cookbooks/oxidized/recipes/default.rb

   1 #
   2 # Cookbook:: oxidized
   3 # Recipe:: default
   4 #
   5 # Copyright:: 2022, OpenStreetMap Foundation
   6 #
   7 # Licensed under the Apache License, Version 2.0 (the "License");
   8 # you may not use this file except in compliance with the License.
   9 # You may obtain a copy of the License at
  10 #
  11 #     https://www.apache.org/licenses/LICENSE-2.0
  12 #
  13 # Unless required by applicable law or agreed to in writing, software
  14 # distributed under the License is distributed on an "AS IS" BASIS,
  15 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16 # See the License for the specific language governing permissions and
  17 # limitations under the License.
  18 #
  19
  20 include_recipe "git"
  21 include_recipe "ruby"
  22
  23 package %w[
  24   gcc
  25   g++
  26   make
  27   cmake
  28   libssl-dev
  29   libssh2-1-dev
  30   zlib1g-dev
  31   pkg-config
  32   libyaml-dev
  33   logrotate
  34 ]
  35
  36 keys = data_bag_item("oxidized", "keys")
  37 devices = data_bag_item("oxidized", "devices")
  38
  39 directory "/etc/oxidized" do
  40   owner "root"
  41   group "root"
  42   mode "755"
  43 end
  44
  45 template "/etc/oxidized/config" do
  46   source "config.erb"
  47   owner "oxidized"
  48   group "oxidized"
  49   mode "444"
  50   notifies :restart, "service[oxidized]"
  51 end
  52
  53 template "/etc/oxidized/routers.db" do
  54   source "routers.db.erb"
  55   owner "oxidized"
  56   group "oxidized"
  57   mode "400"
  58   variables :devices => devices
  59   notifies :restart, "service[oxidized]"
  60 end
  61
  62 directory "/var/log/oxidized" do
  63   owner "oxidized"
  64   group "oxidized"
  65   mode "755"
  66 end
  67
  68 directory "/opt/oxidized" do
  69   owner "oxidized"
  70   group "oxidized"
  71   mode "755"
  72 end
  73
  74 git "/opt/oxidized/daemon" do
  75   action :sync
  76   repository "https://github.com/openstreetmap/oxidized.git"
  77   depth 1
  78   user "oxidized"
  79   group "oxidized"
  80   notifies :run, "bundle_install[/opt/oxidized/daemon]", :immediately
  81 end
  82
  83 directory "/opt/oxidized/.ssh" do
  84   owner "oxidized"
  85   group "oxidized"
  86   mode "700"
  87 end
  88
  89 # Key is set as a deployment key in github repo
  90 file "/opt/oxidized/.ssh/id_ed25519" do
  91   content keys["git"].join("\n")
  92   owner "oxidized"
  93   group "oxidized"
  94   mode "400"
  95   notifies :delete, "file[/opt/oxidized/.ssh/id_ed25519.pub]", :immediately
  96   notifies :restart, "service[oxidized]"
  97 end
  98
  99 # Ensure public key is deleted if private key is changed. Trigged by notify
 100 file "/opt/oxidized/.ssh/id_ed25519.pub" do
 101   action :nothing
 102 end
 103
 104 execute "/opt/oxidized/.ssh/id_ed25519.pub" do
 105   command "ssh-keygen -f /opt/oxidized/.ssh/id_ed25519 -y > /opt/oxidized/.ssh/id_ed25519.pub"
 106   user "oxidized"
 107   group "oxidized"
 108   creates "/opt/oxidized/.ssh/id_ed25519.pub"
 109   notifies :restart, "service[oxidized]"
 110 end
 111
 112 ssh_known_hosts_entry "github.com" do
 113   action [:create, :flush]
 114   file_location "/opt/oxidized/.ssh/known_hosts"
 115   owner "oxidized"
 116   group "oxidized"
 117 end
 118
 119 directory "/var/lib/oxidized" do
 120   owner "oxidized"
 121   group "oxidized"
 122   mode "750"
 123 end
 124
 125 git "/var/lib/oxidized/configs.git" do
 126   action :sync
 127   repository "git@github.com:openstreetmap/oxidized-configs.git" # Uses oxidized ssh key
 128   checkout_branch "master" # branch is hardcoded in oxidized
 129   user "oxidized"
 130   group "oxidized"
 131 end
 132
 133 bundle_config "/opt/oxidized/daemon" do
 134   user "oxidized"
 135   group "oxidized"
 136   settings "deployment" => "true",
 137            "build.rugged" => "--with-ssh"
 138 end
 139
 140 bundle_install "/opt/oxidized/daemon" do
 141   action :nothing
 142   user "oxidized"
 143   group "oxidized"
 144   notifies :restart, "service[oxidized]"
 145 end
 146
 147 # Based on https://github.com/ytti/oxidized/blob/master/extra/oxidized.service
 148 systemd_service "oxidized" do
 149   description "oxidized network device backup daemon"
 150   after "network.target"
 151   user "oxidized"
 152   working_directory "/opt/oxidized/daemon"
 153   runtime_directory "oxidized"
 154   exec_start "#{node[:ruby][:bundle]} exec oxidized"
 155   environment "OXIDIZED_HOME" => "/etc/oxidized",
 156               "OXIDIZED_LOGS" => "/var/log/oxidized"
 157   nice 10
 158   sandbox :enable_network => true
 159   restrict_address_families "AF_NETLINK"
 160   read_write_paths ["/run/oxidized", "/var/lib/oxidized", "/var/log/oxidized"]
 161   restart "on-failure"
 162   notifies :restart, "service[oxidized]"
 163 end
 164
 165 service "oxidized" do
 166   action [:enable, :start]
 167 end
 168
 169 template "/etc/logrotate.d/oxidized" do
 170   source "logrotate.erb"
 171   owner "root"
 172   group "root"
 173   mode "644"
 174 end