Add oxidized backup daemon
[chef.git] / cookbooks / oxidized / recipes / default.rb
1 #
2 # Cookbook:: oxidized
3 # Recipe:: default
4 #
5 # Copyright:: 2022, OpenStreetMap Foundation
6 #
7 # Licensed under the Apache License, Version 2.0 (the "License");
8 # you may not use this file except in compliance with the License.
9 # You may obtain a copy of the License at
10 #
11 #     https://www.apache.org/licenses/LICENSE-2.0
12 #
13 # Unless required by applicable law or agreed to in writing, software
14 # distributed under the License is distributed on an "AS IS" BASIS,
15 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 # See the License for the specific language governing permissions and
17 # limitations under the License.
18 #
19
# Load the git and ruby recipes first, in this order.
%w[git ruby].each { |recipe_name| include_recipe recipe_name }
22
# Compiler toolchain and development headers, installed from the system
# package manager. Presumably required to compile native gem extensions when
# oxidized is bundled -- confirm against its Gemfile.
build_packages = %w[gcc g++ make cmake libssl-dev libssh2-1-dev zlib1g-dev pkg-config]
package build_packages
33
# Fetch the two items of the "oxidized" data bag: "keys" holds the git
# deployment key written to /opt/oxidized/.ssh/id_rsa, "devices" feeds the
# routers.db template.
# NOTE(review): both items carry secrets; whether the data bag is encrypted
# at rest is not visible from this recipe -- confirm.
keys, devices = %w[keys devices].map { |item_id| data_bag_item("oxidized", item_id) }
36
# Main oxidized configuration, rendered from config.erb. A change to the
# rendered file queues a restart of the daemon.
# NOTE(review): mode 444 makes this file world-readable, so config.erb must
# not embed device or API credentials -- confirm against the template, or
# tighten the mode if it does.
template "/etc/oxidized/config" do
  notifies :restart, "service[oxidized]"
  mode "444"
  group "oxidized"
  owner "oxidized"
  source "config.erb"
end
44
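# Device inventory for oxidized, rendered from the "devices" data bag item.
# Mode 400 restricts the file to the oxidized user; a change queues a restart
# of the daemon.
template "/etc/oxidized/routers.db" do
  source "routers.db.erb"
  owner "oxidized"
  group "oxidized"
  mode "400"
  variables :devices => devices
  # The restrictive mode suggests the rendered file is secret (presumably
  # device logins -- confirm against routers.db.erb), so keep its content and
  # diff out of the chef-client output and logs.
  sensitive true
  notifies :restart, "service[oxidized]"
end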
53
# Log directory for the daemon: writable by the oxidized user, listable and
# readable by everyone else (mode 755). The unit file points OXIDIZED_LOGS at
# this path.
directory "/var/log/oxidized" do
  mode "755"
  group "oxidized"
  owner "oxidized"
end
59
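# Private SSH key for the oxidized user, taken from the "keys" data bag item.
# The matching public key is registered as a deployment key on the GitHub
# repository.
# NOTE(review): nothing visible in this recipe creates /opt/oxidized/.ssh;
# presumably the account setup elsewhere does -- confirm.
file "/opt/oxidized/.ssh/id_rsa" do
  content keys["git"]
  owner "oxidized"
  group "oxidized"
  mode "400"
  # Private key material: suppress the content diff so the key never lands in
  # chef-client output or logs when it is created or rotated.
  sensitive true
  # Drop the derived public key right away so it is regenerated from the new
  # private key, then queue a restart of the daemon.
  notifies :delete, "file[/opt/oxidized/.ssh/id_rsa.pub]", :immediately
  notifies :restart, "service[oxidized]"
end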
69
# Placeholder resource that does nothing on its own. It exists so that the
# private key resource can notify it with :delete, removing the stale public
# key whenever the private key changes.
file "/opt/oxidized/.ssh/id_rsa.pub" do
  action :nothing
end
74
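# Derive the public key from the private key whenever id_rsa.pub is missing,
# for example after the private key changed and the stale copy was deleted.
# `execute` is the Chef resource that runs a shell command; its `user` and
# `group` properties select the account the command runs as, so the generated
# file belongs to oxidized rather than root.
execute "/opt/oxidized/.ssh/id_rsa.pub" do
  command "ssh-keygen -f /opt/oxidized/.ssh/id_rsa -y > /opt/oxidized/.ssh/id_rsa.pub"
  user "oxidized"
  group "oxidized"
  # Guard: skip the command while the public key file already exists.
  creates "/opt/oxidized/.ssh/id_rsa.pub"
  notifies :restart, "service[oxidized]"
end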
82
# Shallow checkout of the oxidized application itself, owned by the oxidized
# user. A change in the checkout triggers the bundle install for the same
# path.
# NOTE(review): no `revision` is set, so every sync follows the head of the
# remote default branch and whatever lands there is deployed next to the
# device credentials. Pin `revision` to a reviewed commit or tag if deploys
# should be gated.
git "/opt/oxidized" do
  repository "https://github.com/openstreetmap/oxidized.git"
  depth 1
  group "oxidized"
  user "oxidized"
  notifies :run, "bundle_install[/opt/oxidized]"
  action :sync
end
91
# Checkout of the repository that receives the device configuration backups.
# It is fetched over SSH as the oxidized user, so it authenticates with that
# user's SSH key.
# NOTE(review): the SSH fetch depends on github.com's host key being trusted
# by the oxidized user; no known_hosts entry is managed in this recipe --
# confirm it is provisioned elsewhere rather than host key checking being
# relaxed.
git "/var/lib/oxidized/configs.git" do
  repository "git@github.com:openstreetmap/oxidized-configs.git"
  # oxidized hardcodes the branch name, so it has to be "master".
  checkout_branch "master"
  group "oxidized"
  user "oxidized"
  action :sync
end
99
# Install the gems for the oxidized checkout. The resource is idle by default
# (action :nothing) and only runs when the git checkout notifies it; a run
# then queues a restart of the daemon.
# "--deployment" is passed through as the install option; presumably this
# makes bundler install strictly from the committed Gemfile.lock -- confirm
# against the bundle_install resource.
bundle_install "/opt/oxidized" do
  options "--deployment"
  group "oxidized"
  user "oxidized"
  notifies :restart, "service[oxidized]"
  action :nothing
end
107
# Unit definition for the daemon, modelled on
# https://github.com/ytti/oxidized/blob/master/extra/oxidized.service
# It runs `bundle exec oxidized` as the unprivileged oxidized user from the
# application checkout; a change to the unit queues a restart of the service.
systemd_service "oxidized" do
  description "oxidized network device backup daemon"
  after "network.target"
  working_directory "/opt/oxidized"
  user "oxidized"
  nice 10
  # Bundler path comes from the node attributes.
  exec_start "#{node[:ruby][:bundle]} exec oxidized"
  # Tell oxidized where its configuration and log directories live.
  environment("OXIDIZED_HOME" => "/etc/oxidized",
              "OXIDIZED_LOGS" => "/var/log/oxidized")
  restart "on-failure"
  # Sandboxing options; presumably these map onto the systemd directives of
  # the same names (PrivateTmp=, PrivateDevices=, ProtectSystem=,
  # ProtectHome=, NoNewPrivileges=) -- confirm against the systemd_service
  # resource.
  no_new_privileges true
  protect_home true
  protect_system "full"
  private_devices true
  private_tmp true
  notifies :restart, "service[oxidized]"
end
126
# Enable the oxidized service and start it. This is also the resource that
# the restart notifications elsewhere in the recipe are sent to.
service "oxidized" do
  action %i[enable start]
end
130
# Logrotate policy for the oxidized logs, rendered from logrotate.erb. The
# file is owned by root and not writable by anyone else (mode 644).
template "/etc/logrotate.d/oxidized" do
  mode "644"
  group "root"
  owner "root"
  source "logrotate.erb"
end