keys = data_bag_item("oxidized", "keys")
devices = data_bag_item("oxidized", "devices")
+directory "/etc/oxidized" do
+ owner "root"
+ group "root"
+ mode "755"
+end
+
template "/etc/oxidized/config" do
source "config.erb"
owner "oxidized"
mode "755"
end
+directory "/opt/oxidized" do
+ owner "oxidized"
+ group "oxidized"
+ mode "755"
+end
+
+git "/opt/oxidized/daemon" do
+ action :sync
+ repository "https://github.com/openstreetmap/oxidized.git"
+ depth 1
+ user "oxidized"
+ group "oxidized"
+ notifies :run, "bundle_install[/opt/oxidized/daemon]", :immediately
+end
+
+directory "/opt/oxidized/.ssh" do
+ owner "oxidized"
+ group "oxidized"
+ mode "700"
+end
+
# Key is set as a deployment key in github repo
-file "/opt/oxidized/.ssh/id_rsa" do
+file "/opt/oxidized/.ssh/id_ed25519" do
content keys["git"].join("\n")
owner "oxidized"
group "oxidized"
mode "400"
- notifies :delete, "file[/opt/oxidized/.ssh/id_rsa.pub]", :immediately
+ notifies :delete, "file[/opt/oxidized/.ssh/id_ed25519.pub]", :immediately
notifies :restart, "service[oxidized]"
end
# Ensure public key is deleted if private key is changed. Trigged by notify
-file "/opt/oxidized/.ssh/id_rsa.pub" do
+file "/opt/oxidized/.ssh/id_ed25519.pub" do
action :nothing
end
-execute "/opt/oxidized/.ssh/id_rsa.pub" do
- command "ssh-keygen -f /opt/oxidized/.ssh/id_rsa -y > /opt/oxidized/.ssh/id_rsa.pub"
- owner "oxidized"
+execute "/opt/oxidized/.ssh/id_ed25519.pub" do
+ command "ssh-keygen -f /opt/oxidized/.ssh/id_ed25519 -y > /opt/oxidized/.ssh/id_ed25519.pub"
+ user "oxidized"
group "oxidized"
- creates "/opt/oxidized/.ssh/id_rsa.pub"
+ creates "/opt/oxidized/.ssh/id_ed25519.pub"
notifies :restart, "service[oxidized]"
end
-git "/opt/oxidized" do
- action :sync
- repository "https://github.com/openstreetmap/oxidized.git"
- depth 1
- user "oxidized"
+ssh_known_hosts_entry "github.com" do
+ action [:create, :flush]
+ file_location "/opt/oxidized/.ssh/known_hosts"
+ owner "oxidized"
+ group "oxidized"
+end
+
+directory "/var/lib/oxidized" do
+ owner "oxidized"
group "oxidized"
- notifies :run, "bundle_install[/opt/oxidized]"
+ mode "750"
end
git "/var/lib/oxidized/configs.git" do
group "oxidized"
end
-bundle_install "/opt/oxidized" do
+bundle_install "/opt/oxidized/daemon" do
action :nothing
options "--deployment"
user "oxidized"
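Review bot: The `file "/opt/oxidized/.ssh/id_ed25519"` resource writes a private key from the data bag but has no `sensitive true`, so chef-client prints the key material in its resource diff and run report whenever the content changes; add `sensitive true` next to `mode "400"`. The `ssh_known_hosts_entry "github.com"` resource sets no `key`, so the trusted host key is whatever `ssh-keyscan` returns at converge time and a man-in-the-middle at that moment is trusted permanently; pin it with `key_type "ssh-ed25519"` and `key` set to the host key GitHub publishes in its documentation. Likewise `git "/opt/oxidized/daemon"` has no `revision`, so every converge tracks the default branch tip and can pull and `bundle install` new upstream code unreviewed; pin `revision` to a tag or commit SHA. Finally, the new `directory "/etc/oxidized"` is root-owned mode 755 while the `template "/etc/oxidized/config"` below it is `mode "755"` owned by oxidized; if that template carries device credentials (not visible here) they are world-readable, and `group "oxidized"` with `mode "750"` on the directory would contain that regardless of the file mode.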
description "oxidized network device backup daemon"
after "network.target"
user "oxidized"
- working_directory "/opt/oxidized"
+ working_directory "/opt/oxidized/daemon"
+ runtime_directory "oxidized"
exec_start "#{node[:ruby][:bundle]} exec oxidized"
environment "OXIDIZED_HOME" => "/etc/oxidized",
"OXIDIZED_LOGS" => "/var/log/oxidized"
nice 10
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox :enable_network => true
+ read_write_paths ["/run/oxidized", "/var/lib/oxidized", "/var/log/oxidized"]
restart "on-failure"
notifies :restart, "service[oxidized]"
end
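Review bot: `read_write_paths` lists `/run/oxidized`, `/var/lib/oxidized` and `/var/log/oxidized` but not `OXIDIZED_HOME=/etc/oxidized`; if `sandbox` maps to `ProtectSystem=strict` (plausible given it replaces `protect_system "full"`, but the custom resource definition is not visible here), oxidized's default pid and crash files under its home directory will fail to write unless the config template points them into `/run/oxidized`. Worth confirming `config.erb` sets the pid path accordingly, or documenting the intent with `# /etc/oxidized is read-only under sandbox; pid/crash paths must live in /run/oxidized (see config.erb)`. The removed `no_new_privileges` and `private_devices` directives are now implied by `sandbox` only if the resource emits them; since this hunk cannot show that, a quick check of the resource (or `systemctl show oxidized`) would close the gap. The systemd_service resource header lies outside the hunk.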