# kosmos-postgresql

## Usage

### On the primary:

Set the `postgresql_primary` role on the node.

### On the replica:

Add the `postgresql_replica` role to the node's run list. Run Chef on the node a first time.

After the initial Chef run on the replica, run Chef on the primary to add the firewall rules and PostgreSQL access rules, then run Chef again on the replica to set up replication.

## Caveat

[`firewall_rules`](https://github.com/chef-cookbooks/firewall/issues/134) and [`postgresql_access`](https://github.com/sous-chefs/postgresql/issues/648) are declared in recipes, not resources, because of the way custom resources currently work in Chef. See the `default.rb` and `replica.rb` recipes.

The primary gives access to the `replication` db to the `replication` user connecting from a replica, and replicas to the primary. For more information about PostgreSQL client authentication, see the [official docs](https://www.postgresql.org/docs/12/auth-pg-hba-conf.html).

The primary opens up the PostgreSQL port (5432 TCP) to replicas, and replicas to the primary.

## TLS self-signed certificate

A wildcard (`*.kosmos.org`) certificate was generated with the following commands:

```
openssl req -new -nodes -text -out root.csr -keyout root.key \
  -subj "/CN=root.kosmos.org"
chmod og-rwx root.key
openssl x509 -req -in root.csr -text -days 3650 \
  -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
  -signkey root.key -out root.crt
openssl req -new -nodes -text -out server.csr \
  -keyout server.key -subj "/CN=*.kosmos.org"
chmod og-rwx server.key
openssl x509 -req -in server.csr -text -days 1825 \
  -CA root.crt -CAkey root.key -CAcreateserial \
  -out server.crt
```

It is valid until May 12 2025.

The contents of `server.crt`, `server.key` and `root.crt` are stored in the `postgresql` encrypted data bag. The root key is stored in LastPass ("Self-signed TLS root certificate").

`server.crt` & `server.key` are used by the PostgreSQL server.
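An added Ruby example, not part of this cookbook: it rebuilds a chain shaped like the one above (a CA:TRUE root and a wildcard leaf signed by it) and then runs the checks worth doing on the PEMs pulled from the `postgresql` data bag before rolling them out: that `server.crt` chains to `root.crt`, that the wildcard CN covers the host clients connect to (the check libpq performs under `sslmode=verify-full`), and how many days remain before expiry. The function names and the sample chain are constructed here and assume nothing beyond Ruby's standard `openssl` library.

```ruby
require 'openssl'

# Issue a certificate the way the openssl(1) commands above do: self-signed
# when no issuer is given, otherwise signed by the issuer's key.
def issue_cert(cn:, key:, days:, serial:, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for the basicConstraints extension
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  # `-extensions v3_ca` in the commands above is what marks root.crt as a CA
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Checks to run on the PEMs kept in the `postgresql` data bag: does server.crt
# chain to root.crt, does the wildcard CN cover the host clients connect to
# (what libpq checks under sslmode=verify-full), and how many days remain
# before it expires. `now` is injectable so expiry can be tested.
def check_server_cert(server_pem, root_pem, hostname, now: Time.now)
  server = OpenSSL::X509::Certificate.new(server_pem)
  root   = OpenSSL::X509::Certificate.new(root_pem)
  store  = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.time = now
  {
    chains_to_root: store.verify(server),
    hostname_ok: OpenSSL::SSL.verify_certificate_identity(server, hostname),
    days_left: ((server.not_after - now) / 86_400).floor
  }
end

# Constructed sample chain with the CNs and lifetimes from the README; the
# real PEMs would come out of the encrypted data bag instead.
def sample_chain
  root_key = OpenSSL::PKey::RSA.new(2048)
  root = issue_cert(cn: 'root.kosmos.org', key: root_key, days: 3650, serial: 1, ca: true)
  server_key = OpenSSL::PKey::RSA.new(2048)
  server = issue_cert(cn: '*.kosmos.org', key: server_key, days: 1825, serial: 2,
                      issuer: root, issuer_key: root_key)
  [server.to_pem, root.to_pem]
end
```

`p check_server_cert(*sample_chain, 'db1.kosmos.org')` prints the three results for the sample chain; a root with the same CN but a different key fails `chains_to_root`, and `kosmos.org` or `a.b.kosmos.org` fail `hostname_ok` because the wildcard only covers one label.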