#
# Cookbook:: oxidized
# Recipe:: default
#
# Copyright:: 2022, OpenStreetMap Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# The git resources further down need a git client, and the systemd unit
# below starts the daemon through node[:ruby][:bundle], so both cookbooks
# are converged first.
include_recipe "git"
include_recipe "ruby"

# Compiler, build tools and -dev headers; presumably needed so that
# bundle_install (below) can build oxidized's native gem extensions
# (ssh2, ssl, zlib, yaml) — confirm against the daemon's Gemfile.
package %w[
  gcc
  g++
  make
  cmake
  libssl-dev
  libssh2-1-dev
  zlib1g-dev
  pkg-config
  libyaml-dev
]

# Secrets and inventory come from the "oxidized" data bag:
#   keys["git"]  — lines of the private SSH key written to ~oxidized/.ssh below
#   devices      — rendered into /etc/oxidized/routers.db
# NOTE(review): a private key belongs in an encrypted data bag item (or vault);
# data_bag_item can decrypt such an item when the node's secret is available,
# but this recipe cannot tell whether the item is encrypted — confirm in the repo.
keys = data_bag_item("oxidized", "keys")
devices = data_bag_item("oxidized", "devices")

# Configuration directory. Root-owned and world-listable; the files placed in it
# carry their own tighter ownership and modes (see the templates below).
directory "/etc/oxidized" do
  owner "root"
  group "root"
  mode "755"
end

# Main oxidized configuration rendered from config.erb. Mode 444 makes it
# world-readable, so nothing secret may end up in it — device credentials are
# kept in routers.db (mode 400) instead. NOTE(review): confirm config.erb does
# not interpolate keys or passwords; if it ever does, drop the world-read bit
# and mark the resource `sensitive true`.
template "/etc/oxidized/config" do
  source "config.erb"
  owner "oxidized"
  group "oxidized"
  mode "444"
  notifies :restart, "service[oxidized]"
end

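# Device inventory (routers.db) rendered from the "devices" data bag item.
# The file is owned by the daemon and mode 400, i.e. the author treats its
# content as secret. `sensitive true` extends that to the Chef run itself:
# without it chef-client prints the rendered content (or a diff of it) to
# the log whenever the file changes, copying whatever the data bag holds for
# each device into the client logs.
template "/etc/oxidized/routers.db" do
  source "routers.db.erb"
  owner "oxidized"
  group "oxidized"
  mode "400"
  sensitive true
  variables :devices => devices
  notifies :restart, "service[oxidized]"
end
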
# Log directory; the systemd unit below points OXIDIZED_LOGS at it and lists
# it among the writable paths.
directory "/var/log/oxidized" do
  owner "oxidized"
  group "oxidized"
  mode "755"
end

# Holds the daemon checkout and the oxidized user's .ssh directory.
# NOTE(review): the .ssh layout below implies the oxidized user's home is
# /opt/oxidized; the user itself is not created in this recipe — confirm.
directory "/opt/oxidized" do
  owner "oxidized"
  group "oxidized"
  mode "755"
end

# Daemon source: shallow clone of the OSM fork over HTTPS, re-synced on every
# run. A sync that changes the checkout immediately runs bundle_install, which
# in turn restarts the service. NOTE(review): no `revision` is set, so this
# follows the remote's default branch head and any push to the fork is
# deployed on the next chef run; pinning `revision` to a tag or commit would
# make what is deployed reviewable and reproducible.
git "/opt/oxidized/daemon" do
  action :sync
  repository "https://github.com/openstreetmap/oxidized.git"
  depth 1
  user "oxidized"
  group "oxidized"
  notifies :run, "bundle_install[/opt/oxidized/daemon]", :immediately
end

# SSH directory for the daemon's deploy key and known_hosts. Mode 700 is what
# OpenSSH expects before it will use the key material inside.
directory "/opt/oxidized/.ssh" do
  owner "oxidized"
  group "oxidized"
  mode "700"
end

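# Private SSH key the daemon uses for the SSH git remote below; the matching
# public key is registered as a deploy key on the GitHub repository
# (presumably oxidized-configs). The key is stored line-by-line in the data
# bag and joined back into one file here. `sensitive true` stops chef-client
# from logging the key content or a diff of it when the file is written.
# A change to the private key deletes the stale .pub at once (so the execute
# below regenerates it) and restarts the service.
file "/opt/oxidized/.ssh/id_ed25519" do
  content keys["git"].join("\n")
  owner "oxidized"
  group "oxidized"
  mode "400"
  sensitive true
  notifies :delete, "file[/opt/oxidized/.ssh/id_ed25519.pub]", :immediately
  notifies :restart, "service[oxidized]"
end
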
# Placeholder resource so the public key can be deleted by notification when
# the private key changes (see the file resource above). Does nothing on its own.
file "/opt/oxidized/.ssh/id_ed25519.pub" do
  action :nothing
end

# Derive the public key from the private key. Guarded by `creates`, so it runs
# only while the .pub file is absent: on first converge and right after the
# private key changed (the resource above deletes the old .pub). Runs as the
# oxidized user via a shell redirect, so the .pub gets that user's umask;
# the public half is not secret, so that is fine.
execute "/opt/oxidized/.ssh/id_ed25519.pub" do
  command "ssh-keygen -f /opt/oxidized/.ssh/id_ed25519 -y > /opt/oxidized/.ssh/id_ed25519.pub"
  user "oxidized"
  group "oxidized"
  creates "/opt/oxidized/.ssh/id_ed25519.pub"
  notifies :restart, "service[oxidized]"
end

# Host key for github.com in the oxidized user's known_hosts, so the SSH git
# remote below neither prompts nor falls back to an unverified connection.
# :flush writes the entry out immediately rather than at the end of the run,
# i.e. before the git resource that depends on it.
# NOTE(review): no `key` is given, so (as far as the resource docs go) the
# entry is obtained by scanning github.com at converge time — a
# trust-on-first-use step on the chef node. Supplying GitHub's published
# host key through `key` would remove that dependency on the network.
ssh_known_hosts_entry "github.com" do
  action [:create, :flush]
  file_location "/opt/oxidized/.ssh/known_hosts"
  owner "oxidized"
  group "oxidized"
end

# State directory for the config backup repository; group-readable only, as
# the backed-up device configs are not for other local users.
directory "/var/lib/oxidized" do
  owner "oxidized"
  group "oxidized"
  mode "750"
end

# Working copy of the repository that (presumably) receives the device config
# backups. Cloned over SSH with the deploy key written above, and kept on
# master because oxidized's git output targets that branch name.
# NOTE(review): :sync on every run re-aligns the checkout with the remote; if
# the daemon commits locally between runs and a push fails, confirm those
# commits survive a sync rather than being reset — not visible from here.
git "/var/lib/oxidized/configs.git" do
  action :sync
  repository "git@github.com:openstreetmap/oxidized-configs.git" # Uses oxidized ssh key
  checkout_branch "master" # branch is hardcoded in oxidized
  user "oxidized"
  group "oxidized"
end

# Installs the daemon's gems. Only runs when the git sync above notifies it;
# --deployment makes bundler install exactly what Gemfile.lock pins (and fail
# if the lock is missing or out of date), and a successful install restarts
# the service.
bundle_install "/opt/oxidized/daemon" do
  action :nothing
  options "--deployment"
  user "oxidized"
  group "oxidized"
  notifies :restart, "service[oxidized]"
end

# Based on https://github.com/ytti/oxidized/blob/master/extra/oxidized.service
# Unit for the daemon. Runs unprivileged as oxidized out of the checkout,
# with OXIDIZED_HOME/OXIDIZED_LOGS pointing at the directories created above.
# `sandbox` and `read_write_paths` are properties of this repo's custom
# systemd_service resource: presumably `sandbox` applies the cookbook's
# standard systemd hardening set while keeping network access (needed to reach
# the devices and GitHub), and `read_write_paths` restricts writes to the
# runtime dir, the backup repo and the logs — check the resource definition
# for the exact directives it emits. Any unit change restarts the service.
systemd_service "oxidized" do
  description "oxidized network device backup daemon"
  after "network.target"
  user "oxidized"
  working_directory "/opt/oxidized/daemon"
  runtime_directory "oxidized"
  exec_start "#{node[:ruby][:bundle]} exec oxidized"
  environment "OXIDIZED_HOME" => "/etc/oxidized",
              "OXIDIZED_LOGS" => "/var/log/oxidized"
  nice 10
  sandbox :enable_network => true
  read_write_paths ["/run/oxidized", "/var/lib/oxidized", "/var/log/oxidized"]
  restart "on-failure"
  notifies :restart, "service[oxidized]"
end

# Enable at boot and start now; the config, key, bundle and unit resources
# above all notify this resource to restart when they change.
service "oxidized" do
  action [:enable, :start]
end

# logrotate policy for /var/log/oxidized, rendered from logrotate.erb.
# Root-owned and world-readable like the rest of /etc/logrotate.d.
template "/etc/logrotate.d/oxidized" do
  source "logrotate.erb"
  owner "root"
  group "root"
  mode "644"
end