X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/7462752b7ab11a897eb630138ead2080c5847399..7f55df0811600d62bdb34c65c56b3d1928780d34:/cookbooks/oxidized/recipes/default.rb?ds=sidebyside
diff --git a/cookbooks/oxidized/recipes/default.rb b/cookbooks/oxidized/recipes/default.rb
index 6d5486d49..28f65bf79 100644
--- a/cookbooks/oxidized/recipes/default.rb
+++ b/cookbooks/oxidized/recipes/default.rb
@@ -29,6 +29,8 @@ package %w[
 libssh2-1-dev
 zlib1g-dev
 pkg-config
+ libyaml-dev
+ logrotate
 ]

 keys = data_bag_item("oxidized", "keys")
@@ -75,7 +77,7 @@ git "/opt/oxidized/daemon" do
 depth 1
 user "oxidized"
 group "oxidized"
- notifies :run, "bundle_install[/opt/oxidized/daemon]"
+ notifies :run, "bundle_install[/opt/oxidized/daemon]", :immediately
 end

 directory "/opt/oxidized/.ssh" do
@@ -85,29 +87,30 @@ directory "/opt/oxidized/.ssh" do
 end

 # Key is set as a deployment key in github repo
-file "/opt/oxidized/.ssh/id_rsa" do
+file "/opt/oxidized/.ssh/id_ed25519" do
 content keys["git"].join("\n")
 owner "oxidized"
 group "oxidized"
 mode "400"
- notifies :delete, "file[/opt/oxidized/.ssh/id_rsa.pub]", :immediately
+ notifies :delete, "file[/opt/oxidized/.ssh/id_ed25519.pub]", :immediately
 notifies :restart, "service[oxidized]"
 end

 # Ensure public key is deleted if private key is changed. Trigged by notify
-file "/opt/oxidized/.ssh/id_rsa.pub" do
+file "/opt/oxidized/.ssh/id_ed25519.pub" do
 action :nothing
 end

-execute "/opt/oxidized/.ssh/id_rsa.pub" do
- command "ssh-keygen -f /opt/oxidized/.ssh/id_rsa -y > /opt/oxidized/.ssh/id_rsa.pub"
+execute "/opt/oxidized/.ssh/id_ed25519.pub" do
+ command "ssh-keygen -f /opt/oxidized/.ssh/id_ed25519 -y > /opt/oxidized/.ssh/id_ed25519.pub"
 user "oxidized"
 group "oxidized"
- creates "/opt/oxidized/.ssh/id_rsa.pub"
+ creates "/opt/oxidized/.ssh/id_ed25519.pub"
 notifies :restart, "service[oxidized]"
 end

-ssh_known_hosts_entry 'github.com' do
+ssh_known_hosts_entry "github.com" do
+ action [:create, :flush]
 file_location "/opt/oxidized/.ssh/known_hosts"
 owner "oxidized"
 group "oxidized"
@@ -127,9 +130,15 @@ git "/var/lib/oxidized/configs.git" do
 group "oxidized"
 end

+bundle_config "/opt/oxidized/daemon" do
+ user "oxidized"
+ group "oxidized"
+ settings "deployment" => "true",
+ "build.rugged" => "--with-ssh"
+end
+
 bundle_install "/opt/oxidized/daemon" do
 action :nothing
- options "--deployment"
 user "oxidized"
 group "oxidized"
 notifies :restart, "service[oxidized]"
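Review bot: The key rotation in this hunk renames the deployment key to `id_ed25519` but leaves the retired `/opt/oxidized/.ssh/id_rsa` and `id_rsa.pub` on every host that already converged the old recipe, so the superseded private key stays readable by the `oxidized` user until someone removes it by hand; add `file "/opt/oxidized/.ssh/id_rsa" do action :delete end` and the same for `id_rsa.pub` next to the new resources, and retire the matching deploy key on the GitHub side. The private key resource also writes `content keys["git"].join("\n")` without `sensitive true`, which means a content change is printed as a diff in chef-client output and logs; adding `sensitive true` to the `file "/opt/oxidized/.ssh/id_ed25519"` resource keeps the key out of the run log. Both points apply equally to the `execute` resource's generated `.pub`, which is harmless to log but whose `id_rsa.pub` predecessor is also orphaned.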
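Review bot: The new `bundle_config "/opt/oxidized/daemon"` resource is converged after the `git "/opt/oxidized/daemon"` resource, yet that git resource (earlier hunk, `@@ -75,7 +77,7 @@`) now notifies `bundle_install[/opt/oxidized/daemon]` with `:immediately`, so on a fresh host the first bundle install runs before the `deployment` and `build.rugged --with-ssh` settings exist, and nothing in the visible `bundle_config` block re-triggers the install once they do. Either declare `bundle_config` above the git resource or add `notifies :run, "bundle_install[/opt/oxidized/daemon]", :immediately` to it so a settings change forces a rebuild (rugged built without `--with-ssh` would only surface later as a failed git push). The removed `options "--deployment"` is presumably replaced by the `"deployment" => "true"` setting; a one-line comment on the `bundle_config` block saying so would help the next reader, since the two resources now depend on each other across the recipe.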
@@ -146,11 +155,8 @@ systemd_service "oxidized" do
 environment "OXIDIZED_HOME" => "/etc/oxidized",
 "OXIDIZED_LOGS" => "/var/log/oxidized"
 nice 10
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox :enable_network => true
+ read_write_paths ["/run/oxidized", "/var/lib/oxidized", "/var/log/oxidized"]
 restart "on-failure"
 notifies :restart, "service[oxidized]"
 end
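Review bot: The hunk replaces five explicit hardening directives (`private_tmp`, `private_devices`, `protect_system "full"`, `protect_home`, `no_new_privileges`) with a single `sandbox :enable_network => true`, and nothing in the hunk documents that the cookbook-level `sandbox` property is expected to re-establish each of them; if `sandbox` does not cover one of them, the unit silently loses that protection. A comment such as `# sandbox supersedes the former private_tmp/private_devices/protect_system/protect_home/no_new_privileges settings; enable_network is required because the daemon must reach the devices it backs up and the git remote` (the reason for network access is inferred, please confirm) would make the intent reviewable, and `systemd-analyze security oxidized` on a converged host confirms the resulting unit is no weaker than before. `read_write_paths` presumably implies a strict `ProtectSystem`; `/opt/oxidized/.ssh` is not in the list, which is correct only if the daemon never updates `known_hosts` itself, so that assumption is worth stating in the same comment. The `systemd_service "oxidized"` block begins before the hunk.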