/postgresql/recipes/config_pgtune.rb
+++ /dev/null
@@ -1,283 +0,0 @@ -# frozen_string_literal: true -# -# Cookbook:: postgresql -# Recipe:: config_pgtune -# Author:: David Crane () -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -####### -# Load the binaryround(value) method from libraries/default.rb -::Chef::Recipe.send(:include, Opscode::PostgresqlHelpers) - -####### -# This recipe is based on Greg Smith's pgtune script (the Feb 1, 2012 -# version at https://github.com/gregs1104/pgtune). Introduction: pgtune -# takes the wimpy default postgresql.conf and expands the database -# server to be as powerful as the hardware it's being deployed on. -# -# The default postgresql.conf aims at a system with approximately 128MB -# of RAM. This recipe recommends a baseline configuration in the right -# general range for a dedicated Postgresql system. -# -# This recipe takes three optional parameters that may be passed in as -# node['postgresql']['config_pgtune'] attributes: -# * db_type -- Specifies database type as one of: dw, oltp, -# web, mixed, desktop. If not specified, the default is mixed. -# * max_connections -- Specifies number of maximum connections -# expected. If not specified, it depends on database type. -# * total_memory -- Specifies total system memory. If not specified, -# it will be detected from the Ohai automatic attributes. 
-# -# Using those inputs, this recipe will compute and set the following -# node.default['postgresql']['config'] attributes: -# * max_connections -# * shared_buffers -# * effective_cache_size -# * work_mem -# * maintenance_work_mem -# * checkpoint_segments -# * checkpoint_completion_target -# * wal_buffers -# * default_statistics_target -# -# This recipe deviates from the original pgtune script for 2 settings: -# shared_buffers is capped for large memory systems (which Greg -# mentioned in a TODO.rst) and wal_buffers will auto-tune starting with -# 9.1 (which is a feature that Greg built into Postgresql). - -####### -# These are the workload characteristics of the five database types -# that can be specified as node['postgresql']['config_pgtune']['db_type']: -# -# dw -- Data Warehouse -# * Typically I/O- or RAM-bound -# * Large bulk loads of data -# * Large complex reporting queries -# * Also called "Decision Support" or "Business Intelligence" -# -# oltp -- Online Transaction Processing -# * Typically CPU- or I/O-bound -# * DB slightly larger than RAM to 1TB -# * 20-40% small data write queries -# * Some long transactions and complex read queries -# -# web -- Web Application -# * Typically CPU-bound -# * DB much smaller than RAM -# * 90% or more simple queries -# -# mixed -- Mixed DW and OLTP characteristics -# * A wide mixture of queries -# -# desktop -- Not a dedicated database -# * A general workstation, perhaps for a developer - -# Parse out db_type option, or use default. 
-db_type = 'mixed' - -if node['postgresql'].attribute?('config_pgtune') && node['postgresql']['config_pgtune'].attribute?('db_type') - db_type = node['postgresql']['config_pgtune']['db_type'] - unless %w(dw oltp web mixed desktop).include?(db_type) - Chef::Log.fatal([ - "Bad value (#{db_type})", - "for node['postgresql']['config_pgtune']['db_type'] attribute.", - 'Valid values are one of dw, oltp, web, mixed, desktop.', - ].join(' ')) - raise - end -end - -# Parse out max_connections option, or use a value based on db_type. -con = - { 'web' => 200, - 'oltp' => 300, - 'dw' => 20, - 'mixed' => 80, - 'desktop' => 5, - }.fetch(db_type) - -if node['postgresql'].attribute?('config_pgtune') && node['postgresql']['config_pgtune'].attribute?('max_connections') - max_connections = node['postgresql']['config_pgtune']['max_connections'].to_i - if max_connections <= 0 - Chef::Log.fatal([ - "Bad value (#{max_connections})", - "for node['postgresql']['config_pgtune']['max_connections'] attribute.", - 'Valid values are non-zero integers only.', - ].join(' ')) - raise - end - con = max_connections -end - -# Parse out total_memory option, or use value detected by Ohai. -total_memory = node['memory']['total'] - -# Override max_connections with a node attribute if DevOps desires. -# For example, on a system *not* dedicated to Postgresql. -if node['postgresql'].attribute?('config_pgtune') && node['postgresql']['config_pgtune'].attribute?('total_memory') - total_memory = node['postgresql']['config_pgtune']['total_memory'] - if total_memory.match(/\A[1-9]\d*kB\Z/).nil? 
- Chef::Application.fatal!([ - "Bad value (#{total_memory})", - "for node['postgresql']['config_pgtune']['total_memory'] attribute.", - 'Valid values are non-zero integers followed by kB (e.g., 49416564kB).', - ].join(' ')) - end -end - -# Ohai reports node[:memory][:total] in kB, as in "921756kB" -mem = total_memory.split('kB')[0].to_i / 1024 # in MB - -####### -# RAM-related settings computed as in Greg Smith's pgtune script. -# Remember that con and mem were either chosen above based on the -# db_type or the actual total memory, or were passed in attributes. - -# (1) max_connections -# Sets the maximum number of concurrent connections. -node.default['postgresql']['config']['max_connections'] = con - -# The calculations for the next four settings would not be optimal -# for low memory systems. In that case, the calculation is skipped, -# leaving the built-in Postgresql settings, which are actually -# intended for those low memory systems. -if mem >= 256 - - # (2) shared_buffers - # Sets the number of shared memory buffers used by the server. - shared_buffers = - { 'web' => mem / 4, - 'oltp' => mem / 4, - 'dw' => mem / 4, - 'mixed' => mem / 4, - 'desktop' => mem / 16, - }.fetch(db_type) - - # Robert Haas has advised to cap the size of shared_buffers based on - # the memory architecture: 2GB on 32-bit and 8GB on 64-bit machines. - # http://rhaas.blogspot.com/2012/03/tuning-sharedbuffers-and-walbuffers.html - case node['kernel']['machine'] - when 'i386' # 32-bit machines - shared_buffers = 2 * 1024 if shared_buffers > 2 * 1024 - when 'x86_64' # 64-bit machines - shared_buffers = 8 * 1024 if shared_buffers > 8 * 1024 - end - - node.default['postgresql']['config']['shared_buffers'] = binaryround(shared_buffers * 1024 * 1024) - - # (3) effective_cache_size - # Sets the planner's assumption about the size of the disk cache. - # That is, the portion of the kernel's disk cache that will be - # used for PostgreSQL data files. 
- effective_cache_size = - { 'web' => mem * 3 / 4, - 'oltp' => mem * 3 / 4, - 'dw' => mem * 3 / 4, - 'mixed' => mem * 3 / 4, - 'desktop' => mem / 4, - }.fetch(db_type) - - node.default['postgresql']['config']['effective_cache_size'] = binaryround(effective_cache_size * 1024 * 1024) - - # (4) work_mem - # Sets the maximum memory to be used for query workspaces. - mem_con_v = (mem.to_f / con).ceil - - work_mem = - { 'web' => mem_con_v, - 'oltp' => mem_con_v, - 'dw' => mem_con_v / 2, - 'mixed' => mem_con_v / 2, - 'desktop' => mem_con_v / 6, - }.fetch(db_type) - - node.default['postgresql']['config']['work_mem'] = binaryround(work_mem * 1024 * 1024) - - # (5) maintenance_work_mem - # Sets the maximum memory to be used for maintenance operations. - # This includes operations such as VACUUM and CREATE INDEX. - maintenance_work_mem = - { 'web' => mem / 16, - 'oltp' => mem / 16, - 'dw' => mem / 8, - 'mixed' => mem / 16, - 'desktop' => mem / 16, - }.fetch(db_type) - - # Cap maintenence RAM at 1GB on servers with lots of memory - maintenance_work_mem = 1 * 1024 if maintenance_work_mem > 1 * 1024 - - node.default['postgresql']['config']['maintenance_work_mem'] = binaryround(maintenance_work_mem * 1024 * 1024) - -end - -####### -# Checkpoint-related parameters that affect transaction rate and -# maximum tolerable recovery playback time. - -# (6) checkpoint_segments -# Sets the maximum distance in log segments between automatic WAL checkpoints. -checkpoint_segments = - { 'web' => 8, - 'oltp' => 16, - 'dw' => 64, - 'mixed' => 16, - 'desktop' => 3, - }.fetch(db_type) - -if node['postgresql']['version'].to_f >= 9.5 - node.default['postgresql']['config']['max_wal_size'] = ((3 * checkpoint_segments) * 16).to_s + 'MB' -else - node.default['postgresql']['config']['checkpoint_segments'] = checkpoint_segments -end - -# (7) checkpoint_completion_target -# Time spent flushing dirty buffers during checkpoint, as fraction -# of checkpoint interval. 
-checkpoint_completion_target = - { 'web' => '0.7', - 'oltp' => '0.9', - 'dw' => '0.9', - 'mixed' => '0.9', - 'desktop' => '0.5', - }.fetch(db_type) - -node.default['postgresql']['config']['checkpoint_completion_target'] = checkpoint_completion_target - -# (8) wal_buffers -# Sets the number of disk-page buffers in shared memory for WAL. -# Starting with 9.1, wal_buffers will auto-tune if set to the -1 default. -# For 8.X and 9.0, it needed to be specified, which pgtune did as follows. -if node['postgresql']['version'].to_f < 9.1 - wal_buffers = 512 * checkpoint_segments - # The pgtune seems to use 1kB units for wal_buffers - node.default['postgresql']['config']['wal_buffers'] = binaryround(wal_buffers * 1024) -else - node.default['postgresql']['config']['wal_buffers'] = '-1' -end - -# (9) default_statistics_target -# Sets the default statistics target. This applies to table columns -# that have not had a column-specific target set via -# ALTER TABLE SET STATISTICS. -default_statistics_target = - { 'web' => 100, - 'oltp' => 100, - 'dw' => 500, - 'mixed' => 100, - 'desktop' => 100, - }.fetch(db_type) - -node.default['postgresql']['config']['default_statistics_target'] = default_statistics_target diff --git a/cookbooks/postgresql/recipes/contrib.rb b/cookbooks/postgresql/recipes/contrib.rb deleted file mode 100644 index 8990b58..0000000 --- a/cookbooks/postgresql/recipes/contrib.rb +++ /dev/null 
@@ -1,33 +0,0 @@
-# frozen_string_literal: true
-#
-# Cookbook:: postgresql
-# Recipe:: contrib
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-db_name = node['postgresql']['database_name']
-
-# Install the PostgreSQL contrib package(s) from the distribution,
-# as specified by the node attributes.
-package node['postgresql']['contrib']['packages']
-
-include_recipe 'postgresql::server'
-
-# Install PostgreSQL contrib extentions into the database, as specified by the
-# node attribute node['postgresql']['database_name'].
-if node['postgresql']['contrib'].attribute?('extensions')
- node['postgresql']['contrib']['extensions'].each do |pg_ext|
- postgresql_extension "#{db_name}/#{pg_ext}"
- end
-end
diff --git a/cookbooks/postgresql/recipes/default.rb b/cookbooks/postgresql/recipes/default.rb
deleted file mode 100644
index 0a25b15..0000000
--- a/cookbooks/postgresql/recipes/default.rb
+++ /dev/null
@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-#
-# Cookbook:: postgresql
-# Recipe:: default
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-include_recipe 'postgresql::client'
diff --git a/cookbooks/postgresql/recipes/ruby.rb b/cookbooks/postgresql/recipes/ruby.rb
deleted file mode 100644
index 2ab4bdc..0000000
--- a/cookbooks/postgresql/recipes/ruby.rb
+++ /dev/null
@@ -1,125 +0,0 @@ -# frozen_string_literal: false -# -# Cookbook:: postgresql -# Recipe:: ruby -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# Load the pgdgrepo_rpm_info method from libraries/default.rb -::Chef::Recipe.send(:include, Opscode::PostgresqlHelpers) - -begin - require 'pg' -rescue LoadError - if platform_family?('debian') - e = apt_update 'update' do - action :nothing - end - e.run_action(:update) - end - - node.override['build-essential']['compile_time'] = true - include_recipe 'build-essential' - - if node['postgresql']['enable_pgdg_yum'] && platform_family?('rhel', 'fedora') - include_recipe 'postgresql::yum_pgdg_postgresql' - - rpm_platform = node['platform'] - rpm_platform_version = node['platform_version'].to_i.to_s - arch = node['kernel']['machine'] - - resources("remote_file[#{Chef::Config[:file_cache_path]}/#{node['postgresql']['pgdg']['repo_rpm_url'][node['postgresql']['version']][rpm_platform][rpm_platform_version][arch]['package']}]").run_action(:create) - resources("package[#{node['postgresql']['pgdg']['repo_rpm_url'][node['postgresql']['version']][rpm_platform][rpm_platform_version][arch]['package']}]").run_action(:install) - - ENV['PATH'] = "/usr/pgsql-#{node['postgresql']['version']}/bin:#{ENV['PATH']}" - end - - if node['postgresql']['enable_pgdg_apt'] && platform_family?('debian') - include_recipe 'postgresql::apt_pgdg_postgresql' - resources('apt_repository[apt.postgresql.org]').run_action(:add) - end - - include_recipe 
'postgresql::client' - - package node['postgresql']['client']['packages'] do - action :nothing - end.run_action(:install) - - begin - chef_gem 'pg' do - compile_time true - version node['postgresql']['pg_gem']['version'] if node['postgresql']['pg_gem']['version'] - end - rescue Gem::Installer::ExtensionBuildError, Mixlib::ShellOut::ShellCommandFailed => e - # Are we an omnibus install? - raise if RbConfig.ruby.scan(/(chef|opscode)/).empty? - # Still here, must be omnibus. Lets make this thing install! - Chef::Log.warn 'Failed to properly build pg gem. Forcing properly linking and retrying (omnibus fix)' - gem_dir = e.message.scan(/will remain installed in ([^ ]+)/).flatten.first - raise unless gem_dir - gem_name = File.basename(gem_dir) - ext_dir = File.join(gem_dir, 'ext') - gem_exec = File.join(File.dirname(RbConfig.ruby), 'gem') - new_content = <<-EOS -require 'rbconfig' -%w( -configure_args -LIBRUBYARG_SHARED -LIBRUBYARG_STATIC -LIBRUBYARG -LDFLAGS -).each do |key| - RbConfig::CONFIG[key].gsub!(/-Wl[^ ]+( ?\\/[^ ]+)?/, '') - RbConfig::MAKEFILE_CONFIG[key].gsub!(/-Wl[^ ]+( ?\\/[^ ]+)?/, '') -end -RbConfig::CONFIG['RPATHFLAG'] = '' -RbConfig::MAKEFILE_CONFIG['RPATHFLAG'] = '' -EOS - new_content << File.read(extconf_path = File.join(ext_dir, 'extconf.rb')) - File.open(extconf_path, 'w') do |file| - file.write(new_content) - end - - lib_builder = execute 'generate pg gem Makefile' do - # [COOK-3490] pg gem install requires full path on RHEL - command "PATH=$PATH:/usr/pgsql-#{node['postgresql']['version']}/bin #{RbConfig.ruby} extconf.rb" - cwd ext_dir - action :nothing - end - lib_builder.run_action(:run) - - lib_maker = execute 'make pg gem lib' do - command 'make' - cwd ext_dir - action :nothing - end - lib_maker.run_action(:run) - - lib_installer = execute 'install pg gem lib' do - command 'make install' - cwd ext_dir - action :nothing - end - lib_installer.run_action(:run) - - spec_installer = execute 'install pg spec' do - command "#{gem_exec} spec 
./cache/#{gem_name}.gem --ruby > ./specifications/#{gem_name}.gemspec" - cwd File.join(gem_dir, '..', '..') - action :nothing - end - spec_installer.run_action(:run) - - Chef::Log.warn 'Installation of pg gem successful!' - end -end diff --git a/cookbooks/postgresql/recipes/server.rb b/cookbooks/postgresql/recipes/server.rb deleted file mode 100644 index 58c5419..0000000 --- a/cookbooks/postgresql/recipes/server.rb +++ /dev/null 
@@ -1,95 +0,0 @@ -# frozen_string_literal: true -# -# Cookbook:: postgresql -# Recipe:: server -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -::Chef::Recipe.send(:include, OpenSSLCookbook::RandomPassword) - -include_recipe 'postgresql::client' - -# randomly generate postgres password, unless using solo - see README -if Chef::Config[:solo] - missing_attrs = %w( - postgres - ).select do |attr| - node['postgresql']['password'][attr].nil? - end.map { |attr| "node['postgresql']['password']['#{attr}']" } - - unless missing_attrs.empty? - Chef::Log.fatal([ - "You must set #{missing_attrs.join(', ')} in chef-solo mode.", - 'For more information, see https://github.com/opscode-cookbooks/postgresql#chef-solo-note', - ].join(' ')) - raise - end -else - # TODO: The "secure_password" is randomly generated plain text, so it - # should be converted to a PostgreSQL specific "encrypted password" if - # it should actually install a password (as opposed to disable password - # login for user 'postgres'). However, a random password wouldn't be - # useful if it weren't saved as clear text in Chef Server for later - # retrieval. - unless node.key?('postgresql') && node['postgresql'].key?('password') && node['postgresql']['password'].key?('postgres') - node.normal_unless['postgresql']['password']['postgres'] = random_password(length: 20, mode: :base64) - node.save - end -end - -# Include the right "family" recipe for installing the server -# since they do things slightly differently. 
-case node['platform_family'] -when 'rhel', 'fedora' - node.normal['postgresql']['dir'] = "/var/lib/pgsql/#{node['postgresql']['version']}/data" - node.normal['postgresql']['config']['data_directory'] = "/var/lib/pgsql/#{node['postgresql']['version']}/data" - include_recipe 'postgresql::server_redhat' -when 'debian' - node.normal['postgresql']['config']['data_directory'] = "/var/lib/postgresql/#{node['postgresql']['version']}/main" - include_recipe 'postgresql::server_debian' -when 'suse' - node.normal['postgresql']['config']['data_directory'] = node['postgresql']['dir'] - include_recipe 'postgresql::server_redhat' -end - -# Versions prior to 9.2 do not have a config file option to set the SSL -# key and cert path, and instead expect them to be in a specific location. - -link ::File.join(node['postgresql']['config']['data_directory'], 'server.crt') do - to node['postgresql']['config']['ssl_cert_file'] - only_if { node['postgresql']['version'].to_f < 9.2 && node['postgresql']['config'].attribute?('ssl_cert_file') } -end - -link ::File.join(node['postgresql']['config']['data_directory'], 'server.key') do - to node['postgresql']['config']['ssl_key_file'] - only_if { node['postgresql']['version'].to_f < 9.2 && node['postgresql']['config'].attribute?('ssl_key_file') } -end - -# NOTE: Consider two facts before modifying "assign-postgres-password": -# (1) Passing the "ALTER ROLE ..." through the psql command only works -# if passwordless authorization was configured for local connections. -# For example, if pg_hba.conf has a "local all postgres ident" rule. -# (2) It is probably fruitless to optimize this with a not_if to avoid -# setting the same password. This chef recipe doesn't have access to -# the plain text password, and testing the encrypted (md5 digest) -# version is not straight-forward. 
-bash 'assign-postgres-password' do - user 'postgres' - code <<-EOH - echo "ALTER ROLE postgres ENCRYPTED PASSWORD \'#{node['postgresql']['password']['postgres']}\';" | psql -p #{node['postgresql']['config']['port']} - EOH - action :run - not_if "ls #{node['postgresql']['config']['data_directory']}/recovery.conf" - only_if { node['postgresql']['assign_postgres_password'] } -end diff --git a/cookbooks/postgresql/recipes/server_conf.rb b/cookbooks/postgresql/recipes/server_conf.rb deleted file mode 100644 index f9d284f..0000000 --- a/cookbooks/postgresql/recipes/server_conf.rb +++ /dev/null 
@@ -1,55 +0,0 @@ -# frozen_string_literal: true -# -# Cookbook:: postgresql -# Recipe:: server -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -change_notify = node['postgresql']['server']['config_change_notify'] - -# There are some configuration items which depend on correctly evaluating the intended version being installed -if node['platform_family'] == 'debian' - - node.normal['postgresql']['config']['hba_file'] = "/etc/postgresql/#{node['postgresql']['version']}/main/pg_hba.conf" - node.normal['postgresql']['config']['ident_file'] = "/etc/postgresql/#{node['postgresql']['version']}/main/pg_ident.conf" - node.normal['postgresql']['config']['external_pid_file'] = "/var/run/postgresql/#{node['postgresql']['version']}-main.pid" - - if node['postgresql']['version'].to_f < 9.3 - node.normal['postgresql']['config']['unix_socket_directory'] = '/var/run/postgresql' - else - node.normal['postgresql']['config']['unix_socket_directories'] = '/var/run/postgresql' - end - - if node['postgresql']['config']['ssl'] - node.normal['postgresql']['config']['ssl_cert_file'] = '/etc/ssl/certs/ssl-cert-snakeoil.pem' if node['postgresql']['version'].to_f >= 9.2 - node.normal['postgresql']['config']['ssl_key_file'] = '/etc/ssl/private/ssl-cert-snakeoil.key' if node['postgresql']['version'].to_f >= 9.2 - end - -end - -template "#{node['postgresql']['dir']}/postgresql.conf" do - source 'postgresql.conf.erb' - owner 'postgres' - group 'postgres' - mode '0600' - notifies change_notify, 
'service[postgresql]', :immediately -end - -template "#{node['postgresql']['dir']}/pg_hba.conf" do - source 'pg_hba.conf.erb' - owner 'postgres' - group 'postgres' - mode '0600' - notifies change_notify, 'service[postgresql]', :immediately -end diff --git a/cookbooks/postgresql/recipes/server_debian.rb b/cookbooks/postgresql/recipes/server_debian.rb deleted file mode 100644 index 292b805..0000000 --- a/cookbooks/postgresql/recipes/server_debian.rb +++ /dev/null @@ -1,35 +0,0 @@ -# frozen_string_literal: true -# -# Cookbook:: postgresql -# Recipe:: server -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -include_recipe 'postgresql::client' - -package node['postgresql']['server']['packages'] - -include_recipe 'postgresql::server_conf' - -service 'postgresql' do - service_name node['postgresql']['server']['service_name'] - supports restart: true, status: true, reload: true - action [:enable, :start] -end - -execute 'Set locale and Create cluster' do - command 'export LC_ALL=C; /usr/bin/pg_createcluster --start ' + node['postgresql']['version'] + ' main' - action :run - not_if { ::File.directory?('/etc/postgresql/' + node['postgresql']['version'] + '/main') } -end diff --git a/cookbooks/postgresql/recipes/server_redhat.rb b/cookbooks/postgresql/recipes/server_redhat.rb deleted file mode 100644 index 45c9309..0000000 --- a/cookbooks/postgresql/recipes/server_redhat.rb +++ /dev/null 
@@ -1,140 +0,0 @@ -# frozen_string_literal: true -# -# Cookbook:: postgresql -# Recipe:: server -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -include_recipe 'postgresql::client' - -svc_name = node['postgresql']['server']['service_name'] -initdb_locale = node['postgresql']['initdb_locale'] - -shortver = node['postgresql']['version'].split('.').join - -# Create a group and user like the package will. -# Otherwise the templates fail. - -group 'postgres' do - gid node['postgresql']['gid'] -end - -user 'postgres' do - shell '/bin/bash' - comment 'PostgreSQL Server' - home '/var/lib/pgsql' - gid 'postgres' - system true - uid node['postgresql']['uid'] - manage_home false -end - -directory node['postgresql']['config']['data_directory'] do - owner 'postgres' - group 'postgres' - recursive true - action :create - mode '0700' -end - -package node['postgresql']['server']['packages'] - -# If using PGDG, add symlinks so that downstream commands all work -if node['postgresql']['enable_pgdg_yum'] == true || node['postgresql']['use_pgdg_packages'] == true - [ - "postgresql#{shortver}-setup", - "postgresql#{shortver}-check-db-dir", - ].each do |cmd| - link "/usr/bin/#{cmd}" do - to "/usr/pgsql-#{node['postgresql']['version']}/bin/#{cmd}" - end - end -end - -# The systemd unit file does not support 'initdb' or 'upgrade' actions. -# Use the postgresql-setup script instead. 
- -unless node['postgresql']['server']['init_package'] == 'systemd' - - directory '/etc/sysconfig/pgsql' do - mode '0644' - recursive true - action :create - end - - template "/etc/sysconfig/pgsql/#{svc_name}" do - source 'pgsql.sysconfig.erb' - mode '0644' - notifies :restart, 'service[postgresql]', :delayed - end - -end - -if node['postgresql']['server']['init_package'] == 'systemd' - - if node['platform_family'] == 'rhel' - - template_path = if node['postgresql']['use_pgdg_packages'] - "/etc/systemd/system/postgresql-#{node['postgresql']['version']}.service" - else - '/etc/systemd/system/postgresql.service' - end - - template template_path do - source 'postgresql.service.erb' - owner 'root' - group 'root' - mode '0644' - notifies :run, 'execute[systemctl-reload]', :immediately - notifies :reload, 'service[postgresql]', :delayed - end - execute 'systemctl-reload' do - command 'systemctl daemon-reload' - action :nothing - end - end - - case node['platform_family'] - when 'suse' - execute "initdb -d #{node['postgresql']['dir']}" do - user 'postgres' - not_if { ::File.exist?("#{node['postgresql']['config']['data_directory']}/PG_VERSION") } - end - else - execute "#{node['postgresql']['setup_script']} initdb #{svc_name}" do - not_if { ::File.exist?("#{node['postgresql']['config']['data_directory']}/PG_VERSION") } - end - end - -elsif !platform_family?('suse') && node['postgresql']['version'].to_f <= 9.3 - - execute "/sbin/service #{svc_name} initdb #{initdb_locale}" do - not_if { ::File.exist?("#{node['postgresql']['config']['data_directory']}/PG_VERSION") } - end - -else - - execute "/sbin/service #{svc_name} initdb" do - not_if { ::File.exist?("#{node['postgresql']['config']['data_directory']}/PG_VERSION") } - end - -end - -service 'postgresql' do - service_name svc_name - supports restart: true, status: true, reload: true - action [:enable, :start] -end - -include_recipe 'postgresql::server_conf' 
diff --git a/cookbooks/postgresql/recipes/yum_pgdg_postgresql.rb b/cookbooks/postgresql/recipes/yum_pgdg_postgresql.rb
deleted file mode 100644
index 0e03b72..0000000
--- a/cookbooks/postgresql/recipes/yum_pgdg_postgresql.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-# frozen_string_literal: true
-#
-# Cookbook:: postgresql
-# Recipe::yum_pgdg_postgresql
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-######################################
-# Install the "PostgreSQL RPM Building Project - Yum Repository"
-
-rpm_platform = node['platform']
-rpm_platform_version = node['platform_version'].to_f.to_i.to_s
-arch = node['kernel']['machine']
-pg_version = node['postgresql']['version']
-pgdg_setup = node['postgresql']['pgdg']['repo_rpm_url'][pg_version][rpm_platform][rpm_platform_version][arch]
-pgdg_package = pgdg_setup['package']
-pgdg_repository = pgdg_setup['url']
-
-# Download the PGDG repository RPM as a local file
-remote_file "#{Chef::Config[:file_cache_path]}/#{pgdg_package}" do
- source "#{pgdg_repository}#{pgdg_package}"
- mode '0644'
-end
-
-# Install the PGDG repository RPM from the local file
-package pgdg_package.to_s do
- provider Chef::Provider::Package::Rpm
- source "#{Chef::Config[:file_cache_path]}/#{pgdg_package}"
- action :install
-end
diff --git a/cookbooks/postgresql/resources/access.rb b/cookbooks/postgresql/resources/access.rb
new file mode 100644
index 0000000..56d69cc
--- /dev/null
+++ b/cookbooks/postgresql/resources/access.rb
@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+#
+# Cookbook:: postgresql
+# Resource:: access
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+property :access_type, String, required: true, default: 'local'
+property :access_db, String, required: true, default: 'all'
+property :access_user, String, required: true, default: 'postgres'
+property :access_method, String, required: true, default: 'ident'
+property :cookbook, String, default: 'postgresql'
+property :source, String, default: 'pg_hba.conf.erb'
+property :access_addr, String
+property :comment, String
+
+action :grant do
+ config_resource = new_resource
+ with_run_context :root do # ~FC037
+ edit_resource(:template, "#{conf_dir}/pg_hba.conf") do |new_resource|
+ source new_resource.source
+ cookbook new_resource.cookbook
+ owner 'postgres'
+ group 'postgres'
+ mode '0600'
+ variables[:pg_hba] ||= {}
+ variables[:pg_hba][new_resource.name] = {
+ comment: new_resource.comment,
+ type: new_resource.access_type,
+ db: new_resource.access_db,
+ user: new_resource.access_user,
+ addr: new_resource.access_addr,
+ method: new_resource.access_method,
+ }
+ action :nothing
+ delayed_action :create
+ notifies :trigger, config_resource, :immediately
+ end
+ end
+end
+
+action :trigger do
+ new_resource.updated_by_last_action(true) # ~FC085
+end
+
+action_class do
+ include PostgresqlCookbook::Helpers
+end
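Review bot: Inside `edit_resource(:template, ...) do |new_resource|` the block parameter shadows the outer `new_resource`, so `source new_resource.source`, `cookbook new_resource.cookbook`, the `variables[:pg_hba][new_resource.name]` key and the `access_*`/`comment` reads all resolve against whatever the block is yielded (presumably the template resource, which has no `access_type`), not against the `postgresql_access` resource being granted. `config_resource` is captured on the line above for exactly this purpose and the reads inside the block should use it, e.g. `source config_resource.source` and `variables[:pg_hba][config_resource.name] = {`. Keying by `config_resource.name` also matters because every `postgresql_access` edits the same template resource and must not overwrite another's entry. The same `ident_resource`/`|new_resource|` pattern appears in `resources/ident.rb` later in this series.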
diff --git a/cookbooks/postgresql/recipes/client.rb b/cookbooks/postgresql/resources/client_install.rb similarity index 55% rename from cookbooks/postgresql/recipes/client.rb rename to cookbooks/postgresql/resources/client_install.rb index 2158e48..2698d00 100644 --- a/cookbooks/postgresql/recipes/client.rb +++ b/cookbooks/postgresql/resources/client_install.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true # # Cookbook:: postgresql -# Recipe:: client +# Resource:: client_install # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,19 +16,20 @@ # limitations under the License. # -case node['platform_family'] -when 'debian' - if node['postgresql']['version'].to_f > 9.3 - node.normal['postgresql']['enable_pgdg_apt'] = true +property :version, String, default: '9.6' +property :setup_repo, [true, false], default: true + +action :install do + postgresql_repository 'Add downloads.postgresql.org repository' do + version new_resource.version + only_if { new_resource.setup_repo } end - if node['postgresql']['enable_pgdg_apt'] - include_recipe 'postgresql::apt_pgdg_postgresql' - end -when 'rhel', 'fedora' - if node['postgresql']['enable_pgdg_yum'] - include_recipe 'postgresql::yum_pgdg_postgresql' + case node['platform_family'] + when 'debian' + package "postgresql-client-#{new_resource.version}" + when 'rhel', 'fedora', 'amazon' + ver = new_resource.version.delete('.') + package "postgresql#{ver}" end end - -package node['postgresql']['client']['packages'] diff --git a/cookbooks/postgresql/resources/database.rb b/cookbooks/postgresql/resources/database.rb new file mode 100644 index 0000000..be2a813 --- /dev/null +++ b/cookbooks/postgresql/resources/database.rb 
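Review bot: The `case node['platform_family']` in the new `:install` action has no `else`, so on any other family the action silently installs nothing, whereas `resources/repository.rb` in this series raises a clear error for unsupported platforms; `else raise "platform_family '#{node['platform_family']}' is not supported by postgresql_client_install"` would keep the two resources consistent. On `rhel`/`fedora`/`amazon` the package name `postgresql#{ver}` (e.g. `postgresql96`) follows the PGDG naming, so with `setup_repo false` the install presumably fails unless that repository is already configured; a comment on `setup_repo` saying so would help callers.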
@@ -0,0 +1,67 @@ +# +# Cookbook:: postgresql +# Resource:: database +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +property :template, String, default: 'template1' +property :encoding, String, default: 'UTF-8' +property :locale, String, default: 'en_US.UTF-8' +property :owner, String + +# Connection prefernces +property :user, String, default: 'postgres' +property :database, String, name_property: true +property :host, [String, nil], default: nil +property :port, Integer, default: 5432 + +action :create do + createdb = 'createdb' + createdb << " -E #{new_resource.encoding}" if new_resource.encoding + createdb << " -l #{new_resource.locale}" if new_resource.locale + createdb << " -T #{new_resource.template}" unless new_resource.template.empty? + createdb << " -O #{new_resource.owner}" if new_resource.owner + createdb << " -U #{new_resource.user}" if new_resource.user + createdb << " -h #{new_resource.host}" if new_resource.host + createdb << " -p #{new_resource.port}" if new_resource.port + createdb << " #{new_resource.database}" + + bash "Create Database #{new_resource.database}" do + code createdb + user new_resource.user + not_if { follower? 
} + not_if { database_exists?(new_resource) } + end +end + +action :drop do + converge_by "Drop PostgreSQL Database #{new_resource.database}" do + dropdb = 'dropdb' + dropdb << " -U #{new_resource.user}" if new_resource.user + dropdb << " --host #{new_resource.host}" if new_resource.host + dropdb << " --port #{new_resource.port}" if new_resource.port + dropdb << " #{new_resource.database}" + + bash "drop postgresql database #{new_resource.database})" do + user 'postgres' + code dropdb + not_if { follower? } + only_if { database_exists?(new_resource) } + end + end +end + +action_class do + include PostgresqlCookbook::Helpers +end diff --git a/cookbooks/postgresql/resources/extension.rb b/cookbooks/postgresql/resources/extension.rb index 5a279c3..fb104dd 100644 --- a/cookbooks/postgresql/resources/extension.rb +++ b/cookbooks/postgresql/resources/extension.rb @@ -1,4 +1,3 @@ -# frozen_string_literal: true # # Cookbook:: postgresql # Resource:: extension 
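Review bot: The `bash` resource name in the `:drop` action has a stray closing parenthesis, `bash "drop postgresql database #{new_resource.database})"`, which should be `bash "drop postgresql database #{new_resource.database}"`. The two actions also disagree on the OS user: `:create` runs as `user new_resource.user` while `:drop` hard-codes `user 'postgres'`; `new_resource.user` is already passed as `-U` in both command strings, so the shell user should be the same in both. Both strings interpolate `database`, `owner`, `locale`, `encoding` and `host` unquoted into a shell command, so a value with whitespace or shell metacharacters breaks or changes the command; if these can come from anything but literal recipe values, `Shellwords.escape` on each, or a comment stating that expectation, is warranted. The comment `# Connection prefernces` should read `# Connection preferences` (same typo in extension.rb and user.rb).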
@@ -16,42 +15,35 @@ # limitations under the License. # -include Opscode::PostgresqlHelpers +property :extension, String, name_property: true +property :old_version, String +property :version, String -# name property should take the form: -# database/extension - -property :database, String, - required: true, - default: lazy { name.scan(%r{\A[^/]+(?=/)}).first } - -property :extension, String, - required: true, - default: lazy { name.scan(%r{(?<=/)[^/]+\Z}).first } +# Connection prefernces +property :user, String, default: 'postgres' +property :database, String, required: true +property :host, [String, nil] +property :port, Integer, default: 5432 action :create do - bash "CREATE EXTENSION #{name}" do - code psql("CREATE EXTENSION IF NOT EXISTS \"#{extension}\"") + bash "CREATE EXTENSION #{new_resource.name}" do + code create_extension_sql(new_resource) user 'postgres' action :run - not_if { extension_installed? } + not_if { follower? || extension_installed?(new_resource) } end end action :drop do - bash "DROP EXTENSION #{name}" do - code psql("DROP EXTENSION IF EXISTS \"#{extension}\"") + bash "DROP EXTENSION #{new_resource.name}" do + code psql_command_string(new_resource, "DROP EXTENSION IF EXISTS \"#{new_resource.extension}\"") user 'postgres' action :run - only_if { extension_installed? } + not_if { follower? } + only_if { extension_installed?(new_resource) } end end -def psql(query) - "psql -d #{database} <<< '\\set ON_ERROR_STOP on\n#{query};'" -end - -def extension_installed? - query = "SELECT 'installed' FROM pg_extension WHERE extname = '#{extension}';" - !(execute_sql(query, database) =~ /^installed$/).nil? +action_class do + include PostgresqlCookbook::Helpers end diff --git a/cookbooks/postgresql/resources/ident.rb b/cookbooks/postgresql/resources/ident.rb new file mode 100644 index 0000000..ba677f0 --- /dev/null +++ b/cookbooks/postgresql/resources/ident.rb 
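Review bot: The `user` property (default `'postgres'`) introduced in this hunk is never read by either action, both of which hard-code `user 'postgres'` on the `bash` resource, so setting `user` on a `postgresql_extension` changes nothing unless `create_extension_sql`/`psql_command_string` (outside this diff) pass it as `-U`; either use it, `user new_resource.user`, or drop the property. The `:drop` action still interpolates `new_resource.extension` into `DROP EXTENSION IF EXISTS \"...\"` with no escaping of embedded double quotes, so the name must be a bare identifier; enforcing that on the property (`regex:` validation) or documenting it would keep that assumption visible.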
@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+#
+# Cookbook:: postgresql
+# Resource:: access
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+property :mapname, String, required: true
+property :source, String, default: 'pg_ident.conf.erb'
+property :cookbook, String, default: 'postgresql'
+property :system_user, String, required: true
+property :pg_user, String, required: true
+property :comment, [String, nil], default: nil
+
+action :create do
+ ident_resource = new_resource
+ with_run_context :root do # ~FC037
+ edit_resource(:template, "#{conf_dir}/pg_ident.conf") do |new_resource|
+ source new_resource.source
+ cookbook new_resource.cookbook
+ owner 'postgres'
+ group 'postgres'
+ mode '0640'
+ variables[:pg_ident] ||= {}
+ variables[:pg_ident][new_resource.name] = {
+ comment: new_resource.comment,
+ mapname: new_resource.mapname,
+ system_user: new_resource.system_user,
+ pg_user: new_resource.pg_user,
+ }
+ action :nothing
+ delayed_action :create
+ notifies :trigger, ident_resource, :immediately
+ end
+ end
+end
+
+action :trigger do
+ new_resource.updated_by_last_action(true) # ~FC085
+end
+
+action_class do
+ include PostgresqlCookbook::Helpers
+end
diff --git a/cookbooks/postgresql/resources/repository.rb b/cookbooks/postgresql/resources/repository.rb
new file mode 100644
index 0000000..7040c6b
--- /dev/null
+++ b/cookbooks/postgresql/resources/repository.rb
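Review bot: The file header says `# Resource:: access` but this file defines the ident resource; it should read `# Resource:: ident`. The rendered `pg_ident.conf` gets `mode '0640'` while the companion `pg_hba.conf` template in `resources/access.rb` uses `mode '0600'`; both files are read only by the `postgres` user, so the two should agree, or the reason for the difference should be stated in a comment.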
@@ -0,0 +1,90 @@ +# frozen_string_literal: true +# +# Cookbook:: postgresql +# Resource:: repository +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +property :version, String, default: '9.6' +property :enable_pgdg, [true, false], default: true +property :enable_pgdg_source, [true, false], default: false +property :enable_pgdg_updates_testing, [true, false], default: false +property :enable_pgdg_source_updates_testing, [true, false], default: false +property :yum_gpg_key_uri, String, default: 'https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG' +property :apt_gpg_key_uri, String, default: 'https://download.postgresql.org/pub/repos/apt/ACCC4CF8.asc' + +action :add do + case node['platform_family'] + + when 'rhel', 'fedora', 'amazon' + remote_file "/etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG-#{new_resource.version}" do + source new_resource.yum_gpg_key_uri + end + + yum_repository "PostgreSQL #{new_resource.version}" do # ~FC005 + repositoryid "pgdg#{new_resource.version}" + description "PostgreSQL.org #{new_resource.version}" + baseurl yum_repo_url('https://download.postgresql.org/pub/repos/yum') + enabled new_resource.enable_pgdg + gpgcheck true + gpgkey "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG-#{new_resource.version}" + end + + yum_repository "PostgreSQL #{new_resource.version} - source " do + repositoryid "pgdg#{new_resource.version}-source" + description "PostgreSQL.org #{new_resource.version} Source" + baseurl 
yum_repo_url('https://download.postgresql.org/pub/repos/yum/srpms') + enabled new_resource.enable_pgdg_source + gpgcheck true + gpgkey "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG-#{new_resource.version}" + end + + yum_repository "PostgreSQL #{new_resource.version} - updates testing" do + repositoryid "pgdg#{new_resource.version}-updates-testing" + description "PostgreSQL.org #{new_resource.version} Updates Testing" + baseurl yum_repo_url('https://download.postgresql.org/pub/repos/yum/testing') + enabled new_resource.enable_pgdg_updates_testing + gpgcheck true + gpgkey "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG-#{new_resource.version}" + end + + yum_repository "PostgreSQL #{new_resource.version} - source - updates testing" do + repositoryid "pgdg#{new_resource.version}-source-updates-testing" + description "PostgreSQL.org #{new_resource.version} Source Updates Testing" + baseurl yum_repo_url('https://download.postgresql.org/pub/repos/yum/srpms/testing') + enabled new_resource.enable_pgdg_source_updates_testing + gpgcheck true + gpgkey "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG-#{new_resource.version}" + end + + when 'debian' + apt_update + + package 'apt-transport-https' + + apt_repository 'postgresql_org_repository' do + uri 'https://download.postgresql.org/pub/repos/apt/' + components ['main', new_resource.version.to_s] + distribution "#{node['lsb']['codename']}-pgdg" + key new_resource.apt_gpg_key_uri + cache_rebuild true + end + else + raise "The platform_family '#{node['platform_family']}' or platform '#{node['platform']}' is not supported by the postgresql_repository resource. If you believe this platform can/should be supported by this resource please file and issue or open a pull request at https://github.com/sous-chefs/postgresql" + end +end + +action_class do + include PostgresqlCookbook::Helpers +end diff --git a/cookbooks/postgresql/resources/server_conf.rb b/cookbooks/postgresql/resources/server_conf.rb new file mode 100644 index 0000000..3c44c22 
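Review bot: The `remote_file` that fetches `RPM-GPG-KEY-PGDG-#{new_resource.version}` has no `checksum`, so the trust root for every `gpgcheck true` repository below is whatever the URL serves at converge time and is silently replaced if it changes; pinning it with `checksum` (a new property such as `yum_gpg_key_checksum`, or a constant for the known key) turns a key substitution into a converge failure instead of a quiet re-trust. The `apt_repository` block has the same exposure through `key new_resource.apt_gpg_key_uri`, where a fingerprint via `keyserver`/`key` would be the equivalent pin. On style, the repository name `"PostgreSQL #{new_resource.version} - source "` carries a trailing space that the other three names do not.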
--- /dev/null
+++ b/cookbooks/postgresql/resources/server_conf.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+#
+# Cookbook:: postgresql
+# Resource:: server_conf
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include PostgresqlCookbook::Helpers
+
+property :version, String, default: '9.6'
+property :data_directory, String, default: lazy { data_dir }
+property :hba_file, String, default: lazy { "#{conf_dir}/pg_hba.conf" }
+property :ident_file, String, default: lazy { "#{conf_dir}/pg_ident.conf" }
+property :external_pid_file, String, default: lazy { "/var/run/postgresql/#{version}-main.pid" }
+property :stats_temp_directory, String, default: lazy { "/var/run/postgresql/#{version}-main.pg_stat_tmp" }
+property :port, Integer, default: 5432
+property :additional_config, Hash, default: {}
+property :cookbook, String, default: 'postgresql'
+
+action :modify do
+ template "#{conf_dir}/postgresql.conf" do
+ cookbook new_resource.cookbook
+ source 'postgresql.conf.erb'
+ owner 'postgres'
+ group 'postgres'
+ mode '0644'
+ variables(
+ data_dir: new_resource.data_directory,
+ hba_file: new_resource.hba_file,
+ ident_file: new_resource.ident_file,
+ external_pid_file: new_resource.external_pid_file,
+ stats_temp_directory: new_resource.stats_temp_directory,
+ port: new_resource.port,
+ additional_config: new_resource.additional_config
+ )
+ end
+end
+
+action_class do
+ include PostgresqlCookbook::Helpers
+end
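Review bot: The `template "#{conf_dir}/postgresql.conf"` resource in `:modify` has no `notifies :reload, 'service[postgresql]'`, so a changed `postgresql.conf` is written but not applied until something else restarts the server; either add the notification (the service is declared by `postgresql_server_install`'s `:create` action later in this series) or document on the resource that callers must subscribe to it. The lazy defaults `/var/run/postgresql/#{version}-main.pid` and `…-main.pg_stat_tmp` follow the Debian cluster layout and probably do not match the packaged layout on the `rhel`/`fedora`/`amazon` families the other resources support, so the property docs should say those must be overridden there. `version` is otherwise unused by the action except through those lazy defaults.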
diff --git a/cookbooks/postgresql/resources/server_install.rb b/cookbooks/postgresql/resources/server_install.rb new file mode 100644 index 0000000..3c66c67 --- /dev/null +++ b/cookbooks/postgresql/resources/server_install.rb 
@@ -0,0 +1,76 @@ +# frozen_string_literal: true +# +# Cookbook:: postgresql +# Resource:: server_install +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +include PostgresqlCookbook::Helpers + +property :version, String, default: '9.6' +property :setup_repo, [true, false], default: true +property :hba_file, String, default: lazy { "#{conf_dir}/main/pg_hba.conf" } +property :ident_file, String, default: lazy { "#{conf_dir}/main/pg_ident.conf" } +property :external_pid_file, String, default: lazy { "/var/run/postgresql/#{version}-main.pid" } +property :password, [String, nil], default: 'generate' # Set to nil if we do not want to set a password +property :port, Integer, default: 5432 +property :initdb_locale, String + +# Connection preferences +property :user, String, default: 'postgres' +property :database, String +property :host, [String, nil] + +action :install do + node.run_state['postgresql'] ||= {} + node.run_state['postgresql']['version'] = new_resource.version + + postgresql_client_install 'Install PostgreSQL Client' do + version new_resource.version + setup_repo new_resource.setup_repo + end + + package server_pkg_name +end + +action :create do + execute 'init_db' do + command rhel_init_db_command(new_resource) + user new_resource.user + not_if { initialized? } + only_if { platform_family?('rhel', 'fedora', 'amazon') } + end + + # We use to use find_resource here. + # But that required the user to do the same in their recipe. 
+ # This also seemed to never trigger notifications, therefore requiring a log resource + # to notify the enable/start on the service, which always fires (Check v7.0 tag for more) + service 'postgresql' do + service_name platform_service_name + supports restart: true, status: true, reload: true + action [:enable, :start] + end + + # Generate a random password or set it as per new_resource.password. + bash 'generate-postgres-password' do + user 'postgres' + code alter_role_sql(new_resource) + not_if { user_has_password?(new_resource) } + not_if { new_resource.password.nil? } + end +end + +action_class do + include PostgresqlCookbook::Helpers +end diff --git a/cookbooks/postgresql/resources/user.rb b/cookbooks/postgresql/resources/user.rb new file mode 100644 index 0000000..05da73b --- /dev/null +++ b/cookbooks/postgresql/resources/user.rb 
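Review bot: `bash 'generate-postgres-password'` runs `alter_role_sql(new_resource)`, which embeds the role password in the command, but the resource is not marked `sensitive true`; when the command fails, or in why-run/debug output, Chef can print a bash resource's `code`, so the password can land in the client log. `resources/user.rb` in this same series sets `sensitive true` on its ALTER/DROP statements and this resource should match. The `not_if { user_has_password?(new_resource) }` guard also means a later change of the `password` property is never applied once any password is set, which deserves a comment on the property if intentional.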
@@ -0,0 +1,87 @@ +# +# Cookbook:: postgresql +# Resource:: user +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +property :create_user, String, name_property: true +property :superuser, [true, false], default: false +property :createdb, [true, false], default: false +property :createrole, [true, false], default: false +property :inherit, [true, false], default: true +property :replication, [true, false], default: false +property :login, [true, false], default: true +property :password, String +property :encrypted_password, String +property :valid_until, String +property :attributes, Hash, default: {} + +# Connection prefernces +property :user, String, default: 'postgres' +property :database, String +property :host, String +property :port, Integer, default: 5432 + +action :create do + Chef::Log.warn('You cannot use "attributes" property with create action.') unless new_resource.attributes.empty? + + execute "create postgresql user #{new_resource.create_user}" do # ~FC009 + user 'postgres' + command create_user_sql(new_resource) + sensitive new_resource.sensitive + not_if { follower? || user_exists?(new_resource) } + end +end + +action :update do + if new_resource.attributes.empty? + execute "update postgresql user #{new_resource.create_user}" do + user 'postgres' + command update_user_sql(new_resource) + sensitive true + not_if { follower? 
} + only_if { user_exists?(new_resource) } + end + else + new_resource.attributes.each do |attr, value| + v = if value.is_a?(TrueClass) || value.is_a?(FalseClass) + value.to_s + else + "'#{value}'" + end + + execute "Update postgresql user #{new_resource.create_user} to set #{attr}" do + user 'postgres' + command update_user_with_attributes_sql(new_resource, v) + sensitive true + not_if { follower? } + only_if { user_exists?(new_resource) } + end + end + end +end + +action :drop do + execute "drop postgresql user #{new_resource.create_user}" do + user 'postgres' + command drop_user_sql(new_resource) + sensitive true + not_if { follower? } + only_if { user_exists?(new_resource) } + end +end + +action_class do + include PostgresqlCookbook::Helpers +end diff --git a/cookbooks/postgresql/templates/default/pg_hba.conf.erb b/cookbooks/postgresql/templates/default/pg_hba.conf.erb deleted file mode 100644 index 0c38c78..0000000 --- a/cookbooks/postgresql/templates/default/pg_hba.conf.erb +++ /dev/null 
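Review bot: `sensitive new_resource.sensitive` on the `:create` execute inherits the common `sensitive` property, which is `false` unless the caller sets it, so the `CREATE ROLE … PASSWORD` statement built by `create_user_sql` is logged in full on failure; `:update` and `:drop` hard-code `sensitive true` and `:create` should do the same. In `:update`, non-boolean attribute values are wrapped as `"'#{value}'"` with no escaping of embedded single quotes, so a value containing `'` breaks or alters the statement; `value.to_s.gsub("'", "''")` before wrapping, or restricting `attributes` to the documented ALTER ROLE options, closes that. The trailing `end` of the file is visible, so the block is complete here.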
@@ -1,35 +0,0 @@ -# This file was automatically generated and dropped off by Chef! - -# PostgreSQL Client Authentication Configuration File -# =================================================== -# -# Refer to the "Client Authentication" section in the PostgreSQL -# documentation for a complete description of this file. - -<% if node['postgresql']['version'].to_f < 9.1 -%> -# TYPE DATABASE USER CIDR-ADDRESS METHOD -<% elsif node['postgresql']['version'].to_f >= 9.1 -%> -# TYPE DATABASE USER ADDRESS METHOD -<% end -%> - -########### -# Other authentication configurations taken from chef node defaults: -########### -<% node['postgresql']['pg_hba'].each do |auth| -%> - -<% if auth[:comment] %> -# <%= auth[:comment] %> -<% end %> -<% if auth[:addr] %> -<%= auth[:type].ljust(7) %> <%= auth[:db].ljust(15) %> <%= auth[:user].ljust(15) %> <%= auth[:addr].ljust(23) %> <%= auth[:method] %> -<% else %> -<%= auth[:type].ljust(7) %> <%= auth[:db].ljust(15) %> <%= auth[:user].ljust(15) %> <%= auth[:method] %> -<% end %> -<% end %> - -# "local" is for Unix domain socket connections only -<% if node['postgresql']['version'].to_f < 9.1 -%> -local all all ident -<% elsif node['postgresql']['version'].to_f >= 9.1 -%> -local all all peer -<% end -%> diff --git a/cookbooks/postgresql/templates/default/pgsql.sysconfig.erb b/cookbooks/postgresql/templates/default/pgsql.sysconfig.erb deleted file mode 100644 index 5421211..0000000 --- a/cookbooks/postgresql/templates/default/pgsql.sysconfig.erb +++ /dev/null @@ -1,4 +0,0 @@ -PGDATA=<%= node['postgresql']['dir'] %> -<% if node['postgresql']['config'].attribute?("port") -%> -PGPORT=<%= node['postgresql']['config']['port'] %> -<% end -%> diff --git a/cookbooks/postgresql/templates/default/postgresql.service.erb b/cookbooks/postgresql/templates/default/postgresql.service.erb deleted file mode 100644 index 00ffff4..0000000 --- a/cookbooks/postgresql/templates/default/postgresql.service.erb +++ /dev/null 
@@ -1,10 +0,0 @@ -[Service] -<% if node['postgresql']['use_pgdg_packages'] %> -.include /usr/lib/systemd/system/postgresql-<%= node['postgresql']['version'] %>.service -<% else %> -.include /usr/lib/systemd/system/postgresql.service -<% end %> - -Environment= -Environment=PGPORT=<%= node['postgresql']['config']['port'] %> -Environment=PGDATA=<%= node['postgresql']['config']['data_directory'] %> diff --git a/cookbooks/postgresql/templates/pg_hba.conf.erb b/cookbooks/postgresql/templates/pg_hba.conf.erb new file mode 100644 index 0000000..9eab8a9 --- /dev/null +++ b/cookbooks/postgresql/templates/pg_hba.conf.erb @@ -0,0 +1,33 @@ +# This file was automatically generated and dropped off by Chef! + +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. + +local all postgres peer + +# TYPE DATABASE USER ADDRESS METHOD + +# "local" is for Unix domain socket connections only +local all all peer +# IPv4 local connections: +host all all 127.0.0.1/32 md5 +# IPv6 local connections: +host all all ::1/128 md5 + +########### +# From the postgresql_access resources +########### +<% @pg_hba.each do |k,v| -%> +# <%= k %> +<% if v[:comment] -%> +# <%= v[:comment] %> +<% end -%> +<% if v[:addr] %> +<%= v[:type].ljust(7) %> <%= v[:db].ljust(15) %> <%= v[:user].ljust(15) %> <%= v[:addr].ljust(23) %> <%= v[:method] %> +<% else %> +<%= v[:type].ljust(7) %> <%= v[:db].ljust(15) %> <%= v[:user].ljust(15) %> <%= v[:method] %> +<% end %> +<% end %> diff --git a/cookbooks/postgresql/templates/pg_ident.conf.erb b/cookbooks/postgresql/templates/pg_ident.conf.erb new file mode 100644 index 0000000..f3ba499 --- /dev/null +++ b/cookbooks/postgresql/templates/pg_ident.conf.erb 
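Review bot: The `postgresql_access` entries are rendered after four fixed rules (`local all postgres peer`, `local all all peer`, `host all all 127.0.0.1/32 md5`, `host all all ::1/128 md5`), and pg_hba.conf is first-match, so no resource can tighten or change authentication for Unix-socket or loopback connections — a `postgresql_access` asking for `scram-sha-256` on `127.0.0.1/32` or `reject` for a role is never reached. Rendering the `@pg_hba` loop before the defaults, or passing the defaults in as template variables so they can be overridden, would let the resource do what its name promises. The `local all postgres peer` line above the `# TYPE` header is also subsumed by `local all all peer` and can go.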
@@ -0,0 +1,49 @@ +# PostgreSQL User Name Maps +# ========================= +# +# Refer to the PostgreSQL documentation, chapter "Client +# Authentication" for a complete description. A short synopsis +# follows. +# +# This file controls PostgreSQL user name mapping. It maps external +# user names to their corresponding PostgreSQL user names. Records +# are of the form: +# +# MAPNAME SYSTEM-USERNAME PG-USERNAME +# +# (The uppercase quantities must be replaced by actual values.) +# +# MAPNAME is the (otherwise freely chosen) map name that was used in +# pg_hba.conf. SYSTEM-USERNAME is the detected user name of the +# client. PG-USERNAME is the requested PostgreSQL user name. The +# existence of a record specifies that SYSTEM-USERNAME may connect as +# PG-USERNAME. +# +# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a +# regular expression. Optionally this can contain a capture (a +# parenthesized subexpression). The substring matching the capture +# will be substituted for \1 (backslash-one) if present in +# PG-USERNAME. +# +# Multiple maps may be specified in this file and used by pg_hba.conf. +# +# No map names are defined in the default configuration. If all +# system user names and PostgreSQL user names are the same, you don't +# need anything in this file. +# +# This file is read on server startup and when the postmaster receives +# a SIGHUP signal. If you edit the file on a running system, you have +# to SIGHUP the postmaster for the changes to take effect. You can +# use "pg_ctl reload" to do that. + +# Put your actual configuration here +# ---------------------------------- + +# MAPNAME SYSTEM-USERNAME PG-USERNAME +<% @pg_ident.each do |k,v| -%> + <% if v[:comment] -%> + +# <%= v[:comment] %> + <% end -%> +<%= v[:mapname].ljust(15) %> <%= v[:system_user].ljust(23) %> <%= v[:pg_user].ljust(15) %> +<% end %> 
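Review bot: The ` <% if v[:comment] -%>` and ` <% end -%>` lines inside the `@pg_ident` loop are indented, and `-%>` trims only the trailing newline, so each rendered map entry is preceded by literal spaces (the comment line by one, the `MAPNAME` line by one or two depending on whether a comment was set). PostgreSQL appears to tolerate leading whitespace in pg_ident.conf, but the output is visibly mis-aligned against the `# MAPNAME` header and harder to diff; start both ERB tags at column 0 like the other tags in this file.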
diff --git a/cookbooks/postgresql/templates/pgsql.sysconfig.erb b/cookbooks/postgresql/templates/pgsql.sysconfig.erb new file mode 100644 index 0000000..2740356 --- /dev/null +++ b/cookbooks/postgresql/templates/pgsql.sysconfig.erb @@ -0,0 +1,2 @@ +PGDATA=<%= @postgresql_dir %> +PGPORT=<%= @port %> diff --git a/cookbooks/postgresql/templates/default/postgresql.conf.erb b/cookbooks/postgresql/templates/postgresql.conf.erb similarity index 57% rename from cookbooks/postgresql/templates/default/postgresql.conf.erb rename to cookbooks/postgresql/templates/postgresql.conf.erb index 26d77f9..7656770 100644 --- a/cookbooks/postgresql/templates/default/postgresql.conf.erb +++ b/cookbooks/postgresql/templates/postgresql.conf.erb @@ -3,9 +3,14 @@ # Please refer to the PostgreSQL documentation for details on # configuration settings. -<% node['postgresql']['config'].sort.each do |key, value| %> +data_directory = '<%= @data_dir %>' +hba_file = '<%= @hba_file %>' +ident_file = '<%= @ident_file %>' +external_pid_file = '<%= @external_pid_file %>' +stats_temp_directory = '<%= @stats_temp_directory %>' +port = <%= @port %> +<% @additional_config.sort.each do |key, value| %> <% next if value.nil? -%> -<% next if node['postgresql']['version'].to_f < 9.2 && /ssl_.*._file/.match(key) -%> <%= key %> = <%= case value when String diff --git a/cookbooks/postgresql/templates/postgresql.service.erb b/cookbooks/postgresql/templates/postgresql.service.erb new file mode 100644 index 0000000..688e7d5 --- /dev/null +++ b/cookbooks/postgresql/templates/postgresql.service.erb @@ -0,0 +1,6 @@ +[Service] +.include /usr/lib/systemd/system/<%= @svc_name %>.service + +Environment= +Environment=PGPORT=<%= @port %> +Environment=PGDATA=<%= @data_dir %> diff --git a/site-cookbooks/kosmos-postgresql/metadata.rb b/site-cookbooks/kosmos-postgresql/metadata.rb index 748f491..cd248d4 100644 --- a/site-cookbooks/kosmos-postgresql/metadata.rb +++ b/site-cookbooks/kosmos-postgresql/metadata.rb 
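Review bot: `data_directory`, `hba_file`, `ident_file`, `external_pid_file`, `stats_temp_directory` and `port` are now emitted unconditionally and `@additional_config` is appended after them, so a caller that also places `port` (or any of the others) in `additional_config` produces a duplicate key, and PostgreSQL keeps the last occurrence, silently overriding the resource property. Either skip those keys inside the loop, `<% next if %w(data_directory hba_file ident_file external_pid_file stats_temp_directory port).include?(key) -%>`, or document on `server_conf`'s `additional_config` that they must not appear there. The `case value when String` tail of this hunk continues past what the diff shows, so the quoting of string values could not be checked here.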
@@ -19,4 +19,4 @@ chef_version '>= 12.14' if respond_to?(:chef_version) # # source_url 'https://github.com//kosmos-postgresql' -depends "postgresql", "= 6.1.1" +depends "postgresql", ">= 7.0.0" diff --git a/site-cookbooks/kosmos-postgresql/recipes/default.rb b/site-cookbooks/kosmos-postgresql/recipes/default.rb index 1758f29..b6b7472 100644 --- a/site-cookbooks/kosmos-postgresql/recipes/default.rb +++ b/site-cookbooks/kosmos-postgresql/recipes/default.rb @@ -4,13 +4,14 @@ # # Copyright:: 2019, Kosmos, All Rights Reserved. -node.override['postgresql']['enable_pgdg_apt'] = false -# See https://github.com/sous-chefs/postgresql/issues/480 -node.override['postgresql']['pg_gem']['version'] = '0.21.0' -include_recipe "postgresql::server" -include_recipe "postgresql::ruby" -unless node.chef_environment == "development" - node.override['postgresql']['config_pgtune']['db_type'] = "web" - include_recipe "postgresql::config_pgtune" +postgresql_server_install "main" do + version "10" + setup_repo false + action :install end +postgresql_client_install "main" do + version "10" + setup_repo false + action :install +end -- 2.25.1 From 8e052ab53a43e9900a1f5d68678c8b82eb9019aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 27 Feb 2019 12:42:18 +0100 Subject: [PATCH 11/25] Add the kosmos-postgresql and ejabberd backup recipes --- nodes/andromeda.kosmos.org.json | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/nodes/andromeda.kosmos.org.json b/nodes/andromeda.kosmos.org.json index d979e2c..625d89e 100644 --- a/nodes/andromeda.kosmos.org.json +++ b/nodes/andromeda.kosmos.org.json 
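Review bot: `postgresql_server_install "main"` is run with `action :install` only, and in the `server_install` resource earlier in this series that action installs packages and nothing more; `:create` is where initdb runs, `service 'postgresql'` is enabled and started, and the `postgres` password is set, so unless another recipe calls it the server is installed but never brought up. `action [:install, :create]` is presumably what is wanted. The separate `postgresql_client_install "main"` is redundant, because `server_install`'s `:install` already declares `postgresql_client_install` with the same `version` and `setup_repo`. With `setup_repo false` and `version "10"` the recipe relies on the distribution already shipping PostgreSQL 10 packages, which deserves a comment.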
@@ -2,8 +2,17 @@ "run_list": [ "kosmos-base", "kosmos-base::andromeda_firewall", - "role[ipfs_cluster_with_tls]" + "role[ipfs_cluster_with_tls]", + "kosmos-postgresql", + "kosmos-ejabberd::backup" ], + "normal": { + "postgresql": { + "password": { + "postgres": "iezah7ochae9uizu1Isha2Chuok8ra" + } + } + }, "automatic": { "ipaddress": "andromeda.kosmos.org" } -- 2.25.1 From 712507bed27aab9beffb52fd23a3cc3566b43ca4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 13 Mar 2019 15:23:08 +0100 Subject: [PATCH 12/25] Get rid of the 5apps.com config for now --- .../templates/ejabberd.yml.erb | 20 +------------------ 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index a9e25e8..65f4c5c 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -8,17 +8,11 @@ log_rate_limit: 100 hosts: - "kosmos.org" - - "5apps.com" -<% if File.exist?("/opt/ejabberd/conf/kosmos.org.pem") || File.exist?("/opt/ejabberd/conf/5apps.com.pem") -%> -certfiles: <% if File.exist?("/opt/ejabberd/conf/kosmos.org.pem") -%> +certfiles: - "/opt/ejabberd/conf/kosmos.org.pem" <% end -%> -<% if File.exist?("/opt/ejabberd/conf/5apps.com.pem") -%> - - "/opt/ejabberd/conf/5apps.com.pem" -<% end -%> -<% end -%> ca_file: "/opt/ejabberd/conf/cacert.pem" @@ -253,18 +247,6 @@ host_config: access_persistent: muc_create default_room_options: mam: true - "5apps.com": - modules: - mod_muc: - host: "muc.5apps.com" - access: - - deny - access_admin: - - allow: admin - access_create: muc_create - access_persistent: muc_create - default_room_options: - mam: true allow_contrib_modules: true ### Local Variables: -- 2.25.1 From 5ad24888ff95ac27ef8acd5296724f9bde65ca7e Mon Sep 17 00:00:00 2001 
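Review bot: The new `normal.postgresql.password.postgres` attribute commits a plaintext PostgreSQL superuser password to the repository, and once pushed it stays in git history regardless of later edits. The value should be treated as compromised and rotated, and the attribute removed from the node file; patch 14 of this series introduces `data_bags/credentials/postgresql.json` as an encrypted data bag for exactly this purpose but leaves this attribute in place. A short comment in the node file pointing to the data bag would keep the next person from re-adding it here.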
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 13 Mar 2019 15:23:55 +0100 Subject: [PATCH 13/25] Add our kosmos.org accounts as admins --- site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 65f4c5c..020249f 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -87,6 +87,8 @@ acl: - "sebastian@5apps.com" - "garret@5apps.com" - "raucao@kosmos.org" + - "greg@kosmos.org" + - "galfert@kosmos.org" access_rules: local: -- 2.25.1 From b5bd389e7766540d9ee02950ac904b15065eb38a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 13 Mar 2019 17:38:24 +0100 Subject: [PATCH 14/25] Set postgresql password from an encrypted data bag --- data_bags/credentials/postgresql.json | 17 +++++++++++++++++ .../kosmos-postgresql/recipes/default.rb | 12 ++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 data_bags/credentials/postgresql.json diff --git a/data_bags/credentials/postgresql.json b/data_bags/credentials/postgresql.json new file mode 100644 index 0000000..87a3edf --- /dev/null +++ b/data_bags/credentials/postgresql.json @@ -0,0 +1,17 @@ +{ + "id": "postgresql", + "ejabberd_user_password": { + "encrypted_data": "S/vdx+qZ4FWtbM29yDRoIgjvFORoArJVlanPm/el1nCM0se0pnxw\n", + "iv": "ARRo7yYYb7fve7Fv\n", + "auth_tag": "q7AGIahxB50jHjD+/9po0g==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "server_password": { + "encrypted_data": "guWsuw7EqHQGMawW9P77Q12P8tUslpXE3AwRbobJlaTClVU08kcz\n", + "iv": "ELRNrSW+zKYfL/eb\n", + "auth_tag": "zayCIjABap1NsOewJDzapA==\n", + "version": 3, + "cipher": "aes-256-gcm" + } +} \ No newline at end of file 
diff --git a/site-cookbooks/kosmos-postgresql/recipes/default.rb b/site-cookbooks/kosmos-postgresql/recipes/default.rb index b6b7472..3eaaea6 100644 --- a/site-cookbooks/kosmos-postgresql/recipes/default.rb +++ b/site-cookbooks/kosmos-postgresql/recipes/default.rb @@ -4,9 +4,21 @@ # # Copyright:: 2019, Kosmos, All Rights Reserved. +node.override['build-essential']['compile_time'] = true +include_recipe 'build-essential::default' + +package("libpq-dev") { action :nothing }.run_action(:install) + +chef_gem 'pg' do + compile_time true +end + +postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') + postgresql_server_install "main" do version "10" setup_repo false + password postgresql_data_bag_item['server_password'] action :install end -- 2.25.1 From 18b12a1dc4fc324caa203e87c414647bcac4f9be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 13 Mar 2019 17:39:39 +0100 Subject: [PATCH 15/25] Set the ejabberd postgresql user from an encrypted data bag --- .../kosmos-ejabberd/recipes/default.rb | 21 +++++++------------ 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index d43f5ce..2ccf5c6 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
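Review bot: `include_recipe 'build-essential::default'` needs a matching `depends "build-essential"` in kosmos-postgresql's metadata.rb, and the only metadata change in this series (`depends "postgresql", ">= 7.0.0"`) does not add one; unless it is declared in a part of the file not shown, the run will fail at dependency resolution. The compile-time `libpq-dev` and `chef_gem 'pg'` installs also deserve a one-line comment saying why they must happen before convergence, e.g. `# libpq-dev and the pg gem are installed at compile time because a resource below loads pg during compilation`, adjusted to whichever resource actually needs it. Reading the secret through `data_bag_item` is appropriate here: Chef decrypts an encrypted item with the node's data bag secret and should raise when no secret is available, so a misconfigured node fails loudly rather than passing the encrypted blob on as a password.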
@@ -27,25 +27,18 @@ dpkg_package "ejabberd" do notifies :create, "file[/lib/systemd/system/ejabberd.service]", :immediately end -postgresql_connection_info = { - host: '127.0.0.1', - port: 5432, - username: 'postgres', - password: node['postgresql']['password']['postgres'] -} +postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') +ejabberd_user_password = postgresql_data_bag_item['ejabberd_user_password'] postgresql_database 'ejabberd' do - connection postgresql_connection_info action :create notifies :run, "execute[create db schema]", :delayed end -postgresql_database_user 'ejabberd' do - connection postgresql_connection_info - password 'super_secret' - database_name 'ejabberd' - privileges [:all] - action [:create, :grant] +postgresql_user 'ejabberd' do + password ejabberd_user_password + database 'ejabberd' + action [:create] end execute "create db schema" do @@ -58,7 +51,7 @@ template "/opt/ejabberd/conf/ejabberd.yml" do source "ejabberd.yml.erb" mode 0640 sensitive true - variables pgsql_password: "super_secret" + variables pgsql_password: ejabberd_user_password notifies :run, "execute[ejabberdctl reload_config]", :delayed end -- 2.25.1 From 2cd85afb2842a1f422f21116f4d08e9f589cae9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 13 Mar 2019 17:40:14 +0100 Subject: [PATCH 16/25] Update ejabberd to 19.02 --- .../kosmos-ejabberd/files/pg.new.sql | 71 +++++++++++++++++++ site-cookbooks/kosmos-ejabberd/metadata.rb | 1 - .../kosmos-ejabberd/recipes/default.rb | 6 +- 3 files changed, 74 insertions(+), 4 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/files/pg.new.sql b/site-cookbooks/kosmos-ejabberd/files/pg.new.sql index 5db5455..c585fd3 100644 --- a/site-cookbooks/kosmos-ejabberd/files/pg.new.sql +++ b/site-cookbooks/kosmos-ejabberd/files/pg.new.sql 
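Review bot: `postgresql_user 'ejabberd'` with `action [:create]` replaces a resource that also ran `:grant` with `privileges [:all]` on the `ejabberd` database, and nothing in the hunk restores those privileges; unless `postgresql_database 'ejabberd'` (whose `owner` property is not set here) or the schema script grants them, the ejabberd role may connect but be unable to use the tables that `execute "create db schema"` creates. Adding `owner 'ejabberd'` to the database resource, or an explicit grant, would close that gap. Passing the data-bag value through `variables pgsql_password:` on a template already marked `sensitive true` is the right handling for the password, and the body of `execute "create db schema"` lies outside this hunk so its connection user could not be checked.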
@@ -571,3 +571,74 @@ CREATE TABLE push_session ( ); CREATE UNIQUE INDEX i_push_session_susn ON push_session USING btree (server_host, username, service, node); + +CREATE TABLE mix_channel ( + channel text NOT NULL, + service text NOT NULL, + username text NOT NULL, + domain text NOT NULL, + jid text NOT NULL, + hidden boolean NOT NULL, + hmac_key text NOT NULL, + created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP +); + +CREATE UNIQUE INDEX i_mix_channel ON mix_channel (channel, service); +CREATE INDEX i_mix_channel_serv ON mix_channel (service); + +CREATE TABLE mix_participant ( + channel text NOT NULL, + service text NOT NULL, + username text NOT NULL, + domain text NOT NULL, + jid text NOT NULL, + id text NOT NULL, + nick text NOT NULL, + created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP +); + +CREATE UNIQUE INDEX i_mix_participant ON mix_participant (channel, service, username, domain); +CREATE INDEX i_mix_participant_chan_serv ON mix_participant (channel, service); + +CREATE TABLE mix_subscription ( + channel text NOT NULL, + service text NOT NULL, + username text NOT NULL, + domain text NOT NULL, + node text NOT NULL, + jid text NOT NULL +); + +CREATE UNIQUE INDEX i_mix_subscription ON mix_subscription (channel, service, username, domain, node); +CREATE INDEX i_mix_subscription_chan_serv_ud ON mix_subscription (channel, service, username, domain); +CREATE INDEX i_mix_subscription_chan_serv_node ON mix_subscription (channel, service, node); +CREATE INDEX i_mix_subscription_chan_serv ON mix_subscription (channel, service); + +CREATE TABLE mix_pam ( + username text NOT NULL, + server_host text NOT NULL, + channel text NOT NULL, + service text NOT NULL, + id text NOT NULL, + created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP +); + +CREATE UNIQUE INDEX i_mix_pam ON mix_pam (username, server_host, channel, service); +CREATE INDEX i_mix_pam_us ON mix_pam (username, server_host); + +CREATE TABLE mqtt_pub ( + username text NOT NULL, + server_host text 
NOT NULL, + resource text NOT NULL, + topic text NOT NULL, + qos smallint NOT NULL, + payload bytea NOT NULL, + payload_format smallint NOT NULL, + content_type text NOT NULL, + response_topic text NOT NULL, + correlation_data bytea NOT NULL, + user_properties bytea NOT NULL, + expiry bigint NOT NULL +); + +CREATE UNIQUE INDEX i_mqtt_topic_server ON mqtt_pub (topic, server_host); diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb index 7cb7483..1e7a7fc 100644 --- a/site-cookbooks/kosmos-ejabberd/metadata.rb +++ b/site-cookbooks/kosmos-ejabberd/metadata.rb @@ -20,5 +20,4 @@ chef_version '>= 12.14' if respond_to?(:chef_version) # source_url 'https://github.com//kosmos-ejabberd' depends "kosmos-postgresql" -depends "database" depends "backup" diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 2ccf5c6..f0dad74 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb @@ -12,12 +12,12 @@ cookbook_file "#{Chef::Config[:file_cache_path]}/pg.new.sql" do mode "0664" end -ejabberd_version = "18.12.1" +ejabberd_version = "19.02" package_path = "#{Chef::Config['file_cache_path']}/ejabberd_#{ejabberd_version}-0_amd64.deb" remote_file package_path do source "https://www.process-one.net/downloads/downloads-action.php?file=/ejabberd/#{ejabberd_version}/ejabberd_#{ejabberd_version}-0_amd64.deb" - checksum "8352d85f98353c8f57b4f386c6ab17c342292ab60708d13f078e91475daedf05" + checksum "aea550c58e61eab04ca9beb8896d8b04f4a79321c21dee160a67ad6787236f51" notifies :install, "dpkg_package[ejabberd]", :immediately end @@ -56,7 +56,7 @@ template "/opt/ejabberd/conf/ejabberd.yml" do end execute "ejabberdctl reload_config" do - command "/opt/ejabberd-18.12.1/bin/ejabberdctl reload_config" + command "/opt/ejabberd-#{ejabberd_version}/bin/ejabberdctl reload_config" action :nothing end -- 2.25.1 
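Review bot: The mix_* and mqtt_pub tables appended to pg.new.sql in the preceding hunk are only applied by `execute "create db schema"`, which the earlier patch in this series wires to `postgresql_database 'ejabberd'` on `:create`; an existing database carried from 18.12.1 to 19.02 will therefore not receive them. If that is acceptable because the corresponding modules are not enabled, a comment next to `ejabberd_version = "19.02"` saying so would help; otherwise the upgrade needs an explicit schema migration step. Deriving the reload command from `ejabberd_version` is a good fix for the previously hard-coded path.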
From 39f23dd3731280f3b8bfba9dc9d29906fa894c53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 19 Mar 2019 16:26:49 +0100 Subject: [PATCH 17/25] Move the version and checksum to attributes --- site-cookbooks/kosmos-ejabberd/attributes/default.rb | 2 ++ site-cookbooks/kosmos-ejabberd/recipes/default.rb | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 site-cookbooks/kosmos-ejabberd/attributes/default.rb diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb new file mode 100644 index 0000000..3f7d227 --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb @@ -0,0 +1,2 @@ +node.default["kosmos-ejabberd"]["version"] = "19.02" +node.default["kosmos-ejabberd"]["checksum"] = "aea550c58e61eab04ca9beb8896d8b04f4a79321c21dee160a67ad6787236f51" diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index f0dad74..7f455e9 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb @@ -12,12 +12,13 @@ cookbook_file "#{Chef::Config[:file_cache_path]}/pg.new.sql" do mode "0664" end -ejabberd_version = "19.02" +ejabberd_version = node["kosmos-ejabberd"]["version"] +package_checksum = node["kosmos-ejabberd"]["checksum"] package_path = "#{Chef::Config['file_cache_path']}/ejabberd_#{ejabberd_version}-0_amd64.deb" remote_file package_path do source "https://www.process-one.net/downloads/downloads-action.php?file=/ejabberd/#{ejabberd_version}/ejabberd_#{ejabberd_version}-0_amd64.deb" - checksum "aea550c58e61eab04ca9beb8896d8b04f4a79321c21dee160a67ad6787236f51" + checksum package_checksum notifies :install, "dpkg_package[ejabberd]", :immediately end -- 2.25.1 From ec58597320b371df9bc64e2898653d95e33ac16b Mon Sep 17 00:00:00 2001 
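Review bot: attributes/default.rb pairs a version with the sha256 of that release's .deb but says nothing about the coupling, so anyone overriding only `version` in a role or node will hit a checksum mismatch in `remote_file`. Suggest a comment above the two lines: `# checksum is the sha256 of ejabberd_<version>-0_amd64.deb; always update both together`. The failure mode (download rejected) is the safe one, so this is documentation only.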
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 19 Mar 2019 16:27:46 +0100 Subject: [PATCH 18/25] Set up Let's Encrypt for the kosmos.org ejabberd server --- site-cookbooks/kosmos-ejabberd/metadata.rb | 1 + .../kosmos-ejabberd/recipes/letsencrypt.rb | 50 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb index 1e7a7fc..d9ed33f 100644 --- a/site-cookbooks/kosmos-ejabberd/metadata.rb +++ b/site-cookbooks/kosmos-ejabberd/metadata.rb @@ -20,4 +20,5 @@ chef_version '>= 12.14' if respond_to?(:chef_version) # source_url 'https://github.com//kosmos-ejabberd' depends "kosmos-postgresql" +depends "kosmos-base" depends "backup" diff --git a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb new file mode 100644 index 0000000..825445c --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb 
@@ -0,0 +1,50 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: letsencrypt
+#
+# Copyright:: 2019, Kosmos, All Rights Reserved.
+#
+
+include_recipe "kosmos-base::letsencrypt"
+
+domain = "kosmos.org"
+domain_and_subdomains = [domain, "chat.#{domain}" "xmpp.#{domain}"]
+
+ejabberd_post_hook = <<-EOF
+#!/usr/bin/env bash
+
+set -e
+
+# Copy the ejabberd certificate and restart the server if it has been renewed
+# This is necessary because the ejabberd user doesn't have access to the
+# letsencrypt live folder
+for domain in $RENEWED_DOMAINS; do
+ case $domain in
+ # Do not copy over when renewing other kosmos.org domains
+ #{domain})
+ cat "${RENEWED_LINEAGE}/privkey.pem" "${RENEWED_LINEAGE}/fullchain.pem" > /opt/ejabberd/conf/#{domain}.pem
+ chown ejabberd:ejabberd /opt/ejabberd/conf/#{domain}.pem
+ chmod 600 /opt/ejabberd/conf/#{domain}.pem
+ /opt/ejabberd-#{node["kosmos-ejabberd"]["version"]}/bin/ejabberdctl reload_config
+ ;;
+ esac
+done
+EOF
+
+file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
+ content ejabberd_post_hook
+ mode 0755
+ owner "root"
+ group "root"
+end
+
+domain_and_subdomains_switch = domain_and_subdomains.map { |d| "-d #{d}" }.join(" ")
+
+# Generate a Let's Encrypt cert (only if no cert has been generated before).
+# The systemd timer will take care of renewing
+execute "letsencrypt cert for kosmos xmpp" do
+ command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@#{domain} #{domain_and_subdomains_switch} -n"
+ not_if do
+ File.exist?("/opt/ejabberd/conf/#{domain}.pem")
+ end
+end
-- 
2.25.1

From 3047dbe99f4bb7bbfcac931e421547ab89af9e32 Mon Sep 17 00:00:00 2001
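Review bot: `domain_and_subdomains = [domain, "chat.#{domain}" "xmpp.#{domain}"]` is missing a comma, so Ruby concatenates the adjacent literals and certbot is asked for `chat.kosmos.orgxmpp.kosmos.org` instead of the two subdomains; it should read `domain_and_subdomains = [domain, "chat.#{domain}", "xmpp.#{domain}"]`. In the renewal hook the key+chain file is created by the `cat` redirection under the process umask (typically yielding 0644) and only tightened by the later `chmod 600`, leaving a brief window in which the private key is readable by other local users; wrapping the copy as `(umask 077; cat "${RENEWED_LINEAGE}/privkey.pem" "${RENEWED_LINEAGE}/fullchain.pem" > /opt/ejabberd/conf/#{domain}.pem)` closes it. The script also relies on `RENEWED_DOMAINS` and `RENEWED_LINEAGE`, which certbot provides to deploy hooks, yet it is installed under `renewal-hooks/post/`; it works because the same path is passed as `--deploy-hook`, but placing it under `renewal-hooks/deploy/` would make that intent explicit and avoid an extra no-op run as a post hook.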
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 19 Mar 2019 19:41:26 +0100 Subject: [PATCH 19/25] Fix botched merge --- Berksfile.lock | 4 ---- 1 file changed, 4 deletions(-) diff --git a/Berksfile.lock b/Berksfile.lock index 6d3c5fe..bc3d782 100644 --- a/Berksfile.lock +++ b/Berksfile.lock @@ -114,11 +114,7 @@ GRAPH hostsfile (2.4.5) iis (6.7.1) windows (>= 2.0) -<<<<<<< HEAD ipfs (0.1.2) -======= - ipfs (0.1.1) ->>>>>>> 591c746... Update the ipfs cookbook ark (>= 0.0.0) logrotate (2.2.0) mariadb (0.3.1) -- 2.25.1 From 20e0bb69837968f4999402420c53a1ae001ca3f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 26 Mar 2019 15:22:50 +0100 Subject: [PATCH 20/25] Add the max_user_conferences setting for mod_muc --- site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 020249f..9d6852f 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -189,6 +189,7 @@ modules: - allow: admin access_create: muc_create access_persistent: muc_create + max_user_conferences: 1000 default_room_options: allow_subscription: true # enable MucSub mam: true -- 2.25.1 From c3da35245835c15ba6a47f028b43831b92524601 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 26 Mar 2019 15:23:58 +0100 Subject: [PATCH 21/25] Create the hook subfolders too --- site-cookbooks/kosmos-base/recipes/letsencrypt.rb | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb index b5f0793..37a28c9 100644 --- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb +++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb 
@@ -29,11 +29,13 @@ else end end -directory "/etc/letsencrypt/renewal-hooks" do - recursive true - mode 0755 - owner "root" - group "root" +["deploy", "post", "pre"].each do |subdir| + directory "/etc/letsencrypt/renewal-hooks/#{subdir}" do + recursive true + mode 0755 + owner "root" + group "root" + end end file "/etc/letsencrypt/renewal-hooks/deploy/nginx" do -- 2.25.1 From 6833c23a01afe51aa689d028c7377916f8b192e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 26 Mar 2019 15:52:11 +0100 Subject: [PATCH 22/25] Replace host_config with append_host_config This was causing only the mod_muc module to be enabled for kosmos.org See the Virtual Hosting section of the docs https://docs.ejabberd.im/admin/configuration/ --- site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 9d6852f..583a205 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -237,7 +237,7 @@ modules: mod_version: show_os: false -host_config: +append_host_config: "kosmos.org": modules: mod_muc: -- 2.25.1 From 70fb97ba4b7e9a51a41b2845332d8cd7bd6994ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 27 Mar 2019 10:35:12 +0100 Subject: [PATCH 23/25] Add the admin_update_sql module This allows to upgrade from the old database schema to the new one that works for multiple virtual hosts: https://blog.process-one.net/ejabberd-18-03/ ejabberdctl update_sql --- site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 583a205..45e0428 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb 
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -161,6 +161,7 @@ acme: modules: mod_adhoc: {} mod_admin_extra: {} + mod_admin_update_sql: {} mod_announce: access: announce mod_avatar: {} -- 2.25.1 From ce4a4bffd9e0af531dd594692581d30fef5b8885 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 27 Mar 2019 11:57:59 +0100 Subject: [PATCH 24/25] Enable OMEMO for clients using Conversations --- site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 45e0428..133e978 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -209,10 +209,10 @@ modules: - "flat" - "pep" force_node_config: - ## Change from "whitelist" to "open" to enable OMEMO support + ## Enable OMEMO support for clients using Conversations ## See https://github.com/processone/ejabberd/issues/2425 "eu.siacs.conversations.axolotl.*": - access_model: whitelist + access_model: open ## Avoid buggy clients to make their bookmarks public "storage:bookmarks": access_model: whitelist -- 2.25.1 From 6b316f28fb4ccad5bb1c0139201a70aa8a23f8fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 27 Mar 2019 12:56:46 +0100 Subject: [PATCH 25/25] Start from the current config file in Andromeda Only changes: Enable the new SQL schema that allows multiple vhosts in the same database, move mod_muc config for kosmos.org to an append_host_config directive --- .../templates/ejabberd.yml.erb | 156 ++++++++++-------- 1 file changed, 87 insertions(+), 69 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 133e978..9730415 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb 
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -1,9 +1,9 @@ -language: "en" - loglevel: 4 + log_rotate_size: 10485760 log_rotate_date: "" log_rotate_count: 1 + log_rate_limit: 100 hosts: @@ -36,27 +36,47 @@ listen: port: 5222 ip: "::" module: ejabberd_c2s - max_stanza_size: 262144 + starttls: true + max_stanza_size: 65536 + shaper: c2s_shaper + access: c2s + - + port: 5223 + ip: "::" + module: ejabberd_c2s + tls: true + max_stanza_size: 65536 shaper: c2s_shaper access: c2s - starttls_required: true - port: 5269 ip: "::" module: ejabberd_s2s_in - max_stanza_size: 524288 + max_stanza_size: 131072 + shaper: s2s_shaper - port: 5280 ip: "::" module: ejabberd_http + request_handlers: + "/ws": ejabberd_http_ws + "/bosh": mod_bosh + "/api": mod_http_api + tls: true + ## "/pub/archive": mod_http_fileserver web_admin: true + ## register: true + captcha: false - port: 5443 - ip: "::" module: ejabberd_http request_handlers: - "/upload": mod_http_upload + "upload": mod_http_upload + <% if File.exist?("/opt/ejabberd/conf/kosmos.org.pem") -%> tls: true + certfiles: + - "/opt/ejabberd/conf/kosmos.org.pem" + <% end -%> custom_headers: "Access-Control-Allow-Origin": "*" "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT" @@ -65,6 +85,9 @@ listen: s2s_use_starttls: optional +auth_password_format: scram +auth_method: sql + default_db: sql sql_type: pgsql @@ -73,14 +96,14 @@ sql_database: "ejabberd" sql_username: "ejabberd" sql_password: "<%= @pgsql_password %>" new_sql_schema: true + +shaper: + normal: 1000 + fast: 50000 + +max_fsm_queue: 10000 + acl: - local: - user_regexp: "" - loopback: - ip: - - "127.0.0.0/8" - - "::1/128" - - "::FFFF:127.0.0.1/128" admin: user: - "greg@5apps.com" 
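Review bot: In the `@@ -36,27 +36,47 @@` hunk the 5222 listener gains `starttls: true` but loses `starttls_required: true`, so clients may now authenticate and exchange messages over a plaintext connection; `auth_password_format: scram` in the next hunk protects the password during authentication but not the traffic. The commit message lists only the SQL-schema and mod_muc changes, so this looks like an unintended side effect of importing the live config; restore `starttls_required: true` under the 5222 listener (the new 5223 listener with `tls: true` is unaffected). The 5280 listener also gains `tls: true` with `web_admin: true` and depends on the top-level `certfiles`, which this template only emits when the pem file exists, so a run before the certificate is in place leaves that listener without a certificate; worth a comment or the same `File.exist?` guard used for 5443.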
@@ -90,6 +113,25 @@ acl: - "greg@kosmos.org" - "galfert@kosmos.org" + local: + user_regexp: "" + + loopback: + ip: + - "127.0.0.0/8" + - "::1/128" + - "::FFFF:127.0.0.1/128" + +shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + - 5000: admin + - 100 + c2s_shaper: + - none: admin + - normal + s2s_shaper: fast + access_rules: local: - allow: local @@ -101,6 +143,7 @@ access_rules: configure: - allow: admin muc_create: + - allow: admin - allow: local pubsub_createnode: - allow: local @@ -138,50 +181,32 @@ api_permissions: - "status" - "connected_users_number" -shaper: - normal: 1000 - fast: 50000 - -shaper_rules: - max_user_sessions: 10 - max_user_offline_messages: - - 5000: admin - - 100 - c2s_shaper: - - none: admin - - normal - s2s_shaper: fast - -max_fsm_queue: 10000 - -acme: - contact: "mailto:admin@vagrant.vm" - ca_url: "https://acme-v01.api.letsencrypt.org" +language: "en" modules: mod_adhoc: {} mod_admin_extra: {} - mod_admin_update_sql: {} - mod_announce: + mod_announce: # recommends mod_adhoc access: announce - mod_avatar: {} - mod_blocking: {} - mod_bosh: {} + mod_blocking: {} # requires mod_privacy mod_caps: {} mod_carboncopy: {} mod_client_state: {} - mod_configure: {} - mod_disco: {} - mod_fail2ban: {} - mod_http_api: {} + mod_configure: {} # requires mod_adhoc + mod_disco: + server_info: + - + modules: all + name: "abuse-addresses" + urls: ["mailto:abuse@kosmos.org"] + mod_bosh: {} mod_http_upload: docroot: "/var/www/xmpp.@HOST@/uploads/" put_url: "https://xmpp.@HOST@:5443/upload" + thumbnail: false # otherwise needs the identify command from ImageMagick installed mod_last: {} mod_mam: default: always - db_type: sql - assume_mam_usage: true request_activates_archiving: true mod_muc: access: @@ -190,9 +215,7 @@ modules: - allow: admin access_create: muc_create access_persistent: muc_create - max_user_conferences: 1000 default_room_options: - allow_subscription: true # enable MucSub mam: true mod_muc_admin: {} mod_offline: 
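Review bot: `mod_fail2ban: {}` is removed in the module-list rewrite of the `@@ -138,50 +181,32 @@` hunk, which switches off ejabberd's built-in blocking of addresses with repeated failed c2s authentications; nothing in the diff replaces it and the commit message does not mention it. Unless an external mechanism covers ejabberd logins, re-add `mod_fail2ban: {}` under `modules:`. The same hunk also drops `mod_admin_update_sql: {}` (patch 23), and the following `@@ -190,9 +215,7 @@` hunk drops `max_user_conferences: 1000` and `allow_subscription: true` (patch 20 and earlier), so several recent changes are silently reverted by importing the live config and each should be confirmed as intended.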
@@ -200,43 +223,37 @@ modules: mod_ping: {} mod_privacy: {} mod_private: {} - mod_proxy65: - access: local - max_connections: 5 + mod_proxy65: {} mod_pubsub: access_createnode: pubsub_createnode + ignore_pep_from_offline: false + last_item_cache: false + max_items_node: 10 plugins: - "flat" - - "pep" - force_node_config: - ## Enable OMEMO support for clients using Conversations - ## See https://github.com/processone/ejabberd/issues/2425 - "eu.siacs.conversations.axolotl.*": - access_model: open - ## Avoid buggy clients to make their bookmarks public - "storage:bookmarks": - access_model: whitelist + - "pep" # pep requires mod_caps mod_push: {} mod_push_keepalive: {} mod_register: - ## Only accept registration requests from the "trusted" - ## network (see access_rules section above). - ## Think twice before enabling registration from any - ## address. See the Jabber SPAM Manifesto for details: - ## https://github.com/ge0rg/jabber-spam-fighting-manifesto + welcome_message: + subject: "Welcome!" + body: |- + Hi. + Welcome to this XMPP server. ip_access: trusted_network + access: register mod_roster: versioning: true store_current_id: true - mod_s2s_dialback: {} mod_shared_roster: {} - mod_stream_mgmt: - resend_on_timeout: if_offline mod_vcard: search: false mod_vcard_xupdate: {} - mod_version: - show_os: false + mod_avatar: {} + mod_version: {} + mod_stream_mgmt: {} + mod_s2s_dialback: {} + mod_http_api: {} append_host_config: "kosmos.org": @@ -251,9 +268,10 @@ append_host_config: access_persistent: muc_create default_room_options: mam: true + allow_contrib_modules: true ### Local Variables: ### mode: yaml ### End: -### vim: set filetype=yaml tabstop=8 +### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker: -- 2.25.1
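Review bot: `mod_proxy65: {}` drops `access: local` and `max_connections: 5`, so with the module's default access rule of `all` the SOCKS5 bytestream proxy becomes usable by any JID that can reach the server rather than local accounts only; `mod_version: {}` likewise drops `show_os: false`, re-enabling the operating-system string in XEP-0092 replies. Both read as regressions from importing the live config rather than deliberate changes, so restore `access: local` under `mod_proxy65` and `show_os: false` under `mod_version`. The `force_node_config` block under `mod_pubsub`, including the OMEMO `access_model: open` change made in patch 24 and the `storage:bookmarks` whitelist, is also removed here and thereby reverts that earlier commit.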