include_recipe "accounts"
include_recipe "apt"
include_recipe "osmosis"
+include_recipe "ruby"
+include_recipe "tools"
db_passwords = data_bag_item("db", "passwords")
package %w[
postgresql-client
- ruby
- ruby-dev
ruby-libxml
make
gcc
osmdbt
]
-gem_package "pg"
+gem_package "pg" do
+ gem_binary node[:ruby][:gem]
+end
## Build preload library to flush files
variables :password => db_passwords["planetdiff"]
end
+systemd_service "users-agreed" do
+ description "Update list of users accepting CTs"
+ user "planet"
+ exec_start "/usr/local/bin/users-agreed"
+ nice 10
+ private_tmp true
+ private_devices true
+ protect_system "strict"
+ protect_home true
+ read_write_paths "/store/planet/users_agreed"
+ restrict_address_families %w[AF_INET AF_INET6]
+ no_new_privileges true
+end
+
+systemd_timer "users-agreed" do
+ description "Update list of users accepting CTs"
+ on_calendar "7:00"
+end
+
+systemd_service "users-deleted" do
+ description "Update list of deleted users"
+ user "planet"
+ exec_start "/usr/local/bin/users-deleted"
+ nice 10
+ private_tmp true
+ private_devices true
+ protect_system "strict"
+ protect_home true
+ read_write_paths "/store/planet/users_deleted"
+ restrict_address_families %w[AF_INET AF_INET6]
+ no_new_privileges true
+end
+
+systemd_timer "users-deleted" do
+ description "Update list of deleted users"
+ on_calendar "17:00"
+end
+
## Changeset replication
directory "/store/planet/replication/changesets" do
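Review bot: The new `users-agreed` and `users-deleted` units (and `replication-changesets` further down) have no failure notification, whereas the `cron_d` jobs they replace set `mailto`. A failing run is now recorded only in the journal unless something else watches for failed units. If this cookbook's `systemd_service` resource can express an `OnFailure=` dependency, use it; otherwise confirm that existing monitoring alerts on these three units. A comment above each block such as `# failures are reported by <monitoring check>, not by mail` (placeholder) would make the behaviour change explicit.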
variables :password => db_passwords["planetdiff"]
end
+systemd_service "replication-changesets" do
+ description "Changesets replication"
+ user "planet"
+ exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
+ private_tmp true
+ private_devices true
+ protect_system "strict"
+ protect_home true
+ read_write_paths [
+ "/run/replication",
+ "/store/planet/replication/changesets"
+ ]
+ restrict_address_families %w[AF_INET AF_INET6]
+ no_new_privileges true
+end
+
+systemd_timer "replication-changesets" do
+ description "Changesets replication"
+ on_boot_sec 60
+ on_unit_active_sec 60
+ accuracy_sec 5
+end
+
## Minutely replication
directory "/store/planet/replication/minute" do
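Review bot: `read_write_paths` for `replication-changesets` lists `/run/replication`, which lives on a tmpfs and is gone after a reboot. With `protect_system "strict"`, systemd fails namespace setup and refuses to start the unit when a `ReadWritePaths=` entry does not exist and is not prefixed with `-`. Nothing visible in this diff creates that directory at boot, so confirm a tmpfiles.d entry (owned by `planet`) exists or add one. The minutely unit lists the same path, together with both `/store/replication/minute` and `/store/planet/replication/minute`. If one of those two is a leftover, it will block the unit in the same way and should be removed.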
exec_start "/usr/local/bin/replicate-minute"
private_tmp true
private_devices true
- protect_system "full"
+ protect_system "strict"
protect_home true
+ read_write_paths [
+ "/run/replication",
+ "/store/replication/minute",
+ "/store/planet/replication/minute",
+ "/var/lib/replication/minute"
+ ]
restrict_address_families %w[AF_INET AF_INET6]
no_new_privileges true
end
description "Hourly replication"
user "planet"
exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour"
+ environment "LD_PRELOAD" => "/opt/flush/flush.so"
private_tmp true
private_devices true
- protect_system "full"
+ protect_system "strict"
protect_home true
+ read_write_paths [
+ "/store/planet/replication/hour",
+ "/var/lib/replication/hour"
+ ]
restrict_address_families %w[AF_INET AF_INET6]
no_new_privileges true
end
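Review bot: The added `environment "LD_PRELOAD" => "/opt/flush/flush.so"` (here and in the daily unit below) fails open. If the library is missing or cannot be loaded, the dynamic loader prints a warning and carries on, so osmosis would run without the flush behaviour and the unit would still report success. Because the library is injected into every process the unit starts, `/opt/flush` and `flush.so` should be root-owned and not writable by `planet`; the build step is not visible in this diff, so that needs checking there. A comment on the line, e.g. `# flush.so is built earlier in this recipe; the loader only warns if it is absent`, would record the dependency.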
description "Daily replication"
user "planet"
exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day"
+ environment "LD_PRELOAD" => "/opt/flush/flush.so"
private_tmp true
private_devices true
- protect_system "full"
+ protect_system "strict"
protect_home true
+ read_write_paths [
+ "/store/planet/replication/day",
+ "/var/lib/replication/day"
+ ]
restrict_address_families %w[AF_INET AF_INET6]
no_new_privileges true
end
private_tmp true
private_devices true
private_network true
- protect_system "full"
+ protect_system "strict"
protect_home true
+ read_write_paths "/var/lib/replication"
no_new_privileges true
end
## Enable/disable feeds
if node[:planet][:replication] == "enabled"
- cron_d "users-agreed" do
- minute "0"
- hour "7"
- user "planet"
- command "/usr/local/bin/users-agreed"
- mailto "zerebubuth@gmail.com"
+ service "users-agreed.timer" do
+ action [:enable, :start]
end
- cron_d "users-deleted" do
- minute "0"
- hour "17"
- user "planet"
- command "/usr/local/bin/users-deleted"
- mailto "zerebubuth@gmail.com"
+ service "users-deleted.timer" do
+ action [:enable, :start]
end
- cron_d "replication-changesets" do
- user "planet"
- command "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
- mailto "zerebubuth@gmail.com"
+ service "replication-changesets.timer" do
+ action [:enable, :start]
end
service "replication-minutely.timer" do
action [:enable, :start]
end
else
- cron_d "users-agreed" do
- action :delete
+ service "users-agreed.timer" do
+ action [:stop, :disable]
end
- cron_d "users-deleted" do
- action :delete
+ service "users-deleted.timer" do
+ action [:stop, :disable]
end
- cron_d "replication-changesets" do
- action :delete
+ service "replication-changesets.timer" do
+ action [:stop, :disable]
end
service "replication-minutely.timer" do