#
# Cookbook:: db
# Recipe:: master
#
# Copyright:: 2011, OpenStreetMap Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
19
# Pull in the shared database setup first; everything declared below is added
# to the run after the resources of db::base.
include_recipe "db::base"

# Passwords for the service roles, keyed by role name, are read from the
# "passwords" item of the "db" data bag.
# NOTE(review): nothing in this recipe shows whether that item is encrypted at
# rest, and a key that is absent presumably yields nil instead of failing the
# run - confirm how postgresql_user treats a nil password.
passwords = data_bag_item("db", "passwords")

# Named administrator roles: cluster superusers, declared without a password.
# NOTE(review): presumably these authenticate through a method configured
# elsewhere (peer/ident or similar) - confirm against the cluster's pg_hba
# rules, since a superuser role bypasses every grant made further down.
%w[tomh matt].each do |admin|
  postgresql_user admin do
    cluster node[:db][:cluster]
    superuser true
  end
end

# Service roles: one per consumer of the database, each with its own password
# so that a leaked credential maps to a single component. The roles listed in
# the include? check below are additionally marked for replication.
# NOTE(review): "replication true" presumably maps to the PostgreSQL
# REPLICATION attribute, which allows streaming the whole cluster's WAL; the
# table-level grants below do not constrain such a role - confirm against the
# postgresql_user resource.
%w[openstreetmap rails cgimap planetdump planetdiff backup replication].each do |role|
  postgresql_user role do
    cluster node[:db][:cluster]
    password passwords[role]
    replication true if %w[planetdiff replication].include?(role)
  end
end
70
# The main database, owned by the "openstreetmap" role rather than by a
# superuser.
postgresql_database "openstreetmap" do
  cluster node[:db][:cluster]
  owner "openstreetmap"
end

# Install btree_gist into that database, but only when the configured cluster
# has an entry under node[:postgresql][:clusters] and its recorded version is
# at least 9.0.
# NOTE(review): the comparison assumes :version is numeric - confirm how the
# attribute is populated.
postgresql_extension "btree_gist" do
  cluster node[:db][:cluster]
  database "openstreetmap"
  only_if do
    cluster_info = node[:postgresql][:clusters][node[:db][:cluster]]
    cluster_info && cluster_info[:version] >= 9.0
  end
end
81
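# Per-role privilege maps, used as allow-lists by the table and sequence
# loops in this recipe: each maps an object name to the privileges the role
# should hold on it, and a lookup for any other object returns nil.
#
# Every value is an Array of privilege symbols. The read-only maps previously
# used a bare :select while CGIMAP_PERMISSIONS used arrays; they are written
# uniformly here so a lookup is always either nil or an Array, the same shape
# the recipe already passes for the "rails" and "backup" roles.

# cgimap: read access to the tables it needs for authentication and
# moderation state, write access limited to the OSM element tables and the
# three current_*_id_seq sequences.
CGIMAP_PERMISSIONS = {
  "changeset_comments" => [:select],
  "changeset_tags" => [:select],
  "changesets" => [:select, :update],
  "current_node_tags" => [:select, :insert, :delete],
  "current_nodes" => [:select, :insert, :update],
  "current_nodes_id_seq" => [:update],
  "current_relation_members" => [:select, :insert, :delete],
  "current_relation_tags" => [:select, :insert, :delete],
  "current_relations" => [:select, :insert, :update],
  "current_relations_id_seq" => [:update],
  "current_way_nodes" => [:select, :insert, :delete],
  "current_way_tags" => [:select, :insert, :delete],
  "current_ways" => [:select, :insert, :update],
  "current_ways_id_seq" => [:update],
  "issues" => [:select],
  "node_tags" => [:select, :insert],
  "nodes" => [:select, :insert],
  "oauth_access_grants" => [:select],
  "oauth_access_tokens" => [:select],
  "oauth_applications" => [:select],
  "relation_members" => [:select, :insert],
  "relation_tags" => [:select, :insert],
  "relations" => [:select, :insert],
  "reports" => [:select],
  "user_blocks" => [:select],
  "user_roles" => [:select],
  "users" => [:select],
  "way_nodes" => [:select, :insert],
  "way_tags" => [:select, :insert],
  "ways" => [:select, :insert]
}.freeze

# planetdump: read-only, notes and users only.
PLANETDUMP_PERMISSIONS = {
  "note_comments" => [:select],
  "notes" => [:select],
  "users" => [:select]
}.freeze

# planetdiff: read-only access to changesets, the element history tables and
# users.
PLANETDIFF_PERMISSIONS = {
  "changeset_comments" => [:select],
  "changeset_tags" => [:select],
  "changesets" => [:select],
  "node_tags" => [:select],
  "nodes" => [:select],
  "relation_members" => [:select],
  "relation_tags" => [:select],
  "relations" => [:select],
  "users" => [:select],
  "way_nodes" => [:select],
  "way_tags" => [:select],
  "ways" => [:select]
}.freeze

# prometheus: read-only access to the job queue table and nothing else.
PROMETHEUS_PERMISSIONS = {
  "delayed_jobs" => [:select]
}.freeze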
139
# Tables of the "openstreetmap" database whose ownership and grants are
# managed here. A table that exists in the database but is missing from this
# list is not touched by this loop, so additions to the schema need a
# matching entry.
osm_tables = %w[
  acls
  active_storage_attachments
  active_storage_blobs
  active_storage_variant_records
  ar_internal_metadata
  changeset_comments
  changeset_tags
  changesets
  changesets_subscribers
  current_node_tags
  current_nodes
  current_relation_members
  current_relation_tags
  current_relations
  current_way_nodes
  current_way_tags
  current_ways
  delayed_jobs
  diary_comments
  diary_entries
  diary_entry_subscriptions
  friends
  gps_points
  gpx_file_tags
  gpx_files
  issue_comments
  issues
  languages
  messages
  node_tags
  nodes
  note_comments
  note_subscriptions
  notes
  oauth_access_grants
  oauth_access_tokens
  oauth_applications
  oauth_openid_requests
  redactions
  relation_members
  relation_tags
  relations
  reports
  schema_migrations
  user_blocks
  user_mutes
  user_preferences
  user_roles
  users
  way_nodes
  way_tags
  ways
]

osm_tables.each do |table_name|
  # Grants for this one table. Three roles get the same privileges on every
  # table: the owner (all), "rails" (read and write rows) and "backup" (read).
  # The remaining roles are looked up in their allow-list constants and get
  # nil for any table that has no entry there.
  # NOTE(review): presumably postgresql_table treats a nil entry as "no
  # privileges" and revokes anything granted earlier - confirm, because that
  # is what makes the constants act as allow-lists.
  table_grants = {
    "openstreetmap" => [:all],
    "rails" => [:select, :insert, :update, :delete],
    "cgimap" => CGIMAP_PERMISSIONS[table_name],
    "planetdump" => PLANETDUMP_PERMISSIONS[table_name],
    "planetdiff" => PLANETDIFF_PERMISSIONS[table_name],
    "prometheus" => PROMETHEUS_PERMISSIONS[table_name],
    "backup" => [:select]
  }

  postgresql_table table_name do
    cluster node[:db][:cluster]
    database "openstreetmap"
    owner "openstreetmap"
    permissions table_grants
  end
end
207
# Sequences of the "openstreetmap" database whose ownership and grants are
# managed here; as with the tables, a sequence that is not listed is left
# alone by this loop.
osm_sequences = %w[
  acls_id_seq
  active_storage_attachments_id_seq
  active_storage_blobs_id_seq
  active_storage_variant_records_id_seq
  changeset_comments_id_seq
  changesets_id_seq
  current_nodes_id_seq
  current_relations_id_seq
  current_ways_id_seq
  delayed_jobs_id_seq
  diary_comments_id_seq
  diary_entries_id_seq
  friends_id_seq
  gpx_file_tags_id_seq
  gpx_files_id_seq
  issue_comments_id_seq
  issues_id_seq
  messages_id_seq
  note_comments_id_seq
  notes_id_seq
  oauth_access_grants_id_seq
  oauth_access_tokens_id_seq
  oauth_applications_id_seq
  oauth_openid_requests_id_seq
  redactions_id_seq
  reports_id_seq
  user_blocks_id_seq
  user_mutes_id_seq
  user_roles_id_seq
  users_id_seq
]

osm_sequences.each do |sequence_name|
  # The owner gets everything, "rails" may draw values (:usage) and "backup"
  # may read. "cgimap" is looked up in CGIMAP_PERMISSIONS, which only has
  # entries for the three current_*_id_seq sequences, so it gets nil for
  # every other sequence.
  sequence_grants = {
    "openstreetmap" => [:all],
    "rails" => [:usage],
    "cgimap" => CGIMAP_PERMISSIONS[sequence_name],
    "backup" => [:select]
  }

  postgresql_sequence sequence_name do
    cluster node[:db][:cluster]
    database "openstreetmap"
    owner "openstreetmap"
    permissions sequence_grants
  end
end
250
# Scheduled reindex jobs. Each job consists of an SQL script shipped with the
# cookbook, a service that feeds the script to psql, and a timer that is
# enabled and started.
#
# Calendar expressions: "Sun *-*-1..7 02:00" matches the first Sunday of
# every month at 02:00, "Thu *-1-8..14 02:00" the second Thursday of January
# at 02:00.
reindex_jobs = [
  { :unit => "monthly-reindex", :summary => "Monthly database reindex", :calendar => "Sun *-*-1..7 02:00" },
  { :unit => "yearly-reindex", :summary => "Yearly database reindex", :calendar => "Thu *-1-8..14 02:00" }
]

reindex_jobs.each do |job|
  sql_script = "/usr/local/share/#{job[:unit]}.sql"

  # The script is executed as the "postgres" user, so it is owned by root and
  # writable by root only; it is readable by everyone.
  cookbook_file sql_script do
    owner "root"
    group "root"
    mode "644"
  end

  # Runs psql as "postgres" inside the systemd sandbox with only AF_UNIX
  # sockets allowed.
  # NOTE(review): presumably restrict_address_families and remove_ipc map to
  # RestrictAddressFamilies= and RemoveIPC=. With the unit running as
  # "postgres", RemoveIPC would apply to IPC objects owned by that user when
  # the unit stops, which is presumably why it is switched off explicitly -
  # confirm the default that "sandbox true" selects.
  systemd_service job[:unit] do
    description job[:summary]
    exec_start "/usr/bin/psql -f #{sql_script} openstreetmap"
    user "postgres"
    sandbox true
    restrict_address_families "AF_UNIX"
    remove_ipc false
  end

  systemd_timer job[:unit] do
    description job[:summary]
    on_calendar job[:calendar]
  end

  service "#{job[:unit]}.timer" do
    action [:enable, :start]
  end
end
298
# Render the SQL collector definition for the Prometheus exporter from the
# cookbook's sql_rails.yml.erb. No variables are passed to the template here.
# The result is owned by root and readable by everyone.
# NOTE(review): presumably the queries in this file run as the "prometheus"
# role, whose only table grant in this recipe is select on delayed_jobs -
# confirm that the collector asks for nothing beyond that.
template "/etc/prometheus/exporters/sql_rails.collector.yml" do
  source "sql_rails.yml.erb"
  mode "0644"
  group "root"
  owner "root"
end