chef/site-cookbooks/kosmos-postgresql/resources/server.rb

resource_name :postgresql_custom_server

property :postgresql_version, String, required: true, name_property: true
property :role, String, required: true # Can be primary or replica
property :encfs, [TrueClass, FalseClass], default: false

action :create do
  postgresql_version = new_resource.postgresql_version
  postgresql_data_dir = data_dir(postgresql_version)
  postgresql_service = "postgresql@#{postgresql_version}-main"

  node.override['build-essential']['compile_time'] = true
  include_recipe 'build-essential::default'

  package("libpq-dev") { action :nothing }.run_action(:install)

  chef_gem 'pg' do
    compile_time true
  end

  postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')

  postgresql_server_install "main" do
    version postgresql_version
    setup_repo true
    password postgresql_data_bag_item['server_password']
    action :install
  end

  service postgresql_service do
    supports restart: true, status: true, reload: true
    # action [:enable, :start]
  end

  postgresql_client_install "main" do
    version postgresql_version
    setup_repo true
    action :install
  end

  postgresql_user "replication" do
    action :create
    replication true
    password postgresql_data_bag_item['replication_password']
  end

  if new_resource.encfs
    # FIXME: encfs always runs a configuration assistant when creating a new
    # volume, so this needs to be done manually:
    #    systemctl stop postgresql@12-main
    #    mv /var/lib/postgresql /var/lib/postgresql.old
    #    encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public
    # Pick p (paranoia mode) and enter the password from the data bag twice
    #    mv /var/lib/postgresql/* /var/lib/postgresql/
    #    systemctl start postgresql@12-main

    package "encfs"

    template "/usr/local/bin/mount_pg_encfs" do
      source "mount_pg_encfs.erb"
      mode "0700"
      variables password: postgresql_data_bag_item["encfs_password"]
    end

    execute "systemctl daemon-reload" do
      command "systemctl daemon-reload"
      action :nothing
    end

    # The service will automatically mount the encrypted volume on startup
    cookbook_file "/lib/systemd/system/encfs_postgresql.service" do
      source "encfs.service"
      notifies :run, "execute[systemctl daemon-reload]", :delayed
    end

    service "encfs_postgresql" do
      action [:enable]
    end
  end

  shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM
                     "128MB"
                   else # >= 1GB RAM, use 25% of total RAM
                     "#{node['memory']['total'].to_i / 1024 / 4}MB"
                   end

  additional_config = {
    max_connections: 100, # default
    shared_buffers: shared_buffers,
    unix_socket_directories: "/var/run/postgresql",
    dynamic_shared_memory_type: "posix",
    timezone: "UTC", # default is GMT
    listen_addresses: "0.0.0.0",
  }

  if new_resource.role == "replica"
    additional_config[:promote_trigger_file] = "#{postgresql_data_dir}/failover.trigger"
  end

  ssl_cert = postgresql_data_bag_item['ssl_cert']
  ssl_cert_path = "#{postgresql_data_dir}/server.crt"
  ssl_key = postgresql_data_bag_item['ssl_key']
  ssl_key_path = "#{postgresql_data_dir}/server.key"

  file ssl_cert_path do
    content ssl_cert
    owner "postgres"
    group "postgres"
    mode "0640"
    sensitive true
  end

  file ssl_key_path do
    content ssl_key
    owner "postgres"
    group "postgres"
    mode "0600"
    sensitive true
  end

  additional_config[:ssl]           = "on"
  additional_config[:ssl_cert_file] = ssl_cert_path
  additional_config[:ssl_key_file]  = ssl_key_path
  # ejabberd does not support 1.3 yet
  additional_config[:ssl_min_protocol_version]  = "TLSv1.2"

  postgresql_server_conf "main" do
    version postgresql_version
    additional_config additional_config
    notifies :reload, "service[#{postgresql_service}]"
  end
end

action_class do
  # to use the data_dir helper
  include PostgresqlCookbook::Helpers
end