X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/cf722cd9bc6500404ceae034393204b5f3082589..cc045c868bf15083df4db4442c0d92814441951e:/cookbooks/oxidized/recipes/default.rb?ds=inline diff --git a/cookbooks/oxidized/recipes/default.rb b/cookbooks/oxidized/recipes/default.rb index c20f865c0..7e4803c70 100644 --- a/cookbooks/oxidized/recipes/default.rb +++ b/cookbooks/oxidized/recipes/default.rb @@ -34,6 +34,12 @@ package %w[ keys = data_bag_item("oxidized", "keys") devices = data_bag_item("oxidized", "devices") +directory "/etc/oxidized" do + owner "root" + group "root" + mode "755" +end + template "/etc/oxidized/config" do source "config.erb" owner "oxidized" @@ -57,36 +63,61 @@ directory "/var/log/oxidized" do mode "755" end +directory "/opt/oxidized" do + owner "oxidized" + group "oxidized" + mode "755" +end + +git "/opt/oxidized/daemon" do + action :sync + repository "https://github.com/openstreetmap/oxidized.git" + depth 1 + user "oxidized" + group "oxidized" + notifies :run, "bundle_install[/opt/oxidized/daemon]", :immediately +end + +directory "/opt/oxidized/.ssh" do + owner "oxidized" + group "oxidized" + mode "700" +end + # Key is set as a deployment key in github repo -file "/opt/oxidized/.ssh/id_rsa" do +file "/opt/oxidized/.ssh/id_ed25519" do content keys["git"].join("\n") owner "oxidized" group "oxidized" mode "400" - notifies :delete, "file[/opt/oxidized/.ssh/id_rsa.pub]", :immediately + notifies :delete, "file[/opt/oxidized/.ssh/id_ed25519.pub]", :immediately notifies :restart, "service[oxidized]" end # Ensure public key is deleted if private key is changed. Trigged by notify -file "/opt/oxidized/.ssh/id_rsa.pub" do +file "/opt/oxidized/.ssh/id_ed25519.pub" do action :nothing end -execute "/opt/oxidized/.ssh/id_rsa.pub" do - command "ssh-keygen -f /opt/oxidized/.ssh/id_rsa -y > /opt/oxidized/.ssh/id_rsa.pub" - owner "oxidized" +execute "/opt/oxidized/.ssh/id_ed25519.pub" do + command "ssh-keygen -f /opt/oxidized/.ssh/id_ed25519 -y > /opt/oxidized/.ssh/id_ed25519.pub" + user "oxidized" group "oxidized" - creates "/opt/oxidized/.ssh/id_rsa.pub" + creates "/opt/oxidized/.ssh/id_ed25519.pub" notifies :restart, "service[oxidized]" end -git "/opt/oxidized" do - action :sync - repository "https://github.com/openstreetmap/oxidized.git" - depth 1 - user "oxidized" +ssh_known_hosts_entry "github.com" do + action [:create, :flush] + file_location "/opt/oxidized/.ssh/known_hosts" + owner "oxidized" + group "oxidized" +end + +directory "/var/lib/oxidized" do + owner "oxidized" group "oxidized" - notifies :run, "bundle_install[/opt/oxidized]" + mode "750" end git "/var/lib/oxidized/configs.git" do @@ -97,7 +128,7 @@ git "/var/lib/oxidized/configs.git" do group "oxidized" end -bundle_install "/opt/oxidized" do +bundle_install "/opt/oxidized/daemon" do action :nothing options "--deployment" user "oxidized" @@ -110,16 +141,14 @@ systemd_service "oxidized" do description "oxidized network device backup daemon" after "network.target" user "oxidized" - working_directory "/opt/oxidized" + working_directory "/opt/oxidized/daemon" + runtime_directory "oxidized" exec_start "#{node[:ruby][:bundle]} exec oxidized" environment "OXIDIZED_HOME" => "/etc/oxidized", "OXIDIZED_LOGS" => "/var/log/oxidized" nice 10 - private_tmp true - private_devices true - protect_system "full" - protect_home true - no_new_privileges true + sandbox :enable_network => true + read_write_paths ["/run/oxidized", "/var/lib/oxidized", "/var/log/oxidized"] restart "on-failure" notifies :restart, "service[oxidized]" end