]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/db/recipes/master.rb
Merge remote-tracking branch 'github/pull/699'
[chef.git] / cookbooks / db / recipes / master.rb
index c2450a7a46444bcd498d296e9439f1dfdb5f8d2e..606e902bff69be86dc635c4fc1814021a125fd9b 100644 (file)
@@ -62,11 +62,6 @@ postgresql_user "backup" do
   password passwords["backup"]
 end
 
-postgresql_user "munin" do
-  cluster node[:db][:cluster]
-  password passwords["munin"]
-end
-
 postgresql_user "replication" do
   cluster node[:db][:cluster]
   password passwords["replication"]
@@ -84,30 +79,83 @@ postgresql_extension "btree_gist" do
   only_if { node[:postgresql][:clusters][node[:db][:cluster]] && node[:postgresql][:clusters][node[:db][:cluster]][:version] >= 9.0 }
 end
 
+CGIMAP_PERMISSIONS = {
+  "changeset_comments" => [:select],
+  "changeset_tags" => [:select],
+  "changesets" => [:select, :update],
+  "current_node_tags" => [:select, :insert, :delete],
+  "current_nodes" => [:select, :insert, :update],
+  "current_nodes_id_seq" => [:update],
+  "current_relation_members" => [:select, :insert, :delete],
+  "current_relation_tags" => [:select, :insert, :delete],
+  "current_relations" => [:select, :insert, :update],
+  "current_relations_id_seq" => [:update],
+  "current_way_nodes" => [:select, :insert, :delete],
+  "current_way_tags" => [:select, :insert, :delete],
+  "current_ways" => [:select, :insert, :update],
+  "current_ways_id_seq" => [:update],
+  "issues" => [:select],
+  "node_tags" => [:select, :insert],
+  "nodes" => [:select, :insert],
+  "oauth_access_grants" => [:select],
+  "oauth_access_tokens" => [:select],
+  "oauth_applications" => [:select],
+  "relation_members" => [:select, :insert],
+  "relation_tags" => [:select, :insert],
+  "relations" => [:select, :insert],
+  "reports" => [:select],
+  "user_blocks" => [:select],
+  "user_roles" => [:select],
+  "users" => [:select],
+  "way_nodes" => [:select, :insert],
+  "way_tags" => [:select, :insert],
+  "ways" => [:select, :insert]
+}.freeze
+
+PLANETDUMP_PERMISSIONS = {
+  "note_comments" => :select,
+  "notes" => :select,
+  "users" => :select
+}.freeze
+
+PLANETDIFF_PERMISSIONS = {
+  "changeset_comments" => :select,
+  "changeset_tags" => :select,
+  "changesets" => :select,
+  "node_tags" => :select,
+  "nodes" => :select,
+  "relation_members" => :select,
+  "relation_tags" => :select,
+  "relations" => :select,
+  "users" => :select,
+  "way_nodes" => :select,
+  "way_tags" => :select,
+  "ways" => :select
+}.freeze
+
+PROMETHEUS_PERMISSIONS = {
+  "delayed_jobs" => :select
+}.freeze
+
 %w[
+  acls
   active_storage_attachments
   active_storage_blobs
   active_storage_variant_records
   ar_internal_metadata
-  delayed_jobs
-  issue_comments
-  issues
-  oauth_openid_requests
-  reports
-].each do |table|
-  postgresql_table table do
-    cluster node[:db][:cluster]
-    database "openstreetmap"
-    owner "openstreetmap"
-    permissions "openstreetmap" => [:all],
-                "rails" => [:select, :insert, :update, :delete],
-                "backup" => [:select]
-  end
-end
-
-%w[
-  acls
+  changeset_comments
+  changeset_tags
+  changesets
   changesets_subscribers
+  current_node_tags
+  current_nodes
+  current_relation_members
+  current_relation_tags
+  current_relations
+  current_way_nodes
+  current_way_tags
+  current_ways
+  delayed_jobs
   diary_comments
   diary_entries
   diary_entry_subscriptions
@@ -115,123 +163,29 @@ end
   gps_points
   gpx_file_tags
   gpx_files
+  issue_comments
+  issues
   languages
   messages
-  redactions
-  schema_migrations
-  user_preferences
-  user_tokens
-].each do |table|
-  postgresql_table table do
-    cluster node[:db][:cluster]
-    database "openstreetmap"
-    owner "openstreetmap"
-    permissions "openstreetmap" => [:all],
-                "rails" => [:select, :insert, :update, :delete],
-                "backup" => [:select]
-  end
-end
-
-%w[
-  note_comments
-  notes
-].each do |table|
-  postgresql_table table do
-    cluster node[:db][:cluster]
-    database "openstreetmap"
-    owner "openstreetmap"
-    permissions "openstreetmap" => [:all],
-                "rails" => [:select, :insert, :update, :delete],
-                "planetdump" => [:select],
-                "backup" => [:select]
-  end
-end
-
-%w[
-  changeset_comments
-  changeset_tags
-].each do |table|
-  postgresql_table table do
-    cluster node[:db][:cluster]
-    database "openstreetmap"
-    owner "openstreetmap"
-    permissions "openstreetmap" => [:all],
-                "rails" => [:select, :insert, :update, :delete],
-                "cgimap" => [:select],
-                "planetdiff" => [:select],
-                "backup" => [:select]
-  end
-end
-
-%w[
-  users
-].each do |table|
-  postgresql_table table do
-    cluster node[:db][:cluster]
-    database "openstreetmap"
-    owner "openstreetmap"
-    permissions "openstreetmap" => [:all],
-                "rails" => [:select, :insert, :update, :delete],
-                "cgimap" => [:select],
-                "planetdump" => [:select],
-                "planetdiff" => [:select],
-                "backup" => [:select]
-  end
-end
-
-%w[changesets].each do |table|
-  postgresql_table table do
-    cluster node[:db][:cluster]
-    database "openstreetmap"
-    owner "openstreetmap"
-    permissions "openstreetmap" => [:all],
-                "rails" => [:select, :insert, :update, :delete],
-                "cgimap" => [:select, :update],
-                "planetdiff" => [:select],
-                "backup" => [:select]
-  end
-end
-
-%w[
-  current_nodes
-  current_relations
-  current_ways
-].each do |table|
-  postgresql_table table do
-    cluster node[:db][:cluster]
-    database "openstreetmap"
-    owner "openstreetmap"
-    permissions "openstreetmap" => [:all],
-                "rails" => [:select, :insert, :update, :delete],
-                "cgimap" => [:select, :insert, :update],
-                "backup" => [:select]
-  end
-end
-
-%w[
-  current_node_tags
-  current_relation_members
-  current_relation_tags
-  current_way_nodes
-  current_way_tags
-].each do |table|
-  postgresql_table table do
-    cluster node[:db][:cluster]
-    database "openstreetmap"
-    owner "openstreetmap"
-    permissions "openstreetmap" => [:all],
-                "rails" => [:select, :insert, :update, :delete],
-                "cgimap" => [:select, :insert, :delete],
-                "backup" => [:select]
-  end
-end
-
-%w[
   node_tags
   nodes
+  note_comments
+  notes
+  oauth_access_grants
+  oauth_access_tokens
+  oauth_applications
+  oauth_openid_requests
+  redactions
   relation_members
   relation_tags
   relations
+  reports
+  schema_migrations
+  user_blocks
+  user_mutes
+  user_preferences
+  user_roles
+  users
   way_nodes
   way_tags
   ways
@@ -242,42 +196,10 @@ end
     owner "openstreetmap"
     permissions "openstreetmap" => [:all],
                 "rails" => [:select, :insert, :update, :delete],
-                "cgimap" => [:select, :insert],
-                "planetdiff" => [:select],
-                "backup" => [:select]
-  end
-end
-
-%w[
-  client_applications
-  oauth_access_grants
-  oauth_access_tokens
-  oauth_applications
-  oauth_tokens
-  user_blocks
-  user_roles
-].each do |table|
-  postgresql_table table do
-    cluster node[:db][:cluster]
-    database "openstreetmap"
-    owner "openstreetmap"
-    permissions "openstreetmap" => [:all],
-                "rails" => [:select, :insert, :update, :delete],
-                "cgimap" => [:select],
-                "backup" => [:select]
-  end
-end
-
-%w[
-  oauth_nonces
-].each do |table|
-  postgresql_table table do
-    cluster node[:db][:cluster]
-    database "openstreetmap"
-    owner "openstreetmap"
-    permissions "openstreetmap" => [:all],
-                "rails" => [:select, :insert, :update, :delete],
-                "cgimap" => [:select, :insert],
+                "cgimap" => CGIMAP_PERMISSIONS[table],
+                "planetdump" => PLANETDUMP_PERMISSIONS[table],
+                "planetdiff" => PLANETDIFF_PERMISSIONS[table],
+                "prometheus" => PROMETHEUS_PERMISSIONS[table],
                 "backup" => [:select]
   end
 end
@@ -289,7 +211,9 @@ end
   active_storage_variant_records_id_seq
   changeset_comments_id_seq
   changesets_id_seq
-  client_applications_id_seq
+  current_nodes_id_seq
+  current_relations_id_seq
+  current_ways_id_seq
   delayed_jobs_id_seq
   diary_comments_id_seq
   diary_entries_id_seq
@@ -305,12 +229,11 @@ end
   oauth_access_tokens_id_seq
   oauth_applications_id_seq
   oauth_openid_requests_id_seq
-  oauth_tokens_id_seq
   redactions_id_seq
   reports_id_seq
   user_blocks_id_seq
+  user_mutes_id_seq
   user_roles_id_seq
-  user_tokens_id_seq
   users_id_seq
 ].each do |sequence|
   postgresql_sequence sequence do
@@ -319,23 +242,7 @@ end
     owner "openstreetmap"
     permissions "openstreetmap" => [:all],
                 "rails" => [:usage],
-                "backup" => [:select]
-  end
-end
-
-%w[
-  current_nodes_id_seq
-  current_relations_id_seq
-  current_ways_id_seq
-  oauth_nonces_id_seq
-].each do |sequence|
-  postgresql_sequence sequence do
-    cluster node[:db][:cluster]
-    database "openstreetmap"
-    owner "openstreetmap"
-    permissions "openstreetmap" => [:all],
-                "rails" => [:usage],
-                "cgimap" => [:update],
+                "cgimap" => CGIMAP_PERMISSIONS[sequence],
                 "backup" => [:select]
   end
 end
@@ -352,6 +259,7 @@ systemd_service "monthly-reindex" do
   user "postgres"
   sandbox true
   restrict_address_families "AF_UNIX"
+  remove_ipc false
 end
 
 systemd_timer "monthly-reindex" do
@@ -375,13 +283,21 @@ systemd_service "yearly-reindex" do
   user "postgres"
   sandbox true
   restrict_address_families "AF_UNIX"
+  remove_ipc false
 end
 
 systemd_timer "yearly-reindex" do
   description "Yearly database reindex"
-  on_calendar "Fri *-1-8..14 02:00"
+  on_calendar "Thu *-1-8..14 02:00"
 end
 
 service "yearly-reindex.timer" do
   action [:enable, :start]
 end
+
+template "/etc/prometheus/exporters/sql_rails.collector.yml" do
+  source "sql_rails.yml.erb"
+  owner "root"
+  group "root"
+  mode "0644"
+end