1 #
2 # Cookbook:: db
3 # Recipe:: master
4 #
5 # Copyright:: 2011, OpenStreetMap Foundation
6 #
7 # Licensed under the Apache License, Version 2.0 (the "License");
8 # you may not use this file except in compliance with the License.
9 # You may obtain a copy of the License at
10 #
11 #     https://www.apache.org/licenses/LICENSE-2.0
12 #
13 # Unless required by applicable law or agreed to in writing, software
14 # distributed under the License is distributed on an "AS IS" BASIS,
15 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 # See the License for the specific language governing permissions and
17 # limitations under the License.
18 #
19
# Pull in the shared database setup before declaring master-only resources.
include_recipe "db::base"

# Role passwords are read from the "passwords" item of the "db" data bag and
# are only consumed by the password-protected roles declared in this recipe.
# NOTE(review): whether this item is an encrypted data bag, and whether the
# postgresql_user resource keeps the value out of logs, is not visible here -
# confirm both.
passwords = data_bag_item("db", "passwords")

# Named administrator accounts. A PostgreSQL superuser bypasses permission
# checks, so the per-table grants in this recipe do not constrain these roles.
# No password is set for them here.
# NOTE(review): how these roles authenticate is decided outside this recipe
# (presumably pg_hba.conf) - confirm it cannot be reached with an empty password.
%w[tomh matt].each do |admin|
  postgresql_user admin do
    cluster node[:db][:cluster]
    superuser true
  end
end
33
# Service roles, each with a password looked up under its own name in the
# `passwords` data bag item. The value says whether the role also gets
# `replication true`.
# NOTE(review): presumably that maps to the PostgreSQL REPLICATION attribute;
# a role that can stream WAL can read the whole cluster regardless of table
# grants, so "planetdiff" and "replication" credentials deserve the same care
# as a full dump - confirm against the postgresql_user resource.
{
  "openstreetmap" => false,
  "rails" => false,
  "cgimap" => false,
  "planetdump" => false,
  "planetdiff" => true,
  "backup" => false,
  "replication" => true
}.each do |role, needs_replication|
  postgresql_user role do
    cluster node[:db][:cluster]
    password passwords[role]
    # Only set the property for roles that need it; the others keep the
    # resource's default.
    replication true if needs_replication
  end
end
70
# The main application database, owned by the "openstreetmap" role.
postgresql_database "openstreetmap" do
  cluster node[:db][:cluster]
  owner "openstreetmap"
end

# btree_gist is only installed when the cluster named by node[:db][:cluster]
# appears in node[:postgresql][:clusters] and reports version 9.0 or later.
# NOTE(review): the comparison is against a Float, so it assumes the stored
# version is numeric rather than a String - confirm where it is populated.
postgresql_extension "btree_gist" do
  cluster node[:db][:cluster]
  database "openstreetmap"
  only_if do
    cluster_info = node[:postgresql][:clusters][node[:db][:cluster]]
    cluster_info && cluster_info[:version] >= 9.0
  end
end
81
# Privileges granted to the "cgimap" role, keyed by table or sequence name.
# The table and sequence loops in this recipe look names up here; a name that
# is absent yields nil. Write access is limited to the map data tables,
# changesets and oauth_nonces; account and OAuth tables are select-only.
CGIMAP_PERMISSIONS = {
  "changeset_comments" => %i[select],
  "changeset_tags" => %i[select],
  "changesets" => %i[select update],
  "client_applications" => %i[select],
  "current_node_tags" => %i[select insert delete],
  "current_nodes" => %i[select insert update],
  "current_nodes_id_seq" => %i[update],
  "current_relation_members" => %i[select insert delete],
  "current_relation_tags" => %i[select insert delete],
  "current_relations" => %i[select insert update],
  "current_relations_id_seq" => %i[update],
  "current_way_nodes" => %i[select insert delete],
  "current_way_tags" => %i[select insert delete],
  "current_ways" => %i[select insert update],
  "current_ways_id_seq" => %i[update],
  "issues" => %i[select],
  "node_tags" => %i[select insert],
  "nodes" => %i[select insert],
  "oauth_access_grants" => %i[select],
  "oauth_access_tokens" => %i[select],
  "oauth_applications" => %i[select],
  "oauth_nonces" => %i[select insert],
  "oauth_nonces_id_seq" => %i[update],
  "oauth_tokens" => %i[select],
  "relation_members" => %i[select insert],
  "relation_tags" => %i[select insert],
  "relations" => %i[select insert],
  "reports" => %i[select],
  "user_blocks" => %i[select],
  "user_roles" => %i[select],
  "users" => %i[select],
  "way_nodes" => %i[select insert],
  "way_tags" => %i[select insert],
  "ways" => %i[select insert]
}.freeze
118
# Tables the "planetdump" role may read; every entry maps to the bare symbol
# :select (not an Array, unlike CGIMAP_PERMISSIONS).
# NOTE(review): this relies on the permissions property accepting a single
# symbol as well as an Array - confirm in the postgresql_table resource.
PLANETDUMP_PERMISSIONS = %w[
  note_comments
  notes
  users
].to_h { |table| [table, :select] }.freeze
124
# Tables the "planetdiff" role may read; every entry maps to the bare symbol
# :select. Note that "users" is included alongside the map data tables.
PLANETDIFF_PERMISSIONS = %w[
  changeset_comments
  changeset_tags
  changesets
  node_tags
  nodes
  relation_members
  relation_tags
  relations
  users
  way_nodes
  way_tags
  ways
].to_h { |table| [table, :select] }.freeze
139
# The "prometheus" role may only read delayed_jobs.
# NOTE(review): this recipe grants to "prometheus" but does not create the
# role; presumably it is declared elsewhere - confirm.
PROMETHEUS_PERMISSIONS = { "delayed_jobs" => :select }.freeze
143
# Declare ownership and per-role grants for every table in the openstreetmap
# database. A table missing from this list gets no postgresql_table resource
# from this recipe, so new application tables must be added here.
%w[
  acls
  active_storage_attachments
  active_storage_blobs
  active_storage_variant_records
  ar_internal_metadata
  changeset_comments
  changeset_tags
  changesets
  changesets_subscribers
  client_applications
  current_node_tags
  current_nodes
  current_relation_members
  current_relation_tags
  current_relations
  current_way_nodes
  current_way_tags
  current_ways
  delayed_jobs
  diary_comments
  diary_entries
  diary_entry_subscriptions
  friends
  gps_points
  gpx_file_tags
  gpx_files
  issue_comments
  issues
  languages
  messages
  node_tags
  nodes
  note_comments
  notes
  oauth_access_grants
  oauth_access_tokens
  oauth_applications
  oauth_nonces
  oauth_openid_requests
  oauth_tokens
  redactions
  relation_members
  relation_tags
  relations
  reports
  schema_migrations
  user_blocks
  user_mutes
  user_preferences
  user_roles
  users
  way_nodes
  way_tags
  ways
].each do |table_name|
  # "openstreetmap" (the owner) gets everything and "rails" gets full DML on
  # every table. "backup" can read every table, including users and the OAuth
  # token tables, so its credentials are as sensitive as a full dump.
  # The remaining roles are looked up per table and are nil when the table is
  # not in their map.
  # NOTE(review): presumably the resource treats nil as "no privileges" and
  # revokes anything else; least privilege for cgimap, planetdump, planetdiff
  # and prometheus depends on that - confirm.
  grants = {
    "openstreetmap" => [:all],
    "rails" => [:select, :insert, :update, :delete],
    "cgimap" => CGIMAP_PERMISSIONS[table_name],
    "planetdump" => PLANETDUMP_PERMISSIONS[table_name],
    "planetdiff" => PLANETDIFF_PERMISSIONS[table_name],
    "prometheus" => PROMETHEUS_PERMISSIONS[table_name],
    "backup" => [:select]
  }

  postgresql_table table_name do
    cluster node[:db][:cluster]
    database "openstreetmap"
    owner "openstreetmap"
    permissions grants
  end
end
213
# Declare ownership and per-role grants for the id sequences. Only
# "openstreetmap", "rails", "cgimap" and "backup" are named here; the
# planetdump, planetdiff and prometheus roles are not given sequence grants.
%w[
  acls_id_seq
  active_storage_attachments_id_seq
  active_storage_blobs_id_seq
  active_storage_variant_records_id_seq
  changeset_comments_id_seq
  changesets_id_seq
  client_applications_id_seq
  current_nodes_id_seq
  current_relations_id_seq
  current_ways_id_seq
  delayed_jobs_id_seq
  diary_comments_id_seq
  diary_entries_id_seq
  friends_id_seq
  gpx_file_tags_id_seq
  gpx_files_id_seq
  issue_comments_id_seq
  issues_id_seq
  messages_id_seq
  note_comments_id_seq
  notes_id_seq
  oauth_access_grants_id_seq
  oauth_access_tokens_id_seq
  oauth_applications_id_seq
  oauth_nonces_id_seq
  oauth_openid_requests_id_seq
  oauth_tokens_id_seq
  redactions_id_seq
  reports_id_seq
  user_blocks_id_seq
  user_mutes_id_seq
  user_roles_id_seq
  users_id_seq
].each do |sequence_name|
  # cgimap's entry is nil for every sequence except the four *_id_seq keys
  # present in CGIMAP_PERMISSIONS.
  # NOTE(review): presumably nil means "no privileges" to the resource - confirm.
  grants = {
    "openstreetmap" => [:all],
    "rails" => [:usage],
    "cgimap" => CGIMAP_PERMISSIONS[sequence_name],
    "backup" => [:select]
  }

  postgresql_sequence sequence_name do
    cluster node[:db][:cluster]
    database "openstreetmap"
    owner "openstreetmap"
    permissions grants
  end
end
259
# Scheduled reindex jobs. For each job this installs the SQL script, a systemd
# service that feeds the script to psql, and a timer that is enabled and
# started.
#
# Schedules use systemd calendar syntax:
#   "Sun *-*-1..7 02:00"  - a Sunday falling on day 1-7 of any month, i.e. the
#                           first Sunday of each month, at 02:00
#   "Thu *-1-8..14 02:00" - a Thursday falling on 8-14 January, i.e. the second
#                           Thursday of January, at 02:00
{
  "monthly-reindex" => { :summary => "Monthly database reindex", :schedule => "Sun *-*-1..7 02:00" },
  "yearly-reindex" => { :summary => "Yearly database reindex", :schedule => "Thu *-1-8..14 02:00" }
}.each do |job, settings|
  sql_script = "/usr/local/share/#{job}.sql"

  # Root-owned and not writable by anyone else, so the account that executes
  # the script cannot modify the SQL it is about to run.
  cookbook_file sql_script do
    owner "root"
    group "root"
    mode "644"
  end

  # Runs as the postgres OS account with no host option, so psql uses its
  # default local connection.
  # NOTE(review): sandbox and restrict_address_families are properties of a
  # custom systemd_service resource; presumably they enable systemd hardening
  # and limit the unit to Unix-domain sockets - confirm. remove_ipc is turned
  # off explicitly, presumably so that stopping this unit does not remove IPC
  # objects owned by the postgres account - confirm.
  systemd_service job do
    description settings[:summary]
    exec_start "/usr/bin/psql -f #{sql_script} openstreetmap"
    user "postgres"
    sandbox true
    restrict_address_families "AF_UNIX"
    remove_ipc false
  end

  systemd_timer job do
    description settings[:summary]
    on_calendar settings[:schedule]
  end

  service "#{job}.timer" do
    action [:enable, :start]
  end
end
307
# Render the Prometheus SQL exporter collector definition for the rails
# database from sql_rails.yml.erb.
# NOTE(review): the file is world-readable (0644); confirm the rendered
# template contains only query definitions and no connection credentials.
template "/etc/prometheus/exporters/sql_rails.collector.yml" do
  owner "root"
  group "root"
  mode "0644"
  source "sql_rails.yml.erb"
end