#
# Cookbook:: db
# Recipe:: master
#
# Copyright:: 2011, OpenStreetMap Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

include_recipe "db::base"

# Credentials for the database roles declared below, read from the "passwords"
# item of the "db" data bag. Indexing the item with [] returns nil for a key
# that is absent, so a role whose entry is missing is handed a nil password
# here rather than the run failing; a fetch would make that loud — worth
# confirming the resource's handling of nil before relying on it either way.
passwords = data_bag_item("db", "passwords")

# Roles on the master cluster. Every role is created on the cluster named by
# node[:db][:cluster]; passwords come from the "db/passwords" data bag item
# looked up above.
db_cluster = node[:db][:cluster]

# Personal account with full superuser rights on the cluster.
postgresql_user "tomh" do
  cluster db_cluster
  superuser true
end

# Personal account; no password is set in this recipe, so how it authenticates
# is decided entirely by the cluster's pg_hba configuration elsewhere.
postgresql_user "grant" do
  cluster db_cluster
end

# Application roles that carry nothing but a password. Declared in the same
# order as before so resource ordering is unchanged.
%w[openstreetmap rails cgimap planetdump].each do |role|
  postgresql_user role do
    cluster db_cluster
    password passwords[role]
  end
end

# Besides its password this role holds the PostgreSQL REPLICATION privilege,
# which allows streaming the WAL and therefore reading every table in the
# cluster — presumably so that diff generation can follow changes (confirm
# against the planetdiff deployment).
postgresql_user "planetdiff" do
  cluster db_cluster
  password passwords["planetdiff"]
  replication true
end

postgresql_user "backup" do
  cluster db_cluster
  password passwords["backup"]
end

# Replication role, presumably used by standby servers to stream WAL from this
# master; REPLICATION again means read access to all cluster data.
postgresql_user "replication" do
  cluster db_cluster
  password passwords["replication"]
  replication true
end

# The application database and the extensions installed into it.
db_cluster = node[:db][:cluster]

postgresql_database "openstreetmap" do
  cluster db_cluster
  owner "openstreetmap"
end

# btree_gist is only created when the cluster's recorded version is at least
# 9.0. The guard runs at converge time and also tolerates the cluster having
# no entry under node[:postgresql][:clusters].
postgresql_extension "btree_gist" do
  cluster db_cluster
  database "openstreetmap"
  only_if do
    cluster_attrs = node[:postgresql][:clusters][node[:db][:cluster]]
    cluster_attrs && cluster_attrs[:version] >= 9.0
  end
end

# postgis is owned by the postgres role rather than by the database owner.
postgresql_extension "postgis" do
  cluster db_cluster
  database "openstreetmap"
  owner "postgres"
end

# Per-relation grants for the cgimap role. Note the shape: the current_*
# tables and changesets can be updated, while the history tables (nodes, ways,
# relations and their tag/member tables) are insert-only, and the user, oauth
# and moderation tables are read-only. Relations not listed here get no grant
# for cgimap at all.
CGIMAP_PERMISSIONS = {
  "changeset_comments" => %i[select],
  "changeset_tags" => %i[select],
  "changesets" => %i[select update],
  "current_node_tags" => %i[select insert delete],
  "current_nodes" => %i[select insert update],
  "current_nodes_id_seq" => %i[update],
  "current_relation_members" => %i[select insert delete],
  "current_relation_tags" => %i[select insert delete],
  "current_relations" => %i[select insert update],
  "current_relations_id_seq" => %i[update],
  "current_way_nodes" => %i[select insert delete],
  "current_way_tags" => %i[select insert delete],
  "current_ways" => %i[select insert update],
  "current_ways_id_seq" => %i[update],
  "issues" => %i[select],
  "node_tags" => %i[select insert],
  "nodes" => %i[select insert],
  "oauth_access_grants" => %i[select],
  "oauth_access_tokens" => %i[select],
  "oauth_applications" => %i[select],
  "relation_members" => %i[select insert],
  "relation_tags" => %i[select insert],
  "relations" => %i[select insert],
  "reports" => %i[select],
  "user_blocks" => %i[select],
  "user_roles" => %i[select],
  "users" => %i[select],
  "way_nodes" => %i[select insert],
  "way_tags" => %i[select insert],
  "ways" => %i[select insert]
}.freeze

# Read-only grants for the planetdump role; it only needs notes, note comments
# and users. Values are bare symbols here (not arrays as in CGIMAP_PERMISSIONS),
# which the table resource evidently accepts.
PLANETDUMP_PERMISSIONS = %w[
  note_comments
  notes
  users
].to_h { |table| [table, :select] }.freeze

# Read-only grants for the planetdiff role: the history tables (nodes, ways,
# relations and their tags/members), changesets with their tags and comments,
# and users. Values are bare symbols, matching PLANETDUMP_PERMISSIONS.
PLANETDIFF_PERMISSIONS = %w[
  changeset_comments
  changeset_tags
  changesets
  node_tags
  nodes
  relation_members
  relation_tags
  relations
  users
  way_nodes
  way_tags
  ways
].to_h { |table| [table, :select] }.freeze

# The prometheus role may only read delayed_jobs (queue-depth style metrics).
# The role itself is not created in this recipe; it must come from db::base or
# another recipe.
PROMETHEUS_PERMISSIONS = %w[
  delayed_jobs
].to_h { |table| [table, :select] }.freeze

# Every table of the openstreetmap database is owned by the openstreetmap role.
# rails gets full DML on all of them; the narrower roles (cgimap, planetdump,
# planetdiff, prometheus) receive only what their permission maps above list
# for that table, and a table absent from a map yields nil for that role —
# presumably treated as "no grant" by postgresql_table (confirm in the
# resource). backup and grant can read everything, which includes users,
# user_blocks and the oauth_* tables.
tables = %w[
  acls
  active_storage_attachments
  active_storage_blobs
  active_storage_variant_records
  ar_internal_metadata
  changeset_comments
  changeset_tags
  changesets
  changesets_subscribers
  current_node_tags
  current_nodes
  current_relation_members
  current_relation_tags
  current_relations
  current_way_nodes
  current_way_tags
  current_ways
  delayed_jobs
  diary_comments
  diary_entries
  diary_entry_subscriptions
  friends
  gps_points
  gpx_file_tags
  gpx_files
  issue_comments
  issues
  languages
  messages
  node_tags
  nodes
  note_comments
  note_subscriptions
  notes
  noticed_events
  noticed_notifications
  oauth_access_grants
  oauth_access_tokens
  oauth_applications
  oauth_openid_requests
  redactions
  relation_members
  relation_tags
  relations
  reports
  schema_migrations
  social_links
  spammy_phrases
  user_blocks
  user_mutes
  user_preferences
  user_roles
  users
  way_nodes
  way_tags
  ways
]

tables.each do |table|
  table_permissions = {
    "openstreetmap" => %i[all],
    "rails" => %i[select insert update delete],
    "cgimap" => CGIMAP_PERMISSIONS[table],
    "planetdump" => PLANETDUMP_PERMISSIONS[table],
    "planetdiff" => PLANETDIFF_PERMISSIONS[table],
    "prometheus" => PROMETHEUS_PERMISSIONS[table],
    "backup" => %i[select],
    "grant" => %i[select]
  }

  postgresql_table table do
    cluster node[:db][:cluster]
    database "openstreetmap"
    owner "openstreetmap"
    permissions table_permissions
  end
end

# The *_id_seq sequences, owned by the openstreetmap role. rails only needs
# USAGE (nextval); cgimap gets the UPDATE listed in CGIMAP_PERMISSIONS for the
# three current_*_id_seq sequences and nil — presumably no grant — for the
# rest; backup and grant may read the current values.
sequences = %w[
  acls_id_seq
  active_storage_attachments_id_seq
  active_storage_blobs_id_seq
  active_storage_variant_records_id_seq
  changeset_comments_id_seq
  changesets_id_seq
  current_nodes_id_seq
  current_relations_id_seq
  current_ways_id_seq
  delayed_jobs_id_seq
  diary_comments_id_seq
  diary_entries_id_seq
  friends_id_seq
  gpx_file_tags_id_seq
  gpx_files_id_seq
  issue_comments_id_seq
  issues_id_seq
  messages_id_seq
  note_comments_id_seq
  notes_id_seq
  noticed_events_id_seq
  noticed_notifications_id_seq
  oauth_access_grants_id_seq
  oauth_access_tokens_id_seq
  oauth_applications_id_seq
  oauth_openid_requests_id_seq
  redactions_id_seq
  reports_id_seq
  social_links_id_seq
  spammy_phrases_id_seq
  user_blocks_id_seq
  user_mutes_id_seq
  user_roles_id_seq
  users_id_seq
]

sequences.each do |sequence|
  sequence_permissions = {
    "openstreetmap" => %i[all],
    "rails" => %i[usage],
    "cgimap" => CGIMAP_PERMISSIONS[sequence],
    "backup" => %i[select],
    "grant" => %i[select]
  }

  postgresql_sequence sequence do
    cluster node[:db][:cluster]
    database "openstreetmap"
    owner "openstreetmap"
    permissions sequence_permissions
  end
end

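# Scheduled REINDEX jobs. The monthly and yearly jobs were declared twice with
# only the SQL script and the calendar differing, so they now come from one
# table. Hash iteration keeps insertion order, so the monthly resources still
# converge before the yearly ones and every resource name is unchanged
# ("<period>-reindex", "<period>-reindex.timer", /usr/local/share/<period>-reindex.sql).
{
  "monthly" => "Sun *-*-1..7 02:00",
  "yearly" => "Thu *-1-8..14 02:00"
}.each do |period, schedule|
  job = "#{period}-reindex"
  script = "/usr/local/share/#{job}.sql"
  summary = "#{period.capitalize} database reindex"

  # The script is root-owned and not writable by the postgres user that runs
  # it, so the database role executing it cannot alter what gets run.
  cookbook_file script do
    owner "root"
    group "root"
    mode "0644"
  end

  systemd_service job do
    description summary
    # No host is given, so psql uses the local Unix socket; that is why the
    # sandbox only needs to allow AF_UNIX. RemoveIPC stays off because the
    # unit runs as postgres and stopping it would otherwise remove IPC objects
    # belonging to the live database server running under the same user.
    exec_start "/usr/bin/psql -f #{script} openstreetmap"
    user "postgres"
    sandbox true
    restrict_address_families "AF_UNIX"
    remove_ipc false
  end

  systemd_timer job do
    description summary
    on_calendar schedule
  end

  service "#{job}.timer" do
    action %i[enable start]
  end
end
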
# Collector definition, presumably consumed by the Prometheus SQL exporter on
# this host (it queries as the prometheus role granted above). The file is
# world-readable, which is fine only as long as sql_rails.yml.erb contains
# query definitions and no credentials — confirm in the template.
collector_config = "/etc/prometheus/exporters/sql_rails.collector.yml"

template collector_config do
  source "sql_rails.yml.erb"
  owner "root"
  group "root"
  mode "0644"
end